Page 47 - Computer Software Application TP - Volume 1
COMPUTER SOFTWARE APPLICATION - CITS
EXERCISE 10 : Setting password policy
Objectives
At the end of this exercise you shall be able to
• implement a password policy.
Requirements
Tools/Materials
• PC laptop with network connectivity
Procedure
Setting up a password policy in a network is an essential security measure to protect sensitive information and
resources from unauthorized access.
Implement a password policy
1 Assessment: Begin by assessing the current state of password security within your network. Understand the
existing password practices, weaknesses, and areas that need improvement.
2 Define Password Requirements: Determine the password requirements that users must adhere to. These
requirements typically include:
• Minimum password length: Suggest a minimum length of 8-12 characters.
• Complexity: Require a combination of uppercase letters, lowercase letters, numbers, and special
characters.
• Expiry: Set a policy for password expiration, such as every 90 days.
• History: Enforce a rule that prevents users from reusing old passwords.
• Lockout: Establish a threshold for failed login attempts before an account is locked out temporarily.
• Account Inactivity: Consider disabling accounts, or prompting for a password change, after a certain period of inactivity.
• Two-Factor Authentication (2FA): Encourage or mandate the use of 2FA where possible for an added
layer of security.
3 Communicate Policy: Clearly communicate the password policy to all users within the network. Explain the
rationale behind each requirement and the importance of adhering to them.
4 Implement Policy: Utilize the network’s administrative tools or security software to enforce the password
policy. This may involve configuring settings in:
• Active Directory (for Windows networks)
• Group Policy (for Windows networks)
• LDAP (Lightweight Directory Access Protocol)
• RADIUS (Remote Authentication Dial-In User Service)
• IAM (Identity and Access Management) solutions
• Password management tools
5 Enforcement: Regularly monitor adherence to the password policy. Implement mechanisms to enforce the
policy automatically, such as system prompts for password changes when they expire, or locking out accounts
after multiple failed login attempts.
6 Education and Training: Conduct training sessions or provide resources to educate users about the
importance of strong passwords, how to create them securely, and the consequences of weak password
practices.
7 Periodic Review and Update: Regularly review the password policy to ensure it remains effective and up-to-date with evolving security threats and best practices. Make necessary adjustments based on feedback, security incidents, or changes in regulations.
8 Testing: Periodically conduct security audits or penetration tests to evaluate the effectiveness of the password
policy and identify any vulnerabilities that need to be addressed.
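As an added worked example (not part of the CITS exercise), the following Python sketch enforces the three step 2 requirements that can be checked mechanically: minimum length with character-class complexity, a password history kept as salted hashes rather than plaintext, and a lockout counter for failed logins. The history depth of 5 and lockout threshold of 5 are assumed values, since the exercise leaves those numbers to the administrator; expiry and 2FA are settings applied in the directory or IAM tool rather than in code.

```python
import hashlib
import hmac
import os
import re
from collections import deque

# Policy values from step 2 of the exercise; HISTORY_DEPTH and LOCKOUT_THRESHOLD are assumed.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5
CHARACTER_CLASSES = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
                     "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}

def check_complexity(password):
    """Return the list of violated requirements; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems += [f"no {name} character" for name, pat in CHARACTER_CLASSES.items()
                 if not re.search(pat, password)]
    return problems

class PasswordHistory:
    """Keeps salted PBKDF2 hashes of the last HISTORY_DEPTH passwords, never plaintext."""
    def __init__(self):
        self.entries = deque(maxlen=HISTORY_DEPTH)  # (salt, hash); oldest dropped first

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def was_used(self, password):  # constant-time compare against every stored hash
        return any(hmac.compare_digest(self._digest(password, s), h) for s, h in self.entries)

    def record(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(password, salt)))

class LockoutCounter:
    """Counts consecutive failed logins per user; a successful login resets the count."""
    def __init__(self):
        self.failures = {}

    def record_failure(self, user):  # returns True once the threshold is reached
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user] >= LOCKOUT_THRESHOLD

    def record_success(self, user):
        self.failures.pop(user, None)
```

A real deployment would persist the history and failure counts in the directory service and pair the lockout with a timed unlock, as step 5 of the exercise describes.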