SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

See also: Level 2, Level 3, Level 4, 11, Servers A, Level 2, Level 3, Level 4

How to Comply

Important Steps for Configuring Active Directory

Logging:

Keep domain controller logs centrally.
Keep security logs from all domain joined servers centrally.
Create and monitor alerts on:
- The use (success or failure) of any domain administrator credentials.
- The use of any local administrator credentials.
- Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...

Coordinate Harvard authentication with Identity & Access Management (IAM)

Consult the IAM website for authentication protocol options and guides. For additional assistance, please email iam_help@harvard.edu or submit a ServiceNow ticket under the subcategory of Authentication Services: Consulting.

Transfer temporary passwords securely

Initial/temporary passwords or secrets must be securely transferred to the user (email to a known good address without the username or address of record, or phone call). A phone call is the preferred method.

Require password changes

When creating passwords, administrators must ensure that they are set to be changed after first use.

Information Security Policy

Harvard University

Password Management

How to Comply

Important Steps for Configuring Active Directory

Coordinate Harvard authentication with Identity & Access Management (IAM)

Transfer temporary passwords securely

Require password changes

a5521c6de467d1f1f57b952884f5e43e