Password Management

SA8: Mechanisms for users to set or change passwords must be secure. Systems that manage passwords must be configured securely. Storage and management of passwords requires L4 security.

How to Comply

Important Steps for Configuring Active Directory



  • Keep domain controller logs centrally.
  • Keep security logs from all domain joined servers centrally.
  • Create and monitor alerts on:
    • The use (success or failure) of any domain administrator credentials.
    • The use of any local administrator credentials.
    • Changes to domain administrator or other sensitive groups in AD.

Cached Credentials:

  • Use GPO to set cached credentials on servers to the minimum you possibly can (0 or 1 for servers - for desktops, you may find...
Read more about Important Steps for Configuring Active Directory

Transfer temporary passwords securely

 Initial/temporary passwords or secrets must be securely transferred to the user (email to a known good address without the username or address of record, or phone call).  A phone call is the preferred method.

Require password changes

When creating passwords, administrators must ensure that they are set to be changed after first use.