January 2022 saw the most significant update to the UK’s National Cyber Security Centre (NCSC) Cyber Essentials guidance in the history of the certification. This update reflected the growing challenges and changing landscape of security threats in the world of technology.
Specops has sponsored this post. If you’d like to learn more about Specops, check them out!
Cyber Essentials is a UK government-backed 12-month certification that requires a verified self-certification. With this certification, your organization shows that they take cyber security seriously and seek to protect customer data and its infrastructure.
Compliance with the newly updated certification was initially supposed to be completed by January 2023 but was recently extended to April 2023 to account for an upcoming clarification update. There are two levels, Cyber Essentials and Cyber Essentials Plus. The difference comes down to verification. With the former, a qualified assessor reviews the application and ensures it meets the requirements. The latter has a qualified assessor perform a hands-on technical verification of those same claims.
With these updates, how does an organization configure and secure its on-premise Active Directory infrastructure to ensure compliance with the updated Cyber Essentials certification?
Stay Certified With These Updates to Cyber Essentials
The Cyber Essentials guidance needs to evolve as the security landscape is ever-changing. With this update, several password-related requirements were changed. By stressing the importance of multi-factor authentication (MFA) and more stringent password requirements, this update looks to keep organizations secure against threat actors.
Securing Password-Based Authentication
Password-based authentication is not ending any time soon. Cyber Essentials focuses on the brute-force aspect of guessing passwords and the complexity of those same passwords.
Brute-Force Password Guessing
At least one of the following requirements must be implemented to satisfy the Cyber Essentials requirement.
- Permit no more than ten guesses in 5 minutes to “throttle” the number of guesses an attacker can perform quickly.
- After ten unsuccessful attempts, lock the targeted account.
- Implement Multi-Factor Authentication to make guessing passwords much more difficult without the additional authentication factor.
Password Quality and Complexity
To ensure adequate password quality, one of the following requirements must be implemented to meet the Cyber Essentials requirements.
- Minimum password length of at least 12 characters and no maximum length restriction.
- Minimum password length of at least eight characters, no maximum, and automatic blocking of common passwords with a deny list.
- Multi-Factor Authentication.
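The two password-only options above differ in one step: the 8-character option must also reject commonly used passwords. The following PowerShell function is an added example, not code from the article or from Specops, that applies the two options to a candidate password and reports which one (if either) it satisfies. The deny list is a small constructed sample, and the normalisation of trailing digits and punctuation before the deny-list comparison is a design choice of this example rather than anything Cyber Essentials specifies.

```powershell
# Added example (not from the original article): a local check that mirrors the
# two password-quality options that apply when MFA is not in place. The deny list
# is constructed for illustration; a real deployment would load a far larger list
# of commonly used and breached passwords.
$DenyList = @('password', 'welcome', 'letmein', 'qwerty', 'admin123', 'companyname')

function Test-CyberEssentialsPassword {
    # Returns an object saying whether the candidate passes and under which option.
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string[]] $Deny = $DenyList
    )
    # Option 1: 12 or more characters; no deny list is required for this option.
    if ($Password.Length -ge 12) {
        return [pscustomobject]@{ Compliant = $true; Option = '12+ characters'; Reason = '' }
    }
    # Option 2: 8 or more characters AND not a common password.
    if ($Password.Length -lt 8) {
        return [pscustomobject]@{ Compliant = $false; Option = ''; Reason = 'shorter than 8 characters' }
    }
    # Normalisation is an assumption of this example: compare case-insensitively and
    # with trailing digits/punctuation removed so "Welcome23!" still matches "welcome".
    $stem = ($Password -replace '[\d\W_]+$', '').ToLowerInvariant()
    if ($Deny -contains $Password.ToLowerInvariant() -or $Deny -contains $stem) {
        return [pscustomobject]@{ Compliant = $false; Option = ''; Reason = 'matches deny list' }
    }
    return [pscustomobject]@{ Compliant = $true; Option = '8+ characters with deny list'; Reason = '' }
}

# Constructed sample inputs covering each branch.
'correct-horse-battery', 'Welcome23!', 'short1', 'Blue7tide' | ForEach-Object {
    $r = Test-CyberEssentialsPassword -Password $_
    '{0,-22} compliant={1,-5} {2}{3}' -f $_, $r.Compliant, $r.Option, $r.Reason
}
```

Note that `Welcome23!` is rejected only because it is shorter than 12 characters; a 12-character variant would pass under the first option with no deny-list check at all, which is why the article goes on to recommend a deny list regardless of the length option chosen.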
Foil Attackers with Multi-Factor Authentication (MFA)
Paired with secure passwords, MFA makes the lives of threat actors far more complex, as it is not enough to steal or crack a password. The Cyber Essentials guidance states that any account externally accessible via the internet and administrative accounts must have MFA enabled.
Since MFA adds a significant layer of protection, the length requirement for the password is lowered from 12 to 8, still with no maximum length restriction. The types of MFA generally accepted for use with Cyber Essentials are the following.
- Managed/Enterprise Device
- App on a Trusted Device
- Physically Separate Token
- Known or Trusted Account
Configuring On-Premise Active Directory for Cyber Essentials
What do the updated Cyber Essential requirements look like in practice on a standard Active Directory domain? Using the default Active Directory technologies, the password quality and brute-force password guessing requirements can be minimally implemented.
1. First, launch the Group Policy Management snap-in for Active Directory via the shortcut in Administrative Tools or from Start → Run → gpedit.msc.
2. Next, edit the Default Domain Policy or create a new password-specific policy that overrides the default.
The downside to creating an overriding policy is that, if it is not correctly linked, it may apply only to part of the domain. Set baseline password policies in the Default Domain Policy and create OU (organizational unit) specific GPOs (Group Policy Objects) as necessary.
3. Active Directory does not offer fine-grained policies to conform strictly to every Cyber Essentials policy, but the following does meet the basic requirements. Navigate to the Policies → Windows Settings → Security Settings → Account Policies sections.
Password Policy: Active Directory does not have built-in MFA such as Microsoft Authenticator or SMS; the only native option is a comparatively complicated third-party SmartCard device, so the minimum password length needs to be 12 characters.
Though the Cyber Essentials policy states that there should be no maximum password length, the Windows 10/11 GUI only supports 127 characters, with a stored password maximum of 256 characters for any given account.
Account Lockout Policy: Additional security settings are optional, but setting the account lockout threshold to ten satisfies the requirement needed for the certification.
Account lockout threshold: 10 invalid logon attempts
Wait for devices to update, or run gpupdate /force on the client machines to force the Group Policy update.
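Once the policy has applied, the effective values can be verified from PowerShell rather than by re-opening the GPO. The script below is an added example, not code from the article or from Specops. It assumes the RSAT ActiveDirectory module is installed and that the session runs as a domain user with read access to the domain's password policy. It reads the effective Default Domain Policy values and, because fine-grained password policies (PSOs) override the default for the users and groups they target, also checks every PSO against the same two settings configured in the steps above.

```powershell
# Added audit script (not from the original article). Assumes the RSAT
# ActiveDirectory PowerShell module is installed and the session runs as a
# domain user with read access to the domain's password policy objects.
# The constants are the values the article derives from the Cyber Essentials text.
Import-Module ActiveDirectory

$RequiredMinLength   = 12   # no MFA in plain on-prem AD, so the 12-character option applies
$MaxLockoutThreshold = 10   # lock the account after at most ten failed attempts

function Get-CyberEssentialsGaps {
    # Compares one password policy object (default domain or fine-grained)
    # against the two settings the article configures and returns the gaps.
    param(
        [Parameter(Mandatory)] $Policy,
        [string] $Name = 'Default Domain Policy'
    )
    $gaps = @()
    if ($Policy.MinPasswordLength -lt $RequiredMinLength) {
        $gaps += "${Name}: MinPasswordLength is $($Policy.MinPasswordLength), needs at least $RequiredMinLength"
    }
    # A threshold of 0 means accounts never lock, which fails the requirement outright.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $gaps += "${Name}: LockoutThreshold is $($Policy.LockoutThreshold), needs 1-$MaxLockoutThreshold"
    }
    return $gaps
}

$allGaps = @()

# Effective domain-wide values; these come from the Default Domain Policy GPO
# edited in the steps above, so run this after gpupdate has completed.
$default = Get-ADDefaultDomainPasswordPolicy
$allGaps += Get-CyberEssentialsGaps -Policy $default

# PSOs override the default for their subjects, so a compliant default can still
# leave gaps for the accounts a weaker PSO applies to.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $allGaps += Get-CyberEssentialsGaps -Policy $pso -Name "PSO '$($pso.Name)'"
}

if ($allGaps.Count -eq 0) {
    Write-Output "All password policies meet the baseline: min length $RequiredMinLength, lockout at $MaxLockoutThreshold attempts."
} else {
    $allGaps | ForEach-Object { Write-Warning $_ }
}
```

The script only reads; remediation stays in the GPO, since values written directly to the domain object are overwritten when the Default Domain Policy next applies on the PDC emulator. Scheduling this check alongside other compliance evidence gives the assessor a repeatable record that the settings have not drifted.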
The Challenge of On-Premise Active Directory MFA
Multi-factor authentication with on-premise Active Directory is traditionally provided through SmartCards, such as a YubiKey device. A SmartCard satisfies the “something I have, and something I know” approach to MFA. Though you don’t typically enter an AD username and password with a YubiKey, you would plug the USB device into the computer and then enter the unique PIN.
The challenge with this approach is the setup. Configuring SmartCards for Active Directory is difficult and time-consuming. Other solutions, such as Duo, are more accessible but rely on a third-party service rather than a one-off device purchase with smartcards, ultimately increasing potential cost.
Staying Secure with Specops Password Policy & Breached Password Protection
With on-premise Active Directory prevalent in many organizations, complying with Cyber Essentials is difficult with the built-in AD tools. Specops Password Policy with Breached Password Protection adds in-depth password length and complexity controls, along with active checks of over 3 billion compromised passwords.
Ensure that every corner of your organization is covered with AD GPOs catering to the unique password needs of specific computers, users, or groups. With the Specops Authentication Client, provide real-time feedback on password changes to users. Block weak, compromised, and common passwords using custom lists and breached password protection.
Compliance-driven templates offer Cyber Essentials compliance out of the box, freeing your IT administrators to focus on more pressing security concerns. Specops Password Policy & Breached Password Protection team up to ensure your organization’s compliance with Cyber Essentials while taking your security to the next level!
Staying Out of the Headlines with Cyber Essentials
Threat actors are becoming increasingly sophisticated, and Cyber Essentials helps organizations avoid the consequences of stolen data and compromised systems. On-premise Active Directory may comply with the Cyber Essentials basics, but proper in-depth protection is not available with the built-in tools.
Specops Password Policy and Breached Password Protection will allow your organization to better protect your users and infrastructure while freeing up your IT team for more important tasks. Ensure you stay compliant with the new Cyber Essentials updates by updating your AD policies while increasing your security through Specops Password Policy and Breached Password Protection!