Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


August 2007

Password Synchronization

Microsoft solutions for secure access
From the August 2007 Edition
of Windows IT Pro
Jan De Clercq
Feature
InstantDoc #96220
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Executive Summary:
Microsoft offers several password synchronization solutions for securing access to your information technology (IT) infrastructure. Microsoft’s Identity Lifecycle Manager (ILM) is provisioning or identity lifecycle management software that provides directory synchronization, account provisioning and deprovisioning, password synchronization, and management services. Microsoft’s Identity Integration Feature Pack (IIFP) can provide identity directory synchronization, account provisioning and deprovisioning, and password synchronization services. Microsoft’s Services for UNIX (SFU) 3.5, which Windows 2003 R2 includes, has a password synchronization service. Host Integration Server (HIS) comes with an optional component called Enterprise Single Sign-On (ENTSSO) that can provide single sign-on (SSO) services. Services for NetWare can provide one-way password synchronization from Active Directory (AD) to a bindery, Novell Directory Services (NDS), or eDirectory.


Passwords have become a necessary evil to many users and administrators. Although passwords are a cheap solution for securing access to an IT infrastructure and its resources, poorly chosen or managed passwords can lead to insecure environments and the compromise of corporate data or resources. In addition, because different applications and environments have specific password requirements, most users end up with several passwords. Average users who must deal with different passwords often choose identical or easy-to-remember passwords. If a user's passwords aren't easy to remember, the user might record the passwords on a handy notepad. These practices make password compromise more likely than ever.

Several approaches exist for making passwords more secure and easier to manage. Options include enforcement of strong password policies, employment of credential mapping solutions, and use of password synchronization.

Strong password policies can ensure that passwords are changed at regular intervals and that they adhere to certain complexity rules—both of which lower the chances of successful password guessing or brute force cracking-based attacks on password hashes. Credential mapping solutions map a user's credentials that are needed to access different resources to a set of primary user credentials. Successful authentication using the primary credentials transparently unlocks the other user credentials and provides single sign-on (SSO) for that particular user to the other resources.

The third approach—password synchronization—specifically targets the user and administrator problem of having to deal with different passwords. Password synchronization can significantly ease users' and administrators' lives because it reduces the problem of multiple passwords to the management and maintenance of just one password. In this article I focus on Microsoft solutions for synchronizing passwords between Active Directory (AD) and other repositories. To start with, I define password synchronization and discuss the challenges you might face when architecting a password synchronization solution.

Definition and Challenges
A password synchronization solution ensures that a user's passwords that are stored in different repositories are kept synchronized. A single synchronized password is easier to remember than multiple passwords, and users are far less prone to having problems and calling the Help desk. Users also tend to write down their single synchronized passwords less often.

Password synchronization solutions come in two flavors: one-way and bidirectional. Table 1 lists four Microsoft password synchronization solutions and their characteristics (including one-way or bidirectional). (For more information about these solutions, see the Learning Path.) One-way password synchronization solutions push password changes from a central "master" repository to a set of connected repositories—these solutions are also referred to as "password push" solutions. In bidirectional password synchronization solutions, password changes can occur in any of the connected repositories. Even though both solutions sound like simple copy operations, they pose a few interesting challenges.

One challenge arises from the fact that passwords are stored in a secure format. For example, in AD, passwords are always stored in a hashed format. Hash functions are one-way cryptographic ciphers: You can't derive the original password from a password hash. As a result, accessing a user's plaintext password under normal AD operations is impossible. Plaintext passwords are available only when the password is set (i.e., when the associated user account is created), reset by an administrator, or changed by the user. This also means that passwords can—unlike other user attributes— be synchronized only when a password set, reset, or change event occurs. Also, unless users communicate with the password synchronization solution only when they set or change their password, password synchronization solutions require special software logic that can intercept plaintext passwords when users set or change their password on an AD domain controller (DC) or a Novell NetWare directory server.

Another challenge is password complexity rules. Different repositories typically have different rules regarding password complexity. When you set up password synchronization between repositories, you must define the least common denominator set of password complexity rules for each of the connected repositories. If you don't align the password complexity rules, synchronization will fail. For security experts, this alignment of the password complexity rules is a valid reason to argue against the security of password synchronization solutions. Moreover, security experts typically aren't fond of password synchronization solutions because they think that synchronizing password credentials between the databases of different authentication authorities is dangerous. Their objections are based on the "key to the kingdom" argument: If you know a user's password, you can access other resources that are secured with the same password (as long as you know the correct user account on the target system). However, this problem shouldn't be overemphasized. Even with password synchronization, a significant barrier still exists for a malicious person to access information that's secured using a user ID/password-based authentication scheme. The user must know the single synchronized password and the correct user ID on the target system. Nevertheless, when you implement password synchronization you need to educate your users about their single synchronized password's crucial role. In addition, you must constantly remind users of the dangers of social engineering and of sharing their password with others.

Finally, bidirectional password synchronization solutions require a synchronization loop detection mechanism. Without loop detection, password synchronization would go on forever between the different repositories. This problem doesn't occur with one-way password synchronization solutions.

Using ILM or IIFP
Microsoft Identity Lifecycle Manager (ILM, formerly known as Microsoft Identity Integration Server—MIIS) is Microsoft's provisioning or identity lifecycle management software. Besides directory synchronization, account provisioning, and deprovisioning services, ILM can also provide password synchronization and management services. ILM can provide these services between a wide range of connected repositories, including AD, Active Directory Application Mode (ADAM), Exchange 2000 Server or Exchange Server 2003, and Windows NT 4.0, as well as Lotus Notes, Sun ONE Directory Server, and Novell eDirectory. The latest ILM version is ILM 2007. For more information about ILM, go to the Microsoft Identity Lifecycle Manager 2007 Web site at http://www.microsoft.com/windowsserver/ilm2007/default.mspx

Microsoft's Identity Integration Feature Pack (IIFP) can provide identity directory synchronization, account provisioning and deprovisioning, and password synchronization services—but only between AD, ADAM, and Exchange 2000 or Exchange 2003 instances. You can download this free software package from http://www.microsoft.com/downloads/details.aspx?familyid=d9143610-c04d-41c4b7ea-6f56819769d5&displaylang=en

   Previous  [1]  2  3  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path ILM and IIFP Resources
"Does Your Network See Dead People?"

"ENTSSO Password Synchronization"

"Extending MIIS 2003 Functionality"

"Getting to Know ADAM"

"Identity Lifecycle Manager 2007"

"Secure Directory Access with MIIS"


SFU and Windows Server 2003 R2 Resources
"Microsoft Windows NT Services for UNIX"

"New Features in Windows Server 2003 R2"

"R2 Moves Windows 2003 Forward"

"Services for UNIX 3.5"

"Services for UNIX 3.5’s Flair for Interoperability"

"What You Probably Don’t Know About Windows Server 2003 R2 (Part 1)"


Host Integration Server 2006 Resources
"Host Integration Server Community"

"Microsoft Host Integration Server Web site"


Services for NetWare Resources
"Microsoft Windows Services for NetWare 5.03 Web site"
Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

Windows Mobile: What Went Wrong?

Paul discusses the evolution of Windows Mobile and why he thinks the platform is probably doomed. ...

More fun TechEd 2005 Resources

Kevin points out some more TechEd resources ...
Related Articles Specops Password Policy

Emailing Users Before Their Passwords Expire
Security Whitepapers Protecting (You and) Your Data with Exchange Server 2007

Extended Validation SSL Certificates

Unauthorized applications: Taking back control
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Microsoft Exchange & Windows Connections event returns to Las Vegas Nov 10 - 13
Connections returns to Las Vegas for this exciting event where each attendee will receive SQL Server 2008 standard with 1 CAL. Co-located with Microsoft ASP.NET, SQL Server, and SharePoint Connections with over 250 in-depth sessions.

Free Online Event! Virtualization:Get the Facts!
Register now and attend this free, live in-depth online conference on November 13 and 20, 2008, produced by Windows IT Pro. All registrants are eligible to receive a complimentary one-year digital subscription to Windows IT Pro (a $49.95 value)!

Check Out Hyper-V Video on ITTV
Watch Karen Forster's interview on Hyper-V's performance on ITTV.net.

Ease Your Scripting Pains with the Flexibility of PowerShell!
Join MVP Paul Robichaux on December 11, 2008 at 11:00 AM EDT as he equips you with PowerShell basics in 3 introductory lessons, each followed by a live Q&A session—all on your own computer!

PASS Community Summit 2008 in Seattle on Nov 18-21
The don’t-miss event for Microsoft SQL Server Professionals. Register now and you’ll enjoy top-notch Microsoft and Community speakers and more.



Solving PST Management Problems
In this white paper, read about the top PST issues and how to administer local/network PST Files.

Get Protected -- Data Protection Manager 2007
Protect your virtualized environment with Data Protection Manager

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing