Enterprise Authentication: Password Controls Phase 2

Provided by: janed5

Transcript and Presenter's Notes

1
Enterprise Authentication Password Controls
Phase 2
  • December 12, 2003

2
Background
  • Enterprise Authentication Password Controls
    Committee - Phase 1 (Dec 02)
  • Anixis Password Policy Enforcer (PPE) implemented
    across forest
  • Mostly consistent password strength rules
  • 2 alphabetic, 2 numeric characters in password
  • Minimum password length 6 characters
  • No match with 4 chars of username, or name
  • No match with 4 chars of current password (HCIS
    environment only)
  • Random values for new account passwords (in all
    except HCIS environment)

3
Background
  • Phase 1 (continued)
  • Inconsistent password controls across forest
  • Password history (number of previous passwords
    checked)
  • Account Lockout values
  • Password Expiration intervals
  • Decision to accept inconsistencies for the short
    term
  • Develop self-service utilities
  • Password change
  • Store user password secrets
  • Password reset (using secrets)
  • Account lookup, account test
  • Administrative password reset

4
Phase 2
  • Enterprise Authentication Password Controls
    Committee - reconvened
  • Current landscape review
  • Consistent password controls
  • Improve tools (self-service, administrator)
  • Develop communication plan

5
Phase 2 Goals
  • Consistent password controls University-wide
  • Improve user experience
  • Decrease support effort
  • Achieve compliance with regulations
  • Audit requirements to improve security
  • Improve self-service password tools

6
Phase 2 Project Plan
  • Develop communication plans for providers, user
    community
  • Implement password control changes in the EAS
  • Expiration: 180 days
  • History: 10 previous passwords
  • Lockouts: 5 invalid attempts in 15 minutes locks
    account for 15 minutes
  • Strength: length 6, with 2 alpha, 2 numeric, no
    match with 4 chars of name, username, or previous
    password

7
Phase 2 Project Plan
  • Replace end user HawkID self-service tools with
    Anixis Password Reset product
  • Enforces all PPE strength settings
  • Adds account unlock function
  • Combines all tools into one interface
  • Provides contextual error messages
  • Develop password expiration notification process
  • Non-Windows services user notification

8
Work Groups
  • Communication plans
  • Self-Service tool implementation
  • Password expiration notification process
  • Password control changes
  • Enhancements to administrative password reset
    tools

9
Communication Plan
  • New Herky logo images
  • Advertising campaign: "Password Security is
    Serious" scenarios
  • DI ads, ITC screensavers, Cambus posters,
    bulletin boards
  • FYI, press release, emails, websites
  • Provider notices, testing
  • Timing of changes

10
Prototypes: Ad Campaign

11
Timing Considerations
  • Decision to delay until after the planned AD
    forest upgrade to Windows 2003 server in January.
  • Need sufficient interval to allow for testing of
    non-Windows services integration with tool, and
    password expiration (e.g., HR-SS, WebISIS).
  • Need sufficient interval between tool release and
    expiration to allow self-enrollment and voluntary
    password change by users
  • Decision not to implement changes over breaks or
    at beginning of semester when students and
    faculty/staff are unavailable or very busy.

12
Timeline
  • Anixis Password Reset Self-Service Tools
  • Installed, available to early adopters/testers:
    12/30/03
  • Available to campus: 2/1/04
  • Minor Password Control Changes implemented -
    2/1/04

13
Timeline
  • Password expiration e-mail notice process
    developed and pilot group implemented: 1/19/04
  • Password expiration implemented in Iowa domain
    with e-mail notices: 3/1/04 to 4/1/04
  • TBD: Administrative Reset Tool updates

14
Questions?
  • Timing
  • Integration Issues
  • Communication