Best Practices for Password Synchronization
Updated: March 1, 2012
Applies To: SharePoint Server 2007 for Search, Windows Server 2008 R2, Windows Server 2012
Install Password Synchronization on appropriate domain controllers
To ensure consistent synchronization of domain passwords with UNIX passwords, Password Synchronization must be installed on the primary domain controller and, in the case of a Windows 2000 domain, all domain controllers in a domain.
If you add a domain controller to a domain, you should install Password Synchronization on the new domain controller as soon as possible and configure it to match the other domain controllers.
If you need to remove Password Synchronization from any domain controller, you should demote the server to a member server before uninstalling Password Synchronization.
- If you add a domain controller to a domain, you should install Password Synchronization on the new domain controller as soon as possible and configure it to match the other domain controllers.
Ensure consistent password policies
If you are providing only for one-way password synchronization, make sure that the password policy on the computer from which passwords will be synchronized is at least as restrictive in all areas as the policy on the computer to which passwords are synchronized. For example, if you configure Windows-to-UNIX synchronization, the Windows password policy must be at least as restrictive as the policy of the UNIX computers with which it synchronizes passwords. If you are supporting two-way synchronization, the password policies must be equally restrictive on both systems. Inconsistent password policies can result in synchronization failure when a user changes a password on the less restrictive system; or the password might be changed on the more restrictive system, even if it does not conform to the system's policies.
Make sure that Windows users are aware of any special password restrictions on the UNIX systems with which their passwords will be synchronized. For example, some versions of UNIX support a maximum password length of eight characters. For maximum compatibility with the default Windows password policy and these UNIX limitations, passwords should be seven or eight characters long unless you are sure that all UNIX systems can support longer passwords.
Configure Password Synchronization to provide the maximum protection for your users' passwords
Follow these recommendations to maintain optimal security:
- Explicitly list the users whose passwords are to be synchronized
To provide maximum control over which users can synchronize passwords, do not use the ALL keyword with the SYNC_USERS list in sso.conf on the UNIX host. Instead, you should explicitly list each user for whom password synchronization is allowed or blocked. On the Windows-based computer running Password Synchronization, create the PasswordPropAllow group and add the accounts of users whose passwords you want to synchronize. For more information, see Controlling password synchronization for user accounts.
- Do not synchronize passwords for disabled UNIX accounts
On some versions of UNIX, changing the password of a disabled user account activates that account. Consequently, if a user has a disabled account on a UNIX computer that is configured to synchronize passwords with a Windows-based computer, the user or an administrator can activate the UNIX account by changing the user's Windows password. To prevent this, use the PasswordPropDeny group to block synchronization for disabled UNIX accounts.
Also, when an administrator disables a UNIX account, the administrator should use the SYNC_USERS entry in sso.conf to block password synchronization for the account.
- Avoid synchronizing administrator passwords
Do not synchronize passwords for members of the Windows Administrators groups or the passwords of UNIX superuser or root accounts.
- Perform the Windows
Server 2003 Service Pack 1 (SP1) compatibility check
when you enable
Windows to NIS (Active Directory) password synchronization
Password Synchronization Properties
tab. To protect the security of user account passwords in your enterprise, it is strongly recommended that you allow Password Synchronization to identify all domain controllers in the forest that are not running Windows Server 2003 SP1 or later releases.
Password Synchronization prompts you to allow the compatibility check when you select Enable in the Windows to NIS (Active Directory) password synchronization area. With Windows Server 2003 SP1, or a later release installed on all the domain controllers in a forest, the risk of exposing user password hashes to unauthorized viewers is greatly reduced. When Windows Server 2003 SP1 is not the minimum functional level of all the domain controllers in a forest, it is possible for any authenticated user on the domain to view the password hash for any UNIX user whose account has been migrated to Active Directory Domain Services (AD DS).
In the event an unauthorized user breaks the password hash for a UNIX-based user account in AD DS, the Windows-based password for the account is no longer secure.
- Explicitly list the users whose passwords are to be synchronized To provide maximum control over which users can synchronize passwords, do not use the ALL keyword with the SYNC_USERS list in sso.conf on the UNIX host. Instead, you should explicitly list each user for whom password synchronization is allowed or blocked. On the Windows-based computer running Password Synchronization, create the PasswordPropAllow group and add the accounts of users whose passwords you want to synchronize. For more information, see Controlling password synchronization for user accounts.
When Password Synchronization is installed, members of the local Administrators group and the Domain Administrators group are added to the PasswordPropDeny group, which prevents their passwords from being synchronized. If you add a user to either the Administrators or Domain Administrators group, be sure to add the user to the PasswordPropDeny group as well.
Modify the SYNC_USERS statement in the sso.conf file on all UNIX-based systems to prevent the passwords of superusers from being synchronized.
Do not use the default port number and encryption key
Preserving the default port number and encryption key makes it possible for an attacker to set up a spoofing UNIX host to capture passwords. You should protect the port number and encryption keys used to synchronize passwords as carefully as the passwords themselves.
Secure the sso.conf file
The sso.conf file on each UNIX host contains important configuration information that could be used to compromise security. It is recommended that you set the mode bit mask of the file to 600.
Ensure that the directory identified by TEMP_FILE_PATH is properly protected
The temporary files created on UNIX hosts by Password Synchronization contain information that could be used by an attacker to compromise system security. For this reason, you should ensure that any directory referenced by TEMP_FILE_PATH in sso.conf has read access only for the
account and cannot be accessed by any other users.
Ensure log files are appropriately protected
On the UNIX host, Password Synchronization uses the
daemon to log messages that result from synchronization operations. The resulting logs contain such information as the names of users whose passwords are being synchronized and with which computers, propagation errors, and so on. These log files should be protected to ensure that only administrators can view them.
Restart the Password Synchronization daemon after changing its configuration
When you make changes to the Password Synchronization daemon configuration file (sso.conf), you must stop and restart the daemon for configuration changes to take effect.
Configure systems to handle user name case sensitivity correctly
Unless you rigorously enforce a policy to ensure that Windows and UNIX user names match in both spelling and case, verify that the CASE_IGNORE_NAME option in the sso.conf file is set to 1 (the default). UNIX user names are case sensitive; therefore, passwords might not synchronize properly if the user names do not match exactly, because the Password Synchronization daemon is unable to associate the Windows user name with the corresponding UNIX user name.
Make sure that password file type and name are consistent
When you configure the Password Synchronization daemon, verify that the password file type (specified by USE_SHADOW) and path name (set by FILE_PATH) are appropriate for each other. For example, on most systems, if USE_SHADOW is set to 0 (to indicate that the passwd file is used for synchronization), then the FILE_PATH option should be set to /etc/passwd. However, if USE_SHADOW is set to 1 (to indicate that the shadow file is used instead), then the FILE_PATH option should be set to /etc/shadow. (On IBM AIX systems, the path and name of the shadow file is /etc/security/passwd.)