
This section of the ISM provides guidance on authentication hardening.

Account types

When these guidelines refer to authentication hardening, it is equally applicable to all account types. This includes user accounts, privileged accounts, break glass accounts and service accounts.

Authentication types

When these guidelines refer to authentication hardening, it is equally applicable to both interactive authentication and non-interactive authentication.

Authenticating to systems

Before access to a system and its resources is granted to a user, it is essential that they are authenticated. This is typically achieved via multi-factor authentication, such as a username along with biometrics and a password, or via single-factor authentication, such as a username and passphrase.

Security Control: 1546; Revision: 0; Updated: Aug-19; Applicability: O, P, S, TS
Users are authenticated before they are granted access to a system and its resources.

Multi-factor authentication

Multi-factor authentication uses two or more authentication factors to confirm a user’s identity. This may include:

  • something a user knows, such as a password
  • something a user has, such as a Universal 2nd factor security key, physical one-time password token or smartcard
  • something a user is, such as a fingerprint or their facial geometry.

Note, however, that if something a user knows is written down, or typed into a file and stored as plaintext, this becomes something that a user has rather than something a user knows.

Privileged users, positions of trust, users of remote access solutions and users with access to important data repositories are more likely to be targeted by an adversary due to their level of access. For this reason, it is especially important that multi-factor authentication is used for these accounts. In addition, multi-factor authentication is vital to any system administration activities as it can limit the consequences of a compromise by preventing or slowing an adversary’s ability to gain unrestricted access to assets. In this regard, multi-factor authentication may be implemented as part of a jump server authentication process rather than performing multi-factor authentication on all critical assets, some of which may not support multi-factor authentication.

When implementing multi-factor authentication, several different authentication factors can be implemented. Unfortunately, some authentication factors, such as those sent via Short Message Service, are more susceptible to compromise by an adversary than others. For this reason, a limited number of authentication factors are recommended for use as part of multi-factor authentication implementations.

The benefit of implementing multi-factor authentication can be diminished when credentials are reused on other systems. For example, when usernames and passwords used as part of multi-factor authentication for remote access are the same as those used for corporate workstations. In such circumstances, if an adversary had compromised the device used for remote access, they could capture the username and password for reuse against a corporate workstation that did not require the use of multi-factor authentication.

Security Control: 0974; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS
Multi-factor authentication is used to authenticate standard users.

Security Control: 1173; Revision: 3; Updated: Mar-19; Applicability: O, P, S, TS
Multi-factor authentication is used to authenticate all privileged users and any other positions of trust.

Security Control: 1384; Revision: 3; Updated: Aug-20; Applicability: O, P, S, TS
Multi-factor authentication is used to authenticate privileged users each time they perform privileged actions.

Security Control: 1504; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Multi-factor authentication is used to authenticate all users of remote access solutions.

Security Control: 1505; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS
Multi-factor authentication is used to authenticate all users when accessing important data repositories.

Security Control: 1401; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.

Security Control: 1559; Revision: 0; Updated: Oct-19; Applicability: O, P
Passwords used for multi-factor authentication are a minimum of 6 characters.

Security Control: 1560; Revision: 0; Updated: Oct-19; Applicability: S
Passwords used for multi-factor authentication are a minimum of 8 characters.

Security Control: 1561; Revision: 0; Updated: Oct-19; Applicability: TS
Passwords used for multi-factor authentication are a minimum of 10 characters.

Security Control: 1357; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
When multi-factor authentication is implemented, none of the authentication factors on their own can be used for single-factor authentication to another system.

Single-factor authentication

A significant threat to user accounts is offline password/passphrase cracking tools. When an adversary gains access to a list of usernames and hashed passwords/passphrases from a system, they can attempt to recover them by comparing the hash of a known password/passphrase with the hashes from the list of hashed passwords/passphrases that they obtained. By finding a match, an adversary will know the password/passphrase associated with a given username. Combined, this often forms a complete set of credentials for an account.

In order to reduce this security risk, organisations should implement multi-factor authentication. Note, while single-factor authentication is no longer considered suitable for protecting sensitive or classified information, it may not be possible to implement multi-factor authentication on some systems. In such cases, organisations will need to increase the time it takes, on average, for an adversary to compromise a password/passphrase by introducing complexity and continuing to increase its length over time. Such increases in length can be balanced against usability through the use of passphrases rather than passwords. In cases where systems do not support passphrases, and as an absolute last resort, the strongest password length and complexity supported by a system will need to be implemented.

Security Control: 0417; Revision: 5; Updated: Oct-19; Applicability: O, P, S, TS
When systems cannot support multi-factor authentication, single-factor authentication using passphrases is implemented instead.

Security Control: 0421; Revision: 6; Updated: Oct-19; Applicability: O, P
Passphrases used for single-factor authentication are a minimum of 14 characters with complexity, ideally as 4 random words.

Security Control: 1557; Revision: 0; Updated: Oct-19; Applicability: S
Passphrases used for single-factor authentication are a minimum of 17 characters with complexity, ideally as 5 random words.

Security Control: 0422; Revision: 6; Updated: Oct-19; Applicability: TS
Passphrases used for single-factor authentication are a minimum of 20 characters with complexity, ideally as 6 random words.

Security Control: 1558; Revision: 1; Updated: Apr-20; Applicability: O, P, S, TS
Passphrases used for single-factor authentication:

  • are not constructed from song lyrics, movies, literature or any other publicly available material
  • do not form a real sentence in a natural language
  • are not a list of categorised words.

Security Control: 1596; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Passphrases used for single-factor authentication cannot be used to authenticate to multiple different systems.
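The following is an added example, not part of the ISM or any ACSC publication, showing how the passphrase requirements above (controls 0421, 1557 and 0422) and the dice-based word selection referenced in the Further information section fit together in code. The word list is a small constructed sample standing in for a published list such as the EFF long word list; the marking-to-minimum table and the function names are the example's own. It generates a passphrase of the ideal word count for a marking with the operating system's cryptographic random source, checks the character minimum, maps five dice rolls to a word-list index, and estimates entropy from the list size. It does not attempt to check the construction rules of control 1558 (no lyrics, sentences or categorised word lists), which need a human or a dedicated dictionary check.

```python
import math
import secrets

# Constructed sample word list; a real deployment would use a large published list
# such as the EFF long word list (7,776 words, one per five-dice roll).
SAMPLE_WORDS = [
    "anchor", "bramble", "cobalt", "dagger", "ember", "falcon", "granite", "harbour",
    "iguana", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "basalt", "canyon", "dune", "fjord", "glacier", "heron", "ivory",
]

# Minimum length (characters) and ideal word count for single-factor passphrases,
# keyed by applicability marking, as stated in controls 0421, 1557 and 0422.
PASSPHRASE_MINIMUMS = {
    "O": (14, 4),
    "P": (14, 4),
    "S": (17, 5),
    "TS": (20, 6),
}


def dice_index(rolls):
    """Map five dice rolls (each 1..6) to a 0-based index into a 7,776-word list.

    Rolls 1,1,1,1,1 give index 0 and 6,6,6,6,6 give index 7775, matching the
    ordering of a diceware-style list.
    """
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("expected five rolls in the range 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(count=5):
    """Roll dice with the OS CSPRNG; random.randint would not be suitable here."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def generate_passphrase(word_count, words=SAMPLE_WORDS, separator="-"):
    """Join word_count words chosen uniformly at random from the list."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(word_count, list_size):
    """Entropy of a passphrase of word_count words drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def meets_minimum_length(passphrase, marking):
    min_chars, _ = PASSPHRASE_MINIMUMS[marking]
    return len(passphrase) >= min_chars


def generate_for_marking(marking, words=SAMPLE_WORDS):
    """Generate a passphrase with the ideal word count that also meets the length floor."""
    min_chars, word_count = PASSPHRASE_MINIMUMS[marking]
    # Short words could leave a word-count-compliant passphrase under the length
    # minimum, so regenerate until both requirements are satisfied.
    while True:
        candidate = generate_passphrase(word_count, words)
        if len(candidate) >= min_chars:
            return candidate


if __name__ == "__main__":
    for marking in PASSPHRASE_MINIMUMS:
        print(marking, generate_for_marking(marking))
    print("index for roll 6,6,6,6,6:", dice_index([6, 6, 6, 6, 6]))
    print("entropy of 5 words from a 7,776-word list: %.1f bits" % entropy_bits(5, 7776))
```

The entropy figure is what the list size and word count guarantee regardless of which words happen to be drawn; with the 32-word sample list above it is only 5 bits per word, which is why the lead-in stresses that a real list must be used.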

Setting and resetting credentials for user accounts

When passwords/passphrases for users are set or reset on their behalf, it is important that they are randomly generated and, following sufficient verification of their identity (e.g. physically presenting themselves and their pass to a service desk or known colleague, or answering a set of challenge-response questions), provided to them via a secure communications channel in order to prevent their compromise. If this is not possible, alternative risk-based measures will need to be implemented.

Security Control: 1227; Revision: 4; Updated: Aug-20; Applicability: O, P, S, TS
Passwords/passphrases set or reset on users’ behalf are randomly generated.

Security Control: 1593; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Users provide sufficient evidence to verify their identity when collecting a password/passphrase for their account.

Security Control: 1594; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Passwords/passphrases are provided to users via a secure communications channel or, if not possible, split into parts with part being provided to the user and part provided to the user’s supervisor.

Security Control: 1595; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Users that do not set their own initial password/passphrase are required to change it on first use.

Setting and resetting credentials for service accounts

To provide additional security and credential management functionality for service accounts, Microsoft introduced group Managed Service Accounts in Microsoft Windows Server 2012. In doing so, service accounts that are created as group Managed Service Accounts do not require manual credential management by administrators, as the operating system automatically manages the credentials. This ensures that service account credentials are not misplaced or forgotten, and that they are automatically changed on a regular basis.

Security Control: 1619; Revision: 0; Updated: Oct-20; Applicability: O, P, S, TS
Service accounts are created as group Managed Service Accounts.

Account lockouts

Locking an account after a specified number of failed logon attempts reduces the likelihood of successful password spraying attacks. However, care should be taken as implementing account lockout functionality can increase the likelihood of a denial of service. Alternatively, some systems can be configured to automatically slow down repeated failed logon attempts rather than locking accounts. Implementing multi-factor authentication is also an effective way of reducing the likelihood of successful password spraying attacks.
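The following is an added example, not part of the ISM, of the two approaches just described: a per-account lockout after five failures (control 1403) and an exponential slow-down alternative, plus a lockout counter to support the review required by control 0431. The lockout duration, the back-off cap and the class and method names are the example's own assumptions; the page sets none of them. It also keeps a timestamp of each account's last failure so that the number of distinct accounts failing within a short window can be reported, since a password spray spreads a single guess across many accounts and stays under any per-account threshold.

```python
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5        # control 1403: lock after at most five failures
LOCKOUT_SECONDS = 15 * 60      # assumed lockout duration; the ISM does not set one
MAX_THROTTLE_SECONDS = 300     # assumed cap on the slow-down delay


@dataclass
class AccountState:
    failures: int = 0                       # consecutive failures since last success
    not_before: float = 0.0                 # earliest time another attempt may be made
    lockouts: int = 0                       # total lockouts, for the review in control 0431
    last_failure: Optional[float] = None    # time of the most recent failure


class LogonGuard:
    """Tracks failed logons per account in either 'lockout' or 'throttle' mode.

    The clock is injectable so behaviour can be tested deterministically.
    """

    def __init__(self, mode="lockout", clock=time.monotonic):
        if mode not in ("lockout", "throttle"):
            raise ValueError("mode must be 'lockout' or 'throttle'")
        self.mode = mode
        self.clock = clock
        self.accounts = {}

    def _state(self, account):
        return self.accounts.setdefault(account, AccountState())

    def attempt_allowed(self, account):
        """Return (allowed, seconds_to_wait) for a new logon attempt on the account."""
        state = self._state(account)
        remaining = state.not_before - self.clock()
        if remaining > 0:
            return False, remaining
        return True, 0.0

    def record_failure(self, account):
        state = self._state(account)
        now = self.clock()
        state.failures += 1
        state.last_failure = now
        if self.mode == "lockout":
            if state.failures >= MAX_FAILED_ATTEMPTS:
                state.not_before = now + LOCKOUT_SECONDS
                state.lockouts += 1
                state.failures = 0
        else:
            # Slow-down alternative: 1, 2, 4, 8 ... seconds between attempts, capped.
            delay = min(2 ** (state.failures - 1), MAX_THROTTLE_SECONDS)
            state.not_before = now + delay

    def record_success(self, account):
        state = self._state(account)
        state.failures = 0
        state.not_before = 0.0

    def lockout_count(self, account):
        return self._state(account).lockouts

    def needs_investigation(self, account, lockout_threshold=2):
        """Repeated lockouts should be investigated before access is reauthorised."""
        return self._state(account).lockouts >= lockout_threshold

    def failed_accounts_within(self, window_seconds):
        """Number of distinct accounts with a failure in the window: a spray indicator."""
        now = self.clock()
        return sum(
            1 for s in self.accounts.values()
            if s.last_failure is not None and now - s.last_failure <= window_seconds
        )


if __name__ == "__main__":
    guard = LogonGuard("lockout")
    for _ in range(MAX_FAILED_ATTEMPTS):
        guard.record_failure("alice")
    print("alice allowed:", guard.attempt_allowed("alice"))
    print("lockouts:", guard.lockout_count("alice"))
```

Per-account counting on its own says nothing about a spray in progress, which is why the guideline pairs lockouts with multi-factor authentication; the window count above is one simple signal a detection rule can alert on.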

Security Control: 1403; Revision: 2; Updated: Oct-19; Applicability: O, P, S, TS
Accounts are locked out after a maximum of five failed logon attempts.

Security Control: 0431; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Repeated account lockouts are investigated before reauthorising access.

Account unlocks

To reduce the likelihood of social engineering being used to compromise accounts, users should provide sufficient evidence to verify their identity when requesting an account unlock.

Security Control: 0976; Revision: 6; Updated: Aug-20; Applicability: O, P, S, TS
Users provide sufficient evidence to verify their identity when requesting an account unlock.

Unsecure authentication methods

Authentication methods need to resist theft, interception, duplication, forgery, unauthorised access and unauthorised modification. For example, Local Area Network (LAN) Manager and NT LAN Manager authentication methods use weak hashing algorithms. As such, passwords/passphrases used as part of LAN Manager authentication and NT LAN Manager authentication (i.e. NTLMv1, NTLMv2 and NTLM2) can easily be compromised. Instead, organisations should use Kerberos for authentication within Microsoft Windows environments.

Security Control: 1603; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Authentication methods susceptible to replay attacks are disabled.

Security Control: 1055; Revision: 4; Updated: Oct-20; Applicability: O, P, S, TS
LAN Manager and NT LAN Manager authentication methods are disabled.

Security Control: 1620; Revision: 0; Updated: Oct-20; Applicability: O, P, S, TS
Privileged accounts are members of the Protected Users security group.

Protecting credentials

Storing credentials with the system they grant access to increases the likelihood of an adversary gaining access to that system. For example, a password/passphrase should never be written down and stuck to a laptop or computer monitor, and one-time password tokens should never be left with computers or in laptop bags. Furthermore, obscuring credentials as they are entered into systems can assist in protecting them against screen scrapers and shoulder surfers.

If storing credentials on a system, sufficient protection should be implemented to prevent them from being compromised as part of a targeted cyber intrusion. For example, credentials can be stored in a password vault rather than in a Microsoft Word or Excel document, credentials stored in a database can be hashed, salted and stretched, or credentials can be stored in a hardware security module.

Finally, asymmetric authentication and secure transmission of credentials reduces the likelihood of an adversary intercepting and using such information to access a system under the guise of a valid user.
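The following is an added example, not part of the ISM, of what "hashed, salted and stretched" (control 1402) looks like for credentials stored in a database, and of why it blunts the offline cracking described under Single-factor authentication. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the record format and the function names are the example's own choices. Each record carries its own random salt, so two users with the same password produce different hashes and a precomputed table is useless; the iteration count is the stretching, and a record hashed with a lower count is flagged for upgrade on the user's next successful logon.

```python
import base64
import hashlib
import hmac
import os

# Work factor for stretching. Raise it over time as hardware improves;
# needs_rehash() lets existing records be upgraded at the next successful logon.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGORITHM = "pbkdf2_sha256"


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # per-record random salt defeats precomputed tables
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "{}${}${}${}".format(ALGORITHM, iterations, _b64(salt), _b64(derived))


def _parse(record):
    algorithm, iterations, salt_b64, key_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record format: " + algorithm)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(key_b64)


def verify_password(password, record):
    """Recompute the derived key with the stored salt and cost, then compare."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the stored record was stretched with a weaker work factor than current."""
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations


def check_and_upgrade(password, record, iterations=ITERATIONS):
    """Verify a logon; on success, return an upgraded record if the old one is weak."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, iterations):
        return True, hash_password(password, iterations)
    return True, record


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print("same password, different records:", first != second)
    print("verify:", verify_password("correct horse battery staple", first))
```

The salt is stored in the clear alongside the hash; its job is not secrecy but uniqueness, forcing an adversary who obtains the table to attack each record separately at the full stretched cost.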

Security Control: 0418; Revision: 4; Updated: Oct-19; Applicability: O, P, S, TS
Credentials are stored separately from systems to which they grant access.

Security Control: 1597; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Credentials are obscured as they are entered into systems.

Security Control: 1402; Revision: 5; Updated: Aug-20; Applicability: O, P, S, TS
Stored passwords/passphrases are protected by ensuring they are hashed, salted and stretched.

Security Control: 1590; Revision: 0; Updated: Aug-20; Applicability: O, P, S, TS
Passwords/passphrases are changed if:

  • they are directly compromised
  • they are suspected of being compromised
  • they appear in online data breach databases
  • they are discovered stored in the clear on a network
  • they are discovered being transferred in the clear across a network
  • membership of a shared account changes
  • they have not been changed in the past 12 months.
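One of the triggers above, appearance in an online data breach database, can be checked without ever sending the password to the lookup service. The following is an added example, not part of the ISM, of the hash-prefix (k-anonymity) pattern used by services such as Have I Been Pwned's Pwned Passwords: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining suffix locally against the list the service returns for that prefix. The range response embedded here is constructed for the example and its counts are invented; only the format (suffix, colon, count per line) and the well-known SHA-1 of the word "password" are real. The fetch function is a stand-in for the network call and takes the same prefix argument a real client would send.

```python
import hashlib

# Constructed stand-in for a range lookup response for prefix "5BAA6".
# The first line is the real SHA-1 suffix of "password"; the counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:12
FFEEDDCCBBAA99887766554433221100FFE:1
"""


def sha1_hex_upper(password):
    """Upper-case hex SHA-1 digest, the form used by prefix range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_lookup(password):
    """Return (prefix, suffix): only the 5-character prefix leaves the client."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range(text):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and case."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def breach_count(password, fetch_range):
    """Number of times the password appeared in breaches, or 0 if not listed.

    fetch_range(prefix) returns the raw range text for that 5-character prefix;
    a real client would perform an HTTPS request here.
    """
    prefix, suffix = split_for_lookup(password)
    table = parse_range(fetch_range(prefix))
    return table.get(suffix, 0)


def sample_fetch(prefix):
    """Offline stand-in for the service: only prefix 5BAA6 has constructed data."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-xyz"):
        print(candidate, "->", breach_count(candidate, sample_fetch), "occurrences")
```

A non-zero count is a change trigger under control 1590; the same check can be run at password-set time so that a compromised value is refused before it is ever stored.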

Session termination

Implementing measures to automatically terminate user sessions outside of business hours (noting these may differ between work areas) and after an appropriate period of inactivity, and then reboot workstations, can assist both with system maintenance activities (such as patching) and with removing any adversaries that may have compromised a system but failed to gain persistence.

Security Control: 0853; Revision: 1; Updated: Aug-20; Applicability: O, P, S, TS
Outside of business hours, and after an appropriate period of inactivity, user sessions are terminated and workstations are rebooted.

Session and screen locking

Session and screen locking prevents unauthorised access to a system which a user has already been authenticated to access.

Security Control: 0428; Revision: 6; Updated: Sep-18; Applicability: O, P, S, TS
Systems are configured with a session or screen lock that:

  • activates after a maximum of 15 minutes of user inactivity or if manually activated by the user
  • completely conceals all information on the screen
  • ensures that the screen does not enter a power saving state before the screen or session lock is activated
  • requires the user to reauthenticate to unlock the system
  • denies users the ability to disable the session or screen locking mechanism.

Logon banner

Displaying a logon banner to users before access is granted to a system reminds them of their security responsibilities. Logon banners may cover topics such as:

  • the sensitivity or classification of the system
  • access to the system being restricted to authorised users
  • acceptable usage and security policies for the system
  • the user’s agreement to abide by abovementioned policies
  • legal ramifications of violating the abovementioned policies
  • details of monitoring and auditing activities
  • a point of contact for any questions.

Security Control: 0408; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted.

Security Control: 0979; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS
Legal advice is sought on the exact wording of logon banners.

Further information

Further information on authorisations, security clearances and briefings for system access can be found in the access to systems and their resources section of the Guidelines for Personnel Security.

Further information on restricting administrative privileges can be found in the ACSC’s Restricting Administrative Privileges publication at https://www.cyber.gov.au/acsc/view-all-content/publications/restricting-administrative-privileges.

Further information on implementing multi-factor authentication can be found in the ACSC’s Implementing Multi-Factor Authentication publication at https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-multi-factor-authentication.

Further information on mitigating the use of stolen credentials can be found in the ACSC’s Mitigating the Use of Stolen Credentials publication at https://www.cyber.gov.au/acsc/view-all-content/publications/mitigating-the-use-of-stolen-credentials.

A method for randomly generating passphrases can be found at the Electronic Frontier Foundation’s website at https://www.eff.org/dice (preferably using five dice rolls and the long word list) while a random five dice roller can be found at https://www.random.org/dice/?num=5.