What is the FGPP, or how to apply a refined password policy?
The FGPP, or refined password strategy, integrates with the password policies applied in Active Directory.
What's special about it? It allows several different password policies to coexist within the same domain.
This is a major advantage in a business environment where organisations are becoming increasingly complex, and where different departments are accessing ever more data and applications... with different levels of sensitivity and criticality. What's more, IT security is becoming an increasingly important issue for businesses.
So what exactly is the FGPP and what are its benefits? Are there any differences with a password strategy deployed via GPOs? How do you set up a Fine Grained Password Policy within your information system, and what tools are there to support you in this task?
Let's take a look.
What is FGPP?
FGPP is an acronym for Fine Grained Password Policy. It is a password policy deployed through Active Directory, alongside the domain-wide policy.
💡 As a reminder, Active Directory, or AD, is defined as a directory of LDAP (Lightweight Directory Access Protocol) services set up by Microsoft. Its purpose? To centralise identification and authentication elements within a single information system in a Windows environment.
To achieve this, Active Directory is structured into various objects of different types (resources, users and services).
For a long time, AD did not allow multiple password strategies to be applied to the same domain. This is why Microsoft developed the FGPP, with the arrival of Windows Server 2008. As a result, businesses can now set up different policies without having to create new domains.
☝️ Note: a Fine Grained Password Policy can relate to a user or a group, but not to an organisational unit (administrative container created in a domain).
What's the difference with GPOs?
GPOs (Group Policy Objects) are a set of Group Policy settings that define a system and its behaviour for associated users.
Determining a password policy via GPOs remains the most widespread method, having been permitted since the introduction of Active Directory in 1999.
What makes it special?
It is configured by default in the domain policy (the Default Domain Policy GPO). As a result, the password settings applied to a domain's users are those defined in that GPO.
In other words, a single password policy is in effect for all users in the same domain.
What are the advantages and disadvantages?
FGPP and GPO offer the same set of settings (minimum length required, for example). However, as we have just seen, the way they are applied differs.
A GPO can therefore enforce complex passwords... but only one password policy per domain is possible. This constraint forces companies to multiply their domains if they want to apply a different policy to different users or groups of users.
In contrast, with a Fine Grained Password Policy, organisations enjoy greater flexibility. They can, for example, require different password lengths depending on the services or the sensitivity of the data to which a particular group of employees has access.
Let's take a closer look at how to deploy an FGPP.
How do you implement refined password strategies?
FGPP prerequisites
There are several prerequisites for deploying an FGPP.
Firstly, the domain functional level must be at least Windows Server 2008, because Fine Grained Password Policy was introduced with this version.
Secondly, the person carrying out the configuration must be an administrator of the domain concerned. To check this, look for the following entry under the domain name in the Active Directory Administrative Center (ADAC): "System\Password Settings Container".
Order of application
Active Directory organises the directory as a hierarchy, represented in the form of a tree structure, in which computers and users are arranged into groups and sub-groups.
You therefore need to understand the order in which FGPPs are applied.
- As a reminder, the password policy you define applies to a user or a group. However, we recommend the first option. In this way, the chosen policy will automatically be effective for any group that includes the user in question.
- If several policies apply to the same user or group, the system will prioritise the one with the lowest value in the "Precedence" attribute.
- If the values entered are identical, the policy with the smallest GUID (Globally Unique IDentifier) takes precedence.
- Finally, when a group contains other groups (nested groups), the policy applies to all the users in these groups.
Parameters to be entered
Password length, complexity, expiry date, etc. Active Directory allows you to manage various parameters. Here's how to do it.
Launch the Active Directory Administrative Center (in Windows administrative tools), then open System > Password Settings Container and click New > Password Settings.
Once you have launched the configuration interface, specify the various characteristics of your password policy. To do this, you need to enter values in the fields, or tick/untick boxes according to your preferences.
Here are the various parameters in question:
- "Name": this is the name of the password policy. Ideally, it should reflect the group or individual concerned.
- "Precedence": the FGPP Precedence is the value used to prioritise policies, particularly when several Fine Grained Password Policies apply to the same user or group. In this case, the smaller number takes precedence.
- "Enforce minimum password length", in number of characters.
- "Enforce password history", to prevent passwords being recycled.
- "Password must meet complexity requirements": this attribute lets you choose whether or not the default complexity rules are enforced. The default requirements operate on two levels:
- the password must not contain the user's account name (the sAMAccountName value) or the entire Full Name value (displayName);
- it must contain characters from at least 3 of the following 5 categories:
- upper case letters
- lower case letters
- numbers
- special characters (non-alphanumeric)
- Unicode characters classified as alphabetical but not as upper or lower case (characters from Asian languages, for example).
- "Store password using reversible encryption": for security reasons, this option is not recommended.
- "Protect from accidental deletion".
- "Enforce minimum password age": this parameter controls the minimum time a password must be kept, to prevent it being changed too frequently. You can define a value between 1 and 998 days, or allow immediate changes by specifying 0.
- "Enforce maximum password age": this setting determines when the password must be renewed; sufficiently frequent renewal is one of the conditions for a sound password policy. Define a value between 1 and 999 days, or enter 0 if you do not want your passwords to expire.
- "Enforce account lockout policy": this setting includes:
- "Number of failed logon attempts allowed",
- "Reset failed logon attempts count after",
- "Account will be locked out": the account will be locked out for a specified number of minutes, or until an administrator manually unlocks it.
- "Description": you can add a description if required. Specify, for example, who the policy is intended for, their duties and responsibilities within the company, etc.
- "Directly Applies to": specify to whom this policy applies (group or user).
Once all these parameters have been validated, the policy appears in the Password Settings Container as an entry bearing the name entered in "Name".
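The same configuration can be scripted with the ActiveDirectory PowerShell module. The block below is an added example, not part of the original article: it creates two policies with the parameters listed above, applies them to groups, and then reproduces the precedence rules from the "Order of application" section by hand so you can compare the result with what AD itself reports. The group names "Finance-Users" and "Privileged-Admins" and the user "jdoe" are assumed placeholders.

```powershell
# Added example (not from the original article). Assumed placeholder names:
# groups "Finance-Users" and "Privileged-Admins", user "jdoe".
Import-Module ActiveDirectory

# Baseline policy for a department. Lower Precedence number = higher priority.
New-ADFineGrainedPasswordPolicy -Name "PSO-Finance" -Precedence 20 `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "90.00:00:00" `
    -LockoutThreshold 10 -LockoutObservationWindow "0.00:15:00" `
    -LockoutDuration "0.00:30:00" -Description "Finance department users"

# Stricter policy for privileged accounts; its Precedence of 10 beats PSO-Finance
# for any user who is a member of both groups.
New-ADFineGrainedPasswordPolicy -Name "PSO-Admins" -Precedence 10 `
    -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
    -LockoutThreshold 5 -LockoutObservationWindow "0.00:30:00" `
    -LockoutDuration "0.00:30:00" -Description "Privileged accounts"

# "Directly Applies to": link each policy to a group.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Finance" -Subjects "Finance-Users"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Admins"  -Subjects "Privileged-Admins"

# Reproduce the resolution rules by hand: collect every PSO that applies to the
# user directly or through (nested) group membership, then order by Precedence,
# with the lowest GUID as the tie-breaker.
function Get-CandidatePso {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested group membership in one query.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $subjects = @($user.DistinguishedName) + @($groups | ForEach-Object DistinguishedName)
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
        Where-Object { @($_.AppliesTo | Where-Object { $subjects -contains $_ }).Count -gt 0 } |
        Sort-Object Precedence, ObjectGUID |
        Select-Object Name, Precedence, ObjectGUID, MinPasswordLength
}

# The first row is the policy that should win; the second line is AD's own verdict.
Get-CandidatePso -SamAccountName "jdoe"
(Get-ADUserResultantPasswordPolicy -Identity "jdoe").Name
```

If the two results disagree, check for a policy applied directly to the user, or for two policies sharing the same Precedence value.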
What tools can you use to manage your FGPP?
We have just seen how to develop a password policy (or even several password policies) using a refined strategy.
However, the level of granularity available may not be sufficient. Remember that for the "Password must meet complexity requirements" attribute, all you can do is tick or untick the box.
To go further than the default rules included in Active Directory, and also to facilitate the deployment of your password policy, we recommend that you use dedicated software, such as Specops Password Policy.
With this tool, you can:
- secure your password policies by complying with certain standards (NCSC, NIST, ANSSI): type of characters, length of passwords, blocking of certain expressions using a customised dictionary, etc.;
- benefit from additional functions, such as calculating the length of time a password is valid;
- filter passwords that have been compromised or appear on lists of leaked passwords, using a database.
If your company operates in an Active Directory environment, FGPPs are essential to ensure a degree of granularity according to groups or users.
However, the use of an additional specific solution is still highly recommended to give you more options for defining your password policy, simplify management and, above all, bring you into line with the latest standards... a guarantee of an optimum level of security in the face of an ever-increasing number of cyber-attacks!