Obviously, your first name, cat’s name or mother-in-law’s birthday are not good passwords. Also password or 123456 (actually to be found on the list of the most frequently chosen passwords!) are out of the question. As the administrator of a UCS domain, you can’t prevent users from writing down their passwords or storing them under the keyboard, but you can tweak other settings to make the system more secure.
Policies can, for example, be used to specify a minimum length or to require users to change passwords regularly. In addition, Univention Corporate Server provides a quality check that forces the use of a certain number of numbers, special characters, uppercase and lowercase letters in passwords. This article presents some tips and tricks for setting up a good password policy in an UCS domain. We also show what variables can be set in the Univention Configuration Registry to optimize the whole thing. If you are using Samba in your environment, this article will also explain how to adjust the password requirements for the Samba domain object to those of the new policy.
Adding a New Password Policy
By default, passwords consisting of at least eight characters are valid for all users of the UCS domain and are valid indefinitely. If a user changes the password to a length less than this minimum, the system issues a warning:
To set up a new password policy for users, open the Univention Management Console and go to the Domain category. Open the Policies module and create a new policy by clicking Add. From the Type drop-down menu, select Policy: Passwords and click Next.
Configuring the UCS Password Policy
Enter a description in the Name field; make sure that the name does not contain any umlauts. Beside letters and numbers, spaces and some special characters (# ! $ % & | ^ . ~ _ -) are allowed. Directly below, you define the password length, i.e. the minimum number of characters a password needs in your UCS domain. If you do not enter anything here, the minimum length of eight characters applies. If you do not want the password length to be checked, enter 0 as the value.
The password expiry interval forces your users to change the password regularly. Enter the number of days after which a user is prompted to change the password here; if you leave the field empty, there is no expiration interval.
You also enter a number in the History Length field. It determines when a user can use an old password again. If there is a 3 in this field, a user must set three new passwords before he can use any old one again. If you do not want UCS to create a password history, enter 0.
As a last option, you can enable password quality checking, which, among other things, tests whether a password is in a dictionary. You set up additional checks for the quality check using variables in the Univention Configuration Registry (see next section).
Finally, click Create Policy in the upper right corner. You can then assign the new password policy to the user objects of the domain. To do this, open User Preferences and select Policies from the left pane. Then expand the entry Policy: Password in the right half, select the policy you just created from the drop-down menu and click Save – done.
Univention Configuration Registry: Password Quality Checking Variables
If you have enabled the Password Quality Check option when creating the new password policy, you can fine tune it using six different UCR variables. You can access the module Univention Configuration Registry from the System category. Enter password/quality in the search field to list the individual checks. The following settings are hidden behind the entries:
password/quality/credit/digits: the minimum number of numbers a password must contain.
password/quality/credit/lower: the minimum number of lowercase letters
password/quality/credit/other: the minimum number of characters that are not letters or numbers
password/quality/credit/upper: the minimum number of uppercase letters
password/quality/forbidden/chars: excludes certain characters and numbers
password/quality/required/chars: enforces certain characters and numbers
You activate each verification by setting a value to the corresponding variable; you open the configuration dialog by clicking on the name of the variable. The example shows, that each password needs to contain one lower-, one uppercase and a number.
Samba Passwords for Windows Clients
If you are using Samba in your UCS domain, be sure to match the password requirements for the Samba domain object to the new policy. Otherwise, UCS and Windows logon will be subject to different conditions. After you have configured a new password policy, open the Domain category and the LDAP Directory module. Click on samba in the left tree view and then select the desired Samba domain on the right by clicking on the NetBIOS name.
Scroll down to the Password section. In the Password Length and Password History fields, enter the same values as for the policy. If you have defined a Password Expiration Interval there, enter it in the Maximum Password Age field; be sure to change the unit from seconds (default) to days in the drop-down menu to the right. Finally, click on Save in the upper right corner.
Further securing of UCS
Secure passwords are only half the battle – hardening a system involves several other aspects, such as running a firewall, using non-privileged accounts where possible, or controlling access to sensitive data. It’s also a good idea to only install software from the Univention App Center that you or your users really need. Our developers have published a guide for UCS administrators in the Knowledge Base that explains a number of measures: a password policy, as shown in this article, is a must.