What is FGPP, or how to apply a refined password policy?
FGPP, or Fine Grained Password Policy, integrates with the password policies applied in Active Directory.
What makes it special? It allows different password policies to coexist within the same domain.
This is a major advantage in a business context where organizations are becoming increasingly complex, and where different departments are accessing ever more data and applications... with different levels of sensitivity and criticality. What's more, IT security is becoming an increasingly important issue for companies.
So what exactly is FGPP, and what are its benefits? Are there any differences with a password strategy deployed via GPOs? How can you set up a Fine Grained Password Policy within your information system, and what tools can support you in this task?
Let's find out.
What is FGPP?
FGPP stands for Fine Grained Password Policy. It is a password policy mechanism deployed through Active Directory.
💡 As a reminder, Active Directory, or AD, is Microsoft's LDAP (Lightweight Directory Access Protocol) directory service. Its objective? To centralize identification and authentication within a single information system in a Windows environment.
To achieve this, Active Directory is structured into different types of objects (resources, users and services).
For a long time, AD did not allow multiple password policies to be applied to the same domain. That's why Microsoft introduced FGPP with Windows Server 2008. As a result, companies are now able to set up different policies without having to create new domains.
☝️ Please note: a Fine Grained Password Policy can refer to a user or a group, but not to an organizational unit (administrative container created within a domain).
What's the difference with GPOs?
GPOs (Group Policy Objects) are a set of Group Policy settings, defining a system and its behavior for associated users.
Defining a password policy via GPOs remains the most widespread method, as it has been available since the introduction of Active Directory in 1999.
What makes it special?
It is configured by default in the domain policy. As a result, the password policy settings applied to a domain's users are those characterized by its GPOs.
In other words, a single password policy is effective for all users in a domain.
What are the advantages and disadvantages?
FGPP and GPO have the same list of constraints (minimum length required, for example). But as we've just seen, their application differs.
GPOs can therefore enforce complex passwords... but only one policy per domain is allowed. This constraint forces companies to multiply domains when they wish to apply a different policy to different users or groups of users.
In contrast, with a Fine Grained Password Policy, organizations benefit from greater flexibility. They can, for example, require different password lengths for different departments or for different groups of employees, depending on the sensitivity of the data to which they have access.
Let's now take a closer look at how to deploy an FGPP.
How to implement refined password strategies?
FGPP prerequisites
There are several prerequisites for deploying an FGPP.
Firstly, the domain functional level must be at least Windows Server 2008, as Fine Grained Password Policy was introduced with this version.
Secondly, the person performing the configuration must be an administrator of the domain concerned. To check this, open the Active Directory Administrative Center (ADAC): under the domain name you should find the entry "System\Password Settings Container".
Application orders
Active Directory organizes its directory hierarchically, as a tree structure, with computers and users arranged into groups and subgroups.
You therefore need to understand the order in which FGPPs are applied.
- As a reminder, the password policy defined applies either to a user or to a group. We recommend the first option: the chosen policy then takes effect for the user in question regardless of the groups they belong to.
- If several policies apply to the same user or group, the system prioritizes the one with the lowest "Precedence" value. If the values are identical, the policy with the smallest GUID (Globally Unique IDentifier) prevails.
- Finally, when a group contains other groups (nested groups), the policy applies to all users in these groups.
Parameters to be set
Password length, complexity, expiry date... Active Directory lets you manage different parameters. Here's how to do it.
Launch the Active Directory Administrative Center (in Windows Administrative Tools), then click on Password Settings Container > New > Settings.
Once you've launched the configuration interface, specify the various features of your password policy. To do this, you need to enter values in fields, or check/uncheck boxes according to your preferences.
Here are the various parameters involved:
- "Name": the name of the password policy. Ideally, it should reflect the group or individual concerned.
- "Precedence" (or "Priority"): the value used to prioritize when several Fine Grained Password Policies apply to the same user or group. Smaller numbers take precedence.
- "Enforce minimum password length", in number of characters.
- "Enforce password history" to prevent password recycling.
- "Password must meet complexity requirements": this attribute lets you choose whether or not the required complexity level is enforced. The default security requirements operate on two levels:
  - the password must not contain the user's account name (the sAMAccountName value) or the entire Full Name value (displayName);
  - it must contain characters from at least 3 of the following 5 categories:
    - uppercase letters,
    - lowercase letters,
    - numbers,
    - special (non-alphanumeric) characters,
    - Unicode characters classified as alphabetical characters (characters from Asian languages, for example).
- "Store password using reversible encryption": for security reasons, this option is not recommended.
- "Protect from accidental deletion".
- "Enforce minimum password age": this parameter controls the minimum duration of password validity, to prevent over-frequent changes. You can set a value between 1 and 998 days, or authorize changes immediately by specifying 0.
- "Enforce maximum password age": this feature determines when the password should be renewed, as sufficiently frequent renewal is a prerequisite for optimal password policy security. Set a value between 1 and 999 days, or enter 0 if you don't want your passwords to expire.
- "Enforce account lockout policy": this setting includes:
  - "Number of failed logon attempts allowed",
  - "Reset failed logon attempts count after",
  - "Account will be locked out": the account will be locked out for a set number of minutes, or until manually unlocked by an administrator.
- "Description": you can add a description if required. Specify, for example, the people to whom the constraints apply, their functions and responsibilities within the company, etc.
- "Directly Applies to": specify to whom this policy applies (group or user).
Once all these parameters have been validated, the policy appears in the Password Settings Container interface (in a folder containing the name entered in " Name").
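The same configuration can be scripted with the ActiveDirectory PowerShell module. This added example (not from the original article) creates two policies with different "Precedence" values, applies them to a group each, and then checks which one a given user actually receives, illustrating the application order described above. The group names Tier0-Admins and All-Staff and the user jdoe are assumptions.

```powershell
# Added example: two Fine Grained Password Policies (PSOs) with the
# ActiveDirectory module. Group and user names are assumptions.
Import-Module ActiveDirectory

# Strict policy for privileged accounts. Lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -Description 'Domain and tier-0 administrators'

# Baseline for standard staff. Higher Precedence value, so it loses to PSO-Admins
# for any user who falls under both.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Staff' -Precedence 100 `
    -MinPasswordLength 12 -PasswordHistoryCount 12 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -Description 'All standard staff accounts'

# "Directly Applies to": a PSO targets users or global security groups, never an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Tier0-Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Staff'  -Subjects 'All-Staff'

# Resultant policy for a user who is in both groups (directly or via nesting):
# AD selects the lowest Precedence, and the lowest GUID if the values tie.
$user = 'jdoe'
Get-ADUserResultantPasswordPolicy -Identity $user |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Audit view: every PSO in the Password Settings Container, in evaluation order.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence, ObjectGUID |
    Format-Table Name, Precedence, ObjectGUID, MinPasswordLength, AppliesTo -AutoSize
```

If Get-ADUserResultantPasswordPolicy returns nothing, no PSO applies to that user and the domain's default GPO password policy is in effect.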
What tools do you need to manage your FGPP?
We've just seen how to develop a password policy (or even several password policies) using a refined strategy.
However, the level of granularity allowed may not be sufficient. Remember that the "Password must meet complexity requirements" attribute is a simple checkbox: the built-in complexity rules can only be switched on or off, not tailored.
To go further than the default rules included in Active Directory, but also to facilitate the deployment of your password policy, we recommend the use of dedicated software, such as Specops Password Policy.
With this tool, you can:
- secure your password policies by complying with certain standards (NCSC, NIST, ANSSI): character type, password length, blocking of certain expressions thanks to a customized dictionary, etc.;
- benefit from additional functionalities, such as calculating the duration of a password's validity based on its length;
- use a database to filter out compromised passwords or those on lists of leaked passwords.
If your company operates in an Active Directory environment, FGPPs are essential to ensure a certain granularity according to groups or users.
However, the use of a specific additional solution is still highly recommended to give you more options in defining your password policy, simplify management and, above all, bring you into line with the latest standards... a guarantee of optimum security in the face of an ever-increasing number of cyber-attacks!