Password Policies and Auditing
Password Policies and Auditing are critical components of server security within the CompTIA Server+ (SK0-005) framework, falling under the domain of Security and Disaster Recovery.
**Password Policies** define the rules governing how passwords are created, managed, and enforced across an organization's server infrastructure. Key elements include:
- **Complexity Requirements**: Passwords must contain a mix of uppercase letters, lowercase letters, numbers, and special characters to resist brute-force and dictionary attacks.
- **Minimum Length**: Typically, passwords should be at least 8-12 characters long, with longer passwords being more secure.
- **Password History**: Prevents users from reusing previous passwords, commonly enforcing a history of 12-24 past passwords.
- **Maximum and Minimum Age**: Maximum age forces periodic password changes (e.g., every 60-90 days), while minimum age prevents users from cycling through passwords quickly to reuse an old one.
- **Account Lockout Policies**: After a specified number of failed login attempts (e.g., 3-5), the account is temporarily or permanently locked to prevent brute-force attacks.
- **Multi-Factor Authentication (MFA)**: Adds additional verification layers beyond passwords for enhanced security.
**Auditing** involves systematically monitoring and recording security-related events on servers. Key aspects include:
- **Login Auditing**: Tracking successful and failed login attempts to detect unauthorized access attempts.
- **Privilege Usage Monitoring**: Recording when elevated privileges are used, ensuring administrative actions are accountable.
- **Log Management**: Collecting, storing, and analyzing audit logs using centralized tools like SIEM (Security Information and Event Management) systems.
- **Regular Reviews**: Periodically examining audit trails to identify anomalies, policy violations, or potential security breaches.
- **Compliance**: Meeting regulatory requirements such as HIPAA, PCI-DSS, or SOX that mandate specific auditing practices.
Together, strong password policies and comprehensive auditing create a layered defense strategy. Password policies serve as a preventive control, while auditing acts as a detective control, enabling administrators to identify threats, ensure accountability, and maintain the overall security posture of the server environment.
Password Policies and Auditing – CompTIA Server+ Guide
Why Is This Important?
Passwords remain one of the most fundamental layers of defense in server and network security. Weak, reused, or improperly managed passwords are among the leading causes of security breaches. In a server environment, a compromised credential can give an attacker privileged access to critical systems, data, and infrastructure. Password policies ensure that all users and administrators follow a consistent, enforceable standard for creating and maintaining strong credentials. Auditing, on the other hand, provides visibility into authentication events, policy compliance, and potential threats. Together, password policies and auditing form a critical part of any organization's security posture and are a key topic on the CompTIA Server+ exam.
What Are Password Policies?
Password policies are a set of rules and requirements enforced by the operating system, directory service (such as Active Directory), or application that govern how passwords are created, used, and maintained. These policies typically include the following elements:
1. Minimum Password Length
This defines the shortest acceptable password. Industry best practice typically recommends a minimum of 8–12 characters, though many organizations now require 14 or more characters. Longer passwords are exponentially harder to crack through brute-force attacks.
2. Password Complexity Requirements
Complexity rules require users to include a mix of character types in their passwords. Common requirements include:
- At least one uppercase letter (A–Z)
- At least one lowercase letter (a–z)
- At least one numeric digit (0–9)
- At least one special character (!, @, #, $, etc.)
These rules reduce the likelihood that a password can be guessed or cracked using dictionary attacks.
3. Password History (Password Reuse Prevention)
This setting tracks a certain number of previously used passwords and prevents the user from reusing them. For example, if the history is set to 24, the user must create 24 unique passwords before they can reuse an old one. This prevents users from cycling back to the same weak password.
4. Maximum Password Age
This defines how long a password can be used before the user is forced to change it. Common settings range from 60 to 90 days. Forcing periodic password changes limits the window of opportunity if a password is compromised.
5. Minimum Password Age
This prevents users from changing their password multiple times in rapid succession to cycle through the password history and return to a preferred (possibly weak) password. A typical setting is 1–2 days.
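To make the interplay between password history and minimum password age concrete, here is an added example (it is not part of this guide and not any vendor's policy engine) that enforces the minimum-length, complexity, history and minimum-age rules described above using the guide's example values: 12 characters, a 24-password history and a one-day minimum age. The names Account, set_password and history_can_be_bypassed are chosen for this illustration only.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 12    # the guide's example minimum length
HISTORY_SIZE = 24  # the guide's example history depth
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

def _digest(password: str, salt: bytes) -> bytes:
    # The history must not store plaintext; a salted PBKDF2 digest is enough to
    # detect reuse (iteration count kept low for the demo; production uses far more).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def meets_complexity(password: str) -> bool:
    # All four character classes from the complexity rule must be present.
    return (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password) and any(c in SPECIALS for c in password))

@dataclass
class Account:
    min_age: timedelta = timedelta(days=1)  # timedelta(0) reproduces the exam-tip weakness
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    last_change: "datetime | None" = None

    def set_password(self, new: str, now: datetime) -> str:
        """Return "ok" or the name of the policy rule that rejected the change."""
        if self.last_change is not None and now - self.last_change < self.min_age:
            return "minimum_age"
        if len(new) < MIN_LENGTH:
            return "minimum_length"
        if not meets_complexity(new):
            return "complexity"
        if any(_digest(new, salt) == d for salt, d in self.history):
            return "history"
        salt = os.urandom(16)
        self.history.append((salt, _digest(new, salt)))
        del self.history[:-HISTORY_SIZE]  # retain only the newest HISTORY_SIZE entries
        self.last_change = now
        return "ok"

def history_can_be_bypassed(acct: Account, old: str, start: datetime) -> bool:
    """Change the password HISTORY_SIZE times in one session, then try to reuse `old`."""
    for i in range(HISTORY_SIZE):
        if acct.set_password(f"Filler#Pass{i:04d}X", start) != "ok":
            return False  # minimum age blocked the cycling attempt
    return acct.set_password(old, start) == "ok"
```

With the default one-day minimum age the cycling attempt fails on the second change; with min_age set to zero the old password is accepted again after 24 changes, which is exactly the gap the minimum-age setting closes.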
6. Account Lockout Policy
Account lockout policies protect against brute-force attacks by locking an account after a specified number of failed login attempts. Key settings include:
- Account lockout threshold: The number of failed attempts before lockout (e.g., 3–5 attempts).
- Account lockout duration: How long the account remains locked (e.g., 15–30 minutes, or until an administrator unlocks it).
- Reset account lockout counter after: The time window in which failed attempts are counted (e.g., 15–30 minutes).
7. Password Expiration Notifications
Users are typically warned a certain number of days before their password expires so they can change it proactively without disrupting their workflow.
8. Multifactor Authentication (MFA)
While not strictly a password policy, MFA is often implemented alongside password policies to add an additional layer of security. MFA requires at least two distinct factors from among something you know (password), something you have (token, smart card), and something you are (biometrics).
What Is Auditing?
Auditing in the context of password security refers to the systematic monitoring, logging, and review of authentication-related events. Auditing allows administrators to detect unauthorized access attempts, verify compliance with password policies, and investigate security incidents.
Key Auditing Components:
1. Logon/Logoff Events
Tracking successful and failed logon attempts helps identify suspicious activity such as brute-force attacks, unauthorized access from unusual locations or times, and compromised accounts.
2. Account Management Events
Auditing account creation, deletion, modification, password resets, and group membership changes provides visibility into administrative actions and potential insider threats.
3. Policy Change Events
Monitoring changes to password policies, audit policies, and security settings ensures that configurations are not weakened intentionally or accidentally.
4. Privilege Use
Tracking the use of elevated privileges (such as administrator or root access) helps ensure that privileged accounts are used appropriately and not abused.
5. Object Access
Auditing access to sensitive files, folders, registry keys, and other objects can reveal unauthorized data access or exfiltration attempts.
How Auditing Works:
- On Windows Server, auditing is configured through Group Policy (Local Security Policy or domain-level GPOs). The Audit Policy and Advanced Audit Policy Configuration settings control what events are logged. Events are recorded in the Windows Security Event Log, which can be viewed using Event Viewer or forwarded to a SIEM (Security Information and Event Management) system.
- On Linux servers, auditing is handled by tools such as auditd (the Linux Audit Daemon), PAM (Pluggable Authentication Modules), and log files like /var/log/auth.log or /var/log/secure. The auditctl command defines audit rules, while ausearch and aureport are used to query and report on the audit logs.
How Password Policies and Auditing Work Together:
Password policies establish the rules, while auditing verifies that the rules are being followed and detects violations. For example:
- A password policy requires complexity and a minimum length of 12 characters.
- Auditing logs all password change events and failed logon attempts.
- If an account experiences numerous failed logon attempts, those attempts are recorded in the audit log for review, and the lockout policy automatically locks the account.
- Periodic audit reviews ensure that password policies have not been weakened and that all accounts comply with organizational standards.
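As an added example that is not part of this guide, the following replays constructed sshd lines in /var/log/auth.log format through the three lockout settings described earlier (threshold 5, duration 30 minutes, reset window 15 minutes) and reports, per account, which ones tripped the threshold, when the lockout would expire, and from which source address. The host name, user names, addresses and timestamps are constructed sample data, and the function names are chosen for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lockout settings taken from the guide's example ranges.
LOCKOUT_THRESHOLD = 5                     # failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the account stays locked
RESET_WINDOW = timedelta(minutes=15)      # failures further apart than this are not accumulated
# Constructed sample lines in /var/log/auth.log (sshd) format; not real log data.
SAMPLE_LOG = """\
Mar  3 02:14:01 srv01 sshd[4312]: Failed password for svc-backup from 203.0.113.7 port 51514 ssh2
Mar  3 02:14:05 srv01 sshd[4312]: Failed password for svc-backup from 203.0.113.7 port 51516 ssh2
Mar  3 02:14:09 srv01 sshd[4312]: Failed password for svc-backup from 203.0.113.7 port 51518 ssh2
Mar  3 02:14:13 srv01 sshd[4312]: Failed password for svc-backup from 203.0.113.7 port 51520 ssh2
Mar  3 02:14:17 srv01 sshd[4312]: Failed password for svc-backup from 203.0.113.7 port 51522 ssh2
Mar  3 10:00:00 srv01 sshd[5200]: Failed password for bob from 192.0.2.9 port 40100 ssh2
Mar  3 10:05:00 srv01 sshd[5201]: Failed password for bob from 192.0.2.9 port 40102 ssh2
Mar  3 10:25:00 srv01 sshd[5202]: Failed password for bob from 192.0.2.9 port 40104 ssh2
Mar  3 10:26:00 srv01 sshd[5203]: Failed password for bob from 192.0.2.9 port 40106 ssh2
Mar  3 10:27:00 srv01 sshd[5204]: Failed password for bob from 192.0.2.9 port 40108 ssh2
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def parse(line: str, year: int = 2024):
    # Returns (timestamp, failed, user, source) or None for lines that are not logon events.
    m = LINE_RE.match(line)
    if not m: return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2) == "Failed", m.group(3), m.group(4)

def evaluate(log_text: str) -> dict:
    """Replay the log through the lockout policy; per user, list lockouts and the peak counter."""
    recent = defaultdict(deque)  # user -> timestamps of failures currently being counted
    report = defaultdict(lambda: {"lockouts": [], "max_failures": 0})
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None: continue
        ts, failed, user, src = parsed
        q = recent[user]
        if not failed:
            q.clear()  # a successful logon resets the failure counter
            continue
        if q and ts - q[-1] > RESET_WINDOW:
            q.clear()  # the "reset account lockout counter after" window has elapsed
        q.append(ts)
        report[user]["max_failures"] = max(report[user]["max_failures"], len(q))
        if len(q) >= LOCKOUT_THRESHOLD:
            report[user]["lockouts"].append((ts, ts + LOCKOUT_DURATION, src))
            q.clear()
    return dict(report)
```

Note that bob's five failures never trigger a lockout because the 20-minute gap exceeds the reset window, while svc-backup's five failures within 16 seconds do; tuning the window therefore changes what the lockout policy catches and what a reviewer must find in the log instead.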
Best Practices for Server Environments:
- Enforce strong password policies across all servers and services using centralized management (e.g., Group Policy in Active Directory).
- Enable auditing for logon events, account management, and policy changes at a minimum.
- Forward logs to a centralized SIEM for correlation, alerting, and long-term retention.
- Regularly review audit logs and generate reports to identify trends and anomalies.
- Use service accounts with unique, strong passwords and audit their usage.
- Implement MFA for all administrator and remote access accounts.
- Do not use default passwords on any server, application, or device.
- Conduct periodic password audits to identify weak, expired, or non-compliant passwords.
- Document password policies and auditing procedures as part of the organization's security policy.
Exam Tips: Answering Questions on Password Policies and Auditing
1. Know the specific policy settings: Be prepared to identify the purpose of each password policy setting — minimum length, complexity, history, maximum age, minimum age, and account lockout threshold/duration. The exam may present a scenario and ask which setting addresses the problem.
2. Understand account lockout vs. password expiration: Account lockout protects against brute-force attacks (too many failed attempts). Password expiration forces periodic changes to limit the exposure window of a compromised password. Do not confuse these two concepts.
3. Recognize auditing event categories: Know the difference between logon events, account management events, policy change events, and privilege use events. The exam may ask which type of auditing detects a specific scenario.
4. Scenario-based questions: The exam often presents a scenario such as: "An administrator notices multiple failed login attempts on a server account during off-hours. What should be implemented?" The answer likely involves account lockout policies and logon event auditing.
5. Think about the principle of least privilege: Password policies and auditing often connect to broader security principles. Administrator accounts should have stricter policies, and their use should be closely audited.
6. Know where policies are configured: On Windows, Group Policy (GPO) is the primary mechanism. On Linux, PAM and configuration files like /etc/login.defs and /etc/pam.d/ are used. The exam may reference these tools.
7. Remember the relationship between password history and minimum password age: Password history alone is not effective if the minimum password age is set to zero — a user could change their password repeatedly in one session to cycle through the history. The minimum age prevents this.
8. SIEM and centralized logging: Understand that in enterprise environments, audit logs should be forwarded to a centralized SIEM system for analysis. This is a best practice that may appear on the exam.
9. Default passwords are always wrong: If a question asks about a security vulnerability or first step in hardening a server, changing default passwords is almost always a correct action.
10. Elimination strategy: When unsure, eliminate answers that weaken security (such as disabling lockout, reducing complexity, or turning off auditing). The correct answer on the Server+ exam will almost always align with stronger security practices.
By mastering the concepts of password policies and auditing — including their individual components, how they interact, and where they are configured — you will be well-prepared to answer related questions on the CompTIA Server+ exam confidently and accurately.