Attack Recovery: How to Implement a “Reset All AD Passwords” Directive 


In light of a potential increase in cyberattacks, the White House issued a fact sheet on March 21, 2022, with wide-sweeping cybersecurity recommendations. One recommendation is to reset all passwords, to eliminate the possibility of an unknown leaked credential being used against your organization. When an organization is compromised, every current password has potentially become known to the attacker. Whether you are responding to a cybersecurity warning like the one issued by the White House or recovering from an attack, you will want to require all your users to reset their passwords once the attacker no longer has access.

But requiring everyone to reset their Active Directory passwords isn’t as simple as it may seem. How do you carry out an organization-wide password reset without disrupting critical work or overwhelming your IT service desk? In this post, we’ll walk through our recommendations for resetting all passwords in an organization. 

Planning for mass resets 

Depending on the size of your organization, forcing a password reset on everyone could overwhelm your internal resources. Make sure your IT service desk has capacity before the change is implemented; ideally, you will also be able to make use of a self-service password reset tool that checks new passwords against a compromised password list, such as Specops uReset together with Breached Password Protection.

Having a self-service password reset solution in place well ahead of the need to recover from an attack will make the burden on your IT department easier. 

Force every AD password to reset: implementation  

So how do you implement this? 

The easiest way to implement a forced password reset across your organization is to encourage users to reset or change their passwords on their own before you force a change. Encouraging the use of a self-service password reset solution ahead of your forced password reset deadline can help lift the burden off your IT service desk.

To actually expire all passwords and force a reset at next logon for users who haven’t reset their passwords themselves by your deadline, you’ll first want insight into who has changed their password since you asked. Take a look at Darren’s walk-through of how to run this report with a PowerShell script and how to force the password change, including copy-and-paste PowerShell scripts you can use to implement it.
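As an added illustration of that two-step approach (this is example code written for this post, not Darren’s script or anything from the Specops product), the following PowerShell reports which enabled users have not changed their password since the date you sent the request, exports that list for the service desk, and then sets the “User must change password at next logon” flag on those accounts. The request date and OU path are assumed placeholders; the ActiveDirectory RSAT module and an account with rights to modify users are assumed to be available.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Assumed values: the day you asked users to reset, and an OU to scope the run.
# Drop -SearchBase to cover the whole domain.
$RequestDate = Get-Date '2022-03-22'
$SearchBase  = 'OU=Users,DC=example,DC=com'   # placeholder, use your own OU

# Step 1: pull enabled user accounts with the attributes the report needs.
$Users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, LastLogonDate

# Accounts still to be forced: password not set on or after the request date.
# An empty PasswordLastSet means the change-at-logon flag is already set, so
# setting it again is harmless. Accounts flagged PasswordNeverExpires or carrying
# an SPN are usually service accounts: ChangePasswordAtLogon cannot be combined
# with PasswordNeverExpires, and forcing a logon prompt on a service breaks it,
# so they are excluded here and handled by hand.
$NotYetChanged = $Users | Where-Object {
    ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $RequestDate) -and
    -not $_.PasswordNeverExpires -and
    -not $_.ServicePrincipalName
}

# Step 2: the report. Export it before changing anything so the service desk
# knows who will be prompted tomorrow.
$NotYetChanged |
    Select-Object SamAccountName, Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Export-Csv -Path .\NotYetChanged.csv -NoTypeInformation

'{0} of {1} enabled users still need to change their password' -f $NotYetChanged.Count, $Users.Count

# Step 3: enforce. Keep -WhatIf for the dry run; remove it once the CSV looks right.
$NotYetChanged | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Run it once with `-WhatIf` in place and review the CSV; the count line tells you how many calls to expect at the service desk the next morning. Setting the flag writes `pwdLastSet` to 0, so any user who has since reset on their own will drop out of the report on a re-run, which makes it safe to repeat the script daily until the deadline.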

Ahead of running the script, you should communicate to users that they’ll need to reset their passwords on logon the next day, reminding them of the requirements for the new password, as well as where else they may need to update their passwords – whether that’s their mobile device or other applications that cache credentials.  

If you’ve implemented a breached password check solution since the last time your users needed to select a new password, you should include an overview of what that is and what it would mean if the password they tried to choose was on a compromised list. 

If you have a self-service password reset solution in place, make sure your IT service desk is trained to direct callers to it, especially when call volume is high. Service desk best practices, such as verifying a caller’s identity before resetting a password, also apply.

With end users covered, make sure you also reset the passwords of service accounts, which often have no MFA configured.
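Because a forced change at next logon does not work for accounts that never log on interactively, those need an inventory and a manual rotation. The PowerShell below is an added example (not from the original post) that lists enabled accounts that look like service accounts, those with a service principal name or the “password never expires” flag, together with whether their password has been rotated since the request date; it also lists group managed service accounts, which rotate their own passwords and need no manual reset. The request date is an assumed placeholder and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$RequestDate = Get-Date '2022-03-22'   # assumed: the day the reset directive went out

# Candidates: enabled users that carry an SPN or are set to never expire.
# Either attribute is a strong hint that something other than a person uses the account.
$ServiceLike = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, Description |
    Where-Object { $_.PasswordNeverExpires -or $_.ServicePrincipalName }

# Build one row per account so the list can be reviewed and tracked to completion.
$Report = $ServiceLike | ForEach-Object {
    [pscustomobject]@{
        SamAccountName       = $_.SamAccountName
        PasswordLastSet      = $_.PasswordLastSet
        RotatedSinceRequest  = ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -ge $RequestDate)
        PasswordNeverExpires = $_.PasswordNeverExpires
        HasSPN               = [bool]$_.ServicePrincipalName
        Description          = $_.Description   # often names the owning application
    }
}

# Accounts still waiting for a manual rotation, oldest password first.
$Report | Where-Object { -not $_.RotatedSinceRequest } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Full list for the tracking sheet.
$Report | Export-Csv -Path .\ServiceAccountsToRotate.csv -NoTypeInformation

# Group managed service accounts rotate automatically; listed so nobody chases them.
Get-ADServiceAccount -Filter * | Select-Object Name, SamAccountName, Enabled
```

Every account on the exported list needs its new password entered wherever the old one is stored (scheduled tasks, IIS application pools, connection strings, the service control manager), so rotate them one at a time with the owning team and re-run the script afterwards to confirm `RotatedSinceRequest` flips to true.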

(Last updated on March 23, 2022)
