How to Protect Microsoft Active Directory Passwords?
Even though Microsoft has ranted about passwords being irrelevant, they do provide different levels of protection for maintaining password hygiene, as probably they don’t believe this themselves. Although we celebrate MFA and passwordless authentication methods, for most organizations, it is quite a struggle and will take a very long time to eliminate them across the board. Microsoft reports the underwhelming 11% MFA adoption rate amongst enterprise users, even though 1.2 million(!) of their accounts are being compromised each month.
With ransomware frequency and damages breaking new heights each year, perhaps it makes sense to focus on what we can do today, to mitigate the number one attack vector leading up to them. First of all, let’s investigate what Microsoft does, and what they recommend.
Azure AD Password Protection
As with many services, Microsoft is pushing their customers towards cloud adoption, so it is no surprise that Azure AD provides the highest level of flexibility in terms of password protection, utilizing cloud-based intelligence and of course enabling MFA and Azure AD-based SSO for supported applications. When we look at the exact settings available, we can see that the following options are available:
- Character sets
- Password length (8-256)
- Character mix (maximum three out of: numbers, uppercase, lowercase, symbols)
- Recent passwords (including small changes such as abcdefg -> abcdefh)
- Custom ban list (fuzzy matching for variations)
- Global ban list (enforced)
This may seem fairly okay, except they lack repeating and sequential character bans, as well as breached passwords, even though they reference NIST’s identity guide that specifically recommends these controls. Microsoft is not relying on publicly available breached password lists, because their “global banned list is small in comparison to some third-party bulk lists, it’s sourced from real-world security telemetry on actual password spray attacks.”. Well, this is certainly a good effort to combat mass murder, but when companies are directly targeted using a recently breached account, it only takes a single try to be successful. It remains a mystery why they do not rely on these lists based on the 1.2m breaches mentioned above, but there is even more.
In their guide “scoped to users of Microsoft’s identity platforms (Azure Active Directory, Active Directory, and Microsoft account” Microsoft has a few good recommendations that everyone should take to heart:
Ban common passwords
So far no surprise, available in Azure AD.
Educating users not to reuse organization credentials anywhere else
Here, we have a recommendation that is ranked even higher than Multi-Factor, and that is not supported via any tool or enforcement. By the way, password reuse and employee education are two different topics that should be considered separately as well.
- Enforcing Multi-Factor Authentication registration
- Enabling risk-based multi-factor authentication (pretty much the same as #3)
In conclusion, Microsoft neglects breached passwords and has no tool to educate or monitor for password reuse in third-party applications. No wonder that this became the top attack vector for hackers. The combination of reusing however secure or complex passwords on random websites - that get breached by the day- opens up cheap effortless ransomware deployments.
How to take it to the next level?
Breached Passwords Tracking
Automatically checking against publicly available breach lists should be a top priority. It’s easy and even though doesn’t protect against recently breached passwords, why not take a swing at the billions of known passwords that are out there for any organization to blacklist? If you don’t, attackers will. Scirge does that completely transparently for users, but there are other solutions out there to help you out with your AD passwords.
AD Password Reuse Detection
This is a tough one. To completely weed out password reuse, you need to have a great awareness/education program in place. Using password managers also helps, in case they provide reuse detection as well as generating strong and unique passwords. This adoption takes some time though, and password managers also have the downside of fostering password sharing and potentially enabling employees to synchronize their corporate accounts to private endpoints, enabling access to corporate services even after they left the organization. Ultimately, monitoring every single web account is the only solution for complete reuse detection, as password managers will always be opt-in for any given registration.
Password Complexity Checks
Although Azure AD does provide improved complexities, and we do not necessarily agree with high complexity requirements for human memorized passwords, there are a few things to be considered:
- Microsoft doesn’t provide detection of repeating or sequential characters.
- Some industry standards such as PCI want you to have very strong complexity rules in place
Is this an issue? You tell us. It certainly is, in case your employees are trying to figure out the easiest passwords that will pass through complexity check (asdf123! perhaps?) or if you are under some strict regulations. There are only two ways to fight this, as Microsoft doesn’t provide these as native options.
The first is to integrate a third-party password layer for your local AD logins, and refuse weak passwords, and enforce stronger ones. This is great for enforcement but comes at a very high price if implementing a layer of third-party software within your most crucial login processes, which is a huge operational risk for business continuity, and a potential burden for employees.
The other one is to simply use passive monitoring for AD passwords. Scirge does that via the browsers, and optionally warns employees about weak or plain passwords. The upside? No operational risk and employees are free to make changes in their free time, or based on central policies. What’s more? We can do the same for all other web accounts. Because it is not only the AD passwords that are critical.
Regardless of the actual tactics we are using, it is always about whether our employees are educated and responsible about it enough? So keep in mind to provide sufficient training and timely notifications for your employees about the risks and expected behaviors, because most of them do not feel responsible for your organization’s security.
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.