Use Microsoft Entra ID Password Protection to defend against password spray attacks

 

Working on my own tenant resulted in re-visiting the password protection policies that I had configured some time ago. As a result, I wanted to explore all possible settings and thus came about the idea of putting a blog post together.

Recent studies suggest that weak passwords are often the root cause of data breaches, hacks, and other cybersecurity incidents. They’re the weak link in the chain, easily guessable by hackers looking to brute force their way into a business or individual’s online accounts. This is where the need for strong password protection policies comes into play.

Microsoft Entra ID Password Protection 

Microsoft Entra ID Password Protection can help you defend against password spray attacks. Most password spray attacks don't attempt to attack any given individual account more than a few times. This behavior would increase the likelihood of detection, either via account lockout or other means.

The majority of password spray attacks submit only a small number of the known weakest passwords against each of the accounts in an enterprise. This technique allows the attacker to quickly search for an easily compromised account and avoid potential detection thresholds.

Microsoft Entra ID Password Protection efficiently blocks all known weak passwords likely to be used in password spray attacks. This protection is based on real-world security telemetry data from Microsoft Entra ID to build the global banned password list.

Many organizations have a hybrid identity model that includes on-premises Active Directory Domain Services (AD DS) environments. To extend the security benefits of Microsoft Entra ID Password Protection into your AD DS environment, you can install components on your on-premises servers. These agents require password change events in the on-premises AD DS environment to comply with the same password policy as in Microsoft Entra ID.

Eliminate bad passwords using Azure Active Directory Password Protection

Global banned password list

The Microsoft Entra ID Identity Protection team constantly analyzes Microsoft Entra ID security telemetry data looking for commonly used weak or compromised passwords. The analysis looks for base terms that are often used as the basis for weak passwords. When weak terms are found, they're added to the global banned password list. The contents of the global banned password list are based on the results of Microsoft Entra ID security telemetry and analysis.

Custom banned password list

Organizations can improve their cyber security by adding their own customizations on top of the global banned password list. Terms added to the custom banned password list should be focused on organizational-specific terms such as the following examples:

- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning

I scoured the internet and put together a list of the most commonly used passwords.

1234
12345
000000
111111
123123
123321
123456
555555
654321
666666
1111111
1234567
7777777
12345678
123456789
1234567890
1q2w3e
1q2w3e4r5t
abcdefg
Admin
Col1@23456
dragon
guest
homelesspa
Iloveyou
monkey
p@ssw0rd
p@ssword
Password
q2w3e4r
q2w3e4r5t
qaz2wsx
qwerty
qwertyuiop
welcome

Note: Instead of blocking specific variations of a term, such as Password123 or Password@123, block the key base term, for example Password. The password validation algorithm automatically blocks weak variants and combinations of that base term.

Here is how you can configure them in your tenant:

1. Sign in to the Microsoft Entra ID portal using an account with global administrator permissions.

2. Under Protection, select Authentication methods, then Password protection.

3. Set the option for Enforce custom list to Yes.

Add strings to the Custom banned password list, one string per line. The following considerations and limitations apply to the custom banned password list:

- The custom banned password list can contain up to 1000 terms.
- The custom banned password list is case-insensitive.
- The custom banned password list considers common character substitution, such as "o" and "0", or "a" and "@".
- The minimum string length is four characters, and the maximum is 16 characters.


4. Set Mode to Enforced.

Note: You can also set Mode to Audit, which only logs the attempt made by the user instead of blocking it. Also, it may take several hours for updates to the custom banned password list to be applied.
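Before pasting terms into the portal, it helps to check them against the limits listed in step 3. The script below is an added example, not part of the original post or of any Microsoft tooling: it rejects terms outside the 4 to 16 character range, collapses variants that normalize to the same base term, and enforces the 1000-term cap. The function names, the sample terms, and the substitution map (only the two pairs named above) are assumptions.

```python
# Added example: pre-flight check for a custom banned password list.
# Limits come from the list above; SUBSTITUTIONS covers only the two pairs
# the post names (assumption: the service may normalize more characters).
MIN_LEN, MAX_LEN, MAX_TERMS = 4, 16, 1000
SUBSTITUTIONS = str.maketrans({"0": "o", "@": "a"})


def normalize(term: str) -> str:
    """Lowercase and undo the common substitutions so variants collapse."""
    return term.strip().lower().translate(SUBSTITUTIONS)


def lint_banned_list(terms):
    """Return (keep, rejected, redundant) for a candidate custom list.

    keep      - terms to paste into the portal, one per normalized form
    rejected  - (term, reason) pairs that break the length limits
    redundant - (term, kept_term) pairs that normalize to an earlier entry
    """
    keep, rejected, redundant = [], [], []
    seen = {}  # normalized form -> first term that produced it
    for raw in terms:
        term = raw.strip()
        if not term:
            continue
        if len(term) < MIN_LEN:
            rejected.append((term, "shorter than 4 characters"))
        elif len(term) > MAX_LEN:
            rejected.append((term, "longer than 16 characters"))
        elif normalize(term) in seen:
            redundant.append((term, seen[normalize(term)]))
        else:
            seen[normalize(term)] = term
            keep.append(term)
    if len(keep) > MAX_TERMS:
        raise ValueError(f"{len(keep)} terms exceed the {MAX_TERMS}-term limit")
    return keep, rejected, redundant


# Constructed sample: a few entries from the list above plus invalid ones.
SAMPLE = ["Password", "p@ssw0rd", "p@ssword", "qwerty", "Admin", "abc",
          "ContosoHeadquarters2024"]

if __name__ == "__main__":
    keep, rejected, redundant = lint_banned_list(SAMPLE)
    print("paste into portal:", keep)
    print("rejected:", rejected)
    print("redundant variants:", redundant)
```

Run against the list earlier in this post, Password, p@ssw0rd and p@ssword collapse to a single entry, which frees slots for organization-specific terms.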

User Experience

When a user attempts to reset a password using myaccount.microsoft.com to something that's on the global or custom banned password list, they see one of the following error messages:

- Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.

- Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.




Final Thoughts

Please note that even if a user's password contains a banned password, the password may be accepted if the overall password is otherwise strong enough. When terms are added to the custom banned password list, they're combined with the terms in the global banned password list. Password change or reset events are then validated against the combined set of these banned password lists.

Tip: Use User risk and Risky sign-in together with Microsoft Entra ID password protection to defend against brute force and spray attacks. I blogged about it earlier this year which you can refer to over here.
