In the latter part of last year, Microsoft released a public preview of the Azure AD Password Protection and Smart Lockout features. I had the opportunity to implement them in my production environment and instantly understood how important and relevant they are to today's organizational security. Let's see what these features are and how you can use them to strengthen password security.
What is Password Protection
Password guessing is the easiest way to gain access to a user account, which is why every security guideline advises having a complex password. But what if these complex passwords are also guessable? In my career I have worked with many organizations in banking, shipping, telco and other sectors, and when complex passwords are enforced by AD or any other identity provider, users tend to combine organizationally familiar words with easy-to-remember numbers, for example terminalworks@123, Contoso@123 or P@ssw0rd. When an attacker tries to gain access to your organization from outside, the most common method is to obtain the user list or the email addresses and try these types of passwords. These may be low-privileged accounts, but once attackers gain access to them, they can be used for lateral movement throughout the organization to get hold of the high-privileged accounts.
With Azure AD Password Protection, you can define a list of weak passwords, which may include the company name or its abbreviation, so that users cannot use them. The password protection feature can also run in audit mode, so before enforcing it you can understand how many users in your organization are using weak passwords.
What is Azure Active Directory Smart Lockout
Smart lockout is a feature that locks accounts when a bad actor tries to access them by password guessing or a brute-force attack. It is an intelligent system that can recognize whether a sign-in attempt is made by a genuine user or by a bad actor, and it treats the two differently: it locks the account against the bad actor while the genuine user continues to sign in as usual. Smart lockout supports cloud-only and hybrid scenarios with
- AD Connect with password hash sync, or
- AD Connect with pass-through authentication.
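To make the "treats the two differently" idea concrete, here is a small model of a smart lockout decision, written for this post as an added illustration; it is not Microsoft's code and does not reproduce the real service's logic. It assumes three things: failures are counted separately for familiar and unfamiliar source addresses (so an attacker guessing from an unknown network is locked out while the real user keeps working from their usual one), 10 failures lock that counter for 60 seconds, and the last 3 wrong passwords are remembered by hash so that re-submitting the same wrong password does not advance the counter. The thresholds, the per-location counters and the "successful location becomes familiar" rule are all assumptions for this example.

```python
"""Simplified model of smart lockout (added illustration, not Microsoft's code).

Assumptions (not taken from the real service's implementation):
- failed sign-ins are counted per (account, familiar/unfamiliar source) bucket;
- 10 failures lock that bucket for 60 seconds;
- the last 3 wrong passwords are remembered by hash and not counted twice;
- a successful sign-in makes the source address familiar.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

LOCKOUT_THRESHOLD = 10      # assumed default
LOCKOUT_SECONDS = 60.0      # assumed default for the first lockout
REMEMBERED_BAD_HASHES = 3   # assumed


def _digest(password: str) -> str:
    """Hash the password so wrong guesses are remembered without storing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Counter:
    failures: int = 0
    locked_until: float = 0.0
    recent_bad: List[str] = field(default_factory=list)


@dataclass
class Account:
    password_digest: str
    familiar_ips: Set[str] = field(default_factory=set)
    counters: Dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))


class SmartLockout:
    """Decides each sign-in attempt: 'success', 'failed' or 'locked'."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str, familiar_ip: str) -> None:
        self.accounts[user] = Account(_digest(password), {familiar_ip})

    def sign_in(self, user: str, password: str, source_ip: str, now: float) -> str:
        acct = self.accounts[user]
        bucket = "familiar" if source_ip in acct.familiar_ips else "unfamiliar"
        c = acct.counters[bucket]

        if now < c.locked_until:
            return "locked"                     # this bucket is still locked out

        attempt = _digest(password)
        if hmac.compare_digest(attempt, acct.password_digest):
            c.failures = 0
            c.recent_bad.clear()
            acct.familiar_ips.add(source_ip)    # assumption: success makes the source familiar
            return "success"

        if attempt in c.recent_bad:             # same wrong guess again: no extra penalty
            return "failed"
        c.recent_bad = (c.recent_bad + [attempt])[-REMEMBERED_BAD_HASHES:]
        c.failures += 1
        if c.failures >= LOCKOUT_THRESHOLD:
            c.locked_until = now + LOCKOUT_SECONDS
            c.failures = 0
            return "locked"
        return "failed"


def scenario() -> Dict[str, object]:
    """Constructed scenario: guessing from an unknown address versus the real user."""
    sl = SmartLockout()
    sl.register("alice", "Winter!Sailing.42", familiar_ip="10.0.0.5")
    attacker_ip = "203.0.113.9"                 # constructed, documentation range
    outcomes = [sl.sign_in("alice", f"guess{i}", attacker_ip, now=float(i)) for i in range(10)]
    attacker_retry = sl.sign_in("alice", "guess99", attacker_ip, now=30.0)
    user_ok = sl.sign_in("alice", "Winter!Sailing.42", "10.0.0.5", now=31.0)
    return {"attacker": outcomes, "attacker_retry": attacker_retry, "user": user_ok}


if __name__ == "__main__":
    print(scenario())
```

The point of the separate buckets is the one the post makes: the unfamiliar source ends up locked after its tenth distinct guess, while the genuine user from the familiar address still signs in successfully a few seconds later.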
How Password Protection works
Azure AD Password Protection helps eliminate weak passwords in cloud-only and on-premises hybrid environments. When you configure a banned password list, every time a user or an admin sets a password it is checked against this list, and if it matches or comes close (for example, a lowercase variant or one padded with numbers), the password is denied.
For example, when the word "password" is added to the banned list, attempts such as P@ssw0rd or password@123 are blocked, because Azure is intelligent enough to identify them as variants of the word "password".
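The following example shows how a check like that can recognize P@ssw0rd and password@123 as variants of "password", and how audit mode differs from enforce mode. It is an added illustration written for this post, not Microsoft's code: the substitution table, the tenant's banned terms and the audit summary are assumptions, and the real service applies further fuzzy-matching and scoring rules that this model leaves out.

```python
"""Simplified model of a banned-password check (added illustration, not Microsoft's code).

Normalise the candidate password (lower-case it, undo common character
substitutions) and look for any banned term inside the result. The
substitution table is an assumption for this example.
"""
from typing import Dict, List, Optional

# Assumed substitution table: characters people swap in to satisfy complexity
# rules, mapped back to the letter they stand for.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed banned list: a global term plus the tenant's company names.
BANNED_TERMS: List[str] = ["password", "contoso", "terminalworks"]


def normalize(password: str) -> str:
    """Collapse variants such as P@ssw0rd and PASSWORD onto 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def matched_banned_term(password: str, banned_terms: List[str]) -> Optional[str]:
    """Return the first banned term found inside the normalised password, else None."""
    candidate = normalize(password)
    for term in banned_terms:
        if normalize(term) in candidate:
            return term
    return None


def evaluate(password: str, banned_terms: List[str], enforce: bool) -> str:
    """Audit mode only reports what would happen; enforce mode denies the password."""
    term = matched_banned_term(password, banned_terms)
    if term is None:
        return "accepted"
    return "denied" if enforce else f"audit: would deny (matches '{term}')"


def audit_report(candidates: List[str], banned_terms: List[str]) -> Dict[str, int]:
    """Count how many proposed passwords would be denied once enforcement is on.

    Nothing is blocked in audit mode; the count is what lets an admin size the
    impact before switching to enforce mode.
    """
    would_deny = sum(1 for pw in candidates if matched_banned_term(pw, banned_terms))
    return {"checked": len(candidates), "would_deny": would_deny}


if __name__ == "__main__":
    # Constructed sample of password-change attempts seen during an audit window.
    sample = ["P@ssw0rd", "password@123", "Contoso@123", "Terminalworks2019!",
              "correct-horse-battery-staple", "Winter!Sailing.42"]
    for pw in sample:
        print(f"{pw:32} {evaluate(pw, BANNED_TERMS, enforce=False)}")
    print(audit_report(sample, BANNED_TERMS))
```

Running the sample through audit mode flags four of the six candidates without rejecting any of them, which is exactly the kind of number you want before turning enforcement on.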
As I mentioned earlier, password protection works with hybrid environments, where an on-premises Active Directory maintains all the user accounts and syncs them to Azure Active Directory using the AAD Sync service. When a user changes their password in the on-premises environment, the password protection policy denies a weak password.
To support on-premises Active Directory, you need to install the Password Protection agent on your domain controllers. This agent communicates with the Azure Password Protection service, but not directly: you also need to install the Password Protection proxy service on a machine that has access to the internet. The proxy service connects securely to the Azure Password Protection service in the cloud, forwards the requests from the domain controller agents and returns the responses to them. Because of the proxy service, the domain controllers themselves do not need internet connectivity to implement password protection.
The following Microsoft TechNet diagram helps explain the password protection process:
- The Azure AD Password Protection proxy service forwards requests from domain controllers to Azure AD and returns the responses from Azure AD back to the domain controller.
- The Password Protection DC agent service receives password validation requests from the DC agent password filter DLL, processes them using the password policy currently available locally, and returns the result (pass/fail). This service also runs once per hour to retrieve new versions of the password policy.
- The Password Protection DC agent password filter DLL on each domain controller receives password validation requests from the operating system and forwards them to the Azure AD Password Protection DC agent service running locally on that domain controller.
For cloud-only users, Azure AD Password Protection is free; if you want to define custom banned passwords you need Azure AD Basic. Also, if you need to implement it on-premises in a hybrid deployment, you need Azure AD Premium licenses.
I hope this post has given you a good understanding of Azure AD Password Protection. In the next post I will give you a step-by-step guide to implementing the solution in the cloud and in an on-premises hybrid environment. We'll also discuss how to monitor password activity when audit mode is on.
Asitha De Silva
Microsoft Ignite 2018