Microsoft Outlines Password Best Practices for Azure Active Directory Users
Microsoft on Monday offered a checklist of best practices for identity security when using Azure Active Directory or Windows Server Active Directory Federation Services (ADFS).
Many of these best practices can be used to defend against so-called "password spray attacks," Microsoft argued, in an announcement. With these types of attacks, commonly used passwords (such as "password" or "12345678") are tried by attackers across many user accounts. Attackers only need to successfully guess a few passwords to possibly gain a foothold in an organization.
Microsoft's identity security best practices include using its various cloud-based services, including Azure AD. It also recommended using multifactor authentication (MFA) for IT pro accounts, but only requiring MFA for end users based on automated risk assessments. Microsoft is encouraging organizations with "hybrid" networks (local Windows Server plus cloud services) using ADFS, a Windows Server role, to upgrade from Windows Server 2012 to Windows Server 2016 because that's where Microsoft will be rolling out its newest security features.
Organizations also should have a mechanism to ban commonly used passwords. They should also avoid some conventional approaches to password security, such as requiring end users to frequently change them, Microsoft argued.
Microsoft's announcement contended that the use of its cloud-based security tools, as well as its Azure AD identity and access service, adds "real-time" protections for organizations. The Azure AD protections include:
- IP Lockout, which blocks Internet Protocol addresses that act maliciously
- Smart Lockout, which sorts valid sign-in attempts from attempts by attackers
Microsoft also touted the use by IT pros of its Attack Simulator tool, part of the Office 365 Threat Intelligence service. It can be used to probe vulnerabilities by simulating phishing attacks and password spray attacks on end users.
For organizations with hybrid networks, specifically with Windows Server 2016 and its ADFS role, Microsoft plans to add Smart Lockout support sometime this month. The Smart Lockout feature will arrive via Windows Update.
Users of Microsoft accounts, which are typically used by consumers and students, already have protections such as "Smart Lockout, IP Lockout, risk-based two-step verification, banned passwords, and more," Microsoft's announcement explained.
Azure AD Multifactor Authentication
The greatest security for organizations is enabled by always enforcing MFA for users all of the time, both when using Azure AD and ADFS, according to Microsoft. MFA typically entails using a secondary verification means, such as a response to an automated cell phone call, to verify a user's identity. IT pros particularly should have to undergo MFA, Microsoft argued.
"We strongly recommend enabling always-on multi-factor authentication for all admins in your organization, especially subscription owners and tenant admins," Microsoft's announcement indicated. "Seriously, go do this right now."
End users don't necessarily have to undergo MFA verifications. Microsoft recommends enforcing it based on risk assessments, which can be enabled through Azure AD Premium P2 licensing.
For Windows Server 2016 ADFS users, it's possible to use Azure AD MFA as a primary authentication process, which Microsoft recommends doing, especially when organizations use extranets. According to Microsoft's documentation, an organization might take that approach:
- To avoid passwords for sign-in to Azure AD, Office 365 and other AD FS apps
- To protect password based sign-in by requiring an additional factor such as verification code prior to the password
Microsoft advised organizations to block the use of "legacy authentication protocols" from extranets because they "don't have the ability to enforce MFA." Doing so will help ward off password spray attacks, Microsoft argued.
ADFS users should have an extranet lockout in the Web application proxy. It'll add protection against password brute force attacks.
Microsoft touted the use of its Azure AD Connect Health service as a means for viewing bad user names and password tries by attackers, as recorded in the ADFS logs. Azure AD Connect Health will work with ADFS on both Windows Server 2012 R2 (with KB3134222 installed) and Windows Server 2016.
Lastly, Microsoft that suggested organizations could opt for authentication approaches that don't depend on the use of passwords. Examples include using Windows Hello for Business, using Azure AD MFA as a primary authentication process or through certificate authentication when using ADFS.
"Certificate based authentication allows username/password endpoints to be blocked completely at the firewall," Microsoft's announcement explained.
Password Best Practices
Azure AD runs all passwords through a "banned password checker" to keep end users from creating commonly used versions that get scanned by attackers in password spray attacks. Microsoft plans to add the ability for organizations to create their own custom banned password lists. That capability is at the "limited preview" stage right now, but Microsoft expects to deliver it sometime later this year.
Organizations using hybrid networks with Azure AD also will be getting a new tool to ban certain passwords in list-like approach. It's designed to enforce good practices for password creation no matter where the passwords get created. A "limited private preview" of this feature has been available since last month, but Microsoft is planning a "general availability" release sometime this year.
Microsoft recommended that organizations should start using the new custom banned password tools when they become available to improve the passwords that end users create. Organizations also should avoid commonplace password security practices. For instance, they should quit enforcing regular password changes by end users. It just encourages end users to choose predictable password names, Microsoft argued.
Organizations using accounts managed via the cloud should consider setting passwords to "never expire" to prevent end users from creating "seasonal patterns" in password names, Microsoft also indicated. Other common password practices that Microsoft doesn't favor include requiring the use of multiple and complex character sets for passwords, and requiring long passwords. The rationales for going against the grain in those respects are explained in this "Microsoft Password Guidance" document.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.