Enhanced Password Security Utilising Microsoft Cloud

 In azure, Office 365 Security & Compliance

Todays Blog entry comes straight from an excellent post by Alex Simons from the Microsoft Identity Team…. it it, he discusses utilising AzureAD to protect against a common form of password attack…

Alex’s post details some interesting authentication discussions and is worthy of a read. Give us a shout at Transparity to discuss your specific environment and how, together, we can ensure your overall security.

As long as we’ve had passwords, people have tried to guess them. In this blog, we’re going to talk about a common attack which has become MUCH more frequent recently and some best practices for defending against it. This attack is commonly called ‘password spray’.

In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers. For example, an attacker will use a commonly available toolkit like Mailsniper to enumerate all of the users in several organisations and then try passwords such as “P@$$w0rd” and “Password1” against all of those accounts.

To give you the idea, an attack might look like this:

Target User Target Password
User1@org1.com Password1
User2@org1.com Password1
User1@org2.com Password1
User2@org2.com Password1
User1@org1.com P@$$w0rd
User2@org1.com P@$$w0rd
User1@org2.com P@$$w0rd
User2@org2.com P@$$w0rd

This attack pattern evades most detection techniques because from the vantage point of an individual user or company, the attack just looks like an isolated failed login.

For attackers, it’s a numbers game: they know that there are some passwords out there that are very common. Even though these most common passwords account for only 0.5-1.0% of accounts, the attacker will get a few successes for every thousand accounts attacked, and that’s enough to be effective.

They use the accounts to get data from emails, harvest contact info, and send phishing links or just expand the password spray target group. The attackers don’t care much about who those initial targets are—just that they have some success that they can leverage.

The good news is that Microsoft has many tools already implemented and available to blunt these attacks, and more are coming soon. Read on to see what you can do now and in the coming months to stop password spray attacks.

 

Four easy steps to disrupt password spray attacks

Step 1: Use cloud authentication

In the cloud, there are billions of sign-ins to Microsoft systems every day. Their security detection algorithms allow them to detect and block attacks as they’re happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).

Smart Lockout

In the cloud, Microsoft use Smart Lockout to differentiate between sign-in attempts that look like they’re from the valid user against sign-ins that may be from an attacker. The attachker can then be locked out whilst letting the valid user continue to use the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.

Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018 —look for this ability to come via Windows Update – (Transparity can assist you to upgrade existing ADFS implementations).

IP Lockout

IP lockout works by analysing  billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.

Attack Simulations

Now available in public preview, Attack Simulator as part of Office 365 Threat Intelligence, enables O365 customers to launch simulated attacks on their own end users and determine how their users behave in the event of an attack. Policies can be updated and security tools and measures put in place protect the organisation from threats like password spray attacks.

Things we recommend you do ASAP:

  1. If you’re using cloud authentication, you’re covered
  2. If you’re using ADFS or another hybrid scenario, look for an ADFS upgrade in March 2018 for Smart Lockout
  3. Use Attack Simulator to proactively evaluate your security posture and make adjustments

 

Step 2: Use multi-factor authentication

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something in addition to just a password to distinguish between the account owner and the attacker. The three ways to do this are below.

Risk-based multi-factor authentication

Azure AD Identity Protection uses the sign-in data mentioned above and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys.

Always-on multi-factor authentication

For even more security, you can use Azure MFA to require multi-factor authentication for your users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to more frequently perform multi-factor authentication, it provides the most security for your enterprise. This should be enabled for every admin in an organization.

Azure MFA as primary authentication

In ADFS 2016, you have the ability use Azure MFA as primary authentication for password-less authentication. This is a great tool to guard against password spray and password theft attacks: if there’s no password, it can’t be guessed. This works great for all types of devices with various form factors. Additionally, you can now use password as the second factor only after your OTP (one-time-password) has been validated with Azure MFA.

Things we recommend you do ASAP:

  1. We strongly recommend enabling always-on multi-factor authentication for all admins in your organization, especially subscription owners and tenant admins.
  2. For the best experience for the rest of your users, we recommend risk-based multi-factor authentication, which is available with Azure AD Premium P2 licenses.
  3. Otherwise, use Azure MFA for cloud authentication and ADFS.
  4. In ADFS, upgrade to ADFS on Windows Server 2016 to use Azure MFA as primary authentication, especially for all your extranet access.

 

Step 3: Better passwords for everyone

Even with all the above, a key component of password spray defense is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.

Banned passwords

In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. Microsoft build the list of the most commonly attacked passwords and update it frequently.

Custom banned passwords

To make banned passwords even better, Microsoft are going to allow tenants to customise their banned password lists. Admins can choose words common to their organisation—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so you don’t have to choose one or the other. This feature is in limited preview now and will be rolling out later this year.

Banned passwords for on-premises changes

In addition, this spring Microsoft will be launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronised from the cloud to your on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes her password. This launched to limited private preview in February 2018 and will go to General Availability (GA) this year.

Change how you think about passwords

A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behaviour.  For example, requiring certain character types and periodic password changes both result in specific password patterns. Read Microsoft’s password guidance whitepaper for more detail. If you’re using Active Directory with PTA or ADFS, update your password policies. If you’re using cloud managed accounts, consider setting your passwords to never expire.

Things we recommend you do ASAP:

  1. When it’s released, install the Microsoft banned password tool on-premises to help your users create better passwords.
  2. Review your password policies and consider setting them to never expire so your users don’t use seasonal patterns to create their passwords.

 

Step 4: More awesome features in ADFS and Active Directory

If you’re using hybrid authentication with ADFS and Active Directory, there are more steps you can take to secure your environment against password spray attacks.

The first step: for organisations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible.  The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout.

Block legacy authentication from the Extranet

Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.

Enable ADFS Web Application Proxy Extranet Lockout

If you do not have extranet lockout in place at the ADFS Web Application proxy, you should enable it as soon as possible to protect your users from potential password brute force compromise.

Deploy Azure AD Connect Health for ADFS

Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives you additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.

To deploy, download the latest version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed or Windows Server 2016.

Use non-password-based access methods

Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:

  1. Certificate based authentication allows username/password endpoints to be blocked completely at the firewall.
  2. Azure MFA, as mentioned above, can be used to as a second factor in cloud authentication and ADFS 2012 R2 and 2016. But, it also can be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray.
  3. Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined as well as personal devices via “Add Work or School Account” from the Settings app.

Things we recommend you do ASAP:

  1. Upgrade to ADFS 2016 for faster updates
  2. Block legacy authentication from the extranet.
  3. Deploy Azure AD Connect Health agents for ADFS on all your ADFS servers.
  4. Consider using a password-less primary authentication method such as Azure MFA, certificates, or Windows Hello for Business.

 

Bonus: Protecting your Microsoft accounts

If you’re a Microsoft account user:

  • Great news, you’re protected already! Microsoft accounts also have Smart Lockout, IP lockout, risk-based two-step verification, banned passwords, and more.
  • But, take two minutes to go to the Microsoft account Security page and choose “Update your security info” to review your security info used for risk-based two-step verification
  • Consider turning on always-on two-step verification here to give your account the most security possible.

 

The best defense is… following the recommendations in this blog

Password spray is a serious threat to every service on the Internet that uses passwords but taking the steps in this blog will give you maximum protection against this form of attack vector. Additionally, because many kinds of attacks share similar traits, these are just good protection suggestions, irrespective. Microsoft’s stance is that your security is always their utmost priority, and Microsoft are continually working hard to develop new, advanced protections against password spray and every other type of attack out there.

 

Talk to Transparity

Contact us to discuss how we can assist you in your Microsoft Cloud Journey

Transparity – Securing Your Cloud Journey

We would be pleased to discuss the challenges and options available to you with migrating data to Azure

Contact Tim Hannibal or David Jobbins at:

email: hello@transparity.co.uk

Tel: 01202 800000

Recommended Posts

Leave a Comment