Contact us to discuss how we can assist you in your Microsoft Cloud Journey
Today's blog entry comes straight from an excellent post by Alex Simons from the Microsoft Identity Team. In it, he discusses utilising Azure AD to protect against a common form of password attack.
Alex’s post details some interesting authentication discussions and is worthy of a read. Give us a shout at Transparity to discuss your specific environment and how, together, we can ensure your overall security.
As long as we’ve had passwords, people have tried to guess them. In this blog, we’re going to talk about a common attack which has become MUCH more frequent recently and some best practices for defending against it. This attack is commonly called ‘password spray’.
In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers. For example, an attacker will use a commonly available toolkit like Mailsniper to enumerate all of the users in several organisations and then try passwords such as “P@$$w0rd” and “Password1” against all of those accounts.
To give you the idea, an attack might look like this:
| Target User | Target Password |
This attack pattern evades most detection techniques because from the vantage point of an individual user or company, the attack just looks like an isolated failed login.
For attackers, it’s a numbers game: they know that there are some passwords out there that are very common. Even though these most common passwords account for only 0.5-1.0% of accounts, the attacker will get a few successes for every thousand accounts attacked, and that’s enough to be effective.
They use the accounts to get data from emails, harvest contact info, and send phishing links or just expand the password spray target group. The attackers don’t care much about who those initial targets are—just that they have some success that they can leverage.
The good news is that Microsoft has many tools already implemented and available to blunt these attacks, and more are coming soon. Read on to see what you can do now and in the coming months to stop password spray attacks.
In the cloud, there are billions of sign-ins to Microsoft systems every day. Their security detection algorithms allow them to detect and block attacks as they’re happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).
In the cloud, Microsoft use Smart Lockout to differentiate between sign-in attempts that look like they're from the valid user and sign-ins that may be from an attacker. The attacker can then be locked out whilst the valid user continues to use the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.
Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018 —look for this ability to come via Windows Update – (Transparity can assist you to upgrade existing ADFS implementations).
IP lockout works by analysing billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.
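The two points above (an individual account only ever sees one isolated failure, while the source address fails against many distinct accounts in a short window) are easiest to see in code. The following is an added example, not code from the original post or from Microsoft's IP lockout service: it aggregates constructed sign-in records by source IP rather than by user, flags sources that fail against many different accounts inside a time window, and then lists any accounts that did sign in successfully from a flagged source, which is the handful of hits per thousand the attacker is after. The log format, threshold and addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): timestamp, user, source IP, result.
# 203.0.113.7 plays the spray source: one attempt per account across many accounts.
# 198.51.100.20 is alice's own address: a couple of typos, then a successful sign-in.
SAMPLE_SIGNINS = """\
2018-03-01T09:00:01Z alice@example.com 203.0.113.7 FAILURE
2018-03-01T09:00:03Z bob@example.com 203.0.113.7 FAILURE
2018-03-01T09:00:05Z carol@example.com 203.0.113.7 FAILURE
2018-03-01T09:00:07Z dave@example.com 203.0.113.7 SUCCESS
2018-03-01T09:00:09Z erin@example.com 203.0.113.7 FAILURE
2018-03-01T09:00:11Z frank@example.com 203.0.113.7 FAILURE
2018-03-01T09:01:00Z alice@example.com 198.51.100.20 FAILURE
2018-03-01T09:01:10Z alice@example.com 198.51.100.20 FAILURE
2018-03-01T09:01:20Z alice@example.com 198.51.100.20 SUCCESS
""".splitlines()


def parse_signin(line):
    """Split one constructed log line into (timestamp, user, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def per_user_failure_counts(lines):
    """The per-account view: how many failures each user saw. A spray victim
    shows a single failure here, indistinguishable from a mistyped password."""
    counts = defaultdict(int)
    for _, user, _, result in map(parse_signin, lines):
        if result == "FAILURE":
            counts[user] += 1
    return dict(counts)


def find_spray_sources(lines, window=timedelta(minutes=10), min_distinct_users=5):
    """The per-source view: return {ip: set_of_users} for every source IP whose
    failures hit at least `min_distinct_users` different accounts within `window`.
    Threshold and window are assumptions chosen for this example."""
    events = sorted(parse_signin(line) for line in lines)
    failures_by_ip = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged


def successes_from_flagged(lines, flagged):
    """Accounts that signed in successfully from a flagged source: the spray
    hits that warrant a password reset and an investigation of the session."""
    return {
        user for _, user, ip, result in map(parse_signin, lines)
        if result == "SUCCESS" and ip in flagged
    }


if __name__ == "__main__":
    print("per-user failures:", per_user_failure_counts(SAMPLE_SIGNINS))
    sources = find_spray_sources(SAMPLE_SIGNINS)
    print("spray sources:", sources)
    print("likely compromised:", successes_from_flagged(SAMPLE_SIGNINS, sources))
```

Run against the constructed records, the per-user view reports one failure for bob, carol, erin and frank and three for alice (her own two typos plus the spray attempt), none of which looks alarming on its own; the per-source view flags 203.0.113.7 for failing against five distinct accounts inside the window, and dave's account is the one that accepted the sprayed password. Alice's own address, with repeated failures against a single account, is the brute-force shape that Smart Lockout handles and is correctly left alone here.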
Now available in public preview, Attack Simulator, as part of Office 365 Threat Intelligence, enables O365 customers to launch simulated attacks on their own end users and determine how their users behave in the event of an attack. Policies can then be updated and security tools and measures put in place to protect the organisation from threats like password spray attacks.
A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something in addition to just a password to distinguish between the account owner and the attacker. The three ways to do this are below.
Azure AD Identity Protection uses the sign-in data mentioned above and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys.
For even more security, you can use Azure MFA to require multi-factor authentication for your users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to more frequently perform multi-factor authentication, it provides the most security for your enterprise. This should be enabled for every admin in an organization.
In ADFS 2016, you have the ability to use Azure MFA as primary authentication for password-less authentication. This is a great tool to guard against password spray and password theft attacks: if there's no password, it can't be guessed. This works great for all types of devices with various form factors. Additionally, you can now use password as the second factor only after your OTP (one-time-password) has been validated with Azure MFA.
Even with all the above, a key component of password spray defense is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.
In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. Microsoft build the list of the most commonly attacked passwords and update it frequently.
To make banned passwords even better, Microsoft are going to allow tenants to customise their banned password lists. Admins can choose words common to their organisation—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so you don’t have to choose one or the other. This feature is in limited preview now and will be rolling out later this year.
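To make the fuzzy-matching and l33t-sp3@k points concrete, and to show how a tenant's own terms are enforced on top of a global list rather than instead of it, here is an added example; it is not Microsoft's banned password checker or its list, and the global words, substitution table and tenant terms are all illustrative assumptions. The checker normalises a candidate password (lower-case, common symbol and digit substitutions undone) and rejects it if any banned word appears anywhere inside the normalised form.

```python
# Constructed global banned list: illustrative only, not Microsoft's actual list.
GLOBAL_BANNED = {"password", "letmein", "qwerty", "welcome", "iloveyou"}

# Substitutions undone before matching, so "P@$$w0rd" normalises to "password".
# The table is an assumption for this example; a real checker would use a fuller one.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a",
    "$": "s", "5": "s",
    "0": "o",
    "1": "i", "!": "i",
    "3": "e",
    "7": "t",
    "|": "l",
})


def normalise(password):
    """Lower-case the candidate and undo the common letter substitutions."""
    return password.lower().translate(LEET_MAP)


def effective_banned(tenant_terms):
    """Global list plus the tenant's custom terms (company name, products,
    locations...), with the custom terms normalised the same way as candidates."""
    return GLOBAL_BANNED | {normalise(term) for term in tenant_terms}


def check_password(password, tenant_terms=()):
    """Return (accepted, matched_word). Fuzzy match: the candidate is rejected
    if any banned word is a substring of its normalised form, so appending a
    year or a symbol to a banned word does not help."""
    norm = normalise(password)
    for word in sorted(effective_banned(tenant_terms), key=len, reverse=True):
        if word in norm:
            return False, word
    return True, None


if __name__ == "__main__":
    tenant = ["Contoso", "Fabrikam"]  # constructed tenant-specific terms
    for candidate in ["P@$$w0rd", "Password1", "C0ntoso!2018", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, tenant)}")
```

With the constructed lists, "P@$$w0rd" and "Password1" both normalise to something containing "password" and are rejected by the global list, "C0ntoso!2018" is rejected by the tenant's custom term even though it is not on the global list, and a long passphrase with no banned word in it is accepted. Normalising the tenant terms at list-build time keeps the comparison symmetric, so an admin entering "C0ntoso" and one entering "Contoso" get the same enforcement.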
In addition, this spring Microsoft will be launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronised from the cloud to your on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes her password. This launched to limited private preview in February 2018 and will go to General Availability (GA) this year.
A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behaviour. For example, requiring certain character types and periodic password changes both result in specific password patterns. Read Microsoft’s password guidance whitepaper for more detail. If you’re using Active Directory with PTA or ADFS, update your password policies. If you’re using cloud managed accounts, consider setting your passwords to never expire.
If you’re using hybrid authentication with ADFS and Active Directory, there are more steps you can take to secure your environment against password spray attacks.
The first step: for organisations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible. The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout.
Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.
If you do not have extranet lockout in place at the ADFS Web Application proxy, you should enable it as soon as possible to protect your users from potential password brute force compromise.
Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives you additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.
To deploy, download the latest version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed or Windows Server 2016.
Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:
If you’re a Microsoft account user:
Password spray is a serious threat to every service on the Internet that uses passwords, but taking the steps in this blog will give you maximum protection against this attack vector. Additionally, because many kinds of attacks share similar traits, these are good protection measures regardless of the specific attack. Microsoft's stance is that your security is always their utmost priority, and Microsoft are continually working hard to develop new, advanced protections against password spray and every other type of attack out there.
We would be pleased to discuss the challenges and options available to you with migrating data to Azure
Contact Tim Hannibal or David Jobbins at:
Tel: 01202 800000