Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-11-06) Azure AD Password Protection (A.k.a. Banned Password List) – Third Party Solution LithNet AD Password Protection (Part 9)

Posted by Jorge on 2019-11-06


In addition to Azure AD Password Protection, of course there are also other third-party solutions. Azure AD Password Protection performs one heck of a job.

Nevertheless, I do believe it would be an even better solution if:

One solution that caught my attention is: LithNet Active Directory Password Protection.

At a high level, its features are:

  • Does NOT have the limits specified above (except bullet 3)
  • Can work alongside the MSFT Password Solution if needed
  • Can run in LSA protected mode (co-signed by Microsoft) (https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
  • Ability to take control of what a good password means to you
  • Fully or partially adopt 2018 NIST password recommendations (https://pages.nist.gov/800-63-3/sp800-63b.html)
    • An eight character minimum and 64 character maximum length
    • The ability to use all special characters but no special requirement to use them
    • Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)
    • Restrict context specific passwords (e.g. such as the name of the service, the username, and derivatives thereof, etc.)
    • Restrict commonly used passwords (e.g. p@ssw0rd, etc.)
    • Restrict passwords obtained from previous breach corpuses
  • Ability to be used against domain accounts and local accounts on workstations and servers
  • Rich set of group policy-based controls that allow to enable any combination of the following checks on attempted password changes (BE CAREFULL WHEN USING MULTIPLE POLICIES AS ONE MIGHT IMPACT THE OTHER!):
    • General settings
      • Disable password filter
    • Regular expression policies
      • Passwords must match regular expression
        AND/OR
      • Passwords must NOT match regular expression
    • Complexity policies
      • Points-based complexity policy definition. Assign points for the use of certain characters and categories and set a minimum point threshold a password must meet.
        Minimum # points required to allow/approve password
        • # Points for each character used
        • # Points for each number used
        • # Points for each lower case letter used
        • # Points for each upper case letter used
        • # Points for each symbol used
        • # Points for at least 1 number used
        • # Points for at least 1 lower case letter used
        • # Points for at least 1 upper case letter used
        • # Points for at least 1 symbol used
      • Length based complexity policy definition. For example, you can require number, symbol, upper and lower for passwords less than 13 characters, but have no special requirements for passwords 13 characters or longer. Reward length, with less complexity.
        REMARK: It is recommended to disable the built-in Active Directory password complexity requirements policy when this policy is enabled.
        REMARK: What happens when the password equals X or Y?)
        • Threshold Level 1 – less than X
          • Total number of character sets required (number, symbol, lower case letter, upper case letter)
          • Exact characters sets required at a minimum:
            • Lower case letter
            • Upper case letter
            • Symbol
            • Number
            • Number or symbol
        • Threshold Level 2 – equal to or longer than X and less than Y
          • Total number of character sets required (number, symbol, lower case letter, upper case letter)
          • Exact characters sets required at a minimum:
            • Lower case letter
            • Upper case letter
            • Symbol
            • Number
            • Number or symbol
        • Threshold Level 3 – equal to or longer than Y
          • Total number of character sets required (number, symbol, lower case letter, upper case letter)
          • Exact characters sets required at a minimum:
            • Lower case letter
            • Upper case letter
            • Symbol
            • Number
            • Number or symbol
      • Minimum password length
        REMARK: It is recommended to disable the built-in Active Directory password complexity requirements policy when this policy is enabled.
    • Password Content Policies
      • Reject passwords that contain the user’s account name (username length must be greater than 3)
      • Reject passwords that contain all or any part of the user’s display name
      • Reject passwords found in the compromised password store (Checks the exact password specified by the user against the list of compromised passwords)
        • Requires the import of the "Have I Been Pwned" (HIBP) password list!
        • Allows for differentiation between CHANGE and RESET
      • Reject normalized passwords found in the compromised password store (normalization rules) (Checks the normalized password specified by the user against the list of compromised passwords)
        • Requires the import of the "Have I Been Pwned" (HIBP) password list!
          AND/OR
        • Requires the addition of your own forbidden passwords!
        • Allows for differentiation between CHANGE and RESET
      • Reject normalized passwords found in the banned word store (Adding a banned word prevents it from being used as the base of a password. For example, adding the word ‘password’ to the banned word store, prevents not only the use of that word itself, but common variants such as ‘P@ssw0rd’, ‘pa55word!’ and ‘password123456!’. LPP is aware of common character substitutions and weak obfuscations and prevents their use through a normalization process.)
        • Requires the import of banned words!
        • Allows for differentiation between CHANGE and RESET
  • Full PowerShell support which is used to;
    • Manage the compromised password and banned word stores. Add your own banned words and compromised passwords, as well as use popular databases such as the haveibeenpwned.com downloadable password list (‘NTLM ordered by hash’ list)
    • Test passwords and existing hashes against the compromised store
    • Check to see if your user’s current passwords in AD are found in the compromised password store (based upon DS Internals!)
  • Passwords never leave the domain controller
  • Designed for large environments where high performance is required
  • Creates detailed event logs (Event Log: "Application", Source: "LithnetPasswordProtection")
  • Uses a DFS-R friendly data store
  • No internet access required
  • No additional servers required for deployment
  • Group policy support

Some numbers regarding the usage of Lith Active Directory Password Protection (Source: https://twitter.com/lithnet_io/status/1154892852184248320?s=12)

  • Australian university, 180000 users, 6 countries
  • Czech Republic and Slovakia, mobile operators, 15000 users
  • 50,000 users, manufacturing. Testing in another forest with 400,000.
  • 1000 user’s. Hospitality industry!
  • Humanitarian company. 14000 users worldwide
  • …and most likely there are more companies using it

More information:

Make sure to give it a try, as this really rocks! Oh and buy Ryan a beer as he really deserves it, looking at the cool stuff he designs and builds and makes it available for others to use.

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: