Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Azure AD Password Protection’ Category

(2019-08-01) Moving Towards The Password-Less Concept – One Heck Of A Journey And Badly Needed

Posted by Jorge on 2019-08-01


Passwords are inherently weak, and every place they are used weakens an infrastructure further. Any org should therefore move away from passwords wherever it can, for example by preventing their use and relying on SSO and/or other, more secure authentication mechanisms instead. In other words: adopt the "Password-Less" concept. For those scenarios that cannot adopt "Password-Less" (yet), passwords must be strengthened and better secured, both at rest and in transit. In today's world "identity" is the key control plane, so protecting the identity and everything related to it is of utmost importance. Weak passwords present unacceptable security risks to any org. We all know that, don't we?! Now you need to act and secure yourself as best as possible.

Going password-less is a journey on its own, and implementing the concept could mean, for example (NOT an exhaustive list, and in random order!):

  • Ban "weak/common" words from being used in passwords, using Azure AD Password Protection and/or LithNet Password Protection For Active Directory (LPP) (the last one is free and its feature set is huge!)
  • Check AD for weak passwords and weak account configurations and follow up with risk-mitigating actions. This can be done through LPP, DSInternals and generic LDAP queries
  • Help and educate users on using, storing, generating and sharing/distributing passwords and on keeping them unique, both for less frequently used (complex and long) passwords and for regularly used ones (passphrases). Preferably use machine-generated passwords, as those have no human logic in them, or use (long) passphrases, or bang your head against the keyboard multiple times while holding the SHIFT key on and off (the last one, kidding!). People tend to build some logic or sequence into passwords to avoid forgetting long passwords and to make them unique
  • Move service accounts in AD from regular service accounts to:
    • Group Managed Service Accounts if possible
    • …and if that's not possible, have a password vault store, manage and change the passwords on a regular basis
    • …and if that's not possible, keep using regular service accounts with long and unique passwords
  • If possible, increase the password length to a minimum of 15 characters for users
  • Move away from periodic password changes to risk-based password changes (e.g. through Azure AD Identity Protection)
  • Use strong and unique passwords for every individual system/site that does not support SSO (the strength of a password is mostly determined by its length: the longer, the better!)
  • Securely store passwords in an MFA-enabled password manager/vault that is available on both your desktop and mobile device(s)
  • Make Self-Service Password Reset available to users for those occasions where the password is needed but the user has forgotten it or has been locked out
  • When using ADFS, implement the extranet lockout policy
  • Only use HTTPS connections (at least TLS 1.2) in your environment and do not use HTTP
  • Update systems, tools and scripts to NOT set weak/generic/well-known password or account configurations (e.g. LM hashes, Password Not Required, Password Never Expires, etc.)
  • Decrease the use of passwords as much as possible by:
    • Implementing SSO
    • Implementing password-less authN for Windows computers (e.g. Windows Hello for Business) and removing password-based authN if possible
    • Implementing password-less authN for mobile devices (e.g. Azure AD MFA + Authenticator App notifications and OTPs) as primary authN, preferably with at least 2 factors during that primary authN, or implementing password authN as secondary authN (when using ADFS)
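Two items in the list above lend themselves to a quick self-check: finding accounts with the weak configurations named (Password Not Required, Password Never Expires, reversible encryption, DES-only Kerberos) and verifying the 15-character minimum. The script below is an added example written for this page, not code from the original post; it assumes the ActiveDirectory PowerShell module, read access to the domain, and Windows PowerShell. The LDAP bitwise matching rule OID 1.2.840.113556.1.4.803 and the userAccountControl flag values are the documented ones.

```powershell
# Added example (not from the post): audit AD for the weak account
# configurations named in the list, using generic LDAP bitwise filters.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl flag values (UF_* constants)
$UAC = @{
    PASSWD_NOTREQD             = 0x0020    # "Password Not Required"
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080    # reversible encryption (cleartext-equivalent at rest)
    DONT_EXPIRE_PASSWORD       = 0x10000   # "Password Never Expires"
    USE_DES_KEY_ONLY           = 0x200000  # Kerberos limited to DES
}
# LDAP_MATCHING_RULE_BIT_AND, so the flag test runs on the DC, not client-side
$BitAnd = '1.2.840.113556.1.4.803'

function Get-WeakAccountConfiguration {
    param([string]$Server = (Get-ADDomain).DNSRoot)

    foreach ($flag in $UAC.GetEnumerator()) {
        # Enabled user objects only: ACCOUNTDISABLE (0x2) must NOT be set
        $filter = "(&(objectCategory=person)(objectClass=user)" +
                  "(userAccountControl:$BitAnd:=$($flag.Value))" +
                  "(!(userAccountControl:$BitAnd:=2)))"
        Get-ADUser -LDAPFilter $filter -Server $Server `
                   -Properties userAccountControl, PasswordLastSet, LastLogonDate |
            ForEach-Object {
                [pscustomobject]@{
                    Finding         = $flag.Key
                    SamAccountName  = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    LastLogonDate   = $_.LastLogonDate
                }
            }
    }
}

function Test-MinimumPasswordLength {
    param([int]$Required = 15)   # the minimum suggested in the list
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Policy    = 'Default Domain Policy'
        MinLength = $default.MinPasswordLength
        Compliant = $default.MinPasswordLength -ge $Required
    }
    # Fine-grained password policies override the default for their members
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{
            Policy    = $_.Name
            MinLength = $_.MinPasswordLength
            Compliant = $_.MinPasswordLength -ge $Required
        }
    }
}

Get-WeakAccountConfiguration | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
Test-MinimumPasswordLength    | Format-Table -AutoSize
```

Each finding row carries PasswordLastSet and LastLogonDate so that stale accounts (never logged on, password set years ago) can be disabled outright rather than just re-configured. LM hash presence is deliberately not covered here; that needs hash-level access via a tool such as DSInternals, as the list mentions.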

Additional Resources:

Hope this helps you!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


Posted in Active Directory Domain Services (ADDS), Active Directory Federation Services (ADFS), Azure AD MFA Adapter, Azure AD Password Protection, Kerberos AuthN, Microsoft Authenticator App, Multi-Factor AuthN, NTLM AuthN, Password-Less, Security, Self-Service Password Reset, SSO, WH4B, Windows Azure Active Directory, Windows Client, Windows Integrated AuthN

(2018-10-26) Running The Azure AD Password Protection Summary Report May Generate An Error

Posted by Jorge on 2018-10-26


When on one of the Azure AD Password Protection Proxy servers, you can generate an Azure AD Password Protection Summary report through one of the following commands:

Targeting a specific DC:

Get-AzureADPasswordProtectionSummaryReport -DomainController <RWDC FQDN>

Targeting all DCs in a specific AD Domain:

Get-AzureADPasswordProtectionSummaryReport -Domain <AD DOMAIN FQDN>

Targeting all DCs in a specific AD Forest:

Get-AzureADPasswordProtectionSummaryReport -Forest <AD FOREST FQDN>

Targeting all DCs in the local AD Forest:

Get-AzureADPasswordProtectionSummaryReport

So, whatever your targeted scope is, if all DCs have the Azure AD Password Protection DC Agent installed, they will also have the corresponding event logs, which you can list with:

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}

Figure 1: All The Azure AD Password Protection DC Agent Event Logs On An RWDC

…and for completeness, the same query on the Azure AD Password Protection Proxy servers:

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}

Figure 2: All The Azure AD Password Protection Proxy Event Logs On The Proxy Servers

However, if you see errors similar to the one below…

Figure 3: Error When Generating The Azure AD Password Protection Summary Report Against Targeted DCs

…then the targeted event logs are missing. And if the event logs are missing, the Azure AD Password Protection DC Agent is most likely not installed on that RWDC.

Solution? Install the Azure AD Password Protection DC Agent on the RWDC that throws the error.

Please be aware that querying for DCs that have the Service Connection Point (SCP) registered in AD may not be accurate. Why? If you installed the Azure AD Password Protection DC Agent and then uninstalled it, for whatever reason, the SCP for that RWDC is not cleaned up during the uninstall. Also be aware that if you forcibly removed any DC and did not clean up its metadata, the summary report will try to reach an RWDC that does not exist anymore.

Although more work, the most accurate way is to check, against every RWDC, for any of the following:

  • Whether the Azure AD Password Protection DC Agent product is installed (Get-WmiObject -Class win32_product -Filter "Name like 'Azure AD Password Protection DC Agent'")
  • Whether the Azure AD Password Protection DC Agent service is installed (Get-Service AzureADPasswordProtectionDCAgent)
  • Whether the Azure AD Password Protection DC Agent event logs exist (Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"})
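Running those checks one DC at a time gets old quickly in a multi-domain forest. The script below is an added example for this page, not code from the post or from Microsoft: it enumerates every writable DC in the forest and applies the service and event log checks from the list, with a reachability test first so that stale metadata of a forcibly removed DC shows up as "unreachable" instead of a cryptic remoting error. It assumes the ActiveDirectory module, Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7) and remote Service Control Manager / event log access to the DCs; the Win32_Product check is left out because that class triggers a slow MSI consistency check on every run.

```powershell
# Added example (not from the post): forest-wide check for the Azure AD
# Password Protection DC Agent on all RWDCs. Assumes the ActiveDirectory
# module, Windows PowerShell 5.1 and remote SCM/event log access to the DCs.
Import-Module ActiveDirectory

function Get-AadPwdProtectionDcAgentStatus {
    [CmdletBinding()]
    param()

    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        # RWDCs only; the DC agent does not run on RODCs
        $rwdcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain
        foreach ($dc in $rwdcs) {
            $fqdn = $dc.HostName
            $result = [ordered]@{
                Domain           = $domain
                DC               = $fqdn
                Reachable        = $false
                ServiceInstalled = $false
                EventLogsPresent = $false
                Status           = 'Unknown'
            }

            # A DC that was force-removed without metadata cleanup lands here
            if (-not (Test-Connection -ComputerName $fqdn -Count 1 -Quiet)) {
                $result.Status = 'Unreachable - check for stale DC metadata'
                [pscustomobject]$result
                continue
            }
            $result.Reachable = $true

            # Check 1: the DC agent service exists (any state)
            $svc = Get-Service -Name AzureADPasswordProtectionDCAgent -ComputerName $fqdn -ErrorAction SilentlyContinue
            $result.ServiceInstalled = [bool]$svc

            # Check 2: the agent's event logs exist (same wildcard as the post's query)
            $logs = Get-WinEvent -ListLog '*AzureADPasswordProtection*' -ComputerName $fqdn -ErrorAction SilentlyContinue
            $result.EventLogsPresent = [bool]$logs

            $result.Status = if ($result.ServiceInstalled -and $result.EventLogsPresent) {
                "Agent installed (service $($svc.Status))"
            } elseif ($result.ServiceInstalled -or $result.EventLogsPresent) {
                'Partial - agent install/uninstall may be incomplete'
            } else {
                'Agent missing - summary report will fail for this DC'
            }
            [pscustomobject]$result
        }
    }
}

Get-AadPwdProtectionDcAgentStatus | Format-Table -AutoSize
```

Any DC that reports "Agent missing" is a candidate for the error shown in Figure 3, and any "Unreachable" DC is where to start the metadata cleanup the post mentions.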

Cheers,
Jorge


Posted in Azure AD Password Protection, Windows Azure Active Directory

(2018-10-25) When Installing The Azure AD Password Protection DC Agent Generates An Error

Posted by Jorge on 2018-10-25


If you are installing the Azure AD Password Protection DC Agent on an RWDC and you receive the following error…

Figure 1: An Error: The Azure AD Password Protection DC Agent Setup Wizard Ended Prematurely

…execute the AADPwdProtection\AzureADPasswordProtectionDCAgent.msi with the following options:

MSIEXEC /i AzureADPasswordProtectionDCAgent.msi /log AzureADPasswordProtectionDCAgent.log

After it errors again, open the log file and search for the word ERROR. You will most likely find why it errors. If it has the same cause as mine, you will see something similar to the following:

Dumping MSI properties of interest:
  ‘INSTALLDIR’ = ‘C:\Program Files\Azure AD Password Protection DC Agent\’
  ‘Installed’ = ”
  ‘INSTALLLEVEL’ = ‘1’
  ‘ProductCode’ = ‘{67E66797-A45C-4C3C-B481-554F9F427227}’
  ‘ProductID’ = ”
  ‘ProductName’ = ‘Azure AD Password Protection DC Agent’
  ‘ProductState’ = ‘-1’
  ‘ProductVersion’ = ‘1.2.10.0’
  ‘ProgramFiles64Folder’ = ‘C:\Program Files\’
  ‘Remove’ = ”
  ‘UPGRADINGPRODUCTCODE’ = ”
  ‘BPL_NONUPGRADEABLEAPPFOUND’ = ”
  ‘BPL_STATEMIGRATIONFOLDER’ = ”
Done with MSI property dump
CheckForNonUpgradeableApps – opened Uninstall key with 9 subkeys
CheckForNonUpgradeableApps – a nonupgradeable app was found ‘Azure AD Password Protection DC Agent’ – ‘1.1.10.3’
CustomAction BPL_CheckForNonUpgradeableApps returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 16:30:01: BPL_CheckForNonUpgradeableApps. Return value 3.
Action ended 16:30:01: INSTALL. Return value 3.


In plain English this means you are trying to install a newer version on top of a version that cannot be upgraded. Check the versions. The old version here was installed months ago when I participated in the public preview. Today I wanted to install the officially released version and had forgotten the old version was still installed.

The solution here? Uninstall the old version first, then install the newer version. After both the uninstall and the install, a reboot of the RWDC is required.

To determine whether a version is already installed and, if so, to uninstall it, execute the following commands:

WMIC PRODUCT GET NAME | FIND /I "Azure AD Password Protection DC Agent"

WMIC PRODUCT WHERE NAME="Azure AD Password Protection DC Agent" CALL UNINSTALL

…and if you are a PowerShell junkie, you can also use the following for the uninstall:

$product = Get-WmiObject -Class win32_product -Filter "Name like 'Azure AD Password Protection DC Agent'"

$product

$product.Uninstall() # WARNING: Reboot is immediate, no mercy and no questions asked!!!

After the uninstall and reboot, install the newest AzureADPasswordProtectionDCAgent.msi available from Microsoft.
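The same uninstall-then-install sequence can be scripted so that the reboot is never a surprise. The script below is an added example for this page, not code from the post or from Microsoft. It reads the installed agent from the Uninstall registry key (the same key the MSI log above says it opened) instead of Win32_Product, uninstalls by the ProductCode found there rather than a hardcoded GUID (the GUID in the log belongs to the new 1.2.10.0 package, not the old 1.1.10.3 one), and drives msiexec with /norestart so the RWDC is rebooted when you decide, signalled by exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED). The MSI and log paths are assumptions; the DisplayName is the one shown in the log.

```powershell
# Added example (not from the post): uninstall an old Azure AD Password
# Protection DC Agent and install the new one without an unannounced reboot.
# $NewMsi and $LogDir are assumed paths; adjust them to your environment.
$DisplayName = 'Azure AD Password Protection DC Agent'
$NewMsi      = 'C:\AADPwdProtection\AzureADPasswordProtectionDCAgent.msi'   # assumed path
$LogDir      = 'C:\AADPwdProtection\Logs'                                   # assumed path

function Get-InstalledDcAgent {
    # MSI installs register under Uninstall with the ProductCode as the key name
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName } |
        Select-Object -First 1 DisplayName, DisplayVersion,
                      @{ n = 'ProductCode'; e = { $_.PSChildName } }
}

function Invoke-Msiexec {
    param([string[]]$Arguments, [string]$LogFile)
    # Quiet, no automatic reboot, verbose log; msiexec returns when the action is done
    $args = @($Arguments) + @('/qn', '/norestart', '/log', "`"$LogFile`"")
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'Succeeded' }
        3010    { 'Succeeded - reboot required' }            # ERROR_SUCCESS_REBOOT_REQUIRED
        1603    { "Fatal error 1603 - search $LogFile for 'ERROR'" }
        default { "msiexec exit code $($p.ExitCode) - see $LogFile" }
    }
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$old = Get-InstalledDcAgent
if ($old) {
    "Found $($old.DisplayName) $($old.DisplayVersion) ($($old.ProductCode)) - uninstalling first"
    $r = Invoke-Msiexec -Arguments '/x', $old.ProductCode -LogFile (Join-Path $LogDir 'DCAgent-uninstall.log')
    "Uninstall: $r"
    if ($r -like '*reboot required*') {
        # Same sequence as the post: uninstall, reboot, then install
        'Reboot the RWDC now, then run this script again to install the new version.'
        return
    }
}

if (Test-Path $NewMsi) {
    $r = Invoke-Msiexec -Arguments '/i', "`"$NewMsi`"" -LogFile (Join-Path $LogDir 'DCAgent-install.log')
    "Install: $r"
    Get-InstalledDcAgent   # shows the version now registered
} else {
    "New MSI not found at $NewMsi"
}
```

If the install still fails with 1603, the install log in $LogDir is the place to search for ERROR, exactly as described above.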

Cheers,
Jorge


Posted in Azure AD Password Protection, Windows Azure Active Directory
