Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Azure AD Password Protection’ Category

(2019-11-03) Azure AD Password Protection (A.k.a. Banned Password List) – Getting Statistics (Part 8)

Posted by Jorge on 2019-11-03


After running for some time in either AUDIT ONLY mode or ENFORCE mode, it is interesting to get some statistics of what your users are doing with regards to the passwords being used. Every RWDC with the Azure AD Password Protection DC Agent installed will evaluate the provided password against the algorithm. Regarding the algorithm see (2019-10-28) Azure AD Password Protection (A.k.a. Banned Password List) – Optimizing The Custom Per Tenant List (Part 6).

On every RWDC with the Azure AD Password Protection DC Agent installed, every password is evaluated, and the outcome is  logged in an event in the event log “\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin”. More detailed info about the events can be found here..

When the PowerShell CMDlet is executed against an RWDC it basically counts the number of events for a specific action and reports that. If you therefore delete events or that RWDC is decommissioned for some reason, the statistics are lost. Remember, there are two modes, each mode has 2 possible actions, and multiple outcomes are possible that contribute to the statistics

Modes:

  • AUDIT ONLY Mode
  • ENFORCE Mode

Actions:

  • Password Change: actor knows old password and provides new password (always the owner of the account, or at least a person that knows the old password)
  • Password (Re)Set: actor does not know or remember old password and sets a new password. This could be an admin on behalf of the user account or an intermediate system (e.g. azure ad sspr or dell sspm or whatever) on behalf of the user and still actioned by the user itself

Statistics

  • PasswordChangesValidated: number of password changes that were validated in either mode
  • PasswordChangeAuditOnlyFailures: in AUDIT ONLY mode, the number of password changes that were validated and the result was not successful
  • PasswordChangeErrors: in ENFORCE mode, the number of password changes that resulted in an error for some reason
  • PasswordChangesRejected: in ENFORCE mode, the number of password changes that resulted in the password being rejecte
  • PasswordSetsValidated: number of password (re)sets that were validated in either mode
  • PasswordSetAuditOnlyFailures: in AUDIT ONLY mode, the number of password (re)sets that were validated and the result was not successfu
  • PasswordSetErrors: in ENFORCE mode, the number of password (re)sets that resulted in an error for some reason
  • PasswordSetRejected: in ENFORCE mode, the number of password (re)sets that resulted in the password being rejected

So how many passwords were correctly validated in either mode:

  • Successful “Password Changes” = PasswordChangesValidated – PasswordChangeAuditOnlyFailures – PasswordChangeErrors – PasswordChangesRejected
  • Successful “Password (Re)Sets” = PasswordSetsValidated – PasswordSetAuditOnlyFailures – PasswordSetErrors – PasswordSetsRejected

So to gather the statistics through an AD forest I have written a script that gathers the statistics from the RWDCs that are part of the specified scope. The script supports, three modes being: forest, domain (specified) and rwdc (specified)! Independent of the scope, it also counts the total of every statistic property and presents it accordingly at the end or in the GridView through a separate entry at the end. You can therefore see the statistics per RWDC and in total. It also provides a CSV file with the info for later use in either Excel, GridView or some other way.

# To Target All RWDCs In The AD Forest

.\AAD-Password-Protection-Statistics.ps1 -scope Forest

OR

# To Target All RWDCs In The Specified AD Domain(s)

.\AAD-Password-Protection-Statistics.ps1 -scope Domain -domains <FQDN Domain 1>,<FQDN Domains 2>,<FQDN Domain N>

OR

# For All Specified RWDCs

.\AAD-Password-Protection-Statistics.ps1 -scope RWDC -servers <FQDN RWDC 1>,<FQDN RWDC 2>,<FQDN RWDC N>

image

image

Figure 1: Creating A Report Of RWDCs With Numbers Regarding Passwords Processed And Evaluated

image

Figure 2: GridView Output With The Same Results

You can download the script from here

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-29) Azure AD Password Protection (A.k.a. Banned Password List) – From Audit Mode To Enforce Mode (Part 7)

Posted by Jorge on 2019-10-29


If you are implementing this correctly, you should configure Azure AD with the banned words and set it initially to AUDIT MODE, install the Azure AD Password Protection Proxy Service on 1 or 2 member servers within the targeted/registered AD forest, install AD Password Protection DC Agent on all the writable DCs in the targeted/registered AD forest. At some point in time you need to move from AUDIT MODE to ENFORCE MODE, but when do you do that?

At its core Azure AD Password Protection will prevent the usage of specific passwords that use words from the global Microsoft list and the custom per tenant list and that have a score that’s lower than the threshold. Therefore putting it in ENFORCE MODE right will hurt your users! Why? If your users have the habit of using weak words and/or words related to your business (that are or end up on the banned lists), you need to educate and communicate to those users NOT to use weak (pass)words. The strength of a password is not related to the number of characters substituted by special or numeric characters. The strength of a password is related to the length of the password. Therefore “mYc00lco3p@ny!” is really not as strong as something like “I really like to w0rk at my cool company!”.

So, while running in AUDIT MODE and at the same time educating/communicating to your users, you already can get some statistics about what users are doing with their passwords when changed or reset (admin or self-service). All new passwords will go throw the password filter and be evaluated. If the password should be blocked, in AUDIT MODE it will not block the password but it will specify in the DC Agent Admin Log (“\Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin”) it would have been blocked in ENFORCE MODE. The user itself is not notified of such potential blocking. After having everything setup and up and running after a week or 2 or so, check the statistics. Compare the amount of “bad passwords” with the amount of “good passwords”. Your eyes will pop out when you see the results! So educate and communicate first! Do not for get to also inform your service desk(s) before moving to ENFORCE MODE

As soon as you move to ENFORCE MODE, it will impact any account in the AD forest that tries to change or reset the password when running in ENFORCE MODE. It will NOT have an impact on existing passwords! With impact I mean: if the provided password is not accepted by Azure AD Password Protection, it will block the user from using it and the user will be notified as such. Unfortunately, the user gets the default “Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain” when updating the password through the GINA. The message may differ however, when using other intermediate systems/

One of the things that I have seen or heart when implementing Azure AD Password Protection, is that people want to understand why a password is not accepted. That is valid because with that in mind they can make a better choice for a new password. Following up that, you might hear something like: “can we publish somewhere which words we do not allow to be used in passwords?”. With this question in mind, please remember that it is not forbidden to use words on the global Microsoft list and/or the custom per tenant list. You just need to make sure the password with one or multiple words is accepted by the scoring algorithm (score of 5 or higher). For more information on that please check (2019-10-28) Azure AD Password Protection (A.k.a. Banned Password List) – Optimizing The Custom Per Tenant List (Part 6).

So to answer the question: “can we publish somewhere which words we do not allow to be used in passwords?”, the answer is: “yes, but it will not help you!”. Why? Because there are 2 lists! The custom per tenant list is managed by you and therefore known to you, but the global Microsoft list is managed by Microsoft and its contents is unknown to the outside world. Nevertheless, the blog post (2019-10-28) Azure AD Password Protection (A.k.a. Banned Password List) – Optimizing The Custom Per Tenant List (Part 6) does provide information on how to check if a password is blocked by the custom per tenant list or the global Microsoft list or both. In other words, there is no value in publishing your list, as it only tells you half of the truth. Nevertheless, you may of course decide different as you see fit.

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-28) Azure AD Password Protection (A.k.a. Banned Password List) – Optimizing The Custom Per Tenant List (Part 6)

Posted by Jorge on 2019-10-28


The main goal of Azure AD Password Protection is to prevent users from using passwords that are (too) common and predictable. Because those passwords are too common or predictable those are always used in attacks like or similar to password spraying. Looking at the past “January2018” is considered complex as it has characters from three out of four character sets. Most likely the next password is “February2018“, etc. The same is true for “Pa$$w0rd”. Those combinations are too easy and nobody is fooled by character substitutions.

Azure AD Password Protection has a specific algorithm and it works like:

  1. Normalize password
    1. all letters in password to lower case (e.g. A->a, B->b, etc.) and compare with banned password list. If true, deny!
    2. Replace special characters to normal letters (e.g. @->a, 1->I, etc.) and compare with banned password list. If true, deny!
  2. Fuzzy matching –> Check the password against the banned password list taking 1 edit distance into account (e.g. "abcdef" vs. "abcdeg"). If true, deny!
  3. Check if password contains:
    1. First Name. If true, deny!
    2. Last Name. If true, deny!
    3. Tenant Name. If true, deny!
  4. If still not denied, calculate the score of the password
    1. Minimum allowed score for passing is 5 points
    2. Check which words on BPL (e.g. motor, cycle, helmet) are in password, assign 1 point for each
      1. Found substrings (“m0torcyc1ehelmetU63”) = 1 point each –> 3 points in this example
    3. For every remaining individual characters, assign 1 point for each character
      1. Found individual characters (“m0torcyc1ehelmetU63”) = 1 point each –> 3 points in this example
    4. Total = 6 points –> PASS

REMARK: if the BPL has the words ”motor”, “cycle” and “motorcycle” and you are trying to use the password “m0torcycleY6k”, it will fail (4 points and not 5 points). In this case it check against the word “motorcycle” instead of “motor” and “cycle”. If the BPL contains 2 or more words that combined also exists as an individual word, it will always prefer to check against the longer word as with it will end up with lower amount of points.

The BPL consists of 2 lists, being the global MSFT list and the custom per tenant list. The custom per tenant list has a maximum of 1000 words, each word must be at least 4 characters long and not be longer than 16 characters. It is also not possible to tweak the algorithm. This is it and that’s what you can use.

With regards to the global MSFT list, which is maintained by MSFT, nobody, except MSFT, knows the content of that list. So when you need to populate the custom per-tenant list how do you know it is not already included in the global MSFT list and you are not wasting valuable space in the custom per-tenant list? Easy answer! You don’t! But, I found a way to test words to determine if those are already included in the global MSFT list or not! THAT will help YOU determine if any of your words are already included in the global MSFT list or not. I even wrote a PowerShell script for that you can use.

Yes I know it is against bad practice! But I did not want to complicate the script to get things done. In general this script requires “Domain Admins” equivalent permissions if you have a single AD domain in your AD forest! If you have multiple AD domains in your AD forest, then it really depends on your scenario which depends between needing “Domain Admins” or needing “Enterprise Admins”. You would just need “Domain Admins” if the executing account of the script is in the same AD domain as the account you are using to test the words against. You would just need “Enterprise Admins” if the executing account of the script is in some other AD domain then the account you are using to test the words against.

To really be concrete about what you need, you need the following:

  • Reset Password” Control Access Right, a.k.a. Extended Right, on the targeted AD user account
  • Permissions to read/query the Microsoft-AzureADPasswordProtection-DCAgent/Admin Event Log

As you can see, either “Domain Admins” or “Enterprise Admins” will get the job done, but I really can imagine if you want to cut down those permissions to delegated rights. Is that possible? Hell yes, it is possible. Feel free to use the contact form to get more info about delegating this. At this point I was just too lazy to write it all down in addition to this.

Other things to note when using Azure AD Password Protection:

  • You cannot change anything in this algorithm. This is it and you need to use as-is
  • Only populate lower version of words. Do not specify upper characters or special character to replace normal characters
  • Changes in Azure AD, may take some hours before those get down to the RWDCs. The easy way to propagate faster is to restart the Azure AD Password Protection DC Agent service on at least 1 RWDC per AD domain. That action makes sure that RWDC triggers the instant download of the newest policies for that AD domain. Remember, although this is a per AD forest registration, the consumption of all this is per AD domain!
  • Something else to note is localization. Unfortunately it is not fully localized (English Only). For example, it prohibits "welkom" and allows "wachtwoord", while it denies both "password" and "welcome". Weird, but true.
  • Another unfortunate thing is that it does not integrate directly with external solutions such as “Have I Been Pwned”. MSFT however may have some integration in the background where the newest compromised password are included. Unfortunately, nobody knows, except MSFT. You can check the latest version of the global MSFT list after restarting the Azure AD Password Protection DC Agent service as at that point in time it will specify in the Microsoft-AzureADPasswordProtection-DCAgent/Admin event log which policy date version is being used for the global MSFT list and the custom per tenant list.
  • Not easy to test passwords against it (please do continue reading!)

As mentioned earlier I found a way to check candidate words for the custom per-tenant list and check if those are already on that list and/or on the global MSFT list.

This is what you need:

  • Create an input text file with all the (new) candidate words for the custom per tenant list
  • Create an user account in some AD domain in the AD forest that is registered in Azure AD, and make sure that user account is disabled (security measure!)
  • If you want to use delegated permissions instead of the Domain/Enterprise Admins “will always work” permissions, you need at least the following delegated permissions
    • Reset Password” Control Access Right, a.k.a. Extended Right, on the targeted AD user account
    • Permissions to read/query the Microsoft-AzureADPasswordProtection-DCAgent/Admin Event Log
  • Create a PSO that allows a minimum password length of 7 characters (minimum word length of 4 + 3 additional characters)
  • Assign the user account directly to that PSO
  • ActiveDirectory PowerShell CMDlets

image

Figure 1: Example Details Of The AD User Account To Test Words Against

image

Figure 2: Example Details Of The AD User Account To Test Words Against

.\AAD-Password-Protection-Check-Custom-AAD-Banned-Word-List.ps1 –accountName <Domain FQDN>\<sAMAccountName> -inputFileWordsFullPath <Input File With Candicate Words To Test>

image

Figure 3: PowerShell Script That Checks Every Word In The Input File And Reports On It

You can download the script from here

Have fun!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-26) Azure AD Password Protection (A.k.a. Banned Password List) – Checking The DC Agent Status (Part 5)

Posted by Jorge on 2019-10-26


As you deploy RWDCs, you need to make sure all have the Azure AD Password Protection DC Agent installed, and preferably the latest version. Although the Azure AD Password protection Proxy Service component supports autoupgrade, the Azure AD Password Protection DC Agent DOES NOT. It will log an event in the Azure AD Password Protection DC Agent Operational Event Log. With that information you need to download the latest version from here and you can check the version history here. To create a report of RWDCs that have the Azure AD Password Protection DC Agent with some other info, and RWDCs that DO NOT have it installed, what the OS is and if the minimum required .NET Framework version is installed, you can use the following PowerShell script. The script supports, three modes being: forest, domain (specified) and rwdc (specified)! Now be aware that this check script only reports the correct information about an RWDC if the RWDC has been rebooted after the installation of the Azure AD Password Protection DC Agent .

# To Target All RWDCs In The AD Forest

.\AAD-Password-Protection-Install-DC-Agent-Check.ps1 -scope Forest

OR

# To Target All RWDCs In The Specified AD Domain(s)

.\AAD-Password-Protection-Install-DC-Agent-Check.ps1 -scope Domain -domains <FQDN Domain 1>,<FQDN Domains 2>,<FQDN Domain N>

OR

# For All Specified RWDCs

.\AAD-Password-Protection-Install-DC-Agent-Check.ps1 -scope RWDC -servers <FQDN RWDC 1>,<FQDN RWDC 2>,<FQDN RWDC N>

image

image

image

   

Figure 1: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent Before The Reboot (Scope: Forest)

image

Figure 2: GridView Output Before The Reboot

Based upon the output displayed above I can say the following:

  • This is a disconnected AD forest with no connection to Azure AD. That’s why some RWDCs that are all green still have “Not Registered/Unknown” for the Azure AD Tenant.
  • For all those cases where you can see the version installed and the version registered do not match (“Not Registered/Unknown”), that’s because those RWDCs have not been rebooted yet after installing the Azure AD Password Protection Agent for the first time!
  • For all those cases where you can see the version installed and the version registered do not match (numeric version mismatch), that’s because those RWDCs have not been rebooted yet after upgrading the Azure AD Password Protection Agent

After rebooting all RWDCs, it looks like:

image

image

image

Figure 3: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent After The Reboot (Scope: Forest)

image

Figure 4: GridView Output After The Reboot

  image

Figure 5: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent (Scope: Domain)

image

Figure 6: Creating A Report Of RWDCs With And Without The Azure AD Password Protection DC Agent (Scope: RWDC)

You can download the script from here

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-24) Azure AD Password Protection (A.k.a. Banned Password List) – Deploy The DC Agent (Part 4)

Posted by Jorge on 2019-10-24


In addition to configure Azure AD, the Azure AD Password Protection DC Agent needs to be installed on every writable domain controller in the AD domain. As read-only domain controllers do not process passwords by themselves, there is no need to install Azure AD Password Protection DC Agent on them. The Azure AD Password Protection DC Agent is nothing more than a password filter that will evaluate the password provided by the user.

To install the Azure AD Password Protection DC Agent, you can use the following PowerShell code which will configure a log file and some nice output. For additional requirements, please see Azure AD Password Protection – Deployment Requirements. Please be aware that the following PowerShell script target RWDCs based upon the scope (forest, domain, rwdc) you define in the parameters. With the forest scope it will enumerate all AD domains in the AD forest and then for every AD domain enumerate all writable domain controllers and try to install the software on each writable domain controller. With the domain scope it will enumerate all RWDCs of the specified AD domains and try to install the software on each writable domain controller. With the rwdc scope it will target the specified RWDCs. In all cases it will if Enterprise Admin credentials are available. If will always check if an AD domain or RWDC actually exists and in the latter case it will also check if it can connect to the RWDC. Installing the DC Agent requires a restart of the targeted RWDC(s). The code DOES NOT do that. You still need to do that by yourself! As an added bonus it checks if the minimum required .NET Framework is installed or not.

To download the latest version: Azure AD Password Protection for Windows Server Active Directory

To read about the version history and release notes: Azure AD Password Protection agent version history

# For All RWDCs In The AD Forest

.\AAD-Password-Protection-Install-DC-Agent.ps1 -scope Forest -installSourceFullPath "<Full Path To AzureADPasswordProtectionDCAgentSetup.msi>"

OR

# For All RWDCs In The Specified AD Domain(s)

.\AAD-Password-Protection-Install-DC-Agent.ps1 -scope Domain -domains <FQDN Domain 1>,<FQDN Domains 2>,<FQDN Domain N> -installSourceFullPath "<Full Path To AzureADPasswordProtectionDCAgentSetup.msi>"

OR

# For All Specified RWDCs

.\AAD-Password-Protection-Install-DC-Agent.ps1 -scope RWDC -servers <FQDN RWDC 1>,<FQDN RWDC 2>,<FQDN RWDC N> -installSourceFullPath "<Full Path To AzureADPasswordProtectionDCAgentSetup.msi>"

image

image

image

Figure 1: Installing The Azure AD Password Protection DC Agent (Scope: Forest)

image

Figure 2: GridView Output

image

Figure 3: Installation Log File Sample

image

Figure 4: Installing The Azure AD Password Protection DC Agent (Scope: Domain)

image

Figure 5: Installing The Azure AD Password Protection DC Agent (Scope: RWDC)

You can download the script from here

Unlike what the version history says, Azure AD Password Protection DC Agent software still uses an MSI. Nevertheless, the PowerShell code supports both an EXE and an MSI. The Azure AD Password Protection DC Agent does not support automatic upgrade like the Azure AD Password Protection Proxy Service does. However, the Azure AD Password Protection DC Agent will log an event ID 30034 in the Azure AD Password Protection DC Agent Operational Event Log mentioning there is a newer version available. You can then use this script if you want to redeploy/upgrade the Azure AD Password Protection DC Agent.

And if you require to UNinstall the Azure AD Password Protection DC Agent, then you can use the following on a single RWDC (I only provide the code and no script. However, if you want to you can leverage the code and logic above to execute the part below instead!)

WMIC PRODUCT WHERE NAME="Azure AD Password Protection DC Agent" CALL UNINSTALL

OR

$product = Get-WmiObject -Class win32_product -Filter "Name like ‘Azure AD Password Protection DC Agent’"

$product

$product.Uninstall() # WARNING: Reboot is immediate, no mercy and no questions asked!!!

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-22) Azure AD Password Protection (A.k.a. Banned Password List) – Deploy The Proxy Service (Part 3)

Posted by Jorge on 2019-10-22


As it is not desirable to have DCs communicate directly with anything on the internet, the Azure AD Password Protection solution provides a Azure AD Password Protection Proxy Service that acts as an intermediate between the Azure AD Password Protection DC Agents on the DCs and Azure AD. Per AD forest you can implement 2 servers with the Azure AD Password Protection Proxy Service installed.

To install the Azure AD Password Protection Proxy Service, you can use the PowerShell script which will configure use a log file and some nice output. For additional requirements, please see Azure AD Password Protection – Deployment Requirements.

To download the latest version: Azure AD Password Protection for Windows Server Active Directory

To read about the version history and release notes: Azure AD Password Protection agent version history

.\AAD-Password-Protection-Install-Proxy-Service.ps1 –servers <FQDN Server 1>,<FQDN Server 2> -installSourceFullPath "<Full Path To AzureADPasswordProtectionProxySetup.exe>"

image

Figure 1: Installing The Azure AD Password protection Proxy Service

image

Figure 2: GridView Output

image

Figure 3: Installation Log File Sample

You can download the script from here

Just before version 1.2.116.0 Azure AD Password Protection Proxy Service software was an MSI and starting with that version it is an EXE. That’s why the code above supports both.

With version 1.2.116.0 and higher the Azure AD Password Protection Proxy Service software supports automatic upgrade, which is enabled by default.

image

Figure 2: Checking The Azure AD Password Protection Proxy Service Configuration

To disable automatic upgrade, you can use the following command:

Set-AzureADPasswordProtectionProxyConfiguration -AutoUpgradeEnabled $false

… and to enable it again:

Set-AzureADPasswordProtectionProxyConfiguration -AutoUpgradeEnabled $true

If auto upgrade is disabled, the Azure AD Password Protection Proxy Service will log an event ID 20002 in the Azure AD Password Protection Proxy Service Operational Event Log mentioning there is a newer version available. With auto upgrade enabled, nothing is logged about a newer version.

After installing the Azure AD Password Protection Proxy Service for the first time or after installing version 1.2.116.0 or higher, you need to (re-)register both the Azure AD Password Protection Proxy Service and the on-premises AD forest in Azure AD.

To register the Azure AD Password Protection Proxy Service in Azure AD:

$adAdminAccount = Get-Credential

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionProxy -ForestCredential $adAdminAccount -AzureCredential $aadAdminAccount

If you are already logged on with an Enterprise Admin account for AD, then register the Azure AD Password Protection Proxy Service in Azure AD as follows:

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionProxy -AzureCredential $aadAdminAccount

To register the on-premises AD forest in Azure AD:

$adAdminAccount = Get-Credential

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionForest -ForestCredential $adAdminAccount -AzureCredential $aadAdminAccount

If you are already logged on with an Enterprise Admin account for AD, then register the on-premises AD forest in Azure AD as follows:

$aadAdminAccount = Get-Credential

Register-AzureADPasswordProtectionForest -AzureCredential $aadAdminAccount

And if you require to UNinstall the Azure AD Password Protection Proxy Service, then you can use the following

WMIC PRODUCT WHERE NAME="Azure AD Password Protection Proxy" CALL UNINSTALL

OR

$product = Get-WmiObject -Class win32_product -Filter "Name like ‘Azure AD Password Protection Proxy’"

$product

$product.Uninstall() # WARNING: Reboot is immediate, no mercy and no questions asked!!!

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-20) Azure AD Password Protection (A.k.a. Banned Password List) – The Configuration (Part 2)

Posted by Jorge on 2019-10-20


The concept of Azure AD Password Protection is very simple but yet so effective. With regards to simplicity, it also applies to its configuration. No configuration is required on-premises except deploying software and making sure the components can communicate with each other and with Azure AD (proxy service only!). The complete configuration of this interesting feature is completely done in Azure AD.

To access its configuration:

  • Navigate to the Azure AD Portal (https://portal.azure.com/) or use the Azure AD Portal app
  • Login with an admin account that has the Global Administrator role
  • In the first left pane click on “Azure Active Directory”
  • In the second pane from the left click on “Security”
  • In the second pane from the left click on “Authentication Methods”
  • In the second pane from the left click on “Password Protection”

You should now see something similar to the following

image

Figure 1: The Azure AD Password Protection Configuration Page

The “Custom Smart Lockout” settings only apply Azure AD native authN, not for on-premises authN as AD policies (GPO or PSO and PSO) govern that part. The settings that govern Azure AD Password Protection are in the section “Custom Banned Password”. These settings apply to both native Azure AD authN and on-premises authN.

“Enforce Custom List”: this tells Azure AD to also use the custom per tenant list in addition to the global Microsoft list

“Custom Banned Password List”: if the previous settings has been configured with “YES”, you will be able to define a custom per tenant list. Remember: word length 4 or more and 16 or less characters, with a maximum of 1000 words

If you want to use Azure AD Password Protection for the on-premises Active Directory, you need to configured the settings in the section “Password Protection For Windows Server Active Directory”.

“Enable Password Protection On Windows Server Active Directory”: enable or disable Azure AD Password Protection for the on-premises Active Directory

“Mode”: Configure Azure AD Password Protection for the on-premises Active Directory in either “Audit Mode” or “Enforce Mode’

In a later blog post, I’ll describe more about optimizing the custom list of banned words and moving from “Audit Mode” to “Enforce Mode”.

As soon as you change anything in the Azure AD, the on-premises DCs need to consume that new configuration. Unfortunately that may take some hours. To speed up the consumption of the configuration, restart the “Azure AD Password Protection DC Agent” service on a DC in each AD domain that is able to communicate with the Azure AD Password Protection Proxy service. The Azure AD Password Protection DC Agent on that DC will fetch the new configuration from Azure AD through the Azure AD Password Protection Proxy Service and put it on the SYSVOL (“<SYSVOL Path>\domain\AzureADPasswordProtection”, was previously “<SYSVOL Path>\domain\Policies\{4A9AB66B-4365-4C2A-996C-58ED9927332D}\AzureADPasswordProtection”, changed with version 1.2.65.0) of the AD domain the DC belongs to. The needs settings then need to be replicated through the SYSVOL every other DC in the same AD domain and be consumed by every individual DC. Every DC will log event ID 30006 in the “Microsoft-AzureADPasswordProtection-DCAgent/Admin” Event Log. If you need to measure the convergence of your SYSVOL, check out the following blog post: (2014-02-17) Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 3).

clip_image001

Figure 2: A New Azure AD Password Protection Configuration Being Consumed By The DC

The service is now enforcing the following Azure password policy.

Enabled: 1

AuditOnly: 1

Global policy date: ‎2019‎-‎07‎-‎04T00:00:00.000000000Z

Tenant policy date: ‎2019‎-‎08‎-‎08T09:54:22.682255000Z

Enforce tenant policy: 1

Enabled: 1 <—Corresponds to the setting “Enable Password Protection On Windows Server Active Directory” in Azure AD

AuditOnly: 1 <— Corresponds to the setting “Mode” in Azure AD

Global policy date: ‎2019‎-‎07‎-‎04T00:00:00.000000000Z <— Correspond to the last date/time Microsoft updated their global list

Tenant policy date: ‎2019‎-‎08‎-‎08T09:54:22.682255000Z <— Corresponds to the last date/time you updated your per tenant configuration (not just the list of words)

Enforce tenant policy: 1 <— Corresponds to the setting “Enforce Custom List” in Azure AD

Have fun!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-10-18) Azure AD Password Protection (A.k.a. Banned Password List) – At A High Level (Part 1)

Posted by Jorge on 2019-10-18


AD has something like complexity requirements, and that means that C0mpany01 is a strong password. It may have been more than a decade ago, but it is not today. Hackers laugh at passwords like those. Quite some time ago Azure AD introduced something, initially called “Banned Password List (BPL), and called “Azure AD Password Protection” today. This is all about defining a list of words that are considered to be too common to be used in passwords, as those render the password to be weak as well. The list of banned words is defined in Azure AD, by Microsoft (the Global List) and by the owner/admin of the AAD Tenant (Custom Per Tenant List). DCs in the AD forest have a DC agent installed that retrieve the list of banned words through a proxy service. The DCs do not require direct connection to Azure AD. This Azure AD feature is really important to enhance the current use of passwords within organizations.

To read more about the architecture and how it all fits together, please see: Enforce Azure AD password protection for Windows Server Active Directory

Regarding the list of words, there is a global Microsoft list that nobody knows the content of, except Microsoft of course. The global list of banned words is not fully localized (English Only). For example, it prohibits "welkom" (welcome in Dutch), but it allows "wachtwoord" (password in Dutch), while it denies both "password" and "welcome" in English. Weird. In addition to that you can define your own custom list.

When defining that per list you need to take the following characteristics into account:

  • Minimum character length for each word = 4 or higher
  • Maximum character length for each word = 16 or less
  • The custom list supports a maximum of 1000 words

In the next blog post I’ll continue with its configuration.

More Information about this:

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Azure AD Password Protection, Blog Post Series, Passwords, Passwords, Replication, Security, SYSVOL, Windows Azure Active Directory | Leave a Comment »

(2019-08-01) Moving Towards The Password-Less Concept – One Heck Of Journey And Badly Needed

Posted by Jorge on 2019-08-01


Current passwords are potentially weak and any use of those in general further weakens an infrastructure. Preferably any org needs to move away from using passwords as much as possible. This means for example preventing the usage of passwords, and instead use SSO and/or other more secure authentication mechanisms. In other words, the adoption of the "Password-Less" concept. However, for those scenarios that cannot adopt “Password-Less" (yet), passwords must be strengthened or better secured at rest and in transport. In today’s world “identity” is the key control plane. Therefore protecting the “identity” and everything related is of utmost importance. Usage of weak passwords presents unacceptable security risks to any org. We all know that, don’t we?! Now you need to act to secure yourself as best as possible.

Going password-less is a journey on its own and implementing that concept could mean for example (NOT an exhaustive list and also in random order!):

  • Ban “weak/common” words from being used in weak passwords using Azure AD Password Protection and/or LithNet Password Protection For Active Directory (LPP) (last one is free and the feature set is huge!)
  • Check AD for weak passwords and weak accounts configurations and follow up with risk mitigating actions. Can be done through LPP and DS Internals and generic LDAP queries
  • Help and educate users in terms of using, storing, generating, uniqueness, sharing/distributing, etc. for less frequent (complex and long) and regular used (pass phrases) passwords. Preferably use machine generated passwords as those have no human logic in them, or use (long) passphrases or bang your head against the keyboard multiple times while on and off holding the SHIFT key (last one, kidding!) (people tend to implement logic or sequences somehow in passwords to not forget those long passwords and to make them unique)
  • Move service accounts in AD from regular service accounts to:
    • Group Managed Service Accounts if possible
    • …and if that’s not possible have a password vault store, manage and change passwords on a regular basis
    • …and if that’s not possible keep using regular service accounts with long and unique passwords
  • If possible, increase the password length to a minimum of 15 characters for users
  • Move away from periodic password changes to risk based password changes (e.g. through Azure AD Identity Protection)
  • Using strong and unique passwords for every individual system/site not supporting SSO (the strength of a password is mostly determined by its length, the longer the better!);
  • Securely store passwords in an MFA enabled password manager/vault that is available on both your desktop and mobile device(s)
  • Make Self-Service Password Reset available to users for those occasions where the password is needed but the user has forgotten the password or has locked itself out
  • When using ADFS, implement extranet lockout policy
  • Only use HTTPS connections (at least TLS1.2) in your environment and do not use HTTP
  • Update systems, tools, scripts to NOT set weak/generic/well-known password or account configurations (e.g. LM Hashes, Password Not Required, Password Never Expires, etc)
  • Decrease the use of passwords as much as possible by:
    • Implementing SSO
    • Implement password-less authN for Windows computers (e.g. Windows Hello for Business) and remove password based authN if possible
    • Implement password-less authN for mobile devices (e.g. Azure AD MFA + AuthNtor App Notifications And OTPs) as primary authN, preferably with at least 2 factors during that primary authN, or implement password authN as secondary authN (when using ADFS)

Additional Resources:

Hope this helps you!

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Domain Services (ADDS), Active Directory Federation Services (ADFS), Azure AD MFA Adapter, Azure AD Password Protection, Kerberos AuthN, Microsoft Authenticator App, Multi-Factor AuthN, NTLM AuthN, Password-Less, Security, Self-Service Password Reset, SSO, WH4B, Windows Azure Active Directory, Windows Client, Windows Integrated AuthN | Leave a Comment »

(2018-10-26) Running The Azure AD Password Protection Summary Report May Generate An Error

Posted by Jorge on 2018-10-26


When on one of the Azure AD Password Protection Proxy servers, you can generate an Azure AD Password Protection Summary report through one of the following commands:

Targeting a specific DC:

Get-AzureADPasswordProtectionSummaryReport -DomainController <RWDC FQDN>

Targeting all DCs in a specific AD Domain:

Get-AzureADPasswordProtectionSummaryReport -Domain <AD DOMAIN FQDN>

Targeting all DCs in a specific AD Forest:

Get-AzureADPasswordProtectionSummaryReport -Forest <AD FOREST FQDN>

Targeting all DCs in the local AD Forest:

Get-AzureADPasswordProtectionSummaryReport

So, whatever your targeted scope is, if all DCs have have the Azure AD Password Protection DC Agent installed, they will also have the corresponding event logs, which are:

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}

image

Figure 1: All The Azure AD Password Protection DC Agent Event Logs On An RWDC

….and for completeness on the Azure AD Password Protection Proxy servers

Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"}

image

Figure 2: All The Azure AD Password Protection Proxy Event Logs On The Proxy Servers

However, if you see errors similar to the one below…

image

Figure 2: Error When Generating The Azure AD Password Protection Summary Report Against Targeted DCs

…then the targeted event logs are missing. And of the events logs are missing, then the Azure AD Password Protection DC Agent is most likely not installed on the RWDC.

Solution? Install the Azure AD Password Protection DC Agent on the RWDC that throws the error.

Please be aware that querying for DCs that have the Service Connection Point (SCP) registered in AD, may not be accurate. Why? If you installed the Azure AD Password Protection DC Agent and then uninstall it, for whatever reason, the SCP for that RWDC is not cleaned during the uninstall. Also be aware that if you force removed any DC and did not clean up its metadata, you will be trying to reach an RWDC that does not exist anymore when running the summary report.

Although more intense, the most accurate way is checking for any of the following:

  • If the Azure AD Password Protection DC Agent is installed (against every RWDC –> Get-WmiObject -Class win32_product -Filter "Name like ‘Azure AD Password Protection DC Agent’")
  • If the Azure AD Password Protection DC Agent service is installed (against every RWDC –> Get-Service AzureADPasswordProtectionDCAgent)
  • If the Azure AD Password Protection DC Agent is installed (against every RWDC –> Get-WinEvent -ListLog * | ?{$_.LogName -like "*AzureADPasswordProtection*"})

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Azure AD Password Protection, Windows Azure Active Directory | Leave a Comment »

 
%d bloggers like this: