How to prevent users from using weak passwords
Last week, fellow MVP Nicolas Blank wrote an interesting article called "Having an identity crisis" that discussed all kinds of attacks on your environment. Users tend to choose an easy-to-remember password (which is typically weak and easy to guess), and with a little social engineering user passwords are easy to retrieve, as can be seen in the YouTube clip "What is your password?".
The question is: how do you protect passwords? In Active Directory it is possible to enforce complex passwords, but from an Active Directory point of view "Password123" is complex, and so is "Summer2020". Enforcing a password length of, say, 20 characters should help, one might think, but the result is that users write their complex password on a sticky note. That's not a good idea either.
Azure Active Directory does a better job, since it offers a feature called Password protection. If a user tries to change the password to something that's easy to guess (I have tried 'Summer2020'), an error is raised.
The Password protection feature is available in Azure Active Directory. For cloud-only users the basic functionality is covered by the Azure AD Free license; for synchronized users an Azure AD Premium P1 or P2 license is required.
To access the password protection feature, open the Azure portal (portal.azure.com) and navigate to Azure AD | Security | Authentication Methods. There's not much to configure, as the password protection feature is pre-configured. Azure AD has a global list of banned passwords (which Microsoft keeps secret, for obvious reasons), but there's also a custom list you can use. Here you can enter your own banned passwords (max 100 entries).
Note. The password protection feature normalizes passwords, so Password01, P@ssword01, Passw0rd01 and Password0! are all treated the same and are therefore banned.
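The normalization described in the note above, worked through as an added example that is not part of the post and not Microsoft's implementation (the global list and exact rules are not public). It is written in Python so it runs anywhere; the substitution table, the substring matching and the 5-point score are assumptions modelled on Microsoft's public description of how the feature evaluates a password, and the global list is a constructed stand-in that also enforces the 100-entry custom list limit mentioned above.

```python
# Added illustration of the banned-password evaluation the post describes; NOT
# Microsoft's code (the real global list and exact rules are not public).
# Assumed: lower-casing, four substitutions, substring matching and a 5-point
# score, modelled on Microsoft's public description. Sample lists are constructed.

MAX_CUSTOM_ENTRIES = 100  # limit stated in the post
MIN_SCORE = 5             # assumed acceptance threshold
# Assumed leet-style substitutions applied after lower-casing.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
# Constructed stand-in for the secret global list; Summer2020 is included
# because the post reports it being rejected.
GLOBAL_BANNED = {"password", "summer2020", "welcome"}


def normalize(password: str) -> str:
    """Lower-case and apply the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def build_banned_list(custom_terms) -> set[str]:
    """Merge global and custom lists in normalized form; custom is capped at 100."""
    custom = {normalize(t) for t in custom_terms}
    if len(custom) > MAX_CUSTOM_ENTRIES:
        raise ValueError("custom banned password list holds at most 100 entries")
    return {normalize(t) for t in GLOBAL_BANNED} | custom


def score_password(password: str, banned: set[str]) -> tuple[int, list[str]]:
    """One point per banned term found, one per character left over.
    Longer terms match first so 'password' is not consumed as 'pass' + 'word'."""
    remaining = normalize(password)
    matches: list[str] = []
    for term in sorted(banned, key=len, reverse=True):
        hits = remaining.count(term)
        if hits:
            matches.extend([term] * hits)
            remaining = remaining.replace(term, "")
    return len(matches) + len(remaining), matches


def is_acceptable(password: str, banned: set[str]) -> bool:
    """Reject when the score falls below the assumed 5-point threshold."""
    return score_password(password, banned)[0] >= MIN_SCORE


if __name__ == "__main__":
    banned = build_banned_list(["Contoso"])
    for pw in ("Password01", "P@ssword01", "Passw0rd01", "Password0!",
               "Summer2020", "Contoso123", "Contoso!Autumn-Leaf-77"):
        print(f"{pw:24} score={score_password(pw, banned)} ok={is_acceptable(pw, banned)}")
```

All four variants from the note normalize to a form containing "password" and score 3, while the only way past the threshold is enough characters that are not part of a banned term.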
Password protection for Active Directory
The password protection feature is only available in Azure Active Directory, but Microsoft offers a proxy solution for on-premises Active Directory. Using an agent on the Domain Controllers and a proxy service on-premises, the password policy is downloaded from Azure AD and applied when a user changes a password. This way an on-premises password change is evaluated against the same policy as in Azure Active Directory.
Please note that the new password itself is never sent to Azure AD; only a request for the password policy is sent. The password policy is then cached on the Domain Controllers and used to protect on-premises password changes.
Installation of the password protection services consists of two steps:
- The Azure AD Password Protection Proxy service (AzureADPasswordProtectionProxySetup.exe) software installer. This is installed on a domain-joined computer that has access to the Internet and proxies the password policy requests to Azure Active Directory.
- The DC Agent service for password protection (AzureADPasswordProtectionDCAgentSetup.msi). This runs on the Domain Controllers and sends the password policy requests to the server running the proxy service.
Both can be downloaded from the Microsoft Download Center at https://www.microsoft.com/en-us/download/details.aspx?id=57071
During installation and configuration (two PowerShell commands) a Service Connection Point (SCP) is created in Active Directory so that the Domain Controllers can locate the proxies.
Now when an on-premises user tries to change the password to a weak one (like Password01, Summer2020, etc.), the change is not accepted and a warning is shown.
User passwords are always challenging. From a security perspective complex and difficult passwords are preferred, but users want their passwords easy to remember. Active Directory does not offer many options here, but Azure AD does offer a password protection service.
In late 2019 the password protection service became available for on-premises Active Directory as well. The password policies in Azure AD are retrieved by the proxy agents and cached on the Domain Controllers, where they are applied. This way users can no longer use passwords that are too easy to guess.