As long as we’ve had passwords, people have
tried to guess them. Let us get up to speed on a common attack called password
spray which has become MUCH more frequent recently. There are some best practices that we can
adopt to defend against this sophisticated attack.
In a password spray attack, the bad guys
try the most common passwords across many different accounts and services to
gain access to any password protected assets they can find. Usually these span
many different organizations and identity providers.
Four easy steps to disrupt password spray
Step 1: Use cloud authentication
In the cloud, we see billions of sign-ins
to Microsoft systems every day. Microsoft’s security detection algorithms allow
them to detect and block attacks as that are happening. Because these are real
time detection and protection systems driven from the cloud, they are available
only when doing Azure AD authentication in the cloud (including Pass-Through
In the cloud, Microsoft uses Smart Lockout
to differentiate between sign-in attempts that look like they’re from the valid
user and sign-ins from what may be an attacker. They can lock out the attacker
while letting the valid user continue using the account. This prevents
denial-of-service on the user and stops overzealous password spray attacks.
This applies to all Azure AD sign-ins regardless of license level and to all
Microsoft account sign-ins.
Tenants using Active Directory Federation
Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows
Server 2016 starting in March 2018. They can look for this ability to come via
IP lockout works by analyzing those
billions of sign-ins to assess the quality of traffic from each IP address
hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses
acting maliciously and blocks those sign-ins in real-time.
Now available in public preview, Attack
Simulator as part of Office 365 Threat Intelligence enables customers to launch
simulated attacks on their own end users, determine how their users behave in
the event of an attack, and update policies and ensure that appropriate
security tools are in place to protect an organization from threats like
password spray attacks.
Step 2: Use multi-factor authentication
A password is the key to accessing an
account, but in a successful password spray attack, the attacker has guessed
the correct password. To stop them, we need to use something more than just a
password to distinguish between the account owner and the attacker. The three ways
to do this are below.
Risk-based multi-factor authentication
Azure AD Identity Protection uses the
sign-in data mentioned above and adds on advanced machine learning and
algorithmic detection to risk score every sign-in that comes in to the system.
This enables enterprise customers to create policies in Identity Protection
that prompt a user to authenticate with a second factor if and only if there’s
risk detected for the user or for the session. This lessens the burden on your
users and puts blocks in the way of the bad guys.
Always-on multi-factor authentication
For even more security, Enterprises can use
Azure MFA to require multi-factor authentication for their users all the time,
both in cloud authentication and ADFS. While this requires end users to always
have their devices and to more frequently perform multi-factor authentication,
it provides the most security for the enterprise. This should be enabled for
every admin in an organization.
Azure MFA as primary authentication
In ADFS 2016, Microsoft has the ability use
Azure MFA as primary authentication for passwordless authentication. This is a
great tool to guard against password spray and password theft attacks: if
there’s no password, it can’t be guessed. This works great for all types of
devices with various form factors. Additionally, enterprises can now use
password as the second factor only after an OTP has been validated with Azure
Step 3: Better passwords for everyone
Even with all the above, a key component of
password spray defence is for all users to have passwords that are hard to guess.
It’s often difficult for users to know how to create hard-to-guess passwords.
Microsoft helps you make this happen with these tools.
In Azure AD, every password change and
reset runs through a banned password checker. When a new password is submitted,
it’s fuzzy-matched against a list of words that no one, ever, should have in
their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s
rejected, and the user is asked to choose a password that’s harder to guess. Microsoft
builds the list of the most commonly attacked passwords and updates it
Custom banned passwords
To make banned passwords even better, Microsoft
is going to allow tenants to customize their banned password lists. Admins can
choose words common to their organization—famous employees and founders,
products, locations, regional icons, etc.—and prevent them from being used in
their users’ passwords. This list will be enforced in addition to the global
list, so enterprises don’t have to choose one or the other. It’s in limited
preview now and will be rolling out this 2018.
Banned passwords for on-premises changes
This spring, Microsoft is launching a tool
to let enterprise admins ban passwords in hybrid Azure AD-Active Directory
environments. Banned password lists will be synchronized from the cloud to the
on-premises environments and enforced on every domain controller with the
agent. This helps admins ensure users’ passwords are harder to guess no matter
where—cloud or on-premises—the user changes his/her password. This launched to
limited private preview in February 2018 and will go to GA this year.
Change how you think about passwords
A lot of common conceptions about what
makes a good password are wrong. Usually something that should help
mathematically actually results in predictable user behaviour: for example,
requiring certain character types and periodic password changes both result in
specific password patterns. If an enterprise is using Active Directory with PTA
or ADFS, they have to update their password policies. If they are using cloud
managed accounts, enterprises need consider setting their passwords to never
Step 4: More awesome features in ADFS and Active Directory
If an enterprise is using hybrid
authentication with ADFS and Active Directory, there are more steps they can
take to secure their environment against password spray attacks.
The first step: for organizations running
ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as
soon as possible. The latest version
will be updated more quickly with a richer set of capabilities such as extranet
lockout. Microsoft has made it really easy to upgrade from Windows Server
2012R2 to 2016.
Block legacy authentication from the Extranet
Legacy authentication protocols don’t have
the ability to enforce MFA, so the best approach is to block them from the
extranet. This will prevent password spray attackers from exploiting the lack
of MFA on those protocols.
Enable ADFS Web Application Proxy Extranet Lockout
If enterprises do not have extranet lockout
in place at the ADFS Web Application proxy, they should enable it as soon as
possible to protect their users from potential password brute force compromise.
Deploy Azure AD Connect Health for ADFS
Azure AD Connect Health captures IP
addresses recorded in the ADFS logs for bad username/password requests, gives admins
additional reporting on an array of scenarios, and provides additional insight
to support engineers when opening assisted support cases.
(To deploy, admins must download the latest
version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers
(2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222
installed or Windows Server 2016).
Use non-password-based access methods
Without a password, a password can’t be
guessed. These non-password-based authentication methods are available for ADFS
and the Web Application Proxy:
Certificate based authentication allows username/password endpoints to be blocked completely at the firewall.
Azure MFA, as mentioned above, can be used to as a second factor in cloud authentication and ADFS 2012 R2 and 2016. But, it also can be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray.
Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined as well as personal devices via “Add Work or School Account” from the Settings app.
- Based on a blog from Microsoft Security