Microsoft 365 Security Basics: Password Protection

Captions
Hey everybody, back with another M365 security basic. Today we're going to be talking all about securing weak and easily guessable passwords, and preventing your users, and maybe even your tech admins, from setting terrible passwords that really weaken your environment. We all know the long-term goal would be to get rid of passwords entirely, but until then we need to put some compensating controls in place so people aren't using "password1" as their password, or the name of your company plus a 1 and an exclamation point, or, heaven forbid, the all too common help desk "Summer2023" or "Fall2022" passwords that help desks have set lots of times. So today I'm going to show you how you can prevent those passwords from being in your Office 365 cloud environment, and let's not leave Active Directory out of the mix: we'll go ahead and secure Active Directory today too, and I'll walk you through the various options that are available in your Microsoft 365. So let's get into it.

All right, here we are in Azure Active Directory, so let's look at the options available for protecting passwords in our environment. We want to go first to Security, then Authentication methods, and then finally Password protection. A couple of settings we want to look at here are the custom smart lockout options and the custom banned password list. For custom smart lockout, I'm typically going to recommend that you set it to whatever you do in your current Active Directory. The lockout threshold is essentially how many times someone can type their password in wrong before they're locked out of your environment. The default here is pretty crazy, right? So I would definitely go down to something like five failed passwords, and then lock them out for maybe 3600 seconds or something like that, a little longer, to add a little more protection on someone that's failed or forgotten their password: lock them out, friend. What makes this smart, the smart component of it, is that it's supposed to be region aware. So if your end user is getting sprayed with passwords from someone in China, it's supposed to lock out the China region, or the Russia region, and not your users in the United States. Obviously it's not a huge saving grace since VPNs are so common and people can just hop on and password spray from the United States, but it can help with cutting out the "hey, your end users are impacted by having a lockout" component, so that can be very helpful.

Next, the most important of these features that we really want to focus on is the custom banned list. This is your opportunity to put in your own set of controls for doing this protection. In my case, since I'm working under the fictitious company of Contoso, things that you would want to put in here are names of things that are related to you as an organization. So in my case I would probably put contoso; if Contoso is a medical manufacturer I would put things like nurse or doctor, so that people can't use passwords that maybe meet the password complexity requirement but get locked out anyway: nobody putting in doctor1 or doctor1! We can say, hey, we know that our users are probably using that, and we can lock it out from them. I also would commonly recommend adding passwords that your help desk is very keen on using in your environment, so things like fall, summer, winter. These are the items where you can say, yeah, we know our help desk uses this (I've used this when I was in help desk), and let's stop them from putting in all of those types of things. Obviously one of the bigger hacks lately that we've seen all started with solarwinds123 as a password, and so it's important to protect these types of names and these types of passwords in your environment. It makes sense, right? We've all sat there in a pen test and seen the list, or I don't know if you've seen that, but oftentimes when I've been through a pen test I've seen the list of password sprays that they're using against my environment, and it's things that are similar to this: just complex enough but also easily guessable, doctor, password, all of those things, and we can essentially eliminate the end user from using them.

One important note with this is that it's only on a go-forward basis. Any time you enter something in password protection, it's only implemented at the next password change for the end user. So if you go and start adding to this list, know that it's only going to handle things going forward; no one's going to get locked out of your environment, and you'll be protected that way. So, cool capability there. Now, I only added in the list of things that are custom to me as an organization, and the reason for that is that Microsoft maintains a list of 1,000 passwords, or maybe it's even more than that, that they are handling. So things like password123 we don't need to do, because built into Azure Active Directory are already protections on that. So if your end users are using SSPR, or cloud password reset, to reset their passwords, they're going to be good to go; that's already baked in. Our responsibility is essentially just coming in and putting in all of the items that are important to us that we want to eliminate. Great, so that's easy. The end user experience is great when you're doing cloud reset; it kind of gives them that information, "not meeting password complexity" and all that kind of jazz, as they're putting in those key terms. The biggest thing that you want to do with this technology is train your help desk, so when they get a call they are protected. Okay, so great, cloud is easy, it's done.

Now you'll notice down here there is also an option for protecting Active Directory, and this is going to be really critical for a successful deployment. In 95% of your environments out there, most organizations haven't gone cloud only, and you really want to secure Active Directory as well, and so Microsoft gives you this option for deployment. It's a deployment that you're going to need to put on each of your DCs, and this is the architectural diagram of it. It's really two big components. The first one that you're going to need to put in your environment is a proxy agent. This can be on any server in your environment; obviously you want two in your environment. Typically I recommend using the Azure AD Connect server as an additional proxy; this process is really light, but you can put it on any other server as a shared workload and it'll kind of sit there and run. So put this proxy agent out there and make sure you're securing that server. What this proxy will do is go ahead and download from Microsoft your custom list of passwords as well as the Microsoft built-in list of passwords, and it'll help secure that environment. So it's downloading that from the cloud, and then the second component is each of your DCs needs a DLL loaded onto it for securing it, and that's pretty much it. You'll put the proxy somewhere in your environment, you'll register the DC or install the DC component, and then you're good to go; it will start protecting those passwords.

One of the great features of it is you can always start in audit mode, and I would highly recommend putting things in audit mode so you know how many of your end users are doing it. So you can say, hey, we're going to do one month of audit mode and see what the results are, and then you can go give your help desk a warning: hey, when you get calls, you're probably going to get, you know, 50 calls that someone's using a weak or easily guessable password the next time they call. And you can kind of load balance and say, hey, how much impact is it going to have? So that audit mode can be super valuable.

One thing to note about password protection, once you have it deployed, is you actually can still use some of those words in the environment. So I really want you to spend some time looking at this logical breakdown of how passwords are evaluated. It's kind of a cool system that they use for evaluating these passwords, but it might not work as well as you think it would, or how you expect it to, so it's important to understand what the process is that's actually happening when each of those terms we put in there is being evaluated and banned from our environment.

The first step is normalization. So if people are using leetspeak, or character substitutions such as an @ for an a, all of those things are normalized and removed as part of that password. So in this case this complicated "blank" with capitals and 1s and @s becomes the word blank, and even though it's in here, it's banning it, or it's evaluating it as that. Next it's going to check if the password is considered banned, and it's going to do fuzzy matching on it. So it's going to come in and see, oh, the word blank is in our list, and it doesn't matter that they may have put in a character substitution; there's a fuzzy match in this. Say abcdef is banned: if they put a g, or append something like that, or something slightly different, it will come in and match it, even though, hey, it's maybe slightly different, and so these passwords are rejected. Then it will do substring matching on these things as well. So if the word is "pole three two FB", it will convert it, and then that "pole" will be matched in there and it will say, hey, because it's a substring of it, we're going to add a point to it.

Next is the score calculation. This is really the crux of where it becomes interesting and where passphrases are going to be allowed if people are doing complicated phrases, and some of those can be in here. It's a five-point scoring system. So if the words, in our case contoso and blank, are banned, and the end user does "contoso blank 12" with character substitutions, it's going to come in and convert those complicated leetspeak character-substitution words into contoso and blank, and then the 1 and 2, and each of those terms becomes one point. Even though it may look complicated, it's going to be banned from our environment because it's still four points. If they add an exclamation point on top of that, then it will be considered a five-point password and it's going to be accepted. So totally different than maybe what you're expecting. There's really good documentation from Microsoft that explains it and walks it through, so familiarize yourself with it and do some testing of it.

All right, well, that's it for today. If this helps you, please let me know. If you would like to see me do the full deployment of this for Azure Active Directory and Active Directory, let me know; happy to create some videos walking through all of the intricate steps of creating that. And that's all I got. I really like this technology, I think it can really help. I've seen it in my environment help protect end users and the IT team from using poor passwords, and I think you really should take advantage of it and use it; it can really help with increasing the security of your environment. So that's it, that's all I got. Good luck out there and stay safe.
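The four-step evaluation the video describes (normalization, fuzzy banned-word check, substring match, five-point score), as a toy model added here; it is not Microsoft's implementation or the video's own material, and the substitution table, the edit-distance bound of one, and the sample banned lists are assumptions.

```python
# Toy model of the evaluation pipeline the video walks through:
# normalize -> fuzzy banned check -> substring match -> five-point score.
# Constructed for illustration, not Microsoft's code: the substitution
# table, the edit-distance bound of 1 and the sample lists are assumptions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5  # the video's rule: fewer than five points is rejected

# Sample tenant list, as the video suggests: org name, role words, seasons
CUSTOM_BANNED = ["contoso", "blank", "doctor", "nurse", "summer", "fall", "winter"]
# Tiny stand-in for Microsoft's global list, which is far larger
GLOBAL_BANNED = ["password", "abcdef", "qwerty"]

def normalize(password: str) -> str:
    """Step 1: lowercase and undo common leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for the fuzzy match in step 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def evaluate(password: str, banned=CUSTOM_BANNED + GLOBAL_BANNED) -> dict:
    norm = normalize(password)
    # Step 2: a whole password within one edit of a banned word is rejected
    for word in banned:
        if levenshtein(norm, word) <= 1:
            return {"accepted": False, "score": 0, "reason": f"fuzzy match: {word}"}
    # Step 3: substring match; every banned word found collapses to one token
    tokens, remaining = [], norm
    for word in sorted(banned, key=len, reverse=True):  # longest words first
        while word in remaining:
            tokens.append(word)
            remaining = remaining.replace(word, "\x00", 1)
    leftover = remaining.replace("\x00", "")
    # Step 4: one point per banned token plus one point per leftover character
    score = len(tokens) + len(leftover)
    return {"accepted": score >= MIN_SCORE, "score": score,
            "reason": f"tokens={tokens} leftover={leftover!r}"}

if __name__ == "__main__":
    for pw in ["C0ntos0Blank12", "C0ntos0Blank12!", "abcdeg", "D0ctor1!"]:
        print(f"{pw:16} -> {evaluate(pw)}")
```

Running it reproduces the video's example: "C0ntos0Blank12" scores 4 and is rejected, the same password with a trailing "!" scores 5 and is accepted.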
Info
Channel: Doug Does Tech
Views: 1,023
Id: um_l6M1NRzI
Length: 12min 41sec (761 seconds)
Published: Fri May 05 2023