Azure AD Password Protection to Prevent Password Spraying Attacks


In today’s Ask the Admin, I look at Azure AD Password Protection and why Microsoft believes it will improve Active Directory security.

Azure AD Password Protection is a new feature that recently went into preview for Azure Active Directory. Azure Active Directory is Microsoft’s cloud-based directory service, offering identity and access capabilities for applications running in Microsoft Azure and on-premises. Windows Server Active Directory can be extended to Azure Active Directory in hybrid cloud/on-premises environments, and some features, like Password Protection, self-service password reset, and multi-factor authentication, are only available to Windows Server Active Directory when it is connected to an Azure Active Directory tenant.

Azure AD (AAD) Password Protection is a new tool that aims to blunt password spray attacks. If an attacker repeatedly guesses one user’s AD password, the account lockout policy locks that account after a handful of failures. Password spraying sidesteps lockout: instead of hammering a single account, the attacker tries one common password, like Password123, once against many accounts, so no account reaches its lockout threshold and the odds are good that somebody is using it.

Attackers who land on a standard user account are often able to work their way up to privileged access in Active Directory. Lateral movement around the network and elevation of privilege aren’t hard because most organizations ignore security best practices, like removing local administrator rights from end users and keeping privileged AD accounts out of everyday IT administration tasks.

Password Best Practices

While it has long been accepted best practice to enforce complex passwords and regular password changes, Microsoft argues that these measures aren’t effective because users respond predictably: they pick something easy to remember, typically a dictionary word followed by a few predictable digits or special characters.

It’s a numbers game for attackers, and password spraying is a good way to avoid detection: looked at per account, it is a single isolated failed logon rather than a persistent attack, and only correlating failures across many accounts exposes it. Microsoft advises using AAD, or Windows Server Active Directory with AAD Pass-Through Authentication, to help protect against password spray attacks, because AAD applies real-time detection and protection algorithms to every logon it sees.
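The correlation a detection needs runs across accounts rather than per account. The PowerShell below is an added example, not from the article and not a Microsoft tool: it groups failed logons by source address and labels a source as a spray when it touches many accounts while staying under the lockout threshold for every one of them, and as brute force when one account is hammered past the threshold. The event records are constructed inline; the two thresholds and the event 4625 property positions in the commented live query are assumptions to check against your own domain.

```powershell
# Added example (not from the article): telling a password spray apart from a
# brute-force attempt in failed-logon records. A spray is wide and shallow (many
# accounts, each failing once or twice, from one source); brute force is narrow and deep.
function Find-PasswordSpray {
    param(
        # Objects carrying TimeCreated, TargetUserName and IpAddress properties.
        [Parameter(Mandatory)] [object[]] $FailedLogons,
        [int] $MinDistinctAccounts = 10,   # assumed: how many accounts from one source make a spray
        [int] $LockoutThreshold    = 5     # assumed: the domain's account lockout threshold
    )
    foreach ($source in ($FailedLogons | Group-Object -Property IpAddress)) {
        # @() guards against Group-Object returning a single GroupInfo whose .Count is its size, not 1
        $perAccount    = @($source.Group | Group-Object -Property TargetUserName)
        $maxPerAccount = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
        $verdict = if ($perAccount.Count -ge $MinDistinctAccounts -and $maxPerAccount -lt $LockoutThreshold) {
            'password spray'          # every account stays under lockout, so lockout policy never fires
        } elseif ($maxPerAccount -ge $LockoutThreshold) {
            'brute force / lockout'   # one account pushed past the threshold
        } else {
            'noise'                   # a few failures, e.g. a user mistyping
        }
        [pscustomobject]@{
            IpAddress        = $source.Name
            Attempts         = $source.Count
            DistinctAccounts = $perAccount.Count
            MaxPerAccount    = $maxPerAccount
            FirstSeen        = ($source.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
            LastSeen         = ($source.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            Verdict          = $verdict
        }
    }
}

# Constructed sample standing in for Security log records (event 4625 for NTLM failures
# on a DC, 4771 for Kerberos pre-authentication failures); not real log data.
$t = Get-Date '2018-06-25 09:00:00'
$sample = @()
foreach ($n in 1..12) {   # one source tries twelve accounts once each: the spray
    $sample += [pscustomobject]@{ TimeCreated = $t.AddSeconds(7 * $n); TargetUserName = "user$n"; IpAddress = '203.0.113.10' }
}
foreach ($n in 1..8) {    # another source hits one account eight times: brute force
    $sample += [pscustomobject]@{ TimeCreated = $t.AddSeconds(2 * $n); TargetUserName = 'jsmith'; IpAddress = '198.51.100.7' }
}
$sample += [pscustomobject]@{ TimeCreated = $t.AddMinutes(5); TargetUserName = 'jsmith'; IpAddress = '10.0.0.5' }   # a single typo

Find-PasswordSpray -FailedLogons $sample | Format-Table -AutoSize
# Expected: 203.0.113.10 -> 12 attempts, 12 accounts, max 1 per account, 'password spray'
#           198.51.100.7 ->  8 attempts,  1 account,  max 8 per account, 'brute force / lockout'
#           10.0.0.5     ->  1 attempt,   1 account,  max 1 per account, 'noise'

# Live use on a domain controller. Assumed property offsets for event 4625:
# Properties[5] is TargetUserName and Properties[19] is IpAddress.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUserName = $_.Properties[5].Value; IpAddress = $_.Properties[19].Value } }
# Find-PasswordSpray -FailedLogons $live
```

Run it against the records from every domain controller, not just one, since a spray that rotates through DCs (or through source addresses) drops below the per-source threshold on each; grouping by the tried password is impossible from the logs, so the account count per source is the usable signal.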

Smart Lockout distinguishes logon attempts that look like the real user from those that look like a malicious actor, locking out the attacker while allowing the real user to carry on working. IP Lockout analyzes billions of logins to determine whether malicious attempts are coming from an IP address, or range of addresses, and can block those addresses in real time. Multi-factor authentication is more expensive to deploy, but it is also a good defense against password spraying: a guessed password on its own is no longer enough to sign in.

Azure AD Password Protection

Released recently in preview, AAD Password Protection uses a list of banned passwords that is updated automatically based on data from billions of authentications and leaked credentials that find their way onto the Internet. The banned password list can be synchronized with Windows Server Active Directory if that’s where users change their passwords. Administrators can also create a custom banned password list.
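How the list is applied is worth seeing, because it is not a plain string compare. The PowerShell below is an added example, not Microsoft’s code and not from the article: it is a simplified re-implementation of the evaluation Microsoft documents for Password Protection, namely normalizing common character substitutions and then scoring the password, with banned tokens worth one point each and a pass mark of five. The five-entry global list is a stand-in for the real one, the custom list and test passwords are constructed, and the documented edit-distance fuzzy matching and user-name substring check are left out.

```powershell
# Added example (not Microsoft's implementation): a simplified version of the banned
# password evaluation Microsoft documents for Azure AD Password Protection.
function Test-BannedPassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        # Stand-in for the global list, which is far larger and not published.
        [string[]] $GlobalBannedList = @('password', 'qwerty', 'letmein', 'welcome', 'blank'),
        [string[]] $CustomBannedList = @(),
        [int] $MinimumScore = 5          # the documented pass mark
    )
    # Step 1: normalize. Lowercase, then undo the four substitutions Microsoft lists
    # (0->o, 1->l, $->s, @->a), so "P@$$w0rd" is judged as "password".
    $normalized = $Password.ToLowerInvariant().Replace('0', 'o').Replace('1', 'l').Replace('$', 's').Replace('@', 'a')

    # Longest tokens first so a longer banned word is consumed before a shorter prefix of it.
    $tokens = @($GlobalBannedList + $CustomBannedList |
        ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique | Sort-Object -Property Length -Descending)

    # Step 2: score. A banned token found in the password is worth one point in total,
    # however long it is; every character outside a banned token is worth one point.
    $score = 0; $found = @(); $i = 0
    while ($i -lt $normalized.Length) {
        $rest = $normalized.Substring($i)
        $hit  = $tokens | Where-Object { $rest.StartsWith($_) } | Select-Object -First 1
        if ($hit) { $score++; $found += $hit; $i += $hit.Length }
        else      { $score++; $i++ }
    }
    [pscustomobject]@{
        Password     = $Password
        Normalized   = $normalized
        BannedTokens = ($found -join ',')
        Score        = $score
        Accepted     = ($score -ge $MinimumScore)
    }
}

# Constructed test cases; the first two are the worked examples in Microsoft's documentation.
@(
    'C0ntoso1!',              # normalizes to contosol!: [contoso] l ! = 3 points, rejected
    'ContosoBlank12',         # [contoso] [blank] l 2 = 4 points, rejected
    'P@$$w0rd123',            # substitutions undone: [password] l 2 3 = 4 points, rejected
    'Contoso!Summer2018',     # [contoso] + 11 other characters = 12 points, accepted here;
                              # the real global list almost certainly bans "summer" too
    'correct-horse-battery'   # no banned tokens, 21 points, accepted
) | ForEach-Object { Test-BannedPassword -Password $_ -CustomBannedList 'contoso' } | Format-Table -AutoSize
```

The scoring is why a company name on the custom list matters so much: the whole word collapses to a single point, so "Contoso" plus the usual year and punctuation no longer reaches five. Length and complexity rules from the domain password policy still apply on top of this check.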

If you want to deploy AAD Password Protection for Windows Server Active Directory, you’ll need to install the Azure AD Password Protection proxy service on up to two domain-joined servers. The proxy forwards requests from domain controllers (DCs) to AAD. Each DC needs the Azure AD Password Protection DC agent service, which intercepts password change and reset requests and validates them locally against its copy of the policy; the password itself is never sent to the proxy or to AAD. The agent contacts AAD through the proxy hourly to refresh its local copy of the policy.

All servers where Azure AD Password Protection proxies and agents are installed must be running Windows Server 2012 or later. Domain controllers don’t need access to the Internet but must be able to reach at least one server running the proxy service. Deploying Azure AD Password Protection for Windows Server Active Directory requires an AAD Premium license. The global banned password list protects every AAD user whatever their license, but the custom banned password list requires AAD Basic licenses.
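The deployment the two paragraphs above describe, as the PowerShell typed first on a proxy server and then on a domain controller. This is an added example, not from the article: the cmdlet names are those of the AzureADPasswordProtection module that ships with the proxy installer, the admin UPN and web proxy URL are placeholders, and the health-test cmdlets, the static-port switch and the DC agent event log name are assumptions to verify against the current Microsoft documentation before relying on them.

```powershell
# Added example (not from the article): registering the proxy and the forest, then
# checking that the DC agents are pulling policy. Run the first part on each proxy
# server after installing AzureADPasswordProtectionProxySetup.exe; the second part on
# a DC after installing AzureADPasswordProtectionDCAgentSetup.msi and rebooting.

# --- On a proxy server. Registering the proxy needs a Global Admin in the tenant;
# --- registering the forest needs Enterprise Admin, and is done once per forest.
Import-Module AzureADPasswordProtection

# Outbound web proxy, if the server cannot reach Azure directly (placeholder URL).
# Set-AzureADPasswordProtectionProxyConfiguration -HttpsProxy 'http://webproxy.contoso.com:8080'
# Pin the RPC port the DCs use, so the firewall rule from the DCs can be specific (assumed switch).
# Set-AzureADPasswordProtectionProxyConfiguration -StaticPort 50000

$admin = 'globaladmin@contoso.onmicrosoft.com'   # placeholder account
Register-AzureADPasswordProtectionProxy  -AccountUpn $admin
Register-AzureADPasswordProtectionForest -AccountUpn $admin

# Assumed cmdlet: checks the proxy's own registration and its path to Azure.
Test-AzureADPasswordProtectionProxyHealth -TestAll

# --- On a domain controller running the DC agent.
Import-Module AzureADPasswordProtection

# Assumed cmdlet: confirms this DC can reach a proxy and has a current policy.
Test-AzureADPasswordProtectionDCAgentHealth -TestAll

# Every agent should show a recent heartbeat and a PasswordPolicyDateUTC no older than
# the hourly refresh; a stale date means that DC cannot reach any proxy.
Get-AzureADPasswordProtectionDCAgent | Format-Table ServerFQDN, Domain, PasswordPolicyDateUTC, HeartbeatUTC
Get-AzureADPasswordProtectionProxy   | Format-Table ServerFQDN, HeartbeatUTC

# Accepted and rejected password changes per DC since the agents were installed.
Get-AzureADPasswordProtectionSummaryReport -Forest

# Recent agent events (assumed log name) say which changes were rejected and by which list.
Get-WinEvent -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' -MaxEvents 20 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Leave the tenant’s Password Protection setting in audit mode until the summary report has run for a while; it shows how many changes enforcement would have rejected, which is the number the help desk needs before the switch to enforced.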

For more information about system requirements and installing Azure AD Password Protection on Windows Server, see Microsoft’s documentation for the feature.

Passwords Get Harder to Create

AAD Password Protection is likely to reduce compromises caused by password spray attacks, but it will also make it harder for users to come up with a password that is accepted. Deploying AAD Password Protection for Windows Server Active Directory also introduces three additional software components, adding complexity to on-premises AD. I’d like to see AAD Password Protection, and Azure AD Connect, added to Windows Server 2019 as optional features on demand.

Despite the additional protection that AAD Password Protection is likely to offer, multi-factor authentication is still the best bet if you are serious about securing AD passwords.

Follow Russell on Twitter @smithrussell.