Core Infrastructure and Security Blog

Do I Have Weak Passwords In My Organization...?

ZohebShaikh (Microsoft)
Sep 10, 2020
Hi Everyone,

Zoheb here again with my colleague Peter Chaukura from Microsoft South Africa. Today we will be sharing some details on how we helped one of our SMC customers reduce their attack surface by enabling Azure AD Password Protection.

If you have not read the first blog, which covers the background, do give it a read before continuing here: How the Microsoft Mission Critical Team helped secure AAD

Hope you found the initial blog a valuable read.

Let me continue our story about protecting your passwords in Azure AD.

The Problem:

Through internal audits our customer had found that "common passwords" were in heavy use across their organization. Password spray attacks were on the rise, and the only control they had was the "Password must meet complexity requirements" setting in their Active Directory password policy. That setting only checks length and character classes; it accepts a password such as a season followed by the year and an exclamation mark, or the company name followed by a digit, which are exactly the guesses a spray attack tries first.

This SMC customer urgently needed a way to block weak passwords from the domain, and to understand how widely these weak passwords were in use across the organization and what the impact of blocking them would be.

In other words, they wanted to know how many users have weak passwords in the organization before enforcing Password Protection in their environment.

The Solution:

As the Mission Critical Trusted Advisor, we stepped in and informed our customer that it is possible to block weak passwords by using Azure AD Password Protection. We also had an answer to their more critical question: "Is it even possible to view how many users have weak passwords in my organization?"

Before I share details on how we helped implement this, let us try to understand the basics of this feature.

Azure AD Password Protection detects and blocks known weak passwords and their variants using a global banned password list curated by Microsoft. In addition, you can specify custom banned words or phrases that are unique to your organization (company name, product names, local terms). The on-premises deployment uses the same global and custom banned password lists that are stored in Azure AD, and it performs the same checks for on-premises password changes that Azure AD performs for cloud-based changes. These checks happen during password change and password reset events on Active Directory Domain Services (AD DS) domain controllers: a DC agent on each domain controller evaluates the new password locally against the policy it downloaded through the Azure AD Password Protection proxy service, so domain controllers need no direct Internet access and passwords never leave the DC. Note that existing passwords are not scanned; a weak password is only detected the next time it is changed or reset. The custom banned list and the on-premises deployment require Azure AD Premium (P1 or P2) licenses.

There are two modes in Azure AD Password Protection, selected in the Azure portal under Azure Active Directory > Security > Authentication methods > Password protection:

AUDIT MODE: Microsoft recommends that initial deployment and testing always start out in Audit mode.

  • Audit mode runs the software in a "what if" mode.
  • Each DC agent service evaluates an incoming password according to the currently active policy.
  • "Bad" passwords result in event log messages but are accepted.

ENFORCE MODE: Enforce mode is intended as the final configuration.

  • A password that is considered insecure according to the policy is rejected.
  • When a password is rejected by the Azure AD Password Protection DC agent, the end-user experience is identical to what they would see if their password were rejected by traditional on-premises password complexity enforcement: the generic "does not meet the password policy requirements" error, with no hint of which banned term matched.

Read more details here: Ban-Weak-Passwords-on-premises

Building the Solution

Our SMC customer specifically wanted to enable Password Protection together with some mechanism that could give more detail on the current weak password status before switching the feature to Enforce mode.

We told them that the DC agent events carry the detail they were after. For sample events, refer to the monitoring documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-monitor

Peter also suggested the Get-AzureADPasswordProtectionSummaryReport cmdlet from the AzureADPasswordProtection PowerShell module (installed with the proxy and DC agent software), which generates a per-domain-controller summary of accepted and rejected password changes and sets, as shown below.

The customer was not happy with that output, though. They were looking for something more detailed, and asked Peter for the following capabilities:

  1. Status of weak passwords across all domains in the forest
  2. Password compliance report based on the Microsoft banned password list
  3. Details of the users who have weak passwords
  4. Did users change their password or was it reset for them?
  5. Password policy count
  6. A visual dashboard that can be updated regularly/automatically

Clearly nothing is built in that gives a visual view of the organization's "password compliance".

So Peter helped build Power BI dashboards that ingest data extracted from the domain controller event log Applications and Services Logs\Microsoft\AzureADPasswordProtection\DCAgent\Admin (log name Microsoft-AzureADPasswordProtection-DCAgent/Admin when you query it with Get-WinEvent).

NOTE: Because the agent only evaluates passwords at change or reset time, this dashboard only becomes fully populated once all, or most, users have reset or changed their password at least once. Assume it will take a full password lifecycle of your organization (one maximum password age) to get a complete overview of weak passwords.

 

The Custom Azure AD Password Protection Power BI Dashboard

 

How do we collect the data and build the dashboard?

  • We collected events 10024 and 30010 from all domain controllers where the Azure AD Password Protection DC agent is installed and exported them into a CSV file. 10024 is the audit-mode event for a changed password that would have been rejected against the Microsoft global banned list; the reset and custom-list variants have their own IDs in the monitoring documentation linked above, so pick the ones you want to track.
  • The collection of event log entries is done by a PowerShell script that runs as a scheduled task.
  • The CSV is then ingested into Power BI.
  • Finally, build the dashboard views in Power BI using this data, as shown below.
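The blog's own collector script is internal to Microsoft, so here is an added example that does the same job. It is not the authors' script. It walks every domain controller in the forest, pulls the two event IDs named above from the DC agent log and flattens each event into one CSV row (user, DC, time, set or change, weak or compliant). The log name and event IDs come from this post and the monitoring documentation; the "UserName:" line in the message, the "changed password" / "reset password" wording used to tell a change from a set, and the CSV path are assumptions to check against a sample event from your own DCs.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the blog's internal script: collect Azure AD Password
# Protection DC agent events from every DC in the forest into the CSV that
# the Power BI report reads.

$LogName  = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
$EventIds = @(
    10024   # audit mode: changed password matched the Microsoft global banned list, accepted anyway
    30010   # used by the blog as the policy-compliant bucket; confirm its meaning in the monitoring doc
)

function ConvertFrom-PwdProtectionEvent {
    # Turn one Get-WinEvent record into a flat row for Power BI.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Event,
        [Parameter(Mandatory)] [string] $Domain
    )
    process {
        $msg = $Event.Message
        # Assumption: the agent writes a "UserName: <sAMAccountName>" line into the message text
        $user = if ($msg -match 'UserName:\s*(\S+)') { $Matches[1] } else { $null }
        # Assumption: change events say "changed password", set/reset events say "reset password"
        $op = 'Unknown'
        if ($msg -match 'changed password') { $op = 'Change' }
        if ($msg -match 'reset password')   { $op = 'Set' }
        $result = if ($Event.Id -eq 10024) { 'Weak' } else { 'Compliant' }
        [pscustomobject]@{
            TimeCreated      = $Event.TimeCreated
            Domain           = $Domain
            DomainController = $Event.MachineName
            EventId          = $Event.Id
            UserName         = $user
            Operation        = $op
            Result           = $result
            AuditOnly        = [bool]($msg -match 'audit-only')
        }
    }
}

function Get-PwdProtectionEvents {
    # Query every DC in every domain of the forest; DCs without the agent simply have no such log.
    param([datetime] $Since = (Get-Date).AddDays(-1))
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            try {
                Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
                    LogName   = $LogName
                    Id        = $EventIds
                    StartTime = $Since
                } | ConvertFrom-PwdProtectionEvent -Domain $domain
            } catch {
                # "No events were found" and "log does not exist" both land here; record it and move on
                Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            }
        }
    }
}

# Daily run from the scheduled task: append the last 24 hours to the report's CSV.
$csv = 'C:\Reports\AADPasswordProtection.csv'   # assumed path; Power BI points at this file
Get-PwdProtectionEvents -Since (Get-Date).AddDays(-1) |
    Export-Csv -Path $csv -NoTypeInformation -Append -Encoding UTF8
```

Run the scheduled task on a management server, not on a domain controller, under a dedicated account that is a member of the Event Log Readers group in each domain; that is enough to read the DC agent log remotely (the Remote Event Log Management firewall rule must be enabled on the DCs) and avoids leaving a Domain Admin credential in a task. Because rows are appended, overlapping runs will duplicate events, so either keep the -Since window equal to the task interval or de-duplicate on TimeCreated plus UserName in Power BI.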
If you are new to Power BI and not sure how to create a dashboard from the data in a CSV or Excel file, check out this short video and the step-by-step blog: https://docs.microsoft.com/en-us/power-bi/create-reports/service-dashboard-create

Power BI dashboard breakdown

 

Result Count

The view shows the overall status in terms of total statistics relating to accounts with weak passwords and accounts with policy-compliant passwords.

The default view shows the result without any filters turned on and will change when filters are applied, like the domain filter, as shown below.

 

Username Count by Operation

 

Azure AD Password Protection operations take place whenever a password is changed or reset, and this view paints a clear picture of how many passwords are being set and changed, as well as the total.

A password change is when a user chooses a new password after proving they know the old password. For example, a password change is what happens when a user logs into Windows and is then prompted to choose a new password, or presses Ctrl+Alt+Del and picks Change a password.

A password set (sometimes called a password reset) is when an administrator replaces the password on an account with a new password without knowing the old one, for example by using the Active Directory Users and Computers management tool.

 

 

User details

 

This view shows all the details about the operations, answering questions like:

  • Which user account?
  • On which domain controller?
  • At what time?
  • Which password policy applied (Microsoft global list or custom list, audit or enforce)?
  • Was it a password set or change operation?

The information can easily be exported to CSV from Power BI for further analysis, or to target specific users for training around weak passwords.

 

Password Policy Count

 

 

Publishing the Dashboard

Power BI lets you publish the report to the Power BI service and refresh its data through the on-premises data gateway, so users and administrators with permission can view the dashboard from any location or device while the CSV stays on your file server.

We assisted the customer to publish this dashboard, and with the data being updated daily via the scheduled task, the most recent data is always available to view.

The report itself can also be built and viewed in the free Power BI Desktop; sharing it through the Power BI service needs a Power BI Pro license.

 

Indicators

  • A lot of password set operations failing the policy might indicate that the password admins or service desk are setting weak initial passwords for users.
  • Many password set operations compared to password changes might indicate that the service desk is resetting passwords without ticking "User must change password at next logon", so users keep the admin-chosen password.
  • A high failure rate means a bigger impact when the policy is switched to Enforce, because every one of those users will be refused at their next change. Ideally reduce the failure count, through service desk guidance and user communication, before changing Azure AD Password Protection to Enforce mode.
  • Many passwords caught by the custom banned list (company name, product names, locations) indicate a greater risk of password spray attacks from internal bad actors, who know exactly which organization-specific terms to try.
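The indicators above are ratios over the collected rows, so they are easy to compute outside Power BI as well, for instance as a go/no-go check before flipping the policy to Enforce. The following is an added example, not part of the original post: the rows are constructed inline so it runs offline (replace them with Import-Csv of the collector's CSV), and the column names, the counting of distinct users rather than events, and the 10 % "ready for Enforce" threshold are this example's own choices.

```powershell
# Added example, not from the blog: derive the Indicators from collected rows.
# Constructed sample rows in the shape the collector's CSV would have.
$rows = @(
    [pscustomobject]@{ UserName='alice'; DomainController='DC01'; Operation='Change'; Result='Compliant' }
    [pscustomobject]@{ UserName='bob';   DomainController='DC01'; Operation='Set';    Result='Weak' }
    [pscustomobject]@{ UserName='bob';   DomainController='DC01'; Operation='Set';    Result='Weak' }  # same user, seconds apart
    [pscustomobject]@{ UserName='carol'; DomainController='DC02'; Operation='Set';    Result='Weak' }
    [pscustomobject]@{ UserName='dave';  DomainController='DC02'; Operation='Change'; Result='Compliant' }
    [pscustomobject]@{ UserName='erin';  DomainController='DC02'; Operation='Set';    Result='Compliant' }
)

function Get-PwdProtectionIndicators {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [double] $MaxWeakRate = 0.10      # assumed threshold: go to Enforce only below this failure rate
    )
    $total    = $Rows.Count
    $sets     = @($Rows | Where-Object Operation -eq 'Set')
    $weak     = @($Rows | Where-Object Result -eq 'Weak')
    $weakSets = @($sets | Where-Object Result -eq 'Weak')
    # Count users, not events: the agent can log the same user several times within seconds
    $weakUsers = @($weak | Select-Object -ExpandProperty UserName -Unique)

    # Per-DC failure rate: one DC standing out usually means one site's help desk habits
    $perDc = $Rows | Group-Object DomainController | ForEach-Object {
        $dcWeak = @($_.Group | Where-Object Result -eq 'Weak').Count
        [pscustomobject]@{ DomainController = $_.Name; Events = $_.Count; WeakRate = [math]::Round($dcWeak / $_.Count, 2) }
    }

    $weakSetRate = if ($sets.Count) { [math]::Round($weakSets.Count / $sets.Count, 2) } else { 0 }
    [pscustomobject]@{
        TotalEvents     = $total
        SetShare        = [math]::Round($sets.Count / $total, 2)   # high: resets without "change at next logon"
        WeakRate        = [math]::Round($weak.Count / $total, 2)   # expected rejection rate once Enforce is on
        WeakSetRate     = $weakSetRate                             # high: help desk chooses weak initial passwords
        WeakUserCount   = $weakUsers.Count
        WeakUsers       = ($weakUsers -join ',')
        PerDC           = $perDc
        ReadyForEnforce = ($weak.Count / $total) -le $MaxWeakRate
    }
}

# For the sample rows: SetShare 0.67, WeakRate 0.5, WeakSetRate 0.75, WeakUserCount 2, ReadyForEnforce False
Get-PwdProtectionIndicators -Rows $rows | Format-List
```

With real data, WeakUsers is the list to hand to the service desk for targeted outreach before Enforce mode, and a WeakSetRate far above WeakRate is the signature of the first indicator above: the weak passwords are being chosen by admins, not by users.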

 

 

CONCLUSION

In conclusion, we tremendously raised awareness about password security at our customer, and their identity admins can now view the status of their password security from anywhere with our Power BI dashboard.

If you want this implemented for you, feel free to contact your Microsoft Customer Success Account Manager (previously known as TAM) and someone can help you.

 

Hope this helps,

Zoheb & Peter

Updated Sep 11, 2020
Version 3.0


  • Fabrice LAIR

    Thanks for the blog, very interesting.

    You can also collect the log (AAD Password Protection) from each DC with Azure Monitor. It avoids putting in place scripts and scheduled tasks with high privileges on DCs :).

    Is it possible to have only the PBIX file? Indeed I encountered an issue during the consolidation step; it seems that sometimes multiple events are present (within a few seconds) from the same user name (10014, 30010, 1024) in audit mode. In this context, it is difficult to find the correct password policy relevant for him.

    Thanks for your help 🙂

    Fabrice

  • MIE_Tech

    Again, the point is that for a company with hundreds or thousands of employees, there is a high likelihood of MANY of these employees bringing a laptop, or a smartphone, onto the company Wi-Fi. If that cannot be expressly forbidden, then you would expect that these laptops and phones are ALSO used for the personal websites these people visit when out of the office, at home, and the norm could easily be hundreds of stored "password-requiring websites" on each laptop or phone, with weak passwords, meaning a range of commonly used passwords can easily be stolen. My expectation is that the employees with "mediocre" password security knowledge (95% of them, even with training) will fail to be aware of the personal-use threats that are likely to be a serious problem on their laptop or phone. At home, these employees will do what they always do, regardless of training. It's human nature for the masses.

    Unless the company Wi-Fi forces each person entering the building each day to walk through a DETECT and CLEAN room where new exploits from weak passwords are searched for with each person entering the building, you would expect a majority of employees will be connecting daily WITH many hackers already having stolen many key passwords the employees use repeatedly on many of their non-critical and very critical sites.

    So, how does the company deal with potentially hundreds of Trojan horses from employees walking into the building each day?

     

  • MIE_Tech, this is a very broad question but I will try to answer it inline to the queries. Feel free to add if there are any follow-up questions.

    Customers are looking to go passwordless; this is the future. However, it might take some time before you get there, and till then, in order to protect ourselves, we must use AAD Password Protection or similar features.

    1.) How do you make it easy or even feasible for most people to change between 500 and 2000 passwords--this will be extremely time-consuming, so a method is required--what would this be?
    Zoheb: So here we are talking about your on-prem AD & AAD password, which should really be one. Here we are trying to protect the user identity in AD.

    What you mean by 500-2000 passwords (which is way too much) is probably for some personal emails, accounts or subscriptions.

    In general, for behavioral analysis we have Microsoft Defender for Endpoint which could help you find.

    2.) How does the company--like a warehouse, check the PCs, phones and all devices of each employee, for potential exploits by pirates getting in with weak passwords on devices they use? How do they check, the first time, and how do they KEEP checking each day?

    Zoheb: That's an interesting question; however, we do have ways to govern this. If you are at a remote site, AAD Password Protection is primarily an Azure feature.

    If you use Azure SSPR to change your password it will still work, and this helps ensure your passwords are strong.

  • MIE_Tech

    The issue I want to deal with: a normal person could have 500 or more weak passwords on their PC/laptop, and again on their phone, and again on other devices they use. A company like a warehouse could have 200 people like this, each with multiple devices that could be hacked, and then allow ransomware pirates into the system.

    1.) How do you make it easy or even feasible for most people to change between 500 and 2000 passwords--this will be extremely time-consuming, so a method is required--what would this be?

    2.) How does the company--like a warehouse, check the PCs, phones and all devices of each employee, for potential exploits by pirates getting in with weak passwords on devices they use? How do they check, the first time, and how do they KEEP checking each day?

  • bspicer

    I assume this requires a P1 or P2 license for each user in your tenant?

  • TanTran

    Great new feature of Azure for on-premises DCs. Thanks for the useful post.

  • Dean_Gross

    This is an interesting idea, and looks like it could be very helpful. 

  • Glad you found this useful, Ejaz. Presently the code is internal only, but in this blog we have given guidance on how you can do this. If you want Microsoft to implement this for you, feel free to contact your Microsoft Customer Success Account Manager (previously known as TAM).

  • Ejaz Rahman

    This is great. Can we get a copy of the Power BI dashboard file so that we can modify and use it for our own purposes?

    It would be good to have this as a workbook in Azure Sentinel as well, on the GitHub page for Azure Sentinel.