• Latest
  • Trending
  • All
  • News
  • Business
  • Politics
  • Science
  • World
  • Lifestyle
  • Tech
Assuring Customers About Cross-Border Data Flows

Excluding Words Using Active Directory Password Policy

January 25, 2021
Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

Veeam Backup & Replication 11: Enhanced data management for a multi-cloud environment

February 25, 2021
8×8 makes raft of updates to platform

Advancing the Orchestration of Distributed Edge Applications, ZEDEDA Integrates with Microsoft Azure IoT

February 25, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Cloud Security in Banking Market to Witness Huge Growth by 2026 | Microsoft Azure, Trend Micro, Salesforce

February 25, 2021
Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

February 24, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

February 24, 2021
Innovative solutions for IT workers at home

SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

February 23, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

February 23, 2021
How to use Microsoft Sysmon, Azure Sentinel to log security events

OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

February 22, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

February 22, 2021
8×8 makes raft of updates to platform

Indonesian Mobile Operator Selects NTT for Microsoft Security Project

February 22, 2021
Microsoft To Build New Azure Cloud Data Centers In Greece

NTT completes Microsoft security project for Indonesian mobile operator

February 19, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Data insights without limit, security without compromise

February 18, 2021
  • About
  • Advertise
  • Privacy & Policy
  • Contact
Friday, February 26, 2021
  • Login
Azure Security News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
    • Home – Layout 4
    • Home – Layout 5
  • News
    • All
    • Business
    • Politics
    • Science
    • World
    A moment of reckoning: the need for a strong and global cybersecurity response

    Cloud Security in Banking Market to Witness Huge Growth by 2026 | Microsoft Azure, Trend Micro, Salesforce

    Innovative solutions for IT workers at home

    ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

    A moment of reckoning: the need for a strong and global cybersecurity response

    ZEDEDA integrates with Microsoft Azure IoT to provide full lifecycle management capabilities

    Innovative solutions for IT workers at home

    SolarWinds Attack: Proof That On-Premises Active Directory Still an Effective Initial Access Vector

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

    8×8 makes raft of updates to platform

    Indonesian Mobile Operator Selects NTT for Microsoft Security Project

    Microsoft To Build New Azure Cloud Data Centers In Greece

    NTT completes Microsoft security project for Indonesian mobile operator

    A moment of reckoning: the need for a strong and global cybersecurity response

    Data insights without limit, security without compromise

    8×8 makes raft of updates to platform

    What Is Object Storage?

    A moment of reckoning: the need for a strong and global cybersecurity response

    Azure Firewall Premium now in preview

    Trending Tags

    • Donald Trump
    • Future of News
    • Climate Change
    • Market Stories
    • Election Results
    • Flat Earth
  • Tech
    • All
    • Apps
    • Gear
    • Mobile
    • Startup
    Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

    Veeam Backup & Replication 11: Enhanced data management for a multi-cloud environment

    8×8 makes raft of updates to platform

    Advancing the Orchestration of Distributed Edge Applications, ZEDEDA Integrates with Microsoft Azure IoT

    How to use Microsoft Sysmon, Azure Sentinel to log security events

    OPS101 – Securing your Hybrid environment – Part 1 – Azure Security Center

    A moment of reckoning: the need for a strong and global cybersecurity response

    Microsoft Ending Azure Information Protection Connections to Microsoft Defender for Endpoint

    Microsoft To Open Azure Cloud Data Center Region In Spain

    EMC Corporation Townsend security Hewlett-Packard Enterprise Gemalto N.V. Microsoft Azure Google Thales e-security International Business Machines (IBM) Broadcom

    A moment of reckoning: the need for a strong and global cybersecurity response

    Azure Engineer at VillageMD

    Innovative solutions for IT workers at home

    How to Sync On-Premise Active Directory Passwords with Office 365 and Google Apps in Real-Time

    Microsoft Azure Forms Collaboration to Enhance AI in Healthcare

    Azure Defender is now available for all IoT and OT devices

    Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

    Google and Microsoft ID Group Targeting Security Researchers

    Innovative solutions for IT workers at home

    Microsoft Releases Application Guard for Office, Plus Azure Security Center and Azure Defender for IoT Products

    Trending Tags

    • Flat Earth
    • Sillicon Valley
    • Mr. Robot
    • MotoGP 2017
    • Golden Globes
    • Future of News
  • Entertainment
    • All
    • Gaming
    • Movie
    • Music
    • Sports
    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Microsoft Flight Simulator Continues to Look Stunning in New Snow Video

    Meet the woman who’s making consumer boycotts great again

    New campaign wants you to raise funds for abuse victims by ditching the razor

    Twitter tweaks video again, adding view counts for some users

    A beginner’s guide to the legendary Tim Tam biscuit, now available in America

    People are handing out badges at Tube stations to tackle loneliness

    Trump’s H-1B Visa Bill spooks India’s IT companies

    Magical fish basically has the power to conjure its own Patronus

    This Filipino guy channels his inner Miss Universe by strutting in six-inch heels and speedos

    Oil spill off India’s southern coast leaves fisherman stranded, marine life impacted

  • Lifestyle
    • All
    • Fashion
    • Food
    • Health
    • Travel
    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Offers More ‘Solorigate’ Advice Using Microsoft 365 Defender Tools

    A moment of reckoning: the need for a strong and global cybersecurity response

    Solar Winds, Office 365 & Shipbuilding…

    Aruba ClearPass Policy Manager Integrates with Microsoft

    Imprivata Expands Collaboration with Microsoft on New Digital Identity Innovations

    Microsoft Seriously Beefs Up Security in Windows Server 2019

    Microsoft Canada’s 10 biggest stories of 2020

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    FAA issues new proposed Boeing 737 MAX pilot training procedures

    AMD breaks revenue records for 2019 and 4Q

    AMD breaks revenue records for 2019 and 4Q

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft and Analog Devices pair on 3D imaging tech

    Microsoft is killing off insecure Cloud App Security cipher suites

    Microsoft is killing off insecure Cloud App Security cipher suites

    Rap group call out publication for using their image in place of ‘gang’

    Meet the woman who’s making consumer boycotts great again

    Trending Tags

    • Golden Globes
    • Mr. Robot
    • MotoGP 2017
    • Climate Change
    • Flat Earth
No Result
View All Result
Azure Security News
No Result
View All Result
Home News Business

Excluding Words Using Active Directory Password Policy

by AZURE SECURITY NEWS EDITOR
January 25, 2021
in Business
0
Assuring Customers About Cross-Border Data Flows
491
SHARES
1.4k
VIEWS
Share on FacebookShare on Twitter

Creating enforceable, common-sense password policies has become increasingly critical in today’s business world. One major variable in that equation is terminology. While some words (or strings of characters) are fair game, others are taboo.

Thankfully, Active Directory lets admins define permitted terms with relative ease. The same goes for banned passwords. These are accordingly stored within Active Directory’s Banned Passwords List. This article will cover why an administrator might choose to exclude words, and how they may do so.

Why Exclude Words via Password Policy?

Let’s first consider an outside example: the four-digit PIN. Despite the simplicity of shorter passcodes, users still tend to pick predictable number sequences, like 0000 or 1234. These codes are easy to remember. Unfortunately, they’re also top of mind for thieves with stolen cards, mobile devices and online banking accounts.

Additionally, users often create codes that correspond with personal information, including addresses, birthdates or partial phone numbers. As a bad actor, wouldn’t you explore these obvious avenues first? Passwords have thus always taken center stage in the battle between security and convenience.

The comparison between PINs and alphanumeric passwords, of course, isn’t fully ‘apples to apples.’ However, similar principles reign supreme. It wouldn’t be wise for General Motors employees to include GeneralMotors or GM within their passwords – or terms like vehicle names and prominent office locations. You don’t want to make unauthorized access a relative cakewalk.

Security Breaches and Past Leaks

Lax password policies quickly create issues in the event of brute-force attacks. An attacker will submit flurries of password combinations in hopes of choosing the correct one. As mentioned, it’s a virtual certainty that company-specific terms will be vulnerable. Deferring to obscure combinations will keep remote hackers at bay. These passwords will outlast brute-force efforts, as SecOps teams work to eliminate the threat.

That said, Active Directory Password Policy doesn’t solely focus on excluding ‘easy’ words. Even compliant passwords might be involved in data leaks. It’s important to ban exposed passwords, as these are no longer deemed secure. Continued audits help companies recover from attacks whilst thwarting future ones.

Now that we’ve answered the why, how can admins go about excluding words via Active Directory?

How to Exclude Words within Active Directory Password Policy

At the most basic level, Active Directory’s default complexity option will provide some options out of the box. Company names aren’t all we need to worry about. Users must avoid using strings containing too many account-related characters (such as first name or last name) as well. Domain Password Policy can limit users from using revealing, sequential letters. These characters are inherently more ‘guessable.’ This enforces de facto exclusion of certain terms.

In a similar vein, Active Directory admins may establish password filters. These leverage DLL files for domain accounts, both for 32-bit and 64-bit computers. This requires three main components:

  • A system registry key
  • A Notification Packages subkey
  • An existing password complexity setting or greater Password Policy

Passwords must satisfy any complexity requirements unless this option is disabled. Admins may apply these filters to all relevant domain controllers. This is another way of accomplishing what we’ve outlined in the preceding paragraph, though not calling upon a formal list of excluded words.

Via supplemental programming (e.g. with PowerShell) admins can write their own password DLL filters. This process is more time consuming than working within the GUI. However, it grants more control over both password complexity and character requirements.

Navigation Instructions

It’s worth noting that default password policies are applied to all computers within a domain. This Group Policy Object defines broad guidelines for all users. It’s possible to edit a Password Policy by following this hierarchy:

Group Policy Management > Domains > Chosen Domain > Group Policy Objects > Right-click + Edit.

This launches a new sidebar from which one’s settings are accessible. Next, it’s necessary to navigate to Password Policy. Admins must follow this file path:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy

PowerShell users may instead view these policies using a single cmdlet:

Get-ADDefaultDomainPasswordPolicy

Moving On from Broad Policies

Determining password policies for an entire organization is often sufficient. However, admins may find a team-specific Password Policy is prudent. Instead of applying multiple, new Group Policy Objects (GPOs) to an Organizational Unit (OU), creating fine-grained password policies is required. Only the default domain policy’s password policy will otherwise apply.

Fine-grained policies leverage Active Directory Administrative Center (ADAC). Admins will have to install Remote Server Administrator Tools (RSAT) then launch ADAC to get started. The process is simple thereafter:

  1. Click on the domain
  2. Select the System folder
  3. Select Password Settings Container, and click New in the righthand Tasks sidebar
  4. In the opened Create Password Settings screen, admins can outline password policies and apply them to certain groups or individual users (which you can name or specify)

Security concerns differ from team to team, depending on function or controlled data. Crafting bespoke password policies is commonly needed for compliance reasons. Sensitive industries – typically subject to government regulations – have stringent security requirements that manifest themselves within Active Directory’s password settings.

What If We’re Using Active Directory with Azure?

The great thing about the Azure-AD tandem is that it permits direct usage of a banned passwords list. Admins can create lists of up to 1000 unique terms or phrases. These passwords or fragments are barred from user accounts for a number of reasons, and often for those we’ve outlined in our introduction. This applies to cloud and hybrid environments alike.

Submitted passwords are checked against one’s list(s) of excluded words. Any string match is flagged. The user receives feedback that their password was rejected, and must create a new one that meets organizational requirements. This article on banned passwords lists assesses how passwords are evaluated and scored, and any resulting implications.

Third-Party Tooling

Open and closed-source tools often step in when native configurations aren’t enough. Password policies are no different in this regard. Longstanding tools like OpenPasswordFilter (GitHub here) have given admins the ability to create dual dictionaries and apply them to Active Directory. The tool’s DLLs can be loaded via LSASS, according to its documentation.

For example, each list contains banned passwords and character strings. However, one checks passwords for complete matches to excluded words; the other checks for partial matches. If a password is forbidden, the user is told to create a new password. Maintaining the dictionary is key here, as the security landscape constantly changes. A service executable keeps everything up-to-date.

Specops Software also provides its own tool for password management. The solution supports six different dictionary types:

  • Custom
  • Compliance, via Specops’ Master List
  • Common keyboard sequences and combinations
  • LinkedIn hash leaks
  • Adobe password leaks
  • Gawker password leaks

In conjunction with add-ons, Specops Password Policy accounts for billions of banned passwords. This banned list is updated continuously in response to leaks and other security events.

In any case, we recommend that passwords meet or exceed 15 characters in length. It’s also recommended to put password age requirements in place. Even the best third-party solutions must play well with Active Directory. It’s important that such applications support one another, upholding the security of your infrastructure as a result.

Reference: https://www.infosecurity-magazine.com/blogs/excluding-words-active-directory/

Share196Tweet123Share49
AZURE SECURITY NEWS EDITOR

AZURE SECURITY NEWS EDITOR

Related Posts

Innovative solutions for IT workers at home

ZEDEDA Announces Integration with Microsoft Azure IoT to Seamlessly and Securely Orchestrate Distributed Edge Computing Workloads at Scale

by AZURE SECURITY NEWS EDITOR
February 24, 2021
0

Native integration with ZEDEDA’s orchestration solution for the distributed edge enables end-to-end remote management of the entire Azure IoT Edge...

A moment of reckoning: the need for a strong and global cybersecurity response

Microsoft Affirms Solorigate Attackers Saw Azure, Intune and Exchange Source Code

by AZURE SECURITY NEWS EDITOR
February 23, 2021
0

Microsoft has reconfirmed that the "Solorigate" advanced persistent threat attackers saw some of its source code, although "only a few individual files...

8×8 makes raft of updates to platform

Indonesian Mobile Operator Selects NTT for Microsoft Security Project

by AZURE SECURITY NEWS EDITOR
February 22, 2021
0

NTT last week announced the completion of its first Microsoft Security Project for a cellular operator in Indonesia. The engagement with NTT...

Microsoft To Build New Azure Cloud Data Centers In Greece

NTT completes Microsoft security project for Indonesian mobile operator

by AZURE SECURITY NEWS EDITOR
February 19, 2021
0

NTT has completed its first Microsoft Security Project for a mobile operator in Indonesia. The engagement with NTT includes consulting,...

  • Trending
  • Comments
  • Latest
Microsoft’s CyberX Acquisition Boosts Security of Azure IoT Lineup

AZURE DEFAULT RESOURCE GROUP AND DEFAULT WORKSPACE: WHAT ARE THEY?

December 14, 2020
Microsoft Seriously Beefs Up Security in Windows Server 2019

TCS Launches Cloud Exponence on Microsoft Azure

January 21, 2021
Microsoft Launches Host of Security Products in Time for RSA

Microsoft to add two new Microsoft 365 security, compliance bundles to its line-up

November 26, 2020

Lady Gaga Pulled Off One of the Best Halftime Shows Ever

0

Barack Obama’s Now Mainly Focusing on Wearing This Casual Backwards Hat

0

Watch Justin Timberlake’s ‘Cry Me a River’ Come to Life in Mesmerizing Dance

0
Telecom Provider Migrates Confidently to Microsoft Azure with Fortinet’s Dynamic Cloud Security Solutions

Veeam Backup & Replication 11: Enhanced data management for a multi-cloud environment

February 25, 2021
8×8 makes raft of updates to platform

Advancing the Orchestration of Distributed Edge Applications, ZEDEDA Integrates with Microsoft Azure IoT

February 25, 2021
A moment of reckoning: the need for a strong and global cybersecurity response

Cloud Security in Banking Market to Witness Huge Growth by 2026 | Microsoft Azure, Trend Micro, Salesforce

February 25, 2021
Azure Security News

Copyright © 2020 - Azure Security

Navigate Site

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Follow Us

No Result
View All Result
  • Home
  • News
    • Politics
    • Business
    • World
    • Science
  • Entertainment
    • Gaming
    • Music
    • Movie
    • Sports
  • Tech
    • Apps
    • Gear
    • Mobile
    • Startup
  • Lifestyle
    • Food
    • Fashion
    • Health
    • Travel

Copyright © 2020 - Azure Security

Welcome Back!

Login to your account below

Forgotten Password?

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In