commit 4554305f3a51ae0213d56bea2e52aaeab72d7749 Author: Tomas Kracmar Date: Tue Sep 30 11:30:46 2025 +0200 First batch diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..496ee2c --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.DS_Store \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..13326b2 --- /dev/null +++ b/README.md @@ -0,0 +1,33 @@ +# Organizational Policies Repository + +Welcome to the Organizational Policies repository. This repository serves as the single source of truth for all official policies governing our organization. + +## Purpose + +The purpose of this repository is to centralize and maintain all organizational policies in one place, ensuring consistency, transparency, and easy access for all members of the organization. + +## Repository Structure + +This repository is organized into categories of policies to facilitate easy navigation and management. Each category contains relevant policy documents. + +### Policy Categories + +- **Security** + Policies related to information security, data protection, and cybersecurity practices. + +*Additional categories may be added as needed.* + +## Contribution Guidelines + +We welcome contributions to improve and update organizational policies. To propose changes or additions: + +1. Fork the repository. +2. Make your changes in a new branch. +3. Submit a pull request describing the proposed updates. +4. Your pull request will be reviewed by the policy management team before merging. + +Please ensure that all contributions align with organizational goals and legal requirements. + +## Licensing + +All content in this repository is licensed under the MIT license. \ No newline at end of file diff --git a/Security/password_guidance_generic.md b/Security/password_guidance_generic.md new file mode 100644 index 0000000..e75e565 --- /dev/null +++ b/Security/password_guidance_generic.md 
@@ -0,0 +1,112 @@ +# Password & Authenticator Guidance (System-Agnostic) + +**Document owner:** [Owner/Role] +**Approved by:** [Steering Committee / CISO] +**Effective date:** [YYYY-MM-DD] +**Review cadence:** [Annually] + +--- + +## 1) Purpose & Scope +This document provides **implementation guidance and hardening requirements** for enforcing the Password & Authenticator Policy across all systems, applications, and identity platforms in [Organization]. +It applies to IT, IAM administrators, and system owners. + +--- + +## 2) Policy Implementation Guidance + +### 2.1 Password Length & Creation +- Configure all systems to **enforce minimum lengths**: + - **15 characters** for single-factor authentication. + - **8 characters** for MFA-protected logins. +- Ensure systems support passwords up to **64 characters** with spaces, ASCII, and Unicode. +- Do not enforce composition rules; instead rely on **length + blocklist screening**. + +### 2.2 Blocklist Screening +- Implement password screening against: + - **Commonly used passwords** (e.g., “Password123”). + - **Breach corpuses** (public leak data). + - **Organization-specific terms** (company name, product names). +- Update blocklists at least **quarterly**. + +### 2.3 Expiration & Rotation +- Disable periodic password expiration for human accounts. +- Enable **risk/event-driven rotation** when compromise is suspected. +- For **service accounts**, enforce **automated rotation** in a secret manager. + +### 2.4 Usability & User Experience +- Enable **copy/paste** to support password managers. +- Provide an optional **“show password”** control on login. +- Prohibit **password hints** and **security questions**. + +### 2.5 Multi-Factor Authentication (MFA) +- Require MFA for: + - All external-facing logins. + - Administrative access. + - Remote access (VPN, SSH, RDP, portals). + - Systems handling **sensitive or regulated data**. +- Prefer **phishing-resistant MFA** (FIDO2, WebAuthn, authenticator apps). 
+- Allow **SMS/voice** only as fallback. + +### 2.6 Account Lockout & Rate Limiting +- Enforce **rate-limiting** on failed login attempts. +- Apply **escalating timeouts** (e.g., 30s → 1min → 5min). +- Avoid permanent lockouts to reduce denial-of-service risk. + +### 2.7 Password Storage & Transmission +- Transmit all credentials only over **encrypted channels** (TLS 1.2+). +- Store passwords using: + - **Argon2id (preferred)**, or + - **bcrypt** / **PBKDF2** with high work factor. +- Use **unique salts** (≥32 bits) per credential. +- Consider adding a server-side **“pepper”** stored securely (HSM/TEE). + +### 2.8 Resets & Recovery +- Require MFA for password resets. +- Prohibit knowledge-based authentication (KBA/security questions). +- Revoke all active sessions and tokens after a reset due to compromise. + +### 2.9 Administrative & Privileged Accounts +- Enforce **separate admin accounts** for elevated tasks. +- Protect all privileged accounts with **MFA**. +- Provision administrative access **just-in-time** or **time-bound**. +- Prohibit shared admin credentials; vault and monitor any break-glass accounts. + +### 2.10 Service & Machine Accounts +- Prefer **key-based**, **certificate-based**, or **federated identities** over passwords. +- If passwords are required: + - **≥30 characters**, randomly generated. + - Stored only in **approved secret managers**. + - Automatically rotated and logged. +- Prohibit interactive login with service accounts. + +### 2.11 Dormant Accounts +- Disable accounts after **45 days of inactivity**. +- Conduct **quarterly account reviews** for all user and service accounts. + +### 2.12 Application Integration +Applications authenticating users **must**: +- Support policy requirements for **length**, **blocklist checks**, and **no composition rules**. +- Allow **paste/autofill**. +- Not truncate credentials. +- Store credentials with modern password hashing. 
+ +--- + +## 3) Hardening Checklist +✅ Enforce MFA on all sensitive and external-facing systems. +✅ Implement blocklist screening for weak/compromised passwords. +✅ Remove periodic password expiration policies for human users. +✅ Store passwords only with Argon2id/bcrypt/PBKDF2. +✅ Rate-limit login attempts with escalating delays. +✅ Disable accounts inactive for ≥45 days. +✅ Require password manager compatibility (paste/show-password). +✅ Review and disable legacy authentication protocols (e.g., plain text FTP/POP/IMAP, NTLMv1). +✅ Audit password changes, resets, and lockout events. + +--- + +## 4) References +- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)** +- **CIS Controls v8.1 (Controls 5 & 6)** +- **OWASP Authentication Cheat Sheet** diff --git a/Security/password_guidance_m365_ad.md b/Security/password_guidance_m365_ad.md new file mode 100644 index 0000000..afcaa24 --- /dev/null +++ b/Security/password_guidance_m365_ad.md 
@@ -0,0 +1,136 @@ +# Password & Authenticator Policy (Draft) + +**Document owner:** [Owner/Role] +**Approved by:** [Steering Committee / CISO] +**Effective date:** [YYYY-MM-DD] +**Review cadence:** [Annually] + +--- + +## 1) Purpose & scope +This policy defines requirements for passwords and related authenticator handling for all users and service accounts accessing [Organization] Microsoft 365, Active Directory (AD), and connected systems. + +--- + +## 2) Roles & responsibilities +- **CISO / Security:** Owns this policy, maintains blocklists, monitors compliance. +- **IT / IAM:** Implements enforcement in Microsoft Entra ID (Azure AD), on-prem AD, and Microsoft 365 services. +- **System Owners:** Ensure integrated apps follow this policy. +- **All Users:** Must comply with requirements. + +--- + +## 3) Password requirements (human users) +1. **Length** + - **15+ characters** if used as single-factor (per NIST SP 800-63B). + - **8+ characters** if MFA is enforced. + - Systems should allow up to **64 characters** and support ASCII, spaces, and Unicode. + +2. **No composition rules** + - Do not require complexity like upper/lower/symbol/number. Focus on **length + blocklist checks**. + +3. **Blocklist screening** + - Enforce via **Azure AD Password Protection** to block common, weak, or breached passwords. + - Screen against organization-specific terms (e.g., company name). + +4. **Expiration** + - No scheduled expiration unless compromise is suspected. + - Incident-driven reset is mandatory. + +5. **Usability** + - Allow copy/paste and password managers. + - Provide “show password” toggle. + - Disable hints and security questions. + +6. **CIS Controls alignment** + - CIS Control 5: unique accounts, disable dormant accounts (≥45 days). + - CIS Control 6: enforce access control with MFA. + +--- + +## 4) Multi-factor authentication (MFA) +- **Mandatory MFA** for: Microsoft 365, VPN/remote access, privileged AD accounts, email, SaaS with sensitive data. 
+- Use **Microsoft Authenticator** push or **FIDO2 security keys** as preferred methods. +- SMS/voice allowed only as fallback. + +--- + +## 5) Rate limiting & lockout +- Use **Azure AD smart lockout**: + - Default: lock after 10 failed attempts, 1-minute auto-unlock (configurable). +- Avoid permanent lockouts to prevent DoS. + +--- + +## 6) Storage & transmission +- All AD/M365 authentication happens over **TLS**. +- Passwords stored as **salted, hashed verifiers** (NTLMv2/Kerberos with AES). +- Domain controllers must disable **NTLMv1** and LM hashes. +- Use **Argon2id/bcrypt** if custom apps store passwords. + +--- + +## 7) Password creation guidance +- Encourage passphrases (e.g., multiple random words). +- Recommend password manager integration with M365 (Edge/Outlook support). +- Discourage personal info and patterns. + +--- + +## 8) Resets & recovery +- Self-service password reset (SSPR) in Azure AD with MFA verification. +- No KBA/security questions. +- After compromise, force change and revoke tokens. + +--- + +## 9) Administrative accounts +- Separate admin accounts from daily-use accounts. +- Enforce MFA on all admin accounts (Azure AD Conditional Access). +- Monitor via **Privileged Identity Management (PIM)** with just-in-time access. +- No shared admin passwords. Break-glass accounts must be vaulted, monitored, and MFA-enabled. + +--- + +## 10) Service, API, and machine accounts +- Use **Managed Service Accounts (MSA/gMSA)** in AD. +- For cloud, prefer **Managed Identities** in Azure. +- If secrets required: + - 30+ chars random secret. + - Store in **Azure Key Vault**. + - Automate rotation. + - No interactive login. + +--- + +## 11) Application integration requirements +Apps authenticating against AD or Entra ID must: +- Support required password lengths and blocklist checks. +- Allow paste/autofill, no hints, no truncation. +- Store verifiers with modern hashing if not using directory federation. 
+ +--- + +## 12) Hardening checklist (Microsoft 365 + AD) +- ✅ Enforce MFA with **Conditional Access**. +- ✅ Enable **Azure AD Password Protection** with custom banned-password list. +- ✅ Configure **smart lockout**. +- ✅ Enable **PIM** for admin accounts. +- ✅ Disable **legacy auth protocols** (POP, IMAP, SMTP Basic, NTLMv1). +- ✅ Review dormant accounts quarterly (disable after 45 days). +- ✅ Require TLS 1.2+ for all endpoints. +- ✅ Audit password changes and lockout events. + +--- + +## 13) Exceptions +- Documented need, CISO approval, compensating controls, and review date. + +--- + +## 14) References +- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)** +- **CIS Controls v8.1** (Controls 5 & 6) +- **Microsoft Security Baselines (Windows, AD, M365)** +- **OWASP Authentication Cheat Sheet** + diff --git a/Security/password_policy_generic.md b/Security/password_policy_generic.md new file mode 100644 index 0000000..fccd22e --- /dev/null +++ b/Security/password_policy_generic.md 
@@ -0,0 +1,96 @@ +# Password & Authenticator Policy (System-Agnostic) + +**Document owner:** [Owner/Role] +**Approved by:** [Steering Committee / CISO] +**Effective date:** [YYYY-MM-DD] +**Review cadence:** [Annually] + +--- + +## 1) Purpose & Scope +This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]’s IT systems. It applies to all employees, contractors, vendors, and service accounts. + +--- + +## 2) Policy Statements + +### 2.1 Password Length +- Passwords **must** be at least **15 characters** when used as a single factor of authentication. +- Passwords **must** be at least **8 characters** when used in combination with MFA. +- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters. + +### 2.2 Complexity +- Passwords **must not** be subject to composition rules requiring upper/lowercase, numbers, or symbols. +- Passwords **must** be screened against a blocklist of weak, common, or compromised passwords. + +### 2.3 Expiration +- Passwords **shall not** expire on a scheduled basis. +- Passwords **must** be changed immediately upon indication or suspicion of compromise. + +### 2.4 Usability +- Systems **must** permit copy/paste from password managers. +- Systems **must** provide a “show password” option. +- Password hints and security questions **must not** be used. + +### 2.5 Multi-Factor Authentication (MFA) +- MFA **must** be enforced for: + - Remote access + - Administrative access + - Access to sensitive data or critical systems +- MFA **should** use phishing-resistant methods (e.g., FIDO2, authenticator apps). +- SMS/voice **shall** only be used as fallback methods. + +### 2.6 Account Lockout +- Failed logins **must** be throttled with rate-limiting or timed lockout. +- Accounts **shall not** be permanently locked out due to failed attempts. 
+ +### 2.7 Storage & Transmission +- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+ or equivalent). +- Passwords **must** be stored as salted and hashed verifiers using Argon2id, bcrypt, or PBKDF2. +- Legacy or weak hashing mechanisms **must not** be used. + +### 2.8 Resets & Recovery +- Password resets **must** require MFA verification. +- Knowledge-based authentication (KBA/security questions) **must not** be used. +- After compromise, passwords **must** be reset and sessions revoked. + +### 2.9 Administrative Accounts +- Administrative accounts **must** be separate from daily-use accounts. +- All administrative accounts **must** be protected with MFA. +- Administrative access **should** be provisioned with just-in-time or time-bound access control. +- Shared administrative passwords **must not** be used. Break-glass accounts **must** be protected and monitored. + +### 2.10 Service & Machine Accounts +- Service accounts **must** use keys, certificates, or managed identities where possible. +- If passwords are required, they **must** be at least **30 characters**, randomly generated, and stored only in approved secret managers. +- Service accounts **must not** allow interactive login. +- Secrets **must** be rotated regularly through automated processes. + +### 2.11 Dormant Accounts +- User accounts inactive for **45 days** **must** be disabled. +- Quarterly reviews of all accounts **must** be conducted. + +### 2.12 Application Integration +Applications authenticating users: +- **Must** support password length requirements and blocklist enforcement. +- **Must** allow paste/autofill and must not truncate passwords. +- **Must** store verifiers using modern password hashing methods. + +--- + +## 3) Enforcement +- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment. 
+- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO. + +--- + +## 4) Exceptions +- Exceptions **must** be documented, include compensating controls, and have CISO approval. +- Exceptions **must** have a review date not exceeding 12 months. + +--- + +## 5) References +- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)** +- **CIS Controls v8.1, Controls 5 & 6** +- **OWASP Authentication Cheat Sheet** diff --git a/Security/password_policy_m365_ad.md b/Security/password_policy_m365_ad.md new file mode 100644 index 0000000..60414ee --- /dev/null +++ b/Security/password_policy_m365_ad.md 
@@ -0,0 +1,99 @@ +# Password & Authenticator Policy (M365 + AD) + +**Document owner:** [Owner/Role] +**Approved by:** [Steering Committee / CISO] +**Effective date:** [YYYY-MM-DD] +**Review cadence:** [Annually] + +--- + +## 1) Purpose & Scope +This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]’s Microsoft 365, Active Directory (AD), and integrated systems. It applies to all employees, contractors, vendors, and service accounts. + +--- + +## 2) Policy Statements + +### 2.1 Password Length +- Passwords **must** be at least **15 characters** when used as a single factor of authentication. +- Passwords **must** be at least **8 characters** when used in combination with MFA. +- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters. + +### 2.2 Complexity +- Passwords **must not** be subject to complexity rules requiring upper/lowercase, numbers, or symbols. +- Passwords **shall** be screened against a blocklist of weak, common, and compromised passwords using **Azure AD Password Protection**. + +### 2.3 Expiration +- Passwords **shall not** expire on a scheduled basis. +- Passwords **must** be changed immediately upon indication or suspicion of compromise. + +### 2.4 Usability +- Systems **must** permit copy/paste from password managers. +- Systems **must** provide a “show password” option. +- Password hints and security questions **must not** be used. + +### 2.5 Multi-Factor Authentication (MFA) +- MFA **must** be enforced for: + - Microsoft 365 services + - VPN/remote access + - Privileged AD accounts + - Administrative access to SaaS and production systems +- MFA **should** use phishing-resistant methods (e.g., FIDO2, Microsoft Authenticator). +- SMS/voice **shall** only be used as fallback methods. + +### 2.6 Account Lockout +- Failed logins **must** be throttled using **Azure AD Smart Lockout**. 
+- Accounts **shall not** be permanently locked out due to failed attempts; instead, time-based delays must be applied. + +### 2.7 Storage & Transmission +- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+). +- AD and M365 **must** store passwords as salted and hashed verifiers. +- NTLMv1 and LAN Manager (LM) hashes **must** be disabled. +- Custom applications **must** use Argon2id, bcrypt, or PBKDF2 for password storage. + +### 2.8 Resets & Recovery +- Password resets **must** require MFA verification (via Azure AD SSPR). +- Knowledge-based authentication (KBA/security questions) **must not** be used. +- After compromise, passwords **must** be reset and tokens revoked. + +### 2.9 Administrative Accounts +- Administrative accounts **must** be separate from daily-use accounts. +- All administrative accounts **must** be protected with MFA. +- Administrative access **must** be provisioned through **Privileged Identity Management (PIM)** with just-in-time elevation. +- Shared administrative passwords **must not** be used. Break-glass accounts **must** be vaulted, monitored, and protected with MFA. + +### 2.10 Service & Machine Accounts +- Service accounts **must** use Managed Service Accounts (MSA/gMSA) or Managed Identities where available. +- Service account passwords **must** be at least **30 characters**, randomly generated, and stored securely (e. g. in **Azure Key Vault**). +- Service accounts **must not** allow interactive login. +- Secrets **must** be rotated regularly through automated processes. + +### 2.11 Dormant Accounts +- User accounts inactive for **45 days** **must** be disabled. +- Quarterly reviews of all accounts **must** be conducted by IT. + +### 2.12 Application Integration +Applications authenticating against AD or Entra ID: +- **Must** support password length requirements and blocklist enforcement. +- **Must** allow paste/autofill and must not truncate passwords. 
+- **Must** store verifiers using modern password hashing methods if not federated. + +--- + +## 3) Enforcement +- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment. +- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO. + +--- + +## 4) Exceptions +- Exceptions **must** be documented, include compensating controls, and have CISO approval. +- Exceptions **must** have a review date not exceeding 12 months. + +--- + +## 5) References +- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)** +- **CIS Controls v8.1, Controls 5 & 6** +- **Microsoft Security Baselines (M365 & Windows/AD)** +- **OWASP Authentication Cheat Sheet**
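Review bot: the `.gitignore` hunk ends with `\ No newline at end of file`; add a trailing newline after `+.DS_Store` so the next entry appended to the file shows up as a one-line addition instead of a modified last line.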
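Review bot: in the README hunk the Licensing section states `+All content in this repository is licensed under the MIT license.` but no LICENSE file is added anywhere in this commit, so the claim has nothing backing it in the repository; add a LICENSE file with the MIT text and the copyright holder, and point to it from that section. In the same hunk the Policy Categories list names only "Security", while the Security directory in this patch ships two pairs of documents (a policy and a companion guidance file, once system-agnostic and once for Microsoft 365 + AD); a sentence under the category explaining that each policy has an implementation-guidance twin would help readers pick the right document. This file also lacks a trailing newline.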
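Review bot: in section 2.5 of the `password_guidance_generic.md` hunk, the line `+- Prefer **phishing-resistant MFA** (FIDO2, WebAuthn, authenticator apps).` puts authenticator apps in the same class as FIDO2/WebAuthn, but OTP codes and push approvals from an app are not phishing-resistant: a relayed login page can collect the code or trigger the push, which is exactly the attack FIDO2's origin binding defeats. Suggest splitting the bullet into a preferred tier (FIDO2/WebAuthn, passkeys) and an acceptable tier (authenticator-app OTP or push with number matching), leaving SMS/voice as the fallback in the following line. Two smaller points in the same hunk: section 2.7's `≥32 bits` salt is the NIST SP 800-63B minimum, but Argon2id and bcrypt generate their own per-credential salt (bcrypt's is 128 bits), so the requirement reads better as "use the library-generated per-credential salt; never supply a fixed or shared salt"; and the References entry `NIST SP 800-63B, Digital Identity Guidelines (2023 update)` should cite the exact revision, since the 15-character single-factor / 8-character-with-MFA split in section 2.1 comes from the SP 800-63B-4 draft, whereas the published Revision 3 requires only 8 characters.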
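Review bot: the `password_guidance_m365_ad.md` hunk opens with `+# Password & Authenticator Policy (Draft)`, which does not match the file name or its generic counterpart (titled "Guidance (System-Agnostic)") and collides with the separate `password_policy_m365_ad.md`; retitle it "Password & Authenticator Guidance (Microsoft 365 + AD)" and move "(Draft)" into a status field next to the owner/approver block. Section 6 of the same hunk, `+- Passwords stored as **salted, hashed verifiers** (NTLMv2/Kerberos with AES).`, is inaccurate: Active Directory stores the NT hash (unsalted MD4 of the UTF-16LE password) that NTLM authentication relies on, Kerberos AES keys are derived with PBKDF2 from a salt built from the realm and principal name, and NTLMv2 is a challenge-response protocol rather than a storage format. Reword to "Kerberos AES keys are salted and derived with PBKDF2; the NT hash used by NTLM is unsalted, so disable NTLMv1/LM, audit and restrict NTLM use, and enforce AES for Kerberos", which also makes the next line about NTLMv1 and LM hashes follow naturally. In section 4, `Microsoft Authenticator push` is listed as a preferred method, but push approval is not phishing-resistant; list FIDO2 security keys and passkeys as preferred and keep push (with number matching) as acceptable. Finally, the hunk writes "Microsoft Entra ID (Azure AD)" in section 2 but "Azure AD Password Protection", "Azure AD smart lockout" and "Azure AD Conditional Access" elsewhere; settle on the current Entra product names with "Azure AD" given once in parentheses.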
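Review bot: in section 2.5 of the `password_policy_generic.md` hunk, `+- MFA **should** use phishing-resistant methods (e.g., FIDO2, authenticator apps).` cites authenticator apps as an example of a phishing-resistant method, which they are not (OTP and push can be relayed through a proxied login page); keep FIDO2/WebAuthn and passkeys as the phishing-resistant examples and state separately that authenticator-app OTP or push is acceptable where those are unavailable. Also, section 2.3's `+- Passwords **shall not** expire on a scheduled basis.` is unscoped, while section 2.10 requires service-account secrets to be rotated regularly through automated processes; the companion guidance document limits the no-expiry rule to human accounts, so add "for human user accounts" to 2.3 so the two statements do not read as contradicting each other.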
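Review bot: section 2.7 of the `password_policy_m365_ad.md` hunk, `+- AD and M365 **must** store passwords as salted and hashed verifiers.`, is a requirement Active Directory cannot satisfy as written, because the NT hash it keeps for NTLM is unsalted; restate it as controls the organization can actually enforce (disable NTLMv1 and LM hashes as the next line already does, require Kerberos with AES, restrict NTLM use, and protect domain controllers and the directory database), and reserve the salted-hash requirement for the custom-application bullet that follows. Section 2.5 has the same issue as the other documents: `phishing-resistant methods (e.g., FIDO2, Microsoft Authenticator)` should name FIDO2 security keys and passkeys, with Microsoft Authenticator push or OTP as an acceptable but not phishing-resistant method. Minor: section 2.10 has "e. g." with a stray space, and section 2.6 writes "Azure AD Smart Lockout" where the guidance file writes "smart lockout"; align the capitalization and product naming across the four documents.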