First batch

This commit is contained in:
2025-09-30 11:30:46 +02:00
commit 4554305f3a
6 changed files with 477 additions and 0 deletions


@@ -0,0 +1,112 @@
# Password & Authenticator Guidance (System-Agnostic)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & Scope
This document provides **implementation guidance and hardening requirements** for enforcing the Password & Authenticator Policy across all systems, applications, and identity platforms in [Organization].
It applies to IT, IAM administrators, and system owners.
---
## 2) Policy Implementation Guidance
### 2.1 Password Length & Creation
- Configure all systems to **enforce minimum lengths**:
- **15 characters** for single-factor authentication.
- **8 characters** for MFA-protected logins.
- Ensure systems support passwords up to **64 characters** with spaces, ASCII, and Unicode.
- Do not enforce composition rules; instead rely on **length + blocklist screening**.
### 2.2 Blocklist Screening
- Implement password screening against:
- **Commonly used passwords** (e.g., “Password123”).
- **Breach corpuses** (public leak data).
- **Organization-specific terms** (company name, product names).
- Update blocklists at least **quarterly**.
### 2.3 Expiration & Rotation
- Disable periodic password expiration for human accounts.
- Enable **risk/event-driven rotation** when compromise is suspected.
- For **service accounts**, enforce **automated rotation** in a secret manager.
### 2.4 Usability & User Experience
- Enable **copy/paste** to support password managers.
- Provide an optional **“show password”** control on login.
- Prohibit **password hints** and **security questions**.
### 2.5 Multi-Factor Authentication (MFA)
- Require MFA for:
- All external-facing logins.
- Administrative access.
- Remote access (VPN, SSH, RDP, portals).
- Systems handling **sensitive or regulated data**.
- Prefer **phishing-resistant MFA** (FIDO2, WebAuthn, authenticator apps).
- Allow **SMS/voice** only as fallback.
### 2.6 Account Lockout & Rate Limiting
- Enforce **rate-limiting** on failed login attempts.
- Apply **escalating timeouts** (e.g., 30s → 1min → 5min).
- Avoid permanent lockouts to reduce denial-of-service risk.
### 2.7 Password Storage & Transmission
- Transmit all credentials only over **encrypted channels** (TLS 1.2+).
- Store passwords using:
- **Argon2id (preferred)**, or
- **bcrypt** / **PBKDF2** with high work factor.
- Use **unique salts** (≥32 bits) per credential.
- Consider adding a server-side **“pepper”** stored securely (HSM/TEE).
### 2.8 Resets & Recovery
- Require MFA for password resets.
- Prohibit knowledge-based authentication (KBA/security questions).
- Revoke all active sessions and tokens after a reset due to compromise.
### 2.9 Administrative & Privileged Accounts
- Enforce **separate admin accounts** for elevated tasks.
- Protect all privileged accounts with **MFA**.
- Provision administrative access **just-in-time** or **time-bound**.
- Prohibit shared admin credentials; vault and monitor any break-glass accounts.
### 2.10 Service & Machine Accounts
- Prefer **key-based**, **certificate-based**, or **federated identities** over passwords.
- If passwords are required:
- **≥30 characters**, randomly generated.
- Stored only in **approved secret managers**.
- Automatically rotated and logged.
- Prohibit interactive login with service accounts.
### 2.11 Dormant Accounts
- Disable accounts after **45 days of inactivity**.
- Conduct **quarterly account reviews** for all user and service accounts.
### 2.12 Application Integration
Applications authenticating users **must**:
- Support policy requirements for **length**, **blocklist checks**, and **no composition rules**.
- Allow **paste/autofill**.
- Not truncate credentials.
- Store credentials with modern password hashing.
---
## 3) Hardening Checklist
✅ Enforce MFA on all sensitive and external-facing systems.
✅ Implement blocklist screening for weak/compromised passwords.
✅ Remove periodic password expiration policies for human users.
✅ Store passwords only with Argon2id/bcrypt/PBKDF2.
✅ Rate-limit login attempts with escalating delays.
✅ Disable accounts inactive for ≥45 days.
✅ Require password manager compatibility (paste/show-password).
✅ Review and disable legacy authentication protocols (e.g., plain text FTP/POP/IMAP, NTLMv1).
✅ Audit password changes, resets, and lockout events.
---
## 4) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1 (Controls 5 & 6)**
- **OWASP Authentication Cheat Sheet**
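Review bot: 2.7 ("**bcrypt** / **PBKDF2** with high work factor") conflicts with 2.1 ("support passwords up to **64 characters** with spaces, ASCII, and Unicode") and 2.12 ("Not truncate credentials"): bcrypt only consumes the first 72 bytes of its input and silently ignores the rest, so a 64-character Unicode passphrase encoded as UTF-8 can exceed that limit and be truncated by the very hash this guidance approves. Either name Argon2id/PBKDF2 as the options for systems that accept long Unicode passwords, or state that bcrypt deployments must reject inputs longer than 72 bytes so the no-truncation requirement is actually met. Also in 2.5, "authenticator apps" should not be listed as phishing-resistant MFA: TOTP codes and push approvals can be relayed through a real-time phishing proxy; only FIDO2/WebAuthn (passkeys, security keys) and certificate-based authentication qualify, so move apps to an acceptable second tier above the SMS/voice fallback. Minor: the "≥32 bits" salt floor in 2.7 is the NIST minimum; stating 128 bits (what current Argon2/bcrypt libraries generate by default) avoids anyone hand-rolling a 4-byte salt.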


@@ -0,0 +1,136 @@
# Password & Authenticator Policy (Draft)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & scope
This policy defines requirements for passwords and related authenticator handling for all users and service accounts accessing [Organization] Microsoft 365, Active Directory (AD), and connected systems.
---
## 2) Roles & responsibilities
- **CISO / Security:** Owns this policy, maintains blocklists, monitors compliance.
- **IT / IAM:** Implements enforcement in Microsoft Entra ID (Azure AD), on-prem AD, and Microsoft 365 services.
- **System Owners:** Ensure integrated apps follow this policy.
- **All Users:** Must comply with requirements.
---
## 3) Password requirements (human users)
1. **Length**
- **15+ characters** if used as single-factor (per NIST SP 800-63B).
- **8+ characters** if MFA is enforced.
- Systems should allow up to **64 characters** and support ASCII, spaces, and Unicode.
2. **No composition rules**
- Do not require complexity like upper/lower/symbol/number. Focus on **length + blocklist checks**.
3. **Blocklist screening**
- Enforce via **Azure AD Password Protection** to block common, weak, or breached passwords.
- Screen against organization-specific terms (e.g., company name).
4. **Expiration**
- No scheduled expiration unless compromise is suspected.
- Incident-driven reset is mandatory.
5. **Usability**
- Allow copy/paste and password managers.
- Provide “show password” toggle.
- Disable hints and security questions.
6. **CIS Controls alignment**
- CIS Control 5: unique accounts, disable dormant accounts (≥45 days).
- CIS Control 6: enforce access control with MFA.
---
## 4) Multi-factor authentication (MFA)
- **Mandatory MFA** for: Microsoft 365, VPN/remote access, privileged AD accounts, email, SaaS with sensitive data.
- Use **Microsoft Authenticator** push or **FIDO2 security keys** as preferred methods.
- SMS/voice allowed only as fallback.
---
## 5) Rate limiting & lockout
- Use **Azure AD smart lockout**:
- Default: lock after 10 failed attempts, 1-minute auto-unlock (configurable).
- Avoid permanent lockouts to prevent DoS.
---
## 6) Storage & transmission
- All AD/M365 authentication happens over **TLS**.
- Passwords stored as **salted, hashed verifiers** (NTLMv2/Kerberos with AES).
- Domain controllers must disable **NTLMv1** and LM hashes.
- Use **Argon2id/bcrypt** if custom apps store passwords.
---
## 7) Password creation guidance
- Encourage passphrases (e.g., multiple random words).
- Recommend password manager integration with M365 (Edge/Outlook support).
- Discourage personal info and patterns.
---
## 8) Resets & recovery
- Self-service password reset (SSPR) in Azure AD with MFA verification.
- No KBA/security questions.
- After compromise, force change and revoke tokens.
---
## 9) Administrative accounts
- Separate admin accounts from daily-use accounts.
- Enforce MFA on all admin accounts (Azure AD Conditional Access).
- Monitor via **Privileged Identity Management (PIM)** with just-in-time access.
- No shared admin passwords. Break-glass accounts must be vaulted, monitored, and MFA-enabled.
---
## 10) Service, API, and machine accounts
- Use **Managed Service Accounts (MSA/gMSA)** in AD.
- For cloud, prefer **Managed Identities** in Azure.
- If secrets required:
- 30+ chars random secret.
- Store in **Azure Key Vault**.
- Automate rotation.
- No interactive login.
---
## 11) Application integration requirements
Apps authenticating against AD or Entra ID must:
- Support required password lengths and blocklist checks.
- Allow paste/autofill, no hints, no truncation.
- Store verifiers with modern hashing if not using directory federation.
---
## 12) Hardening checklist (Microsoft 365 + AD)
- ✅ Enforce MFA with **Conditional Access**.
- ✅ Enable **Azure AD Password Protection** with custom banned-password list.
- ✅ Configure **smart lockout**.
- ✅ Enable **PIM** for admin accounts.
- ✅ Disable **legacy auth protocols** (POP, IMAP, SMTP Basic, NTLMv1).
- ✅ Review dormant accounts quarterly (disable after 45 days).
- ✅ Require TLS 1.2+ for all endpoints.
- ✅ Audit password changes and lockout events.
---
## 13) Exceptions
- Documented need, CISO approval, compensating controls, and review date.
---
## 14) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1** (Controls 5 & 6)
- **Microsoft Security Baselines (Windows, AD, M365)**
- **OWASP Authentication Cheat Sheet**
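Review bot: section 6, "Passwords stored as **salted, hashed verifiers** (NTLMv2/Kerberos with AES)", is inaccurate for Active Directory: AD keeps the NT hash (an unsalted MD4 of the UTF-16LE password), which is what NTLMv2 authentication and RC4 Kerberos keys derive from, and NTLMv2 is a challenge-response protocol, not a storage format. Only the Kerberos AES keys are salted (derived from the password plus a principal-based salt). Reword to describe what the platform actually does and add the compensating controls that matter because the NT hash is unsalted: disable RC4 Kerberos encryption types, restrict and audit NTLM, and treat the domain controllers and ntds.dit as tier-0 assets. Same section: "All AD/M365 authentication happens over **TLS**" holds for Entra ID/M365 but not for on-prem AD, where Kerberos and NTLM travel over LDAP, SMB and RPC without TLS; require LDAP signing and channel binding, SMB signing, and LDAPS where LDAP is used instead. Naming: section 2 introduces "Microsoft Entra ID (Azure AD)" but sections 3, 5, 8 and 12 still say "Azure AD Password Protection" and "Azure AD smart lockout"; use the current names (Microsoft Entra Password Protection, Microsoft Entra smart lockout) consistently.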


@@ -0,0 +1,96 @@
# Password & Authenticator Policy (System-Agnostic)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & Scope
This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]s IT systems. It applies to all employees, contractors, vendors, and service accounts.
---
## 2) Policy Statements
### 2.1 Password Length
- Passwords **must** be at least **15 characters** when used as a single factor of authentication.
- Passwords **must** be at least **8 characters** when used in combination with MFA.
- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters.
### 2.2 Complexity
- Passwords **must not** be subject to composition rules requiring upper/lowercase, numbers, or symbols.
- Passwords **must** be screened against a blocklist of weak, common, or compromised passwords.
### 2.3 Expiration
- Passwords **shall not** expire on a scheduled basis.
- Passwords **must** be changed immediately upon indication or suspicion of compromise.
### 2.4 Usability
- Systems **must** permit copy/paste from password managers.
- Systems **must** provide a “show password” option.
- Password hints and security questions **must not** be used.
### 2.5 Multi-Factor Authentication (MFA)
- MFA **must** be enforced for:
- Remote access
- Administrative access
- Access to sensitive data or critical systems
- MFA **should** use phishing-resistant methods (e.g., FIDO2, authenticator apps).
- SMS/voice **shall** only be used as fallback methods.
### 2.6 Account Lockout
- Failed logins **must** be throttled with rate-limiting or timed lockout.
- Accounts **shall not** be permanently locked out due to failed attempts.
### 2.7 Storage & Transmission
- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+ or equivalent).
- Passwords **must** be stored as salted and hashed verifiers using Argon2id, bcrypt, or PBKDF2.
- Legacy or weak hashing mechanisms **must not** be used.
### 2.8 Resets & Recovery
- Password resets **must** require MFA verification.
- Knowledge-based authentication (KBA/security questions) **must not** be used.
- After compromise, passwords **must** be reset and sessions revoked.
### 2.9 Administrative Accounts
- Administrative accounts **must** be separate from daily-use accounts.
- All administrative accounts **must** be protected with MFA.
- Administrative access **should** be provisioned with just-in-time or time-bound access control.
- Shared administrative passwords **must not** be used. Break-glass accounts **must** be protected and monitored.
### 2.10 Service & Machine Accounts
- Service accounts **must** use keys, certificates, or managed identities where possible.
- If passwords are required, they **must** be at least **30 characters**, randomly generated, and stored only in approved secret managers.
- Service accounts **must not** allow interactive login.
- Secrets **must** be rotated regularly through automated processes.
### 2.11 Dormant Accounts
- User accounts inactive for **45 days** **must** be disabled.
- Quarterly reviews of all accounts **must** be conducted.
### 2.12 Application Integration
Applications authenticating users:
- **Must** support password length requirements and blocklist enforcement.
- **Must** allow paste/autofill and must not truncate passwords.
- **Must** store verifiers using modern password hashing methods.
---
## 3) Enforcement
- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment.
- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO.
---
## 4) Exceptions
- Exceptions **must** be documented, include compensating controls, and have CISO approval.
- Exceptions **must** have a review date not exceeding 12 months.
---
## 5) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1, Controls 5 & 6**
- **OWASP Authentication Cheat Sheet**
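Review bot: 2.5, "MFA **should** use phishing-resistant methods (e.g., FIDO2, authenticator apps)", mislabels authenticator apps: OTP codes and push prompts can be replayed through an adversary-in-the-middle phishing page, so they are not phishing-resistant in the NIST SP 800-63B sense (verifier impersonation resistance). Keep FIDO2/WebAuthn and PKI-based methods as the phishing-resistant examples and list authenticator apps as an acceptable non-resistant method ranked above the SMS/voice fallback. Also, 2.7 approves bcrypt while 2.1 requires accepting 64-character Unicode passwords and 2.12 forbids truncation; bcrypt truncates at 72 bytes, so the policy should either prefer Argon2id/PBKDF2 or require implementers to reject inputs over 72 bytes when bcrypt is used. Style: "[Organization]s IT systems" in 1) needs an apostrophe.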


@@ -0,0 +1,99 @@
# Password & Authenticator Policy (M365 + AD)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & Scope
This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]s Microsoft 365, Active Directory (AD), and integrated systems. It applies to all employees, contractors, vendors, and service accounts.
---
## 2) Policy Statements
### 2.1 Password Length
- Passwords **must** be at least **15 characters** when used as a single factor of authentication.
- Passwords **must** be at least **8 characters** when used in combination with MFA.
- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters.
### 2.2 Complexity
- Passwords **must not** be subject to complexity rules requiring upper/lowercase, numbers, or symbols.
- Passwords **shall** be screened against a blocklist of weak, common, and compromised passwords using **Azure AD Password Protection**.
### 2.3 Expiration
- Passwords **shall not** expire on a scheduled basis.
- Passwords **must** be changed immediately upon indication or suspicion of compromise.
### 2.4 Usability
- Systems **must** permit copy/paste from password managers.
- Systems **must** provide a “show password” option.
- Password hints and security questions **must not** be used.
### 2.5 Multi-Factor Authentication (MFA)
- MFA **must** be enforced for:
- Microsoft 365 services
- VPN/remote access
- Privileged AD accounts
- Administrative access to SaaS and production systems
- MFA **should** use phishing-resistant methods (e.g., FIDO2, Microsoft Authenticator).
- SMS/voice **shall** only be used as fallback methods.
### 2.6 Account Lockout
- Failed logins **must** be throttled using **Azure AD Smart Lockout**.
- Accounts **shall not** be permanently locked out due to failed attempts; instead, time-based delays must be applied.
### 2.7 Storage & Transmission
- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+).
- AD and M365 **must** store passwords as salted and hashed verifiers.
- NTLMv1 and LAN Manager (LM) hashes **must** be disabled.
- Custom applications **must** use Argon2id, bcrypt, or PBKDF2 for password storage.
### 2.8 Resets & Recovery
- Password resets **must** require MFA verification (via Azure AD SSPR).
- Knowledge-based authentication (KBA/security questions) **must not** be used.
- After compromise, passwords **must** be reset and tokens revoked.
### 2.9 Administrative Accounts
- Administrative accounts **must** be separate from daily-use accounts.
- All administrative accounts **must** be protected with MFA.
- Administrative access **must** be provisioned through **Privileged Identity Management (PIM)** with just-in-time elevation.
- Shared administrative passwords **must not** be used. Break-glass accounts **must** be vaulted, monitored, and protected with MFA.
### 2.10 Service & Machine Accounts
- Service accounts **must** use Managed Service Accounts (MSA/gMSA) or Managed Identities where available.
- Service account passwords **must** be at least **30 characters**, randomly generated, and stored securely (e. g. in **Azure Key Vault**).
- Service accounts **must not** allow interactive login.
- Secrets **must** be rotated regularly through automated processes.
### 2.11 Dormant Accounts
- User accounts inactive for **45 days** **must** be disabled.
- Quarterly reviews of all accounts **must** be conducted by IT.
### 2.12 Application Integration
Applications authenticating against AD or Entra ID:
- **Must** support password length requirements and blocklist enforcement.
- **Must** allow paste/autofill and must not truncate passwords.
- **Must** store verifiers using modern password hashing methods if not federated.
---
## 3) Enforcement
- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment.
- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO.
---
## 4) Exceptions
- Exceptions **must** be documented, include compensating controls, and have CISO approval.
- Exceptions **must** have a review date not exceeding 12 months.
---
## 5) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1, Controls 5 & 6**
- **Microsoft Security Baselines (M365 & Windows/AD)**
- **OWASP Authentication Cheat Sheet**
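Review bot: 2.5 lists "Microsoft Authenticator" as a phishing-resistant method, but Authenticator push (even with number matching) and its TOTP codes are not; only passkeys stored in Authenticator, FIDO2 security keys, Windows Hello for Business and certificate-based authentication meet that bar, and those are what a Conditional Access authentication-strength policy should require for admins. Rephrase as "passkeys (FIDO2), including passkeys in Microsoft Authenticator, or Windows Hello for Business". 2.7, "AD and M365 **must** store passwords as salted and hashed verifiers", is a requirement on-prem AD cannot satisfy, since the NT hash is unsalted, so an auditor will flag it as non-compliant by design; replace it with controls that can be enforced (AES-only Kerberos, NTLM restrictions, domain controller hardening) next to the existing NTLMv1/LM line. Style: product naming mixes "Azure AD" (2.2, 2.6, 2.8) with "Entra ID" (2.12); "[Organization]s" in 1) needs an apostrophe; "e. g." in 2.10 has a stray space.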