First batch

2025-09-30 11:30:46 +02:00
commit 4554305f3a
6 changed files with 477 additions and 0 deletions

.gitignore vendored Normal file

@@ -0,0 +1 @@
.DS_Store

README.md Normal file

@@ -0,0 +1,33 @@
# Organizational Policies Repository
Welcome to the Organizational Policies repository. This repository serves as the single source of truth for all official policies governing our organization.
## Purpose
The purpose of this repository is to centralize and maintain all organizational policies in one place, ensuring consistency, transparency, and easy access for all members of the organization.
## Repository Structure
This repository is organized into categories of policies to facilitate easy navigation and management. Each category contains relevant policy documents.
### Policy Categories
- **Security**
Policies related to information security, data protection, and cybersecurity practices.
*Additional categories may be added as needed.*
## Contribution Guidelines
We welcome contributions to improve and update organizational policies. To propose changes or additions:
1. Fork the repository.
2. Make your changes in a new branch.
3. Submit a pull request describing the proposed updates.
4. Your pull request will be reviewed by the policy management team before merging.
Please ensure that all contributions align with organizational goals and legal requirements.
## Licensing
All content in this repository is licensed under the MIT license.
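Review bot: the Licensing section states that all content is under the MIT license, but this commit adds no LICENSE file (the six files are .gitignore, README.md and four policy documents), so the grant is not actually attached to the repository; add a LICENSE file, and consider whether a software license is the right fit for policy text. The README should also list the four documents this commit introduces and say how the system-agnostic and M365 + AD variants, and the policy versus guidance documents, relate to each other, since they set overlapping and in places differing requirements.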


@@ -0,0 +1,112 @@
# Password & Authenticator Guidance (System-Agnostic)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & Scope
This document provides **implementation guidance and hardening requirements** for enforcing the Password & Authenticator Policy across all systems, applications, and identity platforms in [Organization].
It applies to IT, IAM administrators, and system owners.
---
## 2) Policy Implementation Guidance
### 2.1 Password Length & Creation
- Configure all systems to **enforce minimum lengths**:
- **15 characters** for single-factor authentication.
- **8 characters** for MFA-protected logins.
- Ensure systems support passwords up to **64 characters** with spaces, ASCII, and Unicode.
- Do not enforce composition rules; instead rely on **length + blocklist screening**.
### 2.2 Blocklist Screening
- Implement password screening against:
- **Commonly used passwords** (e.g., “Password123”).
- **Breach corpuses** (public leak data).
- **Organization-specific terms** (company name, product names).
- Update blocklists at least **quarterly**.
### 2.3 Expiration & Rotation
- Disable periodic password expiration for human accounts.
- Enable **risk/event-driven rotation** when compromise is suspected.
- For **service accounts**, enforce **automated rotation** in a secret manager.
### 2.4 Usability & User Experience
- Enable **copy/paste** to support password managers.
- Provide an optional **“show password”** control on login.
- Prohibit **password hints** and **security questions**.
### 2.5 Multi-Factor Authentication (MFA)
- Require MFA for:
- All external-facing logins.
- Administrative access.
- Remote access (VPN, SSH, RDP, portals).
- Systems handling **sensitive or regulated data**.
- Prefer **phishing-resistant MFA** (FIDO2, WebAuthn, authenticator apps).
- Allow **SMS/voice** only as fallback.
### 2.6 Account Lockout & Rate Limiting
- Enforce **rate-limiting** on failed login attempts.
- Apply **escalating timeouts** (e.g., 30s → 1min → 5min).
- Avoid permanent lockouts to reduce denial-of-service risk.
### 2.7 Password Storage & Transmission
- Transmit all credentials only over **encrypted channels** (TLS 1.2+).
- Store passwords using:
- **Argon2id (preferred)**, or
- **bcrypt** / **PBKDF2** with high work factor.
- Use **unique salts** (≥32 bits) per credential.
- Consider adding a server-side **“pepper”** stored securely (HSM/TEE).
### 2.8 Resets & Recovery
- Require MFA for password resets.
- Prohibit knowledge-based authentication (KBA/security questions).
- Revoke all active sessions and tokens after a reset due to compromise.
### 2.9 Administrative & Privileged Accounts
- Enforce **separate admin accounts** for elevated tasks.
- Protect all privileged accounts with **MFA**.
- Provision administrative access **just-in-time** or **time-bound**.
- Prohibit shared admin credentials; vault and monitor any break-glass accounts.
### 2.10 Service & Machine Accounts
- Prefer **key-based**, **certificate-based**, or **federated identities** over passwords.
- If passwords are required:
- **≥30 characters**, randomly generated.
- Stored only in **approved secret managers**.
- Automatically rotated and logged.
- Prohibit interactive login with service accounts.
### 2.11 Dormant Accounts
- Disable accounts after **45 days of inactivity**.
- Conduct **quarterly account reviews** for all user and service accounts.
### 2.12 Application Integration
Applications authenticating users **must**:
- Support policy requirements for **length**, **blocklist checks**, and **no composition rules**.
- Allow **paste/autofill**.
- Not truncate credentials.
- Store credentials with modern password hashing.
---
## 3) Hardening Checklist
✅ Enforce MFA on all sensitive and external-facing systems.
✅ Implement blocklist screening for weak/compromised passwords.
✅ Remove periodic password expiration policies for human users.
✅ Store passwords only with Argon2id/bcrypt/PBKDF2.
✅ Rate-limit login attempts with escalating delays.
✅ Disable accounts inactive for ≥45 days.
✅ Require password manager compatibility (paste/show-password).
✅ Review and disable legacy authentication protocols (e.g., plain text FTP/POP/IMAP, NTLMv1).
✅ Audit password changes, resets, and lockout events.
---
## 4) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1 (Controls 5 & 6)**
- **OWASP Authentication Cheat Sheet**
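Review bot: §2.5 lists authenticator apps among phishing-resistant MFA methods, but push and TOTP authenticator apps are not phishing-resistant, because the code or approval can be relayed by a phishing site in real time; of the methods named, only FIDO2/WebAuthn qualifies, so list authenticator apps as an accepted tier above SMS/voice rather than as phishing-resistant. Separately, §2.7 offers bcrypt as an option while §2.1 requires support for 64-character Unicode passwords and §2.12 forbids truncating credentials: bcrypt processes only the first 72 bytes of input, which a 64-character Unicode password can exceed, so either drop bcrypt from the list or require a documented pre-hash step when it is used.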


@@ -0,0 +1,136 @@
# Password & Authenticator Policy (Draft)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & scope
This policy defines requirements for passwords and related authenticator handling for all users and service accounts accessing [Organization] Microsoft 365, Active Directory (AD), and connected systems.
---
## 2) Roles & responsibilities
- **CISO / Security:** Owns this policy, maintains blocklists, monitors compliance.
- **IT / IAM:** Implements enforcement in Microsoft Entra ID (Azure AD), on-prem AD, and Microsoft 365 services.
- **System Owners:** Ensure integrated apps follow this policy.
- **All Users:** Must comply with requirements.
---
## 3) Password requirements (human users)
1. **Length**
- **15+ characters** if used as single-factor (per NIST SP 800-63B).
- **8+ characters** if MFA is enforced.
- Systems should allow up to **64 characters** and support ASCII, spaces, and Unicode.
2. **No composition rules**
- Do not require complexity like upper/lower/symbol/number. Focus on **length + blocklist checks**.
3. **Blocklist screening**
- Enforce via **Azure AD Password Protection** to block common, weak, or breached passwords.
- Screen against organization-specific terms (e.g., company name).
4. **Expiration**
- No scheduled expiration unless compromise is suspected.
- Incident-driven reset is mandatory.
5. **Usability**
- Allow copy/paste and password managers.
- Provide “show password” toggle.
- Disable hints and security questions.
6. **CIS Controls alignment**
- CIS Control 5: unique accounts, disable dormant accounts (≥45 days).
- CIS Control 6: enforce access control with MFA.
---
## 4) Multi-factor authentication (MFA)
- **Mandatory MFA** for: Microsoft 365, VPN/remote access, privileged AD accounts, email, SaaS with sensitive data.
- Use **Microsoft Authenticator** push or **FIDO2 security keys** as preferred methods.
- SMS/voice allowed only as fallback.
---
## 5) Rate limiting & lockout
- Use **Azure AD smart lockout**:
- Default: lock after 10 failed attempts, 1-minute auto-unlock (configurable).
- Avoid permanent lockouts to prevent DoS.
---
## 6) Storage & transmission
- All AD/M365 authentication happens over **TLS**.
- Passwords stored as **salted, hashed verifiers** (NTLMv2/Kerberos with AES).
- Domain controllers must disable **NTLMv1** and LM hashes.
- Use **Argon2id/bcrypt** if custom apps store passwords.
---
## 7) Password creation guidance
- Encourage passphrases (e.g., multiple random words).
- Recommend password manager integration with M365 (Edge/Outlook support).
- Discourage personal info and patterns.
---
## 8) Resets & recovery
- Self-service password reset (SSPR) in Azure AD with MFA verification.
- No KBA/security questions.
- After compromise, force change and revoke tokens.
---
## 9) Administrative accounts
- Separate admin accounts from daily-use accounts.
- Enforce MFA on all admin accounts (Azure AD Conditional Access).
- Monitor via **Privileged Identity Management (PIM)** with just-in-time access.
- No shared admin passwords. Break-glass accounts must be vaulted, monitored, and MFA-enabled.
---
## 10) Service, API, and machine accounts
- Use **Managed Service Accounts (MSA/gMSA)** in AD.
- For cloud, prefer **Managed Identities** in Azure.
- If secrets required:
- 30+ chars random secret.
- Store in **Azure Key Vault**.
- Automate rotation.
- No interactive login.
---
## 11) Application integration requirements
Apps authenticating against AD or Entra ID must:
- Support required password lengths and blocklist checks.
- Allow paste/autofill, no hints, no truncation.
- Store verifiers with modern hashing if not using directory federation.
---
## 12) Hardening checklist (Microsoft 365 + AD)
- ✅ Enforce MFA with **Conditional Access**.
- ✅ Enable **Azure AD Password Protection** with custom banned-password list.
- ✅ Configure **smart lockout**.
- ✅ Enable **PIM** for admin accounts.
- ✅ Disable **legacy auth protocols** (POP, IMAP, SMTP Basic, NTLMv1).
- ✅ Review dormant accounts quarterly (disable after 45 days).
- ✅ Require TLS 1.2+ for all endpoints.
- ✅ Audit password changes and lockout events.
---
## 13) Exceptions
- Documented need, CISO approval, compensating controls, and review date.
---
## 14) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1** (Controls 5 & 6)
- **Microsoft Security Baselines (Windows, AD, M365)**
- **OWASP Authentication Cheat Sheet**
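Review bot: §6 describes AD password storage as "salted, hashed verifiers (NTLMv2/Kerberos with AES)", which is inaccurate: NTLMv2 is a challenge-response protocol, not a storage format, and the NT hash that backs it in AD is an unsalted MD4 of the password; only the Kerberos AES keys are derived with a salt. Reword the bullet to state what AD actually stores and keep the NTLMv1/LM disablement in the next bullet as the mitigation. Also, this draft overlaps almost entirely with the "Password & Authenticator Policy (M365 + AD)" added in the same commit but differs in places (§4 names Authenticator push as a preferred method, §6 uses different storage wording); either remove the draft or mark it superseded so there is one authoritative version.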


@@ -0,0 +1,96 @@
# Password & Authenticator Policy (System-Agnostic)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & Scope
This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]s IT systems. It applies to all employees, contractors, vendors, and service accounts.
---
## 2) Policy Statements
### 2.1 Password Length
- Passwords **must** be at least **15 characters** when used as a single factor of authentication.
- Passwords **must** be at least **8 characters** when used in combination with MFA.
- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters.
### 2.2 Complexity
- Passwords **must not** be subject to composition rules requiring upper/lowercase, numbers, or symbols.
- Passwords **must** be screened against a blocklist of weak, common, or compromised passwords.
### 2.3 Expiration
- Passwords **shall not** expire on a scheduled basis.
- Passwords **must** be changed immediately upon indication or suspicion of compromise.
### 2.4 Usability
- Systems **must** permit copy/paste from password managers.
- Systems **must** provide a “show password” option.
- Password hints and security questions **must not** be used.
### 2.5 Multi-Factor Authentication (MFA)
- MFA **must** be enforced for:
- Remote access
- Administrative access
- Access to sensitive data or critical systems
- MFA **should** use phishing-resistant methods (e.g., FIDO2, authenticator apps).
- SMS/voice **shall** only be used as fallback methods.
### 2.6 Account Lockout
- Failed logins **must** be throttled with rate-limiting or timed lockout.
- Accounts **shall not** be permanently locked out due to failed attempts.
### 2.7 Storage & Transmission
- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+ or equivalent).
- Passwords **must** be stored as salted and hashed verifiers using Argon2id, bcrypt, or PBKDF2.
- Legacy or weak hashing mechanisms **must not** be used.
### 2.8 Resets & Recovery
- Password resets **must** require MFA verification.
- Knowledge-based authentication (KBA/security questions) **must not** be used.
- After compromise, passwords **must** be reset and sessions revoked.
### 2.9 Administrative Accounts
- Administrative accounts **must** be separate from daily-use accounts.
- All administrative accounts **must** be protected with MFA.
- Administrative access **should** be provisioned with just-in-time or time-bound access control.
- Shared administrative passwords **must not** be used. Break-glass accounts **must** be protected and monitored.
### 2.10 Service & Machine Accounts
- Service accounts **must** use keys, certificates, or managed identities where possible.
- If passwords are required, they **must** be at least **30 characters**, randomly generated, and stored only in approved secret managers.
- Service accounts **must not** allow interactive login.
- Secrets **must** be rotated regularly through automated processes.
### 2.11 Dormant Accounts
- User accounts inactive for **45 days** **must** be disabled.
- Quarterly reviews of all accounts **must** be conducted.
### 2.12 Application Integration
Applications authenticating users:
- **Must** support password length requirements and blocklist enforcement.
- **Must** allow paste/autofill and must not truncate passwords.
- **Must** store verifiers using modern password hashing methods.
---
## 3) Enforcement
- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment.
- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO.
---
## 4) Exceptions
- Exceptions **must** be documented, include compensating controls, and have CISO approval.
- Exceptions **must** have a review date not exceeding 12 months.
---
## 5) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1, Controls 5 & 6**
- **OWASP Authentication Cheat Sheet**
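Review bot: §2.5 cites "authenticator apps" as an example of phishing-resistant MFA, but push and TOTP apps are not phishing-resistant since the code or approval can be relayed by a phishing site in real time; keep FIDO2 as the example and rank authenticator apps as an accepted fallback above SMS/voice. §2.7 allows bcrypt while §2.1 requires 64-character Unicode passwords and §2.12 forbids truncation; bcrypt reads only the first 72 bytes, so that combination needs a pre-hash step or a different algorithm. Minor: the possessive in §1, "[Organization]s IT systems", should read "[Organization]'s IT systems".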


@@ -0,0 +1,99 @@
# Password & Authenticator Policy (M365 + AD)
**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]
---
## 1) Purpose & Scope
This policy establishes mandatory requirements for password creation, management, and authentication across [Organization]s Microsoft 365, Active Directory (AD), and integrated systems. It applies to all employees, contractors, vendors, and service accounts.
---
## 2) Policy Statements
### 2.1 Password Length
- Passwords **must** be at least **15 characters** when used as a single factor of authentication.
- Passwords **must** be at least **8 characters** when used in combination with MFA.
- Systems **must** allow passwords up to **64 characters** and **should** support spaces, ASCII, and Unicode characters.
### 2.2 Complexity
- Passwords **must not** be subject to complexity rules requiring upper/lowercase, numbers, or symbols.
- Passwords **shall** be screened against a blocklist of weak, common, and compromised passwords using **Azure AD Password Protection**.
### 2.3 Expiration
- Passwords **shall not** expire on a scheduled basis.
- Passwords **must** be changed immediately upon indication or suspicion of compromise.
### 2.4 Usability
- Systems **must** permit copy/paste from password managers.
- Systems **must** provide a “show password” option.
- Password hints and security questions **must not** be used.
### 2.5 Multi-Factor Authentication (MFA)
- MFA **must** be enforced for:
- Microsoft 365 services
- VPN/remote access
- Privileged AD accounts
- Administrative access to SaaS and production systems
- MFA **should** use phishing-resistant methods (e.g., FIDO2, Microsoft Authenticator).
- SMS/voice **shall** only be used as fallback methods.
### 2.6 Account Lockout
- Failed logins **must** be throttled using **Azure AD Smart Lockout**.
- Accounts **shall not** be permanently locked out due to failed attempts; instead, time-based delays must be applied.
### 2.7 Storage & Transmission
- Passwords **must** only be transmitted over encrypted channels (TLS 1.2+).
- AD and M365 **must** store passwords as salted and hashed verifiers.
- NTLMv1 and LAN Manager (LM) hashes **must** be disabled.
- Custom applications **must** use Argon2id, bcrypt, or PBKDF2 for password storage.
### 2.8 Resets & Recovery
- Password resets **must** require MFA verification (via Azure AD SSPR).
- Knowledge-based authentication (KBA/security questions) **must not** be used.
- After compromise, passwords **must** be reset and tokens revoked.
### 2.9 Administrative Accounts
- Administrative accounts **must** be separate from daily-use accounts.
- All administrative accounts **must** be protected with MFA.
- Administrative access **must** be provisioned through **Privileged Identity Management (PIM)** with just-in-time elevation.
- Shared administrative passwords **must not** be used. Break-glass accounts **must** be vaulted, monitored, and protected with MFA.
### 2.10 Service & Machine Accounts
- Service accounts **must** use Managed Service Accounts (MSA/gMSA) or Managed Identities where available.
- Service account passwords **must** be at least **30 characters**, randomly generated, and stored securely (e. g. in **Azure Key Vault**).
- Service accounts **must not** allow interactive login.
- Secrets **must** be rotated regularly through automated processes.
### 2.11 Dormant Accounts
- User accounts inactive for **45 days** **must** be disabled.
- Quarterly reviews of all accounts **must** be conducted by IT.
### 2.12 Application Integration
Applications authenticating against AD or Entra ID:
- **Must** support password length requirements and blocklist enforcement.
- **Must** allow paste/autofill and must not truncate passwords.
- **Must** store verifiers using modern password hashing methods if not federated.
---
## 3) Enforcement
- Violations of this policy **may** result in disciplinary action, up to and including termination of access or employment.
- System owners **must** remediate applications not compliant with this policy or document exceptions approved by the CISO.
---
## 4) Exceptions
- Exceptions **must** be documented, include compensating controls, and have CISO approval.
- Exceptions **must** have a review date not exceeding 12 months.
---
## 5) References
- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1, Controls 5 & 6**
- **Microsoft Security Baselines (M365 & Windows/AD)**
- **OWASP Authentication Cheat Sheet**
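Review bot: §2.7 requires AD and M365 to "store passwords as salted and hashed verifiers", but the NT hash that on-prem AD stores is an unsalted MD4 of the password, so AD cannot satisfy the requirement as written; restate it as disabling NTLMv1/LM (already the next bullet), preferring Kerberos with AES, and applying the Argon2id/bcrypt/PBKDF2 rule to custom applications only. §2.5 names Microsoft Authenticator as a phishing-resistant method: only passkeys in Authenticator are, push approvals with number matching are not, so specify "passkeys in Microsoft Authenticator" or FIDO2 security keys. Minor: "[Organization]s" in §1 needs an apostrophe, and "e. g." in §2.10 should be "e.g.".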