policies/Security/password_guidance_m365_ad.md
2025-09-30 11:30:46 +02:00

Password & Authenticator Policy (Draft)

Document owner: [Owner/Role]
Approved by: [Steering Committee / CISO]
Effective date: [YYYY-MM-DD]
Review cadence: [Annually]


1) Purpose & scope

This policy defines requirements for passwords and related authenticator handling for all users and service accounts accessing [Organization] Microsoft 365, Active Directory (AD), and connected systems.


2) Roles & responsibilities

  • CISO / Security: Owns this policy, maintains blocklists, monitors compliance.
  • IT / IAM: Implements enforcement in Microsoft Entra ID (Azure AD), on-prem AD, and Microsoft 365 services.
  • System Owners: Ensure integrated apps follow this policy.
  • All Users: Must comply with requirements.

3) Password requirements (human users)

  1. Length

    • 15+ characters if used as single-factor (per NIST SP 800-63B).
    • 8+ characters if MFA is enforced.
    • Systems should allow up to 64 characters and support ASCII, spaces, and Unicode.
  2. No composition rules

    • Do not require character classes (upper/lower case, digits, symbols); rely on length and blocklist checks instead.
  3. Blocklist screening

    • Enforce via Azure AD Password Protection to block common, weak, or breached passwords.
    • Screen against organization-specific terms (e.g., company name).
  4. Expiration

    • No scheduled expiration unless compromise is suspected.
    • Incident-driven reset is mandatory.
  5. Usability

    • Allow copy/paste and password managers.
    • Provide “show password” toggle.
    • Disable hints and security questions.
  6. CIS Controls alignment

    • CIS Control 5: unique accounts, disable dormant accounts (≥45 days).
    • CIS Control 6: enforce access control with MFA.
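Worked example, added here and not part of this policy or of Azure AD Password Protection: a password acceptance check that applies the rules in section 3 exactly as stated (minimum length depending on whether MFA is enforced, a 64-character maximum, Unicode and spaces accepted, no composition rules, blocklist screening with organization-specific terms). The banned-term list, the character-substitution table used to catch spellings like "P@ssw0rd", and the sample inputs are constructed for illustration; the Microsoft global banned list and its scoring are not reproduced.

```python
"""Password acceptance check for the rules in section 3 (added example)."""
import unicodedata

# Policy constants (section 3.1): minimum length depends on whether MFA is
# enforced for the account; the maximum accepted length is 64 characters.
MIN_LEN_SINGLE_FACTOR = 15
MIN_LEN_WITH_MFA = 8
MAX_LEN = 64

# Constructed organization-specific banned terms (section 3.3). A real
# deployment also relies on the global banned-password list.
ORG_BANNED_TERMS = ("contoso", "password", "welcome", "summer", "winter")

# Common substitutions undone before blocklist matching, so that
# "P@ssw0rd" is recognised as "password". Table is constructed.
_SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l",
                                "!": "i", "$": "s", "5": "s", "3": "e"})


def normalize(text: str) -> str:
    """Case-fold, strip accents and undo substitutions, for matching only."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.casefold().translate(_SUBSTITUTIONS)


def check_password(password: str, username: str, mfa_enforced: bool,
                   banned_terms=ORG_BANNED_TERMS) -> list:
    """Return the list of policy violations; an empty list means accepted.

    Deliberately applies no composition rules (section 3.2): length plus
    blocklist screening is the whole check. Spaces and Unicode count as
    ordinary characters (section 3.1).
    """
    problems = []
    min_len = MIN_LEN_WITH_MFA if mfa_enforced else MIN_LEN_SINGLE_FACTOR
    length = len(password)  # code points, so non-ASCII passwords are not penalised
    if length < min_len:
        problems.append(f"shorter than {min_len} characters")
    if length > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    norm = normalize(password)
    user_norm = normalize(username.split("@")[0])
    if user_norm and user_norm in norm:
        problems.append("contains the user name")
    for term in banned_terms:
        if normalize(term) in norm:
            problems.append(f"contains banned term '{term}'")
    return problems


if __name__ == "__main__":
    for pw, user, mfa in (("P@ssw0rd2024!", "alice@contoso.example", True),
                          ("correct horse battery staple", "bob@contoso.example", False),
                          ("Contoso!Summer25", "carol@contoso.example", True)):
        print(repr(pw), "->", check_password(pw, user, mfa) or "accepted")
```

The check reports every violation rather than stopping at the first one, which is what a user-facing form needs to show useful feedback; the substitution table is deliberately small, and a production blocklist check should also cover the global banned list and recent breach corpora.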

4) Multi-factor authentication (MFA)

  • Mandatory MFA for: Microsoft 365, VPN/remote access, privileged AD accounts, email, SaaS with sensitive data.
  • Use Microsoft Authenticator push or FIDO2 security keys as preferred methods.
  • SMS/voice allowed only as fallback.

5) Rate limiting & lockout

  • Use Azure AD smart lockout:
    • Default: lock after 10 failed attempts, 1-minute auto-unlock (configurable).
  • Avoid permanent lockouts to prevent DoS.

6) Storage & transmission

  • All AD/M365 authentication happens over TLS.
  • Passwords stored as salted, hashed verifiers (NTLMv2/Kerberos with AES).
  • Domain controllers must disable NTLMv1 and LM hashes.
  • Use Argon2id/bcrypt if custom apps store passwords.

7) Password creation guidance

  • Encourage passphrases (e.g., multiple random words).
  • Recommend password manager integration with M365 (Edge/Outlook support).
  • Discourage personal info and patterns.

8) Resets & recovery

  • Self-service password reset (SSPR) in Azure AD with MFA verification.
  • No KBA/security questions.
  • After compromise, force change and revoke tokens.

9) Administrative accounts

  • Separate admin accounts from daily-use accounts.
  • Enforce MFA on all admin accounts (Azure AD Conditional Access).
  • Monitor via Privileged Identity Management (PIM) with just-in-time access.
  • No shared admin passwords. Break-glass accounts must be vaulted, monitored, and MFA-enabled.

10) Service, API, and machine accounts

  • Use Managed Service Accounts (MSA/gMSA) in AD.
  • For cloud, prefer Managed Identities in Azure.
  • If secrets are required:
    • 30+ chars random secret.
    • Store in Azure Key Vault.
    • Automate rotation.
    • No interactive login.

11) Application integration requirements

Apps authenticating against AD or Entra ID must:

  • Support required password lengths and blocklist checks.
  • Allow paste/autofill, no hints, no truncation.
  • Store verifiers with modern hashing if not using directory federation.
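Worked example, added here and not the policy's or any vendor's code, for the requirement in sections 6 and 11 that custom apps store password verifiers with modern hashing. The policy names Argon2id or bcrypt; both need third-party packages (argon2-cffi, bcrypt), so this example uses hashlib.scrypt from the Python standard library, a memory-hard KDF of the same kind, to show the structure that matters: a random per-user salt, cost parameters stored alongside the hash so they can be raised later, and constant-time comparison on verify. The cost parameters are constructed for the example; swap in Argon2id for production as the policy requires.

```python
"""Salted, parameterised password verifiers for a custom app (added example)."""
import base64
import hashlib
import hmac
import secrets
import unicodedata

# scrypt cost parameters (constructed for this example; tune to hardware).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _prepare(password: str) -> bytes:
    # NFC-normalise so the same Unicode passphrase typed on different
    # platforms hashes identically (section 3 allows Unicode passwords).
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, *, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> str:
    """Return a self-describing verifier: $scrypt$N$r$p$salt$hash.

    Storing the parameters with the hash lets the app raise the cost later
    and re-hash on the user's next successful login without breaking
    existing accounts. The salt is fresh per call, so two users with the
    same password never share a verifier.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(_prepare(password), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return f"$scrypt${n}${r}${p}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        _, algo, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        digest = hashlib.scrypt(_prepare(password), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    verifier = hash_password("correct horse battery staple")
    print(verifier)
    print(verify_password("correct horse battery staple", verifier))  # True
    print(verify_password("wrong guess", verifier))                    # False
```

Base64 never contains "$", so the stored string splits unambiguously on that delimiter; a malformed or foreign-format verifier simply fails verification rather than raising inside the login path.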

12) Hardening checklist (Microsoft 365 + AD)

  • Enforce MFA with Conditional Access.
  • Enable Azure AD Password Protection with custom banned-password list.
  • Configure smart lockout.
  • Enable PIM for admin accounts.
  • Disable legacy auth protocols (POP, IMAP, SMTP Basic, NTLMv1).
  • Review dormant accounts quarterly (disable after 45 days).
  • Require TLS 1.2+ for all endpoints.
  • Audit password changes and lockout events.
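Worked example, added here and not part of this policy or of any Microsoft tooling, for the two checklist items "review dormant accounts (disable after 45 days)" and "audit password changes and lockout events". The sign-in inventory and the event records are constructed; the event IDs are the Windows Security log values 4740 (account locked out), 4723 (user changed own password) and 4724 (password reset by another principal), but the dict layout is an assumption of this example, not an export format. The reset-burst threshold and window are also constructed.

```python
"""Dormant-account and password-event review helpers (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER_DAYS = 45            # CIS Control 5 threshold from section 3.6
RESET_BURST_THRESHOLD = 3          # constructed: resets by one caller worth a look
RESET_BURST_WINDOW = timedelta(hours=1)

# Constructed last-sign-in inventory (UPN -> last interactive sign-in).
LAST_SIGN_IN = {
    "alice@contoso.example": datetime(2025, 9, 28),
    "bob@contoso.example": datetime(2025, 7, 1),
    "svc-backup@contoso.example": datetime(2025, 9, 29),
    "carol@contoso.example": None,          # provisioned, never signed in
}

# Constructed security events (time, event id, target account, caller).
EVENTS = [
    {"time": datetime(2025, 9, 29, 8, 0), "event_id": 4740, "target": "bob", "caller": "-"},
    {"time": datetime(2025, 9, 29, 8, 5), "event_id": 4740, "target": "bob", "caller": "-"},
    {"time": datetime(2025, 9, 29, 9, 0), "event_id": 4723, "target": "alice", "caller": "alice"},
    {"time": datetime(2025, 9, 29, 10, 0), "event_id": 4724, "target": "bob", "caller": "helpdesk1"},
    {"time": datetime(2025, 9, 29, 10, 10), "event_id": 4724, "target": "dan", "caller": "helpdesk1"},
    {"time": datetime(2025, 9, 29, 10, 20), "event_id": 4724, "target": "erin", "caller": "helpdesk1"},
    {"time": datetime(2025, 9, 29, 15, 0), "event_id": 4724, "target": "frank", "caller": "helpdesk2"},
]


def dormant_accounts(last_sign_in, as_of, max_days=DORMANT_AFTER_DAYS):
    """Return sorted UPNs with no sign-in within max_days; never-used counts."""
    cutoff = as_of - timedelta(days=max_days)
    return sorted(upn for upn, last in last_sign_in.items()
                  if last is None or last < cutoff)


def lockouts_per_account(events):
    """Count 4740 lockout events per target account (smart-lockout tuning input)."""
    return Counter(e["target"] for e in events if e["event_id"] == 4740)


def reset_bursts(events, threshold=RESET_BURST_THRESHOLD, window=RESET_BURST_WINDOW):
    """Find callers performing >= threshold admin resets (4724) inside one window.

    A burst of resets by one principal deserves review: it may be a help-desk
    backlog, or an admin account being misused to reset other users.
    Returns {caller: resets in the densest window}.
    """
    by_caller = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4724:
            by_caller[e["caller"]].append(e["time"])
    flagged = {}
    for caller, times in by_caller.items():
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[caller] = best
    return flagged


if __name__ == "__main__":
    today = datetime(2025, 9, 30)
    print("dormant:", dormant_accounts(LAST_SIGN_IN, today))
    print("lockouts:", dict(lockouts_per_account(EVENTS)))
    print("reset bursts:", reset_bursts(EVENTS))
```

Accounts that have never signed in are reported as dormant on purpose: a provisioned-but-unused account is exactly the kind CIS Control 5 wants disabled. The same functions can be pointed at a real sign-in export and event feed once the field names are mapped.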

13) Exceptions

  • Exceptions require a documented need, CISO approval, compensating controls, and a review date.

14) References

  • NIST SP 800-63B, Digital Identity Guidelines (2023 update)
  • CIS Controls v8.1 (Controls 5 & 6)
  • Microsoft Security Baselines (Windows, AD, M365)
  • OWASP Authentication Cheat Sheet