# Password & Authenticator Policy (Draft)

**Document owner:** [Owner/Role]

**Approved by:** [Steering Committee / CISO]

**Effective date:** [YYYY-MM-DD]

**Review cadence:** [Annually]

---

## 1) Purpose & scope

This policy defines requirements for passwords and related authenticator handling for all users and service accounts accessing [Organization] Microsoft 365, Active Directory (AD), and connected systems.

---

## 2) Roles & responsibilities

- **CISO / Security:** Owns this policy, maintains blocklists, monitors compliance.
- **IT / IAM:** Implements enforcement in Microsoft Entra ID (Azure AD), on-prem AD, and Microsoft 365 services.
- **System Owners:** Ensure integrated apps follow this policy.
- **All Users:** Must comply with requirements.

---

## 3) Password requirements (human users)

1. **Length**
   - **15+ characters** if used as a single factor (per NIST SP 800-63B).
   - **8+ characters** if MFA is enforced.
   - Systems should allow up to **64 characters** and support ASCII, spaces, and Unicode.
2. **No composition rules**
   - Do not require complexity rules such as upper/lower/symbol/number. Focus on **length + blocklist checks**.
3. **Blocklist screening**
   - Enforce via **Azure AD Password Protection** to block common, weak, or breached passwords.
   - Screen against organization-specific terms (e.g., company name).
4. **Expiration**
   - No scheduled expiration unless compromise is suspected.
   - Incident-driven reset is mandatory.
5. **Usability**
   - Allow copy/paste and password managers.
   - Provide a “show password” toggle.
   - Disable hints and security questions.
6. **CIS Controls alignment**
   - CIS Control 5: unique accounts, disable dormant accounts (≥45 days).
   - CIS Control 6: enforce access control with MFA.

---

## 4) Multi-factor authentication (MFA)

- **Mandatory MFA** for: Microsoft 365, VPN/remote access, privileged AD accounts, email, SaaS with sensitive data.
- Use **Microsoft Authenticator** push or **FIDO2 security keys** as preferred methods.
- SMS/voice allowed only as fallback.

---

## 5) Rate limiting & lockout

- Use **Azure AD smart lockout**:
  - Default: lock after 10 failed attempts, with a 1-minute auto-unlock (configurable).
- Avoid permanent lockouts to prevent denial of service against legitimate users.

---

## 6) Storage & transmission

- All AD/M365 authentication happens over **TLS**.
- Passwords stored as **salted, hashed verifiers** (NTLMv2/Kerberos with AES).
- Domain controllers must disable **NTLMv1** and LM hashes.
- Use **Argon2id/bcrypt** if custom apps store passwords.

---

## 7) Password creation guidance

- Encourage passphrases (e.g., multiple random words).
- Recommend password manager integration with M365 (Edge/Outlook support).
- Discourage personal info and patterns.

---

## 8) Resets & recovery

- Self-service password reset (SSPR) in Azure AD with MFA verification.
- No KBA/security questions.
- After compromise, force change and revoke tokens.

---

## 9) Administrative accounts

- Separate admin accounts from daily-use accounts.
- Enforce MFA on all admin accounts (Azure AD Conditional Access).
- Monitor via **Privileged Identity Management (PIM)** with just-in-time access.
- No shared admin passwords. Break-glass accounts must be vaulted, monitored, and MFA-enabled.

---

## 10) Service, API, and machine accounts

- Use **Managed Service Accounts (MSA/gMSA)** in AD.
- For cloud, prefer **Managed Identities** in Azure.
- If secrets are required:
  - Random secret of 30+ characters.
  - Store in **Azure Key Vault**.
  - Automate rotation.
  - No interactive login.

---

## 11) Application integration requirements

Apps authenticating against AD or Entra ID must:

- Support required password lengths and blocklist checks.
- Allow paste/autofill; no hints, no truncation.
- Store verifiers with modern hashing if not using directory federation.
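
As an added example that is not part of this policy or of any Microsoft product, the check below shows how a custom app covered by section 11 could apply the section 3 rules (length thresholds, no composition rules, blocklist and organization-term screening, no truncation) before accepting a password. The organization terms, the small breached-password sample, and the character-folding step are constructed assumptions standing in for the lists that Azure AD Password Protection maintains.

```python
"""Added example: password-acceptance check for a custom app following
sections 3 and 11 of the policy. Thresholds come from the policy; the
banned terms and breached-password sample are constructed for illustration."""
import unicodedata

MAX_LEN = 64          # policy: allow up to 64 characters
MIN_LEN_MFA = 8       # policy: 8+ characters when MFA is enforced
MIN_LEN_SINGLE = 15   # policy: 15+ characters when used as a single factor

# Constructed samples standing in for the organization-specific terms and the
# common/breached list that Azure AD Password Protection would hold.
ORG_TERMS = ("contoso", "contosobank")
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}


def _normalise(pw: str) -> str:
    # NFKC so visually identical Unicode spellings compare equal. No trimming:
    # the policy requires spaces and Unicode to be accepted as entered.
    return unicodedata.normalize("NFKC", pw)


def _fold(s: str) -> str:
    # Collapse common substitutions so "C0nt0s0!" still matches "contoso"
    # (assumed folding table; Azure AD's own normalisation differs in detail).
    return s.lower().translate(str.maketrans("013457@$", "oleastas"))


def check_password(pw: str, mfa_enforced: bool) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    pw = _normalise(pw)
    problems = []
    min_len = MIN_LEN_MFA if mfa_enforced else MIN_LEN_SINGLE
    # Length is counted in code points so Unicode passphrases are not penalised.
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > MAX_LEN:
        # Reject rather than silently truncate (section 11).
        problems.append(f"longer than {MAX_LEN} characters (no silent truncation)")
    folded = _fold(pw)
    if folded in COMMON_PASSWORDS:
        problems.append("on the common/breached password list")
    for term in ORG_TERMS:
        if term in folded:
            problems.append(f"contains organization term '{term}'")
    # Deliberately no upper/lower/digit/symbol rule: section 3 forbids composition rules.
    return problems
```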

---

## 12) Hardening checklist (Microsoft 365 + AD)

- ✅ Enforce MFA with **Conditional Access**.
- ✅ Enable **Azure AD Password Protection** with custom banned-password list.
- ✅ Configure **smart lockout**.
- ✅ Enable **PIM** for admin accounts.
- ✅ Disable **legacy auth protocols** (POP, IMAP, SMTP Basic, NTLMv1).
- ✅ Review dormant accounts quarterly (disable after 45 days).
- ✅ Require TLS 1.2+ for all endpoints.
- ✅ Audit password changes and lockout events.

---

## 13) Exceptions

- Documented need, CISO approval, compensating controls, and review date.

---

## 14) References

- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1** (Controls 5 & 6)
- **Microsoft Security Baselines (Windows, AD, M365)**
- **OWASP Authentication Cheat Sheet**