After spending multiple sessions across cybersecurity and Azure, there seems to be a consensus on what tasks organizations should consider sooner for managing and maintaining their Azure AD environment.
Attack services are cheap. Most are focused on Identity and Hygiene. Zero day attacks, like WannaCry, are costly and rare. Microsoft estimates it costs attackers a mere $150 to attempt to compromise 400 million accounts. Organizations should focus on the cheap attack vectors first. These vectors include Identity and Hygiene services.
The following list contains the top 10 areas that seems to be the consensus and agreed upon tasks to ensure a secure and productive Azure AD environment.
#1 Microsoft Secure Score
Operationalize Microsoft Secure Score. Microsoft has created Secure Score to assist you in your cloud security journey. It is a measurement mechanism to let you know how you are doing against Microsoft’s recommendations related to vulnerabilities and threats.
Secure Score exists for many areas, including Office 365, Compliance, Microsoft Defender ATP, Azure Security Center, and so on. These can be quick fixes and easy wins to increase your security posture plus provide a roadmap for additional layers of security.
Secure Score is now a percentage basis, rather than points.
#2 Protect Administrative accounts with Zero Trust and Least privileged access mentalityMFA, MFA, MFA!!! Passwords can no longer protect against common attacks. No matter the level of privilege, any user account that has elevated privileges within Azure always needs to have MFA turned on for all logins. Microsoft analytics show that a mere 2% of Administrative accounts in the entire Azure realm have been enabled for MFA.
- Use Privileged Identity Management (PIM) with Just In Time (JIT) Access.
- Create a Break glass Administrative account that does not have MFA enabled, but an extremely long, complex password. Microsoft supports up to 256-character passwords. This account should only be used in emergencies. Compare it to a fire alarm. Only pull the alarm if a true fire exists.
- Use a Privileged Access Workstation for all administrative tasks, rather than individual PCs. This can be a designated secure server on-premises or even in Azure with Bastion connectivity. This may seem like an inconvenience for administrators, but it greatly reduces lateral movements and other exposed elements.
- Identity Segmentation for Administrative accounts. Do not assign any synchronized user accounts administrative accounts in Azure. This can potentially provide attackers administrative rights by attacking the on-premises account first. Microsoft provides an onmicrosoft.com domain namespace for all Azure AD tenants. Most administrative accounts do not require any licenses for productivity features.
- Do not synchronize on-premises Administrative users and groups. Any account that has administrative rights within the on-premises Active Directory should not be synchronized to Azure AD. This also includes default groups such as Domain Admins. Synchronizing these groups exposes them to the cloud environment and increases your risk of lateral movement.
#3 Enable MFA and Password Hash Sync for users
99.9% of all phishing attacks today can be prevented with MFA turned on.
Use Conditional Access. Having MFA always enabled for all logins would make the user simply accept the MFA prompt when requested if they are prompted 10 or more times a day.
Azure MFA is now free for all Azure AD tiers. The free option does not come with Conditional Access benefits and will be turned on for all users at all prompts. It also only supports notifications via the Microsoft Authenticator app.
In addition to MFA, Microsoft recommends enabling Password Hash Sync (PHS) opposed to Passthrough Authentication or along with Active Directory Federation Services. This will allow for Azure AD to determine if any user credentials have been leaked and at risk. Microsoft challenged any organization to provide a reason not to enable PHS. Only one valid reason was accepted, that was because the organization was already 100% password-less.
#4 Improve passwords and Start your journey to password-less now
While Microsoft understands most organizations cannot go straight to password-less, they want to express that you should start the journey now. You can begin by improving current password policies to match today’s Modern Workplace guidance. With MFA enabled, password expiration policies and complexities are no longer required. Lengthy passphrases without complexities that are easy to remember helps users create a password they do not have to write down. A strong password now is a strong password a year from now. A reset is only required when forgotten or when a user is at risk.
Microsoft’s Azure AD Password Protection also can assist with this. You can use Microsoft’s algorithm scoring system along with a default and custom banned password list to enforce strong passwords. This algorithm converts all characters to lowercase and common replacements such as 3 for e and @ for a back to the normal character, then scores them. Each unique consecutive character receives a point. Each banned word receives a point. You need 5 points or more to allow for password reset. For example, let’s say you try to use $3cureP@$$w0rd8. This would get converted as follows and only receive 3 points and be banned.
Here is an example roadmap to provide password-less sign on capabilities to all users. FIDO2 key support will be available for Hybrid Azure AD Joined machines early 2020.
#5 Have sufficient insights to your Azure AD environment
There are plenty of reporting capabilities within Azure AD, including Sign-ins, Audit Logs, and Risky events, as well as others depending on what features and services your are using within your tenant. Having a plan on using these reporting mechanisms can allow you to be predictive rather than retroactive in determining attacks and compromised accounts.
New to Azure AD are workbooks as well as free integration to Azure Sentinel, Microsoft’s cloud based SIEM solution. Sentinel can help automate alerts and investigations, providing remediation to risks with no administrative intervention. It is better to inconvenience your user with a password reset than it would be to remediate an attack that has occurred.
Azure AD Identity Protection has also added several new risk vectors announced at Ignite:
#6 Attack your users yourself
Products like Microsoft’s Attack Simulator can perform phishing simulations, Brute force, and password sprays. Knowing who is susceptible can help provide further user education on identifying suspicious emails and threats.
Users are unknowingly giving their passwords out in a phishing attack. Implementing simple features such as a company branded login site within Azure AD can help users identify a real login site versus a fake one.
730K compromised accounts were due to password spray in the past 4 months. Using these tools can quickly identify users with existing weak passwords.
#7 Don’t forget about the on-premises environment
You still need to protect the on-premises environment just as well as you have done in the olden days before the cloud, but this time with a modern mindset. With your on-premises Active Directory synchronized to the cloud, you have potentially exposed your entire on-premises environment to attackers. Have controls and utilities in place to help scan and protect your on-premises environment. Microsoft provides Advanced Threat Analytics (ATA, EMS E3 licenses) or Azure Advanced Threat Protection (AATP, EMS E5 licenses) to scan activities on all your on-premises domain controllers for threats like reconnaissance, lateral movement, or exfiltration of data.
#8 Reduce the surface of an attack
- Keep the number of global admins in the tenant to the absolute minimum, even if JIT Access with PIM is enabled.
- Retire servers and applications that are no longer used in your environment
- Create an offboarding process for disabling and deleting user accounts that are no longer used. Remove these from the synchronization process.
#9 Disable Legacy Authentication.
Legacy authentication is a term that refers to an authentication request made by:
- Exchange Active Sync
- Older Office clients that don't use modern authentication (for example, an Office 2010 client).
- Any client that uses older mail protocols such as IMAP, SMTP, or POP3
Most of all the compromised sign in attempts come from legacy authentication. MFA is not possible with legacy authentication and can be bypassed by an attacker. Azure AD Sign in logs can be used to identify usage of these protocols. You can use Conditional Access policies to disable legacy authentication and allow exceptions as needed.
In addition, if using a Federated model with ADFS or 3rd party provider, that Identity provider is responsible for authentication, including basic auth, and controls should be blocked at that layer as well.
#10 Assume Breach
Regardless of the controls put in place, assume that at some point you will be breached in some facet. Use a Zero trust strategy which means users are not fully trusted just because they are internal to the network. Have a plan ready to go to mitigate the damage quickly rather than retroactively. You need to know where your data is stored and apply the appropriate controls based on its sensitivity. Minimize scope of breach damage and prevent lateral movement by segmenting access via network, user, devices, and application awareness. Use analytics to get visibility and drive threat detection.
Have I mentioned MFA yet? If you take no other actions from the recommendations on this list, please at least enable MFA for administrative accounts. That is the quickest and cheapest way to protect access to critical and sensitive resources within your environment. While there are many more recommendations and controls available to help improve your security posture, these are the items that were mentioned repeatedly throughout many different Ignite sessions related to security and Azure. Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.
To hear about all the major announcements from Ignite please attend our webinar on Thursday Nov. 14th at 2pm ET: Ignite Debrief Webinar Register here!