
Azure AD - Password attacks - logging and protections

Logging and protections available in AD FS and Azure AD against password brute-forcing and password spraying, shown step by step for three authentication paths: legacy authentication to Exchange Online federated with AD FS, legacy authentication to Exchange Online with cloud (Azure AD) authentication, and browser or Modern Authentication sign-in federated with AD FS. Each step lists the authentication state, the platform handling the request, what the attacker is doing, what gets logged and which protections apply.

Scenario 1: legacy authentication to Exchange Online, password validated by AD FS

Step 1 (not authenticated, Exchange Online)
Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to AD FS.
Attack stage: password brute forcing / spray; denial of service via account lockout.
Logging: none.
Protections:
• Exchange Online IP Block List: listed IP addresses will not be proxied to AD FS for authentication. Set using Set-OrganizationConfig -IPListBlocked.
• Exchange Online Authentication Policies: authentication requests for users with disabled protocols will not be proxied to AD FS. A default policy can be configured to block protocols by default for new users.
Step 2 (not authenticated, AD FS)
Description: AD FS accepts the connection from Exchange Online and processes the authentication request. The password is incorrect.
Attack stage: password brute forcing / spray; denial of service via account lockout.
Logging:
• AD FS Auditing: WS2012R2 and above log event 411 in the Security log, containing the username and the client IP forwarded by Exchange Online. The events can be parsed with a script and ingested into a SIEM solution for further analysis and alerting.
• Azure AD Connect Health: the Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
Protections:
• AD FS Extranet Lockout Protection: WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords. This reduces the number of guesses an attacker gets at a user's password and, if an Active Directory lockout policy is configured, prevents the AD account from being locked out (the AD FS threshold has to be lower than the AD lockout threshold for this to hold).
• AD FS Extranet Smart Lockout: in WS2016, Extranet Lockout is extended to maintain a list of familiar locations (IP addresses) per user, so that legitimate users are not blocked.
• Azure AD Password Protection: deploy it to minimise the success rate of password spray attacks by banning common passwords in the organisation.
Step 3 (authenticated, AD FS)
Description: AD FS successfully processes the authentication request because the attacker possesses the right password. This can happen due to:
• successful password brute force / spray
• social engineering (e.g. phishing)
• breach data re-use
Attack stage: unauthorised access.
Logging:
• Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
• AD FS Auditing provides rich event information, useful when investigating specific events. Logs can be ingested into a SIEM solution for further analysis and alerting.
Protections:
• Block legacy authentication protocols using Issuance Authorization Rules in AD FS. These rules can be crafted to block or allow access only from specific locations. Because of the complexity of this method, it is recommended to implement the block with Azure AD Conditional Access (see step 4).
Step 4 (authenticated, Azure AD)
Description: Azure AD receives, via Exchange Online, the token issued by AD FS, evaluates Conditional Access and applies the corresponding controls.
Attack stage: unauthorised access.
Logging:
• Risk event reporting in Azure AD uses machine learning algorithms to detect suspicious user activity. Each alert is assigned a risk level representing severity and confidence. Risk events are accessible via the Graph API.
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, sent to Azure Log Analytics, streamed to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
Protections:
• Azure AD Conditional Access can be configured to block clients using legacy authentication.
Step 5 (authenticated, Exchange Online)
Description: Exchange Online receives the authentication response from Azure AD.
Attack stage: unauthorised access to the organisation's data (mailbox, GAL, etc.).
Logging:
• Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Client protocols can be disabled per Exchange Online mailbox. Always disable protocols that are not needed, such as POP3, IMAP and SMTP.
• Exchange Online Client Access Rules can be used to block access depending on client properties such as authentication type and IP address.
Scenario 2: legacy authentication to Exchange Online, password validated by Azure AD (cloud authentication)

Step 1 (not authenticated, Exchange Online)
Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to Azure AD.
Attack stage: password brute forcing / spray; denial of service via account lockout.
Logging: none.
Protections:
• Exchange Online IP Block List: listed IP addresses will not be proxied to Azure AD for authentication. Set using Set-OrganizationConfig -IPListBlocked.
• Exchange Online Authentication Policies: authentication requests for users with disabled protocols will not be proxied to Azure AD. A default policy can be configured to block protocols by default for new users.
Step 2 (not authenticated, Azure AD)
Description: Azure AD receives the authentication request from Exchange Online and processes it. The password is incorrect.
Attack stage: password brute forcing / spray; denial of service via account lockout.
Logging:
• Azure AD logs a sign-in failure with error code 50126 (invalid username or password). Logs can be accessed via the Portal or the Graph API, sent to Azure Log Analytics, streamed to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
Protections:
• Azure AD Smart Lockout protects each account individually, locking out bad actors after 10 bad passwords (configurable) while letting real users continue accessing their accounts. It works in all cloud authentication scenarios.
• IP Lockout is a service-level protection that blocks attacks coming from specific IP addresses.
• Azure AD Password Protection: deploy it to minimise the success rate of password spray attacks by banning common passwords in the organisation.
Step 3 (authenticated, Azure AD)
Description: Azure AD successfully processes the authentication request because the attacker possesses the right password. This can happen due to:
• successful password brute force / spray
• social engineering (e.g. phishing)
• breach data re-use
Azure AD evaluates Conditional Access and applies the corresponding controls.
Attack stage: unauthorised access.
Logging:
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, sent to Azure Log Analytics, streamed to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
• Risk event reporting in Azure AD uses machine learning algorithms to detect suspicious user activity. Each alert is assigned a risk level representing severity and confidence. Risk events are accessible via the Graph API.
Protections:
• Azure AD Conditional Access can be configured to block clients using legacy authentication.
Step 4 (authenticated, Exchange Online)
Description: Exchange Online receives the authentication response from Azure AD.
Attack stage: unauthorised access to the organisation's data (mailbox, GAL, etc.).
Logging:
• Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Client protocols can be disabled per Exchange Online mailbox. Always disable protocols that are not needed, such as POP3, IMAP and SMTP.
• Exchange Online Client Access Rules can be used to block access depending on client properties such as authentication type and IP address.
Scenario 3: browser or Modern Authentication client, federated with AD FS

Step 1 (not authenticated, Exchange Online)
Description: the attacker uses a browser or a Modern Authentication-capable client (e.g. Outlook 2016) to connect to Exchange Online. Exchange Online redirects the user to Azure AD.
Attack stage: reconnaissance.
Logging: none.
Protections: N/A.
Step 2 (not authenticated, Azure AD)
Description: Azure AD presents the sign-in screen. The attacker enters any UPN in the target domain (e.g. random@contoso.com); Azure AD performs Home Realm Discovery and redirects to Contoso's identity provider, revealing the AD FS endpoint.
Attack stage: reconnaissance (IdP endpoint).
Logging: none.
Protections: none.
Step 3 (not authenticated, AD FS)
Description: the attacker uses a tool to perform password brute forcing / spraying directly against AD FS.
Attack stage: password brute forcing / spray; denial of service via account lockout.
Logging:
• AD FS Auditing: WS2012R2 and above log event 411 in the Security log, containing the username and client IP; event 510 provides more details. The events can be parsed with a script and ingested into a SIEM solution for further analysis and alerting.
• Azure AD Connect Health: the Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
Protections:
• AD FS Extranet Lockout Protection: WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords. This reduces the number of guesses an attacker gets at a user's password and, if an Active Directory lockout policy is configured, prevents the AD account from being locked out (the AD FS threshold has to be lower than the AD lockout threshold for this to hold).
• AD FS Extranet Smart Lockout: in WS2016, Extranet Lockout is extended to maintain a list of familiar locations (IP addresses) per user, so that legitimate users are not blocked.
• Azure AD Password Protection: deploy it to minimise the success rate of password spray attacks by banning common passwords in the organisation.
• IPs or subnets can be blocked at the network layer. This does not provide a complete solution on its own, since the attacker can move to new addresses.
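The Extranet Lockout behaviour described in step 2 of scenario 1 and step 3 here is easier to reason about with a model. The following is an added example, not AD FS code and not from the original deck: an in-memory model of a per-user bad-password counter that sits in front of a mock AD account with its own lockout policy, counts only attempts from unfamiliar IPs (smart lockout), and stops forwarding once the threshold is reached. Names (DirectoryAccount, ExtranetSmartLockout), the thresholds (5 at AD FS, 10 at AD), the 30-minute window, the user, the IP addresses and the clock are all assumptions chosen for the illustration; the real implementation's storage, timing and edge cases differ.

```python
"""Simplified model of AD FS Extranet (Smart) Lockout in front of an AD lockout policy.

Added example, not AD FS code. It reproduces the behaviour the deck describes
(after N bad passwords within an observation window AD FS stops forwarding that
user's attempts to AD; IPs with an earlier successful sign-in are "familiar" and
keep being forwarded) with an in-memory model, not the real implementation's
storage, thresholds or edge cases.
"""
from datetime import datetime, timedelta, timezone

T0 = datetime(2019, 3, 1, 10, 0, tzinfo=timezone.utc)  # constructed clock


class DirectoryAccount:
    """Mock AD account; threshold 10 stands in for a typical domain lockout policy."""

    def __init__(self, password, lockout_threshold=10):
        self.password = password
        self.lockout_threshold = lockout_threshold
        self.bad_pwd_count = 0
        self.locked = False

    def validate(self, password):
        if self.locked:
            return False
        if password == self.password:
            self.bad_pwd_count = 0
            return True
        self.bad_pwd_count += 1
        self.locked = self.bad_pwd_count >= self.lockout_threshold
        return False


class ExtranetSmartLockout:
    """Per-user bad-password counter that only counts unfamiliar IPs.

    threshold must be lower than the AD lockout threshold, otherwise AD still
    locks the account before AD FS starts rejecting.
    """

    def __init__(self, accounts, threshold=5, window=timedelta(minutes=30)):
        self.accounts = accounts
        self.threshold = threshold
        self.window = window
        self.familiar = {}  # user -> IPs seen in a successful sign-in
        self.state = {}     # user -> (bad count from unfamiliar IPs, window start)

    def authenticate(self, user, password, ip, now):
        account = self.accounts[user]  # unknown users are out of scope for this model
        familiar = self.familiar.setdefault(user, set())
        count, start = self.state.get(user, (0, now))
        if now - start > self.window:
            count, start = 0, now  # observation window elapsed: counter resets
        if ip not in familiar and count >= self.threshold:
            self.state[user] = (count, start)
            return "rejected_by_adfs"  # not forwarded, so AD's badPwdCount does not move
        if account.validate(password):
            familiar.add(ip)
            self.state.pop(user, None)
            return "success"
        if ip not in familiar:
            count += 1
        self.state[user] = (count, start)
        return "bad_password"


def run_scenario():
    """One user, one office IP, one attacker guessing 20 passwords a minute apart."""
    accounts = {"alice@contoso.com": DirectoryAccount("Winter2019!")}
    adfs = ExtranetSmartLockout(accounts)
    alice = accounts["alice@contoso.com"]

    def minute(m):
        return T0 + timedelta(minutes=m)

    seed = adfs.authenticate("alice@contoso.com", "Winter2019!", "192.0.2.10", minute(0))
    attack = [adfs.authenticate("alice@contoso.com", f"Guess{i}", "198.51.100.7", minute(1 + i))
              for i in range(20)]
    ad_count, ad_locked = alice.bad_pwd_count, alice.locked
    # Alice with the right password: blocked from an unfamiliar cafe IP during the window,
    # but still fine from the familiar office IP. That is the trade-off smart lockout makes.
    cafe = adfs.authenticate("alice@contoso.com", "Winter2019!", "203.0.113.50", minute(22))
    office = adfs.authenticate("alice@contoso.com", "Winter2019!", "192.0.2.10", minute(25))
    # Same 20 guesses straight at AD with no extranet lockout in front: the account locks out.
    bare = DirectoryAccount("Winter2019!")
    for i in range(20):
        bare.validate(f"Guess{i}")
    return {"seed_signin": seed,
            "forwarded_to_ad": attack.count("bad_password"),
            "stopped_at_adfs": attack.count("rejected_by_adfs"),
            "ad_bad_pwd_count": ad_count, "ad_locked": ad_locked,
            "alice_unfamiliar_ip": cafe, "alice_familiar_ip": office,
            "without_extranet_lockout_ad_locked": bare.locked}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Of the 20 guesses only the first 5 reach AD, so badPwdCount stops at 5 and the account never locks, whereas the same 20 guesses against a bare account lock it. The cafe result shows the cost of the design: during the window a legitimate user from an unknown IP is turned away too, which is why the familiar-location list matters.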
Step 4 (authenticated, AD FS)
Description: AD FS successfully processes the authentication request because the attacker possesses the right password. This can happen due to:
• successful password brute force / spray
• social engineering (e.g. phishing)
• breach data re-use
Attack stage: unauthorised access.
Logging:
• Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
• AD FS Auditing provides rich event information, useful when investigating specific events. Logs can be ingested into a SIEM solution for further analysis and alerting.
Protections:
• Azure Multi-Factor Authentication can be integrated natively with AD FS to protect the other applications (Relying Parties) configured in AD FS. However, it is recommended to move these applications to Azure AD in order to leverage its security reporting capabilities and the automated responses of Identity Protection.
• Issuance Authorization Rules or Access Control Policies in AD FS can be used to deny access to applications from outside the network; it is recommended to apply this and other controls using Azure AD Conditional Access instead.
Step 5 (authenticated, Azure AD)
Description: the attacker is redirected to Azure AD, which receives the token issued by AD FS, evaluates Conditional Access and applies the corresponding controls.
Attack stage: unauthorised access.
Logging:
• Risk event reporting in Azure AD uses machine learning algorithms to detect suspicious user activity. Each alert is assigned a risk level representing severity and confidence. Risk events are accessible via the Graph API.
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or the Graph API, sent to Azure Log Analytics, streamed to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
Protections:
• Azure AD Conditional Access can be configured to enforce additional security controls before allowing access to applications. At a minimum, enforce at least one of the following controls for extranet access:
  • MFA
  • Hybrid Join
  • Compliant Device
• Azure AD Identity Protection can be used to respond automatically to detected suspicious actions related to the organisation's identities.
Step 6 (authenticated, Exchange Online)
Description: the attacker is redirected to Exchange Online.
Attack stage: unauthorised access to the organisation's data (mailbox, GAL, etc.).
Logging:
• Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Exchange Online Client Access Rules can be used to block access depending on client properties such as authentication type and IP address.
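The two log sources the deck relies on for the "not authenticated" steps, AD FS event 411 (scenario 1 step 2, scenario 3 step 3) and Azure AD sign-in failures with error 50126 (scenario 2 step 2), land in a SIEM in different shapes but answer the same question. The following is an added example, not from the original deck and not Microsoft's parsing script: it normalises constructed samples of both sources into one event shape and scores each source IP, flagging a spray (many distinct users, few attempts each, in one window) separately from a brute force (many attempts on one user). The AD FS event bodies are invented and the regexes match only their "Client IP:" and "User Name:" lines; the Azure AD records use the Graph signIn field names but are constructed; the 60-minute window and the thresholds of 5 users / 10 attempts are assumptions to tune against your own baseline.

```python
"""Password-spray triage over AD FS event 411 text and Azure AD sign-in records.

Added example, not part of the original deck. Both sources are normalised to
(timestamp, user, ip, source) tuples, then each source IP is scored: many
distinct users failing within one window is a spray, many failures against one
user is brute force. Thresholds and the sample data are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AD FS Security-log event 411 bodies (NOT real telemetry). The real
# 411 text varies by AD FS version; the regexes assume the "Client IP:" and
# "User Name:" lines used here, so adjust them to your own event layout. When
# Exchange Online proxies legacy auth the forwarded client IP may arrive as a
# comma-separated list; the regex keeps only the first address.
ADFS_411 = [
    ("2019-03-01T10:00:01Z", "Token validation failed.\nClient IP: 198.51.100.7\nUser Name: alice@contoso.com"),
    ("2019-03-01T10:01:12Z", "Token validation failed.\nClient IP: 198.51.100.7,10.0.0.5\nUser Name: Bob@contoso.com"),
    ("2019-03-01T10:02:03Z", "Token validation failed.\nClient IP: 198.51.100.7\nUser Name: carol@contoso.com"),
    ("2019-03-01T10:03:44Z", "Token validation failed.\nClient IP: 198.51.100.7\nUser Name: dave@contoso.com"),
    ("2019-03-01T10:09:00Z", "Token validation failed.\nActivity ID: 1234"),  # no IP/user: skipped
]
IP_RE = re.compile(r"^Client IP:\s*([0-9a-fA-F.:]+)", re.M)
USER_RE = re.compile(r"^User Name:\s*(\S+)", re.M)


def _ts(s):
    """Parse the Zulu timestamps used by both sources into aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_adfs_411(records):
    events = []
    for ts, body in records:
        ip, user = IP_RE.search(body), USER_RE.search(body)
        if not (ip and user):
            continue  # malformed event: skip rather than mis-attribute it
        events.append((_ts(ts), user.group(1).lower(), ip.group(1), "adfs-411"))
    return events


def _rec(ts, upn, ip, code):
    # Shape of an Azure AD sign-in export (Graph signIn field names); constructed sample data.
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": code}}


AAD_SIGNINS_JSON = json.dumps(
    [_rec("2019-03-01T10:04:30Z", "eve@contoso.com", "198.51.100.7", 50126),
     _rec("2019-03-01T10:05:10Z", "frank@contoso.com", "198.51.100.7", 50126),
     _rec("2019-03-01T10:20:00Z", "grace@contoso.com", "192.0.2.5", 0),      # success: ignored
     _rec("2019-03-01T10:21:00Z", "carol@contoso.com", "192.0.2.5", 50126)]  # one typo: benign
    + [_rec(f"2019-03-01T11:{m:02d}:00Z", "bob@contoso.com", "203.0.113.9", 50126)
       for m in range(12)]                                                  # brute force
)


def parse_aad_signins(json_text):
    events = []
    for rec in json.loads(json_text):
        if rec.get("status", {}).get("errorCode") != 50126:
            continue  # 50126 = invalid username or password; other codes are not guesses
        events.append((_ts(rec["createdDateTime"]), rec["userPrincipalName"].lower(),
                       rec["ipAddress"], "aad-signin"))
    return events


def find_password_attacks(events, window=timedelta(minutes=60), spray_users=5, brute_attempts=10):
    """Return one finding per source IP whose failures in any `window` look like spray or brute force."""
    by_ip = defaultdict(list)
    for ts, user, ip, source in events:
        by_ip[ip].append((ts, user, source))
    findings = []
    for ip, evs in by_ip.items():
        evs.sort()
        most_users, most_on_one = 0, 0
        for i, (start, _, _) in enumerate(evs):  # sliding window anchored at each failure
            per_user = defaultdict(int)
            for ts, user, _ in evs[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            most_users = max(most_users, len(per_user))
            most_on_one = max(most_on_one, max(per_user.values()))
        kinds = []
        if most_users >= spray_users:
            kinds.append("spray")
        if most_on_one >= brute_attempts:
            kinds.append("brute_force")
        if kinds:
            findings.append({"ip": ip, "kinds": kinds, "distinct_users": most_users,
                             "max_attempts_on_one_user": most_on_one,
                             "sources": sorted({s for _, _, s in evs})})
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    merged = parse_adfs_411(ADFS_411) + parse_aad_signins(AAD_SIGNINS_JSON)
    for finding in find_password_attacks(merged):
        print(finding)
```

Merging the two sources before scoring is the point: 198.51.100.7 touches only four users in the AD FS events and two in the Azure AD sign-ins, neither of which crosses the five-user threshold on its own, but together they do. Per-IP grouping also has a known blind spot the deck's controls share: a spray spread over many source addresses keeps every IP under the threshold, so pair this with a tenant-wide count of distinct users failing per window.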
