Microsoft Azure AZ-801 — Section 4: Secure a hybrid Active Directory (AD) infrastructure
29. Configure password policies
Now, when it comes to managing your password requirements inside of AD DS, Active Directory Domain Services, that is going to be done by group policies. All right. And you’re going to do that on a domain controller. And the domain controller is going to have a tool that is going to let you go in and edit your group policy objects, and you’re going to set your password requirements based on that.
So, first order of business, of course, is to figure out what your password requirements are: maybe you want ten-character passwords, you want users to reset their password every 30 days, you want to make it so users can’t reuse the same passwords, you want complex passwords with uppercase, lowercase, numbers, and symbols. You need to figure all that out. And then you’re going to sit down at a domain controller, such as this server here, my NYC-DC1. I’m going to go to Start and then to Server Manager. Once Server Manager finishes loading, we can go to the Tools menu and open the Group Policy Management console. From there, your passwords are configured inside a GPO called the Default Domain Policy.
Now, you may not have all these other policies that I’ve got here. Don’t worry about those. The only one that matters right now, the one we’re talking about, is the one called Default Domain Policy. The Default Domain Policy is the GPO, the Group Policy Object, that gets deployed out to all of your machines and lets you control your policy. So, you’re going to right-click it and click Edit. From there you go under Computer Configuration, Policies, Windows Settings, Security Settings, and then Account Policies. And here we are: Password Policy.
So, the password policies are set here. You have the following. Enforce password history: this makes it so a user can’t reuse the same password over and over again. In this case it’s defaulted to 24 passwords, so a user would have to cycle through 24 passwords before they could reuse one. Maximum password age, defaulted to 42 days: that’s the maximum number of days they can keep a password before they have to change it. Minimum password age: the minimum number of days they have to keep a password before they can change it, set to one day by default. Minimum password length, which is seven characters by default, so they have to have at least a seven-character password. You’ve also got Minimum password length audit, which enables auditing for password length. This is a newer policy, which is why I wanted to point it out; there are a couple of policies that haven’t been around since the early days, and this is one of them. If you open it, the description says the security setting determines the minimum password length for which audit events are issued, and you can set it to a maximum of 128. There is also a warning that tells you that you should only enable and configure this setting when trying to determine the potential impact of increasing the Minimum password length setting. If it’s not defined, the events aren’t going to be audited. If it’s defined and is less than or equal to the Minimum password length, the audit events will also not be issued. So that’s what it does: it enables the auditing feature.
Below that you’ve got Password must meet complexity requirements. Complexity means the password has to contain at least three of these four character types: uppercase characters, lowercase characters, numbers, and symbols.
The next policy here is also a new one: Relax minimum password length limits. You’ll notice that if you try to turn it on here, you get a warning that modifying the setting may affect compatibility with clients and services. If you click the little link they give you, it takes you to an article that talks a bit about this and explains that it is a relatively new feature, and that it’s only supported by Windows 10 and higher operating systems. Basically, what you get with password length auditing and enforcement is that this policy works together with the Minimum password length audit policy we just talked about. If you enable Relax minimum password length limits, the setting controls whether the minimum password length can go beyond the legacy limit, which was 14. They tell you that if this setting is not defined, the Minimum password length may be configured to a maximum of 14. If the setting is defined and disabled, the Minimum password length may likewise be configured to a maximum of 14. And if the setting is defined and enabled, the Minimum password length may be configured beyond 14. So these are just a couple of the newer things that were introduced to Active Directory a few years ago.
Lastly, you have Store passwords using reversible encryption. This is an old policy. It’s been around since the year 2000, and it was really important when Windows 2000 came out, because in those days we still had some legacy computers running DOS and things like that. They could not authenticate using that level of encryption; they basically could not store their passwords encrypted on their machines. So you had to enable this feature, Store passwords using reversible encryption, and it meant that the password would not be protected on their machine. Keep in mind, turning this on is a security risk. It’s not something you should pretty much ever turn on nowadays, unless, God forbid, you’ve still got some DOS computers in your environment. And even if you did turn it on, you would still have to go to individual users and turn it on there as well. In other words, I’d have to go into Active Directory Users and Computers, for example, open the specific user I want to do this for, say a user named Joe Franson, and turn it on for that person’s account as well.
So, don’t worry: if you were to turn this on, it’s not going to completely break your whole domain. You have to go to each individual user and turn it on there as well, whichever user was using that legacy computer. Over here, you’ve got Account Lockout Policy. The account lockout policy controls when an account is locked out after a certain number of bad attempts. You have the Account lockout threshold, which is the number of attempts they get before they get locked out, and the Account lockout duration, which is the amount of time they stay locked out. So, let’s say we set the lockout threshold to three and the lockout duration to 30 minutes. After three bad password attempts, they’d be locked out for 30 minutes.
You’ve also got Reset account lockout counter after. That is a timer that resets the strikes; the threshold is the number of strikes. Let’s say you set the threshold to three and the reset counter to 5 minutes. A person puts their password in wrong once and the five-minute counter begins counting down. Then they put in another bad password, and that’s two strikes. Now, say the five-minute counter runs out before the third strike is put in. That resets the strikes, so they could put in two more bad passwords before it would ever lock them out on the third. So that’s what all of that has to do with.
So, this is your domain password policy. Keep in mind that you can only have one of those active at a time. You’ll notice that it’s linked to the domain, and at that domain level, if you click on it, you can click Group Policy Inheritance here and see that if there’s ever a conflict, whichever GPO is at the top is the one you get.
Now, ignore the Enforced column. Right now we’re not getting into what that is. And again, you may not have all of these GPOs that I’ve got. The only one that matters here is this one. But if you had multiple GPOs linked to your domain, the top one is the one the password policy comes from. Always. Of course, there is a way to apply password policies to individual groups, and that is known as fine-grained password policies. You do that by going into Server Manager, Tools, and opening the Active Directory Administrative Center. This is where you’re going to set that. You’re not going to set it through GPOs; you’re going to set it through this tool. If you go down here, there’s a folder called System, and inside it there is a container called Password Settings Container. You can go into there, click New, Password Settings, and create password settings just for specific groups if you want.
So, let’s say that instead of 7 characters I wanted 12 characters for salespeople. I could create a Password Settings Object here, set the minimum length to 12, and then apply it to the Sales group right here. And that’s how that would work.
So, it is possible to apply password policies directly to a group. By default, the password policies go to the whole domain through the group policy I showed you. But if you want to target individual groups, you can, and that’s called fine-grained password policies.
And so those are the different ways that you’re going to apply password policies in your domain. Keep in mind, if you’re in a hybrid environment where you’ve got an on-premises domain connected to Azure AD and Microsoft 365 services, you can set password requirements in the cloud as well. However, they don’t take effect for hybrid users. So, if you’re synchronizing on-premises users out to the cloud, you still need to set your password policies for those users on-premises. You’re not going to configure those through the cloud; you’re going to configure them on-premises exactly the way I just showed you.
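The same domain policy and the Sales fine-grained policy from above, done with the ActiveDirectory PowerShell module instead of the consoles, as an added example that is not part of the course. It assumes a Domain Admin session on a domain controller with RSAT; the group name "Sales" and the user "jfranson" are placeholders.

```powershell
# Added example: domain-wide password/lockout policy plus a stricter PSO for Sales.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# 1. Domain-wide values, matching the Account Policies defaults shown in the
#    lecture plus the 3-strike / 30-minute / 5-minute lockout example.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 7 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 5)

# 2. Fine-grained password policy (PSO) for the Sales group: 12-character minimum.
#    If a user falls under several PSOs, the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name "Sales-12char" -Precedence 10 `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 3 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 5) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "Sales-12char" -Subjects "Sales"

# 3. Verify which policy a user actually ends up with. The cmdlet returns the
#    PSO for a Sales member and nothing at all when only the domain policy applies.
$resultant = Get-ADUserResultantPasswordPolicy -Identity "jfranson"
if ($resultant) {
    "jfranson gets PSO '$($resultant.Name)' (min length $($resultant.MinPasswordLength))"
} else {
    $d = Get-ADDefaultDomainPasswordPolicy
    "jfranson gets the domain policy (min length $($d.MinPasswordLength))"
}
```

Note that the Default Domain Policy GPO rewrites the domain's password attributes each time it refreshes on the PDC emulator, so keep the GPO settings and these cmdlet values in agreement, or just set them in the GPO as the lecture does.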
30. Enable password block lists
One of the things we can do in an Azure environment, if we’ve set up a hybrid connection between our on-premises domain and Azure AD using Azure AD Connect, is set up a list of banned passwords. So, I want to show you how to do that.
Here we are on portal.azure.com. We’re going to click the menu button and go to Azure Active Directory. Once we’re in Azure Active Directory, we scroll down on the left to where it says Security. There’s a blade called Security; we’re going to click on it, and then click Authentication methods. Under Authentication methods there is a blade called Password protection, and this is the blade we’re looking for. If you look right here, we have Custom banned passwords. There is also Custom smart lockout, which is for our Azure AD users. But if you look down here, it says Password protection for Windows Server Active Directory, with a setting to enable password protection on Windows Server Active Directory. If you look at the information, it says, “If you say Yes, password protection is turned on for Active Directory domain controllers when the appropriate agent is installed.”
So, if we click Learn more right there, it pulls up “Plan and deploy on-premises Azure Active Directory Password Protection.” Let’s scroll down here. This is the Azure Active Directory Password Protection DC agent. The domain controllers are the machines where the Azure AD Password Protection DC agent software will be installed, and these are the requirements you’ve got. Essentially, I can install this Password Protection agent and it will connect my on-premises domain with the Azure AD password protection capabilities. It says, “There are two required installers for on-premises Azure AD Password Protection deployment.” You have the Azure AD Password Protection DC agent and then a proxy, and the proxy can actually sit in a demilitarized zone if you want.
So, if your company is using a DMZ, you could set that up. From there, under Azure AD Password Protection for Windows Server Active Directory, I can click Download and download the Password Protection agent setup file here. Go ahead and click Next. It’s in the process of downloading, so I’m just waiting on that to get done. Now I’m going to open that file and install it. Here it is, right here: Install. It’s installing the Azure AD Password Protection agent. You must restart your system for the agent to take effect, so I would restart…
But let’s go back. What I want to look at here with you is Password protection for Windows Server Active Directory. If password protection is enabled, the Mode setting controls what it does. It says, “If set to Enforced, users will be prevented from setting banned passwords.” Right now, this is set to Audit. What I can do is enforce this list. I can go out and get a list of the most common passwords. So, try this: if you have a moment, go to somewhere like Google and search for the top 10,000 most common passwords. You can get a list of the top thousands of passwords and copy and paste that in here. At that point, it will prevent users both in the cloud and on-premises from using those passwords. That’s what this is going to do for you: the agent installed out there on that server in Active Directory is going to prevent users from using passwords that you’ve banned using this capability right here.
Now, one other thing. This Custom smart lockout is for your Azure AD accounts. Your domain policies are still going to override these settings when it comes to synced accounts. So, really, the only thing that matters right here for on-premises is the banned password list. That’s what the agent takes care of for you. So, that’s how you would connect all of that together and make those banned passwords work.
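Before flipping the Mode from Audit to Enforced, it is worth checking that the DC agents are reporting and seeing how many password changes Audit mode would already have blocked. The following is an added example (not course material) that assumes it is run on a domain controller with the DC agent installed, which ships the AzureADPasswordProtection module; the event IDs are the ones documented for the DC agent's admin log, so check them against your agent version.

```powershell
# Added example: audit-mode readiness check for Azure AD Password Protection.
Import-Module AzureADPasswordProtection

# Every DC with an agent, its version and when it last pulled the policy
# (a stale PasswordPolicyDateUTC means the proxy/DC path is not working).
Get-AzureADPasswordProtectionDCAgent | Format-List

# Forest-wide counters; the *AuditOnlyFailures values are the password sets
# and changes that would have been rejected had the tenant been in Enforced mode.
Get-AzureADPasswordProtectionSummaryReport -Forest | Format-List

# Same information per event, last 7 days, from the DC agent's admin log.
# 10020/10021 = would be rejected by the Microsoft global list (set / change),
# 10024/10025 = would be rejected by the tenant's custom banned list.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-AzureADPasswordProtection-DCAgent/Admin'
    Id        = 10020, 10021, 10024, 10025
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No audit-only failures on this DC since $since."
} else {
    # Tally by event ID, then list the events so the affected users
    # (named in each message) can be warned before Enforced mode bites.
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -split "`n" | Select-Object -First 1 } } |
        Format-Table -AutoSize -Wrap
}
```

Run this on each DC (or point Get-WinEvent at them with -ComputerName) because the admin log is local to the agent that processed the password change.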
31. Manage protected users
I now want to talk about a feature in our on-premises Active Directory that a lot of people have never heard of. It’s called the Protected Users group. By putting users like admins in this group, you add an additional layer of protection that prevents their passwords and related credentials from being exposed.
First, I want to dive into what Microsoft says about it, because that ultimately is what matters here. If we pull up our web browser and do a quick search on Active Directory Protected Users group, there is a nice little article that explains this. I’m searching for it so that you can find it yourself if you ever want to. This is what the article looks like: Protected Users Security Group. If we look down, here are the benefits. Device protections for signed-in Protected Users: when a user is part of this group, credential delegation (CredSSP) will not cache the user’s plain text credentials, even with the Allow delegating default credentials policy set. So, say this account was used as a service account or something, and we had enabled a delegation feature for some kind of older system; it’s still never going to cache anything in clear text. Beginning with Windows 8.1 and Windows Server 2012, Digest will not cache the user’s plain text credentials, and NTLM will not cache the user’s plain text credentials either. So, if your company is still using the older NTLM protocol, maybe for backwards compatibility, there’s not going to be any plain text. This is a guarantee: no plain text caching in memory or anything like that, so if there’s any kind of spyware on a system, it’s not going to be able to see somebody’s password. Kerberos will no longer create DES or RC4 keys; those are old. One of the problems you run into is that companies have upgraded their domains over the years, from Windows NT 4 to Windows 2000, then 2003, 2008, 2012, 2016, and then 2019 to 2022, and you end up with old configuration that’s been left in place ever since the 1990s. So this is a guarantee that for any of these accounts, none of that is going to be allowed.
It also says, “A cached verifier is not created at sign-in or unlock, so offline sign-in is no longer supported.” That is one thing you do need to consider. If there’s no connectivity to a domain controller, a member of the Protected Users group is not going to be able to log on.
Now, how do we make somebody a protected user? We’ll go to Server Manager, Tools, and open Active Directory Users and Computers. We’ll go to the Users folder, and there is a group called Protected Users. All you have to do is put the user in this group and they become a protected user. So, if I wanted to put myself in there, I could just double-click it and add myself. But keep in mind that at that point you won’t be able to use cached logon: if you can’t reach the domain, you’re not going to be able to log on.
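The same membership change with PowerShell, as an added example that is not part of the course. It takes the human members of Domain Admins as the candidates, keeps out the built-in Administrator (RID 500) as a break-glass account and any account carrying a service principal name (both choices of this example, not Microsoft guidance quoted from the page), and previews with -WhatIf unless you pass -Commit. It assumes the ActiveDirectory module and a Domain Admin session.

```powershell
# Added example: populate Protected Users from Domain Admins, preview first.
param([switch]$Commit)   # run without -Commit to see what would change
Import-Module ActiveDirectory

$domainSid  = (Get-ADDomain).DomainSID.Value
$breakGlass = "$domainSid-500"   # built-in Administrator, kept out on purpose

# Candidates: user objects that are (directly or via nesting) in Domain Admins.
$candidates = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ServicePrincipalName, SID |
    Where-Object {
        $_.SID.Value -ne $breakGlass -and      # break-glass stays usable offline
        -not $_.ServicePrincipalName          # SPN present = treat as a service account
    }

# Skip accounts that are already members.
$current = Get-ADGroupMember -Identity "Protected Users" |
    Select-Object -ExpandProperty SamAccountName
$toAdd = $candidates | Where-Object { $_.SamAccountName -notin $current }

foreach ($u in $toAdd) {
    # Trade-off from the lecture: no cached verifier, so this account can no
    # longer sign in to a workstation unless a domain controller is reachable.
    Add-ADGroupMember -Identity "Protected Users" -Members $u -WhatIf:(-not $Commit)
}

$verb = if ($Commit) { "Added" } else { "Would add" }
if ($toAdd) { "$verb to Protected Users: $($toAdd.SamAccountName -join ', ')" }
else        { "Nothing to add; all candidates are already members." }
```

Save it as a .ps1 and run it once without -Commit, confirm the list is what you expect, then run it again with -Commit.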
Hopefully, now that makes sense and helps you understand the concept of the Protected Users group.