Password protection News and Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/tag/password-protection/
Expert coverage of cybersecurity topics. Feed last updated Thu, 12 Sep 2024 20:48:42 +0000.

3 key resources to accelerate your passwordless journey
http://approjects.co.za/?big=en-us/security/blog/2021/09/30/3-key-resources-to-accelerate-your-passwordless-journey/
Thu, 30 Sep 2021 16:00:46 +0000

The risks now outweigh the benefits for organizations using passwords as a security mechanism. In this post, we share the top resources to help you move forward on your passwordless journey.

The post 3 key resources to accelerate your passwordless journey appeared first on Microsoft Security Blog.

Every organization today faces password-related challenges—phishing campaigns, productivity loss, and password management costs, to name just a few. The risks now outweigh the benefits when it comes to passwords. Even the strongest passwords are easily phishable and vulnerable to attacks such as password spray and credential stuffing. People don’t like them either—a third of people surveyed say they’d rather abandon a website than reset their password. “I don’t have any more passwords left in me” is becoming an all-too-common feeling. It’s time to look at password alternatives that are both highly secure and convenient. Here are a few key resources that can help you as you plan for and deploy passwordless authentication in your organization.

1. Preparing your organization for passwordless authentication

Today, the technology exists to make sign-ins simpler and more secure. Two protocols, WebAuthn and CTAP2, form what is known as the FIDO2 standard—which enables organizations to upgrade their authentication methods to strong, hardware-backed multifactor authentication options that don’t rely on passwords at all. Instead, you can use a physical key, laptop, or mobile app as your credential. Two questions customers often ask are: which method should I choose, and how do I get started?

I recently published an update to our Passwordless Protection whitepaper, which breaks down the different authentication methods, adoption strategies, and use cases. This guide gives you a great starting point for thinking through your strategy and a foundational understanding of how passwordless authentication works and the requirements for each of the options.

[Figure: workflow, left to right, showing how administrators, information workers, firstline workers, and consumers arrive at the usability, security, and cost benefits of passwordless authentication.]

10 reasons to love passwordless

This year, my colleagues also created a series of blog posts, 10 reasons to love passwordless, which expands on many of the concepts in the whitepaper.

  1. FIDO2-based credentials developed and adopted by the industry.
  2. Compliance with the National Institute of Standards and Technology (NIST) Authenticator Assurance Levels 2 and 3 (AAL2 and AAL3).
  3. Biometric authentication stored locally to uniquely and securely identify users.
  4. Faster sign-ins with Windows Hello built into your PC.
  5. Portable security keys in a variety of form factors that work across platforms.
  6. Helpdesk savings from password reset requests.
  7. Convenient sign-ins with Microsoft Authenticator app on your smartphone.
  8. Phishing-resistant credentials that reduce risk of compromise by over 99.9 percent.
  9. Easy setup and recovery of passwordless credentials with Temporary Access Pass.
  10. No passwords needed for users to be productive and secure.

2. Planning your passwordless deployment

Check out the passwordless authentication deployment guide, which goes in-depth into how to plan the project, deploy different methods, and manage policies for passwordless authentication based on what we’ve learned from thousands of implementations with customers. Use the passwordless recommendations tool in the Microsoft admin console to help you choose the right method for each of your audiences.

[Figure: sign-in approaches: Windows Hello for Business, the Microsoft Authenticator app, and security keys.]

You can also get a hands-on tour of passwordless capabilities in Microsoft Azure Active Directory from the video Microsoft Mechanics with Joy Chik, Corporate Vice President, Identity and Network Access, and host Jeremy Chapman.

[Screenshot from the Microsoft Mechanics video with speakers Jeremy Chapman and Joy Chik.]

3. Learning from experts

Data is useful, but sometimes you want to hear from people with experience. Watch the Your Passwordless Future Starts Now digital event on-demand, where you’ll learn more about passwordless authentication and best practices for adopting an organization-wide passwordless strategy.

You’ll learn how to:

  • Reduce your security risk. Alex Simons, Corporate Vice President, Identity Program Management, Alex Weinert, Director of Identity Security, and Pamela Dingle, Director of Identity Standards, will cover the challenges of passwords that customers have faced and the benefits of moving to passwordless technologies. Passwordless methods like biometrics make it much simpler for people to sign in—and much harder for attackers to implement a successful phishing campaign. Developers also have a role in reducing the risk of passwords, which is why Mike Hanley, the Chief Security Officer at GitHub, will share how they’ve adopted passwordless for app development.
  • Deploy to your organization. If organization-wide passwordless authentication sounds too good to be true, you’ll want to hear from Mark Russinovich, Azure Chief Technology Officer, and Bret Arsenault, Microsoft Chief Security Officer. In this joint session, they will talk about lessons learned from adopting a passwordless strategy at Microsoft and testing the limits on how far passwordless can extend into your hybrid environment.
  • Help make it a smooth transition for users. Transitioning to a passwordless organization isn’t just about the right technology, it’s also about getting people to adopt something new. Charles Duhigg, New York Times bestselling author of The Power of Habit and Smarter, Faster, Better will explain why humans have such a hard time getting passwords right—and why we should stop expecting them to. He will explain the psychology behind password habits and look at history for insights on how cybersecurity leaders can help people be more secure.
  • Make the first step on your Zero Trust journey. You’ll also learn from the host of the event, Vasu Jakkal, Corporate Vice President, Security, Compliance, and Identity, on why passwordless is a necessary component of a Zero Trust security strategy, which starts with the premise that you must explicitly verify every access request. There are financial and human costs with cyberattacks, and she advises on the steps to take to fortify your digital security.

Learn more

For additional resources and the latest customer stories, visit the Microsoft passwordless web page.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Protecting your organization against password spray attacks
http://approjects.co.za/?big=en-us/security/blog/2020/04/23/protecting-organization-password-spray-attacks/
Thu, 23 Apr 2020 16:00:22 +0000

If your users sign in with guessable passwords, you may be at risk of a password spray attack.

When hackers plan an attack, they often engage in a numbers game. They can invest significant time pursuing a single, high-value target (someone in the C-suite, for example), which is called “spear phishing.” Or, if they just need low-level access to gain a foothold in an organization or do reconnaissance, they target a huge volume of people and spend less time on each one, which is called “password spray.” Last December, Seema Kathuria and I described an example of the first approach in Spear phishing campaigns—they’re sharper than you think! Today, I want to talk about a high-volume tactic: password spray.

In a password spray attack, adversaries “spray” passwords at a large volume of usernames. When I talk to security professionals in the field, I often compare password spray to a brute force attack. Brute force is targeted: the hacker goes after specific users and cycles through as many passwords as possible, using either a full dictionary or one trimmed down to common passwords. An even more targeted password guessing attack is when the hacker selects a person and conducts research to see if they can guess the user’s password, discovering family names through social media posts, for example, and then tries those variants against the account to gain access. Password spray is the opposite: adversaries acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords, until they get a hit. This blog describes the steps adversaries use to conduct these attacks and how you can reduce the risk to your organization.

Three steps to a successful password spray attack

Step 1: Acquire a list of usernames

It starts with a list of accounts. This is easier than it sounds. Most organizations have a formal convention for emails, such as firstname.lastname@company.com. This allows adversaries to construct usernames from a list of employees. If the bad actor has already compromised an account, they may try to enumerate usernames against the domain controller. Or, they find or buy usernames online. Data can be compiled from past security breaches, online profiles, etc. The adversary might even get some verified profiles for free!

Step 2: Spray passwords

Finding a list of common passwords is even easier. A Bing search reveals that publications list the most common passwords each year; 123456, password, and qwerty are typically near the top. Wikipedia lists the top 10,000 passwords. There are regional differences that may be harder to discover, but many people use a favorite sports team, their state, or their company as a password. For example, Seahawks is a popular password choice in the Seattle area. Once hackers do their research, they carefully select a password and try it against the entire list of accounts, as shown in Figure 1. If the attack is not successful, they wait 30 minutes to avoid triggering a timeout, and then try the next password.

Figure 1: Password spray using one password across multiple accounts.

Step 3: Gain access

Eventually one of the passwords works against one of the accounts. That’s what makes password spray a popular tactic—attackers only need one successful username and password combination. Once they have it, they can access whatever the user has access to, such as cloud resources on OneDrive, or use the compromised account to do internal reconnaissance on the target network and get deeper into the systems via elevation of privilege.

Even if the vast majority of your employees don’t use popular passwords, there is a risk that hackers will find the ones that do. The trick is to reduce the number of guessable passwords used at your organization.
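The spray pattern described in the three steps above looks different from brute force in sign-in telemetry: one source touches many accounts with only a few failures each, paced to stay under lockout, rather than hammering one account. The detector below is an added example, not code from this post; the log format, events and thresholds are constructed for illustration (Azure AD sign-in logs use a different schema).

```python
"""Password-spray vs brute-force detection over sign-in failure events.
Added example, not code from the post; the log format and events below are
constructed for illustration (Azure AD sign-in logs use a different schema)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<timestamp> <user> <source-ip> <result>".
# 203.0.113.7 tries one password against five accounts, pauses, then tries the
# next (spray); 198.51.100.9 hammers one account (brute force); 192.0.2.4 mistyped twice.
SAMPLE_LOG = """\
2020-04-23T09:00:00Z alice@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:01Z bob@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:02Z carol@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:03Z dave@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:04Z erin@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:30:00Z alice@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:30:01Z bob@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:30:02Z carol@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:30:03Z dave@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:30:04Z erin@contoso.example 203.0.113.7 SUCCESS
2020-04-23T10:00:00Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T10:00:01Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T10:00:02Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T10:00:03Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T10:00:04Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T10:00:05Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T11:00:00Z heidi@contoso.example 192.0.2.4 FAILURE
2020-04-23T11:00:20Z heidi@contoso.example 192.0.2.4 FAILURE
2020-04-23T11:00:40Z heidi@contoso.example 192.0.2.4 SUCCESS
"""

def parse_events(text):
    """Parse the constructed log into sorted (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)

def classify_sources(events, window=timedelta(hours=2), spray_min_users=5,
                     spray_max_per_user=3, brute_min_attempts=6):
    """Label each source IP 'password_spray', 'brute_force' or None.

    Spray: within one window a source fails against many distinct accounts
    with only a few attempts each (the attacker paces attempts to stay
    under lockout, as the post describes). Brute force: many failures
    against one account. Thresholds are illustrative; tune to your baseline.
    """
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    verdicts = {}
    for ip, fails in failures.items():
        verdicts[ip] = None
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            busiest = max(per_user.values())
            if busiest >= brute_min_attempts:
                verdicts[ip] = "brute_force"
                break
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                verdicts[ip] = "password_spray"
                break
    return verdicts

def successes_from(events, ip):
    """Accounts a flagged source signed into successfully: the first triage list."""
    return sorted({u for _, u, src, r in events if src == ip and r == "SUCCESS"})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, verdict in classify_sources(evs).items():
        print(ip, verdict or "no pattern", successes_from(evs, ip))
```

A source flagged as spraying that also has a SUCCESS event is the account to reset and investigate first.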

Configure Azure Active Directory (Azure AD) Password Protection

Azure AD Password Protection allows you to eliminate easily guessed passwords and customize lockout settings for your environment. This capability includes a globally banned password list that Microsoft maintains and updates. You can also block a custom list of passwords that are relevant to your region or company. Once enabled, users won’t be able to choose a password on either of these lists, making it significantly less likely that an adversary can guess a user’s password. You can also use this feature to define how many sign-in attempts will trigger a lockout and how long the lockout will last.

Simulate attacks with Office 365 Advanced Threat Protection (Office 365 ATP)

Attack Simulator in Office 365 ATP lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.

Begin your passwordless journey

The best way to reduce your risk of password spray is to eliminate passwords entirely. Solutions like Windows Hello or FIDO2 security keys let users sign in using biometrics and/or a physical key or device. Get started by enabling Multi-Factor Authentication (MFA) across all your accounts. MFA requires that users sign in with at least two authentication factors: something they know (like a password or PIN), something they are (such as biometrics), and/or something they have (such as a trusted device).

Learn more

We make progress in cybersecurity by increasing how much it costs the adversary to conduct the attack. If we make guessing passwords too hard, hackers will reduce their reliance on password spray.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. For more information about our security solutions visit our website. Or reach out to me on LinkedIn or Twitter.

Provide protection for third-party apps

Microsoft Cloud App Security (MCAS) monitors user sessions for third-party cloud apps, including G-Suite, AWS, and Salesforce. The MCAS detection engine looks for anomalous user activity for indicators of compromise. One indicator, “multiple failed login attempts,” can be used to create a dynamic baseline per user, across the tenant, and alert on anomalous login behavior that may represent an active brute force or password spray attack.

IT executives prioritize Multi-Factor Authentication in 2020
http://approjects.co.za/?big=en-us/security/blog/2020/03/05/it-executives-prioritize-multi-factor-authentication-2020/
Thu, 05 Mar 2020 17:00:06 +0000

We asked IT executives how they are approaching MFA in 2020. Most are expanding their MFA deployments or making other investments to better secure their identities.

In 2020, many IT executives will roll out or expand their implementation of Multi-Factor Authentication (MFA) to better safeguard identities. This is one of the key findings of a survey conducted by Pulse Q&A for Microsoft in October 2019.[1] Specifically, 59 percent of executives will implement or expand MFA within three to six months. Another 26 percent will do so within 12 months. These executives are initiating these projects because they believe that MFA provides better security preparedness. They’re right. MFA, which requires that users authenticate with at least two factors, can reduce the risk of identity compromise by as much as 99.9 percent over passwords alone.

Protecting identities is vital to cybersecurity. Bad actors use compromised identities to gain a foothold in an organization, avoiding detection for an average of 100 days.[2] Historically, organizations have relied on passwords to safeguard identities, but passwords alone aren’t enough. Eighty percent of hacking-related breaches can be attributed to weak or compromised passwords, according to Verizon’s 2019 Data Breach Investigations Report. MFA reduces risk because it’s significantly harder to compromise two or more authentication factors.

Beyond passwords, there are several different authentication factors that organizations can implement to better protect their identities. Basic MFA augments passwords with SMS, one-time passwords (OTP), and codes generated by a mobile device. Strong MFA utilizes high assurance factors such as FIDO security keys and smart cards to authenticate users. Fingerprint scans, facial scans, and other biometrics are secure authentication methods that can simplify sign-in for users. Sixty-four percent of the executives in the survey use basic MFA. Forty-three percent use strong MFA. Biometrics was cited by 11 percent of respondents.

But things are changing fast. Ninety-one percent of executives plan to evolve their MFA implementation in the coming year. Twenty-two percent want to move to strong MFA. Another 13 percent will migrate toward biometrics. Better security is the primary driver of these changes.

2020 is the year to prioritize MFA. You can significantly reduce your risk of identity compromise by augmenting or replacing passwords with other authentication factors. Learn how organizations are using MFA.


[1] Pulse Q&A Inc. conducted research for Microsoft in October 2019 with 100 Security and IT executives in North America representing 17 industry sectors.

[2] The median number of days an organization is compromised before discovering a breach in 2017 is 101 days in comparison to 99 in 2016. Source: FireEye M-Trends 2018 Report

Demystifying Password Hash Sync
http://approjects.co.za/?big=en-us/security/blog/2019/05/30/demystifying-password-hash-sync/
Thu, 30 May 2019 16:00:42 +0000

We debunk the myths about Password Hash Sync (PHS) so you can gain security benefits by using the full capabilities of this service.

This blog is part of a series of posts providing a behind-the-scenes look at Microsoft’s Detection and Response Team (DART). While responding to cybersecurity incidents around the world, DART engages with customers who are wary about using Password Hash Sync (PHS) or are not utilizing this service’s full capabilities. As customers can gain tremendous security benefits using the full capabilities of this service, we want to demystify PHS.

What PHS is and is not

What is PHS? First, let’s start with what it is not. PHS doesn’t sync actual passwords. Rather, it syncs hashes of passwords, each of which has undergone a per-user salt and 1,000 iterations of the HMAC-SHA256 key hashing algorithm before being sent to Azure Active Directory (Azure AD). Through our hands-on experiences, we’ve learned that many companies believe that Microsoft may have access to users’ passwords. Microsoft is committed to protecting your privacy, and it’s important to note that the SHA256 hash is one-way and cannot be reversed—so the plain-text version of the password is never, and can never be, exposed to Microsoft.


The second important consideration is that with PHS your identity management provider moves from your current provider to Azure AD. This allows the organization to move from an identity management provider—which is typically an on-premises server that requires maintenance and potentially incurs server downtime—to a platform-as-a-service (PaaS) provider.

From a security perspective, organizations gain significant reliability advantages and improved capabilities by moving to PHS, including Smart Lockout, IP Lockout, and the ability to discover leaked credentials, as well as the benefits of utilizing Microsoft’s billions of worldwide data points as additional layers of security to your organization’s environment.

More about these key features:

  • Smart Lockout assists in blocking bad actors who are attempting to brute force passwords. By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts. Smart Lockout tracks the last three bad password hashes to avoid re-incrementing the lockout counter. For more information on Smart Lockout, see Azure AD Smart Lockout.
  • IP Lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP Lockout finds IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real-time, while allowing the real user to continue to successfully sign in.
  • Microsoft Leaked Credentials Service acquires username/password pairs by monitoring public web sites and the Dark Web and by working with:
    • Researchers
    • Law enforcement
    • Microsoft Security teams
    • Other trusted sources

When the service acquires username/password pairs, the passwords are sent through the same hashing algorithm and are checked against Azure AD users’ password hashes. When a match is found (indicating a compromised credential), a “Leaked Credentials Risk Event” is created. Please see Azure AD Risk Events for additional information regarding Leaked Credentials.
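The per-user salt and 1,000 HMAC-SHA256 iterations described under "What PHS is and is not", and the leaked-credentials comparison described just above, fit together as follows. This is an added illustration, not Microsoft's code: the on-premises hash that feeds the derivation is stood in for by SHA-256 of the UTF-16LE password (the post does not describe the real input), and the salt and output lengths are constructed for the example.

```python
"""Illustration of the Password Hash Sync derivation the post describes:
a per-user salt plus 1,000 iterations of HMAC-SHA256 (PBKDF2) over the
on-premises password hash, and the leaked-credential check built on it.
Added example, not Microsoft's code; see the assumptions marked below."""
import hashlib
import hmac
import os

ITERATIONS = 1000   # stated in the post
SALT_LEN = 10       # assumption: salt length constructed for the example
DKLEN = 32          # assumption: one HMAC-SHA256 output block

def onprem_hash(password: str) -> bytes:
    """Stand-in for the on-premises password hash (assumption: the post does
    not describe the real input, so SHA-256 of the UTF-16LE password is used)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def phs_derive(onprem: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, 1,000 iterations, per-user salt: the value that
    leaves the tenant. One-way: the password cannot be recovered from it."""
    return hashlib.pbkdf2_hmac("sha256", onprem, salt, ITERATIONS, dklen=DKLEN)

def sync_user(password: str) -> dict:
    """What a sync would forward for one user: a fresh per-user salt and the
    derived hash, never the password itself."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "hash": phs_derive(onprem_hash(password), salt)}

def leaked_credential_match(synced: dict, leaked_password: str) -> bool:
    """Leaked-credentials check: push the leaked plaintext through the same
    pipeline with this user's own salt and compare in constant time. Because
    of the salt, each user's synced hash must be checked separately."""
    candidate = phs_derive(onprem_hash(leaked_password), synced["salt"])
    return hmac.compare_digest(candidate, synced["hash"])

def demo() -> dict:
    """Two users sharing a (constructed) password, then a leaked-list lookup."""
    alice = sync_user("Seahawks2020!")
    bob = sync_user("Seahawks2020!")   # same password, different salt
    return {
        "same_password_different_hash": alice["hash"] != bob["hash"],
        "leak_detected": leaked_credential_match(alice, "Seahawks2020!"),
        "no_false_positive": not leaked_credential_match(alice, "Seahawks2021!"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```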

Another important benefit of PHS is that, should your tenant experience a Denial of Service (DoS) and/or password spray attack, Microsoft will take the brunt of that traffic. That traffic is directed at Microsoft, not your on-premises Active Directory Federation Services (AD FS). When authentication happens via on-premises AD FS, your server is responsible for managing the load, which can cause downtime.

Moving an organization’s identity management provider to Azure AD and utilizing Password Hash Sync allows for both an increase in overall security posture and reduced management overhead. The security benefits, including leaked credentials, IP lockout, and Smart Lockout, all utilize Microsoft’s telemetry that gives organizations the power of Microsoft’s intelligence.

NOTE: If PHS is the secondary authentication method and you choose to take advantage of Smart Lockout and IP Lockout, the primary authentication method must support these functionalities. In a hybrid environment where Federated or Pass-through Authentication is primary, PHS is recommended as secondary, both as a redundancy mechanism and for the ability to collect information for Leaked Credentials.

Learn more

To learn more about DART, our engagements, and how they are delivered by experienced cybersecurity professionals who devote 100 percent of their time to providing cybersecurity solutions to customers worldwide, please contact your account executive. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Read DART: the Microsoft cybersecurity team we hope you never meet for more about the DART team.

KRBTGT Account Password Reset Scripts now available for customers
http://approjects.co.za/?big=en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
Wed, 11 Feb 2015 21:13:45 +0000

Although pass-the-hash credential theft and reuse attacks aren’t new, more recently security researchers have been focusing on attack methods for Kerberos authentication.

Credential theft and reuse attacks continue to be top of mind for many of the CISOs I have talked to recently. We have discussed this topic several times in the past:

Although pass-the-hash credential theft and reuse attacks aren’t new, more recently security researchers have been focusing on attack methods for Kerberos authentication. Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT), must be presented to the Kerberos service. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service.[i]

A stolen krbtgt account password can wreak havoc on an organization because it can be used to forge authentication tickets throughout the organization, giving an attacker access to sensitive data.

One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised.

Today we are sharing the krbtgt account password reset script and associated guidance that will enable customers to interactively reset and validate replication of the krbtgt account keys on all writable domain controllers in the domain. By providing this script and associated guidance, we hope to help customers perform the reset in a way which reduces the likelihood of authentication errors caused by delayed distribution of the new krbtgt account keys in their environment.

The Reset-KrbtgtKeyInteractive-v1.4 script enables customers to:

  1. Perform a single reset of the krbtgt account password (it can be run multiple times for subsequent resets).
  2. Validate that all writable DCs in the domain have replicated the keys derived from the new password, so they are able to begin using the new keys.

The krbtgt account password reset script guide includes detailed information on how to use the reset script and its three modes (Informational, Estimation Mode, and Reset), and offers:

  1. A step-by-step list of tasks associated with performing the krbtgt account password reset.
  2. Information for customers wishing to invalidate all existing TGTs by performing a double reset of the krbtgt account secret during a comprehensive Active Directory recovery.

We’ve also provided a detailed guide which helps system administrators understand the required tasks, impact to the organization, schedule and timeline, and other considerations. Together, this combination covers necessary tasks, tests, and validations that should be performed before and after the reset.

It is important to remember that resetting the krbtgt password is only one part of a recovery strategy and alone will likely not prevent a previously successful attacker from regaining unauthorized access to a compromised environment in the future. We strongly advise that customers create a comprehensive recovery plan using the guidance found in Mitigating Pass-the-Hash and Other Credential Theft, version 2.

[i] https://technet.microsoft.com/en-us/library/cc733924(v=ws.10).aspx
