5.2.3.3 Ensure password protection is enabled for on-prem Active Directory

Information

Azure Active Directory (Azure AD) Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list. To protect on-premises Active Directory Domain Services (AD DS) environment, install and configure Azure AD Password Protection.

Note: This recommendation applies to Hybrid deployments only and will have no impact unless working with on-premises Active Directory.

Rationale:

Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.

Impact:

The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Azure Active Directory Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To setup Azure Active Directory Password Protection, use the following steps:

Download and install the Azure AD Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071 After installed follow the steps below.

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Protection select Authentication methods.

Select Password protection and set Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced.

Default Value:

Enable - Yes

Mode - Audit

See Also

https://workbench.cisecurity.org/benchmarks/12934