Password Protection Not Enabled for On-Premises Environments

MEDIUM
Note: This indicator is in Early Access.

Description

This IoE executes only for tenants with an Entra ID P1 or P2 license, since on-premises password protection requires one of these premium licenses.

Entra ID leverages Microsoft Entra Password Protection to mitigate the risk of users setting easily guessable passwords that are susceptible to password-spraying and brute-force attacks. The feature relies on a global banned password list of commonly used weak passwords, which Microsoft maintains and regularly updates; this list is enabled by default and cannot be disabled. Organizations can complement it with a custom banned password list of terms specific to them (company and product names, local landmarks, and so on).

Although Microsoft Entra Password Protection is a cloud-based feature, organizations can extend it to the classic on-premises Active Directory (also known as "Windows Server Active Directory") as described in "Enforce on-premises Microsoft Entra Password Protection for Active Directory Domain Services". The integration works by installing a dedicated Microsoft agent on the on-premises Active Directory domain controllers (together with a proxy service on member servers that relays policy downloads to Entra ID), while the password protection policy itself is configured in the cloud-based Entra portal. Password evaluation happens locally on the domain controller: no password ever leaves the on-premises environment.

This Indicator of Exposure evaluates two Microsoft Entra Password Protection settings that determine its enforcement in the on-premises environment:

  • "Enable password protection on Windows Server Active Directory" expected to be "Yes".
  • "Mode" expected to be "Enforced".

Note:

  1. This IoE executes only for tenants synchronized with an on-premises Active Directory (i.e. Microsoft Entra Connect or Microsoft Entra Cloud Sync). It bases its analysis on the onPremisesSyncEnabled property of the organization.
  2. Enabling Microsoft Entra Password Protection for the on-premises Active Directory domain (as outlined in the recommendation section) requires organizations to deploy an agent on every writable domain controller in the on-premises environment, because any of them can process a password change or reset. This IoE checks the relevant settings within the Entra ID portal, but it cannot validate the actual deployment status of the agent on the on-premises Active Directory domain controllers. As a result, false negatives are possible: the configuration appears compliant in Entra even though the agent is missing, outdated or not functioning on some domain controllers.

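The following script closes the gap described in note 2 from the on-premises side. It is an added example, not Tenable's or Microsoft's own code: it compares every writable domain controller in the forest against the DC agents that have registered with Entra ID, and flags domain controllers with no agent, a stale heartbeat or no downloaded policy. It assumes it is run on the proxy server (or another host with both the AzureADPasswordProtection module and the RSAT ActiveDirectory module) by an account that can enumerate the forest; the 24-hour heartbeat threshold is an assumption to tune to your environment.

```powershell
# Added example: verify that the Entra Password Protection DC agent is really running
# on every writable DC, which the Entra-side IoE cannot observe.
# Assumes: AzureADPasswordProtection and ActiveDirectory modules are available.
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection

$maxHeartbeatAge = New-TimeSpan -Hours 24   # assumption: anything older is treated as stale
$nowUtc = (Get-Date).ToUniversalTime()

# Every writable DC can process a password change, so every one of them needs the filter.
# Read-only DCs forward password changes to a writable DC and do not need the agent.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | Where-Object { -not $_.IsReadOnly }
}

# Agents that have registered with Entra ID and are reporting in
$agentByFqdn = @{}
foreach ($agent in Get-AzureADPasswordProtectionDCAgent) {
    $agentByFqdn[$agent.ServerFQDN.ToLower()] = $agent
}

$findings = foreach ($dc in $dcs) {
    $agent = $agentByFqdn[$dc.HostName.ToLower()]
    if (-not $agent) {
        [pscustomobject]@{ DC = $dc.HostName; Status = 'NO-AGENT'; Detail = 'agent never registered' }
        continue
    }
    $age = $nowUtc - $agent.HeartbeatUTC
    if ($age -gt $maxHeartbeatAge) {
        [pscustomobject]@{ DC = $dc.HostName; Status = 'STALE'; Detail = "last heartbeat $([int]$age.TotalHours)h ago" }
    } elseif (-not $agent.PasswordPolicyDateUTC) {
        [pscustomobject]@{ DC = $dc.HostName; Status = 'NO-POLICY'; Detail = 'no policy downloaded yet' }
    } else {
        [pscustomobject]@{ DC = $dc.HostName; Status = 'OK'; Detail = "policy dated $($agent.PasswordPolicyDateUTC.ToString('u')), agent $($agent.SoftwareVersion)" }
    }
}
$findings | Sort-Object Status | Format-Table -AutoSize

# Is the policy actually being applied? Rejection counters prove Enforced mode is live;
# audit-only counters mean the tenant is still in Audit mode.
Get-AzureADPasswordProtectionSummaryReport | Format-List
```

Any DC reported as NO-AGENT or STALE is exactly the case the IoE cannot see: the tenant setting reads "Enforced", yet a password set through that DC is never checked against the banned lists. Re-run the script after each domain controller promotion, since a freshly promoted DC has no agent until one is installed.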
Solution

Enabling Microsoft Entra Password Protection, including its extension to on-premises Active Directory domains, helps organizations prevent the use of weak passwords, thereby reducing the likelihood of attackers guessing these credentials and gaining unauthorized access to the organization's infrastructure. Note that the policy is evaluated only when a password is set or changed: passwords that already exist when enforcement begins are not retroactively checked, and remain in place until the next change.

Although this feature is enabled by default for Entra ID in the cloud, it does not automatically extend to Active Directory domain controllers in the on-premises environment. Extending this feature to Active Directory allows organizations to protect their on-premises AD users as well, provided that the tenant benefits from a premium license: Entra ID P1 or P2.

Tenable recommends that you:

  1. understand the concept, as described in Microsoft's "Enforce on-premises Microsoft Entra Password Protection for Active Directory Domain Services" documentation
  2. follow the Microsoft procedure to deploy the proxy service on one or more member servers and the dedicated DC agent, which implements a password filter DLL, on every writable domain controller (a reboot of each domain controller is required for the filter DLL to load)
  3. enable on-premises password protection in the Entra admin center (Protection > Authentication methods > Password protection) by setting "Enable password protection on Windows Server Active Directory" to "Yes" and "Mode" to "Audit"; review the audit events for a few weeks to measure the impact on users and the helpdesk, then switch "Mode" to "Enforced".

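The on-premises half of step 2 and the health checks that confirm it, written as an administrator would type them. This is an added example, not Tenable's or Microsoft's script: it assumes the two MSI installers have already been downloaded from the Microsoft Download Center to C:\Install (a hypothetical path), that admin@contoso.example (a hypothetical UPN) is a tenant Global Administrator used only for the one-time registrations, and that the commands are run from an elevated PowerShell session on the host named in each comment.

```powershell
# Added example: deploy and register Entra Password Protection on-premises.
# Assumes installers in C:\Install (hypothetical) and a Global Administrator UPN for registration.
$installDir = 'C:\Install'
$adminUpn   = 'admin@contoso.example'   # hypothetical; replace with your registration account

# --- On a member server (NOT a domain controller) with outbound HTTPS to Entra ID ---
# The proxy is the only component that talks to the cloud; DCs download policy through it.
Start-Process msiexec.exe -Wait -ArgumentList "/i `"$installDir\AzureADPasswordProtectionProxySetup.msi`" /quiet /qn /norestart"
Import-Module AzureADPasswordProtection

# One-time registrations: the proxy itself, then the forest (once per forest).
Register-AzureADPasswordProtectionProxy  -AccountUpn $adminUpn
Register-AzureADPasswordProtectionForest -AccountUpn $adminUpn

# Confirm the proxy can reach Entra ID and has published its endpoint in the forest.
Test-AzureADPasswordProtectionProxyHealth -TestAll

# --- On EVERY writable domain controller ---
# The DC agent installs the password filter DLL; LSASS only loads it at boot, so the
# installation is not effective until the DC restarts.
Start-Process msiexec.exe -Wait -ArgumentList "/i `"$installDir\AzureADPasswordProtectionDCAgentSetup.msi`" /quiet /qn /norestart"
Restart-Computer -Confirm   # do this inside a maintenance window, one DC at a time

# After the reboot: check the agent can find a proxy and download the policy.
Import-Module AzureADPasswordProtection
Test-AzureADPasswordProtectionDCAgentHealth -TestAll
```

Run the DC-agent section on each domain controller rather than once: a domain controller without the agent silently accepts banned passwords even when the tenant is in Enforced mode, which is the false-negative case the IoE description warns about. Keep the tenant in Audit mode until every DC passes the health check, then flip "Mode" to "Enforced" in the portal.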
Indicator Details

Name: Password Protection Not Enabled for On-Premises Environments

Codename: PASSWORD-PROTECTION-NOT-ENABLED-FOR-ON-PREMISES-ENVIRONMENTS

Severity: Medium

MITRE ATT&CK Information: