Control: 1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization
Description
Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy.
Enabling this gives your organization further customization on what secure passwords are allowed. Setting a bad password list enables your organization to fine-tune its password policy further, depending on your needs. Removing easy-to-guess passwords increases the security of access to your Azure resources.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select
Azure Active Directory
. - Select
Security
. - Under
Manage
, selectAuthentication Methods
. - Select
Password Protection
. - Set the
Enforce custom list
option toYes
. - Double click the custom banned password list to add a string.
Default Value
By default the custom bad password list is not 'Enabled'. Organizational-specific terms can be added to the custom banned password list, such as the following examples:
- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning
- Months and weekdays with your company's local languages.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v200_1_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v200_1_7 --share
SQL
This control uses a named query:
ad_manual_control