Control: 1.1.5 Ensure that password protection is enabled for Active Directory
Description
Enable Azure Active Directory Password Protection for on-premises Active Directory to protect against the use of common passwords.
Note: This recommendation applies to Hybrid deployments only, and will have no impact unless working with on-premises Active Directory.
Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory will strengthen the passwords that are used in the environment.
Remediation
To set up Azure Active Directory Password Protection, use the following steps:
- Download and install the Azure AD Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071.
- After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
- Go to Admin centers and click on Azure Active Directory.
- Select Azure Active Directory, then Security on the left side navigation, followed by Authentication methods.
- Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced.
- Click Save at the top of the right pane.
Default Value: Enabled / Enforced.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_5 --share
SQL
This control uses a named query:
with enable_banned_password_check_on_premises_settings as (
  select
    tenant_id,
    id
  from
    azuread_directory_setting
  where
    display_name = 'Password Rule Settings'
    and (name = 'EnableBannedPasswordCheckOnPremises' and value = 'True')
),
banned_password_check_on_premise_mode_settings as (
  select
    tenant_id,
    id
  from
    azuread_directory_setting
  where
    display_name = 'Password Rule Settings'
    and (name = 'BannedPasswordCheckOnPremisesMode' and value = 'Enforce')
),
tenant_list as (
  select distinct on (tenant_id)
    tenant_id,
    _ctx
  from
    azuread_user
)
select
  t.tenant_id as resource,
  case
    when (e.tenant_id is not null) and (b.tenant_id is not null) then 'ok'
    else 'alarm'
  end as status,
  case
    when (e.tenant_id is not null) and (b.tenant_id is not null) then t.tenant_id || ' has password protection enabled.'
    else t.tenant_id || ' has password protection disabled.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t
  left join enable_banned_password_check_on_premises_settings as e on e.tenant_id = t.tenant_id
  left join banned_password_check_on_premise_mode_settings as b on b.tenant_id = t.tenant_id;
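To see how the named query decides between ok and alarm without connecting to a tenant, the following added example (not part of the Powerpipe mod) runs the same logic against constructed rows standing in for azuread_directory_setting and azuread_user in a plain PostgreSQL session. The tenant ids, setting ids and _ctx values are made up; the setting names and values are the ones the control checks.

```sql
-- Added example, not the mod's own query: constructed fixtures shadow the two
-- Steampipe tables so the control's logic can be exercised offline.
with azuread_directory_setting (tenant_id, id, display_name, name, value) as (
  values
    -- tenant-a: check enabled and mode Enforce, the only combination the control accepts
    ('tenant-a', 'ps-1', 'Password Rule Settings', 'EnableBannedPasswordCheckOnPremises', 'True'),
    ('tenant-a', 'ps-1', 'Password Rule Settings', 'BannedPasswordCheckOnPremisesMode', 'Enforce'),
    -- tenant-b: check enabled but mode Audit, which the control does not accept
    ('tenant-b', 'ps-2', 'Password Rule Settings', 'EnableBannedPasswordCheckOnPremises', 'True'),
    ('tenant-b', 'ps-2', 'Password Rule Settings', 'BannedPasswordCheckOnPremisesMode', 'Audit')
    -- tenant-c: no Password Rule Settings object at all (only users exist)
),
azuread_user (tenant_id, _ctx) as (
  values ('tenant-a', '{}'), ('tenant-a', '{}'), ('tenant-b', '{}'), ('tenant-c', '{}')
),
enabled as (
  select tenant_id from azuread_directory_setting
  where display_name = 'Password Rule Settings'
    and name = 'EnableBannedPasswordCheckOnPremises' and value = 'True'
),
enforced as (
  select tenant_id from azuread_directory_setting
  where display_name = 'Password Rule Settings'
    and name = 'BannedPasswordCheckOnPremisesMode' and value = 'Enforce'
),
tenant_list as (
  -- one row per tenant, derived from the users table exactly as the control does
  select distinct on (tenant_id) tenant_id, _ctx from azuread_user
)
select
  t.tenant_id as resource,
  case when e.tenant_id is not null and b.tenant_id is not null then 'ok' else 'alarm' end as status,
  -- both joins must hit: an Audit-mode tenant or a tenant with no setting falls to alarm
  case when e.tenant_id is not null and b.tenant_id is not null
       then t.tenant_id || ' has password protection enabled.'
       else t.tenant_id || ' has password protection disabled.' end as reason
from tenant_list as t
left join enabled  as e on e.tenant_id = t.tenant_id
left join enforced as b on b.tenant_id = t.tenant_id
order by t.tenant_id;
```

Because the CTEs carry the same names as the Steampipe tables, deleting the two fixture CTEs turns the statement back into a live check against the real plugin tables.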