Password Management (part 3)
Windows Hello for Business
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
- Passwords are subject to replay attacks.
- Users can inadvertently expose their passwords due to phishing attacks.
Windows Hello is the most personal way for users to sign in to their Windows 10 devices: with just a look or a touch, users get enterprise-grade security without having to type a password.
Using Windows Hello
To use Windows Hello, sign in with a PIN that has already been set up, then click the Start button and select Settings > Accounts > Sign-in options to set up Windows Hello. Once set-up is complete, you can sign in with a quick swipe on your fingerprint reader or a glance at your camera.
Note: Windows Hello features only appear if your computer includes hardware that supports them.
Azure AD Smart Lockout
Smart lockout also tracks the last three bad password hashes so that repeated attempts with the same wrong password do not increment the lockout counter: entering the same bad password several times will not, by itself, lock the account. However, using smart lockout does not mean that a genuine user can never be locked out. To keep that from happening:
- Each Azure AD data center tracks lockout independently, so a user who hits every data center gets (threshold_limit * datacenter_count) attempts in total.
- Smart lockout uses familiar location versus unfamiliar location to differentiate between a bad actor and the genuine user.
If you successfully setup smart lockout policies in Azure AD, the attacks can be easily filtered out before reaching the on-premises AD.
Smart Lockout Integration with Pass-through Authentication
While using pass-through authentication, you should ensure that:
- The Azure AD lockout threshold is lower than the AD account lockout threshold: set the AD threshold to at least two or three times the Azure AD lockout threshold.
- The Azure AD lockout duration is longer than the AD "Reset account lockout counter after" duration.
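The two rules above are easy to get wrong because the Azure AD defaults (threshold 10, duration 60 seconds) do not automatically line up with a typical on-premises reset window. The following checker is an added example, not part of the original page or of any Microsoft tooling; the `AzureSmartLockout` and `OnPremLockout` containers and the `check_pta_alignment` function are constructed for illustration, and the sample on-premises values are constructed too. It flags a pair of policies that violates either rule and returns an empty list when they are aligned.

```python
from dataclasses import dataclass


# Constructed data model for the two policies the page compares (not Microsoft types).
@dataclass(frozen=True)
class AzureSmartLockout:
    threshold: int = 10    # failed sign-ins before the first lockout (Azure AD default)
    duration_s: int = 60   # lockout duration in seconds (Azure AD default)


@dataclass(frozen=True)
class OnPremLockout:
    threshold: int              # "Account lockout threshold" (0 means AD never locks accounts)
    reset_counter_after_s: int  # "Reset account lockout counter after", in seconds


def check_pta_alignment(azure: AzureSmartLockout, onprem: OnPremLockout,
                        factor: int = 2) -> list[str]:
    """Return the rule violations for a pass-through authentication deployment.

    Rule 1: the AD threshold is at least `factor` times the Azure AD threshold
            (two at minimum, three for more margin), so Azure AD locks out first.
    Rule 2: the Azure AD lockout duration is longer than the AD reset window, so
            the on-prem counter has already reset when Azure AD lets attempts through.
    """
    findings = []
    if onprem.threshold == 0:
        findings.append("on-prem Account lockout threshold is 0, so AD never locks accounts; "
                        "the two-to-three-times rule cannot be applied")
    elif onprem.threshold < factor * azure.threshold:
        findings.append(f"AD threshold {onprem.threshold} is below {factor}x the Azure AD "
                        f"threshold {azure.threshold}; raise it to at least "
                        f"{factor * azure.threshold}")
    if azure.duration_s <= onprem.reset_counter_after_s:
        findings.append(f"Azure AD lockout duration {azure.duration_s}s is not longer than the "
                        f"AD reset window {onprem.reset_counter_after_s}s; raise it above "
                        f"{onprem.reset_counter_after_s}s")
    return findings


if __name__ == "__main__":
    # Constructed sample: Azure AD defaults against an on-prem policy of 20 attempts
    # with a 15-minute reset window. The threshold rule passes, the duration rule fails.
    azure_defaults = AzureSmartLockout()
    onprem = OnPremLockout(threshold=20, reset_counter_after_s=900)
    for finding in check_pta_alignment(azure_defaults, onprem) or ["aligned"]:
        print(finding)
    # Raising the Azure AD lockout duration above the reset window clears the finding.
    fixed = AzureSmartLockout(threshold=10, duration_s=1800)
    print(check_pta_alignment(fixed, onprem) or ["aligned"])
```

Feed it the values read from the Group Policy check below and from the Azure portal; pass `factor=3` to apply the stricter end of the page's recommendation.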
Verify On-premises Account Lockout Policy
- Open the Group Policy Management tool.
- Edit the group policy that contains your organization's account lockout policy, for example the Default Domain Policy.
- Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policies.
- Verify your Account lockout threshold and Reset account lockout counter after values.
Manage Azure AD Smart Lockout Values
You can use the following steps:
- Sign in to Azure portal and navigate to Azure Active Directory > Authentication methods > Password protection.
- Set the Lockout threshold to the number of failed sign-ins allowed on an account before its first lockout (the default is 10).
- Set the Lockout duration in seconds to the length of each lockout (the default is 60 seconds).
Note: If the first sign-in after a lockout also fails, the account is locked again, and if this happens repeatedly the lockout duration increases.
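To make the counter behaviour concrete (the last three bad password hashes not incrementing the counter, separate tracking for familiar and unfamiliar locations, re-locking on the first failure after a lockout, and the growing lockout duration described in the note above), here is a small simulator. It is an added example and not Microsoft's implementation: the service's real hashing and escalation schedule are not public, so SHA-256 stands in for the password hash and each consecutive lockout is assumed to double the duration; the class and function names and the replayed sign-in sequence are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0                                        # counter toward the threshold
    recent_bad_hashes: list = field(default_factory=list)    # hashes of the last N bad passwords
    locked_until: float = 0.0                                # epoch seconds; 0 means not locked
    lockouts: int = 0                                        # consecutive lockouts, drives escalation


class SmartLockoutSimulator:
    """Toy model of the smart lockout counter (constructed example, not Microsoft code)."""

    def __init__(self, threshold=10, duration_s=60, remembered_hashes=3, escalation_factor=2):
        self.threshold = threshold
        self.duration_s = duration_s
        self.remembered_hashes = remembered_hashes   # page: last three bad password hashes
        self.escalation_factor = escalation_factor   # assumption: each repeat lockout doubles
        self.accounts: dict[tuple[str, bool], AccountState] = {}

    def _state(self, user, familiar_location):
        # Familiar and unfamiliar locations get separate counters (page: smart lockout
        # distinguishes a familiar location from an unfamiliar one).
        return self.accounts.setdefault((user, familiar_location), AccountState())

    def is_locked(self, user, now, familiar_location=True):
        return self._state(user, familiar_location).locked_until > now

    def record_failure(self, user, password, now, familiar_location=True):
        """Process one failed sign-in; returns 'locked', 'repeat' or 'counted'."""
        st = self._state(user, familiar_location)
        if st.locked_until > now:
            return "locked"                      # still inside the lockout window
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest in st.recent_bad_hashes:
            return "repeat"                      # same wrong password: counter not incremented
        st.recent_bad_hashes.append(digest)
        del st.recent_bad_hashes[:-self.remembered_hashes]   # keep only the last N
        st.failures += 1
        if st.failures >= self.threshold:
            # The counter is deliberately not cleared here, so the first failure after the
            # window expires locks the account again, for a longer period each time.
            st.lockouts += 1
            st.locked_until = now + self.duration_s * self.escalation_factor ** (st.lockouts - 1)
            return "locked"
        return "counted"

    def record_success(self, user, now, familiar_location=True):
        """A successful sign-in clears the counters; returns False if still locked."""
        if self._state(user, familiar_location).locked_until > now:
            return False
        self.accounts[(user, familiar_location)] = AccountState()
        return True


def walkthrough():
    """Replay a constructed sequence (threshold 3, 60 s) and return what was observed."""
    sim = SmartLockoutSimulator(threshold=3, duration_s=60)
    t = 1_000.0
    seq = [sim.record_failure("alice", p, t + i) for i, p in enumerate(["pw1", "pw2", "pw1", "pw3"])]
    first_window = sim._state("alice", True).locked_until - (t + 3)
    after_expiry = sim.record_failure("alice", "pw4", t + 100)      # first failure after lockout
    second_window = sim._state("alice", True).locked_until - (t + 100)
    unfamiliar = sim.record_failure("alice", "pw9", t, familiar_location=False)
    reset = sim.record_success("alice", t + 400)
    return {"sequence": seq, "first_window": first_window, "after_expiry": after_expiry,
            "second_window": second_window, "unfamiliar": unfamiliar, "reset": reset,
            "failures_after_reset": sim._state("alice", True).failures}


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

In the replayed sequence the third attempt repeats `pw1` and is not counted, the fourth distinct wrong password locks the account for 60 seconds, the first failure after that window locks it again for 120 seconds, the unfamiliar-location attempt is counted separately and does not lock anything, and a later successful sign-in clears the counters.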
How to determine if Smart Lockout is working?
Whenever the smart lockout threshold is triggered, the following message will appear while the account is locked:
Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.