Here’s a quick way to identify accounts with bad passwords in your Active Directory (AD). If you’re running StealthAUDIT for Active Directory, this is a very effective yet low-effort way to eliminate compromised passwords from your domain.
Finding the bad passwords:
From your web browser, click through the report tree down to the Active Directory>Users section. The report you want is called ‘Weak Password Checks.’
One of the checks in this report performs a hash comparison between your AD passwords and a dictionary of known compromised passwords identified by STEALTHbits’ threat research team. I also suggest editing the dictionary to include things like lab passwords, your company name, or anything else that should not be part of a production AD password.
Scroll down to the bottom of the report and click on ‘Weak passwords.’ Here you will see a list of every account that currently has a known compromised password.
Automating remediation:
In my small example, I only found one account with a bad password but your production domain will likely have too many to clean up manually. If you own the AD Action Module, you can head over to the action wizard and create a new action that forces all users with bad passwords to change their password next time they log in. Perhaps you’d rather just create an incident in ServiceNow or send emails to the offending users. Check out the ServiceNow Action module as well as the SendMail Action module.
Preventing bad passwords from being applied in the future:
Most importantly, you want to prevent AD users from setting bad passwords in the future. To do this, we’ll turn to the Enterprise Password Enforcer in StealthINTERCEPT. In the templates tree, browse to Microsoft>Password Enforcement.
Next, drag this template into your Blocking policies, configure, and enable. This utilizes the StealthINTERCEPT agent to prevent passwords from being changed to anything in our dictionary of compromised passwords. Optionally, you can also send these alerts to your SIEM in real-time. That is done by checking “Send to SIEM” within the ‘actions’ tab.
Summary
Now you’ve successfully identified and fixed weak passwords as well as prevented these dangerous passwords from being used in the future. You can learn more about the StealthINTERCEPT Enterprise Password Enforcer here.
If you’re not already a STEALTHbits customer, click here to request a trial of StealthAUDIT’s Active Directory Assessment.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Adam Rosen serves as Vice President of Data Access Governance at Stealthbits – now part of Netwrix. An expert on managing and securing unstructured data, Adam has helped organizations of all sizes implement controls and policies to meet security, compliance, and efficiency objectives. In his current capacity at Stealthbits, he manages the industry-leading StealthAUDIT suite that enterprises around the world depend on to defend their most critical information.
Related Posts
- PROTIP – How to Purge Data in StealthAUDIT
- PROTIP – Fulfill a DSAR with StealthAUDIT 11.0
- Best Practices – Setting up StealthAUDIT SQL Server Database
- ProTip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for Oracle
- Pro Tip – StealthINTERCEPT DB Maintenance Best Practices
- PROTIP: Policy Registration & Managing StealthINTERCEPT via PowerShell and Editing StealthDEFEND Investigations & Categorizing Playbooks
- PROTIP: How to Update the “Have I Been Pwned” (HIBP) Breach Dictionary in StealthINTERCEPT Enterprise Password Enforcer and StealthAUDIT
- Protip: How to Setup User Activity & Database Logon Scans in StealthAUDIT for Oracle
- ProTip – The Power of Character Substitution Checks in StealthINTERCEPT Enterprise Password Enforcer
- Protip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for SQL
Leave a Reply