Azure AD - Password attacks - logging and protections
Flow 1 (steps 1-5): legacy authentication through Exchange Online, federated with AD FS
[Diagram legend: Microsoft Azure Active Directory, Windows Server Active Directory, Exchange Online]

Step 1 | AuthN State: Not authenticated | Platform: Exchange Online
Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to AD FS.
Attack Stage: Password brute forcing / spray; denial of service via account lockout.
Logging: None.
Protections:
• Exchange Online IP Block List. Listed IP addresses will not be proxied to AD FS for authentication. Set using Set-OrganizationConfig -IPListBlocked.
• Exchange Online Authentication Policies. Authentication requests for users with disabled protocols will not be proxied to AD FS. A default policy can be configured to block protocols by default for new users.
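The two step-1 controls can be applied and verified from Exchange Online PowerShell. The script below is an added example, not code from the original deck or from Microsoft; it assumes the ExchangeOnlineManagement module, an Exchange administrator role, and uses constructed placeholder addresses (203.0.113.0/24 and 198.51.100.7 are documentation ranges), a constructed policy name and a constructed user.

```powershell
# Added example (not from the original deck). Assumes ExchangeOnlineManagement
# module and an Exchange administrator role. Every IP, policy name and user
# below is a constructed placeholder.
Connect-ExchangeOnline

# 1. IP Block List: listed addresses/ranges are never proxied to AD FS.
Set-OrganizationConfig -IPListBlocked @{Add = '203.0.113.0/24', '198.51.100.7'}

# 2. Authentication policy with Basic authentication disabled for every
#    protocol. New-AuthenticationPolicy already blocks Basic auth for all
#    protocols unless a switch allows one; the switches are spelled out so
#    the effective setting is visible in the script.
New-AuthenticationPolicy -Name 'Block Basic Auth' `
    -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false `
    -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false

# Make it the tenant default so new users are covered automatically...
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# ...and assign it explicitly to existing users (one user, then everyone).
Set-User -Identity 'alice@contoso.com' -AuthenticationPolicy 'Block Basic Auth'
Get-User -ResultSize Unlimited | Set-User -AuthenticationPolicy 'Block Basic Auth'

# Verify: blocked IPs, tenant default policy, and one user's effective policy.
Get-OrganizationConfig | Select-Object IPListBlocked, DefaultAuthenticationPolicy
Get-User -Identity 'alice@contoso.com' | Select-Object UserPrincipalName, AuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

A policy assigned with Set-User can take up to 24 hours to apply; to force immediate re-evaluation for a user, add `-STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)` to the Set-User call. Keep the IP block list short and reviewed: it stops the proxying described in step 1 for the listed sources only, and does nothing for attackers who rotate addresses, which is why the authentication policy is the control to rely on.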
Step 2 | AuthN State: Not authenticated | Platform: AD FS
Description: AD FS accepts the connection from Exchange Online and processes the authentication request. The password is incorrect.
Attack Stage: Password brute forcing / spray; denial of service via account lockout.
Logging:
• AD FS Auditing – WS2012R2 and above will log event 411 in the Security log containing the username and the client IP forwarded by Exchange Online. A script can be used to parse the logs. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
• Azure AD Connect Health – The Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
Protections:
• AD FS Extranet Lockout Protection – WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords; this reduces the number of tries an attacker gets at guessing a user’s password. Additionally, it prevents Active Directory accounts from being locked out if a lockout policy has been configured.
• AD FS Extranet Smart Lockout – Extranet Lockout in WS2016 has been extended to maintain a list of familiar locations (IP addresses) for users, to prevent blocking legitimate users.
• Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
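The step-2 logging point (event 411 in the Security log with the username and forwarded client IP) is most useful once the events are aggregated per source and per user. The script below is an added example written for this page; it is not the parsing script the deck refers to. It runs on an AD FS server (WS2012R2 or later, with AD FS auditing enabled), and it assumes the event 411 message contains a `Client IP:` line and an `Error message:` line of the form `user@domain-The user name or password is incorrect`; confirm that layout against a real event before relying on the regular expressions. The thresholds are constructed values.

```powershell
# Added example (not the deck's referenced script). Run on an AD FS server
# with auditing enabled. The message layout matched below is an assumption;
# check it against a real event 411 on your farm.
param(
    [int]$Hours = 24,
    [int]$SprayUserThreshold = 10,   # distinct users failing from one IP
    [int]$BruteUserThreshold = 5     # failures against one user
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 411
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $msg = $e.Message
    # Exchange Online forwards the original client IP. When AD FS records
    # several comma-separated addresses, the last one is taken as the end
    # client (assumption about the forwarded-IP layout).
    $ip = if ($msg -match 'Client IP:\s*([^\r\n]+)') {
        (($Matches[1] -split ',')[-1]).Trim()
    } else { 'unknown' }
    $user = if ($msg -match 'Error message:\s*(.+?)-The user name or password is incorrect') {
        $Matches[1].Trim().ToLowerInvariant()
    } else { 'unknown' }
    [pscustomobject]@{ Time = $e.TimeCreated; User = $user; IP = $ip }
}

"== Spray indicator: one source IP failing against many distinct users =="
$failures | Group-Object IP | ForEach-Object {
    [pscustomobject]@{
        IP            = $_.Name
        Failures      = $_.Count
        DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
        FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Where-Object DistinctUsers -ge $SprayUserThreshold |
    Sort-Object DistinctUsers -Descending | Format-Table -AutoSize

"== Brute-force indicator: one user accumulating failures =="
# Compare the counts with the Extranet Lockout threshold to see which
# accounts are close to being locked out.
$failures | Group-Object User | Where-Object Count -ge $BruteUserThreshold |
    Select-Object @{n = 'User'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

The same grouping is what a SIEM rule over forwarded 411 events should express: a spray shows up as a low per-user count spread across many users from one address, which per-account lockout alone never notices, while a brute force shows up as one user with a high count. Event 411 is written on the server that processed the request, so in a farm the script has to be run on (or the logs collected from) every node.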
Step 3 | AuthN State: Authenticated | Platform: AD FS
Description: AD FS successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
• Successful password brute force / spray
• Social engineering (e.g. phishing)
• Breach data re-use
Attack Stage: Unauthorised access.
Logging:
• Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
• AD FS Auditing provides rich event information. This data is useful when investigating specific events. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
Protections:
• Block legacy authentication protocols using Issuance Authorization Rules in AD FS. These rules can be crafted to only block or allow access from specific locations. Due to the complexity of this method, it is recommended to implement the block using Azure AD Conditional Access (see next step).
Step 4 | AuthN State: Authenticated | Platform: Azure AD
Description: Azure AD receives the token issued by AD FS from Exchange Online, evaluates Conditional Access and applies the corresponding controls.
Attack Stage: Unauthorised access.
Logging:
• Risk events reporting in Azure AD uses machine learning algorithms to detect users’ suspicious activities. Each alert is assigned a risk that represents the severity and confidence. Risk events are accessible via Graph API.
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or Graph API, flowed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
Protections:
• Azure AD Conditional Access can be configured to block clients using Legacy Authentication.
Step 5 | AuthN State: Authenticated | Platform: Exchange Online
Description: Exchange Online receives the authentication response from Azure AD.
Attack Stage: Unauthorised access to the organization’s data (mailbox, GAL, etc.).
Logging:
• Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Client protocols can be disabled for Exchange Online mailboxes. Always disable protocols that are not needed, such as POP3, IMAP and SMTP.
• Exchange Online Client Access Rules can be used to block access depending on different client properties like authentication type, IP address, etc.
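The three mailbox-level controls in step 5 (mailbox auditing, disabling unused client protocols, and a Client Access Rule keyed on authentication type) map directly to Exchange Online PowerShell. The script below is an added example for this page, not code from the deck or from Microsoft; it assumes the ExchangeOnlineManagement module and an Exchange administrator role, and every address, rule name and user in it is a constructed placeholder (203.0.113.0/24 and 198.51.100.7 are documentation ranges).

```powershell
# Added example (not from the original deck). Assumes ExchangeOnlineManagement
# module and an Exchange administrator role; names and addresses are placeholders.
Connect-ExchangeOnline

# 1. Mailbox auditing: record access and actions against a mailbox.
Set-Mailbox -Identity 'alice@contoso.com' -AuditEnabled $true
# Apply to every user mailbox in the tenant.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -AuditEnabled $true

# 2. Disable client protocols that are not needed: POP3, IMAP and SMTP AUTH.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
# Tenant-wide defaults so new mailboxes inherit the same settings.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Client Access Rule: deny Basic authentication except from a trusted range.
New-ClientAccessRule -Name 'Block Basic Auth from outside' -Priority 1 `
    -Action DenyAccess -AnyOfAuthenticationTypes BasicAuthentication `
    -ExceptAnyOfClientIPAddressesOrRanges '203.0.113.0/24'

# Check the rule's effect on a sample request before relying on it
# (returns $true when the request would be denied).
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol OutlookWebApp `
    -RemoteAddress 198.51.100.7 -RemotePort 443 -User 'alice@contoso.com'

# Verify the per-mailbox state.
Get-Mailbox -Identity 'alice@contoso.com' | Select-Object AuditEnabled
Get-CASMailbox -Identity 'alice@contoso.com' |
    Select-Object PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

Disconnect-ExchangeOnline -Confirm:$false
```

Disabling a protocol on the CAS mailbox removes the attack surface regardless of which password the attacker holds, which is why it sits on the "Authenticated" step: it limits what a stolen password buys. Note that Microsoft has since deprecated Client Access Rules in Exchange Online in favour of Conditional Access, so check current guidance before building new controls on them; the mailbox auditing and protocol settings remain current.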
Flow 2 (steps 1-4): legacy authentication through Exchange Online, authenticated by Azure AD

Step 1 | AuthN State: Not authenticated | Platform: Exchange Online
Description: Exchange Online accepts the connection, inserts additional metadata and proxies the authentication request to Azure AD.
Attack Stage: Password brute forcing / spray; denial of service via account lockout.
Logging: None.
Protections:
• Exchange Online IP Block List. Listed IP addresses will not be proxied to Azure AD for authentication. Set using Set-OrganizationConfig -IPListBlocked.
• Exchange Online Authentication Policies. Authentication requests for users with disabled protocols will not be proxied to Azure AD. A default policy can be configured to block protocols by default for new users.
Step 2 | AuthN State: Not authenticated | Platform: Azure AD
Description: Azure AD receives the authentication request from Exchange Online and processes it. The password is incorrect.
Attack Stage: Password brute forcing / spray; denial of service via account lockout.
Logging:
• Azure AD logs a sign-in failure with error code 50126. Logs can be accessed via the Portal or Graph API, flowed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
Protections:
• Azure AD Smart Lockout protects each account individually by locking out bad actors after 10 bad passwords (configurable), but lets real users continue to access their accounts. It works in all cloud authentication scenarios.
• IP Lockout is a service-level protection that blocks attacks coming from specific IP addresses.
• Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
Step 3 | AuthN State: Authenticated | Platform: Azure AD
Description: Azure AD successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
• Successful password brute force / spray
• Social engineering (e.g. phishing)
• Breach data re-use
Azure AD then evaluates Conditional Access and applies the corresponding controls.
Attack Stage: Unauthorised access.
Logging:
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or Graph API, flowed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
• Risk events reporting in Azure AD uses machine learning algorithms to detect users’ suspicious activities. Each alert is assigned a risk that represents the severity and confidence. Risk events are accessible via Graph API.
Protections:
• Azure AD Conditional Access can be configured to block clients using Legacy Authentication.
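Steps 2 and 3 name two things worth pulling out of the Azure AD sign-in logs before tuning the protections: the 50126 failures (who is being sprayed, from where) and the successful sign-ins that still use legacy authentication (what a Conditional Access legacy-auth block would cut off). The script below is an added example for this page, not from the deck or from Microsoft; it assumes the Microsoft.Graph.Reports module and a principal granted AuditLog.Read.All and Directory.Read.All, and the 24-hour window and the threshold of 10 users are constructed values.

```powershell
# Added example (not from the original deck). Assumes Microsoft.Graph.Reports
# and the AuditLog.Read.All / Directory.Read.All permissions.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Sign-in failures with error 50126 (invalid username or password) grouped
#    by source IP. Many distinct users from one address is the spray pattern
#    that per-account Smart Lockout does not surface on its own.
$failed = Get-MgAuditLogSignIn -All -Filter "status/errorCode eq 50126 and createdDateTime ge $since"
$failed | Group-Object IpAddress | ForEach-Object {
    [pscustomobject]@{
        IpAddress     = $_.Name
        Failures      = $_.Count
        DistinctUsers = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
        ClientApps    = (@($_.Group.ClientAppUsed | Sort-Object -Unique) -join ', ')
    }
} | Where-Object DistinctUsers -ge 10 |
    Sort-Object DistinctUsers -Descending | Format-Table -AutoSize

# 2. Successful sign-ins from legacy authentication clients. Azure AD reports
#    modern clients as 'Browser' or 'Mobile Apps and Desktop clients'; anything
#    else (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients)
#    is what a Conditional Access legacy-auth block would stop.
$modern = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -All -Filter "status/errorCode eq 0 and createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modern) } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Select-Object Count,
        @{n = 'ClientApp'; e = { $_.Values[0] }},
        @{n = 'User';      e = { $_.Values[1] }} |
    Sort-Object Count -Descending | Format-Table -AutoSize

Disconnect-MgGraph
```

The second report is the list to work through before enabling the legacy-auth block in Conditional Access: each row is a user and protocol pair that will break, so either the client is moved to Modern Authentication or the user gets a documented exception. For continuous monitoring, the same two queries belong in the SIEM fed from Azure Event Hub rather than in an ad hoc Graph call.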
Step 4 | AuthN State: Authenticated | Platform: Exchange Online
Description: Exchange Online receives the authentication response from Azure AD.
Attack Stage: Unauthorised access to the organization’s data (mailbox, GAL, etc.).
Logging:
• Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Client protocols can be disabled for Exchange Online mailboxes. Always disable protocols that are not needed, such as POP3, IMAP and SMTP.
• Exchange Online Client Access Rules can be used to block access depending on different client properties like authentication type, IP address, etc.
Flow 3 (steps 1-6): browser or Modern Authentication client, federated with AD FS

Step 1 | AuthN State: Not authenticated | Platform: Exchange Online
Description: The attacker uses a browser or a Modern Authentication-capable client (e.g. Outlook 2016) to connect to Exchange Online. Exchange Online redirects the user to Azure AD.
Attack Stage: Reconnaissance.
Logging: None.
Protections: N/A.
Step 2 | AuthN State: Not authenticated | Platform: Azure AD
Description: Azure AD presents the sign-in screen. The attacker enters a random UPN (e.g. random@contoso.com). Azure AD performs Home Realm Discovery and redirects to Contoso’s IdP.
Attack Stage: Reconnaissance (IdP endpoint).
Logging: None.
Protections: None.
Step 3 | AuthN State: Not authenticated | Platform: AD FS
Description: The attacker uses a tool to perform password brute forcing / spray against AD FS.
Attack Stage: Password brute forcing / spray; denial of service via account lockout.
Logging:
• AD FS Auditing – WS2012R2 and above will log event 411 in the Security log containing the username and client IP; event 510 provides more details. A script can be used to parse the logs. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
• Azure AD Connect Health – The Risky IP report provides rich information about bad password attempts and Extranet Lockout events.
Protections:
• AD FS Extranet Lockout Protection – WS2012R2 and above can be configured to stop accepting authentication requests for a user after a number of bad passwords; this reduces the number of tries an attacker gets at guessing a user’s password. Additionally, it prevents Active Directory accounts from being locked out if a lockout policy has been configured.
• AD FS Extranet Smart Lockout – Extranet Lockout in WS2016 has been extended to maintain a list of familiar locations (IP addresses) for users, to prevent blocking legitimate users.
• Deploy Azure AD Password Protection to minimise the success rate of password spray attacks by banning common passwords in the organisation.
• IPs or subnets can be blocked at the network layer. This method does not provide a complete solution.
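The Extranet Lockout controls listed here (and in flow 1, step 2) are set on the AD FS farm with Set-AdfsProperties. The script below is an added example for this page, not from the deck or from Microsoft; it assumes it is run on the primary AD FS server by an AD FS administrator, that the ExtranetLockoutMode and familiar-location cmdlets are available (WS2016 with the June 2018 update, or later), and the threshold and window values are constructed starting points, not recommendations.

```powershell
# Added example (not from the original deck). Run on the primary AD FS server
# as an AD FS administrator. Threshold values are constructed starting points.
Import-Module ADFS

# WS2012R2 and later: classic Extranet Lockout. Keep the AD FS threshold below
# the Active Directory account-lockout threshold so AD FS stops accepting
# guesses before AD locks the account (this is what prevents the lockout DoS).
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold 10 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# WS2016 (June 2018 update) and later: Extranet Smart Lockout. AD FS keeps a
# per-user list of familiar locations, so failures from unfamiliar IPs do not
# block the user from locations they normally sign in from. Start in log-only
# mode, review the results, then enforce.
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutLogOnly `
    -ExtranetLockoutThresholdFamiliarLocation 10
# After review:
# Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

# Verify the farm-wide state.
Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold,
    ExtranetObservationWindow, ExtranetLockoutMode, ExtranetLockoutThresholdFamiliarLocation

# Inspect one user's familiar locations and current bad-password counters
# (user name is a placeholder).
Get-ADFSAccountActivity -Identity 'alice@contoso.com'
```

Log-only mode is the safe way in: it records what enforce mode would have done, which lets you check the familiar-location data against real user behaviour and the Risky IP report before any legitimate sign-in can be refused. Whichever mode is used, the AD FS threshold must stay below the domain lockout threshold, otherwise AD still locks the account and the denial-of-service outcome in the Attack Stage column remains reachable.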
Step 4 | AuthN State: Authenticated | Platform: AD FS
Description: AD FS successfully processes the authentication request as the attacker is in possession of the right password. This can happen due to:
• Successful password brute force / spray
• Social engineering (e.g. phishing)
• Breach data re-use
Attack Stage: Unauthorised access.
Logging:
• Azure AD Connect Health provides usage analytics, performance monitoring and alerting for AD FS.
• AD FS Auditing provides rich event information. This data is useful when investigating specific events. Additionally, logs can be ingested into a SIEM solution for further analysis and alerting.
Protections:
• Azure Multi-Factor Authentication can be integrated natively with AD FS to protect other applications (Relying Parties) configured in AD FS. However, it is recommended to move these applications to Azure AD to be able to leverage the security reporting capabilities of Azure AD and the automated responses of Identity Protection.
• Issuance Authorization Rules or Access Control Policies in AD FS can be used to deny access to applications from outside the network; however, it is recommended to apply this and other controls using Azure AD Conditional Access.
Step 5 | AuthN State: Authenticated | Platform: Azure AD
Description: The attacker gets redirected to Azure AD, which receives the token issued by AD FS, evaluates Conditional Access and applies the corresponding controls.
Attack Stage: Unauthorised access.
Logging:
• Risk events reporting in Azure AD uses machine learning algorithms to detect users’ suspicious activities. Each alert is assigned a risk that represents the severity and confidence. Risk events are accessible via Graph API.
• Azure AD logs a sign-in event. Logs can be accessed via the Portal or Graph API, flowed to Azure Log Analytics or to a SIEM solution via Azure Event Hub, or stored in Azure Storage for long-term retention.
Protections:
• Azure AD Conditional Access can be configured to enforce additional security controls before allowing access to applications. At a minimum, we recommend enforcing at least one of the following controls for extranet access:
  • MFA
  • Hybrid Join
  • Compliant Device
• Azure AD Identity Protection can be used to automatically respond to detected suspicious actions related to the organisation’s identities.
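The Conditional Access recommendations across the flows come down to two policies: block legacy-authentication clients outright, and require at least one of MFA, Hybrid Join or a compliant device for extranet access from modern clients. The script below creates both through Microsoft Graph as an added example for this page; it is not from the deck or from Microsoft. It assumes the Microsoft.Graph.Identity.SignIns module, a principal granted Policy.ReadWrite.ConditionalAccess and Policy.Read.All, and a break-glass group whose id is a placeholder; both policies are created in report-only mode.

```powershell
# Added example (not from the original deck). Assumes Microsoft.Graph.Identity.SignIns
# and the Policy.ReadWrite.ConditionalAccess / Policy.Read.All permissions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object id of the emergency-access (break-glass) group that is
# excluded from every policy so a misconfiguration cannot lock out all admins.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Policy 1: block clients that only speak legacy authentication protocols.
# 'exchangeActiveSync' and 'other' are the Graph clientAppTypes values that
# cover Basic-auth clients; browser and modern clients are not matched.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: for modern clients coming from outside trusted locations, require
# at least one strong control (MFA, Hybrid Azure AD joined or compliant device).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Extranet: require MFA, hybrid join or compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa', 'compliantDevice', 'domainJoinedDevice')
    }
}

# Review the policies and their state before switching them to 'enabled'.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

Disconnect-MgGraph
```

Report-only mode writes the policy's would-be outcome into each sign-in event, so the sign-in logs described in the Logging column show exactly which users and clients each policy would have blocked before it is enforced. The `AllTrusted` exclusion relies on named locations already being defined and marked trusted; without them the second policy applies to every sign-in, which is a reasonable default but not the "extranet access" scope the deck describes.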
Step 6 | AuthN State: Authenticated | Platform: Exchange Online
Description: The attacker gets redirected to Exchange Online.
Attack Stage: Unauthorised access to the organization’s data (mailbox, GAL, etc.).
Logging:
• Exchange Online mailbox auditing can be enabled to log access and actions performed against a mailbox.
Protections:
• Exchange Online Client Access Rules can be used to block access depending on different client properties like authentication type, IP address, etc.