Security is essential for every organization. When an account password is breached and someone gains access to the environment, a lot of confidential data can be gathered and leaked. This is a massive problem for every company, not to mention the time you will spend dealing with it. Security starts with implementing fundamentals in the infrastructure and informing users so they are aware. In this article, you will learn how to audit and secure Active Directory passwords from breaches.
Table of contents
- Audit and secure account passwords
- Install Lithnet Password Protection for Active Directory
- Download HIBP passwords list
- Import HIBP passwords list
- Check Lithnet Password Protection database
- Check breached passwords in Active Directory
- Prevent users from creating breached passwords
Audit and secure account passwords
It’s important to understand that there are two critical configurations that you need to do in the organization:
- Audit account passwords: Create an export and check if there are weak/breached passwords.
- Secure account passwords: Create a policy so users and administrators can’t create weak/breached passwords.
To configure both options above, you must download and install Lithnet Password Protection for Active Directory. You will use it to check for breached passwords against the HIBP (Have I Been Pwned) passwords list and to prevent the creation of weak/breached passwords in Active Directory (more below).
Note: If you have a hybrid Azure AD configuration, we recommend you configure Azure AD Password Protection for on-premises.
Install Lithnet Password Protection for Active Directory
Sign in to the Domain Controller.
Download Lithnet Password Protection from GitHub.
Start the Lithnet Password Protection for Active Directory Setup and go through the installation wizard. The setup is straightforward, and you can click through it.
Download HIBP passwords list
Once the file is downloaded, move it to the C:\temp folder.
The downloaded .7z file is 11.7 GB.
Extract the pwned-passwords-ntlm-ordered-by-hash-v8.7z file. You can use 7-Zip or WinRar to extract the file.
The extracted .txt file is 28.5 GB.
Remove the .7z file you downloaded. It has been extracted, and deleting it will save you space.
The plain-text hash file is 28.4 GB, but when you import it into the Lithnet store, it will take 11.1 GB in size (more on that below).
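Because the import that follows takes a long time, it is worth confirming first that the extracted file really is the NTLM list ordered by hash. The following is an added example, not part of the original article or of Lithnet Password Protection: Test-HibpNtlmFile is a hypothetical helper name, it assumes the HASH:COUNT line format of the HIBP NTLM download, and the demo runs on constructed sample files.

```powershell
# Added example: sanity-check a HIBP NTLM hash list before importing it.
# Test-HibpNtlmFile is a hypothetical helper name, not a Lithnet cmdlet.
function Test-HibpNtlmFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $SampleLines = 1000   # only the head of the file is read
    )
    $previous = $null
    $lineNo = 0
    foreach ($line in (Get-Content -LiteralPath $Path -TotalCount $SampleLines)) {
        $lineNo++
        # 40 hex characters means the SHA-1 download was extracted by mistake.
        if ($line -match '^[0-9A-Fa-f]{40}(:\d+)?$') {
            return "Line ${lineNo}: 40 hex characters, this looks like the SHA-1 list, not NTLM"
        }
        # Assumed line format: 32 hex characters (NTLM hash), a colon, a count.
        if ($line -notmatch '^([0-9A-Fa-f]{32}):\d+$') {
            return "Line ${lineNo}: not in HASH:COUNT form with a 32-character NTLM hash"
        }
        $hash = $Matches[1].ToUpperInvariant()
        # The ordered-by-hash file must be strictly ascending.
        if ($null -ne $previous -and [string]::CompareOrdinal($previous, $hash) -ge 0) {
            return "Line ${lineNo}: hashes are not in ascending order"
        }
        $previous = $hash
    }
    if ($lineNo -eq 0) { return 'File is empty' }
    return 'OK'
}

# Constructed sample files (the counts are made up): a valid NTLM list
# and a file that contains a SHA-1 hash instead.
$good = Join-Path ([IO.Path]::GetTempPath()) 'hibp-ntlm-sample.txt'
$bad  = Join-Path ([IO.Path]::GetTempPath()) 'hibp-sha1-sample.txt'
Set-Content -LiteralPath $good -Value @(
    '31D6CFE0D16AE931B73C59D7E0C089C0:10'
    '8846F7EAEE8FB117AD06BDD830B7586C:20'
)
Set-Content -LiteralPath $bad -Value '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:30'

Test-HibpNtlmFile -Path $good
Test-HibpNtlmFile -Path $bad
Remove-Item -LiteralPath $good, $bad
```

On the Domain Controller, point -Path at C:\temp\pwned-passwords-ntlm-ordered-by-hash-v8.txt before starting the import.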
Import HIBP passwords list
Run PowerShell as administrator and run the below command to import the pwned-passwords-ntlm-ordered-by-hash-v8.txt file to the Lithnet store.
PS C:\> Import-CompromisedPasswordHashes -Filename "C:\temp\pwned-passwords-ntlm-ordered-by-hash-v8.txt"
It will take time to read the text file and convert the hashes into a much smaller binary format.
Check Lithnet Password Protection database
Start File Explorer and go to the Lithnet Password Protection database path.
C:\Program Files\Lithnet\Active Directory Password Protection\Store\v3\p
Check that the DB files are created.
The store size is 11.1 GB.
Remove the text file you extracted. It has been imported into the store, and deleting it will save you space.
Check breached passwords in Active Directory
Download the Audit-Passwords.ps1 script and paste it into C:\scripts on the Domain Controller.
Ensure that the file is unblocked to prevent any errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.
Run PowerShell as administrator. Change the path to the scripts folder. Run the PowerShell script to audit the breached passwords in Active Directory. Wait till it completes.
PS C:\> cd c:\scripts
PS C:\scripts> .\Audit-Passwords.ps1
The PS output shows which accounts have a password that’s breached. Also, a CSV file with the name get-pwned-users.csv is generated in C:\scripts.
This is how it looks in our example. Only one account has a password that is listed in the HIBP pwned passwords list.
Now that you have the accounts with pwned passwords, you can send an email to them to change their password.
But what if they change the password and insert a breached password again? Do you want to keep checking AD for breached passwords daily or weekly and send the users emails to change their passwords? Well, that’s not something you want. It’s time-consuming, and the organization is not safe.
In the next step, you will configure a group policy that prevents users from creating a pwned password.
Prevent users from creating breached passwords
The best way is to configure a policy that checks every new password against the HIBP password list when a user wants to create it.
If the password is in the pwned passwords list, the user can’t use it. However, if the password is accepted, it means it’s not in the breached list and is secure enough to apply.
Configure Group Policy
Start Group Policy Management. Right-click the Domain Controllers OU and click on Create a GPO in this domain, and link it here.
Give the policy the name LithnetPP and click on OK.
Right-click the LithnetPP GPO object and select Edit.
In the Group Policy Editor, navigate to:
Computer Configuration\Policies\Administrative Templates\Lithnet\Password Protection for Active Directory\Default Policy
Double-click Reject passwords found in the compromised password store.
Check the checkbox Enabled and enable both the options Enable for password set operations and Enable for password change operations. Click on OK.
Note: There are more GPO options, and you should have a look through them. But be aware that the more options you configure, the more complex it will become for the users to create a password.
Reboot the Domain Controller for changes to take effect.
Test password policy
Test that the GPO works by going through the following steps:
- Active Directory Users and Computers: Create a new AD user account with and without a password in the HIBP list.
- Active Directory Users and Computers: Reset a password for an existing AD user account with and without a password in the HIBP list.
- Windows device domain joined: Sign in with a user account and reset the password with and without a password in the HIBP list.
In our example, we will show only the first example.
Start Active Directory Users and Computers. Right-click a user account and select Reset the password.
Fill in a password that appears in the HIBP list, or you can always go to HIBP Pwned Passwords and fill in the password to check if it has previously appeared in a data breach.
Fill in the password twice and click on OK. In our example, we will use Password01.
The error appears:
Windows cannot complete the password change for user because: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
Now do the same steps but with a password that’s not breached, and it will complete the password change successfully.
You learned how to audit Active Directory passwords and secure Active Directory passwords from breaches. Always run an audit and inform the management on how to make the password requirements more strict with the help of Lithnet Password Protection. Don’t forget to configure MFA on top of this, so that if a password is breached in the future, there is always a second layer of protection.