Sometimes it feels like the Self Bootstrapping mentality has seeped too deep into the roots of the IT domain.
Factors of Loss
Something you forgot
Something you lost
Something you were
Somewhere you went
Something you did
Day 9 - SC-900 - Conditional Access & AAD Security Default Settings
-Conditional Access in Azure AD(AAD)
  -A feature of AAD that provides an extra layer of security before allowing Authenticated(AuthN) users to access data or other resources
  -Policies analyze signals to automate decisions for Authorizing(AuthZ) access to resources
  -Signals include sources such as:
    -User Attributes(Group Memberships)
    -Location(IP range, office location)
    -Device(Domain joined, platform type/OS, version compliance)
    -Application(App)(App policy, client type)
    -Risk(Sign-in/user risk)
  -Access Controls: Signals are reviewed & will trigger a type of verification requirement based on the status/policy of the signals
    -i.e. should the AuthN attempt require MFA, allow without verification, block outright, etc
  -Session Controls: If verification is completed AuthZ is confirmed & the identity is granted access to resources, apps, data, etc.
-Security Defaults in AAD:
  -Preconfigured security settings designed to provide Organizations(orgs) protection from common attacks more easily
  -Requiring all users to register for AAD Multi-factor Authentication(MFA)
  -Requiring Administrators(admin) to perform MFA
  -Requiring users to perform MFA when necessary
  -Blocking legacy AuthN protocols
  -Protecting privileged activities like access to the Azure portal
  -These defaults are in place for orgs that have not had the opportunity to configure more granular conditional access policies.
  -Orgs will often turn off the security defaults as they implement their organization specific conditional access/security control config within their environment.
  -These defaults are implemented at creation of tenants created on/after 22 October 2019
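The signal-to-decision flow in the Day 9 notes, as an added example that is not part of the original post and is not Microsoft's API or policy schema. The class names, fields and sample policies are hypothetical, and the model assumes that a matching block policy takes precedence and that the controls required by all matching policies add up.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RISK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class SignIn:  # signals gathered for one authenticated sign-in (hypothetical model)
    groups: set
    ip: str
    app: str
    risk: str = "low"
    device_compliant: bool = False
    mfa_done: bool = False

@dataclass
class Policy:  # an empty condition means "applies to everything"
    name: str
    groups: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    excluded_networks: tuple = ()
    min_risk: str = "low"
    block: bool = False
    controls: set = field(default_factory=set)  # e.g. {"mfa"}

def applies(p: Policy, s: SignIn) -> bool:
    """A policy is in scope only if every one of its conditions matches the signals."""
    if p.groups and not p.groups & s.groups:
        return False
    if p.apps and s.app not in p.apps:
        return False
    if any(ip_address(s.ip) in ip_network(n) for n in p.excluded_networks):
        return False
    return RISK[s.risk] >= RISK[p.min_risk]

def evaluate(s: SignIn, policies) -> tuple:
    """Return (decision, missing_controls). Block wins; required controls accumulate."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.block for p in matched):
        return "block", set()
    required = set().union(*(p.controls for p in matched))
    satisfied = {c for c, ok in (("mfa", s.mfa_done),
                                 ("compliant_device", s.device_compliant)) if ok}
    missing = required - satisfied
    return ("challenge", missing) if missing else ("allow", set())

# Constructed policies; 203.0.113.0/24 is a documentation range standing in for "the office".
POLICIES = [
    Policy("MFA for admins", groups={"admins"}, controls={"mfa"}),
    Policy("MFA outside office", excluded_networks=("203.0.113.0/24",), controls={"mfa"}),
    Policy("Compliant device for finance", apps={"finance"}, controls={"compliant_device"}),
    Policy("Block high risk", min_risk="high", block=True),
]
```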
Day 8 - SC-900 - Self-Service Password Reset(SSPR), Password Protection, & Password Management Capabilities
Self-Service Password Reset(SSPR):
-Benefits of SSPR:
  -Gives users the ability to quickly change/reset their password
  -Users can follow prompts to unblock themselves w/o admin involvement
  -Reduces the most common type of helpdesk(HD) call
-Requirements of SSPR Use:
  -User must be:
    -Assigned an Azure AD(AAD) license
    -Enabled for SSPR by an admin
    -Registered with the AuthN method they want to use
  -Note: Two(2) or more AuthN methods are recommended in case one(1) is unavailable.
  -Tip: Enable SSPR for a group
    -Note: this tip does require AAD Premium Plan 1
-SSPR Use Cases:
  -Password Change: When a user knows their password but wants to change it to something new.
  -Password Reset: When a user cannot sign in because they forgot their password & want to reset it.
  -Account Lock: When a user cannot sign in because their account is locked out.
-SSPR Supported AuthN Methods:
  -Email
  -Mobile App Notification
  -Mobile App Code
  -Mobile Phone
  -Office Phone
  -Security Questions
-Combined Registration for AAD MFA & SSPR:
  -Starting 15 Aug 2020 all new AAD tenants will be auto enabled for combined registration
  -After 30 Sept 2022 all users will register security info through the combined registration experience
Password Protection & Management Capabilities:
-AAD Password Protection
  -Users often choose weak passwords that are susceptible to dictionary attacks
  -AAD provides both global & custom banned password lists
  -A password change request fails if there's a match in these banned passwords lists
  -Supports hybrid environments; AD domain controllers are not put at risk
-Banned Password Lists:
  -Global Banned Password List: A global banned password list with known weak passwords is auto updated & enforced by Microsoft
  -Custom Banned Password Lists: Lists of custom banned passwords created by admins to support specific business security needs(Brand/Product names, company location names, etc)
-Smart Lockout
  -Microsoft system created to help lock out bad actors(BA) that try to guess user passwords, use brute-force, or password spray attack methods
  -By default it locks the account from sign-in attempts for one(1) minute after ten(10) failed attempts & longer as failures continue
  -Uses familiar location vs unfamiliar location to differentiate between genuine user & bad actor
  -Integration with On-Prem AD:
    -Can be integrated with hybrid deployments that use password hash sync/pass-through authentication
    -Protects on-prem AD Domain Services(ADDS) accounts from being locked out

Day 7 - SC-900 - Multi-factor Authentication(AuthN)(MFA) in Azure AD(AAD)
-Azure MFA Requires 2 or more AuthN methods:
  -Something you know(PIN/Password)
  -Something you have(Trusted Device)
  -Something you are(Bio-metrics)
-Additional Verification methods for AAD MFA:
  -Microsoft Authenticator App
  -Windows Hello for Business
  -Fast Identity Online(FIDO)2 Security Key
  -Open Authentication(OATH) Software Token
  -SMS/Text Message
  -Voice Call
-User Registration for AAD MFA:
  -Users can self register for self-service password reset & AAD MFA in one step for simple on-boarding
  -Admins can decide which forms of 2ndary AuthN can be used
-Options for Pushing MFA Registration:
  -Using AAD Identity Protection(Easiest)
  -Prompt user to register for MFA when they attempt to use an app that requires MFA
  -Enforcing MFA registration using an AAD Conditional Access policy
-AAD MFA Registration Policy
  -Can be enabled to require users to register for AAD MFA next time they sign in
  -Users have 14 days to complete registration
  -Note: This requires AAD Premium P2
-App Passwords:
  -Older, non-browser apps don't understand pauses/breaks in AuthN process
  -App passwords replace traditional passwords to allow an app to bypass MFA & work correctly
  -Note: App passwords don't work with Conditional Access-based MFA policies & modern AuthN
Day 6 - SC-900 - Authentication Methods in Azure AD(AAD)
Passwords:
-Weakest of authentication methods in AAD
-Subject to classic exploitation techniques such as password spraying & bruteforce attacks
-Still subject to exploitation even with enforced complexity
-Can be combined with other non-controlled application methods to bolster it, such as:
  -SMS:
    -SMS is considered less than secure in practical application.
  -Voice Call
-Can be combined with controlled application methods to bolster it, such as:
  -Microsoft AuthN App:
    -Can be used as a primary form of AuthN to sign into an AAD account
    -Can be used as additional verification option for self-service password reset(SSPR) or AAD multi-factor authentication(MFA) events.
    -Users must download the phone app & register their account to use this application.
  -Open Authentication(OATH) Token One-Time Password(OTP)
    -Open standard that specifies how time-based OTP(TOTP) codes are generated
    -Software Token:
      -AAD generates a secret key, or seed, that is input into the app & used to generate each OTP
      -Typically an application
    -Hardware Token:
      -Small hardware devices that look like a key fob
      -Secret key/seed programmed into the token
      -Displays a code that refreshes every 30 or 60 seconds
Passwordless:
-Windows Hello
  -AuthN feature built into Windows 10
  -Replaces passwords with strong two-factor AuthN(2FA) on PCs & Mobile Devices
  -Allows users to AuthN to:
    -Microsoft Account
    -AD Account
    -AAD Account
    -Identity Provider Services
    -Relying party services that support FIDO2 AuthN
  -Windows Hello is for personal devices.
    -Uses a PIN or biometric gesture.
  -Windows Hello for Business is for business owned devices
    -Uses Key-based or cert-based AuthN
  -Solves the following problems:
    -Password reuse
    -Exposure of symmetric network credentials during/after a server breach
    -Replay attacks
    -Password exposure due to phishing
-Microsoft Authenticator
-Fast Identity Online(FIDO)2 Security Key:
  -Uses public-key (Asymmetric) cryptography for user AuthN
  -User has a physical device(USB or NFC)
  -AuthN Sequence:
    -Provide Username > Cryptographic Challenge > Use FIDO2 key to sign > service verifies response > Access is granted
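How the OATH seed from the Day 6 notes turns into a code that refreshes every 30 seconds, as an added example that is not part of the original post: TOTP per RFC 6238 (built on RFC 4226 HOTP), plus a server-side check. The `verify` helper, its drift window and its replay guard are assumptions of this example, and the seed is the published RFC test value.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on how many `step`-second windows have elapsed."""
    return hotp(seed, int(unix_time // step), digits)

def verify(seed, submitted, unix_time, step=30, drift=1, last_counter=-1, digits=6):
    """Server-side check (hypothetical helper). Returns the matched counter or None.

    drift: windows of clock skew tolerated either side of "now".
    last_counter: highest counter already accepted for this user; anything
    at or below it is refused so a captured code cannot be replayed.
    """
    now = int(unix_time // step)
    for counter in range(now - drift, now + drift + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(seed, counter, digits), submitted):
            return counter
    return None

# Constructed sample: the published RFC 6238 test seed, never a real secret.
SEED = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SEED, 59)
    print("code at t=59:", code)
    print("accepted one window later:", verify(SEED, code, 89))
    print("replay refused:", verify(SEED, code, 89, last_counter=1))
    print("expired after three windows:", verify(SEED, code, 149))
```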
Day 5 - SC-900 - Azure Active Directory
Azure AD identity types:
User
-Representation of an entity that is managed by Azure AD
-Both Guests & Employees are represented as users
-Azure AD B2B collaboration: Feature within External Identities that includes the capability to add guest users & enables orgs to securely share apps & services with guest users from other orgs
Service Principal
-An Identity for an application
-Enables AuthN & AuthZ of the app to resources that are secured by the AD tenant
-App must first be registered w/ Azure AD to enable identity & access integration
-Once registered a service principal is created in each Azure AD tenant where the app is used.
Managed Identity
-Special type of service principal that is auto managed in Azure AD
-Eliminates the need for admins & devs to manage credentials
-User Assigned:
  -Identity that can be shared by multiple resources & has a lifecycle independent of said resources
-System Assigned:
  -Identity that is tied to the lifecycle of a specific service or resource & cannot be shared.
-When the choice is available, use system-assigned managed identities to minimize admin effort.
Device
-A piece of hardware(mobile device, laptop, server, printer, etc)
-Azure AD Registered: Provides users w/ support for BYOD device scenarios
-Azure AD Joined: Device joined to Azure AD through an org account which is then used to sign into the device.
-Hybrid Azure AD Joined: Domain joined device to Azure AD & on-prem AD.
-Device registry allows for Single Sign-On(SSO) to cloud-based resources.
  -Azure AD joined devices also benefit from the SSO experience to resources & apps that rely on on-prem AD
-Device registry also allows for device management with Intune to control how an org's devices are used
  -Mobile Device Management(MDM) for company-owned devices
  -Mobile Application Management(MAM) for personal devices
Overview of the Hybrid Identity Model
-All scenarios with Hybrid AD require an on-prem AD instance!
-Azure AD password hash synchronization:
  -Simplest way to enable AuthN for on-prem directory objects in Azure AD
  -User is authed by Azure AD
-Azure AD Pass-through Authentication (PTA)
  -User is Authed directly against on-prem AD
  -Can be used to enforce AD restrictions not present in Azure AD(logon hours)
-Federated Authentication
  -AuthN for orgs that need advanced measures not supported by Azure AD(smart cards, certs)
  -Azure AD passes the request to on-prem AD
External Identity Types
-Emps are commonly working w/ people both inside & outside of the org
-External users may need access to resources inside of the org
-Azure AD External Identities is a set of capabilities that enables orgs to allow access to external users
-Two different types of Azure AD External Identities:
  -Business to business(B2B): Collaboration type that allows an org to share apps & resources with external users
    -Enables orgs to share apps & resources with guest users from other orgs
    -Uses an invitation & redemption process
    -Can perform Self Service Password Reset through their own org's usual process
    -Admins can also enable self-service sign-up user flows to allow external users to sign up without admin intervention.
  -Business to Consumer(B2C): Identity management solution that allows for management of identities on consumer-facing apps
    -Enables external users to use their preferred social, work, or local identities for SSO to an org's apps
    -A Customer Identity Access Management(CIAM) solution
    -Supports many users & billions of AuthNs per day
    -Automatically handles threats like DoS, password spray, or brute-force attacks
    -External users are managed in the Azure AD B2C directory, separately from the org's employee & partner directory
Day 4 - SC-900 - Identity Concepts
Identity is the primary security perimeter
The four(4) pillars of Identity:
-Administration: The creation & management of identities for users, devices, & services.
-Authentication: The act of challenging a party for legitimate credentials.
  -"AuthN"
  -Service provided by an identity provider
  -Multi-factor authentication(MFA) can help make authentication more secure
    -Something you know(pin, password)
    -Something you have(trusted device)
    -Something you are(biometrics)
  -Evaluating conditions around an authentication request(location, device state) can help make authentication more secure.
  -Evaluating risk around a user's authentication request
  -Identity Providers create, maintain, & manage identity info while providing AuthN services to apps.
  -Can provide Single Sign-On(SSO) which enables access to multiple resources with a single logon.
-Authorization: The act of processing incoming identity data to determine an appropriate level & type of access.
  -"AuthZ"
  -Specifies what resources someone is allowed to access & what they can do with those resources
  -Role-based Access Control(RBAC) is a collection of permissions of actions that can be performed.
-Auditing: The act of tracking who does what when, where, & how in a system or application.
Identity Federation is a system of trust between two parties for authenticating users & conveying info needed to authorize their access to resources
-Enables access across org boundaries by establishing trust relationships between the orgs' identity providers
-Typically includes AuthN & AuthZ
-Allows admins to implement different and/or more rigorous levels of access control
-Active Directory Federation Services(ADFS) ensures that all AuthN occurs on premises & enables implementation of stronger access control
Identity may be a user, application, or even a device
Identity has moved closer to the entities working outside the physical network perimeter
Policy-based protection travels with the identity wherever it resides
Day 3 - SC-900 - Encryption, Hashing, & Broad Compliance Concepts
Hashing is a one way function designed to scramble plain text into a unique digest in an indecipherable way.
Hashing has the following requirements:
-Must accept any length of characters into its input
-Must produce a fixed length of characters for its output
-Must be relatively easy to compute
-Must not be reversible
-Must avoid collisions(having two different inputs that produce the same output)
Encryption is the act of scrambling plain text in a way that can be reversed via a medium(key, passphrase, silly dance, etc)
Symmetric encryption is when plaintext is encrypted & decrypted by the same key.
Symmetric encryption is often fast to operate & used for working with bulk encryption/decryption.
Asymmetric encryption is when plaintext is encrypted with a single key & then decrypted by a different key.
-Public/Private key encryption

Thesis: vampires are so melodramatic as a form of behavioural infosec. While their bewildering collections of odd mannerisms make it easy to clock them as vampires, they also make it extremely difficult to tell which of those mannerisms stem from some esoteric weakness or strange limitation on their vampire powers, and which are just them being extra.
Day 2 - SC-900 - Defense-In-Depth & the Zero Trust Methodology
Defense-in-Depth operates on a principle of not leaning on a singular point of failure. Instead it is the philosophy of putting many "smaller" controls at different points within an environment. This allows for more opportunities for vulnerabilities like misconfiguration, poor policy implementation, legacy systems, & the like to act as a single target for threats.
More eyes watching & make bad actors work harder.
Defense-in-Depth Layers: Data, Applications, Device/Computers, Network, Perimeter, Identity & Access Management, Physical
This layered approach is key in Zero Trust; where nothing is assumed or trusted within an environment.
Zero Trust Core Principles:
-Assume Breach
-Verify Explicitly
-Enforce Least-Privilege Access
just two gamers showing off their rigs to each other
absolutely loving everyone sharing stories of their gremlin builds in the reblogs, keep them coming <3
Not only do security questions weaken credentials they divide families

SC-900 - Day 1
Learned about the Shared Responsibility Model in cloud computing:
-From most customer responsibility to least: On Prem, IaaS, PaaS, SaaS
This comic played out in real life millions of times. I know this as an IT guy. https://twitter.com/extrafabulous/status/1617892836204249090
Dang it Bill