rules/findings/EntraID/Policy/CIS3.0/eid-custom-banned-password-list-disabled.json

{
    "args": [
         
    ],
    "provider": "EntraID",
    "serviceType": "Identity Protection",
    "serviceName": "Microsoft Entra ID",
    "displayName": "Ensure custom banned passwords lists are used",
    "description": "With Entra Password Protection, default global banned password lists are automatically applied to all users in an Entra ID tenant. To support business and security needs, custom banned password lists can be defined. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.\nA custom banned password list should include some of the following examples:\n* Brand names\n* Product names\n* Locations, such as company headquarters\n* Company-specific internal terms\n* Abbreviations that have specific company meaning",
    "rationale": "Creating a new password can be difficult regardless of one's technical background. It is common to look around one's environment for suggestions when building a password; however, this may include picking words specific to the organization as inspiration for a password. An adversary may employ what is called a 'mangler' to create permutations of these specific words in an attempt to crack passwords or hashes, making it easier to reach their goal.",
    "impact": "If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.",
    "remediation": {
        "text": "###### To set a custom bad password list, use the Microsoft Entra ID blade\r\n\t\t\t\t\t1. In `Microsoft Entra ID`, click on `Security`.\r\n\t\t\t\t\t2. Under `Management` select `Authentication`, then `Password Protection`.\r\n\t\t\t\t\t3. Set the `Enforce custom list` to `Yes`.\r\n\t\t\t\t\t4. Double click the custom password list to add a string.\r\n\t\t\t\t\t5. Click `Save`.",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad#custom-banned-password-list",
        "https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-configure-custom-password-protection"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft Azure Foundations",
            "version": "5.0.0",
            "reference": "5.2.3.2",
            "profile": "E3 Level 1"
        }
    ],
    "level": "medium",
    "tags": [
         
    ],
    "rule": {
        "path": "aad_password_protection_policy",
        "subPath": null,
        "selectCondition": {
             
        },
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "customBannedPasswords.Count",
                                "eq",
                                "0"
                            ],
                            [
                                "enforceCustomBannedPasswords",
                                "eq",
                                "false"
                            ]
                        ],
                        "operator": "or"
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                     
                },
                "expandObject": null
            },
            "table": null,
            "decorate": [
                 
            ],
            "emphasis": [
                 
            ],
            "actions": {
                "objectData": {
                    "properties": [
                        "*"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": false,
                "showModalButton": false,
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                     
                },
                "expandObject": null
            },
            "status": {
                "keyName": [
                     
                ],
                "message": "Custom Bad Password List is not set",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": null,
                "resourceId": null,
                "resourceType": null
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "aad_custom_bad_password_disabled",
    "notes": [
         
    ],
    "categories": [
         
    ],
    "immutable_properties": [
         
    ],
    "id": "entraid_1152"
}