schrolla
commented
1 year ago This item was split from #92 which addresses the simpler issues of incomplete conditional access policy evaluation.
Open schrolla opened 1 year ago
schrolla
commented
1 year ago This item was split from #92 which addresses the simpler issues of incomplete conditional access policy evaluation.
schrolla
commented
1 year ago There are a couple different items to keep in mind here:
Beyond that it gets hazier as to how to treat exclusions. If we allow for user input of break glass or exempted principals that should not fail policy tests, then we would need to support users ability to specify those principals (via GUID or Display Name we would need to use to get the GUID), and then incorporate those exemptions into the tests as well.
schrolla
commented
1 year ago Based on review of all the AADConfig_2.xx_test.rego scripts, it seems the following policies utilize CAPs:
• 2.1. Legacy authentication SHALL be blocked • 2.2 Policy 1. Users detected as high risk SHALL be blocked • 2.3. Sign-ins detected as high risk SHALL be blocked • 2.4 policy 1. MFA SHALL be required for all users • 2.9. Sign-in frequency SHALL be configured to 12 hours • 2.10. Browser sessions SHALL not be persistent • 2.13. MFA SHALL be required for user access to highly privileged roles • 2.17. Managed devices SHOULD be required for authentication
Next step is to adjust the tests to flag anytime exclusions are present in the policy.
schrolla
commented
1 year ago Reviewed the file AADConfig.rego (where policy tests are defined) to identify the instances of "input.conditional_access_policies" as that is the key for being inspected by Rego for CAPs. The following eight policies include that key:
Next step is to try modifying one of the policy tests (e.g., 2.9 as it is most straightforward) to introduce exclusions (e.g., using the "ExcludeUsers" key) and check that the tests can still complete successfully.
schrolla
commented
1 year ago Notes from stand up: Adding these exclusions directly will fail in most real world cases as exclusions for break glass or emergency accounts are common. In the future, one way to handle this is to support an option for users/agencies to specify documented exceptions that would not fail the test, only undocumented exceptions would fail. However, other features must be implemented before we can reasonably accept this input from users.
Until then, we need to determine a way to detect the CAP exclusions (which we have) and modify the result in a way that:
Possible solutions include keeping the color the same, but including additional report details about the policy and its exclusions OR changing the result color to yellow to indicate a partial requirement met or warning about the requirement being met.
schrolla
commented
1 year ago Adding some details in preparation for the meeting. Sorry if this is unclear and will try to clarify at the meeting. Thank you, Shanti
2.1 policy 1: Legacy Authentication SHALL Be Blocked
2.2 policy 1: Users detected as high risk SHALL be blocked
2.3 policy 1: Sign-ins detected as high risk SHALL be blocked
Rego policy definition: This policy applies to all users with sign-ins detected as high-risk and all applications. No users, groups, or rules are excluded. Rego policy unit test: The unit test checks for whether an arbitrary user, group, role is excluded. But since none are excluded, the test passes the double negative check.
2.4 policy 1: MFA SHALL be required for all users.
Rego policy definition: This policy applies to all users and applications. No users, groups, or rules are excluded. Rego policy unit test: The unit test checks for whether an arbitrary user, group, role is excluded. But since none are excluded, the test passes the double negative check.
2.9 policy 1: Sign-in frequency SHALL be configured to 12 hours.
Rego policy definition: This policy applies to all users and applications. No users, groups, or rules are excluded. Rego policy unit test: The unit test checks for whether an arbitrary user, group, role is excluded. But since none are excluded, the test passes the double negative check.
2.10 policy 1: Browser sessions SHALL not be persistent.
Rego policy definition: This policy applies to all users and applications. No users, groups, or rules are excluded. Rego policy unit test: The unit test checks for whether an arbitrary user, group, role is excluded. But since none are excluded, the test passes the double negative check.
2.13 policy 1: MFA SHALL be required for user access to highly privileged roles.
Rego policy definition: This policy applies to all applications and two privileged roles. Rego policy unit test: The unit test verifies that if the role is other than the defined privileged role, then the test for incorrect_role passes (double negative)
2.17 policy 1: Managed devices SHOULD be required for authentication.
Input JSON provider settings are in the ProvidersSettingsExport.json
PASS: 7/7
nanda-katikaneni
commented
1 year ago @schrolla and @ssatyapal123 Based on recent changes to Conditional Access Policy Exclusions (done in Dolphin or v0.3.0) and in view of #232 - do we still need this issue?
schrolla
commented
1 year ago @nanda-katikaneni I don't believe this issue is still needed as the user/group exclusions have been addressed. We do still need to address other CAP conditions that can result in false policy matches where the idea is for the policy to apply to "ALL" though. #92 was supposed to be the split, but I'm afraid that might be too narrow. Might be best to close them both out and create a new, focused item to address CAP session and condition values in policy evaluations that could similarly lead to matches that aren't in line with the specified policy item.
ahuynhMITRE
commented
1 year ago Added details from issue #316 to combine similar issues.
AAD 2.1 "Legacy authentication SHALL be blocked" produced a false positive for an agency pilot. The agency has legacy authentication blocked but only for locations outside of the US. For this they configured the "locations" and "client apps" sections within the conditions for a conditional access policy.
Please email Andrew Huynh for the provider json for further investigation.
P.S. the results was found using the Scubagear module version 0.2.1
tkol2022
commented
10 months ago Via testing, I verified that this is still a problem for all of the conditional access policies.
schrolla
commented
7 months ago The latest version of ScubaGear has largely addressed the assignments portion of the original issue by checking and allowing for defined exceptions via config file. What remains is to also check policy conditions (such as location, device, platform, etc) such that narrowly scoped conditional access policies do not render assessment items requiring broadly scoped CAPs as passing.
AzureAD uses conditional access policies to evaluate access requests. These policies may include references to existing users, groups, and roles with both an inclusion and exclusion condition. As such, evaluating policies against SCB baselines that specify ALL or NONE is both difficult and violates standard practice of having break glass accounts that are highly restricted but do not necessarily have the same protections in place as standard accounts.
If a conditional access policy (CAP) includes exclusions, the conformance automation should evaluate the exclusion and provide feedback to the user about the scope and extent of the exclusion relative to the baseline policy. Possible implementations include, for example, a baseline policy that requires that ALL users have MFA enabled should either fail if an exclusion is present OR pass with warnings and indicate the exclusion as a warning. Alternatively, the automation may allow an agency user to specify acceptable exclusions that would not produce a warning or only produce them if a runtime flag was provided. Either way, CAPs should be evaluated more precisely and additional feedback provided to the user.