lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

Add support for calling the HIBP API #18

Open ryannewington opened 5 years ago

ryannewington commented 5 years ago

Code started

https://github.com/lithnet/ad-password-protection/blob/hibp-integration/src/PasswordFilter/hibp.cpp

ryannewington commented 5 years ago

@AaronG1234

Here is a release with HIBP support for you to test with. (Not LSA signed yet though).

You'll find a new GPO setting to turn on HIBP support

Note, this doesn't allow you to audit existing user passwords, only check new passwords being set/changed

Lithnet.ActiveDirectory.PasswordProtection.msi.zip

I'd appreciate any feedback you have to offer as a result of your testing.

AaronG1234 commented 5 years ago

will do! thanks


bryan4tw commented 4 years ago

Would it be possible to have it fail back to an offline copy whenever the API is down?

AaronG1234 commented 4 years ago

That would be a nice feature...

Use Online API [checkbox]
Fail to local if available [checkbox]

Fail open OR [radiobullet] Fail closed [radiobullet]

(Remember this is the password change moment; if the API isn't available, I personally would allow the user to change their password (after meeting other complexity requirements) and write a distinct log about the failure to reach the API.) But I agree it would be highly available if it could fall back to local.

Aaron


ryannewington commented 4 years ago

The HIBP module is just another policy module, so you can have local store enabled at the same time as HIBP. You can choose if you want a HIBP failure to result in the password being rejected, or passing (fail open/closed).

AaronG1234 commented 4 years ago

But does the module consider a hit in HIBP and an inability to contact HIBP both an equal "failure"?


ryannewington commented 4 years ago

A positive or negative password test result is different from a failure processing the request such as in the case that the api is not available.

Being 'more expensive' the hibp API call is processed last in the chain, so the password would need to be approved by the on prem module first anyway to even get there. So if the on prem passed it, and the hibp api failed, you can choose to allow the password, or reject it.

bryan4tw commented 4 years ago

Ah, that makes perfect sense.

AaronG1234 commented 4 years ago

Just to solidify my understanding (and I apologize Ryan, I meant to test it sooo much sooner)

Is it true that we can operate in any one of these three "models"?

1) On Prem Database has been downloaded and configured to use
2) No On Prem Database exists, the HIBP API has been configured to use
3) On Prem Database has been downloaded and configured to use, the HIBP API has been configured to use

Note: Honestly I think most admins who want #2 would still benefit from a small, organizational proprietary On Prem (without the massive imports) and then the HIBP API (if so, that would be #3).

I know that in Model 2) "API Only" we have a setting via GPO/Registry to fail open or fail closed (again, for password change moments, fail open means we allow the password to be set NOT KNOWING if it is in HIBP).

I assume, based on your latest feedback, that in Model 3) "BOTH", if the password is found in the Local "Evil Password" store [via hash, forbidden, regex, or any other method supported by Model 1) "On Prem Only"], the password will be denied, and there will be a log that states the password was denied by the module (if HIBP has been configured, can this error be specific that it was the LOCAL DB that triggered the deny?). Does the module even check the HIBP API in this scenario?

If the password is NOT in the Local "Evil Password" store, we query the HIBP Password API:

- If there is a hit (non-zero count), the password will be denied, and there will be a log that states the password was denied by the module. (Will this error be specific that it was the HIBP API that triggered the deny? Will the error have the **hit count in the data?)
- If the HIBP Password API is unreachable, depending on the policy (there is a GPO/Registry setting specific to this scenario):
  - (Fail Open) The password change will be allowed, and there will be a log that states the password was allowed by the module BECAUSE the API failed and the policy said so? Or a separate log that the API failed? Or both?
  - (Fail Closed) The password change will be denied, and there will be a log that states the password was denied by the module BECAUSE the API failed and the policy said so? Or a separate log that the API failed? Or both?

Aaron

- As far as **Hit Counts from HIBP:
  - My own code that is doing this (LSA Notification package, but not even close to as smooth as yours 😝): we decided to log a hit count range instead of the exact number… we were worried that there are some passwords that have a unique hit count.
  - So for us, my current logging returns a hit count of: NONE (0), UNIQUE (1), RARE (2-5), UNCOMMON (6-10), COMMON (11+)

We almost went with Rare being 2-3 and then Common being 4+, but wanted a bit more data. (Either range is valuable; the point is that hit counts are valuable for Support Staff, communication, education, risk metrics, etc.)

ryannewington commented 4 years ago

@AaronG1234

Each password check type (regex, hibp, banned word, length, complexity, etc) is an independent module. Each is processed one at a time in 'general' order of processing speed. For example, the password length check is faster than the regex check, so that happens first. Each module has the opportunity to reject the password, and each has its own specific event id codes.

The HIBP module appears last in the list, as it is the most expensive. If you choose to enable the option in group policy to allow the password change on a hibp failure, a specific event code is logged for this condition. If you don't enable the GPO setting for this, the password will be rejected. As HIBP is called last, all other modules need to approve the password before it gets here.

I can't remember if the hit counts are logged. I think it does. I've been debating including this feature or not in a new api standard we are proposing. It increases the data transfer by a non-trivial amount, for no tangible security benefit. Happy to hear thoughts on this though.
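The chain Ryan describes above (cheap modules first, HIBP last, a processing failure kept distinct from a hit, and a GPO toggle that decides whether that failure fails open or closed), together with the hit-count bucketing Aaron described in his comment, as an added Python example. This is not code from lithnet/ad-password-protection (which is a C++ LSA password filter); the module set, the event IDs, the breach corpus and the fake range endpoint are constructed stand-ins for this illustration. The one thing assumed beyond the thread is the shape of the Pwned Passwords range API (a query by the first five hex characters of the SHA-1, answered with `SUFFIX:COUNT` lines), which the stub reproduces locally so the example runs offline.

```python
"""Added illustration of the policy-module chain discussed in this issue.
Not the project's code: module set, event IDs and breach data are constructed."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable

# Constructed placeholder event IDs. The thread says each module has its own
# event IDs but does not list them; these are NOT the real ones.
EVT_LENGTH_REJECT, EVT_BANNED_REJECT, EVT_REGEX_REJECT = 9001, 9002, 9003
EVT_HIBP_APPROVE, EVT_HIBP_REJECT = 9010, 9011
EVT_HIBP_UNREACHABLE = 9012   # processing failure: distinct from a positive hit
EVT_HIBP_FAIL_OPEN = 9013     # password allowed because policy says fail open
EVT_HIBP_FAIL_CLOSED = 9014   # password rejected because policy says fail closed


class Verdict(Enum):
    APPROVE = "approve"   # module accepts the password
    REJECT = "reject"     # module rejects it (a positive test result)
    ERROR = "error"       # module could not evaluate (e.g. API unreachable)


@dataclass
class Event:
    module: str
    verdict: Verdict
    event_id: int
    detail: str = ""      # never the password itself


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus (passwords and counts are made up) behind a fake
# range endpoint. The real API is GET https://api.pwnedpasswords.com/range/<prefix>
# and answers with "SUFFIX:COUNT" lines; only the 5-char prefix ever leaves the host.
FAKE_BREACH_CORPUS = {"password": 3861493, "Password1": 7, "qwerty123": 1, "Summer2019!": 4}


def fake_range_fetch(prefix: str) -> str:
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def unavailable_fetch(prefix: str) -> str:
    raise ConnectionError("simulated: api.pwnedpasswords.com unreachable")


def hibp_hit_count(password: str, fetch: Callable[[str], str]) -> int:
    """k-anonymity lookup: send the prefix, match the suffix locally; 0 = not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def hit_count_bucket(count: int) -> str:
    """Range logging as AaronG1234 describes it, so a log never carries a unique exact count."""
    if count == 0:
        return "NONE"
    if count == 1:
        return "UNIQUE"
    if count <= 5:
        return "RARE"
    if count <= 10:
        return "UNCOMMON"
    return "COMMON"


@dataclass
class Policy:
    min_length: int = 10
    banned_words: tuple = ("contoso", "welcome")       # constructed banned-word list
    repeat_regex: str = r"(.)\1{3,}"                    # four identical characters in a row
    hibp_enabled: bool = True
    hibp_fail_open: bool = False                        # the GPO "allow on HIBP failure" toggle
    hibp_fetch: Callable[[str], str] = fake_range_fetch


def check_length(pw: str, p: Policy) -> Event | None:
    return Event("length", Verdict.REJECT, EVT_LENGTH_REJECT, f"< {p.min_length}") if len(pw) < p.min_length else None


def check_banned(pw: str, p: Policy) -> Event | None:
    hit = any(w in pw.lower() for w in p.banned_words)
    return Event("banned", Verdict.REJECT, EVT_BANNED_REJECT) if hit else None


def check_regex(pw: str, p: Policy) -> Event | None:
    return Event("regex", Verdict.REJECT, EVT_REGEX_REJECT) if re.search(p.repeat_regex, pw) else None


def check_hibp(pw: str, p: Policy) -> Event:
    try:
        count = hibp_hit_count(pw, p.hibp_fetch)
    except OSError as exc:                      # ConnectionError/TimeoutError are OSErrors
        return Event("hibp", Verdict.ERROR, EVT_HIBP_UNREACHABLE, str(exc))
    if count > 0:
        return Event("hibp", Verdict.REJECT, EVT_HIBP_REJECT, f"hit bucket={hit_count_bucket(count)}")
    return Event("hibp", Verdict.APPROVE, EVT_HIBP_APPROVE)


def evaluate(password: str, policy: Policy) -> tuple[bool, list[Event]]:
    """Returns (allowed, events). Cheap modules run first; HIBP only sees passwords they approved."""
    events: list[Event] = []
    for check in (check_length, check_banned, check_regex):
        ev = check(password, policy)
        if ev is not None:
            events.append(ev)
            return False, events                # first rejection wins; HIBP never queried
    if not policy.hibp_enabled:
        return True, events
    ev = check_hibp(password, policy)
    events.append(ev)
    if ev.verdict is Verdict.REJECT:
        return False, events
    if ev.verdict is Verdict.ERROR:             # unreachable API: policy decides, and is logged as such
        if policy.hibp_fail_open:
            events.append(Event("hibp", Verdict.APPROVE, EVT_HIBP_FAIL_OPEN, "API unreachable, fail open"))
            return True, events
        events.append(Event("hibp", Verdict.REJECT, EVT_HIBP_FAIL_CLOSED, "API unreachable, fail closed"))
        return False, events
    return True, events


if __name__ == "__main__":
    for label, pw, pol in [("short", "password", Policy()), ("breached", "Summer2019!", Policy()),
                           ("api down", "CorrectHorseBattery", Policy(hibp_fetch=unavailable_fetch))]:
        ok, evs = evaluate(pw, pol)
        print(label, "allowed" if ok else "rejected", [(e.module, e.event_id, e.detail) for e in evs])
```

Two design points worth noting. The `ERROR` verdict is deliberately a third state rather than being folded into `REJECT`, which is exactly the distinction Aaron asked about: an unreachable API produces its own event (`EVT_HIBP_UNREACHABLE`) and then a second event recording which way the fail-open/closed policy resolved it, so an operator can tell "denied because breached" from "denied because the API was down". The hit-count bucket keeps the exact count out of the log line, following Aaron's reasoning that a unique exact count can identify a specific password.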

ryannewington commented 4 years ago

Didn't mean to close the issue. Fat-fingered on mobile view.

smwinn commented 1 year ago

Is this any closer to being in the release channel?

SeSeKenny commented 1 year ago

Unless I am misunderstanding something here, adding a call for the new NTLM mode would enhance things as well. The sha1 HIBP isn't the same as the NTLM HIBP lists by the nature of either being OWFs and depending on the raw sources? If I am correct, then having the sha1 API is actually adding more protection too.

NVM I was incorrect - https://twitter.com/troyhunt/status/1635727629021237248