
Security is essential for every organization. When an account password is breached and an attacker uses it to get into the environment, a lot of confidential data can be gathered and leaked, and the cleanup costs time on top of the damage. Security starts with implementing the fundamentals in the infrastructure and making users aware of the risks. In this article, you will learn how to audit Active Directory for breached passwords and how to prevent users from setting them.

Audit and secure account passwords

It’s important to understand that there are two complementary configurations you need in your organization:

  1. Audit account passwords: Export the accounts whose current password is weak or breached.
  2. Secure account passwords: Create a policy so users and administrators can’t set weak or breached passwords in the first place.

To configure both options above, you must download and install Lithnet Password Protection for Active Directory. You will use it to check existing password hashes against the HIBP (Have I Been Pwned) Pwned Passwords list and to reject weak or breached passwords when they are set in Active Directory (more below).

Note: If you have a Microsoft Entra hybrid identity configuration, we recommend also configuring Microsoft Entra Password Protection for on-premises Active Directory (formerly Azure AD Password Protection). It checks against Microsoft’s global and custom banned password lists rather than the HIBP dataset, so the two complement each other.

Setup Lithnet Password Protection for Active Directory

To setup Lithnet Password Protection for Active Directory, go through the below steps.

1. Install Lithnet Password Protection for Active Directory

Sign in to the Domain Controller. A password filter only sees the password changes processed by the DC it runs on, so repeat the installation on every writable domain controller in the domain.

Download Lithnet Password Protection for Active Directory from GitHub.


Start the Lithnet Password Protection for Active Directory Setup and go through the installation wizard. The setup is straightforward, and you can click through it.


You installed Lithnet Password Protection for Active Directory successfully.

2. Download HIBP passwords list

Download the current compromised password hashes from HIBP. To synchronize the Lithnet password store with the Have I Been Pwned Pwned Passwords API, use the Sync-HashesFromHibp cmdlet.

Note: The HIBP Pwned Passwords list is updated constantly, so rerun the cmdlet periodically. An excellent way is to create a scheduled task that runs Sync-HashesFromHibp weekly or monthly in the background. The PagesWithChanges and PagesUnchanged counters in its output show that the cmdlet tracks which hash ranges changed, so later runs only import the ranges that are new since the previous sync.

Start Windows PowerShell as administrator and run the below cmdlet.

Sync-HashesFromHibp

It will start downloading the HIBP passwords to the store.


Once it’s done, you get an output with the results. PagesRetrieved is 1,048,576 (16^5) because the HIBP range API is keyed on the first five hex characters of each SHA-1 hash, and the sync walks every prefix.

OperationStart          : 1/23/2024 7:13:35 PM
OperationFinish         : 1/23/2024 8:30:35 PM
Duration                : 01:17:00.2187755
PagesRetrieved          : 1048576
PagesWithChanges        : 1048576
PagesUnchanged          : 0
NewHashesImported       : 931856448
ExistingHashesDiscarded : 0
TotalHashesProcessed    : 931856448
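The scheduled task mentioned in the note above, as an added example that is not part of the original article or the Lithnet project. It assumes the PowerShell module is named LithnetPasswordProtection (as in the Lithnet documentation), that the task runs as SYSTEM so it can write to the store under Program Files, and that the task name, log path and Sunday 02:00 schedule are illustrative choices you would adapt.

```powershell
# Added example, not from the article: register a weekly scheduled task on the DC that
# refreshes the Lithnet store from the HIBP Pwned Passwords API with Sync-HashesFromHibp.
# Assumptions: the LithnetPasswordProtection module is installed on this DC, the task
# runs as SYSTEM (which can write to the store under Program Files), and the task name,
# log path and schedule are illustrative.

$taskName = 'Lithnet-Sync-HIBP'
$logPath  = 'C:\scripts\hibp-sync.log'

# The command the task executes: keep a transcript, load the module, run the sync.
$command = "Start-Transcript -Path '$logPath' -Append; " +
           "Import-Module LithnetPasswordProtection; " +
           "Sync-HashesFromHibp; " +
           "Stop-Transcript"

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$command`""

# Sunday 02:00, outside business hours; the initial full sync above took over an hour.
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am

$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Allow enough time to finish, and catch up if the DC was down at trigger time.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 6) `
    -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Weekly sync of HIBP Pwned Passwords into the Lithnet Password Protection store' `
    -Force | Out-Null

# Confirm the task exists, kick off a first run, and check its last result afterwards.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

A LastTaskResult of 0 means the last run exited cleanly; the transcript in C:\scripts\hibp-sync.log contains the same summary table as the interactive run above. If several DCs are pointed at one shared store, only one of them needs this task.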

3. Check Lithnet Password Protection database

Start File Explorer and go to the Lithnet Password Protection database path.

C:\Program Files\Lithnet\Active Directory Password Protection\Store\v3\p

Check that the DB files are created.


The store size is 12.2 GB.

Note: The size can vary because the HIBP password database is constantly updated.


Lithnet Password Protection for Active Directory is set up successfully.

Check breached passwords in Active Directory

Download the Audit-Passwords.ps1 script and save it to C:\scripts on the Domain Controller.

Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Run PowerShell as administrator and start the script to audit Active Directory for breached passwords. Wait until it completes.

C:\scripts\Audit-Passwords.ps1

The PowerShell output shows which accounts have a breached password. A CSV file with the name get-pwned-users.csv is also generated in C:\scripts.
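An audit script of the kind the step above runs, written here as an added example; it is not the article’s Audit-Passwords.ps1 and not Lithnet’s own code. It uses the Test-IsADUserPasswordCompromised cmdlet that ships with Lithnet Password Protection and assumes, as in the Lithnet documentation, that the cmdlet takes -AccountName and -DomainName and returns $true for a hit, that the running account holds the "Replicate Directory Changes All" permission on the domain (the cmdlet reads the password hash through directory replication), and that the module name and output path are as shown.

```powershell
# Added example, not the article's Audit-Passwords.ps1: enumerate enabled AD user accounts,
# test each one's current password hash against the Lithnet compromised-password store
# with Test-IsADUserPasswordCompromised, and write the hits to get-pwned-users.csv.
# Assumptions: the running account holds "Replicate Directory Changes All" on the domain,
# the cmdlet takes -AccountName/-DomainName and returns $true for a hit as in the Lithnet
# documentation, the module is named LithnetPasswordProtection, and the output path is
# an illustrative choice.

Import-Module ActiveDirectory
Import-Module LithnetPasswordProtection

$domain  = (Get-ADDomain).DNSRoot
$outFile = 'C:\scripts\get-pwned-users.csv'

# Disabled accounts cannot log on, so only enabled ones are worth the replication traffic.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate

$hits = foreach ($u in $users) {
    try {
        $pwned = Test-IsADUserPasswordCompromised -AccountName $u.SamAccountName -DomainName $domain
    }
    catch {
        # Typically a missing replication permission or a DC that refused the request.
        Write-Warning "Could not test $($u.SamAccountName): $($_.Exception.Message)"
        continue
    }
    if ($pwned) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            DistinguishedName    = $u.DistinguishedName
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate
        }
    }
}

$hits | Sort-Object SamAccountName | Format-Table -AutoSize
$hits | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

Write-Host ("{0} of {1} enabled accounts use a password found in the HIBP store." -f `
    @($hits).Count, @($users).Count)
```

The extra columns are there for triage: an account with PasswordNeverExpires set, or a privileged account, should be reset first, and a stale LastLogonDate tells you the account may simply need disabling rather than a new password.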


This is how it looks in our example. These accounts have passwords set that are listed in the HIBP pwned password list.


Now that you have the list of accounts with pwned passwords, you can email those users and ask them to change their password.

But what if they change the password and pick another breached one? You do not want to check AD for breached passwords every day or week and keep emailing users. That is time-consuming, and in the meantime the organization is not protected.

In the next step, you will configure a Group Policy that prevents users from setting a pwned password in the first place.

Prevent users from creating breached passwords

The best approach is a policy that checks every new password against the HIBP list at the moment it is set.

If the password is in the pwned passwords list, the Domain Controller rejects it and the user has to choose another one. Keep in mind that a password that is not in the list has merely not shown up in a known breach; it still has to meet your length and complexity requirements before you can call it strong.

Configure Group Policy

Start Group Policy Management. Right-click the Domain Controllers OU and click on Create a GPO in this domain, and link it here.


Give the policy the name LithnetPP and click on OK.


Right-click the LithnetPP GPO object and select Edit.


In the Group Policy Editor, navigate to:

Computer Configuration\Policies\Administrative Templates\Lithnet\Password Protection for Active Directory\Default Policy

Double-click Reject passwords found in the compromised password store.


Select Enabled, then tick both Enable for password set operations (administrator resets) and Enable for password change operations (users changing their own password). Click on OK.


Note: There are more GPO options, and you should look through them. But be aware that the more restrictions you configure, the harder it becomes for users to find a password that is accepted.

Important: Reboot the Domain Controller for changes to take effect.

Test password policy

Test that the GPO works and go through the next steps:

  1. Active Directory Users and Computers: Create a new AD user account with and without a password in the HIBP list.
  2. Active Directory Users and Computers: Reset a password for an existing AD user account with and without a password in the HIBP list.
  3. Windows device domain joined: Sign in with a user account and reset the password with and without a password in the HIBP list.

In our example, we show only the second scenario: resetting the password of an existing account.

Start Active Directory Users and Computers. Right-click a user account and select Reset the password.


Fill in a password that appears in the HIBP list. To confirm that a candidate test value is breached, you can check it on HIBP Pwned Passwords, which only sends the first five characters of the password’s SHA-1 hash to the service (k-anonymity); even so, use a throwaway test value there, never a password that is actually in use.


Fill in the password twice and click on OK. In our example, we will use Password01.


The generic password policy error appears (Windows shows the same message for any password filter rejection, so it does not say that the HIBP check was the reason):

Windows cannot complete the password change for user because: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.


Now, do the same steps but with a password that’s not breached, and it will complete the password change successfully.
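The same test run from PowerShell instead of the ADUC dialog, as an added example that is not part of the original article or the Lithnet project. It resets a disposable test account’s password first to the breached value Password01 and then to a freshly generated random value, records whether the DC accepted each attempt, and also asks the local Lithnet store directly so you can tell a Lithnet rejection from an ordinary complexity or history rejection. It assumes pwtest01 is a throwaway account you created for this purpose, that the store-lookup cmdlet is named Test-IsPasswordInCompromisedStore with a -Password parameter as in the Lithnet documentation, and that the module is named LithnetPasswordProtection; both password values are constructed test inputs.

```powershell
# Added example, not from the article: exercise the Lithnet policy from PowerShell by
# resetting a throwaway account's password to a breached value and then to a random one,
# recording whether the DC accepted each attempt.
# Assumptions: $testUser is a disposable account created for this test;
# Test-IsPasswordInCompromisedStore -Password is the store-lookup cmdlet as named in the
# Lithnet documentation; the module is named LithnetPasswordProtection; both passwords
# are constructed test inputs.

Import-Module ActiveDirectory
Import-Module LithnetPasswordProtection

function Test-PasswordReset {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $PlainPassword,
        [string] $Label = ''
    )
    # Ask the local store first: this tells you whether a rejection below is Lithnet's doing.
    $inStore = Test-IsPasswordInCompromisedStore -Password $PlainPassword
    $secure  = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure -ErrorAction Stop
        $accepted = $true
        $err      = $null
    }
    catch {
        # The DC returns the same generic "does not meet the requirements" error whether
        # the default policy or the Lithnet filter rejected the password.
        $accepted = $false
        $err      = $_.Exception.Message
    }
    [pscustomobject]@{
        Label       = $Label
        InHibpStore = $inStore
        Accepted    = $accepted
        Error       = $err
    }
}

$testUser = 'pwtest01'

# 24 random bytes as base64: 32 characters mixing upper, lower, digits and symbols,
# so it passes default complexity and will not appear in any breach list.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPassword = [Convert]::ToBase64String($bytes)

$results = @(
    Test-PasswordReset -Identity $testUser -PlainPassword 'Password01'     -Label 'breached: Password01'
    Test-PasswordReset -Identity $testUser -PlainPassword $randomPassword  -Label 'random 32-char value'
)
$results | Format-Table Label, InHibpStore, Accepted, Error -AutoSize
```

With the GPO in place you expect the first row to show InHibpStore True and Accepted False, and the second row InHibpStore False and Accepted True. If the breached value is accepted, the policy is not in effect on the DC that handled the reset: add -Server to Set-ADAccountPassword to target each DC in turn, and check that the GPO is linked to the Domain Controllers OU and that the DC was rebooted after the change.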
