Add support for calling the HIBP API #18
Comments
|
Here is a release with HIBP support for you to test with. (Not LSA signed yet though). You'll find a new GPO setting to turn on HIBP support
Note, this doesn't allow you to audit existing user passwords, only check new passwords being set/changed Lithnet.ActiveDirectory.PasswordProtection.msi.zip I'd appreciate any feedback you have to offer as a result of your testing. |
|
Would it be possible to have it fail back to an offline copy whenever the API is down? |
|
That would be a nice feature...
Use Online API [checkbox]
Fail to local if availble [checkbox]
Fail open OR [radiobullet]
Fail closed [radiobullet]
(remember this is password change moment, if the API isn't available, i personally would allow the user to change their password (after meeting other complexity requirements) and write a distinct log about failure to reach api
But i agree it would be high available if it could fallback to local
Aaron
…________________________________
From: bryan4tw <notifications@github.com>
Sent: Wednesday, October 30, 2019 2:08:17 PM
To: lithnet/ad-password-protection <ad-password-protection@noreply.github.com>
Cc: Aaron Galbraith <Aaron.Galbraith@bcidaho.com>; Mention <mention@noreply.github.com>
Subject: [EXTERNAL] Re: [lithnet/ad-password-protection] Add support for calling the HIBP API (#18)
Would it be possible to have it fail back to an offline copy whenever the API is down?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub [github.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_lithnet_ad-2Dpassword-2Dprotection_issues_18-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAMOBT3WMTVVLOADH4R2LH3LQRHSTDA5CNFSM4IFRO2JKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECVTDHI-23issuecomment-2D548090269&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=8BRXRiQ-QaNFZrujv0QvOdBhc7xRGzSKGmeyL-ZMQ7Y&s=uq7aIbzT3Pg0r4qgxncxZUvSDgiqW4x29QhEQFqv0nc&e=>, or unsubscribe [github.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AMOBT3VVZPVD7TJDPOMRNODQRHSTDANCNFSM4IFRO2JA&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=8BRXRiQ-QaNFZrujv0QvOdBhc7xRGzSKGmeyL-ZMQ7Y&s=U3qOICX7CdzVLkIyNWnP65ZUMmEwkgOS8K6EWIWjOZs&e=>.
----------------------------------------------------------------------
NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Blue Cross of Idaho, 3000 E. Pine Ave, Meridian, ID 83642
----------------------------------------------------------------------
This Message Was Secured With The BCI PPS Email System
|
|
The HIBP module is just another policy module, so you can have local store enabled at the same time as HIBP. You can choose if you want a HIBP failure to result in the password being rejected, or passing (fail open/closed). |
|
But does the module consider a hit in HIBP and a inability to contact HIBP both a equal "failure"?
…________________________________
From: Ryan Newington <notifications@github.com>
Sent: Wednesday, October 30, 2019 9:34:14 PM
To: lithnet/ad-password-protection <ad-password-protection@noreply.github.com>
Cc: Aaron Galbraith <Aaron.Galbraith@bcidaho.com>; Mention <mention@noreply.github.com>
Subject: [EXTERNAL] Re: [lithnet/ad-password-protection] Add support for calling the HIBP API (#18)
The HIBP module is just another policy module, so you can have local store enabled at the same time as HIBP. You can choose if you want a HIBP failure to result in the password being rejected, or passing (fail open/closed).
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub [github.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_lithnet_ad-2Dpassword-2Dprotection_issues_18-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAMOBT3VBKU5H6M7PWXEZ67LQRJG3NA5CNFSM4IFRO2JKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOECWOTZQ-23issuecomment-2D548202982&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=xUrpcrf2fBUFgkbDXb3lpG2Y98hYTSLRkErzp0dRfdQ&s=PUf5LKaNQ2qQHi-3o8mo6MUh27hFLZwsi9a9ogNE7AU&e=>, or unsubscribe [github.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AMOBT3QKOIKAG63K3W2SKYDQRJG3NANCNFSM4IFRO2JA&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=xUrpcrf2fBUFgkbDXb3lpG2Y98hYTSLRkErzp0dRfdQ&s=8UqYHo9blxBJt5xadud5sRlsiZ2VscsMnbhWOtTz0Qg&e=>.
----------------------------------------------------------------------
NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Blue Cross of Idaho, 3000 E. Pine Ave, Meridian, ID 83642
----------------------------------------------------------------------
This Message Was Secured With The BCI PPS Email System
|
|
A positive or negative password test result is different from a failure processing the request such as in the case that the api is not available. Being 'more expensive' the hibp API call is processed last in the chain, so the password would need to be approved by the on prem module first anyway to even get there. So if the on prem passed it, and the hibp api failed, you can choose to allow the password, or reject it. |
|
Ah, that makes perfect sense. |
|
Just to solidify my understanding (and I apologize Ryan, I meant to test it sooo much sooner) Is it true that we can operate in any one of these three “models”
Note: Honestly I think most admins who want #2, would still benefit from a small, organizational propriety On Prem (without the massive imports) and then HIBP API (if so that would be #3) I know that If Model 2) “API Only” I assume, based on your latest feedback, that in Model 3) “BOTH” If the password is NOT in Local “Evil Password” store, we query HIBP Password API Aaron • As far as **Hit Counts from HIBP we almost went with Rare was 2-3, and then common is 4+, but wanted a bit more data. (either range is valuable, the point is hit counts are valuable for Support Staff, communication, education, risk metrics, etc.) |
|
Each password check type (regex, hibp, banned word, length, complexity, etc) is an independent module. Each is processed one at a time in 'general' order of processing speed. For example, the password length check is faster than regex check, so that happens first. Each module has the opportunity to reject the password, and each have their own specific event id codes. The HIBP module appears last in the list, as it is the most expensive. If you choose to enable the option in group policy to allow the password change on a hibp failure, a specific event code is logged for this condition. If you don't enable the GPO setting for this, the password will be rejected. As HIBP is called last, all other modules need to approve the password before it gets here. I can't remember if the hit counts are logged. I think it does. I've been debating including this feature or not in a new api standard we are proposing. It's increases the data transfer amount by an non-trivial amount, for no tangible security benefit. Happy to hear thoughts on this though. |
|
Didn't mean to close the issue. Fat-fingered on mobile view. |
|
Is this any closer to being in the release channel? |
|
Unless I am misunderstanding something here, adding a call for the new NTLM mode would enhance things as well. The sha1 HIBP isn't the same as the NTLM HIBP lists by the nature of either being OWFs and depending on the raw sources? If I am correct, than having the sha1 API is actually adding more protection too. NVM I was incorrect - https://twitter.com/troyhunt/status/1635727629021237248 |
No description provided.
The text was updated successfully, but these errors were encountered: