How to protect your ADFS from password spraying attacks

A password spraying attack is a specialized password attack commonly used by attackers that is reasonably effective and helps avoid detection by traditional password defenses. Instead of trying many different passwords on a single user account, the password spraying attack may try one or two common passwords across many different accounts and services.

It may even span across many different organizations. It’s one of the top ten most common password attacks happening now.

In this type of attack, the hacker picks passwords commonly used by end-users or found on breached password dumps. Password spraying attacks help avoid detection by many available traditional security monitoring solutions since the attack pattern looks similar to normal failed login attempts.

The attempts do not lock out accounts or trigger other monitoring thresholds since there are only a few attempts for each user.

Password spraying is all about playing the odds—attackers know if they spray common passwords across thousands of accounts, most likely, they will have a few successes in users that have easy-to-guess passwords like these recently found in the 2022 Weak Password Report from Specops.

Your ADFS at risk

Organizations using Active Directory Federation Services (ADFS) will have an Active Directory Domain Services infrastructure that typically uses the traditional ADDS password and account lockout policies. In addition, most organizations will have an account lockout policy that triggers after 3-5 unsuccessful login attempts, locking the user account.

Password spraying stays under this threshold for the targeted user accounts to not trigger an account lockout.

Stolen account passwords provide the "path of least resistance" into a victim network for an attacker. Once compromised credentials are obtained, the attacker can easily access business-critical systems with little effort.

ADFS is a solution that allows federating identity and access management and sharing entitlement and authorization rights across enterprise boundaries.

Threat actors may use these initial successful password spraying victims to comb through emails, look for additional contacts, sensitive information, privileged information, or send phishing links to others in the organization.

Companies often use ADFS IAM between on-premises and cloud environments and provide single sign-on for business-critical resources across infrastructure boundaries.

So how can organizations protect their ADFS environment from password attacks, including password spraying and other threats that attempt to steal and compromise credentials?

Protecting an ADFS from password spraying attacks

Microsoft recommends a multi-tiered approach for securing your ADFS environment from password spraying and other types of password attacks. The recommended security protections apply three levels of security, including:

• Baseline
• Protect your extranet
• Move to passwordless for extranet access

  1. Baseline

One of the first recommendations from Microsoft is to run ADFS 2016, which is also known as AFFS 4.0.

With ADFS 2016 you can implement extranet smart lockout. Extranet smart lockout protects users from account lockouts from malicious activity.

It does this by differentiating from sign-in attempts from a familiar location for user sign-in attempts and those coming from malicious activity.

This protection may trigger even one or two unusual log-in attempts which could foil a password sprayer sooner.

  2. Protect your extranet

Protecting your extranet using ADFS involves using modern authentication with mobile clients as well as using multi-factor authentication (MFA) to secure all extranet access. Modern devices and email clients can use authentication protocols for connecting to your ADFS federated extranet.

MFA can be used with Conditional Access Policies in Azure AD to provide a robust security context around user logins for added protection from these types of attacks.

  3. Move to passwordless for extranet access

Getting rid of passwords altogether obviously reduces the risk posed to user passwords significantly. Microsoft offers several passwordless technologies, including:

• Windows 10 & 11 Hello for Business
• MDM-managed devices can take advantage of certificate-based logons
• Azure MFA OTP

However, many organizations might find that passwordless authentication isn’t mature enough to replace passwords in their environments just yet.

As we saw when Microsoft all but abandoned Active Directory for Azure Active Directory, Microsoft pushing passwordless means passwords themselves are more vulnerable than ever. As we see Microsoft shift focus away from the number one authentication method in the market, organizations can be more vulnerable without a reliable solution.

Rather than jump to technology that might not be able to deliver on the hype, organizations should focus on protecting their current authentication methods and make use of simple strategies like multiple factors, blocking known breached passwords and encouraging the use of passphrases.

Extra security with Specops Password Policy

One of the significant weak points in traditional enterprise datacenter password security is the outdated password policies found in Active Directory Domain Services password policies that allow for easy-to-crack passwords to run rampant throughout an organization.

Unfortunately, the ADDS password policy is not designed for the modern password challenges facing organizations today, including password spraying attacks and dangerous end-user behaviors such as incrementing passwords.

Specops Password Policy is a robust password policy solution built on the Group Policy engine in Active Directory. It enables organizations to overcome the limitations of native Active Directory Password Policy capabilities. Specops protects against known breached passwords and newly discovered passwords using brute force or other password spraying attacks.

The continuous Specops Breached Password Protection uses Specops own network of honeypots worldwide that capture breached password data. This data is then fed back into Specops Breached Password Protection and, by extension, Specops Password Policy.

It’s a good idea to have an additional layer of security protecting your ADFS and Specops Password Policy does just that. You can test out Specops in your AD for free, anytime.

Sponsored and written by Specops.