How to Implement Password Blacklisting in Active Directory Without Vendor Lock-In

by Lauren Ballejos, IT Editorial Expert

Key Points

  • Password Blacklisting Stops Spraying Attacks: Blocking known, reused, and company-specific passwords makes password spraying harder to pull off.
  • Active Directory Cannot Block Custom Passwords by Itself: On-prem Active Directory does not support custom banned password lists without help.
  • Entra ID Can Enforce Rules Without Owning the List: Microsoft Entra ID can block bad passwords while letting organizations keep control of what is on the list.
  • Keeping Your Own List Prevents Tool Lock-In: Having your own blacklist allows it to be reused across platforms while also preventing dependency on a single security product.
  • Blacklisting Works Best as Part of an Operational Process: Monitoring rejected passwords, enabling self-service resets, and updating lists after incidents keeps it effective over time.

Learning to create and implement password blacklisting in Active Directory is possible with the right combination of tools. This guide explains how you can create a banned password list that prevents your users from using easily guessable, common, or breached passwords.

What is a password spraying attack?

Creating a password blacklist or filter that prevents users from using banned passwords helps protect your organization from password spraying attacks. These attacks involve trying commonly used or easily guessable passwords, or passwords previously exposed in a breach. Attackers may attempt to access multiple federated accounts that use Active Directory credentials for a variety of cloud or privately hosted services.

A custom banned password list tailored to your organization goes further than generic lists: for example, you can prevent your company name and address from being used in passwords, and blacklist passwords that you know have been breached, disclosed, or shared (for example, when employees share user accounts).
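The pattern described above (a few common passwords tried once or twice against many accounts) is what a defender looks for in failed-logon data. The following is an added example, not code from the original post or from NinjaOne: it runs a simple spray detector over a constructed sample of failed-logon records. The comma-separated line format, the IP addresses and the account names are all made up for the illustration; the thresholds (five distinct accounts, at most three attempts each, within ten minutes) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records in "timestamp,source_ip,account"
# form (not real logs, not any product's event format). 203.0.113.7 touches
# six accounts once each within seconds, the spray pattern; 198.51.100.2 is
# one user retrying their own password and must not be flagged.
SAMPLE_LOG = """\
2024-05-01T08:00:01,203.0.113.7,alice
2024-05-01T08:00:03,203.0.113.7,bob
2024-05-01T08:00:05,203.0.113.7,carol
2024-05-01T08:00:07,203.0.113.7,dave
2024-05-01T08:00:09,203.0.113.7,erin
2024-05-01T08:00:11,203.0.113.7,frank
2024-05-01T08:05:00,198.51.100.2,alice
2024-05-01T08:05:10,198.51.100.2,alice
2024-05-01T08:05:20,198.51.100.2,alice
2024-05-01T08:05:30,198.51.100.2,alice
"""


def parse_failed_logons(text):
    """Parse the constructed CSV-style lines into sorted (time, source, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, account = line.split(",")
        events.append((datetime.fromisoformat(ts), source, account.lower()))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """Return {source: sorted accounts} for every source whose failures inside
    some `window` hit at least `min_accounts` distinct accounts with no more
    than `max_per_account` attempts against any one of them: few guesses per
    account, spread across many accounts."""
    by_source = defaultdict(list)
    for ts, source, account in events:
        by_source[source].append((ts, account))

    flagged = {}
    for source, attempts in by_source.items():
        attempts.sort()
        # Slide a window starting at each attempt and count distinct accounts.
        for i, (start, _) in enumerate(attempts):
            counts = defaultdict(int)
            for ts, account in attempts[i:]:
                if ts - start > window:
                    break
                counts[account] += 1
            if (len(counts) >= min_accounts
                    and max(counts.values()) <= max_per_account):
                flagged[source] = sorted(counts)
                break
    return flagged


if __name__ == "__main__":
    hits = detect_password_spray(parse_failed_logons(SAMPLE_LOG))
    for source, accounts in hits.items():
        print(f"possible spray from {source}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

The same logic applies to whatever source your RMM or SIEM exports (Windows failed-logon events, Entra sign-in logs); only the parser changes. Lockout-aware attackers keep attempts per account low, which is why the detector counts distinct accounts per source rather than failures per account.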

How to create an Active Directory password blacklist

Active Directory, when hosted on Windows domain controllers, does not support custom password blacklists on its own. Third-party products have traditionally filled this gap, but relying on them results in lock-in. Microsoft Entra ID is fast becoming the preferred way to manage enterprise authentication alongside Active Directory, thanks to its tight integration with Microsoft 365 and its improved cloud-based management tools, and it now includes password blacklisting functionality.

By using Microsoft Entra hybrid join to connect your on-premises Active Directory with Microsoft Entra ID, devices and users are synced across both services, and you can take advantage of the additional features offered by Entra ID. This includes custom password protection with the ability to define your own blocked password lists when you install the required agent on your Domain Controllers. You should also enable password writeback to sync password changes from Entra ID to your Active Directory infrastructure.

Avoiding lock-in by maintaining your own password list

You may also need to use your password blacklist on other platforms outside Active Directory or the Microsoft ecosystem, so it’s important to maintain your own copy to make it readily available for use. This can be done using your IT documentation platform.

It is imperative that your password blacklist is kept secure using encryption and access control, as it would give attackers valuable clues about which passwords to try in a password spraying attack. Ensure that your chosen IT documentation platform supports robust security and role-based access and allows for uploading encrypted files, so only the technicians who require access to read and update blacklists can do so.

Building an Active Directory password blacklist strategy

When deciding what should be in your banned password list, consider:

  • Breached, commonly used, and easily guessable passwords, along with trivial variants of these (such as appending a sequential number or date), and terms specific to your organization such as company or brand names and local slang.
  • Stay focused on the vulnerable passwords unique to your environment: avoid adding generic terms like ‘password’, since dictionary-style guesses should already be covered by your authentication provider and/or password complexity policy, and manually managing every possible weak password is an impossible task.
  • Normalize and de-duplicate password lists for manageability.
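To make the last two points concrete, here is an added example (not code from the original post, from NinjaOne, or from Microsoft's own Entra password evaluation) of normalizing and de-duplicating a raw list into a minimal set of banned stems, and of checking a candidate password against it so that trivial variants are caught. The raw entries, the company name "Contoso", the city name and the substitution table are constructed for the illustration; the minimum stem length of four characters is an assumption.

```python
import re

# Constructed sample of raw entries as they might be collected from incident
# notes and a breach export (not a real list). Keep entries in plain spelling:
# character substitutions are folded on the candidate side, not in the list.
RAW_ENTRIES = [
    "Contoso2024!", "contoso", "CONTOSO", "  Contoso  ", "ContosoRocks",
    "Seattle1", "seattle", "Welcome123", "welcome123", "",
]

# Common digit/symbol-for-letter substitutions, folded back to letters so
# that "C0ntos0" and "contoso" compare equal. Assumed table, not exhaustive.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "$": "s", "@": "a", "!": "i", "|": "l",
})

MIN_STEM_LEN = 4  # assumption: shorter stems would block far too many passwords


def fold(text):
    """Lowercase and undo common substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def strip_suffix(text):
    """Drop a trailing run of digits/symbols such as '2024!' or '123',
    which is how most 'trivial variants' of a banned word are formed."""
    return re.sub(r"[^a-z]+$", "", text.lower())


def build_blacklist(entries):
    """Normalize raw entries to stems, de-duplicate them, and prune any stem
    that already contains a shorter banned stem (redundant once matching is
    by substring). Returns a sorted, minimal list."""
    stems = {fold(strip_suffix(e.strip())) for e in entries}
    stems = {s for s in stems if len(s) >= MIN_STEM_LEN}
    minimal = [s for s in stems
               if not any(o != s and o in s for o in stems)]
    return sorted(minimal)


def is_banned(candidate, blacklist):
    """Return the banned stem found in the candidate, or None.
    Both the fully folded candidate and its suffix-stripped form are tested,
    so 'C0ntos0', 'Seattle2024!' and 'W3lc0me1' are all caught."""
    forms = {fold(candidate), fold(strip_suffix(candidate))}
    for stem in blacklist:
        if any(stem in form for form in forms):
            return stem
    return None


if __name__ == "__main__":
    banned = build_blacklist(RAW_ENTRIES)
    print("minimal list:", banned)  # ['contoso', 'seattle', 'welcome']
    for pw in ["C0ntos0", "Seattle2024!", "W3lc0me1", "Correct-Horse-Battery"]:
        print(f"{pw!r}: {is_banned(pw, banned) or 'allowed'}")
```

Keeping the stored list to plain-spelled stems is what keeps it small and reusable on other platforms; the folding and suffix stripping live in the checker, so one short list covers the capitalization, year-suffix and leetspeak variants without listing each one.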

You should periodically review your password list, especially after a breach, to ensure any disclosed passwords are covered.

How to ensure that your Active Directory banned password list is effective

Users should be encouraged to reset their own passwords through the Entra ID self-service web interface so that their passwords are updated across federated services as quickly as possible. If it becomes known that an easily guessed password is being used by multiple users, a breach has occurred, or accounts are being shared, password resets should be forced after updating the password blacklist to make sure all accounts are using new, secure passwords.

Microsoft Entra ID allows you to monitor for password rejections. This can be combined with your remote monitoring and management (RMM) solution to identify users who are struggling to set a new password so that a support technician can proactively reach out to them. Keep your help desk staff informed of password policies and changes, so that they have the information they need to quickly assist users.
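The two operational signals described in this section, users who keep getting rejected (help-desk outreach) and banned terms that many different users attempt (a hint that the term was already in circulation and a forced reset may be warranted), can both be derived from rejection records. The following is an added example, not code from the original post, from NinjaOne, or from Microsoft: it parses a constructed key=value log (not the real format of Entra ID or the DC agent events) and computes both lists. User names, terms and thresholds are constructed or assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed password-set audit log, one attempt per line (invented format
# for this example; map your real export into the same fields).
REJECTION_LOG = """\
2024-05-02T09:00:00Z user=alice result=rejected reason=custom-list term=contoso
2024-05-02T09:00:40Z user=alice result=rejected reason=custom-list term=contoso
2024-05-02T09:01:15Z user=alice result=rejected reason=global-list term=welcome
2024-05-02T09:02:00Z user=alice result=accepted
2024-05-02T09:10:00Z user=bob result=rejected reason=custom-list term=contoso
2024-05-02T09:11:00Z user=bob result=accepted
2024-05-02T09:20:00Z user=carol result=rejected reason=custom-list term=contoso
2024-05-02T09:21:00Z user=carol result=rejected reason=custom-list term=seattle
2024-05-02T09:22:00Z user=carol result=rejected reason=global-list term=password
2024-05-02T09:23:00Z user=carol result=rejected reason=custom-list term=seattle
2024-05-02T09:30:00Z user=dave result=accepted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+) term=(?P<term>\S+))?$"
)


def parse_rejections(text):
    """Parse the constructed lines into dicts; accepted lines carry no reason/term."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def users_needing_help(records, threshold=3):
    """Users with at least `threshold` rejected attempts: candidates for a
    proactive help-desk ticket raised through the RMM integration."""
    counts = Counter(r["user"] for r in records if r["result"] == "rejected")
    return sorted(u for u, n in counts.items() if n >= threshold)


def widely_tried_terms(records, min_users=3):
    """Banned terms attempted by at least `min_users` distinct users, i.e.
    guessable passwords that were probably already in use before the list
    was updated; review whether a forced reset is needed."""
    users_by_term = defaultdict(set)
    for r in records:
        if r["result"] == "rejected" and r["term"]:
            users_by_term[r["term"]].add(r["user"])
    return sorted((t, len(u)) for t, u in users_by_term.items()
                  if len(u) >= min_users)


if __name__ == "__main__":
    recs = parse_rejections(REJECTION_LOG)
    print("outreach:", users_needing_help(recs))        # ['alice', 'carol']
    print("widely tried:", widely_tried_terms(recs))     # [('contoso', 3)]
```

Thresholds are deliberately low here so the sample triggers; in production, tune them per site and feed the two lists into your ticketing or RMM tool rather than printing them.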

Monitor for password spray attacks and secure password blacklists with NinjaOne

NinjaOne’s suite of IT management tools integrates with on-premises Windows deployments, with Microsoft 365 and Azure tools such as Entra ID, and with endpoint protection and security platforms. It includes RMM, MDM, and endpoint security solutions, along with help desk and documentation platforms. This gives you what you need to automate and monitor the detection and blocking of password spray attacks, securely document password blacklists, and keep users informed of password policies.
