Custom Banned Password List Configured (Organization-Specific Terms)

💼 Management Summary

Configuring a custom banned password list with organization-specific terms (company name, product names, locations) prevents users from choosing weak, predictable passwords based on publicly known information, which makes password spraying and targeted credential attacks harder.

Recommendation: Implement
Risk without implementation: High
Risk Score: 7/10
Implementation effort: 3h (tech: 1h)
Applies to: M365, Azure AD, Entra ID

Azure AD's global banned password list contains 1000+ common weak passwords (Password123, Welcome1, etc.) that are blocked automatically. On its own this is INSUFFICIENT, because:

  1. ORGANIZATION-SPECIFIC PREDICTABLE PASSWORDS: attackers guess passwords such as CompanyName2024!, ProductName123, CityName@2024, DepartmentPassword1, TeamName2024.
  2. TARGETED ATTACKS: password spraying with organization-specific dictionaries (company name + year + symbol), social engineering in which the attacker uses company information, OSINT (Open Source Intelligence) gathering of company names, products and locations.
  3. PUBLIC INFORMATION EXPLOITATION: analysis of the company website for product/service names, LinkedIn for employee names/departments, press releases for corporate terms.

Real-world password analysis shows that 40%+ of users pick passwords containing the company name (when it is not banned), that seasonal passwords (Winter2024!, Zomer2024!) are extremely common, and that location-based passwords (Amsterdam123!) are very popular.

A custom banned list blocks these predictable patterns by covering: the organization name and its variations (Contoso, CONTOSO, Cont0s0), product/service names (Product1, ProductX, ServiceName), common company terms (Helpdesk, Support, Admin, User, Employee), location names (Amsterdam, Rotterdam, Hoofdkantoor), seasonal terms (Lente, Zomer, Herfst, Winter, Summer, etc.) and weak generic terms (Welcome, Password, Wachtwoord, Login).

Azure AD Password Protection uses smart matching: case-insensitive (contoso, Contoso and CONTOSO are all blocked), character-substitution detection (C0nt0s0 is blocked as Contoso through leet-speak matching) and fuzzy matching for variations. This prevents creative evasions in which users try to get around banned terms with substitutions.

PowerShell Modules Required
Primary API: Azure Portal (manual configuration)
Connection: N/A
Required Modules:

Implementation

The custom banned password list is configured in the Azure AD Password Protection settings through the Azure Portal (NOT via the Graph API; manual configuration is REQUIRED).

Configuration:

  1. Navigate: Azure Portal → Azure AD → Security → Authentication methods → Password protection
  2. Custom banned password list: add terms (one per line), maximum 1000 terms, minimum 4 characters per term
  3. Mode: Enforced (blocks passwords) or Audit (logs but allows)
  4. Scope: cloud-only Azure AD users, plus optionally on-premises AD (requires the Azure AD Password Protection proxy)

RECOMMENDED custom term categories:

  1. Organization identity: company name and variations, subsidiaries, parent company, brands/trademarks
  2. Products/services: product names, service offerings, project codenames
  3. Locations: office cities, countries, building names
  4. Common internal terms: department names (IT, Finance, HR), team names, common job titles
  5. Weak patterns: seasonal terms (seasons, months), generic terms (Welcome, Password, Admin, User), numeric sequences (12345, 123456, etc.)

Enforcement: the custom list is combined with the global banned list (additive). A user who changes or creates a password containing a banned term receives the error 'Your password can't contain words, phrases, or patterns that make it easy to guess' and must choose an alternative password without banned terms.

Best practice: start with the 10-20 most obvious terms, expand the list based on HaveIBeenPwned breach analysis, review quarterly and add new predictable patterns, and balance security (a comprehensive list) against usability (not too restrictive).

Requirements

The following prerequisites apply to configuring custom banned passwords:

  1. Azure AD Premium P1 license (REQUIRED for the custom banned password list)
  2. Global Administrator or Authentication Policy Administrator role
  3. Organization information gathering:
     - Official company name + all variations/abbreviations
     - Product and service names (marketing, technical)
     - Office locations (cities, building names)
     - Subsidiary/brand names
     - Common internal terminology
  4. Breach analysis: HaveIBeenPwned organizational domain search (leaked password patterns)
  5. User communication: explain why certain terms are banned (security awareness)
  6. Testing: verify that users can still create strong passwords (not over-restricted)

Implementation Steps

STEP 1: Gather organization-specific terms (CRITICAL planning):

  1. Company names: official name, legal entity names, DBA names, acronyms/abbreviations
  2. Products: all product names, service offerings, project codenames
  3. Locations: office cities (Amsterdam, Rotterdam, etc.), building names
  4. Common terms: department names, team names, internal jargon
  5. Weak patterns: seasonal (Lente, Zomer, Winter), numbers (12345), keyboard walks (Qwerty)
  6. Total: aim for 10-30 terms (comprehensive but not excessive)

STEP 2: Configure via the Azure Portal (manual; not available via the Graph API):

Use the PowerShell script custom-banned-passwords.ps1 (function Invoke-Monitoring); it prints manual verification instructions, since the Graph API does not expose the banned list.

  1. Azure Portal → Azure Active Directory → Security → Authentication methods
  2. Select 'Password protection'
  3. Mode: Enforced (RECOMMENDED); passwords containing banned terms are REJECTED
     - Alternative: Audit mode (test phase; logs but allows)
  4. Enforce custom list: Yes
  5. Custom banned password list: add terms, one per line:
     Contoso
     ContosoPharmaceuticals
     Amsterdam
     Rotterdam
     Lente
     Zomer
     Herfst
     Winter
     Welcome
     Wachtwoord
     Password
     Admin
     Support
     [... continue with organization-specific terms]
  6. Enable password protection for Windows Server Active Directory: Yes (if hybrid)
  7. Save configuration
  8. Testing: try creating a password with a banned term → it should be rejected

STEP 3: Testing and validation:

  1. Test a user password change: try 'CompanyName2024!' → should be rejected
  2. Test variations: try 'C0mpanyN@me2024' → should be rejected (smart matching)
  3. Test an allowed password: try 'RandomPhrase!ComplexPassword2024' → should be accepted
  4. Verify the mode: Enforced (blocks) vs Audit (logs only)
  5. Monitor: event logs for banned password attempts (security awareness metric)
  6. User feedback: are users able to create acceptable passwords? (not over-restricted)
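The smart matching described in the background section and the STEP 3 test strings can be previewed offline before switching from Audit to Enforced. The PowerShell below is an added example (not part of the baseline's custom-banned-passwords.ps1 and not Microsoft's code) that reproduces the evaluation Microsoft documents for Password Protection: normalization, edit-distance-1 matching and the five-point score. The function names and the sample term list are constructed for this illustration.

```powershell
# Added example, not part of the baseline script. Follows the evaluation Microsoft
# documents for Azure AD / Entra ID Password Protection:
#   1. normalize the password: lowercase, then 0->o, 1->l, $->s, @->a
#   2. find banned terms in it, exact or within edit distance 1 (fuzzy match)
#   3. score: 1 point per banned term found, 1 point per remaining character;
#      fewer than 5 points means the password is rejected.
# Only the custom terms supplied here are applied. The real service also applies
# the global list and the user's name/tenant name, so the portal is authoritative.

function Get-NormalizedPassword {
    param([string]$Password)
    $map = @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a' }
    return (-join ($Password.ToLowerInvariant().ToCharArray() | ForEach-Object {
        if ($map.ContainsKey("$_")) { $map["$_"] } else { "$_" } }))
}

function Test-WithinOneEdit {
    # True when $Candidate equals $Term or differs by one substitution, insertion or deletion.
    param([string]$Candidate, [string]$Term)
    if ($Candidate -eq $Term) { return $true }
    if ([math]::Abs($Candidate.Length - $Term.Length) -gt 1) { return $false }
    if ($Candidate.Length -eq $Term.Length) {
        $mismatches = 0
        for ($i = 0; $i -lt $Term.Length; $i++) {
            if ($Candidate[$i] -ne $Term[$i]) { $mismatches++ }
        }
        return ($mismatches -le 1)
    }
    # Lengths differ by one: walk both strings, allowing a single skip in the longer one.
    $long = $Candidate; $short = $Term
    if ($Term.Length -gt $Candidate.Length) { $long = $Term; $short = $Candidate }
    $i = 0; $j = 0; $skipped = $false
    while ($i -lt $long.Length -and $j -lt $short.Length) {
        if ($long[$i] -eq $short[$j]) { $i++; $j++ }
        elseif ($skipped) { return $false }
        else { $skipped = $true; $i++ }
    }
    return ($j -eq $short.Length)   # every character of the shorter string was consumed
}

function Test-CustomBannedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$BannedTerms,
        [int]$MinimumScore = 5
    )
    # The portal requires at least 4 characters per term and matches case-insensitively,
    # so normalize the list like the password; CONTOSO and C0nt0s0 collapse onto "contoso".
    $terms = @($BannedTerms | ForEach-Object { Get-NormalizedPassword -Password $_.Trim() } |
               Where-Object { $_.Length -ge 4 } | Select-Object -Unique |
               Sort-Object -Property Length -Descending)
    $normalized = Get-NormalizedPassword -Password $Password
    $score = 0; $pos = 0
    $found = [System.Collections.Generic.List[string]]::new()
    while ($pos -lt $normalized.Length) {
        $hit = $null
        :termLoop foreach ($t in $terms) {
            # exact length first, then the two fuzzy window sizes
            foreach ($len in @($t.Length, $t.Length - 1, $t.Length + 1)) {
                if ($len -lt 4 -or $pos + $len -gt $normalized.Length) { continue }
                if (Test-WithinOneEdit -Candidate $normalized.Substring($pos, $len) -Term $t) {
                    $hit = @{ Term = $t; Len = $len }; break termLoop
                }
            }
        }
        if ($hit) { $found.Add($hit.Term); $pos += $hit.Len }  # whole banned term = 1 point
        else      { $pos++ }                                  # ordinary character = 1 point
        $score++
    }
    $verdict = if ($score -ge $MinimumScore) { 'Accepted' } else { 'Rejected' }
    [pscustomobject]@{
        Password = $Password; Normalized = $normalized
        BannedTermsFound = ($found -join ', '); Score = $score; Result = $verdict
    }
}

# Constructed inputs: the STEP 2 example terms (plus two redundant variants) and
# test strings in the style of STEP 3.
$customList = @('Contoso', 'CONTOSO', 'C0nt0s0', 'ContosoPharmaceuticals', 'Amsterdam',
                'Rotterdam', 'Lente', 'Zomer', 'Herfst', 'Winter', 'Welcome',
                'Wachtwoord', 'Password', 'Admin', 'Support')
@('Contoso2024!', 'C0nt0s0@2024', 'Amsterdam123!', 'Zomer!', 'W1nterAdmin',
  'RandomPhrase!ComplexPassword2024') |
    ForEach-Object { Test-CustomBannedPassword -Password $_ -BannedTerms $customList } |
    Format-Table Password, Normalized, BannedTermsFound, Score, Result -AutoSize
```

Under this scoring a banned term followed by a four-digit year and a symbol still collects five points from the remaining characters, which is why the custom list is only effective together with length and complexity requirements, as the management summary also states.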

STEP 4: Rollout and communication:

  1. User communication: email explaining the new password restrictions
  2. Awareness: why the company name in a password is weak (predictable, targetable)
  3. Alternatives: suggest a passphrase approach (RandomWord1-RandomWord2-RandomWord3)
  4. Helpdesk preparation: train on the banned password policy (why certain terms are rejected)
  5. Monitor: track helpdesk password-related tickets (a spike is expected initially and should normalize)

Monitoring

Use the PowerShell script custom-banned-passwords.ps1 (function Invoke-Monitoring) for guidance on manual verification (the Graph API does not expose the banned list).

Continuous monitoring:

  1. Azure Portal verification: Security → Authentication methods → Password protection
     - Verify that Mode is Enforced
     - Verify that the custom list contains appropriate terms
  2. Azure AD audit logs: PasswordProtectionAudit events
     - Event: user attempted a banned password → rejected
     - Metric: how many banned password attempts? (security awareness indicator)
  3. Breach monitoring: HaveIBeenPwned organizational domain monitoring
     - Do any leaked passwords match organizational patterns?
     - Add new predictable patterns to the banned list
  4. Quarterly review: update the banned list
     - New products/services launched? (add to the list)
     - Company rebranded? (add new name variations)
     - Breach analysis shows new weak patterns? (add them)
  5. User feedback: excessive restrictions? (balance security vs usability)

Remediation

Use the PowerShell script custom-banned-passwords.ps1 (function Invoke-Remediation) to remediate.

If the custom banned list is NOT configured:

  1. IMMEDIATE: configure the custom banned list via the Azure Portal (follow the implementation steps)
  2. RISK: users can currently use predictable organization-based passwords
  3. ANALYSIS: query HaveIBeenPwned for the organizational email domain → identify leaked password patterns
  4. LIST CREATION: compile a comprehensive banned terms list (10-30 terms)
  5. IMPLEMENT: configure the list in the Password protection settings
  6. MODE: start with Audit (log only) for 1-2 weeks → review the logs → switch to Enforced
  7. COMMUNICATE: warn users about the upcoming password restrictions
  8. FORCE CHANGE: consider requiring a password reset after the banned list is implemented (enforce strong passwords)

If Mode is Audit (it should be Enforced):

  1. Audit mode is logging only, NO blocking (banned passwords are still allowed)
  2. Review the audit logs: how many users are choosing banned passwords?
  3. Communication: prepare users for enforcement (these passwords will be rejected)
  4. Switch to Enforced: Password protection → Mode: Enforced
  5. Impact: users whose current password contains a banned term are forced to change it at their next password expiry

Compliance and Auditing

Custom banned passwords are essential for password security compliance:

  1. CIS Microsoft 365 Foundations Benchmark - control 1.1.4 (Ensure custom banned password lists are used)
  2. BIO 09.04.03 - Password management system - Password quality requirements
  3. ISO 27001:2022 A.9.4.3 - Password management system - Password quality enforcement
  4. NIS2 Article 21 - Cybersecurity risk management - Strong password requirements
  5. NIST SP 800-63B - Section 5.1.1.2 - Memorized secret verifiers (banned password lists)
  6. OWASP ASVS V2.1 - Password security requirements


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation); -Revert is accepted for consistency with the other baseline scripts but has no automated action, because the list is only manageable through the portal.

PowerShell
```powershell
<#
.SYNOPSIS
    Custom Banned Passwords
.DESCRIPTION
    Ensures custom banned password list is configured with organization-specific terms.
    Prevents users from using company name, product names, etc. in passwords.
.NOTES
    Filename: custom-banned-passwords.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Requires: Azure AD Premium P1
.EXAMPLE
    .\custom-banned-passwords.ps1 -Monitoring
    Check if custom banned passwords are configured
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,
    [Parameter(Mandatory = $false)]
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Custom Banned Passwords" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    # The custom banned list is not exposed by the Graph API, so this function can only
    # print the manual verification steps and exit 0 (checked) or 2 (error).
    try {
        Write-Host "⚠️ Custom banned password list is not accessible via Graph API" -ForegroundColor Yellow
        Write-Host "Manual verification required`n" -ForegroundColor Cyan
        Write-Host "To check:" -ForegroundColor Cyan
        Write-Host "  1. Azure Portal > Azure Active Directory" -ForegroundColor Gray
        Write-Host "  2. Security > Authentication methods" -ForegroundColor Gray
        Write-Host "  3. Password protection" -ForegroundColor Gray
        Write-Host "  4. Custom banned password list" -ForegroundColor Gray
        Write-Host "`nRecommended custom terms to ban:" -ForegroundColor Cyan
        Write-Host "  • Organization name and variations" -ForegroundColor Gray
        Write-Host "  • Product names" -ForegroundColor Gray
        Write-Host "  • Common terms (Welcome, Password, etc.)" -ForegroundColor Gray
        Write-Host "  • City/location names" -ForegroundColor Gray
        Write-Host "  • Seasonal terms (Summer2024, etc.)" -ForegroundColor Gray
        Write-Host "`nBest practices:" -ForegroundColor Cyan
        Write-Host "  • Add 10-20 custom banned terms" -ForegroundColor Gray
        Write-Host "  • Mode: Enforced (not Audit)" -ForegroundColor Gray
        Write-Host "  • Enable for on-premises AD if hybrid" -ForegroundColor Gray
        Write-Host "`n⚠️ Manual verification required" -ForegroundColor Yellow
        exit 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    # Remediation is likewise manual: print the portal steps and an example list.
    try {
        Write-Host "⚠️ Custom banned passwords must be configured via Azure Portal" -ForegroundColor Yellow
        Write-Host "`nSteps to configure:" -ForegroundColor Cyan
        Write-Host "  1. Azure Portal > Azure AD > Security" -ForegroundColor Gray
        Write-Host "  2. Authentication methods > Password protection" -ForegroundColor Gray
        Write-Host "  3. Mode: Enforced" -ForegroundColor Gray
        Write-Host "  4. Add custom banned terms (one per line):" -ForegroundColor Gray
        Write-Host "     - Your organization name" -ForegroundColor Gray
        Write-Host "     - Your product names" -ForegroundColor Gray
        Write-Host "     - Common weak terms" -ForegroundColor Gray
        Write-Host "  5. Save configuration" -ForegroundColor Gray
        Write-Host "`nExample banned list:" -ForegroundColor Cyan
        Write-Host "  Contoso" -ForegroundColor Gray
        Write-Host "  Welcome" -ForegroundColor Gray
        Write-Host "  Password" -ForegroundColor Gray
        Write-Host "  Summer" -ForegroundColor Gray
        Write-Host "  Winter" -ForegroundColor Gray
        Write-Host "  Spring" -ForegroundColor Gray
        Write-Host "  Fall" -ForegroundColor Gray
        Write-Host "  Admin" -ForegroundColor Gray
        Write-Host "  User" -ForegroundColor Gray
        Write-Host "  Company" -ForegroundColor Gray
        Write-Host "`n📝 Note: Requires Azure AD Premium P1" -ForegroundColor Cyan
        exit 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert implementation - requires manual implementation per control
        Write-Host "  Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

try {
    if ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    elseif ($Revert) { Invoke-Revert }
    else { Write-Host "Use: -Monitoring, -Remediation or -Revert" -ForegroundColor Yellow }
}
catch {
    throw
}
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
```

Risk Without Implementation

High: HIGH PASSWORD CRACKING RISK: without a custom banned list, users can use predictable organization-based passwords such as CompanyName2024!, ProductName123 and Amsterdam2024!. These passwords are the FIRST choice in password spraying attacks, and attackers use OSINT to build company-specific dictionaries. Recent breaches in which organization-based passwords were critical involved targeted password spraying against specific companies and credential stuffing with organization patterns. A custom banned list prevents these predictable password patterns. Cost: a successful password spray means account compromise → data breach (€200K - €2M on average).

Management Summary

Configure a custom banned password list with 10-30 organization-specific terms: company name, products, locations, departments, seasonal terms. This blocks predictable password patterns. Requires Azure AD Premium P1. Satisfies CIS 1.1.4 (L1), BIO 09.04, ISO 27001 A.9.4.3, NIST 800-63B. Mode: Enforced (not Audit). Implementation: 1-3 hours for term gathering and configuration. ESSENTIAL for password security; use it together with complexity/length requirements.