ASD's Blueprint for Secure Cloud

Authentication Hardening

This page provides a template and guidance to assist organisations in documenting their approach to authentication hardening associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Due to the number of applicable controls in ASD’s Guidelines for System Hardening, guidance on system hardening has been split into its five sections for the purpose of this SSP.

Authentication hardening

Applicability

This section of the SSP is applicable to the hardening of authentication methods within the system boundary of <SYSTEM-NAME>.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

<SYSTEM-NAME> provides a central identity store that governs and grants all user access prior to accessing <SYSTEM-NAME> resources. Users are assigned specific user roles according to their business requirements.

Credentials for Break Glass Accounts, local administrator accounts and service accounts are required to be a minimum of 30 characters, uniquely and unpredictably generated, and managed in accordance with the <SYSTEM-NAME> System Administration Process and Procedures, including ensuring that all service accounts are created as Managed Service Accounts.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for authentication hardening within <SYSTEM-NAME>’s are configured with reference to ASD’s Blueprint for Secure Cloud and includes the following technical configurations.

Microsoft Entra ID is configured as the central store for identity and access management within <SYSTEM-NAME>, acting as central management for user authentication and authorisation to various Single Sign On (SSO), including as for access to <SYSTEM-NAME> Windows endpoints. Notably, Entra ID implements SAML 2.0, OpenID Connect, and WS-Federation for authentication and authorisation to Microsoft applications and services, with legacy authentication methods disabled.

Technical controls are implemented according to the relevant ISM control topics listed below:

Authenticating to Systems:Microsoft Entra ID is configured to require all users to be authenticated before granting access
Insecure Authentication Methods:legacy authentication methods are disabled
Multi-factor and Single Factor Authentication Methods:Microsoft Entra ID MFA is enforced for all standard and privileged users accessing Microsoft 365 services
Microsoft Entra ID MFA requires Microsoft Entra ID password and Microsoft Authenticator app (either acceptance of push notification or entry of OTP)
Entra ID password/passphrase complexity enforces a minimum of least 4 random words with a total minimum length of 14 characters
none of the authentication factors on their own can be used for single-factor authentication to another system
all authentication attempts are logged in Microsoft Entra ID Sign-ins
Microsoft Entra ID logs are forwarded to a Log Analytics workspace for long-term secure retention
single factor authentication is disabled for all user accounts
Setting and Changing Credentials, including for Break Glass Accounts, Local Administrator Accounts and Service Accounts:these control topics relate solely to processes and procedures described above
Protecting Credentials:standard Windows & iOS functionality is to obscure passwords during logon
Windows Defender Credential Guard is enabled for <SYSTEM-NAME> Windows endpoints
credentials are stored within Microsoft Entra ID
only one previous logon is cached for <SYSTEM-NAME> Windows endpoints
Account Lockouts:Microsoft Entra ID Smart Lockout is configured to lock account after five failed logon attempts
Session Termination, Session and Screen Locking, and Logon Banner:Intune is used to configure Windows and iOS endpoints with with logon banner that reminds users of their security responsibilities when accessing <SYSTEM-NAME> and its resources, and with native screen lock function after 15 minutes of activity

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

External documentation

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra