mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 14:57:23 +00:00
Windows/Security: update passwordless-strategy.md
- Grammar corrections - Simplification of double spacing between sentences - Typo corrections - Removal of trailing spaces Closes #3959
This commit is contained in:
illfated
parent
692c9521cc
commit
a2d96c43e0
@ -25,9 +25,9 @@ Over the past few years, Microsoft has continued their commitment to enabling a
|
|||||||
|
|
||||||
|
|
||||||
### 1. Develop a password replacement offering
|
### 1. Develop a password replacement offering
|
||||||
Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory.
|
Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
|
||||||
|
|
||||||
Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
Deploying Windows Hello for Business is the first step towards password-less. Windows Hello for Business deployed coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
||||||
|
|
||||||
### 2. Reduce user-visible password surface area
|
### 2. Reduce user-visible password surface area
|
||||||
With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
|
With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
|
||||||
@ -121,25 +121,25 @@ You will want to balance testing in a lab with providing results to management q
|
|||||||
The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
|
The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
|
||||||
|
|
||||||
1. Password-less replacement offering (Step 1)
|
1. Password-less replacement offering (Step 1)
|
||||||
1. Identify test users that represent the targeted work persona.
|
1. Identify test users representing the targeted work persona.
|
||||||
2. Deploy Windows Hello for Business to test users.
|
2. Deploy Windows Hello for Business to test users.
|
||||||
3. Validate password and Windows Hello for Business work.
|
3. Validate that passwords and Windows Hello for Business work.
|
||||||
2. Reduce User-visible Password Surface (Step 2)
|
2. Reduce User-visible Password Surface (Step 2)
|
||||||
1. Survey test user workflow for password usage.
|
1. Survey test user workflow for password usage.
|
||||||
2. Identify password usage and plan, develop, and deploy password mitigations.
|
2. Identify password usage and plan, develop, and deploy password mitigations.
|
||||||
3. Repeat until all user password usage is mitigated.
|
3. Repeat until all user password usage is mitigated.
|
||||||
4. Remove password capabilities from the Windows.
|
4. Remove password capabilities from Windows.
|
||||||
5. Validate **all** workflows do not need passwords.
|
5. Validate that **none of the workflows** need passwords.
|
||||||
3. Transition into a password-less (Step 3)
|
3. Transition into a password-less (Step 3)
|
||||||
1. Awareness campaign and user education.
|
1. Awareness campaign and user education.
|
||||||
2. Including remaining users that fit the work persona.
|
2. Including remaining users that fit the work persona.
|
||||||
3. Validate **all** users of the work personas do not need passwords.
|
3. Validate that **none of the users** of the work personas need passwords.
|
||||||
4. Configure user accounts to disallow password authentication.
|
4. Configure user accounts to disallow password authentication.
|
||||||
|
|
||||||
After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process.
|
After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process.
|
||||||
|
|
||||||
### Password-less replacement offering (Step 1)
|
### Password-less replacement offering (Step 1)
|
||||||
THe first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
|
The first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
|
||||||
|
|
||||||
#### Identify test users that represent the targeted work persona
|
#### Identify test users that represent the targeted work persona
|
||||||
A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
|
A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
|
||||||
@ -152,7 +152,7 @@ With the Windows Hello for Business infrastructure in place, you can limit Windo
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
|
> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
|
||||||
|
|
||||||
#### Validate password and Windows Hello for Business work
|
#### Validate that passwords and Windows Hello for Business work
|
||||||
In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
|
In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
|
||||||
|
|
||||||
### Reduce User-visible Password Surface (Step 2)
|
### Reduce User-visible Password Surface (Step 2)
|
||||||
@ -191,12 +191,12 @@ Mitigating password usage with applications is one or the more challenging obsta
|
|||||||
|
|
||||||
The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
|
The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
|
||||||
|
|
||||||
Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authenticate.
|
Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication.
|
||||||
|
|
||||||
#### Repeat until all user password usage is mitigated
|
#### Repeat until all user password usage is mitigated
|
||||||
Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance.
|
Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance.
|
||||||
|
|
||||||
#### Remove password capabilities from the Windows
|
#### Remove password capabilities from Windows
|
||||||
You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password.
|
You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password.
|
||||||
|
|
||||||
Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
|
Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
|
||||||
@ -224,8 +224,8 @@ The name of the policy setting is **Exclude credential providers**. The value to
|
|||||||
|
|
||||||
Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
|
Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
|
||||||
|
|
||||||
#### Validate all workflows do not need passwords
|
#### Validate that none of the workflows need passwords
|
||||||
This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well.
|
This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well.
|
||||||
|
|
||||||
### Transition into a password-less deployment (Step 3)
|
### Transition into a password-less deployment (Step 3)
|
||||||
Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success.
|
Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success.
|
||||||
@ -238,7 +238,7 @@ An awareness campaign is introduces the users to the new way of authenticating t
|
|||||||
#### Including remaining users that fit the work persona
|
#### Including remaining users that fit the work persona
|
||||||
You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment.
|
You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment.
|
||||||
|
|
||||||
#### Validate **all** users of the work personas do not need passwords.
|
#### Validate that none of the users of the work personas need passwords
|
||||||
You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment.
|
You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment.
|
||||||
|
|
||||||
Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are:
|
Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are:
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user