Password Management Checklist

Password Policy Enforcement

    Current NIST guidance: minimum 8 characters (15+ for privileged accounts), no forced periodic rotation, no composition rules, screening against known-breached password lists. If your Entra ID or AD policy still mandates 90-day rotation and special characters, update the policy and document the change for SOC 2 / ITGC evidence.

    Turn on Entra ID Password Protection (cloud + on-prem agent) or equivalent screening against the HIBP / Pwned Passwords list. Add a custom banned-list entry for company name, product names, and local sports teams — those dominate the helpdesk-reset tail.
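Added example (not Microsoft's or HIBP's code, and not from the original checklist) showing the three screening rules above in one function: the NIST length floor, a custom banned list matched after character normalization, and a breach check using the Pwned Passwords k-anonymity range protocol. The banned terms, the range response and its count are constructed; the normalization table is a simplified model of what Entra Password Protection does.

```python
import hashlib

# Constructed banned terms standing in for the org's company, product and team names.
CUSTOM_BANNED = ["contoso", "widgetpro", "wildcats"]
# Substitutions users apply to slip a banned word past a naive check; a simplified
# model of the normalization Entra Password Protection performs before matching.
_SUBS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l"})

def normalize(pw: str) -> str:
    return pw.lower().translate(_SUBS)

def sha1_split(pw: str):
    # Upper-case SHA-1 hex split into the 5-char k-anonymity prefix and 35-char suffix.
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict:
    """Parse a Pwned Passwords range response: one 'SUFFIX:COUNT' per line."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix:
            counts[suffix.upper()] = int(count or 0)
    return counts

def breach_count(pw: str, fetch_range) -> int:
    prefix, suffix = sha1_split(pw)   # only the prefix leaves the host; suffix matched locally
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def screen_password(pw, privileged=False, fetch_range=None, banned=CUSTOM_BANNED):
    """Return the reasons a candidate fails; an empty list means it passes."""
    reasons = []
    minimum = 15 if privileged else 8          # NIST floor; 15+ for privileged accounts
    if len(pw) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    norm = normalize(pw)
    reasons += [f"contains banned term '{w}'" for w in banned if w in norm]
    if fetch_range is not None:
        n = breach_count(pw, fetch_range)
        if n > 0:
            reasons.append(f"seen {n} times in breach corpus")
    return reasons

# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>: the suffix of
# "password" (SHA-1 5BAA61E4...) with an illustrative count, plus a padded ":0" entry.
_SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E2F4A9B9C8D7E6F5A4B3C2D1E0F9A8B7C6:0\n",
}

def offline_range(prefix: str) -> str:
    return _SAMPLE_RANGES.get(prefix, "")
```

Swap `offline_range` for a function that fetches the real range endpoint to run it against live data; the prefix-only query is what keeps the candidate password off the wire.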

    Smart lockout: 10 failed attempts, 60-second lockout, increasing on repeat. Tune so that a password spray trips the lockout while a user who fat-fingers once does not generate an on-call page. Review the lockout event log for spray patterns from a single source IP.

    Conditional Access policy blocking IMAP, POP, SMTP AUTH, and other legacy auth endpoints org-wide. MFA on modern auth doesn't help if basic auth is still reachable — that's the most common bypass we see in IR reports.

    Walk the network inventory for printers, switches, IPMI/iLO/iDRAC, and appliances still on vendor defaults. These rarely show in vuln scans but are the soft entry point on flat networks.

Privileged Account Hygiene

    Enumerate Domain Admins, Enterprise Admins, Schema Admins, Global Admins, and any group with delegated DCSync rights. Confirm each has a named human owner with a separate non-privileged daily-driver account. Helpdesk technicians should not appear here.

    Pull the service-account inventory and flag any password older than 365 days. Migrate to gMSA where the host supports it; for the rest, rotate via the vault and validate every dependent service before closing the change ticket. This is where the "temporary" 6-year-old service account hides.

    Phishing-resistant MFA (FIDO2 / WebAuthn / certificate-based) for all Tier 0 and Tier 1 accounts. SMS and voice are not acceptable for admins. Confirm break-glass accounts have hardware tokens stored in the safe with a documented sign-out log.

    Use Entra PIM, CyberArk, or BeyondTrust reports to confirm just-in-time elevation is the norm and standing rights are exceptions with documented justification. Note any "Bob in accounting needs Domain Admin to install QuickBooks"-class exceptions for remediation.

Vault and Storage Controls

    For Keeper, 1Password Business, Bitwarden, Hudu Vault, or Passportal: verify zero-knowledge architecture, master-password key derivation (PBKDF2 / Argon2 iterations), and that recovery keys are escrowed in a separate physical safe — not the same vault.

    MSP-only: each client's credentials live in a dedicated vault or folder with role-scoped access. One technician compromise should not expose 50 clients. Audit cross-client access grants and revoke any that aren't currently needed for active engagements.

    Push Intune / GPO to disable Chrome, Edge, and Firefox password save prompts on corporate devices, redirecting users to the sanctioned vault. Caching credentials in the browser profile is what makes laptop theft a credential incident.

    Run an external SSL Labs scan on all login surfaces (SSO, VPN portal, RMM, helpdesk). Flag anything under TLS 1.2, weak ciphers, or expiring certs within 60 days. Internal app certs should be tracked in the same renewal calendar — expired internal certs erode security culture.

User Enablement

    Capture the percentage of active users with the vault deployed and at least one credential stored. Coverage under 80% means users are still keeping passwords in spreadsheets or sticky notes — schedule a follow-up campaign with HR and the affected managers.

    Send a credential-harvest simulation through KnowBe4 or Hoxhunt focused on M365 / Okta login lookalikes. Repeat-clickers (3+ in 12 months) get manager-notified remediation training rather than another monthly round of generic content.

    Confirm SSPR (Entra ID self-service password reset) or Okta equivalent is enabled with at least two verification methods, neither being SMS-only. Update the IT Glue / Hudu runbook with the current verification questions helpdesk uses for assisted resets — voice phishing of the helpdesk is how MGM-class incidents start.

Monitoring and Incident Response

    Confirm Entra ID sign-in logs, AD security events (4624/4625/4740/4771), VPN auth, and vault access logs are flowing into Sentinel / Splunk / Sumo. Spot-check yesterday's events end-to-end; broken log pipelines tend to fail silently.

    Review the past 90 days of failed-auth alerts. Tune analytics for low-and-slow spray (one attempt per account across many accounts) and impossible-travel sign-ins. Document tuning decisions for SOC 2 evidence.

    Walk the team through a scenario: a Tier 1 admin's session token is stolen via Evilginx. Test session revocation, token invalidation in Entra ID, conditional access enforcement, and customer-comms timing. Ninety minutes; one named scribe captures gaps.

    Bundle policy doc, screening config screenshots, Tier 0 inventory, vault coverage metric, tabletop notes, and SIEM tuning records into the quarterly evidence folder. This is the packet auditors ask for during SOC 2 Type II and ISO 27001 fieldwork.