everythingger.blogg.se

Active directory multi factor authentication
Active Directory is dominant in the enterprise world (as well as in the public sector). From my observation, the majority of organizations rely on Active Directory for their user accounts. While that may be changing in recent years with more advanced cloud IAM and directory solutions, the landscape of the last two decades has been dominated by Microsoft's Active Directory.

As a result of that dominance, many cyber attacks rely on exploiting some aspect of Active Directory, whether it is Kerberos-related (pass-the-ticket, golden tickets, etc.) or something more generic. Standard attacks like password spraying, credential stuffing and other brute forcing also apply, especially if Exchange web access (Outlook Web Access) is exposed. Last, but not least, simply browsing the directory once authenticated with a compromised account provides important information for further exploitation (finding other accounts, finding abandoned but not disabled accounts, finding passwords in description fields, etc.).

Basically, having access to an authentication endpoint that interfaces with Active Directory allows attackers to gain a foothold and then move laterally. What is the most recommended measure for preventing authentication attacks? Multi-factor authentication. And the sad reality is that Microsoft doesn't offer native MFA for Active Directory.

Yes, there are things like Windows Hello for Business, but that can't be used in a web or email context – it is tied to the Windows machine. Other options exist as add-ons, but they incur additional cost and are complex to set up and manage. We all know the power of defaults and built-in features in security – a control has to be readily available and simple in order to get wide adoption.

What Microsoft should have done is introduce standard, TOTP-based MFA (RFC 6238) and enforce it through native second-factor screens in Windows, Exchange web access, Outlook and the rest. Yes, that would require Kerberos upgrades, but it is completely feasible. Ideally, it should be enabled with a single click, which would prompt users to enroll their smartphone app (Google Authenticator, Microsoft Authenticator, Authy or any other) on their next successful login. Of course, there may be users without smartphones, so the option to not enroll for MFA could be allowed for certain less-privileged AD groups.

By not doing that, Microsoft exposes all on-premise AD deployments to all the authentication attacks mentioned above. Microsoft would say, of course, that Azure AD supports many MFA options and is great and modern and secure and everything. And that's true, if you choose to migrate to Azure and use Office 365. And pay for a subscription instead of just the Windows Server license.
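The TOTP scheme the post argues should be built in, as an added example that is not part of the original post and not Microsoft's code: an RFC 6238 enrollment and verification flow in Python, using only the standard library. The issuer, account name and the one-step clock-drift tolerance are assumptions for the illustration; the Base32 secret in the usage example is the RFC 6238 test-vector key, included only so the output can be checked against the RFC.

```python
"""Constructed example of the TOTP-based MFA the post proposes (RFC 6238 on top of
RFC 4226 HOTP). Not from the original post; all names below are placeholders."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP = 30      # time step in seconds (RFC 6238 default)
DIGITS = 6     # code length most authenticator apps use
DRIFT = 1      # assumption: accept one step before/after to absorb clock skew


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, Base32-encoded (unpadded) as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI that Google/Microsoft Authenticator, Authy etc. import (usually via QR code)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret, "issuer": issuer, "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, DIGITS digits."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP)


class TotpVerifier:
    """Per-user verification state: the secret plus the last accepted time step,
    so a code that was sniffed or phished cannot be replayed inside its window."""

    def __init__(self, secret: str):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        current = t // STEP
        for step in range(current - DRIFT, current + DRIFT + 1):
            if step <= self.last_step:
                continue  # already consumed (or older than a consumed code): reject replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # Enrollment: generate a secret, show the URI (as a QR code in practice), then
    # require a valid code before marking the account as enrolled.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "Example AD"))  # placeholders
    verifier = TotpVerifier(secret)
    print("current code:", totp(secret), "accepted:", verifier.verify(totp(secret)))
```

The replay guard (remembering the last accepted step) is what RFC 6238 section 5.2 asks for; without it the one-step drift window gives an attacker up to 90 seconds to reuse a captured code. The DRIFT constant is a common tolerance choice, not something the post specifies.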

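How the password spraying and brute forcing mentioned above look in logon-failure events, as an added example that is not part of the original post: two detection rules run over constructed, simplified Security-log lines (EventID|time|target account|source IP), not real EVTX records. The source addresses, account names and thresholds are made up for the illustration.

```python
"""Constructed example (not from the original post): distinguishing a password
spray from a single-account brute force in Windows logon-failure events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified form of the Security log. 203.0.113.7 tries one
# password against six accounts (spray); 198.51.100.9 hammers one account (brute
# force); 192.0.2.5 is a single mistyped password. 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = """\
4625|2024-03-01T08:00:01|alice|203.0.113.7
4625|2024-03-01T08:00:03|bob|203.0.113.7
4625|2024-03-01T08:00:05|carol|203.0.113.7
4625|2024-03-01T08:00:07|dave|203.0.113.7
4625|2024-03-01T08:00:09|erin|203.0.113.7
4625|2024-03-01T08:00:11|frank|203.0.113.7
4624|2024-03-01T08:00:13|grace|203.0.113.7
4625|2024-03-01T08:01:00|alice|198.51.100.9
4625|2024-03-01T08:01:02|alice|198.51.100.9
4625|2024-03-01T08:01:04|alice|198.51.100.9
4625|2024-03-01T08:01:06|alice|198.51.100.9
4625|2024-03-01T08:01:08|alice|198.51.100.9
4625|2024-03-01T08:01:10|alice|198.51.100.9
4625|2024-03-01T08:02:00|bob|192.0.2.5
4624|2024-03-01T08:02:20|bob|192.0.2.5
"""


def parse_events(text):
    """Turn the pipe-separated sample into (event_id, timestamp, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, ts, user, ip = line.split("|")
        events.append((int(event_id), datetime.fromisoformat(ts), user, ip))
    return events


def failures_by_source(events):
    """Group failed logons (4625) per source address, sorted by time."""
    by_ip = defaultdict(list)
    for event_id, ts, user, ip in events:
        if event_id == 4625:
            by_ip[ip].append((ts, user))
    for fails in by_ip.values():
        fails.sort()
    return by_ip


def _windows(fails, window):
    """Sliding window: yield the failures within `window` ending at each event."""
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        yield fails[start:end + 1]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Spray signature: one source failing against many distinct accounts, typically
    only once or twice each so that per-account lockout thresholds are never hit."""
    hits = {}
    for ip, fails in failures_by_source(events).items():
        best = set()
        for chunk in _windows(fails, window):
            accounts = {user for _, user in chunk}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            hits[ip] = sorted(best)
    return hits


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Brute-force signature: one source failing repeatedly against the same account."""
    hits = {}
    for ip, fails in failures_by_source(events).items():
        best = ("", 0)
        for chunk in _windows(fails, window):
            user, n = Counter(user for _, user in chunk).most_common(1)[0]
            if n > best[1]:
                best = (user, n)
        if best[1] >= min_attempts:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("spray:", detect_spray(evs))
    print("brute force:", detect_brute_force(evs))
```

On a real domain controller the same failures surface as event 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation), while 4625 is written on the member server where the logon was attempted, for instance the Exchange server behind Outlook Web Access. Attackers also spread a spray across many source addresses and pace it below lockout thresholds, so grouping by source as above is a starting point, not a complete detection; the point of the post stands that a second factor stops the guessed password from being enough.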