Where Multi-Factor Authentication Stops and Credential Abuse Begins

Organizations often roll out multi-factor authentication (MFA) and assume stolen passwords are no longer sufficient to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials. The problem is not MFA itself, but coverage.

Enforced by an identity provider (IdP) such as Microsoft Entra ID, Okta, or Google Workspace, MFA works well for cloud apps and federated sign-ins. But many Windows logons rely solely on Active Directory (AD) authentication paths that never trigger an MFA prompt. To reduce credential-based compromise, security teams need to understand where Windows authentication happens outside their identity stack.

Seven Windows authentication paths that attackers rely on

1. Interactive Windows logon (local or domain joined)

When a user signs in directly to a Windows workstation or server, authentication is typically handled by AD (via Kerberos or NTLM), not by a cloud IdP.

In hybrid environments, even when Entra ID enforces MFA for cloud apps, traditional Windows logons to domain-joined systems are validated by on-prem domain controllers. Unless Windows Hello for Business, smart cards, or another integrated MFA mechanism is implemented, there is no additional factor in that flow.

If an attacker obtains a user’s password (or NTLM hash), they can authenticate to a domain-joined machine without triggering the MFA policies that protect software-as-a-service apps or federated single sign-on. From the domain controller’s perspective, this is a standard authentication request.

Tools like Specops Secure Access are key to limiting the risk of credential abuse in these scenarios. By enforcing MFA for Windows logon, as well as for VPN and Remote Desktop Protocol (RDP) connections, this tool makes it harder for attackers to gain unauthorized access to your network. This even extends to offline logins, which are secured with one-time passcode authentication.


2. Direct RDP access that bypasses conditional access

RDP is one of the most targeted access methods in Windows environments. Even when RDP is not exposed to the internet, attackers often reach it through lateral movement after initial compromise. A direct RDP session to a server does not automatically pass through cloud-based MFA controls, which means the logon may rely solely on the underlying AD credential.

3. NTLM authentication

NTLM is a legacy authentication protocol that, despite being deprecated in favor of the more secure Kerberos protocol, still exists for compatibility reasons. It is also a common attack vector because it supports techniques like pass-the-hash.

In pass-the-hash attacks, the attacker does not need the plaintext password; instead, they use the NTLM hash to authenticate. MFA does not help if the system accepts the hash as proof of identity.

NTLM can also appear in internal authentication flows that organizations may not actively monitor; often only an incident or an audit surfaces it to security teams.

4. Kerberos ticket abuse

Kerberos is the primary authentication protocol for AD. Instead of stealing passwords directly, attackers steal Kerberos tickets from memory or generate forged tickets after compromising privileged accounts. This enables techniques such as:

  • Pass-the-ticket
  • Golden Ticket
  • Silver Ticket

These attacks allow long-term access and lateral movement and also reduce the need for repeated logons, which lowers the chance of detection. They can persist even after password resets if the underlying compromise is not fully addressed.

5. Local administrator accounts and credential reuse

Organizations still rely on local administrator accounts for support tasks and system recovery. If local admin passwords are reused across endpoints, attackers can escalate one compromise into broad access.

Local admin accounts usually authenticate directly to the endpoint, bypassing MFA controls entirely. Entra ID conditional access policies do not apply. This is one reason why credential dumping remains so effective in Windows environments.

6. Server Message Block (SMB) authentication and lateral movement

SMB is used for file sharing and remote access to Windows resources. It is also one of the most reliable lateral movement paths once an attacker has valid credentials. Attackers commonly use SMB to access administrative shares such as C$ or to interact with systems remotely using valid credentials.

Because SMB authentication is treated as internal traffic, MFA is rarely enforced at this layer. If the attacker has valid credentials, they can use SMB to move between systems quickly.

7. Service accounts that never trigger MFA

Service accounts exist to run scheduled tasks, applications, integrations, and system services. They often have static credentials, broad permissions, and long lifetimes.

In many organizations, service account passwords do not expire and are rarely monitored. They are also difficult to protect with MFA because the authentication is automated. Frequently, these accounts are used by legacy applications that cannot support modern authentication controls.

This is one reason why attackers target helpdesk credentials and endpoint admin access early in an intrusion.

How to close Windows authentication gaps

Security teams should treat Windows authentication as its own attack surface. There are several practical steps that reduce exposure:

1. Enforce stronger password policies in AD

A strong password policy should enforce longer passphrases of 15 or more characters. Passphrases are easier for users to remember and harder for attackers to crack. Strong policies should also prevent password reuse and block weak patterns that attackers can guess.

2. Block compromised passwords continuously

Credential theft is not always the result of brute-force attacks. Billions of passwords are already available in breach datasets for attackers to reuse in credential attacks. Blocking compromised passwords at the point of creation reduces the chance that users set credentials that attackers already have.

3. Reduce exposure to legacy authentication protocols

Where possible, organizations should restrict or eliminate NTLM authentication. Security teams should set themselves the goal of understanding where NTLM exists, reducing it where possible, and tightening controls where it cannot be removed.
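Finding out where NTLM is still used (the audit this step and path 3 above call for) starts with the logon events the domain controllers already record. The following PowerShell is an added example, not Specops code: it reads successful logon events (ID 4624) from the Security log, keeps only those authenticated with the NTLM package, and summarises them by source host and NTLM version. It assumes logon success auditing is enabled and that it runs with administrative rights on a domain controller or member server; the 7-day window is an assumption.

```powershell
# Inventory NTLM logons from the Security log so NTLM can be reduced deliberately.
# Added example (not Specops code). Assumes Audit Logon (success) is enabled and the
# script runs elevated; $Days and $ComputerName are assumed defaults.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                          # An account was successfully logged on
    StartTime = (Get-Date).AddDays(-$Days)
}

$ntlmLogons = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Pull the EventData fields out of the event XML into a name/value table
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Kerberos logons are not the concern here; keep only NTLM-authenticated ones
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { return }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']      # 3 = network (SMB/RPC), 10 = RDP, 2 = interactive
            LmPackage   = $data['LmPackageName']  # 'NTLM V1' is the first thing to remove
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }

# Which source hosts still depend on NTLM, and which of them still speak NTLMv1?
$ntlmLogons |
    Where-Object { $_.User -notmatch '\\ANONYMOUS LOGON$' } |   # anonymous SMB session noise
    Group-Object Workstation, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Once the hosts and accounts in the report have been moved to Kerberos, the "Network security: Restrict NTLM" audit policies (which log to the Microsoft-Windows-NTLM/Operational channel) give a quieter, NTLM-only view to confirm nothing new appears before NTLM is blocked.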

4. Audit service accounts and reduce privilege creep

Treat service accounts as high-risk identities. Organizations should inventory them, reduce unnecessary privileges, rotate credentials, and remove accounts that are no longer needed. If a service account has domain-level permissions, the organization should assume it will be targeted.
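The inventory this step asks for can be pulled straight from AD. The following PowerShell is an added example, not Specops code: it collects enabled accounts that look like service accounts (a service principal name set or a non-expiring password) and flags the conditions described above, namely non-expiring or old passwords, stale logons, and membership in privileged groups. It assumes the ActiveDirectory RSAT module on a domain-joined host; the 90-day thresholds and the group list are assumptions.

```powershell
# Inventory service-like AD accounts and flag the risky ones described above.
# Added example (not Specops code). Assumes the ActiveDirectory RSAT module;
# $maxAgeDays and $privilegedGroups are assumed values, adjust to local policy.
Import-Module ActiveDirectory

$maxAgeDays       = 90
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Backup Operators'

# Resolve privileged membership once (recursively), keyed by SID for fast lookup
$privSids = @{}
foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privSids[$_.SID.Value] = $g }
}

$props = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate',
         'ServicePrincipalName', 'Description'

# Service accounts usually carry an SPN or a password set to never expire
$candidates = Get-ADUser -Properties $props -Filter `
    'Enabled -eq $true -and (ServicePrincipalName -like "*" -or PasswordNeverExpires -eq $true)'

$report = foreach ($u in $candidates) {
    $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days }
    $flags   = @()
    if ($u.PasswordNeverExpires)                            { $flags += 'NeverExpires' }
    if ($null -eq $ageDays -or $ageDays -gt $maxAgeDays)    { $flags += "PasswordOlderThan$($maxAgeDays)d" }
    if ($u.ServicePrincipalName.Count -gt 0)                { $flags += 'HasSPN' }       # runs a Kerberos service
    if ($privSids.ContainsKey($u.SID.Value))                { $flags += "Privileged:$($privSids[$u.SID.Value])" }
    if (-not $u.LastLogonDate -or
        $u.LastLogonDate -lt (Get-Date).AddDays(-$maxAgeDays))  { $flags += 'StaleLogon' } # candidate for removal

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordAgeDays = $ageDays
        LastLogon       = $u.LastLogonDate
        Flags           = $flags -join ','
        Description     = $u.Description
    }
}

# Privileged service accounts first: those are the ones to rotate and de-privilege now
$report | Sort-Object { $_.Flags -match 'Privileged' } -Descending | Format-Table -AutoSize
```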

How Specops can help

Strong password policies and proactive checks against known compromised credentials are two of the most effective ways to reduce the risk of credential-based attacks. Specops Password Policy helps by applying flexible password controls that go beyond what is available natively in Microsoft.


Its Breached Password Protection feature continuously checks Active Directory passwords against a database of more than 5.4 billion exposed credentials, alerting you quickly if a user password is found to be at risk. If you are interested in seeing how Specops can help your organization, speak to an expert or book a demo to see our solutions in action.

This article is a contributed piece from one of our valued partners.
