With a significant percentage of workers having now moved from inside the network perimeter to outside, remote workforce security has unsurprisingly become a hot topic. As a result, there are many articles and blog posts detailing the management and patching of devices, VPN split tunnelling and endpoint security.
Whilst all of these are important, the fact remains that the majority of data breaches begin with compromised user account credentials. Everywhere you look, there are reports of large increases in COVID-19 themed malicious cyber activity targeting the remote workforce, so it’s prudent to strengthen security controls wherever you can.
Attackers use a few common methods to compromise accounts, such as password spraying and credential stuffing, which are often targeted against legacy authentication protocols, along with phishing campaigns.
In this article I will detail a few (relatively) simple controls you can implement to reduce the risk of compromise via credential theft.
Enable MFA
I cannot stress this enough. If you have not already, enforcing Multi-Factor Authentication for all users is the number one thing you can do to improve security. According to Microsoft, enabling MFA prevents 99.9% of automated account takeover attacks.
Microsoft has made this as simple as possible. MFA is included in all Microsoft 365 and Azure AD plans, and using the combined registration portal (excellent article here) makes onboarding your users relatively painless.
As easy as Microsoft has tried to make implementing MFA, there can be complexities around registering and onboarding large numbers of users. Arinco recently assisted a client by pre-registering 10,000 users' MFA data and configuring additional sign-in methods such as Microsoft Authenticator, to make the first-day experience smoother for users.
Disable Legacy Authentication
Legacy authentication protocols that do not support MFA, such as POP, IMAP, SMTP, and MAPI, are a common attack vector for obtaining valid account credentials via password spray and credential stuffing attacks. Microsoft had planned to deprecate basic authentication for Exchange Online in October 2020, but due to the COVID-19 crisis this has now been pushed back to the second half of 2021 to give organisations more time to prepare.
Microsoft has published a lot of documentation on blocking legacy authentication. Unfortunately, many organisations still rely on legacy authentication for business-critical apps and are unable to block it entirely.
As a first step, you can gauge the impact of disabling legacy authentication by implementing a Conditional Access (CA) policy in report-only mode, a feature which recently came out of preview.
You can also identify where legacy authentication is being used by examining your Azure Active Directory sign-in logs, and applying a Client App filter for all legacy authentication protocols.
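The same Client App filter, applied offline to an exported copy of the sign-in logs, as an added example that is not part of the original article. The record shape mirrors a Graph or portal export (userPrincipalName, clientAppUsed, status.errorCode), the legacy client-app list is the one the portal filter groups under legacy authentication, and both are assumptions to confirm against your own tenant; the sample records are constructed.

```python
"""Triage exported Azure AD sign-in records for legacy authentication.
Added example, not code from the original article. Record shape mirrors
a Microsoft Graph / portal sign-in export (userPrincipalName, clientAppUsed,
status.errorCode); the field names and the legacy client-app list are
assumptions to confirm against your own tenant's export."""

from collections import Counter, defaultdict

# Client App values that the sign-in log "Client app" filter groups under
# legacy authentication (assumed list, verify in your tenant).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "POP3", "Reporting Web Services",
    "Universal Outlook",
}

# Constructed sample export: errorCode 0 is a successful sign-in, 50126 is
# AADSTS50126 (invalid username or password).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Other clients",
     "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Other clients",
     "status": {"errorCode": 50126}},
]

def legacy_auth_summary(signins):
    """Split legacy-auth sign-ins into successes (real dependencies a block
    policy would break) and failures (often spraying against accounts with
    no legacy client at all)."""
    successes = defaultdict(Counter)   # user -> Counter of legacy client apps
    failures = Counter()               # legacy client app -> failed attempts
    for s in signins:
        app = s.get("clientAppUsed")
        if app not in LEGACY_CLIENT_APPS:
            continue
        if s.get("status", {}).get("errorCode", 0) == 0:
            successes[s["userPrincipalName"]][app] += 1
        else:
            failures[app] += 1
    return successes, failures
```

Successful legacy sign-ins are the accounts and apps you must migrate or exempt before a block policy goes to enforced; a pile of failures from one protocol with no successes is the spray traffic the block will stop.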
Where you cannot disable legacy authentication across all services, you can create a user, location, or device exception via a Conditional Access policy. For example, you could allow ActiveSync from certain devices only.
Strengthening your passwords
Since not all organisations are able to block legacy authentication protocols, enforce MFA everywhere, or move to passwordless authentication such as Windows Hello for Business, passwords alone are often relied upon for preventing unauthorised access.
Unfortunately, humans are terrible at choosing secure passwords, and the standard complexity rules for Active Directory (uppercase, lowercase, number, symbol) often result in easily guessed “complex” passwords such as “Winter2020!”. Regular password changes can actually make the problem worse, as users select easier passwords to begin with and then increment them in predictable ways.
Microsoft has developed a mitigation for this problem: Azure AD Password Protection. This allows you to eliminate weak passwords both in the cloud and on-premises, since Azure AD Password Protection can also be enabled for Windows Server Active Directory.
Once enabled, every time a user changes their password, AADPP evaluates the password to check if it is easily guessed, on the Microsoft global banned password list, or on a custom banned password list. The global list contains passwords sourced from real-world telemetry of password spray attacks.
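The evaluation described above, as an added example rather than Microsoft's implementation: the scoring follows Microsoft's public description of Azure AD Password Protection (one point per banned term matched, one point per remaining character, five points to pass), while the substitution table and both banned lists here are constructed stand-ins, and the fuzzy matching and user/tenant name checks the real service performs are left out.

```python
"""Simplified re-implementation of the password scoring Microsoft documents
for Azure AD Password Protection. Added example, not Microsoft's code: the
substitution table and banned lists are illustrative stand-ins, and the real
service also applies fuzzy (edit-distance) matching and checks for the user's
and tenant's names, both omitted here."""

# Step 1, normalisation: lowercase, then undo common character substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed stand-ins for the global banned list and a custom banned list.
GLOBAL_BANNED = {"password", "winter", "summer", "welcome", "blank"}
CUSTOM_BANNED = {"contoso"}   # organisation-specific terms an admin would add

def normalise(password: str) -> str:
    """Return the normalised form used for banned-list matching."""
    return password.lower().translate(SUBSTITUTIONS)

def score_password(password: str, banned=frozenset(GLOBAL_BANNED | CUSTOM_BANNED)):
    """Return (score, matched_terms). Each banned term found in the normalised
    password earns one point, each remaining character one point; a password
    needs at least five points to pass."""
    remaining = normalise(password)
    matched = []
    # Longest terms first so a long banned term is not eaten by a shorter one.
    for term in sorted(banned, key=len, reverse=True):
        if term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "")
    return len(matched) + len(remaining), matched

def is_accepted(password: str) -> bool:
    """True when the password clears the five-point threshold."""
    return score_password(password)[0] >= 5

if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "C0ntos0Blank12", "ContoS0Blank123"):
        score, terms = score_password(candidate)
        verdict = "accepted" if score >= 5 else "rejected"
        print(f"{candidate:16} -> {normalise(candidate):16} score {score} {verdict} {terms}")
```

Note why the scoring matters: “P@$$w0rd” satisfies every classic complexity rule yet normalises to a single banned term, and “C0ntos0Blank12” is two banned terms plus two characters, four points, so both are rejected.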
Deploying Azure AD password protection on-premises involves installing a proxy service to communicate with Azure AD, and a DC Agent password filter .dll on all domain controllers.
Once installed, you can enable AADPP in audit mode rather than enforced mode to obtain a view of the organisation’s password strength.
While running in audit mode, it is common to find that up to 50% of passwords changed by users and passwords reset by admins in an organisation would be evaluated as weak or easily guessed.
If you find that a sizeable percentage are logged as audit-fail, we recommend running a communication campaign about Azure AD Password Protection for users before enforcing it.
With AADPP, if the user changes their password from Outlook on the web (or any Azure/O365 service) and chooses a weak password, they will receive an error along the lines of “Unfortunately, your password contains a word, phrase or pattern that makes it easily guessable”.
However, when an on-prem user performs a password change from Windows and it is evaluated as weak, there is no indication to the user beyond the normal “does not meet the length, complexity, or history requirements” error. This can result in many calls to support, and frustration for users.
Implementing Azure AD Password Protection also presents a good opportunity to review your organisation’s password policies. Traditionally, good password policy was considered to be an 8-character random string consisting of uppercase, lowercase, and a number, along with password changes required every 30, 60 or 90 days.
These expiration policies are outdated: Microsoft, NCSC, NIST, and the Australian Government all recommend that passwords do not expire, as forced expiry leads to weaker passwords over time.
Communicating the new requirements, and encouraging users to spend time understanding length and complexity rules that differ from what they are used to, results in a more secure environment, and one in which users no longer need to change their passwords regularly.
Local administrator accounts
Managing local admin account credentials in an Active Directory network has always been difficult, and as a result it is extremely common for organisations to set a standard password for local administrator accounts, both on end user devices and servers.
A common breach scenario is a remote workstation getting compromised via phishing, and an attacker using that endpoint to pivot to the internal network via VPN.
Adversaries will often use tools such as Mimikatz to retrieve a local admin account password from a compromised workstation, and then use those credentials to move laterally across a network. If the same password is re-used on all workstations, an attacker now has local admin access to every workstation in the organisation, which will very quickly lead to gaining domain admin rights.
For the technically inclined, here’s a write-up of a penetration tester using common local admin credentials to compromise servers, from a machine that wasn’t even domain-joined!
Local Administrator Password Solution (LAPS) is a Microsoft tool for managing local admin credentials across domain-joined operating systems.
LAPS sets a randomly generated password per machine, and:
- Automatically changes the local Administrator password every x days
- Stores local Administrator passwords as an attribute of the computer object in Active Directory
- Protects the password in AD with an AD ACL, so a granular security model can be easily implemented
- Can be configured to log an audit event when a local admin password is viewed in AD
- Protects the password during transport via Kerberos encryption
LAPS is a good mitigation tool against lateral movement. By forcing all local Administrator accounts to have unique, complex passwords, a single compromised local admin account cannot be used to gain access to other endpoints in the organisation.
To further reduce the risk of lateral movement via Pass-the-Hash techniques, consider implementing a policy for IT staff that domain accounts with elevated privileges are not used to manage end-user devices, and that only LAPS credentials are used when elevation is required.
Windows Admin Center is an excellent tool for this, as it natively supports the use of LAPS passwords for authentication. In my opinion, WAC also happens to be one of the best admin tools released by Microsoft in recent times.