Image generated by OpenAI's DALL·E
Multi-factor authentication (MFA) has established itself as an important security measure to ensure the integrity of digital identities, protect access to sensitive information and prevent misuse of credentials. As the number of challenges increases and attack techniques become more sophisticated, MFA is being adopted by more and more users and organizations worldwide.
According Microsoft, Microsoft's systems are exposed to over 1,000 password attacks every second, a clear sign of the serious cyber threats of our time. Over 80% of Fortune 500 companies use MFA to protect their digital assets. However, many small businesses and personal users are still unprotected, putting them at increased risk of identity theft and other security breaches.
Multi-factor authentication (MFA) is one of the most efficient security measures against user account takeover. It prevents attackers with compromised credentials from using our resources, even if they get their hands on usernames and passwords. Thus, MFA serves as a crucial barrier against misuse of credentials.
Despite its widespread acceptance and effectiveness in many areas, there are aspects and security gaps that are rarely discussed. In particular, integrating MFA with certain types of networking tools such as PsExec and Remote PowerShell remains problematic. These tools are crucial for network administration and show where MFA reaches its limits.
MFA Coverage Gap
Have you ever thought that not all MFAs are the same?
This question arises in different contexts, particularly the difference between the use of multi-factor authentication for external and internal logins in companies. Although many companies use MFA for all external logins and SaaS services, only about one in ten companies also use MFA for internal logins to servers and services.
For the remainder of this article, we will assume that MFA is comprehensively implemented both externally and internally across all systems. What is the best case - in a worst case, several points are added.
Still, workstations and servers remain vulnerable to lateral movement, ransomware spread, and other identity threats. Attackers can exploit these vulnerabilities by logging in via command-line commands such as PsExec or Remote PowerShell instead of using RDP. In this way, they bypass the MFA security measures as if there were no protections in place.
In system administration, command line tools such as CMD and PowerShell are used to remotely access user devices. However, these tools, including PsExec and Remote PowerShell, do not natively support MFA. This is because the underlying authentication protocols, NTLM and Kerberos, were developed before the introduction of MFA.
The security risks are significant because this remote access path, used in most networks, is vulnerable to lateral movement. Even if MFA is in place and protects the RDP connection, for example, access via command line tools such as PsExec remains unprotected. This allows attackers to easily access other workstations on the network from an infected device without encountering resistance. Attackers choose these methods because they can access sensitive areas of the network more easily and with minimal effort.
A look into the past: The origins of NTLM and Kerberos
NTLM (NT LAN Manager) and Kerberos are two core protocols for authentication within networks, especially in Windows environments. NTLM, an older protocol, is based on a challenge-response mechanism where the server sends a challenge and the client sends back a response based on the user password to authenticate. Kerberos, on the other hand, uses a sophisticated ticketing system: a ticket-granting ticket helps a user obtain additional "service tickets" for various network services without having to resend passwords. Both systems were developed before multi-factor authentication (MFA) became commonplace and are primarily designed to verify identity with a single factor (something the user knows - the password). This makes the integration of additional authentication methods, as is common with MFA, technically more complex and was not originally planned. This makes certain administrative tools that rely on these protocols challenging to secure using modern MFA methods.
The harsh reality: Partial MFA protection is no protection
Implementing multi-factor authentication (MFA) on all critical servers and workstations can be a tedious task and often provides limited protection against identity threats. Even if it partially meets the requirements of certain standards such as ISO 27001 or BSI IT-Grundschutz, some areas are unprotected and offer little resistance to attackers. Like a weak link in a chain, a single flaw in a security architecture can put the entire network at risk. Even if MFA protects Remote Desktop Protocol (RDP) access and desktop logins, these measures become irrelevant if attackers can gain lateral intrusion into the environment by leveraging compromised command-line tool credentials.
The limits of MFA in hybrid IT environments
Many organizations have a hybrid identity infrastructure that includes AD-managed workstations and servers as well as SaaS applications and cloud workloads. Despite cloud integration, both on-premises resources such as legacy applications and SaaS applications are at risk from the use of compromised credentials, often due to a lack of adequate MFA protection.
Innovative Shift: From Traditional MFA to Unified Identity Protection
Traditional MFA integration has weaknesses because it is tied to specific resources. A forward-looking approach is to move MFA implementation to the directory level. This strategy enables centralized and unified review of all access requests, regardless of the access type or supporting technology of the resources. This closes existing security gaps and ensures complete and continuous security. In addition, the following measures could be considered:
Expansion of authentication methods
Use of access control solutions
Use of Privileged Access Management
Customization of protocols
Training and awareness raising
Finally, it should be emphasized that multi-factor authentication (MFA) is an essential security measure. This article is not intended to question the importance of MFA, but to show how it can be made even more effective. MFA remains a critical part of network security.
Commentaires