• The search for MFA solutions

    #2369432

    I’ve been looking into MFA solutions for our Windows domain the last couple of months. I read Susan Bradley is about to publish an article on the subject and I can’t wait to see what she has to say.

    So the last couple of months I’ve been testing DUO, ADselfServicePlus and Userlock. With Userlock, I encountered something that in my opinion could cause a security risk. All three solutions use an Agent that is installed on a PC. You log on using name and password and then the Agent pops up requesting a code, generated by Google Authenticator or the like. With Userlock, logging on is a bit different compared to the other two. After entering username and password, Windows starts downloading the user profile and when finished, the Userlock agent pops up requesting a security code. And that poses a security problem, for which I made up a quite convoluted and hypothetical scenario:

    Suppose a company where most users are added to the group Domain Admins. They use MFA, so there’s no immediate harm if a hacker has got hold of someone’s login name and password. That hacker would need the token or authenticator as well to get access to the domain. One day, a hacker indeed has got hold of someone’s login name and password. He manages to hook up his PC to their network and to his surprise, he’s able to join his PC to the domain. That’s a nice bonus, he thought, I’m already Admin so this is a simple job. Then he tries to log on, but darn, they use MFA. But he does note the user profile is downloaded to his machine. So let’s have a look at what this user has stored in his profile. My documents, My pictures, the whole lot is there. And there’s another bonus – on the desktop there’s a text file with the Userlock emergency key, placed there when enrolled with Userlock. The user didn’t see a need to store that file in a safe place since they are protected with MFA.

    That’s the scenario I came up with. I contacted Userlock about this and they fail to see the problem. To enlighten them, I did some more testing. Then it dawned on me the scenario above is way too complicated – it’s far easier to get access to that company’s network. Thing is, the MFA Agent ONLY kicks in when installed on a machine. Machines without the Agent simply don’t do MFA at all. So in the above scenario, the hacker doesn’t need to join his PC to the company’s domain; the only thing he has to do is find some way to connect to their network, open Explorer, type the name of a server / share, Windows pops up a window to enter user credentials, and you’re in. No need for Admin permissions either. So I talked about this new insight with Userlock and their answer is their solution is to protect machines.

    That’s not the way MFA should work, in my opinion. I want MFA to protect accounts. So no matter what source is used to access our domain, as soon as you have to enter your user credentials, there should always be the second authentication method. Not able to supply a code or token or whatever you use as second method? Then access is denied.

    Now I wonder – do all MFA solutions work like this? If so, then they are completely useless?

    • #2369438

      You can’t join a machine to a domain without valid admin credentials, so it’s much safer to deny domain join rights to admins and use a separate domain join account.

      Admins should never be allowed to log on to a PC, only to a server which is physically secured and does not have internet access. If you need admin rights on a PC you open a Command Prompt as admin.

      Why do you see MFA as a solution for physical access? I would use it for remote access, but any domain joined PC is already secure physically – if it’s not then it should have a generic user with virtually no rights (kiosk).

      cheers, Paul

    • #2369461

      “Suppose a company where most users are added to the group Domain Admins”

      No company in 2021 should be set up in this manner. Domain admins use their own credentials. Users log into workstations, and no user should ever have a domain administrator right.

      The struggle I have right now is that I have certain applications that update on a regular basis and I have to have some sort of local admin rights. I also don’t want the SAME local admin rights across all of my workstations. Some people can actually run their network without any local admin rights on user workstations. I can’t do that.

      In your case what you need to do is deny YOUR user account on that network location and always require a second user account to be entered to gain access to that mapped drive. Then it would pop an MFA.

      Now that said, my people in my office would kill me if each time they accessed a network location they’d be reaching for their phone for MFA. So it comes to a balance always in these setups. What can I do that moves protection but then doesn’t cause my people to want to string me up and hurt me due to the annoying things I make them do.

      It’s always a balance.

      Susan Bradley Patch Lady/Prudent patcher

      • #2369916

        @Susan:

        “In your case what you need to do is deny YOUR user account on that network location and always require a second user account to be entered to gain access to that mapped drive. Then it would pop a mfa.”

        I don’t quite get this? Could you explain?

        As for Userlock; I contacted them again and outlined the steps I’ve taken to circumvent their MFA solution. And they confirm my findings to be by design. A product to avoid, IMO.

    • #2369519

      MFA is useless now. Hackers have been able to bypass it for several years now. Now MFA on cell phones has made that easier. Before, people had a separate hard token to use for MFA, but now everyone uses cell phones, which have ways to get around MFA. Even a ZDNet person had his account taken over and MFA was bypassed with a SIM swap. Plus Windows 10 flaws allow anyone to get into any computer as long as the login is an email address. MS is pushing that rather than local accounts. Currently MS does not offer good bounty rewards for bugs, and people feel they can make more money than by reporting them. Even if reported, MS takes a long time to fix it. This is why Google engineers have been forced to release the flaws to get MS to move faster to fix them.

      • #2369528

        IMHO that’s a stretch. It takes a very targeted and incentivized attacker to bypass MFA. Look at all of the recent attacks and typically it’s an account *without* MFA. Colonial Pipeline reportedly was a VPN account that didn’t have MFA. MFA isn’t perfect but it’s certainly not useless. The goal is for the attacker to go after the other guy first.

        Susan Bradley Patch Lady/Prudent patcher

    • #2369577

      Where I worked, there have been four breaches with MFA turned on in the last seven years. Two of those breaches IT still has not figured out how it happened. The third breach IT found out the person did not have a password on the cell phone and lost the cell phone 7 times last year and only 4 times this year. IT has given up on the person and uses a call-in system to let the person log in. The fourth breach was done by cloning the cell phone SIM card and bypassing the MFA.

      I agree MFA has lost its value in current times.

    • #2369628

      To clarify my post: the situation described is a hypothetical one. And I don’t think it’s that far-fetched. Improved security makes people act more relaxed, thinking they are safe. Human nature. The question I have boils down to:

      “That’s not the way MFA should work, in my opinion. I want MFA to protect accounts. So no matter what’s the source used to access our domain, as soon as you have to enter your user credentials, there should always be the second authentication method. Not able to supply a code or token or whatever you use as second method? Then access is denied.”

    • #2369642

      As Susan said, your users will hate you and invent ways around your restrictions.
      There are better ways to be secure.

      cheers, Paul

    • #2369678

      “As Susan said, your users will hate you and invent ways around your restrictions.
      There are better ways to be secure.

      cheers, Paul”

      That’s not the point, but for what it’s worth – the solutions I tested offer options as to when / how often MFA should be used. For example, Userlock has a setting to offer MFA one time per day for a particular device. So no, users won’t necessarily be flooded with MFA requests.

      I DO wonder what other ways besides MFA there are to improve domain security? Could you elaborate on this?

    • #2369695

      Domain security starts at the physical level. Don’t allow just anything plugged into the network to communicate with your equipment. Use IPsec.

      Limit access by users to things they don’t need, including the internet.

      Check for unusual domain logons by users – multiple logon on different devices and times.

      Limit admin rights on the network. Admins get lazy.

      Use disk systems that allow snapshots and take them regularly. Restore is then very simple.

      cheers, Paul
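      A small defensive check in the spirit of Paul’s “unusual domain logons” advice and the OP’s share-access scenario, added here as an example that is not part of this thread or of any product discussed in it. It assumes constructed records shaped after the TargetUserName / WorkstationName / IpAddress / LogonType fields of Windows Security event 4624, and a hypothetical inventory of the hosts that have the MFA agent installed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4624
# (successful logon). LogonType 3 is a network logon, which is what
# opening a server share from another machine produces; type 2 is
# an interactive logon at the console.
SAMPLE_EVENTS = [
    {"time": "2021-06-10T09:01:00", "user": "jdoe", "workstation": "WS-JDOE", "ip": "10.0.1.21", "logon_type": 2},
    {"time": "2021-06-10T09:15:00", "user": "jdoe", "workstation": "WS-JDOE", "ip": "10.0.1.21", "logon_type": 3},
    {"time": "2021-06-10T09:20:00", "user": "jdoe", "workstation": "DESKTOP-K3F9", "ip": "10.0.1.200", "logon_type": 3},
    {"time": "2021-06-10T11:00:00", "user": "asmith", "workstation": "WS-ASMITH", "ip": "10.0.1.22", "logon_type": 2},
]

# Hypothetical inventory: hosts on which the MFA agent is installed.
KNOWN_WORKSTATIONS = {"WS-JDOE", "WS-ASMITH", "FS01"}


def flag_logons(events, known_hosts, window=timedelta(hours=1)):
    """Return a list of (user, reason) findings from logon metadata alone.

    Two checks:
    - a network logon (type 3) from a workstation that is not in the agent
      inventory, i.e. a machine the MFA agent never ran on;
    - one user logging on from more than one workstation within `window`.
    """
    findings = []
    by_user = defaultdict(list)  # user -> [(timestamp, workstation), ...]
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["logon_type"] == 3 and ev["workstation"] not in known_hosts:
            findings.append((ev["user"], f"network logon from unknown host {ev['workstation']} ({ev['ip']})"))
        recent = [(ts, ws) for ts, ws in by_user[ev["user"]] if t - ts <= window]
        hosts = {ws for _, ws in recent} | {ev["workstation"]}
        if len(hosts) > 1:
            findings.append((ev["user"], f"logons from {len(hosts)} hosts within {window}: {sorted(hosts)}"))
        by_user[ev["user"]].append((t, ev["workstation"]))
    return findings


if __name__ == "__main__":
    for user, reason in flag_logons(SAMPLE_EVENTS, KNOWN_WORKSTATIONS):
        print(f"{user}: {reason}")
```

      Only the share access from the host outside the inventory is flagged; the asmith console logon on a known host passes both checks.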

    • #2481584

      It’s been a while. Busy with other things. As outlined above, I want MFA to protect accounts. And that seems a weird thought. Last week, I gave Duo a thorough try as MFA solution. Set up the free version for ‘Windows logon/RDP’. The fact I had to install a Duo client on the Windows PCs made me suspicious. Surely Duo doesn’t work the same way as Userlock? Long story short – it does. At least in case of Windows logon.

      Don’t get me wrong – Duo and the like are fine for on-line services. Thing is, they protect a service or device but not so much the account using those services or devices.

      There’s one solution I haven’t tried yet and that’s Windows Hello for Business. Anyone here having experience with that?

    • #2482227

      Nobody using Windows Hello for Business?
