Multi-factor authentication is a powerful and effective control against stolen or guessed passwords in web-based applications and interactive logons, whether at the local console or via RDP. However, MFA isn't a silver bullet, and in this webinar we'll look at several logon scenarios that occur constantly on any Windows network where MFA plays no role at all. We are talking primarily about network logons (logon type 3) by both people and programs, service startups (type 5), scheduled tasks (type 4) and related activities: none of these ever presents an MFA prompt, because the account authenticates with a stored credential rather than a person typing one.
These logon scenarios are core to any network so there’s no way you can just disable them.
How can attackers take advantage of this? One big way is Pass-the-Hash (PtH). We'll take you through how PtH works and its connection with the logon scenarios that aren't protected by MFA. PtH works because NTLM authentication proves possession of the password's NT hash rather than the password itself, so a hash lifted from LSASS memory or the SAM is as good as the password for every logon NTLM handles, and no MFA prompt is involved. Since PtH rides on NTLM, can you just disable NTLM and depend on Kerberos? Not so much. The number of real-world environments that can function without NTLM is too small to even consider, and a Kerberos-only network is still exposed to credential theft (a stolen NT hash can be used to obtain Kerberos tickets, the so-called overpass-the-hash technique). In fact, Microsoft specifically rates smart cards and other multi-factor authentication as of "minimal" effectiveness against PtH in its "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft" guidance.
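Before deciding whether NTLM can be restricted, or which logons MFA actually covers, it helps to measure what your domain really does. The PowerShell below is an added example written for this page, not material from the webinar or from STEALTHbits: it flattens Windows Security event 4624 (successful logon) records into logon type and authentication package, summarises them, and pulls out the subset Pass-the-Hash exploits, namely network logons authenticated with NTLM. The `$sample` records are constructed stand-ins so the script runs offline; the commented `Get-WinEvent` line shows the same functions run against a live Security log.

```powershell
# Added example: inventory Windows logon events by logon type and auth package.
# Not part of the original page; field names come from the 4624 event schema.

# Friendly names for the LogonType values recorded in event 4624.
$LogonTypeNames = @{
    2  = 'Interactive (console)'
    3  = 'Network (SMB, WMI, WinRM, ...)'
    4  = 'Batch (scheduled task)'
    5  = 'Service (service startup)'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

function ConvertFrom-LogonEvent {
    # Flatten a 4624 EventLogRecord into the handful of fields we care about.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = [int]$data.LogonType
            AuthPackage = $data.AuthenticationPackageName
            LmPackage   = $data.LmPackageName
            Source      = $data.IpAddress
            Workstation = $data.WorkstationName
        }
    }
}

function Get-LogonSummary {
    # Count logons per (LogonType, AuthPackage) and flag which buckets MFA ever touches.
    param([Parameter(Mandatory)] [object[]] $Logons)
    $Logons |
        Group-Object LogonType, AuthPackage |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                LogonType   = $first.LogonType
                Description = $LogonTypeNames[$first.LogonType]
                AuthPackage = $first.AuthPackage
                Count       = $_.Count
                MfaApplies  = $first.LogonType -in 2, 10   # only console and RDP logons see an MFA prompt
            }
        } | Sort-Object Count -Descending
}

function Get-NtlmNetworkLogons {
    # The subset Pass-the-Hash actually exploits: network logons authenticated with NTLM.
    param([Parameter(Mandatory)] [object[]] $Logons)
    $Logons | Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' }
}

# Constructed sample records (same shape as ConvertFrom-LogonEvent output) so this runs offline.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Time=$now; User='CORP\alice';      LogonType=10; AuthPackage='Negotiate'; LmPackage='-';       Source='10.0.1.20'; Workstation='WS-ALICE' }
    [pscustomobject]@{ Time=$now; User='CORP\alice';      LogonType=3;  AuthPackage='Kerberos';  LmPackage='-';       Source='10.0.1.20'; Workstation='WS-ALICE' }
    [pscustomobject]@{ Time=$now; User='CORP\svc_backup'; LogonType=5;  AuthPackage='Negotiate'; LmPackage='-';       Source='-';         Workstation='-' }
    [pscustomobject]@{ Time=$now; User='CORP\svc_backup'; LogonType=4;  AuthPackage='Negotiate'; LmPackage='-';       Source='-';         Workstation='-' }
    [pscustomobject]@{ Time=$now; User='CORP\admin-bob';  LogonType=3;  AuthPackage='NTLM';      LmPackage='NTLM V2'; Source='10.0.5.77'; Workstation='UNKNOWN' }
    [pscustomobject]@{ Time=$now; User='FS01\backupop';   LogonType=3;  AuthPackage='NTLM';      LmPackage='NTLM V2'; Source='10.0.5.77'; Workstation='UNKNOWN' }
)

Get-LogonSummary -Logons $sample | Format-Table -AutoSize
Get-NtlmNetworkLogons -Logons $sample | Format-Table Time, User, LmPackage, Source, Workstation -AutoSize

# Against a live Security log (elevated prompt on a domain controller or member):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-7) } |
#         ConvertFrom-LogonEvent
# Get-LogonSummary -Logons $live
```

In the sample, only the RDP logon carries `MfaApplies = True`; every other row is a logon MFA never sees. The NTLM rows also show the two things worth looking at before trusting a "disable NTLM" plan: the local account (`FS01\backupop`) that can only ever authenticate with NTLM, and a domain admin authenticating by NTLM from a source with no resolvable workstation name, which is exactly the pattern the PtH discussion is about.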
So, what can you do? Here are some of the mitigations we'll explore:
- 7 Windows hardening steps
- Remove standing administrative credentials and enforce least privilege
- Go all the way to the ESAE (Enhanced Security Administrative Environment), or "red forest", design
Jeff Warren, from our sponsor STEALTHbits, is working with me on this session, and he will briefly show you a new capability in their technology that monitors for likely PtH exploitation and immediately triggers an MFA challenge in response to determine whether the user is in control of the account, or an attacker is.
Please join us for this real training for free event.