2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Few companies bother to secure employee accounts with simple protections like two-factor authentication (2FA) and lockouts, an analysis by security company Rapid7 has found. These were only the most glaring weaknesses that emerged from 268 real-world penetration tests carried out by its security staff since 2017 for the …


      1. A Dark Germ

        Re: 2FA can be worse than just letting things be

        U2F this is!

    1. RobinCM

      Re: 2FA can be worse than just letting things be

      You're clearly not going to like this, what with that hornet's nest in your collective bonnet, but that didn't sound unreasonable to me. Most places would have you use a 2fa code at every authentication. Once per 24hrs on non-school-owned devices seems fair enough. I'm kind of amazed that educational establishments still allow byod, what with the extra-sensitive nature of most of their PII.

      Places of education tend to have terrible IT security, and this is exactly the type of reaction when anyone tightens it.

      The other argument that gets used a lot to block security tech is "academic freedom".

      Sadly, the rest of the world is slowly doing this shit, and you're no different. Even if you think you are. Sorry!

  1. Joe Harrison

    Don't understand why people think it costs

    We don't have many external-facing systems that matter, but when we implemented one recently we used TOTP (Time-based One-Time Password that is, not Top Of The Pops). No licences to buy: it is all either free or Free software.

    Many of us resist using our own phones for corporate stuff but for people who use Google Authenticator for everything anyway it was not really a hardship to add one more entry to its list. People who couldn't or didn't want to got shown how to install the Authenticator browser extension instead which is at least 1.75FA and better than nothing.

    I take the point from @Caff above "what about the auditing costs" but we had to have it audited anyway no matter how many FA we put in.

  2. Korev Silver badge

    iPhone

    I had some Fun and Games™ recently after my iPhone decided to uninstall the RSA app that does 2FA for our "secret" server. Of course when I next needed to get into God Mode on the server during a support call I was unable to, which made me look rather stupid in front of a vendor.

    Of course I then reinstalled the app and then had to get the Hell Desk to reinitialise the token which of course took a couple of goes as for some reason it never works first time...

    Once I had that sorted the secret server had to have its browser plugin reinitialised yet again and then I was finally able to do the software install needed. All in all it took several hours of faffing before I did the install that took less than five minutes.

    Rant over, time to go home and sob a bit...

  3. Lee D Silver badge

    Seeing as I just did this at my place, yes cost does come up. 2FA on Windows login is - indeed - stupendously expensive.

    We rolled out multiOTP on all RDP remote desktops (with the multiOTP "credential provider" in Windows). Takes a bit of fiddling but free and compatible with Google Authenticator. There's LDAP integration and a Hyper-V test image if you want to give it a whirl, or it can run on any Windows server. Works for RDP on standalone machines (if you want to use it at home), not just terminal servers (with central querying and offline caching).

    By default it only applies it to RDP logins on the machines you install it on. But it can also block ordinary logins and demand TOTP keys just the same, so test with RDP and if it works like you want, roll it out for all desktop logins. And it can also function as a RADIUS server which gives you a lot more scope for usage.

    Wordpress we have deployed a 2FA login for.

    I'm slowly working down to Exchange OWA and basic-website-wrapping (it's possible but it's a faff involving reverse proxies and splash screens). If anyone knows a good free solution for either, that doesn't involve that Microsoft Forefront thing, or emailed tokens (pointless for securing webmail!) then let me know!

    At the moment looking at Apache wrapped in a module that pushes unknown users to a form, which can be used to query multiOTP but it's a bit of a hack.

    1. Joe Montana

      SMB

      But does it apply to SMB logins over the network?

      People implement all kinds of extra security on interactive logins, but forget that you can still connect and execute code over SMB among other things, authenticating using just the hash and bypassing any smartcard or 2fa setup.

      1. Lee D Silver badge

        Re: SMB

        How would you get there without a) a RADIUS-authorised network port / computer, b) running network health reporting where Windows has to certify that it's online and clean and policy-compliant, c) your users would then have to log in via 2FA, d) only such users would be on that VLAN, able to talk to that server, etc.?

        SMB is largely an exposed protocol. You don't 2FA that, you can't, not securely at all. You secure access TO the network that would allow you to see it. It's like asking whether WSUS requires 2FA... it shouldn't be exposed to people who aren't already authenticated properly.

        P.S. multiOTP is a RADIUS server. Configured right your machines could use it for network access and you'd be stuck on an unprivileged VLAN without it.

        But in reality for most setups, the 2FA here is "you're physically connected to the internal network and/or you've logged in over the VPN". Not "does SMB support OTP?".

      2. RobinCM

        Re: SMB

        You can help this situation by configuring a firewall on your file server to only allow connections from places you'd expect one to be inbound from.

        You could also/alternatively use IPSec to limit what is able to connect to that server.
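
The point of the SMB sub-thread is that a network logon authenticated with an NTLM hash never touches the interactive-logon 2FA, and the only controls that reach it are network ones: where SMB is allowed from (the firewall and IPsec suggestions) and watching for logons that come from anywhere else. As an added example, not from any commenter, here is the matching detection logic: successful 4624 network logons (type 3) on a file server that used NTLM rather than Kerberos and originated outside the hosts expected to open SMB sessions. The allow-list and the sample events are constructed for the illustration; field names follow the EventData names of the Windows Security event.

```python
import ipaddress

# Assumption for this example: the only hosts that should open SMB sessions to
# the file server are the RDS/jump hosts on 10.10.20.0/24 and one backup server.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.20.0/24"),
                   ipaddress.ip_network("10.10.30.5/32")]

# Constructed sample of Security-log events as a collector would hand them over.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.10.20.14", "WorkstationName": "RDS01"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "backupsvc", "IpAddress": "10.10.30.5", "WorkstationName": "BACKUP01"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "fs-admin", "IpAddress": "10.10.50.77", "WorkstationName": "DESKTOP-7K2"},
    {"EventID": 4624, "LogonType": "10", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "fs-admin", "IpAddress": "10.10.20.14", "WorkstationName": "RDS01"},
    {"EventID": 4625, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "fs-admin", "IpAddress": "10.10.50.77", "WorkstationName": "DESKTOP-7K2"},
    {"EventID": 4624, "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "SYSTEM", "IpAddress": "-", "WorkstationName": "FS01"},
]


def _source_ip(event):
    """Parse the source address; local logons carry '-' or a loopback address."""
    raw = event.get("IpAddress", "-")
    if raw in ("-", "::1", "127.0.0.1"):
        return None
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None


def is_unexpected_ntlm_logon(event, allowed=ALLOWED_SOURCES) -> bool:
    """Successful network logon (4624, type 3) that authenticated with NTLM,
    i.e. with the hash rather than a Kerberos ticket, from a source address
    that is not on the allow-list of hosts expected to talk SMB to this box."""
    if event.get("EventID") != 4624 or event.get("LogonType") != "3":
        return False
    if event.get("AuthenticationPackageName", "").upper() != "NTLM":
        return False
    ip = _source_ip(event)
    if ip is None:
        return False
    return not any(ip in net for net in allowed)


def find_unexpected_ntlm_logons(events, allowed=ALLOWED_SOURCES):
    """Return (user, source address, claimed workstation) for each hit."""
    return [(e["TargetUserName"], e["IpAddress"], e["WorkstationName"])
            for e in events if is_unexpected_ntlm_logon(e, allowed)]


if __name__ == "__main__":
    for hit in find_unexpected_ntlm_logons(SAMPLE_EVENTS):
        print("NTLM network logon from unexpected source:", hit)
```

NTLM on its own is not proof of pass-the-hash; a legitimate client that connects by IP address instead of hostname falls back to NTLM too. The useful signal is NTLM plus a source that has no business opening SMB to that server, which is why the allow-list and the Windows firewall rule restricting inbound TCP 445 (`New-NetFirewallRule` with `-RemoteAddress`, as RobinCM suggests) should describe the same set of hosts.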

  4. Cynic_999

    Depends entirely on the risk

    I have a login to my company's private server, but there really isn't much damage that an attacker could do, because all that's on it is my daily calendar (when I bother to update it), current project status, leave applications and a few other things that allow damagement to get a basic picture of employee availability and what we are all currently working on. We are not a high-profile company doing secret stuff that leaked project statuses would be of benefit to anyone.

    If there's nothing that really needs protecting, then anything that makes things a bit more difficult to log on is a disadvantage. Not many people fit steel doors with separate deadbolt locks on all 4 sides of the door to their house, because in most cases the risk is not high enough to warrant the expense and inconvenience of doing so. If however you were at significant risk of murderous attack, it might be worth doing.

    1. Joe Montana

      Re: Depends entirely on the risk

      Actually there are many ways that an attacker with a tiny foothold on the network could use that foothold to elevate their privileges and gain access to far more resources.

      1. Cynic_999

        Re: Depends entirely on the risk

        "Actually there are many ways that an attacker with a tiny foothold on the network could use that foothold to elevate their privileges and gain access to far more resources."

        You have "gained a foothold" onto this site by logging in to comment. Explain how that makes it easier for you to elevate your privileges.

  5. Joe Montana

    Account lockouts?

    Why would you implement account lockouts? That's a monumentally stupid idea...

    Usernames are often predictable, and frequently not even secret at all. An attacker can work out all your usernames and then intentionally get all the accounts locked, irrespective of how good those user's passwords were.

    Similarly even if you lock accounts after say 5 attempts, that means an attacker can still perform 4 attempts per user - if you have many users, at least some of them will have common passwords like Password1 or Welcome1 etc.

    A network based brute force is slow and will only ever succeed against extremely weak passwords anyway, so long as you have a half decent password policy no such attempts will succeed. And you should have half decent monitoring too, so you notice attacks. Simply relying on account lockouts is stupid.
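
The comment makes two claims that are easy to check by simulation: a hard lockout lets anyone with the username list lock every account, strong passwords included, and it does nothing against a spray that stays under the threshold. This is an added example by the editor (not the commenter's code) with a constructed four-user directory; `Password1` and `Welcome1` are the comment's own examples, the third spray candidate and the source addresses are invented. It also includes the monitoring the comment says you should have instead: a single source failing against many distinct accounts is a spray whatever the per-account count.

```python
from collections import defaultdict

# Constructed directory: two strong passwords, two from the classic spray list.
USERS = {
    "alice": "correct horse battery staple 42",
    "bob": "Password1",
    "carol": "x7!Qm#v2Lp@9zR",
    "dave": "Welcome1",
}
SPRAY_LIST = ["Password1", "Welcome1", "Summer2019!"]   # fewer guesses than the threshold


class LockoutAuth:
    """Authentication with the naive policy under discussion: lock the account
    after `threshold` consecutive failures, regardless of where they come from."""

    def __init__(self, users, threshold=5):
        self.users, self.threshold = users, threshold
        self.failures = defaultdict(int)
        self.locked = set()
        self.log = []          # (source_ip, user, result): what a SIEM would ingest

    def login(self, source_ip, user, password):
        if user in self.locked:
            result = "locked"
        elif user in self.users and self.users[user] == password:
            self.failures[user] = 0
            result = "ok"
        else:
            self.failures[user] += 1
            if self.failures[user] >= self.threshold:
                self.locked.add(user)
            result = "fail"
        self.log.append((source_ip, user, result))
        return result


def lock_everyone(auth, usernames, source_ip="203.0.113.9"):
    """Denial of service: with predictable usernames, `threshold` junk attempts
    per account locks every account, however good its password is."""
    for user in usernames:
        for _ in range(auth.threshold):
            auth.login(source_ip, user, "nope")
    return sorted(auth.locked)


def spray(auth, usernames, candidates, source_ip="203.0.113.9"):
    """Password spray: the outer loop is over passwords, the inner over users,
    so no account ever sees `threshold` failures and nothing locks.
    Returns the accounts that accepted a candidate."""
    assert len(candidates) < auth.threshold, "a spray stays under the lockout threshold"
    cracked = []
    for password in candidates:
        for user in usernames:
            if user not in cracked and auth.login(source_ip, user, password) == "ok":
                cracked.append(user)
    return sorted(cracked)


def detect_spray(log, min_distinct_users=3):
    """Per-source view of the log: a source that fails against many distinct
    accounts is spraying, even though each account saw only a few failures."""
    failed_users = defaultdict(set)
    for source_ip, user, result in log:
        if result == "fail":
            failed_users[source_ip].add(user)
    return sorted(src for src, users in failed_users.items()
                  if len(users) >= min_distinct_users)


if __name__ == "__main__":
    dos = LockoutAuth(USERS)
    print("locked by DoS:", lock_everyone(dos, list(USERS)))
    victim = LockoutAuth(USERS)
    print("cracked by spray:", spray(victim, list(USERS), SPRAY_LIST),
          "locked:", sorted(victim.locked))
    print("spraying sources:", detect_spray(victim.log))
```

The two runs show the asymmetry: the lockout fires only in the run where the attacker wants it to (the DoS), and never in the one where it was supposed to help (the spray), while `detect_spray` flags the source in both because it keys on distinct accounts per source rather than failures per account.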

  6. Anonymous Coward

    O365's MFA is very, very weak

    Most of the phishing attempts I see are aimed at O365, and without MFA it's really trivially easy for an attacker to persuade SOMEONE in the organisation to let them in.

    As far as I can tell, out-of-the-box there are four options.

    1) An MFA phone call, where Microsoft's automated systems ring you on a predefined number and you have to press "#" to let them in. This is the simplest and by far the most worthless level of MFA they offer. Users get so used to authorising MFA that they'll happily do it when it's the Lads from Lagos logging in. Worse still, I've seen the MFA call go to hunt groups and really anything can happen then.

    2) A push notification to an Authenticator app. A tiny bit better than a phone call, but I believe it can be used even when the phone is locked; the phone also needs access to a data network. Still quite easy to authorise an attacker without thinking about it.

    3) A text message. A bit better because it isn't quite so easy to authorise the attackers accidentally, but it does require the phone to have a signal when you want to log on. Works with dumb phones, but on most devices these days the SMS message can be read with the phone locked, so an attacker with physical access to the phone can easily see it. Or they can hijack the SIM. Or they can simply phish for the MFA token as well in real time or use an evil proxy. However, random MFA SMS messages arriving is a good sign that something is wrong.

    4) An RSA-style access token from the authenticator app. Unlike the first two "push" notifications where it's quite possible to authorise an attacker accidentally, you actually have to enter this into the login screen. Potentially you could install malware on the phone to subvert this, but by far the simplest method around it is to phish for the token and then the attacker can log in within the time window the token is still valid, through an evil proxy for example.

    So the problem with installing any one of these MFA techniques is that they'll only keep you safe-ish, and as more people migrate to them then the attackers will be more sophisticated too. I've certainly seen several successful phishes bypassing the first type of MFA. I don't think the others will be far behind.

    It's not a reason not to install MFA though. Even if it just blocks 90% of harvested credential attacks, it's a damned sight better than none.
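
All four options the comment lists share one property: whatever the user produces (a press of #, a tap, a six-digit code) is a bearer value that an evil proxy can forward unchanged, because nothing in it says which site the user thought they were on. The reply "U2F this is!" higher up is the fix: a U2F/FIDO assertion is a signature over a challenge and the origin the browser actually loaded, and the browser, not the page, supplies that origin. This added example (the editor's, not the commenter's, and not Microsoft's or any FIDO implementation) simulates both flows through the same relay. The origins are invented, the code value is an arbitrary constant, and an HMAC over a key that never leaves the token object stands in for the token's ECDSA signature so the example runs on the standard library.

```python
import hashlib
import hmac
import os

REAL_ORIGIN = "https://login.example.com"              # assumed real sign-in origin
PHISH_ORIGIN = "https://login.example.com.evil.test"   # constructed look-alike host


class Authenticator:
    """Stand-in for a U2F/FIDO token. The key never leaves the object; the HMAC
    replaces the real token's ECDSA signature, the structure is the same."""

    def __init__(self):
        self._key = os.urandom(32)

    def registration_key(self):
        # A real token exports a public key at registration; the toy exports the shared key.
        return self._key

    def sign(self, origin, challenge):
        # `origin` is filled in by the browser from the page's actual URL; a
        # phishing page cannot ask for a signature over somebody else's origin.
        data = origin.encode() + b"\x00" + challenge
        return {"origin": origin, "challenge": challenge,
                "sig": hmac.new(self._key, data, hashlib.sha256).digest()}


class RelyingParty:
    def __init__(self, origin, otp_code, token_key):
        self.origin = origin
        self.otp_code = otp_code        # the current one-time code, however it was derived
        self.token_key = token_key      # registered at enrolment
        self.pending = set()            # challenges issued but not yet consumed

    def verify_otp(self, code):
        """Option 4 in the comment: the server only sees six digits."""
        return hmac.compare_digest(self.otp_code, code)

    def new_challenge(self):
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, assertion):
        if assertion["challenge"] not in self.pending:
            return "rejected: unknown or reused challenge"
        self.pending.discard(assertion["challenge"])       # one use only
        if assertion["origin"] != self.origin:
            return "rejected: origin mismatch"
        data = assertion["origin"].encode() + b"\x00" + assertion["challenge"]
        expected = hmac.new(self.token_key, data, hashlib.sha256).digest()
        return "accepted" if hmac.compare_digest(expected, assertion["sig"]) else "rejected: bad signature"


def otp_through_evil_proxy():
    """Victim reads the code off the app and types it into the phishing page;
    the proxy forwards it to the real site inside the validity window."""
    rp = RelyingParty(REAL_ORIGIN, otp_code="481516", token_key=b"")
    typed_on_phish_page = "481516"
    return rp.verify_otp(typed_on_phish_page)          # True: the site cannot tell


def u2f_through_evil_proxy():
    """Proxy fetches a genuine challenge and relays it, but the victim's browser
    is on PHISH_ORIGIN and signs over that, so the relayed assertion fails."""
    token = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, otp_code="", token_key=token.registration_key())
    challenge = rp.new_challenge()
    assertion = token.sign(PHISH_ORIGIN, challenge)
    return rp.verify_assertion(assertion)


def u2f_legitimate():
    """Same token on the real origin: accepted once, and the challenge cannot be replayed."""
    token = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, otp_code="", token_key=token.registration_key())
    challenge = rp.new_challenge()
    assertion = token.sign(REAL_ORIGIN, challenge)
    return rp.verify_assertion(assertion), rp.verify_assertion(assertion)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_through_evil_proxy())
    print("U2F relayed through proxy:", u2f_through_evil_proxy())
    print("U2F on the real origin:", u2f_legitimate())
```

The check that defeats the relay is one line, `assertion["origin"] != self.origin`, and it only works because the origin is bound into the signed data by software the phishing page does not control. That is the difference between "keeps you safe-ish" and phishing-resistant, and it is why the comment's ordering of the four O365 options ends where it does.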

