The Colonial Pipeline attackers likely got in using old, compromised VPN credentials. This advice will force attackers to work much harder.

Every time I read about another attack, I am always interested in how the attackers gained initial access to the network. With the recent Colonial Pipeline attack, the initial infection point was reportedly an old, unused, but still open VPN account. The password had been found on the dark web rather than obtained via phishing, implying that it had been leaked or reused by a Colonial employee. The VPN account did not have two-factor authentication (2FA) enabled, allowing the attacker to merely log in.

The manner of attack made me consider my own network. Do I have remote access credentials that do not have 2FA? Are there other ways attackers could enter my network? Have I been lax in how I handle log-ins? Do I have old, unused accounts with weak passwords or, worse, passwords that can be found on underground websites?

These four tips will help eliminate easy attacker access to your Windows network.

1. Finding old devices and accounts in Active Directory

One tool I recommend to find old and unused computer accounts is Oldcmp. You can use PowerShell to locate inactive user accounts or determine who hasn't logged in for 90 days or more as follows:

Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-90)}

To determine if there are stale devices in Azure Active Directory (Azure AD), you'll need to use the console or PowerShell. Open PowerShell with administrator rights and run the following commands:

Install-Module -Name AzureAD
Install-Module -Name MSOnline
Import-Module -Name AzureAD
Import-Module -Name MSOnline
Connect-MsolService

You'll be asked for your administrator credentials and be connected to Azure AD. Now run the following PowerShell command to export a list of Azure stale devices in CSV format:
Get-MsolDevice -All | Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | Export-Csv "C:\temp\az-devices.csv"

Log into the Azure Portal using your administrative credentials. Search for Intune and open the Intune blade. Next, select "Devices" from the left menu, then select "Device cleanup rules" and turn on "Delete devices based on last check-in date". Set the number of days after which you want a device removed if it hasn't checked in.

(Screenshot: Susan Bradley)

To find inactive user accounts in Azure AD, evaluate the lastSignInDateTime property exposed by the signInActivity resource type of the Microsoft Graph API. Follow this post to create this report. If the information is blank, the user never logged in or the user logged in before December 2019, both indicating stale accounts that need to be removed.

VPN access may also be integrated with an edge device, so review your perimeter devices for stale user information.

2. Add 2FA for account access

From Active Directory to cloud services, nearly everything can have 2FA added to it. In my office I have added Duo.com 2FA to remote access as well as user log in. Other options include Saaspass.com, which adds 2FA to websites via a browser plug-in.

Bottom line: if you haven't already started reviewing options to move away from passwords, do so now. Microsoft offers solutions such as Windows Hello for Business for biometric authentication, Microsoft Authenticator for push notifications to mobile devices, and FIDO2 security keys.

3. Review user logins

Next, review user logins to see who in your organization is being targeted. Often a quick Azure AD login review filtering on "failure" will show who in your organization is getting the most login attempts. Educate these users on the risks of having their credentials compromised. Review what access they have and, if necessary, increase the security and protection on their accounts.
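The one-line Get-ADUser query in tip 1 has a gap worth closing before you act on its output: accounts that have never logged in carry no LastLogonDate, so a brand-new account and a years-old unused one look the same. The script below is an added example, not the article's own code, that extends the tip 1 query into a report-first, disable-on-request stale-account sweep. It assumes the ActiveDirectory RSAT module is installed and that the caller has rights to read (and, with -Disable, modify) user objects; the report path under $env:TEMP is a placeholder choice.

```powershell
# Added example (not from the article): a fuller version of the tip 1 stale-account query.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read and, with
# -Disable, modify user objects. Beyond the one-liner it adds:
#   - a fallback to whenCreated for accounts with no LastLogonDate, so an old never-used
#     account is flagged while a newly created one is not
#   - a restriction to enabled accounts, since disabled ones are already out of reach
#   - a CSV record of what was found before any account is touched
param(
    [int]$InactiveDays = 90,
    [string]$ReportPath = (Join-Path $env:TEMP "stale-users-$(Get-Date -Format yyyyMMdd).csv"),
    [switch]$Disable      # off by default: report only
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

function Get-LastActivity {
    # LastLogonDate is $null for accounts that never logged in. Left alone, $null compares as
    # earlier than any date and a brand-new account would be flagged; use whenCreated instead.
    param($User)
    if ($User.LastLogonDate) { return $User.LastLogonDate }
    return $User.whenCreated
}

$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, PasswordLastSet |
    Where-Object { (Get-LastActivity $_) -lt $cutoff } |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated, PasswordLastSet,
        @{ Name = 'DaysInactive'; Expression = { [int]((Get-Date) - (Get-LastActivity $_)).TotalDays } }

# Record the findings before changing anything, so the action can be reviewed or reversed
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($stale).Count) stale account(s) written to $ReportPath"

if ($Disable) {
    foreach ($user in $stale) {
        # Disable rather than delete: the SID and group memberships survive for audit, and the
        # account can be re-enabled if its owner turns up
        Disable-ADAccount -Identity $user.DistinguishedName
        Set-ADUser -Identity $user.DistinguishedName `
            -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive for $($user.DaysInactive) days"
    }
}
```

Run it once without -Disable and read the CSV first; service accounts that authenticate in ways that never update LastLogonDate (or that sit behind an application that caches credentials) will show up as stale and need to be excluded before the disable pass. LastLogonDate is the replicated lastLogonTimestamp, which can lag real activity by up to 14 days, so a 90-day threshold leaves comfortable margin while a 14-day one does not.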
If you have Azure AD you can add conditional access policies that monitor for risky behavior.

4. Train users on password best practices

Next, urge your users to be more aware of their personal habits with passwords. It's acceptable to store passwords securely. It's not okay to reuse passwords. Haveibeenpwned.com is a great resource for applications, websites, and integrations that review your existing passwords for possible breaches. One such integration will review your Active Directory infrastructure for these issues. As the k-Anonymity project indicates, if you are concerned about using an API, you can use an offline database to check the status of your users' passwords.

Educate your users to select better passwords. The group policy setting "Password must meet complexity requirements" is a great place to review how your password policy affects what users pick. I've often seen these policies set in a manner that forces users to change passwords too often; users then merely change one letter to satisfy the change and end up selecting easily guessed passwords. Review your settings and ensure that you are allowing your users to select better passwords that will protect them and your firm.
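The k-anonymity approach mentioned in tip 4 is what lets you check a password against the Have I Been Pwned corpus without the password, or even its full hash, leaving your machine: only the first five hex characters of the SHA-1 hash are sent, the service returns every known hash suffix under that prefix, and the match is made locally. The following is an added example written for this article, not code from Have I Been Pwned or from the author. It assumes outbound HTTPS to api.pwnedpasswords.com; the range endpoint and the "SUFFIX:COUNT" response format are the public ones documented at https://haveibeenpwned.com/API/v3#PwnedPasswords, and the range body inside Test-RangeParsing is constructed for the example, not real API output.

```powershell
# Added example (not from the article): check a password against Pwned Passwords using the
# k-anonymity range API. Only a 5-character hash prefix is transmitted; matching happens locally.
# Assumes outbound HTTPS to api.pwnedpasswords.com. The sample range body in Test-RangeParsing
# is constructed for this example and does not reflect real breach counts.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    } finally {
        $sha1.Dispose()
    }
    # Upper-case hex without separators, the format the API uses
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Find-HashSuffixInRange {
    # The API returns one "SUFFIX:COUNT" line per known hash sharing our prefix.
    # Returns the breach count for our suffix, or 0 if the suffix is absent.
    param(
        [Parameter(Mandatory)][string]$RangeBody,
        [Parameter(Mandatory)][string]$Suffix
    )
    foreach ($line in ($RangeBody -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        # -eq is case-insensitive in PowerShell, so hex case differences do not matter
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) {
            return [int]$parts[1]
        }
    }
    return 0
}

function Test-PwnedPassword {
    # Returns how many times the password has been seen in breaches (0 = not found).
    param([Parameter(Mandatory)][string]$Password)
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)      # the only part of the hash that leaves the host
    $suffix = $hash.Substring(5)
    # Add-Padding asks the service to pad responses to similar sizes, so someone watching the
    # network cannot infer the prefix from the response length
    $body = Invoke-RestMethod -Method Get -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                              -Headers @{ 'Add-Padding' = 'true' }
    return Find-HashSuffixInRange -RangeBody $body -Suffix $suffix
}

function Test-RangeParsing {
    # Offline check of the hashing and parsing logic. SHA-1("password") is the well-known value
    # 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; prefix 5BAA6, the rest is the suffix.
    # The surrounding lines and the count 1234 are constructed, not real API data.
    $hash   = Get-Sha1Hex -Text 'password'
    $suffix = $hash.Substring(5)
    $constructedBody = @"
0018A45C4D1DEF81644B54AB7F969B88D65:1
${suffix}:1234
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"@
    $count = Find-HashSuffixInRange -RangeBody $constructedBody -Suffix $suffix
    return ($hash -eq '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8' -and $count -eq 1234)
}

# Usage: Test-RangeParsing should return $True offline; Test-PwnedPassword -Password 'example'
# performs the live lookup and returns the breach count.
```

Two caveats for using this against a Windows domain. First, Active Directory stores NT hashes, not SHA-1, so the function above fits a point where the cleartext password is available, such as a password change handled by a filter or a self-service tool, rather than a scan of the directory. Second, for the offline route the article mentions, Have I Been Pwned also publishes the corpus for download, including an NTLM-hashed variant, which is the list you would compare directory hashes against without any API call at all.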