sbradley
Contributing Writer

4 tips to prevent easy attacker access to Windows networks

Feature
Jun 23, 2021 | 4 mins
Multi-factor Authentication, Passwords, Windows Security

The Colonial Pipeline attackers likely got in using old, compromised VPN credentials. This advice will force attackers to work much harder.


Every time I read about another attack, I am always interested in how the attackers gained initial access into the network. With the recent Colonial Pipeline attack, the initial infection point was reportedly an old, unused, but still open VPN account. The password had been found on the dark web rather than obtained via phishing, implying that it had been leaked or reused by a Colonial employee. The VPN account did not have two-factor authentication (2FA) enabled, allowing the attacker to merely log in.

The manner of attack made me consider my own network. Do I have remote access credentials that do not have 2FA? Are there other ways attackers could enter my network? Have I been lax in how I handle log-ins? Do I have old, unused accounts with weak passwords or worse, passwords that can be found on underground websites?

These four tips will help eliminate easy attacker access to your Windows network.

1. Finding old devices and accounts in Active Directory

One tool I recommend to find old and unused computer accounts is Oldcmp. You can use PowerShell to locate inactive user accounts, or to determine who hasn’t logged in for 90 days or more, as follows:

Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-90)}

To determine if there are stale devices in Azure Active Directory (Azure AD), you’ll need to use the console or PowerShell. Open PowerShell with administrator rights and run the following commands:

Install-Module -Name AzureAD

Install-Module msonline

Import-Module -Name AzureAD

Import-Module msonline

Connect-MsolService

You’ll be asked for your administrator credentials and be connected to Azure AD. Now run the following PowerShell command to export a list of stale Azure devices in CSV format (the original path had lost its backslashes; it is restored here):

Get-MsolDevice -All | Select-Object -Property Enabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimestamp | Export-Csv "C:\temp\az-devices.csv" -NoTypeInformation

Log into the Azure Portal using your administrative credentials. Search for Intune and open the “Intune Blade”. Next, select “Devices” from the left menu, then select “Device cleanup rules” and turn on “Delete devices based on last check-in date”. Set the number of days after which a device should be removed if it hasn’t checked in.


To find inactive user accounts in Azure AD, evaluate the lastSignInDateTime property exposed by the signInActivity resource type of the Microsoft Graph API. Follow this post to create this report. If the information is blank, the user never logged in or the user logged in before December 2019, both indicating stale accounts that need to be removed.

VPN access may also be integrated with an edge device, so review your perimeter devices for stale user information.
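The one-liner above only lists users. The following script, added here as an example and not part of the original article, extends the same LastLogonDate check to both user and computer accounts, handles objects that have never logged on, and disables (rather than deletes) what it finds. It assumes the RSAT ActiveDirectory module and rights to read and modify the objects; the 90-day cutoff and output path are assumptions.

```powershell
# Added example, not from the article: report (and optionally disable) stale
# enabled user and computer accounts in on-premises Active Directory.
# Assumes the RSAT ActiveDirectory module and rights to read/modify the objects.
Import-Module ActiveDirectory

function Get-StaleAdAccount {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $props  = 'LastLogonDate', 'whenCreated', 'PasswordLastSet'

    # Only enabled objects: disabled ones are already out of an attacker's reach.
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
        Select-Object @{n='Type';e={'User'}}, SamAccountName, DistinguishedName,
                      LastLogonDate, whenCreated, PasswordLastSet)
    $computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
        Select-Object @{n='Type';e={'Computer'}}, SamAccountName, DistinguishedName,
                      LastLogonDate, whenCreated, PasswordLastSet)

    ($users + $computers) | Where-Object {
        # LastLogonDate is the replicated lastLogonTimestamp, which can lag the real
        # last logon by up to 14 days, so $InactiveDays should be well above that.
        # A null LastLogonDate means the object never logged on anywhere; treat it as
        # stale only if it is older than the cutoff (new accounts are not stale yet).
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    }
}

# Report first; disabling is reversible, deleting is not.
$stale = Get-StaleAdAccount -InactiveDays 90
$stale | Sort-Object Type, LastLogonDate |
    Export-Csv -Path "$env:TEMP\stale-ad-accounts.csv" -NoTypeInformation

# After review, disable and tag the objects so the change is visible later.
# Remove -WhatIf to actually apply.
foreach ($obj in $stale) {
    $stamp = "Disabled as stale on $(Get-Date -Format yyyy-MM-dd)"
    Disable-ADAccount -Identity $obj.DistinguishedName -WhatIf
    Set-ADObject -Identity $obj.DistinguishedName -Description $stamp -WhatIf
}
```

Review the CSV before removing -WhatIf: service accounts and devices that authenticate only against a domain controller that has not replicated recently will show up as stale.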

2. Add 2FA for account access

From Active Directory to cloud services, nearly everything can have 2FA added to it. In my office I have added Duo.com 2FA to remote access as well as to user log-in. Other options include Saaspass.com, which adds 2FA to websites via a browser plug-in.

Bottom line: if you haven’t already started reviewing options to move away from passwords, do so now. Microsoft offers solutions such as Windows Hello for Business for biometric authentication, Microsoft Authenticator for push notifications to mobile devices, and FIDO2 security keys.

3. Review user logins

Next, review user logins to see who in your organization is being targeted. Often a quick Azure AD sign-in review filtered on “failure” will show who in your organization is receiving the most login attempts. Educate these users on the risks of having their credentials compromised. Review what access they have and, if necessary, increase the security and protection on their accounts. If you have Azure AD, you can add Conditional Access policies that monitor for risky sign-in behavior.

4. Train users on password best practices

Next, urge your users to be more aware of their personal habits with passwords. It’s acceptable to store passwords securely. It’s not okay to reuse passwords. HaveIBeenPwned.com is a great resource for applications, websites, and integrations that review your existing passwords for possible breaches. One such integration will review your Active Directory infrastructure for these issues. As the k-Anonymity project indicates, if you are concerned about using an API, you can use an offline database to check the status of your users’ passwords.

Educate your users to select better passwords. The group policy setting “Password must meet complexity requirements” is a great place to review how your password policy affects what users pick. I’ve often seen these policies set in a manner that forces users to change passwords too often, so they merely change one letter to satisfy the password change and end up selecting easily guessed passwords. Review your settings and ensure that you are allowing your users to select better passwords that will protect them and your firm.
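The k-anonymity check mentioned above works by sending only the first five hex characters of a password’s SHA-1 hash to the Pwned Passwords range API and comparing the returned suffixes locally. The script below is an added example, not from the article or from HaveIBeenPwned; the function name is an assumption and it requires outbound HTTPS to api.pwnedpasswords.com.

```powershell
# Added example, not from the article: check a password against the Pwned Passwords
# k-anonymity range API. Only the first five hex characters of the SHA-1 hash leave
# the machine; the full hash and the password itself are never sent.
function Test-PwnedPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][securestring]$Password)

    # Decrypt the SecureString only long enough to hash it, then zero the buffer.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($plain))
    $sha1.Dispose()
    $hex    = -join ($bytes | ForEach-Object { $_.ToString('X2') })
    $prefix = $hex.Substring(0, 5)   # sent to the service
    $suffix = $hex.Substring(5)      # compared locally, never sent

    # Add-Padding makes every response a similar size so a network observer cannot
    # infer the prefix from the response length; padding rows have a count of 0.
    $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                              -Headers @{ 'Add-Padding' = 'true' }

    foreach ($line in ($body -split "`r?`n")) {
        $hashSuffix, $count = $line.Trim().Split(':')
        if ($hashSuffix -eq $suffix -and [int]$count -gt 0) {
            return [pscustomobject]@{ Pwned = $true;  Count = [int]$count }
        }
    }
    return [pscustomobject]@{ Pwned = $false; Count = 0 }
}

# Prompt so the password never appears in the console history or a script file.
$result = Test-PwnedPassword -Password (Read-Host -AsSecureString 'Password to check')
if ($result.Pwned) { "Seen $($result.Count) times in breach corpora: do not use it." }
else               { 'Not found in the Pwned Passwords corpus (necessary, not sufficient).' }
```

The same suffix comparison works against the downloadable offline hash list the article mentions; only the lookup source changes, and the password still never leaves the host.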


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
