Protecting Windows Domain Logon Credentials


Windows domain passwords are not going away any time soon. It’s crucial for enterprises to start taking stock of their password threat exposure.

2016 saw a significant rise in worldwide breaches and data theft, and by far the most common attack vector is the theft of user credentials. Fully 91% of attacks begin with a phishing email, according to a recent report by vendor PhishMe cited in Dark Reading.

Once in possession of an employee’s login credentials, the attacker can masquerade as the user and pass right through typical security controls into the ‘trusted’ interior networks and systems. Your anti-virus, anti-intrusion, firewall and other technologies are not going to flag anything unusual. Your system believes that person on the network is who they say they are.

This is an increasing problem for all organizations, and it highlights a general trend of the user being seen as an attack vector. In a roundup of 2017 cyber security predictions, NTT Security states: “We see more alerts and events indicating attacks against the end-user Workstation than the corporate infrastructure.”

Also looming large is the EU’s General Data Protection Regulation (GDPR), which comes into force in May next year. With both the increased risk and the threat of financial penalties in the many millions of Euros, it’s crucial that enterprises start taking stock of the threat from compromised network credentials.

Password death greatly exaggerated

As major data breaches caused by compromised credentials continue to make headlines, it’s become popular to predict the death of the password. Passwords are, however, still in heavy use.

Where biometric authentication is deployed, it’s been an adjunct to passwords, not a replacement. According to Joseph Carson, head of global strategic alliances at Thycotic Software, “The biometrics are used for ease of access to systems but passwords are used to establish the initial trusted relationship, and as a fall back when the biometrics fail. Biometrics will never replace passwords.”

Stronger security measures to protect passwords

Accessing any type of data on the network does need to be supported with stronger security measures. And this should certainly involve more than just usernames and passwords.

Two-factor authentication or biometric data offers additional control and authorization, but neither is widely adopted for all users. This is most likely because they impede end users with additional security steps that prove costly, complex and time-consuming for the IT department to set up and manage.

If there’s an alternative to multi-factor authentication that achieves the same high level of security, but is easy to roll out, simple to manage, and doesn’t impede the end user by forcing them to jump through hoops, that alternative has to be worth a look.

A viable alternative to MFA – context-aware security

Context-aware security uses supplemental information to decide whether access is genuine or not when someone attempts to connect. This supplemental information includes what workstation or device the user is logging in on, what geographical location they’re logging in from, the number of concurrent logins, and many other factors that build up a profile of the person logging in.

Administrators can easily set the rules as to what constitutes ‘normal’ logon behavior, to automatically grant or deny access. For example, a rule might allow logins only from particular workstations located in a particular department on your office premises. Any login attempt that falls outside of those rules is flagged and access is denied automatically. Restricting access in this way means that even if a cyber-criminal gets their hands on an employee’s network password, they still won’t be able to get access, meaning sensitive data remains safe.
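The rule evaluation described above can be sketched as follows. This is an added example, not UserLock's code or configuration format. All class, function and host names are hypothetical, the sample data is constructed, and office IP ranges are assumed as a stand-in for geographical location.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class LogonPolicy:
    """'Normal' logon context for one group of users (hypothetical model)."""
    allowed_workstations: frozenset   # hostnames the group may log on from
    allowed_networks: tuple           # office CIDR ranges (assumed location proxy)
    max_concurrent_sessions: int      # simultaneous sessions allowed per user

@dataclass(frozen=True)
class LogonAttempt:
    user: str
    workstation: str
    source_ip: str

def evaluate_logon(attempt, policy, active_sessions):
    """Return (allowed, reasons). The password is assumed to have verified;
    only context is judged. active_sessions: user -> set of workstations."""
    reasons = []
    ws = attempt.workstation.upper()
    if ws not in policy.allowed_workstations:
        reasons.append("workstation not permitted")
    try:
        addr = ip_address(attempt.source_ip)
        if not any(addr in ip_network(n) for n in policy.allowed_networks):
            reasons.append("source network not permitted")
    except ValueError:
        reasons.append("unparseable source address")  # fail closed
    # Sessions on other machines count; reconnecting to the same one does not.
    open_elsewhere = active_sessions.get(attempt.user, set()) - {ws}
    if len(open_elsewhere) >= policy.max_concurrent_sessions:
        reasons.append("concurrent session limit reached")
    return (not reasons, reasons)

# Constructed sample data: a finance group limited to two desks on one subnet.
FINANCE = LogonPolicy(frozenset({"FIN-WS01", "FIN-WS02"}), ("10.20.30.0/24",), 1)
SESSIONS = {"asmith": {"FIN-WS01"}}

def demo():
    attempts = [
        LogonAttempt("bjones", "fin-ws02", "10.20.30.15"),  # normal context
        LogonAttempt("bjones", "HR-WS07", "203.0.113.9"),   # right password, wrong context
        LogonAttempt("asmith", "FIN-WS02", "10.20.30.16"),  # already on FIN-WS01
    ]
    return [evaluate_logon(a, FINANCE, SESSIONS) for a in attempts]

if __name__ == "__main__":
    for allowed, reasons in demo():
        print("ALLOW" if allowed else "DENY", reasons)
```

The denial reasons are returned rather than only logged so that each refused attempt can be flagged for review, which is what makes a stolen password visible as well as unusable.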

Crucially, this form of transparent access security doesn’t impede the end user like MFA does, and just complements any existing security technology you’ve already got in place.

As more enterprises embrace contextual access security, users are starting to be better protected rather than blamed for data breaches.

Discover how UserLock uses context-aware security to allow or deny domain logons on a Windows Server-based network.

Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.