IS Decisions logo

IS Decisions Blog

Protecting Windows domain logon credentials

Windows domain passwords are not going away any time soon. Discover how context-aware security protects all user credentials, even when compromised.

Updated October 24, 2023
Windows network logon password security

Windows domain passwords are still the way most companies authenticate users. It’s beyond time to do something about password threat exposure.

The most common attack vector is the theft of user credentials. Fully 91% of attacks begin with a phishing email, according to Deloitte.

Once in possession of an employee’s login credentials, the attacker can masquerade as the user and pass right through typical security controls into the "trusted" interior networks and systems. Your anti-virus, anti-intrusion, firewall and other technologies are not going to flag anything unusual. Your system believes that person on the network is who they say they are.

An increasing problem for all organizations, credential compromise highlights a general trend: user as attack vector.

Looming large is also the EU’s General Data Protection Regulation (GDPR), alongside similar pieces of legislation worldwide. With both the increased risk and threat of financial penalties in the many millions of euros, it’s crucial enterprises start taking stock of the threat from compromised network credentials.

Password death greatly exaggerated

As major data breaches continue to make headlines from compromised credentials, it’s become popular to predict the death of the password. Passwords are however, still in heavy use.

Where biometric authentication is deployed, it’s been an adjunct to passwords, not a replacement. And there are many reasons why other passwordless methods aren't ready or suited for widespread adoption.

Stronger security measures to protect passwords

Accessing any type of data on the network does need to be supported with stronger security measures. And this should certainly involve more than just usernames and passwords.

Multi-factor authentication

Two-factor authentication, or multi-factor authentication (MFA) is the most common answer to password security. And for good reason. But MFA all users is not yet widely adopted. Most likely because of how MFA is usually implemented. It tends to get in end-users' way and slow them down. Meaning, less work gets done. And IT teams also can be skeptical of taking on another time-consuming solution that's complex to manage and set up.

But it doesn't have to be that way. There is a way to ensure MFA is granularly applied, so it doesn't slow down productivity. And, it can be easy to manage.

If there’s an alternative to multi-factor authentication, that achieves the same high level of security, but is easy to roll out, simple to manage, and doesn’t impede the end user by forcing them to jump through hoops, that alternative has to be worth a look.

The secret to effective MFA: Context-aware security

Context-aware security uses supplemental information to decide whether access is genuine or not when someone attempts to connect. This supplemental information includes what workstation or device the user is logging in on, what geographical location they’re logging in from, the number of concurrent logins, and many other factors that build up a profile of the person logging in.

Administrators can easily set the rules as to what constitutes ‘normal’ logon behavior, to automatically grant or deny access. For example logins from particular workstations located in a particular department on your office premises. Any login attempt that falls outside of those rules is flagged and access denied automatically. Restricting access in this way means that even if a cyber-criminal gets their hands on an employee’s network password, they still won’t be able to get access meaning sensitive data remains safe.

Crucially, this form of transparent access security doesn’t impede the end user like MFA does, and just complements any existing security technology you’ve already got in place.

As more enterprises embrace contextual access security, users are starting to be better protected rather than blamed for data breaches.

With UserLock, admins can use context-aware security to allow or deny domain logons on a Windows Server-based network.

Try UserLock for free

  • 30-day trial
  • Full technical support
  • No credit card required
UserLock screenshot