Single Sign-On (SSO) security issues with Active Directory

Single sign-on (SSO) is a powerful productivity tool. It can facilitate access to on-premises and cloud-based applications, all based on the user authenticating once. This dramatically simplifies the user experience, allowing the user to simply logon to Windows, and open any and every application provisioned for them by IT.

But how do businesses ensure they benefit from the convenience of single sign-on without compromising security?

The risk in SSO exists only if you see SSO as a means to gain access. But by recognizing the inherent security gaps that exist, and compensating by implementing additional controls in the form of multi-factor authentication, contextual access security and session management, you effectively reduce SSO risk, making it a source of elevated productivity and security.

Single Sign-On (SSO) Security

Working in IT is a constant battle to find the perfect balance of security and productivity. This is no better personified than in the need for Active Directory (AD) users to access multiple systems through the use of Single Sign-On (SSO).

SSO solutions eliminate the need for users to remember a unique, complex password for each application and platform they access, replacing it with a single logon facilitating access to multiple systems and applications.

Offering faster access times to applications, with reduced password requirements (usually, one), it’s a no-brainer technology that reduces administrative overhead and support costs, while being a non-disruptive technology with a high adoption rate.

It also comes with some security benefits: since SSO uses only a single credential, it often equates to requiring a very complex single password. Additionally, the act of disabling access enterprise-wide becomes as simple as disabling the initial account. But, as with any technology designed to improve productivity, there are often losses on the security side. And in the case of SSO, there are some implied security risks.

What are the Security Risks in SSO?

In general, SSO is more concerned with providing access than restricting it. And, at a time when malware-based attacks are rampant, it’s not the perfect time to be giving it all away. Despite the benefits previously mentioned, there are quite a few risks that come along with utilizing SSO:

  1. Instant Access to More Than Just the Endpoint

    Logon credentials are a major focus for external attackers (81% of data breaches involve credential misuse). With SSO in place, once a malicious user has initial access to an authenticated SSO account, they automatically have access to all linked applications, systems, data sets, and environments the authenticated user is provisioned for. While great for users, it’s terrible for security!

    External attacks using malware to gain control over an endpoint would have post-logon access to everything connected via SSO immediately after infection, increasing an attacker’s footprint within the organization.

  2. Less-Than-Perfect Control over Access Once Granted

    Let’s say a user has successfully logged on via SSO and is granted access to additional external applications in the cloud. Then the user falls prey to a phishing attack, giving an attacker access to the endpoint.

    If detected, the account certainly can be disabled, but given the way Windows works, the user remains logged on and, depending on the SSO solution in place and the linked application’s security model, it’s possible for the attacker to remain logged on with access to a given application.

  3. Little-to-No Adherence to the Principle of Least Privilege

    The principle of least privilege dictates that users should have access to the minimum data, applications and systems necessary to do their job, and usually involves requiring separate credentials for elevated access.

    Because SSO is all about giving you access with a single authentication, it runs contrary to the idea of requiring the user to authenticate each and every time they need to access something new.

Even with risks, organizations like the benefit of the improvement in productivity and reduction in support costs. So how can you facilitate the simplified access of SSO while still maintaining a solid security posture?

Reducing the Risk in Active Directory SSO

The answer doesn’t lie in getting rid of SSO. On the contrary, it’s about filling in the security gaps by taking a few additional steps in a way that is as non-disruptive as possible.

Step 1: Retain Windows Server Active Directory as the authoritative user directory for maximum security and ease.

Continue to use Microsoft Active Directory, which streamlines all account management. It provides the central place to create and configure an employee’s roles and services, and to remove them on their departure or when they no longer need access.

Ideally, once an employee’s AD identity is created, it should also be used to determine which cloud applications any employee needs to access (and only those applications).

This way, an employee cannot bypass SSO by using their AD identity to browse directly to the application. With the ability to deny access to the entire Windows session, you know every accessible data set, system and application is equally secure, whether on premises or in the cloud.

With UserLock SSO, organizations can now retain Windows Server AD as their identity management solution, while extending it to work with the cloud.

  • No need to consolidate or integrate user identities into a new directory
  • Leverage your existing investment in AD
  • Accounts, services, roles and group policies continue to be enforced
  • Retain on site authentication for maximum security

Step 2: Combine SSO with multi-factor authentication (MFA) to address password vulnerabilities

Combining SSO with multi-factor authentication introduces an additional layer of security to verify the identity of users and protect AD accounts. Surprisingly, 2FA solutions are still not widely adopted, most likely because they are thought to impede end users with additional security steps that prove costly, complex and time-consuming for the IT department to set up and manage. Well, that’s not true; those are 2FA myths.

  • It can stop a data breach before any damage is done
  • It protects all users, including the most privileged ones
  • It makes compromised credentials useless to the attacker
  • It can be customized for any user, user group or organizational unit

With UserLock, granular MFA can be easily combined with SSO to provide the protection you need without unnecessarily impeding employees. With support for authenticator applications and one-click programmable tokens such as YubiKey and Token2, the conditions for MFA can be customized to ensure less friction for users. Administrators can also use the context of the user’s authentication attempt to set access policies and balance the need for convenience with security.

Step 3: Context-aware technology to further secure single sign-on

Context-aware security analyses the situation in which an access attempt takes place to determine whether the person trying to log in is exactly who they say they are. It can reduce the size of the opportunity for would-be attackers.

For example, security controls around the initial Windows login can include:

  • Restrictions on when and from which endpoint(s), geolocation or IP addresses a particular user account can logon
  • Restrictions on logon frequency and concurrency
  • Restrictions based on session type (local, RDP, etc.)
  • Real time monitoring and alerts on potentially suspicious access
  • Warnings to end users themselves of the use of their own AD identities.

With UserLock, context-aware security runs as an integrated part of the logon process. It acts as a non-disruptive technology that aligns with the productivity-focused mindset of those implementing SSO.
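The logon restrictions listed above (hours, source network, endpoint, session type, concurrency) can be expressed as a small policy check evaluated against each Windows logon attempt. The following is an added illustration, not UserLock's code or policy format; the policy fields, event fields and sample logon events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class LogonPolicy:
    """Per-account context rules (constructed format, not UserLock's)."""
    allowed_hours: tuple = (7, 19)                  # local hours [start, end)
    allowed_networks: tuple = ("10.0.0.0/8",)       # CIDR ranges
    allowed_workstations: frozenset = frozenset()   # empty set = any host
    allowed_session_types: frozenset = frozenset({"local", "rdp"})
    max_concurrent: int = 1                         # sessions per account

def evaluate(event: dict, policy: LogonPolicy, active_sessions: list) -> tuple:
    """Check one logon attempt; returns ("allow", []) or ("deny", [reasons]).
    Every failed check is reported so the resulting alert explains itself."""
    reasons = []
    hour = datetime.fromisoformat(event["time"]).hour
    start, end = policy.allowed_hours
    if not start <= hour < end:
        reasons.append(f"logon at {hour:02d}h outside {start:02d}-{end:02d}")
    src = ip_address(event["src_ip"])
    if not any(src in ip_network(n) for n in policy.allowed_networks):
        reasons.append(f"source {src} outside allowed networks")
    if policy.allowed_workstations and event["workstation"] not in policy.allowed_workstations:
        reasons.append(f"workstation {event['workstation']} not allowed")
    if event["session_type"] not in policy.allowed_session_types:
        reasons.append(f"session type {event['session_type']} not allowed")
    # Concurrency: count sessions already open for the same account at evaluation time
    open_count = sum(1 for s in active_sessions if s["user"] == event["user"])
    if open_count >= policy.max_concurrent:
        reasons.append(f"{open_count} session(s) already open, limit {policy.max_concurrent}")
    return ("deny" if reasons else "allow", reasons)

# Constructed sample data: one policy, one already-open session, three attempts
POLICY = LogonPolicy(allowed_workstations=frozenset({"WS-FIN-01", "WS-FIN-02"}))
ACTIVE = [{"user": "jdoe", "workstation": "WS-FIN-01", "session_type": "local"}]
EVENTS = [
    {"user": "asmith", "time": "2024-03-04T09:15:00", "src_ip": "10.20.3.7",
     "workstation": "WS-FIN-02", "session_type": "local"},
    {"user": "jdoe", "time": "2024-03-04T10:00:00", "src_ip": "10.20.3.9",
     "workstation": "WS-FIN-02", "session_type": "rdp"},      # second concurrent session
    {"user": "asmith", "time": "2024-03-04T02:30:00", "src_ip": "203.0.113.5",
     "workstation": "LAPTOP-X", "session_type": "rdp"},       # off-hours, external, unknown host
]

def audit(events=EVENTS, policy=POLICY, active=ACTIVE) -> list:
    """Return (user, decision, reasons) per attempt; each deny is an alert candidate."""
    return [(e["user"], *evaluate(e, policy, active)) for e in events]
```

Running `audit()` allows the first attempt and denies the other two, with the third attempt failing three separate checks at once.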

Achieve Both Elevated Security & Productivity with SSO & MFA on AD Logon

SSO has a place in any organization, and with UserLock SSO you can continue to use AD as the system of record for all external access. What’s more, by combining SSO with solid AD logon security (such as multi-factor authentication and context-aware security), you create a secure foundation for SSO.

Use on-premises Active Directory identities for Single Sign-On (SSO) to Microsoft 365 & cloud applications

UserLock combines SSO with Multi-Factor Authentication (MFA) for secure and frictionless access to both network resources and multiple cloud services.
