Microsoft Lays Out Identity and Access Best Practices for IT Pros
Organizations should get rid of ADFS, use MFA and check for misconfigured policies, among other things.
The Microsoft Incident Response (IR) team this month published a fairly comprehensive guide for IT pros responsible for securing computing environments.
The long "lessons learned" IR team post is for organizations with premises-managed workloads, workloads that leverage cloud services, and hybrid arrangements. It's credited to Microsoft's IR team, but is specifically bylined by Matthew Zorich of that team. Here are some highlights.
Highlighted up front in the long "lessons learned" post is that there are many risks involved in using federated identity providers for authentication. A big risk is Microsoft's own Active Directory Federation Services (ADFS), which is a Windows Server role for linking local Active Directory to Microsoft Entra ID services (formerly "Azure Active Directory").
The IR team indicated that "a single misconfiguration can lead to a significant compromise of an organization's entire identity plane." Moreover, federated identity providers are "a favored target of some nation-state actors."
Attackers have accessed "on-premises federation servers" to steal Token Signing Certificates, which were then used to forge SAML tokens and "authenticate successfully to Microsoft Entra ID," the IR team explained. It's likely a reference to espionage by a "Nobelium" group (Russia) that used various methods, including exploiting ADFS, to tap Exchange Online e-mails two years ago.
Organizations should ditch ADFS and shift to Microsoft Entra ID authentication, the IR team advised:
Microsoft IR strongly recommends moving to native Microsoft Entra ID authentication and decommissioning AD FS (or other federated identity providers) where possible. This reduces the overall complexity of the organization's identity plane and makes it easier to secure identities.
Avoid Identity System Complexity
The IR team sometimes sees "tenant-level compromise of Microsoft Entra ID" happening because of poor security or misconfiguration on a component within a business system. They recommended keeping authentication and authorization mechanisms simple.
Organizations should "treat the entire authentication system as tier 0, as compromise of a single link within it can lead to complete compromise," the IR team indicated. Microsoft also suggested that organizations should retain log information (for detection and forensics) "for a long period of time, preferably 2 years or more."
Don't Sync Privileged Admin Accounts from AD
Organizations using hybrid authentication methods may typically sync standard user accounts from Active Directory on premises to Microsoft Entra ID. However, IT pros should not do the same with their privileged administrative accounts, the IR team emphasized.
Synced service accounts are particularly vulnerable to exploitation. Microsoft IR commonly sees service accounts used to manage both on-premises Active Directory and Microsoft Entra ID targeted by threat actors.
Moreover, these synced admin accounts typically "aren't subject to the same controls such as MFA [multifactor authentication] or Microsoft Entra Privileged Identity Management (PIM)."
The IR team recommended using "native" (nonsynced) Microsoft Entra ID accounts for admin accounts. Also recommended was the use of phishing-resistant methods, such as FIDO2-protected authentications, the use of Privileged Identity Management, plus Conditional Access to block access from "non-approved locations or IP addresses."
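The check implied by this advice can be run over exported directory data. The following is an added example, not code from Microsoft or the IR team's post: it flags privileged accounts that are synced from on-premises AD or that lack a phishing-resistant method. The `onPremisesSyncEnabled` field mirrors the Microsoft Graph user property; the `methods` field, the role subset and all sample records are assumptions constructed for illustration.

```python
import json

# Illustrative subset of Entra ID built-in roles treated as privileged here.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator"}
# Assumed labels for phishing-resistant methods in the (hypothetical) export.
PHISHING_RESISTANT = {"fido2", "certificate"}

# Constructed sample export. onPremisesSyncEnabled is null for cloud-only users.
USERS_JSON = """[
  {"id": "u1", "userPrincipalName": "admin-cloud@contoso.example",
   "onPremisesSyncEnabled": null, "methods": ["fido2"]},
  {"id": "u2", "userPrincipalName": "svc-sync@contoso.example",
   "onPremisesSyncEnabled": true, "methods": ["password"]},
  {"id": "u3", "userPrincipalName": "jdoe@contoso.example",
   "onPremisesSyncEnabled": true, "methods": ["password", "sms"]},
  {"id": "u4", "userPrincipalName": "admin2@contoso.example",
   "onPremisesSyncEnabled": false, "methods": ["password", "sms"]}
]"""
# Constructed (principal id, role name) pairs.
ASSIGNMENTS = [("u1", "Global Administrator"), ("u2", "Global Administrator"),
               ("u3", "Reports Reader"), ("u4", "Privileged Role Administrator")]

def audit_privileged_accounts(users, assignments):
    """Return (upn, roles, issues) for privileged accounts that break the guidance."""
    roles_by_user = {}
    for principal_id, role in assignments:
        if role in PRIVILEGED_ROLES:
            roles_by_user.setdefault(principal_id, []).append(role)
    findings = []
    for user in users:
        roles = roles_by_user.get(user["id"])
        if not roles:
            continue  # standard users may be synced; only admins are in scope
        issues = []
        if user.get("onPremisesSyncEnabled") is True:  # null/false = cloud-native
            issues.append("synced-from-on-prem")
        if not PHISHING_RESISTANT & set(user.get("methods", [])):
            issues.append("no-phishing-resistant-method")
        if issues:
            findings.append((user["userPrincipalName"], sorted(roles), issues))
    return findings

def run_sample():
    return audit_privileged_accounts(json.loads(USERS_JSON), ASSIGNMENTS)

if __name__ == "__main__":
    for upn, roles, issues in run_sample():
        print(f"{upn}: roles={roles} issues={issues}")
```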
Take Steps To Thwart Token Theft
Attackers use credential-stealing malware to "steal tokens from end user devices," or they leverage adversary-in-the-middle approaches to "steal tokens during authentication," the IR team explained. These stolen tokens bypass MFA challenges.
The IR team recommended that Global Administrator Accounts be strengthened via phishing-resistant FIDO2 keys and certificate-based authentication methods. These Entra ID accounts should not be synced from Active Directory. Also, "to remove the attack vector of direct phishing attempts, users that hold privilege in Microsoft Entra ID should not have a mailbox assigned." Management should happen via "hardened workstations known as privileged access workstations."
Microsoft has developed a token protection solution, but it "is currently in preview in Microsoft Entra Conditional Access."
Audit Privileged Role Assignments
It turns out that some privileged roles can be used to do things like reset the password of a Global Administrator. Lesser roles could be leveraged by attackers to take control of a tenant.
The IR team recommended auditing role assignments. Organizations also can map possible Entra ID attack paths using "AzureHound, the cloud sibling of BloodHound." Assigning just-in-time access for roles using Microsoft Entra PIM was also recommended.
Limit Workload Identity Privileges
Nonhuman authentications by applications, called "service principals," can hold excessive privileges. They get overlooked, and there's no MFA check for machine identities. These app identities should be made to follow the "least-privilege principle."
Organizations also should set up detection alerts for "new credentials, additional privileges being added to existing applications, and anomalous sign-in activity," which may indicate attacker actions.
Microsoft advised using "Conditional Access for workload identities," which is a "feature in Microsoft Entra Workload ID." It lets IT pros specify "access from specific IP locations or block access based on elevated risk patterns detected by Microsoft."
Microsoft advocates the use of "certificates, for applications, instead of client secrets." It turns out that client secrets typically get put into e-mails or get "saved in easy to find locations," the IR team explained.
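The workload identity advice above (alert on new credentials and added privileges, and prefer certificates to client secrets) can be sketched as two checks over exported data. This is an added example, not code from Microsoft or the IR team's post. The records are constructed and simplified: the `target` field is a hypothetical flattening of an audit entry's target resource, the activity names are assumptions to confirm against a tenant's own audit log, and `passwordCredentials` and `keyCredentials` follow the Microsoft Graph application properties.

```python
# Activity names are assumptions: confirm them against your tenant's audit log.
WATCHED = {
    "Add service principal credentials": "new-credential",
    "Add app role assignment to service principal": "privilege-added",
}

# Constructed audit entries, reduced to three fields ("target" is hypothetical).
AUDIT_EVENTS = [
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2024-01-10T02:14:00Z", "target": "backup-app"},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2024-01-10T02:15:00Z", "target": "jdoe"},
    {"activityDisplayName": "Add app role assignment to service principal",
     "activityDateTime": "2024-01-10T02:16:00Z", "target": "backup-app"},
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2024-01-11T09:30:00Z", "target": "hr-portal"},
]

# Constructed application inventory: passwordCredentials are client secrets,
# keyCredentials are certificates.
APPS = [
    {"displayName": "backup-app", "passwordCredentials": [{"keyId": "k1"}],
     "keyCredentials": []},
    {"displayName": "hr-portal", "passwordCredentials": [],
     "keyCredentials": [{"keyId": "c1"}]},
    {"displayName": "legacy-sync", "passwordCredentials": [{"keyId": "k2"}],
     "keyCredentials": [{"keyId": "c2"}]},
]

def workload_alerts(events):
    """Map each app to a severity based on the watched changes made to it."""
    per_target = {}
    for event in events:
        tag = WATCHED.get(event["activityDisplayName"])
        if tag:
            per_target.setdefault(event["target"], set()).add(tag)
    # A new credential plus a new privilege on the same app is escalated.
    return {target: ("high" if len(tags) == 2 else "review")
            for target, tags in per_target.items()}

def apps_using_secrets(apps):
    """List apps that still hold at least one client secret."""
    return sorted(a["displayName"] for a in apps if a.get("passwordCredentials"))

if __name__ == "__main__":
    print(workload_alerts(AUDIT_EVENTS))
    print(apps_using_secrets(APPS))
```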
Require MFA, Check for Conditional Access Misconfigurations
The IR team's "lessons learned" article is well worth reading in full, but here are a few other summaries.
Organizations should "require MFA when joining or registering a device" to address the phishing problem. Alerts should be set up for things like "registering multiple devices, suspicious device names, or unusual times." Attackers that have breached an account typically use the MyApps portal to request a new privileged account, Microsoft noted, but organizations can use Microsoft Entra ID to "restrict access to applications, and to hide the visibility of applications in the MyApps portal."
Enforce "granular delegated admin privileges" for Cloud Solution Provider partners, since they are typically targeted by attackers to gain access to their customers.
Organizations should set up alerts for any changes to Conditional Access policies. The IR team noted that it has seen exploits due to misconfigurations of Conditional Access policies, too, so it recommended setting up periodic policy reviews. It's possible to "simulate sign-in events" using the 'What If' tool, the IR team noted.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.