Microsoft's Commandment: Thou Shalt Not Worship (Password) Idols

Why do we have a situation where hackers are able to take advantage of Microsoft's Active Directory bugs?

No matter how you slice it, the error in the model can be traced to one factor – the password. If that were not compromised, hackers would not have an opportunity to carry out attacks in the first place.

AD centralizes authentication and authorization for domain resources, but also creates a critical single point of failure - the account password that grants access to all resources. If the password is stolen, the attacker can gain access to all systems/resources authorized for the account.

One way to mitigate the problem is to deploy a policy requiring complex passwords that are hard to guess and require frequent updates, another option is to deploy a second factor of authentication. Demanding password policies and strong authentication adversely impact user experience and productivity.

The need for users to constantly update passwords - and the need by organizations to deploy staff to manage the updates of lost and expired passwords - underscore the dangers of relying on a single factor. 

AD has plenty of tools imposing automatic expiration of passwords, so administrators can set up a password policy they are comfortable with. The high priests of AD will no doubt say that this is enough – but we reject that.

The truth is that the only solution to the password dilemma is elimination of the password altogether (according to NIST, there are security issues with all the second-factor authentication schemes that make them inadequate for primary authentication, as are passwords). Running a help desk to assist users who lose their passwords (as many as a third of people on a regular basis) can cost an organization a pretty penny.

The answer does not lie in passwords. One solution that Microsoft has been promoting is Windows Hello, which the company describes as “a more personal way to sign in to your Windows 10 devices with just a look or a touch.” With Hello, users can use fingerprint or even face authentication to log onto their systems and AD accounts. 

Yet Hello is far from a replacement for current popular authentication methods such as passwords. Hello is strictly limited to the Microsoft environment, and even among MS customers, it has not been widely adopted.

In addition, Hello authentication is based in part on certificates, which don’t offer full protection against hackers. In essence, Hello replaces one single-factor authentication system with a second one - with vulnerabilities inherent in both.

Even more secure would be a scheme where users could connect to the separate authentication server with classic “what you have” authentication - a hardware token or a device - which is almost impossible for a hacker to breach unless they are present. 

Hardware tokens are a well-known method of authentication (they are often used as a second authentication factor along with passwords). Such tokens are very secure, but not always convenient; you have to remember to take it with you, it's a hassle to schlep around, and if lost, it can be a major project to replace.

Another possibility for “what you have” authentication is a mobile device with push-based authentication. Using an app, a user could connect to the separate authentication server which would approve them, and then log them into their AD account - no password needed. It’s a much more secure system than what is currently used in most organizations that base their IT infrastructure on direct AD password authentication.

Additional benefits include eliminating the need to remember/constantly change/retrieve passwords, resulting in fewer headaches for users/managers/IT personnel. It’s classic “what you have” authentication, almost impossible for a hacker to breach unless they are present.

Beyond security and user experience considerations, for many companies, password management is expensive, especially when good password security policies are put in place.

With an average cost per password reset call ranging from $17 to $25 (according to Forrester Research, Gartner and HDI), and an estimated one in four helpdesk calls being password related, password management spending quickly mounts up, even for small organizations.

It may seem odd to remove password authentication directly from AD and conduct the authentication on a server dedicated to that as after all, one of AD’s functions is to authenticate users. But the stakes for AD-based organizations are far too high today, and the risks of password authentication in an era when it appears very easy to purloin passwords are too great.

With a system like this, authentication becomes more secure, AD becomes more secure as well – and we can confidently face the future with new faith in security.

What’s Hot on Infosecurity Magazine?