Posted by:
root
3 years, 6 months ago
We've recently had more questions about deploying WiKID for two-factor authentication for AD admins to thwart potential privilege escalation in ransomware attacks. We've done a proof-of-concept showing that WiKID can make privilege escalation quite difficult. We realized that we missed a key question about deploying two-factor authentication for admins: how do I know I won't lock out all my admins? That's a damn good question. And here's the answer:
When an admin requests a one-time password from WiKID, the WiKID server overwrites the admin's current AD password with the OTP. The admin logs in, and once the OTP expires the server overwrites the AD password with a long random string. No one knows the value of this string and it is never used on the network. If Mimikatz or any other pass-the-hash malware attempts to log in with the OTP, it will fail. It should also trigger an alarm that there's something nasty in your network.
The WiKID server is really just acting like a password reset service (and yes, we have that functionality too). In order to 'turn off' two-factor for any account, just manually replace the random string with a password for that user. Obviously, you want these account credentials secured and not used remotely.
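The lifecycle above, as an added simulation that is not the WiKID server's code: the OTP becomes the AD password, expiry rotates it to an unknown random string, a replayed expired OTP raises the alarm, and manually setting a password is the "turn off" path. The directory is a plain dict standing in for the AD password attribute, and the clock is injectable so expiry can be exercised.

```python
import hmac
import secrets
import time


class OtpPasswordBroker:
    """Model of the lifecycle described in the post: a requested OTP is written
    into the admin's AD password; when the OTP expires, the password is replaced
    by a random long string that nobody knows. Hypothetical simulation, not the
    WiKID server's code; `now` is injectable so expiry can be tested."""

    def __init__(self, ttl_seconds=60, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self.passwords = {}   # constructed stand-in for the AD password attribute
        self.active = {}      # username -> (otp, expiry time)
        self.expired = {}     # username -> set of expired OTPs, kept for detection
        self.alerts = []

    def enroll(self, username):
        self.passwords[username] = secrets.token_urlsafe(48)

    def request_otp(self, username):
        otp = str(secrets.randbelow(10**8)).zfill(8)
        self.passwords[username] = otp
        self.active[username] = (otp, self.now() + self.ttl)
        return otp

    def _expire_if_due(self, username):
        entry = self.active.get(username)
        if entry and self.now() >= entry[1]:
            otp, _ = self.active.pop(username)
            self.expired.setdefault(username, set()).add(otp)
            # Overwrite with a value no one knows and that is never used on the network.
            self.passwords[username] = secrets.token_urlsafe(48)

    def authenticate(self, username, supplied):
        self._expire_if_due(username)
        if hmac.compare_digest(self.passwords[username], supplied):
            return True
        if supplied in self.expired.get(username, ()):
            # Replay of an expired OTP: the alarm the post says this should raise.
            self.alerts.append(f"expired OTP replayed for {username}")
        return False

    def disable_two_factor(self, username, new_password):
        # 'Turn off' 2FA by manually setting a known password, as the post describes.
        self.active.pop(username, None)
        self.passwords[username] = new_password
```

The alert list is where a real deployment would hand off to the SIEM; the rest of the state is in-memory only.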