Most of Us Are Vulnerable


  • My company has MFA set up on our VPN connection and any time we RDC into a server. The default is Microsoft Authenticator. Most of the time it works fine and I have a prompt on my phone before I can even pick it up. But lately, MA has had some "really bad" days. Bad enough I've had to text my boss to say, I'm trying to log in but MA is not responding. The connection times out before I get a response on my phone. When it can take more than 10-15 minutes to get into a server, that can get really frustrating. Should we stop using MFA? Of course not, but the MFA providers need to be absolutely rock solid about their service.

    I'm curious about the experience others are having with Microsoft Authenticator and other MFA options.

  • I haven't experienced major delays with Microsoft Authenticator so far.

  • The most significant threat to any organization is the DBA who downloads from GitHub an executable containing a remote desktop trojan. The trojan is running on a PC behind the firewall (no network hacking required), and it runs with privileged access (no password required). There is even a link to SQL Server Management Studio conveniently sitting there on the user's desktop. In most cases, the MFA is just a popup dialog that requires clicking a button to proceed using saved credentials.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • All PCs connected to our network must have a client tool installed called 'Admin By Request' by FastTrack Software. It intercepts any attempt by an executable to run as local admin or with elevated privileges and pops up a dialog requiring manual authentication to proceed. It also asks the user to enter details about why they are requesting admin access, and each request is reported to IT support. Also, some of the SQL Server instances containing more sensitive data cannot be authenticated using our personal domain account directly, but require use of a secondary domain account with auto-rotating password as well. Just a few precautionary measures that aren't a burden to implement by network administrators and don't block users from getting our usual work done.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
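    The control described in the post above (sensitive instances only accept a dedicated secondary admin account, never a personal domain account) can be verified on the instance itself. The following T-SQL audit is an added example, not code from any poster in this thread; it assumes a naming convention of `DOMAIN\adm-<user>` for the secondary accounts, which you would adjust to your own.

    ```sql
    -- Added example (not from the thread). Two checks against one SQL Server instance:
    --  1. Which sysadmin members are Windows logins/groups that do NOT follow the
    --     secondary-admin naming convention (assumed here: DOMAIN\adm-<user>).
    --  2. Which live SSMS sessions right now belong to such personal accounts.
    -- Both use documented catalog views / DMVs; only the LIKE pattern is an assumption.

    -- Check 1: standing sysadmin membership held by personal accounts.
    SELECT  m.name        AS member_name,
            m.type_desc   AS principal_type,
            m.create_date AS granted_since
    FROM    sys.server_role_members AS rm
    JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
    JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
    WHERE   r.name = N'sysadmin'
    AND     m.type IN ('U', 'G')          -- WINDOWS_LOGIN, WINDOWS_GROUP
    AND     m.name NOT LIKE N'%\adm-%'    -- assumed convention for secondary accounts
    ORDER BY m.name;

    -- Check 2: interactive SSMS sessions currently open under a personal account
    -- that holds sysadmin. On a "sensitive" instance this list should be empty.
    SELECT  s.session_id,
            s.login_name,
            s.host_name,          -- the workstation the session came from
            s.program_name,
            s.login_time,
            CASE WHEN s.login_name LIKE N'%\adm-%'
                 THEN 'secondary admin account'
                 ELSE 'PERSONAL ACCOUNT - review' END AS account_kind
    FROM    sys.dm_exec_sessions AS s
    WHERE   s.is_user_process = 1
    AND     s.program_name LIKE N'Microsoft SQL Server Management Studio%'
    AND     IS_SRVROLEMEMBER(N'sysadmin', s.login_name) = 1
    AND     s.login_name NOT LIKE N'%\adm-%'
    ORDER BY s.login_time DESC;
    ```

    Any row from check 1 is a standing violation of the stated policy; rows from check 2 are the scenario the earlier post warned about (SSMS reachable from a compromised workstation with saved privileged credentials) and are worth correlating with the elevation requests reported by the endpoint tool.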
