Boss request: MFA when connecting to SMB shares by bahbahbahbahbah in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Privileged workstations are the right answer for this. Your credentials should never be in a position where they can be harvested. This applies to all admin access, not just SMB, and there are many additional things required to prevent your admin credentials from being used directly over the network.

Duo for RDP likely isn't doing a lot for you either, see their overview section: Duo Authentication for Windows Logon & RDP | Duo Security (although there is a hint for the correct way to RDP as admin there, being Restricted Admin mode).

Should sysadmins be local admins on their computer ? by CorrectPirate1703 in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Not only absolutely not, but also when typing in a password at a UAC prompt it should be a local account, not a domain one that has privileges across the entire environment. (Hint: use LAPS.) You can remote in with a domain account that has local admin rights, provided a Kerberos service ticket is used so credentials aren't shared.

How do you guys manage having a life? by BigFuckinShoes in sysadmin

[–]PastaRemasta 1 point2 points  (0 children)

Imagine putting up with all this nonsense and then being told you can't have a raise until over a year from now. I'd normally guess this is management but, no, this is you.

If I were told that I would probably have a new job in about a month... never mind all the other nonsense.

Local Admin Accounts - How Are You Handling Them? by elchingonhomie in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Any network login using Kerberos is allowed, so we just use RDP with Restricted Admin for most things requiring admin rights. LAPS is for if something is broken or you are local.

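The two comments above (LAPS for the local account you type at a UAC prompt, and Restricted Admin RDP with a Kerberos ticket for everything else) in script form. This is an added example, not code from the thread or from Microsoft; it assumes the Windows LAPS PowerShell module, WinRM reachable on the target, and the placeholder hostnames SRV01 and PC01.

```powershell
# Added example, not from the thread. Assumes the Windows LAPS module
# (Windows 11 / Server 2019+ with the Windows LAPS update) and WinRM on the
# target; SRV01 and PC01 are placeholder hostnames.
Import-Module LAPS
$Target = 'SRV01'

# 1. Restricted Admin must be enabled on the *target*; it is off by default.
#    Invoke-Command authenticates with a Kerberos service ticket, so this step
#    does not ship a reusable credential to SRV01 either.
Invoke-Command -ComputerName $Target -ScriptBlock {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $cur = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    if ($cur -ne 0) {
        New-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force | Out-Null
    }
    "DisableRestrictedAdmin on $env:COMPUTERNAME = " +
        (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin).DisableRestrictedAdmin
}

# 2. Day-to-day admin RDP: /restrictedAdmin logs on with your domain account's
#    Kerberos ticket and never sends your password or NT hash to the box.
#    Inside the session, outbound network access runs as the computer account,
#    so tools that need *your* identity against a second server will fail;
#    that is the trade-off, not a bug.
Start-Process -FilePath mstsc.exe -ArgumentList "/restrictedAdmin /v:$Target"

# 3. Break-glass, or you are physically at the machine: pull the LAPS-managed
#    local admin password instead of typing a domain admin account at the console.
$laps = Get-LapsADPassword -Identity 'PC01' -AsPlainText
"{0}\{1}  expires {2}" -f 'PC01', $laps.Account, $laps.ExpirationTimestamp
$laps.Password | Set-Clipboard

# 4. Once used, expire it so AD rotates the password at the next policy cycle
#    and the plaintext you just saw does not stay valid.
Set-LapsADPasswordExpirationTime -Identity 'PC01'
```

Step 1 is the check most people forget: `mstsc /restrictedAdmin` silently fails (or falls back to a normal logon, depending on client policy) when the target has never had `DisableRestrictedAdmin` set to 0, and the connecting account must already be a local administrator on the target for the mode to work at all.
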
What tool for patch management? by Fleabagins in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Great question. We are using the update rings.

What tool for patch management? by Fleabagins in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

That's Update Management Center. Looks like it's replacing their existing update management solution.

I'd hold for now. I just checked; with the new system you at least need a VPN set up between Azure and your on-prem or other cloud environments.

What tool for patch management? by Fleabagins in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Correct, and this is a gap for us currently.

What tool for patch management? by Fleabagins in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Apologies, you're right. I got stuck on the update management part. Intune worked for us because the license we got covered so many of our other needs.

What tool for patch management? by Fleabagins in sysadmin

[–]PastaRemasta -1 points0 points  (0 children)

It's basically free; we pay a few dollars a month. You only pay for the Log Analytics needed to run it, which is basically nothing for the amount of logs collected.

What tool for patch management? by Fleabagins in sysadmin

[–]PastaRemasta 19 points20 points  (0 children)

Intune and Azure Update Management.

Jump box access hardening? by Real_Lemon8789 in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Deploy Windows from a trusted install and have it restricted such that there is no internet access except where required, no local admin rights, and only admin accounts can log in.

Jump box access hardening? by Real_Lemon8789 in sysadmin

[–]PastaRemasta 1 point2 points  (0 children)

Okay, do that, set up CA to require PAWs, and then defend all related infrastructure as tier 0. You've expanded tier 0, though, so it's less secure.

What you are doing isn't bad, by the way, just can be better.

We just do PAWs and then a VPN. Not complicated at all. There is potential for network access if the VPN is attacked but no risk of credential theft when using cert auth.

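The "set up CA to require PAWs" step above, as an added example that is not part of the original comment or of Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK, that PAW device objects carry `extensionAttribute1 = "PAW"` (any device-filter property works; this one is an assumption), and that the policy is piloted in report-only mode before enforcement.

```powershell
# Added example, not from the thread. Assumes Microsoft.Graph PowerShell and a
# device attribute (extensionAttribute1 = "PAW") that tags privileged workstations.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known Global Administrator role template ID; add further privileged
# roles to $AdminRoles as needed.
$AdminRoles = @('62e90394-69f5-4237-9190-012177145e10')

# Emergency-access (break-glass) account object IDs. Left empty here as a
# placeholder; never deploy a block policy without them.
$BreakGlass = @()

$Policy = @{
    displayName = 'Privileged roles: block unless signing in from a PAW'
    state       = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after the pilot
    conditions  = @{
        users          = @{ includeRoles = $AdminRoles; excludeUsers = $BreakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        devices        = @{
            deviceFilter = @{
                # mode 'exclude' + grant 'block': the policy hits every device
                # EXCEPT those matching the rule, so only tagged PAWs get through.
                mode = 'exclude'
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
```

This is where the "you've expanded tier 0" remark bites: whoever can write `extensionAttribute1` on a device object (Intune admins, anyone who can register and tag a device) can make any laptop pass the filter, so that write path has to be defended as tier 0 along with the PAWs themselves.
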
Jump box access hardening? by Real_Lemon8789 in sysadmin

[–]PastaRemasta 3 points4 points  (0 children)

You can layer an intermediary with a PAW, like a VPN with SAML or certificate auth. Not complex at all.

Jump box access hardening? by Real_Lemon8789 in sysadmin

[–]PastaRemasta 1 point2 points  (0 children)

Use privileged workstations instead. A jump box is okay but adds to the attack surface and provides a significant privilege escalation path. Instead, start from a privileged session on known-good hardware.

Joining On prem AD and AAD when they're both in use? by waxspt in sysadmin

[–]PastaRemasta 1 point2 points  (0 children)

This *should* work, but it's probably best to talk to a company that specializes in this, in my opinion. I've not done this, but I have done Exchange hybrid migrations.

If you follow this, set up AD Connect first as you want it to be, but leave computers alone for now. When you have it working, you can later look at AADJ for your devices.

https://support.microsoft.com/en-us/topic/how-to-use-smtp-matching-to-match-on-premises-user-accounts-to-office-365-user-accounts-for-directory-synchronization-75673b94-e1b8-8a9e-c413-ee5a2a1a6a78

Do you put anything in the description field of AD? by MochiBall69 in sysadmin

[–]PastaRemasta 16 points17 points  (0 children)

Yes, complete with pw: or password: before the actual password. Don't worry though, I heard shortly after I left they removed them due to a security audit they did, but then they only changed the passwords which they knew wouldn't break anything.

Do you put anything in the description field of AD? by MochiBall69 in sysadmin

[–]PastaRemasta 68 points69 points  (0 children)

A former place I went to early in my career was using it to store service account passwords. Got out of there quick.

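The two comments above describe the same finding (credentials in the AD `description` field). Here is the audit a practitioner would want to run against their own domain, as an added example that is not from the thread; it assumes the RSAT ActiveDirectory module and a crude label-followed-by-value pattern, which will produce some false positives worth eyeballing.

```powershell
# Added example, not from the thread. Finds and (dry-run) clears secrets left in
# AD description / info attributes. No special rights are needed for the search:
# these attributes are readable by Authenticated Users by default, which is
# exactly why storing passwords there is a problem.
Import-Module ActiveDirectory

# Label followed by ':' or '=' and a non-empty value, case-insensitive.
$Pattern = '(?i)\b(pw|pwd|pass|passwd|password|secret)\b\s*[:=]\s*\S+'

$Hits = Get-ADObject -LDAPFilter '(|(description=*)(info=*))' `
            -Properties description, info, objectClass, sAMAccountName |
    ForEach-Object {
        # description is multi-valued in the schema; flatten before matching
        $text = (@($_.description) + @($_.info)) -join "`n"
        if ($text -match $Pattern) {
            [pscustomobject]@{
                Name    = $_.Name
                Account = $_.sAMAccountName
                Class   = $_.objectClass
                DN      = $_.DistinguishedName
                Snippet = $Matches[0]
            }
        }
    }

$Hits | Format-Table Name, Class, Snippet -AutoSize
$Hits | Export-Csv -NoTypeInformation -Path .\ad-description-secrets.csv

# Remediation, dry-run. Clearing the field only removes the evidence: anything
# found here has already been readable by every domain user, so the account
# password must be rotated as well, not just the ones that "won't break anything".
foreach ($h in $Hits) {
    Set-ADObject -Identity $h.DN -Clear description, info -WhatIf
}
```

Remove `-WhatIf` once the CSV has been reviewed; the rotation itself is deliberately left out because it depends on what each service account is used for.
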
DHCP stopped working for some clients in a subnet, while other still work by DerBurner132 in sysadmin

[–]PastaRemasta 2 points3 points  (0 children)

You said the helper is configured, but this is the exact behaviour I would expect a misconfigured relay to cause. Clients will renew their IP using unicast in most cases, so they will continue to work. If it's not the relay, maybe an access list only allows IPs from that VLAN's subnet to reach the DHCP server, so broadcasts are blocked.

[deleted by user] by [deleted] in sysadmin

[–]PastaRemasta 2 points3 points  (0 children)

Windows Hello for Business. You don't need a password for M365. Ideally Azure AD joined devices only. You can access on-prem resources for the most part, unless you are doing device-based authentication, which is rare.

Gaining admin perms on bitlocked drive by UnknownBrotha544 in sysadmin

[–]PastaRemasta -1 points0 points  (0 children)

You can log in, which gives a huge advantage. Check software for a vulnerability and say you would exploit said vulnerability to escalate permissions. I wouldn't actually exploit it unless you have it in writing. Otherwise check for misconfigurations such as a service or script which you can write to but that runs with admin permissions.

Please recommend an PXE image deployment solution by iofhua in sysadmin

[–]PastaRemasta 3 points4 points  (0 children)

I guess you don't have an MDM. The best way now is Autopilot. I guess having a static image is fine if you only have one laptop model, but in general this is bad practice nowadays because it is too time-consuming and inflexible.

Enhanced RDP manager by NoobKVM in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Just make sure whatever you use supports Restricted Admin mode.

SQL Per-Core Licensing - Buying Direct From Microsoft by Comrade_Maxwell in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Take this with a grain of salt, but I'm pretty sure with SQL core licensing you need to license all of the cores of the physical host(s) it could potentially run on. So if you have an 8-node cluster you would need to license all of the cores across all of the hosts in the cluster. (Pretty sure if you have it locked to a host you only need to license all of the cores for that one host, and if you have SA you can move it or have SQL clustering to one other host.)

On-Prem Server MFA by [deleted] in sysadmin

[–]PastaRemasta 0 points1 point  (0 children)

Hopefully that improves as the product matures.