This is my first blog post for 2023, and I usually write fairly technical and practical articles, but this time I wanted to stop for a few minutes and give you some insight of what’s going on in my head related to Microsoft cloud security. If you’re not interested, feel free to skip this one 🙂
The ongoing cyber war in Europe is affecting everyone. Here in Sweden, we’ve had multiple cyber attacks on important services that the society relies on. The Swedish government is asking everyone, organisations, companies, individuals, to step up their IT hygiene and cyber security posture. They’ve even included practical steps on how to do so. This fuels my motivation on sharing cyber security knowledge and tools with the community. Together we can become stronger against the threats of both state sponsored attacks, and private cyber threat initiatives!
With that, let us talk a little bit about the the state of Microsoft cloud security.
We All Have Break Glass Accounts Now – But Why Make It So Obvious?
There has been much debate over the best practices for break glass accounts over the years. I stated my opinion back in 2019, and I still think it hold up. I see break glass accounts in every tenant I visit and that is great. Mission accomplished! Break glass accounts gives us some more room for failure when we’re tightening up security. However, I still see some basic mistakes out there. People are still naming their break glass accounts in a way that will attract attackers. If the account is named breakglass, emergency or bg_account, as an attacker, I would target that account and take it into consideration when building my attack path.
In a privilege escalation path finder tool like Bloodhound / AzureHound the attacker would mark the obvious break glass account as a “high-value target” and the tool would take that into consideration when calculating privilege escalation paths. A better solution would be to make the break glass account look as normal as possible. Of course, if the attacker has a list of all global admins, that might not help, but at least it would be harder for the attacker to understand which account is missing MFA and Identity Protection enforcement. Also, keep monitoring your break glass accounts and treat every alert as high severity. Since they should never be used without you knowing, you can alert on every occurrence of the account in your logs.
Are We Still Using Human Accounts to do the Robot Stuff?
With the termination of legacy authentication (at least the majority of it), we can finally start the next improvement phase. Great job Microsoft! Organizations really must inventory service accounts and their privileges. Every week I discover tenants with:
- Highly privileged service accounts, doing basic stuff.
- Non-monitored service accounts.
- Service accounts that can sign in from any location, from any device.
- On-prem service accounts synced to the cloud.
- Service accounts doing stuff that could be replaced by a workload identity instead.
We have to limit and eliminate these scenarios since they only exists because “that’s how we did it on-prem”. In 2023 we don’t need human-accounts to do robot-stuff, there are computer service principals for that purpose, better suited for the task. I hear people complain that “but we really need this global admin service account because our app stops working without it”. Well, developers and software providers also have to step into 2023 and understand that human-accounts are made for humans. Use the API for robot stuff.
The Current State of Conditional Access
With the December 2022 release of Conditional Access features, it struck me that Microsoft is finally done with the base implementation of Conditional Access. It took many years, but now it seams mature and ready. Most (or all) important features are out of preview, and we can finally enforce different levels of strong authentication. The December release proves this since Microsoft is now focusing on more advanced user- and nice-to-have features like JSON import, policy duplication, and template API management.
The cross-tenant access options also adds a new level to access controls which is important for secure collaboration and account provisioning. We will see more good stuff in this area for sure!
I encourage everyone working with Conditional Access to, ones again, read my previous blog post “The Attackers Guide to Azure AD Conditional Access” to fully understand how Conditional Access works, and how to NOT configure it. Also check out my Conditional Access baseline on HOW to configure it.
Remove Those Passwords Already!
My final thoughts goes out to all those poor users, still having to use passwords to get their work done 😦 I really thought that more people would have gotten rid of passwords by now. I see so many organisations using passwords and blame it on legacy apps, but in reality, they’re afraid of it, or the work it might require to get them their. You really don’t wan’t to be the last org with passwords in your AD, so start your journey now. Take the leader role instead! It’s not as hard as it seams, and the users will thank you when it’s done. The user experience is excellent!
It is now possible to roll-out passwordless and enforce it user by user. You can do this in any tempo you like, but please do it soon!
According to the Microsoft Digital Defense Report 2022 we make it too easy for the bad guys to pwn us. Why would they break in when they can just sign in? With that, I’m gonna go back to my workshop and build more useful tools that me and you (if you find them useful) can use to improve your cyber security posture in the cloud. Have a safe 2023!
Please follow me here, on LinkedIn and on Twitter!