smash and grab protections
Some things that will help stop 'smash and grab' attacks like these from succeeding:
- Password policies
- simple 3-word passphrases (long and memorable beats short and complex)
- 3- or 6-month password rotation policy (ALL USERS!). Caveat: current NIST SP 800-63B guidance no longer recommends forced periodic rotation on its own, so if you keep a rotation policy, pair it with screening against known-breached passwords and a sensible minimum length, otherwise rotation just produces predictable variations of the old password
- User housekeeping
- make sure there are no stale users (enabled accounts that have not logged on in months)
- make sure any user with privilege still needs that privilege (privilege creep)
- also, privilege should ideally be 'Just In Time' and 'Just Enough'
- try not to use default usernames and/or commonly guessed names (like itsupport)
- Role Based Access Control (RBAC) and PIM/PAM are good things to think about doing and enforcing (if not already :-))
- MFA/passwordless (e.g. fingerprint): please make sure every single possible remote user has some kind of multi-factor auth enforced
- no exceptions
- make sure remote users are in their own AD group, and none of them should hold privilege for admin-type tasks please (a VPN account and an admin account should never be the same account)
- Restrict access hours for the remote VPN: 7am - 7pm for instance
- make exceptions (scoped to named accounts, not the whole group) for travellers and the important folks who work too hard
- WatchGuard to Duo/NPS (RADIUS)
- the account the WatchGuard uses to query AD (directly, or via Duo/NPS): make sure this account can ONLY do that, i.e. read the directory to authenticate the remote users and nothing more, so a plain Domain User with no other group memberships. That is the trust relationship in other words.
- i.e. don't put the domain admin account on the WatchGuard for auth purposes: I am SURE you did not do this but always worth checking just in case
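The housekeeping checks above (stale users, privilege creep, remote users holding admin rights, guessable usernames, and the firewall's AD bind account having more than it needs) can all be pulled from AD in a few read-only queries. The script below is an added example, not part of the original notes, and it does not come from WatchGuard or Duo; it uses the RSAT ActiveDirectory module. The group name 'VPN Users', the bind account name 'svc_watchguard', the 90-day "stale" threshold and the list of guessable names are assumptions to be replaced with your own. Nothing in it modifies AD.

```powershell
# Added example (not from the original notes): read-only AD housekeeping checks.
# Requires the RSAT ActiveDirectory module. Names marked "assumption" are placeholders.
Import-Module ActiveDirectory

$StaleDays        = 90                  # assumption: "stale" = no logon in 90 days
$RemoteGroup      = 'VPN Users'         # assumption: the dedicated remote-user group
$FirewallBindUser = 'svc_watchguard'    # assumption: account the Firebox uses to query AD / Duo / NPS
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Server Operators', 'Backup Operators')
$GuessableNames   = @('administrator', 'admin', 'itsupport', 'helpdesk', 'support',
                      'test', 'guest', 'backup', 'scanner')  # assumption: extend as needed

# 0. Domain password policy: length, max age and lockout are the settings the notes talk about.
"== Default domain password policy =="
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, ComplexityEnabled, LockoutThreshold |
    Format-List

# 1. Stale users: still-enabled accounts with no logon in $StaleDays days (or never).
"== Enabled users inactive for $StaleDays+ days =="
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize

# 2. Privilege creep: every user currently in an admin-tier group, nested groups expanded.
$admins = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; User = $_.SamAccountName } }
}
"== Privileged group membership (confirm each one still needs it) =="
$admins | Sort-Object User, Group | Format-Table -AutoSize

# 3. Remote users must not be admins: intersect the VPN group with the privileged set.
$remote  = Get-ADGroupMember -Identity $RemoteGroup -Recursive | Where-Object objectClass -eq 'user'
$overlap = $remote | Where-Object { $_.SamAccountName -in $admins.User }
"== Members of '$RemoteGroup' who ALSO hold admin privilege (should be empty) =="
$overlap | Select-Object SamAccountName | Format-Table -AutoSize

# 4. Default / commonly guessed usernames that are still enabled.
"== Enabled accounts with default or commonly guessed names =="
Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $_.SamAccountName.ToLower() -in $GuessableNames } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize

# 5. The firewall's AD bind account only needs to read the directory to authenticate
#    remote users, so anything beyond Domain Users here is a finding.
"== Group memberships of '$FirewallBindUser' (expect only Domain Users) =="
Get-ADPrincipalGroupMembership -Identity $FirewallBindUser |
    Select-Object Name |
    Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; sections 3 and 5 are the ones to look at first, since a non-empty result there is exactly the "remote user is also an admin" or "domain admin on the firewall" situation the notes warn about.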