Hi, folks.
We currently enforce NLA on our domain controllers but it's proving something of a mixed blessing.
Our admins use Tier 0 admin accounts for work on these servers that require it, but for some that isn't very frequent, so from time to time they get locked out when the account password expires, as CredSSP doesn't support password change on login. So far as we're aware, NLA offers two main advantages:
1. decoupling authentication from the RDP service so that where we haven't patched against CVE-2019-0708 we aren't vulnerable to a BlueKeep-style attack
2. not launching a full RDP session until after authentication so unauthenticated RDP sessions can't be used as a medium for DoS attacks through resource exhaustion
Well - we're patched, and as we don't expose RDP we're talking about a bad actor who's already on our network and therefore may well have other fish to fry.
Sadly, we're unlikely to be introducing stronger authentication methods such as biometrics or keys any time in the very near future, so for on-prem access we still rely on the strength of the username/password pair. Unsure of the future of NLA in the modern world, too. Lengthening password lifetimes will just kick the can down the road and make it less likely that the thwarted admin will remember what s/he did last time.
So - we're considering ditching NLA. I'd be interested to learn whether anyone thinks it's a lousy idea (and why).
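An audit script to go with the situation described in this post, added here and not part of the thread or any of the replies: it reports whether NLA is still enforced on each domain controller and which Tier 0 accounts are about to hit the CredSSP expiry lockout, so an admin can change the password from an ordinary interactive logon before it expires. The group name `Tier0-Admins` and the 14-day warning window are assumptions; it needs the RSAT ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# rights to read AD and query the DCs over WinRM. Group name and window are assumptions.
Import-Module ActiveDirectory

$Tier0Group = 'Tier0-Admins'   # assumed name of the Tier 0 admin group
$WarnDays   = 14               # assumed warning window before password expiry

# 1. Is NLA still enforced on each domain controller? (UserAuthenticationRequired = 1)
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $ts = Get-CimInstance -ComputerName $dc -Namespace 'root/cimv2/TerminalServices' `
          -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        DomainController = $dc
        NLAEnforced      = [bool]$ts.UserAuthenticationRequired
        SecurityLayer    = $ts.SecurityLayer   # 2 = TLS, 1 = negotiate, 0 = RDP security
    }
}

# 2. Tier 0 accounts whose password has expired or expires within $WarnDays.
#    These are the logons that NLA/CredSSP will refuse with no chance to change it.
$now = Get-Date
Get-ADGroupMember -Identity $Tier0Group -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordNeverExpires, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'   # FILETIME; MaxValue = never expires
        $expires = if ($_.PasswordNeverExpires -or -not $raw -or $raw -eq [long]::MaxValue) { $null }
                   else { [datetime]::FromFileTime($raw) }
        [pscustomobject]@{
            Account         = $_.SamAccountName
            PasswordExpired = $_.PasswordExpired
            ExpiresOn       = $expires
            DaysLeft        = if ($expires) { [int]($expires - $now).TotalDays } else { $null }
        }
    } |
    Where-Object { $_.PasswordExpired -or ($null -ne $_.DaysLeft -and $_.DaysLeft -le $WarnDays) } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Run it on a schedule and mail the second table to the account owners; anyone listed still has an interactive path (a workstation logon) to change the password before NLA starts rejecting it.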
@TimG wrote:...
Sadly, we're unlikely to be introducing stronger authentication methods such as biometrics or keys any time in the very near future, so for on-prem access we still rely on the strength of the username/password pair. Unsure of the future of NLA in the modern world, too. Lengthening password lifetimes will just kick the can down the road and make it less likely that the thwarted admin will remember what s/he did last time.
So - we're considering ditching NLA. I'd be interested to learn whether anyone thinks it's a lousy idea (and why).
Tim,
First, thank you for an extremely well formed and described question. Your description of the overall situation really helps focus on the core issue.
Next, I cannot address the question of whether to abandon NLA, but I do have two suggestions on handling your password management.
Good luck!
Craig
Thanks, Craig.
The debate goes on here about password construction, and I for one am strongly in favour of a decently long phrase in preference to a shorter string of unmemorable gobbledegook (nice side-benefit is it'll never get stored as a LM hash, either). Likewise no time-expiry, though there are extra controls I'd want in its place. The hard bit is convincing the others who we need on board. In the UK, the NCSC has long been an advocate of password adequacy and of reminding us that time-expiry likely introduces more risks than it mitigates.
We do run a centrally-managed (and partitioned!) password management service but there are some things that aren't kept in there as users' access is defined by their AD accounts. There's little sense in having a separate password for an admin's Tier 0 account if knowing the password for the day-to-day account is enough to find it out.
Meanwhile, we don't have "pure" T0 workstations, so there's nowhere for the owner of an expired password to log in and reset it as part of the login process before attempting to RDP to the domain controller. Ho hum.
Best
Tim