
Organizations typically deploy multi-factor authentication (MFA) and assume that a stolen password is not sufficient to gain access to a system. In Windows environments, that assumption is often incorrect. Attackers still use valid credentials to breach networks every day. The problem isn't MFA itself; it's coverage.
MFA enforced through an identity provider (IdP) such as Microsoft Entra ID, Okta, or Google Workspace works well with cloud apps and federated sign-ins. However, many Windows logons rely solely on Active Directory (AD) authentication paths that do not trigger MFA prompts. To reduce credential-based compromises, security teams need to understand where Windows authentication occurs outside of the identity stack.
7 Windows Authentication Paths Attackers Rely On
1. Interactive Windows logon (local or domain joined)
When users sign in directly to a Windows workstation or server, authentication is typically handled by AD (via Kerberos or NTLM) rather than by a cloud IdP.
In a hybrid environment, even though Entra ID enforces MFA for cloud apps, traditional Windows logons to domain-joined systems are validated by on-premises domain controllers. There are no additional elements to that flow unless Windows Hello for Business, smart cards, or another integrated MFA mechanism is implemented.
Once an attacker has a user’s password (or NTLM hash), they can authenticate to a domain-joined computer without triggering the MFA policies that protect Software-as-a-Service apps or federated single sign-on. From the domain controller’s perspective, this is a standard authentication request.
Tools like Specops Secure Access are key to limiting the risk of credential misuse in such scenarios. This tool makes it harder for attackers to gain unauthorized access to your network by enforcing MFA on Windows logons as well as VPN and Remote Desktop Protocol (RDP) connections. This also applies to offline logins, which are protected by one-time passcode authentication.
2. Direct RDP access bypassing conditional access
RDP is one of the most targeted access methods in Windows environments. Even if RDP is not exposed to the Internet, attackers often reach it through lateral movement after an initial compromise. Direct RDP sessions to a server do not automatically pass through cloud-based MFA controls, so the logon may depend solely on the underlying AD credentials.
3. NTLM authentication
NTLM is a legacy authentication protocol that still exists for compatibility reasons, even though it has been deprecated in favor of the more secure Kerberos protocol. This is also a common attack vector as it supports techniques such as pass-the-hash.
In a pass-the-hash attack, the attacker does not need the plaintext password. Instead, they use the NTLM hash itself to authenticate. MFA offers no protection if the system accepts a hash as proof of identity.
NTLM can also appear in internal authentication flows that an organization does not actively monitor. Security teams often only discover these flows during an incident or an audit.
4. Abuse of Kerberos tickets
Kerberos is AD’s primary authentication protocol. Rather than stealing passwords directly, attackers steal Kerberos tickets from memory or generate forged tickets after compromising a privileged account. This allows techniques such as:
Pass-the-Ticket
Golden Ticket
Silver Ticket
These attacks allow long-term access and lateral movement, reducing the need for repeated logons and reducing the likelihood of detection. These attacks can continue even after a password reset if the underlying compromise is not fully resolved.
5. Reusing local administrator accounts and credentials
Organizations still rely on local administrator accounts for support tasks and system recovery. If local administrator passwords are reused across endpoints, an attacker can potentially amplify a single breach with widespread access.
Local administrator accounts typically authenticate directly to the endpoint, bypassing MFA controls entirely. Entra ID conditional access policies do not apply. This is one reason why credential dumps are so effective in Windows environments.
6. Server Message Block (SMB) Authentication and Lateral Movement
SMB is used for file sharing and remote access to Windows resources. It is also one of the most reliable lateral movement paths if an attacker obtains valid credentials. Attackers typically use SMB to access administrative shares such as C$ or to interact with the system remotely using valid credentials.
If SMB authentication is treated as internal traffic, MFA is rarely enforced at this layer. If an attacker has valid credentials, SMB can be used to quickly move between systems.
7. Service accounts that don’t trigger MFA
Service accounts exist to run scheduled tasks, applications, integrations, and system services. They often have stable credentials, broad privileges, and long lifetimes.
In many organizations, service account passwords never expire and are rarely monitored. These accounts are also difficult to protect with MFA because their authentication is automated, and they are often used by legacy applications that cannot support modern authentication controls.
This is one reason why attackers target help desk credentials and endpoint administrator access during the early stages of a compromise.
How to close the Windows authentication gap
Security teams must treat Windows authentication as a security domain in its own right. There are several practical steps they can take to reduce risk.
1. Enforce stronger password policies in AD
A strong password policy should enforce long passphrases of at least 15 characters. Passphrases are easy for users to remember and difficult for attackers to crack. A strong policy should also prevent password reuse and block weak patterns that an attacker can guess.
2. Continuously block leaked passwords
Credential theft is not necessarily the result of a brute force attack. Billions of passwords already exist in compromised datasets for attackers to reuse in credential attacks. Blocking compromised passwords at creation reduces the likelihood that users will set credentials that an attacker already has.
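The two controls above (a 15-character passphrase minimum with weak-pattern blocking, and rejecting passwords found in breach data) can be expressed as a single policy check. The following is an added example, not Specops code; the leaked-password set and weak-pattern list are constructed for illustration, and the breach list is held as SHA-1 digests so the checker never handles the plaintext corpus.

```python
import hashlib
import re

MIN_LENGTH = 15  # passphrase minimum recommended in the text


def sha1_hex(text):
    """Hex SHA-1 of a password, the form in which breach corpora are usually compared."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a compromised-password dataset; not real breach data.
LEAKED_SHA1 = {sha1_hex(p) for p in [
    "Summer2024!", "Welcome1", "correct horse battery staple",
]}

# Patterns users commonly reach for and attackers guess first (constructed list).
WEAK_PATTERNS = [
    re.compile(r"(.)\1{2,}"),                                        # aaa, 111
    re.compile(r"(?i)(password|welcome|qwerty|letmein)"),
    re.compile(r"(?i)(spring|summer|autumn|fall|winter)\d{2,4}"),    # Season+year
    re.compile(r"(012|123|234|345|456|567|678|789)"),                # digit runs
]


def evaluate_password(candidate, previous_sha1=()):
    """Return the list of policy violations for a proposed password.

    An empty list means the password is acceptable under this policy.
    previous_sha1 holds digests of the user's earlier passwords (reuse check).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pat in WEAK_PATTERNS:
        if pat.search(candidate):
            problems.append(f"matches weak pattern {pat.pattern!r}")
    digest = sha1_hex(candidate)
    if digest in LEAKED_SHA1:
        problems.append("appears in a known breach dataset")
    if digest in set(previous_sha1):
        problems.append("reuses a previous password")
    return problems
```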
3. Reduce exposure to traditional authentication protocols
If possible, organizations should limit or remove NTLM authentication. Security teams should understand where NTLM exists and set the goal of reducing it where possible and tightening controls where it cannot be removed.
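Finding where NTLM still exists, as called for here and in the NTLM section above, starts with the domain's Security event log: successful logons (event 4624) record the authentication package and, for NTLM, the NTLM version in LmPackageName. The following is an added example, not from the original article; it runs an inventory over a constructed sample of 4624 records (real data would come from an event-log export) and flags NTLMv1 use and interactive or RDP logons that relied on NTLM.

```python
from collections import Counter

# Constructed sample of Windows Security event 4624 (successful logon) records,
# trimmed to the fields an NTLM inventory needs; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "WorkstationName": "WS01", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "FS01", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 10,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "WorkstationName": "JUMP01", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "FS01", "IpAddress": "10.0.0.51"},
    {"EventID": 4625, "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "-",
     "WorkstationName": "FS01", "IpAddress": "10.0.0.51"},
]

# Logon types with a person or an RDP session behind them (2 interactive,
# 10 remote interactive, 11 cached interactive).
INTERACTIVE_TYPES = {2, 10, 11}


def ntlm_inventory(events):
    """Summarise successful NTLM logons by account and host, and list the
    cases to retire first: NTLMv1, and interactive/RDP logons over NTLM."""
    by_account, by_host, findings = Counter(), Counter(), []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # failed logons (4625) do not show a working dependency
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        user, host = ev["TargetUserName"], ev["WorkstationName"]
        by_account[user] += 1
        by_host[host] += 1
        if ev.get("LmPackageName") == "NTLM V1":
            findings.append(("ntlmv1", user, host))
        if ev.get("LogonType") in INTERACTIVE_TYPES:
            findings.append(("interactive_ntlm", user, host))
    return {"by_account": dict(by_account), "by_host": dict(by_host),
            "findings": findings}
```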
4. Audit service accounts and reduce privilege creep
Treat service accounts as high-risk identities. Organizations should inventory accounts, reduce unnecessary privileges, rotate credentials, and delete accounts that are no longer needed. If a service account has domain-level permissions, organizations should assume that it will be targeted.
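The inventory step above can be scripted against an export of AD user attributes. The following is an added example, not Specops code: it audits a constructed snapshot of service accounts for the conditions the text names (password never expires, credentials never rotated, accounts no longer used, domain-level privilege), using the standard userAccountControl bit for "password never expires"; the thresholds and the fixed audit date are assumptions.

```python
from datetime import date

# userAccountControl bit DONT_EXPIRE_PASSWD ("password never expires").
DONT_EXPIRE_PASSWD = 0x10000
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE_DAYS = 365   # assumed rotation threshold
STALE_AFTER_DAYS = 90         # assumed "no longer needed" threshold
AUDIT_DATE = date(2025, 1, 15)  # fixed so the example is reproducible

# Constructed snapshot of AD attributes for a few service accounts, in the
# shape an export script would produce; not real directory data.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x10200,
     "pwdLastSet": date(2021, 3, 1), "lastLogon": date(2025, 1, 10),
     "memberOf": ["Domain Admins", "Backup Operators"]},
    {"sAMAccountName": "svc-report", "userAccountControl": 0x200,
     "pwdLastSet": date(2024, 11, 2), "lastLogon": date(2024, 9, 1),
     "memberOf": []},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x200,
     "pwdLastSet": date(2024, 12, 1), "lastLogon": date(2025, 1, 14),
     "memberOf": []},
]


def audit_service_accounts(accounts, today=AUDIT_DATE):
    """Return {sAMAccountName: [findings]} for accounts needing attention;
    accounts with no findings are omitted."""
    report = {}
    for acct in accounts:
        findings = []
        if acct["userAccountControl"] & DONT_EXPIRE_PASSWD:
            findings.append("password never expires")
        if (today - acct["pwdLastSet"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("credential not rotated in over a year")
        if (today - acct["lastLogon"]).days > STALE_AFTER_DAYS:
            findings.append("no logon in 90 days: candidate for removal")
        privileged = PRIVILEGED_GROUPS.intersection(acct["memberOf"])
        if privileged:
            findings.append("domain-level privilege via "
                            + ", ".join(sorted(privileged)))
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report
```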
How Specops can help
Strong password policies and proactive checks for known compromised credentials are two of the most effective ways to reduce the risk of credential-based attacks. Specops Password Policy helps by applying flexible password controls beyond those natively available from Microsoft.
Compromised Password Protection continuously checks Active Directory passwords against a database of over 5.4 billion exposed credentials and immediately alerts you if a user password is found to have been compromised. If you’re interested in how Specops can help your organization, talk to an expert or schedule a demo to see the solution in action.
