Description
- Type: CUSTOMER
- Severity: CRITICAL
- Protection from: HACKING > STOLEN CREDS
This Customer Check looks for administrative accounts without a registered method for MFA.
Why this check?
Accounts with administrative rights have privileged access to the organization's information and systems. The level of access varies per role, but every kind of privileged access is valuable to an attacker, which is why multi-factor authentication matters for these accounts in particular. CHK-1328 - MFA enabled for all admin users checks whether MFA is enforced for admins in general through a policy.
This check instead examines, per admin user, whether at least one MFA method is actually registered. The reason is that Microsoft is in the process of making MFA mandatory for certain administrative functions. The emergency-access (break-glass) account will have to comply with this as well.
CHK-1137 therefore maps out which admin accounts still need to register an MFA method, so that nothing breaks once this becomes mandatory.
What are the possible outcomes of the check?
This check has two possible outcomes. In Attic this is expressed as follows:
- Okay: all admin accounts, minus any explicit exceptions, have at least one MFA method registered.
- Warning: one or more admin accounts have not yet registered an MFA method.
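The per-user verification described above, written out as an added example with the Microsoft Graph PowerShell SDK. This is not Attic's own code; it assumes the Microsoft.Graph module is installed, that the signed-in account can consent to Directory.Read.All and UserAuthenticationMethod.Read.All, that "admin account" means an active member of an activated directory role whose name ends in "Administrator", and the exception list holds a hypothetical UPN. It also assumes that a registered password, e-mail address (SSPR-only in Entra ID) or Temporary Access Pass should not count as an MFA method.

```powershell
# Added example, not Attic's code: list admin accounts without a usable MFA method.
# Assumption: Microsoft.Graph SDK installed; account can consent to these scopes.
Connect-MgGraph -Scopes 'Directory.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Explicit exceptions, as the check allows (hypothetical UPN; adjust to your tenant).
$Exceptions = @('svc-legacy-admin@contoso.example')

# Registered methods that are not MFA: the password itself, e-mail (SSPR only in
# Entra ID) and Temporary Access Pass (a time-limited bootstrap credential).
$NotMfa = @(
  '#microsoft.graph.passwordAuthenticationMethod',
  '#microsoft.graph.emailAuthenticationMethod',
  '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
)
# Methods Entra ID treats as phishing-resistant (passkeys/FIDO2 keys, Windows Hello for Business).
$PhishingResistant = @(
  '#microsoft.graph.fido2AuthenticationMethod',
  '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# 1. Collect every user that is an active member of an activated directory role
#    whose display name ends in "Administrator" (assumption on what "admin" means).
$admins = @{}
foreach ($role in Get-MgDirectoryRole | Where-Object DisplayName -like '*Administrator') {
  foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $admins.ContainsKey($upn)) { $admins[$upn] = @{ Id = $m.Id; Roles = @() } }
    $admins[$upn].Roles += $role.DisplayName
  }
}

# 2. Per admin, fetch the registered authentication methods and keep the MFA-capable ones.
$results = foreach ($upn in ($admins.Keys | Sort-Object)) {
  $methods = Get-MgUserAuthenticationMethod -UserId $admins[$upn].Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
  $mfa = @($methods | Where-Object { $_ -notin $NotMfa })
  [pscustomobject]@{
    User              = $upn
    Roles             = ($admins[$upn].Roles -join ', ')
    MfaMethods        = $mfa.Count
    PhishingResistant = [bool]($mfa | Where-Object { $_ -in $PhishingResistant })
    Exception         = ($upn -in $Exceptions)
  }
}

# 3. Verdict in the check's own terms: Warning if any non-excepted admin has no MFA method.
$missing = @($results | Where-Object { $_.MfaMethods -eq 0 -and -not $_.Exception })
$results | Format-Table -AutoSize
if ($missing.Count -gt 0) {
  $list = $missing.User -join ', '
  Write-Warning "Warning: $($missing.Count) admin account(s) without a registered MFA method: $list"
} else {
  Write-Output 'Okay: all admin accounts (minus explicit exceptions) have at least one MFA method.'
}
```

Two caveats when reading the output. Get-MgDirectoryRole only returns roles that have been activated in the tenant, and PIM-eligible (not currently active) assignments do not appear as role members, so tenants using PIM should also query eligibility schedules. The PhishingResistant column shows which admins already meet the recommendation in the follow-up section; for the break-glass account that column should be True through a FIDO2 key.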
How should this be followed up?
If the outcome is Warning, we advise registering an MFA method for the admin accounts concerned. Preferably this is a phishing-resistant method, such as passkeys or FIDO2 security keys (for example YubiKeys).
For the emergency-access account specifically, a physical security key stored in a safe is recommended, together with the organizational measures needed so that authorized employees can actually use the key in an emergency. In Attic, a manual Fix is offered with the instructions to set up MFA per account.
These instructions come down to signing in with the account in question and registering an MFA method via this page: https://mysignins.microsoft.com/security-info