MFA is not enough in Windows: discover the authentication paths that still let attackers move through the network


Many organizations have welcomed the arrival of multi-factor authentication (MFA) as the panacea that would finally put an end to the problem of stolen credentials. In Windows environments, however, that confidence is sometimes premature: attackers continue to access networks with valid accounts because much of the authentication in Windows never passes through the cloud identity provider and therefore never triggers a second factor.

It's not that MFA fails; the problem is that it doesn't cover all the ways Windows validates identities. When logons are validated against on-premises domain controllers using Kerberos or NTLM, the policies applied in Azure AD, Okta or another IdP are never evaluated. Microsoft describes these protocols and their implications in its documentation on Kerberos and NTLM, which serves as a reference for understanding why certain logons are out of reach of cloud solutions: Kerberos and NTLM.

Signing in directly to a domain-joined Windows computer - whether a user laptop or a server - is usually a process handled by Active Directory. If the organization has not integrated a second factor into local logon (e.g. Windows Hello for Business or smart cards), that access is validated with the password or with its hash held in memory. As a result, an attacker who obtains that password or its cryptographic representation can move across the network without triggering the conditional access policies enforced by the IdP. Microsoft explains the options for modernizing logon and reducing this risk in the Windows Hello for Business documentation and in credential-protection guides such as those for Credential Guard.

Another common vector is Remote Desktop (RDP) sessions. Even when RDP is not exposed to the Internet, attackers often use it to move laterally after initial access. An RDP connection to a server does not guarantee that the IdP's access control layer is traversed; often the authentication is resolved locally against AD, leaving that access exposed to stolen credentials. This is why it is key to apply access controls at the perimeter and on remote administration paths, as well as solutions that integrate MFA into these flows.

NTLM, a legacy protocol still present for compatibility reasons, remains an attractive target. Techniques such as "pass-the-hash" take advantage of the fact that NTLM allows authentication with the hash instead of the clear-text password, so an attacker does not need to know the password to be validated. MITRE documents these techniques and their variants, which helps in understanding the abuse mechanics in Windows environments: Pass-the-Hash and Pass-the-Ticket.

Kerberos is not immune either. Instead of stealing passwords, intruders can extract authentication tickets from memory or forge tickets from privileged credentials, creating the scenarios known as Golden Ticket and Silver Ticket. These attacks allow persistent access and lateral movement with fewer visible authentication events, and they can survive password changes if the root cause is not addressed. The operational and detection implications are well documented by MITRE and in the specialized literature on Kerberos abuse.

A recurring factor in intrusions is local accounts with administrative privileges and the reuse of passwords. Many organizations keep local accounts for support or recovery, and when those credentials are reused across several machines, a single leak can open many doors. Microsoft offers tools to mitigate this problem, including Local Administrator Password Solution (LAPS), which automates the rotation of local passwords and reduces the risk arising from static passwords: LAPS.

The SMB protocol, used to share files and manage remote resources, is another widely used lateral movement vector. With valid credentials, an attacker can reach administrative shares and move through the network quickly. This is why authentication controls on services such as SMB and auditing of internal traffic are essential; the MITRE technique catalogue covers remote service paths and how they are used for lateral movement: SMB / Windows Admin Shares.

Service accounts are a quiet but serious risk. They are designed to automate tasks, integrations and services, so they usually have long-lived passwords, unchanged for years, and extensive permissions. Because MFA cannot easily be incorporated into automated processes, these accounts become privileged targets for attackers. Auditing, rotating and minimizing the privileges of service accounts are indispensable measures that many organizations postpone, and which unfortunately facilitate the escalation and persistence of threats.

What can security teams do to close these holes? The answer lies in treating Windows authentication as a risk surface with its own rules and controls. Tightening password policies in Active Directory, promoting longer passphrases and preventing reuse, already reduces the likelihood of brute force or credential reuse. NIST recommends modern approaches to password management and screening for compromised credentials, and its guidance clarifies why long passwords and breach checking are best practices: NIST SP 800-63B.

In addition, implementing controls that detect and block passwords known to have been exposed in breaches further shrinks the window of vulnerability. Services like Have I Been Pwned have popularized password verification against large breached-credential repositories, and many commercial solutions incorporate that function to prevent users from choosing already-leaked passwords: Have I Been Pwned - Passwords.
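As an added example (not code from the original article or from any of the services it names), the following Python implements the kind of screening the paragraph describes: a length policy plus a lookup against a breached-password corpus using the SHA-1 prefix split that the Have I Been Pwned Pwned Passwords range API uses, where the first 5 hex characters of the hash select a "range" and only suffixes within that range are compared. The breached corpus, the minimum length and the username rule are constructed assumptions, and the range index is built locally so the example runs offline.

```python
"""Added example, not from the original article: password screening that
combines a length policy with a breached-corpus lookup using the SHA-1
prefix/suffix split of the Have I Been Pwned range API. The corpus and the
policy values are constructed assumptions; the index is built locally."""
import hashlib
from collections import defaultdict

# Constructed breached-password corpus standing in for a real leak feed
# (password -> number of times it was seen in breaches).
BREACHED_PASSWORDS = {"password": 9_000_000, "Password123": 120_000, "Summer2024!": 350}

# Assumed local policy: a minimum length that steers users toward passphrases.
MIN_LENGTH = 14


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char range prefix and 35-char suffix."""
    return digest[:5], digest[5:]


def build_range_index(corpus: dict[str, int]) -> dict[str, dict[str, int]]:
    """Index the corpus as prefix -> {suffix: seen_count}, mirroring the
    per-range response a k-anonymity lookup returns for one prefix."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_upper(pw))
        index[prefix][suffix] = count
    return dict(index)


def breach_count(password: str, index: dict[str, dict[str, int]]) -> int:
    """How often the password appears in the corpus (0 if never). Only the
    5-char prefix selects the range; in the real protocol the full hash never
    leaves the caller, which is what keeps the query anonymous."""
    prefix, suffix = split_hash(sha1_upper(password))
    return index.get(prefix, {}).get(suffix, 0)


def check_password(password: str, username: str, index) -> list[str]:
    """Evaluate a candidate against the policy; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    seen = breach_count(password, index)
    if seen:
        problems.append(f"found in breach corpus ({seen} times)")
    return problems


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ("Password123", "correct horse battery staple", "jdoe-wins-every-time"):
        verdict = check_password(candidate, "jdoe", idx)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

The design point worth noticing is that a breached-password check costs nothing at logon time if the index is keyed by prefix: the client only needs to transmit five hex characters, and the comparison against the returned suffixes happens locally.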

Moving towards the elimination or restriction of old protocols - especially NTLM - and enabling measures that integrate MFA into local flows (e.g. Windows Hello for Business, or third-party solutions that add MFA to RDP and to local logon) is another key piece. Microsoft and other vendors explain how to combine hybrid identity and perimeter controls so that remote and administrative access also requires additional verification: Conditional access in Azure AD.

In addition, identity hygiene remains essential: inventorying and auditing service accounts, segregating accounts with minimum privileges, rotating credentials regularly and removing unnecessary access are practices that limit the attack surface. Password management and privileged access management tools help automate many of these tasks and reduce the likelihood that a single account will compromise the entire environment.

Finally, detection and rapid response are non-negotiable. Telemetry controls that alert on lateral movement, atypical use of Kerberos tickets, extraction of hashes from memory or access to shared resources from unusual hosts increase the likelihood of interrupting an intrusion before it exploits accounts across multiple systems. Complementing preventive policies with endpoint protection and behavior monitoring technologies can make the difference between an isolated incident and a widespread breach.
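The detections this paragraph calls for can be illustrated on the Windows Security log. The following Python is an added example (not code from the original article or from any vendor it mentions): it runs over successful-logon records (event ID 4624) and surfaces the authentication paths the article describes as sitting outside cloud MFA, namely NTLM authentication (the pass-the-hash surface), RDP logons that do not originate from an approved jump host, and one account fanning out across many hosts in a short window. Field names follow the 4624 event schema (LogonType, AuthenticationPackageName, TargetUserName, IpAddress, Computer); the records themselves, the jump-host list and the thresholds are constructed assumptions.

```python
"""Added example, not from the original article: detection logic over
Windows Security 4624 (successful logon) records. Flags NTLM logons,
RDP (LogonType 10) logons from non-approved sources, and accounts that
reach many hosts in a short window. Sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# LogonType values from the 4624 event schema.
LOGON_NETWORK = 3               # SMB, admin shares, WinRM
LOGON_REMOTE_INTERACTIVE = 10   # RDP

# Assumption: administrative RDP should only originate from these hosts.
APPROVED_JUMP_HOSTS = {"10.0.9.10"}

# Constructed sample of 4624 records (not real log data).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T09:00:00", "Computer": "FS01", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-05-01T09:01:00", "Computer": "FS01", "TargetUserName": "svc_backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.2.5"},
    {"TimeCreated": "2024-05-01T09:02:00", "Computer": "SRV-APP1", "TargetUserName": "jdoe",
     "LogonType": 10, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-05-01T09:03:00", "Computer": "SRV-APP2", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-05-01T09:04:00", "Computer": "SRV-DB1", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-05-01T09:05:00", "Computer": "SRV-DB2", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.1.20"},
    {"TimeCreated": "2024-05-01T09:30:00", "Computer": "SRV-APP1", "TargetUserName": "admin.ops",
     "LogonType": 10, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.9.10"},
]


def ntlm_logons(events):
    """Every logon validated with NTLM rather than Kerberos: these are the
    candidates for pass-the-hash and the inventory for retiring the protocol."""
    return [e for e in events if e["AuthenticationPackageName"].upper() == "NTLM"]


def rdp_from_unapproved_hosts(events, jump_hosts=APPROVED_JUMP_HOSTS):
    """RDP (RemoteInteractive) logons whose source is not an approved jump host."""
    return [e for e in events
            if e["LogonType"] == LOGON_REMOTE_INTERACTIVE and e["IpAddress"] not in jump_hosts]


def fan_out_accounts(events, window=timedelta(minutes=10), threshold=4):
    """Accounts that reach `threshold` or more distinct hosts within `window`:
    a lateral-movement pattern that an IdP policy never gets to see."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    flagged = {}
    for account, visits in by_account.items():
        visits.sort()
        for i, (start, _) in enumerate(visits):
            hosts = {host for ts, host in visits[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged


def analyze(events):
    """Run all three detections and return a summary keyed by finding."""
    return {
        "ntlm": sorted({(e["TargetUserName"], e["Computer"]) for e in ntlm_logons(events)}),
        "rdp_unapproved": sorted({(e["TargetUserName"], e["IpAddress"])
                                  for e in rdp_from_unapproved_hosts(events)}),
        "fan_out": fan_out_accounts(events),
    }


if __name__ == "__main__":
    for finding, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{finding}: {hits}")
```

In the constructed sample, the NTLM finding surfaces both a service account and a user account, the RDP finding isolates the one session that bypassed the jump host, and the fan-out rule catches `jdoe` touching five hosts in five minutes. The same three queries map naturally onto a SIEM, where 4624 is already collected; the point is that none of these events would ever appear in the cloud IdP's sign-in log.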

There are commercial solutions that focus precisely on extending MFA and password controls to the traditional Windows world, as well as on blocking leaked passwords and strengthening password policies in Active Directory. When evaluating products, they should be compared against the technical documentation and good-practice guides mentioned here to understand how they fit into the overall identity and access strategy. Recommended approaches include integrating MFA into local logon, eliminating NTLM where possible, automatic rotation of local passwords and continuous monitoring for anomalies in authentication flows.

In short, adopting MFA is an essential step forward, but it is not enough on its own. It is necessary to identify and protect the authentication paths that lie outside the scope of the IdP, modernize protocols, rigorously manage privileged accounts and equip the security team with effective detection and remediation. This is the only way to reduce the risk of compromised credentials in Windows environments in a sustained way.

Recommended sources and further reading: Microsoft documentation on Kerberos and NTLM (Kerberos, NTLM), conditional access guides for Azure AD (Conditional Access), NIST SP 800-63B on authentication (NIST SP 800-63B), leaked-password repositories such as Have I Been Pwned, and the MITRE ATT&CK catalogue for credential abuse and lateral movement techniques (MITRE ATT&CK).
