Break things, write reports

Jumpboxes are not a mitigation for credential theft

Advice no one reads from Microsoft, but probably should have. Jumpservers are Fake News(TM)

Tags: windows, active-directory | Categories: windows
Posted at — Aug 5, 2019

tl;dr

Microsoft said it themselves, Jumpservers aren’t a mitigation for credential theft

What

From Microsoft, Windows 10 Credential Theft Mitigation Guide: https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx

> Assume breach: two words that should change the way defenders think about compromise in their organization. Microsoft investigations of attacks on customers all too often reveal success in compromising user and administrator account credentials, including domain and enterprise administrator credentials. Technical features and capabilities alone are not enough: the most effective solution requires a planned approach as part of a comprehensive security architecture that includes proper system administration and operation.

This was initially published in 2016, and appears to include more recent advice.

The parts people didn’t read

Jump Servers

From the section "Use jump servers to administer isolated network segments":

> Although jump servers can provide utility in security architectures, they don’t directly mitigate credential theft and reuse attacks. You cannot maintain security integrity if a user connects to an administrative jump server from a lower-trust workstation.
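One way to check for exactly the failure the guide describes, as an added PowerShell example that is not code from the original post or from Microsoft's guide: it flags interactive and RDP logons to a jump server whose source host is not an approved privileged-access workstation (PAW). It assumes it runs on the jump server with rights to read the Security log, and the hostnames in $ApprovedPaws are placeholders to replace with your own PAW list.

```powershell
# Added example, not code from the original post or from Microsoft's guide.
# Flags interactive (2) and RDP (10) logons to a jump server whose source host is
# not an approved PAW: the admin credential was typed on a lower-trust machine.
# Assumes rights to read the local Security log; $ApprovedPaws holds placeholders.

$ApprovedPaws = @('PAW-ADMIN01', 'PAW-ADMIN02')   # placeholder PAW hostnames

function Test-JumpServerLogon {
    param(
        [Parameter(Mandatory)] [string]$User,
        [Parameter(Mandatory)] [int]$LogonType,
        [Parameter(Mandatory)] [string]$SourceHost,
        [string[]]$Approved = $ApprovedPaws
    )
    if ($LogonType -notin 2, 10) { return $null }          # network/service logons are out of scope
    if ($Approved -contains $SourceHost.ToUpper()) { return $null }
    [pscustomobject]@{
        User = $User; LogonType = $LogonType; SourceHost = $SourceHost
        Finding = 'Admin logon to jump server from a non-PAW host'
    }
}

function Get-JumpServerLogon {
    # Reads 4624 (successful logon) events from the local Security log and
    # turns the XML EventData fields into simple objects.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                User       = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType  = [int]$d.LogonType
                # 4624 carries the source hostname; fall back to the IP when it is blank or '-'
                SourceHost = $(if ($d.WorkstationName -and $d.WorkstationName -ne '-') { $d.WorkstationName } else { $d.IpAddress })
            }
        }
}

# Constructed sample logons so the check can be exercised without a live log.
$sample = @(
    [pscustomobject]@{ User = 'CORP\da-alice'; LogonType = 10; SourceHost = 'PAW-ADMIN01' }
    [pscustomobject]@{ User = 'CORP\da-bob';   LogonType = 10; SourceHost = 'WS-BOB-LAPTOP' }
    [pscustomobject]@{ User = 'CORP\svc-backup'; LogonType = 3; SourceHost = 'FILESRV01' }
)
$sample | ForEach-Object { Test-JumpServerLogon -User $_.User -LogonType $_.LogonType -SourceHost $_.SourceHost } |
    Where-Object { $_ } | Format-Table -AutoSize
```

On the jump server itself, replace the constructed $sample with `Get-JumpServerLogon` piped into the same check.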

Primary Technical Controls - Credential Guard

Primary Technical Controls - Restrict and protect high-privilege domain accounts

Some organizations allow high-privilege accounts like those that are members of the Domain Admins group to perform general administrative tasks or log on to user desktops or other systems used for email and Internet browsing, exposing these credentials to potential attackers.

This is stuff like:

Notably, this is one of the easy wins that keeps appearing:

Do not configure services or schedule tasks that use privileged domain accounts on lower-trust systems, such as user workstations.