Jumpboxes are not a mitigation for credential theft
Advice no one reads from Microsoft, but probably should have. Jumpservers are Fake News(TM)
tl;dr
Microsoft said it themselves, Jumpservers aren’t a mitigation for credential theft
What
From Microsoft, Windows 10 Credential Theft Mitigation Guide: https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx
Assume breach: two words that should change the way defenders think about compromise in their organization. Microsoft investigations of attacks on customers all too often reveal success in compromising user and administrator account credentials, including domain and >enterprise administrator credentials. Technical features and capabilities alone are not enough: the most effective solution requires a planned approach as part of a >comprehensive security architecture that includes proper system administration and operation.
This was initially published in 2016, and appears to have more recent advice.
The parts people didn’t read
Jump Servers
From section Use jump servers to administer isolated network segments:
Although jump servers can provide utility in security architectures, they don’t directly mitigate credential theft and reuse attacks. You cannot maintain security >integrity if a user connects to an administrative jump server from a lower-trust workstation.
Jumpboxes are not a mitigation for credential theft
Jumpboxes are not a mitigation for credential theft
Jumpboxes are not a mitigation for credential theft
Primary Technical Controls - Credential Guard
- Seems simple enough. Bypasses and tradecraft exist to work around this, but doesn’t seem like bad advice all the same https://jblog.javelin-networks.com/blog/why-cant-credentials-guard-stop-lateral-movement/
Primary Technical Controls - Restrict and protect high-privilege domain accounts
Some organizations allow high-privilege accounts like those that are members of the Domain Admins group to perform general administrative tasks or log on to user desktops or other systems used for email and Internet browsing, exposing these credentials to potential attackers.
This is stuff like:
- Not having 90 users in the Domain Admins group
- Not allowing DA to log into workstations
Notably, this is one of the easy wins keeps appearing:
Do not configure services or schedule tasks that use privileged domain accounts on lower-trust systems, such as user workstations.