Below are a few best practices that raise the security baseline and mitigate intruder activity such as remote access, file launching and data transmission after a password spray attack.
- Reset passwords for accounts targeted in a password spray attack, especially those with system-level permissions.
- Revoke any changes to multifactor authentication (MFA) settings made by attackers on compromised accounts.
- Implement Azure Security Benchmark and general best practices for identity infrastructure security.
- Create conditional access policies based on defined criteria to control environment access.
- Block legacy authentication with Microsoft Entra ID using Conditional Access to prevent password spray attacks.
- Enable AD FS web application proxy extranet lockout to protect against password brute force compromise.
- Practice least privilege and audit privileged account activity in Microsoft Entra ID environments.
- Deploy Microsoft Entra ID Connect Health for AD FS to capture failed attempts and IP addresses in logs.
- Use Microsoft Entra ID password protection to detect and block weak passwords and variants.
- Turn on identity protection in Microsoft Entra ID to monitor and create policies for risky sign-ins.
- Employ MFA for privileged accounts and risk-based MFA for normal accounts to mitigate password spray attacks.
- Consider transitioning to passwordless authentication methods like Azure MFA, certificates, or Windows Hello for Business.
- Secure RDP or Windows Virtual Desktop endpoints with MFA to harden against attacks.
- Treat AD FS servers as Tier 0 assets, protecting them with measures similar to domain controllers.
- Practice credential hygiene, including logon restrictions and controls like Windows Firewall on easily compromised systems.
- Consider migrating to Microsoft Entra ID authentication to reduce the risk of on-premises compromises.
Thank You!