
Say you have this:

An NPS server that grants access to users using client certificates (EAP-TLS).

So for example someone managed to snatch the domain administrator's password and they log in to the computer using the domain administrator's username and password. Then using their regular user certificate, the NPS server grants them access to the network and, based on their certificate, places them in a regular Users VLAN. That Users VLAN would be able to access the domain controller, otherwise no domain users could log in.

So now that this person has access to the network, they can log in to the domain controller as an administrator even though they don't have the administrator's certificate. All they needed was to know the administrator's password. So certificates here are essentially useless.

Why isn't there a way to log in to a domain controller other than just using a plain password? (I know there's smart cards, but they are too complicated and expensive to set up). Like why can't you make the domain controller log users in using their certificates?

skooog
Newlo Newly

2 Answers


The EAP-TLS authentication mechanism deployment as described only proves that an authorised user is operating the device. This could be a certificate in the local user's profile, the computer's profile, or linked to a TPM. In the end though, once that authentication is done, the network can only assume all subsequent network traffic is authorised.

The attack you mention is conceptually the same as a person accessing an unlocked workstation to connect to a resource using stolen credentials. As far as the session is concerned, the authorised user is performing the action.

If you're talking about network (file sharing/remote administration) then locking that down with extended authentication mechanisms is very difficult. Blocking local console (RDP) access is as simple as firewalling that port to hosts that are strongly authenticated and network segregated.

The root of your troubles is the domain admin account's password. Good practice is to grant permissions only as required, and membership of Domain Admins is then restricted so that administrators are not members of that group in the normal course of work.

Should a function need to be performed with those privileges, a well-controlled process for granting those permissions temporarily will have more benefits than trying to augment Windows' authentication mechanisms.

Liam Dennehy

Block domain admin accounts from interactively logging into regular user workstations. You can do this with Group Policy.

Restrict admin connections to trusted admin hosts. The firewall on your domain controller (or VLAN ACL) should be restricting RDP and PowerShell remoting connections to trusted admin hosts.

Use 2FA. You imply it's too expensive but it is a common requirement to meet most serious security standards these days.

myron-semack
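The second of myron-semack's points (restricting RDP and PowerShell remoting on the domain controller to trusted admin hosts), as an added example that is not part of either answer: it scopes the admin ports to a list of admin host addresses and then audits the host firewall for any enabled rule that still exposes those ports to any address. The admin host IPs, the rule names and the built-in rule group names ("Remote Desktop", "Windows Remote Management") are assumptions for this example; the Group Policy logon-denial part is not scripted here.

```powershell
# Added example, not from the answers above. Run on the domain controller in an elevated session.
$TrustedAdminHosts = @('10.0.50.10', '10.0.50.11')   # ASSUMPTION: placeholder admin host addresses
$AdminPorts = @{ 'RDP' = 3389; 'WinRM-HTTP' = 5985; 'WinRM-HTTPS' = 5986 }

function Set-AdminRemoteAccessRestriction {
    param([string[]]$RemoteAddress)
    # Disable the built-in rule groups that allow these ports from anywhere, so only the scoped
    # rules created below remain active.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
    foreach ($name in $AdminPorts.Keys) {
        # One inbound allow rule per admin port, limited to the trusted admin hosts.
        New-NetFirewallRule -DisplayName "Admin-Only $name" -Direction Inbound -Protocol TCP `
            -LocalPort $AdminPorts[$name] -RemoteAddress $RemoteAddress `
            -Action Allow -Profile Domain | Out-Null
    }
}

function Test-AdminRemoteAccessRestriction {
    # Returns every enabled inbound allow rule that exposes an admin port (or all ports)
    # to any remote address; an empty result means the restriction holds.
    $findings = @()
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
        $addrs = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addrs -notcontains 'Any') { continue }
        foreach ($p in $AdminPorts.Values) {
            if ($ports -contains 'Any' -or $ports -contains "$p") {
                $findings += [pscustomobject]@{ Rule = $rule.DisplayName; Port = $p }
            }
        }
    }
    return $findings
}

Set-AdminRemoteAccessRestriction -RemoteAddress $TrustedAdminHosts
$exposed = Test-AdminRemoteAccessRestriction
if ($exposed) { $exposed | Format-Table -AutoSize } else { 'No admin port is reachable from arbitrary hosts.' }
```

Re-run Test-AdminRemoteAccessRestriction after any Group Policy refresh, since a domain firewall policy can re-enable the built-in groups.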