A A
Silversands Logo
Microsoft 365 logo Microsoft 365

Provide your users with the productivity & collaboration tools they need, wherever they are working

Find out more
Azure logo Azure

Overcome the burdens and cost of on-premises infrastructure with powerful, resilient cloud-based services & solutions

Find out more
Microsoft Power Platform logo Microsoft Power Platform

Solve complex business application and process requirements with Microsoft Power Platform

Find out more
On-Premises Solutions logo On-Premises Solutions

Maintain your on-premises environments and migrate legacy solutions to the cloud.

Find out more
Devices logo Devices

Track, manage and maintain your endpoint devices.

Find out more
Custom Development logo Custom Development

Build bespoke solutions that extract maximum value from your Microsoft investment.

Find out more
Support Services logo Support Services
Business Process Digitisation & Automation logo Business Process Digitisation & Automation
Cloud Migration logo Cloud Migration
Collaboration logo Collaboration
Device Management logo Device Management
Hybrid Working logo Hybrid Working
Identity & Access Management logo Identity & Access Management
Intranet logo Intranet
Governance & Compliance logo Governance & Compliance
Organisation Mergers & Demergers logo Organisation Mergers & Demergers
Power Platform Proactive Support logo Power Platform Proactive Support
Security logo Security
User Adoption & Change Management logo User Adoption & Change Management
Windows Desktop logo Windows Desktop

01202 360000 (Switchboard) 01202 360360 (Service Desk)

getstarted@silversands.co.uk

Silversands Ltd, Albany Business Park, Cabot Lane
Poole, Dorset, BH17 7BX

Customer Portal
Accountancy firm taxed by external access vulnerabilities hero image

Accountancy firm taxed by external access vulnerabilities

This long-established firm provides tax and accountancy services across several sectors including sport, media and non-profits.

Technology used :

Conditional Access

Multi-Factor Authentication

Self-Service Password Reset

Accountancy firm taxed by external access vulnerabilities hero image
What is the background?
  • An accountancy firm relied on Conditional Access (CA) and Multi-Factor Authentication (MFA) to protect against malicious logins.
  • However, a malicious attack triggered an access control and external threat review
What were the findings?
  • Existing access rules were based primarily on user location
  • CA was not being applied to all users and login attempts
  • Many access attempts were from unmanaged or non-compliant devices
  • Password reset policies were not enforced
  • Similar policies were in place for Corporate and personal devices
  • Some users were not enabled for MFA
What were the recommendations?
  • Changes were proposed to improve the firm’s security posture
  • CA policies needed to be reconfigured based on best practice approach
  • Additional compliance policies needed to be created
  • MFA needed to be enabled for all users
  • MFA policies should use best practice

background

A recent malicious attack on this accountancy firm was identified and ultimately thwarted, but it triggered a general concern about the potential for bad actors to gain access to the firm’s services and data. Considering that many of the security solutions had been implemented several years ago, the partners wanted to be sure that the protections which were currently in place were still relevant in today’s hybrid working world and operating effectively.

Following a referral from one of our existing customers, this firm requested that we review its external security protections.

User login screen
Background
  • Conditional Access (CA) and Multi-Factor Authentication (MFA) is deployed
  • A malicious attack triggered an external threat review
<p><em>“Although this firm had a great level of security protection enabled, there can still be gaps that can be exploited by malicious actors. This is why it is important to regularly review the configuration of your security solutions to ensure that they are taking advantage of the latest configuration options and that they meet your current requirements.”</em></p>

“Although this firm had a great level of security protection enabled, there can still be gaps that can be exploited by malicious actors. This is why it is important to regularly review the configuration of your security solutions to ensure that they are taking advantage of the latest configuration options and that they meet your current requirements.”

Colin Gray, Account Manager, Silversands

Review & Findings

In the first instance, an analysis was undertaken so that we could understand the existing configuration and use of the Microsoft Intune Conditional Access (CA) and Multi-Factor Authentication (MFA) solutions, the primary targets of this particular review.  CA controls which devices can access the firm’s services, and how those devices must be configured to be valid. Using a specially configured mobile device that only the user has, MFA provides an additional login authentication step, which a malicious actor does not have.

More specifically, this analysis reviewed:

  • Access for managed and unmanaged Windows, non-Windows and mobile devices
  • Configured rules for allowing or preventing network and service access
  • User profiles and access requirements for different roles among the firm’s staff
  • The configuration of the MFA service
  • The Self-Service Password Reset configuration
Hacker working in the dark

Following our analysis, we found a number of issues with the external access security for this firm.  Specifically:

  • In the 7 days before the review, over 140 users had managed to sign in without being challenged by Conditional Access
  • Two-thirds of those sign-ins were from unmanaged or non-compliant devices
  • There was no differentiation between corporate and personal devices
  • There was no consideration for guest accounts or privileged roles
  • Several users had not been assigned to use MFA
  • Password reset had a fairly weak set of requirements to allow a reset to be performed
Person blocked from login by failed MFA

These issues have been caused by several factors such as policies that are too broad, that don’t use key parameters like device state or compliance status and that don’t differentiate between corporate and personal devices.

Equally, not having MFA enabled for every account means that there are easy opportunities for bad actors to attempt to hack these accounts.

Ultimately, the clear conclusion that we can draw from these findings is that there are lots of opportunities for bad actors to bypass the access controls and policies that have been put in place, resulting in the potential for compromised accounts, data loss, reputational damage or even worse.

Findings
  • Existing access rules were limited in scope
  • Conditional Access not applied to all scenarios
  • Unmanaged or non-compliant device controls were poor
  • Same policies applied to corporate and personal devices
  • MFA not enabled for all users
  • Password reset policies not enforced

Recommendations

Based on our review and findings, we made several recommendations across CA, MFA and password reset, including:

  • Reconfiguring CA policies to cover more specific scenarios
  • Creating policies for corporate and personal devices with different configurations
  • Creating compliance policies to check devices have valid antivirus and patch configurations
  • Ensuring that all users are MFA-protected
  • Hardening the self-service password reset requirements
  • Adding Privileged Identity Management to enhance protection for admin-level access

 

The firm has taken our recommendations on board and immediately made several changes to the configuration of the various services. It is fortunate that the many holes we found had not been exploited to date.

The benefits gained through the implementation of these changes include:

  • The opportunities for malicious actors to gain access through device manipulation or compromised user logins will be removed
  • Devices with incorrect or compromised configurations (such as disabled antivirus) will be denied a connection
  • Personal devices will be treated with much more suspicion than corporate devices
  • Admin-level accounts will be much more secure
  • The firm will be much better secured against external threats

 

Of course, access control is only one part of an organisation’s security protection, and we continue to work with this firm to identify other areas of weakness and threat opportunities.

<p>“While there are many external threats to any organisation, two of the main defences are Conditional Access and Multi-Factor Authentication. However, if these are incorrectly configured or have bad policies, they may as well not be there. Therefore, it is extremely important to make sure these services are designed properly and regularly reviewed to ensure continued protection.”</p> <p> </p> <p>Mark Ison, Lead Device Management Consultant, Silversands</p>

“While there are many external threats to any organisation, two of the main defences are Conditional Access and Multi-Factor Authentication. However, if these are incorrectly configured or have bad policies, they may as well not be there. Therefore, it is extremely important to make sure these services are designed properly and regularly reviewed to ensure continued protection.”

 

Mark Ison, Lead Device Management Consultant, Silversands

Recommendations
  • Several policy and config changes were proposed
  • CA policies needed modification inline with best practice
  • Additional compliance policies were required
  • MFA coverage needed to be improved
  • Self-service password reset need to be hardened

Other Case Studies you may be interested in