Smart card multi-factor authentication (MFA) is one of the strongest forms of MFA available, but is it enough to secure access?
Following several high-profile breaches, much of the Department of Defense, Federal government, and commercial market upgraded the “door locks” on their systems and applications from basic username/password authentication to smart card MFA (e.g. PIV or CAC authentication). Over the past decade, Federal agencies have been mandated to comply with White House directives (e.g. HSPD-12, OMB M-11-11), and industry standards (e.g. NIST SP-800-63) which require the use of PIV/CAC smart card credentials for authentication to facilities, networks, and information systems. Achieving full compliance with MFA mandates increases an organization’s security posture but even organizations who have achieved full smart card MFA compliance risk creating a false sense of security regarding their authentication mechanisms.
Some organizations may believe that if their devices are PIV/CAC-enabled, they are compliant and therefore secure – that they do not need a privileged access management (PAM) solution to manage sensitive credentials and devices. Contrary to this belief, properly implementing a PAM solution can often provide stronger access security than a traditional MFA solution that only consists of PIV/CAC enablement. The following sections highlight some of the reasons why organizations with smart card MFA should consider incorporating a PAM solution into their security architecture.
The Risks of Static Hashes
In Active Directory (AD) environments, user accounts leverage NT hashes to support single sign-on (SSO) operations after the initial user authentication. After a user logs into their workstation with their credentials (username/password or smart card) an NT hash is created so that they can subsequently access various AD services and applications without having to enter their credentials again. Since this hash is temporarily cached on systems, it becomes vulnerable to pass-the-hash attacks.
One of the strongest mitigations for a pass-the-hash attack is to rotate account NT hashes frequently. For accounts that leverage username and password authentication, the NT hash is generated from the specified password of the account; therefore, changing the password will change the hash. This is one of the reasons why organizations implement a frequent password change policy for users.
Why smart card MFA doesn’t address this issue
The need for SSO NT hashes does not go away when smart cards are used. The AD SSO mechanism is built into the Microsoft AD protocols. The only difference when adding smart cards into the scenario is that there is no user-specified password to be leveraged for the generation of the NT hash and therefore the NT hash is system generated. As described above, NT hashes are changed when users change their passwords but since there is no user-specified password in the smart card scenario, the system generated hash never changes (applicable to Windows servers below 2016, more below). With an everlasting NT hash, an attacker has unlimited time to steal a hash and, even worse, unlimited time to use that hash.
How PAM stops pass-the-hash attacks
According to NIST’s “Best Practices for Privileged User PIV Authentication,” the authentication model for PAM session brokering can be classified as a “Transitional Proxy Architecture.” The following diagram illustrates a PAM solution that has integrated with smart card MFA for authentication to the PAM application.
Figure 1 Transitional Proxy Architecture
As depicted in the diagram, strong authentication is leveraged between the user and the PAM application but not between PAM and the target endpoint. The PAM solution stores password (or SSH key) credentials in an encrypted vault and then leverages those credentials to broker sessions to endpoints on behalf of the user. PAM session brokering solutions sometimes receive criticism for the fact that strong authentication is not used directly at the target endpoint. Counter to this criticism, the fact that a password is still available for privileged accounts enables the ability to frequently rotate the password, and by extension, change the NT hash.
One of the most valuable features offered by most PAM vendors is the automated rotation of credentials after each use. Since the PAM service will broker connections to endpoints with a credential stored in the vault, credential rotations can happen more frequently and reliably than in traditional environments where users are responsible for executing password changes.
What about the weak authentication to the target?
The concerns related to weak authentication center on the risk that a malicious actor could crack the authentication mechanism and gain access. A PAM solution offers the following mitigations in the case of passwords:
- Frequent password rotations: This limits the window an attacker has to crack a valid password. This can be as frequent as after every session.
- Extremely complex passwords: Since users no longer need to type in their passwords, passwords can be as long, complex, and random as possible.
- Block the doors to the target: A PAM best practice is to leverage firewalls and access control lists (ACLs) to ensure only the PAM server can establish a connection to target endpoints. This means attackers will have extremely limited avenues to reach endpoints.
- Passwords are no longer in users’ memories or spreadsheets: Passwords are stored in an encrypted digital credential vault which reduces the risk of “credential carelessness.”
How PAM Augments Native Microsoft Features
Although the NT hash scenario is primarily an Active Directory issue, AD is often the heart of an organization and therefore compromising a privileged hash can eventually do damage to non-AD resources as well.
Microsoft now provides a feature which will automatically rotate NT hashes every 60 days for accounts that are smart card enforced. Organizations should note that this feature is only supported for domains with the Windows Server 2016 functional level and up. Even for Windows Server 2016+ domains, PAM is still worth strong consideration as it can provide password rotations on a much more frequent basis as well as the additional benefits described in the following section.
PAM Session Management Strengthens Security
Advocates of MFA-only solutions often reject PAM session brokering due to the fact that some PAM solutions require direct smart card enforcement to be disabled on endpoints in order for proxy services to authenticate to the endpoint on behalf of the user with username/password credentials. Organizations must evaluate the full spectrum of PAM security measures and benefits that can compensate for disabled endpoint enforcement. When determining whether to leverage PAM session management or to maintain direct smart card enablement it is important to weigh the pros and cons.
|Direct Smart Card MFA||PAM Session Management||Justification|
Video and keystroke recording of a session
|Since PAM is the “man-in-the-middle” proxy it provides session recording abilities. Session recordings have signifcant value when identifying and auditing inappropriate user behavior and access.|
Shadow a user session for audit or security purposes
|PAM provides the ability to shadow or “tap” a session. Session shadowing is a powerful security tool for dealing with insider threats.|
Strong MFA to Endpoint
Authentication to privileged devices leverages strong MFA
Automatic PAM session brokering leverages username/password credentials or SSH keys for authentication to the endpoint.
* Some PAM vendors support smart card pass-through which allows for the user to perform a second manual strong authentication at the endpoint (see below for more).
Centralized Privileged Session Oversight
Ability to see and manage all privileged sessions in an enterprise
|The ability to see and manage what people access is one of the strongest benefits of a centralized PAM solution.|
Minimal Credential Exposure
Privileged credentials are not exposed to non-privileged machines
|With PAM, privileged credentials are stored in a credential vault and are only exposed to the session manager and the privileged endpoint. With direct MFA, privileged credentials are often exposed to non-privileged workstations during the establishment of remote sessions (i.e. a user inserts an admin PIV into an unprivileged workstation in order to remote into a privileged device).|
For organizations that want or need to continue to use smart card MFA, there are ways to take advantage of some of the benefits of PAM while maintaining strong MFA to the target. Some PAM vendors support a feature which allows users to re-authenticate at the target with a smart card credential. In this case, strong authentication is performed at the endpoint and session recording/monitoring can still take place.
Smart card MFA is a strong form of authentication, but it is not perfect. In many use cases, implementing a PAM solution can provide greater security and value than relying on smart card MFA alone. It is important for organizations to recognize that the threat landscape is ever-changing and that threat vectors have drastically increased: in order to properly secure privileged access you need more than just strong authentication.