
Every time I read about another attack, I am always interested in how the attackers gained initial access to the network. With the recent Colonial Pipeline attack, the initial infection point was reportedly an old, unused, but still active VPN account. The password had been found on the dark web rather than obtained via phishing, implying that it had been leaked in an earlier breach or reused by a Colonial employee. The VPN account did not have two-factor authentication (2FA) enabled, so the attacker merely had to log in.

The manner of attack made me consider my own network. Do I have remote access credentials that do not have 2FA? Are there other ways attackers could enter my network? Have I been lax in how I handle logins? Do I have old, unused accounts with weak passwords or, worse, passwords that can be found on underground websites?

These four tips will help eliminate easy attacker access to your Windows network.

1. Finding old devices and accounts in Active Directory

One tool I recommend to find old and unused computer accounts is Oldcmp, the free command-line tool from joeware. You can also use PowerShell with the ActiveDirectory module to locate inactive user and computer accounts, or to determine who hasn't logged in for 90 days or more, as follows:
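The following script is an added example, not code from the original article: it reports enabled Active Directory user and computer accounts that have not logged on in 90 days or more, flags the ones whose passwords are also stale, and shows a dry-run disable step. It assumes the RSAT ActiveDirectory module on a domain-joined machine with read rights; the 90-day threshold and the report path are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): stale-account report for AD.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine with read
# rights. The 90-day threshold and $ReportDir are assumed values.
Import-Module ActiveDirectory

$Days      = 90
$Cutoff    = (Get-Date).AddDays(-$Days)
$ReportDir = Join-Path $env:USERPROFILE 'StaleAccounts'   # assumed output path
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Quick check: the built-in cmdlet lists user accounts the domain considers
# inactive for the given span.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
    Where-Object Enabled |
    Select-Object Name, SamAccountName, LastLogonDate |
    Format-Table -AutoSize

# Fuller report. LastLogonDate is derived from lastLogonTimestamp, which is only
# written back (and replicated) when the stored value is 9-14 days old, so it is
# reliable for a 90-day threshold but useless for "logged in this week".
$StaleUsers = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated |
    Where-Object {
        # Never-logged-on accounts have a null LastLogonDate; only flag them
        # when the account itself is older than the cutoff.
        if ($null -eq $_.LastLogonDate) { $_.whenCreated -lt $Cutoff }
        else                            { $_.LastLogonDate -lt $Cutoff }
    } |
    Select-Object SamAccountName, LastLogonDate, whenCreated,
                  PasswordLastSet, PasswordNeverExpires, DistinguishedName |
    Sort-Object LastLogonDate

$StaleComputers = Get-ADComputer -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, OperatingSystem, whenCreated |
    Where-Object {
        if ($null -eq $_.LastLogonDate) { $_.whenCreated -lt $Cutoff }
        else                            { $_.LastLogonDate -lt $Cutoff }
    } |
    Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate

$StaleUsers     | Export-Csv -Path (Join-Path $ReportDir 'stale-users.csv')     -NoTypeInformation
$StaleComputers | Export-Csv -Path (Join-Path $ReportDir 'stale-computers.csv') -NoTypeInformation
"Stale users: $($StaleUsers.Count)  Stale computers: $($StaleComputers.Count)"

# Accounts that are both unused and still carry an old or never-expiring
# password are the ones most likely to match a leaked credential: list them
# separately so they are handled first.
$StaleUsers |
    Where-Object {
        ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff) -or
        $_.PasswordNeverExpires
    } |
    Format-Table SamAccountName, LastLogonDate, PasswordLastSet, PasswordNeverExpires -AutoSize

# Remediation, dry run by default: disable rather than delete, so an account
# that turns out to be a service account can be restored. Remove -WhatIf only
# after the CSV has been reviewed.
$StaleUsers | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
}
```

Two caveats when reading the output: service accounts that authenticate via Kerberos to a single host can show a stale LastLogonDate even though they are in daily use, so review the list before disabling anything, and remote-access accounts (VPN, RDP gateways, cloud federation) should be checked against the VPN or identity provider's own logs as well, since those logins may not update the on-premises attribute at all.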


All rights reserved Jenson Knight.