Is it possible to protect the Primary Refresh Token (PRT) if attacker has hands on keyboard
Hi everyone,
I want to ask if anyone knows whether it is possible to defend against a pass-the-PRT attack. We are about to embark on a journey to deploy privileged access workstations to all IT admins with more or less no internet access. The idea is to have a clean source and heavily reduce the chance of an attacker getting hold of the credentials / PRT of an admin account. But because it is so heavily locked down it is already causing issues for us.
So I want to find out how big of an issue it is if an attacker was able to get a foothold on a device which is used by a standard user account that has Microsoft Entra ID roles assigned via PIM.
So we have Defender for Endpoint installed on all devices, Tamper Protection is on and the ASR rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)” is set to block. Further to that, we require a FIDO2 security key for all IT admins and CA policies are set to require both MFA and a compliant device.
But as mentioned above, if an attacker gets a foothold on a device used by an IT admin user who logs in with his or her standard account and elevates into an Entra admin role, is it game over by then?
If that is the case, it seems to me that the PRT is the weak point and we would be better off not having the device used for admin privileges joined to Microsoft Entra.