Ask an infosec engineer

Hey folks,

I haven’t posted here in a while. When I started watching teksyndicate I was building my first computer (2011) and found the assistance of @wendell at some point; and followed ever since but fell off the forums a few years ago. Anyway, I found these guys 10 years ago and since then I’ve held an IT coordinator position for a ~100 person medical clinic, infosec for a ~250 employee bank, and now do infosec for a software development company. I mainly specialize in Layer 2 network security, identity management, hardware auth (YubiKeys), MFA, and Windows endpoints.

Have a question about getting into I.T., or something technical? Maybe I can help, ama.

Disclaimer: I’m actually an idiot and know almost nothing about anything. Take everything I say with a grain of salt.

6 Likes

Given I’m close to deploying yubikeys at work for PIV / AD… (I have a few pilot users)…

What are the ways I can accidentally shoot myself in the foot, specifically with granting helpdesk the ability to provision keys for others?

I can think of a few ways, but interested to hear any advice on real world issues you’ve encountered.

1 Like

Further to that… have you had any experience with the Azure MFA add-in for Microsoft NPS? I’m looking to add that to my NPS servers for MFA on my Radius authenticated VPN, wifi, etc…

1 Like

If you’re using Azure AD it’s best to start considering using FIDO2 instead as a passwordless authentication method. PIV has two built-in vulnerabilities that have some concerns initially, where a dedicated hacker could gain access; specifically around the arbitrary subject name of the certificate that the template has to have in order for certificates to be generated. One way you can mitigate, which also helps with your other question, is to have a centralized ‘kiosk’ system that’s whitelisted for certificate management where a PowerShell script is run that automatically revokes any duplicate PIV certificates. There’s a lot of questions about how to do that securely that I don’t have answers to though.

2 Likes
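One way to implement the “revoke duplicate PIV certificates” script mentioned above, as an added example that is not code from anyone in this thread. It runs from the locked-down CA-management host as a CA Officer, uses only the built-in certutil, lists every issued certificate from the PIV template grouped by subject, keeps the newest per subject and (when not run with -WhatIf) revokes the rest as Superseded. It also prints the RequesterName of each duplicate, so enrollment-agent (helpdesk) requests made on behalf of someone else are visible. The CA config string and template name are placeholders, not values from this thread.

```powershell
<#
  Added example (not from any poster): report and optionally revoke duplicate
  PIV logon certificates on an AD CS issuing CA, keeping only the newest per subject.

  Placeholders: -CaConfig and -TemplateName are made-up values. Replace them with
  your CA's "<host>\<CA name>" string and the PIV template's display name or OID
  (the CA database stores the OID for v2+ templates, so either is matched below).
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$CaConfig     = 'CA01.corp.example\Corp Issuing CA',  # placeholder
    [string]$TemplateName = 'PIV Smartcard Logon'                 # placeholder
)

# Disposition 20 = issued (not revoked). The -out column order defines the CSV
# order, and we supply our own header so the CA's localized display names do not matter.
$columns = 'RequestID,RequesterName,CommonName,NotBefore,NotAfter,SerialNumber,CertificateTemplate'
$raw = certutil -config $CaConfig -view -restrict 'Disposition=20' -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed against '$CaConfig'" }

$issued = $raw |
    Select-Object -Skip 1 |                                   # drop certutil's own header row
    ConvertFrom-Csv -Header ($columns -split ',') |
    Where-Object { $_.CertificateTemplate -like "*$TemplateName*" }

# Group by subject; everything except the highest (newest) RequestID is a duplicate.
$duplicates = $issued |
    Group-Object CommonName |
    Where-Object Count -gt 1 |
    ForEach-Object {
        $_.Group |
            Sort-Object { [int]$_.RequestID } -Descending |
            Select-Object -Skip 1                             # keep newest, emit the rest
    }

if (-not $duplicates) {
    Write-Host "No duplicate '$TemplateName' certificates found on $CaConfig."
    return
}

# RequesterName that is an enrollment-agent/helpdesk account rather than the subject
# itself is exactly the on-behalf-of enrollment the thread is worried about.
$duplicates |
    Select-Object CommonName, RequesterName, RequestID, NotBefore, NotAfter, SerialNumber |
    Format-Table -AutoSize

foreach ($cert in $duplicates) {
    # CRLReason 4 = Superseded. With -WhatIf, ShouldProcess prints instead of revoking.
    $target = "$($cert.CommonName) (serial $($cert.SerialNumber))"
    if ($PSCmdlet.ShouldProcess($target, 'Revoke as Superseded')) {
        certutil -config $CaConfig -revoke $cert.SerialNumber 4 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Revoke failed for $target" }
    }
}
```

Run it first as `.\Revoke-DuplicatePiv.ps1 -WhatIf` to get the report without touching the CA; because ConfirmImpact is High, a plain run prompts per certificate unless you pass `-Confirm:$false`. Publish a new CRL (or rely on OCSP) afterwards, since revocation only takes effect once relying parties see it.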

I think I partially answered that by stating you should consider FIDO2 auth. I don’t have experience with NPS.

1 Like

Am using FIDO2 for 365 - is it possible to also use that for local AD login? I wasn’t sure on that.

1 Like

IIRC no, you’ll need to be full cloud auth. Local/AD auth doesn’t allow for that since the auth chain is one directional (AD->365). Naturally if you SSO with 365 anything under that SAML auth umbrella will get access to FIDO2 but nothing that’s LDAP based will. (I don’t manage our 365 auth.)

Edit: I’d like to clarify that PIV auth is extremely satisfactory for the majority of corporations so I don’t want to turn you off that. There are just considerations about it you need to look at.

2 Likes

Roger. Unfortunately I have an extensive legacy network with mostly on-prem, AD SSO applications. PCs are hybrid domain joined. So at the moment I’m doing PIV for on-prem AD auth, and FIDO2 on the same key for 365.

I thought I did read somewhere about integrating the two but the documentation on all this is scattered all over the place and full of acronyms, etc. Gradually figuring it out, but this is only one of my hats at work (official title is IT Infrastructure Team Lead - so it covers a bit; we do not have dedicated security staff, that defaults to me as I’m the most paranoid :smiley: ).

1 Like

Fortunately 1 YubiKey will do both PIV and FIDO2 for the same account so there’s coverage there. You’re awesome for considering security in your decisions instead of pushing forward with less friction. You should ask for a promotion to a newly made security team and a substantial bonus, since you’re already doing the work.

2 Likes

Haha if only.

Basically we’re pretty light on IT staff. Our structure is pretty simple.

I’m just below the CIO on the hierarchy. :slight_smile:

We have 3 branches of IT:

  • infrastructure
  • service desk
  • IS/App development

1 Like

For sure. I’d say ask for promotion to CISO then, but that job (usually) is a rubber stamp ‘risk accepted’ job until the company gets popped because Susan opened an email, and then you’re fired.

3 Likes

Yup.

At the moment, as no position for it exists, it’s “best effort”, and not that I’m looking for an out, but it’s unlikely I’d be the one to lose my job as I’ve articulated risk, doing the best I can with limited resources, etc.

2 Likes

My first job I was in the same position. Just do your best and try to keep the network evolving in a positive direction.

2 Likes

Get your CISSP or CASP+ (Gov’t loves CompTIA), and then ask for CISO if you want to go that route. You are on the right path and honestly, CISSP will open doors for you in the InfoSec/CyberSec world. Honestly, if you are right under the CIO, if things go well, then there is no reason why they should not promote you to that position.

2 Likes