The article explains that Multi-Factor Authentication (MFA) often fails to protect Windows environments because many common authentication paths bypass cloud-based identity providers. It details seven specific Windows authentication methods that attackers exploit using stolen credentials, including interactive logons, RDP, NTLM, and Kerberos. These methods rely on Active Directory and do not trigger standard MFA prompts. The core issue is the lack of MFA coverage across all authentication vectors, leaving networks vulnerable to credential-based attacks.
Organizations typically roll out multi-factor authentication (MFA) and assume stolen passwords are no longer enough to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials. The issue is not MFA itself, but coverage.
Enforced through an identity provider (IdP) such as Microsoft Entra ID, Okta, or Google Workspace, MFA works well for cloud apps and federated sign-ins. But many Windows logons rely solely on Active Directory (AD) authentication paths that never trigger MFA prompts. To reduce credential-based compromise, security teams need to understand where Windows authentication happens outside their identity stack.
Seven Windows authentication paths that attackers rely on
1. Interactive Windows logon (local or domain joined)
When a user signs in directly to a Windows workstation or server, authentication is typically handled by AD (via Kerberos or NTLM), not by a cloud IdP.
In hybrid environments, even if Entra ID enforces MFA for cloud apps, traditional Windows logons to domain-joined systems are validated by on-prem domain controllers. Unless Windows Hello for Business, smart cards, or another integrated MFA mechanism is implemented, there’s no additional factor in that flow.
If an attacker obtains a user’s password (or NTLM hash), they can authenticate to a domain-joined machine without triggering the MFA policies that protect software-as-a-service apps or federated single sign-on. From the domain controller’s perspective, this is a standard authentication request.
Tools like Specops Secure Access are key to limiting the risk of credential abuse in these scenarios. By enforcing MFA for Windows logon, as well as for VPN and Remote Desktop Protocol (RDP) connections, this tool makes it harder for attackers to gain unauthorized access to your network. This even extends to offline logins, which are secured with one-time passcode authentication.
2. Direct RDP access that bypasses conditional access
RDP is one of the most targeted access methods in Windows environments. Even when RDP is not exposed to the internet, attackers often reach it through lateral movement after initial compromise. A direct RDP session to a server doesn’t automatically pass through cloud-based MFA controls, which means the logon may rely solely on the underlying AD credential.
3. NTLM authentication
NTLM is a legacy authentication protocol that, despite being deprecated in favor of the more secure Kerberos protocol, still exists for compatibility reasons. It is also a common attack vector because it supports techniques like pass-the-hash.
In pass-the-hash attacks, the attacker does not need the plaintext password; instead, they use the NTLM hash to authenticate. MFA does not help if the system accepts the hash as proof of identity.
NTLM can also appear in internal authentication flows that organizations may not actively monitor; only an incident or an audit will surface it to security teams.
4. Kerberos ticket abuse
Kerberos is the primary authentication protocol for AD. Instead of stealing passwords directly, attackers steal Kerberos tickets from memory or generate forged tickets after compromising privileged accounts. This enables techniques such as:
- Pass-the-ticket
- Golden Ticket
- Silver Ticket
These attacks allow long-term access and lateral movement and also reduce the need for repeated logons, which lowers the chance of detection. These attacks can persist even after password resets if the underlying compromise is not fully addressed.
5. Local administrator accounts and credential reuse
Organizations still rely on local administrator accounts for support tasks and system recovery. If local admin passwords are reused across endpoints, attackers can escalate one compromise into broad access.
Local admin accounts usually authenticate directly to the endpoint bypassing MFA controls entirely. Entra ID conditional access policies do not apply. This is one reason why credential dumping remains so effective in Windows environments.
6. Server Message Block (SMB) authentication and lateral movement
SMB is used for file sharing and remote access to Windows resources. It’s also one of the most reliable lateral movement paths once an attacker has valid credentials. Attackers commonly use SMB to access administrative shares such as C$ or to interact with systems remotely using valid credentials.
If SMB authentication is treated as internal traffic, MFA is rarely enforced at this layer. If the attacker has valid credentials, they can use SMB to move between systems quickly.
7. Service accounts that never trigger MFA
Service accounts exist to run scheduled tasks, applications, integrations, and system services. They often have stable credentials, broad permissions, and long lifetimes.
In many organizations, service account passwords do not expire and are rarely monitored. They are also difficult to protect with MFA because the authentication is automated. Frequently, these accounts are used in legacy applications that cannot support modern authentication controls.
This is one reason why attackers target helpdesk credentials and endpoint admin access early in an intrusion.
How to close Windows authentication gaps
Security teams should treat Windows authentication as its own security surface. There are several practical steps security teams can take that reduce exposure:
1. Enforce stronger password policies in AD
A strong password policy should enforce longer passphrases of 15 or more characters. Passphrases are easier for users to remember and harder for attackers to crack. Strong policies should also prevent password reuse and block weak patterns that attackers can guess.
2. Block compromised passwords continuously
Credential theft is not always the result of brute force attacks. Billions of passwords are already available in breach datasets for attackers to reuse in credential attacks. Blocking compromised passwords at the point of creation reduces the chance that users set credentials that attackers already have.
3. Reduce exposure to legacy authentication protocols
Where possible, organizations should restrict or eliminate NTLM authentication. Security teams should set themselves the goal of understanding where NTLM exists, reducing it where possible, and tightening controls where it cannot be removed.
4. Audit service accounts and reduce privilege creep
Treat service accounts as high-risk identities. Organizations should inventory them, reduce unnecessary privileges, rotate credentials, and remove accounts that are no longer needed. If a service account has domain-level permissions, the organization should assume it will be targeted.
How Specops can help
Strong password policies and proactive checks against known compromised credentials are two of the most effective ways to reduce the risk of credential-based attacks. Specops Password Policy helps by applying flexible password controls that go beyond what’s available natively in Microsoft.
Its Breached Password Protection feature continuously checks Active Directory passwords against a database of more than 5.4 billion exposed credentials, alerting you quickly if a user password is found to be at risk. If you’re interested in seeing how Specops can help your organization, speak to an expert or book a demo to see our solutions in action.
Meridiano
