Protect access to Network Share with MFA.

For now it is possible to bypass the AA Windows Client Credentials Provider when accessing a Network Share from a machine where the AA Client is installed.

How to reproduce:


1. Make sure that the AA Client is installed on the machine you are accessing the Network Share from.

2. e.g. open "This Computer"

3. Input the shared resource path as the address

4. Press "Enter"

5. The Windows Security window pops up

6. It is possible to input only a username and password with no MFA

  • The suggestion is that security groups could be implemented with the Logon filter installed on the Domain Controller. Only authorized accounts should belong to the security group, and becoming a member of this security group should follow a strict request/approval workflow.

  • Hi Bruno,

    Thanks for the idea, but as far as I know, AA Logon Filter is not a "popular" component. Moreover, the AA guide says that the main goal of AA Logon Filter is "..prevent users to log in without the Advanced Authentication Windows Client.". But it is possible to bypass MFA with the AA Windows Client installed.

