Detections
Analytics

7.8 Ensure only MFA enabled identities can access privileged Virtual Machine

Information

Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal

Rationale:

Integrating multi-factor authentication (MFA) as part of the organizational policy can greatly reduce the risk of an identity gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

An Adversary may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized to move laterally and perform actions with the virtual machine's managed identity. The adversary may then perform management actions or access cloud-hosted resources as the logged-on managed identity.

Impact:

this recommendation requires an Azure AD P2 License to implement.

Ensure that identities that are provisioned to a virtual machine utilizes an RBAC/ABAC group and is allocated a role using Azure PIM, and the Role settings require MFA or use another PAM solution (like CyberArk) for accessing Virtual Machines.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Portal

Log in to the Azure portal.

This can be remediated by enabling MFA for user, Removing user access or Reducing access of managed identities attached to virtual machines.

Case I : Enable MFA for users having access on virtual machines.

Navigate to Azure AD from the left pane and select Users from the Manage section.

Click on Per-User MFA from the top menu options and select each user with MULTI-FACTOR AUTH STATUS as Disabled and can login to virtual machines:

From quick steps on the right side select enable.

Click on enable multi-factor auth and share the link with the user to setup MFA as required.

Case II : Removing user access on a virtual machine.

Select the Subscription, then click on Access control (IAM).

Select Role assignments and search for Virtual Machine Administrator Login or Virtual Machine User Login or any role that provides access to log into virtual machines.

Click on Role Name, Select Assignments, and remove identities with no MFA configured.

Case III : Reducing access of managed identities attached to virtual machines.

Select the Subscription, then click on Access control (IAM).

Select Role Assignments from the top menu and apply filters on Assignment type as Privileged administrator roles and Type as Virtual Machines.

Click on Role Name, Select Assignments, and remove identities access make sure this follows the least privileges principal.

See Also

https://workbench.cisecurity.org/benchmarks/12346

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|4.5

Plugin: microsoft_azure

Control ID: 626e40ad8f41af2dba5eb7dc0a321ddf8fdcaab8c58770d8cf3e5ddd48c1e20b