undefined | Better HN

0 pointsXylakant14d ago0 comments

My 95% bet is that the attacker just gained access to an account with suitable privileges and then went on to use existing automation. The fact that it’s intune is largely irrelevant - I’m not aware of any safeguards that any provider would implemen.

So the options here are MDM or no MDM and that’s a hard choice. No MDM means that you have to trust all people to get things as basic as FDE or a sane password policy right. No option to wipe or lock lost devices. No option to unlock devices where people forgot their password. Using an MDM means having a privileged attack vector into all machines.

0 comments

neo_doom14d ago

No MDM just isn’t an option for most enterprises but ideally the keys to the kingdom are properly secured.

mulmen14d ago

How does that look exactly? Someone has to be able to use MDM to manage devices or there’s no point in having it. This scenario is firmly in rubber hose/crescent wrench cryptanalysis territory. Can updates have delays with approval gates built in? Does MDM need a break glass capability?

heraldgeezer14d ago

"Principle of least privilege" as MS calls it.

Do not use global admin or admin account as daily driver for one. Dont save it in browser etc either.

Limit roles, even within the application, here Intune.

Office 365 also has conditional access and many policy leavers to tweak, many cases of people locking themselves OUT of 365. So the gates work but you need to configure them.

"Break glass" global admin accounts now also require MFA. https://learn.microsoft.com/en-us/entra/identity/authenticat...

2 more replies

j / k navigate · click thread line to collapse