The firm uses a remote desktop connection to provide access to a custom line-of-business application. The only security control in place was a username and password at log-in. Even after the remote desktop services flaws found and patched last year, hackers are still busy scanning for exposed remote desktop connections to attack. Since a password manager was not used to create the password, the password is insecure. I recommend reading the blog post “Your Pa$$word doesn’t matter” to understand how weak a password alone is.
So the first thing the firm did was confirm that a user account locks out after 3 failed log-in attempts. The next step was the implementation of multi-factor authentication (MFA).
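As an added example (not from the original post), here is a small detection routine that flags the bursts of failed RDP logons a 3-attempt lockout policy is meant to stop. Windows records a failed logon as Security event 4625, with logon type 10 for an RDP (RemoteInteractive) session; the event records and the ten-minute window below are constructed for the example.

```python
"""Flag accounts whose failed RDP logons would trip a 3-attempt lockout.
Added example; the sample events are constructed, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3           # matches the firm's lockout policy
WINDOW = timedelta(minutes=10)  # observation window (assumption for this example)

# Constructed export: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2024-01-15 09:00:01", 4625, 10, "jsmith", "203.0.113.7"),
    ("2024-01-15 09:00:04", 4625, 10, "jsmith", "203.0.113.7"),
    ("2024-01-15 09:00:09", 4625, 10, "jsmith", "203.0.113.7"),
    ("2024-01-15 09:00:15", 4625, 10, "jsmith", "203.0.113.7"),
    ("2024-01-15 09:01:00", 4625, 10, "mjones", "198.51.100.4"),
    ("2024-01-15 09:31:00", 4625, 10, "mjones", "198.51.100.4"),  # 30 min apart
    ("2024-01-15 09:02:00", 4625, 2, "mjones", "-"),              # console, ignored
    ("2024-01-15 09:03:00", 4624, 10, "jsmith", "192.0.2.10"),    # success, ignored
]


def failed_rdp_logons(events):
    """Yield (time, account, source) for failed RDP logons only:
    event 4625 = failed logon, logon type 10 = RemoteInteractive (RDP)."""
    for ts, event_id, logon_type, account, src in events:
        if event_id == 4625 and logon_type == 10:
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, src


def find_bursts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {(account, source): max_failures} for every account/source pair
    whose failures inside one sliding window reach the lockout threshold.
    Such a burst is blocked by the lockout policy but still worth an alert."""
    by_key = defaultdict(list)
    for when, account, src in failed_rdp_logons(events):
        by_key[(account, src)].append(when)
    bursts = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


if __name__ == "__main__":
    for (account, src), n in find_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {account} from {src}: {n} failed RDP logons within {WINDOW}")
```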
There are lots of great options for the implementation of MFA. The MFA chosen by the firm is called Duo, and the reason it was selected is the simplicity of setup. On a test system, I learned the process and completed the configuration in under an hour.
You can have password policies, provide password managers, train people on the use of the tools, and in the end, they may or may not comply. There is no choice for an organization but to implement MFA on every computer, application and service. MFA provides a significant increase in security and, in this case, is now a requirement to connect to the remote desktop. This is a significant improvement over a password alone, which was most likely not secure.
Organizations must take the necessary steps to protect their networks and data. Implementation of MFA is the least we can do.