Skip to content

Network - 25398 - Domain controller RDP access is protected by phishing-resistant authentication through Global Secure Access #873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Manoj-Kesana wants to merge 2 commits into
base: main
Choose a base branch
from
+449 −0
Draft

Network - 25398 - Domain controller RDP access is protected by phishing-resistant authentication through Global Secure Access #873

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
617638a
Feature-25398
Manoj-Kesana Feb 6, 2026
9f00260
Merge branch 'main' of https://github.com/microsoft/zerotrustassessme…
Manoj-Kesana Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions src/powershell/tests/Test-Assessment.25398.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
When administrators use Microsoft Entra Private Access to reach domain controllers via Remote Desktop Protocol (RDP), they authenticate through Microsoft Entra ID before the Global Secure Access client tunnels their connection to the on-premises network. If this authentication step relies solely on password-based or standard multifactor authentication, threat actors can intercept credentials during phishing campaigns or adversary-in-the-middle attacks, replay stolen session tokens, and establish persistent RDP connections to domain controllers.

Once connected, the threat actor can execute DCSync attacks to harvest all password hashes in the domain, create golden tickets for indefinite domain persistence, modify Group Policy Objects to deploy ransomware or backdoors across all domain-joined machines, and extract DPAPI master keys that decrypt enterprise secrets. Domain controllers hold the cryptographic keys to the entire Active Directory forest; compromising one domain controller typically means compromising every identity and resource in the organization.

By requiring phishing-resistant authentication—FIDO2 security keys, Windows Hello for Business, or certificate-based multifactor authentication—organizations ensure that even if users are successfully phished, threat actors cannot replay credentials because these methods require cryptographic proof of possession that is bound to the legitimate sign-in session and cannot be intercepted or forwarded.

**Remediation action**

- [Create a Private Access application for domain controller RDP access with appropriate application segments](https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-per-app-access)
- [Configure authentication strength policies to require phishing-resistant MFA](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths)
- [Create a Conditional Access policy targeting Private Access applications with authentication strength grant control](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant#require-authentication-strength)
- [Deploy FIDO2 security keys or configure Windows Hello for Business for administrators](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key)
- [Configure certificate-based authentication for phishing-resistant access](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication)

<!--- Results --->
%TestResult%
Loading