@aaronssh said in Solved: Two factor authentication for admin login:
And as a Windows admin I have no way to retrieve a user's password, they are encrypted using non-reversible encryption
How? Is there any change in Windows itself about that? Because there were multiple ways to actually hack into/"retrieve" a user PW from AD as they are not encrypted but hashed and the hashing wasn't that good the last few times an MS patch came up. But perhaps they are safer now.
@aaronssh said in Solved: Two factor authentication for admin login:
So if an admin did reset a password, it would immediately show up in the logs. CMMC requires that all logs are required to be centrally stored in a repository designed to store logs in a way that they can't be edited or modified by anyone. It would be possible to reset another Windows admin's password but would be easily traceable and alerts would go off.
Ah so there would be logs about the PW reset and thus a breadcrumb to an admin to follow. Understandable.
@aaronssh said in Solved: Two factor authentication for admin login:
I agree with your premise that a sophisticated admin attacker could probably find a way somehow, my opinion is it just shouldn't be THAT incredibly easy and obvious.
But if a hacker could (very) probably find a way to it, WHY should you place security by obscurity and obfuscate the key? Again, every TOTP solution ever has the key saved in an easy to recover way. The only way they perhaps "protect" it better is by encrypting their configuration. But at the end, e.g. a phone app for TOTP stores the TOTP key in plain sight as it is needed to generate the token. Yes you can protect the app. But pfSense is a firewall so only admins have access - and in normal situations that is a "key to the castle" scenario. As root/admin you already have the deepest levels of access. Compared with AD which is LDAP, Radius seems limited to the way it is - PAP to use TOTP. And other than Windows logins - or pfSense local logins for that matter that are also encrypted via bcrypt - Radius needs various things in clear text to hand them over to services via PAP. So as far as my understanding of the service goes, that's not a pfSense problem per se but a limitation of Radius (protocol) and handling things - @jimp may correct me if I assume wrong.
but having some type of effort required to break in is sometimes enough
If you know that Radius needs things in clear text, and that is easy to check on, you can easily assume that things are most likely not hashed but encrypted somehow and thus the code to do so would be in the open, e.g. in the Radius or pfSense files. So the point would be a simple matter of reverse engineering, reading code and using the same decode part that pfSense/Radius would be using and thus be rather pointless, I assume.
@aaronssh said in Solved: Two factor authentication for admin login:
Many people who would never break glass to steal something will walk in an open door to steal something; it's just an uncomfortable part of human nature that we all have to deal with at some level.
I get the intention, but the comparison is bad. A storefront would also be in plain sight of others that would see it. And at night, at least there would be an alarm etc. added to the closed door. But implementing pointless encryption that anyone can reverse with a few clicks (or build a tool to do it automatically) would be more like already having the keys to the shop. It's not "a hacker" that can do the stuff, it's "the owners/workers that also tend the register". And yeah, those people could also take things from the register and simply go. That's why they're normally trusted.
But yes, I get your point, perhaps there are other measures that can be applied but in that case I think Radius + TOTP aren't the tools that match the use case to be covered.
Cheers :)
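To illustrate the point made above about why a TOTP key cannot be stored one-way hashed the way a login password can, here is an added example (not code from the thread, pfSense or FreeRADIUS): an RFC 6238 TOTP check, which needs the raw shared secret to compute the HMAC, next to a password check that only ever needs a non-reversible hash. The secret is the RFC 4226/6238 test-vector key, base32-encoded, and scrypt stands in for bcrypt because it is in the standard library.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890") in base32,
# the form a phone app would scan from a QR code. Constructed demo value.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated.
    The server must hold the raw key here; a hash of it would be useless."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check accepting the current step and +/- `window` steps of drift."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """One-way, salted hash: nothing stored here can be turned back into the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash from the candidate and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    now = int(time.time())
    print("TOTP", totp(DEMO_SECRET_B32, now), "valid:", verify_totp(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, now), now))
    salt, digest = hash_password("correct horse battery staple")
    print("password valid:", verify_password("correct horse battery staple", salt, digest))
```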