Remediation
Home Archive by Category "Remediation"

Category: Remediation

Cloud SecurityRemediation

How to Disable Device Code Authentication in Microsoft 365

A big phishing trend abuses the OAuth Device Code Authentication flow against Microsoft 365 tenants. This type of attack consists of abusing Microsoft’s device code flow by coercing targeted users to enter a generated code into Microsoft’s OAuth device authentication portal here, which will then grant API access to the user’s account. A few reasons this type of attack is very popular and powerful:

1) Microsoft hosts this authentication flow, so it doesn’t require any untrusted third-party links. Typical phishing safety training (like checking the domain in a link) is less effective here.
2) Targeted users simply copy and paste a short code into the authentication prompt. Some tooling now generates the code automatically, so a user just clicks through a Microsoft prompt, “Are you trying to sign in to Microsoft Authentication Broker”
3) A successful phish gives the attacker an access token and allows them obtain a Primary Refresh Token (PRT) to create access tokens scoped however they want. PRTs last for 90 days (with some exceptions and a bit of additional complexity but not important to get into the details here).

Common Device Code Phishing Tooling

There are several tools to perform this type of phishing attack. Lucid uses several open-source frameworks on a regular basis for authorized phishing for our clients:

How to Disable Device Code Authentication

It is typical of Microsoft to introduce something that is a security risk, enable it by default, and not make it very obvious to users that there is a risk / how to disable it. M365 tenants enable device code authentication by default. The main way to disable it is via Conditional Access, per Microsoft.

Create a Conditional Access Policy as follows, per Microsoft. Note: this creates the policy in Report-only mode. If you do not have an established use of device code authentication, enable the policy.
1. First, Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Protection > Conditional Access > Policies.
3. Select New policy.
4. Under Assignments, select Users or workload identities.
Include, select the users you want to be in-scope for the policy (all users recommended).
Exclude:
– Select Users and groups and choose your organization’s emergency access or break-glass accounts and any other necessary users this exclusion list should be audited regularly.
5. Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in-scope for the policy (All resources (formerly ‘All cloud apps’) recommended).
6. Under Conditions > Authentication Flows, set Configure to Yes.
– Select Device code flow.
– Select Done.
7. Under Access controls > Grant, select Block access.
– Select Select.
8. Confirm your settings and set Enable policy to Report-only.
9. Select Create to create your policy.

Once this policy is active, device code authentication is restricted for users.

Conclusion

Lucid performs authorized phishing campaigns on a regular basis, and it is still rare to find tenants with device code authentication disabled. Given the danger of these types of real-world phishing attacks, take action to restrict this authentication flow and further secure your tenant. Need help? Lucid can perform a Microsoft 365 / Azure Configuration Review to help secure your tenant against these types of threats, and others. See our “5 Default M365 Settings to Change Immediately” for additional M365 / Azure security recommendations.

Read More
June 5, 2025 0 Comments by Lucid Security
Best PracticeInternal Penetration TestingPenetration TestingRemediation

How to Disable Machine Account Creation

user creating machine account

Disabling Machine Account Creation

Since Windows 2000, Microsoft has enabled the ability for all users to create up to 10 machine accounts by default. This is a “feature” implemented by Microsoft that inadvertently introduces potential vulnerabilities within an Active Directory environment. Secure deployment should ensure that Machine Account creation is limited to specific users or groups; Lucid Security strongly recommends making this quick change to bolster your Active Directory environment’s security. This article demonstrates how to set the MachineAccountQuota to 0 instead of the default 10.

Dangers of User Machine Account Creation

First off, let me briefly highlight why having a MAQ of anything over “0” for users is a bad idea. First, once an attacker has valid user credentials, a machine account is trivial to add. This opens up attack paths for a threat actor that often lead to domain compromise. These include:

  • Resource Based Constrained Delegation Attacks.
  • Possibility of elevating computer account to domain admin via relaying attacks.
  • Active Directory Certificate Services (AD CS) attacks.
  • Additional persistence for an attacker should a user or administrator change existing user credentials.

How to Disable User Machine Account Creation

First, this is what it looks like from an attacker viewing the Machine Account Quota (MAQ) remotely from an attacker controlled device:

Second, this is what it looks like for an attacker creating a machine account:

Log into your domain controller and perform the following:

  1. Press Windows Key + R and type adsiedit.msc
  2. Right click on the “DC=” drop down menu and select Properties
  3. Scroll down until you see ‘ms-DS-MachineAccountQuota’ and select it and then click Edit
  4. Modify the value to “0” and hit OK
  5. Apply

Assuming you’ve done everything correctly, this is what it will look like when a user checks the MAQ:

Lastly, when attempting to create a computer account, an attacker will be met with an error stating the relayed user machine quota is exceeded, or they do not have sufficient privileges:

Final Thoughts

Restricting the ability for users to create machine accounts is an important step in hardening an Active Directory environment and is often overlooked by IT administrators as it is an default value set by default by Microsoft. Lucid Security recommends having annual or bi-annual penetration testing to uncover settings such as this.

Contact us today at [email protected] or fill out our Contact Us form to speak with a qualified expert to determine the best solution for you!

Read More
May 15, 2025 0 Comments by Lucid Security
Best PracticePenetration TestingRemediation

How to Remediate HTTP Response Header Information Disclosure

Lucid Security Engineers regularly encounter HTTP headers during web application or network penetration testing that reveal potentially sensitive information such as application architecture, server versions, or information about the underlying host system. These types of information disclosure vulnerabilities can be utilized by attackers to quickly determine vulnerable server versions and perform more targeted attacks. As a developer, system administrator, or IT manager you probably find these types of findings frustrating! Here’s how to remediate “HTTP Response Header Information Disclosure”:

Nginx

To remove the “Server” or “X-Powered-By” headers for a Nginx server, implement the following:

  • In the nginx.conf file, set:
    “server_tokens off”
  • In the case of a load balancer, remove the “Server” header from responses
  • To completely remove the “Server” header, compile Nginx with the Headers More module and add:
    “more_clear_headers ‘Server’;”

References

https://serverfault.com/questions/214242/can-i-hide-all-server-os-info

https://github.com/openresty/headers-more-nginx-module#readme

Apache

Like Nginx, you can either rewrite the “Server” header value or add an additional module to completely remove it:

  • Utilize the URL Rewrite module and configure an outbound rule to change the “Server” header value. This can also be set to a blank value.
  • To completely remove the “Server” header, utilize the StripHeaders module to rewrite all HTTP response headers.

References

http://httpd.apache.org/docs/current/mod/mod_headers.html

IIS

Microsoft IIS makes removing HTTP headers pretty easy, with the notable exception of the “Server” header. Luckily we dug around and found a way to do this on Windows Server 2016, 2019 and newer.

  • Open the web.config file in the root directory of the site, after <system.web> add:
    <httpRuntime enableVersionHeader="false" />
  • To remove the “Server” header (Windows Server 2016/2019), configure requestFiltering in the web.config system.webServer node:

<security>

  <requestFiltering removeServerHeader ="true" />

</security>

References

https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710

https://www.ibm.com/support/pages/disabling-iis-web-banner-and-other-iis-headers

Conclusion

Fixing information disclosure issues can be painful, but we’re here to help. Hopefully this short post on how to remediate HTTP response header information disclosures was helpful. For up to 90 days after a penetration test, Lucid Security offers free retesting of discovered vulnerabilities. Reach out to us and schedule a security assessment today!

Read More
March 26, 2024 0 Comments by Lucid Security