The need to have Multi-Factor Authentication (MFA) implemented cannot be overemphasized. From leaked and phished accounts etc, there is a super-effective solution for protecting our accounts, therefore MFA is quite simple, and organizations are focusing more than ever on creating a better user experience.

MFA which is often referred to as two-factor authentication (2FA), is a security enhancement that adds a second layer of security which allows you to present two pieces of evidence (your credentials) when logging in to an account.

The goal is to implement the MFA on all IT systems and ensure everyone uses it.

Implementing MFA is most times, not a flawless procedure due to some challenges that you might face technically and otherwise. Here are some reasons to this impedements.

• Some reasons may be the right MFA solution to choose.
• Not all users (employee) will welcome this idea, prepare for it! I met a strong resistance when deploying MFA in one of my previous jobs.
• While some will accept this idea due to security enhancement and protection of the IT Systems, some employees will never agree to have any Authenticator Application running on their personal devices. Prepare for this shock too 😉 The solution to this is to
  – Provide a company phone to these employees and have the Authenticator App installed for them.
  – Or have a desktop version of the Authenticator App installed on their workstation. This works but not seamless as the user will have to be with the device before he can access organisation resources remotely.

Prerequisites to rolling out MFA: Before planning a rollout, these important steps need to be considered.

• Does the MFA support self-service password reset (SSPR)? This is very vital when a user forgets his/her password.
• Decide on the technology to employ such as Azure AD because of its advanced functionalities or any other 3rd party MFA system.
• With this in mind, you can decide if you will be protecting on-premise IT infrastructure alone or both on-premise and cloud (hybrid environment).
• Also, are you going to have multiple MFA systems in the organization, because some applications have their own inbuilt MFA, in this way, you will have a different account for each application in the authenticator app. Or have an MFA Server deployed to handle all that in a unified manner.
• Identify the core IT systems that MFA will be implemented on.
• Identify the potential impact it will have in your environment (if a complaint arises in the future or issues arises from the implementation).
• Lastly, know rolling out MFA is an organization-wide decision and as such everyone should be involved ranging from the IT security team, Human resources, stakeholders, etc., in this way everyone will be in the loop and if any issue arises in the future, it will be taken likely.
• Provide documentation and support (guide) on how to set-up their MF-Authenticator app and usage of the app and communicate to them the essence of the setup (to protect their data and account etc).
• Data of rollout should be communicated upfront via email etc.
• Investigate applications that are not capable of utilizing MFA (due to its legacy and basic authentication mechanism configured. If this is the case, have them upgraded and updated in order to support modern authentication and MFA. These are the IT systems you want to protect. When this is currently not feasible, set firewall rules or policies to protect these applications and make access possible only via the corporate network or via VPN only.

What MFA options are recommended

1. It is advisable to deploy MFA with less friction by using biometrics in devices or FIDO2 compliant factors such as Feitan or Yubico security keys. It is preferable (advisable) to use these solutions without overhead than using SMS.
2. Phone-based authentication apps such as Google and Microsoft Authenticator are very good options to protect user accounts as they do not have to share this device with other users etc.,
3. Also consider, frequent travelers when implementing MFA in your organization as they may travel to locations without roaming possibilities or connectivity issue. To resolve this issue, select the OATH verification code option.

Note: NIST is no longer recommending Two-factor Authentication using “Out-of-band authentication [SMS or voice] because of its vulnerability risk that SMS messages may be intercepted or redirected, or SIM swapped). This is the reason, Banks are changing from SMS based 2FA. The links below for further information.
– https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
– https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/
– https://pages.nist.gov/800-63-3/sp800-63b.html
– https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/

Here are some reports on SIM Swap for further reasons why NIST no longer recommends this method of authentication.
– https://www.theguardian.com/money/2015/sep/26/sim-swap-fraud-mobile-phone-vodafone-customer
– https://www.dos.ny.gov/consumerprotection/scams/att-sim.html

Note: Using SMS as a 2FA is still far better than not using any MFA option. When you don’t use two-factor authentication, someone only needs your password to sign into your account. When you use two-factor authentication with SMS, someone will need to both acquire your password and gain access to your text messages to gain access to your account.

SMS is much more secure than nothing at all. As discussed above, using an Authenticator App such as Microsoft or Google Authenticator App is recommended. But when this is far fetched, and it is the only option left to you, please deploy it as it relatively better than not having a second layer of security at all.

Note: Never allow your application to trust your browser. In this way, when the device is compromised, access to these applications (resources) will not be possible.

Rolling out MFA
It is advisable to start off with the IT departments as proof of concept for the entire organization. (Implement this for some privilege users) as they are the highest-value target.
– Plan a pilot deployment after successfully testing with the IT department, you can continue rolling MFA on a bulk process across the organization without hampering the productivity of your colleagues.

Alternatives to MFA
The biometric option is an alternative to MFA using a fingerprint or facial sign-in option available via Windows Hello for Business. See the following link for more information https://techdirectarchive.com/2020/01/19/preparing-guild-to-deploying-windows-hello-for-business/
– Depending on your MFA solution you are deploying, include the mobile device management (MDM), so devices can be managed via MDM and conditional Access can be defined also as this will add an additional layer of security to your organisation.

It is worthy to note that Azure provides ways to protect your application by using condition access polities and Azure AD Identity Protection and when this triggers an additional two steps verification when risks are detected. When you do not have Azure AD to defines these criteria, kindly make MFA registration mandatory for everyone in the organization and part of the onboarding process for new employees.

Have a Support Plan in Place
In case of failed sign-ins and account lockouts, have a plan for lost devices. (Some MFA solutions have the ability to have these associated phone number changed or the Authenticator added).
– Also, have a messaging (ticketing) platform in place for reporting known MFA issues.

SQL Vulnerability Assessment is a new feature embedded in some of the most recent versions of SQL Server Management Studio (SSMS).

This feature is relatively very easy to use and it will show you all the security vulnerabilities and anomalies in your SQL database. Following best practice, it is recommended to apply strict security practices thereby ensuring that client’s data are not compromised.

If you currently do not have SQL Server Management Studio (SSMS) installed on your PC or Server, kindly follow this link to have it downloaded. https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15

Click on Download SSMS as shown in the link above.

In this example, I will be performing Vulnerability Assessment of one of my databases named “SolarWindOrion” as shown below.
Note: Orion is a performance management and fault management application that allows you to view the real-time statistics of your network directly from your web browser. This Db is actually used for this task in my laboratory and I wish to remediate and protect the Database.

-Right-click on the database "SolarWindOrion" in SSMS, 
- Navigate to “Tasks”, 
- Then to “Vulnerability Assessment” and 
- Click on “Scan for Vulnerabilities” as shown below

Select the right location where the report will be saved as shown below.

Now Click on Okay and This will execute and prompte any found vulnerability below. See associated errors from my scans below.

Now you will be able to view the scan reports in SSMS. The details of the performed security checks such as failed checks and other information are available in a readable format.

Click on one of the errors displayed. Let’s click on the first error as shown above. See the new image of the detailed checks below.

Since these details are self-explanatory, I will proceed and attached a new image showing the fix (remediation) as suggested by Microsoft in order to fix this issue.

Note: The Suggested remediation can be opened in the Querry Editor on a new SQL Querry Window and executed as shown below. In this way, we can have our database protected as suggested by Microsoft (Baseline)

Note: It is recommended to review the scan report, perform the necessary actions and run the scan again to ensure that all security risks are mitigated.