Passing MFA doesn't mean a session is safe: attackers can hijack tokens and bypass identity checks. Specops Software explains why Zero Trust must verify both user identity and device health. [...]
# Best Practices: Zero Trust & Device Health Verification
## Overview
These practices address the vulnerability of "identity-only" authentication. Traditional Multi-Factor Authentication (MFA) verifies *who* a user is but fails to verify the safety of the *environment* from which they are connecting. By integrating device health into the Zero Trust workflow, organizations can prevent session hijacking and token theft—attacks where hackers bypass MFA by stealing the browser cookies of an already authenticated user.
## Key Recommendations
### Immediate Actions
1. **Audit Active Directory Passwords:** Use free tools to identify weak or compromised credentials already present in your environment.
2. **Enable MFA Everywhere:** If not already implemented, enforce MFA for all remote and privileged access.
3. **Inventory Unmanaged Devices:** Identify "Shadow IT" where personal, unpatched, or third-party devices are accessing corporate resources.
### Short-term Improvements (1-3 months)
1. **Implement Conditional Access:** Configure policies that require more than just a username/password, adding signals like geographical location or IP reputation.
2. **Deploy Phishing-Resistant MFA:** Move away from SMS or push-based MFA toward FIDO2 or hardware tokens to counter "MFA fatigue" and callback phishing.
3. **Blacklist Compromised Passwords:** Implement a dynamic password policy that blocks the use of known leaked credentials (over 4 billion known compromised passwords).
### Long-term Strategy (3+ months)
1. **Integrate Device Trust Posture:** Embed automated checks into the login workflow. Access should be denied if a device is unpatched, lacks active Antivirus, or is missing disk encryption.
2. **Continuous Monitoring:** Transition from "static" authentication (checking identity once at login) to continuous session verification to detect token theft in real time.
3. **Zero Trust Architecture (ZTA):** Eliminate the concept of "trusted" network segments; treat internal and external traffic with equal scrutiny.
## Implementation Guidance
### For Small Organizations
- Focus on low-overhead SaaS-based security policies.
- Prioritize blocking compromised passwords in Active Directory and enforcing MFA for all cloud services (M365/Google Workspace).
### For Medium Organizations
- Implement **Specops Device Trust** or similar solutions to bridge the gap between identity and endpoint health.
- Enforce strict policies for third-party contractors, requiring them to pass health checks before accessing internal portals.
### For Large Enterprises
- Focus on **Lateral Movement Prevention**. Use micro-segmentation to ensure that a compromised token on one device cannot be used to move throughout the entire network.
- Automate remediation: If a device fails a health check, provide a self-service path for the user to update their OS or Antivirus to regain access.
## Configuration Examples
* **Device Health Signals:** Configure your identity provider (IdP) to check for the following "Healthy" flags before issuing a session token:
  * `OS_Version` >= [Current Patch Level]
  * `Antivirus_Status` == "Active/Updated"
  * `Firewall_Status` == "Enabled"
  * `Disk_Encryption` == "True"
* **Session Token Policies:** Shorten session lifetimes for high-risk users to limit the window of opportunity for stolen tokens.
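The following is an added illustration of the policy logic described above, not code from Specops or from any IdP: it evaluates the four health flags and the managed/unmanaged status of a device, refuses to issue a token on a failed check (routing the user to remediation instead), and shortens the session lifetime for high-risk users and unmanaged devices. The field names, the patch baseline and the lifetimes are assumptions to be replaced with your own values.

```python
from dataclasses import dataclass
from datetime import timedelta

@dataclass
class DevicePosture:
    """Constructed posture snapshot mirroring the 'Healthy' flags above."""
    os_version: tuple        # e.g. (10, 0, 19045); compared as a version tuple
    antivirus_status: str    # "Active/Updated", "Active/Stale", "Disabled"
    firewall_status: str     # "Enabled" or "Disabled"
    disk_encryption: bool
    managed: bool            # company-issued (True) vs. personal/unmanaged (False)

# Assumed patch baseline: placeholder, set from your own patch-management data.
MIN_OS_VERSION = (10, 0, 19045)

# Assumed session lifetimes: long for healthy managed devices, short for risk.
DEFAULT_SESSION = timedelta(hours=8)
HIGH_RISK_SESSION = timedelta(minutes=30)


def evaluate_posture(p: DevicePosture) -> list:
    """Return the list of failed health checks; an empty list means healthy."""
    failures = []
    if p.os_version < MIN_OS_VERSION:
        failures.append("OS_Version below patch baseline")
    if p.antivirus_status != "Active/Updated":
        failures.append("Antivirus_Status is not Active/Updated")
    if p.firewall_status != "Enabled":
        failures.append("Firewall_Status is not Enabled")
    if not p.disk_encryption:
        failures.append("Disk_Encryption is not enabled")
    return failures


def access_decision(p: DevicePosture, mfa_passed: bool, high_risk_user: bool = False):
    """Return (action, session_lifetime, failures). Passing MFA alone never grants access."""
    if not mfa_passed:
        return ("deny", None, ["MFA not satisfied"])
    failures = evaluate_posture(p)
    if failures:
        # No token is issued; the user gets a self-service remediation path instead.
        return ("remediate", None, failures)
    if not p.managed:
        # Healthy but unmanaged hardware: allow, with a short session to limit token theft impact.
        return ("allow", HIGH_RISK_SESSION, [])
    lifetime = HIGH_RISK_SESSION if high_risk_user else DEFAULT_SESSION
    return ("allow", lifetime, [])


if __name__ == "__main__":
    laptop = DevicePosture((10, 0, 19041), "Active/Stale", "Enabled", True, True)
    print(access_decision(laptop, mfa_passed=True))
```

Re-running `access_decision` on a fresh posture snapshot at intervals during the session is the "continuous verification" step from the long-term strategy above.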
## Compliance Alignment
- **NIST 800-207:** Directly aligns with Zero Trust Architecture (ZTA) tenets.
- **CIS Controls (v8):** Supports Control 6 (Access Control Management) and Control 13 (Network Monitoring).
- **ISO/IEC 27001:** Addresses access control and endpoint security requirements.
## Common Pitfalls to Avoid
- **The "Identity Vacuum":** Assuming a successful MFA login means the session is safe.
- **Ignoring Managed vs. Unmanaged Devices:** Allowing personal laptops to connect with the same privileges as company-issued, hardened devices.
- **Static Trust:** Failing to re-verify a session once it has started, allowing "living-off-the-land" attacks.
## Resources
- **Specops Device Trust:** hxxps[://]specopssoft[.]com/product/infinipoint/
- **Password Auditor:** hxxps[://]specopssoft[.]com/product/specops-password-auditor/
- **Zero Trust Maturity Model:** hxxps[://]www[.]cisa[.]gov/zero-trust-capability-maturity-model
- **NIST Zero Trust News:** hxxps[://]www[.]nist[.]gov/topics/zero-trust-architecture