MFA or logging for brute force attempts
Good afternoon all,
I am currently in the process of testing FOG for use in deployment of Windows 10. All testing has gone well so I sent the machine over to our IT Security team for testing. They came back and said the device was secure, but they are concerned about a brute force attack on the FOG management client, at which point a malicious user could upload and deploy tainted images or perform other malicious tasks.
To cure this, I am curious as to if there is a way to enable MFA for the main login page? Or, are there logs stored somewhere of login attempts that I can have our IT Security team create alerts for? If not, has anybody created a script to create these logs?
Either one of these two solutions should abate the concerns of our security team. Thank you in advance.
Yes thank you for clarifying. I WAS talking about AD event driven logging. Since they are concerned about brute force attacks, I assume that there is already in place some kind of reporting against AD password hacking. Then from FOG’s standpoint there is nothing to monitor since everything is hitting AD.
Just to clarify, what George meant was not actually AD logging done by FOG but using the LDAP plugin to connect FOG to an existing AD and keeping an eye on the login attempts there.
And yes, George is right that there are a couple of things that should be improved security-wise in FOG but we’d need more people to work on FOG to be able to add those.
@george1421 Thanks George, I’m going to look into AD logging. Confirmed what I was thinking. I appreciate your help!
Would connecting FOG web ui to AD suffice in the logging parts?
FOG currently does not support 2FA and is relatively insecure using today’s threat intelligence standards.
TBH there are a number of areas where FOG falls short, but in regards to your question if AD authentication is used then your monitoring of FOG login activities would follow along with whatever controls you have in place for monitoring your AD brute force attacks.
In regards to someone tweaking the install images, while it’s possible it would be more involved than just dropping a rootkit file in a directory and infecting a target system.