thehackernews.com 3/5/2026, 11:28:16 AM

MFA Won't Stop Windows Logon Attacks via NTLM and Kerberos Abuse

Many organisations deploy multi-factor authentication (MFA) and assume a stolen password is no longer enough for an attacker, but in Windows environments that assumption is often wrong. The article explains that MFA is typically enforced by an identity provider (IdP) such as Microsoft Entra ID, Okta or Google Workspace, while logons to domain-joined Windows systems are validated by on-prem Active Directory over Kerberos or NTLM. A logon that never touches the IdP never sees its MFA policy, so on those paths a valid AD password is still sufficient on its own.

It outlines seven Windows authentication paths attackers rely on: interactive Windows logon, direct RDP access, NTLM authentication, Kerberos ticket abuse, local administrator accounts, SMB authentication and lateral movement, and service accounts. None of these paths involves the cloud IdP, so none of them prompts for a second factor: even where every cloud app sits behind MFA, a compromised AD credential still works on-prem, and these legacy and on-prem pathways become the route around the MFA controls.
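The paths above are visible in the Windows Security log: every successful logon writes event 4624, whose LogonType and AuthenticationPackageName fields say which path was used. The script below is an added example, not code from the article or from Specops; it classifies parsed 4624 records by path and annotates why each one sits outside the IdP's MFA policy. The field names are the standard 4624 EventData names, the domain name `CORP`, the account names and the sample events are constructed for illustration, and the commented Get-WinEvent line shows how to feed it real events.

```powershell
# Added example (not from the article): classify 4624 logon events by authentication path.
# Every path listed here is validated by a domain controller (Kerberos/NTLM) or the local SAM;
# none of them consults the cloud IdP, so none of them triggers its MFA policy.

$LogonTypeNames = @{
    2  = 'Interactive (console logon)'
    3  = 'Network (SMB, RPC, WinRM)'
    4  = 'Batch (scheduled task)'
    5  = 'Service (service logon)'
    7  = 'Unlock'
    8  = 'NetworkCleartext (e.g. IIS basic auth)'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive (cached domain creds)'
}

function Get-WindowsLogonPath {
    # Input: objects carrying the 4624 EventData fields. Output: one record per user logon,
    # naming the path and why it sits outside the IdP's MFA policy.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object]$Event,
        [string]$DomainName = $env:USERDOMAIN   # NetBIOS name of the AD domain being audited
    )
    process {
        # Skip computer accounts and built-in principals; they are noise for this question.
        if ($Event.TargetUserName -like '*$' -or
            $Event.TargetDomainName -in 'NT AUTHORITY', 'Window Manager', 'Font Driver Host') { return }

        $type    = [int]$Event.LogonType
        $package = $Event.AuthenticationPackageName
        # For NTLM, LmPackageName names the flavour actually negotiated: LM, NTLM V1 or NTLM V2.
        if ($package -eq 'NTLM') { $package = $Event.LmPackageName }

        $notes = [System.Collections.Generic.List[string]]::new()
        switch ($package) {
            { $_ -in 'LM', 'NTLM V1' } { $notes.Add('NTLMv1/LM: weak and relayable, should be disabled') }
            'NTLM V2'                  { $notes.Add('NTLM: challenge/response on the password hash, no second factor') }
            'Kerberos'                 { $notes.Add('Kerberos: ticket issued by the DC, IdP never consulted') }
            'Negotiate'                { $notes.Add('Negotiate: SSPI picked Kerberos or NTLM, still on-prem only') }
        }
        if ($type -eq 10)                            { $notes.Add('RDP logon validated by AD, not by the IdP') }
        if ($type -in 4, 5)                          { $notes.Add('non-interactive account: MFA cannot apply') }
        if ($Event.TargetDomainName -ne $DomainName) { $notes.Add('local SAM account: outside AD policy entirely') }

        $typeName = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Type $type" }
        [PSCustomObject]@{
            User      = "$($Event.TargetDomainName)\$($Event.TargetUserName)"
            LogonType = $typeName
            Package   = $package
            Source    = $Event.IpAddress
            Notes     = $notes -join '; '
        }
    }
}

# Constructed sample events (not real log data) shaped like parsed 4624 EventData.
$SampleEvents = @(
    [PSCustomObject]@{ TargetUserName='alice';         TargetDomainName='CORP';      LogonType=10; AuthenticationPackageName='Kerberos';  LmPackageName='-';       IpAddress='10.0.0.25'; WorkstationName='LAPTOP-A' }
    [PSCustomObject]@{ TargetUserName='alice';         TargetDomainName='CORP';      LogonType=3;  AuthenticationPackageName='NTLM';      LmPackageName='NTLM V2'; IpAddress='10.0.0.25'; WorkstationName='LAPTOP-A' }
    [PSCustomObject]@{ TargetUserName='svc_backup';    TargetDomainName='CORP';      LogonType=5;  AuthenticationPackageName='Negotiate'; LmPackageName='-';       IpAddress='-';         WorkstationName='-' }
    [PSCustomObject]@{ TargetUserName='Administrator'; TargetDomainName='FILESRV01'; LogonType=3;  AuthenticationPackageName='NTLM';      LmPackageName='NTLM V1'; IpAddress='10.0.0.99'; WorkstationName='UNKNOWN' }
    [PSCustomObject]@{ TargetUserName='FILESRV01$';    TargetDomainName='CORP';      LogonType=3;  AuthenticationPackageName='Kerberos';  LmPackageName='-';       IpAddress='10.0.0.40'; WorkstationName='-' }
)
$SampleEvents | Get-WindowsLogonPath -DomainName 'CORP' | Format-Table -AutoSize

# Against a real host (reading the Security log needs local admin):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ForEach-Object { $x = [xml]$_.ToXml(); $h = @{}
#                      foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
#                      [PSCustomObject]$h } |
#     Get-WindowsLogonPath -DomainName $env:USERDOMAIN | Where-Object Notes
```

Run against the sample, the two `alice` rows make the article's point in one screen: the same user logs on over RDP with Kerberos and over the network with NTLMv2, and neither record shows any hint of the IdP. The `FILESRV01\Administrator` row is the local-admin path, flagged both because the domain field is a host name and because LmPackageName reveals NTLMv1, which is worth its own alert regardless of MFA.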

The practical steps it lists are enforcing stronger AD password policies, blocking known-compromised passwords, reducing exposure to legacy authentication, and auditing service accounts to rein in privilege creep; Specops Secure Access is cited as a product for extending MFA to Windows logon and to VPN/RDP connections. The piece's overall argument is that closing these gaps means treating Windows authentication as its own attack surface and putting controls on both the modern and the legacy paths, rather than assuming the IdP's MFA reaches them.
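Of the steps above, the service-account audit is the one most often skipped, because those accounts never show up in an MFA rollout. The script below is an added example, not code from the article or from Specops, and shows what such an audit checks: accounts with a service principal name (SPN) whose password never expires or is years old, that have Kerberos pre-authentication disabled, that are trusted for unconstrained delegation, that have gone stale, or that sit in privileged groups. `Test-ServiceAccountRisk` works on any object carrying the listed Get-ADUser properties, so it is exercised on a constructed sample object; the live query at the end runs only when the ActiveDirectory RSAT module is installed. The group list, the thresholds and the sample account `svc_backup` are assumptions for illustration.

```powershell
# Added example (not from the article): audit AD service accounts for MFA-less standing access.
# Requires the ActiveDirectory RSAT module for the live query; the sample object needs nothing.

$PrivilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Account Operators', 'Backup Operators', 'Schema Admins'
$MaxPasswordAgeDays = 365   # assumption: one year is the audit threshold for service passwords
$StaleLogonDays     = 90    # assumption: no logon in 90 days means the account may be dead weight

function Test-ServiceAccountRisk {
    # Input: an object with the Get-ADUser properties used below. Output: one finding record.
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        $now = Get-Date

        if ($User.PasswordNeverExpires) { $findings.Add('password never expires') }
        if ($User.PasswordLastSet -and $User.PasswordLastSet -lt $now.AddDays(-$MaxPasswordAgeDays)) {
            $age = $now - $User.PasswordLastSet
            $findings.Add("password last set $([int]$age.TotalDays) days ago")
        }
        if ($User.DoesNotRequirePreAuth) { $findings.Add('Kerberos pre-authentication disabled (AS-REP roastable)') }
        if ($User.TrustedForDelegation)  { $findings.Add('unconstrained delegation') }
        if ($User.LastLogonDate -and $User.LastLogonDate -lt $now.AddDays(-$StaleLogonDays)) {
            $findings.Add("no logon in $StaleLogonDays days: candidate for removal")
        }
        # MemberOf holds distinguished names; take the CN and compare against the privileged list.
        # Direct membership only: nested membership needs Get-ADGroupMember -Recursive per group.
        $privileged = @($User.MemberOf) | ForEach-Object { (($_ -split ',')[0] -replace '^CN=') } |
                      Where-Object { $_ -in $PrivilegedGroups }
        if ($privileged) { $findings.Add("member of: $($privileged -join ', ')") }

        [PSCustomObject]@{
            Account  = $User.SamAccountName
            SPNs     = @($User.ServicePrincipalName).Count
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample shaped like a Get-ADUser result; not a real account.
$Sample = [PSCustomObject]@{
    SamAccountName        = 'svc_backup'
    ServicePrincipalName  = @('MSSQLSvc/db01.corp.example:1433')
    PasswordNeverExpires  = $true
    PasswordLastSet       = (Get-Date).AddYears(-4)
    LastLogonDate         = (Get-Date).AddDays(-3)
    DoesNotRequirePreAuth = $false
    TrustedForDelegation  = $false
    MemberOf              = @('CN=Domain Admins,CN=Users,DC=corp,DC=example')
}
$Sample | Test-ServiceAccountRisk | Format-List

# Live query: every enabled user with at least one SPN is a candidate service account.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $Props = 'ServicePrincipalName', 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate',
             'DoesNotRequirePreAuth', 'TrustedForDelegation', 'MemberOf'
    Get-ADUser -Filter { Enabled -eq $true -and ServicePrincipalName -like '*' } -Properties $Props |
        Test-ServiceAccountRisk | Where-Object Findings | Sort-Object Account | Format-Table -AutoSize
}
```

Two caveats when reading the output. `MemberOf` does not include an account's primary group or groups reached through nesting, so a service account tucked into a group that is itself in Domain Admins will not be flagged here; resolve nesting with `Get-ADGroupMember -Recursive` on each privileged group instead. And the SPN filter only finds accounts that advertise a service; accounts used by scheduled tasks or embedded in application config with no SPN need a separate pass over 4624 batch and service logons.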


Article by CyberSIXT