In the world of cybersecurity, trust in your Managed Service Provider (MSP) is critical. They’re responsible for safeguarding your organization’s IT infrastructure, maintaining compliance, and responding to threats. However, during a recent internal penetration test, I discovered serious gaps in how an MSP was managing their client’s network. These vulnerabilities allowed me to gain domain admin privileges in just over an hour—a result that underscores the importance of ensuring your MSP is doing more than the bare minimum to protect your business.
Let’s break down what went wrong, why it matters, and what your organization should be demanding from your MSP to avoid similar risks.
How the Test Played Out: A Step-by-Step Breakdown
During the penetration test, I encountered a network with no network access controls, weak protocols in use, and limited visibility into suspicious activity. Here’s a closer look at the critical missteps:
1. Lack of Network Access Control (NAC)
One of the most glaring issues was the complete absence of network access control. This meant that once I connected to the internal network, I had free rein to scan and interact with devices without restriction. Network access control is a foundational security measure that ensures only authorized devices can connect to a network. Without it, attackers can quickly move laterally and escalate their privileges.
2. No Detection or Prevention of Scanning Activity
Despite conducting scans and probing for vulnerabilities, the network had no mechanisms in place to detect my activities. While some detections were logged later, the lack of active blocking allowed me to continue my attack unhindered. A well-configured Security Information and Event Management (SIEM) system or Intrusion Detection System (IDS) should have flagged my scans in real-time and triggered appropriate responses.
3. Weak Protocols Like LLMNR Were Enabled
Link-Local Multicast Name Resolution (LLMNR) is a legacy protocol that attackers often exploit to intercept authentication traffic and steal credentials. In this case, LLMNR was enabled, allowing me to capture and crack user hashes easily. Disabling weak protocols like LLMNR and NetBIOS is a simple yet effective way to reduce an attacker's ability to gain a foothold.
4. Password Reuse at the MSP Level
One of the most alarming discoveries was that the MSP was reusing passwords across multiple systems. This practice made it trivial for me to escalate my privileges once I captured a single hash. MSPs are entrusted with managing sensitive systems and credentials, so password hygiene must be a top priority.
5. Gaining Domain Admin in Just Over an Hour
Within a little over an hour, I successfully elevated my access to domain admin. This level of control allowed me to manage the entire network, access sensitive data, and disrupt operations. The speed at which this was achieved highlights the ease with which a poorly managed network can be compromised.
6. No Effective Blocking Mechanisms
While some detections were logged, the client and their MSP lacked the ability to block my activity in real-time. Without proper endpoint detection and response (EDR) tools, the ability to act on detections is significantly hampered. Logging alone isn’t enough—you need systems in place to actively prevent malicious actions as they occur.
Lessons Learned: What Your MSP Should Be Doing
This penetration test revealed systemic failures in the MSP’s approach to network management and security. Here’s what every organization should demand from their MSP to avoid similar risks:
1. Implement Network Access Control (NAC)
Your MSP should ensure that only authorized devices can connect to your network. This includes implementing VLAN segmentation, device authentication, and strict access controls to prevent lateral movement.
2. Proactively Monitor and Respond to Threats
Detection without response is like a burglar alarm with no police backup. Your MSP should deploy EDR solutions capable of identifying suspicious activity and stopping attacks in their tracks. This includes real-time alerts and automated responses to prevent escalation.
3. Disable Weak Protocols
Protocols like LLMNR and NetBIOS should be disabled across all systems. Your MSP should regularly audit your network for legacy configurations and implement modern, secure alternatives.
4. Enforce Strong Password Policies
Password reuse is inexcusable, especially at the MSP level. Your MSP should enforce unique, complex passwords across all systems and implement multi-factor authentication (MFA) for added security.
5. Conduct Regular Penetration Tests
Penetration tests aren’t just for checking compliance boxes—they’re essential for identifying weaknesses before attackers can exploit them. Your MSP should either conduct regular internal and external tests or partner with experts who can.
6. Review and Improve Incident Response Plans
Detections are only as good as the response they trigger. Your MSP should have a robust incident response plan in place, with clear protocols for containing and mitigating threats. This includes immediate isolation of affected systems and thorough post-incident analysis.
Why This Matters
The vulnerabilities exposed during this penetration test serve as a cautionary tale for organizations relying on MSPs to manage their cybersecurity. An MSP is not just a service provider—they’re a partner in protecting your business. If they’re cutting corners, the risks extend directly to you.
Organizations must hold their MSPs accountable by asking tough questions about their security practices, demanding transparency, and ensuring proactive measures are in place to defend against modern threats.
Conclusion
Cybersecurity isn’t a one-size-fits-all solution, but there are basic practices that every MSP should follow to protect their clients. If your MSP isn’t implementing network access control, disabling weak protocols, or monitoring and responding to threats effectively, you’re at risk of becoming the next headline.
At iFlock Security Consulting, we specialize in identifying and addressing vulnerabilities like the ones described above. Whether it’s through penetration testing, MSP evaluations, or implementing robust defenses, we help businesses secure their networks and hold their partners accountable.
To learn more about our services or to schedule a penetration test, contact us at 1-833-4-HAXORS or visit iflockconsulting.com. Don’t let what your MSP isn’t doing become your biggest vulnerability.
