How users prove who they are and what they can do decides how far an attacker gets. Add MFA, tighten sudo, and grant privilege narrowly and temporarily.
Why: passwords alone are routinely stolen or guessed, so multi-factor authentication (something you have/are on top of the password) is the single highest-impact access control — it stops most credential attacks even when the password is known. When: require MFA for all remote and privileged access; harden SSH to keys and no root login. Where: this directly defeats the credential attacks from the pentest and detection courses.
# Harden SSH — a top target — in /etc/ssh/sshd_config:
PermitRootLogin no # no direct root login
PasswordAuthentication no # keys only (defeats password brute force)
PubkeyAuthentication yes
AllowUsers alice bob # explicit allowlist of who may log in
# Then require MFA for remote + privileged access everywhere it's supported.
# MFA is the biggest single win against stolen/guessed credentials.Why: users and services should hold the minimum rights needed, granted narrowly (and ideally temporarily) — because broad standing privileges turn any compromise into a disaster. When: replace shared admin logins with per-user sudo scoped to specific commands, and use role-based groups. Where: tight sudo and no NOPASSWD wildcards directly close the privilege-escalation paths from the pentest course.
# Grant narrow sudo instead of blanket root (in /etc/sudoers.d/, via visudo):
# %webops ALL=(root) /usr/bin/systemctl restart nginx # ONLY this command
# Avoid:
# alice ALL=(ALL) NOPASSWD: ALL # passwordless full root = a privesc gift
# Use groups for role-based access; audit membership regularly:
getent group sudo
# Prefer just-in-time elevation over standing admin rights where possible.Why: administrative access is the crown jewels, so it is funneled through controlled, monitored paths — a bastion/jump host, separate admin accounts, and no direct internet exposure of management interfaces — to shrink and watch the ways in. When: require admins to route through a hardened jump host and use dedicated admin identities. Where: this both limits lateral movement and creates a chokepoint you can log heavily.
Protect the privileged paths (attackers hunt for admin access):
[ ] a bastion / jump host is the ONLY route to admin interfaces
[ ] management ports (SSH/RDP) never exposed directly to the internet
[ ] separate admin identities from day-to-day accounts (no email on them)
[ ] MFA on every privileged login; heavy logging at the chokepoint
[ ] just-in-time / time-boxed elevation instead of standing admin
Fewer, monitored paths to power = less lateral movement, more visibility.