This scenario was discoverd in the real world.
A VPN solution which had a device verification functionality which is all fine but the problem was that the verification is executed only on the client side.
And you don’t only want to protect from external attackers but also users connecting their home PC to the internal network.
We only want managed devices on the inside and one unmanaged home device with i.e. no AV and lots of keyloggers and other malicious code running.
When this kind of verifications are executing on the client side there is no guarantee that the outcome is correct (which is why certificate based authentication is prefered as one of the factors since you can assure that it’s your internal device)
In this example there was a client side verification which was querying (amongst other things) a file on the local system.
The endpoint compliancy failed due to some security setting
Remediation required
Let’s do the same thing again with procmon running
The service tries to query for a file in the c:\windows\system32 folder xxx.dll
So we create an empty dummy file, xxx.dll.
When we try to connect again with process monitor running we have a different result.
And we are prompted for user name and password, and hopefully this customer has an extra factor of protection, like SMS or certificate
Certificate is the best way to verify a device, to verify a user it depends on your identity management and how you choose to manage the identities and how to verify them