Universal Identity Defense for Legacy and On-Prem Applications with Beyond Identity and CrowdStrike
The Problem: Legacy Protocols Lack MFA
Legacy applications still rely on authentication protocols like New Technology LAN Manager (NTLM) and Kerberos. These protocols were never designed to support phishing-resistant MFA, creating critical coverage gaps that adversaries exploit.
Identity-based attacks are the leading cause of breaches, according to the Verizon DBIR. Attackers routinely abuse NTLM and Kerberos for:
- Initial access into enterprise networks
- Lateral movement between systems
- Privilege escalation to gain domain-level control
Modern identity protocols — OAuth 2.0, Security Assertion Markup Language (SAML), and OpenID Connect (OIDC) — enable stronger authentication flows and MFA enforcement, but many legacy systems cannot support these standards. Organizations are forced to keep these weak entry points in place, which undermines their broader security posture: the systems that cannot be modernized are often as vulnerable as they are valuable.
Closing the Gap with Beyond Identity + CrowdStrike
Beyond Identity, an identity and access management (IAM) platform, has expanded its integration with CrowdStrike to bring phishing-resistant MFA and device trust to Active Directory resources.
Organizations can now enforce strong authentication on any resource that authenticates against AD — without rewriting applications or changing infrastructure. This integration works within the CrowdStrike Falcon® Identity Threat Detection and Response (ITDR) module, extending protection across hybrid and legacy environments.
How the Integration Works
- The CrowdStrike ITDR agent runs on AD domain controllers and inspects authentication requests in real time.
- CrowdStrike ITDR policies trigger Beyond Identity authentication and access controls when specified legacy protocols are detected.
- Beyond Identity validates the user with device-bound credentials for phishing-resistant MFA and checks device posture with 45+ CrowdStrike risk signals and native real-time device posture signals.
- Access is granted only when the user is strongly authenticated and risk policy conditions are met.
Benefits of Beyond Identity + CrowdStrike ITDR
- Extend phishing-resistant MFA to Kerberos, NTLM, LDAP, and SMB.
- Secure RDP, SSH, and VPN access without code changes.
- Protect legacy and homegrown applications.
- Enforce device trust using real-time risk signals from CrowdStrike.
Use Cases
This capability allows organizations to address identity attacks, the #1 cause of security incidents, across a wide range of use cases in their IT environment, including:
- IT Infrastructure and Admin Access: Secure administrative access through Remote Desktop Protocol (RDP), Secure Shell protocol (SSH), and desktop logins. When an administrator uses a privileged access tool that authenticates via Kerberos or NTLM, Beyond Identity’s policy can enforce a cryptographic identity verification step, ensuring privileged sessions are initiated only by authorized and verified users and devices.
- Legacy and Homegrown Applications: Mitigate the risks associated with critical business applications that cannot be easily updated. By enforcing a step-up authentication for requests using NTLM or LDAP, you can add a layer of modern security without modifying application code.
- File Systems, Databases, and Remote Access: Protect access to sensitive data on file shares (via SMB) or through remote access solutions like VPNs and VDI/Citrix environments. This ensures that every connection to internal resources is authenticated with a high degree of trust.
Stop Lateral Movement that Exploits RDP with Beyond Identity + CrowdStrike ITDR
Consider a common lateral movement technique where an attacker, having acquired legitimate credentials, uses Remote Desktop Protocol (RDP) to access a high-value server. Since RDP natively relies on Kerberos or NTLM, stolen credentials alone are often sufficient to gain access.
With this integrated solution, organizations can effectively mitigate this risk. An IT security administrator can configure a policy in the CrowdStrike Falcon console to monitor for authentication requests using the NTLM protocol.
How the Integration Stops an RDP Attack
- The attack begins: An adversary steals valid NTLM credentials and attempts to open an RDP session to a domain-joined server.
- Access request detected: The Falcon agent on the domain controller sees the NTLM authentication request tied to the RDP attempt.
- Policy enforcement activated: Falcon ITDR policy recognizes the high-risk trigger and immediately enforces authentication through Beyond Identity (configured as an OIDC connector).
- The roadblock: The attacker can’t successfully respond to the challenge because they don’t have a device-bound, hardware-backed credential.
- Device posture evaluation: Beyond Identity simultaneously verifies device posture, including geolocation, MDM/EDR status, jailbreak/root indicators, and more, including 80+ CrowdStrike XDR signals.
- Outcome: Access is denied before the RDP session is established. The stolen NTLM credential is worthless without the right device, posture, and device-bound cryptographic token.
This process provides a frictionless experience for the authorized user while establishing an effective control that prevents an attacker with compromised credentials from successfully completing the RDP login.
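The two procedures above (the protocol-triggered step-up in "How the Integration Works" and the RDP walk-through) come down to one decision loop: spot an NTLM-backed RDP logon, challenge the endpoint for a proof that only an enrolled device can produce, and then gate on posture. The Python below is an added illustration of that loop, not Beyond Identity or CrowdStrike code, and does not use either vendor's API. It assumes constructed Windows Security Event ID 4624 records (logged on the RDP target; the domain-controller-side view of the same NTLM validation is Event ID 4776), uses an HMAC with a per-device secret as a stand-in for the hardware-backed asymmetric credential, and a three-field `Posture` record in place of the vendor risk signals. It also shows why the check has to be cryptographic: the `WorkstationName` in an NTLM logon is client-supplied, so the attacker in the sample simply claims to be the admin workstation.

```python
"""Detect NTLM-backed RDP logons and model the step-up decision that the
post describes. Added example, not Beyond Identity or CrowdStrike code;
every event record, device key and posture value below is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed Windows Security events using Event ID 4624 field names.
# 4624 is logged on the host that creates the session (the RDP target);
# the DC sees the same NTLM validation as Event ID 4776.
SAMPLE_EVENTS = [
    # Attacker with a stolen password; WorkstationName is client-supplied
    # in NTLM, so they claim to be the admin's machine. Note the source IP.
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "svc_backup",
     "WorkstationName": "WS-ADMIN01", "IpAddress": "10.0.9.77"},
    # Real admin; Negotiate fell back to NTLM (visible in LmPackageName).
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "LmPackageName": "NTLM V2", "TargetUserName": "adm.jdoe",
     "WorkstationName": "WS-ADMIN01", "IpAddress": "10.0.5.23"},
    # Same admin over Kerberos: the NTLM policy does not fire.
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "adm.jdoe",
     "WorkstationName": "WS-ADMIN01", "IpAddress": "10.0.5.23"},
    # SMB network logon (LogonType 3), not RDP.
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "svc_backup",
     "WorkstationName": "FS01", "IpAddress": "10.0.5.40"},
]

def is_ntlm_rdp_logon(ev):
    """LogonType 10 is RemoteInteractive (RDP). NTLM appears either as the
    package itself or as what Negotiate fell back to (LmPackageName)."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
        return False
    pkg = ev.get("AuthenticationPackageName", "").upper()
    lm = ev.get("LmPackageName", "").upper()
    return pkg == "NTLM" or lm.startswith("NTLM")

def find_ntlm_rdp_logons(events):
    return [ev for ev in events if is_ntlm_rdp_logon(ev)]

@dataclass
class Posture:
    edr_running: bool
    disk_encrypted: bool
    rooted: bool

# Enrolled devices. The secret stands in for a key that would live in the
# device's TPM or secure enclave; HMAC stands in for an asymmetric signature.
ENROLLED = {"WS-ADMIN01": secrets.token_bytes(32)}

def device_sign(device, challenge):
    """What an enrolled endpoint does with the step-up challenge."""
    return hmac.new(ENROLLED[device], challenge, hashlib.sha256).digest()

def verify_step_up(device, challenge, response, posture):
    key = ENROLLED.get(device)
    if key is None:
        return "deny: device not enrolled"
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return "deny: challenge response invalid"
    if not posture.edr_running or not posture.disk_encrypted or posture.rooted:
        return "deny: device posture"
    return "allow"

def decide(ev, endpoint):
    """endpoint(challenge) -> (response, Posture): whatever the machine behind
    the logon can actually produce. Non-NTLM logons pass through untouched
    because the policy only triggers on the legacy protocol."""
    if not is_ntlm_rdp_logon(ev):
        return "allow: policy not triggered"
    challenge = secrets.token_bytes(16)  # fresh per attempt, so old responses cannot be replayed
    response, posture = endpoint(challenge)
    return verify_step_up(ev["WorkstationName"], challenge, response, posture)

def simulate():
    good = Posture(edr_running=True, disk_encrypted=True, rooted=False)
    legit = lambda c: (device_sign("WS-ADMIN01", c), good)          # enrolled admin workstation
    thief = lambda c: (secrets.token_bytes(32), good)                # stolen password, no device key
    stale = device_sign("WS-ADMIN01", b"challenge captured earlier")
    replay = lambda c: (stale, good)                                 # replays an old response
    sensor_off = lambda c: (device_sign("WS-ADMIN01", c), Posture(False, True, False))
    return {
        "attacker": decide(SAMPLE_EVENTS[0], thief),
        "admin": decide(SAMPLE_EVENTS[1], legit),
        "admin_replay": decide(SAMPLE_EVENTS[1], replay),
        "admin_sensor_off": decide(SAMPLE_EVENTS[1], sensor_off),
        "kerberos": decide(SAMPLE_EVENTS[2], thief),
    }

if __name__ == "__main__":
    for ev in find_ntlm_rdp_logons(SAMPLE_EVENTS):
        print("NTLM RDP logon:", ev["TargetUserName"], "from", ev["IpAddress"])
    for name, outcome in simulate().items():
        print(f"{name:17} -> {outcome}")
```

The point of the `replay` and `attacker` cases is that the password and the claimed workstation name are both things an adversary can present; only the per-attempt challenge signed by the enrolled device's key is not. The Kerberos case shows the other side of the same design: a policy keyed on "NTLM detected" leaves Kerberos logons untouched, so coverage of Kerberos needs its own trigger, as the benefits list above says the integration provides.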
Integration Demo
In this demonstration, we show how to configure an Identity Verification policy within the CrowdStrike Falcon ITDR console. We walk through the steps to create a rule that triggers the Beyond Identity OIDC connector when the NTLM protocol is detected, providing immediate protection for services like RDP and other legacy applications against credential-based attacks.
Together, a Comprehensive Approach to Identity Defense
This capability deepens the Beyond Identity and CrowdStrike integration. Beyond Identity’s IAM platform already queries device risk signals from CrowdStrike Falcon XDR during authentication. Now, with ITDR integration, identity threats can be blocked in real time across legacy environments.
The result is a system that enforces phishing-resistant MFA at every critical access point, eliminating the login risk adversaries exploit most often.
See how it works in your environment. Register for our webinar "Stop Lateral Movement in On-Prem Apps," or get a personalized demo.
CrowdStrike customers can turn CrowdStrike Marketplace CrowdCredits into free Beyond Identity users! Thanks to CrowdStrike's CrowdCredits giveaway promotion during Fal.con 2025, customers can secure more and pay less (up to 500 users free for 1 year) if they invest in Beyond Identity in alignment with the promotion's terms and conditions. Reach out or visit us at booth #1423 for more information.