Dailydave mailing list archives

Re: Active Directory - a clear and present danger
From: Peter Bance via Dailydave <dailydave () lists aitelfoundation org>
Date: Sun, 25 Jul 2021 06:50:01 +0100

Funnily enough, I’ve just decommissioned our last Domain Controller - as you rightly say, AD is just too much pain/risk 
to keep in place. Azure AD for us - still not 100% ideal, but rapidly improving, and transfers a lot of the 
infrastructure/config pain to Microsoft themselves.

Obviously admins can still make horrible mistakes, but that’s easier to monitor than all config across an on-prem 
forest, and it’s far simpler to limit (or even eliminate) accidental or inherited elevated privileges.

There are other advantages - AAD enrolment for devices plus Autopilot provides very close control and visibility over 
device config/security and eliminates the need for (ugh) GPOs.

AAD won’t fit all use cases (e.g. heavily regulated environments, complex/legacy LDAP needs), but if an organisation 
only uses AD for identity (people+devices), it may be an option. There’s a lot of pain involved in migration, but in my 
view it was absolutely worth it.

If, however, an organisation is hell-bent on running their own infrastructure (in 2021?), I’m not sure there’s a “neat” 
alternative. Red Hat Directory Server, perhaps, but that would probably involve retraining/replacing admins (and 
undoubtedly lots of anomalies to work through in a Windows estate).

As for Google, I wouldn’t consider that as a primary identity provider - I’m simply uncomfortable with their business 
model (all services are designed to improve their ad-targeting). But each to his own…

---
Peter Bance

On 24 Jul 2021, at 19:52, Dave Aitel via Dailydave <dailydave () lists aitelfoundation org> wrote:
So I definitely have a different mental history of active directory than most people, and recently I was doing a 
Glasshouse podcast with Pablo Breuer and here he says basically the same thing everyone says, which is that it's 
impossible to move off of technology even when that technology has a history of severe flaws, or a design flaw that 
means it cannot be secured. 

This is the current mental stance among CIOs familiar with large companies, or even medium size companies! And I get 
it! But if leopards keep eating your face, and every hacker in the world keeps recommending you stop giving them a 
cuddle, and you say "I can't, I have legacy systems in my head that love to hug large dangerous cats" then that stops 
being the government's problem, in a way. Like when people ask why Cyber Insurance Markets are obvious catastrophic 
failures, and we point at how they can't really change any meaningful behavior, and they have to insure the total 
market value of whatever company they are insuring because the cost of risk is basically a sliding scale of whatever 
the Russian ransomware team thought up that morning over kasha, then everyone gets that surprised face and it's all 
very annoying.

So anyways, that brings us back to AD. AD is a system where any time you hack any computer on the network, you can 
become the domain controller, and own the whole company. That's just how it works. Every hacker/penetration tester 
has known that for two decades and the specific incantation on how you do that changes slowly over time, but it's 
always true. And then at INFILTRATE one year two Microsoft Research team members demonstrated an automation of the 
lateral movement piece which is now what Bloodhound is. So in theory everyone knows this right now, even though they 
like to blame EternalBlue for all their problems in life.

But when you point that out on Twitter, people ask you what the alternative is, and I have to admit I disagree with 
DDZ that it's "Zero Trust". That sounds like adding more complexity to a system that is already SO COMPLEX even 
lifetime specialists not named James Forshaw don't understand the BASICS of the authentication system. 

Like here's a paper that came out today that's in my queue all about Service credentials, and look - no matter how 
many new auditing tools or visualization thingies or AI anomaly detection alerts you deliver to your customers, if 
the underlying system is NOT UNDERSTANDABLE BY HUMANS then you can't secure it. I guarantee you that about 80% of the 
Russian ransomware affiliates understand Service Credentials and delegation better than your current AD management 
lead. Most of the time your AD ACLs are just you fooling yourself that you have a security boundary where you, in 
fact, don't. 

Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't matter if AD was re-implemented to use 
purely quantum key exchange because only Gandalf can mentally visualize the transitive trust structures implicit in 
how you configured your AD Forests. 

Ok so that brings us back to: What do you do instead? And honestly, I don't know. I've enjoyed reading the snippets 
that Grapl Security has been posting about their setup. As far as I can gather, the TL;DR is just use Google as your 
directory server and use Chromebooks as much as possible. 

This is what I do right now - but I'm not sure how scalable this is. Maybe y'all can pitch in on this thread and 
suggest a solution?

Thanks,
Dave Aitel

_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org