Speaking for a heavily regulated EU business here: a US cloud based solution will most probably not fit our needs. Both GDPR and rules about not being dependent on 3rd party businesses to conduct our own mean we’re stuck with an on-prem AD.
I’m very interested to hear about any potential alternative.
François
Le dim., juil. 25, 2021 à 07:50, Peter Bance via Dailydave dailydave@lists.aitelfoundation.org a écrit :
Funnily enough, I’ve just decommissioned our last Domain Controller - as you rightly say, AD is just too much pain/risk to keep in place. Azure AD for us - still not 100% ideal, but rapidly improving, and transfers a lot of the infrastructure/config pain to Microsoft themselves.
Obviously admins can still make horrible mistakes, but that’s easier to monitor than all config across an on-prem forest, and it’s far simpler to limit (or even eliminate) accidental or inherited elevated privileges.
There are other advantages - AAD enrolment for devices plus Autopilot provides very close control and visibility over device config/security and eliminates the need for (ugh) GPOs.
AAD won’t fit all use cases (e.g. heavily regulated environments, complex/legacy LDAP needs), but if an organisation only uses AD for identity (people+devices), it may be an option. There’s a lot of pain involved in migration, but in my view it was absolutely worth it.
If, however, an organisation is hell-bent on running their own infrastructure (in 2021?), I’m not sure there’s a “neat” alternative. Red Hat Directory Server, perhaps, but that would probably involve retraining/replacing admins (and undoubtedly lots of anomalies to work through in a Windows estate).
As for Google, I wouldn’t consider that as a primary identity provider - I’m simply uncomfortable with their business model (all services are designed to improve their ad-targeting). But each to his own…
Peter Bance
On 24 Jul 2021, at 19:52, Dave Aitel via Dailydave dailydave@lists.aitelfoundation.org wrote:
So I definitely have a different mental history of active directory than most people, and recently I was doing a Glasshouse podcast with [Pablo Breuer](https://www.linkedin.com/in/pablobreuer/) and [here](https://youtu.be/Z0d6qNLevUY?t=2714) he says basically the same thing everyone says, which is that it's impossible to move off of technology even when that technology has a history of severe flaws, or a design flaw that means it cannot be secured.
This is the current mental stance among CIOs familiar with large companies, or even medium size companies! And I get it! But if leopards keep eating your face, and every hacker in the world keeps recommending you stop giving them a cuddle, and you say "I can't, I have legacy systems in my head that love to hug large dangerous cats" then that stops being the government's problem, in a way. Like when people ask why Cyber Insurance Markets are obvious catastrophic failures, and we point at how they can't really change any meaningful behavior, and they have to insure the total market value of whatever company they are insuring because the cost of risk is basically a sliding scale of whatever the Russian ransomware team thought up that morning over kasha, then everyone gets that surprised face and it's all very annoying.
So anyways, that brings us back to AD. AD is a system where any time you hack any computer on the network, you can become the domain controller, and own the whole company. That's just how it works. Every hacker/penetration tester has known that for two decades and the specific incantation on how you do that changes slowly over time, but it's always true. And then at INFILTRATE one year two Microsoft Research team members demonstrated an automation of the lateral movement piece which is now what [Bloodhound](https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-ad.... So in theory everyone knows this right now, even though they like to blame EternalBlue for all their problems in life.
But when you point that out on [Twitter](https://twitter.com/dinodaizovi/status/1418909301746327559?s=20), people ask you what the alternative is, and I have to admit I disagree with DDZ that it's "Zero Trust". That sounds like adding more complexity to a system that is already SO COMPLEX even lifetime specialists not named James Forshaw don't understand the BASICS of the authentication system.
Like [here's a paper](https://twitter.com/DebugPrivilege/status/1418884269376671755?s=20) that came out today that's in my queue all about Service credentials, and look - no matter how many new auditing tools or visualization thingies or AI anomaly detection alerts you deliver to your customers, if the underlying system is NOT UNDERSTANDABLE BY HUMANS then you can't secure it. I guarantee you that about 80% of the Russian ransomware affialiates understand Service Credentials and delegation better than your current AD management lead. Most of the time your AD ACLs are just you fooling yourself that you have a security boundary where you, in fact, don't.
Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't matter if AD was re-implemented to use purely quantum key exchange because only Gandolf can mentally visualize the transitive trust structures implicit in how you configured your AD Forests.
Ok so that brings us back to: What do you do instead? And honestly, I don't know. I've enjoyed reading the snippets that [Grapl Security](https://www.graplsecurity.com/) has been posting about their setup. As far as I can gather, the TL;DR is just use Google as your directory server and use Chromebooks as much as possible.
This is what I do right now - but I'm not sure how scalable this is. Maybe y'all can pitch in on this thread and suggest a solution?
Thanks, Dave Aitel _______________________________________________ Dailydave mailing list -- dailydave@lists.aitelfoundation.org To unsubscribe send an email to dailydave-leave@lists.aitelfoundation.org