Speaking for a heavily regulated EU business here: a US cloud-based solution will most
probably not fit our needs. Both GDPR and rules about not being dependent on 3rd-party
businesses to conduct our own business mean we're stuck with an on-prem AD.
I’m very interested to hear about any potential alternative.
François
On Sun, Jul 25, 2021 at 07:50, Peter Bance via Dailydave
<dailydave(a)lists.aitelfoundation.org> wrote:
Funnily enough, I’ve just decommissioned our last
Domain Controller - as you rightly say, AD is just too much pain/risk to keep in place.
Azure AD for us - still not 100% ideal, but rapidly improving, and transfers a lot of the
infrastructure/config pain to Microsoft themselves.
Obviously admins can still make horrible mistakes, but that’s easier to monitor than all
config across an on-prem forest, and it’s far simpler to limit (or even eliminate)
accidental or inherited elevated privileges.
There are other advantages - AAD enrolment for devices plus Autopilot provides very close
control and visibility over device config/security and eliminates the need for (ugh)
GPOs.
AAD won’t fit all use cases (e.g. heavily regulated environments, complex/legacy LDAP
needs), but if an organisation only uses AD for identity (people+devices), it may be an
option. There’s a lot of pain involved in migration, but in my view it was absolutely
worth it.
If, however, an organisation is hell-bent on running their own infrastructure (in 2021?),
I’m not sure there’s a “neat” alternative. Red Hat Directory Server, perhaps, but that
would probably involve retraining/replacing admins (and undoubtedly lots of anomalies to
work through in a Windows estate).
As for Google, I wouldn’t consider that as a primary identity provider - I’m simply
uncomfortable with their business model (all services are designed to improve their
ad-targeting). But each to his own…
---
Peter Bance
On 24 Jul 2021, at 19:52, Dave Aitel via
Dailydave <dailydave(a)lists.aitelfoundation.org> wrote:
>
> So I definitely have a different mental history of active directory than most people,
and recently I was doing a Glasshouse podcast with [Pablo Breuer](https://www.linkedin.com/in/pablobreuer/) and
[here](https://youtu.be/Z0d6qNLevUY?t=2714) he says basically the same thing everyone
says, which is that it's impossible to move off of technology even when that
technology has a history of severe flaws, or a design flaw that means it cannot be
secured.
>
> This is the current mental stance among CIOs familiar with large companies, or even
medium size companies! And I get it! But if leopards keep eating your face, and every
hacker in the world keeps recommending you stop giving them a cuddle, and you say "I
can't, I have legacy systems in my head that love to hug large dangerous cats"
then that stops being the government's problem, in a way. Like when people ask why
Cyber Insurance Markets are obvious catastrophic failures, and we point at how they
can't really change any meaningful behavior, and they have to insure the total market
value of whatever company they are insuring because the cost of risk is basically a
sliding scale of whatever the Russian ransomware team thought up that morning over kasha,
then everyone gets that surprised face and it's all very annoying.
>
> So anyways, that brings us back to AD. AD is a system where any time you hack any
computer on the network, you can become the domain controller, and own the whole company.
That's just how it works. Every hacker/penetration tester has known that for two
decades and the specific incantation on how you do that changes slowly over time, but
it's always true. And then at INFILTRATE one year two Microsoft Research team members
demonstrated an automation of the lateral movement piece which is now what
[Bloodhound](https://mcpmag.com/articles/2019/11/13/bloodhound-active-direct….
So in theory everyone knows this right now, even though they like to blame EternalBlue for
all their problems in life.
>
> But when you point that out on
[Twitter](https://twitter.com/dinodaizovi/status/1418909301746327559?s=20), people ask you
what the alternative is, and I have to admit I disagree with DDZ that it's "Zero
Trust". That sounds like adding more complexity to a system that is already SO
COMPLEX even lifetime specialists not named James Forshaw don't understand the BASICS
of the authentication system.
>
> Like [here's a
paper](https://twitter.com/DebugPrivilege/status/1418884269376671755?s=20) that came out
today that's in my queue all about Service credentials, and look - no matter how many
new auditing tools or visualization thingies or AI anomaly detection alerts you deliver to
your customers, if the underlying system is NOT UNDERSTANDABLE BY HUMANS then you
can't secure it. I guarantee you that about 80% of the Russian ransomware affiliates
understand Service Credentials and delegation better than your current AD management lead.
Most of the time your AD ACLs are just you fooling yourself that you have a security
boundary where you, in fact, don't.
>
> Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't
matter if AD was re-implemented to use purely quantum key exchange because only Gandalf
can mentally visualize the transitive trust structures implicit in how you configured your
AD Forests.
>
> Ok so that brings us back to: What do you do instead? And honestly, I don't know.
I've enjoyed reading the snippets that [Grapl
Security](https://www.graplsecurity.com/) has been posting about their setup. As far as I
can gather, the TL;DR is just use Google as your directory server and use Chromebooks as
much as possible.
>
> This is what I do right now - but I'm not sure how scalable this is. Maybe
y'all can pitch in on this thread and suggest a solution?
>
> Thanks,
> Dave Aitel
> _______________________________________________
> Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
> To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org