I am always in shock when people cannot see the forests from the trees even when
talking to peers. First things first, Azure AD and many IdPs are not impervious to
attack. Through OAuth2 and other privilege abuse angles in the IdP itself, backdooring
systems is (and will continue to be) a thing. For those on defense, I hope you are
checking on those MS Graph enabled Service Principals while I am waving at the other end
(hello).
It's been nearly 25 years since we've been dealing with this Legacy LAN stuff. It
has been stable, I'll grant it that, but with all its stability and potential
scalability, the fact is these systems have fatal architectural flaws in the "Will
Not / Cannot Fix" category. It seems every other week we are now seeing a
"Getting your Users Hashes" one way or another, which ends up being a trivial
30-minute effort to crack because <reasons>. One of the ways to "fix" the
scenario where machines getting compromised leads to your enterprise being compromised is
to remove the mechanism that facilitates machine-to-machine pivots.
Why haven't we moved on? I suspect it's the industry's lack of will as well as the
internal objections you hear about. Let's talk about objection handling. Active
Directory Domain Services (ADDS) – Kill it with fire, now. The first thing I typically
hear is the fact that they cannot move away because they have legacy needs:
* SMB Shares
* Windows SQL Support
* Someone wrote a VB6 app with an IE6 thingy that needs DCOM support, which Salesforce
could replace but would require moving data...
* Other ugly SPNs
* Management of Windows Desktops
* Because it's what I know, and I can Wizard you a Windows 7 machine with this
Enterprise Key so YOLO: Security
About ten years ago, removing Active Directory from your environment was rarely done.
Mainly because what on earth could you ever replace it with? When you have been working on
systems for a long time, you remember when displacing Novell was unheard of. How many of
those TN3270 monitors do you have? Active Directory as it is designed is innately insecure
in today's world. There is no realistic and operational way to secure it. It is also
unnecessary when you consider that 30-50% of your user base may be sitting at home for
more than another 36 months. Let's talk objection handling then.
* Azure AD replaces Microsoft AD. Don't like Azure AD? Well, there are
alternatives like Okta/Ping/Etc, etc. Use something else if you must, but Azure AD lets
you hybrid join the system. Yes, I am aware of PRT. Use a different IdP then; at least
it's not backed by NTLM in which Responder can own you.
* Microsoft Intune (or other competitors) manages your Windows desktop, although I
would probably avoid Kaseya, just saying. Many MSPs out there do it; I'm pretty sure
your organization can too. Don't you use JAMF on OSX already?
* What about those Files?! SharePoint, Box, Dropbox, Google Drive, basically anything
modern.
What about ALL these legacy systems?! Triage them: how many systems 'require'
Active Directory? Let's say it's 20%; ok, I'll be VERY gracious; it's 50%
of your server environment. Great! You can build a directory forest for that 50%. Cleave
those systems off; their trustworthiness should be less than that of other systems. I
would argue the amount of actual Active Directory needed is less than 50% of servers in
many organizations, but I said I was gracious. Most modern enterprises will have modern
applications. How many of those applications may require Active Directory? I suspect that
many of them need SAML or OAuth, which is back to any old IdP (Azure AD). In other words,
just like we moved off Novell (No one went to NDS, so let's just say Bindery), you can
move off Active Directory. It'll arguably make my life easier, but I mean you do get
bored of getting DA every few days...
P.S. Don't Hybrid join the stuff either; it's still basically Active Directory on
one side.
-Moses
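
One way to run the service-principal check mentioned in the message above, as an added example that is not part of the original thread: it reads an offline export of Microsoft Graph `servicePrincipals` and `appRoleAssignments` objects and reports which principals hold high-impact Graph application permissions. The export layout, the sample data and the choice of `HIGH_RISK` permissions are assumptions of this example.

```python
import json

# Well-known appId of the Microsoft Graph resource service principal.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Graph application permissions treated as high impact here (this example's
# selection, an assumption): each can lead to control of the directory.
HIGH_RISK = {"RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All",
             "Application.ReadWrite.All", "Directory.ReadWrite.All"}

# Constructed sample export; ids are placeholders, not real tenant values.
SAMPLE = json.loads("""
{"servicePrincipals": [
   {"id": "sp-graph", "appId": "00000003-0000-0000-c000-000000000000",
    "appRoles": [{"id": "role-a", "value": "User.Read.All"},
                 {"id": "role-b", "value": "RoleManagement.ReadWrite.Directory"},
                 {"id": "role-c", "value": "Application.ReadWrite.All"}]},
   {"id": "sp-other", "appId": "constructed-other-api", "appRoles": []}],
 "appRoleAssignments": [
   {"principalDisplayName": "backup-sync", "resourceId": "sp-graph", "appRoleId": "role-a"},
   {"principalDisplayName": "hr-connector", "resourceId": "sp-graph", "appRoleId": "role-b"},
   {"principalDisplayName": "hr-connector", "resourceId": "sp-graph", "appRoleId": "role-c"},
   {"principalDisplayName": "legacy-tool", "resourceId": "sp-graph", "appRoleId": "role-zz"},
   {"principalDisplayName": "reporting", "resourceId": "sp-other", "appRoleId": "role-b"}]}
""")

def risky_graph_principals(export, high_risk=HIGH_RISK):
    """Map principal name -> sorted high-risk (or unresolvable) Graph app roles."""
    graph = next((sp for sp in export["servicePrincipals"]
                  if sp["appId"] == GRAPH_APP_ID), None)
    if graph is None:
        raise ValueError("Microsoft Graph service principal missing from export")
    role_name = {r["id"]: r["value"] for r in graph["appRoles"]}
    findings = {}
    for a in export["appRoleAssignments"]:
        if a["resourceId"] != graph["id"]:
            continue  # app role granted on some other API, not Graph
        # An id that does not resolve is reported rather than silently dropped.
        name = role_name.get(a["appRoleId"], "unknown:" + a["appRoleId"])
        if name in high_risk or name.startswith("unknown:"):
            findings.setdefault(a["principalDisplayName"], set()).add(name)
    return {p: sorted(r) for p, r in sorted(findings.items())}

if __name__ == "__main__":
    for principal, roles in risky_graph_principals(SAMPLE).items():
        print(principal, "->", ", ".join(roles))
```
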
From: Dave Aitel via Dailydave <dailydave(a)lists.aitelfoundation.org>
Date: Saturday, July 24, 2021 at 2:50 PM
To: dailydave(a)lists.aitelfoundation.org <dailydave(a)lists.aitelfoundation.org>
Subject: [Dailydave] Active Directory - a clear and present danger
So I definitely have a different mental history of active directory than most people, and
recently I was doing a Glasshouse podcast with Pablo
Breuer <https://www.linkedin.com/in/pablobreuer/> and
here <https://youtu.be/Z0d6qNLevUY?t=2714> he says basically the same thing everyone
says, which is that it's impossible to move off of technology even when that
technology has a history of severe flaws, or a design flaw that means it cannot be
secured.
This is the current mental stance among CIOs familiar with large companies, or even medium
size companies! And I get it! But if leopards keep eating your face, and every hacker in
the world keeps recommending you stop giving them a cuddle, and you say "I can't,
I have legacy systems in my head that love to hug large dangerous cats" then that
stops being the government's problem, in a way. Like when people ask why Cyber
Insurance Markets are obvious catastrophic failures, and we point at how they can't
really change any meaningful behavior, and they have to insure the total market value of
whatever company they are insuring because the cost of risk is basically a sliding scale
of whatever the Russian ransomware team thought up that morning over kasha, then everyone
gets that surprised face and it's all very annoying.
So anyways, that brings us back to AD. AD is a system where any time you hack any computer
on the network, you can become the domain controller, and own the whole company.
That's just how it works. Every hacker/penetration tester has known that for two
decades and the specific incantation on how you do that changes slowly over time, but
it's always true. And then at INFILTRATE one year two Microsoft Research team members
demonstrated an automation of the lateral movement piece which is now what BloodHound
<https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx#:~:text=BloodHound%20is%20an%20application%20developed,their%20privileges%20within%20the%20domain.>
is. So in theory everyone knows this right now, even though they like to blame EternalBlue
for all their problems in life.
But when you point that out on
Twitter<https://twitter.com/dinodaizovi/status/1418909301746327559?s=20&…20>, people ask
you what the alternative is, and I have to admit I disagree with DDZ that it's
"Zero Trust". That sounds like adding more complexity to a system that is
already SO COMPLEX even lifetime specialists not named James Forshaw don't understand
the BASICS of the authentication system.
Like here's a
paper<https://twitter.com/DebugPrivilege/status/1418884269376671755?s=20… that came
out today that's in my queue all about Service credentials, and look - no matter how
many new auditing tools or visualization thingies or AI anomaly detection alerts you
deliver to your customers, if the underlying system is NOT UNDERSTANDABLE BY HUMANS then
you can't secure it. I guarantee you that about 80% of the Russian ransomware
affiliates understand Service Credentials and delegation better than your current AD
management lead. Most of the time your AD ACLs are just you fooling yourself that you have
a security boundary where you, in fact, don't.
Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't matter if
AD was re-implemented to use purely quantum key exchange because only Gandalf can mentally
visualize the transitive trust structures implicit in how you configured your AD Forests.
Ok so that brings us back to: What do you do instead? And honestly, I don't know.
I've enjoyed reading the snippets that Grapl
Security<https://www.graplsecurity.com/> has been posting about their setup. As far
as I can gather, the TL;DR is just use Google as your directory server and use Chromebooks
as much as possible.
This is what I do right now - but I'm not sure how scalable this is. Maybe y'all
can pitch in on this thread and suggest a solution?
Thanks,
Dave Aitel