Funnily enough, I’ve just decommissioned our last Domain Controller - as you rightly say,
AD is just too much pain/risk to keep in place. Azure AD for us - still not 100% ideal,
but rapidly improving, and transfers a lot of the infrastructure/config pain to Microsoft
themselves.
Obviously admins can still make horrible mistakes, but that’s easier to monitor than all
config across an on-prem forest, and it’s far simpler to limit (or even eliminate)
accidental or inherited elevated privileges.
There are other advantages - AAD enrolment for devices plus Autopilot provides very close
control and visibility over device config/security and eliminates the need for (ugh)
GPOs.
AAD won’t fit all use cases (e.g. heavily regulated environments, complex/legacy LDAP
needs), but if an organisation only uses AD for identity (people+devices), it may be an
option. There’s a lot of pain involved in migration, but in my view it was absolutely
worth it.
If, however, an organisation is hell-bent on running their own infrastructure (in 2021?),
I’m not sure there’s a “neat” alternative. Red Hat Directory Server, perhaps, but that
would probably involve retraining/replacing admins (and undoubtedly lots of anomalies to
work through in a Windows estate).
As for Google, I wouldn’t consider that as a primary identity provider - I’m simply
uncomfortable with their business model (all services are designed to improve their
ad-targeting). But each to his own…
---
Peter Bance
On 24 Jul 2021, at 19:52, Dave Aitel via Dailydave
<dailydave(a)lists.aitelfoundation.org> wrote:
So I definitely have a different mental history of active directory than most people, and
recently I was doing a Glasshouse podcast with Pablo Breuer and here he says basically the
same thing everyone says, which is that it's impossible to move off of technology even
when that technology has a history of severe flaws, or a design flaw that means it cannot
be secured.
This is the current mental stance among CIOs familiar with large companies, or even
medium size companies! And I get it! But if leopards keep eating your face, and every
hacker in the world keeps recommending you stop giving them a cuddle, and you say "I
can't, I have legacy systems in my head that love to hug large dangerous cats"
then that stops being the government's problem, in a way. Like when people ask why
Cyber Insurance Markets are obvious catastrophic failures, and we point at how they
can't really change any meaningful behavior, and they have to insure the total market
value of whatever company they are insuring because the cost of risk is basically a
sliding scale of whatever the Russian ransomware team thought up that morning over kasha,
then everyone gets that surprised face and it's all very annoying.
So anyways, that brings us back to AD. AD is a system where any time you hack any
computer on the network, you can become the domain controller, and own the whole company.
That's just how it works. Every hacker/penetration tester has known that for two
decades and the specific incantation on how you do that changes slowly over time, but
it's always true. And then at INFILTRATE one year two Microsoft Research team members
demonstrated an automation of the lateral movement piece which is now what Bloodhound is.
So in theory everyone knows this right now, even though they like to blame EternalBlue for
all their problems in life.
But when you point that out on Twitter, people ask you what the alternative is, and I
have to admit I disagree with DDZ that it's "Zero Trust". That sounds like
adding more complexity to a system that is already SO COMPLEX even lifetime specialists
not named James Forshaw don't understand the BASICS of the authentication system.
Like here's a paper that came out today that's in my queue all about Service
credentials, and look - no matter how many new auditing tools or visualization thingies or
AI anomaly detection alerts you deliver to your customers, if the underlying system is NOT
UNDERSTANDABLE BY HUMANS then you can't secure it. I guarantee you that about 80% of
the Russian ransomware affialiates understand Service Credentials and delegation better
than your current AD management lead. Most of the time your AD ACLs are just you fooling
yourself that you have a security boundary where you, in fact, don't.
Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't matter
if AD was re-implemented to use purely quantum key exchange because only Gandolf can
mentally visualize the transitive trust structures implicit in how you configured your AD
Forests.
Ok so that brings us back to: What do you do instead? And honestly, I don't know.
I've enjoyed reading the snippets that Grapl Security has been posting about their
setup. As far as I can gather, the TL;DR is just use Google as your directory server and
use Chromebooks as much as possible.
This is what I do right now - but I'm not sure how scalable this is. Maybe y'all
can pitch in on this thread and suggest a solution?
Thanks,
Dave Aitel
_______________________________________________
Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org