Funnily enough, I’ve just decommissioned our last Domain Controller - as you rightly say, AD is just too much pain/risk to keep in place. Azure AD for us - still not 100% ideal, but rapidly improving, and transfers a lot of the infrastructure/config pain to Microsoft themselves.

Obviously admins can still make horrible mistakes, but that’s easier to monitor than all config across an on-prem forest, and it’s far simpler to limit (or even eliminate) accidental or inherited elevated privileges.

There are other advantages - AAD enrolment for devices plus Autopilot provides very close control and visibility over device config/security and eliminates the need for (ugh) GPOs.

AAD won’t fit all use cases (e.g. heavily regulated environments, complex/legacy LDAP needs), but if an organisation only uses AD for identity (people+devices), it may be an option. There’s a lot of pain involved in migration, but in my view it was absolutely worth it.

If, however, an organisation is hell-bent on running their own infrastructure (in 2021?), I’m not sure there’s a “neat” alternative. Red Hat Directory Server, perhaps, but that would probably involve retraining/replacing admins (and undoubtedly lots of anomalies to work through in a Windows estate).

As for Google, I wouldn’t consider that as a primary identity provider - I’m simply uncomfortable with their business model (all services are designed to improve their ad-targeting). But each to his own…

--- Peter Bance

On 24 Jul 2021, at 19:52, Dave Aitel via Dailydave dailydave@lists.aitelfoundation.org wrote:

 So I definitely have a different mental history of active directory than most people, and recently I was doing a Glasshouse podcast with Pablo Breuer and here he says basically the same thing everyone says, which is that it's impossible to move off of technology even when that technology has a history of severe flaws, or a design flaw that means it cannot be secured.

This is the current mental stance among CIOs familiar with large companies, or even medium size companies! And I get it! But if leopards keep eating your face, and every hacker in the world keeps recommending you stop giving them a cuddle, and you say "I can't, I have legacy systems in my head that love to hug large dangerous cats" then that stops being the government's problem, in a way. Like when people ask why Cyber Insurance Markets are obvious catastrophic failures, and we point at how they can't really change any meaningful behavior, and they have to insure the total market value of whatever company they are insuring because the cost of risk is basically a sliding scale of whatever the Russian ransomware team thought up that morning over kasha, then everyone gets that surprised face and it's all very annoying.

So anyways, that brings us back to AD. AD is a system where any time you hack any computer on the network, you can become the domain controller, and own the whole company. That's just how it works. Every hacker/penetration tester has known that for two decades and the specific incantation on how you do that changes slowly over time, but it's always true. And then at INFILTRATE one year two Microsoft Research team members demonstrated an automation of the lateral movement piece which is now what Bloodhound is. So in theory everyone knows this right now, even though they like to blame EternalBlue for all their problems in life.

But when you point that out on Twitter, people ask you what the alternative is, and I have to admit I disagree with DDZ that it's "Zero Trust". That sounds like adding more complexity to a system that is already SO COMPLEX even lifetime specialists not named James Forshaw don't understand the BASICS of the authentication system.

Like here's a paper that came out today that's in my queue all about Service credentials, and look - no matter how many new auditing tools or visualization thingies or AI anomaly detection alerts you deliver to your customers, if the underlying system is NOT UNDERSTANDABLE BY HUMANS then you can't secure it. I guarantee you that about 80% of the Russian ransomware affialiates understand Service Credentials and delegation better than your current AD management lead. Most of the time your AD ACLs are just you fooling yourself that you have a security boundary where you, in fact, don't.

Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't matter if AD was re-implemented to use purely quantum key exchange because only Gandolf can mentally visualize the transitive trust structures implicit in how you configured your AD Forests.

Ok so that brings us back to: What do you do instead? And honestly, I don't know. I've enjoyed reading the snippets that Grapl Security has been posting about their setup. As far as I can gather, the TL;DR is just use Google as your directory server and use Chromebooks as much as possible.

This is what I do right now - but I'm not sure how scalable this is. Maybe y'all can pitch in on this thread and suggest a solution?

Thanks, Dave Aitel

---

Dailydave mailing list -- dailydave@lists.aitelfoundation.org To unsubscribe send an email to dailydave-leave@lists.aitelfoundation.org

I am always in shock when people cannot see the forests from the tree's even when talking to peers. First things first, Azure AD and many IdP's are not impervious to attack. Through Oauth2 and other privilege abuse angles in the IdP itself, backdooring systems are (and will continue to be) a thing. For those on defense, I hope you are checking on those MS Graph enabled Service Principals while I am waving at the other end (hello).

It's been nearly 25 years since we've been dealing with this Legacy LAN stuff. It has been stable, I'll grant it that, but with all its stability and potential scalability, the fact is these systems have fatal architectural flaws in the "Will Not / Cannot Fix" category. It seems every other week we are now seeing a "Getting your Users Hashes" one way or another, which ends up being a trivial 30-minute effort to crack because <reasons>. One of the ways to "fix" the scenario that machines get compromised with leads to your enterprise being compromised is to remove the mechanism that facilitates machine to machine pivots.

Why haven't we moved on? I suspect it's the industries lack of will as well as the internal objections you hear about. Let's talk about objective handling. Active Directory Domain Services (ADDS) – Kill it with fire, now. The first thing I typically hear is the fact that they cannot move away because they have legacy needs:

* SMB Shares * Windows SQL Support * Someone wrote a VB6 app with an IE6 thingy that needs DCOM support, which salesforce could replace but would require moving data... * Other ugly SPNs * Management of Windows Desktops * Because it's what I know, and I can Wizard you a Windows 7 machine with this Enterprise Key so YOLO: Security

About ten years ago, removing Active Directory from your environment was rarely done. Mainly because what on earth could you ever replace it with? When you have been working on systems for a long time, you remember when displacing Novell was unheard of. How many of those TN3270 monitors do you have? Active Directory as it is designed is innately insecure in today's world. There is no realistic and operational way to secure it. It is also unnecessary when you consider that 30-50% of your user base may be sitting at home for more than another 36 months. Let's talk objection handling then.

* Azure AD replaces Microsoft AD. Don't like Azure AD? Well, there are alternatives like Okta/Ping/Etc, etc. Use something else if you must, but Azure AD lets you hybrid join the system. Yes, I am aware of PRT. Use a different IdP then; at least it's not backed by NTLM in which responder can own you. * Microsoft Intune (or other competitors) manage your windows desktop, although I would probably avoid Kaseya, just saying. Many MSPs out there do it; I'm pretty sure your organization can too. Don't you use JAMF on OSX already? * What about those Files?! Sharepoint, Box, Dropbox, Google Drive, basically anything modern.

What about ALL these legacy systems?! Triage them, how many systems 'require' Active Directory. Let's say it's 20%; ok, I'll be VERY gracious; it's 50% of your server environment. Great! You can build a directory forest for that 50%. Cleave those systems off; their trustworthiness should be less than that of other systems. I would argue the amount of actual Active Directory needed is less than 50% of servers in many organizations, but I said I was gracious. Most modern enterprises will have modern applications. How many of those applications may require Active Directory? I suspect that many of them need SAML or Oauth, which is back to any old IdP (Azure AD). In other words, just like we moved off Novell (No one went to NDS, so let's just say Bindery), you can move off Active Directory. It'll arguably make my life easier, but I mean you do get bored of getting DA every few days...

P.S. Don't Hybrid join the stuff either; it's still basically Active Directory on one side.

-Moses

From: Dave Aitel via Dailydave dailydave@lists.aitelfoundation.org Date: Saturday, July 24, 2021 at 2:50 PM To: dailydave@lists.aitelfoundation.org dailydave@lists.aitelfoundation.org Subject: [Dailydave] Active Directory - a clear and present danger So I definitely have a different mental history of active directory than most people, and recently I was doing a Glasshouse podcast with Pablo Breuerhttps://www.linkedin.com/in/pablobreuer/ and herehttps://youtu.be/Z0d6qNLevUY?t=2714 he says basically the same thing everyone says, which is that it's impossible to move off of technology even when that technology has a history of severe flaws, or a design flaw that means it cannot be secured.

This is the current mental stance among CIOs familiar with large companies, or even medium size companies! And I get it! But if leopards keep eating your face, and every hacker in the world keeps recommending you stop giving them a cuddle, and you say "I can't, I have legacy systems in my head that love to hug large dangerous cats" then that stops being the government's problem, in a way. Like when people ask why Cyber Insurance Markets are obvious catastrophic failures, and we point at how they can't really change any meaningful behavior, and they have to insure the total market value of whatever company they are insuring because the cost of risk is basically a sliding scale of whatever the Russian ransomware team thought up that morning over kasha, then everyone gets that surprised face and it's all very annoying.

So anyways, that brings us back to AD. AD is a system where any time you hack any computer on the network, you can become the domain controller, and own the whole company. That's just how it works. Every hacker/penetration tester has known that for two decades and the specific incantation on how you do that changes slowly over time, but it's always true. And then at INFILTRATE one year two Microsoft Research team members demonstrated an automation of the lateral movement piece which is now what Bloodhound https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx#:~:text=BloodHound%20is%20an%20application%20developed,their%20privileges%20within%20the%20domain. is. So in theory everyone knows this right now, even though they like to blame EternalBlue for all their problems in life.

But when you point that out on Twitterhttps://twitter.com/dinodaizovi/status/1418909301746327559?s=20, people ask you what the alternative is, and I have to admit I disagree with DDZ that it's "Zero Trust". That sounds like adding more complexity to a system that is already SO COMPLEX even lifetime specialists not named James Forshaw don't understand the BASICS of the authentication system.

Like here's a paperhttps://twitter.com/DebugPrivilege/status/1418884269376671755?s=20 that came out today that's in my queue all about Service credentials, and look - no matter how many new auditing tools or visualization thingies or AI anomaly detection alerts you deliver to your customers, if the underlying system is NOT UNDERSTANDABLE BY HUMANS then you can't secure it. I guarantee you that about 80% of the Russian ransomware affialiates understand Service Credentials and delegation better than your current AD management lead. Most of the time your AD ACLs are just you fooling yourself that you have a security boundary where you, in fact, don't.

Also, the problem is not NTLM. Everyone stop talking about NTLM. It wouldn't matter if AD was re-implemented to use purely quantum key exchange because only Gandolf can mentally visualize the transitive trust structures implicit in how you configured your AD Forests.

Ok so that brings us back to: What do you do instead? And honestly, I don't know. I've enjoyed reading the snippets that Grapl Securityhttps://www.graplsecurity.com/ has been posting about their setup. As far as I can gather, the TL;DR is just use Google as your directory server and use Chromebooks as much as possible.

This is what I do right now - but I'm not sure how scalable this is. Maybe y'all can pitch in on this thread and suggest a solution?

Thanks, Dave Aitel