What Are You Doing Right Now
-
One of the simplest things to do for a DC is enable BitLocker, especially if it's virtualized. Encrypting the data at rest on a virtual disk is essential.
-
This is the session i attended... well, the session's slides, which doens't say mcuh at all... but it's a breadcrumb:
https://4f2bcn3u2m2u2z7ghc17a5jm-wpengine.netdna-ssl.com/wp-content/uploads/2019/10/techdayssweden_credentialsecurity_paulajanuszkiewicz.pdfAbove link is from here:
https://cqureacademy.com/blog/techdays-sweden-2019-2 -
@Obsolesce said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@Obsolesce said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@Obsolesce said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@popester said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@popester said in What Are You Doing Right Now:
Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....
For AD, I assume?
Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC
Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.
AD (and everything using it) is only as secure as the DC.
DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC
That's the thing, if you compromise a DC, you don't need any passwords... There was a whole session on this that I have been to.
Depends on how you compromise it. What can someone do if they only have the data from the DC?
They can access any data on any Domain PC.
Using what means?
-
@Obsolesce said in What Are You Doing Right Now:
One of the simplest things to do for a DC is enable BitLocker, especially if it's virtualized. Encrypting the data at rest on a virtual disk is essential.
But what's the real world attack vector? I'm not saying that a DC is impervious or anything. I say all the time that AD adds a lot of risk, there is just so much more to fail.
But their attacks seem to be focused on big, offline attacks where they are getting a copy of your drive (physical theft let's say) and you don't change your passwords, and they have lots of time to brute force them.
While that's a real risk, it's a really unlikely one. There are so many steps needed one the attackers side to make it work, and so many ways to protects on the other side, even after the attack has begun.
-
@scottalanmiller said in What Are You Doing Right Now:
@Obsolesce said in What Are You Doing Right Now:
One of the simplest things to do for a DC is enable BitLocker, especially if it's virtualized. Encrypting the data at rest on a virtual disk is essential.
But what's the real world attack vector? I'm not saying that a DC is impervious or anything. I say all the time that AD adds a lot of risk, there is just so much more to fail.
But their attacks seem to be focused on big, offline attacks where they are getting a copy of your drive (physical theft let's say) and you don't change your passwords, and they have lots of time to brute force them.
While that's a real risk, it's a really unlikely one. There are so many steps needed one the attackers side to make it work, and so many ways to protects on the other side, even after the attack has begun.
That's one way. If you compromise any domain joined PC, you can likely move laterally, it may be possible to compromise everything.
It all depends of course. AD and AD domains can be very secure, but they can also be their own major vulnerability if not properly secured.
-
There's a lot more to it, but it was a while ago I attended and no longer remember enough details to keep going... but I remember the take-aways. I'm sure there's a lot about it around, but I can't look atm.
-
RojoLoco's audio tip of the week: if you want to add some serious bass to your home theater or music system, get a powered sub from monoprice. I got the 12" one for $100.... The thing is a beast. Tight and accurate too, on a variety of genres of music. Highest recommendation.
-
@jmoore said in What Are You Doing Right Now:
Leaving work because its now Margarita time!
Here here. I'm grabbing a space kitty.
-
-
Party day around here. Been partying for hours already.
-
Just finished the first week's training session for the DevOps course at cloudskills.io.
It was fantastic!
-
Catching up on some E-mail / comments from YouTube videos.
-
Just got home from Rachel's 30th birthday party.
-
Wondering if I can get into work tomorrow. More flooding and more rain to come ️
-
@EddieJennings said in What Are You Doing Right Now:
Catching up on some E-mail / comments from YouTube videos.
Oh what a horrible thing to do. The Internet is full of haters.
-
@scottalanmiller said in What Are You Doing Right Now:
Party day around here. Been partying for hours already.
You at work?
-
@hobbit666 said in What Are You Doing Right Now:
Wondering if I can get into work tomorrow. More flooding and more rain to come ️
Yep, gee you guys have been copping some rain.
-
@scottalanmiller said in What Are You Doing Right Now:
@Obsolesce said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@popester said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@popester said in What Are You Doing Right Now:
Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....
For AD, I assume?
Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC
Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.
AD (and everything using it) is only as secure as the DC.
DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC
Hey Scott, can you enlighten me here? I'm no expert on this topic, but I expect the passwords to be stored someplace and somehow in the AD database?????????
-
@siringo said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
Catching up on some E-mail / comments from YouTube videos.
Oh what a horrible thing to do. The Internet is full of haters.
Ha! The couple of things I'm responding to are folks asking questions about stuff.
-
@siringo said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@Obsolesce said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@popester said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@popester said in What Are You Doing Right Now:
Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....
For AD, I assume?
Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC
Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.
AD (and everything using it) is only as secure as the DC.
DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC
Hey Scott, can you enlighten me here? I'm no expert on this topic, but I expect the passwords to be stored someplace and somehow in the AD database?????????
AD never stores passwords. AD only stores a password hash, ever. It has no way to recreate the original password or retrieve it. The only time to get the original password is to grab it at the time that it is typed in.
This is a fundamental part of the security system - AD never knows, stores, or has your passwords at any step of the process. They aren't told to the server ever, they are never sent over the network, etc.
Now, if you can completely compromise an end point to the point that you are on the network and sending your own direct hash to AD, you can still authenticate even without a password. But if you can do that, you've completely compromised the system anyway and didn't need to do so.