Dailydave mailing list archives

Re: Active Directory - a clear and present danger


From: Moses Frost via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 26 Jul 2021 18:49:05 +0000

I am always in shock when people cannot see the forest for the trees, even when talking to peers. First things first, 
Azure AD and many IdPs are not impervious to attack. Through OAuth2 and other privilege-abuse angles in the IdP 
itself, backdooring systems is (and will continue to be) a thing. For those on defense, I hope you are checking on 
those MS Graph-enabled Service Principals while I am waving at the other end (hello).

It's been nearly 25 years that we've been dealing with this legacy LAN stuff. It has been stable, I'll grant it that, 
but with all its stability and potential scalability, the fact is these systems have fatal architectural flaws in the 
"Will Not / Cannot Fix" category. It seems every other week we are now seeing a "Getting Your Users' Hashes" one way or 
another, which ends up being a trivial 30-minute effort to crack because <reasons>. One of the ways to "fix" the 
scenario where machines getting compromised leads to your enterprise being compromised is to remove the mechanism that 
facilitates machine-to-machine pivots.

Why haven't we moved on? I suspect it's the industry's lack of will as well as the internal objections you hear about. 
Let's talk about objection handling. Active Directory Domain Services (ADDS): kill it with fire, now. The first thing 
I typically hear is that they cannot move away because they have legacy needs:

  *   SMB Shares
  *   Windows SQL Support
  *   Someone wrote a VB6 app with an IE6 thingy that needs DCOM support, which salesforce could replace but would 
require moving data...
  *   Other ugly SPNs
  *   Management of Windows Desktops
  *   Because it's what I know, and I can Wizard you a Windows 7 machine with this Enterprise Key so YOLO: Security

About ten years ago, removing Active Directory from your environment was rarely done. Mainly because what on earth 
could you ever replace it with? When you have been working on systems for a long time, you remember when displacing 
Novell was unheard of. How many of those TN3270 monitors do you have? Active Directory as it is designed is innately 
insecure in today's world. There is no realistic and operational way to secure it. It is also unnecessary when you 
consider that 30-50% of your user base may be sitting at home for more than another 36 months. Let's talk objection 
handling then.

  *   Azure AD replaces Microsoft AD. Don't like Azure AD? Well, there are alternatives like Okta/Ping/etc. Use 
something else if you must, but Azure AD lets you hybrid join the system. Yes, I am aware of PRT. Use a different IdP 
then; at least it's not backed by NTLM, in which Responder can own you.
  *   Microsoft Intune (or other competitors) manages your Windows desktops, although I would probably avoid Kaseya, just 
saying. Many MSPs out there do it; I'm pretty sure your organization can too. Don't you use JAMF on OSX already?
  *   What about those files?! SharePoint, Box, Dropbox, Google Drive, basically anything modern.

What about ALL these legacy systems?! Triage them: how many systems 'require' Active Directory? Let's say it's 20%; ok, 
I'll be VERY gracious; it's 50% of your server environment. Great! You can build a directory forest for that 50%. 
Cleave those systems off; their trustworthiness should be less than that of other systems. I would argue the amount of 
actual Active Directory needed is less than 50% of servers in many organizations, but I said I was gracious. Most 
modern enterprises will have modern applications. How many of those applications may require Active Directory? I 
suspect that many of them need SAML or OAuth, which is back to any old IdP (Azure AD). In other words, just like we 
moved off Novell (no one went to NDS, so let's just say Bindery), you can move off Active Directory. It'll arguably 
make my life harder, but I mean, you do get bored of getting DA every few days...

P.S. Don't Hybrid join the stuff either; it's still basically Active Directory on one side.

-Moses
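Moses's "check on those MS Graph-enabled Service Principals" is the one concrete defensive action in this message. Below is an added example of what that review looks like once you have pulled the data out of the tenant; it is not code from the original post or from Microsoft. It assumes two JSON responses shaped like the real Graph endpoints `GET /servicePrincipals?$filter=appId eq '...'` (the Microsoft Graph resource service principal, whose `appRoles` list defines the application-permission names) and `GET /servicePrincipals/{id}/appRoleAssignedTo` (every principal holding one of those roles). The sample data, including the role and principal GUIDs, is constructed for this example; the permission names in the watchlist are real Graph application permissions, but the list itself is an assumption and a starting point, not an exhaustive catalogue.

```python
"""Triage Microsoft Graph application permissions granted to service principals.

Runs offline on JSON shaped like the Graph REST responses. All sample data
below is constructed for this example (role ids and principal ids included).
"""
import json
from collections import defaultdict

# Application permissions that let a service principal take over the tenant or
# read everyone's data. Real Graph permission names; the selection is ours.
HIGH_RISK_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory",  # grant yourself Global Admin
    "Directory.ReadWrite.All",             # rewrite users, groups, devices
    "Application.ReadWrite.All",           # add credentials to any app
    "AppRoleAssignment.ReadWrite.All",     # grant any app any permission
    "Mail.ReadWrite",                      # every mailbox in the tenant
}

# Constructed stand-in for the Microsoft Graph resource service principal.
GRAPH_RESOURCE_SP = json.loads("""
{ "id": "11111111-aaaa-4aaa-8aaa-111111111111",
  "displayName": "Microsoft Graph",
  "appRoles": [
    {"id": "role-0001", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0002", "value": "Directory.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-0003", "value": "RoleManagement.ReadWrite.Directory", "allowedMemberTypes": ["Application"]},
    {"id": "role-0004", "value": "Mail.Read", "allowedMemberTypes": ["Application"]}
  ]}
""")

# Constructed stand-in for GET /servicePrincipals/{graph-sp-id}/appRoleAssignedTo.
APP_ROLE_ASSIGNED_TO = json.loads("""
{ "value": [
  {"principalId": "p-0001", "principalDisplayName": "HR-Sync-Connector",  "principalType": "ServicePrincipal",
   "resourceId": "11111111-aaaa-4aaa-8aaa-111111111111", "appRoleId": "role-0002"},
  {"principalId": "p-0002", "principalDisplayName": "Ticketing-Bot",      "principalType": "ServicePrincipal",
   "resourceId": "11111111-aaaa-4aaa-8aaa-111111111111", "appRoleId": "role-0004"},
  {"principalId": "p-0003", "principalDisplayName": "Legacy-Backup-Job",  "principalType": "ServicePrincipal",
   "resourceId": "11111111-aaaa-4aaa-8aaa-111111111111", "appRoleId": "role-0003"},
  {"principalId": "p-0003", "principalDisplayName": "Legacy-Backup-Job",  "principalType": "ServicePrincipal",
   "resourceId": "11111111-aaaa-4aaa-8aaa-111111111111", "appRoleId": "role-0001"},
  {"principalId": "p-0004", "principalDisplayName": "Dormant-Test-App",   "principalType": "ServicePrincipal",
   "resourceId": "11111111-aaaa-4aaa-8aaa-111111111111", "appRoleId": "role-9999"}
]}
""")["value"]


def role_names(resource_sp):
    """Map appRole id -> permission name for the resource's application permissions."""
    return {r["id"]: r["value"] for r in resource_sp["appRoles"]
            if "Application" in r.get("allowedMemberTypes", [])}


def find_high_risk_grants(resource_sp, assignments, watchlist=HIGH_RISK_APP_ROLES):
    """Return every (principal, permission) pair whose permission is on the watchlist."""
    names = role_names(resource_sp)
    findings = []
    for a in assignments:
        perm = names.get(a["appRoleId"])
        if perm in watchlist:
            findings.append({"principal": a["principalDisplayName"],
                             "principalId": a["principalId"],
                             "principalType": a.get("principalType", "?"),
                             "permission": perm})
    return sorted(findings, key=lambda f: (f["principal"], f["permission"]))


def unresolved_role_ids(resource_sp, assignments):
    """Role ids the resource no longer advertises: stale data, or a grant to review by hand."""
    names = role_names(resource_sp)
    return sorted({a["appRoleId"] for a in assignments if a["appRoleId"] not in names})


def grants_by_principal(findings):
    """Collapse findings to principal -> sorted list of flagged permissions."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["principal"]].append(f["permission"])
    return {p: sorted(perms) for p, perms in grouped.items()}


if __name__ == "__main__":
    hits = find_high_risk_grants(GRAPH_RESOURCE_SP, APP_ROLE_ASSIGNED_TO)
    for principal, perms in grants_by_principal(hits).items():
        print(f"REVIEW {principal}: {', '.join(perms)}")
    for rid in unresolved_role_ids(GRAPH_RESOURCE_SP, APP_ROLE_ASSIGNED_TO):
        print(f"UNRESOLVED appRoleId {rid}: resource appRoles changed or export is stale")
```

The join through the resource's `appRoles` is the point: the assignment records carry only role ids, so an export that is not resolved against the resource service principal tells you nothing about what was granted. Anything that fails to resolve is worth a second look rather than silently dropping, which is why it is reported separately.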

From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Saturday, July 24, 2021 at 2:50 PM
To: dailydave () lists aitelfoundation org <dailydave () lists aitelfoundation org>
Subject: [Dailydave] Active Directory - a clear and present danger

So I definitely have a different mental history of active directory than most people, and recently I was doing a 
Glasshouse podcast with Pablo Breuer <https://www.linkedin.com/in/pablobreuer/> and 
here <https://youtu.be/Z0d6qNLevUY?t=2714> he says basically the same thing everyone says, which is that it's impossible 
to move off of technology even when that technology has a history of severe flaws, or a design flaw that means it 
cannot be secured.

This is the current mental stance among CIOs familiar with large companies, or even medium size companies! And I get 
it! But if leopards keep eating your face, and every hacker in the world keeps recommending you stop giving them a 
cuddle, and you say "I can't, I have legacy systems in my head that love to hug large dangerous cats" then that stops 
being the government's problem, in a way. Like when people ask why Cyber Insurance Markets are obvious catastrophic 
failures, and we point at how they can't really change any meaningful behavior, and they have to insure the total 
market value of whatever company they are insuring because the cost of risk is basically a sliding scale of whatever 
the Russian ransomware team thought up that morning over kasha, then everyone gets that surprised face and it's all 
very annoying.

So anyways, that brings us back to AD. AD is a system where any time you hack any computer on the network, you can 
become the domain controller, and own the whole company. That's just how it works. Every hacker/penetration tester has 
known that for two decades, and the specific incantation on how you do that changes slowly over time, but it's always 
true. And then at INFILTRATE one year two Microsoft Research team members demonstrated an automation of the lateral 
movement piece, which is now what Bloodhound 
<https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx#:~:text=BloodHound%20is%20an%20application%20developed,their%20privileges%20within%20the%20domain.> 
is. So in theory everyone knows this right now, even though they like to blame EternalBlue for all their problems in 
life.

But when you point that out on Twitter <https://twitter.com/dinodaizovi/status/1418909301746327559?s=20>, people ask you 
what the alternative is, and I have to admit I disagree with DDZ that it's "Zero Trust". That sounds like adding more 
complexity to a system that is already SO COMPLEX even lifetime specialists not named James Forshaw don't understand 
the BASICS of the authentication system.

Like here's a paper <https://twitter.com/DebugPrivilege/status/1418884269376671755?s=20> that came out today that's in 
my queue all about Service credentials, and look - no matter how many new auditing tools or visualization thingies or 
AI anomaly detection alerts you deliver to your customers, if the underlying system is NOT UNDERSTANDABLE BY HUMANS 
then you can't secure it. I guarantee you that about 80% of the Russian ransomware affiliates understand Service 
Credentials and delegation better than your current AD management lead. Most of the time your AD ACLs are just you 
fooling yourself that you have a security boundary where you, in fact, don't.

Also, the problem is not NTLM. Everyone, stop talking about NTLM. It wouldn't matter if AD was re-implemented to use 
purely quantum key exchange, because only Gandalf can mentally visualize the transitive trust structures implicit in how 
you configured your AD Forests.

Ok so that brings us back to: What do you do instead? And honestly, I don't know. I've enjoyed reading the snippets 
that Grapl Security <https://www.graplsecurity.com/> has been posting about their setup. As far as I can gather, the 
TL;DR is just use Google as your directory server and use Chromebooks as much as possible.

This is what I do right now - but I'm not sure how scalable this is. Maybe y'all can pitch in on this thread and 
suggest a solution?

Thanks,
Dave Aitel

_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
