When we designed Active Directory environments in the last decade we thought that domains were a security boundary. Turns out they aren't. That was also before pass-the-hash and other APT type attacks were really a thing.
All that has changed. Most organizations find themselves with one or more big forests with all types of user accounts (privileged and end-user), resources, and system roles mixed together. And that leaves us especially vulnerable to persistent attackers who are willing to take the time to follow a horizontal kill chain jumping from system to system until they reach the pot of gold at the end of the rainbow.
We need to make it much more difficult for bad guys
- to jump from a compromised end-user’s account to the account of an admin or other end-user who has access to critical information
- to exploit credential artifacts found on one endpoint to leap to other systems and collect yet more credentials and access
To do that AD environments need more internal security boundaries and levels of security and in this webinar we will delve into how to do just that.
Microsoft is aware of these trends and needs and has been feeling the same pressure as the rest of us. They've responded with some interesting enhancements to AD. So, first, I will bring you up to date on little used features introduced in Windows Server 2012 Active Directory and more new stuff coming in Windows Server 2016 Active Directory such as:
- Password Setting Objects
- Authentication Policies
- Authentication Silos
- Kerberos enhancements like Kerberos Armoring
- Bastion forest for isolating privileged accounts
- Shadow security principals
- Expiring group memberships
All of these new features are designed to create those boundaries and slow down horizontal movement by bad guys – especially with regard to privileged accounts. I'll explain how these feature work and look at what it takes to implement them and give my take on cost vs. benefit.
But protecting information requires more than just protecting admin accounts. After all, there are many more end-users with access to the information you are trying to protect than there are admins so you don't have to necessarily get admin authority in order to steal information.
There are other ways build a more layered AD environment that can be additive or alternative to these new features in AD. Alvaro Vitta from our sponsor, Dell Software, will briefly show you how their AD security methodology coupled with enabling functionality in their suite allows you to reduce your AD environment's surface attack area. Dell Software's AD solutions were solving these problems years in advance of where we find ourselves today.
Don't miss this real training for free ™. Please register now.