The so-called “red-forest” (aka ESAE) design for securing AD is getting a lot of attention these days and that's good given the sophistication of today's attacks.
But let's take a step back and look at the broader picture. Doing red-forest on your own is a lot of work, and it doesn't address every AD infrastructure risk. After reviewing the AD security assessments I perform and comparing notes with a colleague who regularly performs AD risk assessments, I've come up with 6 infrastructure-level security findings that are important to address, non-trivial to fix, and commonly encountered:
- Security of Virtualization Infrastructure Hosting Domain Controllers Insufficient
There are a lot of good reasons to run domain controllers as virtual machines, but most organizations that do this have not taken into account that AD is then exposed to all the risks, vulnerabilities and privileged users of the virtualization infrastructure, which includes many more pieces than just the hypervisors.
- Insecure Endpoints Used with Active Directory Privileged Accounts
Just using 2 different accounts and Runas simply doesn't cut it anymore; that leaves you terribly exposed to pass-the-hash, golden ticket and other credential artifact attacks.
- Lack of Human Presence 2-Factor Authentication for Privileged Accounts
Notice I stress not just 2-factor but human presence. This is important whenever accessing a privileged account where there is any possibility at all of the local endpoint being compromised either now or even in the future.
- Inability to Certify Platform: Clean Source, Provenance, Secure Boot
You may put a lot of work into configuring a secure domain controller, hardening it and then monitoring it. But if it was installed from media, ISO or an image that was tampered with, all bets are off.
- Lack of Fine-Grained Network Control around Domain Controllers and Dependent Systems
We are basically talking about micro-segmentation, but there's a lot involved in really locking down every packet between domain controllers and related systems.
- No Enforcement of Secure Protocols
How do you enforce that administrators and integrated systems refrain from using insecure configurations and versions of RDP, LDAP, NTLM and other protocols?
In this webinar I'll dive into the details of these 6 risks and discuss how you can address them. Then Bhavik Shah will briefly show you how Skyport Systems provides a secure domain-controller-hosting environment in a box that accomplishes all of this and more.
Please join us for this comprehensive yet technical Training for Free™ webinar on Active Directory infrastructure risks and how to address them.