Break things, write reports

Daily Dave - Active Directory - a clear and present danger

AD is a system where any time you hack any computer on the network, you can become the domain controller - Dave Aitel

Tags: ad, daily dave | Categories: pentesting
Posted at — Jan 22, 2022

One of the odd things about Information Security is the insistence on using nonsense technologies to back everything, whine about how it’s all fundamentally broken, and then write a report about TLS findings instead of recommending actual changes.

Anyway, this often gets reiterated, but when it’s said so succinctly it needs to be preserved for the sake of posterity. I’d like to quote Dave Aitel directly from https://seclists.org/dailydave/2021/q3/0 on Active Directory:

""" AD is a system where any time you hack any computer on the network, you can become the domain controller, and own the whole company. That’s just how it works. Every hacker/penetration tester has known that for two decades and the specific incantation on how you do that changes slowly over time, but it’s always true. """

Being a penetration tester for what seems like either “a while”, “long enough”, or perhaps “too bloody long”, I know the above to be accurate; there’s always another iteration of some form of Potato, be it hot, rotten, some kind of nightmare, or just some long-standing issue with cryptography using all zeroes in a nonce, like Zerologon.

BloodHound seemed to make this a significantly easier problem to enumerate (and exploit), and efforts were made to “automate the specific incantation” for becoming the domain controller (like DeathStar), but ultimately - it seems like a lost fight.

Microsoft seems to be in a situation where they’ve put all their effort into making Azure perform worse than Linode (https://elixirforum.com/t/azure-disk-i-o-performance-is-extremely-low-compared-to-other-cloud-providers/24446), with the security aspects being about as bad. With that effort going into Azure, everything on-prem performs just as poorly: witness the series of Exchange issues and the reimplementation of the Y2K bug (https://www.theverge.com/2022/1/2/22863950/microsoft-exchange-y2k22-bug), ironically in the security component (the antimalware engine).

With a vendor who seems to have given up on anything on-prem while producing terrible “as a service” offerings, it’s unclear why anyone would want to stay with this line of products.

What’s the solution? Aitel nails it by picking understandable technology and going as far as to say, “the TL;DR is just use Google as your directory server and use Chromebooks as much as possible.” I agree with that - make everything a web app (WebAssembly is pretty nice at this point too), buy more Chromebooks, and get rid of Active Directory.