From Workstation to Domain Admin: Why Secure Administration Isn't Secure and How to Fix It

Organizations have been forced to adapt to the new reality: Anyone can be targeted and many can be compromised. This has been the catalyst for many to tighten up operations and revamp ancient security practices. They bought boxes that blink and software that floods the SOC with alerts. Is it enough?

The overwhelming answer is: No. The security controls that matter most are the ones that best protect those with the keys to the enterprise, the Active Directory administrators. With this access, an attacker can do anything they want in the environment: access all sensitive data, change access controls and security settings, embed to persist (for years), and often fully manage and control routers, switches, the virtualization platform (VMware or Microsoft Hyper-V), and increasingly, the cloud platform.

Administrators are being dragged into a new paradigm where they have to administer the environment more securely. This involves protecting privileged credentials and limiting access. Again the question is: Are the new ways to securely administer Active Directory enough to protect against attackers? Join me in this session to find out.

Introduction & About Me
This talk covers several of the most common methods of Active Directory administration and the key weaknesses to these approaches. While the organization thinks this will protect them, I cover the reasons why it won’t and demonstrate how to exploit these lesser methods.

Where we Were - Old-school Active Directory Administration
In the beginning, there were admins everywhere. Some environments actually had almost as many Domain Admins as users. This resulted in a target-rich environment with multiple paths to exploit. The traditional methods of administration are trivial to attack and compromise because admin credentials are available on the workstation.

Where we Are Now - The New School of AD Administration
Organizations are slowly and gradually improving defenses. Key to this is limiting who has privileged rights (reducing admin group membership and stripping rights down to what’s actually required) and controlling where they log on (via Group Policy or user logon controls). This is definitely a step in the right direction, but it still does not solve the issues with how administration is typically done (which is all too often still performed from a regular workstation).
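As an added illustration of the first half of that advice (reducing and reviewing privileged group membership), the following PowerShell audit is example code written for this page, not material from the talk or its speaker. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read group membership, and that the default built-in group names "Domain Admins" and "Protected Users" are in use. It lists every user who is, directly or through nesting, a Domain Admin and flags the accounts that are not in Protected Users, are still delegatable, or have an old password, which are the first candidates for removal or hardening.

```powershell
# Added example (not from the talk): audit Domain Admins membership and basic credential hygiene.
# Assumes the ActiveDirectory module and read access to group membership in the domain.
Import-Module ActiveDirectory

# Resolve Protected Users once so each Domain Admin can be checked against it.
$protectedDns = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName

# -Recursive expands nested groups, so indirect Domain Admins are caught too.
$findings = foreach ($member in Get-ADGroupMember -Identity 'Domain Admins' -Recursive) {
    if ($member.objectClass -ne 'user') { continue }   # skip nested groups/computers

    $user = Get-ADUser -Identity $member.DistinguishedName `
        -Properties AccountNotDelegated, PasswordLastSet, LastLogonDate, Enabled

    $passwordAgeDays = if ($user.PasswordLastSet) {
        [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    } else { $null }   # null means the password was never set / is unknown

    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        Enabled          = $user.Enabled
        InProtectedUsers = $protectedDns -contains $user.DistinguishedName
        NotDelegated     = [bool]$user.AccountNotDelegated   # "sensitive, cannot be delegated"
        PasswordAgeDays  = $passwordAgeDays
        LastLogonDate    = $user.LastLogonDate
    }
}

# Full inventory of who actually holds Domain Admin rights.
$findings | Sort-Object SamAccountName | Format-Table -AutoSize

# Accounts that most need attention: not in Protected Users, delegatable, or stale password (>90 days).
$findings |
    Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated -or $_.PasswordAgeDays -gt 90 } |
    Format-Table SamAccountName, Enabled, InProtectedUsers, NotDelegated, PasswordAgeDays -AutoSize
```

Run it from an administrative host on a schedule and diff the output against the previous run: a Domain Admin appearing that nobody added through change control is worth an immediate look. The second half of the advice, controlling where these accounts log on, is enforced separately through Group Policy user rights assignments (the "Deny log on locally" and related settings applied to workstation OUs) and is not covered by this script.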

The latest, “Best” way to Admin Active Directory and how to get around it
There are a number of “best practices” for secure administration described on the internet and by security vendors, but what is the truth behind these claims? How effective are these “advanced” methods to securely perform administration? This section walks through these “best of breed” secure administration methods and demonstrates how attackers could exploit the weaknesses and still own the admin accounts (and Active Directory).

Keys to secure administration: How to design and implement a secure administrative method
So far we have covered the flaws with the most common administration methods. What is the best way to securely administer the environment? This near-final section of the talk discusses the most important components in designing a secure administrative system and focuses on how to work with executives, operations, and the security team for successful implementation.

Conclusion
The concluding section starts off by summarizing the methods shown and how/why they fail. Most organizations have done “something” to better secure their environment. It’s not enough and while some attention has been paid to improve the security of administration (via two-factor/multi-factor authentication).

About the Speaker