[MUSIC PLAYING] One of the most important hurdles to making the move to the cloud is security. Everybody is challenged with that. How do you address this new hybrid environment? How do you solve any of the challenges you're dealing with?
And I'm really looking forward to bringing up Randy Franklin Smith. He is a Microsoft MVP. Randy writes on Windows security issues for publications like Windows IT Pro. Everybody familiar with that?
Yeah, so if you are familiar with that-- you're already clapping. That's amazing right there. Nicely done. I do want to bring Randy up to the stage. Randy? He's our next speaker.
So when Quest gave me the choice of a topic, which is really cool when you get to do that, I said I want to do something that's really valuable. And I said, let's make a session about the one command that if you run it in your Active Directory environment, and if all of these companies that you saw in the opening video had run beforehand on their domain controllers, they would have shut down all of these attacks. They just would not have happened.
So good, I see some laptops out. You're ready. I'm going to spell this command for you. S-H-U-T.
[LAUGHTER]
But then I got to thinking, it's going to be a pretty short presentation. So seriously, though, if you have some chewing gum, put it in your mouth. Start chewing, because we're going to drop in altitude really fast, pretty much down to ground level, because I did want to make this a technical and practical session. So here goes.
Recent security features in Active Directory. And I think it's safe to say, and I am really happy. I want to hear from you guys later. I'll be over at some of these other venues here at Quest later. And I'd like to hear about which ones you're currently-- that you're already using.
But when I talk to your colleagues, we're not using most of these. Even though I think recent may be a little bit of a stretch, because when we look at Active Directory 2019, there's nothing to talk about, in fact, in terms of new security features. There's one really cool one that I look forward to showing you in 2016.
Now, the rest of these, believe it or not, were introduced-- when you start counting up the years-- a long time ago. But the funny thing about it is the way they were introduced in 2008, they were kind of buried. You had to use PowerShell or other commands, or sometimes there was nothing. You just had to go into ADSI edit in order to use them.
And so no momentum happened with those features. Then in 2012, they were surfaced higher in the UI and made more accessible. But we'd kind of forgotten about them by then. And I think that is maybe why most of us aren't making good use of these.
So to wit, what are we talking about? All right. In the next few minutes, we'll talk about password setting objects, authentication silos. That's probably my favorite one right there. We could be doing a lot to combat one of the things that you saw.
Did you see him typing or playing with Mimikatz in the opening video? It's a really cool video. But right there, we could knock down a lot of credential harvesting attacks. But I'm getting ahead of myself.
Dynamic access control, a way of setting up your audit policy globally for the whole forest, group managed service accounts. So managed service accounts got a bad name. That got fixed with the next version of AD. But again, we kind of lost momentum there.
So I look forward to showing you that. And then there's a couple other cool things. And I'll finish up with the most truly recent feature, and that's temporary group membership.
So password setting objects. How many of you are using those already, know what they are? OK, good. So it's good I put this in here.
Back in the day, when I was teaching Active Directory security and auditing, one of the things I always had to break to the audience is if you want more than one password policy-- so you want some users with this password policy. You want other users with a different minimum password length or password lockout policy. Multiple domains. You actually had to set up multiple domains to do that.
Well, that went away a long time ago. In 2008, we got the ability to have granular password policy. So if you want your privileged users to have stronger passwords or you want to make exceptions for a certain set of users-- very bad practice. And I hope it doesn't happen anymore.
But back in the day, your C-level executives-- we have a special requirement. We want to relieve them from ever having to change their password or even have a password, maybe. So we had to create another domain to do that. And I'm sure none of you guys ever did anything like that.
But when is this valuable? There's some interesting things going on about passwords right now. Of course, passwords are still here. We've got to deal with them. And sometimes our compliance requirements get very prescriptive and specific. And we have to implement those.
So that's one place where we could use password setting objects. The other thing is-- and this is, I'm kind of channeling BOFH here-- but users that complain. This is a feature that can really give you some satisfaction with dealing with those users that complain. I'll show you how to do this.
So this has been surfaced since Windows 2012 in the UI. And it's simply a matter of creating an object, password setting objects. You can see where it is in the screen print there. And now you get all of those same password settings that we used
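As an added example (not from the talk or its slides), the privileged-user case above scripted with the ActiveDirectory PowerShell module instead of the UI; the PSO name, the target groups and the account name are placeholders, and a domain functional level of Windows Server 2008 or later is assumed.

```powershell
# Added example, not from the talk: a fine-grained password policy (PSO) that gives
# privileged users stronger password and lockout settings than the default domain policy.
# Names below are constructed placeholders; adjust to your environment.
Import-Module ActiveDirectory

# 1. Create the PSO. When a user is covered by more than one PSO, the one with the
#    LOWEST Precedence value wins, so reserve low numbers for the strictest policies.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged-Users' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stronger password and lockout settings for privileged accounts'

# 2. Apply it. PSOs bind to users and global security groups, never to OUs,
#    so target the privileged groups directly.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Privileged-Users' `
    -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# 3. Verify what a given admin actually gets. An empty result means no PSO applies
#    and the Default Domain Policy still governs that account.
Get-ADUserResultantPasswordPolicy -Identity 'someadmin'   # placeholder account

# 4. Audit every PSO and who it applies to. This is how you spot the "exception"
#    PSOs the speaker warns about (e.g. one that relaxes expiry for executives).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge,
        @{ n = 'AppliesTo'; e = { ($_.AppliesTo | ForEach-Object { (Get-ADObject $_).Name }) -join ', ' } } |
    Sort-Object Precedence | Format-Table -AutoSize
```

Step 4 is worth running periodically: a PSO with a low precedence and a very long or unlimited MaxPasswordAge applied to a broad group silently overrides the domain policy for everyone in it.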