Sean Metcalf is a Microsoft Certified Master. Fun fact, he is one of 100 people who hold that on this planet. So he's going to come up here and talk a little bit about Active Directory security. Let's give him a big round of applause. Sean, where are you? There you are.
So as mentioned, I'm a Microsoft Certified Master. I am Sean Metcalf. Also, I've run a little site called adsecurity.org, which hopefully many of you have used. Let me see hands if you've heard of it at least. If you haven't, talk to the people who are raising their hands as to why. I won't talk about that.
I've spoken at a number of conferences. Very happy to be at TEC. This is great.
I have worked as an Active Directory engineer for a long time, pretty much since soon after Active Directory was released. And I've worked with a large number of organizations, a lot of different types of organizations, on their Active Directory, and started really pivoting towards the security side of it in, say, 2003, 2004, 2005, when a lot of the focus was on who can change passwords, who's a member of Domain Admins. And then certainly in the last five years or so, things got a lot more complicated. So let's talk about that. There we are.
So I'm going to go over the current state of Active Directory, not just on-prem but also Azure AD, because a lot of organizations have decided to make that move to the cloud. And we'll talk about why. So we're going to focus on attacking Active Directory, some of the most common types of attacks and the related security issues that we see at Trimarc when we're doing security assessments and working with customers to help them tighten things up, as well as the attacks against Azure AD and Office 365.
So attacking Active Directory, this is something that is interesting to me personally, of course, because I'm an Active Directory person, as I'm sure many are in this room. The issue with Active Directory certainly is that everything gets integrated into it. So we have environments with large VMware farms, and the VMware Admins group is in Active Directory. We have large networking configurations, and the network admins are in the directory.
So attackers have realized that it's not just data, it's about control. So they're going after Active Directory. They're taking control of it.
But attackers require a few different things. They need an account, which is the credentials. They need the rights, the privileges, associated with that account. And they need the access. They need to be able to connect to those resources.
So when you're thinking about defending or protecting your AD environment, and really any resource, you want to look at these three things, because if you can protect the credentials of that account and that account has the rights all the time and has access all the time, then you have one control point that you're able to protect that environment against an attacker. Or if the credential is a concern, then you can protect one of the other two things. The best thing you can do is protect all three of these. And we'll talk a little bit about that.
Because ultimately the attacker's capability depends on the defender: how you set up the environment. Jessica Payne, in her BSides Charm keynote last year, talked about building the attacker's playground. As a defender, as an IT architect, as an IT systems engineer, I want you to think that way.
Your environment, that's your home base. You get to configure that and set that up however you like within political, bureaucratic, et cetera, reasons or possibilities. But you have that control.
And the problem is that traditionally this has been very tough. We've had everything from "everyone's a domain admin" to administration from anywhere. Service accounts with AD rights go into Domain Admins. We have backups on regular user workstations. We're going to throw that backup system into Backup Operators, because sure, why not? We have management systems that control everything.
But, ultimately, agents are everywhere. And a full compromise is very likely, because if we continue to manage things the way we have since the beginning of AD, so the 2000 time frame, as we do now in 2019, we're going to have some problems.
And one of the things that I talk to people about is, as an attacker, is Domain Admins what they need? No, not at all, because these rights are everywhere, these different avenues of compromise. There's GPO permissions. There's AD permissions. There's group nesting, over-permissioned accounts. I'm going to talk about a number of these and why these are problematic in a lot of organizations, because, as I said, these rights are everywhere.
We have workstation admins. We have server admins. What happens with this? OK, you can't get domain admin, so what I'm going to do is, in order for you to have admin rights on all the workstations, I'm going to create a group called Workstation Admins and nest that into every workstation in the organization. Or in large organizations, I'm going to do that, but then I'm also going to have OU admins that are then nested into the workstations within that OU.
And server admins or Exchange admins, they're often application admins. They have control over all the servers, because that's the way it's always been. And sometimes the server admins end up being admins of domain controllers. Help desk admins have rights on a number of things. It gets more complicated from there, as you know.
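The group nesting and over-permissioned accounts described in the talk are something you can measure rather than guess at. The PowerShell below is an added example written for this transcript; it is not code from the talk, from Sean Metcalf or from Trimarc. It assumes the RSAT ActiveDirectory module is installed and that the session can read the domain. It expands the privileged groups the talk names (Domain Admins, Backup Operators) plus the other protected built-ins, walks the `member` attribute itself so the nesting path that granted each right is kept, records nesting depth, and flags user accounts that carry a servicePrincipalName, since an SPN is the usual sign of a service account sitting in a privileged group.

```powershell
# Added example (not from the talk): expand the built-in privileged AD groups recursively,
# record each member's nesting path and depth, and flag likely service accounts (SPN present).
# Assumes: RSAT ActiveDirectory module is installed, and the session can read the domain.
Import-Module ActiveDirectory

# The groups called out in the talk (Domain Admins, Backup Operators) plus the other
# protected built-ins that grant control over domain controllers or accounts.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'
)

function Get-NestedMembers {
    # Walk the member attribute ourselves (rather than Get-ADGroupMember -Recursive)
    # so the nesting path that granted the right is preserved in the output.
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [string[]]  $Path = @(),
        [hashtable] $Seen = @{}          # guards against circular nesting and duplicates
    )
    $group   = Get-ADGroup -Identity $GroupDN -Properties member
    $newPath = $Path + $group.Name
    foreach ($memberDN in $group.member) {
        if ($Seen.ContainsKey($memberDN)) { continue }
        $Seen[$memberDN] = $true
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, sAMAccountName, servicePrincipalName
        if ($obj.objectClass -eq 'group') {
            Get-NestedMembers -GroupDN $memberDN -Path $newPath -Seen $Seen
        } else {
            [pscustomobject]@{
                PrivGroup = $newPath[0]
                Member    = $obj.sAMAccountName
                Class     = $obj.objectClass                 # user, computer, foreignSecurityPrincipal, ...
                HasSPN    = [bool]$obj.servicePrincipalName  # SPN on a user => almost certainly a service account
                NestDepth = $newPath.Count                   # 1 = direct member, 2+ = reached via nesting
                NestPath  = ($newPath -join ' -> ')
            }
        }
    }
}

$findings = foreach ($name in $PrivilegedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'"
    if ($grp) { Get-NestedMembers -GroupDN $grp.DistinguishedName }
}

# Everything, deepest nesting first: the long paths are the ones nobody remembers granting.
$findings | Sort-Object PrivGroup, NestDepth -Descending | Format-Table -AutoSize

# The specific anti-pattern from the talk: service accounts holding privileged group membership.
$findings | Where-Object { $_.Class -eq 'user' -and $_.HasSPN } |
    Format-Table PrivGroup, Member, NestPath -AutoSize
```

The `$Seen` table is passed down through the recursion so a group that is nested into itself through another group does not loop forever, and so an account reached by two paths is reported once, on the first path found. Anything with a NestDepth of 3 or more, or a user with HasSPN set, is the kind of membership the talk says attackers look for instead of Domain Admins itself.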
So one of the things I did in my free time, because I have an interest in security and permissions, is I went through and looked at a lot of the different documentation that vendors put out, software vendors. And I found that there was a theme of what they wanted-- domain user