MJFChat: How to Secure Active Directory
We’re doing a twice-monthly interview show on Petri.com that is dedicated to covering topics of interest to our tech-professional audience. We have branded this show “MJFChat.”
In my role as Petri’s Community Magnate, I will be interviewing a variety of IT-savvy technology folks. Some of these will be Petri contributors; some will be tech-company employees; some will be IT pros. We will be tackling various subject areas in the form of 30-minute audio interviews. I will be asking the questions, the bulk of which we’re hoping will come from you, our Petri.com community of readers.
We will ask for questions a week ahead of each chat. Readers can submit questions via Twitter, Instagram, Facebook and/or LinkedIn using the #AskMJF hashtag. Once the interviews are completed, we will post the audio and associated transcript in the forums for readers to digest at their leisure. (By the way, did you know MJFChats are now available in podcast form? Go here for MJF Chat on Spotify; here for Apple Podcasts on iTunes; and here for Google Play.)
Our next MJFChat, scheduled for August 18, is focused on how best to secure your Active Directory implementation. My special guest is Semperis Director of Services and Microsoft MVP Sean Deuby We want you to submit any and all of your questions for Sean ahead of our chat.
Sean is ready to discuss ways to protect the core of the whole zero trust cloud security model – your Active Directory. Even though most organizations are already implementing, if not at least dabbling with, cloud configurations, there is still a lot of Active Directory out there. And it’s not going away anytime soon. With hybrid-computing models, Active Directory is actually more important than ever. Sean has lots of ideas regarding best practices and more.
If you know someone you’d like to see interviewed on the MJFChat show, including yourself, send me a note at [email protected] (Let me know why you think this person would be an awesome guest and what topics you’d like to see covered.) We’ll take things from there….
Mary Jo Foley (00:01):
Hi, you’re listening to the Petri.com MJF Chat show. I am Mary Jo Foley, AKA your Petri.com community magnate. And I am here to interview tech industry experts about various topics that you, our readers and listeners want to know about. Today’s MJF Chat is going to be all about securing Active Directory and who better to talk about this than Sean Deuby, a former Microsoft Identity MVP, and current Director of Services for Semperis, which is a vendor of Enterprise Identity Protection Solutions. Welcome Sean, and thank you so much for doing this with me.
Sean Deuby (00:39):
Hi, Mary Jo. It’s always great to have any excuse to get together with you.
Mary Jo Foley (00:43):
I agree. Thanks. So I really liked this topic because I feel like it’s something many people kind of gloss over, Active Directory. I feel like we talk a lot about Azure Active Directory, but we don’t talk enough about Active Directory itself. I feel like, you know, with everybody talking about the cloud these days, especially when more and more people are working remotely during the pandemic, people just say, yeah, Active Directory, it’s there, but it’s not going away anytime soon. Right?
Sean Deuby (01:15):
No. And I think you brought up a great point. You know, AD is not as sexy as cloud video conferencing or TikTok videos.
Mary Jo Foley (01:27):
Oh, you had to go there didn’t you TikTok.
Sean Deuby (01:31):
Well, AD is kind of the opposite of interesting and sexy things, you know, but yeah the reality is AD remains fundamental to pretty much every company that’s been around for more than, I don’t know, five years, something like that. It’s arguably one of the most installed Windows services. And I don’t know, a long time ago, there was a Microsoft quote that said that worldwide, every company that has more than about 500 users, about 90% of those companies have Active Directory installed in some way, shape or form. So AD’s everywhere. And you know, if you think about it and people always ask me, so when is AD going away, is AD dead? AD has got far more penetration than mainframes ever did, and mainframes are still around,
Mary Jo Foley (02:30):
Sean Deuby (02:31):
So AD will be around in some way, shape or form for many, many companies long after you and I retire.
Mary Jo Foley (02:40):
And also I think, a point that people forget is Active Directory on premises is still key to your cloud security too. Right? I mean, I think people just immediately jumped to AAD Azure Active Directory, but I feel like AD itself on prem is also really, really important in terms of security. And I feel like that’s probably something you have seen a lot in your work at Semperis.
Sean Deuby (03:07):
Yes, that’s true. And actually across my whole career has sort of been this, as somebody pointed out to me the other day, an arc, where I started in Active Directory actually before Active Directory to NT, but Active Directory, a lot of time in Active Directory for Intel Corporation and then times consulting on it. And then a lot of cloud work. You know, when I did my stint as a technology journalist writing about the rise of cloud computing and some of the first articles on Azure Active Directory and then consulting on it, and now here I am, I’ve come back full circle to talk about Active Directory because it really is so fundamental. The logic goes like this. So most organizations use Active Directory for their corporate accounts. And now that they’re doing cloud activity, most orgs want their users to use their corporate accounts, to do all this cloud stuff, Office 365, Salesforce and you know, much of the drive in cloud activity, in cloud applications is to integrate with these big cloud identity services, Azure Active Directory, Okta, these others to get single sign on through SAML or OAuth.
Sean Deuby (04:34):
But the reality is what happens is they use some kind of utility for Azure Active Directory it’s AD connect to project their on premises, Active Directory identities up into the cloud. So the reality is these cloud services, most of the identities in the cloud services are sourced from on-prem Active Directory.
Mary Jo Foley (04:59):
Sean Deuby (05:01):
Yeah, exactly. Because I mean, from a security viewpoint, the last thing that organizations want is everybody to create new separate user IDs and passwords for all these proliferating cloud services. Because the reality is what they do is they choose, they put their corporate credentials in there. So their corporate credentials are scattered everywhere. So the idea is to use one set of credentials, which for most companies is on-premises Active Directory populated up into Azure Active Directory. Now there may be also a subset of users that also have cloud only credentials and that’s growing more substantially, but the bulk is still Active Directory. So what that means is not only is AD not going away, it’s more important than it’s ever been. And you could even put, as we do for so many things, put a COVID spin on it, which is, as everybody is stampeded to remote work, everybody’s stampeded to the cloud more, a lot of organizations that were on the fence or going to cloud computing, have been pushed off the fence into it with their remote access and all that. And they’re using Active Directory as well. So if you map across AD’s on premises influence into the cloud, it’s only increased in 2020.
Mary Jo Foley (06:34):
All right. So we’ve just basically established Active Directory is key to companies who are doing hybrid type scenarios, but it still feels like even though that’s true, IT is often lackadaisical in beefing up their AD security. It’s like, it’s almost an afterthought. So how do you get IT to change this mindset?
Sean Deuby (06:57):
Well, I think what you’re saying is pretty true. I talked to a lot of companies and I talked to a lot of Active Directory administrators and security people. I mean, if you think about it, AD has been around 20 years, last spring, it was 20 years ago that I helped install Active Directory in Intel. That’s forever in IT years.
Mary Jo Foley (07:18):
Sean Deuby (07:18):
And what, it’s a fantastic design because it just works. It’s super fault tolerant against things like power failures, hurricanes, tornadoes, you know what we historically think of for disaster recovery situations. So management has gotten complacent that it’s just there and it’s just working. The analogy that, we use a couple of analogies talking about Active Directory. One is plumbing, which is a little less palatable, but a much better one I think is electricity. It’s fundamental to the way a company operates. It’s fundamental to things moving forward, but you don’t think about it. It’s always there until it’s not there.
Mary Jo Foley (08:10):
Sean Deuby (08:12):
So back to your question, because it’s so ubiquitous and it’s so reliable, it’s easy to lose focus on how fundamental AD security is to everything. AD security, AD availability, you know, your line of business applications depend on it, file services on the network, logging into your PC, even even getting badged into your local data center may rely on AD security and AD availability. We do a lot of work on AD disaster recovery. And in some of the workshops that we do, you know, we’ll ask the customer, okay, have you thought about if AD is not available, how are you going to do X, Y, or Z? And sometimes maybe it comes down to, Oh yeah, that means throwing a chair through the window of the data center, because we can’t get in there because we can’t badge in because Active Directory is not available. So we can’t fix Active Directory.
Sean Deuby (09:15):
So there’s usually some moment of realization where something they thought that they had it all. They thought they had all the dependencies figured out. But there is inevitably something that isn’t figured out that causes them to scratch their head and go off. Now, you know, how do you change the mindset for people paying attention to Active Directory? I think what’s changing the mindset is the rise of ransomware or more broadly. What I think of is denial of availability malware. So in other words, not just ransomware, but the really bad wiper wear type stuff like NotPetya, right. And I think the key is that it’s a completely different type of disaster recovery scenario. Traditional disaster recovery tends to be sorry, traditional disaster tends to be geographically focused, a power failure, or a hurricane, a tornado, that sort of thing. When you get hit by a ransomware wiper, where it’s not limited to physical location, the location is your corporate network.
Sean Deuby (10:30):
So everything on the network can be hit as fast as those electrons as those packets can get across the network. For the point of Active Directory. The point is that it can hit all of your Active Directory. Previous disasters would hit some of it an AD can bounce right back. But if you hit all of your Active Directory, that is a serious, serious issue because when AD is really clobbered, when all of the domain controllers that support it are down, it’s really difficult to get back. It’s a complex, yeah, it’s a multithreaded operation. There’s about 28 steps and they have to be coordinated, exactly. Or you have to do it all over again. And that while the executives are running around screaming with their hair on fire, because the company has stopped.
Mary Jo Foley (11:24):
Sean Deuby (11:25):
So, I mean, for those of us that have been in bad situations like that, I use the joke. Yeah. You know, you can work issues and all that, but you haven’t really worked issues until you’ve had someone on a crisis bridge in your ear, screaming to get it back up again.
Mary Jo Foley (11:39):
Yeah. I know. I feel like this comes up even for Microsoft, you know, when they have an outage with Azure, a lot of times what also goes down simultaneously is the portal for communicating to people what’s happening. And so, people look at the portal and they see, Oh, wait, everything’s good. The green light is on, but why is everything down? And even down to the actual point of how do you communicate to people when every single thing is down, that’s connected to Active Directory too, right?
Sean Deuby (12:08):
Yes. Well, and it’s the prevalence of this too. It’s the, you know, in the traditional risk, in a risk analysis, you look at the threat and you look at the impact of the threat and you look at how likely is that threat to happen. And boy, ransomware, pegs those. We’re seeing them every day. We just saw, Canon I think is still ongoing in it’s ransomware scenario. Garmin was hit last month. University California, San Francisco was hit the month before. And, you know, the smallest stuff seems to be happening almost every day. In the wiper wear area and talking about the danger or the difficulty of this, really the best known example of this is when Maersk got hit by NotPetya.
Mary Jo Foley (13:06):
Sean Deuby (13:08):
I think a lot of security professionals are aware of it, but I’ve done some really deep reading into it. And it’s really, you know, Andy Greenberg has got a great article, but the best known example of it is Andy Greenberg Wired article about NotPetya. He wrote a book called Sandworm that goes into it in a little more detail. And actually the CSO has done a couple of presentations about it as well. And when they were hit by this, you know, they’re not an unprepared company, they are the world’s largest global shipping company. I think it’s one fifth of the world’s containers travel on their stuff. But when they were hit, it encrypted 55,000 devices across their network within seven minutes.
Mary Jo Foley (13:58):
Sean Deuby (13:59):
I mean, that’s faster than you can run across the room and start tearing network cables out. And to the point of Active Directory and Active Directory disasters, they knocked out 146 of 147 Active Directory domain controllers within those seven minutes.
Sean Deuby (14:18):
And the only reason that they had any AD left at all is because one of the domain controllers was in a branch office in Ghana, Africa.
Mary Jo Foley (14:32):
Sean Deuby (14:32):
And I hear a couple of different variations of the story, but it’s a great story. So the network admin for that office got himself to Lagos, Nigeria because he didn’t have a visa to go to England where the IT headquarters was, is. So he went to Lagos handed over the drives to a sysadmin in Lagos, who then flew on the company’s Gulf stream, G450 jet, got his own personal trip up to England where he delivered the hard drives to the IT staff. And they proceeded to start piecing AD back together. It took them a total of nine days to put AD back together. And none of the other line of business systems could come up until you brought AD backup. Well, you’ll appreciate this. The first domain controller that they brought up on the recovered forest was on a Surface Pro 4.
Mary Jo Foley (15:36):
Sean Deuby (15:36):
Yeah. So all this to say, you know, Maersk is the best known, but NotPetya hit a lot of other companies for a lot more money. They hit Merck, they hit Mondelēz, a bunch of other ones and like ransomware, you know, you just can’t reasonably expect that you’re not going to be hit by something like this, and you have to be prepared for it. And you have to be prepared for the full on forest recovery. Everything is down type situation, that historically companies have not really been ready for because it’s really difficult and because it’s really rare.
Mary Jo Foley (16:21):
Worst case scenario for sure. Okay. We’re going to switch gears now with a listener question. And this is like a total 180 from what we were just talking about, but still an interesting scenario. Matt Levy on Twitter said, I’d like to hear Sean rate in order of priority the following. And now he’s got a list of different security related technologies. So he’s got MFA, block legacy auth, app admin consent, workflow, identity protection, and PIM. And he said, especially consider those customers that don’t have AAD plan one. So this is a very specific question, but I think he’s trying to get you to say, you know, there’s so many different things that we have to pay attention to here in the security world, but what would be like your first order of business,
Sean Deuby (17:16):
Right. And also what is the least, the implication is what is the least expensive way to get into it?
Mary Jo Foley (17:21):
That’s true. Yeah.
Sean Deuby (17:23):
So, yes, Azure Active Directory has three levels. The first is free, which incidentally you automatically get, this is the smoothest. This is Microsoft repeating. What they did, their Active Directory success only in the cloud. So when you get, when you buy Office 365, for example, and you set it up for your company, what happens underneath is that you have an Azure Active Directory tenant that is created for you. And so all of a sudden, you know, everybody that wants, let’s face it, nobody wants identity services because they love identity. Identity is just a road bump to get to what, you know, to what you really want to get to. So all of a sudden, bang, you got an Azure Active Directory tenant, and that is the free version.
Sean Deuby (18:12):
And as an aside, this is how Microsoft conquered the world with Active Directory because people, they didn’t care about Active Directory. They didn’t want Active Directory. What they wanted was Exchange and Exchange was AD integrated. So you had to install Active Directory to get Exchange. It’s the same model. They just repeated it with Azure AD. So you’ve got an Azure AD free version. You’ve got an Azure AD P1, plan one, and you’ve got an AZure AD P2, obviously more expensive, more features. Azure AD free gets you a lot of the fundamental capabilities of it, but not so much of the security. What is available with Azure AD free? The main thing that’s available is a MFA, multifactor authentication that they’ve, Microsoft has fairly recently made that available to all additions. So you can enable multifactor authentication, which still remains the single most important step you can take to preventing credentials compromise.
Sean Deuby (19:17):
So that’s number one is get MFA installed. The free version also has basic security reports. So you can look at the sign in reports, that sort of thing there, after the fact sign in reports that may show issues. They’re not proactive, they don’t send you warnings. So the next step up is the P1 or the P2 additions, which are more expensive, but you have, you know, ways you can mitigate that a little bit, the single most important thing that you get when you step up to P1 is a conditional access. You know, conditional access, Alex Simons, I believe is, you know, he called conditional access, the secret sauce that makes Azure AD so secure. The ability to evaluate a sign in session and a user session on a bunch of different parameters, what’s their identity. Have they done MFA? What device are they on?
Sean Deuby (20:15):
What location are they in? What the risk is? All of that. That gives you, the P1 gives you the core components of conditional access. Moving up from that, P2, some companies are moving to P2, not so many companies, but there’s a lot of penetration with P1. One of the things that I recommend instead of paying for all of P2, is privileged identity management or PIM is you can buy privileged identity management licenses just for your administrative accounts in Azure Active Directory. So, you know, PIM gives you the ability to do workflow elevation, to privileged accounts, to privileged access. So you can have a regular user that submits a request to be elevated to global administrator role in Azure Active Directory, they have to get it approved, and then they’ll have it for some designated period of time. Their activity is logged and then they’re automatically demoted again. So that’s a great security feature, and it’s not expensive if you just turn it on for your administrative users.
Mary Jo Foley (21:26):
Okay. Yeah. That’s good. So this is a much broader question I’m going to ask now, but what’s the very first step that you would recommend a company to take if they have, what might be considered lax AD security? Like if we just kind of prioritized these Azure Active Directory features, but if you were just going into a company and saying, all right, you guys are kind of a mess with your Active Directory. What’s the first thing you would say for them to do?
Sean Deuby (21:58):
Get rid of your domain administrators.
Sean Deuby (22:03):
Probably the single most overused aspect of this are too many users with administrative accounts and yeah, and more broadly than domain administrators. I say that to focus on it, but there’s a collection of roles that are elevated, just, you know, just as there are in Azure Active Directory, that tend to get used and abused account operators, backup operators, you know, domain administrators and others. And historically what happens, and this is classic IT, and it’s also human nature is when people want something, they want it right away.
Mary Jo Foley (22:46):
Sean Deuby (22:46):
Busy people say, okay, well, I know if I give them domain admin rights, then they’ll be able to get their work done. But when people are done with, what they need, they never say, Oh, you can take it back, please. I don’t want it anymore.
Sean Deuby (23:01):
Nobody says that. So, you know, what I see almost universally in AD because it’s been around for so long for so many companies is just all this cruft, just this accumulated accumulation of rights and access that even, most of them are no longer applicable, but even if they are applicable, there are ways to pin it down. You know, a fundamental resource for anyone that wants to get better with AD security that I would recommend is a what I jokingly call the otherSean, Sean Metcalf, who is much better known in the AD security world. His website, ADsecurity.org is the place to go for learning everything about Active Directory security, Active Directory attacks. What is a golden ticket attack? What is a passthe hash attack? What is an overpass the hash attack, you know, how do you abuse group policy? My colleague, Darren Mar-Elia also known as the GPO guy has published seminars on, you know, how do you, cause it’s a double edged sword it’s attack and defend, how do you attack Active Directory, with the group policy, and then conversely, how do you defend against it by closing down those attack vectors?
Mary Jo Foley (24:31):
Where can you find that information about the GPO stuff?
Sean Deuby (24:35):
What I would recommend is actually going to our company website semperis.com, and we have a list of information or on LinkedIn, of the webinars we’ve done on Active Directory security, attacking and defending Active Directory, attacking and defending group policy. A lot of those topics that are near and dear to us.
Mary Jo Foley (24:59):
Good, okay. Any other, you’re giving us some great resources, anything else you’d list under resources for IT Pros who want to get more serious about AD security?
Sean Deuby (25:09):
Yes. it is to download and learn how to use a tool called BloodHound. BloodHound is an attack and a defense. It’s an AD attack graph tool. So in other words, it will find when you install and test BloodHound in your environment, it will show you all the routes to domain admin via all the different resources that you have available, how you can get from your workstation to domain admin through a jump box, through here, through this vulnerability, through there, because that’s what the bad guys are going to use. You can guess, you can do these broad guidelines, you know, minimize domain administrator accounts, that sort of thing will definitely reduce your attack surface. The bad guys are going to use something like BloodHound to find how many steps, what is the quickest path to gain domain dominance. And if you know what that path is also, you can close that off, rerun it, refine it, rerun it, refine it to make your AD more resilient.
Mary Jo Foley (26:17):
Okay. That’s good. Well, we are out of time, unfortunately, but I just want to say, thanks again for doing this chat with me. This has been really great and the resources have been excellent. So thank you.
Sean Deuby (26:29):
Yeah, this is my thing now. I love to talk to people about how to secure Active Directory and about the need to secure it, because it’s such a great thing, but it is more vulnerable than ever now that there are, not only is it more vulnerable than ever, there are more tools than ever to attack it. So as a result, the attacks are more successful
Mary Jo Foley (26:53):
Words to live by everyone listening. And for everybody else I will be posting more information soon on Petri about who my next guest is going to be. Once you see that you can submit questions directly on Twitter for the guest. In the meantime, if you know of anyone else or even yourself who might make a good guest for one of these MJF Chats, please do not hesitate to drop me a note. Thank you very much.
Sean Deuby (27:20):
And thank you, it was fun.
Mary Jo Foley (27:24):
Great. Thanks, Sean.
More in Podcasts
Most popular on petri