This Anti-Cast was originally published on November 20, 2024.
In this video, Kent Ickler and Jordan Drysdale discuss how to design job functional security around least privilege in Active Directory environments. They draw on their experience with a university's chaotic file share and the compliance requirements that followed, and make the case for a structured approach to managing roles and resources. Through anecdotes and practical insights, they walk through how to implement job functional security groups, with the aim of streamlining administration and strengthening organizational security.
- The principle of least privilege (Plop) means assigning users and groups only the minimum level of access they need to perform their duties.
- Implementing job functional security means defining job functions and mapping them to resources so that access is controlled by role rather than by individual.
- Managing and organizing Active Directory with a well-defined strategy can significantly improve both security and operational efficiency.
Transcript
Daniel Lowrie
Thank you, gentlemen, for joining us and having this wonderful webinar and presentation prepared for us, which is labeled Designing AD Job Functionality Functional Security One Group Least Privilege: Plop It Like It’s Hot.
I love this title, by the way. And we’re going to get into why it is so darn funny, I’m sure momentarily. But boys, tell us a little bit about yourself and a little bit about what we’re going to learn today.
Kent Ickler
Oh, man. So, my name is Kent Ickler, and I’ve been at BHIS, I don’t know, for a while. And prior to that I worked someplace else. And prior to that I worked at a university in higher ed, where a story that we kind of bring to light today in the presentation happened.
So it’s kind of interesting. Pen tester for BHIS. Prior to that I was doing systems administration work. Excuse me, prior to that, worked in an MSP. And then, where this all comes into play. Of course, lots of experience with Active Directory, from an administration side and now as a. From a hacking side. So bringing those two pieces together, it gives me good exposure to kind of be able to joke about it sometimes when the absolute chaos ensues.
Jordan Drysdale
Absolutely. Thank you, Kent. My name is Jordan. Been doing this a while with BHIS. Prior, worked at the MSP with Kent. Prior worked at the uni with Kent. So we’ve been working together now going on 15 years here pretty quick, which is just absolutely wild to think about.
And we do. Go ahead. Yeah, go ahead.
Kent Ickler
So I’ve got an uncommon name, so it’s easy to find stuff about me. If you search too hard, you’ll find other things about me. Jordan is a less uncommon name, we’ll say.
So, there’s a great photographer named Jordan Drysdale.
Jordan Drysdale
I love that you missed the one edit I made in this slide. So here’s how you’ll find the doppelganger of me.
Kent Ickler
Yeah, take that plus, make it a minus. And yeah, that’s Jordan Drysdale.
Daniel Lowrie
Well, that’s awesome.
Jordan Drysdale
I’m gonna. One more thing, Daniel. I’m gonna introduce this story. At the uni, there were like 20,000 staff members and students, and there was one file share with Everyone write permissions.
Kent Ickler
And it was awful.
Jordan Drysdale
It was awful. And then they went publicly traded, so they became subject to compliance requirements. And it was an opportunity for us to learn how to turn that into something.
Kent Ickler
Man. They had like 30 years of organic growth prior to that.
Jordan Drysdale
It was awful.
Kent Ickler
And then they went for profit, which, about 15, 20 years ago, that’s what the universities were doing: they wanted to make money, for better, for worse. Anyways, so because they went for profit, they then became subject to Sarbanes-Oxley, which from the perspective of this would have been 2010, somewhere in there. It was obviously after Enron, after Lehman Brothers.
And the net result of that was all this organic growth was like unmanageable, essentially. And Sarbanes obviously came in and said, hey, like, give us a report how you’re managing things. And obviously it was a complete mess because they weren’t, weren’t really managing things.
We were just doing reactive support all the time and it was not sustainable. So we needed to do something to address it. And one of the biggest things we had is there was no concept of least privilege.
It was essentially all privilege. It was kind of all privileges, pretty close. I mean, effectively what it was is, yes, there were privileges set up, but like I said kind of in pre-show banter, right? It was like a new employee is hired and the systems team would eventually find out there’s a new employee.
Prior to that, employees would just use the employee login of another employee that worked there that had the same job title. So like they never, the help desk would eventually find out that there was a new employee.
And when they did find out there’s a new employee, yeah, they set up a new user account, but they just did it by copying an employee with the same job title. So it was, it was kind of a mess when we go through it. And obviously Sarbanes is like, hey, you should maybe not do that.
And that’s kind of where it started. The cool thing about Sarbanes at the time, and I don’t know if it’s still that way as much anymore, but at the time it was, hey, you’re for profit now. You’ve got 30 years of legacy. So let’s get you in a better place.
Give us all these reports. This year we’re going to write you thousands of exceptions because you’re not doing it right. And next year we want less than a thousand, and the year after that we want less than that number.
Jordan Drysdale
All right, Daniel wants out of here. Let him talk.
Daniel Lowrie
I feel like you set the stage of. Yes, well, the dumpster fire that was the impetus behind this entire talk. And it’s probably reflective of many other organizations that are out there.
So I’m going to jump into the backstage. You guys take it away. Obviously you got a lot to get through, but this is a very useful talk and a very important one. So I’m so glad you guys are here to make it today, and I look forward to seeing you at the end of it.
I’ll jump back in and then we’ll do some Q and A afterwards.
Kent Ickler
All right, awesome.
Jordan Drysdale
Thank you, thank you, thank you.
Kent Ickler
I was just going to hold him hostage.
Jordan Drysdale
I know you were. You’re going to keep right on rolling. Right on.
Kent Ickler
All right, so the story here: huge, huge university, lots of students, lots of staff, lots of faculty. And how do we manage it all? And it was a mess. So we needed an EPS, an Executive Problem Statement, right?
And we kind of went through and said, okay, what do we need to resolve with this? Of course, our EPS at the time, we didn’t know it at the time. In retrospect, now we do. Service desk was overburdened with many, many, many, many security permissions requests.
Essentially, when there was a new hire, it’d be, for the next three months, a new service request every couple days. Hey, this new employee needs this. They need this, they need this. On and on and on. And occasionally the service desk would make accidental or incorrect script provisions.
Sometimes they would provision something like, there’s always a thing where you have a new integration to make and you’re not really sure what privileges it needs because the privileges are listed in the integration document on page, like, 20.
So instead of reading 20 pages of stuff, you just make it Domain Admin. Because it’ll work. Right? That’s the cool thing about Active Directory is it’ll work. It might cause some problems later on.
Another question they had in the university is we didn’t know who needed access to what. Right. Jordan mentioned we had this file share. It was like FS01. It was a huge file share, and all the company’s data was there.
And all we knew is that some people needed some of the data that was in there, but we had no idea. And we definitely weren’t aligned with least privilege at all. In no way whatsoever.
The last thing was AD was a mess. It was an absolute mess. It was challenging to try to administer. It was all a mess. So let’s talk about the principle of least privilege.
Microsoft might not call it PoLP or PLP. They might call it Plop. In fact, they did call it Plop. There’s a KB article out there that’s rather interesting.
If you’d like to know more about that, you’d have to look sideways and find the URL on the side of the screen there. But essentially, if you Google search the principle of least privilege, Microsoft Entra ID governance, you’ll find it there.
I checked last night. They have not fixed it yet. However, I mean, it’s possible that it’s not a typo, but it sure looks like a typo. Either way, we’re calling it. It’s Plop. So a little bit about Plop.
Okay, I know least privilege.
Jordan Drysdale
Okay.
Kent Ickler
It’s a principle in identity governance that involves assigning users and groups only the minimum level of access they need to perform their duties. Right.
Jordan Drysdale
So Plop today, that has not been addressed.
Kent Ickler
Okay, so from the concept of what this sounds like is they’re saying perform their duties, their job duties. Right. And if we were looking at this at the university, what do you mean perform duties?
Like, that’s okay. What do you mean minimum level? What do you mean, groups? Like, how does this all play together? So we kind of did some analysis, some research on it, and this is kind of what we came up with.
After a while, let’s say a while, we came up with this theory of job functional security. And the reason for that is the whole time we were doing this, we were also uncovering things at the university that were.
Just made no sense whatsoever. For example, there were people being hired that HR didn’t know about. Yeah. Let that sink in. There were people that no longer worked for the organization that HR didn’t know about.
Okay. So there’s these things that are, like, what we would today call core functionalities of, like, the human resources department. That human resources department just wasn’t aware of what’s happening. It was insane.
So this whole process that we went through was kind of a mess. And I want you to think about this. We had all these different groups, all these different, different job functions in the university. A lot.
Right. And there’s these big. There’s big sections of the company that we could call. Like there’s an administration department and there’s faculty. And if anybody is in higher ed, they know they are always.
That’s a dichot. Dichotomy that will live on forever. Oh, no. All right, so stay close to Mike from that perspective. We kind of took an analysis.
Now, what we’ve got on the screen here is similar to what we did at the university, but not. It’s a little bit fictionalized here, but I wanted to consider some things here. For example, in the upper right, we’ve got a sales guy.
And the security context the sales guy needs is like sales guy or gal, whichever. Right. And Mary in logistics in the middle there, she’s logistics coordinator.
She might need the security context that the logistics coordinator might need. Right. And you’re probably going to find a pattern here. No, in the service desk, he’s the service desk analyst. He needs service desk analyst security contexts, like privileges that a security desk analyst would need.
Just like the doctor. The doctor is an interesting one. Upper left. Doctor is also a partner. He’s also part owner. Right. So in that case, they might have two contexts, one as a physician and then one as a partner.
Of course, then there’s the interns, which might be domain admins. I don’t know. Don’t make it to make your interns domain admins. But if you do. Listen, if you do make your domain admins, if you do make interns domain admins, everything might be fine because Active Directory will just continue to work.
All right, let’s talk about some strategy here about trying to get to where we want to go in this idea of job functional security groups rather than where we are or where we were.
Okay, so some strategies. First we need to talk about some prerequisites. Because if you, if you are having your interns do this, that, that would be interesting.
You probably need to have a really, really solid understanding of Active Directory. In fact, if you go through this, if you go through this with us today, you might have enough of an understanding of Active Directory that you’ll be just fine.
All right, so the next section there is going to be define the job functions. Think HR. In HR, you have HR. Should. They didn’t at the time we did this, but they should have, essentially, a list of job functions or roles.
But they might not think of it that way. They might say, here’s the job titles. And then you say, can I have a job description for every one of those job titles? And they should have that. If they don’t, there’s an opportunity for you to work with HR and make things better.
Of course, then you need to go through and define the resources that you have out there. So we talked about file one, right? FS01, that file share that had all the company’s data just kind of scattered throughout. But think a little bit bigger picture.
You’ve got printers, you’ve got email addresses, you’ve got web applications, you’ve got desktop applications, maybe you’ve got Citrix RDP access. Essentially anything that you can do on the network, anything that exists on the network becomes a resource.
Something that needs security context too. Okay, so then we’re going to map the job functions to those resources and then we’re going to manage some exceptions. And here’s the best part. You’re going to automate it.
That’s it. Job done. Do that. But for how, let’s talk about some prerequisites. We mentioned in pre-show banter, we have a lot of webcasts.
I don’t know, a lot, a lot of them are talking about Active Directory best practices and how to hack Active Directory. You might think those two are directly opposed to each other.
And they kind of are. The irony about that though is when you talk about Active Directory best practices, and what no one talks about when you do that, is that you’re actually talking about how to not hack Active Directory and how to prevent it and how to prevent hacks and how to defend against it.
So there’s a lot. We’ve got a lot of webcasts on there. There’s a few there. I’m going to talk a bit more about those prerequisites though. And the way I’m going to do that is I’m going to take slides from a previous webcast so you don’t have to go watch that webcast if you don’t want.
The first thing that you need to do in your environment is you need to select a naming convention. I know it’s wild theory here. You essentially need to go through and create a naming convention for all these different types of things.
User accounts, email addresses, user principal name groups, service accounts, admin file shares, resources, printers, remote desktops, server names, all of it. All that need to have a consistent naming convention.
But you might say, but for why, why must we need a naming convention? I like my chaos. The easiest reason, okay, actually there’s the theory of security by obscurity, right?
There’s a problem with security by obscurity. If your user, maybe Microsoft, will have something to say about this. If you work with Microsoft, you’ll know that their email addresses are mostly obscured from their actual names.
Kind of. They’re like employee number plus ID. Interesting. But from that perspective, if you start giving things illogical names, right, you might think, well, our domain admins are all fictitious names, therefore no one will be able to find the domain admins.
It’s rubbish. What will actually happen is that you’ll have.
Jordan Drysdale
Well said.
Kent Ickler
Yeah. What you’ll actually have is you’ll end up with an accident where someone misconfigures something because they didn’t know who the fictional user account was. They said, what is this fictional Domain Admin?
Clearly I must delete it because this isn’t secure. Right. The point here is that your naming conventions reduce accidental privileges in the environment. They reduce accidental mistakes that cause pain in environments.
So have good naming conventions. What are good naming conventions, you might ask? Well, let’s talk about file shares. The naming convention of a file share should really answer these questions.
Who owns the data, who’s that data shared with, and where the server locations are. So an example of that might be FS01 is where our file share was.
We might have HR department. Okay, so we’ve now got an indication of this data is owned. Owned, primary point of contact, HR department. And they might have another subfolder that says Everybody that tells you that this file share is owned by HR, but it’s shared with everybody.
Right. Or it could be HR department and then Payroll, and that’s indicating that it’s HR department’s data, but it’s being shared with payroll. Something along those lines that gives you an idea what it is. Of course, you might have more information in there as well.
It might be, the, I don’t know, the admissions department for the eastern region. And then it’s shared with, I don’t know, the academic department. Something along those lines where you can build a chain of what that looks like based off solely the file share name and the folder structure.
All right, groups. This is the key. This part is key. Your groups absolutely must have a good naming convention. Now you might say, what are good naming conventions?
I don’t know. I’ve always landed on a couple ways of doing this. One is we’re going to be talking. We are talking about job functional security. So the first thing we’re going to talk about is how to make this practical in the environment.
And doing that, we need to rely on job titles, job roles, we’ll say. So first off, we’re going to have groups in Active Directory that are job roles.
That might sound weird, but it’s literally going to be something like Accounts Payable as a group. And you might say, what is this Accounts Payable thing? We’ll get there. But aside from that, we’ll also need security groups. Something like a security group for a file share might be SEC_FS (for file share) underscore.
And then the context to the rest of the file share, where it goes. Just like to be able to print to something might be sccbrd underscore the printer name, something along those lines.
There’s lots of different types of groups there. User groups, security groups, distribution groups, mail-enabled security groups in Exchange. Of course, then there’s also domain local, global and universal groups. Speaking of domain local and universal groups, why do they exist?
Well, they exist because Active Directory has been around for a really long time. In fact, there was a time when an Active Directory domain could not contain more than 50,000 objects. And because it could not contain more than 50,000 objects, if you were an employer that had more than 50,000 employees, you might have to have more than one domain.
Because you could have more than one domain. You could have multiple domains in a forest. And now we have the concept of forest. Of course, then the question becomes, if you’ve got multiple domains in a forest and multiple domain controllers in each domain, how does the domain controller in the other domain know about the changes in the domain controller in a different domain?
Well, great, you could just have it replicate all that traffic between all the domains and all domain controllers. But at the time that this was happening, domain controllers, get this, were replicating traffic over dial-up.
So is it practical to replicate changes of 50,000 user objects over dial-up? And the answer was no. So what we did instead is we had these different levels of groups.
So essentially we have these user groups and they were global groups, universal groups, and domain local groups. Of course, domain local groups meant that they were replicated within the domain. Global groups meant they were replicated to all the, was replicated to the global address list and all the domains in the forest.
And then finally universal groups were absolutely replicated across the entire domain forest. That’s why it mattered. It seems weird, right? Okay, there’s a really easy way to remember what we’re gonna talk about next.
And that is a jugular right up here. Right. Got a jugular. It doesn’t go well. Here’s what you need to know. This is the form in which you add memberships into groups. And if you follow this, this, it’s gonna make sense, I swear.
So you’re gonna have J because we, we needed to. It couldn’t be uglier. That would be weird. So it’s jugular. Okay, J just because. And then we need users. We’ve got our list of user objects.
Those user objects are going to be put into global groups. That’s user groups into global groups. Those global groups will be into universal groups. There’s one exception here: if you use Exchange, Exchange operated off the GAL, and the GAL needed to be fully replicated across the domain and the forest.
So to use Exchange, you had to use universal groups. Aside from that. Keep going. Right, so you’ve got users into global groups, global groups into universal groups. The final piece here is universal groups into domain local groups, or the local access to resources.
Why does it matter? Okay, so I want you to think of this jugular. It’s the users, global, universal, domain local, access to resources. I know I’m flying through this, but they’re prereqs.
Okay. That was it. That was your prereq talk. Now let’s talk about relationships. I mentioned that when we started this project, HR didn’t know who worked for the company. That seems wild.
Seems wild. Just as wild as it is now. Like, it was worse back then. In fact, we’d have people that were on payroll, didn’t even work there anymore. It was absolutely insane. And the process we went through with them helped HR to get control of that, but it wasn’t easy.
What I want to talk about here is, as you go through this process, you might be thinking, I don’t know who needs access to what, because I don’t know what people are doing. I don’t know what their role is.
We worked in an organization that had faculty that had admissions. They had accounts payable, they had payroll, they had hr. We had pilots. Like, it was a relatively big organization.
And from that concept, we needed to understand what all those roles were and what they actually need to do and what resources they needed access to. We leveraged HR for that. That was a key piece of that.
Now, you do need a great relationship with department managers, because there was a time, right, when we would go to HR and they say, yeah, we don’t actually know what that person does. So we’d go to the department manager and pull them into HR and be like, listen, department manager, your employee over here that you have this weird job title for.
We don’t know what they do. And HR says they don’t know what you. They do either. So can you fill us in? And this prompted an entire cultural shift at the organization.
I’m not going to say it was like lawless or Wild West, but, like, it was weird. We had people that were working on projects that were completely misaligned with what their assigned job title was.
It was weird, right? So this whole process of going through and defining out roles actually helps the HR department to find out what people were working on and help them build job titles, have these great relationships.
Okay, strategy, step one. Job functions. The users. Define out those job functions, define out the departments, define regions, define units, go through and build this hierarchical structure of that.
So at the example at the university, we had central administration, which was like a region, basically. It was almost all the admin staff. But then we had regions. So we had three, four or five different regions, like east, west, central, et cetera.
And then each one of those regions was campuses. So our hierarchical thing was like the organization and then regions and then a bunch of campuses. Each campus had departments.
So in each campus there might be an academic department, an admissions department, a customer service department, an IT department at every campus, of course. Then at the regional level, you had the regional IT department, the regional academics department, the regional admissions department, so on and so forth.
And then again, at central administration, you get payroll, HR, the corporate IT, all of that. So we’re building this hierarchical structure of what this looked like. Okay, so next step, after we think about that strategy of finding out the hierarchical structure.
Now you want to look for those overlap in user accounts. So we realized that there was overlap at every campus, right? Every campus had these admissions roles. Every campus had an IT department of some sort.
And then we could group those admissions department roles. We realized that there was also different regions that had the same roles in the other campuses in other regions. So we could start to build that out as well.
Eventually, we end up with a list of job functions that overlay with regions that overlay with campuses that overlaid with different things that kind of mold together to build an idea of what the organization looks like.
Mind you, at the time, HR didn’t actually have a hierarchical org chart. They did at the end of this process. All right, let’s keep going. Step two, right? Now that you’ve got that whole hierarchical structure of what your employees are doing in their job desk and their job duties.
Now we need to talk about the resources. Look at those file shares, look at those printers, look at email accounts, look at who has access to websites. Look at, I don’t know, RDP access, VPN access, wireless access, all of it.
Anything that you’ve ever applied a security provision to. Now put it in scope for this project and define them out very granularly. Right. For example, there was a printer in the documents department.
And all that printer did, it was loaded with, was it, diploma paper?
Jordan Drysdale
Oh, God, the expensive kind.
Kent Ickler
The expensive kind. It was like $5 per page to print. So that printer, we did not want someone to accidentally print a 500 page book to that printer, because that’d be expensive.
Right? So what we did is we used a security group to lock down that printer to only the job functions that require to print diplomas. Right. Like, if you look at it from that perspective, it kind of starts to make sense.
But do that for every single network resource in the environment. And not just network resources, any resource. Oh, it’s a lot. Okay.
Privilege investigation. This is probably the hardest part. So in theory, you’ve got this list, this hierarchical list of what the organization looks like in terms of workforce. And now you also have this massive list of resources.
And by the way, those resources have overlap as well. You’ve got a printer, right? But then you’ve also got all the printers at a region or at a campus, and then all the printers out of region and then all the printers across the entire environment.
So, for example, might you want someone that’s coming from central administration to log into a workstation at a campus and get all the printers at that campus? Absolutely.
You do that with groups and Group Policy. It is massive. But the point is here, this is highly fluid, highly functional. And we’re getting to the point where you’ll have one user account in one group.
Sorry, one group for the user account. Okay, privilege investigation. Need to now go look at all those different resources you’ve defined and say, who needs access to this? And this is huge. This is massive. This is ugly.
After you figure out who needs access to it, which might involve HR and lots of meetings with department managers, then need to identify the overlap, which is massive.
We’re now talking like it’s close to 4D chess. I don’t know, it’s. It’s kind of wild. Am I talking too fast to keep Zoom up to date with?
Jordan Drysdale
That is wild.
Kent Ickler
It might be. I’ll talk slower. No, I won’t. All right, keep going. So let’s talk about that.
Overlap all those printers together, right? Make a group for all those printers and.
Hold on, getting a message. Want to make sure it’s not about audio? Jordan, you should talk.
Jordan Drysdale
I’m happy to talk. This involved a massive amount of interviews. And the interviews included from department heads to staff in the middle.
It was up and down the chain of who owns these individual chunks of data and why. Everyone has access to, say, sensitive HR materials and finance related documents.
And I can’t even imagine how in the several hundreds, maybe five hundreds.
Kent Ickler
But let me tell you my favorite, my absolute favorite security group to create, right? And it was SEC_Email_Distro_All.
Now the naming convention might imply that it’s a security group that controls the distribution group for All. Because prior to this, yes, we had a group called Everyone or All or something along those lines.
And anyone could email it. It would send out an email to 20,000 user accounts. There was a story one time where we had someone do just that. They sent out, this was the hip thing back in the day.
This is probably going to date the whole thing. But it was JibJab. It was like, I don’t know, videos. And someone sent a JibJab link to all 20,000 accounts, nationwide.
Right. And here’s the thing. Back at the time we had all these campuses, had T1s back to our central administration. All that network traffic for Internet flowed out that T1 to a data center and then it went about from there.
Right. So we could web filter from a central location. The JibJab video was, I don’t know, maybe 100 megabytes in size, might.
Jordan Drysdale
Have even been less. But I don’t think it mattered.
Kent Ickler
It didn’t matter.
Jordan Drysdale
It didn’t matter.
Kent Ickler
That single email destroyed the entire organization for about two days because people would try to load those videos everywhere, on every campus and overload everything everywhere.
It was chaos. So anyways, so we restricted the the ability to send to all, which was a great idea. Okay, next thing here, three out of four step identify.
This is, this is the tough one. Identify the largest unrolled user group requiring privilege that does not violate plot or bulb.
And of course the next step is to apply those permissions. Okay, so we’re going to give you an example here in just a minute because this is like highly. It’s not fictional anymore because we actually did it, but it is very hypothetical and we’re kind of doing in about 15 minutes what took about six months to do.
It was a huge endeavor. Right? I’m not trying to downplay that at all. It was very massive. But applying those permissions again, largest unrolled groups. So we’re going to talk about what those groups look like in a minute and what I mean by unrolled group and what I mean by being able to apply that without violating least privilege.
But it’ll make sense here in a second. We’re essentially going to assign those job functions to the resource security groups. All right, so let’s talk about that. What do those user groups look like and what do I mean by enrolled.
So we’re going to talk about a fictitious environment here. this is m. Maybe more relevant today than it was back then. But what we’ll have at the very top of that hierarchical structure of job functions is all.
It is literally everyone. It could be all everyone, but that sounds kind of weird. It’s just all okay. And then we’ve also got an accounting department. So we’re going to have another group called All Accounting and the accounting department will have maybe more roles.
But two that I can think of right away are Accounts Receivable and Accounts Payable. So let’s create two more user groups: All AP, or sorry, All Accounting AP and All Accounting AR.
Those are both members of All Accounting, and All Accounting is a member of All. Now if you have a user that is an Accounts Payable associate, they belong in the All Accounting Accounts Payable user group.
They will have two user accounts. There are two user groups, Domain Users and All Accounting Accounts Payable. Makes sense, right? Now if you were to email All at that point, that user would get that email because it’s going to flow down the chain.
That email will go to All, which includes All Accounting, which includes All Accounting Accounts Payable. Do the same thing with other departments as well. So we’ve got Development, or All Development. The development department might have business analysts.
We have All Development Business Analysts and All Development Project Managers and then All Development Developers, which kind of sounds weird and redundant, but it’s almost necessary here. Sales: All Sales, All Sales Representatives and All Sales Engineers. And then HR: All HR, All HR Director, All HR Associate.
You kind of see the pattern here, right? Those all come into this hierarchy structure to make that all work, so that you can effectively go through and define user accounts to a single user group.
Now this is like three dimensional. Maybe that’s two dimensional. No, it’s three dimensional. Right there is the third dimension here, which is regions. So take this now and expand it like into the monitor that you’re looking at and you’ll have All East Accounting and All East Accounting Accounts Receivable.
All East Accounting Accounts Payable. But then you might also have All West Accounting Accounts Payable, so on, so forth. Which means that you also get All West, All West Accounting.
Now with that you’ll also have All West Development, All West Development Business Analysts, All Development, All West Development Project Managers. But get this, let’s go back to making that three dimensional, back to two dimensional.
You’ll also have All Accounts Accounts Payable, sorry, All Accounting Accounts Payable. Which means you’ll be able to email all the accounts payable associates across all the regions with one group.
Or more specifically, not email, but you can provide a file share to all the account payable associates. All the accounting accounts payable associates across all the regions with one group.
You apply that one group that all accounting accounts payable to file share, perhaps. All right, let’s talk about an example here.
So this example has Bill Smith. Bill Smith is a sales engineer. Bill Smith has two user groups, domain users and all sales engineer. Now if we go to look at the, all sales engineer group, it has one group, all sales.
Now we look at the All Sales group, it has one group, All. So you’d be able to email All Sales. You’d be able to email All Sales Engineer. You’d be able to email All. In any one of those cases, I’m using email as a provision.
But what I really mean is maybe there’s a printer called, I don’t know, Everyone Can Print Here. You could apply that to All. If you have a printer that’s intended for All Sales, you would call that printer prt_sales printer.
And you would apply that security group. That permission would be. Sorry, all sales would be a member of that security group. Of course, if it’s a, maybe a big, wide, wide format printer that’s used for blueprints for the engineering department, which doesn’t make sense for a salesperson.
But maybe, you would apply all sales engineer into that group for that security printer, for that screen group, for that printer. It’s a bit massive. But then you go further, right?
So now let’s talk about those resources. I like file share. File share here because it becomes ridiculous in the nature. Because I said there’s gonna be a lot of security groups, right?
We’re going to have a security group, potentially multiple security groups per file share, per folder in the file share. It’s wild. In fact, I’ve worked for an organization before that said there’s too many groups, and I say nay, it is absolutely 100% okay for you to have more groups than you have users.
That is okay. That is maybe a sign that you’re doing principle of least privilege. It is absolutely okay. It is absolutely okay for you to have a user group with one user in it.
In fact, it’s okay to have a job functional user group with no users in it. That might be a sign that there’s an open job filing somewhere. Right? A job availability somewhere.
This is massive. So talk about printers. Maybe banner printers, sales printers. What those look like the whole point here is that we’re going through now you can also create security groups that provide access to all of the printers, right?
And then you give All access to all printers. Maybe the CEO wants to be able to print anywhere, or maybe the CEO wants access to all file shares. You put them into a security group that’s SEC_FS01_everything and it’s there.
You have one security group that’s applied to the all CEO job or functional, group. Okay? So you do all of that.
When you do all of that, I want you to think about what’s happening in the service desk, because previously a new employee that HR might not have known about, now at least the service desk is going to know about it, because a new employee won’t be getting a user account without all the HR paperwork being done.
A new employee won’t get any job functional security group without the IT department knowing what their job function is. And best of all, if you look at this from the perspective of what we saw in the service desk, a new employee was, was hired, right?
And then for the next six months, like every couple of weeks, it was a new service request. New service request, new service request. Oh, this new employee doesn’t have access to this. All this new employee doesn’t have access to this new employee doesn’t have access to this.
It was repetitive. When you hire 500 people, right? We were getting these 500 service requests were exactly the same every single week, just for different context.
Take all of that away, all that is off the table. And here’s why. You go through that process of figuring out who needs access to what, building that hierarchical list of job functions, building that hierarchical list of security groups and then meshing them together, you end up in a scenario where every single employee on day one, or maybe after onboarding, they have access to all the privileges they need to do their job at that point at that day, right?
So what happens then when they’re given a new project, and that new project says accounts payable now needs to go work in, I don’t know, the facilities department to install a new air conditioner, and they need access to the HVAC system to do it, and it’s a security group?
This seems weird, right? Like a normal person would look at that and be like, I wonder if we’re misusing our workforce by having someone in accounts payable work on the air conditioning unit. But previous to this entire project, that was happening because it was workforce, everybody was able-bodied.
They were just kind of doing whatever that they could help with. And it kind of violated a lot of least privilege. So this function in doing this changes a little bit. We stop worrying about getting access, that people need to do their job, and we start worrying about security provision changes, security context changes.
Talking about when someone changes their job title, right? When they’ve moved between different departments, moved between different campuses, we start identifying these things that don’t make sense.
For example, when the accounting department says, hey, we’re going to go, loan our employee off to the facilities department for a week. And you say, well, we should go talk to HR first.
Now this brings up an interesting perspective because at the time the service desk was just there to deal with this responsive things that came up and they were, how do I say this?
not backed up by the organization. They were just a body there to access, to make provisioning requests, right? So from that perspective, you now had HR supporting the IT department, the service desk, with everything that the service desk needed to do for this project, which meant when someone needed to be loaned off to a different department, the answer was not like, hey, manager, no.
The answer is no. The answer was, let’s go talk to HR. And HR was fully on board with that conversation. So in the service desk, we stopped worrying about all those service requests that would come in every single week about requesting new permissions.
And we started focusing on what needed to change across our entire scheme of provisioning. So we started looking at job function changes and we need to ask those questions.
Like we turned our service desk into almost always being skeptics, right? Because we never, we had to question everything. We enabled the service desk to ask, why are we getting the service request?
So is it a job function change or a job function necessity? Right. Is this person changing job titles, or did the job function for everybody change? We needed to ask that question because if the job function for everybody changed, we wanted to make the security context change once and affect everybody that we needed to. Special projects.
It’s an interesting one. So special projects can come up and you might need to create security groups for them. But what we kind of found out is that these special projects oftentimes weren’t actually authorized by anybody.
You would have someone in accounts payable, and this is fictitious, obviously, working on an HVAC unit, right? And it brings up massive questions about the ethics of doing that, in terms of least privilege, in terms of your workforce management.
We started coming to these projects and we’re like, okay, are we doing this right? Like, should this be happening? HR would commonly be like, no, you need to go hire an employee for that. Right. We’re trying to get our corporate environment structured in a way that made sense.
And we’re now. Service desk is supporting HR in that effort. Sometimes we did have dual functions. right. We did have accounts payable that were also accounts receivable.
Oftentimes when we had these service requests come up, it was very seldom that the service desk would be able to answer the question on their own. They either needed to talk to a program manager or maybe HR.
And that meant that we did due diligence and being able to answer these questions. And here’s the cool thing about the service request. We saw it once, there was a context change. We saw it once and we’d never have to deal with it again.
It didn’t matter if a new employee came in because that security scheme had now changed for that entire role. Essentially, the exceptions, you didn’t necessarily need to document them because the exceptions were always part of that scheme.
The exceptions became a redefinition of the function of the functional role of the security context. Next piece of this to make this all kind of mold together and work well was reporting.
And this was a piece that we’re now six months into this. It’s all working well. We sometimes ran into things that were weird, right? So what we got is a list from HR of everybody’s job title.
And then we’d compare that to the job group and we do that every day. What we’d end up with is a list of sometimes, it’d get through job functions that had changed and be able to account for those inside of a report.
We’d sometimes have unexpected department job functional, job functions in resource groups. So we’d have that in a report and we could just go through and be like, oh, yeah, we need to go address this. Here’s the reason why this is important.
Accidents happen. Active Directory will still just work. You can make Domain Users Domain Admins, and Active Directory will still just work for a while, and it happens.
Especially if you had poor naming conventions, it is absolutely possible that an accident happened. And by creating this reporting mechanism, you can be there on the day, the state after a change is made. You’re like, wait, why does accounts payable, All Accounts Payable, now have access to the CEO’s documents?
It’s all there in a report. You can address it the next day and then do IR if you need to. Okay, so there’s another piece here that was interesting. Resource provisions with redundant membership.
This hierarchical scheme, the two hierarchies that were overlaid, resources and job functions, there was some overlap there. You might run into a thing where at some point accounts payable needed access to a file share, and accounts receivable also needed access to that file share.
At some point, once you realize that the only two groups that are part of All Accounting need access to the same thing, you would remove those two job functional security groups from the security group that gives it to them. And you would place in All Accounting, right, to remove that redundant membership.
And then of course, exception management going through and creating a report of the exceptions that you have in the environment. We say one user group to be able to provide all these permissions. Sometimes it didn’t work.
We had a few occasions where it didn’t. And we had to have more than one. That exception management was in a report. And we could go through and say every quarter, every week, whatever. We’d say, well, it looks like Bob in accounting still has access to the air conditioner.
And we’d all kind of scoff and be like, when is it going to be fixed? And eventually you talk to HR about them. Like, okay, yeah, we do need to remediate that. We do need to update a job title somewhere. Obviously that’s like an obscene fictitious scenario, but that’s the process we went through.
These exceptions were something we could take to HR and have a discussion about what it actually meant. I flew through this for you, so we have time.
Jordan Drysdale
You didn’t just fly 120 miles an hour. It’s almost like this thing’s about to crash. How’s the audio now?
Kent Ickler
Now that I slowed down, it might be better.
Daniel Lowrie
Hey guys, that was awesome, man. What? I love your slides by the way.
Jordan Drysdale
It was a 50 minute presentation for WWHF, and we’re not sure if it was recorded there. We haven’t seen anything come of that.
Daniel Lowrie
Oh man. Well, we got to make sure that happens. Then we’ll just have to put you in the bunker again and make sure that it does get recorded in some way, shape or form.
Jordan Drysdale
Yeah, with proper audio streams, maybe we could do a V3 of this.
Kent Ickler
Okay, what? Speaking, of that, we did have a discussion at the conference about this and I said, is there any questions? Anybody have questions? And someone stood up and said, yeah, why does Active Directory suck?
I said, well, all right, let’s have that. Here we go, let’s go.
Daniel Lowrie
How much time you got buddy.
Kent Ickler
So here’s the thing. Active Directory can suck if you. If, and I had to be as political as possible here, but I’m not going to be now. It’ll suck if you use it wrong.
Jordan Drysdale
Can I drop the chunk of bullet points I have from my next blog? Because it’s awful at default. Active Directory is absolutely abysmal at providing security, someone might.
Kent Ickler
Okay, I will. I’ll counter that. He’s saying the default is abysmal. And I will counter it by saying it doesn’t matter how abysmal it is. Active Directory will still just work. An intern could manage it.
It will still just work for a while. It’ll be a complete mess, but it’s still going to continue to work until, something bad happens. and that whole discussion about, like, why does it suck? it sucks because no one’s managing, no one’s administering strategy for Active Directory in your environment that’s making it work for the organization rather than against the organization.
Those are the biggest things. When someone says Active Directory sucks. Oh, let’s not even talk about Active Directory. Let’s talk about this thing sucks. The reason this thing sucks is because you’re not using it right. That is almost always the case.
This EDR product sucks. Well, yeah, because you’re not configuring it properly. You’re not putting the effort into it. And easy buttons suck. Easy button sucks because it’s not an easy button. You actually have to manage it.
Jordan Drysdale
Curious.
Daniel Lowrie
In their defense, marketing does a phenomenal job of lying to them very effectively and making them believe that that’s exactly how these things work. So what, though? We do have a question from Discord.
It says, what is a good resource to learn AD the right way, from first principles? That would be a good place to start.
Kent Ickler
I think it would be. So here’s the thing. And this will. Okay, so transparency. Where did I learn this? Traditional education.
I went to Western Governors University. I have like 14 certificates, including an MCSE. So the point here is, why does AD suck? Well, it doesn’t suck to me because I’m certified in it. I understand how it works. I understand the strategy behind it.
Jordan Drysdale
Would you mind addressing all these default configurations that you want me to go through?
Kent Ickler
The whole list?
Jordan Drysdale
These are the configuration settings that allow attackers to legitimately turn most environments upside down. And it happens so consistently that somewhere in this list you’re almost always going to find something you can take advantage of.
Kent Ickler
At default hot take. Those are all vulnerabilities, as Jordan states. I counter they are all features. every single one of them is a feature. Default machine account quota. Well, I’ve got a campus I need to set up and I can’t send a help desk person there to go do it.
So I’m going to go have the accounting person at that department go join computers to the account. Every single one of those is a feature. Actually, I don’t know. I need to go scroll. Are they all features? Lack of SMB. And I’ll say it’s compatibility, access.
You don’t have to log a hundred.
Jordan Drysdale
Miles an hour anymore.
Kent Ickler
Take a deep breath, buddy. High fidelity endpoint monitoring. Yeah, because hard drives spinning disk weren’t fast enough to be able to record.
Jordan Drysdale
They are now. Is it still acceptable to leave people blind?
Kent Ickler
Depends on your. Your appetite for logs. Really bad password policy.
Jordan Drysdale
Seven characters out of the box. Still 20, 25. What, what the hell year is it now? It’s still seven characters. M by default.
Kent Ickler
You can change.
Jordan Drysdale
We’re arguing defaults right now.
Kent Ickler
It’s a feature. NTLM authentication, you have to have.
Daniel Lowrie
Here’s a good question. Here’s a good question. Comes from the chat. They’re asking about, learning AD and then learning. Oh, like where do you focus? If, if you had a. You parachuted into someone’s organization, they got ad, which they probably do, where would you start your focus on securing them up?
Like, what would be the first? Like. Well, you always get this wrong. Everybody always gets this wrong.
Kent Ickler
Okay. So first thing is, have a really good understanding for who works in your environment or, sorry, your organization and what that organization’s role in the world is.
It sounds weird, but higher ed is a relatively easy one. It’s education. And because it’s education, there’s going to be admin and faculty, and they’re going to be diametrically opposed to each other. And there’s all kinds of politics about that.
Have that understanding. And I know it’s weird to say where you start with Active Directory is not Active Directory at all. It’s the people. Think about the people. Think about the workforce now think about everything that needs to support that workforce.
All the resources, the printers, the workstations, the domain, the email addresses, the web applications, the applications, everything. Everything that needs to support that workforce. Understand that once you have those two pieces together, you can start to build that picture of what your organization should look like from a strategy perspective.
Now, in terms of tooling, yeah, let’s take a step back from strategy and talk about, like, actual tooling. What you might be interested in is vulnerability management from an AD strategy perspective.
PingCastle is really good. Use BloodHound. I would probably be biased to PlumHound, because I wrote it for BloodHound. Use those things, and those help you identify these problems that are oftentimes related to defaults.
They’re related to defaults, they’re related to legacy conditions, and they’re related to accidents, accidental mistakes that someone in your environment made, because you hired an intern, made him an Account Operator, and they made mistakes because they were interns.
Right. It’s okay. Active Directory is still working. It’s just vulnerable. You need to manage it from an attacker perspective.
Jordan Drysdale
Shoshana is a. Shoshana is 100% correct in that the number one entry point for our continuous testing team this year, CPT, was, guess what, help desk calls, password resets.
Kent Ickler
Boom.
Jordan Drysdale
Like, that’s social engineering and game over. However, if you give me a foothold in an environment, the first thing I’m testing for is LLMNR, mDNS and WPAD. If I can hijack your network protocols, I don’t need any credentials to make my first move in your environment and likely gain some form of credentialed access to it.
And then I just follow Gabe’s techniques here. The first credential is almost always the deepest, meaning it doesn’t matter what cred I get. I’m going to use it to find your AD defaults that allow us to turn it inside out.
Kent Ickler
Ryan, can you switch back to my screen just briefly? So the question was, what do I mean by the largest unrolled user group? So what I mean by the largest unrolled user group.
Remember, we had like All, and All Accounting, and All Accounts Payable. So I want you to unroll every one of those groups. When I say unenroll, enroll. Enroll. Unenroll, enroll.
Jordan Drysdale
Unenroll, enroll.
Kent Ickler
So let’s just. The easiest one to think about is All. Okay, so All at the very top, when we unroll it, we get down to all the users that are eventually in All, in one list, normalized to just the distinct users.
So when I say largest unrolled user group, I mean those distinct users that did not violate plop. So at the very top, you have All. And that’s everybody in the organization. Everybody in the organization.
Let’s give the idea of maybe it’s a printer in accounting. Right? Everybody at the very top, All unrolled, is everybody in the organization distinctively listed. We know that that group violates plop or pull, right?
Because you don’t want someone in HR printing to the accounts printer. Okay, so that’s too much. That violates plop. So now let’s look at the next largest group, which is going to be All Accounting.
Okay, so we look at All Accounting. We unroll that to the users. We say, okay, do all of these users need access to this printer? Is the answer yes or no? Maybe it’s an accounts payable printer.
Right? So accounts receivable doesn’t need access to it. You get to All Accounting unrolled, and you say, nope, there’s some accounts receivable people in here. They don’t need access to the accounts payable printer. So let’s say, nope, we gotta go down a bit further.
Now we’re at the All Accounting Accounts Payable user group. Unrolled, we say, yes, all of those users need access to this printer. That is the group, All Accounting Accounts Payable, that we assign to the accounts payable printer.
So we unroll those every single time. Now, it might be a scenario where you’ve got overlap where it’s a printer in a common area that is two distinct. maybe it’s a common area between accounts payable and.
Sorry, between accounting and hr. Maybe it’s geographically regioned between the two. There’s like a print kiosk right there and you need both of those departments to be able to print to that. When you unroll that right, you’ll end up finding that there’s two unrolled groups that need access to that printer.
So you apply both of those user groups into that security group for the printer. So the largest unrolled user group might be more than one into that security group for the printer.
Daniel Lowrie
Awesome. Somebody asks in, is Cyber Insight asks, is it advisable to manage firewall policies through ad group policies, tie them exclusively to zones like VLANs, or implement a combination of both?
Kent Ickler
I love it.
Jordan Drysdale
Complicated. That’s a very complicated question. And it’s a little difficult to unroll. So if we begin the unrolling process, say, of, firewall management, I’m just going to say that none of your workstations should be able to talk to other workstations.
There’s generally zero reason for a workstation to be able to talk to a workstation. Now, you may have implemented protected workstations, and those should have some level of access to, say, WinRM or RDP or some kind of desktop support software. But managing firewall zoning through Active Directory.
I would say if you split up your organizational units in a meaningful way, east laptops people go home, they get one firewall set of firewall rules because they’re going to be able to pick up their laptops and carry it into a coffee shop.
You’re also going to need to apply public firewall policies to those. However, your desktops that probably should never get up and walk off might not need that level of granular configuration. However, you would want to make sure that on the domain they get your domain configuration and trusted service allowances.
Now networking, I mean that’s my jam. But still if you’re going to manage firewall zoning, unless you’re specifically wanting to provide access to your server environment.
All, all, any, any. That type of rule set that we see so consistently is inconsistent with the principle of least privilege meaning workstations and users who drop cell phones onto your corporate network probably shouldn’t have full access to the server environment.
I mean it’s generally full unfettered access. Any, any. I rarely see properly constructed zone configurations with routers underneath it.
And ACLs, I mean layer three ACLs even you could step up and go to layer four ACLs. Most people aren’t doing this yet. And it’s 2024. We’re still like I don’t remember the last time I said hey, your, some of your ad sites seem restricted.
I can’t, I can’t talk to that segment over there. It’s usually any, any, all, all and sadly that that type of restriction should be pushed more broadly.
Daniel Lowrie
Well, like you said, you like to get the complicated questions right there at the very end. Always a lot of fun to try to answer those with the ticking clock beating down on your back. That said, we are going to move on to the backstage, the breakout room for the AMA, for people in Discord, watchers.
Thank you so much for joining us today. Thank you so much, Kent and Jordan, for being a part of this. It was a great and very useful webinar series on this topic. It’s a very important one that I hope a lot of people took many, many good points away from and are going to be able to utilize in their organizations.
So we’re going to go ahead and jump back into that breakout room and for the rest of you, thanks for watching. We’ll see you next time. Until then, have a great day.
Kent Ickler
Thank you.