5 Things You Can Do RIGHT NOW to Protect Your AD Against Attackers
A Completely Normal Clickbait Listicle
You live in a constant state of fear. Fear that at any moment, Bob from accounting is going to click that email link promising a free $25 gift card as thanks for his unwavering loyalty to Chipotle. And the next morning you'll be greeted by a very intimidating character named Petya who wants millions in either Dogecoin or Walmart gift cards in exchange for restoring all your data and pinky promising they won't sell it to the highest bidder.
Luckily for you, I have 5 tactics that I've discovered in my 35 years of Active Directory experience to guarantee that you will never have to worry again.
1. Just get rid of AD
You know it's not secure, and you're not entirely sure how to truly fix it. Sure, you have some ideas, but every time you suggest them your executive leadership reminds you that they're too busy and important to deal with the hassle of remembering any password that isn't "password" and that you have more important things to focus on like giving them Domain Admin permissions. Why's that taking so long by the way? You said it would take "about a week" to "program that feature" but you remind them that you're still waiting on critical updates to complete for Adobe Flash.
You decide to take the internet's most common advice. Lawyer up, hit the gym, delete Active Directory. Something like that. You think to yourself "this year will definitely be the year of the Linux desktop". You said that last year and the year before as well, but you're just as confident about it now as you are about finally upgrading your domain controllers off of Server 2003. You daydream of a glorious day in the office, a fresh breeze wafting the cool taste of Mint into your mouth, the rich smell of Cinnamon deep into your nostrils, and the sweet sounds of computer mice being thrown in the trash while keyboards tap away dumping text into terminals. At lunch you sit as a team, sharing Kerberoast beef sandwiches while you Pass the Hashbrowns, moving laterally around the table handing out Golden Tickets to show how much you appreciate everyone, especially Mimi the office cat.
And then the ping of a fresh email from Bob who locked himself out for the 4th time this week snaps you back to the reality that your abusive relationship with AD isn't ending any time soon.
2. Set Ludicrously Strong Passwords
Look, you don't want "the hackers" to get your passwords and you sure as hell don't trust your users to stick with the pass phrases you've been yelling about since you started. You know for a fact that the 10 people you wrangled for a trial just copied Bob and used "correct horse battery staple", so it falls on you. And you're up for the task. You wrote the perfect password generation script last year and spend every weekly status meeting practically begging to enforce its use as a requirement.
You go through all the magnificent details. It generates a random assortment of the hex values of 128 non-repeating characters from a set including numbers & symbols, the English, Cyrillic, Arabic, Bengali, and Hebrew alphabets, and a selection of your favorite emojis. Then it generates a SHA-512 hash, salted with the answer to a random Lichess puzzle concatenated with a random cat fact from the catfact.ninja API. Finally, it uses that as a seed to generate a random number that's thrown at the end for good measure.
You know good and well they'd just write it down so they can remember it. That's why you spearheaded a company initiative to go completely paperless, under the guise of caring about your environmental impact. You also personally show up first to the office and remove every piece of paper people sneak in anyway, knowing you won't get caught because you never manage to get budget for the security cameras you keep asking for. You put on a huge show-and-tell ensuring everyone is aware that any complaints would lead to their laptop getting replaced with the leftover stock from 6 years ago running a build of Gentoo. You use Arch, btw.
But you can breathe a sigh of relief. There's no way the hackers are logging in now. Actually no one is logging in now. You're fine with that.
3. Lock Down Permissions
You're sure you've been breached when you discover a stealthy foothold the hackers clearly left behind, an account named with some random letters they thought you wouldn't notice. Goodbye "krbtgt", whoever you are. You pat yourself on the back and resolve to clean up everything else.
First off, why does EVERYONE have read permissions to the entire directory? That sounds like a bad idea, you just go ahead and turn that off. And where the hell did all these service accounts come from? You see svc_sql, svc_smb, svc_cert, so many more. There's no owner, no description, and they have weird group memberships like "PostGres_PRD_RW" and "CertSvAdm" which seem particularly sketchy. You just go ahead and delete those.
Speaking of, better clean up all those other group memberships. Just a quick little bit of powershell.
ForEach ($Group in (Get-ADGroup -Filter *)) {
$Group | Set-ADGroup -Clear member
}
You sign out for the day and turn off your work phone to enjoy the weekend.
4. Quit Your Job
It's not your AD anymore.
5. Become a LinkedInfluencer
You're not a disillusioned former admin from a now-defunct company that went bankrupt after failing to recover from a ransomware attack that exposed the fact your CISO was embezzling millions of dollars from the security budget. No, you're a battle-hardened cyber warrior hunting threats in the shadows, yearning to share the gospel of your knowledge as a veritable guru of IT Security. With gusto, you embrace your newfound career, sharing photos of you in a black hoodie, your blurred-out face staring down 6 monitors scrolling green text on a black background as you mash your keyboard on Hacker Typer.
Immediately after, it's you in a tailored bespoke suit, hair slicked back and wrapped into a tidy man bun, obvious fake Rolex front and center right above your favorite quote "I am enlightened by my intelligence". And then, to show how far you've come, an old picture of you as a fresh pimply-faced youth, not yet scarred by the rigors of experience, toasting the camera with a 2-liter bottle of mountain dew that left an obvious stain on the cargo pants you unironically called "business tactical".
All this, accompanied by a list of your greatest hits. The captivating thought pieces that rocketed you into the spotlight of immense fame, riches, and success gathered from all 571 of your loyal followers.
6 Ways to Tell if Someone is a Hacker Just by their Smell (number 4 will SHOCK you!)
Do You Have What It Takes to Perform a Successful Multi-Factor Cryptographic Authentication Against a Domain-Joined Virtual Appliance? Take this quiz to find out!
Why The Best IT Admins Wear the Same Shirt to Work Every Day
Your Domain Controller Does NOT Need SMB Signing, and Here's Why.
How to Become a Successful IT Guru Like Me for Only $150 (buy this book!)
Conclusion
By following these 5 easy steps, you too can build a successful career and massively inflate your ego overnight, while you sleep soundly on your mom's 1992 IKEA sleeper sofa, just like me.