What do you feel is the most common barrier to getting or keeping an Active Directory environment secure?

Examples: Insecure defaults, lack of resources, red tape, training/knowledge gaps, no tiering, config drift, the VP's nephew who set it up originally, technical debt

Checking my assumptions and posting around a few platforms to get input and reach.

#activedirectory

@JimSycurity

Aloha Jim! All of the above, but I've found tiering is a huge one. If people that don't understand AD and the security implications of their changes to it are allowed to change AD, whatever security you have is temporary. By tiering and limiting admin access to AD, you can tighten things down and constrain changes that would adversely impact the security of the environment.

Second, I would say lack of automation. If you can automate updates to AD, you can minimize manual changes and thus fat-finger opportunities.

@JimSycurity The obvious one is red tape, but there are some real messes around implementation.

For example, pentester recommendations 101 involve dealing with Responder. LLMNR has a GPO - but look into what people do to disable NetBIOS over TCP.

Putting forward "well for security, I want to copy a PowerShell script off some guy's blog that changes settings Microsoft don't seem to document into a startup script and deploy to all our desktops" is an extremely hard sell. Similar reference, look at how useful LSAppl is for security but try deploying it via Intune.

I could probably write pages in answer to your general question.
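The reply above points at the awkward spot: LLMNR has a GPO, but NetBIOS over TCP/IP is a per-interface setting with no equivalent policy, so it ends up in startup scripts. The script below is an added example written for this thread (not code from any of the posters), showing what such a startup script has to do and why it keeps being re-run: it audits both settings and, only with -Enforce, writes the documented registry values. The registry keys and values (EnableMulticast under DNSClient; NetbiosOptions under NetBT\Parameters\Interfaces, where 0 = follow DHCP, 1 = enabled, 2 = disabled) are the ones Windows itself uses; the parameter name -Enforce and the output format are this example's own choices.

```powershell
# Added example: audit, and optionally enforce, the two name-resolution settings that
# Responder-style poisoning relies on. Run elevated on a domain-joined Windows host.
# Without -Enforce the script only reports; nothing is changed.
[CmdletBinding()]
param(
    [switch]$Enforce   # hypothetical switch name chosen for this example
)

# --- LLMNR -------------------------------------------------------------------
# This is the same value the "Turn off multicast name resolution" GPO writes, so a
# script setting it agrees with policy rather than fighting it.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr    = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue

if ($null -eq $llmnr -or $llmnr.EnableMulticast -ne 0) {
    Write-Output 'LLMNR: enabled (EnableMulticast missing or not 0)'
    if ($Enforce) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
        Write-Output 'LLMNR: now disabled'
    }
} else {
    Write-Output 'LLMNR: already disabled'
}

# --- NetBIOS over TCP/IP -----------------------------------------------------
# No GPO covers this; it lives under one subkey per interface GUID, and an interface
# created after the script ran (new NIC, VPN adapter) comes back as 0 = DHCP-controlled,
# which in practice means enabled. That is why this belongs in a startup script that
# runs every boot rather than a one-off change.
$nbtBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

Get-ChildItem -Path $nbtBase | ForEach-Object {
    $iface = $_.PSChildName
    $opt   = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions

    if ($opt -eq 2)     { $state = 'disabled' }
    elseif ($opt -eq 1) { $state = 'enabled' }
    else                { $state = 'DHCP-controlled (effectively enabled)' }
    Write-Output ("NetBT {0}: {1}" -f $iface, $state)

    if ($Enforce -and $opt -ne 2) {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        Write-Output ("NetBT {0}: set to disabled (takes effect on next adapter reset/reboot)" -f $iface)
    }
}
```

Deploying it as a computer startup script (or an Intune PowerShell script set to run at every sign-in/boot) is what makes the NetBIOS part stick; running it once from a help-desk session leaves the next new interface open. Keeping the audit-only default means the same script doubles as the evidence you hand to the change board before asking for enforcement.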

@JimSycurity Since I had a stunning example today... I had a vendor inform a manager that they cannot understand why I'm pushing to replace perfectly good Windows 2008 servers, and maybe my motives should be questioned.

@jsmall Wow. Just wow.

I'm guessing management never ponied up for ESU years 1-3 and those server workloads aren't in Azure Infrastructure, which is the only way 2008 can get security patches today?