What do you feel is the most common barrier to getting or keeping an Active Directory environment secure?

Examples: Insecure defaults, lack of resources, red tape, training/knowledge gaps, no tiering, config drift, the VP's nephew who set it up originally, technical debt

Checking my assumptions and posting around a few platforms to get input and reach.

#activedirectory

@JimSycurity The obvious one is red tape, but there are some real messes around implementation.

For example, pentester recommendations 101 involve dealing with Responder. LLMNR has a GPO - but look into what people do to disable NetBIOS over TCP.

Putting forward "well for security, I want to copy a PowerShell script off some guy's blog that changes settings Microsoft don't seem to document into a startup script and deploy to all our desktops" is an extremely hard sell. Similar reference, look at how useful LSAppl is for security but try deploying it via Intune.

I could probably write pages in answer to your general question.
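The LLMNR/NetBIOS point above is a good illustration of the gap between "there is a GPO for it" and "you have to script it". Below is an added example of the kind of startup script being described; it is not code from the thread or from any of the people in it. It audits the two settings Responder-style poisoning relies on, and only changes them when run with `-Remediate`. The registry locations are assumptions on my part (they are the well-known ones: `NetbiosOptions` under each `Tcpip_{GUID}` interface key for NetBIOS over TCP/IP, and `EnableMulticast` under the DNSClient policy key, which is what the "Turn off multicast name resolution" GPO writes), so check them against your own build before deploying:

```powershell
# Added example, not from the original thread.
# Audit (and optionally disable) NetBIOS over TCP/IP and LLMNR on one host.
# Assumed registry locations:
#   HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}\NetbiosOptions
#     0 = use DHCP setting, 1 = enabled, 2 = disabled
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
#     0 = LLMNR disabled (same value the "Turn off multicast name resolution" GPO sets)
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$netbtRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# NetBIOS over TCP/IP is per adapter: one Tcpip_{GUID} subkey per interface.
# Wrap in @() so a single-adapter host still gives us an array we can append to.
$findings = @(
    foreach ($iface in Get-ChildItem -Path $netbtRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' }) {
        $current = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Setting   = "NetBIOS ($($iface.PSChildName))"
            Current   = $current
            Desired   = 2
            Compliant = ($current -eq 2)
            Path      = $iface.PSPath
            Name      = 'NetbiosOptions'
        }
    }
)

# LLMNR: the policy key does not exist until a GPO (or this script) creates it,
# so a missing value means "LLMNR still enabled", not "compliant".
$llmnr = (Get-ItemProperty -Path $dnsClientPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
$findings += [pscustomobject]@{
    Setting   = 'LLMNR (EnableMulticast)'
    Current   = $llmnr
    Desired   = 0
    Compliant = ($llmnr -eq 0)
    Path      = $dnsClientPolicy
    Name      = 'EnableMulticast'
}

# Report first; this is what you would feed into a compliance dashboard or ticket.
$findings | Format-Table Setting, Current, Desired, Compliant -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
        # ShouldProcess gives you -WhatIf / -Confirm for free when piloting on a test OU.
        if ($PSCmdlet.ShouldProcess($f.Setting, "set $($f.Name) to $($f.Desired)")) {
            if (-not (Test-Path $f.Path)) { New-Item -Path $f.Path -Force | Out-Null }
            Set-ItemProperty -Path $f.Path -Name $f.Name -Value $f.Desired -Type DWord
        }
    }
    # NetBIOS changes take effect when the adapter re-binds (typically next reboot);
    # the LLMNR policy value is read by the DNS client on subsequent lookups.
}
```

Run it without switches from a startup script or Intune remediation first to get an inventory of drift across the fleet, then roll out `-Remediate` by OU. Keep the GPO for LLMNR in place as well; the script is there to cover the NetBIOS half the GPO does not reach, and to catch new adapters (VPN, virtual switches) that appear after the policy was first applied.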

@JimSycurity Since I had a stunning example today... I had a vendor inform a manager that they cannot understand why I'm pushing to replace perfectly good Windows 2008 servers, and maybe my motives should be questioned.

@jsmall Wow. Just wow.

I'm guessing management never ponied up for ESU years 1-3 and those server workloads aren't in Azure Infrastructure, which is the only way 2008 can get security patches today?