Maybe giving an external firewall an Active Directory service account wasn't such a brilliant idea after all.

https://thehackernews.com/2026/03/fortigate-devices-exploited-to-breach.html

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials

Attackers exploit FortiGate vulnerabilities to steal LDAP credentials and breach networks, enabling AD access and malware deployment.

The Hacker News
@johntimaeus Any bets on "badly overprivileged service account" vs. "look who didn't adjust ms-DS-MachineAccountQuota from its alarming default"?

@fuzzyfuzzyfungus

Why not both?

@johntimaeus Can't really argue with that.

There are cases where you want the firewall to treat different people differently, which makes a case for AD access; but if the thing is joining workstations, you've clearly erred one way or another.

@fuzzyfuzzyfungus

I haven't done AD design in a while, but this is a case where I'd consider limiting all LDAP traffic from the firewall to Read Only DCs. After I'd walked the permissions set on the service account twice.
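The two checks the thread keeps circling back to, the MachineAccountQuota default and the bind account's actual permission set, can be walked in a few lines of PowerShell from a domain-joined admin host. This is an added example, not code from either poster or from Fortinet; it assumes the RSAT ActiveDirectory module and uses a hypothetical bind-account name, `svc-fortigate`, which you would replace with whatever the firewall's LDAP profile actually binds as.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and a hypothetical bind-account name; substitute your own.
Import-Module ActiveDirectory

$svc      = 'svc-fortigate'                    # hypothetical LDAP bind account
$domainDN = (Get-ADDomain).DistinguishedName

# 1. The quota. The default value is 10: any authenticated user, the firewall's
#    bind account included, may join ten machines to the domain.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"
if ($quota -ne 0) {
    # 0 leaves domain joins to principals explicitly granted
    # 'Create Computer objects' on an OU, which is what you want.
    Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
}

# 2. Has the quota already been spent by this account? A computer created via
#    the quota records its creator's SID in mS-DS-CreatorSID.
$svcSid = (Get-ADUser -Identity $svc).SID
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
    Where-Object {
        $_.'mS-DS-CreatorSID' -and
        (New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)) -eq $svcSid
    } |
    Select-Object Name, DistinguishedName

# 3. Walk the permissions: group memberships, then explicit ACEs at the domain
#    root. Repeat the Get-Acl step on any OU the account is delegated over.
Get-ADPrincipalGroupMembership -Identity $svc | Select-Object Name
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$svc" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 4. RODCs you could pin the firewall's LDAP traffic to, per the suggestion above.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, IPv4Address, Site
```

Setting the quota to 0 does not revoke joins that were delegated explicitly, so step 3 still matters; and note that an LDAP bind account for a firewall only needs read access to the user and group attributes it queries, so anything beyond Domain Users membership in step 3 is a finding.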

@johntimaeus We award the head->desk of diligence to anyone who implements this precaution by using rules on the Fortinet to block the Fortinet's access to non-RO DCs. For when you want to miss the point, but none of the steps.

@fuzzyfuzzyfungus

Look no further than the ICS/OT world, where all the network segmentation and firewalling is done on a single edge-facing combined VPN/firewall.