Transforming AD Security in the Public Sector

From Vulnerable to Resilient: Transforming Public Sector AD Security

Estimated read time: 1:20

    Summary

    In a comprehensive webinar led by MTI Technology, the transformation of Active Directory (AD) security from a state of vulnerability to resilience was discussed in depth. The session, primarily aimed at public sector organizations but relevant to any institution using AD, stressed the importance of strengthening AD security frameworks to fortify against rising cybersecurity threats. Key speakers highlighted strategies like implementing administrative zoning and reducing configuration drift to enhance security. Emphasizing the critical need for resilience in a climate of increasing ransomware attacks, the webinar provided actionable insights and offered attendees a chance for a free AD security assessment.

      Highlights

      • The webinar highlighted the journey from a vulnerable state to a resilient environment in Active Directory security. 🌟
      • Implementing administrative zoning is a key strategy for mitigating risks associated with Active Directory. ⚙️
      • Configuration drift is a significant threat to AD security; consistent monitoring and updating are necessary. 🔄
      • Resilience in cybersecurity is essential, especially with the growing threat of ransomware. 💪
      • Attendees were offered opportunities for further assessment and consulting on AD security. 🎁

      Key Takeaways

      • Understanding the importance of transforming Active Directory security from vulnerability to resilience is crucial for public sector organizations. 🔐
      • MTI Technology emphasizes administrative zoning and reducing configuration drift to enhance AD security. 🚀
      • Ensuring AD security contributes significantly to overall cybersecurity resilience, especially against ransomware attacks. 🛡️
      • The webinar stresses the need for strategic risk-based approaches alongside compliance-driven strategies. 📊
      • Attendees were offered a free Active Directory security assessment to evaluate their current security posture. 📈

      Overview

      Active Directory (AD) security was the focal point of a recent webinar by MTI Technology, shedding light on transforming a typically vulnerable structure into a highly resilient one. As public sector organizations increasingly face cyber threats, strengthening AD becomes imperative. Experts discussed strategies such as administrative zoning and reducing configuration drift, which are crucial to safeguarding this essential component of any organization's cybersecurity framework.

        During the session, speakers emphasized that improving Active Directory security is not just about tackling current threats but also about preparing for future challenges, especially considering the rise of more sophisticated ransomware attacks. By adopting measures like administrative zoning, organizations can protect their infrastructures more robustly.

          Finally, the discussion encouraged a shift in mindset towards a strategic, risk-based approach that goes beyond mere compliance with standards. With an offer for a free AD security assessment, attendees left with actionable steps to redefine their cybersecurity postures, ensuring a stronger, more resilient Active Directory environment.

            Chapters

            • 00:00 - 02:30: Introduction and Housekeeping The chapter introduces the webinar titled 'From Vulnerable to Resilience,' focusing on enhancing organizational resilience, particularly for those in the public sector using Active Directory. It emphasizes the importance of transforming Active Directory environments as a crucial aspect of Identity Management (IM) security.
            • 02:30 - 05:30: Public Sector Active Directory Security The chapter titled 'Public Sector Active Directory Security' discusses the process of moving from a vulnerable state to an improved resilient state, and potentially transforming further. The chapter begins with housekeeping notes, mentioning the availability of a Q&A or chat option for any questions during the session. Participants are encouraged to put their questions in either the chat or the Q&A section, and the host will try to address them.
            • 05:30 - 10:00: Active Directory Risks and Solutions The chapter focuses on the risks associated with Active Directory and the potential solutions to mitigate those risks. During the session, viewers are informed that there will be a dedicated Q&A period towards the end, where Harry, the speaker, and Dominic will stay on to answer any remaining questions. If there are too many questions to address during the session, they plan to send a follow-up note with all the attendees' questions and corresponding answers. The session emphasizes proactive communication and engagement with attendees to ensure all concerns are addressed.
            • 10:00 - 15:00: The Future Tech Landscape and Its Impact on Security The chapter titled 'The Future Tech Landscape and Its Impact on Security' presents initiatives to address future security challenges. It discusses a free AD security assessment offered by Quest and supported by MTI consultants. Additionally, a consultancy service is available through a randomized draw. The focus is on providing security solutions and outreach to interested parties, with flexibility for those not willing to participate.
            • 15:00 - 20:00: Challenges in AD Security The chapter titled 'Challenges in AD Security' discusses the complexities and the intricate requirements involved in securing Active Directory (AD) systems. It introduces key team members, such as Dominic Bland, the Technical Director from First Response. MTI and First Response have collaborated for over a decade, focusing intensely in the last five years on large-scale Active Directory projects. This ongoing partnership highlights the demand for in-depth consultancy and specialized skills in the AD security landscape.
            • 20:00 - 25:00: Implementing Administrative Zoning The chapter discusses various discovery and review exercises as well as remediation support within the public sector, specifically targeting NHS organizations through technical remediation services offered by NHS England. It highlights the collaborative work done by the host and Dominic over the years focusing on common issues in Active Directory (AD) security, primarily for on-prem AD systems. The chapter also notes the shift towards Entra, indicating a transition or evolution in this area.
            • 25:00 - 30:00: Building AD Resilience The chapter titled 'Building AD Resilience' focuses on the prevalence and dominance of Active Directory (AD) as the primary authentication mechanism in many public sector environments, particularly on-premises. The discussion involves Harry Sweetman from Quest, who possesses significant experience and understanding in the management and monitoring of Active Directory. The chapter promises insights into building resilience in AD environments, highlighting critical aspects of security defenses.
            • 30:00 - 35:00: The Importance of Monitoring In this chapter, the speaker discusses the increasing significance of monitoring in the context of cybersecurity, specifically focusing on Active Directory (AD). The speaker highlights the essential role of AD recovery in responding to ransomware attacks, which have become a significant threat. The agenda includes an examination of the evolving threat landscape and predictions for the next five years, emphasizing the need to understand AD within its broader context as part of a comprehensive security strategy.
            • 35:00 - 40:00: Disaster Recovery Planning In this chapter titled "Disaster Recovery Planning," the discussion begins with an exploration of identity and access management security within the broader context of digital transformation. The conversation transitions to Dominic, who focuses on the risks associated with Active Directory and provides guidance on configuring the environment to safeguard against common risks. Harry then takes over to discuss the monitoring, management, and recovery processes of Active Directory. The chapter concludes with a Q&A session and a highlight slide.
            • 40:00 - 53:00: Q&A and Closing Remarks The chapter, titled 'Q&A and Closing Remarks,' discusses the future steps for those interested in the topics covered, specifically focusing on the context around Active Directory. It notes that Active Directory is now 25 years old, having been first implemented in the year 2000. The chapter includes celebratory remarks on its anniversary.

            From Vulnerable to Resilient: Transforming Public Sector AD Security Transcription

            • 00:00 - 00:30 So thank you everyone for joining. I hope you're expecting to see the webinar as indicated on the screen there. So, From Vulnerable to Resilience: it's a session specifically to look at how organizations, principally in the public sector, but the same applies to any organization with Active Directory, how they can move their Active Directory environment, as a critical component of IM security generally,
            • 00:30 - 01:00 from what is quite frequently a fairly vulnerable state to one that is improved resilience, and then potentially transform. So we'll start with a bit of housekeeping. We will have a Q&A or chat option. So if you've got any questions as we run through, excuse me, either put the question in the chat or the Q&A. It doesn't really matter which one. We will try to
            • 01:00 - 01:30 respond to all of those at the end of the session, so from about 40-45 minutes onwards. If you've got time to stay on past quarter to, then that's fine. The team that you see on the screen there, Harry, myself and Dominic, will be staying on for about another 15 minutes to answer any questions. If we don't get any, or there's so many that we can't answer, we'll respond back and just send a note out to all of the attendees with all of the questions on, just highlighting
            • 01:30 - 02:00 what our responses are to each in turn. Somebody will reach out anyway with the offer of a free AD security assessment that is kindly being provided by Quest and will be supported by MTI consultants as well. And also we've got a consultancy piece that we're offering as a free consultancy by way of a draw that we'll do at random. We'll reach out to the winner of that. If you're not interested in that when we've reached out, we'll just hit the next one. And I know some people aren't able to avail
            • 02:00 - 02:30 themselves of that, but that'll be a piece of more in-depth consultancy. So the team on the call then: I'm joined by Dominic Bland, who's Technical Director from First Response. First Response and MTI have worked together for, oh, a long time, over 10 years certainly, and in the last five years particularly have been really heavily engaged in a number of fairly widescale Active Directory
            • 02:30 - 03:00 discovery and review exercises, as well as a lot of remediation support in the public sector. Any NHS organizations on might know that service that's offered from technical remediation within NHS England. So we've done a lot of work, Dominic and I, over the last few years on understanding the common problems in AD security. We are talking about on-prem AD security. There is certainly a move towards Entra and
            • 03:00 - 03:30 hybrid state, but certainly in lots of environments in the public sector, Active Directory on-prem is still the prevalent and the dominant authentication mechanism for all services. And then Harry Sweetman's joining us from Quest. Harry's CISSP and has got some really great experience and an understanding of management of AD and monitoring of Active Directory. And also, really critically, the final piece in the puzzle: if all your defenses do
            • 03:30 - 04:00 somehow go awry, then recovery of Active Directory we'll touch on as well at the end, which is an absolutely critical component of recovering systems in the event of, particularly, ransomware attacks. So the agenda: I'll quickly touch on the rising threat landscape, what we know from all those reports, what we think is going to happen in the next 5 years, essentially to nest AD within its wider context
            • 04:00 - 04:30 of identity and access management security and actually digital transformation more generally. Dominic will then pick up on Active Directory risks specifically, and how and what to do to configure your environment to try and protect against the most common risks, and then Harry will pick up on the piece around monitoring and management and recovery of Active Directory. We'll finish off at the end very quickly with the Q&A and a highlight slide of
            • 04:30 - 05:00 what to do as next steps if you're interested in any of those reviews that we talked about. So, the nesting of Active Directory into a bit of context. Active Directory is now 25 years old, so it's happy birthday to Active Directory. Year 2000 was when the first directories went in. So it's been effectively
            • 05:00 - 05:30 the most commonly used authentication and authorization point within Windows infrastructure for the last 25 years. It has obviously been developed at a time where, particularly, human-operated ransomware was far less prevalent and far less sophisticated than it is today. So we wanted to sort of touch on what the world was like a little bit in the year 2000, and a little bit about where we are
            • 05:30 - 06:00 today, the 2025 number, and a little look forward to 2030, principally because most of you are public sector entities and organizations, and the government cyber security strategy sets out a really very clear vision for 2030, by which time it wants all public service providers to be resilient to known vulnerability. And if you are going to pick a known vulnerability,
            • 06:00 - 06:30 then the one that you would, and attackers do, pick most frequently is those around Active Directory, because it's such a great way to get access to everything in your environment. It wasn't designed to be a security tool. I think Dominic will touch more closely on that. So yeah, I mean, there's obviously been a huge proliferation in data, in IoT devices, in the number of people in the world actually since 2020, and critically the amount
            • 06:30 - 07:00 of coverage and the quality of coverage that people have to be able to access workloads on devices wherever they are, really, on the globe. And by 2030, that's predicted to double the amount of data in the world, to 300 zettabytes by 2030. The number of IoT devices, again, predicted to double from what it is today; it was less than 200 million in the year 2000, and we're looking at
            • 07:00 - 07:30 nearly 30 billion by the end of this decade. People not necessarily growing at such an exponential rate, thank goodness, but certainly their ability to access services on digital devices is absolutely going through the roof. So all of that will mean there is far greater access to devices and services from outside the traditional security perimeter between now and 2030. That's only going to get
            • 07:30 - 08:00 worse. So the critical things that we've seen on environments in the last few years of work are that there's been 25 years really of configuration drift in Active Directory. Far too many tier zero assets are out there; by that I mean enterprise admins or domain admins. And there are a lot of access controls that people don't really understand: what they are, should they be there. They're not documented particularly well. And there isn't really any tiering in Active
            • 08:00 - 08:30 Directory; certainly it's not done to a degree where it's effective. So there's no separation of tier zero, tier one, tier two accounts. So if you add those problems, effectively problems of technical or digital debt, to the current geopolitical landscape that we're seeing in the world, to the thing that's really driving that proliferation in assets and data, which is going to be AI and developments in technology, to the ability of attackers to then
            • 08:30 - 09:00 really leverage those developments in technology to get inside networks and move in an automated way across networks, then hopefully the picture that we're building here is one that points towards the really critical importance of getting Active Directory security as hardened as possible as quickly as possible, because in the next 5 years it's going to be very easy for attackers, using whichever of those methods on the screen there, to really utilize
            • 09:00 - 09:30 AI to get into networks and compromise networks extremely easily. So the way that we see that happening, MTI and indeed Quest and lots of people in the industry, is that the move towards zero trust is absolutely critical, which can be a bit daunting, can be a bit complex. That slide is meant to be a bit of a complex, unstraight journey towards an end goal. The end goal
            • 09:30 - 10:00 being zero trust. It's not a simple journey. There are lots of different components to it. Certainly you're not going to get there by just buying a product. But you can start really quite well and effectively by picking off targeted elements of a zero trust adoption roadmap. And one of the most critical ones that you need to do is to get to a stable state within IM security generally. So you'd include MFA in this, but absolutely critically you would need to include a really good
            • 10:00 - 10:30 and robust set of hardening activities around Active Directory. So I'll hand over to Dominic to pick up on the detail from there. Thanks Jim. Well, hello everyone. Thanks for your time. My name is Dominic. I'm a principal consultant and director at First Response. I've been dealing with Active Directory since 1998, curiously just before it came out. And I've spent a long time doing cyber forensics
            • 10:30 - 11:00 and digital security in various different forms. The last few years I've been working very much mostly with Jim and his team doing audits and assessments across Active Directories, and we developed a very specific audit that we've used in essentially more than 250 different organizations, many of them NHS trusts, that allowed us to see the patterns of behavior across all of these different, quite disparate implementations
            • 11:00 - 11:30 and understand the patterns within the things that people were getting right and, very much, the things that people were getting wrong. So the patterns that we discovered while we were looking through all of this data allowed us to classify the issues that we were finding into what we call point fixes and structural changes. Point fixes tend to be the smaller things where you can generally flick a switch to fix a problem, something like turn off old NTLM protocols, disable old Server
            • 11:30 - 12:00 Message Block protocols; a lot of it is focused around that area. Reset krbtgt baseline passwords so that they can't be used for persistence by an attacker. So these are the point fixes, small things. Sometimes they require a small project to check the environment and make sure that flicking the switch isn't going to blow anything up, but generally they're small, independent issues. But there were a lot of issues that we came across, issues around the separation of user and admin authority, having too many higher authority identities within the
            • 12:00 - 12:30 system, the littering of higher identity accounts all over the place. And all of these together we were able to group together as a structural flaw, a structural change. So a structural change is required to fix these things, because to fix them you need to fix a whole bunch of things simultaneously, and only when you fix enough of those things together do you actually get a security improvement. Each step along the way does give you these little marginal security improvements. But it's only when
            • 12:30 - 13:00 you get to a certain level, a certain structural stability, that you've actually got a really powerful change in the system, and a change that will last and is maintainable. A lot of this is based around the simple idea that there is a flaw at the heart of the Windows system. And this flaw is to do with caching. Every time an account logs onto anything within the system, that account is cached on either the workstation or the server or the domain controller,
            • 13:00 - 13:30 because generally we split the network into workstations, you can see the bottom left of the diagram, servers in the middle on the right, and domain controllers as the controller systems above them. But whenever an account logs on, the cache of that account credential is left behind. You've all come across the pass-the-hash attack, or at least heard of it. This is the ability of an attacker to lift credentials and then use those credentials. The problem we have here is that credentials of all sorts, client
            • 13:30 - 14:00 level credentials, server level credentials, and domain credentials, are littered across all of the machines in a Windows infrastructure. It's always been this way. It's always been exploited by attackers, but it's quite hard to deal with for a number of reasons, so it's very rarely dealt with. So keys exist, as I said, in different levels. There are client keys, which would allow an attacker to access user information, the area of shared data that they have access to, and
            • 14:00 - 14:30 various other low-grade functions of the system. If an attacker can get hold of server keys, they then have access to the SQL databases, the full file shares, not just the little pieces of file shares that the users can see, making exfiltration of data very much easier. They also gain access to the support systems for the network, things like DHCP and in some cases DNS, which allow them to create persistence
            • 14:30 - 15:00 within the network, to connect and manipulate the way the network functions. If an attacker can get hold of the domain keys, they basically have full control of the entire infrastructure, not just the Windows infrastructure, the whole of the infrastructure. Because all of your underlying infrastructure components, things like your VPNs, your switches, your routers, your proxy filters that control network access, and all those other devices invariably connect into the Active Directory
            • 15:00 - 15:30 for their management identities and to determine user access. So getting hold of the domain level identities in Active Directory actually gives an attacker pretty much the entire infrastructure. Sadly, getting into a system and escalating through a system are actually depressingly easy. Getting into a system, as Jim was talking about, is getting easier and easier, partly because of the advent of AI, but also because
            • 15:30 - 16:00 attackers are just getting more experienced. Their code is better, their processes are better, and they've become much more professional about it. So you get into a workstation by one of various mechanisms: phishing, more commonly spear phishing, targeted phishing; less commonly direct intrusion, but it still happens. Multi-factor authentication can help, but it's not perfect. Once you get into a workstation, you'll see that a client admin account can be lifted. There's always a client admin account on every workstation. And once that's been lifted, an attacker can then move to all the other workstations in your
            • 16:00 - 16:30 environment. And they will do this in code, automatically, very very fast. They'll zoom around the client base and finally they'll find a client that a server admin has logged onto. They pick up those credentials. Now the attacker is a server admin. They go straight to the servers and they move around the servers until they find a server that a domain admin has logged onto. Now the attacker is a domain admin and they own your entire infrastructure. Like I said, depressingly easy, both to get in and even
            • 16:30 - 17:00 easier to escalate, because the credentials that the attacker needs are just sitting there, lying around the system waiting to be picked up. There is a defense against this, and it's a damn good one, which is zoning. So the idea of zoning is that if the credentials, the server and domain admin credentials, are simply not there, they can't be lifted and used by an attacker. They can't be stolen by an attacker when an attacker breaks into a
            • 17:00 - 17:30 workstation. Why doesn't everyone do zoning? It's difficult. It's difficult to organize. The structures required for it are not as difficult as you'd imagine, but the transition to it is quite difficult: to do it at very low risk, to do it fast enough to be effective, and then to enforce it. It's actually quite a terrifying piece of work for the internal administrators. It's a rather specialized piece of work, but the need for it: you can see, when the work is complete, you create a situation where
            • 17:30 - 18:00 you have administration accounts, or accounts with administrative power, banded into specific zones. There will be no domain admin or server admin accounts in the client base, anywhere on the client base, so the attacker can't pick them up. If an attacker by some fluke managed to get a server credential and get themselves into the server layer, there will be no domain admin credentials in the server layer for them to pick up. Very simple concept, and very very powerful once correctly implemented. And the need for this zoning is actually supported by multiple agencies around the world. This is an
            • 18:00 - 18:30 extract from a recent document which was a collaboration between all of the agencies that you can see on the screen there. And the first page of this document, the big gray paragraph on the first page of the document, is: the best way to protect Active Directory is to protect the keys, and do that by zoning. And specifically it talks there about zone one, but it also, sorry, talks about zone zero as the primary zone, that's the domain zone, but it also talks about tiers one and two, which is the server and client
            • 18:30 - 19:00 zones. Just a little aside from that, because the document talks about MFA and PAM, and we're all very aware of those technologies. It's worth noting that MFAs and PAMs, privileged access managers, are more front-end devices. They deal with managing the authorization of accounts. Certainly that's what MFA is about, hardening the authentication, and PAMs may have some authorization capabilities, but again their strong point is
            • 19:00 - 19:30 focusing the login session, recording, centralizing audits, giving you bits and pieces of validation. But role-based authority with administrative zoning actually bakes that validation into the Active Directory itself. So even someone who can evade a PAM or evade MFA will still have an account that is zoned by the Active Directory in the Windows infrastructure natively. It's a very powerful layer of defense. So back on
            • 19:30 - 20:00 track, how do you get to administrative zoning? Administrative zoning requires a number of steps, and each step has its own benefit, its own security enhancement. But as I said to you before, you have to get a certain way along this path before suddenly all of these things that you've done click into place and start to form a really really powerful defense. So the first step is to separate admin accounts from user accounts, so that your administrators are not opening emails and browsing the web using an admin
            • 20:00 - 20:30 account. It's very obvious separation. We've been used to that for years now. The advice has been there for donkeys years now and most people do it. The second step is to imple implement role-based authority. Again, this these concepts of for role-based authority have been around for ages and many people have role-based authority designed into their systems. Some of it works, some of it doesn't. But the advantage of role-based authority is that you can now scope your admin accounts and it creates the possibility that you can limit your higher authority
            • 20:30 - 21:00 memberships. Those domain admin accounts that are so powerful and so dangerous to have floating around the system. Once you have enough role-based authority in place and it's working properly, you can actually empty your domain admins group, not only of the admin accounts that are in it, but of the service accounts that are in it as well. And that's a bit that people stick on very badly. People's willingness to change the powers associated with service accounts is very low, because it's a very frightening thing. Changing those powers may change the way the
            • 21:00 - 21:30 service reacts, may cause a service outage. So it's something people are very loath to do, but it's profoundly important. When you get to this point, you should be able to minimize your total number of domain admins down to a maximum of five actual people, five administrators, and maybe a couple of services that really do things with the Active Directory and need specific powers. Most other services just need the odd power here or there, or the ability to manipulate a server that they're running on. Once
            • 21:30 - 22:00 you've minimized the higher authorities, you've taken a huge step towards strengthening the system. And minimizing the higher authorities allows you to put a domain boundary in. It's what allows you to collect all of the strengths of these three components together and make them really powerful. The next step on from that is to separate these authorizations and authorities onto different accounts. So anyone who's going to do domain admin work has a domain admin account, but they also have a server admin account, and 90% of the time
            • 22:00 - 22:30 they do their admin work with their server admin account, and they only ever use their domain admin account to log onto domain controllers. Similarly, you want to separate server admin from client admin onto different actual logins, so that anyone who wants to do client admin work actually logs on with a client admin account. And finally, once you've separated client admin accounts from server admin accounts from domain admin accounts, you put boundaries in the middle of them: technical blocks that actually prevent
            • 22:30 - 23:00 those accounts from logging on to zones that they're not supposed to log into. And that's when you get right up into the high end of this security, and the system becomes able to protect itself very, very strongly. The Active Directory can do all of this stuff natively. The technology for this is in the Active Directory. There's no software required. It's just a reconfiguration, a layer of security that you need to put right at the top of your Active Directory architecture, which then flows down onto
            • 23:00 - 23:30 everything in there. This point, around about six, where we've separated out the domain admins and we can put in a domain boundary, the higher boundary, that's the minimum place that any organization really needs to get to. But even then, you get so much stronger if you take it the full distance. Most organizations think they are about here. They think they've minimized the higher authority membership. But generally speaking, when we go and actually do the audit, when we
            • 23:30 - 24:00 say, how many domain admins have you got, and they say, oh, we've got five, what they mean is the people, not the actual accounts that have domain admin power. So generally what we're seeing is 30, 40, 50. We've had 250 as well, in one that we came across early in our run of audits. So most organizations think they are about there, but actually most organizations are about here. They have some role-based authority in place. They've done some separation of administrators from domain admins and higher authorities. But it's
            • 24:00 - 24:30 incomplete. They still have far too many domain admins and it's not normalized. It's not a normalized working pattern to have everyone with a role-based authority separate from domain admins. Tragically, one, or sorry, two of the first 200 audits that we did were at this level: they hadn't actually separated admin and user capabilities at all. So even though that's been a marked step for a long time, it's still in place out
            • 24:30 - 25:00 there. So how do we do this natively? The first thing to recognize is that these changes, this implementation of role-based authority and zoning, is a fundamental requirement for the Active Directory. It's so fundamental, in fact, that exactly the same architecture to present these capabilities can be used in every Active Directory that exists. Now, I say that quite comfortably because I've been doing this for 25 years and I've used iterations of this technique in the whole of that time. More recently, we've just done a more focused,
            • 25:00 - 25:30 streamlined version of this and have implemented it in 10 organizations in the last year, and it's working beautifully in all of them. So any organization can benefit from this unified, standardized, high-level structure, but you build it using the directory's own components: organizational units, groups, GPOs, Group Policy Preferences, and sets of access control for delineating role-based authority. It's standard Active Directory technology, but you just forge it correctly. You format
            • 25:30 - 26:00 and configure it correctly to produce this amazingly strong result. But all organizations are not the same, and when you put this in, every organization needs to be cleaned up. And there are always things that are specific to individual organizations, specific security controls that you have to modify and present in a slightly different way, because you've all seen different Active Directories. They can be wildly different in their presentation. And the application sets
            • 26:00 - 26:30 and service sets that organizations use are also wildly different. In this particular example, this was a trust with 2,000, sorry, 20,000 users and 700 servers. There were 247 domain admins when we started. There were five admins and four services when we finished putting in the domain boundary, the higher of those two boundaries. When we surveyed the server base, there were 385, there were 385,000 connection points between users
            • 26:30 - 27:00 and server administration. So there were 385 potential server logins that we had to assess, handle, and make sure they worked. And when you do this work, you have to pick out what is necessary, what is functional, what is dangerous and what is just legacy, and you get rid of the legacy, mitigate the dangerous and maintain the necessary, because if you go through this process and you don't maintain the necessary functions
            • 27:00 - 27:30 correctly, that's when you start to cause user issues. And we can do this very, very precisely. We've developed analytics over the course of the last year to do this. So we know that this can be done, if it's done correctly, in a three to four month timescale, depending on the kind of involvement and buy-in from the trust, and with very little impact on the administrators and certainly not on the users within the environment. So, as we've been doing these projects over the last year and a half, we've discovered
            • 27:30 - 28:00 that we're able to do this with very, very low risk, as long as you understand what data to pull out and how to manage and manipulate that data. And as I said, there's a cleanup required as well. In that same place, we analyzed 40,000 access controls and cleaned out 15,000 of them that were rogue legacies, dangerous because they presented privilege elevations and so on. So there's this very distinct pattern to the work of building one of these structures, a core structure that presents these role-based authority
            • 28:00 - 28:30 functions, and that needs to be tailored a little to the specific environment. So here we end up: if you put administrative role-based authority and administrative zoning in place, you end up with an infrastructure that is massively harder for an attacker to move through. So hard, in fact, that the chances are most attackers will just give up, unless they really want the prize in your environment. But you're also making it so much harder for them
            • 28:30 - 29:00 to move through the environment, having taken away the standard pivoting capability, that they then have to prod things in the environment. They have to do much more work, a lot of it manual, because there are fewer automations for the other techniques, and this is slowing them down, making them do more, making them behave more weirdly. That's the kind of thing that monitoring processes will spot. So the monitoring processes that Harry is going to talk to you about in just a moment will have their functionality increased and enhanced by a good foundation, because a
            • 29:00 - 29:30 good foundation will force attackers to behave more strangely, giving the monitoring capability more chance to see it. The strong foundation gives the directory a very much stronger resistance to attack as a result, but it also gives it resistance to uncontrolled change and administrative accident. All this higher work that we do, the higher authority boundaries that we put in place, mean that only a very limited number of people can substantively
            • 29:30 - 30:00 affect the overall security of the system. But like everything else in the technology universe, this foundation is built on a set of rules, and rules that can be broken, rules that may change over time depending on installations and upgrades, or an attacker. So it's very, very important that the various attributes and configurations that form this foundation are monitored correctly to keep them safe, to keep them sound. So to talk to you a little bit
            • 30:00 - 30:30 more about that, I'll hand over to Harry. Thank you very much, Dom. Let me just jump to the next slide here. And yeah, so hi everyone. My name is Harris Sweetman. I'm the public sector solutions lead at Quest. I'm also one of our internal cyber resiliency SMEs and a CISSP. And Quest works very closely with MTI to help deliver some solutions to a lot of the conversations that we're having about today. I want to talk a bit about building resilience into your AD security, now that we know what good looks like. So we just need to
            • 30:30 - 31:00 sort of approach security as something that's not static, right? It evolves, and we need to ensure that our best practices don't drift outside of the good state. And defense in depth can help with this. I'm sure a lot of you have heard the term defense in depth. And we're going to kind of dive into that a little bit more, but I want you to sort of think, as I go through these next slides, about the idea of fix once, fail later. So before we dive into how we approach AD security, we need to understand some of the challenges that we face with AD day-to-day. So the
            • 31:00 - 31:30 first one being that the Active Directory attack surface is constantly growing, right? Especially with most of us now being on a hybrid infrastructure with Entra ID. The sheer number of identities that can be leveraged for an attack, and the permissions that intertwine those identities, can be very difficult to keep on top of. We know that 80% of breaches now involve compromised identities. And as Dom mentioned in his previous slides, this is how attackers are getting in. 79% of executives are stating that assessing the exposures within AD is a top security struggle. So we need to think about how we simplify
            • 31:30 - 32:00 this. The second challenge is AD configuration drift. Now, attackers love misconfigurations. So how do we stop our AD from drifting outside of that good state that Dom has just presented us with? This is a top three AD security risk according to Microsoft at the moment. The third challenge is then alert fatigue. We get alerts from so many different sources now. Natively, the logs that get spat out are fairly messy, and in an active attack scenario, we've got little time and capability to be able to sort through that noise. So,
            • 32:00 - 32:30 how do we make sure that the data works for us and not against us? And finally, neglected on-premises. We've all worked with a brand new shiny identity infrastructure like Entra ID and new emerging technologies like AI. AD often gets left alone and forgotten. Most young people in the industry are no longer being trained on Active Directory. And why would they? It's a 25-year-old organic mess. This is a prime target for an attacker that's looking for a weak spot. We have a growing skills gap for AD and
            • 32:30 - 33:00 a neglect problem. But the issue is, AD is not going away anytime soon. So again, how do we simplify keeping it in a good state? So Quest's view on cyber resilience in AD is that organizations really should always assume breach. Even the best perimeter defenses nowadays can do nothing to stop the bad guys from eventually breaking through. That's why we need to implement strong internal security and governance. Now, this is where we use the defense in depth approach for our AD security. So we can
            • 33:00 - 33:30 break this down into different layers. The first layer is remediation and mitigation. So this is spending time to remediate and mitigate vulnerabilities using security, governance and administration. Dom covers this with getting your environment into that best practice state. And if possible, the ability to automate this moving forward removes the drift through human error. We can ensure that best practice architecture such as administrative zoning doesn't break through day-to-day changes. The second layer is the ability
            • 33:30 - 34:00 to continually assess. So this is assessing your permissions, identifying vulnerabilities, and proactively hunting for those misconfigurations and ways through your best practice architecture. The idea here is to essentially be the hacker. There's tooling out there to help us do this automatically. And again, this reinforces that day-to-day changes don't break the hard work that you've put into getting into that good state. And any gaps or permission bloat can be rectified proactively instead of reactively. The third layer that we talk about is the ability to detect and alert.
            • 34:00 - 34:30 So we can detect and alert on suspicious activity with real-time auditing and alerting. The idea with always assuming breach is that attackers will find a way through. So we need to assume here that an attacker can bypass best practice infrastructure. And this is quite easily achieved by something such as a spear phishing attack on a high-value credential such as a domain administrator, or perhaps even an internal threat, such as a disgruntled employee that already has the access they need to the environment. If we monitor in real time for suspicious activity and key events that drift
            • 34:30 - 35:00 outside of the baseline, then we can indicate an ongoing attack and respond to that quicker. And then the fourth and final layer here is the ability to actually investigate and recover from the disaster. So this is what we like to refer to as your insurance policy. Again, if we're always assuming that an attacker will get through and we're always assuming breach, we need to think about how we minimize the impact of that inevitable scenario, how we recover critical services as quickly and effectively as possible. And this comes along with good DR planning and something like a comprehensive AD
            • 35:00 - 35:30 specific backup solution, because, as I'll talk about very shortly, AD is critical to your environment. So first of all, starting with monitoring and why monitoring is important. Every AD evolves over time. Shifting business needs can have a major impact on that and on the current state of Active Directory. An example such as mergers and acquisitions can bring huge influxes of change to an environment in a short space of time, and every change within an Active Directory adds a risk that the environment drifts outside of
            • 35:30 - 36:00 that good state that Dom was previously talking about. Now, configuration drift is unfortunately inevitable. Time is our enemy. Even the security of environments, if they're left alone over time, will weaken, and attackers love complacency. An untouched, unmonitored environment is a field day for an attacker: outdated permissions, misconfigurations, and blind spots. They're often low-hanging fruit that don't attract much attention when compared with other attacks such as brute forcing. Now, security is constantly evolving. It's great to get your
            • 36:00 - 36:30 environment into a best practice state, but you need to maintain it using best practice monitoring and assessment to keep in line with environmental and industry changes. Attackers are always developing and discovering new ways to leverage weak spots, and so a good configuration left alone very quickly becomes a weak one. So this is where we talk about the tripwire layer. These are some of the key points that I wanted to raise with you about monitoring and auditing Active Directory that I think are paramount to ensuring resiliency. So we need to start treating
            • 36:30 - 37:00 Active Directory as the tier zero asset that it is. I'm sure most of you will be aware that there are numerous critical services within your organizations that rely on Active Directory being up, and rely on the security of it, which relies on the ability to essentially secure that identity and access. Any compromise across Active Directory can result in a ripple across the entire environment. We then need to understand that all changes are risk. Any unauthorized or accidental configuration changes can open the door to privesc, lateral movement or persistence-based
            • 37:00 - 37:30 attacks. And once we understand that, we know we can establish known good states for Active Directory policies, objects and permissions. And we can use those known good states as a baseline for our security across our infrastructure. And we can continuously validate against that to detect anomalies or drift. Finally, once we've got that baseline, we can then use the ability of that baseline to catch early and contain fast. So again, we perform that real-time detection of suspicious changes on things such as group memberships, GPOs, and trusts, the
            • 37:30 - 38:00 things that we deem as tier zero, so we can help contain threats as and when they appear, before they spread. And then finally, the ability to audit everything but normalize the noise. So collecting audit logs is all well and good, but obviously they're going to be very messy. So we need to normalize that data to make it work for us. And we like to split it into the five W's. So: who made the change, what changed, where in the environment, when did it happen, and which system was used. So we've put monitoring in place and we
            • 38:00 - 38:30 understand the importance of monitoring. But what happens if Active Directory is compromised? Well, obviously we've got the technical impact of Active Directory going down: people not being able to gain access to services, critical things. Maybe critical services have gone offline. The example that I like to use is, particularly in NHS A&E departments, if people can't log into the computers, you're reduced to paper capability. But it's not just that. There's organizational impact as well. Loss of AD can translate to negative
            • 38:30 - 39:00 media coverage, IP theft, which could break numerous compliance laws, loss of public trust, and then finally, obviously, financial losses themselves. So, we recommend maybe performing an AD security risk assessment to gain insight into the security of your AD environment, so that you can actually build a picture of what the loss of Active Directory might mean to you. So, why is AD disaster recovery critical? Well, again, if we're treating AD as tier zero, we're treating it as the business, right? Without that,
            • 39:00 - 39:30 operations can grind to a halt. So, your recovery strategy needs to treat Active Directory as a first-class priority. We know that AD is often the first target in an attack. Ransomware and advanced actors will commonly disable or corrupt Active Directory to paralyze response efforts, but they're also using Active Directory to leverage permissions to get to where they need to go. Credential theft can break recovery without isolation. So if attackers get domain admin access, they can destroy backups, tamper with recovery paths, or even embed persistence in your backups themselves. Failing to restore
            • 39:30 - 40:00 critical services can quickly violate SLAs, GDPR, HIPAA, or industry-specific uptime requirements. And finally, modern attacks destroy trust, not availability. So it's not enough anymore to just bring AD back online. You need to be sure that you're bringing it back clean and uncompromised, or you risk reintroducing malware. Attackers are smarter nowadays. They know you're taking backups. They're going after the backups as well. So, just a few essential actions for disaster recovery planning to help you. The first step is inventory and assessment. Know your tier
            • 40:00 - 40:30 0 assets. As Dom mentioned before, administrative zoning can help with this. Map dependencies and identify what's critical to you to restore first. From here you can help to set clear recovery objectives. So setting an RTO, an RPO, and MTD: recovery time objective, which is how fast you must recover; recovery point objective, which is how much data loss is tolerable for the organization; and the maximum tolerable downtime, which is the longest your organization can operate without AD before it becomes a disaster scenario. Then we need to prioritize
            • 40:30 - 41:00 risks and vulnerabilities within AD. So we need to run specific assessments to find the gaps before the attackers do. This will help you build a more resilient environment altogether, before even needing to go through DR planning. Now, one of the other ones to mention is that backup doesn't always equal recovery. You need to ensure that your backups are immutable and isolated from primary systems. And you need to make sure you're preparing for scorched earth attacks, where nothing is safe. Attackers are smart. They know you're taking backups. They will go for those backups prior to firing off malware. And finally, test it like you
            • 41:00 - 41:30 mean it. So DR plans aren't really real until they're tested. Something will always go wrong. Something won't be planned. So use teams unfamiliar with that plan to simulate real-world pressure, because I can guarantee you, when you need to use that plan in real life, the guy that wrote it is going to be on holiday. So make sure that other teams are familiar with it and can use it and understand it, and that will implement resiliency into your DR planning. And finally, before I pass back to Jim here, I just wanted to make a final note that resiliency is a
            • 41:30 - 42:00 journey, right? All of these changes are not going to happen overnight. They're going to take time. There are various frameworks available out there to help you with this, one of which is the Cyber Assessment Framework. But I'm going to pass back to Jim now to talk a little bit more on that. Okay, thanks Harry. Thanks Dominic. Hope you can all hear me. Okay, so just to close quite quickly, we've got a couple of minutes left of the main event, and then there have been a couple of questions asked, so we'll stay on
            • 42:00 - 42:30 for a bit to answer those. So I guess this last slide is just to reiterate that AD security is an absolutely critical component of cyber resilience. Organizations have to start putting focused effort into getting AD security back into a more hardened state. But it's part of a much wider thing, and you can't just focus in on the technical controls in isolation. So compliance is
            • 42:30 - 43:00 always going to be important. Harry referenced the CAF there, which is now pretty much ubiquitous across UK government. The CAF will take you down a road towards, certainly, IAM and privileged access security. Those two specific things are called out, and there are indicators of good practice for both. But it won't specifically get down to a level of detail below that, where you're into really what are the specific standards and almost KPIs that
            • 43:00 - 43:30 you need to set around Active Directory: number of domain admins. There are several others. So compliance will only really get you so far. So you have to absolutely take a more balanced approach between compliance and risk. You shouldn't just be looking to comply with frameworks or mandates. You should take a risk-based approach, and there is nothing more risky than having a very vulnerable Active Directory. And then the approach that you're taking needs to be strategic. So IAM should be
            • 43:30 - 44:00 seen as a really critical component of your cyber strategy, which should be enabling your digital and your business strategy. So it's crucial, if you're a security leader or if you're working in the digital team, you've got to get the leadership teams of your organizations to really grasp the importance of identity, particularly as an enabler to their wider business programs, and you need a plan. You know, those full zero trust plans can go on. It can get
            • 44:00 - 44:30 complex. But you have to start somewhere, and there is no more critical component, if you've got an Active Directory still on premise, than making sure that that is in a good and well-configured state, and then getting to that as sort of your stabilization phase of that plan before you get into transformation. So really, you've got to focus in on compliance. Yes, you need policy, you need process, you need procedures. You've got to focus in on architecture. You need to bake good
            • 44:30 - 45:00 architecture into your forward-thinking change program. So secure by design architecture, particularly around the principle of least privilege, needs to be baked into the organization, and then you need to pick up those projects that are formative stabilization projects before you get into the transformation piece, which is fully automating joiners, movers and leavers, integrating that with AD and perhaps PAM tools, moving out of on-premise Active Directory, particularly in the client layer, if you can do it,
            • 45:00 - 45:30 move everything out into cloud-managed, native into Intune. That will bring huge security enhancements and enable a lot more security benefits as well. So I think that's about it from us and the team. We do have a few questions. So I'll pause there for a second. If there are any final questions from anyone that has to leave now, then by all means start to put them in the chat. Otherwise, if you don't mind, I'll walk through those soon. Dominic, you've been busy answering a couple.
            • 45:30 - 46:00 So yeah, one from Sean that's, I think, been recognized by a couple of different people. Hello Sean. Hello Dan Bataua. Yes, one around NTLM. Dominic, do you want to pick up on that question and reiterate the difficulty, I suppose, of removing NTLM? Yes, it's a slightly painful process, but it's mostly legacy applications that rely on NTLM being available to them. The process for removing it is quite
            • 46:00 - 46:30 clear and quite well understood, but the basic process is you monitor the use of the NTLM protocols, because systems that aren't using it just don't fire off the packets across the network. You can see which servers and clients and applications are actually using the protocol. So your first point is discovery. Find out what's using it. Put them in a bubble and let them carry on using it, because you can do that with policies, and then everything else is blocked from using it. And then for each of those
            • 46:30 - 47:00 systems and applications, you essentially have to go through one at a time. Maybe you'll be able to change that application's validation mechanism. You might be able to make it a SAML service instead of using local NTLM. A lot of services have jumped from old protocol to very new protocol, missing the protocols in the middle. Or you might have to consider replacing services over time with ones that have more modern versions of authentication. So that's the baseline process. It does take time. Thank you for that, Dominic. No easy answers with NTLM.
            • 47:00 - 47:30 So, what about the access rights to key identities, domain, server, etc., to other services and functions outside AD? I think that, go on then. Yeah, so I interpret that question to mean, what about systems that are connected via other non-Windows protocols, so things like LDAP or SAML, maybe going through, as you're online. The main protocol that is used to connect
            • 47:30 - 48:00 non-Windows systems into the Windows architecture is LDAP. It's a very old protocol. You can wrap some security around it, but at its most basic level, it's clear text usernames and passwords that you can wrap in a security pipeline. And almost all third party services, third party devices, use LDAP to connect into the Active Directory. As long as you're securing the pipe between those devices
            • 48:00 - 48:30 and the Active Directory, so you've got your Active Directory set to only allow secure LDAP calls, that's a strong enough solution. It's very difficult to attack those devices in the normal way. The pivoting that we just talked about doesn't really work outside the Windows infrastructure. So you use it within the Windows infrastructure to get higher credentials, which you can then use to get down into the network kit. So, yeah. Does that answer your question, Ivan?
            • 48:30 - 49:00 I think we've disabled the ability for a verbal response there. So, if that doesn't answer your question, pop it in the chat. We'll reach out again after this session anyway, Iman, so by all means reach out and we'll just have a more direct one-to-one chat, if you feel that's more appropriate to discuss specific issues and vulnerabilities. So, hopefully that does answer your question, but if not, just let us know. A recommendation for implementing zoning/tiering when the organization has little appetite for implementing privileged access workstations. So, poor,
            • 49:00 - 49:30 probably the two things are independent, but go on. Yes. So the structure that we've talked about today does not require privileged access workstations for the administrators. And that was a very, very deliberate choice, because when we assessed the most pragmatic solutions for this, we discovered you can get the overwhelming majority of the benefit without actually physically separating out the workstations. But when you physically separate out the workstations, you get that final 1% of the benefit. That adds
            • 49:30 - 50:00 a lot of administrative restriction and a lot of administrative frustration into the mix, and also cost. If you've got a large administrative environment, you're then talking about maintaining maybe a hundred or a couple of hundred, maybe even 300 additional machines, depending on the number of administrators that you've got. So the way that the system works is that, for example, in the structure that we've been talking about, a single administrator would have both a client admin account and a server admin account
            • 50:00 - 50:30 and a domain admin account. The domain admin account would only be able to log onto domain controllers. Now, you would be RDPing. So a password would pass through the client machine that the administrator is working on, but it doesn't get cached, and this reduces the attack window from whenever an attacker chooses to show up and lift the cached credentials, which can be months if passwords don't change. It reduces that attack window down to the microsecond that that username and password actually passes through system
            • 50:30 - 51:00 memory on the client on its way to validate against the remote desktop server. And it raises the requirement that you have to be monitoring system memory in order to get it. You can't just be a user and dig into something that's cached on a machine. You actually have to have an attack agent in memory, monitoring system memory at the moment that an administrator connects through. It's not impossible, but it's massively harder. Once again, someone trying to install such an agent in system memory on a client will
            • 51:00 - 51:30 flag the monitoring process, because that's not a normal piece of behavior. So once again, by removing the cache, we're forcing an attacker to do something that is going to be much, much more visible to the defensive software, slowing them down, taking away their standardized pathway. So that's why we can gain the overwhelming majority of the benefit of zoning while still not actually having to physically zone the accounts on different systems. We're
            • 51:30 - 52:00 logically zoning them by separating the administrative powers out onto different logins and then choosing where those logins can be used. I hope that answers that one. Again, if you want some more information on that, just contact the team with any further information you want or any further questions you have. Jim, what's next? So I think that is a wrap. Thank you. There are some kind words in there from Sean.
            • 52:00 - 52:30 Appreciate that. And Dan, hopefully that does answer. So there's one final thing. So essentially, we'd avoid running admin tools locally. Yeah, I think that's the answer to that. Yes. In that case, I think we're just about done. If there are any other questions or if you've missed anything, we'll have another double check after the event. We will reach out with the questions and the responses. If anyone's interested in the complimentary AD assessment, we're offering that to everybody that's joined. So, we'll reach out and
            • 52:30 - 53:00 ask a question on that. And like I said, there is one sort of, I think we're doing some sort of, are we? A prize draw offering for a more in-depth consultancy that we'll do. I think we may have done that for a lot of people that are on the call anyway, as part of the NHS work that we've done, but for anyone that's not NHS based, we'll help you understand your position and do the audit that we've talked about briefly throughout the event. Anything apart from that
            • 53:00 - 53:30 by all means get in touch. Uh and if there's nothing else then thank you very much indeed for your uh attendance. Uh it is appreciated. We know you're all very busy. Um and we'll hopefully see you again soon. Thanks guys. Thanks for coming everyone. Cheers. Thanks everyone.