How weak passwords and other failings led to catastrophic breach of Ascension


Voo42

Ars Praefectus
3,680
Subscriptor
Part of Microsoft's responsibility is not making some of the insecure options enabled by default, but part of it is investing in the AD product itself.

AD2025 is clearly just a heartbeat update, AD hasn't had serious work done on it in years as Microsoft tries to drag everyone kicking and screaming into the cloud.
I mean... why would you want regular AD updates? There really aren't that many new features, and every update is an incredible risk that has to be tested very carefully and contains the chance for unknown bugs or exploits.

The last really useful AD update I can think of was MSAs, which really made a big difference. But apart from that?

And changing defaults on existing infrastructure particularly with AD seems incredibly dangerous. AD is installed on so many different configurations in so many critical environments that probably still include ancient systems that haven't been updated in years. Just doesn't seem like a practical approach.

Much better to provide explicit guidance and best practices for how to secure your system, which means you can test and configure things separately and in your own time.
And Microsoft has a ton of information available there and it would've been totally possible to configure the system in such a way that the attack couldn't have worked.


No, I'd say the real problem is that large companies are starving their IT departments to death and are trying to be cheap as possible when it comes to security, because even now I doubt any of the responsible C-suite people will have to fear dire consequences.
 
Upvote
21 (21 / 0)

Voo42

Ars Praefectus
3,680
Subscriptor
Because the world evolves and I expect products to evolve with it? Best practices evolve with time, and it's possible to follow guidance from Microsoft and then lock yourself into a path that prevents you from being able to meet the challenges of a modern threat landscape.


As an example:
Let's take a look at the "State of the art" design in 2003 - 2006 when most companies stood up their AD envs or did a major rebuild coming off of NT Domain Services.

"Empty root" was recommended heavily. There was a schism in MCS where some folks recommended Empty root and some recommended SFSD.

If Microsoft couldn't come to a consensus... well, that says something doesn't it? So you build a system following the recommendations and documentation that is available to you on TechNet/MSDN.

(Empty root, for those unfamiliar, is where you have an empty root domain and then put everything in a child domain. This was designed to mitigate a specific kind of attack and some issues that are no longer applicable. It made some sense in the NT days, but it's no longer relevant.)

Now it's a millstone around organizations who are told "You need to stand up a new domain and migrate all your objects to it" which would be great if it wasn't a miserable process that can destroy productivity and access if done even slightly wrong.

That's the only way out of a recommended decision from 2003. New domain. No way to fix that.



Features that would be nice:

Why is the only MFA option in On-Prem AD out of the box "Smart Card" instead of the myriad of options we have available to us today?
(Because it's a major selling point to moving to AAD)

Why can't I officially rotate my DPAPI key in 2025?

Why is Microsoft's answer "New Domain!" to a key rotation that's necessary after a TA has taken the ntds.dit file or compromised a DC?
Fair enough, after writing the post I remembered the rather sorry state of 2FA too.

The remaining issues aren't something I have experience with, but having to set up a new domain is definitely anything but fun.
 
Upvote
1 (1 / 0)