Active Directory was compromised, now what?

Re-constituting Active Directory after a critical compromise or detection of an Advanced Persistent Threat

Microsoft’s Active Directory (AD) provides a secure and stable directory service on which many organizations depend for user authentication and authorization. Because AD represents the proverbial keys to the kingdom, it typically receives the level of care and feeding required to maintain it. Despite proper upkeep, there is still a chance that an Advanced Persistent Threat (APT) may succeed and compromise your Active Directory. Because of the nature of APTs, a wide range of attack vectors may be tried, and they may or may not attempt to subjugate AD directly. The result is that a successful compromise may go undetected for some time, until the attacker decides to exploit it by stealing data or making critical systems unavailable.

Most administrators are now resigned to the fact that their network will be hacked. It’s just a matter of time. It’s no secret that there is a lot of activity around cyber security, and the most serious breach that could happen to any organization is a compromise of its Active Directory (AD) environment. AD is at the heart of many mission-critical services, including desktop logins, file and print sharing, email, and other communication and collaboration tools. Once the compromise happens, it can have far-reaching effects. Plus, attackers are much more sophisticated, using various tactics to penetrate and then stay hidden within your environment. At this point it is an arms race, and the “bad guys” only have to win once to get in, whereas you must win every day.

Reducing the immediate threat – Domain Admins role

A quick way to reduce the threat to Active Directory is to reduce the number of privileged accounts that can make major changes to it. This is especially important for AD users who hold the Domain Admins role. Because of the Active Directory design, many organizations have dozens, or many dozens, of users who hold this role. There are several management solutions on the market today that allow administrators to perform day-to-day tasks without requiring the Domain Admins role. Another critical way to reduce the threat to your production environment is to ensure your directory auditing and monitoring solutions are up to the task.
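The two recommendations above, counting who really holds the privileged roles and confirming that membership changes are audited, can be checked from a management workstation. The script below is an added example, not code from the original post or from Quest; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read group membership, and that auditpol is run on (or its output compared with) a domain controller. The group list is a starting point you can extend.

```powershell
# Added example (not from the original post): inventory of high-privilege AD group
# membership, with the nested groups expanded, plus a check that group changes are audited.
Import-Module ActiveDirectory

# Built-in groups whose members can take over the directory; extend as needed.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedMembership {
    param([string[]]$Groups = $PrivilegedGroups)

    foreach ($g in $Groups) {
        # -Recursive expands nested groups, which is where the "many dozens" of admins usually hide.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' } |
                   Sort-Object -Property distinguishedName -Unique
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet, Enabled
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
    }
}

$report = Get-PrivilegedMembership
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Summary: how many distinct accounts hold each role once nesting is expanded.
$report | Group-Object Group | ForEach-Object {
    '{0,-20} {1,3} direct or nested user members' -f $_.Name, $_.Count
}

# Disabled accounts, or accounts idle for 90 days, that still hold a role are the
# first candidates for removal.
$report | Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
    Format-Table Group, SamAccountName, Enabled, LastLogonDate -AutoSize

# Verify that security group changes are audited on the domain controllers. With this
# subcategory enabled, a member added to a global, local or universal security group is
# logged as event 4728, 4732 or 4756 respectively, which your monitoring should alert on.
auditpol.exe /get /subcategory:"Security Group Management"
```

Run the membership report on a schedule and diff it against the previous run; a new name appearing in any of these groups without a matching change ticket is exactly the kind of change the auditing recommendation is meant to catch.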

Why re-establishing AD after a critical compromise goes beyond normal recovery

Because a critical compromise may only be uncovered long after it was introduced, the validity and security of your backup data is in question: changes made through the compromise may be indistinguishable from day-to-day administrative changes. The sheer volume of changes made between the introduction of the compromise and the current state of the directory data makes it virtually impossible to separate intentional changes from unintentional ones. The best option, and certainly the fastest, for removing the compromise while keeping your directory data is to migrate the data to a new, sanitized directory on clean servers.

More on Advanced Persistent Threats

An Advanced Persistent Threat (APT) typically refers to a coordinated effort by a group or a foreign government to attempt or complete a cyber attack. What makes these threats particularly scary is that, after the group or foreign government perpetrating the attack has gained access, the compromise may not be exploited until maximum damage, or the highest-value theft, can be achieved. For more information on Advanced Persistent Threats see: http://en.wikipedia.org/wiki/Advanced_persistent_threat

Windows Credential Editor

If you don’t think people can get past your complex AD password, check out http://www.ampliasecurity.com/research/wcefaq.html.

Bob posted at 2012-5-16
Category: Active Directory, Cloud, Identity, Microsoft

Article source: http://www.bobbobel.com/active-directory-was-compromised-now-what/

Overnight success often takes more than overnight

Great article on Fast Company about how start-ups are challenged and almost fail, but can go on to become huge successes. It is pretty clear that the Risk/Reward can be a tough hurdle for many to overcome.

http://www.fastcompany.com/1826976/the-dirty-little-secret-of-overnight-successes

Article source: http://www.bobbobel.com/overnight-sucess-often-takes-more-than-overnight/

Dmitry’s New Quest

Dmitry Sotnikov, my colleague and friend, announced on his blog that he has left Quest to join a very-very cool start-up called Jelastic. I had the great fortune to work with Dmitry on a number of cool projects at Quest, such as our AD Bridge and my team’s AD PowerShell cmdlets. Check out Dmitry’s blog entry and watch the video of the new technology he will be working with… it is really amazing. http://dmitrysotnikov.wordpress.com/2012/02/10/jump-they-say-off-to-a-start-up/

Bob posted at 2012-2-11
Category: Active Directory, Bobel, Cloud, Microsoft, PowerShell

Article source: http://www.bobbobel.com/dmitrys-new-quest/

October was a bad month for computing founders

Apple http://en.wikipedia.org/wiki/Steve_Jobs

C http://en.wikipedia.org/wiki/Dennis_Ritchie

LISP http://techcrunch.com/2011/10/24/creator-of-lisp-john-mccarthy-dead-at-84/

Article source: http://www.bobbobel.com/october-was-a-bad-month-for-computing-founders/

Steve Jobs 1955 – 2011

You have to be impressed by this guy’s life – http://www.cnn.com/2011/10/05/us/obit-steve-jobs/index.html?iref=BN1hpt=hp_t1.

Article source: http://www.bobbobel.com/steve-jobs-1955-2011/

ActiveRoles Update 3663 just released!

Last week development released the 6.7.3663 update for ActiveRoles Server. Included in the update are some generic fixes, as you would expect, but there is also a set of updates for a long-standing limitation: only Internet Explorer worked properly. This update adds multi-browser support and allows the ActiveRoles web interface to be accessed from the following browsers:

  • Firefox 5.0 and 6.0
  • Google Chrome 13
  • Safari 4 and 5
  • Windows Internet Explorer 7.0, 8.0 and 9.0


ActiveRoles w/3663 installed running on Google Chrome displayed with altered color scheme.

It is interesting that the release notes don’t mention IE 6.0, but with information like this (http://en.wikipedia.org/wiki/Internet_Explorer_6) prevalent around the Internet it is not surprising. With the daily increase in hacking and exploit attacks, anyone still using IE 6 should be afraid, very afraid, and move to a secure and supported browser immediately. My installation experience was good. Installation went as expected with no surprises, and things continued to work, including the add-ins for QAS and Defender. Changing the color scheme is a bit tricky, since you really are setting a single color that will be used in place of the standard blue UI color. But for many customers this will be a welcome change from modifying XML files with new color codes.

Customers can download the update from Quest support https://support.quest.com/Search/SolutionDetail.aspx?id=SOL78214.

Article source: http://www.bobbobel.com/activeroles-update-3663-just-released/

HTC Incredible to support Near Field Communication (NFC)

A friend of mine is working on NFC and I wondered if my Android device would support it – well, it didn’t, but there is a new version of the phone in development that was just tested by the FCC for NFC compatibility.

http://www.nfcrumors.com/08-17-2011/is-the-htc-incredible-s-the-next-google-wallet-enabled-nfc-phone-it-just-passed-through-the-fcc/

Article source: http://www.bobbobel.com/htc-incredible-to-support-near-field-communciation-nfc/

Just-in-Time Access Provisioning

While I was in college I worked summers for a glass company. My job was in the engineering drafting department, where I drafted furnace parts, conveyor belts and the paint bands that hide the goo they use to stick your windshield to your car. During this time American automakers were struggling to cope with the explosion of Japanese imported cars. Japanese cars had a reputation for low cost and good quality, but the Japanese automakers also had a secret weapon that made them more efficient – Just-in-Time manufacturing.

Just-in-Time manufacturing is a simple concept – rather than keeping all the unassembled car parts in expensive warehouses, have them delivered to the factory at the time they are needed to assemble a car. This idea stuck with me and has been rattling around in the back of my mind for the past twenty years. Dell later used a similar concept to steal market share away from IBM and Gateway, who were building huge numbers of PCs and storing them until they were sold – while Dell built PCs that were already sold.

A project I have been working on for the past year or so was applying the Just-in-Time concept to the process of granting users access to applications or data. The idea is that when a user attempts to access a resource for which they have not been granted access, the access attempt kicks off a self-service process or an automatic grant of access.

While I have seen other applications perform similar activities, many people have seen Microsoft SharePoint’s basic request access feature. The challenge I see with SharePoint is that it only allows generic requests that don’t allow the user to select the level of access they wish nor does it tell the user the state of their access request. Both are needed and both must be components of any more complete solution. A more complete solution must also provide access to more than just SharePoint; files, folders and applications access are also desperately needed.

Today, we posted a technical preview of Just-in-Time Access Provisioning called the ActiveRoles AuthX Provider. The provider not only integrates authentication using SAML between AD users and Google Apps, it can also trigger a self-service access request through ActiveRoles if the user does not yet have an account. Once the request is approved, a Google account is created. The next time the user points his/her browser to the Google Apps URL, the Provider seamlessly authenticates the user by mapping the AD user to the Google account and creates a SAML token that automatically signs the user into their Google Apps account. We created a 2 minute video showing the process so you can see how this works. The video was a little long and choppy at some points, so I cut it down to about 2 minutes.

Video: ActiveRoles Access Provider


Posted in Access, Active Directory, Cloud, Entitlement.


Article source: http://www.bobbobel.com/just-in-time-access-provisioning/

Federation Service 2.0, now Shipping

ADFS 2.0 (Active Directory Federation Services) was released to the public May 5th, 2010 and announced on the “Geneva team blog.” You can download the package from the Microsoft download site and install it for free on Windows Server. Stuart Kwan gives a brief overview of ADFS 2.0 capabilities in a new Channel 9 video produced by Microsoft. Why is this important? ADFS 2.0 is a big step forward for Microsoft in delivering a new paradigm of Identity and Access capabilities within software products, based on “claims” rather than traditional Kerberos authentication.

Lacking in the previous version, SAML 2.0 is now officially supported by ADFS 2.0. SAML is the authentication protocol we used to create the Just-in-Time provisioning example I blogged about earlier this week (see JIT Provisioning). With ADFS 2.0, providers can be built for any application that uses either SAML or Claims. SAML is used by Salesforce.com, Google Apps, ServiceNow, Postini and many other SaaS/cloud services, while Claims are now supported in SharePoint 2010 and will be introduced into many additional Microsoft applications.
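To make the claims model concrete, here is an added example (not code from the original post, from Microsoft or from Quest) of registering a SAML 2.0 relying party in ADFS 2.0 from its PowerShell snap-in. It shows the two halves a claims-based sign-in needs: transform rules that turn the authenticated Windows account into a mail-address NameID (the account mapping described for the Google Apps provider above), and an issuance authorization rule so that only members of one AD group ever receive a token. The application name, entity ID, assertion consumer URL and group SID are placeholders; the snap-in is assumed to be installed on the federation server.

```powershell
# Added example (not from the original post): register a SAML 2.0 relying party in ADFS 2.0
# and restrict token issuance to one AD group. All names and URLs below are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = 'Example SaaS App'                         # hypothetical display name
$rpId     = 'https://saas.example.com/saml/metadata'   # hypothetical SAML entity ID
$acsUrl   = 'https://saas.example.com/saml/acs'        # hypothetical assertion consumer URL
$groupSid = 'S-1-5-21-0-0-0-1234'                      # placeholder: SID of the AD group allowed to sign in

# Register the relying party with its POST-binding assertion consumer endpoint.
$acs = New-ADFSSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl
Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $rpId -SamlEndpoint $acs

# Issuance transform rules: look up the mail attribute for the authenticated Windows
# account, then emit it as the SAML NameID in e-mail format (the AD-to-SaaS account mapping).
$transformRules = @'
@RuleName = "Look up mail attribute in AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Mail address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: permit only members of the application's access group.
# Without an explicit rule, the "Permit Access to All Users" template lets every domain
# account obtain a token for this application.
$authzRules = @"
@RuleName = "Permit only the application's access group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read back what ADFS will actually apply for this relying party.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
```

The authorization rule is the part worth keeping an eye on: the transform rules decide what the token says about the user, but the authorization rules decide whether a token is issued at all, and a relying party left on the permit-everyone template is effectively open to every account in the forest.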


Posted in Active Directory, Cloud.


Article source: http://www.bobbobel.com/federation-service-2-0-is-now-shipping/

ActiveRoles IT Policy Market

The ActiveRoles Market provides additional functional policies that may be downloaded and imported into ActiveRoles Server. An example of the types of policies on the market is the Group Ownership Reassignment Policy, which transfers ownership of a group to a manager when the original owner is deprovisioned. What defines an Extensible Policy was expanded in the 6.7 release to include scripts, workflow activities, updates to the web UI and other elements. You can access the Policy Market directly by going to http://wiki.activeroles.inside.quest.com/index.php/Category:Policy_Extension, by clicking the link in the Administrative Policy Wizard, or from within the Workflow designer.

ActiveRoles Policy Market Links


Posted in Active Directory, Bobel, Cloud, Directory.


Article source: http://www.bobbobel.com/activeroles-it-policy-market/