….if you don't even know your users and what they are accessing. (Ha - I got you there with the clickbait title)
This week I was at Oktane 2019 and this was an actual conversation that transpired:
Me: “so do you know how many domain controllers you have?”
Security Architect: “um, maybe 50 or 60. We really need to figure out who is accessing them.”
Me: “You don’t know who has privileges?”
Security Architect: “Well, I have my domain admins group.”
Me: “Are you confident that someone who isn't in your group cannot access your DCs?”
Security Architect: “Absolutely not. I’m sure I have a ton of shadow admins. I just don't know how to find them.”
This conversation happened multiple times throughout a conference hosted by a cloud-native product. People can’t even figure out who has access to their network resources, yet I kept hearing “achieving zero-trust” throughout the entire conference.
To recap for those in the security field who have been living under a rock for the past couple years: Zero Trust is an all-the-rage buzzword these days. According to Forrester: “A Zero Trust (ZT) architecture abolishes the idea of a trusted network inside a defined corporate perimeter. ZT mandates that enterprises create micro-perimeters of control around their sensitive data assets to gain visibility into how they use data across their ecosystem to win, serve, and retain customers.”
In a nutshell: Your VPN is not enough.
Let’s get real for one second. There may be a few select companies that are completely cloud native and are ready to embrace a Zero Trust model where they go all-in to configure a bunch of granular policies around their users, devices, and apps. Let’s give those companies a cookie, but for the rest of us: Zero Trust is impossible if we can’t even identify the users on our network and their privileges.
Customers are still trying to figure out the basics and it’s not easy. For example: in a remote RDP session, only members of the Domain Admins group can have access to the domain controllers by default. However, do you know if those members of the domain admins group are service accounts or user accounts? Hint: You don't want service accounts doing RDP to a domain controller.
Then there are the sneaky little shadow admins that are not in your domain admins group. Shadow admins are overlooked because they usually get their privileges from ACLs (Access Control Lists) on AD objects. How do you find these shadow admins that have access to your most critical network resources? The answer is not easy. Analyzing permissions in Active Directory is complicated: delegation capabilities could be highly complex, the delegation model itself was never defined, and the permissions display may be inaccurate in large deployments.
At a very basic level, let’s get to know our users. Consider this: what about a normal business user who is not a member of any administrative group but has permissions to add members to that group? Or they may have permissions to reset the password of a single administrative user. Assuming we catch this person and limit their privileges, how are we going to keep up and make sure new, unknown accounts aren't being created post-permissions analysis?
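As an added example (not code from the original post or from Preempt), the PowerShell script below runs the two checks just described against Active Directory: it lists Domain Admins members that look like service accounts, and it walks the ACLs of the Domain Admins group, its members and AdminSDHolder for principals outside the expected admin groups that can take full control, rewrite the DACL or owner, write the group's member attribute, or reset a password. It assumes the RSAT ActiveDirectory module (which also provides the AD: drive) and an account with read access to the directory; the function names and the expected-admins list are my own choices, and the schema GUIDs are the standard ones published for the member attribute and the User-Force-Change-Password right.

```powershell
# Added example, not code from the original post or from Preempt.
# Assumes the RSAT ActiveDirectory module and a directory-read account.
Import-Module ActiveDirectory

$Domain  = Get-ADDomain
$NetBios = $Domain.NetBIOSName
$ADR     = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known schema GUIDs that appear in AD access-control entries.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute of a group
$ForcePwdGuid   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password (reset password)
$AnyObjectGuid  = [Guid]'00000000-0000-0000-0000-000000000000'  # ACE not scoped to one attribute/right

# Principals expected to hold rights over privileged objects (assumed list; adjust per domain).
# Anything else that turns up in these ACLs is a shadow-admin candidate to review.
$ExpectedAdmins = @(
    "$NetBios\Domain Admins", "$NetBios\Enterprise Admins",
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF'
)

# Check 1: Domain Admins members that look like service accounts (an SPN is set or the
# password never expires). These are not accounts that should be used for RDP to a DC.
function Get-ServiceLikeDomainAdmins {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName `
                -Properties ServicePrincipalName, PasswordNeverExpires, LastLogonDate
        } |
        Where-Object { $_.ServicePrincipalName.Count -gt 0 -or $_.PasswordNeverExpires } |
        Select-Object SamAccountName, PasswordNeverExpires, LastLogonDate,
            @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ';' } }
}

# Check 2: ACEs on privileged objects that give a non-admin principal an admin-equivalent
# right: full control, WriteDacl/WriteOwner, writing 'member' (add yourself to the group),
# or the reset-password extended right on an admin account.
function Find-ShadowAdminAces {
    param([Parameter(Mandatory)][string[]] $TargetDN)

    foreach ($dn in $TargetDN) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedAdmins -contains $who) { continue }

            $rights   = $ace.ActiveDirectoryRights
            $unscoped = $ace.ObjectType -eq $AnyObjectGuid   # ACE covers every attribute/right
            $reason   = $null

            if (($rights -band $ADR::GenericAll) -eq $ADR::GenericAll) {
                $reason = 'GenericAll'
            }
            elseif (($rights -band ($ADR::WriteDacl -bor $ADR::WriteOwner)) -ne 0) {
                $reason = 'WriteDacl/WriteOwner'
            }
            elseif ((($rights -band $ADR::WriteProperty) -ne 0) -and
                    ($unscoped -or $ace.ObjectType -eq $MemberAttrGuid)) {
                $reason = 'WriteProperty(member)'
            }
            elseif ((($rights -band $ADR::ExtendedRight) -ne 0) -and
                    ($unscoped -or $ace.ObjectType -eq $ForcePwdGuid)) {
                $reason = 'ExtendedRight(ResetPassword)'
            }

            if ($reason) {
                [PSCustomObject]@{
                    Target    = $dn
                    Identity  = $who
                    Right     = $reason
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Targets: the Domain Admins group, each of its members, and AdminSDHolder, whose ACL is
# periodically stamped onto every protected account and group by the SDProp process.
$Targets  = @((Get-ADGroup -Identity 'Domain Admins').DistinguishedName)
$Targets += (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).distinguishedName
$Targets += "CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"

Get-ServiceLikeDomainAdmins | Format-Table -AutoSize
Find-ShadowAdminAces -TargetDN $Targets | Sort-Object Identity | Format-Table -AutoSize
```

Two caveats when reading the output. First, an ACE granted to a group means every member of that group (including nested members) is a shadow admin, so any group in the Identity column needs to be expanded; built-in groups such as Account Operators will show up and need a deliberate decision, not an automatic whitelist. Second, this is a point-in-time snapshot, which is exactly the problem the paragraph above raises: schedule it to run regularly and diff the results, so a new ACE or a new account with one of these rights is noticed after the initial permissions analysis rather than months later.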
This is why we need to go back to the basics: understand your users and what their access privileges are. By doing so, you can protect against threats like shadow admins.
To find out if you have any shadow admins in your network, download Preempt Lite for free and take the first step to the journey that is Zero Trust.