Microsoft’s Active Directory (AD) provides a secure and stable directory service on which many organizations depend to provide user authentication and authorization.  Because AD represents the preverbal keys to the kingdom it typically receives the appropriate level of care and feeding required maintaining it. Despite proper upkeep, there is still a chance that an Advanced Persistent Threats (APT) may be successful and compromise your Active Directory. Because of the nature of APTs a wide range of attacks vectors may be tried that may or may not attempt to subjugate AD directly. The result is that a successful compromise may go undetected for some time until the attacker decides to exploit the compromise by stealing data or making critical systems unavailable.

Most administrators are now resigned to the fact that their network will be hacked. It’s just a matter of time. It’s no secret that there is a lot of activity around cyber security, and the most serious (damaging?) breach that could happen to any organization is a compromise of their Active Directory (AD) environment. AD is at the heart of many missile critical services, including desktop logins, file & print sharing, email & other communications and collaboration. And once the compromise happens, it can have far reaching effects. Plus, attackers are much more sophisticated, using many (various?) tactics to penetrate and then stay hidden within your environment. At this point, it is an arms race, and the “bad guys” only have to win once to get in where you must win everyday.

Reducing the immediate threat – Domain Admins role

A quick way to reduce the threat to Active Directory is to reduce the number of privileged accounts that can make major changes to Active Directory. This is especially important for AD users who have the Domain Administrators privilege. Because of the Active Directory design, many organizations have dozens or many dozens of users who hold this role. There are several management solutions on the market today that will allow administrators to perform day-to-day tasks without requiring the Domain Administrator’s role. Another critical way to reduce the threat to your production environment is to ensure your directory auditing and monitoring solutions are up to the task.

Why re-establishing AD after a critical compromise goes beyond normal recovery

Because a critical compromise may only be uncovered long after it was introduced the validity and security of backup data because changes made via. the compromise may be indistinguishable from day-to-day administrative changes. The sheer volume of changes made from the time of the compromise’s introduction to the current state of the directory data make it virtually impossible to identify the changes intentional vs. non-intentional. The best option and certainly the fastest option is to remove the compromise and maintain your directory data is to migrate the data to a new sanitized directory on clean servers.

More on Advanced Persistent Threats

An Advanced Persistent Threat (APT) typically refers a conspiracy by a group of foreign government attempt or complete some a cyber attack. What makes these threats particularly scary is after the group or foreign government perpetrating these attacks the compromise may not be exploited until such time as maximum damage can be achieved or when the highest value theft can be achieved. For more information on Advanced Persistent Threats see: http://en.wikipedia.org/wiki/Advanced_persistent_threat

Windows Credential Editor

If you don’t think people can get past your complex AD password, check out http://www.ampliasecurity.com/research/wcefaq.html.

http://www.fastcompany.com/1826976/the-dirty-little-secret-of-overnight-successes

C http://en.wikipedia.org/wiki/Dennis_Ritchie

LISP http://techcrunch.com/2011/10/24/creator-of-lisp-john-mccarthy-dead-at-84/

• Firefox 5.0 and 6.0
• Google Chrome 13
• Safari 4 and 5
• Windows Internet Explorer 7.0, 8.0 and 9.0

ActiveRoles w/3663 installed running on Google Chrome displayed with altered color scheme.

It is interesting that the release notes don’t mention IE 6.0, but with information like this (http://en.wikipedia.org/wiki/Internet_Explorer_6) being prevalent around the Internet it is not surprising.  With the everyday increase in hacking and exploits attacks – anyone still using IE 6 should be afraid, very afraid and move to a secure and supported browser immediately.  My installation experience was good. Installation went as expected with no surprises and things continued to work including the add-ins for QAS and Defender. Changing the color scheme is a bit tricky since you really are setting a single color that will be used in place of the standard Blue UI color. But for many customers this will be a welcome change from modifying XML files with new color codes.

Customers can download the update from Quest support https://support.quest.com/Search/SolutionDetail.aspx?id=SOL78214.

http://www.microsoft.com/pathways/bhold/

http://blogs.gartner.com/ian-glazer/2011/09/23/bhold-wins-the-microsoft-iag-lottery/

Token Management from the ActiveRoles Web Console

I was working with a customer this week who had a requirement to manage Quest Defender two factor tokens through the ActiveRoles MMC console. While I knew this was under development, I did not realize you can get it today without waiting for the next release of Defender. Integration with the ActiveRoles MMC can be critical for customers who are primarily using the MMC for day-to-day or help desk operations.

Token Management from the ActiveRoles MMC
(click to enlarge)

The ActiveRoles integration pack on the Defender 5.6 CD installs property pages and commands into the ActiveRoles Web Interface only. Separately, Defender Software update 5.6.0.2593 adds token management and property tabs into the ActiveRoles MMC on user property pages. This update can be obtained through the Quest support site and you will need to install two components 1) Defender ARS Integration Pack_Update_5.6.0.2593 and 2) Defender Administration Console_Update_5.6.0.2593.

http://www.nfcrumors.com/08-17-2011/is-the-htc-incredible-s-the-next-google-wallet-enabled-nfc-phone-it-just-passed-through-the-fcc/

 http://fedscoop.com/tv/quest-federal-cto-dmitry-kagansky-on-security-in-government/

1. Logon as a DS Admin to the web interface you wish to modify.
2. Click “Click here to customize this form”
3. Locate the top field and click (edit…) at the far left end of the entry name.
4. In the Entry name: field enter the text you want to display at the top of the form. Make sure to add any text to the left of the field name already in that entry so that it will continue to display properly.
5. For example:
   Directions<BR>Contacts may not be used for authentication.You have two choices at this point.<BR><BR><ol><li>If the person will need to authenticate against Active Directory, you should create a user account object on their behalf.</i><li>Continue creating this Contact object.</i></ol><BR> First Name
6. Click Save
7. Click Reload

Navigate to the form in the UI so that you can validate your work.

The first thing that struck me was how many good resources are available for learning Microsoft’s PKI. Back in 2000 when I first installed a Microsoft CA (Certificate Authority) there didn’t seem to be enough detailed information and over the past eleven years I have only had infrequent occasions to use the software. At this point I want to recommend Brian Komar’s book Windows Server 2008 PKI and Certificate Security (I got the Kindle version for about $39). I also wanted to mention Vadim Podans’ white paper on PKI and using the Quest AD Commandlets to managed. You can download the white paper here and you can get the latest version of the AD CMDLETS here.

I also wanted to give a special thanks to Chen and John from SafeNet for hooking me up with SafeNet middle-ware tools (above) and smart cards that I used for to prep for the session. The software was both intuitive and easy to deploy.