Secure Active Directory Using the Clean Source Principle

Russell Smith explains how to integrate the clean source principle into your Active Directory design and management practices to keep your systems secure.

The post Secure Active Directory Using the Clean Source Principle appeared first on Petri.

Is it possible for a network administrator to disable interactive elements on a webpage? (such as text boxes)

As part of my degree, we’re currently looking at a hypothetical scenario in which internet access is introduced to prison cells.
As part of the information risk assessment, I was wondering if it is possible to disable element…

Microsoft email servers "require remote control of Android device security features"

Just tried to set up my student email address with the default email client on my Android device. The email servers used by the university are outlook.office365.com (incoming) and smtp.office365.com (outgoing). So I set it up…

Securely granting local administrative permissions

I’ve been researching the best method of securely granting local administrative permissions but I’m really struggling to reconcile the security, operational, and cost implications.

I’ve devised a few options:

  1. Create a domain security group (Local Administrators), add the required domain user accounts, and use Group Policy to add the domain security group to the local security group Administrators:
    • Pros:
      • Centrally-managed.
      • Auditable.
      • Free.
    • Cons:
      • Vulnerable to credential theft and lateral movement attacks.
  2. Option #1 but using separate domain user accounts (`firstname.lastname.admin`):
    • Pros: Same as #1
    • Cons: Same as #1. Apparently, even authenticating a UAC prompt creates a logon cache which can be exploited.
  3. Option #1 but disabling cached logons:
    • Pros:
      • Centrally-managed.
      • Auditable.
      • Free.
      • Not as vulnerable to credential theft and lateral movement attacks.
    • Cons:
      • Users will be unable to log on if there’s a problem with the domain or their PC is offsite.
  4. Deploy Microsoft LAPS and issue users with the unique, local administrator credentials:
    • Pros:
      • Centrally-managed.
      • Not vulnerable to credential theft and lateral movement attacks.
      • Free.
    • Cons:
      • Non-auditable.
  5. Add the required domain user accounts to the local security group Administrators:
    • Pros:
      • Auditable (to an extent).
      • Not as vulnerable to credential theft and lateral movement attacks.
      • Free.
    • Cons:
      • Not centrally managed.
  6. Implement MFA:
  7. Implement a system that uses TOTPs and/or only temporarily grants administrative permissions as-and-when needed:
    • Pros:
      • Centrally-managed.
      • Auditable.
      • Not vulnerable to credential theft and lateral movement attacks?
    • Cons:
      • Not free.

What is best practice / advised?
