Profile picture
Jerry Bell
@Maliciouslink
, 13 tweets, 3 min read Read on Twitter
I feel an active directory rant coming on. Prepare the mute or unfollow button.
<rant> We need to talk about AD. First, I want to say that I actually like AD. What I do not like is the half assed way that most organizations run their AD environment.

Just because we CAN implement it like it’s running on a home network, doesn’t make mean we should 1/
Designing and implementing a properly secured Windows environment is very difficult. When I point out to people that they need to very carefully structure permissions and tightly control admin rights, what admins can do, and where the can connect from 3/
In line with Microsoft’s guidance here: docs.microsoft.com/en-us/windows-…, it’s seen as overwhelmingly complex and of little value. 4/
See, I think most Corporatey IT people view the adversary as auditors, rather than the Dridex team, or one of the myriad other actors. When auditors are the adversary, AD makes immense sense - I can easily manage IDs, permissions, etc, lowering operational burden and 5/
Easily appeasing those auditors and their pesky checklists. Those other security issues that remain from not implementing the crazy, burdensome tiered permission model, SAWs, and the like? Well... 6/
Recent events also highlight to me that, like an overgrown forest full of dead trees, old growth AD forests probably need to be burned to the ground occasionally to weed out all those bad ideas, unused admin accounts, badly designed trust relationships, and on and on 7/
So here I am, asking you to PLEASE take AD and network design and operations seriously. It is complex. It will impinge on the power mad domain admins. But I know you won’t. It’s too big. Too complex. You have 500 other priorities. But at least do this: 8/
Sketch out what you would do differently and what you would keep. Spend some time to learn the right way to design the environment, and why. If you’re lucky, you just learned some stuff and had some daydreams about how to restructure stuff. 9/
But it’s also possible that you get hammered by one of the many threat actors. Since your company, like all others, care first and foremost about the security and privacy of your clients’ data, you hire Microsoft professional services to come in and help recover. 10/
They’ll rightly point out that you basically need to start over. New network, isolated from the old. Build new. Implement the tiered permission model, SAWs, and piss off those domain admins - who haven’t slept in weeks, so I guess they don’t really care right now. 11/
People often ask “why are so so bad at security?”

It’s not because we don’t know how. People at Microsoft probably spent person-years writing that stuff. It’s because we want to design the environment the way WE want. We want the good parts, but not the inconvenient parts 12/
I’m tired of seeing and reading about the same thing over and over and over. Stop the madness.
</rant>
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jerry Bell
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @Maliciouslink see all

Profile picture
Jerry Bell
@Maliciouslink
@SwiftOnSecurity ERP deployments are viewed as a strategic business transformation. From the outside and in hindsight, they look like a Benny Hill skit. There is a real desire and expectation to adopt the “best practices” embodied in the chosen ERP, because the leadership damn well knows 1/
@SwiftOnSecurity What happens if they concede to customization. But slowly as processes are boarded into the ERP, the seams start to unravel. “We can’t live with the way Oracle makes us recognize revenue” and “we can’t close our books in the order it requires”, and so on. 2/
@SwiftOnSecurity It becomes death by a thousand cuts. And once you relent on one aspect of customization, damn sales VPs kick open the door the rest of the way. And suddenly you have 2 bus loads of consultants and you’re throwing good money after bad. 3/
Read 5 tweets
Profile picture
☃️ Jerry ❄️Bell 🎄
@Maliciouslink
Reminder that PHP 5.6 goes end of life in 4 weeks. If you think that isn’t important, PHP 5.x runs on 59% of *all* websites where the server side language is known.
Happy new year!
Also note that there are incompatibilities introduced in 7.x relative to 5.6, so not always a direct upgrade. May require application changes. Most are probably running Wordpress, so WP and PHP can be updated simultaneously.
Then again, I’m guessing any site running an old version of WP is probably already completely pwnt 94715 times over.
Read 4 tweets

Related threads

Profile picture
E.
@Personhoodlives
I once had a conversation with someone who I wasn’t “out” to. He asked me why should people who experience same-sex attraction need to come out anyway? Why should they tell anyone? They should keep those things private instead of broadcasting them.

Let’s talk about why:
First. I want to state that I was in an exgay leaning forum that pretty much argued that we shouldn’t come out to anyone. I felt like I was doing a wrong thing when I told my first friend ever. What a tragic place to be. But it allowed me to compile important reasons to come out
#1 finally getting it out. For the longest time I thought I was completely alone in my struggle. I was depressed and alone. So alone. Speaking to someone released a soul crushing weight from upon me.
Read 17 tweets
Profile picture
Stu Cvrk
@STUinSD
Thread: News Summary from the Week that Was (23-29 June)

1. My focus in these weekly news summaries remains on stories that the legacy media either doesn’t report or – if they do – then never provide the proper context and follow-up.
2. Fortunately, there are independent journalists who are more than capable of doing the jobs that they’ve forgotten how to do, and a number of them are here on Tw@tter!
3. Let’s get started. This is an obscure but potentially very important story dealing with prosecutorial political bias and abuse. The outcome could portend the future.

<quote>
Read 102 tweets
Profile picture
Black Gold⚜️Texas Tea
@Sainttea12
#TanteRosa went deep and gave a jaw dropping analysis as to why the media is giving @BetoORourke a hard time and why that makes her think “that boy gone win”. Brace yourselves for this THREAD (Warning this is a Louisianan black woman in her 80’s so all is not PC) 1/
Me: Hey Tante, did you get to see the video I sent you with Beto talking to Robert?
Tante: Yeah, I watched the whole thing.
Me: Everything? I just sent a clip
Tante: I made your cousin get it for me off the Grams.
Me: What you think? /2
Tante: Chile, the way they talked about Beta, I thought he got a $600 haircut like Clinton
Me: I forgot about that!
Tante: Yeah, they didn’t like Clinton either. They doing Beta the same way, that’s because they want that boy to win and he will
Me: Wait what? /3
Read 22 tweets
Profile picture
GeePaw Hill
@GeePawHill
TDD Pro-Tip: Wrap framework collection classes early and often. The Primitive Obsession smell is ubiquitous around collections, and not seeing and fixing it can greatly hamper productivity.
In HollywoodSimulator, a common act of every Person is to spend time manipulating their little black book -- the collection of the contacts they have. The first-pass way to represent this would be to use a framework collection class. In Java/Kotlin, that's List<Person>.
List<Person> is not a primitive, far from it, in java it's actually quite a baggy monster. (It gets worse, in JavaFx it's ObservableList<Person>, which is a bizarre half-list half-not thing.) But it's common, like String, & we tend to see it as primitive, & reach for it quickly.
Read 19 tweets
Profile picture
Mario Pastorelli
@mapastr
Today I'm going to #rant about #haskell libraries. I'm a Haskell supporter, I think it's a great language, but that doesn't mean it doesn't have problems. Some of them are surprising and I want to talk about them.
At the end of the rant I will have tips for developers using Haskell and for libraries developers (in any language, some rules are universal) so bear with me. It's a long rant but there is a good ending ;).
A preamble first: one of the reasons why I decided to study haskell is because haskell had a good way to deal with errors and invalid inputs/states.
Read 17 tweets

Trending hashtags

#CoalitionOfTheDecent #Android #twats #TanteRosa #Qaryat_Al_Fāw #Magisk #BlizzardInLA #SuperSu #BacPhysique2017 #Actually #TransBan #sisterResister #Pornhub #LaMythololgieCestSympa #BlueWave #Chimie1Physique0 #LeaveLiars #xvideos #fact #digression #Boeing #actually #YouTube #BlizzardOfUS #SciencesParticipatives
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!