Users having admin rights on *their* desktop is nowhere near as big a problem as your support staff having admin rights on *all* desktops. To stop ransomware we need to move away from super-charged admin rights that work everywhere. 💣
Start by removing domain admins from the local admins group of every computer. Windows adds them by default when a PC is first joined to the domain. Set up a group policy to remove them. Domain admins need to be an admin of DCs only. Talk about an overprivileged account! 😫
Then roll out LAPS and have support staff use LAPS passwords instead of their own admin accounts. (Why would you type a super-admin account password into a PC where you have no idea what's on it?) 😬
Once you have rolled out LAPS, remove everyone from the local administrators group except the built-in admin (now managed by LAPS). (And the user, if they need admin rights on their PC and that's your thing.)
You've just broken the primary means by which ransomware can move laterally through your environment. 👍 It's not the end of the job, but with a robust patching process, you've crippled most commodity malware from spreading laterally.
PS. Smooth the organisational change component of moving your support staff to LAPS by not making them suffer with the LAPS GUI. Web based, mobile friendly, MFA support, more secure, better logging github.com/lithnet/laps-w…
Or you can jump on the beta of Access Manager, the next generation of LAPS Web - Lithnet Access Manager github.com/lithnet/access…
Thread by Ryan Newington [MVP] 🇦🇺
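A way to check that the steps above actually landed, added here as an example and not code from the thread or from the Lithnet projects: it enumerates the local Administrators group on each computer, flags Domain Admins (RID 512) and any other domain principal, and reads whether the built-in Administrator password is LAPS-managed. It assumes RSAT's ActiveDirectory module, PowerShell remoting to the targets, and the legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime (Windows LAPS uses msLAPS-PasswordExpirationTime instead); the computer names are constructed samples.

```powershell
# Audit local Administrators membership and LAPS coverage across domain computers.
# Assumptions: ActiveDirectory module (RSAT), WinRM reachable, legacy LAPS schema.
param(
    [string[]]$ComputerName = @('PC01', 'PC02')   # constructed sample names
)

$domainSid       = (Get-ADDomain).DomainSID.Value
$domainAdminsSid = "$domainSid-512"               # well-known RID for Domain Admins

foreach ($computer in $ComputerName) {
    # LAPS sets an expiration time on the computer object once it manages the password.
    $adObj       = Get-ADComputer -Identity $computer -Properties 'ms-Mcs-AdmPwdExpirationTime'
    $lapsManaged = $null -ne $adObj.'ms-Mcs-AdmPwdExpirationTime'

    try {
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, SID, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "$computer : could not enumerate Administrators ($($_.Exception.Message))"
        continue
    }

    foreach ($m in $members) {
        $sid = [string]$m.SID                       # works for live and deserialized objects
        $finding = switch -Regex ($sid) {
            '-500$'              { 'OK: built-in Administrator (should be LAPS-managed)' }
            "^$domainAdminsSid$" { 'REMOVE: Domain Admins should only administer DCs' }
            default {
                if ($m.PrincipalSource -eq 'Local') { 'REVIEW: extra local admin account' }
                else { 'REVIEW: domain principal; support staff should use the LAPS password instead' }
            }
        }
        [pscustomobject]@{
            Computer    = $computer
            Member      = $m.Name
            SID         = $sid
            LapsManaged = $lapsManaged
            Finding     = $finding
        }
    }
}
```

Any row with LapsManaged set to False means the built-in account's password is still not rotated, so removing the other admins there would leave the box with a shared static password rather than a unique one.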