Rather than go into OrgKit tonight, I want to explain why Windows networks have been historically insecure. 🧵
Computing does not have a long history. Its progression goes industrial IBM solutions with all services included, to piecemeal solutions separating software and hardware, to innumerable OS options and hardware, to standardized hardware and narrowing OS options, to 90’s businesses
As these options narrowed, Windows offered a solution in NT Domains with a compelling, if junior way, to solve the hardest problem in computing: Interoperability and per-user security across server and client. There were others we won’t get into them. It was a huge success.
There is a large history of disparate and converged services in computing. Microsoft eventually combined many academic/corporate solutions into a cohesive offering: Active Directory.
Kerberos for authentication. LDAP for directory. SMB for file services. Group Policy for mgmt etc
Kerberos for authentication. LDAP for directory. SMB for file services. Group Policy for mgmt etc
The problem here was Microsoft created a monstrously powerful solution, with essentially a blank-slate administrative paradigm you had to design and deploy (they didn’t know what was the right way either yet and didn’t want to prematurely designate), and gave it away for free.
Directory solutions and admin delegation of rights had previously been entire jobs that committees debated and defined and slowly developed tools for.
Active Directory had that, in an almost infinitely adaptable way, for people with no experience or knowledge. It just worked.
Active Directory had that, in an almost infinitely adaptable way, for people with no experience or knowledge. It just worked.
Microsoft had tribulations in its management and investment in Active Directory. Some of which I know, most I don’t.
But they had unleashed the greatest networking tool ever for making computers be talking together and be managed. Effortlessly. And, they were mostly all isolated.
But they had unleashed the greatest networking tool ever for making computers be talking together and be managed. Effortlessly. And, they were mostly all isolated.
Some things, I blame Microsoft. Others I say what they were doing had literally never existed at scale. And without hindsight. Others, were a failure to renew an ownership in results.
Anyway. The years go on. The Internet is omnipresent. And the attacks start against customers.
Anyway. The years go on. The Internet is omnipresent. And the attacks start against customers.
Microsoft begins to have a Very Bad Time. A combination of code security issues leading to worms, and executable control+privilege level on arbitrary code – leading to users compromising themselves by installing innocuous-seeming malware – becomes crisis. Guess what. They respond
In 2002, Bill Gates releases one of the most consequential pieces of corporate writing in history. The “Trusted Computing Memo.”
This dramatically led to changes making exploiting Microsoft products substantially harder. It led to internal revolution.
But.wired.com/2002/01/bill-g…
This dramatically led to changes making exploiting Microsoft products substantially harder. It led to internal revolution.
But.wired.com/2002/01/bill-g…
What Microsoft could not do was fix the networks their customers had already built. Further, they failed to radically transform the administrative surface of Active Directory and its default state, to make it administratable by commoners.
This is one of their greatest failures.
This is one of their greatest failures.
Active Directory remains without reasonable roles for segregation or responsibility. Like, “desktop administrator” or “server adninistrator” or “network service querying logged-in user.” They just don’t exist. And most customers do not have the specialization and skill to do it.
Neither do OU (folders) exist to correctly delineate these objects into their roles and ability to access. Or organizationally delegate.
So what do Microsoft customers do? They exploit the worst decision in the history of computer. That I feel bad highlighting.
“Domain Admins”
So what do Microsoft customers do? They exploit the worst decision in the history of computer. That I feel bad highlighting.
“Domain Admins”
Because Microsoft abdicated its role in strongly defining an administrative theory for Active Directory - which all products today have - their customers have rights to everything assigned to innumerable people. Sane account they access their email can ransom the entire company.
Now; there are firms that nominally try to do it right. Where Helpdesk are not Domain Admins. But innumerable network services with hijackabke credentials are. And the helpdesk people are admins to Domain Admins. So they own the domain admins. AD offers nothing to detect/address.
This is just a sample of 2 issues that fostered our reality. Microsoft is now investing again into AD. With a product leader I’d like to call a friendly acquaintance.
But where was the money before. Where was the leadership that obligated the resources. When they made our world.
But where was the money before. Where was the leadership that obligated the resources. When they made our world.
Lucky for Microsoft it kinda seems like Twitter broke this thread somewhere so you won’t see it. But yeah. I’m called a Microsoft shill because my criticisms don’t fit in a funny anecdote about the Start Menu.
If anyone knows a similar write up or course that explains the actual motivating issues into WHY our networks are like this @ me a link so I don’t have to write it and then never do it.
(The AD team has been working on great stuff, public, announced, and stuff I’ve heard. This is NOT a criticism of them. I’m trying to describe the history of how we got to today. Which they may disagree with. But I don’t pass stuff by Microsoft. I’m actually independent.)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
