SwiftOnSecurity
Mar 24, 2024, 19 tweets, 4 min read
Rather than go into OrgKit tonight, I want to explain why Windows networks have been historically insecure. 🧵
Computing does not have a long history. Its progression goes industrial IBM solutions with all services included, to piecemeal solutions separating software and hardware, to innumerable OS options and hardware, to standardized hardware and narrowing OS options, to 90’s businesses
As these options narrowed, Windows offered a solution in NT Domains with a compelling, if junior, way to solve the hardest problem in computing: interoperability and per-user security across server and client. There were others; we won’t get into them. It was a huge success.
There is a large history of disparate and converged services in computing. Microsoft eventually combined many academic/corporate solutions into a cohesive offering: Active Directory.
Kerberos for authentication. LDAP for directory. SMB for file services. Group Policy for management, etc.
The problem here was Microsoft created a monstrously powerful solution, with essentially a blank-slate administrative paradigm you had to design and deploy (they didn’t know what was the right way either yet and didn’t want to prematurely designate), and gave it away for free.
Directory solutions and admin delegation of rights had previously been entire jobs that committees debated and defined and slowly developed tools for.
Active Directory had that, in an almost infinitely adaptable way, for people with no experience or knowledge. It just worked.
Microsoft had tribulations in its management and investment in Active Directory. Some of which I know, most I don’t.
But they had unleashed the greatest networking tool ever for making computers talk together and be managed. Effortlessly. And, they were mostly all isolated.
Some things, I blame Microsoft. Others I say what they were doing had literally never existed at scale. And without hindsight. Others were a failure to renew an ownership in results.
Anyway. The years go on. The Internet is omnipresent. And the attacks start against customers.
Microsoft begins to have a Very Bad Time. A combination of code security issues leading to worms, and executable control+privilege level on arbitrary code – leading to users compromising themselves by installing innocuous-seeming malware – becomes a crisis. Guess what. They respond
In 2002, Bill Gates releases one of the most consequential pieces of corporate writing in history. The “Trusted Computing Memo.”

This dramatically led to changes making exploiting Microsoft products substantially harder. It led to internal revolution.
But.
wired.com/2002/01/bill-g…
What Microsoft could not do was fix the networks their customers had already built. Further, they failed to radically transform the administrative surface of Active Directory and its default state, to make it administratable by commoners.
This is one of their greatest failures.
Active Directory remains without reasonable roles for segregation of responsibility. Like, “desktop administrator” or “server administrator” or “network service querying logged-in user.” They just don’t exist. And most customers do not have the specialization and skill to do it.
Neither do OU (folders) exist to correctly delineate these objects into their roles and ability to access. Or organizationally delegate.
So what do Microsoft customers do? They exploit the worst decision in the history of computing. That I feel bad highlighting.

“Domain Admins”
Because Microsoft abdicated its role in strongly defining an administrative theory for Active Directory - which all products today have - their customers have rights to everything assigned to innumerable people. Same account they access their email with can ransom the entire company.
Now; there are firms that nominally try to do it right. Where Helpdesk are not Domain Admins. But innumerable network services with hijackable credentials are. And the helpdesk people are admins to Domain Admins. So they own the domain admins. AD offers nothing to detect/address.
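As an added example (not from the thread, and not Microsoft's tooling), here is one audit a defender can run for the two failure modes just described: Domain Admins members that are really network services (accounts carrying a servicePrincipalName), and non-admin principals holding control rights over a Domain Admin account. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host with read access to the directory; the list of "expected" controlling principals is an assumption you should adjust to your own tiering model.

```powershell
# Added example, not from the thread: audit control over Domain Admins members.
# Assumes the RSAT ActiveDirectory module (provides the AD: PSDrive) and
# read access to the directory.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName

# Principals that are expected to control a privileged account (assumption:
# adjust to your tiering model). Anything else with control rights is a
# delegation path to review.
$expectedControllers = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$netbios\Domain Admins",
    "$netbios\Enterprise Admins"
)

# Rights that amount to ownership of the object.
$controlRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
# Extended right User-Force-Change-Password (reset without the old password).
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# An all-zero ObjectType means the ACE applies to all properties / all extended rights.
$allObjects = [guid]'00000000-0000-0000-0000-000000000000'

$findings = foreach ($member in Get-ADGroupMember -Identity 'Domain Admins' -Recursive) {
    # Recursive expansion can return computers or groups; only users carry SPNs and passwords here.
    if ($member.objectClass -ne 'user') { continue }
    $account = Get-ADUser -Identity $member.DistinguishedName -Properties servicePrincipalName, adminCount

    # Finding 1: a DA member that is a network service. Its credential lives
    # wherever that service runs, which is exactly the "hijackable" case.
    if ($account.servicePrincipalName) {
        [pscustomobject]@{
            Account   = $account.SamAccountName
            Issue     = 'DomainAdminWithSPN'
            Principal = ($account.servicePrincipalName -join ';')
        }
    }

    # Finding 2: principals outside the expected set with control rights.
    # SDProp normally rewrites the ACL of adminCount=1 objects from
    # AdminSDHolder on a schedule, so a surviving entry here is either a recent
    # change or a change to AdminSDHolder itself; both deserve a look.
    $acl = Get-Acl -Path "AD:\$($account.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expectedControllers -contains $ace.IdentityReference.Value) { continue }

        $isControl = $ace.ActiveDirectoryRights -match $controlRights
        # WriteProperty only counts as control when it is not scoped to one attribute.
        $isWriteAll = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                      $ace.ObjectType -eq $allObjects
        $isReset = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                   ($ace.ObjectType -eq $resetPasswordGuid -or $ace.ObjectType -eq $allObjects)

        if ($isControl -or $isWriteAll -or $isReset) {
            [pscustomobject]@{
                Account   = $account.SamAccountName
                Issue     = 'ControlledByNonAdmin'
                Principal = "$($ace.IdentityReference) ($($ace.ActiveDirectoryRights))"
            }
        }
    }
}

$findings | Sort-Object Issue, Account | Format-Table -AutoSize
```

Run it as an ordinary domain user with read access; nothing here writes to the directory. A `DomainAdminWithSPN` finding is the signal to move that service to a dedicated, least-privileged account (a group Managed Service Account where the product allows it), and a `ControlledByNonAdmin` finding is the helpdesk-owns-the-admins path the thread describes, to be removed from the ACL or from AdminSDHolder.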
This is just a sample of 2 issues that fostered our reality. Microsoft is now investing again into AD. With a product leader I’d like to call a friendly acquaintance.
But where was the money before. Where was the leadership that obligated the resources. When they made our world.
Lucky for Microsoft it kinda seems like Twitter broke this thread somewhere so you won’t see it. But yeah. I’m called a Microsoft shill because my criticisms don’t fit in a funny anecdote about the Start Menu.
If anyone knows a similar write up or course that explains the actual motivating issues into WHY our networks are like this @ me a link so I don’t have to write it and then never do it.
(The AD team has been working on great stuff, public, announced, and stuff I’ve heard. This is NOT a criticism of them. I’m trying to describe the history of how we got to today. Which they may disagree with. But I don’t pass stuff by Microsoft. I’m actually independent.)