Users having admin rights on *their* desktop is nowhere near as big a problem as your support staff having admin rights on *all* desktops. To stop ransomware we need to move away from super-charged admin rights that work everywhere. 💣
Start by removing Domain Admins from the local Administrators group of every computer. Windows adds them by default when a PC is first joined to the domain. Set up a group policy to remove them. Domain Admins need to be an admin of DCs only. Talk about an overprivileged account! 😫
Then roll out LAPS and have support staff use LAPS passwords instead of their own admin accounts. (Why would you type a super-admin account password into a PC where you have no idea what's on it?) 😬
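The two steps in the thread above, as an added PowerShell example (not the thread author's code). It assumes a NetBIOS domain name of CORP and legacy Microsoft LAPS (the AdmPwd.PS module); the Windows LAPS cmdlet is noted in a comment. Run it on a domain-joined workstation as a local administrator; the GPO path that does the same thing fleet-wide is given in the comments.

```powershell
# Added example, not from the original thread.
# Assumptions: NetBIOS domain 'CORP', legacy LAPS (AdmPwd.PS) deployed, password-read
# permission delegated to the support staff group in AD.
#
# Fleet-wide equivalent (what the thread means by "set up a group policy"):
#   Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
#   Group: Administrators (built-in), Action: Update, Members: Remove "CORP\Domain Admins"
# or Security Settings > Restricted Groups with an explicit member list for Administrators.
param(
    [string]$Domain = 'CORP',
    [string[]]$GroupsToRemove = @('Domain Admins')
)

# --- 1. Audit and clean the local Administrators group on this machine -------------
$admins = Get-LocalGroupMember -Group 'Administrators'
Write-Host 'Current local Administrators:'
$admins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

foreach ($g in $GroupsToRemove) {
    $target = "$Domain\$g"           # backslash is not an escape in PowerShell
    if ($admins | Where-Object { $_.Name -eq $target }) {
        Write-Host "Removing $target from local Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $target
    } else {
        Write-Host "$target is not a local admin (already cleaned up)"
    }
}

# Any *other* domain group that is still a local admin is "admin everywhere" creeping
# back in through nesting; surface it rather than silently accept it.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'Group' } |
    ForEach-Object { Write-Warning "Domain group still in local Administrators: $($_.Name)" }

# --- 2. Support staff: use the machine's LAPS password, not your own admin account --
function Get-LapsSupportCredential {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$LocalAccount = 'Administrator'
    )
    # Legacy LAPS cmdlet. Windows LAPS equivalent:
    #   (Get-LapsADPassword -Identity $ComputerName -AsPlainText).Password
    Import-Module AdmPwd.PS -ErrorAction Stop
    $laps = Get-AdmPwdPassword -ComputerName $ComputerName
    if (-not $laps.Password) {
        throw "No LAPS password stored for $ComputerName (is LAPS deployed there?)"
    }
    Write-Host "LAPS password for $ComputerName expires $($laps.ExpirationTimestamp)"
    $secure = ConvertTo-SecureString $laps.Password -AsPlainText -Force
    # Credential scoped to one machine: useless if that PC is compromised and logs keystrokes.
    New-Object System.Management.Automation.PSCredential ("$ComputerName\$LocalAccount", $secure)
}

# Usage from a support workstation (WS001 is an assumed hostname):
#   $cred = Get-LapsSupportCredential -ComputerName WS001
#   Enter-PSSession -ComputerName WS001 -Credential $cred
```

Running the first half once by hand is a stop-gap; the Group Policy setting in the header comment is what keeps Domain Admins out after the next rebuild or re-join, since Windows re-adds the group at join time.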
Here's a digest of my understanding of #CVE-2020-1472 for the Microsoft Netlogon secure channel vulnerability and what you need to do to protect yourself. Thread. ⬇️
Firstly, what's the issue? Well, it seems an attacker could essentially become a domain admin, without needing to authenticate to the DC. They just need line of sight. Yikes.
What is Netlogon? Domain-joined systems use the Netlogon Remote Protocol (MS-NRPC) for secure communications between a client machine and a DC for things such as DC discovery, authentication, password changes, etc. It is also used for trusts between forests.
[Thread] We discovered the Palo Alto SAML vulnerability (CVE-2020-2012). There's lots of confusion about the role of the 'Disable cert validation' check box in this issue. TL;DR: having this turned off is standard, expected, and not bad practice. Patch your PA, and leave this off.
To understand this properly, we need to understand how SAML works, specifically the 'POST binding' mechanism most commonly used in SAML setups today. There are two parties in a SAML trust, the identity provider (IDP) and the service provider (SP).
The IDP's job is to auth the user on behalf of an SP. It will then send an XML 'assertion' to the SP when a user logs in. This assertion contains information about the authentication event, including the identity of the user, and possibly other attributes related to authorization.
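The SP side of the POST binding described in the thread, as an added PowerShell example (not the thread author's code and not Palo Alto's implementation). The browser POSTs a base64-encoded `<samlp:Response>` to the SP's Assertion Consumer Service URL; the SP decodes it and reads the `<saml:Assertion>`. The assertion, entity IDs, user and attribute values below are all constructed for illustration. XML-DSig signature verification, the step the 'cert validation' discussion is about, is deliberately left to a real SAML library and is only marked in the code.

```powershell
# Added example, not from the original thread. All identifiers and values are made up.
$IdpEntityId = 'https://idp.example.com/metadata'    # assumed IdP entity ID
$SpEntityId  = 'https://vpn.example.com/SAML20/SP'   # assumed SP entity ID (the Audience)

# Constructed response, roughly what an IdP emits after authenticating the user.
$responseXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2020-06-29T10:00:00Z"
                Destination="https://vpn.example.com/SAML20/SP/ACS">
  <saml:Issuer>$IdpEntityId</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-29T10:00:00Z">
    <saml:Issuer>$IdpEntityId</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2020-06-29T09:59:00Z" NotOnOrAfter="2020-06-29T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>$SpEntityId</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-06-29T10:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
        <saml:AttributeValue>helpdesk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@

# POST binding: the IdP returns an HTML form whose SAMLResponse field carries the base64 XML.
$samlResponseField = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($responseXml))

function Test-SamlResponse {
    param(
        [Parameter(Mandatory)][string]$SAMLResponse,
        [Parameter(Mandatory)][string]$ExpectedIssuer,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $xml = [xml][Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SAMLResponse))
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    # >>> In a real SP the XML-DSig <ds:Signature> over the assertion/response is verified
    # >>> against the IdP certificate from metadata BEFORE anything below is trusted.

    $status = $xml.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/@Value', $ns).Value
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') { throw "IdP reported failure: $status" }

    $assertion = $xml.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) { throw 'No assertion in response' }

    # Issuer: only the IdP this SP was configured to trust.
    $issuer = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
    if ($issuer -ne $ExpectedIssuer) { throw "Unexpected issuer: $issuer" }

    # Audience: an assertion minted for a different SP must not log anyone in here.
    $audiences = @($assertion.SelectNodes('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns) |
                   ForEach-Object InnerText)
    if ($audiences -notcontains $ExpectedAudience) { throw "Assertion not intended for this SP: $audiences" }

    # Validity window, compared in UTC.
    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $nb   = [Xml.XmlConvert]::ToDateTime($cond.NotBefore,    [Xml.XmlDateTimeSerializationMode]::Utc)
    $noa  = [Xml.XmlConvert]::ToDateTime($cond.NotOnOrAfter, [Xml.XmlDateTimeSerializationMode]::Utc)
    if ($Now -lt $nb -or $Now -ge $noa) { throw "Assertion outside its validity window ($nb .. $noa)" }

    # Identity (NameID) and the authorization attributes the thread mentions.
    $attrs = @{}
    foreach ($a in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        # GetAttribute, because $a.Name is the element name, not the Name attribute.
        $attrs[$a.GetAttribute('Name')] = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object InnerText)
    }
    [pscustomobject]@{
        NameID     = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText
        Attributes = $attrs
    }
}

# Happy path: a time inside the window, the expected issuer and audience.
$when = ([datetime]'2020-06-29T10:01:00Z').ToUniversalTime()
$user = Test-SamlResponse -SAMLResponse $samlResponseField -ExpectedIssuer $IdpEntityId `
                          -ExpectedAudience $SpEntityId -Now $when
"Logged in: $($user.NameID), groups: $($user.Attributes['groups'] -join ',')"

# Failure path: the same assertion replayed at a different SP is rejected on Audience.
try {
    Test-SamlResponse -SAMLResponse $samlResponseField -ExpectedIssuer $IdpEntityId `
                      -ExpectedAudience 'https://other-sp.example.com' -Now $when
} catch { "Rejected: $_" }
```

The issuer, audience and time checks are what a correct SP does with the assertion content; none of them mean anything unless the signature over that content has already been verified, which is why the thread says to leave the certificate-validation box alone and patch instead.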