
Top 10 Mistakes Made In Active Directory That Can Lead To Being Compromised

BSides Philly · 2017 · 36:13 · 40 views · Published 2017-08

About this talk
Hitting the “Finish” button is only the beginning of creating a secure Active Directory, from the settings you must configure to protect against Mimikatz to the 7 registry keys you manually set to ensure time is configured on the Primary Domain Controller. We will look at these and other common mistakes organizations make when securing Active Directory. Adam Steed has 18 years of experience in Identity Access Management (IAM), working for financial, web and healthcare organizations. Currently Adam is a Senior Manager at Protiviti, providing subject-matter expertise in the areas of IAM as part of the Security and Privacy practice.

Speaker: Adam Steed

Transcript (en)

Morning or afternoon, I have no clue anymore. My problem is that I'm on the road every single week, all across the country. This is my typical week, where I've been on both the West Coast and the East Coast in the same week, and I actually live on the way in Utah on the weekends. My name is Adam. I'm always hungry, I never know when to sleep because I don't know what time zone I'm in, same with staying in a Hilton every night: you wake up and you don't know what city you're in. I work for Protiviti; we're one of the sponsors here of this great conference. I've

done probably about five BSides this year across the country. First off, hats off to you guys here in Philly. I know this is your first year, but this is actually one of the better BSides I've been to this year, especially for a first year. So at the end of the day, what administrators really want to do: we really have two goals and purposes in life as administrators. The first one is to give the finger to the pen testers. The second thing that we want to do in life as a sysadmin, that every sysadmin wants to do, is to get hugs from auditors. Yes, hugs from auditors. I have literally gotten hugs from auditors as a sysadmin. So

we're going to kind of split this into two acts. First we're going to talk about what the trends are in Active Directory and in identity management, and the second, well, we're going to talk about why people suck at it.

So the first question is, well, why do companies even use Active Directory? There are so many other great identity management platforms out there. Think of why we use Active Directory: it's actually not as horrible as everyone says it is. It does a lot of different things. It's not like OpenLDAP, which just handles authentication and authorization; it handles computer configuration management with group policies. It's flexible: it's easy for me to make Active Directory do more things than just what comes out of the box. So we have this problem now. We have Active Directory, and over the last decade we've seen all these cloud applications pop up. Now, I used to be a

director of InfoSec for an organization, and at that organization it would take our help desk two hours every time a person was hired or fired, because they had 50 different identities that they would have to create for one user. As I've been working with Fortune 500 companies, this is not a moot case; this is very common, that a single person could have a hundred different identities through all these different applications. Now, the solution to this is we're trying to merge our identities together and have Active Directory become the authenticator for all these different applications, so we don't have to create all these separate identities. But we

still have to worry about provisioning: how do I provision these applications, and more importantly, how do we keep all of these attributes in sync between all these different applications? So for example, your first name and your last name: is Active Directory the most informed source of that information? No. For most information in Active Directory, the most reliable source is not Active Directory. So for example, the most reliable source for your first and last name is usually an HR system. Same with your email address; your phone number is probably in a phone system, not in the HR system. So we have all this

attribute information about a user, but how do we keep it all in sync together? This is one of the major problems that we see: hey, Bob in accounting just got promoted and now he works over in procurement. So when people change jobs, how do you make sure that their access follows them, if your Active Directory is not current? So you have to create a system where all your attribute information about your users is synced together. The approach that we tried to take years ago is we create all these different links, so we take our Active Directory, we sync it with our HR system,

but the trend today is putting everything into Active Directory, and notice these arrows are not one-way arrows, these arrows are two-way arrows. So for example, your phone number in the phone system is written into Active Directory, and then from the Active Directory servers there's a service that writes the correct phone number back to the HR system. So you have this convergence of attribute information, and remember, we're going to keep talking about the importance of attribute information; it's very important. So how do you do this? How do you sync all this data together? Pretty much your most popular solutions today are through PowerShell scripts that

you write. A lot of big organizations and small organizations just write a whole bunch of PowerShell scripts that take a nightly CSV file from a system and import it in, and it's just done through scripts. The other popular systems are solutions from Okta to Ping Identity to Microsoft to Azure Active Directory. There's also a very interesting use case, and we're starting to see a lot of changes because of Azure Active Directory. So what I did at my last job is we had all of these applications, we had like 50 different applications, and so we created a portal using, this was with Okta, but I've done this with other

applications, so that all they have to do is just go to a web portal and then click the application they want.
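As an added example of the nightly CSV-to-Active-Directory attribute sync the speaker describes (this is not code from the talk or from Protiviti), a PowerShell script that treats the HR export as authoritative for a fixed set of attributes only, runs in dry-run mode first, and reports rather than disables accounts that HR has stopped exporting. The CSV path, its column names and the use of the employeeID attribute as the join key are assumptions.

```powershell
# Added example, not from the talk: nightly HR-CSV -> Active Directory attribute sync.
# Assumptions (hypothetical): the HR system exports C:\HRExport\employees.csv with
# columns EmployeeID, GivenName, Surname, Department, Title; AD users carry the HR id
# in the employeeID attribute; the RSAT ActiveDirectory module is installed.
# HR is authoritative only for the attributes in $Authoritative; every other CSV
# column is ignored, so a bad export cannot overwrite data owned by another system
# (phone number, mail), which the talk says lives elsewhere.
Import-Module ActiveDirectory

$Authoritative = @{ GivenName = 'givenName'; Surname = 'sn'; Department = 'department'; Title = 'title' }  # CSV column -> LDAP attribute
$CsvPath = 'C:\HRExport\employees.csv'   # hypothetical path
$LogPath = 'C:\HRExport\sync.log'        # hypothetical path
$DryRun  = $true                         # set to $false only after reviewing a dry-run log

function Write-SyncLog([string]$Line) { Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $Line" }

$seen = @{}   # employee ids present in tonight's export
foreach ($row in (Import-Csv -Path $CsvPath)) {
    if ([string]::IsNullOrWhiteSpace($row.EmployeeID)) { Write-SyncLog "SKIP row without EmployeeID"; continue }
    $seen[$row.EmployeeID] = $true
    # Escape LDAP filter metacharacters so a malformed HR value cannot alter the query
    $id = $row.EmployeeID -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $users = @(Get-ADUser -LDAPFilter "(employeeID=$id)" -Properties @($Authoritative.Values))
    if ($users.Count -ne 1) { Write-SyncLog "SKIP employeeID=$($row.EmployeeID): $($users.Count) AD matches"; continue }
    $user = $users[0]

    # Build the set of attributes whose AD value differs from the authoritative HR value
    $changes = @{}
    foreach ($col in $Authoritative.Keys) {
        $attr = $Authoritative[$col]
        $new  = $row.$col
        if (-not [string]::IsNullOrWhiteSpace($new) -and (([string]$user.$attr) -cne $new)) { $changes[$attr] = $new }
    }
    if ($changes.Count -eq 0) { continue }
    $desc = ($changes.GetEnumerator() | ForEach-Object { "$($_.Key)='$($_.Value)'" }) -join ', '
    if ($DryRun) { Write-SyncLog "DRYRUN $($user.SamAccountName): $desc"; continue }
    try   { Set-ADUser -Identity $user -Replace $changes; Write-SyncLog "UPDATED $($user.SamAccountName): $desc" }
    catch { Write-SyncLog "ERROR $($user.SamAccountName): $desc -> $_" }
}

# Accounts carrying an employeeID that HR no longer exports are reported for review
# (the "Bob left or moved" case); this script never disables anything on its own.
Get-ADUser -LDAPFilter '(employeeID=*)' -Properties employeeID |
    Where-Object { -not $seen.ContainsKey($_.employeeID) } |
    ForEach-Object { Write-SyncLog "REVIEW $($_.SamAccountName): employeeID=$($_.employeeID) not in HR export" }
```

Run it under a dedicated service account that holds write access only to the attributes in $Authoritative, and review the REVIEW lines before any deprovisioning step.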

Hi folks, Angie here. Unfortunately we had a video problem with OBS and it decided to stop recording audio for the rest of this particular talk. Sorry for the inconvenience.