ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    What Are You Doing Right Now

    Scheduled Pinned Locked Moved Water Closet
    time waster
    88.9k Posts 285 Posters 42.8m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @popester
      last edited by

      @popester said in What Are You Doing Right Now:

      Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

      For AD, I assume?

      popesterP 1 Reply Last reply Reply Quote 0
      • popesterP
        popester @scottalanmiller
        last edited by

        @scottalanmiller said in What Are You Doing Right Now:

        @popester said in What Are You Doing Right Now:

        Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

        For AD, I assume?

        Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @popester
          last edited by

          @popester said in What Are You Doing Right Now:

          @scottalanmiller said in What Are You Doing Right Now:

          @popester said in What Are You Doing Right Now:

          Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

          For AD, I assume?

          Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

          Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.

          popesterP ObsolesceO 2 Replies Last reply Reply Quote 0
          • popesterP
            popester @scottalanmiller
            last edited by popester

            @scottalanmiller
            I just asked the reason behind it and "Mind Blown" because we have a consultant that is working on stuff already and is willing to do it. Along with it being best practice. So now comes the fun, learning how not to break it. 🙂

            This was not a "Norm" response to my question.

            dafyreD 1 Reply Last reply Reply Quote 0
            • dafyreD
              dafyre @popester
              last edited by

              @popester said in What Are You Doing Right Now:

              @scottalanmiller
              I just asked the reason behind it and "Mind Blown" because we have a consultant that is working on stuff already and is willing to do it. Along with it being best practice. So now comes the fun, learning how not to break it. 🙂

              This was not a "Norm" response to my question.

              Set the Certificates for as long as your CA will allow, lol.

              1 Reply Last reply Reply Quote 0
              • ObsolesceO
                Obsolesce @scottalanmiller
                last edited by

                @scottalanmiller said in What Are You Doing Right Now:

                @popester said in What Are You Doing Right Now:

                @scottalanmiller said in What Are You Doing Right Now:

                @popester said in What Are You Doing Right Now:

                Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

                For AD, I assume?

                Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

                Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.

                AD (and everything using it) is only as secure as the DC.

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @Obsolesce
                  last edited by

                  @Obsolesce said in What Are You Doing Right Now:

                  @scottalanmiller said in What Are You Doing Right Now:

                  @popester said in What Are You Doing Right Now:

                  @scottalanmiller said in What Are You Doing Right Now:

                  @popester said in What Are You Doing Right Now:

                  Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

                  For AD, I assume?

                  Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

                  Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.

                  AD (and everything using it) is only as secure as the DC.

                  DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC 🙂

                  ObsolesceO siringoS 2 Replies Last reply Reply Quote 0
                  • jmooreJ
                    jmoore
                    last edited by

                    Leaving work because its now Margarita time!

                    DustinB3403D 1 Reply Last reply Reply Quote 0
                    • ObsolesceO
                      Obsolesce @scottalanmiller
                      last edited by Obsolesce

                      @scottalanmiller said in What Are You Doing Right Now:

                      @Obsolesce said in What Are You Doing Right Now:

                      @scottalanmiller said in What Are You Doing Right Now:

                      @popester said in What Are You Doing Right Now:

                      @scottalanmiller said in What Are You Doing Right Now:

                      @popester said in What Are You Doing Right Now:

                      Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

                      For AD, I assume?

                      Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

                      Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.

                      AD (and everything using it) is only as secure as the DC.

                      DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC 🙂

                      That's the thing, if you compromise a DC, you don't need any passwords... There was a whole session on this that I have been to.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • WrCombsW
                        WrCombs
                        last edited by

                        Counting down til I leave Sunday Evening for KC MO with a few friends.
                        Taking some time off work to go enjoy myself at a concert.

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Obsolesce
                          last edited by

                          @Obsolesce said in What Are You Doing Right Now:

                          @scottalanmiller said in What Are You Doing Right Now:

                          @Obsolesce said in What Are You Doing Right Now:

                          @scottalanmiller said in What Are You Doing Right Now:

                          @popester said in What Are You Doing Right Now:

                          @scottalanmiller said in What Are You Doing Right Now:

                          @popester said in What Are You Doing Right Now:

                          Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

                          For AD, I assume?

                          Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

                          Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.

                          AD (and everything using it) is only as secure as the DC.

                          DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC 🙂

                          That's the thing, if you compromise a DC, you don't need any passwords... There was a whole session on this that I have been to.

                          Depends on how you compromise it. What can someone do if they only have the data from the DC?

                          ObsolesceO 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller
                            last edited by

                            Well they can push things out from GPO, I guess.

                            1 Reply Last reply Reply Quote 0
                            • ObsolesceO
                              Obsolesce @scottalanmiller
                              last edited by

                              @scottalanmiller said in What Are You Doing Right Now:

                              @Obsolesce said in What Are You Doing Right Now:

                              @scottalanmiller said in What Are You Doing Right Now:

                              @Obsolesce said in What Are You Doing Right Now:

                              @scottalanmiller said in What Are You Doing Right Now:

                              @popester said in What Are You Doing Right Now:

                              @scottalanmiller said in What Are You Doing Right Now:

                              @popester said in What Are You Doing Right Now:

                              Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

                              For AD, I assume?

                              Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

                              Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.

                              AD (and everything using it) is only as secure as the DC.

                              DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC 🙂

                              That's the thing, if you compromise a DC, you don't need any passwords... There was a whole session on this that I have been to.

                              Depends on how you compromise it. What can someone do if they only have the data from the DC?

                              They can access any data on any Domain PC.

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • ObsolesceO
                                Obsolesce
                                last edited by

                                @scottalanmiller

                                One of the simplest things to do for a DC is enable BitLocker, especially if it's virtualized. Encrypting the data at rest on a virtual disk is essential.

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • ObsolesceO
                                  Obsolesce
                                  last edited by

                                  This is the session i attended... well, the session's slides, which doens't say mcuh at all... but it's a breadcrumb:
                                  https://4f2bcn3u2m2u2z7ghc17a5jm-wpengine.netdna-ssl.com/wp-content/uploads/2019/10/techdayssweden_credentialsecurity_paulajanuszkiewicz.pdf

                                  Above link is from here:
                                  https://cqureacademy.com/blog/techdays-sweden-2019-2

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Obsolesce
                                    last edited by

                                    @Obsolesce said in What Are You Doing Right Now:

                                    @scottalanmiller said in What Are You Doing Right Now:

                                    @Obsolesce said in What Are You Doing Right Now:

                                    @scottalanmiller said in What Are You Doing Right Now:

                                    @Obsolesce said in What Are You Doing Right Now:

                                    @scottalanmiller said in What Are You Doing Right Now:

                                    @popester said in What Are You Doing Right Now:

                                    @scottalanmiller said in What Are You Doing Right Now:

                                    @popester said in What Are You Doing Right Now:

                                    Trying to wrap my brain around adding a CA to our domain so we can encrypt traffic between servers. OMG... Where do I start....

                                    For AD, I assume?

                                    Yes sir. What brought it about was we run Citrix xenapp and nothing is encrypted this side of the ADC

                                    Well, the passwords are. That's the only important bit in a typical domain communications chain. Not to belittle "encrypt everything", because that's a good idea in general. Just saying that AD is decently secure even when at its least secure.

                                    AD (and everything using it) is only as secure as the DC.

                                    DCs are pretty secure unless you screw something up. However, the DC does not hold passwords, so even a compromised DC does not divulge passwords. So technically, it can be more secure than the DC 🙂

                                    That's the thing, if you compromise a DC, you don't need any passwords... There was a whole session on this that I have been to.

                                    Depends on how you compromise it. What can someone do if they only have the data from the DC?

                                    They can access any data on any Domain PC.

                                    Using what means?

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Obsolesce
                                      last edited by

                                      @Obsolesce said in What Are You Doing Right Now:

                                      @scottalanmiller

                                      One of the simplest things to do for a DC is enable BitLocker, especially if it's virtualized. Encrypting the data at rest on a virtual disk is essential.

                                      But what's the real world attack vector? I'm not saying that a DC is impervious or anything. I say all the time that AD adds a lot of risk, there is just so much more to fail.

                                      But their attacks seem to be focused on big, offline attacks where they are getting a copy of your drive (physical theft let's say) and you don't change your passwords, and they have lots of time to brute force them.

                                      While that's a real risk, it's a really unlikely one. There are so many steps needed one the attackers side to make it work, and so many ways to protects on the other side, even after the attack has begun.

                                      ObsolesceO 1 Reply Last reply Reply Quote 0
                                      • ObsolesceO
                                        Obsolesce @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in What Are You Doing Right Now:

                                        @Obsolesce said in What Are You Doing Right Now:

                                        @scottalanmiller

                                        One of the simplest things to do for a DC is enable BitLocker, especially if it's virtualized. Encrypting the data at rest on a virtual disk is essential.

                                        But what's the real world attack vector? I'm not saying that a DC is impervious or anything. I say all the time that AD adds a lot of risk, there is just so much more to fail.

                                        But their attacks seem to be focused on big, offline attacks where they are getting a copy of your drive (physical theft let's say) and you don't change your passwords, and they have lots of time to brute force them.

                                        While that's a real risk, it's a really unlikely one. There are so many steps needed one the attackers side to make it work, and so many ways to protects on the other side, even after the attack has begun.

                                        That's one way. If you compromise any domain joined PC, you can likely move laterally, it may be possible to compromise everything.

                                        It all depends of course. AD and AD domains can be very secure, but they can also be their own major vulnerability if not properly secured.

                                        1 Reply Last reply Reply Quote 0
                                        • ObsolesceO
                                          Obsolesce
                                          last edited by

                                          There's a lot more to it, but it was a while ago I attended and no longer remember enough details to keep going... but I remember the take-aways. I'm sure there's a lot about it around, but I can't look atm.

                                          1 Reply Last reply Reply Quote 0
                                          • RojoLocoR
                                            RojoLoco
                                            last edited by

                                            RojoLoco's audio tip of the week: if you want to add some serious bass to your home theater or music system, get a powered sub from monoprice. I got the 12" one for $100.... The thing is a beast. Tight and accurate too, on a variety of genres of music. Highest recommendation.

                                            jmooreJ 1 Reply Last reply Reply Quote 4
                                            • 1
                                            • 2
                                            • 3919
                                            • 3920
                                            • 3921
                                            • 3922
                                            • 3923
                                            • 4443
                                            • 4444
                                            • 3921 / 4444
                                            • First post
                                              Last post