    Domain Trust, VPN, Remote workers

    • Kelly

      Here is the problem:
      We have a large number of people working remotely now (like everyone else). Organizationally, we are in a transition between being engineered towards the LAN and having cloud-based tools. What this means is that our AD is not fully accessible to remote users without VPN. But a chunk of users can do their job without needing to use the VPN. For the short term, are there any concerns that you all would have about changing (assuming we can, haven't dug in that far yet) the expiration of the machine account/password?

      I know this is not the best answer. I'm just trying to buy time before we can get some tooling implemented to fix the underlying management problem.

      • JaredBusch

        I had a place years ago that had set the machine time to something like 180 days for tech laptops that were always in the field. It seemed to work well enough.

        • Kelly

          Thanks for the reply @JaredBusch. I'm getting pushback from the server team on my ask for this. They feel like it would introduce some insecurity into the system, but I'm not sure I understand the risks.

          • JaredBusch @Kelly

            @Kelly said in Domain Trust, VPN, Remote workers:

            Thanks for the reply @JaredBusch. I'm getting pushback from the server team on my ask for this. They feel like it would introduce some insecurity into the system, but I'm not sure I understand the risks.

            Me either. It simply lets the Kerberos tickets last longer, to my understanding.

            • dbeato

              I would do what @JaredBusch is recommending. I know companies that had the 90 days password expiration policy have changed it to completely disable it or extend it. I think that is what the server administrators are thinking in the sense of "Security".

              • brandon220

                Can confirm this method works. Did the same thing at my last job. The field guys traveled all over the world and did not always have access to internet - especially when they were offshore. They still needed access to their laptops for reporting. Never had an issue with them not being able to log in.

                • scottalanmiller @Kelly

                  @Kelly said in Domain Trust, VPN, Remote workers:

                  For the short term are there any concerns that you all would have about changing (assuming we can, haven't dug in that far yet) the expiration of the machine account/password?

                  We keep this long anyway to discourage bad, short, or repeating passwords. So that kind of stuff would rarely be seen as an issue, anyway.

                  • scottalanmiller @Kelly

                    @Kelly said in Domain Trust, VPN, Remote workers:

                    Thanks for the reply @JaredBusch. I'm getting pushback from the server team on my ask for this. They feel like it would introduce some insecurity into the system, but I'm not sure I understand the risks.

                    Point them to NIST and just standard security knowledge. If they balk at 180 days, ask them why they are pushing for less secure when it also makes it more complicated. In the "real world", short expiration times are considered a security risk outside of when used for security professionals and specialists that can be specifically trained to handle quickly changing passwords and are responsible for the risks.

                    • scottalanmiller @dbeato

                      @dbeato said in Domain Trust, VPN, Remote workers:

                      I would do what @JaredBusch is recommending. I know companies that had the 90 days password expiration policy have changed it to completely disable it or extend it. I think that is what the server administrators are thinking in the sense of "Security".

                      That would be my guess. It's exposing that they are hung up on old myths that were always myths, but now fall under "well known to have been myths."

                      • JaredBusch

                        I was referencing only the machine account expiration stuff.

                        • IRJ

                          The only risk here is having a laptop stolen and giving the attacker more time to try to breach a system with cached credentials.

                          You can mitigate that by using BitLocker and requiring MFA on all important accounts (should be the standard anyway).

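
The setting this thread is about is the client-side machine account password age (Group Policy "Domain member: Maximum machine account password age"). The PowerShell below is an added example, not code from any poster: it reads the effective Netlogon setting on a client and flags computer accounts whose password is older than a threshold. The function names, host names and dates are constructed for illustration.

```powershell
# Added example. Assumes Windows PowerShell on a domain-joined client.
# The 180-day threshold mirrors the figure mentioned in the thread.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # The client (Netlogon) initiates the password change, so these local
    # values decide when it is attempted. Absent MaximumPasswordAge = 30 days.
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { $p.MaximumPasswordAge } else { 30 }
        DisablePasswordChange  = ($p.DisablePasswordChange -eq 1)
    }
}

function Select-StaleMachineAccount {
    # Emits computer objects (Name, PasswordLastSet) whose password is older than $Days.
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [int] $Days = 180,
        [datetime] $Now = (Get-Date)
    )
    process {
        $last = $Computer.PasswordLastSet
        if ($last -and (($Now - $last).TotalDays -gt $Days)) {
            [pscustomobject]@{
                Name            = $Computer.Name
                PasswordLastSet = $last
                AgeDays         = [int](($Now - $last).TotalDays)
            }
        }
    }
}

Get-MachinePasswordPolicy | Format-List

# Constructed sample objects so the filter runs without a domain controller.
$now = [datetime]'2020-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'LT-FIELD-01'; PasswordLastSet = [datetime]'2019-10-15' }
    [pscustomobject]@{ Name = 'LT-FIELD-02'; PasswordLastSet = [datetime]'2020-05-20' }
    [pscustomobject]@{ Name = 'LT-NEVER-03'; PasswordLastSet = $null }
)
$sample | Select-StaleMachineAccount -Days 180 -Now $now   # only LT-FIELD-01 is returned

# Against a real domain (requires the RSAT ActiveDirectory module):
# Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
#     Select-StaleMachineAccount -Days 180
```

Accounts that show up as stale are the laptops that have not reached a domain controller since their last rotation, which is the population the stolen-laptop concern in the last post applies to.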