In this episode, Bastiaan Verdonk and I chat with Victor King from Quest about Active Directory (AD) security. We dive into the murky waters of configuration drift, privileged access, and how to stop attackers from moving laterally. Victor shares some real-world insights and actionable tips to keep your AD environment secure and squeaky clean.
Victor brings over 30 years of IT experience to the table, having worked with Fortune 100s, non-profits, and everything in between. He’s a troubleshooting guru with a knack for identity systems and Active Directory.
The Never-Ending AD Remediation Cycle
One of the key issues we tackle is the recurring nightmare of having to redo AD every few years. Why does this happen, and how can we break the cycle?
Steve Goodman: “How do you stop having to redo the AD every few years?”
Victor King: “You have to constantly go through this exercise of identifying everything that you have and what you’re doing with it. And then from there you start picking out the outliers. Well, here’s something that’s got some privilege that we don’t know what it does. What happens with that? So you’ve got to start looking at those things.”
Victor emphasizes the importance of taking inventory of what you have, identifying privileged access, and using community tools to evaluate misconfigurations. AD drift happens, even under the strictest conditions, so continuous monitoring is key.
Finding Misconfigurations
So, where do you even start looking for these misconfigurations?
Bastiaan Verdonk: “How does someone go about actually finding these misconfigurations? Going through logs, or what is it that someone can actually… where can they start? What can they do?”
Victor suggests taking a behavioral approach, analyzing activity logs, and identifying who your admins are and what they’re doing. Behavioral analysis software can help surface sketchy activity or overprivileged accounts.
Preventing Lateral Movement
Lateral movement – when attackers use compromised accounts to move deeper into your network – is a serious concern. How can you protect those super high-privileged identities and service accounts?
Victor stresses that there’s no one-size-fits-all answer. It’s a combination of tiering, just-in-time access, privileged access management, behavioral analysis, and more. It’s additive security, but it can get complicated.
Assuming Breach
It’s not a matter of if but when you’ll be breached. So, what can you do?
Victor King: “When your house is not on fire, that’s not a good time to try and figure out what you’ve got to run around and try and save. Right. So that goes straight back to where we started today: you have to identify the stuff in your environment. You have to figure out what’s important and then come up with a plan on how you’re going to protect that.”
Victor emphasizes the importance of defense in depth, business continuity planning, and disaster recovery. Test your recovery plans regularly – at least every six months.
The Importance of Auditing & Good AD Hygiene
Auditing systems are key to finding out what’s happening in your environment. As Victor says, “Yesterday was the right time to do it, but today is the next best time to do it.”
Victor King: “You have to look at the hygiene in your environment constantly because even though it’s good today, it might not be tomorrow because of some change that got pulled off at 9 p.m. last night. And the change might have been executed properly, but that doesn’t mean it was written up properly, right? There might have been an oversight.”
Start with continuous environmental monitoring, get a baseline, and then build from there.
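As an added illustration of the inventory-plus-baseline idea Victor describes (take stock of who holds privilege, then watch for drift), here is a small drift check written for this write-up, not code from Quest or from the episode. It assumes the privileged group memberships are exported on a schedule and compares today’s snapshot with an approved baseline; the group names are standard AD built-ins, but the member names and the `adm.`/`svc.` naming convention are constructed for the example.

```python
"""Flag drift in privileged AD group membership against an approved baseline."""
from dataclasses import dataclass

# Constructed sample data. In practice both dictionaries would be loaded from a
# scheduled export of the privileged groups (e.g., a CSV produced by an AD
# membership dump); they are inlined here so the example runs offline.
BASELINE = {
    "Domain Admins": {"CORP\\adm.alice", "CORP\\adm.bob"},
    "Enterprise Admins": {"CORP\\adm.alice"},
    "Schema Admins": set(),
}
CURRENT = {
    "Domain Admins": {"CORP\\adm.alice", "CORP\\adm.bob", "CORP\\svc.backup"},
    "Enterprise Admins": {"CORP\\adm.alice"},
    "Schema Admins": {"CORP\\adm.carol"},
    "Backup Operators": {"CORP\\svc.backup"},  # group nobody baselined yet
}


@dataclass(frozen=True)
class Finding:
    group: str
    member: str
    kind: str  # "added", "removed" or "untracked_group"


def diff_privileged_groups(baseline, current):
    """Return every membership change relative to the baseline, sorted by group."""
    findings = []
    for group in sorted(set(baseline) | set(current)):
        if group not in baseline:
            # A privileged group with no baseline is itself an inventory gap.
            for member in sorted(current[group]):
                findings.append(Finding(group, member, "untracked_group"))
            continue
        before, after = baseline[group], current.get(group, set())
        for member in sorted(after - before):
            findings.append(Finding(group, member, "added"))
        for member in sorted(before - after):
            findings.append(Finding(group, member, "removed"))
    return findings


def needs_review(finding):
    """Assumed convention: only 'adm.' accounts belong in privileged groups."""
    account = finding.member.split("\\")[-1]
    return finding.kind != "removed" and not account.startswith("adm.")


if __name__ == "__main__":
    for f in diff_privileged_groups(BASELINE, CURRENT):
        flag = "  <-- review" if needs_review(f) else ""
        print(f"{f.kind:15} {f.group:20} {f.member}{flag}")
```

Each run’s findings are the “outliers” to chase down; once a change is confirmed as intended, fold it into the baseline so the next run only surfaces new drift.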
I’ll be back in two weeks’ time with Paul Robichaux, and we’ll be joined by an upcoming TEC 2025 speaker. Until then, subscribe on iTunes, Spotify, or wherever you get your podcasts from.