Okay, I'm very happy to announce to you the talk "Security cannot be bought", held for you by Marides. She's a regular at CCC events since 2007 and she's a security engineer who's managing corporate IT. So Marides, the stage is yours.

Three years ago, I was lucky enough to start a new job in a company which, when it came to modern IT infrastructure, was a late bloomer: a family-run company in the business for over 70 years. So security didn't have a high value. Even IT only got higher importance in about 2010, imagine that. Luckily, luckily for me again, there was full management commitment on security when I started in that company.

Just to give you some numbers about the company right now: we have around 150 Windows servers and about 2000 Active Directory users, so it's not a small company anymore. Active Directory is a good keyword today. In this talk we will solely focus on Windows Active Directory environments, but some parts could be interesting for non-Active-Directory environments as well.

When it comes to security requirements, we have to imagine a scale. On one end of the scale there are banks, high-tech industry, electricity suppliers. But on the other end of that scale there are small and medium enterprises, the digital enterprises, low-tech companies or family-run companies. Today we will focus on the first third of that scale, the low-tech industry companies, because their requirements are way different from the high-tech industry companies. And as I have worked in such a company for three years, I want to share my knowledge gained in these three years with you today.

First we need to define what the threat is we protect ourselves from, and in these types of companies it's not targeted industrial sabotage, because, to be honest, we would have no chance at all.
No chance. What we protect these companies from is shotgun attacks, mainly in the form of automated malware.

Can't we just install a super fancy security solution, or two or three, and then we are safe? No. Unfortunately, we have limited resources, and these super fancy solutions need both people and money. In these types of companies there isn't even one full-time employee responsible for security, and money sometimes is an issue as well.

I am a passionate climber, and when I'm in front of a wall like this, sometimes I cannot see a way through. It seems impossible for me to climb, and the same goes for tech measures to improve security. There is so much information nowadays that it's a curse and a blessing: there's Reddit, blogs, conferences. So you stand in front of your IT environment, that's that wall, and you've got a zillion ideas in your head, but you just don't know where or how to start. Today in this talk I want to share the knowledge, or want to show you a path through that wall.

So here are three sections we want to climb together today: that's people, organization and, of course, tech measures.

Let's start with people first. Why people? Because behind those Windows Active Directory user accounts are people. The colleagues you work with are people, your customers are people. And I know it's very, very, very tempting: something happened again, a company got hacked, millions of credit card records leaked. That's what you want to do, right? Facepalm. The thing is, security people tend to believe everyone else is stupid, incompetent, sleazy, lazy, whatever. But it doesn't matter if it's because of missing knowledge, missing technology or even laziness, because in the end you are responsible for the security in your company. You're responsible for your company not getting hacked. And how do you think a sysadmin will feel if you facepalm at him, if you blame him? Will he enjoy working with you? Will he even come up with his own ideas?
Or will he rather play hide-and-seek with you? So, honestly, stop complaining. Complaining is not acting, and not acting is not taking responsibility, and not taking responsibility is failing. That's all there is to say.

To add a little practical example of what I mean with that: imagine you want to introduce LAPS in your company. Probably some of you already have it, the Local Administrator Password Solution, where there's a different password for each client and it resets automatically. So imagine you would have one password for all your clients and you can be the admin there; it's maybe not that good. So you could go to your sysadmins and command that LAPS needs to be installed. Or maybe you could talk to them, listen to them, and they probably understand the necessity behind it if you explain it to them, because sometimes it's just missing knowledge. But what they see is: you cannot copy the password from the LAPS UI to a password request in Windows. When secure desktop is enabled, you can see it's black, you can't do this. But once you disable secure desktop, that's possible. Unfortunately, that's not the password dialogue, but just imagine one. The question here is now: will we disable secure desktop? We lose a security feature. Or would we keep it? If we disabled secure desktop, we then could get LAPS and have the full support of all the tech guys. What would you choose?

When it comes to people and working together with people, we need to visualize what we want with them. Do you want to work in the 1950s Henry Ford assembly line, where you just do one task the whole time? Or would you prefer to work in a modern Japanese assembly line, where you work together with your colleagues, where you can bring up your own ideas?
In the next part we're going to talk about how to introduce this Japanese assembly line in our security organization. When we think about our security organization, there are two requirements we need to fulfill: number one, see the overall process, like in the assembly line, and number two, have goals and have an end in mind. See, and that's the same: security never has an end, right? It's a continuous process, it goes on forever. But that's not a concept you can sell. People don't work like this. We want tasks, you want to complete the task, you want to go home and be happy that you achieved something today. So our job here is to create these achievement moments. How do we do that? Here are three suggestions.

Number one: make the current status visible. This means create statistics, meaningful statistics. Here's an example: total vulnerabilities in the Windows server environment. You can see how this goes down. Make a common goal, like it always must be below 500, whatever.

Number two: create brick programs, make the goals visible. For example, we wanted to improve Windows environment security, so we drew these fancy little bricks. There were goals behind that, things we wanted to discuss, and once it's done, in both colors, print that out. You can put it somewhere in the office; it's made visible.

Number three: at one point you probably already have a lot of ideas, at best not only yours, but also from your colleagues or your boss, and you need to prioritize them, because you can never do all of them. But before you prioritize them, you need to collect them and group them. What we use there is called Redmine; that's actually from software development. So we have several ideas, collect them, and we would also rate them. You can see it on the right side, like feasibility and effectiveness. Unfortunately, this is not a talk about risk management.
So I just added a link on how we do that at the end of the slides. For this part, prioritization is the key, and that all comes up in three steps, which are building up on each other: past, present and future. In the past you see what you did, the current status. The brick programs define what you do now, your goals. And the idea repository is your future, what you want to do.

Let's climb our last section together. When I talk about tech in Windows Active Directory environments, an attack that's used very often is either pass-the-hash or pass-the-ticket. It means you don't try to steal a password; you try to steal a password hash or a Kerberos ticket from the authentication process. So the first core principle to defend against this is the three-tier model. That's also published and very well documented by Microsoft. So what you do is you split your assets into three different levels, sometimes more. Typically, these levels would be tier zero, your domain controllers; tier one, your servers; and tier three, your admin clients or clients. On each level you have a user. So you don't only have one user, you have two, three, four, five users. And the next step is you restrict access. So this is the technical implementation of the need-to-know principle that's so often in security management: a tier zero admin cannot log in on a tier one or tier two device.

Because these core principles are, of course, not the only thing we can do, I prepared some quick wins I believe are easy to implement and do not cost anything. These are my three favorite ones when it comes to free tools. Use delegation. There's Account Operators; it's a group in Active Directory where you can add and remove group membership, and because permissions are often given by Active Directory groups, that's a sensitive group. You could use delegation instead, best done with PowerShell. There's a GUI, but PowerShell is better.
So let's say that an admin from a specific country or branch can just work on specific OUs to add or remove membership.

PowerShell Constrained Language Mode: PowerShell is often used in attacks. What you can do with a GPO is that PowerShell cannot execute all commands. But of course, this is only a small security improvement, because that can be reversed. But against malware, that's a very good start.

And the third one, it has the biggest bar: reduce membership in high-privilege groups. That's a task that has no end and no goal. Administrators, Enterprise Administrators, Schema Administrators, STTM Administrators: check these groups all the time.

There are four more I just want to quickly note, not talking about them because 20 minutes is not enough. Maybe passwords in group policy preferences is something, just quickly: in group policy preferences there are sometimes clear-text passwords. With a script you can just check that regularly. Of course, password manager and password policy is nothing new, but it's easy and it's free.

There are also so-called trackable quick wins, because many companies don't have a security SIEM, because that's expensive. But you can build up your own security monitoring, and there are five trackable quick wins that I believe are nice. What we do is we have scheduled tasks, and these execute a PowerShell script. For example, we check if the SSL certificates are running out. We check if users are added to these previously mentioned high-privilege groups. If a domain admin logs in, because I believe nobody needs to be domain admin, so I want to know when somebody uses his domain admin. I also gave up my domain admin before Christmas. There are sometimes passwords in Active Directory description fields, because that's convenient, right?
And of course, if a new admin is added to a local client or server, because we don't want that.

If you have a little bit more time, follow them. Reduce Java and Flash; of course no client and no server needs Flash anymore. It's actually going to die at the end of 2020. Java should just be installed on request. Of course the SMB versions and the encryption, as well as the database connections: you just have to check them all the time, what's going on.

Where are the passwords, password hashes? That's one close to my heart, I'm sure about that one. For accounts, there's five or six different types where I can limit what can be done or how that account can be used. So for users, I believe only log on locally should be allowed; RDPing or running a scheduled task or service is unnecessary. For admins, I could imagine that logging on through RDP should be allowed as well. And for service accounts, these are used as service accounts, so these should just be allowed to run services or batch jobs, which is a scheduled task. Of course, every service account is different, so you need to define it for each account.

The three last ones are the most important ones. We already talked about LAPS. The gMSA is a group managed service account. We want to get rid of these normal service accounts: there's one password for the account, never changed, it's set to never expire, and everybody knows it. Sometimes these service accounts are even domain admins. So what you can do is use this group managed service account, where the password is managed by Active Directory and nobody knows it anymore, and it also gets changed regularly. Or, if you can't do that, reduce permissions: do these logon restrictions, logon times. So we have about ten percent group managed service accounts, and we are kind of in a class Capit and can't really find more to switch.

What's the most important?
The most important measure after that core principle should actually look like this: because if you use smart cards, so many attacks don't work anymore, especially for admins. The thing is, that's almost the only measure which is not for free. But a modern smart card costs about $40, so even if you have 20, 30, 50 people in that tier, that's very, very affordable. And with Windows it's a charm to roll out: you just install it and it's just usable.

At the end of the day, and the end of the talk, we always need to ask ourselves: did we do the right thing? And how do we know if we did the right thing? Let's go full circle again and listen to the people. For me, we did the right thing when somebody puts himself on that security train, like one of my colleagues who wrote that email where he said: I just removed the last Windows XP machine. And I didn't tell him to do that. He was just really, really proud and he sent out this email, and I have 10, 15 printed emails like this on my desk in the office. A second one, which I really, really enjoyed, by another colleague: I told you we have this monitoring where we get alarmed when there's a new admin in local admin. So that guy found that out and contacted the guy who is responsible in that country and said: why is there a local admin? Please explain it to me. We don't accept local admins. And I just love what language he used for this. You know, we just created this monitoring, and it's so nice to see how people actually use it in day-to-day use.

So the talk is over. Just to sum it up, what are the three ideas we have? When we talk about people, we should stop complaining and start listening. When we talk about organization, we say make it visible. And when we talk about tech, the key is prioritization. Thank you.

Thank you, Marius, for your talk. So unfortunately, we don't have time for questions for this talk. So as always
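The "trackable quick wins" monitoring described in the talk (scheduled task running a PowerShell script: expiring certificates, new members of high-privilege groups, domain admin logons, passwords in AD description fields, new local admins), written out as an added example by the editor. It is not the speaker's script and not part of the talk. It assumes Windows PowerShell 5.1 on a domain-joined host with the ActiveDirectory RSAT module; the group list, the baseline and log file paths, the 30-day certificate threshold and the local-admin allow-list are assumptions to adjust for your environment.

```powershell
# Added example, not the speaker's own script. Run from a scheduled task once a day.
# Assumes: Windows PowerShell 5.1, ActiveDirectory RSAT module, domain-joined host.
Import-Module ActiveDirectory

$BaselinePath = 'C:\SecMon\privileged-baseline.xml'   # assumed path; stores last run's membership
$LogPath      = 'C:\SecMon\findings.log'              # assumed path; the "alarm" trail
$CertWarnDays = 30                                    # assumed threshold
$PrivGroups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
$AllowedLocalAdmins = @('Administrator', 'Domain Admins')   # assumed allow-list for local Administrators
$Findings = New-Object System.Collections.Generic.List[string]

# 1. SSL/TLS certificates in the machine store that are about to run out.
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays($CertWarnDays) } |
    ForEach-Object { $Findings.Add("Certificate expiring $($_.NotAfter.ToShortDateString()): $($_.Subject)") }

# 2. Users added to high-privilege groups since the last run (nested membership resolved).
$Current = @{}
foreach ($g in $PrivGroups) {
    $Current[$g] = @(Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName)
}
if (Test-Path $BaselinePath) {
    $Baseline = Import-Clixml -Path $BaselinePath
    foreach ($g in $PrivGroups) {
        $known = @($Baseline[$g])
        foreach ($m in $Current[$g]) {
            if ($known -notcontains $m) { $Findings.Add("New member of '$g': $m") }
        }
    }
}
$Current | Export-Clixml -Path $BaselinePath   # today's membership is tomorrow's baseline

# 3. Domain admin logons in the last 24 hours on this host (event 4624; Properties[5] is TargetUserName).
#    On a member server this catches admins logging on where they should not; run on DCs for the full picture.
$Since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = $_.Properties[5].Value
        if ($Current['Domain Admins'] -contains $user) {
            $Findings.Add("Domain admin logon: $user at $($_.TimeCreated)")
        }
    }

# 4. Passwords left in the Description field of AD accounts (crude keyword match, expect some noise).
Get-ADUser -Filter * -Properties Description |
    Where-Object { $_.Description -match '(?i)\b(pass(word|wd)?|pw|kennwort)\b\s*[:=]?\s*\S+' } |
    ForEach-Object { $Findings.Add("Possible password in description: $($_.SamAccountName)") }

# 5. Unexpected members of the local Administrators group on this host.
Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object {
        $short = $_.Name -replace '^.*\\', ''      # strip DOMAIN\ or HOST\ prefix
        if ($AllowedLocalAdmins -notcontains $short) { $Findings.Add("Unexpected local admin: $($_.Name)") }
    }

# Report: append to the log file; a mail to the responsible admin can be hooked in here.
if ($Findings.Count -gt 0) {
    $stamp = (Get-Date).ToString('s')
    $Findings | ForEach-Object { Add-Content -Path $LogPath -Value "$stamp $env:COMPUTERNAME $_" }
    # Send-MailMessage -To 'secteam@example.com' -From 'secmon@example.com' -Subject 'SecMon findings' `
    #     -Body ($Findings -join "`n") -SmtpServer 'smtp.example.com'   # assumed addresses
}
```

The first run only records the baseline, so the group-membership check starts reporting from the second run. Checks 1, 3 and 5 are per host, so the script belongs on every server you care about, while checks 2 and 4 query the domain and only need to run once.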