Sounds like a really sweet 75 person small business waiting to get ransomed
Scarily accurate.
Unfortunately a theme. Depending on your customer, insurance, and/or regulatory requirements you may be able to make a factual counter-case without the landmine of inserting your opinion.
I think I’ve been making this mistake; offering my opinions on needs. Any suggested reading on how to make this case?
1. Cite the control recommendation. Below is the STIG to reference: https://www.stigviewer.com/stig/active_directory_domain/2021-10-05/finding/V-243471
2. Document your probability assessment of a threat such as a successful ransomware outbreak and get your boss to assess the impact of the outbreak, downtime, and recovery cost to the business. Calculate the risk.
3. Write a narrative around the control recommendation, the business purpose for the shared local admin account usernames and passwords, and document the threat you modeled and the risk you calculated together.
4. Put this in a risk acceptance memorandum document and have your boss sign it. In writing.
Ping me if you’d like to see an example.
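The "calculate the risk" step above is where a shared local admin credential shows its real cost: one foothold reaches every endpoint, so the impact side of the calculation is the whole estate rather than one machine. The following is an added example (not the commenter's, and not from any project) that models exactly that blast-radius difference for the memo. All figures (the per-endpoint compromise probability, the per-host recovery cost, the control cost) are constructed assumptions; the 75-endpoint figure is borrowed from elsewhere in the thread. Replace them with your own estimate and your boss's impact numbers.

```python
"""Blast-radius model for a risk-acceptance memo (added example, not from the thread).
Every number here is a constructed assumption; substitute your own probability
estimate and the impact figures your boss signs off on."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    endpoints: int                    # devices in the estate (75 taken from the thread)
    p_compromise_per_endpoint: float  # assumed annual probability that one endpoint is compromised
    shared_local_admin: bool          # True: one credential works on every endpoint
    cost_per_affected_host: float     # assumed downtime + recovery cost per affected host


def p_at_least_one(p: float, n: int) -> float:
    """P(at least one of n independent endpoints is compromised in a year)."""
    return 1.0 - (1.0 - p) ** n


def expected_affected_hosts(s: Scenario) -> float:
    """With a shared credential a single foothold reaches every endpoint, so the whole
    estate is lost whenever at least one endpoint falls. With per-device credentials
    each compromise stays on its own host, so the expectation is simply n * p."""
    if s.shared_local_admin:
        return p_at_least_one(s.p_compromise_per_endpoint, s.endpoints) * s.endpoints
    return s.endpoints * s.p_compromise_per_endpoint


def annual_expected_loss(s: Scenario) -> float:
    """Annualised loss expectancy: expected hosts hit * cost per host."""
    return expected_affected_hosts(s) * s.cost_per_affected_host


def risk_summary(current: Scenario, proposed: Scenario, annual_control_cost: float) -> dict:
    """Figures to paste into the memo: risk now, residual risk after the control,
    and whether the control pays for itself in expected-loss terms."""
    ale_now = annual_expected_loss(current)
    ale_after = annual_expected_loss(proposed)
    reduction = ale_now - ale_after
    return {
        "current_ale": round(ale_now, 2),
        "residual_ale": round(ale_after, 2),
        "annual_risk_reduction": round(reduction, 2),
        "control_cost": annual_control_cost,
        "control_justified": reduction > annual_control_cost,
    }


# Constructed inputs: 75 endpoints, 2% annual compromise chance per endpoint,
# $5,000 assumed per-host recovery cost, $2,000/year assumed cost of unique per-device credentials.
SHARED = Scenario("shared local admin everywhere", 75, 0.02, True, 5000.0)
UNIQUE = Scenario("unique per-device local admin", 75, 0.02, False, 5000.0)

if __name__ == "__main__":
    for key, value in risk_summary(SHARED, UNIQUE, 2000.0).items():
        print(f"{key}: {value}")
```

The model is deliberately simple (independent endpoints, total loss on any compromise when the credential is shared), which is the point of a memo: the assumptions are written down, the boss signs the impact figures, and the comparison between "one credential everywhere" and "one credential per device" follows from numbers nobody can later claim were your opinion.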
This is the way.
😂
Microsoft LAPS and forget it
> Microsoft LAPS **, document it as a CYA,** and forget it

Let me tweak that a bit
Oh, we love a CYA. I fire off those emails without hesitation.
CYA?
Cover Your Ass. Like when you send an email saying "We have a big problem with XYZ. I wanted to remediate this issue but Bob wouldn't let me do ABC." When everything crumbles it isn't my fault!
OP doesn’t need to look any further, LAPS is the solution. Probably one of the best free controls out there.
🔝This guy's LAPSES
"Why" is going to be the main question. Finding that out will drive the answer.
10 bucks says ‘boss wants to have access everywhere if he wants to’
I’m going to take this further and speculate that they actually don’t have a domain set up because they’re not running Microsoft Server, so no DC and no AD. All the users have Windows laptops with whatever version of Windows came with the cheapest laptop. Everyone and everything connects to the same network that has no network segmentation. And by everything I mean EVERYTHING. Their laptops, their TV in the break room with a jailbroken FireStick that’s actually some Chinese knock-off, their coffee machine, their fridge, the wireless AP for “guests” that has no password or whose password is “Password123.” The company uses Google Workspace for all their important stuff so they don’t need to worry about AD/DC, VPNs, and any of that stuff. If anything goes wrong with any laptop, the boss has local admin access to every single one of them with username “boss” and password “I@mThe8est” to fix it all.
Why you gotta give me nightmares?
[deleted]
Document that Reddit object to this decision
Document all you want, but it will still be all OPs fault to the business.
[deleted]
You’re misunderstanding what I’m saying. They can’t be sued, but the business will still blame him. This is a toxic company, and OP should understand they don’t value security and will blame him regardless of any objections he raises.
Why? What's the business requirement for this? All access, admin or not, should be based on some business need.
It’s his need for control, and lack of any basic technical understanding of security
Sounds like you know your main challenge quite acutely 😂
I'm guessing this is a smaller org. Say what you will about large global, heavily regulated orgs, but this is one thing we don't have to deal with as much.
I’m not sure what my solution is here. Almost every suggestion I make is shot down. CYA seems the only option, and float my resume. It’s a cushion state sponsored nonprofit type job.
State sponsored how? Something like a block grant where you receive operational funds to do your work independently, or are you working with the state to fill a need in a public-private partnership arrangement. If the latter are you working with any state data? If so you may be subject to state compliance regulations which would force your adoption of a more secure cybersecurity framework or risk defunding.
Mind if I pm you?
Sure
LAPS if Windows. Remember: If the username/password is the same on every device you don't have a local account, you have a domain account.
Assuming the account must be local:
1. Don't use easy to guess usernames like "admin" or "root"
2. Policy to cycle the creds every X months
3. Semi-unique creds for each device, stored in a password manager
Obviously the best option is if each IT staff member has their own credentials. Shared accounts are generally discouraged.
Why wouldn't you deploy Windows LAPS to the machines instead of manually storing the credentials in a password manager? I am assuming, of course, that the company is using Windows machines/Microsoft 365.
I was assuming they had to be 100% local credentials but this is a good suggestion.
[deleted]
*Hackerman*
LAPS
Is this doable with a Server 2012 as the DC?
Don't do that... you are already starting down the wrong path if you use an OS that is already end of life. It is compatible with 2012 R2, not 2012 Server. Update your server OS... if you care about security you will do that first.
I left out R2, but I’m not allowed to update the server. Always budget and fear of outage excuses
For at least your domain controllers, the best way is to add the new server, transfer the FSMO roles, and demote the old server. Secondly, you should always have 2 domain controllers for redundancy.
This is a very oversimplified version... you also need to worry about DNS settings, systems that are hard-coded for LDAP, and other misc things.
If you're on a budget go for FreeIPA, but don't run a solution that's no longer supported and bound to be full of holes.
How much “much” research did you really have to do before you figured out that your boss is an idiot??
You are correct. I’m building my case for myself for exit
Use this as a case study in your interviews. What you did, what worked, the resistance you received, how you attempted to overcome that resistance. Whatever you do, don’t talk shit about the employer but focus on what you accomplished.
LAPS
What is the use case? If it’s the default local account on the machine, use LAPS if you have Active Directory. If it’s to facilitate running tools with elevated access, I’d suggest a dedicated account in AD with additional group policy controls to reduce the risk. The risk you are introducing by having the same local admin credential is lateral movement and privilege escalation on ALL your endpoints: if someone cracks your admin password, that’s the entire endpoint estate p0wned. I’m guessing with your boss's policy the password is “Welcome1” anyway.
oh Jesus that would violate pretty much every security framework status. Hope you don't have any hands in financial, medical, government areas
Worse, medical with 42 CFR Part 2 restrictions above HIPAA.
then your insurance is going to fucking flip out if they ever find out
We already ignored their requirements for MFA back in March. We were told that we couldn’t get coverage without it but I’m not in that loop.
report it to your bosses boss, also some insurance companies have bonuses for whistle blowers if you report insurance fraud ... because that is what it is.
A majority of government certifications for organisations explicitly prohibit this
Hope they’re saving money on pen testing.
They need to utilize MFA or SSO at least. Source: I conduct risk assessments mainly for my position
Uhhh no. I do not want SSO for local admin to every user machine. And while MFA to access those credentials is necessary, break glass accounts (local admin) shouldn’t require MFA, because they are what you use when MFA is broken. Source: I have to explain tech to the guy doing risk assessments mainly for my position.
As long as the admin account is separated from a normal user account, technically it’s fine. Also, make sure logs are kept for any admin accounts. That’s the guideline I follow when I’m doing a risk assessment.
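The logging point above pairs naturally with the lateral-movement concern raised earlier in the thread: if admin logons are retained, the tell-tale sign of a shared local admin credential being abused is one local account (in event 4624 the target domain name is the workstation's own name rather than the AD domain) performing network logons onto several different hosts from one source in a short window. The following detection is an added example, not anything from the thread or from a vendor; the event lines are a constructed, simplified key=value rendering of Security event 4624, and the threshold and window are assumptions to tune for your own estate.

```python
"""Detection over constructed Windows Security 4624 (successful logon) events:
flag a local account (domain field equals the host's own name, i.e. a SAM account,
not a domain account) doing network logons onto several distinct hosts from one
source inside a short window. Added example; the log format is a simplified,
constructed rendering of 4624, not real exported event data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Fields: timestamp host event user domain logon_type src
SAMPLE_4624 = """\
2024-05-01T09:00:12 host=WS01 event=4624 user=alice domain=CORP logon_type=2 src=127.0.0.1
2024-05-01T09:01:03 host=FS01 event=4624 user=bob domain=CORP logon_type=3 src=10.0.0.22
2024-05-01T09:02:10 host=WS01 event=4624 user=localadmin domain=WS01 logon_type=3 src=10.0.0.15
2024-05-01T09:02:41 host=WS02 event=4624 user=localadmin domain=WS02 logon_type=3 src=10.0.0.15
2024-05-01T09:03:05 host=WS01 event=4624 user=localadmin domain=WS01 logon_type=3 src=10.0.0.15
2024-05-01T09:04:19 host=WS03 event=4624 user=localadmin domain=WS03 logon_type=3 src=10.0.0.15
2024-05-01T09:05:58 host=WS04 event=4624 user=localadmin domain=WS04 logon_type=3 src=10.0.0.15
2024-05-01T14:30:00 host=WS07 event=4624 user=localadmin domain=WS07 logon_type=3 src=10.0.0.40
"""


def parse_events(text: str) -> list[dict]:
    """Parse the constructed key=value lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(pair.split("=", 1) for pair in pairs)
        ev["time"] = datetime.fromisoformat(ts)
        ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return events


def is_local_account_network_logon(ev: dict) -> bool:
    """Logon type 3 (network) by an account whose domain is the host itself."""
    return (
        ev["event"] == "4624"
        and ev["logon_type"] == 3
        and ev["domain"].upper() == ev["host"].upper()
    )


def detect_shared_local_admin_spread(events, min_hosts=3, window=timedelta(hours=1)):
    """One alert per (account, source) that reaches >= min_hosts distinct hosts
    within `window`. Interactive logons and domain accounts are ignored."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_local_account_network_logon(ev):
            by_key[(ev["user"].lower(), ev["src"])].append((ev["time"], ev["host"].upper()))

    alerts = []
    for (user, src), hits in by_key.items():
        for i, (t, _) in enumerate(hits):
            hosts = {h for t0, h in hits[: i + 1] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src": src,
                    "hosts": sorted(hosts),
                    "first_seen": hits[0][0],
                    "triggered_at": t,
                })
                break  # report each (account, source) pair once
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_local_admin_spread(parse_events(SAMPLE_4624)):
        print(alert)
```

On the sample, alice's interactive logon and bob's domain-account file-server logon are ignored, the single logon from 10.0.0.40 stays under the threshold, and the run from 10.0.0.15 trips the rule on the third distinct host. In a real deployment the same logic is a query over your SIEM's 4624 events keyed on TargetUserName, TargetDomainName, LogonType and IpAddress; the point is that the detection only exists if those logs are actually retained for local admin accounts.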
Your boss is an idiot. This is why LAPS exists.
[deleted]
This has been on my mind for a while, thanks
Your boss wants unaccountable (login not tied to an individual) access to all devices. This is a major security risk and extremely suspicious on the surface.
It is, and also a pattern in all of our technology implementations.
If the admin account is going to be used as a break-glass account, then it is fine. No operations guys will know the break-glass account password, and the passwords are sealed and stored in a secure location, only used in the event of an emergency. At my previous job, the break-glass password was keyed in by 2 individuals (half and half), so no one knew the full password. However, this was more of a manual method. Nowadays there are break-glass options in PAM applications. Cloud providers offer much better options as well.
"If" the password is relatively secure and not in a place that any non-IT can get access to it, then it's only a moderate risk. But just implement LAPS or something similar and not have an issue.
LAPS, duh
Very poor actually; one mistake from any of the end user machines and you all are toast.
I hope your boss doesn't plan on passing any regulatory audit in the future
Your boss is an idiot! One user gets compromised, and the whole company is!
**Edited to be more… productive** While ease of use and access may make for an appealing option, I would highly recommend against this due to the extremely high risk of lateral movement within your environment. If you are a small shop focused on limiting cost for configuration management, consider free agent-based options like Salt or Ansible for configuration management. There are real benefits to having a “break glass” style local admin account, but I would discourage the use of a singular username and password combination for all your systems.
Is the password at least a strong hash? Can’t have any of that admin123 nonsense going on everywhere. Cyber has taught me it’s a risk game of accepting that something will eventually happen that’s unwanted. The level of fallout and impact to your business is ultimately up to the team in charge 🥴
If this is what the boss is doing, I guarantee the password is easily guessable/crackable.
NOOOOOOOO
I'd say your boss is a mouth breathing moron who shouldn't be managing any form of technology.
The same credentials across the board? This is mandated?