0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/1391 Thanks!
1 00:00:20,440 --> 00:00:22,539 OK. I'm very happy to announce to
2 00:00:22,540 --> 00:00:24,609 you the talk "Security
3 00:00:24,610 --> 00:00:26,739 cannot be bought", held for you
4 00:00:26,740 --> 00:00:27,699 by monitors.
5 00:00:27,700 --> 00:00:29,739 She's a regular at CCC events since
6 00:00:29,740 --> 00:00:32,199 2007, and she's a security
7 00:00:32,200 --> 00:00:34,539 engineer who's managing a corporate
8 00:00:34,540 --> 00:00:36,729 IT, so she knows the status quo.
9 00:00:45,180 --> 00:00:47,699 Three years ago, I was lucky enough
10 00:00:47,700 --> 00:00:50,189 to start a new job in a company
11 00:00:50,190 --> 00:00:51,809 which, when it came to modern IT
12 00:00:51,810 --> 00:00:53,929 infrastructure, was a late bloomer:
13 00:00:55,020 --> 00:00:57,449 a family-run company, in the business
14 00:00:57,450 --> 00:00:58,860 for over 70 years,
15 00:00:59,880 --> 00:01:02,099 so security didn't have a high
16 00:01:02,100 --> 00:01:03,359 value.
17 00:01:03,360 --> 00:01:04,979 Even IT itself
18 00:01:04,980 --> 00:01:07,109 only got higher importance in about
19 00:01:07,110 --> 00:01:08,189 2010.
20 00:01:08,190 --> 00:01:09,190 Imagine that.
21 00:01:10,980 --> 00:01:14,009 Luckily, luckily for me again,
22 00:01:14,010 --> 00:01:16,259 there was full management commitment on
23 00:01:16,260 --> 00:01:18,390 security when I started in that company.
24 00:01:22,490 --> 00:01:24,019 Just to give you some numbers about the
25 00:01:24,020 --> 00:01:26,719 company: right now, we have around 150
26 00:01:26,720 --> 00:01:28,009 Windows servers
27 00:01:28,010 --> 00:01:30,769 and about 2000 Active Directory
28 00:01:30,770 --> 00:01:31,729 users.
29 00:01:31,730 --> 00:01:33,859 So it's not a small company anymore.
30 00:01:33,860 --> 00:01:36,199 Active Directory is a good keyword
31 00:01:36,200 --> 00:01:38,599 today. In this talk, we will solely
32 00:01:38,600 --> 00:01:41,389 focus on Windows Active Directory
33 00:01:41,390 --> 00:01:42,559 environments.
34 00:01:42,560 --> 00:01:44,629 But some parts could be interesting for
35 00:01:44,630 --> 00:01:46,729 non-Active Directory environments as
36 00:01:46,730 --> 00:01:47,730 well.
37 00:01:49,190 --> 00:01:51,949 When it comes to security requirements,
38 00:01:51,950 --> 00:01:54,259 we have to imagine a scale.
39 00:01:54,260 --> 00:01:56,569 On one end of the scale,
40 00:01:56,570 --> 00:01:58,669 there are, like, banks, high-tech
41 00:01:58,670 --> 00:02:02,059 industry, electricity suppliers.
42 00:02:02,060 --> 00:02:05,119 But on the other end of the scale,
43 00:02:05,120 --> 00:02:07,789 there are small and medium enterprises,
44 00:02:07,790 --> 00:02:09,888 that is, small enterprises,
45 00:02:09,889 --> 00:02:11,989 low-tech companies or family-run
46 00:02:11,990 --> 00:02:13,219 companies.
47 00:02:13,220 --> 00:02:15,349 And today we will focus on the first
48 00:02:15,350 --> 00:02:17,599 third of the scale, for
49 00:02:17,600 --> 00:02:19,669 low-tech industry companies, because
50 00:02:19,670 --> 00:02:21,799 their requirements are way
51 00:02:21,800 --> 00:02:24,229 different from those of high-tech industry
52 00:02:24,230 --> 00:02:25,230 companies.
53 00:02:25,850 --> 00:02:27,709 And as I have worked in such a company
54 00:02:27,710 --> 00:02:29,629 for three years, I want to share the
55 00:02:29,630 --> 00:02:32,029 knowledge I gained in this industry with you
56 00:02:32,030 --> 00:02:33,030 today.
57 00:02:35,320 --> 00:02:37,479 First, we need to define what is the
58 00:02:37,480 --> 00:02:39,370 threat we protect ourselves from.
59 00:02:40,690 --> 00:02:42,879 And in this type of companies, it's
60 00:02:42,880 --> 00:02:45,249 not targeted
61 00:02:45,250 --> 00:02:47,409 industrial sabotage, because, to be
62 00:02:47,410 --> 00:02:49,689 honest, we would have no chance
63 00:02:49,690 --> 00:02:51,999 at all. No chance.
64 00:02:52,000 --> 00:02:54,429 What we protect these companies from
65 00:02:54,430 --> 00:02:56,729 is shotgun attacks, mainly
66 00:02:56,730 --> 00:02:58,479 in the form of automated malware.
67 00:03:01,240 --> 00:03:03,459 Can't we just install
68 00:03:03,460 --> 00:03:05,679 a super fancy security solution,
69 00:03:05,680 --> 00:03:07,869 or two or three, right, and then
70 00:03:07,870 --> 00:03:09,179 we're safe?
71 00:03:09,180 --> 00:03:11,349 No. Unfortunately,
72 00:03:11,350 --> 00:03:13,539 we have limited resources, and these
73 00:03:13,540 --> 00:03:15,349 super fancy solutions,
74 00:03:15,350 --> 00:03:17,589 they need both people
75 00:03:17,590 --> 00:03:18,590 and money.
76 00:03:19,510 --> 00:03:21,849 And in these types of companies,
77 00:03:21,850 --> 00:03:24,009 there isn't even one
78 00:03:24,010 --> 00:03:26,559 full-time employee responsible
79 00:03:26,560 --> 00:03:27,729 for security.
80 00:03:27,730 --> 00:03:29,859 And also money sometimes is
81 00:03:29,860 --> 00:03:30,860 an issue.
82 00:03:33,160 --> 00:03:36,009 I am a passionate climber,
83 00:03:36,010 --> 00:03:38,409 and when I'm in front of a wall like this,
84 00:03:40,150 --> 00:03:42,429 sometimes I cannot see a way through.
85 00:03:42,430 --> 00:03:45,429 It seems impossible for me to climb.
86 00:03:45,430 --> 00:03:47,289 And the same goes for taking measures to
87 00:03:47,290 --> 00:03:48,290 improve security.
88 00:03:49,780 --> 00:03:52,209 There is so much information nowadays
89 00:03:52,210 --> 00:03:54,339 that comes in, like
90 00:03:54,340 --> 00:03:57,219 Reddit, blogs, conferences.
91 00:03:57,220 --> 00:03:59,199 So you stand in front of your IT
92 00:03:59,200 --> 00:04:01,569 environment, that's the wall,
93 00:04:01,570 --> 00:04:03,339 and you've a bazillion ideas in your
94 00:04:03,340 --> 00:04:04,329 head.
95 00:04:04,330 --> 00:04:06,489 But you just don't know where to
96 00:04:06,490 --> 00:04:07,659 start.
97 00:04:07,660 --> 00:04:09,879 And today in this talk, I want to share
98 00:04:09,880 --> 00:04:12,369 the knowledge. I want to show you a path
99 00:04:12,370 --> 00:04:13,370 through that wall.
100 00:04:16,560 --> 00:04:18,958 So here are the sections we want to climb
101 00:04:18,959 --> 00:04:21,209 together today: it's people,
102 00:04:22,320 --> 00:04:23,459 organization,
103 00:04:23,460 --> 00:04:25,230 and of course technical measures.
104 00:04:27,000 --> 00:04:28,709 Let's start with people first.
105 00:04:28,710 --> 00:04:29,879 Why people?
106 00:04:29,880 --> 00:04:32,099 Because behind those
107 00:04:32,100 --> 00:04:34,379 Active Directory user accounts are
108 00:04:34,380 --> 00:04:36,599 people. The colleagues you work
109 00:04:36,600 --> 00:04:38,429 with are people.
110 00:04:38,430 --> 00:04:40,740 Your customers are people.
111 00:04:43,430 --> 00:04:45,529 I know it's very,
112 00:04:45,530 --> 00:04:48,469 very, very tempting.
113 00:04:48,470 --> 00:04:50,479 Something happened again.
114 00:04:50,480 --> 00:04:52,579 A company got hacked, millions of credit
115 00:04:52,580 --> 00:04:54,679 card data records leaked.
116 00:04:54,680 --> 00:04:55,589 That's what you want to do:
117 00:04:55,590 --> 00:04:56,590 facepalm.
118 00:04:57,980 --> 00:04:58,980 The thing is,
119 00:05:00,740 --> 00:05:02,839 security people tend to
120 00:05:02,840 --> 00:05:05,029 believe everyone else is stupid,
121 00:05:05,030 --> 00:05:07,339 incompetent, sleazy, lazy,
122 00:05:07,340 --> 00:05:08,340 whatever.
123 00:05:09,080 --> 00:05:11,329 But it doesn't matter if it's because
124 00:05:11,330 --> 00:05:13,669 of missing knowledge, missing
125 00:05:13,670 --> 00:05:16,369 technology or even
126 00:05:16,370 --> 00:05:18,499 laziness, because in
127 00:05:18,500 --> 00:05:20,599 the end you
128 00:05:20,600 --> 00:05:22,429 are responsible for the security in your
129 00:05:22,430 --> 00:05:24,589 company. You're responsible
130 00:05:24,590 --> 00:05:27,109 for your company getting hacked.
131 00:05:27,110 --> 00:05:29,269 And how do you think a sysadmin
132 00:05:29,270 --> 00:05:31,519 will feel if you facepalm him,
133 00:05:31,520 --> 00:05:32,520 if you blame him?
134 00:05:34,780 --> 00:05:37,039 Will he truly work with you,
135 00:05:37,040 --> 00:05:39,019 will he even come up with his own
136 00:05:39,020 --> 00:05:40,020 ideas?
137 00:05:40,610 --> 00:05:42,769 Or will he rather play hide and seek
138 00:05:42,770 --> 00:05:43,770 with you?
139 00:05:46,490 --> 00:05:47,490 So.
140 00:05:49,860 --> 00:05:51,509 Honestly.
141 00:05:51,510 --> 00:05:52,510 Stop complaining.
142 00:05:54,240 --> 00:05:56,669 Complaining is not acting,
143 00:05:56,670 --> 00:05:58,199 and not acting is not taking
144 00:05:58,200 --> 00:06:00,239 responsibility, and not taking
145 00:06:00,240 --> 00:06:03,209 responsibility is failing.
146 00:06:03,210 --> 00:06:04,610 That's all there is to say there.
147 00:06:06,570 --> 00:06:08,639 To add a little practical
148 00:06:08,640 --> 00:06:09,959 example of what I mean with that:
149 00:06:12,360 --> 00:06:14,489 imagine you wanted to introduce LAPS
150 00:06:14,490 --> 00:06:15,409 in your company.
151 00:06:15,410 --> 00:06:16,979 Probably some of you already have.
152 00:06:16,980 --> 00:06:19,439 LAPS, the Local Administrator Password Solution,
153 00:06:19,440 --> 00:06:21,719 where there's for each
154 00:06:21,720 --> 00:06:24,899 client a different password
155 00:06:24,900 --> 00:06:28,079 and it resets automatically.
156 00:06:28,080 --> 00:06:30,179 So imagine you would
157 00:06:30,180 --> 00:06:32,549 have one
158 00:06:32,550 --> 00:06:35,309 password for all your clients,
159 00:06:35,310 --> 00:06:37,259 and, you can imagine,
160 00:06:37,260 --> 00:06:38,760 it's maybe not that good.
161 00:06:39,990 --> 00:06:41,969 So you could just go to your
162 00:06:41,970 --> 00:06:44,399 sysadmins and command them:
163 00:06:44,400 --> 00:06:46,679 LAPS needs to be installed.
164 00:06:46,680 --> 00:06:48,959 Or maybe
165 00:06:48,960 --> 00:06:51,149 you could talk to them, listen to
166 00:06:51,150 --> 00:06:53,399 them, and they'd
167 00:06:53,400 --> 00:06:55,229 probably understand the necessity
168 00:06:55,230 --> 00:06:56,219 behind it
169 00:06:56,220 --> 00:06:58,169 if you explain it to them, because
170 00:06:58,170 --> 00:06:59,490 sometimes it's just missing knowledge.
171 00:07:00,690 --> 00:07:02,969 But the issue there is:
172 00:07:02,970 --> 00:07:05,249 you cannot copy the password
173 00:07:05,250 --> 00:07:07,469 from the LAPS tool to a password
174 00:07:07,470 --> 00:07:09,029 request in Windows.
175 00:07:09,030 --> 00:07:11,189 So when secure desktop is enabled,
176 00:07:11,190 --> 00:07:12,299 you can't. So it's blank.
177 00:07:12,300 --> 00:07:14,519 You can't do this, but once you
178 00:07:14,520 --> 00:07:17,219 disable secure desktop, that's possible.
179 00:07:17,220 --> 00:07:18,569 Unfortunately, that's not the password
180 00:07:18,570 --> 00:07:20,729 dialog, but just imagine
181 00:07:20,730 --> 00:07:21,730 one.
182 00:07:22,020 --> 00:07:24,299 And the question is now:
183 00:07:24,300 --> 00:07:27,089 will we disable secure desktop?
184 00:07:27,090 --> 00:07:28,649 We lose the security feature.
185 00:07:30,060 --> 00:07:32,309 Or would you keep it? If
186 00:07:32,310 --> 00:07:34,139 we disable secure
187 00:07:34,140 --> 00:07:36,000 desktop, we then
188 00:07:37,080 --> 00:07:38,819 could introduce LAPS, have the full
189 00:07:38,820 --> 00:07:40,919 support of all the techies.
190 00:07:40,920 --> 00:07:41,920 What would you choose?
191 00:07:45,360 --> 00:07:47,009 When it comes to people and working
192 00:07:47,010 --> 00:07:48,010 together with people,
193 00:07:49,110 --> 00:07:51,179 we need to visualize what we want
194 00:07:51,180 --> 00:07:52,649 with them.
195 00:07:52,650 --> 00:07:56,579 Do you want to work in the 1950s
196 00:07:56,580 --> 00:07:58,949 Henry Ford assembly line, where you just
197 00:07:58,950 --> 00:08:01,229 do one task the whole
198 00:08:01,230 --> 00:08:02,519 time?
199 00:08:02,520 --> 00:08:04,559 Or would you prefer to work in a modern
200 00:08:04,560 --> 00:08:06,779 Japanese assembly line, where you work
201 00:08:06,780 --> 00:08:08,069 together with your colleagues,
202 00:08:09,090 --> 00:08:10,740 where you can bring up your own ideas?
203 00:08:13,840 --> 00:08:15,969 In the next part, we're going to talk
204 00:08:15,970 --> 00:08:18,129 about how to introduce this Japanese
205 00:08:18,130 --> 00:08:19,719 assembly line in our security
206 00:08:19,720 --> 00:08:20,720 organization.
207 00:08:26,150 --> 00:08:27,559 When we think about our security
208 00:08:27,560 --> 00:08:29,869 organization, there's two
209 00:08:29,870 --> 00:08:32,149 requirements we need to fulfill.
210 00:08:32,150 --> 00:08:34,548 Number one, see the whole process
211 00:08:34,549 --> 00:08:36,709 like an assembly line, and number
212 00:08:36,710 --> 00:08:39,019 two, have goals and have an end
213 00:08:39,020 --> 00:08:40,349 in mind.
214 00:08:40,350 --> 00:08:42,079 See, and that's the thing.
215 00:08:42,080 --> 00:08:45,019 Security never has an end.
216 00:08:45,020 --> 00:08:46,669 It's a continuous process.
217 00:08:46,670 --> 00:08:49,009 It goes on forever,
218 00:08:49,010 --> 00:08:50,950 but it's not a concept you can sell.
219 00:08:52,790 --> 00:08:54,739 People work like this:
220 00:08:54,740 --> 00:08:56,839 we just want
221 00:08:56,840 --> 00:08:58,399 to complete the task.
222 00:08:58,400 --> 00:09:00,469 We want to go home, be happy that
223 00:09:00,470 --> 00:09:01,580 we achieved something today.
224 00:09:02,720 --> 00:09:04,999 So our job is to
225 00:09:05,000 --> 00:09:07,189 create these achievement moments.
226 00:09:07,190 --> 00:09:08,509 How do we do that?
227 00:09:08,510 --> 00:09:09,679 Here are three suggestions.
228 00:09:11,270 --> 00:09:13,189 Make the current status visible.
229 00:09:13,190 --> 00:09:15,109 This means: create
230 00:09:16,190 --> 00:09:18,619 statistics, meaningful statistics.
231 00:09:18,620 --> 00:09:19,579 Here's an example:
232 00:09:19,580 --> 00:09:21,259 total vulnerabilities in the Windows
233 00:09:21,260 --> 00:09:23,689 server environment.
234 00:09:23,690 --> 00:09:26,089 You can see how this goes down.
235 00:09:26,090 --> 00:09:27,859 Make a common goal, like it always must
236 00:09:27,860 --> 00:09:28,939 be below 500,
237 00:09:28,940 --> 00:09:31,129 whatever number.
238 00:09:31,130 --> 00:09:33,709 Two: create brick programs,
239 00:09:33,710 --> 00:09:35,059 make the goals visible.
240 00:09:36,200 --> 00:09:38,479 For example, we wanted to improve
241 00:09:38,480 --> 00:09:40,999 the Windows environment security.
242 00:09:41,000 --> 00:09:43,099 So we drew these fancy
243 00:09:43,100 --> 00:09:45,139 little bricks. There were goals behind
244 00:09:45,140 --> 00:09:46,849 that, things we wanted to do.
245 00:09:46,850 --> 00:09:48,619 And once it's done, in most colors, print
246 00:09:48,620 --> 00:09:50,719 that out, you can put it somewhere
247 00:09:50,720 --> 00:09:51,619 in the office.
248 00:09:51,620 --> 00:09:52,620 It's made visible.
249 00:09:54,380 --> 00:09:56,599 Number three: at one point,
250 00:09:56,600 --> 00:09:59,119 you probably already have a lot of ideas,
251 00:09:59,120 --> 00:10:01,399 at best not only yours,
252 00:10:01,400 --> 00:10:02,899 but also from your colleagues or your
253 00:10:02,900 --> 00:10:03,900 boss.
254 00:10:04,430 --> 00:10:06,649 And you need to prioritize them,
255 00:10:06,650 --> 00:10:08,600 because you can never do all of them.
256 00:10:09,890 --> 00:10:12,200 But before you prioritize them,
257 00:10:13,220 --> 00:10:15,499 you need to collect them and group them.
258 00:10:15,500 --> 00:10:17,779 What we use there is called Redmine.
259 00:10:17,780 --> 00:10:20,839 It's actually from software development.
260 00:10:20,840 --> 00:10:23,599 So we have several ideas collected,
261 00:10:23,600 --> 00:10:24,829 and we would also rate them.
262 00:10:24,830 --> 00:10:26,899 You can see it on the right side, like a
263 00:10:26,900 --> 00:10:28,819 feasibility and effectiveness.
264 00:10:28,820 --> 00:10:30,919 Unfortunately, this is not a talk about
265 00:10:30,920 --> 00:10:33,019 risk management, so I just added
266 00:10:33,020 --> 00:10:35,299 the link on how we do that at the end
267 00:10:35,300 --> 00:10:36,300 of the slides.
268 00:10:39,150 --> 00:10:41,219 So for this, for this part,
269 00:10:41,220 --> 00:10:43,140 prioritization is the key.
270 00:10:44,910 --> 00:10:46,979 And it all comes up in
271 00:10:46,980 --> 00:10:49,499 three steps like these, that are
272 00:10:49,500 --> 00:10:51,419 building up on each other: it's
273 00:10:51,420 --> 00:10:53,339 past, present and future.
274 00:10:53,340 --> 00:10:55,499 In the past, you see what you did, in
275 00:10:55,500 --> 00:10:57,299 the current status.
276 00:10:57,300 --> 00:10:59,369 The brick programs define
277 00:10:59,370 --> 00:11:01,619 what you do now, your goals, and
278 00:11:01,620 --> 00:11:03,899 the idea repository, that is the future:
279 00:11:03,900 --> 00:11:04,900 what do you want to do?
280 00:11:07,770 --> 00:11:10,109 Let's climb our last section together.
281 00:11:13,150 --> 00:11:15,549 When I talk about tech
282 00:11:15,550 --> 00:11:17,559 in a Windows Active Directory environment,
283 00:11:19,420 --> 00:11:21,819 an attack that's used very often
284 00:11:21,820 --> 00:11:23,889 is either pass-the-hash or
285 00:11:23,890 --> 00:11:26,139 pass-the-ticket, meaning you don't try
286 00:11:26,140 --> 00:11:28,419 to steal a password, you try to steal
287 00:11:28,420 --> 00:11:30,849 a password hash
288 00:11:30,850 --> 00:11:32,859 or a Kerberos ticket from the
289 00:11:32,860 --> 00:11:34,719 authentication process.
290 00:11:34,720 --> 00:11:37,119 So the first core principle
291 00:11:37,120 --> 00:11:39,219 to defend against this is the
292 00:11:39,220 --> 00:11:41,559 three-tier model that's also published
293 00:11:41,560 --> 00:11:43,809 and very well documented by Microsoft.
294 00:11:43,810 --> 00:11:45,219 So what do you do?
295 00:11:45,220 --> 00:11:46,899 Split your assets in three different
296 00:11:46,900 --> 00:11:47,900 levels.
297 00:11:48,430 --> 00:11:49,959 Sometimes more.
298 00:11:49,960 --> 00:11:51,939 And typically, these levels would be Tier
299 00:11:51,940 --> 00:11:53,949 0, your domain controllers; Tier
300 00:11:53,950 --> 00:11:56,089 1, your servers; and Tier 2,
301 00:11:56,090 --> 00:11:57,939 I mean, clients, your clients.
302 00:11:57,940 --> 00:12:00,129 And on each level, you have
303 00:12:00,130 --> 00:12:01,119 a user.
304 00:12:01,120 --> 00:12:03,249 So you don't only have one user, you
305 00:12:03,250 --> 00:12:05,049 have two or three or four or five users.
306 00:12:07,540 --> 00:12:10,029 And the next step is, you restrict
307 00:12:10,030 --> 00:12:11,979 access. So this is the technical
308 00:12:11,980 --> 00:12:14,049 implementation of the need-to-know
309 00:12:14,050 --> 00:12:14,949 principle.
310 00:12:14,950 --> 00:12:17,739 It's so often in security management.
311 00:12:17,740 --> 00:12:19,929 So a Tier 0 admin cannot log
312 00:12:19,930 --> 00:12:22,390 in on a Tier 1 or Tier 2 device.
313 00:12:27,740 --> 00:12:29,239 Because this core principle is, of
314 00:12:29,240 --> 00:12:31,219 course, not the only thing we can do,
315 00:12:31,220 --> 00:12:33,289 I prepared some quick wins I
316 00:12:33,290 --> 00:12:35,419 believe are easy to implement and do
317 00:12:35,420 --> 00:12:36,420 not cost anything.
318 00:12:39,170 --> 00:12:41,389 These three, my three favorite
319 00:12:41,390 --> 00:12:43,589 ones when it comes to privileged users.
320 00:12:43,590 --> 00:12:45,949 Delegation: there's Account Operators,
321 00:12:45,950 --> 00:12:48,139 it's a group in Active Directory
322 00:12:48,140 --> 00:12:49,159 where you can
323 00:12:50,720 --> 00:12:53,239 add and remove group membership.
324 00:12:53,240 --> 00:12:55,130 And because permissions are often
325 00:12:56,270 --> 00:12:58,549 given by Active
326 00:12:58,550 --> 00:13:00,739 Directory groups, that's a sensitive group,
327 00:13:00,740 --> 00:13:02,539 and you could use delegation based on
328 00:13:02,540 --> 00:13:04,069 this PowerShell. There's a good one,
329 00:13:04,070 --> 00:13:05,749 this PowerShell is better.
330 00:13:05,750 --> 00:13:07,849 So let's say that from a specific
331 00:13:07,850 --> 00:13:09,739 country, a branch of this company, you can
332 00:13:09,740 --> 00:13:12,319 just work on specific
333 00:13:12,320 --> 00:13:14,539 groups to add or remove membership.
334 00:13:15,680 --> 00:13:17,899 PowerShell Constrained Language Mode, as
335 00:13:17,900 --> 00:13:19,939 PowerShell is often used in attacks.
336 00:13:19,940 --> 00:13:22,039 What you can do is, with
337 00:13:22,040 --> 00:13:24,109 a GPO, you set that
338 00:13:24,110 --> 00:13:26,179 the PowerShell cannot
339 00:13:26,180 --> 00:13:28,399 execute all commands.
340 00:13:28,400 --> 00:13:30,469 But of course, this is only
341 00:13:30,470 --> 00:13:32,659 a small security improvement, because
342 00:13:32,660 --> 00:13:34,729 that can be reversed, but against
343 00:13:34,730 --> 00:13:35,629 malware,
344 00:13:35,630 --> 00:13:37,009 that's a very good start.
345 00:13:37,010 --> 00:13:39,139 And the third one, it has the biggest
346 00:13:39,140 --> 00:13:41,239 part: reduce membership
347 00:13:41,240 --> 00:13:42,229 in high-value groups.
348 00:13:42,230 --> 00:13:44,480 That's a task that has no end and no goal.
349 00:13:46,700 --> 00:13:48,199 Administrators, Enterprise
350 00:13:48,200 --> 00:13:50,029 Admins, Schema Admins,
351 00:13:50,030 --> 00:13:52,519 system administrators: check these groups
352 00:13:52,520 --> 00:13:53,520 all the time.
353 00:13:55,030 --> 00:13:56,030 There are four more.
354 00:13:57,350 --> 00:13:59,539 I just want to quickly note, I'm not talking
355 00:13:59,540 --> 00:14:01,759 about them because 20 minutes is not
356 00:14:01,760 --> 00:14:02,760 enough.
357 00:14:03,620 --> 00:14:04,969 Maybe passwords in Group Policy
358 00:14:04,970 --> 00:14:07,069 Preferences is something, just quickly.
359 00:14:07,070 --> 00:14:09,559 There are Group Policy Preferences,
360 00:14:09,560 --> 00:14:11,719 sometimes with clear-text passwords, or a
361 00:14:11,720 --> 00:14:13,039 script. You can just check that
362 00:14:13,040 --> 00:14:14,299 regularly.
363 00:14:14,300 --> 00:14:15,669 Of course, password manager and
364 00:14:15,670 --> 00:14:17,959 a password policy is nothing new,
365 00:14:17,960 --> 00:14:19,219 but it's easy and it's free.
366 00:14:21,200 --> 00:14:23,239 There are also so-called trackable quick
367 00:14:23,240 --> 00:14:25,309 wins, because many
368 00:14:25,310 --> 00:14:28,489 companies don't have a security
369 00:14:28,490 --> 00:14:30,619 SIEM, because they're expensive, but
370 00:14:30,620 --> 00:14:32,239 you can build up your own security
371 00:14:32,240 --> 00:14:33,679 monitoring,
372 00:14:34,730 --> 00:14:36,799 and there are five trackable quick
373 00:14:36,800 --> 00:14:38,120 wins that I believe are nice.
374 00:14:39,800 --> 00:14:41,989 What we do is, like, we have scheduled
375 00:14:41,990 --> 00:14:44,270 tasks, and these execute a PowerShell script.
376 00:14:45,500 --> 00:14:47,559 For example, we check if the
377 00:14:47,560 --> 00:14:49,909 SSL certificates are running out.
378 00:14:49,910 --> 00:14:52,089 We check if privileged,
379 00:14:52,090 --> 00:14:53,719 the high-privilege groups,
380 00:14:53,720 --> 00:14:55,939 get users added; if a domain admin logs
381 00:14:55,940 --> 00:14:58,279 in, because I believe nobody needs
382 00:14:58,280 --> 00:15:00,379 to be domain admin,
383 00:15:00,380 --> 00:15:02,629 so I want to know
384 00:15:02,630 --> 00:15:04,729 when somebody uses this domain admin.
385 00:15:04,730 --> 00:15:06,919 I also gave up my domain admin before
386 00:15:06,920 --> 00:15:07,920 Christmas.
387 00:15:09,230 --> 00:15:11,299 There are sometimes passwords in Active
388 00:15:11,300 --> 00:15:13,459 Directory description fields,
389 00:15:13,460 --> 00:15:14,749 because that's convenient, right?
390 00:15:17,030 --> 00:15:19,249 And of course, if a new admin is added
391 00:15:19,250 --> 00:15:21,019 to a local client or server, because we
392 00:15:21,020 --> 00:15:22,020 don't want that.
393 00:15:24,110 --> 00:15:26,029 If you have a little bit more time
394 00:15:27,080 --> 00:15:29,269 for them: reduce Java
395 00:15:29,270 --> 00:15:31,579 and Flash. Of course, no client and no
396 00:15:31,580 --> 00:15:32,959 server needs Flash anymore.
397 00:15:32,960 --> 00:15:36,349 It's actually going to die in 2020.
398 00:15:36,350 --> 00:15:38,419 Java should just be installed on request.
399 00:15:38,420 --> 00:15:41,629 Of course, the SMB
400 00:15:41,630 --> 00:15:43,519 versions and encryption, as well as the
401 00:15:43,520 --> 00:15:45,229 database connection, you just have to
402 00:15:45,230 --> 00:15:46,219 check them all the time,
403 00:15:46,220 --> 00:15:47,269 what's going on.
404 00:15:47,270 --> 00:15:49,489 And we are in passwords, passwords,
405 00:15:49,490 --> 00:15:50,490 hashes.
406 00:15:52,370 --> 00:15:53,749 That's why it's close to my heart:
407 00:15:53,750 --> 00:15:56,059 logon restrictions
408 00:15:56,060 --> 00:15:57,419 for accounts.
409 00:15:57,420 --> 00:15:59,329 There's five different or six different
410 00:15:59,330 --> 00:16:01,489 GPOs where I can limit what
411 00:16:01,490 --> 00:16:03,619 can be done or how that account can be
412 00:16:03,620 --> 00:16:04,759 used.
413 00:16:04,760 --> 00:16:07,339 So for users, I believe
414 00:16:07,340 --> 00:16:09,329 only log on locally should be allowed.
415 00:16:09,330 --> 00:16:10,909 Like, RDP or running
416 00:16:10,910 --> 00:16:13,099 a scheduled task or service
417 00:16:13,100 --> 00:16:15,829 is unnecessary. For admins,
418 00:16:15,830 --> 00:16:17,419 I could imagine,
419 00:16:17,420 --> 00:16:19,489 I think, log on through RDP should
420 00:16:19,490 --> 00:16:21,619 be allowed as well. And for service
421 00:16:21,620 --> 00:16:22,620 accounts,
422 00:16:23,420 --> 00:16:26,119 these are used as service accounts,
423 00:16:26,120 --> 00:16:28,249 so they should just be allowed
424 00:16:28,250 --> 00:16:30,319 to run services or batch jobs,
425 00:16:30,320 --> 00:16:32,209 which is a scheduled task.
426 00:16:32,210 --> 00:16:33,689 Of course, every service account is
427 00:16:33,690 --> 00:16:35,749 different, so you need to
428 00:16:35,750 --> 00:16:36,830 define it for each account.
429 00:16:38,750 --> 00:16:40,819 The three last ones, the most
430 00:16:40,820 --> 00:16:42,349 important ones. We already talked about
431 00:16:42,350 --> 00:16:43,309 LAPS.
432 00:16:43,310 --> 00:16:45,799 The gMSA is a group managed service account.
433 00:16:45,800 --> 00:16:47,869 We want to get rid of these normal
434 00:16:47,870 --> 00:16:48,889 service accounts.
435 00:16:48,890 --> 00:16:50,959 There's one password for the account, never
436 00:16:50,960 --> 00:16:53,269 changed, it never expires, and everybody
437 00:16:53,270 --> 00:16:55,249 knows it. Sometimes these service
438 00:16:55,250 --> 00:16:57,409 accounts are even domain admins.
439 00:16:57,410 --> 00:16:59,209 So what you can do is use this group
440 00:16:59,210 --> 00:17:00,919 managed service account, where the
441 00:17:00,920 --> 00:17:03,049 password is managed by
442 00:17:03,050 --> 00:17:04,639 the Active Directory and nobody knows it
443 00:17:04,640 --> 00:17:07,489 anymore, and it also gets changed regularly.
444 00:17:07,490 --> 00:17:09,649 Or if you can't do that,
445 00:17:09,650 --> 00:17:10,849 reduce permissions,
446 00:17:12,260 --> 00:17:14,299 duties, logon restrictions, logon
447 00:17:14,300 --> 00:17:16,459 times. So we have about
448 00:17:16,460 --> 00:17:18,108 10 percent of group managed service
449 00:17:18,109 --> 00:17:20,899 accounts, and we are kind of at the
450 00:17:20,900 --> 00:17:23,179 glass ceiling
451 00:17:23,180 --> 00:17:25,419 and can't really find more to switch.
452 00:17:26,839 --> 00:17:28,940 What's the most important
453 00:17:30,110 --> 00:17:33,229 measure after that core principle?
454 00:17:33,230 --> 00:17:35,749 It actually should look like this.
455 00:17:35,750 --> 00:17:37,609 Because if you use smart cards,
456 00:17:39,350 --> 00:17:41,539 so many attacks don't work anymore,
457 00:17:41,540 --> 00:17:43,459 especially for admins.
458 00:17:43,460 --> 00:17:46,009 And the thing is, that's the only measure,
459 00:17:46,010 --> 00:17:48,229 almost, which is not for free,
460 00:17:48,230 --> 00:17:49,579 but a modern,
461 00:17:49,580 --> 00:17:52,609 a modern smart card costs about $40.
462 00:17:52,610 --> 00:17:54,979 So even if you have 20, 30, 50 people
463 00:17:54,980 --> 00:17:57,919 in admin, it's very, very affordable,
464 00:17:57,920 --> 00:18:00,139 and with Windows, it's a cinch
465 00:18:00,140 --> 00:18:02,299 to roll out. You just install it
466 00:18:02,300 --> 00:18:03,799 and it's just usable.
467 00:18:07,580 --> 00:18:09,259 At the end of the day and the end of the
468 00:18:09,260 --> 00:18:11,329 talk, we always need to ask
469 00:18:11,330 --> 00:18:13,399 ourselves: did we do
470 00:18:13,400 --> 00:18:14,540 the right thing?
471 00:18:15,890 --> 00:18:17,479 And how do we know if we did the right
472 00:18:17,480 --> 00:18:18,439 thing?
473 00:18:18,440 --> 00:18:20,839 Let's go full circle again and
474 00:18:20,840 --> 00:18:21,920 listen to the people.
475 00:18:23,960 --> 00:18:26,119 For me, if we did the right
476 00:18:26,120 --> 00:18:27,259 thing,
477 00:18:27,260 --> 00:18:29,539 I know when somebody
478 00:18:29,540 --> 00:18:32,029 puts himself on the security train,
479 00:18:32,030 --> 00:18:33,929 as one of my colleagues, who wrote
480 00:18:33,930 --> 00:18:36,349 that email where he said,
481 00:18:36,350 --> 00:18:38,659 "I just removed the last Windows XP
482 00:18:38,660 --> 00:18:39,649 machine."
483 00:18:39,650 --> 00:18:41,449 And I didn't tell him to do that.
484 00:18:41,450 --> 00:18:43,339 He was just really, really proud.
485 00:18:43,340 --> 00:18:45,559 And he sent out this email, and I have 10,
486 00:18:45,560 --> 00:18:48,169 15 printed emails like this on my,
487 00:18:48,170 --> 00:18:50,089 on my desk in the office.
488 00:18:50,090 --> 00:18:51,379 A second one, which I really, really
489 00:18:51,380 --> 00:18:53,599 enjoyed, from another colleague. I told
490 00:18:53,600 --> 00:18:55,189 you we have this monitoring
491 00:18:56,210 --> 00:18:58,579 where you get alarmed when there's a new
492 00:18:58,580 --> 00:19:00,409 admin, a new local admin.
493 00:19:00,410 --> 00:19:02,419 So that guy from the IT department contacted the
494 00:19:02,420 --> 00:19:04,649 guy who's responsible in the country
495 00:19:04,650 --> 00:19:06,889 and said, "Why
496 00:19:06,890 --> 00:19:08,929 are you still looking at me?
497 00:19:08,930 --> 00:19:10,519 Please explain it to me.
498 00:19:10,520 --> 00:19:12,469 We don't accept local admins."
499 00:19:12,470 --> 00:19:14,180 And I just, I just love
500 00:19:15,290 --> 00:19:16,669 what language he used for this.
501 00:19:16,670 --> 00:19:18,949 And you know, we, we just created
502 00:19:18,950 --> 00:19:21,079 this monitoring, and it's so nice
503 00:19:21,080 --> 00:19:23,179 to see how people actually use
504 00:19:23,180 --> 00:19:24,589 it, and then in day-to-day use.
505 00:19:26,900 --> 00:19:29,059 So the talk is over.
506 00:19:29,060 --> 00:19:30,589 Just to sum it up.
507 00:19:30,590 --> 00:19:32,809 What are the three ideas we have?
508 00:19:32,810 --> 00:19:34,879 When we talk about people,
509 00:19:34,880 --> 00:19:37,249 we should stop complaining
510 00:19:37,250 --> 00:19:38,959 and start listening.
511 00:19:38,960 --> 00:19:41,599 When we talk about organization,
512 00:19:41,600 --> 00:19:43,220 we're seeing it, make it visible.
513 00:19:44,390 --> 00:19:45,680 And when we talk about tech:
514 00:19:47,180 --> 00:19:48,759 the very same issue.
515 00:19:51,440 --> 00:19:52,440 Thank you.
516 00:20:00,210 --> 00:20:01,889 Thank you, Moses, for your talk.
517 00:20:01,890 --> 00:20:04,079 So unfortunately, we don't have time
518 00:20:04,080 --> 00:20:05,439 for questions for this talk.
519 00:20:05,440 --> 00:20:07,649 So, as
520 00:20:07,650 --> 00:20:08,650 always...