As I write this, Netflix is bringing back a new version of "Lost in Space". Hopefully, it is better than the movie and truer to the original series. Bob has been on a roll with US-CERT announcements (danger, danger Will Robinson) about threats the last few weeks. I thought I'd take a more direct and practical approach to an issue most of you have:
Change your domain admin levels passwords.
I was just talking about a recent district technology audit by the state. It was noted that all the domain admin passwords were set to "do not expire" and that there were three of them. The comment I heard was that the state auditor thought having three "wasn't bad." I have seen school districts with 14-22 domain admins! I once read in a technical forum that Ford Motor Company has only three domain admins worldwide!
True to the research that says 31% of the technical staff don't follow their own internal security policies, I know many of you have cleaned up your end users with more robust password policies. However, many of you have domain admin passwords that have been the same since the day the network went in, and many of those passwords lack currently accepted minimum complexity standards.
Please put this on your July 1st "to do list" to fix. If you are uncomfortable doing this alone, contact us and we'll do it together. It is generally less of a big deal than you think it is to do this.
I realize it is an immense pain, and admin passwords are probably embedded in various servers, services and software programs. That is why I said July 1st. The school year will be over. Grades will be in. The number of users you have to worry about day to day is substantially lower. You'll pick a day on the calendar to change these passwords. After the change, you'll reboot everything and re-evaluate your software and servers. Whatever got hung up and didn't start, you can go in, edit and restart. Paladin Sentinel monitoring will catch many of the misconfigured services that need to be touched. I can show you how to quickly evaluate the Services.MSC list to see which services need to be edited. There is also a PowerShell script that will show which IDs are being used with which passwords.
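As an added example (not the script the post refers to), this PowerShell inventory does the Services.MSC review across several servers at once and flags every service that logs on as a member of Domain Admins, so nothing is missed on rotation day. The server names are constructed placeholders, and it assumes the RSAT ActiveDirectory module plus CIM (WinRM) access to each server.

```powershell
# Added example: list which logon accounts run the Windows services on a set of
# servers and flag the ones backed by a Domain Admins member, so each stored
# credential can be updated when the admin password is changed.
# Assumes the RSAT ActiveDirectory module and CIM (WinRM) access to each server.
Import-Module ActiveDirectory

$servers = @('SERVER01', 'SERVER02')   # constructed placeholder names

# Built-in identities that have no password of their own to rotate
$builtin = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

# Domain Admins members, expanded recursively so nested groups are included
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$report = foreach ($server in $servers) {
    try {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $server : $($_.Exception.Message)"
        continue
    }
    foreach ($svc in $services) {
        $logon = $svc.StartName
        if ([string]::IsNullOrEmpty($logon) -or $logon -match $builtin) { continue }
        # Normalise DOMAIN\user or user@domain to the bare SamAccountName
        $sam = if ($logon -match '\\') { ($logon -split '\\')[-1] }
               elseif ($logon -match '@') { ($logon -split '@')[0] }
               else { $logon }
        [pscustomobject]@{
            Server        = $server
            Service       = $svc.Name
            DisplayName   = $svc.DisplayName
            LogonAccount  = $logon
            StartMode     = $svc.StartMode
            State         = $svc.State
            IsDomainAdmin = $domainAdmins -contains $sam
        }
    }
}

# Domain-admin-backed services first: these are the ones that will break the
# moment the password changes unless their stored credential is updated too.
$report | Sort-Object IsDomainAdmin, Server -Descending | Format-Table -AutoSize
$report | Export-Csv -Path '.\service-accounts.csv' -NoTypeInformation
```

It reports logon account names only; no passwords are read. Each row flagged IsDomainAdmin is a service whose stored credential must be re-entered on the day you rotate the password.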
Microsoft implemented Service Accounts to perhaps cut down on the use of the domain admin account just to run services.
Once you have that flipped, remember that the authority accounts used by you and your techs should not be set to "never expires", but be forced to be changed periodically like everyone else.
Assuming you are on a roll doing this, then simply keep going and remove all generic local admin rights on your end users' computers and ensure that the local Windows firewall is on for every server and workstation. There are still a number of you out there who are holdouts - refusing to remove those rights and turn the firewalls on. A few months ago we encountered a district like this. Because of a major virus attack, we were forced to turn on the Windows firewall everywhere and remove local admin rights everywhere.
You know what happened?
Almost nothing. There was one Windows firewall rule needed to make one piece of software run properly, and that was about it. Thousands of users went on with their lives unaware that the network had suddenly become substantially more secure. Despite the techs' fears, the network did not melt down, and those "extra" rights were completely unnecessary almost everywhere.
Remember Bob's password spraying tidbit from a few weeks ago? 81% of compromises come through weak admin credentials - not all those firewall firmware levels, Windows patch levels, etc. - we simply gave up the keys to the network too easily. And then remember that other studies have said that around 84% of the bad things in Windows that can hurt you simply can't - if you are not an admin.
We always must maintain a layered defense and all those firewalls and IPS sensors and antivirus signatures are also vitally important, but let's firm up the foundation of our Windows network security as we start the busy summer project time.
If you need help planning or implementing this, give us a call.