April 14th, 2020
Weekly Tech Tidbit – Breaking up the band.  It is time to better segment critical network functions

We have spent two decades linking all sorts of servers and processes to Active Directory for "ease of use". Sadly, ease of use can now also mean "ease of hacking". Therefore, we must be much more critical about when integration is genuinely helpful (LDAP, for instance) versus when it is just a nice feature with a lot of downside risk. If you haven't already done so, it is time to start breaking some of these vital parts of your network apart. Here are a few to start with:

  • Break vCenter from Active Directory. During the NotPetya attack by the Russian government in Ukraine, the company that was hit had its entire VMware infrastructure wiped out. The VMs and ESX hosts were deleted! The easiest way to shut down this attack vector is to disconnect vCenter from Active Directory. Set up separate credentials for the few people authorized to access vCenter. Set up access rules limiting where access requests to vCenter and the ESX host consoles can originate from.
  • Secure your remote access cards. Your Dell DRAC, HP iLO, and Cisco CIMC cards are wonderful back doors to the true console of your servers and ESX hosts. However, that means BIOS access, OS reloads, and potentially bypassing the MFA restrictions you have placed on RDP. Change the passwords on all your Dell DRAC, HP iLO, and Cisco CIMC cards. Set up access rules limiting where remote access cards can be accessed from.
  • Disconnect your backup server from Active Directory. Also disconnect your backup storage from Active Directory. Make sure AD credentials don't work on your backup servers or your backup storage. Create access rules to limit where remote access requests to them can come from on your network.
  • Create access rules to limit RDP access to your servers and critical workstations so it is allowed only from approved, secure locations. You know who can RDP. You know where they sit. Formalize what you already do.
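One way to formalize the last item on a Windows server is to scope the built-in Windows Firewall "Remote Desktop" rules to your approved management sources. This is an added example, not code from the original post; the two source addresses are assumed placeholders for an admin VLAN and a jump host, and the script must be run elevated.

```powershell
# Added example: restrict inbound RDP on this server to approved sources only.
# The subnets below are assumed placeholders; replace them with where your
# admins actually sit (the admin VLAN and a hardened jump host, for instance).
$ApprovedSources = @('10.10.50.0/24', '10.10.60.5')

# The built-in RDP rules (TCP and UDP, user mode) live in the "Remote Desktop"
# display group, so we do not have to know their internal rule names.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction Stop

foreach ($rule in $rdpRules) {
    # Narrow the rule's remote (source) scope to the approved list and make
    # sure it is an enabled Allow rule. Connections from anywhere else are
    # then dropped by the profile's default inbound action.
    Set-NetFirewallRule -Name $rule.Name `
        -RemoteAddress $ApprovedSources -Action Allow -Enabled True
}

# Make sure the default inbound action really is Block on every profile,
# otherwise narrowing the RDP rules does not actually keep anyone out.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# Verify: show each RDP rule with the remote scope that now applies to it.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($addr -join ', ')
    }
} | Format-Table -AutoSize
```

Apply the same scoping on the network side (switch ACLs or perimeter firewall rules) so the restriction does not depend solely on the host's own firewall.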

There is a lot more to talk about, but if you can get through this list, you are in a much better place than most of your peers. There is a lot of work that must be done to reconfigure all these items.

Give us a call.  We are happy to work through this with you.