Tech Tidbit – My wild ride through London – Tighten up your security controls inside your network

July 2nd, 2023

I learned to drive "on the wrong side of the road" on a Monday morning in downtown London. I hit my first object in about 50 feet when I ran over the cross beam of a crowd fence and it bounced up and tapped my car. It was scary, but I eventually got to the "M roads" and into the countryside where things were easier.

I was advised not to try to drive back into London until well after 7 pm due to the extreme traffic. I took the advice of the locals and started driving first on the M roads (I-84), then the A roads (Rt 9), then the equivalent of paved cow paths from the 1600s that were a car width wide. Roads appeared and vaporized before my eyes without warning. To top it off, everything is "one-way".

Finally, it was 10 pm. I was frazzled. I could see the Tower Hotel by the Tower of London in front of me. However, I was faced with a one-way road going the wrong way. There wasn't anyone on any roads.

Frustrated, I drove down the perfectly clear, one-way road the wrong way and directly into the hotel parking lot.

I took advantage of the situation because I could. The road was wide and well-paved and led directly to where I wanted to be. No one was looking.

For many of you, the "highway" inside your network is wide and clear and can lead attackers directly to where they want to be when no one is looking.

It is now extremely common for the bad guys to maximize their avenues of attack. They use administrator-level credentials and then push out malware via UNC paths, PsExec remote sessions, GPOs, etc.

We need to shut as many of these attack vectors down as possible:

  • Segment your network and aggressively limit access to only what is necessary. Does the elementary secretary need to see into the district office or middle school? Probably not.
  • Limit Domain Administrator access - less is more here. Delegate management functions to lower-level IDs.
  • Have a different local administrator password on each workstation or server (e.g. via Microsoft LAPS).
  • Restrict access to group policy management tools to only those that require it.
  • Turn off SMB v1 and the older NTLM and LANMAN (LM) authentication protocols.

The last bullet is an extremely weak spot for the majority of you. These older protocols are turned on by default "to be backward compatible". They make your network significantly less secure.
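The post rolls these changes out through group policy, but before and after that rollout you want to know where each machine actually stands. The following PowerShell script is an added example, not something from the original post or its author: it audits one Windows host for the legacy settings the last bullet names (SMBv1 on the server side, the SMB1Protocol optional feature, the LAN Manager authentication level, and LM hash storage) and only changes them when run elevated with the `-Remediate` switch. It assumes Windows 8 / Server 2012 or later with Windows PowerShell 5.1, and the threshold values it checks against are the ones a hardening baseline normally uses.

```powershell
# Added example (not from the original post): audit a Windows host for the
# legacy SMB/NTLM/LM settings discussed above. Read-only unless -Remediate is given.
# Assumes Windows 8 / Server 2012+ and an elevated Windows PowerShell 5.1 session.
param([switch]$Remediate)

$findings = @()

# 1. SMBv1 on the file server side (Get-SmbServerConfiguration ships with the SmbShare module).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. The SMB1Protocol optional feature (client and server binaries) on Windows 10/11.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 3. LAN Manager authentication level. 5 = send NTLMv2 only, refuse LM and NTLM.
#    A missing value means the OS default applies, which varies by version, so treat it as a finding.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level -or $level -lt 5) {
    $findings += "LmCompatibilityLevel is '$level' (want 5: NTLMv2 only, refuse LM and NTLM)"
    if ($Remediate) { Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
}

# 4. LM hash storage. NoLMHash = 1 stops Windows from storing the weak LM hash
#    at the user's next password change.
$noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
if ($noLm -ne 1) {
    $findings += 'NoLMHash is not set; LM hashes may still be stored for accounts on this host'
    if ($Remediate) { Set-ItemProperty -Path $lsa -Name NoLMHash -Value 1 -Type DWord }
}

# Report. A reboot is still needed for the SMB1 feature removal to take full effect.
if ($findings.Count -eq 0) { 'No legacy-protocol findings on this host.' } else { $findings }
```

Run it without switches first across a sample of machines and collect the output; anything still talking LM or NTLMv1 (the older copiers and scan-to-folder printers the post mentions are the usual suspects) will show up as a device that breaks once `LmCompatibilityLevel` goes to 5, so fix or replace those before the group policy and reboot are pushed fleet-wide.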

The bad guys love it when you leave your network in that configuration because you have opened up your highway for them to exploit to do bad things to you.

Previously many of you had to dumb down your network because KACE only supported SMB v1. It was also done for older multi-function printers (MFPs) that needed the scanners to save to users' folders. That puts you at risk.

If you have never fixed this, it is time to resolve this significant internal security issue.

We can quickly and easily flip this to more secure standards via a few group policies and a single reboot of every device.

If this is you, give us a call, and let's get this simple security issue resolved today.