Betrayed by Vendors and Consultants

Started by deanwebb, October 08, 2015, 10:44:33 AM


deanwebb

My company is very picky about security settings.

In the NAC project, we want to use an AD account to log on to devices for information gathering and posture management purposes.

The vendor said to just use a Domain Admin account.

Our compliance guys said no way, least privileges, please.

Vendor said, well, OK... how about a Backup Operator account? Try that. It should work. Yeah, Backup Operator.

:vendors:

Oh, that didn't work? Well, how about Backup Operator with log on locally privs? That should work. Try that.

:vendors:

Hmmm... well, we're puzzled. That should have worked.

At this point, I make a decision.

:rtfm:

Now I know what is needed, and the list is crazier and longer than anyone other than the author of that documentation imagined. I'm going down DCOM, WMI, and security policy rabbitholes to come up with the goods on the least rights needed for this account.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

go back to them and tell them that you can use an elevated account, but it MUST use certificate based authentication...


:professorcat:

My Moral Fibers have been cut.

LynK

Man.... I thought Texas was the birthplace of all the high end engineers..


:problem?: :problem?: :problem?: :problem?: :problem?:
Sys Admin: "You have a stuck route"
Me: "You have an incorrect Default Gateway"

Otanx

Security vendors are the worst too. They want their software installed on every box in the environment, and it needs to run as admin/root. So now I have either 800 independent accounts to manage passwords for, or I have one account that if compromised has full access to every device I own. Don't ask what ports it uses so you can lock down access at the firewall. They don't know, and want permit IP to and from their box. We won't mention the vendor that also required that UAC be disabled on everything.

-Otanx

AnthonyC

Quote from: Otanx on October 08, 2015, 05:29:14 PM
Security vendors are the worst too. They want their software installed on every box in the environment, and it needs to run as admin/root. So now I have either 800 independent accounts to manage passwords for, or I have one account that if compromised has full access to every device I own. Don't ask what ports it uses so you can lock down access at the firewall. They don't know, and want permit IP to and from their box. We won't mention the vendor that also required that UAC be disabled on everything.

-Otanx

Reminds me of that vulnerability where FireEye ran Apache as root. What can possibly go wrong?  :awesome:
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

wintermute000

Quote from: AnthonyC on October 08, 2015, 09:25:59 PM
Quote from: Otanx on October 08, 2015, 05:29:14 PM
Security vendors are the worst too. They want their software installed on every box in the environment, and it needs to run as admin/root. So now I have either 800 independent accounts to manage passwords for, or I have one account that if compromised has full access to every device I own. Don't ask what ports it uses so you can lock down access at the firewall. They don't know, and want permit IP to and from their box. We won't mention the vendor that also required that UAC be disabled on everything.

-Otanx

Reminds me of that vulnerability where FireEye ran Apache as root. What can possibly go wrong?  :awesome:

The problem I find is that security is, by its very nature, all about the detail, and the plebs they pull off the street just don't cut it.

I need the consultant to know more than what I know about dot1x, about the exact order of operations, about specific RADIUS VSAs, the specific way proxy X uses Kerberos vs NTLM vs Win2008 vs Win2012 vs R2 and on and on it goes.....

Trouble is 90% of them don't (and apparently they're worse at simply reading as well LOL). Not only is it a specialist field, but the products move so fast, and you just cannot be a specialist across too many things. To make things even worse, you're dealing with a lot of cross-domain knowledge (identity/LDAP and AD, PKI, 802.1X+RADIUS, etc.).

So what happens is that a lot of them simply know the surface, and how to get something running quickly using the defaults, but they don't really understand. Hence, just join it with a domain admin account LOL. I've been through similar issues with say WAN accelerators as well and their specific Kerberos delegation / service account privileges issues.

Most security stuff actually works with least privilege, but the trick is discovering what exactly this is.


And yeah, endpoint NAC/posture assessment software is kinda like the eighth level of hell. Esp. if it's from Cisco. Or McAfee. Or Symantec.
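A practical way to do the discovery deanwebb describes in the opening post (working out the least rights a NAC information-gathering account needs for DCOM/WMI) and that wintermute000 refers to above ("the trick is discovering what exactly this is"): log on as the candidate service account and probe whether each WMI query the collector needs actually succeeds, over both DCOM and WinRM, then grant rights one at a time on a test host until every row reads OK. This is an added example, not code from the thread or from any NAC vendor; the host name, account name and the list of WMI classes are placeholders you would replace with the ones your product's documentation actually lists.

```powershell
# Added example (not from the thread): probe what a candidate least-privilege
# service account can actually read over DCOM/WMI and WinRM on a test host,
# so rights can be granted incrementally instead of handing out Domain Admin.
# Assumptions: run from a domain-joined workstation against a test host you
# administer; $Target, $AccountName and $classes are placeholders.
param(
    [string]$Target      = 'TEST-HOST01',       # placeholder host name
    [string]$AccountName = 'CORP\svc-nac-ro'    # placeholder service account
)

# Prompt for the service account's password rather than embedding it.
$cred = Get-Credential -UserName $AccountName -Message "Password for $AccountName"

# Placeholder list of classes a posture/inventory collector typically reads.
# Replace with the classes your vendor's documentation names.
$classes = @(
    'Win32_OperatingSystem',
    'Win32_ComputerSystem',
    'Win32_Service',
    'Win32_QuickFixEngineering'
)

function Test-RemoteWmiAccess {
    param(
        [string]$ComputerName,
        [pscredential]$Credential,
        [string[]]$ClassNames
    )

    # Try both transports: DCOM (classic WMI, RPC port 135 + dynamic ports)
    # and WSMan (WinRM, 5985/5986). The rights needed differ between them.
    $results = foreach ($proto in 'Dcom', 'Wsman') {
        $opt = New-CimSessionOption -Protocol $proto
        try {
            $session = New-CimSession -ComputerName $ComputerName `
                                      -Credential $Credential `
                                      -SessionOption $opt `
                                      -ErrorAction Stop
        } catch {
            # Session setup itself failed: network/firewall or DCOM launch rights.
            [pscustomobject]@{
                Protocol = $proto; Class = '(session)'; Result = 'FAIL'
                Detail   = $_.Exception.Message
            }
            continue
        }

        foreach ($class in $ClassNames) {
            try {
                $null = Get-CimInstance -CimSession $session -ClassName $class -ErrorAction Stop
                [pscustomobject]@{ Protocol = $proto; Class = $class; Result = 'OK'; Detail = '' }
            } catch {
                # Per-class failure: usually WMI namespace permissions.
                [pscustomobject]@{
                    Protocol = $proto; Class = $class; Result = 'FAIL'
                    Detail   = $_.Exception.Message
                }
            }
        }
        Remove-CimSession $session
    }
    return $results
}

Test-RemoteWmiAccess -ComputerName $Target -Credential $cred -ClassNames $classes |
    Format-Table -AutoSize
```

Read the Detail column rather than just the Result: an "Access is denied" on the session row points at DCOM/WinRM permissions for the account, an "Access is denied" on individual class rows points at the WMI namespace ACL, and "The RPC server is unavailable" means the query never reached WMI at all (firewall or name resolution), which is also the answer to the "what ports does it use" question Otanx raises. Re-run after each change to the account's group membership or namespace rights so you end up with a documented, minimal list instead of a guess.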

deanwebb

I'm tellin' ya, good help is hard to find.

My advice to young people everywhere is to get your hands on a manual, read it, and then write your own ticket to IT stardom.

dlots

Pfff manuals are total squares man, they are probably printed on LOOSER-leaf paper (it's funny cause it sounds like loose-leaf which is an actual kind of paper).  If you read a manual you're a total newb and the only thing worse than being a newb is being a n00b.