Betrayed by Vendors and Consultants

deanwebb · October 08, 2015, 10:44:33 AM

My company is very picky about security settings.

In the NAC project, we want to use an AD account to log on to devices for information gathering and posture management purposes.

The vendor said to just use a Domain Admin account.

Our compliance guys said no way, least privileges, please.

Vendor said, well, OK... how about a Backup Operator account? Try that. It should work. Yeah, Backup Operator.

Oh, that didn't work? Well, how about Backup Operator with log on locally privs? That should work. Try that.

Hmmm... well, we're puzzled. That should have worked.

At this point, I make a decision.

Now I know what is needed, and the list is crazier and longer than anyone other than the author of that documentation imagined. I'm going down DCOM, WMI, and security policy rabbitholes to come up with the goods on the least rights needed for this account.

icecream-guy · October 08, 2015, 11:20:43 AM

go back to them and tell them that you can use an elevated account, but it MUST use certificate based authentication...

LynK · October 08, 2015, 12:45:23 PM

Man.... I thought Texas we the birthplace of all the high end engineers..

Otanx · October 08, 2015, 05:29:14 PM

Security vendors are the worst too. They want their software installed on every box in the environment, and it needs to run as admin/root. So now I have either 800 independent accounts to manage passwords for, or I have one account that if compromised has full access to every device I own. Don't ask what ports it uses so you can lock down access at the firewall. They don't know, and want permit IP to and from their box. We won't mention the vendor that also required that UAC be disabled on everything.

-Otanx

AnthonyC · October 08, 2015, 09:25:59 PM

Quote from: Otanx on October 08, 2015, 05:29:14 PM
Security vendors are the worst too. They want their software installed on every box in the environment, and it needs to run as admin/root. So now I have either 800 independent accounts to manage passwords for, or I have one account that if compromised has full access to every device I own. Don't ask what ports it uses so you can lock down access at the firewall. They don't know, and want permit IP to and from their box. We won't mention the vendor that also required that UAC be disabled on everything.

-Otanx

Reminds me of that vulnerability where FireEye ran Apache as root. What can possibly go wrong?

wintermute000 · October 09, 2015, 05:38:52 AM

Quote from: AnthonyC on October 08, 2015, 09:25:59 PM
Quote from: Otanx on October 08, 2015, 05:29:14 PM
Security vendors are the worst too. They want their software installed on every box in the environment, and it needs to run as admin/root. So now I have either 800 independent accounts to manage passwords for, or I have one account that if compromised has full access to every device I own. Don't ask what ports it uses so you can lock down access at the firewall. They don't know, and want permit IP to and from their box. We won't mention the vendor that also required that UAC be disabled on everything.

-Otanx

Reminds me of that vulnerability where FireEye ran Apache as root. What can possibly go wrong?

The problem I find is that security is, by its very nature, all about the detail, and the plebs they pull off the street just don't cut it.

I need the consultant to know more than what I know about dot1x, about the exact order of operations, about specific radius VSAs, the specific way proxy X uses kerberos vs NTLM vs Win2008 vs Win2012 vs R2 and on and on it goes.....

Trouble is 90% of them don't (and apparently they're worse at simply reading as well LOL). Not only is it a specialist field, but the products move so fast, and you just cannot be a specialist across too many things. To make things even worse, you're dealing with a lot of cross-domain knowledge (identity/LDAP and AD, PKI, 802.1X+Radius, etc.)
So what happens is that a lot of them simply know the surface, and how to get something running quickly using the defaults, but they don't really understand. Hence, just join it with a domain admin account LOL. I've been through similar issues with say WAN accelerators as well and their specific kerberos delegation / service account privileges issues.

Most security stuff actually works with least privilege, but the trick is discovering what exactly this is.

And yeah, endpoint NAC/posture assessment software is kinda like the eighth level of hell. Esp. if its from Cisco. Or McAfee. Or Symantec.

deanwebb · October 09, 2015, 07:30:56 AM

I'm tellin' ya, good help is hard to find.

My advice to young people everywhere is to get your hands on a manual, read it, and then write your own ticket to IT stardom.

dlots · October 09, 2015, 02:39:06 PM

Pfff manuals are total squares man, they are probably printed on LOOSER-leaf paper (it's funny cause it sounds like loose-leaf which is an actual kind of paper). If you read a manual your a total newb and the only thing worse than being a newb is being a n00b.