False sense of security prevention. RRS feed

  • Question

  • We have members of management who somehow got the idea that using MS ATA (and jump boxes) makes it redundant to have dedicated administrative workstations. Can you please do something - anything - to bring the foolishness of this position into the light? They think having RDS servers that all admins must use to access domain controllers addresses credential-stealing vulnerabilities. Can you do something in your marketing to reverse this misconception? The workstations that admins must use to get to this glorified jump-box (not an ATA box) are the same ones they must use to access the Internet and email. Please help make it clear that there is no substitute for properly-protected and segregated administrative workstations.


    Sunday, May 29, 2016 2:25 PM

All replies

  • You are not making any sense?  marketing misconception? what Jump box?

    Monday, May 30, 2016 7:57 AM
  • No, I don't blame Microsoft's marketing for our management's misconceptions. I was asking if Microsoft would do something within their marketing to reverse such misconceptions (no matter who/what caused them). What misconception? For example, they (some members of management) actually think that if you are an Active Directory (AD) admin, and you must connect to an RDS server or jump box that has been hardened, then it does not matter what sort of workstation you logon to in order to RDP from your desk/cubicle to that RDS server or jump box down in the server room, and from there, RDP or otherwise connect to AD domain controllers. (Please see http://radar.oreilly.com/2014/01/is-the-jump-box-obsolete.html if you don't know what I mean by a jump box.) My point is that the ATA server could reinforce that way of thinking, unless the marketing material for it makes it clear that the ATA server alone is not enough, since it only finds lateral movement via credential stealing -after- it has already happened. You cannot safely logon to a workstation that is used to surf the web and check email, then safely "jump" to a hardened server where you present your elevated credentials to administer AD. Why? Getting a key logger onto that workstation via a zero-day exploit or via physical access to the workstation is just one example of ways an attacker could capture your elevated AD credentials at the workstation - before they ever get to the RDS server or jump box. So yet, ATA is great for finding out how successful you have been in your efforts to prevent such attacks - perhaps by providing your AD admins with a dedicated AD management workstation that is NEVER used for web/email or even management of lower-tier workstation or servers. That's a big part of how you stop credential stealing/lateral movement/escalation of privilege attacks. So sell ATA as a way to check -after- you do what it takes to stop such attacks, not as a way to stop them itself.



    Monday, February 13, 2017 11:06 PM
  • It doesn't mention ATA, but this piece about Privileged Access Workstations explains your point about jump servers very well and has a Microsoft label on it.
    Tuesday, February 14, 2017 4:08 PM