AD-Sicherheit in kompakter Form: Praktische Schritte zur Stärkung von Active Directory und Entra ID in 45 Minuten

Hi, everyone, and, welcome to today’s webinar. I’m Paul Kelly, Director Enterprise Sales and Solutions at Renaissance, and I’m delighted you could join us. This morning, we’re tackling Active Directory security. We all know AD is one of the top targets for ransomware and cyberattacks, yet the reality is that many IT and cyber teams simply don’t have the time to deal with it properly. Years of small misconfigurations and technical debt pile up until something breaks or worse until attackers get in. But there’s good news. You don’t need a massive project or weeks of downtime to make real progress. That’s why we’re here today. This session will show you how to take a practical bite-sized approach to strengthening both Active Directory and Entra ID security in a way that actually fits into your day. We’ll be focusing on Purple Knight, a free assessment tool from Semperis that can scan your environment, highlight security gaps, and give you a prioritized plan to fix the most urgent issues first. We’re joined by Kriss Stephen, Principal Solutions Architect at Semperis, who will be walking us through the best practices and showing you how Purple Knight works in action so you can start closing those security gaps without the heavy lifting. But just before we kick off, a little bit of housekeeping. Today’s session is being recorded, so if you’d like to share it with colleagues after, we’ll make sure to send the recording out afterwards. All attendees are currently muted, but if you have a question at any point, free to raise your hand, pop it into the Q&A box, or send it directly to me. We really like to encourage participation. We’ll unmute attendees for the Q&A, so don’t hesitate to get involved. The more interactive the session, the better. So with that said, I’ll now hand over to Kriss to kick things off. Thank you very much. So, yeah, first of all, to give you a little bit of background who I am, what I do, what Semperis does, we are an identity company. We focus on Active Directory, Entra ID, backup recovery and resiliency across those platforms. This will probably be the least interesting slide we see today because it’s all about me. I’m not super interesting, but to give you some information, my background is 20 or so years in IT. I came from the old-fashioned route from help desk all the way through help desk, desktop support, server admin, IT manager. Didn’t like that at all. Didn’t enjoy having people reporting to me, so moved back into technical roles. Last three years, being at Semperis, where I came to Semperis as a customer. So I came from an organization that actually deployed the tools that Semperis provides in an organization, seen the value of those tools, and decided to come take a take a journey on the presale side of things and been here the last three and a bit years. So to give you an idea where this webinar came from, a long time ago, longer than I can remember, when I was trying to learn PowerShell, there’s a series of books called Learn Something in a Month of Lunches, and one of those was PowerShell, where you can learn PowerShell whilst you’re having your lunch at your desk, you spend 30, 35 minutes a day doing a little bit of modules, making a really big impact in your ability to upscale in other solutions. So I took the idea, and I was like, could we apply that to Active Directory security? Could we take Purple Knight, which I’ll show you today, and could we start fixing those issues that we have in Active Directory? Because after all, Active Directory is the source of truth for more organizations, so why do we even need to care about it? Why do we need to care about identity? I’m sure if you work in any form of IT, you’ve probably heard or seen “identity is the new perimeter.” Controversially, I disagree with that. I think identity has always been the perimeter. I think identity has been the perimeter the whole time. We’re just catching on to it. If I think about 20 years ago, where I was battling things like Conficker or Blaster worm, they always involved somebody clicking on something or somebody being lured or tricked into clicking something. What then happened was Active Directory was the foundational IT store. COVID came along, I was working in operations at the time when COVID came along and then for almost every organization I’ve ever spoke to, COVID rapidly accelerated their move to cloud and their move to cloud adoption. So we started expanding Active Directory into Entra ID, Entra ID into Salesforce Monday, work from home, VPN, kind of accelerating these plans that were, oh, that’s a two, three-year project. Now, guess what? That’s a two, three-week project now because otherwise the business is going to slow down. So what we then did was—because we have 90% percent of organizations worldwide, it doesn’t matter if you’re a Fortune 100 company or you’re a small-medium enterprise, it doesn’t matter. If you’re in medical, healthcare, government—Active Directory, it’s the same in each of those. Okay, it’s a foundation. You speak to Zero Trust, it’s going to assume hybrid identity. Cloud identity extends from Active Directory, so like I said, we kind of came to COVID, we’re like, oh, we need all these people to work from home, how do we do that? Let’s just synchronize them all to Entra ID, give them M365, give them Teams, give them Zoom, just give them whatever it takes to keep the business running. The sad thing is 80% of breaches involve credential abuse. The weaknesses in Active Directory make it a very, very soft target, easy target for people to do bad things. And it’s easy. It’s easier to compromise a human, okay, through social engineering than it is to say and try and attack a firewall, just looking for weaknesses to try and get through. If you can phone up the help desk of an organization, if you can convince them to reset the password, allow you to get in, you can then control the environment. It’s old. It’s 25 years old this year. It’s been around since approximately 2000, a little bit earlier if you were an earlier adopter, but once it’s had a foothold in an organization, it stayed there ever since. Yes, it’s been updated. We went from 2000, 2003 to 2012, 2012 R2, etcetera, etcetera—the core foundation of the Active Directory has always remained the same. It’s very, very complex. It’s very easy to stand up an Active Directory, it’s very easy to add users to groups, remove people from groups. It’s really hard to design a secure and safe Active Directory. And unfortunately, that rapid adoption to the cloud has taken this legacy design and moved it into the modern threat landscape. What was once just our infrastructure is now our critical identity infrastructure. Now to give you some context around this: 25 years ago, so circa 2000, what else were we using in 2000? Well, Windows Millennium Edition; Internet Explorer 5; Clippy, my favorite. This links this router that almost everybody that had broadband in the year 2000 had at home, and the Nokia 3310. Okay? This is the technology that we were using in the year 2000. I don’t think anybody would still be using any of these today, except maybe Clippy because AI is coming back, if you think about it, Clippy was the first ever AI. Okay. So if we’ve upgraded everything except our identity, we need to start thinking about when’s the last time we looked at identity, Active Directory, Entra ID through the lens of security, not through operations, but through security. What we need to start thinking about is how can we assess, understand our security posture? Now what I prefer to say is how can we provide visibility into what we don’t know? Well, that’s where Purple Knight comes in, and that’s what we’re gonna do today. So part of this is gonna be running through a live demo. I’m gonna show you exactly how quick it is to run Purple Knight, how quick it is to get those quick wins in an organization and make that positive impact. So what are we gonna look for? Well, we’re gonna look for over 100 different indicators in Active Directory. Today, we’re not gonna connect to Okta and we’re not gonna look at Entra ID. We’re just focused on Active Directory because it’s a little bit quicker. Scanning Okta and Entra ID does take a little bit longer. But what we’re gonna look for is over 100 different things against Active Directory. We’re gonna give you a score, now that score is gonna be our baseline. Within the time that we have, what we wanna do is we wanna try and increase that score. 33% is terrible. I can’t remember what we’ll get in this environment, but we’ll find out together, but the plan is that we’re gonna improve that score. And how are we gonna do that? Well, we’re gonna figure out what we can fix based on the actionable insights that you’re gonna get. Every single indicator is gonna be ranked a severity, somewhere between critical and low. Critical being look, you really need to pay attention to this because it can be used against you. If somebody doesn’t have access to your environment, they could use this to get access to the environment. If they’re already in your environment, chances are they could use this to elevate privilege to the next step. For the security conscious people on the call, people working with the SOC teams, the security teams, we’re gonna explain where these lie on the techniques, tactics, and procedures that threat actors use. K? Where do they map against MITRE ATTACK, MITRE DEFANT? And for some of these, you may not even know what they mean, which is fine because we’re gonna tell you what they mean. We’re gonna tell you what ADVNSD older means, what the impact of having this in your environment is, what’s involved in this incident, and any remediation guidance around. Now I ran Purple Knight against multiple iterations of Windows. Every version of Windows I could get to run in Hyper V, I run against it. Ironically, 2003 R2 was the most secure. It’s about the highest score, but that’s because 90% of the features that we were looking for don’t exist in 2003. In most real-life environments, you’re gonna see a score of around 45%. It will be near impossible to get a 100% in an environment that’s actually being used. 80%, and you’re doing really good. Okay? So what we’re gonna do, we’re just gonna dive into demo. Now what I’ll do is if you have questions, just type them in the chat, raise your hand. We can get to them. So let’s take a look at the demo. Now I do have an environment here, a little bit bloopy, what I created earlier. On the surface, it looks like a really well-designed Active Directory environment. Nice OU structure, everything named accordingly, departments, tier and model, but, unfortunately, under the hood, it does have some issues. So what we’re gonna do, we will go to the Semperis website. You’ll get the URL after the call. You’re gonna get the URL for Purple Knight. You’re gonna download Purple Knight. You’re gonna extract it. When you extract it, it’s just gonna be a self-contained folder. Inside that folder is gonna be everything you need to run Purple Knight. You can run it as a standard user. Okay? You don’t need to run it as a domain admin. If you run it as a domain admin, you will see one or two additional indicators. If you run it as a standard indicator, you’ll see what a threat actor would see if they were looking at your environment. When you launch it, it’s gonna look a little bit like this. You have the ability to connect to Active Directory, Entra, if you create an application registration, and Okta, if you have an Okta API key. I am literally just gonna do Active Directory. I just need to reboot this. So just start up. It’s because I left everyone sitting. What I’m gonna do is I’m gonna select AD when it comes up. It does support multiple forests. It does support multiple domains. So if you have a large domain structure, it will scan an entire domain structure. It will take a little bit more time. Okay? But it’s still gonna be quicker than you could possibly ever do this manually. So this will take a couple of seconds to load up, and what it’s gonna do is it’s gonna run a bunch of PowerShell checks behind the scenes. If you’re interested in what it’s running, all the PowerShell scripts are in the scripts folder. You can take a look at them. I’m just interested in Active Directory. And we’re gonna select the forest. We’re start the scans. So what we scanned it for, 118. Okay? There is one in here that is disabled by default. That’s the Zerologon detection because it will mimic a Zerologon attack, and it will alert your SOC team very quickly. So we’re scanning across different categories, AD delegation, security, group policy, Kerberos security. If I did connect this environment to Entra ID, we will scan hybrid. Okay. Now what that means is we’re gonna look for the bridge. We’re gonna look for the bridge between the on-premises environment, we’re gonna look for the bridge to the cloud environment. Do you have admins on prem that are also admins in Entra ID? Hopefully you don’t. If you do, we’ll highlight them, bring them to the surface and that’s something that you really want to remediate. Because what you don’t want to have happen is you don’t want your on-premises admins to be compromised, which leads to a cloud compromise or vice versa. Okay? So we’re almost there. It’s running a couple more, couple more, and we should be good to go in just a second. So 33% is our starting point. Click review report. What it’s gonna do is it’s gonna take this report. It’s gonna show me. It’s gonna give me a nice, easy to read, simple report. It says, hey. Scan your environment. Now you’ve got 33%. What did we find? We find 43 indicators of exposure—that’s what IOE stands for. We had one that wasn’t selected, we had two that failed to run and three that are not relevant. Not relevant will be those hybrid ones, not relevant because I’m not in a hybrid environment here. It’s gonna list the most critical ones first. I hope that you do not see many of these in your environments. If you do, don’t worry. You can still fix it. Unfortunately, if you see something like maybe cats in your environment, you probably need to phone in some support because you have bad people doing bad things in your environment. Some of these make sense. Print spooler services running on a domain controller. Everybody should know what the print spooler is. Some of them don’t make sense initially. Non default principles with DC sync rates on the domain. What does it mean? Well, click on it, and that’s where we’re gonna get the insight. K. What are we looking why is it why is this important to us? Well, it’s critical. Where does it map against MITRE ATT and DEFEND? Credential access. ANSI is a French government framework that maps Active Directory attacks against their framework. This means that there’s somebody at the root of the domain or multiple people at the root of the domain that have the ability to replicate passwords around an environment. Very important because if you can replicate passwords or if you have the permission to replicate passwords, you can own the entire environment. I start with this one because it exists in nearly every single hybrid environment today because of Entra ID. Entra ID does password hash sync. How does it get the password? It uses DC sync permissions. So what you’ll see here in this environment is here’s my Entra ID Group Manager service account, okay, a very secure account type, password rotates every seven days in my environment, it’s 128 characters long, chances of that account being compromised are very slim, It’s in a secure role, nobody can tamper with it, etcetera, etcetera. The bottom two is where we’re starting to raise to the surface things that you otherwise wouldn’t be able to see. SharePoint, I don’t have SharePoint in this environment. I did have SharePoint. That’s, true of a legacy environment where I came from where SharePoint was on premises, and actually nowadays SharePoint is back full circle. You can now get M365 on premises, which is interesting. But when we had SharePoint on prem, SharePoint required these permissions. And if you were to go through the rest of this report, you’re gonna see that SharePoint account appear multiple times. It’s an old service account. The application’s being decommissioned. The servers have been decommissioned, but what people are really, really bad for is cleaning up the delegations in Active Directory. We leave the service account enabled. We leave the service account enabled with the permissions that initially had. And guess what? If you look at the SharePoint account, it has things like a service principal name. Password hasn’t been changed in the last 10 years. This is a really easy point for an attacker to elevate their privilege. Okay? With a service principal name against a privileged account, you can do what’s referred to as a Kerberos attack, where you can request a ticket granting ticket from the Kerberos system, take that offline, attempt to crack it, then take over the domain. Third one, standard user. There is no way a standard user E344953, whoever that is, requires these permissions. Now I’ll show you how to remediate this one really quickly, and then I’ll show you a better way to use the information that Purple Knight is showing you. If we look at this account here, and we’ll look at the root of the domain, very quickly, under security, you’ll see there are these two user accounts. They shouldn’t have permission of the root domain, so let’s just remove them. Now please take this with a pinch of salt. What I’m gonna show you from this point on, this is my lab environment. I don’t have to go through change requests. I don’t have to go through change control. I don’t have to do any due diligence in this environment because I know it’s my test environment. Some of these will be very, very easy for you to remediate with very low impact on an environment. Some of them will be a little bit more complicated, you will have to do some due diligence. If you can’t remediate them, you may have to put them on like a risk register or you may have to wrap some compensating controls around them. K? When you run Purple Knight, in the output folder, what you’ll see is what is the date today? 26th. You’ll see you get the HTML report. You get an Excel spreadsheet, and you can also export everything to CSV or to PDF. I am not an Excel wizard. K? This is what the Excel looks like. You’re gonna have the tabs along the bottom, the assessment, this is what that little 33% is made up of. Indicator results, this looks unwieldy to start with, every single indicator, and the result of every single indicator. So when I’m using this to prioritize what am I going to fix, all I do, insert a pivot table, use IOE found as a filler, All I care about is the stuff that’s causing me problems today. I don’t care about the stuff that’s green. If it’s green, good. That’s fine. If it’s red, I need to remediate it. I can see very quickly, here’s my most critical, here’s my high, here’s my medium, here’s my low, here’s my informationals, this is what I need to fix. Now some of these are gonna be super easy. So print spooler is enabled on a domain controller. I’m not serving partners from a domain controller. Now, ideally, you do this via group policy. You do it once, and all your domain controllers go, disable the service, but simply use command print spooler, set the startup type to disabled. No impact to anybody. We’re not hosting printers on the domain controller. We don’t need to be running the print spooler on the domain controller. So let’s just mark that one down. Knowing these whole principles with DC sync rights, well, we took a quick look at it, and I know that those two users don’t need those permissions. The SharePoint one, we don’t have SharePoint anymore. We decommissioned SharePoint 10 years ago. We are pretty certain that that could be remediated just by and I apologize. I’ve been clicking on the screen. I’ll try to slow down a little bit. Here’s the SharePoint account. If we look into it, we’ll see it as replicate changes replicate changes all. SharePoint doesn’t exist. Let’s remove the permissions. Let’s find the account. Oh, and we’ll type in. It’d be alright. Let’s just disable the account. We won’t delete it just now just in case we have to turn it back on for some reason, but we’ll disable it. We’ll write down on the ledger that we disabled it. We’ll wait seven days. If nobody complains, then we’ll consider to fill in the account afterwards. Some of the other ones that we can tackle that are gonna be really easy, computer accounts and privilege groups. You’ll see this in most environments where a customer or an organization has SCCM. SCCM being system center configuration manager. What that means and I hope you don’t see this, and if you do see it, you should really take a look at it because what it means is when I find that in here, I’m gonna look at it, and it says this attack box, which is aptly named hopefully, you don’t have computers named attack box in your environment. Anybody that logs onto this box as an administrator inherits the permissions of this account very, very easily. Okay? So this attack box is a member of account operators. Account operators can reset the password of 99.9% of users in an environment. We shouldn’t have that. We shouldn’t do it. So we can just go ahead. We can remediate it. And all we’re gonna do is we’re just gonna move it from the account operator script. Doesn’t need the ability to reset passwords for users. There’s no need for that. Some of these that we can pick them through very easily, domain controller owner is not administrator, maybe once upon a time the server team before we had server admin credentials, before we had separation of duty, somebody joined a computer to the main that the bank that computer then got promoted to the main controller. All I’m checking is the security permissions on the domain controller, are you going to see Amelia has these permissions and what we’ll do just really quickly is we’ll just reset it back to what it should be, Should be set to administrators. Very, very low impact because this is how it’s meant to be. K. There is no reason that Amelia has the ability to reset the computer account password. Okay. Same as Howard, we’re looking at this one, we look at the security, we find this other AD that Howard has full control over domain controller, pure object, absolutely not. Remove it, Low impact to no impact. Finding these little things that we can go ahead and figure out. Now we don’t have to just use the user interface. We can use PowerShell to do some of this. Okay. So if we’re looking at things like users where passwords are not required, now it is possible to create a user account in Active Directory. It is possible to create that user account without a password. And what does that mean? Well, it means that when Michelle’s account was created, no password was set. So if I’m an attacker and the password’s never been set and I go to the log on screen, I just type in Michelle’s user ID, I hit enter, can log on as Michelle. We don’t want that to happen, shouldn’t have that happen in any environment. So with PowerShell, all I’m gonna do really quickly, get the user, set the password to not required to false. That one’s done. Okay. Other another ones that we can do with this is things like the guest account is enabled in this environment. Get the guest user. Guest account should never be used. It should never be enabled. Let’s just quickly turn off. Now some of these, you may have to do some due diligence around because some of these could be a sign of attack. If you see anything like history and you’re not going through a domain migration, okay, if you’re not familiar with what SID history is, SID history gives you the ability to take on the permissions of a previous group normally done during domain migration where you will see that somebody has this elevated rights where they have taken the domain admin group SID, added it to a user account, what they get is they get the permissions of that user. So if we look at this and it will appear on our Purple Knight report, it will appear in the Excel, but what it’s going to tell you is these two users here in the SID history, now this is a sign of compromise, this is a sign of persistence, so if you see this pay attention to it. For those who don’t know the two groups in here, 512, domain admins, 519, enterprise admins. When Laura logs on or when Herman logs on, they will be effectively a domain admin or an enterprise admin. Where this becomes important is when bad people do bad things in your environment. Okay? When those threat actors are coming along and they are trying to maintain persistence in the environment, they’re not creating John Wick accounts, they’re not creating Darth Vader accounts. They’re creating standard user accounts. They’re creating these accounts so they can blend in, and then what they’re gonna try and do is they’re gonna try and inject persistence in that. And one of the ways is through things like this. If you see this in your environment and you’re not going through a domain migration, you can very easily clear these values out, remove the risk. All I’m doing is setting the PowerShell command that just says, hey. Remove the SID history from these users. Check the user again. They’re gonna have no SID history. Now there are some other ones in here that are really, really silly. Weak encryption algorithms. Starting to delve into some of the medium ones, all around user hygiene. User accounts with reversible passwords, that just makes it incredibly easy to somebody to reverse your password from your password hash if they can get it. User accounts are using DES encryption. DES encryption is about 25 years old now. You may see this in environments with a lot of legacy technical stuff. I had this when we had an ES 400. If you know what an ES 400 is, you’re probably of a certain age. This does exist, but it shouldn’t exist in a modern environment. Users with Kerberos pre-authentication disabled. Kerberos preauthentication means that you can request ticket granting ticket without even authenticating to the domain. So if I have a list of user accounts, I don’t need to know your password. I can run this against your account. It’s gonna return me a ticket granting ticket hash that I can then take offline and decrypt. So for these ones, what we’ll do is really quickly, we’ll just identify them. Now they will appear in the report, or they will appear in PowerShell, and I’ll show you how to find them. So that’s gonna be Sophie Curtis. And if we look at where this exists on here oh, type. Go into account what we’re gonna see down here somewhere. Only the Kerberos. Worst decision ever. Take that away. The other ones that we have, I’ve already cheated a little bit, Blue Peter. The account for Ellie, you’re gonna see that Kerberos pre authentication. There is no need for users to have this, and you will see this in environments. Just come in, clear it out. You don’t need it. These are the low, simple hanging fruit. K. These are the ones. Fix it in the lunchtime because you don’t need to do much due diligence around this. If somebody comes back and says, hey. I needed this. You’d be like, why do you need Kerberos pre authentication disabled? There is no real reason for that nowadays. Those are the simple ones. Longer term, what we maybe need to think about is some of the critical ones here. You will see in any environment I see it in any environment when I do a Purple Knight review, when we when we’re speaking to customers, when we’re looking at any environment, when we’re active on the on the forums. One of the biggest weaknesses in Active Directory is things like PKI. PKI, public key infrastructure, Active Directory certificate services. This is where you start needing to think about, okay. We’ve done the short term. Now we need to do some medium-term planning here. We don’t just check users, groups, OUs. We will check if you have a PKI ADCS environment, and we will check the certificates in there. One of the easiest ways to get domain admins domain dominance is by abusing certificates. We will check your certificates or certificate templates and look for misconfigurations in them. This one here, for example, allows anybody in the organization to request a certificate on behalf of anyone else and have that certificate granted to them automatically. I’m sure you can understand why that sounds like a bad idea. If you are not familiar with what certificate is, think of it as the ability to request a passport for anybody in the country, but just have your picture on it, but you can assume the identity of anybody. Within twenty to thirty seconds, you go from zero privilege to entire domain compromise. However, the flip side is you need to put some compensate control in on this one. Okay? So it’s gonna take you a little bit longer to go ahead and fix those issues. Okay? So that’s gonna be put on the medium term. IDRP end loop, you can fix some of it, you can’t fix all of it, and some of it’s going be a longer term strategy. Put it on a risk register, wrap some compensating controllers around it. So for this one, if I did require the ability for somebody to be able to specify a name in a certificate request, all I’m gonna do is add manager approval. What will happen is when somebody submits that certificate, it’s gonna come to me or a member of the team just to review it, and we can go, okay. No. Why are you requesting this on behalf of the domain admin? Okay. Let’s reject that. Let’s go and see why that user account has requested this. You speak to the user, hey. That wasn’t me. Okay. Their account’s likely being compromised, and somebody’s trying to use it to elevate privilege in an environment. What we’ll do, we’ll just do a couple more, super easy ones. Okay? And then we’ll just rescan Purple Knight and see what difference we made. Active Directory has a bunch of built-in groups, okay, referred to as the operator groups. Account operators, backup operators, print operators, server operators. Unfortunately, commonly misunderstood. Print operators doesn’t mean that you can manage printers. Print operators means that you can actually log on to domain controllers in the environment. Try not to use the built-in operator groups if possible. Try to delegate the granular access that you need to provide people the ability to do their role. So we’ll see even in some of these ones here, dispute comm users, which allows people to, remotely execute commands. We’re gonna empty out. We shouldn’t have standard users in these. If we remove somebody from here that’s a standard user and it causes an impact, Personally, I would rather know about that because I’d rather it makes a noise so we can figure out what it’s doing, why it’s doing it, also referred to as a screen test. K. So we’ve done a couple of configurations. There’s not been anything major. There’s not been anything huge. We do still have a lot of work to do. We need to look at the resource-based constraint delegation against the Kerberos TGT account. That’s a mouthful, that’s one that you’re probably going to have to go and look up and figure out what it actually does. We fixed that well-known privileged SIDS and SIDS history and as a byproduct of that what we’ve done is we’ve actually launched a security investigation to figure out how this happened in the first place. You can’t do that without elevated rights. Okay? We’ve discussed such as certificate templates, how we’re gonna put that on the medium term. We’ve removed some users from those operator roles using standard user accounts. We’ve fixed some of those old legacy delegations. Some of the objects in here will have things like user accounts not used in X amount of days. That’s a housekeeping issue. K? Get with your HR. If you don’t have an ILM system, get with your HR, give them a list of these accounts and say, hey. Are these still active employees? HR will tell you no. You go ahead. You just disable them in AD. Now my best practice would have been disable them for seven days, nobody screams, move them to a terminated OU so they’re no longer synchronized with Entra ID, for example. After seven days, if nobody still complains, I’m resetting the passwords. And then after seven days, I’m just deleting that user account. K? And by spreading it over that period of time, it gives you the ability to roll back really quickly at any time. So we made some changes. Let’s see if it’s made any impact. We were at 33%. So let’s take a quick look and see what happens. So it’ll take a few seconds. It’s gonna go through. It’s gonna run the scan again. Now when the scan runs, it’s gonna give me a new output. It’s gonna get the new HTML report and a new PDF report, and we’ll get new Excel spreadsheet that we could go ahead and run the same pivot table against. All the time, remember, and the Purple Knight is free, by the way. You could go ahead, download it today, run it in your environment. It’s gonna take you about, at most five minutes to download it, run it. Come back with that score, show it to your boss, show it to your security team, and say, look. We need to start making improvements in Active Directory. Because in some organizations, it’s not a matter of when if sorry. It’s a matter of when. Now we made some changes that were very, simple, and we increased that by 6% percent. There is a whole bunch of other things that we could do in this environment to push that score right up. Okay? Within a day, you could have this environment sitting at 50% with minimum impact. The next step would be taking 50% to 70 to 80. Once it gets to 80, you want to maintain it there, and that’s going to be the hard part, is making sure that you don’t fall back into the bad practices. So what do you do next? Well, I kind of already spoke to this. Okay? Prioritize from most critical to least critical, then take that list, map it to short term, medium term, long term. What can we do now, today, tomorrow, Friday to be able to reduce risk in the environment? What can we do next week? Okay. What changes do we make that we’re I’m fairly certain this isn’t going to cause an issue, but you know what? If it causes an issue, I’m probably just going to raise a change request just to make sure that I’m protected and we have a backup plan if we ever have to. Longer term, some of these, you may not be able to get rid of really quickly. Okay? If you’re like me, you have a lot of legacy tech applications in your previous organization that do require things like DaaS encryption. Let’s make sure that that’s a long-term plan that we really need to get off of this. We need to move from DaaS to AES, or we may move from DAS to triple DAS at least. If we can’t do anything about it, let’s add it to the risk register and let’s put some serious control around it. Let’s configure our SIEM to alert us if that account is used anywhere else except the approved location. Okay? But speaking as a pessimistic Scottish person, what you need to remember here is any improvement is an improvement. Going from that 33% to that 39%, that’s made it a little bit harder for somebody to get access. That’s made it a little bit harder for somebody to get elevated rights in Active Directory. And that’s the aim of the game is that we need to make this as hard as possible Because when you see how easy it is to compromise AD, you’ll see it on the news. You’ll see that, hey. Somebody got in. They’ve phoned up the help desk. They convinced somebody in the help desk to let them reset their password. They go into AD. They poked around AD. They’re using tools that are freely available on GitHub, things like Rubius, things like Mimikatz, to just go ahead, elevate all around the environment, compromise that domain, and, unfortunately, shut the business down. What we did today is we looked at the Purple Knight. Purple Knight is free community tool. K? We have a secondary community tool, which is focused around the delegations in Active Directory. Purple Knight looks for the misconfigurations. What settings exist that somebody could take advantage of? Is anonymous access to AD enabled? If it is, it absolutely shouldn’t be. Let’s turn that off. Forest Druid, if you’re familiar with attack path management, and if you’re not, you really should be if you’re looking after AD, is thinking about in graphs. It’s providing you a graphical representation of attack paths within your environment, focusing on your tier zero. Now what we refer to as Tier 0 is things like your domain admin account, your account operators, your domain controllers, who can directly impact them, and that’s what you need to fix from a delegation standpoint of view. That’s a completely free tool. Again, community tools. You download them. You run them in your environment. Everything you need is built into these tools. You don’t have to have any dependencies or anything. So with that being said, I don’t know if we have any questions in the chat. If anybody has any questions, if they wanna come off mute, you can you can absolutely come off mute. Thank you, Kriss. That was very insightful. Yes, feel free to put your hand up, add questions into the chat. I can also see that the link to download Purple Knight has also been added, so feel free to access that. Or if you’d like us to send it on directly, let us know. Yeah. Just a couple a few questions in already, Kriss. First one, which Purple Knight checks typically deliver the highest risk reduction across hybrid AD and Entra ID? Yeah. So when we’re looking when you do connect that to that enterprise application, okay, so when you scan an Active Directory and you also choose to scan the Entra ID category, what it will unlock is that hybrid category that we’re gonna scan. Now mitigating risk across that hybrid is all about severing the connection for privilege. You do not want to have your privileged on-prem users synchronized to Entra ID and be privileged there as well. So there are checks in there that will check for that. They’ll also check to make sure that, hey, you don’t have a standard user that’s also privileged in Entra ID. What you want to do is you want to have your cloud administered by Cloud Identity, your Active Directory administered by Active Directory. So the hybrid category as a whole when it is enabled that will provide you with that information. Okay, yeah, thanks Kriss. Second question just coming in now. How do you align on-prem AD with Entra ID findings into a single remediation plan so teams don’t fix one side while leaving the hybrid exposure? Yeah. So it’s kind of interesting because nowadays what we’re seeing is it’s not necessarily the Active Directory team that also manages Entra ID. What you’ll see is that are maybe segregated. You have the cloud team and you have the Active Directory team. With Purple Knight, what you can do is you can still take away that Entra ID report. You can take away that Excel report. But in that Excel report, you can actually add a separate category, and that category will be the ability to split it out. So we will show you, hey. These are the Active Directory ones. These are the Entra ID ones, and these are the hybrid ones. There will be some overlap where if I fix something on premises, it will also fix certain things in Entra ID. So if I decide that, hey, we’re not gonna, we’re gonna reduce the sync scope of Entra ID to not include our admin accounts. Great choice. That will fix the issues with the Entra ID admins. Entra ID admins, they’re gonna have their own things that they’re gonna have to fix. They’re gonna have to fix the ability for guests to invite other guests into an in tenant or control who can accept applications. So there will be a very small overlap, kind of focuses on that hybrid category again, but otherwise you can you can put a clear delineation between, hey. This is an AD issue. This is an Entra ID issue, and this is the bit in between. Okay. Thanks, Kriss. If we still have a bit of time, if anybody has any more questions, please feel free to add them. We’ve another one just I’m looking at now. How do you validate that a remediation actually reduced risk regarding the scan strategy acceptance criteria and rollback plan if something breaks? Yeah, so that’s exactly what we kind of demonstrate in the webinar today is though, let’s scan it today, Let’s take that list. Let’s put that list into practice. Now some of these, I would still go through it, and I to be honest with you, I would still document what I have. If I’m gonna be changing memberships to group, what I’m gonna do is I’m just gonna make sure I have that group original group membership backed up. Now that could be a PowerShell command just saying, hey. Get group member. Save it to file. Give me a backup plan. Once I’ve done that remediation, I will rerun Purple Knight, and I’ll see if we’ve made any improvements. If you’re familiar with something like Six Sigma, okay, Six Sigma being continuous improvement, this is actually a continuous improvement. The whole thing is what we fix today, if you’re just using Purple Knight, may revert in a week, in a month. You may onboard a new admin. They do something slightly differently, guess what? They’ve reintroduced risk into the environment. So for me, this would become a continuous improvement process. Once you it gets a little bit addictive. Once you start making the improvement and you actually see that score going up, 33%, 36%, 40%, 50%, 70%, 80%. What I found with a lot of customers when they’ve been using Purple Knight, that starts to become the metrics that they’re actually providing to their manager. That starts to become some of the basis of when you’re having your yearly review with your manager, hey, yeah, my project, I increased the security of Active Directory from 30% to 80% and we maintained that for the last six months. It becomes really powerful when it becomes something that you actually start paying a lot of attention to. Yeah, so we’ve had some very good questions and that was very insightful. Thank you again, Kriss. If we don’t have any more questions, then we can sign off shortly then. And if there are anything that comes up, remember, you have my email address. You can reach out to me if after the call you go, oh, I wish we really had asked this or I wish we discovered this. Please reach out. There is a Slack channel if you have any issues with Purple Knight or your query and how things are run, what the indicator is telling you, you can be checked at the community channel on Slack as well. Thank you very much everybody. Really appreciate everybody attending as well. And as Kriss said, please feel free to follow-up with any of us. We’ll be more than happy to respond to any questions that you have. So thanks again everybody.