Caution: More Software May Be Hazardous to Your Network Health
Far too often, we think all our problems can be solved by adding more software. Well, that is logical. After all, we are technologists. Technology is cool, and our technology of choice is software. More toys must be a good thing, right? Not necessarily. There are many examples where software caused more problems than it solved.
For instance, it is not at all uncommon to deploy some sort of centralized logging solution or intrusion detection system (IDS) to detect attacks. Remember the name of the service account in Chapter 2, "Anatomy of a Hack: The Rise and Fall of Your Network"? PYN-DMZ\_ids. There is a reason for that name. A couple of years ago, while doing a penetration assessment on a large network, one of the authors discovered a service account with that name. As in this case, it was the service account used to run the IDS service. The IDS service relied on an agent to collect the logs from all the protected machines. Since this is a privileged operation, the IDS service ran in the context of an administrator. Once we had compromised one of the systems running the IDS, it was a simple matter of dumping out the LSA Secrets to take over all the other systems with that service, which in this instance was the entire network, including domain controllers. When building the demo network for Chapter 2, we named the service account _ids as a silent memorial to that faithful network.
WARNING: Consider this when deploying domain-wide management software: A domain is only as secure as the least-secure system running a service under a domain admin account.
Any given system is only as secure as the least-secure system with which it shares administrative or service accounts.
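One way to find the exposure the warning describes before an attacker does, as an added example that is not from the book: list every service on a set of hosts that runs under a domain account, and flag the ones whose account is (directly or through nesting) a member of Domain Admins. It assumes the ActiveDirectory module is available, the hosts are reachable over CIM, and `$Hosts` is your own inventory.

```powershell
# Added audit script (not from the book). Flags services whose logon account is a
# Domain Admin, so the least-secure host in the result sets the domain's security level.
Import-Module ActiveDirectory

$Hosts = @('dc1', 'web1', 'ids-server')   # assumed host names; replace with your inventory

# Resolve Domain Admins membership once, including nested groups, as lowercase SAM names
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.SamAccountName.ToLower() }

$findings = foreach ($h in $Hosts) {
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $h -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $logon = $svc.StartName
        if (-not $logon) { continue }

        # Accept DOMAIN\user or user@domain; anything else is a built-in identity
        if ($logon -match '^(?<domain>[^\\@]+)\\(?<user>[^\\]+)$') {
            $domain = $Matches['domain']; $user = $Matches['user']
        } elseif ($logon -match '^(?<user>[^@]+)@(?<domain>.+)$') {
            $domain = $Matches['domain']; $user = $Matches['user']
        } else { continue }

        # LocalSystem, NT AUTHORITY\*, NT SERVICE\* and host-local accounts are not domain accounts
        if ($domain -match '^(NT AUTHORITY|NT SERVICE|\.)$' -or $domain -ieq $svc.SystemName) { continue }

        [pscustomobject]@{
            Host          = $h
            Service       = $svc.Name
            Account       = $logon
            State         = $svc.State
            IsDomainAdmin = $domainAdmins -contains $user.ToLower()
        }
    }
}

# Each host in this list can expose the credential of the account it runs under;
# every one of them must be protected to the domain controller standard.
$findings | Where-Object IsDomainAdmin | Sort-Object Account, Host | Format-Table -AutoSize
```

Any account that appears here should be replaced with a least-privilege or per-host service account, or the service should be moved to a host you are prepared to defend as carefully as a domain controller.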