JackSlateur 5 days ago

Anyone who cares about AD security has left AD for a long time, no ?

stefanfisk 5 hours ago | parent | next [-]

What’s the alternative?

JackSlateur 2 hours ago | parent | next [-]

What is your need ? DNS ? Auth ? File sharing ? Print sharing ? GPO ? Remote control ? SSO ? Authentication or authorization ?

stefanfisk an hour ago | parent [-]

Yes.

polski-g 3 hours ago | parent | prev | next [-]

FreeIPA

qubex 5 hours ago | parent | prev [-]

NetInfo.

I’ll show myself out.

cryptonector 2 hours ago | parent | next [-]

Wow, NetInfo. What a blast from the past.

To be clear NetInfo is not an alternative. It's just not generic enough and not really a good fit for Windows. NetInfo is too much a Unix solution, so there's no cross-realm/domain "forest" functionality, no support for SIDs, etc.

chuckadams 2 hours ago | parent | prev [-]

No takers for NIS?

brendoelfrendo 4 hours ago | parent | prev [-]

AD is perfectly fine. It's actually really good at what it is: a highly-available Kerberos implementation with an integrated directory server. It's not as dominant as it used to be because there are better ways to handle identity for web applications and zero-trust environments, but I don't think that diminishes what AD was good at.

JackSlateur 2 hours ago | parent [-]

AD has built-in mechanisms where a random person can execute code on the AD itself

You just have to not make a mistake (easy, just be perfect!)

Most people are not perfect; hence, most people have security issues with AD (see the never-ending tail of cryptolocked companies)

brendoelfrendo an hour ago | parent [-]

> AD has built-in mechanisms where a random person can execute code on the AD itself

Could you provide an example? I'm sure I know what you're talking about, but the way you put it I'm having a hard time figuring out what you mean.

> Most people are not perfect; hence, most people have security issues with AD (see the never-ending tail of cryptolocked companies)

Yeah, but, how many of those ransomware attacks exploit misconfigured AD environments rather than something more banal like harvesting credentials accidentally checked into Git, or spear phishing for a target? Identity, in general, is hard.

JackSlateur an hour ago | parent [-]

AD allows connections between two computers that are registered against the Active Directory, including a random laptop and the AD itself

This is a fundamental difference versus something like OAuth: in the former, everything is done to allow RCE on the AD: the code exists; in the latter, everything is done to prevent RCE on the issuer;

Identity is hard ? Identity is a lot simpler once you assume that:

  - people make mistakes
  - code is buggy
  - infrastructure has issues

This is why using things like OAuth instead of AD's authentication mechanism is good: because it is secured by default and you must try really hard to allow a wide range of attacks

Dylan16807 25 minutes ago | parent [-]

"allows connections" isn't code execution. An actual example would be really helpful here.