brendoelfrendo 4 hours ago

AD is perfectly fine. It's actually really good at what it is: a highly-available Kerberos implementation with an integrated directory server. It's not as dominant as it used to be because there are better ways to handle identity for web applications and zero-trust environments, but I don't think that diminishes what AD was good at.

JackSlateur 2 hours ago | parent [-]

AD has built-in mechanisms where a random person can execute code on the AD itself

You just have to not make a mistake (easy, just be perfect!)

Most people are not perfect; hence, most people have security issues with AD (see the never-ending tail of cryptolocked companies)

brendoelfrendo an hour ago | parent [-]

> AD has built-in mechanisms where a random person can execute code on the AD itself

Could you provide an example? I'm sure I know what you're talking about, but the way you put it I'm having a hard time figuring out what you mean.

> Most people are not perfect; hence, most people have security issues with AD (see the never-ending tail of cryptolocked companies)

Yeah, but how many of those ransomware attacks exploit misconfigured AD environments rather than something more banal like harvesting credentials accidentally checked into Git, or spear phishing for a target? Identity, in general, is hard.

JackSlateur an hour ago | parent [-]

AD allows connections between two computers that are registered against the Active Directory, including a random laptop and the AD itself

This is a fundamental difference versus something like OAuth: in the former, everything is done to allow RCE on the AD: the code exists; in the latter, everything is done to prevent RCE on the issuer.

Identity is hard? Identity is a lot simpler once you assume that:

  - people make mistakes
  - code is buggy
  - infrastructure has issues

This is why using things like OAuth instead of AD's authentication mechanism is good: because it is secured by default and you must try really hard to allow a wide range of attacks

Dylan16807 25 minutes ago | parent [-]

"allows connections" isn't code execution. An actual example would be really helpful here.