AD has built-in mecanisms where a random person can execute code on the AD themselves

You just have to not make a mistake (easy, just be perfect!)

Most people are not perfect; Hence, most people have security issue with AD (see the never ending tail of cryptolocked companies)

▲ brendoelfrendo an hour ago | parent [-]

> AD has built-in mecanisms where a random person can execute code on the AD themselves

Could you provide an example? I'm sure I know what you're talking about, but the way you put it I'm having a hard time figuring out what you mean.

> Most people are not perfect; Hence, most people have security issue with AD (see the never ending tail of cryptolocked companies)

Yeah, but, how many of those ransomware attacks exploit misconfigured AD environments rather than something more banal like harvesting credentials accidentally checked into Git, or spear phishing for a target? Identity, in general, is hard.

▲ JackSlateur an hour ago | parent [-]

AD allows connections between two computers that are registered against the active directory, including a random laptop and the AD themselves

This is a fundamental difference versus something like oauth: in the former, everything is done to allow RCE on the AD: the code exist; in the later, everything is done to prevent RCE on the issuer;

Identity is hard ? Identity is a lot simpler once you assume that:

  - people make mistakes
  - code is buggy
  - infrastructure has issue

This is why using things like oauth instead of AD's authentication mecanism is good: because it is secured by default and you must try really hard to allow a wide range of attack

	▲	Dylan16807 28 minutes ago \| parent [-]
		"allows connections" isn't code execution. An actual example would be really helpful here.