Welcome. This is Quest Unscripted.
A vlog series on trending topics.
And Quest solutions related to Active Directory.
Office 365.
Oh, and don't forget, Azure AD.
You are here because you have questions.
We're here because we have answers.
I think.
We will address questions we've received from customers--
Experiencing the same challenges as you.
All with the goal of helping you confidently move--
Manage--
And secure your Microsoft environment.
We call the show Quest Unscripted because--
Except for this intro--
Nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hey guys, thanks for joining.
Greetings, guys.
Today, we're going to be talking about migrations and security. We've got Jeff and Bryan. I'm just going to ask a question and I'll let you guys answer it, and we'll go back and forth. In a nutshell, can doing a migration help us become more secure as an organization?
It can, if you change the behavior of how you're managing your network. If you haven't changed how you're managing your network, if you haven't categorized tier zero type stuff, then no. But if you have changed your management methodology and you're moving and consolidating, there's a lot less objects you have to look at. So in that instance, it would be a yes. So it's that one famous thing. It depends. It depends on you, as a customer, right?
Yeah, I mean, Jeff, you've been doing this for a long time. What's your opinion on it? What are the benefits? I guess security has changed the migration landscape, or vice versa. What are your thoughts?
Really, by changing the way you manage in a lot of distributed domains, forests, they're all managed differently by different people. Everybody's got their own fiefdom. And you need to consolidate these fiefdoms, and run by one policy, not by 12 policies because you have 12 forests. You don't have 12 CIOs. So you should only have one of everything that the CIO has to manage.
Bryan, what are some of the AD compromises that may be a result of not consolidating on premises Active Directory environments?
Well, it's just a matter of your having limited resources. So those resources have to manage multiple different environments. It means they can't focus their energies across absolutely everything.
So it's kind of a trick question, right? Because compromise of one AD, it feels completely siloed. Well, hopefully it contains that AD, unless you've got a trust they can actually go out to yet another AD.
So I feel like simpler management, like to Jeff's point, less to manage, less objects, less that we have to police and take care of. But it's a matter of actually establishing the behavior and understanding current best practices.
I've seen many organizations just do a migration to do a migration. But if they still have domain admins logging on to workstations, as an example, that hash is still sitting out there. Well, they did this migration, but they haven't changed the behavior.
So they're going to muddy up the water. And their new environments could be the same conditions as their old environment pretty quickly.
Jeff, any thoughts?
Yeah, a lot of customers still have an empty root that they built back in 2000 when they initially came out with Active Directory, and managed as such. I mean, are they prepared today for the hacks and ransomware that's coming their way today?
Are they ready for the cloud? I think when Microsoft went from just a single domain within a forest to be synchronized up into the cloud, and allowed multiple domains to go into a forest, and multiple forests, it caused kind of-- people stopped migrating. Now, they've got to worry about the cloud, and so they just left everything in place.
Yeah. So if I'm a customer listening to this and I'm about to embark on a migration, what's the best course of action for me to look at it from a security angle? I mean, where do I go?
My recommendation, I'm a big fan of BloodHound. Use BloodHound Enterprise, do the security assessment, understand where you're exposed. So you can use that different data to figure out what the new environment should be like, if it's going to be a greenfield.
Even if you're doing a merger and acquisition, maybe you run BloodHound Enterprise. If I have a very low exposure rate in my existing environment, yet the other environment has a 90% or 100% exposure rate, maybe I do a little bit of policing, and it's going to change how I do migrations. So a little bit of information on the front end can help you keep things secure as you're going through any kind of migration project.
And for those customers who don't know what BloodHound is, what is BloodHound?
BloodBorne is-- or BloodHound is a tool that's built for defenders for the BloodHound Enterprise, which will visually show you all different exposure to tier zero.
If you don't know what tier zero is, think about group policies linked at the domain level, your domain admins, your built-in administrators, your domain controllers. Any of those different things are automatically categorized by BloodHound Enterprise.
Then you actually manually add in like your Azure AD Connect, ADFS, your AD backup servers. If I can get access to those things, I have all I need to take over in a full compromise of your environment. So I think identifying where those issues exist first, it's really probably a good idea.
And Jeff, we're talking here. It doesn't matter what kind of migration it is. This is what Bryan was talking about, something we can help with regardless of source or target, correct?
Correct. So whether they're on-prem or you want to migrate into Azure and Azure exclusively, I mean, we're here for it.
Great. Appreciate it. Thank you guys so much.