Active Directory, LDAP and SSO weakens security | Altaware, Inc. Cyber Security Blog


We've got to stop arming our enemies: the various central authentication systems make it much easier to defeat cyber security. Throw in a few clouds and cyber crime never looked so sunny.

Have you suffered through an audit or a reputable penetration test and fallen victim to "weak" or crackable passwords? There are so many ways to get valid passwords, and after all it just takes one. Whether it's password cracking, brute force attempts, phishing, leaked passwords from other sites, shoulder surfing, phone-based recordings of someone entering them, keyloggers, or weak or stupid passwords, the result is the same: the thief gets a password.

The problem is that we use this same password throughout the entire organization, and thanks to LDAP synchronization, MS AD synchronization or SSO (Single Sign-On) with offsite clouds, the thief can go anywhere. You thought your cloud provider was safe, but they cracked/stole/borrowed your local password, and now your Office 365 or other email and cloud storage has been breached by someone who was never even onsite!

What's strange is that we don't do this in real life. We have car keys, house keys, maybe work keys, safe/vault combinations or keys, ATM cards and PIN codes, and the list goes on. We would be stupid to use the same password for various levels of progressively more sensitive areas, so why do we do that in the corporate world?

Here's an idea: don't! If you have especially sensitive files or systems, consider using different logins/passwords that are not in the central AD. Sure, there are stale-password issues, ex-employees, etc. However, put remote access behind the central corporate logins and, of course, some kind of multi-factor authentication. That makes sure that as employees change passwords, leave or are let go (including contractors), they can no longer access internal resources except by first coming through the remote access gateway with fresher passwords and, hopefully, multi-factor authentication.

Use separate file servers for more sensitive documents, limit access and use unique logins. The idea is to make things more complex and harder for criminals, forcing them to need more credentials than just ONE to get everywhere.
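To make the argument concrete, here is an added illustration (my own, not the blog's or any vendor's code) that models a constructed inventory of systems and the sync/SSO links between credential realms, then asks how far one stolen password reaches before and after the segmentation described above. Every realm, system and link name is made up for the example.

```python
"""Credential blast-radius model: how far does one stolen password go?

Constructed inventory: each system accepts the password of one credential
realm, and realms are joined by trust edges (LDAP/AD sync, SSO federation).
Each edge records whether a password alone crosses it or MFA is also needed.
"""
from collections import deque

# Constructed sample: realm -> systems that accept that realm's password.
SYSTEMS = {
    "corp-ad": ["workstations", "intranet-wiki", "general-fileserver"],
    "office365": ["exchange-online", "onedrive"],
    "secure-files": ["hr-fileserver", "finance-fileserver"],
}

def reachable(edges, start, mfa_available=False):
    """Return the sorted systems reachable with the password of realm `start`.

    edges: list of (src_realm, dst_realm, needs_mfa). An edge with
    needs_mfa=True is only crossable when the thief also holds the second
    factor; otherwise the stolen password alone is enough.
    """
    seen, queue = {start}, deque([start])
    while queue:                                  # breadth-first walk of trusts
        realm = queue.popleft()
        for src, dst, needs_mfa in edges:
            if src == realm and dst not in seen and (mfa_available or not needs_mfa):
                seen.add(dst)
                queue.append(dst)
    return sorted(s for r in seen for s in SYSTEMS.get(r, []))

# "Before": everything synced or federated to AD with no MFA, so one
# corporate password reaches every system in the inventory.
FLAT_EDGES = [
    ("corp-ad", "office365", False),      # SSO federation, password only
    ("corp-ad", "secure-files", False),   # LDAP sync of the same password
]

# "After": sensitive servers keep their own non-AD logins (no sync edge at
# all), and the cloud SSO path from the corporate password now demands MFA.
SEGMENTED_EDGES = [
    ("corp-ad", "office365", True),       # SSO, now behind MFA
]

if __name__ == "__main__":
    print("flat:", reachable(FLAT_EDGES, "corp-ad"))
    print("segmented, password only:", reachable(SEGMENTED_EDGES, "corp-ad"))
    print("segmented, password + MFA:", reachable(SEGMENTED_EDGES, "corp-ad", True))
```

Even with the second factor in hand, the segmented layout leaves the sensitive file servers out of reach, because nothing ties their credentials to the corporate one.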