Comments
Poor Visibility, Weak Passwords Compromise Active Directory
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/3/2018 | 3:08:56 PM
AD's inherent limitations
Active Directory is powerful; and something like it is necessary with enterprise networks.  However, I think Microsoft locked themselves into the wrong data topology (and the wrong mindset).  AD was (and I assume still is), hierarchical, rather than relational. 

While performance advantages are important, you lose the built-in safeguards of a Relational Model compliant schema. 

Perhaps more importantly is that application domain modeling methodologies used to generate RM schemas, provide better correspondence between the facts (objects and relationships - business rules), in the domain and the data structure.  The result is that the models are more comprehensible, in the terms used within those domains.  Because the business rules are integrated into the transactional processes of a RDBMS (rather than applied and processed externally), rule changes are reflected in an updated schema, and enforced by mechanisms of the transactions. 

Security and data integrity are inherently better with a transaction based system.  When domain specific (your enterprise network assets and rules, in this case), RM compliant schemas are generated by means of a fact-based methodology, the conceptual level model is created using the terms and rules actually used by your domain-experts/knowledge-workers -- rather than imposing someone's idea of how things should work, or shoehorning the specifics of your enterprise to fit a template.

Object Role Modeling (a fact-based methodology), results in a perspective of roles and rules, rather than types and labels.  This leads to thinking in terms of workflows and individuals, rather than job titles and groups, when it comes to permissions and restrictions.  Consider how that would impact network security concerns. 

I don't know if a solely RDBMS solution could meet the speed and scale performance levels of AD; probably not.  Still, a hybrid system could offer the benefits of each; and result in a better overall solution to enterprise network/asset management, efficiency and security.   


Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.