7 Key Risk Indicators Used in the Varonis Dashboard

All an attacker needs is time and motivation to break into your network. Our job is to prevent that, or at least to make it as difficult as possible. Start by identifying the weaknesses in Active Directory (hereafter AD) that an attacker can use to gain access and move around the network undetected. In this article we look at the risk indicators that reveal existing weaknesses in your organization's cyber defenses, using the Varonis AD dashboard as an example.

Attackers exploit certain domain configurations

Attackers use a variety of techniques and vulnerabilities to get into a corporate network and escalate privileges. Some of these weaknesses are domain configuration settings that are easy to change once they have been identified.

The AD dashboard alerts you immediately if you (or your system administrators) have not changed the KRBTGT password in the past month, or if someone has authenticated with the default built-in Administrator account. These two accounts provide unlimited access to your network: attackers will try to gain access to them so they can easily bypass any restrictions on privileges and access permissions and, as a result, reach any data that interests them.

Of course, you can find these weaknesses yourself: for example, set a calendar reminder to check, or run a PowerShell script to collect this information.

The Varonis dashboard updates automatically, giving you a quick view and analysis of the key metrics that highlight potential weaknesses so that you can act quickly to fix them.

3 Key Domain-Level Risk Indicators

Below are several of the widgets available on the Varonis dashboard; using them will significantly improve the protection of the corporate network and of the IT infrastructure as a whole.

1. Number of domains where the Kerberos account password has not been changed for a significant time

The KRBTGT account is a special AD account that signs all Kerberos tickets. Attackers who gain access to a domain controller (DC) can use this account to create a Golden Ticket, which gives them unlimited access to almost any system on the corporate network. We came across a case where, after successfully obtaining a Golden Ticket, an attacker had access to the organization's network for two years. If the KRBTGT account password in your company has not been changed in the last forty days, the widget will notify you.

Forty days is more than enough time for an attacker to gain access to the network. However, if you enforce and standardize a process for changing this password regularly, it becomes much harder for an attacker to break into your corporate network.

Remember that, because of Microsoft's implementation of the Kerberos protocol, you must change the KRBTGT password twice.

From then on, this AD widget will remind you when it is time to change the KRBTGT password again for every domain on your network.

2. Number of domains where the built-in Administrator account was recently used

According to the principle of least privilege, system administrators are given two accounts: the first for everyday use, and the second for planned administrative work. This means that nobody should be using the default administrator account.

The built-in administrator account is often used to simplify system administration. This can become a bad habit that leads to a breach. If this happens in your organization, you will have difficulty telling legitimate use of this account apart from malicious access.

If the widget shows anything other than zero, someone is not working with administrative accounts correctly. In that case, take steps to correct this and restrict access to the built-in administrator account.
Once the widget value is zero and system administrators no longer use this account for their work, any future change in it will indicate a cyberattack.

3. Number of domains that do not have a Protected Users group

Older versions of AD supported a weak encryption type, RC4. Hackers broke RC4 many years ago, and today it is a trivial task for an attacker to compromise an account that still uses RC4. The version of Active Directory introduced in Windows Server 2012 brought a new type of user group called the Protected Users group. It provides additional security tools and prevents users from authenticating with RC4 encryption.

This widget shows whether any domain in the organization is missing such a group so that you can fix it, that is, create the Protected Users group and use it to protect the infrastructure.
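The three domain-level checks described above can also be collected by hand with the ActiveDirectory PowerShell module. The script below is an added example, not Varonis code; the 30-day window for "recently used" is an assumption, and the 40-day KRBTGT threshold is the one quoted in the article.

```powershell
# Added example: domain-level checks for every domain in the current forest.
# Needs the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$maxKrbtgtAgeDays = 40   # threshold quoted in the article
$recentUseDays    = 30   # assumption: what "recently used" means here

foreach ($domainName in (Get-ADForest).Domains) {
    $domainSid = (Get-ADDomain -Server $domainName).DomainSID.Value

    # 1. Age of the KRBTGT password
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Server $domainName -Properties PasswordLastSet
    $krbtgtAgeDays = [math]::Floor(((Get-Date) - $krbtgt.PasswordLastSet).TotalDays)

    # 2. Built-in Administrator: RID 500 even if the account was renamed.
    #    LastLogonDate is derived from lastLogonTimestamp, which can lag by
    #    up to about two weeks, so treat it as a coarse signal.
    $admin = Get-ADUser -Identity "$domainSid-500" -Server $domainName -Properties LastLogonDate
    $adminRecentlyUsed = ($null -ne $admin.LastLogonDate) -and
        ($admin.LastLogonDate -gt (Get-Date).AddDays(-$recentUseDays))

    # 3. Protected Users group: well-known RID 525
    $protectedMembers = $null
    try {
        $group = Get-ADGroup -Identity "$domainSid-525" -Server $domainName -ErrorAction Stop
        $protectedMembers = @(Get-ADGroupMember -Identity $group -Server $domainName).Count
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The group does not exist in this domain; $protectedMembers stays $null.
    }

    [pscustomobject]@{
        Domain                = $domainName
        KrbtgtPasswordAgeDays = $krbtgtAgeDays
        KrbtgtOverdue         = $krbtgtAgeDays -gt $maxKrbtgtAgeDays
        AdminLastLogon        = $admin.LastLogonDate
        AdminRecentlyUsed     = $adminRecentlyUsed
        ProtectedUsersExists  = $null -ne $protectedMembers
        ProtectedUsersMembers = $protectedMembers
    }
}
```

A Protected Users group that exists but has zero members protects nothing, which is why the member count is reported alongside the existence check.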

Easy targets for attackers

User accounts are the number one target for attackers, from the initial intrusion attempts through privilege escalation and concealing their activity. Attackers look for easy targets on your network using basic PowerShell commands that are often hard to detect. Remove as many of these easy targets from AD as possible.

Attackers look for users with passwords that never expire (or that do not require a password), technical accounts that are administrators, and accounts that use legacy RC4 encryption.

Any of these accounts is either trivial to access or generally not monitored. Attackers can take over these accounts and move freely inside your infrastructure.

Once attackers get inside the security perimeter, they can gain access to at least one account. Can you stop them from reaching sensitive data before the attack is detected and contained?

The Varonis AD dashboard points out vulnerable user accounts so that you can fix problems quickly. The harder it is to get into your network, the better your chances of neutralizing an attacker before they do serious damage.

4 Key Risk Indicators for User Accounts

Below are examples of Varonis AD dashboard widgets that highlight the most vulnerable user accounts.

1. Number of enabled users with passwords that never expire

For any attacker, gaining access to such an account is always a big win. Because the password never expires, the attacker has a permanent foothold inside the network, which can be used for privilege escalation or for movement within the infrastructure.
Attackers have lists of millions of username-password combinations that they use in credential stuffing attacks, and the probability that the combination for a user with a "forever" password is on one of those lists is greater than zero.

Accounts with non-expiring passwords are easy to manage, but they are not secure. Use this widget to find all accounts with such passwords. Change this setting and update the password.

Once the value of this widget is zero, any new accounts created with such a password will appear on the dashboard.

2. Number of administrative accounts with an SPN

An SPN (Service Principal Name) is a unique identifier of a service instance. This widget shows how many service accounts have full administrator rights. The value on the widget should be zero. SPNs with administrative rights occur because granting such rights is convenient for software vendors and application administrators, but it poses a security risk.

Granting a service account administrative rights lets an attacker gain full access to an account that is not in use. This means that attackers with access to SPN accounts can operate freely inside the infrastructure without their activity being monitored.

You can solve this problem by changing the permissions on service accounts. Such accounts should follow the principle of least privilege and have only the access they need to function.

Using this widget, you can detect all SPNs that have administrative rights, remove those rights, and then monitor SPNs using the same principle of least-privileged access.

A newly appearing SPN will be shown on the dashboard, and you will be able to monitor this process.

3. Number of users that do not require Kerberos pre-authentication

Ideally, Kerberos encrypts the authentication ticket using AES-256 encryption, which remains unbroken to this day.

However, older versions of Kerberos use RC4 encryption, which can now be broken in minutes. This widget shows which user accounts still use RC4. Microsoft still supports RC4 for backward compatibility, but that does not mean you should use it in your AD.

Once you have identified such accounts, uncheck "Do not require Kerberos preauthentication" in AD to force the accounts to use stronger encryption.

Finding these accounts yourself, without the Varonis AD dashboard, takes a lot of time. In fact, keeping track of all the accounts that have been edited to use RC4 encryption is an even harder task.

If the value on the widget changes, this may indicate illicit activity.

4. Number of users with no password

Attackers use basic PowerShell commands to read the "PASSWD_NOTREQD" flag from account properties in AD. This flag indicates that there are no password requirements or complexity requirements.
How easy is it to steal an account with a simple or blank password? Now imagine that one of those accounts is an administrator.

What if one of the thousands of confidential files open to everyone is the upcoming financial report?

Ignoring the mandatory password requirement is another administrative shortcut that was often used in the past, but it is neither acceptable nor secure today.

Fix this issue by updating the passwords for these accounts.

Monitoring this widget in the future will help you avoid accounts without a password.
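For teams auditing by hand, the four user-level counts above map onto userAccountControl bits and two attributes that can be queried with LDAP filters. The script below is an added example, not Varonis code; using adminCount=1 as the marker for "administrative" accounts is an assumption (the attribute can be stale), and krbtgt is excluded from the SPN check because it always carries an SPN.

```powershell
# Added example: per-domain counts for the four user-level indicators.
# Needs the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

$person = '(objectCategory=person)(objectClass=user)'
$bit    = 'userAccountControl:1.2.840.113556.1.4.803:='   # LDAP bitwise-AND rule

# userAccountControl bits used below:
#   2       ACCOUNTDISABLE
#   32      PASSWD_NOTREQD
#   65536   DONT_EXPIRE_PASSWORD
#   4194304 DONT_REQ_PREAUTH
$checks = [ordered]@{
    EnabledPasswordNeverExpires = "(&$person(${bit}65536)(!(${bit}2)))"
    AdminAccountsWithSpn        = "(&$person(adminCount=1)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"
    NoKerberosPreAuth           = "(&$person(${bit}4194304))"
    PasswordNotRequired         = "(&$person(${bit}32))"
}

foreach ($domainName in (Get-ADForest).Domains) {
    $row = [ordered]@{ Domain = $domainName }
    foreach ($name in $checks.Keys) {
        # @() forces an array so .Count is correct for zero or one result
        $hits = @(Get-ADUser -LDAPFilter $checks[$name] -Server $domainName)
        $row[$name] = $hits.Count
    }
    [pscustomobject]$row
}
```

Every column should trend to zero; to see which accounts are behind a non-zero count, run the same `Get-ADUser -LDAPFilter` call for that check and list `SamAccountName`.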

Varonis evens the odds

In the past, collecting and analyzing the metrics described in this article took many hours and required deep PowerShell knowledge, so security teams had to allocate resources to such tasks every week or month. But collecting and processing this information by hand gives attackers a head start in getting in and stealing data.

With Varonis, you will spend one day deploying the AD dashboard and additional components, collecting all the weaknesses discussed and many more. From then on, during operation, the monitoring panel updates automatically as the state of the infrastructure changes.

Carrying out cyberattacks is always a race between attackers and defenders: the attacker wants to steal data before security specialists can block access to it. Early detection of attackers and their illicit activity, together with strong cyber defenses, is the key to keeping your data safe.

Source: www.habr.com
