Konke okudingwa umhlaseli yisikhathi nesikhuthazo sokungena kunethiwekhi yakho. Kodwa umsebenzi wethu ukumvimbela ekwenzeni lokhu, noma okungenani ukwenza lo msebenzi ube nzima ngangokunokwenzeka. Udinga ukuqala ngokukhomba ubuthakathaka ku-Active Directory (kamuva ebizwa ngokuthi AD) umhlaseli angabusebenzisa ukuze athole ukufinyelela futhi azulazule kunethiwekhi ngaphandle kokutholwa. Namuhla kulesi sihloko sizobheka izinkomba zengcuphe ezibonisa ubungozi obukhona ekuvikelweni kwe-inthanethi kwenhlangano yakho, sisebenzisa ideshibhodi ye-AD Varonis njengesibonelo.
Abahlaseli basebenzisa ukulungiselelwa okuthile esizindeni
Abahlaseli basebenzisa amasu ahlakaniphile ahlukahlukene kanye nokuba sengozini ukuze bangene kumanethiwekhi ezinkampani futhi bakhulise amalungelo. Obunye balobu bungozi izilungiselelo zokucushwa kwesizinda ezingashintshwa kalula uma sezikhonjiwe.
Ideshibhodi ye-AD izokwazisa ngokushesha uma wena (noma abaphathi besistimu yakho) bengakashintshi iphasiwedi ye-KRBTGT enyangeni edlule, noma uma othile egunyaze nge-akhawunti yomlawuli eyakhelwe ngaphakathi. Lawa ma-akhawunti womabili anikeza ukufinyelela okungenamkhawulo kunethiwekhi yakho: abahlaseli bazozama ukufinyelela kuwo ukuze badlule kalula noma yimiphi imikhawulo kumalungelo nezimvume zokufinyelela. Futhi, ngenxa yalokho, bathola ukufinyelela kunoma iyiphi idatha abayithandayo.
Yebo, ungathola lobu bungozi ngokwakho: isibonelo, setha isikhumbuzi sekhalenda ukuze uhlole noma uqalise iskripthi se-PowerShell ukuze uqoqe lolu lwazi.
Ideshibhodi ye-Varonis iyabuyekezwa ngokuzenzakalelayo ukuze unikeze ukubonakala okusheshayo nokuhlaziywa kwamamethrikhi angukhiye agqamisa ubungozi obungaba khona ukuze uthathe isinyathelo esisheshayo ukuze ubhekane nabo.
Izinkomba Ezingu-3 Zobungozi Zezinga Lesizinda
Ngezansi kunezinombolo zamawijethi ezitholakala kudeshibhodi ye-Varonis, ukusetshenziswa kwayo kuzothuthukisa kakhulu ukuvikelwa kwenethiwekhi yezinkampani kanye nengqalasizinda ye-IT iyonke.
1. Inombolo yezizinda lapho iphasiwedi ye-akhawunti ye-Kerberos ingashintshwanga isikhathi esibalulekile
I-akhawunti ye-KRBTGT yi-akhawunti ekhethekile ku-AD esayina yonke into . Abahlaseli abafinyelela isilawuli sesizinda (DC) bangasebenzisa le akhawunti ukuze bakhe , okuzobanikeza ukufinyelela okungenamkhawulo cishe kunoma yiluphi uhlelo kunethiwekhi yezinkampani. Sihlangabezane nesimo lapho, ngemva kokuthola ngempumelelo Ithikithi Legolide, umhlaseli wakwazi ukufinyelela kunethiwekhi yenhlangano iminyaka emibili. Uma iphasiwedi ye-akhawunti ye-KRBTGT enkampanini yakho ingashintshwanga ezinsukwini ezingamashumi amane ezedlule, iwijethi izokwazisa ngalokhu.
Izinsuku ezingamashumi amane zingaphezu kwesikhathi esanele sokuthi umhlaseli athole ukufinyelela kunethiwekhi. Kodwa-ke, uma uphoqelela futhi umisa inqubo yokushintsha le phasiwedi njalo, kuzokwenza kube nzima kakhulu kumhlaseli ukuthi agqekeze kunethiwekhi yakho yebhizinisi.
Khumbula ukuthi ngokuya ngokuqaliswa kweMicrosoft kwephrothokholi ye-Kerberos, kufanele I-KRBTGT.
Ngokuzayo, lesi sinqunjwana se-AD sizokukhumbuza uma sekuyisikhathi sokushintsha iphasiwedi ye-KRBTGT futhi kuzo zonke izizinda kunethiwekhi yakho.
2. Inombolo yezizinda lapho i-akhawunti yomlawuli eyakhelwe ngaphakathi isanda kusetshenziswa khona
Ngokusho - Abaphathi besistimu banikezwa ama-akhawunti amabili: eyokuqala i-akhawunti yokusetshenziswa kwansuku zonke, kanti eyesibili ingeyomsebenzi wokuphatha ohleliwe. Lokhu kusho ukuthi akekho okufanele asebenzise i-akhawunti yomlawuli ezenzakalelayo.
I-akhawunti yomlawuli eyakhelwe ngaphakathi ivamise ukusetshenziselwa ukwenza lula inqubo yokuphatha uhlelo. Lokhu kungaba umkhuba omubi, okuholela ekugetshengeni. Uma lokhu kwenzeka enhlanganweni yakho, uzoba nobunzima bokuhlukanisa phakathi kokusebenzisa kahle le akhawunti kanye nokufinyelela okunonya.
Uma iwijethi ibonisa noma yini ngaphandle kweziro, kusho ukuthi othile akasebenzi kahle nama-akhawunti okuphatha. Kulesi simo, kufanele uthathe izinyathelo zokulungisa nokukhawulela ukufinyelela ku-akhawunti yomlawuli eyakhelwe ngaphakathi.
Uma usuzuze inani lewijethi enguziro futhi abaphathi besistimu abasayisebenzisi le akhawunti emsebenzini wabo, khona-ke ngokuzayo, noma yiluphi ushintsho kuyo luzobonisa ukuhlaselwa kwe-inthanethi okungaba khona.
3. Inombolo yezizinda ezingenalo iqembu labasebenzisi Abavikelwe
Izinguqulo ezindala ze-AD zisekele uhlobo lokubethela olubuthakathaka - RC4. Abagebengu bagebenge i-RC4 eminyakeni eminingi edlule, futhi manje kuwumsebenzi omncane kakhulu ukuthi umhlaseli agqekeze i-akhawunti esasebenzisa i-RC4. Inguqulo ye-Active Directory eyethulwe ku-Windows Server 2012 yethule uhlobo olusha lweqembu labasebenzisi elibizwa ngokuthi Iqembu Labasebenzisi Abavikelwe. Ihlinzeka ngamathuluzi engeziwe okuvikela futhi ivimbele ukuqinisekiswa komsebenzisi kusetshenziswa ukubethela kwe-RC4.
Lesi sinqunjwana sizobonisa uma ngabe yisiphi isizinda enhlanganweni sishoda ngeqembu elinjalo ukuze ukwazi ukukulungisa, i.e. vumela iqembu labasebenzisi abavikelwe futhi ulisebenzise ukuvikela ingqalasizinda.
Okuqondiwe okulula kwabahlaseli
Ama-akhawunti abasebenzisi ayinombolo yokuqala okuqondiswe kuyo abahlaseli, kusukela emizameni yokuqala yokungena kuya ekukhuphukeni okuqhubekayo kwamalungelo kanye nokufihlwa kwemisebenzi yabo. Abahlaseli bafuna okuqondiwe okulula kunethiwekhi yakho besebenzisa imiyalo eyisisekelo ye-PowerShell okuvame ukuba nzima ukuyibona. Susa okuningi kwalokhu okuhlosiwe okulula ku-AD ngangokunokwenzeka.
Abahlaseli bafuna abasebenzisi abanamagama ayimfihlo angalokothi aphelelwe yisikhathi (noma abangawadingi amagama ayimfihlo), ama-akhawunti obuchwepheshe angabalawuli, nama-akhawunti asebenzisa ukubethela kwefa kwe-RC4.
Noma yimaphi kulawa ma-akhawunti ayinto encane ukufinyelela kuwo noma ngokuvamile awagadiwe. Abahlaseli bangathatha lawa ma-akhawunti futhi bahambe ngokukhululeka ngaphakathi kwengqalasizinda yakho.
Uma abahlaseli sebengene ku-perimeter yezokuphepha, bazothola ukufinyelela okungenani i-akhawunti eyodwa. Ungakwazi yini ukubavimba ekufinyeleleni idatha ebucayi ngaphambi kokuthi kutholwe ukuhlasela futhi kuqukethwe?
Ideshibhodi ye-Varonis AD izokhomba ama-akhawunti abasebenzisi abasengozini ukuze ukwazi ukuxazulula izinkinga ngokuqhubekayo. Uma kuba nzima kakhulu ukungena kunethiwekhi yakho, aba ngcono amathuba akho okunciphisa umhlaseli ngaphambi kokuba adale umonakalo omkhulu.
4 Izinkomba Zobungozi Ezibalulekile Zama-Akhawunti Womsebenzisi
Ngezansi kunezibonelo zamawijethi edeshibhodi ye-Varonis AD agqamisa ama-akhawunti abasebenzisi abasengozini kakhulu.
1. Inombolo yabasebenzisi abasebenzayo abanamagama ayimfihlo angaphelelwa yisikhathi
Ukuze noma yimuphi umhlaseli athole ukufinyelela ku-akhawunti enjalo kuhlale kuyimpumelelo enkulu. Njengoba igama-mfihlo lingaphelelwa yisikhathi, umhlaseli unendawo ehlala njalo ngaphakathi kwenethiwekhi, engasetshenziselwa noma ukunyakaza ngaphakathi kwengqalasizinda.
Abahlaseli banohlu lwezigidi zezinhlanganisela zephasiwedi yomsebenzisi abazisebenzisa ekuhlaselweni kokuqinisekisa, futhi okungenzeka ukuthi
ukuthi inhlanganisela yomsebenzisi enephasiwedi βyaphakadeβ isolunye lwalezi zinhlu, inkulu kakhulu kunoziro.
Ama-akhawunti anamagama ayimfihlo angaphelelwa yisikhathi kulula ukuwaphatha, kodwa awavikelekile. Sebenzisa lesi sinqunjwana ukuze uthole wonke ama-akhawunti anamagama-mfihlo anjalo. Shintsha lesi silungiselelo futhi ubuyekeze iphasiwedi yakho.
Uma inani lalesi sinqunjwana selisethelwe kuqanda, noma imaphi ama-akhawunti amasha adalwe ngaleyo phasiwedi azovela kudeshibhodi.
2. Inombolo yama-akhawunti okuphatha ane-SPN
I-SPN (Igama Eliyinhloko Lesevisi) yisihlonzi esiyingqayizivele sesenzakalo sesevisi. Le wijethi ibonisa ukuthi mangaki ama-akhawunti esevisi anamalungelo omlawuli agcwele. Inani kuwijethi kufanele libe nguziro. I-SPN enamalungelo okuphatha yenzeka ngenxa yokuthi ukunikeza amalungelo anjalo kulungele abathengisi besofthiwe nabaphathi bezinhlelo zokusebenza, kodwa kubeka engcupheni yokuvikeleka.
Ukunikeza i-akhawunti yesevisi amalungelo okulawula kuvumela umhlaseli ukuthi athole ukufinyelela okugcwele ku-akhawunti engasetshenziswa. Lokhu kusho ukuthi abahlaseli abanokufinyelela kuma-akhawunti e-SPN bangasebenza ngokukhululeka ngaphakathi kwengqalasizinda ngaphandle kokuthi imisebenzi yabo igadwe.
Ungakwazi ukuxazulula le nkinga ngokushintsha izimvume kuma-akhawunti wesevisi. Ama-akhawunti anjalo kufanele abe ngaphansi komthetho welungelo elincane futhi abe nokufinyelela okudingekayo kuphela ekusebenzeni kwawo.
Ngokusebenzisa lesi sinqunjwana, ungathola wonke ama-SPN anamalungelo okuphatha, ususe amalungelo anjalo, bese wengamela ama-SPN usebenzisa isimiso esifanayo sokufinyelela okungenalungelo elingcono kakhulu.
I-SPN esanda kuvela izovezwa kudeshibhodi, futhi uzokwazi ukuqapha le nqubo.
3. Inombolo yabasebenzisi abangakudingi ukuqinisekiswa kwangaphambili kwe-Kerberos
Ngokufanelekile, i-Kerberos ibethela ithikithi lokuqinisekisa isebenzisa ukubethela kwe-AES-256, okuhlala kungenakunqanyulwa kuze kube namuhla.
Kodwa-ke, izinguqulo ezindala ze-Kerberos zasebenzisa ukubethela kwe-RC4, manje okungaphulwa ngemizuzu. Le wijethi ibonisa ukuthi imaphi ama-akhawunti omsebenzisi asasebenzisa i-RC4. I-Microsoft isasekela i-RC4 ukuze ihambisane nemuva, kodwa lokho akusho ukuthi kufanele uyisebenzise ku-AD yakho.
Uma usuwahlonze ama-akhawunti anjalo, udinga ukususa ukumaka ibhokisi elithi "akudingi ukugunyazwa kwangaphambili kwe-Kerberos" ku-AD ukuze uphoqe ama-akhawunti ukuthi asebenzise ukubethela okuyinkimbinkimbi.
Ukuthola lawa ma-akhawunti ngokwakho, ngaphandle kwedeshibhodi ye-Varonis AD, kuthatha isikhathi esiningi. Eqinisweni, ukwazi wonke ama-akhawunti ahlelelwe ukusebenzisa ukubethela kwe-RC4 kuwumsebenzi onzima nakakhulu.
Uma inani lewijethi lishintsha, lokhu kungase kubonise umsebenzi ongekho emthethweni.
4. Inani labasebenzisi abangenalo iphasiwedi
Abahlaseli basebenzisa imiyalo eyisisekelo ye-PowerShell ukuze bafunde ifulegi elithi βPASSWD_NOTREQDβ elivela ku-AD ezicini ze-akhawunti. Ukusetshenziswa kwaleli fulegi kubonisa ukuthi azikho izidingo zephasiwedi noma izimfuneko eziyinkimbinkimbi.
Kulula kangakanani ukweba i-akhawunti ngephasiwedi elula noma engenalutho? Manje ake ucabange ukuthi enye yalawa ma-akhawunti ingumlawuli.
Kuthiwani uma elinye kwezinkulungwane zamafayela ayimfihlo avulekele wonke umuntu kuwumbiko wezezimali ozayo?
Ukuziba imfuneko yephasiwedi eyisibopho esinye isinqamuleli sokuphatha isistimu esasivame ukusetshenziswa esikhathini esidlule, kodwa akwamukeleki futhi akwamukelekile namuhla.
Lungisa le nkinga ngokubuyekeza amagama-mfihlo walawa ma-akhawunti.
Ukwengamela lesi sinqunjwana ngokuzayo kuzokusiza ugweme ama-akhawunti angenayo iphasiwedi.
UVaronis usiza ukubungaza
Esikhathini esidlule, umsebenzi wokuqoqa nokuhlaziya amamethrikhi achazwe kulesi sihloko uthathe amahora amaningi futhi udinga ulwazi olujulile lwe-PowerShell, edinga ukuthi amaqembu onogada abele izinsiza emisebenzini enjalo masonto onke noma inyanga. Kodwa ukuqoqwa nokucutshungulwa kwalolu lwazi kunikeza abahlaseli isiqalo sokuqala sokungena futhi bantshontshe idatha.
Π‘ Uzochitha usuku olulodwa ukuze usebenzise ideshibhodi ye-AD nezinye izingxenye ezengeziwe, uqoqe bonke ubungozi okuxoxwe ngakho nokunye okuningi. Ngokuzayo, ngesikhathi sokusebenza, iphaneli yokuqapha izobuyekezwa ngokuzenzakalelayo njengoba isimo sengqalasizinda sishintsha.
Ukuhlasela ku-inthanethi kuhlala kuwumjaho phakathi kwabahlaseli nabavikeli, isifiso somhlaseli sokweba idatha ngaphambi kokuba ochwepheshe bezokuphepha bavimbe ukufinyelela kuyo. Ukutholwa kusenesikhathi kwabahlaseli nemisebenzi yabo engekho emthethweni, kuhlanganiswe nokuvikela okuqinile ku-inthanethi, kuyisihluthulelo sokugcina idatha yakho iphephile.
Source: www.habr.com