1

I manage IT for a company with 500 to 1,000 workstations. I live in fear every day of being hit by ransomware. I recently read on CrowdStrike (https://www.crowdstrike.com/blog/global-security-attitude-survey-takeaways-2020/) that 56% of companies reported a ransomware attack in the last 12 months.

With mimikatz and Emotet, malware can get on an end-user's workstation and the bad guys can then escalate their credentials all the way up. We have spent considerable effort doing everything we can to lock down the domain. However, with more and more of our company's apps delivered via a website, I have to ask myself: why am I spending all of my time trying to protect myself from users on the domain? Why not just remove the domain from end-users' computers and have separate authentication for each app they need to access?

The benefits of a domain (i.e. central management and one credential set for all apps) are the exact reason it is so vulnerable to malware and ransomware.

I would like a real "outside the box" analysis of this. Is using a Windows domain for end-user computers really worth the risk?

  • 3
    You don't have nearly the budget you'd need to hire all the people you'd need to manage all those computers without a domain, and no sane admin would take the job anyway. – Michael Hampton Nov 30 '20 at 20:58
  • 1
    I work as an IT architect in the IT outsourcing business. I don't know any customers with more than 100 seats without a Windows domain. It's like riding a horse because I could have an accident in a car. – Berndinox Dec 01 '20 at 10:11
  • Your risk is dramatically reduced simply by practicing some credential hygiene, blocking lateral movement between workstations, and implementing the other pass-the-hash mitigations. Backups cannot be stressed enough either. The domain is providing you with centralized administration of all your users, computers, and devices. Take that away and you lose visibility of your network very fast. – twconnell Dec 01 '20 at 16:08

0 Answers