
I'm not much used to running Windows Servers and need ground to either defend or withdraw from this idea and have found nothing on Google. The company I work for recently suffered a ransomware attack. Suffice to say they gained access to all our servers by compromising the AD domain controllers and that since the attack took place on a Sunday, no workstations were affected.

Not related to the attack itself, but during the recovery tasks I began wondering why would we need to connect the Windows Servers to the company's AD domain. Linux servers, by comparison, do not join the domain and were not compromised during this incident. We already have a PAM solution in place that controls usage of some of those accounts (yes, they managed to circumvent it too).

If anyone has/had a similar experience in leaving Windows Servers out of a domain and managing them only through a PAM solution or have better experience than I in managing Windows Servers and can share experience, I'd like to ask if there are and which are any drawbacks in this setup?

  • [how do I deal with hacked servers](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) can be a good starting point for you. However, even servers that are not joined to a domain can be compromised, or should be handled like everything is like so – djdomi Aug 05 '22 at 21:49
  • This is a question asking for “opinions” and is off topic. With that said, any systems admin with even a small amount of knowledge about Windows Active Directory and Windows domains, and all the benefits and dependencies of it, would never suggest removing a server from AD as a solution to “improve” security. You’re not finding discussion about it because it’s simply not a feasible option in nearly all scenarios. These breaches happen because of lack of experience and investment of resources into implementing best practices around managing a Windows enterprise network. Not because of AD. – Appleoddity Aug 06 '22 at 14:01
  • The only scenario where windows servers are left out of AD are typically special purpose servers in complex networks where they sit in a DMZ. And the decision to do so is done with a clear design and understanding of the overall system. – Appleoddity Aug 06 '22 at 14:03
  • Thanks for all the feedback. Just so you know a bit more, I’m an experienced developer turned information security specialist, not much by choice. Although I have little to no knowledge on AD and domains and server admin at all, I’m trying to understand it and the attack and contribute at least with ideas (even if they may seem dull at first). However, there was no fault in server config, they managed to exploit RDP with a golden ticket to gain access to sysadmin accounts. – Leonardo Pessoa Aug 06 '22 at 22:45
  • There is a faulty server config or substandard practice somewhere. One doesn't just magically get a golden ticket. There are means of protecting against such an attack. https://frsecure.com/blog/golden-ticket-attack/ has some pretty good starter information. – Semicolon Aug 08 '22 at 16:30
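The comments above mention that the attackers used a golden ticket (a forged Kerberos TGT) over RDP. One defender-side check a practitioner would want is a hunt over domain controller Security logs for service-ticket requests (event 4769) that have no matching TGT issuance (event 4768) within the ticket lifetime, or whose domain field is in an unexpected form. The example below is added here and is not from the original post; the log lines are constructed, and the NetBIOS domain name `CORP` and the 10-hour TGT lifetime are assumptions.

```python
from collections import defaultdict

# Constructed sample of Windows Security log lines (not from the original post),
# reduced to the fields used here: event id, time (HH:MM), account, domain,
# and for 4769 the requested service. 4768 = TGT issued, 4769 = service ticket.
SAMPLE_EVENTS = """
4768 08:02 alice CORP
4769 08:03 alice CORP cifs/fileserver
4769 08:05 alice CORP termsrv/app01
4769 09:10 admin CORP.LOCAL termsrv/dc01
4769 09:12 admin CORP termsrv/fs02
""".strip().splitlines()

EXPECTED_DOMAIN = "CORP"   # assumed NetBIOS domain name as the DC logs it
TGT_LIFETIME_MIN = 600     # assumed maximum TGT lifetime (10 hours)


def parse(line):
    """Split one constructed log line into a dict of the fields used below."""
    eid, hhmm, account, domain, *rest = line.split()
    hour, minute = hhmm.split(":")
    return {"id": int(eid), "t": int(hour) * 60 + int(minute),
            "account": account, "domain": domain,
            "service": rest[0] if rest else None}


def find_suspicious(lines):
    """Return (account, reason) pairs for 4769 events that either have no
    4768 on record within the TGT lifetime, or carry an unexpected domain.
    Caveat: 4768 is logged only on the DC that issued the TGT, so this check
    is meaningful only over logs collected from every DC in the domain."""
    events = [parse(line) for line in lines]
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[e["account"].lower()].append(e["t"])
    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        acct = e["account"].lower()
        if not any(0 <= e["t"] - t <= TGT_LIFETIME_MIN for t in tgt_times[acct]):
            findings.append((acct, "4769 without prior 4768 (forged TGT?)"))
        if e["domain"] != EXPECTED_DOMAIN:
            findings.append((acct, f"unexpected domain format {e['domain']!r}"))
    return findings
```

On the constructed sample, `alice` is clean while both `admin` requests are flagged, the first one twice (no TGT issuance and a domain written as `CORP.LOCAL`).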

0 Answers