29 October 2020
On October 13th I moderated the anapur Virtual Dialog “Network Monitoring and Anomaly Detection”. During the breaks, some participants from industry raised a really concerning issue: the IT, IT-security and GRC groups in their companies are urging them to integrate their so far isolated production Active Directories into the corporate directory.
I have been involved in these discussions for 10 years, and my answer has never changed:
Don’t do it!
This integration is dangerous. Active Directory simplifies lateral movement once an attacker has established a foothold in your network, and it simplifies the distribution of malware through login scripts. Remember the Norsk Hydro attack of March 2019: divisions with a high degree of vertical integration were hit harder by LockerGoga than the alumina production.
In their paper “Seven Strategies to Defend ICSs” from December 2016, DHS ICS-CERT, the FBI and the NSA give a very clear Active Directory strategy:
Never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks.
For details see chapter 5, “Manage Authentication”.
I hope this helps in discussions with IT, IT-security and GRC.
In his poem Ulysses, Alfred Tennyson sums it up:
Tho’ much is taken, much abides;
and though we are not now that strength
which in old days moved earth and heaven;
that which we are, we are;
one equal temper of heroic hearts,
made weak by time and fate,
but strong in will to strive, to seek, to find.
And not to yield.
The bigger problem is not integrating AD in my humble opinion. It’s the bad practices that allow for the lateral movement to begin with. Customers aren’t using dedicated administrative machines but are instead mixing accounts across tiers. That’s the real vulnerability. Remaining isolated won’t necessarily fix it as these same people are likely using the same passwords on their production accounts and their isolated accounts. That means the hash is the same and they are still vulnerable to PtH and other credential theft techniques. There’s certainly a time and place to airgap a network, I won’t argue that, but I think the bigger risk is to continue mixing those creds.
Nathan, thanks for commenting.
I fully agree with regard to pass-the-hash. But an attacker has no chance to pass the hash, because in the best case there is no Microsoft-protocol-based connection between the production and the corporate network.
If I’m forced to use the corporate AD in my production environment, I have to drill a large hole in my firewall to allow all Windows systems in the production network access to all domain controllers in the corporate network.
In the case that I need a domain controller in my production network, I must allow bi-directional access across the firewalls between the DCs. Crypto worms that spread over the SMB protocol will use these DC-to-DC connections to jump from the corporate network to the production network.
With this, all my network separation work is just ruined.
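The firewall exposure described in the reply above, as an added example that is not part of the original post or its comments: a small Python audit that walks a firewall ruleset and flags every allow rule opening the ports a domain member needs on a domain controller (Kerberos, LDAP, SMB, RPC endpoint mapper, the dynamic RPC range, ...) between the production and the corporate zone, in either direction. The zone CIDRs, the rule format, the rule names and the sample ruleset are constructed assumptions for illustration; the AD port list follows Microsoft's documented Active Directory port requirements.

```python
"""Audit a firewall ruleset for AD "holes" between a production and a corporate zone.

Added example, not code from the original post or its comments. The zone
CIDRs, the rule format and the sample rules below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed zones: one production (OT) network and one corporate (IT) network.
ZONES = {
    "production": ip_network("10.10.0.0/16"),
    "corporate": ip_network("10.0.0.0/16"),
}

# Ports a domain member (or another DC) must reach on a domain controller,
# per Microsoft's Active Directory port requirements. Most are used over
# both TCP and UDP, so the check below ignores the protocol.
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB", 464: "Kerberos kpasswd", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog over TLS",
}
# Dynamic RPC range (Windows Server 2008 and later); needed for DC replication.
RPC_DYNAMIC = (49152, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    port_lo: int  # destination port range, inclusive
    port_hi: int


def zones_of(cidr):
    """Names of every zone the CIDR overlaps (an 'any' rule overlaps all)."""
    net = ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def ad_ports_in(lo, hi):
    """AD services whose port lies within the destination port range [lo, hi]."""
    hits = [f"{port}/{name}" for port, name in AD_PORTS.items() if lo <= port <= hi]
    if lo <= RPC_DYNAMIC[1] and hi >= RPC_DYNAMIC[0]:
        hits.append("dynamic RPC range")
    return hits


def audit(rules):
    """Return (rule name, description) for every allow rule that opens AD/SMB
    services across the production/corporate boundary, in either direction."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        hits = ad_ports_in(rule.port_lo, rule.port_hi)
        if not hits:
            continue
        src, dst = zones_of(rule.src), zones_of(rule.dst)
        services = ", ".join(hits)
        if "production" in src and "corporate" in dst:
            findings.append((rule.name,
                             f"production hosts can reach corporate DC services: {services}"))
        if "corporate" in src and "production" in dst:
            findings.append((rule.name,
                             f"corporate hosts can reach AD/SMB services in production "
                             f"(DC-to-DC or SMB worm path): {services}"))
    return findings


# Constructed sample ruleset: the first four rules are the "hole" the reply
# describes; the historian rule and the default deny should pass.
SAMPLE_RULES = [
    Rule("ot-to-dc-smb", "allow", "10.10.0.0/16", "10.0.1.10/32", "tcp", 445, 445),
    Rule("ot-to-dc-kerberos", "allow", "10.10.0.0/16", "10.0.1.0/24", "any", 88, 88),
    Rule("ot-to-dc-rpc", "allow", "10.10.0.0/16", "10.0.1.0/24", "tcp", 49152, 65535),
    Rule("dc-replication", "allow", "10.0.1.0/24", "10.10.1.5/32", "tcp", 1, 65535),
    Rule("ot-to-historian", "allow", "10.10.0.0/16", "10.0.5.20/32", "tcp", 443, 443),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", 1, 65535),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES):
        print(f"{name}: {why}")
```

Run against the sample ruleset, the audit reports the three member-to-DC rules and the DC-to-DC replication rule and stays silent on the HTTPS rule to the historian. On a real ruleset the same check is the quickest way to show IT and GRC in concrete terms how many ports a "simple" AD integration actually opens across the segmentation boundary.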