By Lindsey White
Paige Skaufel, sophomore history major, fixes her hair in the mirror and puts on her favorite outfit. Her phone dings with a text from her date letting […]
Three years later, father of Parkland shooting victim calls for meaningful school safety reform | #schoolshooting | #parenting | #parenting | #kids
This Valentine’s Day marks three years since my son Alex, age 14, was one of the 17 innocent victims that was senselessly murdered during the Parkland school massacre. In the […]
#parent | #kids | I’m a New Dad Scared About Pandemic-Era Day Care Safety. There’s Only One Expert I Wanted to Call. – Mother Jones | #parenting | #parenting | #kids
Rob Dobi
The coronavirus is a rapidly developing news story, so some of the content in this article might be out of date. Check out our most recent coverage of […]
#collegesafety | Vancouver Fire Department delivers friendly wake-up knock for fire safety | #parenting | #parenting | #kids
Opening your front door and chatting with strangers is not what most people are eager to do on a Saturday morning during a global pandemic. That didn’t stop four firefighters […]
#schoolsafety | As colleges reopen, Congress remains deadlocked on liability limits, safety measures | #parenting | #parenting | #kids
One education expert proposes contractual agreements over federal intervention
Even though some students are already back on campus, Congress remains deadlocked on the federal policies needed to ensure schools, including […]
Source: National Cyber Security – Produced By Gregory Evans Searching Google for “coronavirus” will now send users to a curated search results page with resources from the World Health Organization, safety tips, and news updates, Google and the WHO announced today. This effort, which is just one of Google’s SOS Alerts, is now live. Google […]
#nationalcybersecuritymonth | Griffiss Institute marks commitment to Data Privacy Day, shares safety advice
Griffiss Institute is marking its commitment to Data Privacy Day by signing on as a 2020 “Champion” for the observance, an international effort held annually Jan. 28 to create awareness about the importance of respecting privacy and safeguarding data. As a “Champion,” Griffiss Institute recognizes and supports […]
A colleague here at Semperis recently looped me into a conversation with the manager of a large Active Directory environment running on Windows Server 2008 R2. With end of support for Windows Server 2008 and 2008 R2 coming up soon (officially January 14, 2020), planning is well underway for the upgrade of the company’s forest and 110 domain controllers to Windows Server 2016 (the end state selected by this particular company). But one component of the upgrade plan is proving to be difficult, and I’ll explain why.
Hope for the best, plan for the worst
In this organization, any significant change to IT infrastructure requires an approved project plan that includes remediation measures in the event something goes wrong. In the case of an upgrade, that means a way to “go back” if the upgrade fails for some reason or proves to be problematic (for example, breaks a mission-critical application). While “going back” is fairly straightforward with many upgrades, it’s not the case with AD.
That’s because an AD upgrade is more than upgrading (or rebuilding) individual DCs: you’re also making changes to each domain and to the entire forest, and at least one of those changes is irreversible. Imagine that the mission-critical application that doesn’t work with the new (and more secure) AD functionality is a handwritten dinosaur app whose developers all retired long ago. In this situation, you may be looking at having to restore AD from backup and running on the older version until the application can be updated or replaced.
Better… but there’s still a gotcha
Historically, upgrading AD required three irreversible changes:
1. Schema: A schema upgrade is required before upgrading the first DC in the forest (or introducing the first up-level DC). Schema changes have always been – and still are – irreversible.
2. Domain functional level (DFL): Once all the DCs in a domain have been upgraded (or demoted out of the environment), the next step in the AD upgrade process is raising the DFL. (An exception is upgrading from 2016 to 2019: there’s no functional level for 2019, so there’s no need – or even possibility – to raise the DFL.)
Historically, raising the DFL was an irreversible change. However, starting with Windows Server 2012, it’s possible to roll back the DFL. There are some caveats, as outlined in Microsoft’s Windows Server 2012 and Windows Server 2016 upgrade guides. But for most organizations upgrading AD from 2008 or 2008 R2, rollback is possible.
3. Forest functional level (FFL): Once all the domains in the forest have been upgraded, the next step in the AD upgrade process is raising the FFL. (Again, there’s an exception if you’re upgrading from 2016 to 2019.)
As with DFL, raising the FFL was historically an irreversible change, but rollback is now possible. (Note: Rollback to 2008 FFL is possible only if the AD Recycle Bin has not been enabled.)
While two of the three “point of no return” steps may now be reversible, upgrading AD still requires an irreversible schema upgrade. It’s that moment when you pause before pressing the key to continue. And if you’re upgrading an AD that you inherited or that’s been around for a while, you might pause a bit longer.
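A read-only snapshot of the three items above (schema version, DFLs, FFL) plus the Recycle Bin condition that blocks FFL rollback to 2008, as an added example that is not part of the original post or of any Semperis tooling. It assumes the RSAT ActiveDirectory PowerShell module and an account that can read the forest; the report field names are illustrative.

```powershell
# Added example: record pre-upgrade forest state before the irreversible schema step.
# Read-only; assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Schema objectVersion values for each Windows Server release.
$schemaNames = @{ 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019' }

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. Schema: the change that cannot be rolled back. Record what it is today.
$schema        = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
$schemaVersion = [int]$schema.objectVersion

# 2. DFL per domain, with the operating systems of the DCs still in each domain.
#    The DFL can only be raised once every DC in the domain is up-level.
$domains = foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Server $name
    $dcs    = Get-ADDomainController -Filter * -Server $name
    [pscustomobject]@{
        Domain     = $domain.DNSRoot
        DomainMode = $domain.DomainMode
        DcCount    = @($dcs).Count
        DcOsMix    = ($dcs | Group-Object OperatingSystem |
                      ForEach-Object { "$($_.Count) x $($_.Name)" }) -join '; '
    }
}

# 3. FFL, plus the Recycle Bin state. Per the caveat above, rollback to the
#    2008 FFL is possible only if the AD Recycle Bin has not been enabled.
$recycleBin        = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
$recycleBinEnabled = [bool]($recycleBin -and $recycleBin.EnabledScopes.Count -gt 0)

[pscustomobject]@{
    Forest                   = $forest.Name
    SchemaObjectVersion      = $schemaVersion
    SchemaRelease            = $schemaNames[$schemaVersion]
    ForestMode               = $forest.ForestMode
    RecycleBinEnabled        = $recycleBinEnabled
    FflRollbackTo2008Blocked = $recycleBinEnabled
    SchemaMaster             = $forest.SchemaMaster
    Domains                  = $domains
} | ConvertTo-Json -Depth 4
```

Saving the JSON output alongside the project plan documents the starting state that a forest recovery would have to return to.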
If your AD is healthy, upgrading the schema isn’t generally a problem. However, management doesn’t like to hear that there’s no way back. And let’s be honest: Any AD administrator worth the title hesitates before pushing the key to start an irreversible step.
If you do a risk assessment matrix, the risk falls under the category of low probability but high impact, and should therefore have a mitigation plan in place. For an AD upgrade, risk mitigation means forest recovery.
A challenging proposition
Here’s the problem: forest recovery is no simple task. You probably back up DCs regularly, but DC backups aren’t enough – you also need detailed information about your AD topology, as well as a reliable method of recovery. There’s no native tool for forest recovery, and the manual process outlined by Microsoft is very exacting. In my experience, few AD teams have ever attempted a forest recovery, even in a lab environment.
The good news is that third-party tools are available to automate recovery and ensure you have the necessary backups to recover your AD environment. Semperis AD Forest Recovery is one such tool:
Semperis automates forest recovery, thereby providing the required remediation measure for your AD upgrade plan. Semperis’s Anywhere Recovery and IP mapping capabilities also facilitate upgrade testing in the lab prior to the production upgrade.
A permanent safety net
Of course, an upgrade isn’t the only thing that puts your AD at risk. Cyberattacks are a constant threat. For example, a recent article on Wired.com describes how an attacker took out all the DCs for the 2018 Winter Olympics in Seoul, South Korea.
Not all AD recovery tools protect against this type of threat. For example, they may reintroduce malware in system state and bare-metal backups, or struggle to restore to different virtual or physical hardware. So, it’s important to choose a tool that covers cyber scenarios (ransomware, wiper attacks, etc.) and not just operational scenarios (such as schema upgrades or administrative errors, DIT corruption, AD software failures, etc. that were concerns in the early days of AD).
While an AD upgrade might be the impetus (or opportunity) for procuring an AD recovery tool, the right tool can provide value long after the upgrade. This post from Ed Amoroso, cybersecurity expert and former Chief Security Officer at AT&T, is a great place to learn more.
The post Upgrading to WS2016/2019? Consider a Safety Net for AD appeared first on Semperis.
*** This is a Security Bloggers Network syndicated blog from Semperis authored by Sean Deuby. Read the original post at: https://www.semperis.com/blog/upgrading-to-ws2016-2019-consider-a-safety-net-for-ad/
#nationalcybersecuritymonth | Don’t let these scary cyber safety risks creep up on you | Features/Entertainment
THE CONCERN: October is National Cybersecurity Awareness Month, and the Better Business Bureau is scaring up the latest on cyber security risks and ways to avoid them. Watch out for these spooky dangers lurking in the corners of our everyday digital lives. HOW THE SCAM WORKS: […]