Corp.com, Active Directory and Doing the Right Thing
Recently Microsoft announced that it was going to follow in the footsteps of founder Bill Gates and do something cool simply because it was the right thing to do. Microsoft bought the domain corp.com and probably paid at least $1.7m for the privilege.
Why did they do that?
In short, for better security.
Some background is needed here. Active Directory is a directory service: a way for networked computer systems to control access and authentication. For many, this is where their user IDs and passwords for things like Outlook and SharePoint live. AD has been around for a while, and a lot has changed since it was introduced.
When setting up a Windows 2000 Server hosted Active Directory system, one of the settings was for the Active Directory domain name and for whatever reason the default, which was intended to be changed by the admin setting it up, was “corp.” Best practices, even then, dictated that you change that setting to match a domain your company actually owned and controlled, but DNS is tricky and lots of people don’t pay very close attention to instructions. They also get nervous when changing default settings – which is something to consider if you are building software or networking products.
Active Directory does something called name devolution, which was undoubtedly viewed as a convenient feature back when it was not so common for corporate networks to be connected to the internet. If your AD domain is named corp and you try to do something that requires name resolution, a common combination of default settings will result in members of your AD trying to resolve unqualified names such as foo as foo.corp.com.
When nobody had internet access from their office desktops, this was not such a big deal. If, on the other hand, you are living in the year 2020 and working from home or, with any luck, from a coffee shop, on a laptop that is almost without a doubt connected to the internet, then having your system tag corp.com onto unqualified names could be a problem.
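To see whether your own machines behave this way, you can look for short internal names that were suffixed with corp.com and sent to a resolver you do not run. The following is an added example, not code from the original post; the log format, the resolver addresses and the sample lines are constructed assumptions.

```python
from collections import defaultdict

AD_SUFFIX = "corp.com"              # suffix appended to unqualified names
INTERNAL_RESOLVERS = {"10.1.0.53"}  # assumption: the DNS servers you operate

# Constructed sample: "<timestamp> <client> <resolver> <qtype> <qname>"
SAMPLE_LOG = """\
2020-04-09T09:01:12Z 10.1.4.23 10.1.0.53 A foo.corp.com.
2020-04-09T18:22:40Z 192.168.1.77 203.0.113.53 A foo.corp.com.
2020-04-09T18:22:41Z 192.168.1.77 203.0.113.53 A FileServer.Corp.Com
2020-04-09T18:22:45Z 192.168.1.77 203.0.113.53 A www.notcorp.com.
2020-04-09T18:23:02Z 192.168.1.77 203.0.113.53 AAAA foo.corp.com.
2020-04-09T18:23:05Z 192.168.1.80 203.0.113.53 A corp.com.
truncated line
"""

def under_zone(qname, zone):
    """True if qname is strictly below zone, matched on a label boundary."""
    return qname.endswith("." + zone)

def find_leaks(log_text):
    """Map each client to the short names it asked an outside resolver for."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or truncated lines
        _ts, client, resolver, _qtype, qname = fields
        qname = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if resolver in INTERNAL_RESOLVERS:
            continue  # answered inside the network, nothing left the building
        if under_zone(qname, AD_SUFFIX):
            # Strip ".corp.com" to recover the name the user actually typed.
            leaks[client].add(qname[: -len(AD_SUFFIX) - 1])
    return {client: sorted(names) for client, names in leaks.items()}

if __name__ == "__main__":
    for client, names in find_leaks(SAMPLE_LOG).items():
        print(client, "asked an outside resolver for:", ", ".join(names))
```

Each name it reports is an internal hostname that a roaming machine looked up on the public internet under a domain the organization does not control.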
Of course, one might ask: why not just change the settings in AD to rename the domain? Well, you certainly could do that, and there are documented steps and procedures, but even so, it is not for the faint of heart and the cost of getting it wrong is very, very high. A botched AD name change could result in little things like users being unable to log in and email not working. Little things.
Fortunately, now the wrong people are not going to be able to get that domain. Hearty salute to Microsoft for doing the right thing.
If you need some help figuring out where your traffic is going or in general getting a better idea of what is really happening on your network, it might be worth thinking about how dynamic network intelligence from a visibility solution could help.
Also, if you are worried about the kinds of gaps that bad guys might find in your network, there are a couple things worth checking out. One is how breach and attack simulation, in this case Keysight Threat Simulator, can help you not only find but plug gaps in your security efforts. If you believe in defense in depth or are facing just too many security alerts, a threat intelligence gateway like ThreatARMOR may be right for you. Learn more about how our approach to blocking bad actors, not just individual threats, can protect against exfiltration and zero days.
Thanks for reading.