Friday, September 29, 2017

Okta... Shame on You

There must be something fundamentally wrong with identity management tool vendors. OneLogin, MS MIM CM, and now Okta.

Again, oddly, this vendor seems to know a bit about AD in one part of their document, where they explain how to delegate very specific rights to the Okta service account, yet a few lines above that, they think the only way to create a service account in AD is with domain admin rights...

Thursday, September 28, 2017

SAP NetWeaver on Windows... Say What?

SAP is one of the largest software companies in the world. Inexplicably, SAP thinks you need to give your web server admins Domain Admin rights to integrate with AD.

Like other vendors, they lead with "needs to be a member of domain admins", then fall back to "here is what you can do if you aren't a domain admin". The fallback is nice to have, but pretty embarrassing for SAP: all they need is users and groups created.

Microsoft Identity Manager 2016 Certificate Management

Yes, I am an MS employee, and this makes me mad...

Despite it being very simple to delegate the proper configuration partition rights to your PKI team, MIM CM and FIM CM check that you are a domain admin on installs and upgrades.

Checking ACLs in AD is not hard. Checking group membership for something that should be delegated makes me sad and angry.
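What "checking ACLs instead of group membership" looks like in practice, as an added example that is not from this blog, MIM CM, or any vendor's installer: a pre-flight check that reads the ACL on the target container and asks whether the current account (directly or through any group in its token) holds the one right the tool needs, rather than asking whether it is a Domain Admin. The OU path, the service account, and the right being checked are assumptions for illustration.

```powershell
# Added example, not vendor code. Requires the RSAT ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

function Test-DelegatedRight {
    param(
        [Parameter(Mandatory)][string]$Path,                                   # DN of the OU or container
        [System.DirectoryServices.ActiveDirectoryRights]$Right = 'CreateChild', # right the tool needs
        [Guid]$ObjectType = [Guid]::Empty                                      # schemaIDGUID of the class, or Empty for "any class"
    )
    # SIDs of the current identity plus every group in its access token.
    $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $MySids   = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })

    $Acl = Get-Acl -Path "AD:\$Path"
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        try {
            $AceSid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }                                                    # unresolvable trustee; skip it
        if ($MySids -notcontains $AceSid) { continue }
        # An ACE whose ObjectType is the empty GUID applies to every object class.
        $ClassMatches = ($Ace.ObjectType -eq [Guid]::Empty) -or ($Ace.ObjectType -eq $ObjectType)
        if ($ClassMatches -and (($Ace.ActiveDirectoryRights -band $Right) -eq $Right)) {
            return $true
        }
    }
    return $false
}

# Well-known schemaIDGUID of the "user" object class.
$UserClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$TargetOU  = "OU=App Managed,DC=corp,DC=example"   # assumed OU the tool provisions into

if (Test-DelegatedRight -Path $TargetOU -Right CreateChild -ObjectType $UserClass) {
    Write-Host "OK: this account can create user objects under $TargetOU"
} else {
    Write-Error "Missing delegated right: CreateChild (user) on $TargetOU. Delegate it on the OU; do not add the account to Domain Admins."
}
```

This is deliberately the simple version of the check: it only looks at Allow ACEs, so it does not account for an explicit Deny higher in the ACL, and it does not expand property sets or extended rights. Even so, it is strictly more honest than testing for Domain Admins membership, and it fails with a message that tells the admin exactly which right to delegate.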

Every time I grant my PKI team DA rights, I lose a little piece of my soul.

Wednesday, September 27, 2017

Onelogin... Secure Your Enterprise with a Foundation of Insecure

Cloud Based IAM for the Modern Enterprise? Really?  You'd think they'd want to start off on the right foot with security.

You'd think wrong. In order to do basic AD tasks, the vendor recommends you just add your service account, for their tool, to domain admins. They have great docs on proper delegation, but they recommend you don't bother with that security stuff, just hand over the keys...

Bring the Shame

This blog is dedicated to shaming any software vendor, consultant, or pundit who suggests you grant Domain Admin rights to a service or application to "make it work". Almost no one and nothing needs domain admin rights. Active Directory lets you delegate out rights in a very granular way.

Nearly as bad and needless is hard coding your installer to require the user be a domain admin. Unless you are installing a new domain controller, you should never need to install anything as domain admin. One can always delegate out the rights needed by the tool or app.
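The granular delegation the two paragraphs above describe, as an added example that is not from this blog or from any of the vendors named on it: instead of putting a provisioning tool's service account in Domain Admins, grant it only create/delete of user and group objects under one OU, plus write-property on the objects of those classes beneath it. The OU "OU=App Managed,DC=corp,DC=example" and the account "svc-app" are assumptions; the two class GUIDs are the well-known schemaIDGUIDs for the user and group classes.

```powershell
# Added example, not vendor code. Requires the RSAT ActiveDirectory module (AD: drive)
# and an account that can modify the security descriptor of the target OU.
Import-Module ActiveDirectory

$OU  = "OU=App Managed,DC=corp,DC=example"   # assumed OU the tool may manage
$Svc = Get-ADUser -Identity "svc-app"        # assumed service account
$Sid = [System.Security.Principal.SecurityIdentifier]$Svc.SID

# Well-known schemaIDGUIDs for the "user" and "group" object classes.
$UserClass  = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$GroupClass = [Guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"

$Acl = Get-Acl -Path "AD:\$OU"

foreach ($Class in @($UserClass, $GroupClass)) {
    # Create and delete objects of this class anywhere in the OU subtree
    # (ObjectType ACE: the GUID names the class that may be created/deleted).
    $CreateDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
        [System.Security.AccessControl.AccessControlType]::Allow
        $Class
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $Acl.AddAccessRule($CreateDelete)

    # Write attributes on descendant objects of this class only
    # (InheritedObjectType ACE: applies to children that are of the class, not to the OU itself).
    $WriteProps = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        [System.Security.AccessControl.AccessControlType]::Allow
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $Class
    )
    $Acl.AddAccessRule($WriteProps)
}

Set-Acl -Path "AD:\$OU" -AclObject $Acl

# Show what was granted, so the change can be reviewed and documented.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*svc-app*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The account ends up able to do exactly what a user/group provisioning tool needs inside that one OU and nothing anywhere else in the domain; if the tool later needs something more (say, resetting passwords), that is one more ACE on the same OU, not a trip to Domain Admins. The same ACEs can be written with dsacls, but the object form above is easier to review and to keep in version control.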

Granting an application domain admin rights is like giving out the master key to your 120-acre resort to the pool lifeguard. The key grants access to all the guest rooms, the boiler room, the kitchen, etc., when the pool lifeguard just needs access to the guard shack and the pool mechanical room.