Our (Microsoft Windows) computer inventory tools, patching products and security software all rely on one thing: Active Directory. It's the source of all the information we have about computers on our network, and it controls the security settings on those computers. We have software that installs patches on our computers, and it uses Active Directory to do what it does. Our antivirus product also relies on Active Directory to automatically install and update on our Windows computers. Active Directory is essentially our de facto inventory of Windows PCs. So what happens when we have a computer that's not on our Active Directory domain? I found out last week.
As it turns out, we do have a few computers that are not joined to our Active Directory domain. This means that they are unmanaged and effectively invisible to our patching and antivirus tools. We discovered them from our vulnerability scans on all our network segments. These PCs were not in our inventory. That’s because one of the business units brought in a third-party vendor a few months ago, which installed them on our network without any of our technical staff being involved. It’s some kind of financial news service, and the PCs are there to show headlines and stock prices. The vendor just plugged them in and walked away.
So nobody except the business unit employees knew about these new computers until now, when they started showing up on our vulnerability reports. In their first month of service on our network, they were up to date on patches, so our vulnerability scans ignored them. In their second month, they started appearing on the vulnerability report, but with relatively few vulnerabilities. In the third month, they made it to the top 10. When I asked what these computers were, nobody knew. We tracked them down by tracing the network cables using their IP addresses, and that's when we found out they are not on our domain.
I called the vendor and asked how its customers are expected to keep these PCs up to date. I was told that most of their customers actually do join the computers to the domain and install their own antivirus products. It just didn’t happen in our case because nobody from IT was involved, and the business unit employees have no idea about these things. So this was a fairly unusual situation.
We ended up joining the computers to our domain, updating their patches and setting them up with antivirus. We were fortunate that they didn’t contract malware while they were unprotected. But this incident has led me to believe that we should be scanning our entire network for unmanaged devices. That could take a really long time, given the large number of IP addresses in our network range. We’ll have to set up a special system that only does network scanning and let it run until it finishes — probably a few months to scan every IP address. Then we can compare what’s on the network with what’s in Active Directory to make sure there aren’t any more rogue computers lurking in the shadows.
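The comparison described above, as an added example that is not part of the original column: a PowerShell script that reconciles a scanner export against the computer objects in Active Directory and reports the hosts AD has never heard of. It assumes the RSAT ActiveDirectory module is installed and that the scanner export has `IPAddress` and `DNSName` columns; the sample rows are constructed.

```powershell
# Added example (not from the column): reconcile a network scan against AD.
# Assumes the ActiveDirectory module (RSAT) and a scanner export with
# 'IPAddress' and 'DNSName' columns; both are assumptions, not from the text.
Import-Module ActiveDirectory

# Constructed sample of what a scanner export might look like.
$ScanCsv = @"
IPAddress,DNSName
10.20.30.11,FIN-WS01.corp.example.com
10.20.30.12,FIN-WS02.corp.example.com
10.20.30.40,
10.20.30.41,tickerbox-1
"@
$ScanHosts = $ScanCsv | ConvertFrom-Csv

# Every computer object AD knows about, indexed by short name and by IPv4 address.
# IPv4Address is resolved from DNSHostName by the module, so a full-domain pull
# takes a while; that is acceptable for a periodic reconciliation job.
$AdComputers = Get-ADComputer -Filter * -Properties DNSHostName, IPv4Address
$AdNames = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$AdIps   = [System.Collections.Generic.HashSet[string]]::new()
foreach ($c in $AdComputers) {
    [void]$AdNames.Add($c.Name)
    if ($c.DNSHostName) { [void]$AdNames.Add(($c.DNSHostName -split '\.')[0]) }
    if ($c.IPv4Address) { [void]$AdIps.Add($c.IPv4Address) }
}

# A scanned host counts as unmanaged when neither its short hostname nor its
# IP address matches an AD computer object. Hosts with no DNS name at all are
# kept in the report deliberately; a vendor box nobody registered looks like that.
$Unmanaged = foreach ($h in $ScanHosts) {
    $short = if ($h.DNSName) { ($h.DNSName -split '\.')[0] } else { $null }
    $knownByName = $short -and $AdNames.Contains($short)
    $knownByIp   = $AdIps.Contains($h.IPAddress)
    if (-not ($knownByName -or $knownByIp)) {
        [pscustomobject]@{ IPAddress = $h.IPAddress; DNSName = $h.DNSName }
    }
}
$Unmanaged | Format-Table -AutoSize
```

Replace the constructed `$ScanCsv` block with `Import-Csv .\scan-results.csv` (column names adjusted to the scanner's export) to run it against a real scan.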
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.