800-53 Rev 5 is such a pain in the ass to implement fully but holy shit is it much needed. Bad actors out there everywhere and if followed to the letter, those controls will save you almost every step of the way. “Almost” because there will always be a new method to infiltrate an organization or agency, but the damage control built into these controls should lessen the impact regardless.
Don’t try to scam me out of my scam messages.
Their marketing dept is probably concerned.
Lol oh I never said it’s a good solution. The worst part isn’t running IIS, it’s running IIS on a domain controller. The better option is using a different domain for AD than your web domain, as long as it’s a publicly registered domain for certificate purposes.
Hilariously, I bet it’s because their Active Directory domain is the same as their public domain, and it becomes a massive pain in the ass to hostname the root domain. Yes, externally you can do it just fine, but then it’s not consistent internally on their private network.
One solution is you run IIS (or any other web server) purely as a permanent redirect for the internal host, but it would then need to run on each domain controller which brings its own set of issues.
I can from personal experience that there is a huge push to get much more secure in the local government space in the US, including adhering to NIST 800-53, and be audited on it. It’s not foolproof, but it’s a much needed step forward towards preventing big events becoming breaches. But if they are a breach they’ll be lower impact. It’s painful to get there, but I’ve been involved heavily in the conversion in policies and procedures to get there.
I wouldn’t say that Windows is malware itself, but rather it wasn’t created with a security-first stance, which we absolutely need for all OSes going forward. I say this as someone who ditched Windows as my DD (“I use Arch, btw”). I left Windows more for their policies and subscription models that are becoming increasingly anti-consumer.
With that said, let’s not pretend that Linux is immune as has been proven in the past week with xz and liblzma being compromised. Yes, it took 3 years to get to the point their long game paid off, but it still happened through a series of credibility social engineering steps by a single person. (Yes I know others were also trying to do exactly this, but only Jia Tan was successful)
I say we name it “Thatsno”
Yes, but are those shoes this sharp?