But That System Isn’t On My Domain! Non-Domain-Joined System Security

In today’s blog, we are going to consider non-domain-joined system security. For most organization’s we test, this can include things like medical devices, systems in kiosk mode in public spaces, IoT devices, or other systems that were forgotten. If these systems are not on the domain, do we care? If so, why? How can an attacker leverage these to gain control of the domain? Let’s dive in!

The Risk Non-Domain Joined Systems Pose

There are several risks we typically encounter with non-domain-joined systems. Most of the time, these systems are not patched (outdated or unsupported) and are not hardened, as they are not getting the group policies that the rest of the systems are getting. Further, in the case of IoT and medical devices, they were built with functionality in mind and security was an afterthought, if it was considered at all. Because of this, these systems can often be the first point of entry for an attacker. As a security expert, we should consider that these are easier to compromise and analyze the impact of that compromise.

The impact is largely determined by what the system is. First, we see systems such as printers and IoT devices that bridge networks. This could be a printer that is connected to Ethernet and comes with its own ad hoc wireless network, for example. An attacker may be able to take over the printer and bridge these networks, essentially gaining access to the corporate network from a nearby parking lot. Another consideration is whether there are shared passwords on a non-domain-joined system that are also in use elsewhere. For example, if you have the same local administrator account and password on this system as the rest of the network, an attacker who is able to gain access will dump the credentials on the system and try them elsewhere. A final consideration is what type of information is on the device itself. If your non-domain-joined system is a smart TV, it is certainly less risk than a kiosk used to collect health information or credit card information.

What to do with Non-Domain-Joined Systems

For systems not used for sensitive information, the best thing to do is to put these devices on a segmented portion of your network that has access to the Internet and nothing else. Further, use a unique password for each of these systems. That way if someone compromises one these devices, they cannot see or access any other device on your internal network.

For systems that process sensitive information or those that are required to be on the local network, additional security controls need to be in place. Similar to ones we can segment, we need unique passwords for each system. Further precautions include making sure the device is up-to-date and has the latest software/firmware, disabling all unnecessary functionality, and enabling any security features that come with the device. Finally, if you have these devices, we would recommend creating a quarterly process to evaluate the risks associated with them, checking for any updates, and searching public databases for any published vulnerabilities with the devices/software you have. As always, if you want to discuss further or have any questions, let us know!