• Gibsonisafluffybutt
    ↑ 22 · 6 months ago

    MADE IT TO ROUND 2!!!

    Now I have a week to brush up on some tech stuff (Active Directory mainly), and we should be good!

    I’ve found a good 6-hour tutorial on YouTube that’ll do the trick.

    • TinyBreak
      ↑ 2 · 6 months ago

      AD? Or AAD? Remember for bonus points call it “Entra ID” these days. Throw in a reference to conditional access policies. If that don’t give the security guys a semi nothing will.

      • Gibsonisafluffybutt
        ↑ 2 · 6 months ago

        That’s fucking hilarious 🤣 but you’re absolutely spot on. They want basic AD knowledge which is pretty straightforward. Just brushing up.

        I actually did work on IAM and conditional access at my last job, but only as a project manager.

        • TinyBreak
          ↑ 2 · 6 months ago

          Absolutely bring that up. Fair to assume they are directory synced to the cloud. Honestly, conditional access is one of the coolest things Microsoft have done in the last 10 years!!

          For inside knowledge: Microsoft is apparently working on enabling more complex passwords in Entra ID. I’m very excited about this because it’s stupid that you have to have an on-premises Active Directory to be able to set minimum complexity requirements.

          • Gibsonisafluffybutt
            ↑ 2 · 6 months ago

            Interesting! I’ve been hearing that two-factor isn’t enough anymore, is that true?

            This job, it’s linked to the courts, so everything is still on prem. Although, maybe if I get this job I can start an initiative to move to the cloud.

            • TinyBreak
              ↑ 2 · 6 months ago

              Correct, MFA ain’t enough. Especially in sensitive settings like the courts. Government gets twitchy about data going out of the country. You might even find, dealing with the courts, the mandate IS on prem.

              But I’ve had clients/customers/whatever click on links and have their auth token stolen from the browser, which allowed an attacker to come in, totally bypassing MFA. I’ve also had customers have their phone number ported away to steal the SMS auth. Shit is scary.

              • Gibsonisafluffybutt
                ↑ 2 · 6 months ago

                Pretty sure the court is mandated to be on prem if I recall from the interview. Browser stuff can be mitigated to a degree, but how the fuck do you stop number porting and SIM cloning?

                • TinyBreak
                  ↑ 2 · 6 months ago

                  So MS are dropping SMS auth totally. MFA requires an app, or it will. It’s a VERY slow rollout.