Somfy

挑戰

As a global player in home and commercial control systems, Somfy aims for the highest levels of innovation and advancement in its products and solutions. With several companies under its umbrella, Somfy’s security for intellectual property, design, and customer data spanning a vast directory infrastructure was paramount. As a part of its continuous improvement process, Somfy was seeking the best way to tackle unique AD security challenges. 這個方法必須能對根網域進行目標式評估，找出所有問題所在。

找出現有弱點

Utilizing Tenable.ad for AD’s seamless, instant-on deployment, Somfy was able to immediately investigate and identify problems in real-time, each corresponding to one of Tenable.ad’s Indicators of Exposure (IoE). 其中幾個重大問題與 AdminSDholder、Root 權限和 Kerberos 委派指標有關。AD 的初步評估結果突顯出存在跨多個群組管理員過多的嚴重性。

This initial connection between Tenable.ad and Somfy’s AD was vital, as the solution mapped the AD’s topology and identified any existing hidden attack pathways and weaknesses that could be leveraged by attackers.

複雜的子網域

完成初步連結和根網域分析之後，接下來輪到關注子網域。However, a few challenges with the child domain showed potential loopholes and vulnerabilities. 這些挑戰包括：

• 眾多經營實體分布於全球各個角落
• AD 管理員人數過多
• 夾雜著幾個來自委外第三方資源的管理員

解決方案

Following the initial assessment exploring existing weaknesses, misconfigurations, and attack pathways, the Tenable.ad solution provided step-by-step remediation tactics to prevent vulnerabilities and attacks. Due to Somfy's need to quickly acquire some additional expertise relating purely to AD, Tenable.ad’s reputable partner provided ongoing workshops to analyze each IoE. The partner organized a tailor-made mitigation plan based on Tenable.ad for AD’s real-time results available to Somfy senior staff through an intuitive, consolidated dashboard.

Thanks to the Tenable.ad platform’s consistent real-time AD monitoring, Somfy was able to perform continuous workshops to address each actionable IoE task, while relevant teams were equipped with Tenable.ad-proposed checkers to ensure each step was mitigated. 根據複雜程度，針對每個曝險指標 (IoE) 各舉行一場實作研討會，並協助指導 Somfy 如何發揮 Tenable.ad 解決方案的最大效用。

Once the mitigation steps were complete, Somfy’s security team cross-referenced via the Tenable.ad platform to check the security status. Somfy 能夠監控自身的 AD 合規標準，持續監控 AD，甚至獲得建立合規規則的相關協助。

這種衡量 AD 安全的方法讓資安團隊得以快速獲益。完成所有緩解步驟之後，Tenable.ad 仍持續監控根網域，以保障 Active Directory 的安全。在這之後，子網域的安全問題亦獲得圓滿解決。

成果

An adequate delegation model was put into practice to avoid the use of built-in privileged groups.

• 在一天之內找出 AD 管理員的不當行為所引發的安全問題並予以緩解。
• Systems and jobs configured with wrong credentials were spotted and located by the brute-force detection; their misconfiguration was fixed.
• 稍加改進後的網域設定可確保新加入的機器涵蓋在安全修補 GPO 的範圍之內。
• 重新設定眾多服務帳戶，以降低其破壞網域的威脅性。