Somfy

挑战

As a global player in home and commercial control systems, Somfy aims for the highest levels of innovation and advancement in its products and solutions. With several companies under its umbrella, Somfy’s security for intellectual property, design, and customer data spanning a vast directory infrastructure was paramount. As a part of its continuous improvement process, Somfy was seeking the best way to tackle unique AD security challenges. 这便需要有针对性地评估根域，从而识别所有问题。

识别现有弱点

Utilizing Tenable.ad for AD’s seamless, instant-on deployment, Somfy was able to immediately investigate and identify problems in real-time, each corresponding to one of Tenable.ad’s Indicators of Exposure (IoE). 一些重大问题与指标 AdminSDholder、根权限和 Kerberos 委派密切相关。AD 初始评估结果显示，众多群组中存在过量管理员的问题。

This initial connection between Tenable.ad and Somfy’s AD was vital, as the solution mapped the AD’s topology and identified any existing hidden attack pathways and weaknesses that could be leveraged by attackers.

子域复杂性

在初始对接和分析根域后，工作重点转移到了子域。However, a few challenges with the child domain showed potential loopholes and vulnerabilities. 其中包括：

• 全球众多地点有许多实体
• 许多 AD 管理员
• 一些管理员来自外包、第三方资源

解决方案

Following the initial assessment exploring existing weaknesses, misconfigurations, and attack pathways, the Tenable.ad solution provided step-by-step remediation tactics to prevent vulnerabilities and attacks. Due to Somfy's need to quickly acquire some additional expertise relating purely to AD, Tenable.ad’s reputable partner provided ongoing workshops to analyze each IoE. The partner organized a tailor-made mitigation plan based on Tenable.ad for AD’s real-time results available to Somfy senior staff through an intuitive, consolidated dashboard.

Thanks to the Tenable.ad platform’s consistent real-time AD monitoring, Somfy was able to perform continuous workshops to address each actionable IoE task, while relevant teams were equipped with Tenable.ad-proposed checkers to ensure each step was mitigated. 研讨会的设置基于各 IoE 的复杂程度，并可以帮助 Somfy 了解如何最大化利用 Tenable.ad 解决方案。

Once the mitigation steps were complete, Somfy’s security team cross-referenced via the Tenable.ad platform to check the security status. Somfy 可以监控自身的 AD 是否合乎标准，持续监控 AD，甚至可以获得制定合规规则的协助。

这种度量 AD 安全性的方法让安全团队受益匪浅。在完成缓解步骤后，便会继续监控根域，从而保护 Active Directory。由此，子域问题便已解决。

成果

An adequate delegation model was put into practice to avoid the use of built-in privileged groups.

• 一天内便可识别和缓解由 AD 管理员误引入的新安全问题。
• Systems and jobs configured with wrong credentials were spotted and located by the brute-force detection; their misconfiguration was fixed.
• 域配置的微调确保可将新加入的机器纳入安全修复 GPO 中。
• 重新配置了许多服务帐户，降低其对域的破坏。