I needed a tool which would talk to administrators so they would develop their security awareness and become so talented that they wouldn’t cause any new deviations. Tenable.ad's dashboards, alerts, and search capabilities fit that purpose entirely.
- Continuously monitor in real-time to discover weaknesses and misconfigurations
- Somfy's AD infrastructure comprised 1 forest and 2 domains
How global manufacturer monitors and protects its Active Directory infrastructure
Founded in France in 1969 and present in 58 countries, Somfy is the leading partner in all areas of building opening automation systems and a pioneer in the connected home sector. The group is constantly innovating to create homes that offer their users comfort, well-being, and safety to fulfill its vision of “inspiring a better way of living accessible to all.”
A portfolio of five applications and 13 complementary brands helps achieve this vision:
The entrepreneurial spirit of Somfy is embodied by the Group’s 6,070 employees in 117 subsidiaries, eight manufacturing plants, and 80 logistics centers and warehouses. Its presence on five continents enables the group to adapt its products and services to the specific needs and characteristics of its markets.
As a global player in home and commercial control systems, Somfy aims for the highest levels of innovation and advancement in its products and solutions. With several companies under its umbrella, Somfy’s security for intellectual property, design, and customer data spanning a vast directory infrastructure was paramount. As a part of its continuous improvement process, Somfy was seeking the best way to tackle unique AD security challenges. This required a targeted assessment of the root domain to identify all issues.
Utilizing Tenable.ad for AD’s seamless, instant-on deployment, Somfy was able to immediately investigate and identify problems in real time, each corresponding to one of Tenable.ad’s Indicators of Exposure (IoE). Some of the major issues were closely tied to the indicators for AdminSDHolder, root permissions, and Kerberos delegation. The initial AD assessment showed an excessive number of administrators across many groups.
This initial connection between Tenable.ad and Somfy’s AD was vital, as the solution mapped the AD’s topology and identified any existing hidden attack pathways and weaknesses that could be leveraged by attackers.
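After the initial connection and analysis of the root domain, the focus shifted to the child domain. However, a few challenges with the child domain showed potential loopholes and vulnerabilities. These included:
- Numerous AD administrators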
Following the initial assessment exploring existing weaknesses, misconfigurations, and attack pathways, the Tenable.ad solution provided step-by-step remediation tactics to prevent vulnerabilities and attacks. Due to Somfy's need to quickly acquire some additional expertise relating purely to AD, Tenable.ad’s reputable partner provided ongoing workshops to analyze each IoE. The partner organized a tailor-made mitigation plan based on Tenable.ad for AD’s real-time results available to Somfy senior staff through an intuitive, consolidated dashboard.
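Thanks to the Tenable.ad platform’s consistent real-time AD monitoring, Somfy was able to perform continuous workshops to address each actionable IoE task, while relevant teams were equipped with Tenable.ad-proposed checkers to ensure each step was mitigated. The workshops were structured according to the complexity of each IoE and helped Somfy understand how to get the most out of the Tenable.ad solution.
Once the mitigation steps were complete, Somfy’s security team cross-referenced via the Tenable.ad platform to check the security status. Somfy could monitor whether its AD met the standard, monitor the AD continuously, and even get assistance in defining compliance rules.
This approach to measuring AD security greatly benefited the security team. Once the mitigation steps were complete, monitoring of the root domain continued in order to protect Active Directory. With that, the child domain issues were resolved.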
An adequate delegation model was put into practice to avoid the use of built-in privileged groups.
New security issues introduced by mistake by AD administrators are identified and mitigated within one day.
Systems and jobs configured with wrong credentials were spotted and located by the brute-force detection; their misconfiguration was fixed.
Fine-tuning of the domain configuration ensures that newly joined machines are covered by the security remediation GPOs.