    Security without AD

    IT Discussion
    21 Posts 5 Posters 1.5k Views
    • gjacobse

      There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

      • Password policy
      • Lock out policy
      • Group Policy

      While not all SMBs have security policies like HIPAA or SOX that they have to adhere to, a company in the trades (HVAC, plumbing, electrical) won't have but, say, two 'classes' of employee, Finance and Tech, so basic password(s) should be enough.

      But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

      • dbeato

        It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also, this assumes you are only using Windows as your platform.

        You can use other systems such as JumpCloud and other AD cloud replacements, and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.

        Security options should be based on the industry, platform and size of the company.

        • Deleted74295 (banned)

          Authentication, you can look at many other options.

          Now as for central management, device control, update management, there are also lots of third-party solutions, so instead of rolling AD, you'd roll with an MDM-style solution where, instead of using pre-made group policies, you start pushing PowerShell scripts.

          • scottalanmiller @gjacobse

            @gjacobse said in Security without AD:

            There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

            • Password policy
            • Lock out policy
            • Group Policy

            Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

            • scottalanmiller @gjacobse

              @gjacobse said in Security without AD:

              But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

              AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.

              • scottalanmiller @dbeato

                @dbeato said in Security without AD:

                It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also, this assumes you are only using Windows as your platform.

                You can use other systems such as JumpCloud and other AD cloud replacements, and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.

                Security options should be based on the industry, platform and size of the company.

                You can also use remote scripts, say with PowerShell, or you could use tools like Ansible.

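An added example, not part of the thread and not any poster's code, for the two points made above: that password and lockout policy are settings of the machine itself rather than something AD provides, and that a script pushed over PowerShell remoting can take the place of a Group Policy. The script sets the local password and lockout policy on a standalone Windows box with `net accounts` (the same LSA/SAM settings a GPO would otherwise write), reads it back to check for drift, and then ships the same functions to a list of workstations with `Invoke-Command`. The computer names, the policy values and the expected-value table are assumptions; the remote part needs WinRM enabled on the targets, and everything must run from an elevated prompt.

```powershell
# Added example, not code from the thread. Local password/lockout policy
# without AD: set it with `net accounts`, read it back, fan it out over
# PS remoting. Computer names, policy values and expected-value labels
# are assumptions.
#Requires -RunAsAdministrator

function Set-LocalAccountPolicy {
    param(
        [int]$MinPasswordLength  = 14,   # net accounts allows 0-14
        [int]$MaxPasswordAgeDays = 90,
        [int]$MinPasswordAgeDays = 1,
        [int]$PasswordHistory    = 10,   # /uniquepw, 0-24
        [int]$LockoutThreshold   = 10,   # failed attempts before lockout
        [int]$LockoutDurationMin = 30,
        [int]$LockoutWindowMin   = 30
    )
    # These are the machine's own LSA/SAM settings; on a workgroup machine
    # they govern every account. The /lockout* switches are accepted even
    # though `net accounts /?` does not list them. Password complexity is
    # not a net accounts switch; that needs secedit (PasswordComplexity = 1).
    $out = & net.exe accounts "/minpwlen:$MinPasswordLength" `
        "/maxpwage:$MaxPasswordAgeDays" "/minpwage:$MinPasswordAgeDays" `
        "/uniquepw:$PasswordHistory" "/lockoutthreshold:$LockoutThreshold" `
        "/lockoutduration:$LockoutDurationMin" "/lockoutwindow:$LockoutWindowMin" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed: $($out -join ' ')" }
}

function Get-LocalAccountPolicy {
    # Parse the `net accounts` report into a hashtable keyed by its labels.
    # Labels are localized; the keys used below assume an English Windows.
    $policy = @{}
    foreach ($line in (& net.exe accounts)) {
        if ($line -match '^(?<k>[^:]+?):\s+(?<v>\S.*)$') {
            $policy[$Matches.k.Trim()] = $Matches.v.Trim()
        }
    }
    return $policy
}

function Test-LocalAccountPolicy {
    param([hashtable]$Expected)
    $actual = Get-LocalAccountPolicy
    $drift  = @(foreach ($k in $Expected.Keys) {
        if ($actual[$k] -ne $Expected[$k]) {
            '{0}: expected {1}, got {2}' -f $k, $Expected[$k], $actual[$k]
        }
    })
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($drift.Count -eq 0)
        Drift     = ($drift -join '; ')
    }
}

# Constructed expected values, labelled as English `net accounts` prints them.
$expected = @{
    'Minimum password length'              = '14'
    'Maximum password age (days)'          = '90'
    'Lockout threshold'                    = '10'
    'Lockout duration (minutes)'           = '30'
    'Lockout observation window (minutes)' = '30'
}

# 1. Standalone box: apply and verify locally.
Set-LocalAccountPolicy
Test-LocalAccountPolicy -Expected $expected

# 2. A fleet: define the functions inside each remote session, then run them.
$fleet = 'WS-01', 'WS-02', 'WS-03'   # constructed names; WinRM must be enabled
$defs = foreach ($f in 'Set-LocalAccountPolicy', 'Get-LocalAccountPolicy', 'Test-LocalAccountPolicy') {
    "function $f { $((Get-Command $f).Definition) }"
}
$defs = $defs -join "`n"
Invoke-Command -ComputerName $fleet -ScriptBlock {
    Invoke-Expression $using:defs
    Set-LocalAccountPolicy
    Test-LocalAccountPolicy -Expected $using:expected
} | Format-Table PSComputerName, Compliant, Drift -AutoSize
```

The verification step matters more than the set step: a script run once is a one-time change, while a GPO is re-applied on every refresh, so whatever schedules this script (MDM, a scheduled task, Ansible's win_shell) has to re-run the check to get the same durability. On a domain member, `net accounts` without `/domain` changes only the local SAM policy; domain accounts are still governed by the domain policy.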
                • Dashrender

                  I thought someone was trying to do all that control stuff with Salt recently?

                  • Dashrender @scottalanmiller

                    @scottalanmiller said in Security without AD:

                    @gjacobse said in Security without AD:

                    There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

                    • Password policy
                    • Lock out policy
                    • Group Policy

                    Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

                    Isn't this a problem on nearly any cached creds system? It would seem like a huge problem to change centralized passwords while being offline.
                    I suppose a good security option would be a kill switch on a timer, i.e. not online for 30 days (or whatever) and the system won't allow non-admin logon until it talks to the central host.

                    • scottalanmiller @Dashrender

                      @Dashrender said in Security without AD:

                      I thought someone was trying to do all that control stuff with Salt recently?

                      Salt, Ansible, Chef, Puppet, cfengine, PS scripts, you name it. Many ways to skin that cat.

                      • scottalanmiller @Dashrender

                        @Dashrender said in Security without AD:

                        @scottalanmiller said in Security without AD:

                        @gjacobse said in Security without AD:

                        There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

                        • Password policy
                        • Lock out policy
                        • Group Policy

                        Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

                        Isn't this a problem on nearly any cached creds system? It would seem like a huge problem to change centralized passwords while being offline.
                        I suppose a good security option would be a kill switch on a timer, i.e. not online for 30 days (or whatever) and the system won't allow non-admin logon until it talks to the central host.

                        Yes, which is why only locally controlled mechanisms can get past that limitation. No great answer to offline systems.

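An added example, not part of the thread, of the "kill switch on a timer" Dashrender describes, implemented as the kind of locally controlled mechanism scottalanmiller says is the only thing that can act on an offline machine. Run daily from a scheduled task as SYSTEM on a domain-joined laptop, it records the last time a domain controller was reachable; after more than the configured number of days without contact it sets `CachedLogonsCount` to 0 in the Winlogon key, so the next domain logon has to be validated by a DC. Local SAM accounts (a break-glass local admin, for instance) are not cached domain logons and are unaffected. The state file path and the 30-day threshold are assumptions.

```powershell
# Added example, not code from the thread: endpoint-side "stale offline"
# kill switch for a domain-joined machine. The state-file path and the
# 30-day threshold are assumptions. Run as SYSTEM from a scheduled task.
#Requires -RunAsAdministrator
param(
    [int]$MaxOfflineDays = 30,
    [string]$StateFile = "$env:ProgramData\OfflineGuard\last-dc-contact.txt"
)

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$NormalCachedLogons = '10'   # Windows default for CachedLogonsCount (REG_SZ)

function Test-DomainReachable {
    # $true only when the machine's secure channel to a DC is healthy.
    # Throws (so returns $false) on a machine that is not domain-joined.
    try { return [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { return $false }
}

function Save-LastDcContact([datetime]$When) {
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    $When.ToString('o') | Set-Content -Path $StateFile
}

function Get-LastDcContact {
    if (Test-Path $StateFile) {
        return [datetime]::Parse((Get-Content -Path $StateFile -Raw).Trim())
    }
    # First run with no record: start the clock now instead of locking out.
    $now = Get-Date
    Save-LastDcContact $now
    return $now
}

function Set-CachedLogons([string]$Count) {
    # Takes effect at the next logon; an already signed-in user stays signed in.
    Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value $Count -Type String
}

if (Test-DomainReachable) {
    Save-LastDcContact (Get-Date)
    Set-CachedLogons $NormalCachedLogons   # back online: restore normal caching
    Write-Output 'DC reachable; cached domain logons allowed.'
    exit 0
}

$offlineDays = ((Get-Date) - (Get-LastDcContact)).TotalDays
if ($offlineDays -gt $MaxOfflineDays) {
    Set-CachedLogons '0'   # next domain logon must reach a DC
    Write-Output ('Offline {0:N0} days (> {1}); cached domain logons disabled.' -f $offlineDays, $MaxOfflineDays)
} else {
    Write-Output ('Offline {0:N1} days; {1:N1} left before cached logons are disabled.' -f $offlineDays, ($MaxOfflineDays - $offlineDays))
}
```

Two caveats a practitioner would want. First, with `CachedLogonsCount` at 0 a user who locks the screen while still offline cannot unlock it either, so the threshold has to be long enough that a traveller is not stranded, and a local break-glass account with a managed password must exist. Second, this is a guardrail, not a tamper-proof control: the clock, the state file and the registry value are all on the endpoint, so a local administrator (or anyone who has pulled the disk) can reset them, and it does nothing about an attacker who already extracted the cached credential verifier for offline cracking.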
                        • gjacobse @scottalanmiller

                          @scottalanmiller said in Security without AD:

                          @gjacobse said in Security without AD:

                          There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

                          • Password policy
                          • Lock out policy
                          • Group Policy

                          Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

                          Ah, but that throws a wrench: those that travel are limited to cached creds most of the time. It's not practical or reliable to have the VPN connect prior to authentication, as the VPN may be blocked at whatever site you are currently at. Yes, it does happen... had it happen to someone from a hospital.

                          So in that case, what do you fall back to?

                          • gjacobse @scottalanmiller

                            @scottalanmiller said in Security without AD:

                            @gjacobse said in Security without AD:

                            But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

                            AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.

                            Right - if you have a large company, very handy.

                            • gjacobse @scottalanmiller

                              @scottalanmiller said in Security without AD:

                              @dbeato said in Security without AD:

                              It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also, this assumes you are only using Windows as your platform.

                              You can use other systems such as JumpCloud and other AD cloud replacements, and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.

                              Security options should be based on the industry, platform and size of the company.

                              You can also use remote scripts, say with PowerShell, or you could use tools like Ansible.

                              I have only done a few PS scripts, and nothing with Ansible yet.

                              • scottalanmiller @gjacobse

                                @gjacobse said in Security without AD:

                                @scottalanmiller said in Security without AD:

                                @gjacobse said in Security without AD:

                                There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

                                • Password policy
                                • Lock out policy
                                • Group Policy

                                Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

                                Ah, but that throws a wrench: those that travel are limited to cached creds most of the time. It's not practical or reliable to have the VPN connect prior to authentication, as the VPN may be blocked at whatever site you are currently at. Yes, it does happen... had it happen to someone from a hospital.

                                So in that case, what do you fall back to?

                                This isn't really much of a problem in the modern world. Maybe some VPNs from ages past, but this isn't something that people normally run into. Relying on cached creds should be a fallback, not the norm.

                                • scottalanmiller @gjacobse

                                  @gjacobse said in Security without AD:

                                  @scottalanmiller said in Security without AD:

                                  @gjacobse said in Security without AD:

                                  But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

                                  AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.

                                  Right - if you have a large company, very handy.

                                  Actually when you get really big, the value drops off. Sharing equipment becomes less common, rather than more common.

                                  • gjacobse @scottalanmiller

                                    @scottalanmiller I have seen the case where Cached Creds cause re-mapping issues of drives. Delete the one cred, and poof... 85% of the time, nothing else is needed.

                                    • gjacobse @scottalanmiller

                                      @scottalanmiller said in Security without AD:

                                      @gjacobse said in Security without AD:

                                      @scottalanmiller said in Security without AD:

                                      @gjacobse said in Security without AD:

                                      But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

                                      AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.

                                      Right - if you have a large company, very handy.

                                      Actually when you get really big, the value drops off. Sharing equipment becomes less common, rather than more common.

                                      Eh - depends on the business model. Take any auto manufacturer: lots of PCs on the line, single use, many people. Or on the Help Desk I was on, 16 stations that got rotated by shift, not all but some.

                                      • gjacobse

                                        Sliding back to more on topic... I was asked by a fellow ham operator how I would recommend updating his shop computers, which right now are only desktops. No server, no backup, no UPS units. A few large-format printers and a CNC table.

                                        He's thinking server, but is it really needed? Storage yes, backup yes, but is all the 'high end' security really needed? No HIPAA, just job files. No mobile devices, but possibly, maybe. Oh, and (one of the) banes of IT: QuickBooks.

                                        Yeah... running QB with no UPS?? Ugh.

                                        • scottalanmiller @gjacobse

                                          @gjacobse said in Security without AD:

                                          @scottalanmiller I have seen the case where Cached Creds cause re-mapping issues of drives. Delete the one cred, and poof... 85% of the time, nothing else is needed.

                                          Why would cached creds ever be involved at a time when drives could be mapped? Something really wrong there.

                                          • scottalanmiller @gjacobse

                                            @gjacobse said in Security without AD:

                                            Sliding back to more on topic... I was asked by a fellow ham operator how I would recommend updating his shop computers, which right now are only desktops. No server, no backup, no UPS units. A few large-format printers and a CNC table.

                                            He's thinking server, but is it really needed? Storage yes, backup yes, but is all the 'high end' security really needed? No HIPAA, just job files. No mobile devices, but possibly, maybe. Oh, and (one of the) banes of IT: QuickBooks.

                                            Yeah... running QB with no UPS?? Ugh.

                                            AD is not security. AD is centralized authentication. Don't equate AD to security. AD isn't "higher end" security than other approaches. It's an authentication mechanism, yes, which is related to security, but it's just one of many password handling systems all of which are basically the same from a security standpoint.
