
    domain controller in the cloud for small office?

    IT Discussion, 120 Posts, 17 Posters, 13.1k Views
    • bigbear @Obsolesce

      @tim_g said in domain controller in the cloud for small office?:

      There's a difference between Azure AD and running a DC on a VPS.

      Azure AD doesn't use Kerberos or NTLM and is meant to work with web-based services such as O365 and salesforce using SSO.

      WinServer AD isn't meant to work with online services, although there are ways and through federation.

      They are different and it's important to know where they fit in.

      In the beginning Azure AD looked like a web service to replace ADAM (I think it was called) but it definitely evolved beyond that with Windows login support.

      I remember feeling very clever when I discovered Azure Domain Services, I mean it works great with servers on Azure. When I discovered the base charge was $90/month I was pretty much done with Azure for small business ideas.

      • stacksofplates @PenguinWrangler

        @penguinwrangler said in domain controller in the cloud for small office?:

        My friend who is a tech director for my kids school is having his budget slashed by a superintendent who doesn't think that much of technology. About 750 kids in the district (rural area) he has about 400-500 machines to manage. His budget is $20,000 for the year. So we are moving him to all open source. Moving from Novell eDirectory to a Samba 4 domain. Doing anything and everything to save him money.

        Identity Management (FreeIPA) would be great if you want to expose the kids to Linux.

        One of the easiest things I’ve ever set up.

        • larsen161 @Mike Davis

          @mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?

          How do you create a password change policy that gets enforced without a domain controller?

          • larsen161

            From what I have ever seen there is no mention of the requirement of invalidating passwords after any period of time. I have seen the following mention about passwords but this is all. Requiring users to change passwords is generally bad practice. Only change them when a security incident is suspected or known.

            45 CFR Subtitle A §164.308 (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

            • larsen161

              For 8 computers use a cloud based LDAP like JumpCloud. It's free for <10 users but as many computers as you have. You install the agent which can then push standard user profiles to the machines. Passwords of the user are managed in JumpCloud for the devices. It also has a RADIUS service for quick deployment to APs.

              • larsen161 @scottalanmiller

                @scottalanmiller said in domain controller in the cloud for small office?:

                They are on here, on SW, were at SpiceWorld with a booth, too. Seems like a cool product.

                who from JumpCloud is on here?

                • larsen161 @Dashrender

                  Chromebooks for HIPAA are an ideal solution. They tick all the boxes for encryption and security, and then you have Citrix/VMWare/AWS, Chrome Apps/Extensions, and Android Apps for pretty much anything you think you can't do on one but can.

                  @dashrender said in domain controller in the cloud for small office?:

                  Remember, LANLess is the desire now.. so no local servers unless absolutely required - use things like ODfB or Nextcloud.

                  • Mike Davis @larsen161

                    @larsen161 said in domain controller in the cloud for small office?:

                    @mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?

                    From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.

                    It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.

                    Do you have a sample policy (or just that part) that you could share to replace the complexity and change requirement?

                    • larsen161 @Mike Davis

                      @mike-davis This is what we're meant to be doing before mainstream media makes it popular 🙂

                      I don't have a sample policy but that should be easy to change. Take the requirement for complexity away, give users more characters to use (Unicode), require slightly longer password lengths (10+ for example), enforce 2FA through physical keys if possible (not SMS or app based, to remove the social engineering aspect of obtaining a code), and check passwords against dictionary words.

                      There's a lovely 2011 study from CMU, "Of Passwords and People: Measuring the Effect of Password-Composition Policies", that goes on to say quite a lot supporting the NIST publication:

                      • "Less predictably, basic16 proved better than the comparable strength comprehensive8 in several respects."
                      • "The comprehensive8 policy condition proved by far the most difficult, as only 17.7% of users in this condition could create a password in one try. By contrast, 52.7%, 56.6%, 88.6%, and 84.8% of participants in the basic16, dictionary8, basic8, and basic8survey conditions respectively created an acceptable password in one try."
                      • "A significantly greater proportion (50%) of comprehensive8 participants stored their passwords than in all other conditions; and basic16 participants were significantly more likely to store (33%) than basic8 and basic8survey participants (26% and 17% respectively)"
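A password acceptance check that implements the rules larsen161 lists above (a minimum length of 10, any Unicode character allowed, no composition rules, rejection of dictionary words and known-breached passwords, and no expiry rule at all), written in Python as an added example for this page. It is not code from the thread or from any product mentioned in it. The dictionary and breached-password sets are constructed for illustration, and the leet-speak substitution table used to catch "P@ssw0rd" is an assumption of the example, not something the post specifies.

```python
"""Password acceptance check in the style described in the post above.

Added example for this page, not from the thread. Accepts any Unicode, has no
composition (complexity) rules and no expiry, but rejects short passwords,
dictionary words, known-breached passwords and passwords containing the
username. The word lists are constructed for illustration only.
"""
import unicodedata
from typing import List, Set

MIN_LENGTH = 10     # larsen161 suggests 10+; NIST SP 800-63B requires at least 8
MAX_LENGTH = 128    # generous upper bound so long passphrases are not penalised

# Constructed sample lists. In production load a real dictionary and a breach
# corpus (e.g. the HIBP pwned-passwords hashes) rather than these few entries.
DICTIONARY_WORDS: Set[str] = {"password", "welcome", "summer", "hospital", "letmein"}
BREACHED_PASSWORDS: Set[str] = {"password1", "qwerty123", "iloveyou", "summer2018"}

# Assumed leet-speak map so "p@ssw0rd" is also compared as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                       "$": "s", "5": "s", "7": "t"})
_DIGITS = "0123456789"


def normalize(password: str) -> str:
    """NFKC-normalise so the same Unicode text always compares equal."""
    return unicodedata.normalize("NFKC", password)


def _variants(lowered: str) -> Set[str]:
    """Forms of the password to compare against the word lists: alphanumerics
    only, with and without leet decoding, and with trailing digits removed
    (so "summer2018" is also checked as "summer")."""
    plain = "".join(ch for ch in lowered if ch.isalnum())
    decoded = "".join(ch for ch in lowered.translate(_LEET) if ch.isalnum())
    out: Set[str] = set()
    for form in (plain, decoded):
        out.add(form)
        out.add(form.rstrip(_DIGITS))
    out.discard("")
    return out


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = normalize(candidate)
    lowered = pw.lower()
    variants = _variants(lowered) | {lowered}
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if variants & BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if variants & DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if pw and len(set(pw)) == 1:
        problems.append("is a single repeated character")
    return problems


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "P@ssw0rd!!",
                   "Summer2018!", "short", "Grüße aus Köln 2019"):
        verdict = check_password(sample) or ["accepted"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Note what is absent: there is no "must contain a digit and a symbol" rule and no maximum age, which is exactly the point of the post. The classic complexity-compliant "P@ssw0rd!!" is still rejected because the leet-decoded form is a dictionary word, while a plain four-word passphrase and a German phrase with non-ASCII letters are both accepted.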
                      • larsen161 @Mike Davis

                        @mike-davis said in domain controller in the cloud for small office?:

                        @larsen161 said in domain controller in the cloud for small office?:

                        @mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?

                        From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.

                        It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.

                        Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                        Having a policy that just says, we will make users have a password and advise them to never share with anyone, sounds so much simpler.

                        • larsen161

                          There's a follow up study to that other one I linked to from the same/similar group of people at CMU: "Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms".

                          • scottalanmiller @Mike Davis

                            @mike-davis said in domain controller in the cloud for small office?:

                            @larsen161 said in domain controller in the cloud for small office?:

                            @mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?

                            From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.

                            It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.

                            Do you have a sample policy (or just that part) that you could share to replace the complexity and change requirement?

                            That's been very well known in IT for a very long time that that mass media backwards security policy was wrong. Sure, in Hollywood they are still just figuring that out, but in IT it's been understood that rapid password changes were a direct attack on security for a decade or more. Really, ever since they were first implemented. That there are things like minimum password change lengths and stuff like that are actually demonstrable proof that the system was known to be flawed in that way. So that goes back to 2000 at a minimum in the official MS documents.

                            • scottalanmiller @larsen161

                              @larsen161 said in domain controller in the cloud for small office?:

                              Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                              HIPAA just requires "good practice", nothing specific.

                              • Dashrender @larsen161

                                @larsen161 said in domain controller in the cloud for small office?:

                                Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                                That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.

                                • larsen161 @Dashrender

                                  @dashrender I'm not trying to understate it, just using the HIPAA terms, it's either addressable or required. definitions of the terms

                                  • scottalanmiller @Dashrender

                                    @dashrender said in domain controller in the cloud for small office?:

                                    @larsen161 said in domain controller in the cloud for small office?:

                                    Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                                    That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.

                                    Can you go above and beyond?

                                    • Dashrender @scottalanmiller

                                      @scottalanmiller said in domain controller in the cloud for small office?:

                                      @dashrender said in domain controller in the cloud for small office?:

                                      @larsen161 said in domain controller in the cloud for small office?:

                                      Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                                      That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.

                                      Can you go above and beyond?

                                      I feel like this is a trick question.

                                      • scottalanmiller @Dashrender

                                        @dashrender said in domain controller in the cloud for small office?:

                                        @scottalanmiller said in domain controller in the cloud for small office?:

                                        @dashrender said in domain controller in the cloud for small office?:

                                        @larsen161 said in domain controller in the cloud for small office?:

                                        Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                                        That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.

                                        Can you go above and beyond?

                                        I feel like this is a trick question.

                                        Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?

                                        • Dashrender @scottalanmiller

                                          @scottalanmiller said in domain controller in the cloud for small office?:

                                          @dashrender said in domain controller in the cloud for small office?:

                                          @scottalanmiller said in domain controller in the cloud for small office?:

                                          @dashrender said in domain controller in the cloud for small office?:

                                          @larsen161 said in domain controller in the cloud for small office?:

                                          Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                                          That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.

                                          Can you go above and beyond?

                                          I feel like this is a trick question.

                                          Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?

                                          Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.

                                          • scottalanmiller @Dashrender

                                            @dashrender said in domain controller in the cloud for small office?:

                                            @scottalanmiller said in domain controller in the cloud for small office?:

                                            @dashrender said in domain controller in the cloud for small office?:

                                            @scottalanmiller said in domain controller in the cloud for small office?:

                                            @dashrender said in domain controller in the cloud for small office?:

                                            @larsen161 said in domain controller in the cloud for small office?:

                                            Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.

                                            That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.

                                            Can you go above and beyond?

                                            I feel like this is a trick question.

                                            Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?

                                            Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.

                                            So you are saying that they have an addressable policy, meaning that they accept excuses for not having a policy?
