Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices
-
@jn19 said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
You're very correct about the automation PCs--they're a horror show as far as security goes.
They autologon with admin privileges, and they rarely get updates due to bandwidth and manageability issues. To be clear, the automation PCs don't actually need to be joined to our organization Active Directory, and it'd probably be best if they weren't. If there's a different solution available to monitor/patch/secure them, I'm all for it. Unfortunately, we're stuck with Windows, as a lot of the automation tools we have to interface with only have Windows drivers and utilities available.unfortunately it is not a good idea to keep them update. unless you can recover them.
In theory if you can filter security updates only, those machines should be NOT subject to relevant alterations, but automation software could relay on specifica behaviours (even if the imolementor doesn't know) and any change can be risky.
at least, if you have access to the machines and vendor doesn't put a veto, just keep an image of the system before any update (with stuff like veeam free agent + a recovery usb pen - made by veeam) and then and only then patch the system.manually.
I mean how many of those systems do you have?! treat them as a server patch manually and never do automatic updates on them.
just my 2 cents.
-
@jn19 said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
What's your take on the best way forward? Thanks for any help you can provide!
If you really want AD for that, having a SDN probably makes sense. Something like ZeroTier that allows your AD to exist on every device, everywhere. But to make this work in a reasonable way, you generally either want to do fancy gateway tricks or you want to use a total SDN that extends to every device you have.
-
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
-
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
-
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
-
@tim_g said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
I didn't think it was, but did not know about the account sync functionality. Thanks for the info.
-
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@tim_g said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
I didn't think it was, but did not know about the account sync functionality. Thanks for the info.
WIndows users:
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_useradd.htmlLocal group policy:
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.win_lgpo.htmlAlso, remember you can encrypt stuff in SaltStack Pillars for example, so you don't ever have to provide passwords in plain text.
-
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
No, but it manages the things that are
-
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@tim_g said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
I didn't think it was, but did not know about the account sync functionality. Thanks for the info.
That's a key feature in SodiumSuite's design. Account management across platforms.
-
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@tim_g said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
I didn't think it was, but did not know about the account sync functionality. Thanks for the info.
That's a key feature in SodiumSuite's design. Account management across platforms.
Is that available in SodiumSuite at this time?
-
@syko24 said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@tim_g said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
I didn't think it was, but did not know about the account sync functionality. Thanks for the info.
That's a key feature in SodiumSuite's design. Account management across platforms.
Is that available in SodiumSuite at this time?
Not quite, but VERY soon.
-
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@syko24 said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@tim_g said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
I didn't think it was, but did not know about the account sync functionality. Thanks for the info.
That's a key feature in SodiumSuite's design. Account management across platforms.
Is that available in SodiumSuite at this time?
Not quite, but VERY soon.
Every time I login to my account I always click on the Terminal tab hoping there will be some added functionality. Really looking forward to some of the more advanced features of the platform to be implemented.
-
@syko24 said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@syko24 said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@tim_g said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@wrx7m said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@scottalanmiller said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
@dashrender said in Implement new Active Directory across Azure, on-prem, offsite, and cell-data IoT devices:
I'm with the rest - What are you trying to accomplish with AD? Can it be accomplished with other means?
I agree, if it were me, I'd not look at AD here at all. This is where Salt or Ansible seems like a better fit.
Can salt and/or ansible be used for user/device authentication?
Salt/Ansible is not an authentication platform. It's a systems management or state configuration system.
You can use Salt/Ansible to sync accounts across devices... so that you can control what local users and passwords are on which systems.
I didn't think it was, but did not know about the account sync functionality. Thanks for the info.
That's a key feature in SodiumSuite's design. Account management across platforms.
Is that available in SodiumSuite at this time?
Not quite, but VERY soon.
Every time I login to my account I always click on the Terminal tab hoping there will be some added functionality. Really looking forward to some of the more advanced features of the platform to be implemented.
LOL, honestly I do that from time to time, too. It was actually there at one point, but wasn't tested enough and we made the devs claw it back. That's why the tab is there, because it's working in testing.
