ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    SAMIT: Do You Really Need Active Directory

    Scheduled Pinned Locked Moved IT Discussion
    samitscott alan milleryoutubeactive directory
    135 Posts 10 Posters 18.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • IRJI
      IRJ @Obsolesce
      last edited by

      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

      @IRJ said in SAMIT: Do You Really Need Active Directory:

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      @IRJ said in SAMIT: Do You Really Need Active Directory:

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      @IRJ said in SAMIT: Do You Really Need Active Directory:

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      @IRJ said in SAMIT: Do You Really Need Active Directory:

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

      100 desktops, 100 users, and they play musical charges daily - now what?

      Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

      You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

      why would you even have OD if you can prevent local storage of files?

      That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

      Thanks for pulling a scott and not reading the followup where I answered my own question - but left it there anyways for other people who might have had the same thought I originally did.

      that said - the file is still saved locally - in the cache of OD. I don't believe you can work locally with a non cached file.
      I'm prepared to be wrong that account though if you have an article from MS stating as much.

      Why would you need to use Desktop Office? Why not use Office Online?

      Because it gives you a reason to have OD installed - if you don't have any local apps using the files - then OD is pointless (at least the local application) Your files are just 'in the cloud' sure personal files are in something called OD, and shared are in Sharepoint - but again, nothing local.

      @Obsolesce would probably know for sure, but I think you can encrypt that partition and require authentication to access it.

      I would however not even bother with it. Train them to use Office Online and your OS dependency completely goes away.

      Data at rest should always be encrypted, no exceptions. We ensure all user devices are encrypted. Windows bitlocker, androids, ios, macs, everything.

      Yes but can you force authentication when access synced OD files? And by authentication I mean checking the validity of token not logging in each time.

      DashrenderD ObsolesceO 2 Replies Last reply Reply Quote 0
      • DashrenderD
        Dashrender @IRJ
        last edited by

        @IRJ said in SAMIT: Do You Really Need Active Directory:

        @Obsolesce said in SAMIT: Do You Really Need Active Directory:

        @IRJ said in SAMIT: Do You Really Need Active Directory:

        @Dashrender said in SAMIT: Do You Really Need Active Directory:

        @IRJ said in SAMIT: Do You Really Need Active Directory:

        @Dashrender said in SAMIT: Do You Really Need Active Directory:

        @IRJ said in SAMIT: Do You Really Need Active Directory:

        @Dashrender said in SAMIT: Do You Really Need Active Directory:

        @IRJ said in SAMIT: Do You Really Need Active Directory:

        @Dashrender said in SAMIT: Do You Really Need Active Directory:

        Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

        100 desktops, 100 users, and they play musical charges daily - now what?

        Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

        You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

        why would you even have OD if you can prevent local storage of files?

        That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

        Thanks for pulling a scott and not reading the followup where I answered my own question - but left it there anyways for other people who might have had the same thought I originally did.

        that said - the file is still saved locally - in the cache of OD. I don't believe you can work locally with a non cached file.
        I'm prepared to be wrong that account though if you have an article from MS stating as much.

        Why would you need to use Desktop Office? Why not use Office Online?

        Because it gives you a reason to have OD installed - if you don't have any local apps using the files - then OD is pointless (at least the local application) Your files are just 'in the cloud' sure personal files are in something called OD, and shared are in Sharepoint - but again, nothing local.

        @Obsolesce would probably know for sure, but I think you can encrypt that partition and require authentication to access it.

        I would however not even bother with it. Train them to use Office Online and your OS dependency completely goes away.

        Data at rest should always be encrypted, no exceptions. We ensure all user devices are encrypted. Windows bitlocker, androids, ios, macs, everything.

        Yes but can you force authentication when access synced OD files? And by authentication I mean checking the validity of token not logging in each time.

        Encryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...

        Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

        ObsolesceO 1 Reply Last reply Reply Quote 0
        • ObsolesceO
          Obsolesce @IRJ
          last edited by

          @IRJ said in SAMIT: Do You Really Need Active Directory:

          @Obsolesce said in SAMIT: Do You Really Need Active Directory:

          @IRJ said in SAMIT: Do You Really Need Active Directory:

          @Dashrender said in SAMIT: Do You Really Need Active Directory:

          @IRJ said in SAMIT: Do You Really Need Active Directory:

          @Dashrender said in SAMIT: Do You Really Need Active Directory:

          @IRJ said in SAMIT: Do You Really Need Active Directory:

          @Dashrender said in SAMIT: Do You Really Need Active Directory:

          @IRJ said in SAMIT: Do You Really Need Active Directory:

          @Dashrender said in SAMIT: Do You Really Need Active Directory:

          Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

          100 desktops, 100 users, and they play musical charges daily - now what?

          Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

          You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

          why would you even have OD if you can prevent local storage of files?

          That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

          Thanks for pulling a scott and not reading the followup where I answered my own question - but left it there anyways for other people who might have had the same thought I originally did.

          that said - the file is still saved locally - in the cache of OD. I don't believe you can work locally with a non cached file.
          I'm prepared to be wrong that account though if you have an article from MS stating as much.

          Why would you need to use Desktop Office? Why not use Office Online?

          Because it gives you a reason to have OD installed - if you don't have any local apps using the files - then OD is pointless (at least the local application) Your files are just 'in the cloud' sure personal files are in something called OD, and shared are in Sharepoint - but again, nothing local.

          @Obsolesce would probably know for sure, but I think you can encrypt that partition and require authentication to access it.

          I would however not even bother with it. Train them to use Office Online and your OS dependency completely goes away.

          Data at rest should always be encrypted, no exceptions. We ensure all user devices are encrypted. Windows bitlocker, androids, ios, macs, everything.

          Yes but can you force authentication when access synced OD files? And by authentication I mean checking the validity of token not logging in each time.

          I don't know, i haven't used OneDrive for Business in the enterprise for years.

          Right now, we use Google Drive, and that's 2FA enforced. But no, no need to re-login to access them.

          IRJI 1 Reply Last reply Reply Quote 0
          • IRJI
            IRJ @Obsolesce
            last edited by

            @Obsolesce said in SAMIT: Do You Really Need Active Directory:

            @IRJ said in SAMIT: Do You Really Need Active Directory:

            @Obsolesce said in SAMIT: Do You Really Need Active Directory:

            @IRJ said in SAMIT: Do You Really Need Active Directory:

            @Dashrender said in SAMIT: Do You Really Need Active Directory:

            @IRJ said in SAMIT: Do You Really Need Active Directory:

            @Dashrender said in SAMIT: Do You Really Need Active Directory:

            @IRJ said in SAMIT: Do You Really Need Active Directory:

            @Dashrender said in SAMIT: Do You Really Need Active Directory:

            @IRJ said in SAMIT: Do You Really Need Active Directory:

            @Dashrender said in SAMIT: Do You Really Need Active Directory:

            Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? really - how do you manage that?

            100 desktops, 100 users, and they play musical charges daily - now what?

            Everything they access of value is cloud based, so you only care about authentication to that service not authentication to the local system.

            You can prevent users from storing files locally on OD for example and in that case if their workstation is compromised none of the data is sensitive.

            why would you even have OD if you can prevent local storage of files?

            That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

            Thanks for pulling a scott and not reading the followup where I answered my own question - but left it there anyways for other people who might have had the same thought I originally did.

            that said - the file is still saved locally - in the cache of OD. I don't believe you can work locally with a non cached file.
            I'm prepared to be wrong that account though if you have an article from MS stating as much.

            Why would you need to use Desktop Office? Why not use Office Online?

            Because it gives you a reason to have OD installed - if you don't have any local apps using the files - then OD is pointless (at least the local application) Your files are just 'in the cloud' sure personal files are in something called OD, and shared are in Sharepoint - but again, nothing local.

            @Obsolesce would probably know for sure, but I think you can encrypt that partition and require authentication to access it.

            I would however not even bother with it. Train them to use Office Online and your OS dependency completely goes away.

            Data at rest should always be encrypted, no exceptions. We ensure all user devices are encrypted. Windows bitlocker, androids, ios, macs, everything.

            Yes but can you force authentication when access synced OD files? And by authentication I mean checking the validity of token not logging in each time.

            I don't know, i haven't used OneDrive for Business in the enterprise for years.

            Right now, we use Google Drive, and that's 2FA enforced. But no, no need to re-login to access them.

            I would assume it's managed through in tune

            1 Reply Last reply Reply Quote 0
            • ObsolesceO
              Obsolesce @Dashrender
              last edited by

              @Dashrender said in SAMIT: Do You Really Need Active Directory:

              ncryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
              Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

              That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

              DashrenderD 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @Obsolesce
                last edited by

                @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                @Dashrender said in SAMIT: Do You Really Need Active Directory:

                ncryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                Does windows boot before a login is done by the user? If yes, how in an offline mode are you preventing bruteforce attacks? of course they would be so slow - who really cares?

                ObsolesceO 1 Reply Last reply Reply Quote 0
                • ObsolesceO
                  Obsolesce @Dashrender
                  last edited by

                  @Dashrender said in SAMIT: Do You Really Need Active Directory:

                  @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                  @Dashrender said in SAMIT: Do You Really Need Active Directory:

                  ncryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                  Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                  That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                  Does windows boot before a login is done by the user? If yes, how in an offline mode are you preventing bruteforce attacks? of course they would be so slow - who really cares?

                  Huh? It's not like you can boot the machine to Windows login screen, and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a wide spread one. If it's stolen, it's remote wiped as well.

                  DashrenderD JaredBuschJ 2 Replies Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @Obsolesce
                    last edited by

                    @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                    @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                    ncryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                    Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                    That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                    Does windows boot before a login is done by the user? If yes, how in an offline mode are you preventing bruteforce attacks? of course they would be so slow - who really cares?

                    Huh? It's not like you can boot the machine to Windows login screen, and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a wide spread one. If it's stolen, it's remote wiped as well.

                    I was curious if the local TPM (which I assume holds the Bitlocker Key) has to be unlocked before the computer will boot. If yes, then bruteforce attacks against the Windows logon can't happen in a stolen machine, if not - they can.

                    Of course, the drive is encrypted - so if it's removed and placed in another computer now you have to brute force the drive encryption - like much harder.

                    JaredBuschJ ObsolesceO 2 Replies Last reply Reply Quote 1
                    • JaredBuschJ
                      JaredBusch @Dashrender
                      last edited by

                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                      ncryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                      Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                      That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                      Does windows boot before a login is done by the user? If yes, how in an offline mode are you preventing bruteforce attacks? of course they would be so slow - who really cares?

                      Huh? It's not like you can boot the machine to Windows login screen, and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a wide spread one. If it's stolen, it's remote wiped as well.

                      I was curious if the local TPM (which I assume holds the Bitlocker Key) has to be unlocked before the computer will boot. If yes, then bruteforce attacks against the Windows logon can't happen in a stolen machine, if not - they can.

                      Of course, the drive is encrypted - so if it's removed and placed in another computer now you have to brute force the drive encryption - like much harder.

                      Exactly this.

                      ObsolesceO 1 Reply Last reply Reply Quote 0
                      • ObsolesceO
                        Obsolesce @JaredBusch
                        last edited by

                        This post is deleted!
                        1 Reply Last reply Reply Quote 0
                        • ObsolesceO
                          Obsolesce @Dashrender
                          last edited by Obsolesce

                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                          @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                          @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                          @Dashrender said in SAMIT: Do You Really Need Active Directory:

                          ncryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                          Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                          That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                          Does windows boot before a login is done by the user? If yes, how in an offline mode are you preventing bruteforce attacks? of course they would be so slow - who really cares?

                          Huh? It's not like you can boot the machine to Windows login screen, and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a wide spread one. If it's stolen, it's remote wiped as well.

                          I was curious if the local TPM (which I assume holds the Bitlocker Key) has to be unlocked before the computer will boot. If yes, then bruteforce attacks against the Windows logon can't happen in a stolen machine, if not - they can.

                          Of course, the drive is encrypted - so if it's removed and placed in another computer now you have to brute force the drive encryption - like much harder.

                          BitLocker using TPM only protects it if the drive is taken out. Using it with a PIN adds some more protection, but the point is encryption at rest. Not to keep you out of the OS.

                          It's not meant to protect your data while Windows is running.

                          @Dashrender what are you trying to get at? What scenario?

                          JaredBuschJ 1 Reply Last reply Reply Quote 0
                          • JaredBuschJ
                            JaredBusch @Obsolesce
                            last edited by

                            @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                            If it's stolen, it's remote wiped as well.

                            Not they are not. To be remote wiped, they must be online.
                            To be online, they must be booted. and connected to the internet.

                            A laptop is stolen for 2 reasons.

                            1. Someone wants to get your data.
                            2. Someone made an opportunity swipe and doesn't care about your data.

                            In scenario 1, the machine is never brought online when booted. So it is never wiped.

                            In scenario 2, the idiot drops it at pawn shop for $50. The pawn shop boots it once to see if they got lucky and have an unsecured device that they may get data from. Then they wipe it to a factory Windows install.

                            So your tool may wipe it in scenario 2. but they pawn shop doesn't care. They were going to wipe it anyway.

                            ObsolesceO 1 Reply Last reply Reply Quote 1
                            • JaredBuschJ
                              JaredBusch @Obsolesce
                              last edited by

                              @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                              @Dashrender said in SAMIT: Do You Really Need Active Directory:

                              @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                              @Dashrender said in SAMIT: Do You Really Need Active Directory:

                              @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                              @Dashrender said in SAMIT: Do You Really Need Active Directory:

                              ncryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                              Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                              That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                              Does windows boot before a login is done by the user? If yes, how in an offline mode are you preventing bruteforce attacks? of course they would be so slow - who really cares?

                              Huh? It's not like you can boot the machine to Windows login screen, and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a wide spread one. If it's stolen, it's remote wiped as well.

                              I was curious if the local TPM (which I assume holds the Bitlocker Key) has to be unlocked before the computer will boot. If yes, then bruteforce attacks against the Windows logon can't happen in a stolen machine, if not - they can.

                              Of course, the drive is encrypted - so if it's removed and placed in another computer now you have to brute force the drive encryption - like much harder.

                              BitLocker using TPM only protects it if the drive is taken out. Using it with a PIN adds some more protection, but the point is encryption at rest. Not to keep you out of the OS.

                              It's not meant to protect your data while Windows is running.

                              @Dashrender what are you trying to get at? What scenario?

                              The entire point was a stolen device.

                              1 Reply Last reply Reply Quote 0
                              • ObsolesceO
                                Obsolesce @JaredBusch
                                last edited by

                                @JaredBusch said in SAMIT: Do You Really Need Active Directory:

                                In scenario 1, the machine is never brought online when booted. So it is never wiped.

                                Obviously...

                                So in this case there's two options:

                                1. Boot the device and come to the Windows logon screen.
                                2. Take the drive out / live boot to something else.

                                Scenario 1: Good luck!
                                Scenario 2: BitLockered out, again, good luck!

                                JaredBuschJ 1 Reply Last reply Reply Quote 0
                                • JaredBuschJ
                                  JaredBusch @Obsolesce
                                  last edited by JaredBusch

                                  @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                  @JaredBusch said in SAMIT: Do You Really Need Active Directory:

                                  In scenario 1, the machine is never brought online when booted. So it is never wiped.

                                  Obviously...

                                  So in this case there's two options:

                                  1. Boot the device and come to the Windows logon screen.
                                  2. Take the drive out / live boot to something else.

                                  Scenario 1: Good luck!
                                  Scenario 2: BitLockered out, again, good luck!

                                  You are obviously having a hard time grasping things here.

                                  Scenario 1 is people that know what they are doing. there is no good luck required.
                                  Scenario 2 is people that don't give a fuck about what data is on the machine.

                                  ObsolesceO 2 Replies Last reply Reply Quote 0
                                  • ObsolesceO
                                    Obsolesce @JaredBusch
                                    last edited by Obsolesce

                                    @JaredBusch said in SAMIT: Do You Really Need Active Directory:

                                    @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                    @JaredBusch said in SAMIT: Do You Really Need Active Directory:

                                    In scenario 1, the machine is never brought online when booted. So it is never wiped.

                                    Obviously...

                                    So in this case there's two options:

                                    1. Boot the device and come to the Windows logon screen.
                                    2. Take the drive out / live boot to something else.

                                    Scenario 1: Good luck!
                                    Scenario 2: BitLockered out, again, good luck!

                                    You are obviously having a hard time grasping things here.

                                    Scenario 1 is people that know what they are doing. there is no good luck required.
                                    Scenario 2 is people that don't give a fuck about what data is on the machine.

                                    You misunderstood my post. The entire post was regarding your scenario 1, as I quoted it, and only that.

                                    Both of my listed options and scenarios were in regards to your scenario 1.

                                    1 Reply Last reply Reply Quote 0
                                    • ObsolesceO
                                      Obsolesce @JaredBusch
                                      last edited by

                                      @JaredBusch said in SAMIT: Do You Really Need Active Directory:

                                      Scenario 1 is people that know what they are doing. there is no good luck required.

                                      And, you have no idea what you are talking about!

                                      1 Reply Last reply Reply Quote 0
                                      • coliverC
                                        coliver @Dashrender
                                        last edited by

                                        @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                        I am surprised that MS didn't come out with a better solution for this ages ago. That whole Direct Connect or whatever it was called - phone home VPN solution they have for Enterprise edition only - what a kluge.

                                        They are working on phasing this out. DirectAccess was a kludge that is being replaced by Always-On-VPN. Which works on versions of Windows Professional and Up and requires very little outside of a certificate and Group Policies (or Intune).

                                        1 Reply Last reply Reply Quote 0
                                        • 1
                                        • 2
                                        • 3
                                        • 4
                                        • 5
                                        • 6
                                        • 7
                                        • 7 / 7
                                        • First post
                                          Last post