    Security without AD

    IT Discussion
    21 Posts 5 Posters 1.7k Views
    • scottalanmillerS
      scottalanmiller @dbeato
      last edited by

      @dbeato said in Security without AD:

      It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also this assumes you are only using Windows as your platform.

      You can use other systems such as JumpCloud and other AD cloud replacements and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.

      Security options should be based on the industry, platform and size of the company.

      You can also use remote scripts, say with PowerShell, or you could use tools like Ansible.

      gjacobseG 1 Reply Last reply Reply Quote 0
      • DashrenderD
        Dashrender
        last edited by

        I thought someone was trying to do all that control stuff with Salt recently?

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @scottalanmiller
          last edited by

          @scottalanmiller said in Security without AD:

          @gjacobse said in Security without AD:

          There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

          • Password policy
          • Lock out policy
          • Group Policy

          Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

          Isn't this a problem on nearly any cached creds system? It would seem like a huge problem to change centralized passwords while being offline.
          I suppose a good security option would be a kill switch on a timer, i.e. not online for 30 days (or whatever) and the system won't allow non-admin logon until it talks to the central host.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @Dashrender
            last edited by

            @Dashrender said in Security without AD:

            I thought someone was trying to do all that control stuff with Salt recently?

            Salt, Ansible, Chef, Puppet, cfengine, PS scripts, you name it. Many ways to skin that cat.

            1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said in Security without AD:

              @scottalanmiller said in Security without AD:

              @gjacobse said in Security without AD:

              There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

              • Password policy
              • Lock out policy
              • Group Policy

              Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

              Isn't this a problem on nearly any cached creds system? It would seem like a huge problem to change centralized passwords while being offline.
              I suppose a good security option would be a kill switch on a timer, i.e. not online for 30 days (or whatever) and the system won't allow non-admin logon until it talks to the central host.

              Yes, which is why only locally controlled mechanisms can get past that limitation. No great answer to offline systems.

              1 Reply Last reply Reply Quote 0
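The "kill switch on a timer" suggested above, and the reply that only a locally controlled mechanism can work offline, can be put together as a scheduled PowerShell script on a non-domain-joined machine. The following is an added example, not code from the thread or any of its participants: it records the last time the central host answered in a registry key under HKLM, disables every enabled local user that is not an Administrators member once that timestamp is older than the limit, and re-enables exactly those accounts when contact returns. The host name, port, registry key and task name are constructed placeholders; it assumes PowerShell 5.1 or later with the LocalAccounts module (Windows 10 / Server 2016 onward) and runs as SYSTEM.

```powershell
# Added example, not code from the thread or its participants: a local "offline
# kill switch" for a non-domain-joined Windows machine. Run daily by a scheduled
# task, it records the last time the central host answered; once that is older
# than $MaxOfflineDays it disables every enabled local user that is not in the
# Administrators group, and it re-enables exactly those accounts when contact
# returns. Assumed: PowerShell 5.1+ with the LocalAccounts module (Windows 10 /
# Server 2016 or later), running as SYSTEM. The host name, port and registry
# key below are constructed placeholders.
param(
    [string]$CentralHost    = 'mgmt.example.internal',      # placeholder
    [int]   $Port           = 443,
    [int]   $MaxOfflineDays = 30,
    [string]$StateKey       = 'HKLM:\SOFTWARE\OfflineGuard',
    [switch]$Install                                        # register the daily task and exit
)

function Test-CentralHost {
    # Reachability only: a completed TCP handshake does not prove who answered.
    # In a real deployment swap this for an authenticated request (an HTTPS call
    # whose certificate chain is validated) so a rogue host on a hotel or
    # hospital network cannot keep the timer reset.
    Test-NetConnection -ComputerName $CentralHost -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
}

function Get-NonAdminLocalUsers {
    $adminSids = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object ObjectClass -eq 'User' |
        ForEach-Object { $_.SID.Value }
    Get-LocalUser | Where-Object { $_.Enabled -and $adminSids -notcontains $_.SID.Value }
}

function Invoke-OfflineGuard {
    if (-not (Test-Path $StateKey)) { New-Item -Path $StateKey -Force | Out-Null }
    $state = Get-ItemProperty -Path $StateKey
    $now   = Get-Date

    if (Test-CentralHost) {
        Set-ItemProperty -Path $StateKey -Name LastContact -Value $now.ToString('o')
        # Restore only what this script disabled, never accounts disabled by hand.
        foreach ($sid in @($state.DisabledSids)) {
            if ($sid) { Get-LocalUser | Where-Object { $_.SID.Value -eq $sid } | Enable-LocalUser }
        }
        Remove-ItemProperty -Path $StateKey -Name DisabledSids -ErrorAction SilentlyContinue
        return "online; timer reset at $now"
    }

    if (-not $state.LastContact) {
        # First run while offline: start the clock rather than locking out immediately.
        Set-ItemProperty -Path $StateKey -Name LastContact -Value $now.ToString('o')
        return 'offline; no prior contact recorded, clock started'
    }

    $days = ($now - [datetime]::Parse($state.LastContact)).TotalDays
    if ($days -lt $MaxOfflineDays) { return ('offline for {0:N1} days; within limit' -f $days) }

    $toDisable = @(Get-NonAdminLocalUsers)
    $toDisable | Disable-LocalUser
    $sids = @(@($state.DisabledSids) + ($toDisable | ForEach-Object { $_.SID.Value }) |
              Where-Object { $_ } | Select-Object -Unique)
    if ($sids.Count -gt 0) {
        Set-ItemProperty -Path $StateKey -Name DisabledSids -Value ([string[]]$sids) -Type MultiString
    }
    return ('offline for {0:N0} days; disabled: {1}' -f $days, ($toDisable.Name -join ', '))
}

function Install-OfflineGuardTask {
    # Daily task as SYSTEM; the key under HKLM is writable only by administrators,
    # so a standard user cannot reset the timer or the disabled-account list.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '08:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'OfflineGuard' -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

if ($Install) { Install-OfflineGuardTask } else { Invoke-OfflineGuard }
```

Run it once with `-Install` from an elevated prompt to register the daily task; every later run is the guard itself. Two limits follow from the thread's own point about local mechanisms: a user who is already a local administrator can delete the key or the task, so the accounts that matter must not be in Administrators, and the reachability check only resets the timer, it never re-validates anyone's password, so the account lockout and password policy still have to be enforced locally.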
              • gjacobseG
                gjacobse @scottalanmiller
                last edited by

                @scottalanmiller said in Security without AD:

                @gjacobse said in Security without AD:

                There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

                • Password policy
                • Lock out policy
                • Group Policy

                Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

                Ah but that throws a wrench - those that travel are limited to cached creds most of the time. It's not practical or reliable to have the VPN connect prior to authentication as the VPN may be blocked at whatever site you are currently at - Yes, it does happen.. had it happen to someone from a hospital.

                So in that case, what do you fall back to?

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • gjacobseG
                  gjacobse @scottalanmiller
                  last edited by

                  @scottalanmiller said in Security without AD:

                  @gjacobse said in Security without AD:

                  But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

                  AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.

                  Right - if you have a large company - very handy

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • gjacobseG
                    gjacobse @scottalanmiller
                    last edited by

                    @scottalanmiller said in Security without AD:

                    @dbeato said in Security without AD:

                    It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also this assumes you are only using Windows as your platform.

                    You can use other systems such as JumpCloud and other AD cloud replacements and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.

                    Security options should be based on the industry, platform and size of the company.

                    You can also use remote scripts, say with PowerShell, or you could use tools like Ansible.

                    I have only done a few PS scripts,.. and nothing with Ansible yet.

                    1 Reply Last reply Reply Quote 0
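The quoted post suggests remote PowerShell scripts as one way to apply password and lockout policy without AD, and the thread's earlier point is that on a workgroup machine only a locally applied policy keeps working offline. Here is an added example of that, not code from the thread or any of its participants: a function that writes a local account policy through the built-in secedit tool, reads the effective settings back, and is then pushed to several workgroup machines with PowerShell Remoting. It assumes PowerShell 5.1 or later, WinRM enabled on the targets, and an account with local admin rights on each; the host names are constructed.

```powershell
# Added example, not code from the thread or its participants: apply a local
# password and lockout policy to non-domain-joined Windows machines with the
# built-in secedit tool, then push the same function to several hosts with
# PowerShell Remoting. Assumed: PowerShell 5.1+, WinRM enabled on the targets,
# and an account with local admin rights on each. Host names are constructed.

function Set-LocalAccountPolicy {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength  = 14,
        [int]$MaxPasswordAgeDays = 90,
        [int]$PasswordHistory    = 10,
        [int]$LockoutThreshold   = 10,   # failed attempts before lockout
        [int]$LockoutMinutes     = 15    # lockout duration and reset window
    )

    # secedit consumes an .inf security template; [System Access] carries the
    # password and lockout settings. Single-quoted here-string so that the
    # literal $CHICAGO$ signature is not expanded as a variable.
    $template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = {0}
MaximumPasswordAge = {1}
MinimumPasswordAge = 1
PasswordHistorySize = {2}
PasswordComplexity = 1
LockoutBadCount = {3}
ResetLockoutCount = {4}
LockoutDuration = {4}
[Version]
signature="$CHICAGO$"
Revision=1
'@ -f $MinPasswordLength, $MaxPasswordAgeDays, $PasswordHistory, $LockoutThreshold, $LockoutMinutes

    $inf = Join-Path $env:TEMP 'local-account-policy.inf'
    $db  = Join-Path $env:TEMP 'local-account-policy.sdb'
    Set-Content -Path $inf -Value $template -Encoding Unicode

    # /areas SECURITYPOLICY restricts the import to account policy; nothing else
    # in the template is touched. Requires an elevated session.
    $out = & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet 2>&1
    if ($LASTEXITCODE -ne 0) { throw "secedit failed on $env:COMPUTERNAME`: $out" }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue

    # Read the effective policy back so the caller verifies the change rather
    # than trusting the exit code.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Policy   = (& net.exe accounts) -match 'password|lockout'
    }
}

# Usage: apply locally ...
Set-LocalAccountPolicy | Format-List

# ... or push to workgroup machines over WinRM. Workgroup hosts are not
# Kerberos peers, so the client must list them as TrustedHosts first, e.g.
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'shop-pc-01,shop-pc-02'
$targets = 'shop-pc-01', 'shop-pc-02'                 # constructed names
$cred    = Get-Credential -Message 'Local admin on the shop PCs'
Invoke-Command -ComputerName $targets -Credential $cred `
    -ScriptBlock ${function:Set-LocalAccountPolicy} `
    -ArgumentList 14, 90, 10, 10, 15 |
    Format-List Computer, Policy
```

Because the policy lands in the local security database, it keeps applying when the machine is away from the network, which is the property the thread wants from a non-AD setup. The same function body drops into an Ansible `win_shell` task or any other push tool without change; what the remote layer adds is only scheduling and inventory.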
                    • scottalanmillerS
                      scottalanmiller @gjacobse
                      last edited by

                      @gjacobse said in Security without AD:

                      @scottalanmiller said in Security without AD:

                      @gjacobse said in Security without AD:

                      There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.

                      • Password policy
                      • Lock out policy
                      • Group Policy

                      Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.

                      Ah but that throws a wrench - those that travel are limited to cached creds most of the time. It's not practical or reliable to have the VPN connect prior to authentication as the VPN may be blocked at whatever site you are currently at - Yes, it does happen.. had it happen to someone from a hospital.

                      So in that case, what do you fall back to?

                      This isn't really much of a problem in the modern world. Maybe some VPNs from ages past, but this isn't something that people normally run into. Relying on cached creds should be a fallback, not the norm.

                      gjacobseG 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @gjacobse
                        last edited by

                        @gjacobse said in Security without AD:

                        @scottalanmiller said in Security without AD:

                        @gjacobse said in Security without AD:

                        But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

                        AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.

                        Right - if you have a large company - very handy

                        Actually when you get really big, the value drops off. Sharing equipment becomes less common, rather than more common.

                        gjacobseG 1 Reply Last reply Reply Quote 0
                        • gjacobseG
                          gjacobse @scottalanmiller
                          last edited by

                          @scottalanmiller I have seen the case where Cached Creds cause re-mapping issues of drives. Delete the one cred, and poof... 85% of the time, nothing else is needed.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • gjacobseG
                            gjacobse @scottalanmiller
                            last edited by

                            @scottalanmiller said in Security without AD:

                            @gjacobse said in Security without AD:

                            @scottalanmiller said in Security without AD:

                            @gjacobse said in Security without AD:

                            But if you are an SMB in the trade industry, why have AD at all? Is it not a waste of resources?

                            AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.

                            Right - if you have a large company - very handy

                            Actually when you get really big, the value drops off. Sharing equipment becomes less common, rather than more common.

                            Eh - Depends on the business model. Take any auto manufacturer - lots of PCs on the line, single use, many people. Or on the Help Desk I was on - 16 stations that got rotated by shift,.. not all but some.

                            1 Reply Last reply Reply Quote 0
                            • gjacobseG
                              gjacobse
                              last edited by

                              Sliding back to more on topic.. I was asked by a fellow Ham Operator how I would recommend updating his shop computers, which right now is only desktops. No server, no backup, no UPS units. A few large format printers and a CNC table.

                              He's thinking Server - but is it really needed? Storage yes, backup yes, but is all the 'high end' security really needed - No HIPAA, just job files. No mobile devices, but possibly, maybe. Oh, and (one of the) banes of IT - QuickBooks.

                              Yea,.. running QB with no UPS?? Ugh..

                              scottalanmillerS 1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @gjacobse
                                last edited by

                                @gjacobse said in Security without AD:

                                @scottalanmiller I have seen the case where Cached Creds cause re-mapping issues of drives. Delete the one cred, and poof... 85% of the time, nothing else is needed.

                                Why would cached creds ever be involved at a time when drives could be mapped? Something really wrong there.

                                1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @gjacobse
                                  last edited by

                                  @gjacobse said in Security without AD:

                                  Sliding back to more on topic.. I was asked by a fellow Ham Operator how I would recommend updating his shop computers, which right now is only desktops. No server, no backup, no UPS units. A few large format printers and a CNC table.

                                  He's thinking Server - but is it really needed? Storage yes, backup yes, but is all the 'high end' security really needed - No HIPAA, just job files. No mobile devices, but possibly, maybe. Oh, and (one of the) banes of IT - QuickBooks.

                                  Yea,.. running QB with no UPS?? Ugh..

                                  AD is not security. AD is centralized authentication. Don't equate AD to security. AD isn't "higher end" security than other approaches. It's an authentication mechanism, yes, which is related to security, but it's just one of many password handling systems all of which are basically the same from a security standpoint.

                                  1 Reply Last reply Reply Quote 1
                                  • DashrenderD
                                    Dashrender
                                    last edited by

                                    Agreed with Scott, AD while one option, definitely not the only one.

                                    You could use an MDM solution like Intune or the one JB uses (can't recall the name).

                                    If you take AD off the table what are the list of things you need to accomplish and let's see what we can do to get solutions for those things.

                                    1 Reply Last reply Reply Quote 1