Security without AD
-
There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.
- Password policy
- Lock out policy
- Group Policy
While not all SMBs have Security Policies like HIPAA or SOX that they have to adhere to, a company of Trade (HVAC, Plumbing, Electrical) won't have but say two 'classes' of employee, Finance and Tech, so basic password(s) should be enough.
But if you are a SMB in the trade industry, why have AD at all? Is it not a waste of resources?
-
It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also this assumes you are only using Windows as your platform.
You can use other systems such as JumpCloud and other AD cloud replacements and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.
Security options should be based on the industry, platform and size of the company.
-
Authentication, you can look at many other options.
Now as for central management, device control, update management, there are also lots of third party solutions, so instead of rolling AD, you'd roll with an MDM style solution where instead of using pre-made group policies, you start pushing PowerShell scripts.
-
@gjacobse said in Security without AD:
There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.
- Password policy
- Lock out policy
- Group Policy
Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.
-
@gjacobse said in Security without AD:
But if you are a SMB in the trade industry, why have AD at all? Is it not a waste of resources?
AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.
-
@dbeato said in Security without AD:
It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also this assumes you are only using Windows as your platform.
You can use other systems such as JumpCloud and other AD cloud replacements and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.
Security options should be based on the industry, platform and size of the company.
You can also use remote scripts, say with PowerShell, or you could use tools like Ansible.
-
I thought someone was trying to do all that control stuff with Salt recently?
-
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.
- Password policy
- Lock out policy
- Group Policy
Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.
Isn't this a problem on nearly any cached creds system? It would seem like a huge problem to change centralized passwords while being offline.
I suppose a good security option would be a kill switch on timer, i.e. Not online for 30 days (or whatever) and the system won't allow non admin logon until it talks to the central host.
-
@Dashrender said in Security without AD:
I thought someone was trying to do all that control stuff with Salt recently?
Salt, Ansible, Chef, Puppet, cfengine, PS scripts, you name it. Many ways to skin that cat.
-
@Dashrender said in Security without AD:
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.
- Password policy
- Lock out policy
- Group Policy
Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.
Isn't this a problem on nearly any cached creds system? It would seem like a huge problem to change centralized passwords while being offline.
I suppose a good security option would be a kill switch on timer, i.e. Not online for 30 days (or whatever) and the system won't allow non admin logon until it talks to the central host.
Yes, which is why only locally controlled mechanisms can get past that limitation. No great answer to offline systems.
-
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.
- Password policy
- Lock out policy
- Group Policy
Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.
Ah but that throws a wrench - those that travel are limited to cached creds most of the time. It's not practical or reliable to have the VPN connect prior to authentication as the VPN may be blocked at whatever site you are currently at - Yes, it does happen... had it happen to someone from a hospital.
So in that case, what do you fall back to?
-
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
But if you are a SMB in the trade industry, why have AD at all? Is it not a waste of resources?
AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.
Right - if you have a large company - very handy
-
@scottalanmiller said in Security without AD:
@dbeato said in Security without AD:
It depends on how centralized you want to get for policies, updates and management for your devices and computers. Also this assumes you are only using Windows as your platform.
You can use other systems such as JumpCloud and other AD cloud replacements and even OpenLDAP. They will also have limitations and require the same level of management and extra tools as well to manage.
Security options should be based on the industry, platform and size of the company.
You can also use remote scripts, say with PowerShell, or you could use tools like Ansible.
I have only done a few PS scripts... and nothing with Ansible yet.
-
@gjacobse said in Security without AD:
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
There is a debate - you don't need AD to have security. But then why have AD at all? There are a number of things that AD does - at least in my eyes - that are security related.
- Password policy
- Lock out policy
- Group Policy
Group Policy is not security. It's just a mechanism for applying security. None of these things are provided by AD. It's just if you use AD, you can use AD for these things. Except password and lock out policies from AD are not reliable because when moving to cached creds, they stop working. So in many ways, AD cripples security in those areas, rather than enhancing it.
Ah but that throws a wrench - those that travel are limited to cached creds most of the time. It's not practical or reliable to have the VPN connect prior to authentication as the VPN may be blocked at whatever site you are currently at - Yes, it does happen... had it happen to someone from a hospital.
So in that case, what do you fall back to?
This isn't really much of a problem in the modern world. Maybe some VPNs from ages past, but this isn't something that people normally run into. Relying on cached creds should be a fallback, not the norm.
-
@gjacobse said in Security without AD:
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
But if you are a SMB in the trade industry, why have AD at all? Is it not a waste of resources?
AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.
Right - if you have a large company - very handy
Actually when you get really big, the value drops off. Sharing equipment becomes less common, rather than more common.
-
@scottalanmiller I have seen the case where Cached Creds cause re-mapping issues of drives. Delete the one cred, and poof... 85% of the time, nothing else is needed.
-
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
@scottalanmiller said in Security without AD:
@gjacobse said in Security without AD:
But if you are a SMB in the trade industry, why have AD at all? Is it not a waste of resources?
AD is about simple, central authentication. If you do a lot of moving between systems or have a lot of apps that integrate with AD and not other tools, AD can be handy for centralizing authentication.
Right - if you have a large company - very handy
Actually when you get really big, the value drops off. Sharing equipment becomes less common, rather than more common.
Eh - Depends on the business model. Take any auto manufacturer - lot of PCs on the line single use, many people. Or on the Help Desk I was on - 16 stations that got rotated by shift... not all but some.
-
Sliding back to more on topic... I was asked by a fellow Ham Operator how I would recommend updating his shop computers, which right now are only desktops. No server, no backup, no UPS units. Few large format printers and a CNC table.
He's thinking Server - but is it really needed? Storage yes, backup yes, but is all the 'high end' security really needed - No HIPAA, just job files. No mobile devices, but possible maybe. Oh, and (one of the) banes of IT - QuickBooks.
Yea... running QB with no UPS?? Ugh..
-
@gjacobse said in Security without AD:
@scottalanmiller I have seen the case where Cached Creds cause re-mapping issues of drives. Delete the one cred, and poof... 85% of the time, nothing else is needed.
Why would cached creds ever be involved at a time when drives could be mapped? Something really wrong there.
-
@gjacobse said in Security without AD:
Sliding back to more on topic... I was asked by a fellow Ham Operator how I would recommend updating his shop computers, which right now are only desktops. No server, no backup, no UPS units. Few large format printers and a CNC table.
He's thinking Server - but is it really needed? Storage yes, backup yes, but is all the 'high end' security really needed - No HIPAA, just job files. No mobile devices, but possible maybe. Oh, and (one of the) banes of IT - QuickBooks.
Yea... running QB with no UPS?? Ugh..
AD is not security. AD is centralized authentication. Don't equate AD to security. AD isn't "higher end" security than other approaches. It's an authentication mechanism, yes, which is related to security, but it's just one of many password handling systems all of which are basically the same from a security standpoint.