    AzureAD and shares

    Scheduled Pinned Locked Moved IT Discussion
    137 Posts 9 Posters 16.0k Views
    • scottalanmiller @brandon220

      @brandon220 said in AzureAD and shares:

      @Dashrender said in AzureAD and shares:

      @brandon220 said in AzureAD and shares:

      My best option IMO is to spin up 3 new VMs - 2 AD/DNS and 1 file server.

      Where are you planning on hosting this? I have to assume you don't mean to buy two servers, and set up AD/DNS on each of them, plus then set up a file server on one of them as well? That would be hardware overkill for something like this.
      So assuming you did go with a single server - then you're down to two VMs - 1 AD/DNS and 1 file server.

      Another option would be 1 NAS, and simply map it to everyone's computer.

      You mentioned managing local user accounts - do users move around and use other people's computers? or are they mainly only on their own? If they are mostly single use, a NAS is likely the best option. You'll build the users on the NAS and be done with it.

      Nothing has to be purchased as there are 2 Hyper-V hosts running that are less than 6 months old.
      Users only use 1 machine each. No roaming.

      Why? And they have spare Windows licensing, too?

      • brandon220 @Dashrender

        @Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora30 VMs.

        • Dashrender @brandon220

          @brandon220 said in AzureAD and shares:

          @Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora30 VMs.

          Do you know why they have two servers instead of one?

          • scottalanmiller @brandon220

            @brandon220 said in AzureAD and shares:

            @Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora30 VMs.

            So likely they still need a lot of licensing for AD.

            • brandon220 @Dashrender

              @Dashrender The original was intended to just run databases and did not have enough horsepower to run the other applications. A second was purchased and the plan is to migrate everything to it.

              • scottalanmiller

                AD + SMB.... it's like designing for ransomware.

                • brandon220

                  Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
                  AD does not have to be implemented. That is why I'm here discussing it.

                  • Obsolesce @scottalanmiller

                    @scottalanmiller said in AzureAD and shares:

                    AD + SMB.... it's like designing for ransomware.

                    What does AD have to do with ransomware?

                    • scottalanmiller @brandon220

                      @brandon220 said in AzureAD and shares:

                      Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
                      AD does not have to be implemented. That is why I'm here discussing it.

                      Nothing wrong with in house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.

                      • scottalanmiller @Obsolesce

                        @Obsolesce said in AzureAD and shares:

                        @scottalanmiller said in AzureAD and shares:

                        AD + SMB.... it's like designing for ransomware.

                        What does AD have to do with ransomware?

                        A ton. AD and SMB shares authenticated through it are the primary attack vector for ransomware. While AD itself is not a huge vulnerability, it ties many systems together so that a single compromise easily turns into a big one. It's like the authentication equivalent to a LAN. It magnifies exposure and discovery.

                        • Obsolesce @scottalanmiller

                          @scottalanmiller said in AzureAD and shares:

                          @brandon220 said in AzureAD and shares:

                          Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
                          AD does not have to be implemented. That is why I'm here discussing it.

                          Nothing wrong with in house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.

                          Yes there will be places that just can't do it until internet speeds are faster and cheaper than local/onprem.

                          • scottalanmiller @Obsolesce

                            @Obsolesce said in AzureAD and shares:

                            @scottalanmiller said in AzureAD and shares:

                            @brandon220 said in AzureAD and shares:

                            Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
                            AD does not have to be implemented. That is why I'm here discussing it.

                            Nothing wrong with in house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.

                            Yes there will be places that just can't do it until internet speeds are faster and cheaper than local/onprem.

                            And more importantly.... low latency. It is latency, more than bandwidth, that kills files and databases over the WAN.

                            • Obsolesce @scottalanmiller

                              @scottalanmiller said in AzureAD and shares:

                              @Obsolesce said in AzureAD and shares:

                              @scottalanmiller said in AzureAD and shares:

                              AD + SMB.... it's like designing for ransomware.

                              What does AD have to do with ransomware?

                              A ton. AD and SMB shares authenticated through it are the primary attack vector for ransomware. While AD itself is not a huge vulnerability, it ties many systems together so that a single compromise easily turns into a big one. It's like the authentication equivalent to a LAN. It magnifies exposure and discovery.

                              So if you take away AD, nobody gets ransomware?

                              I would say it's an issue of old outdated SMB versions with bad access and authentication practices.

                              • scottalanmiller @Obsolesce

                                @Obsolesce said in AzureAD and shares:

                                So if you take away AD, nobody gets ransomware?

                                Being a primary vector, and the only vector, are totally different things.

                                If you have four attack vectors, three that are 24% of the time, and one that is 28% of the time, that one is the primary, but the other three make up 72% of attacks.

                                So the leap from feeling something is primary, to all, can be astronomic.

                                But yes, if you remove AD, a massive percentage of people getting ransomware, or getting it across systems rather than isolated to one system, drops dramatically.

                                • scottalanmiller @Obsolesce

                                  @Obsolesce said in AzureAD and shares:

                                  I would say it's an issue of old outdated SMB versions with bad access and authentication practices.

                                  That is a factor, too, of course. Anything outdated ups the risk. But for systems properly maintained, those things don't exist.

                                  • brandon220

                                    If you had a client/friend/relative and needed a file server for 'reasons' and they only knew MS since birth - would you still install a Samba file server if licenses were not a factor?

                                    • Obsolesce @scottalanmiller

                                      @scottalanmiller said in AzureAD and shares:

                                      @Obsolesce said in AzureAD and shares:

                                      I would say it's an issue of old outdated SMB versions with bad access and authentication practices.

                                      That is a factor, too, of course. Anything outdated ups the risk. But for systems properly maintained, those things don't exist.

                                      Bad things happen with good solutions when they are not implemented and maintained correctly.

                                      • stacksofplates @brandon220

                                        @brandon220 said in AzureAD and shares:

                                        Here is an example from the FFIEC Cybersecurity Assessment Tool:
                                        assessmentsnip.PNG
                                        The more OSS you have, the lower your score will be.

                                        I'm not defending or even sure this is what they are talking about, but they may be looking at the risk of the licensing. It can be tough to keep track of all of the licensing of open source tools and making sure you comply with them.

                                        • scottalanmiller @brandon220

                                          @brandon220 said in AzureAD and shares:

                                          If you had a client/friend/relative and needed a file server for 'reasons' and they only knew MS since birth - would you still install a Samba file server if licenses were not a factor?

                                          Honestly, yes. For the very reason you mention.... someone who "only knows one thing" doesn't actually know that thing and is the most dangerous of people. Making it easy for people who don't understand to break things is really the worst option, IMHO. It's costly, and risky. Making IT "seem easy" is one of the biggest mistakes of the MS ecosystem.

                                          • scottalanmiller @stacksofplates

                                            @stacksofplates said in AzureAD and shares:

                                            @brandon220 said in AzureAD and shares:

                                            Here is an example from the FFIEC Cybersecurity Assessment Tool:
                                            assessmentsnip.PNG
                                            The more OSS you have, the lower your score will be.

                                            I'm not defending or even sure this is what they are talking about, but they may be looking at the risk of the licensing. It can be tough to keep track of all of the licensing of open source tools and making sure you comply with them.

                                            But, honestly, not nearly as hard as the risks of anything else. And "can be" should never be a legitimate factor. Once we go down that path, we could list unrealistic risks forever.
