    SAMIT: Do You Really Need Active Directory

    Category: IT Discussion
    Tags: samit, scott alan miller, youtube, active directory
    135 Posts 10 Posters 18.3k Views
    • scottalanmiller @Dashrender

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? Really - how do you manage that?

      100 desktops, 100 users, and they play musical chairs daily - now what?

      @IRJ said in SAMIT: Do You Really Need Active Directory:

      Everything they access of value is cloud based, so you only care about authentication to that service, not authentication to the local system.

      You can prevent users from storing files locally on OD for example, and in that case if their workstation is compromised none of the data is sensitive.

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      But basically - you are saying - BYOD all the things, and just not give a shit about the end device at all...
      But you still have regulations, the reason you're running a SIEM.

      @IRJ said in SAMIT: Do You Really Need Active Directory:

      Not BYOD, and have standard builds with restricted permissions, but you don't really push anything because they are just a basic OS that lets you access resources. You let them update on their own.

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      I could definitely see this working in a 1 to 1 situation because there would be so little to manage... and once the user is set up, they aren't likely going to need much IT support. But in a shared environment, it gets stickier.

      @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

      It seems to work pretty well from what I've seen. And the cost to 1:1 often is small compared to other costs of management. So when you get close, it often pans out. This style also allows for heterogeneous environments really easily.

      @Dashrender said in SAMIT: Do You Really Need Active Directory:

      Definitely not a fan of working on a laptop and only a laptop - but I suppose you could deploy monitors and keyboards to every desk, and you just hook up wherever you are working that day.

      They more or less did that at Dropbox when I visited there 4 years ago. Just monitors - they still had to type on the laptop keyboard... ug.

      Same, I hated that about the environment. They spent a fortune to overcome the laptop crap of it. But it remained crap.

      • scottalanmiller @Dashrender

        @Dashrender I think the key name to what you want is "snowflake managed". The fleet isn't seen as a uniform body, but more a congregation of workstations.

        • Dashrender @scottalanmiller

          @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

          @Dashrender I think the key name to what you want is "snowflake managed". The fleet isn't seen as a uniform body, but more a congregation of workstations.

          I can dig that...

          • Obsolesce @scottalanmiller

            @Dashrender said in SAMIT: Do You Really Need Active Directory:

            And is it really GPO if you're using Salt/Ansible/RMM to set registry keys, and not the GPO tool and the XML files it generates? I mean the end goal is the same, sure, but the tech to get there is slightly different - I think.

            @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

            No, it is definitely not GPO if you are using PS to set the registry. That highlights why GPO is often not to be maintained, because there are other, often better ways to handle it. GPO isn't the end all of value. That said, though, you can use Salt / Ansible / PowerShell to set GPOs, or to bypass them. Most people use the GPO approach because of the momentum of conversations like this - people get convinced that they need GPO, so they want tools to automate GPO rather than starting from the goal and figuring out how to achieve it.

            There are quite often cases where computer settings, policies, controls, etc. (whatever they be, security, etc...) need to be centrally managed, monitored, finely targeted, etc. AD does some, but not all. GPO is not the most featureful tool for this (I'm purposely not saying best), as well as other tools are not. Many of them won't do shit if they are "mobile" devices, meaning users really never leave their laptops at work. MDM is really where things are going, seriously. Out of like 10k computers, I'd say 98% of them are laptops, and are "mobile", or at least not on "the" LAN. I can imagine this will only get bigger as time goes on. So really, centrally managed AD DS GPO is on its way out, and is being replaced by MDM policies, with great compliance policies and reporting baked right in.

            • Obsolesce @Dashrender

              @Dashrender said in SAMIT: Do You Really Need Active Directory:

              How do you replace the functionality of auto deployed printers - you don't, you make the users add them manually when needed... yeah that sounds awesome.

              You don't, you use follow-me-printing and only have "one" printer to install on a system. User takes their card (or something) and walks up to any printer, scans it, prints their shit.

              Installing that one printer can be done so many automated ways.

              • JaredBusch @Obsolesce

                @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                You don't, you use follow-me-printing and only have "one" printer to install on a system. User takes their card (or something) and walks up to any printer, scans it, prints their shit.

                Installing that one printer can be done so many automated ways.

                not even ever going to happen in the SMB anytime soon.

                • Dashrender @Obsolesce

                  @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                  There are quite often cases where computer settings, policies, controls, etc. (whatever they be, security, etc...) need to be centrally managed, monitored, finely targeted, etc. AD does some, but not all. GPO is not the most featureful tool for this (I'm purposely not saying best), as well as other tools are not. Many of them won't do shit if they are "mobile" devices, meaning users really never leave their laptops at work. MDM is really where things are going, seriously. Out of like 10k computers, I'd say 98% of them are laptops, and are "mobile", or at least not on "the" LAN. I can imagine this will only get bigger as time goes on. So really, centrally managed AD DS GPO is on its way out, and is being replaced by MDM policies, with great compliance policies and reporting baked right in.

                  I completely agree with this - I am surprised that MS didn't come out with a better solution for this ages ago. That whole Direct Connect or whatever it was called - the phone-home VPN solution they have for Enterprise edition only - what a kluge.

                  That said - while my environment is 80% laptops, 80% of those stay onsite 100% of the time; it's that other 20% that are a problem - and for most of those I actually came to the conclusion that what Scott mentioned - snowflake managed - was the way to go. They aren't on the domain - they are single-user-only devices, so they have a local account for that user, a local admin account for me - and ScreenConnect for when they need assistance.

                  All non-Windows apps are installed using Chocolatey and update automatically; Windows updates are set to install automatically (yet like all Windows, that still fails/confuses users and systems end up not updated)...

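The "snowflake managed" build Dashrender describes (one standard user, one local admin for IT, applications from Chocolatey that keep themselves current) can be bootstrapped from a single elevated script. The following is an added example, not code from this thread or from Chocolatey; it assumes Chocolatey is already installed, and the account names, package list and task name are placeholders for this example.

```powershell
<#
Added example (not from the thread): bootstrap a non-domain, single-user device.
Assumes Chocolatey is already installed and the script runs elevated.
Account names, the package list and the task name are assumptions for this example.
#>
param(
    [string]$UserName   = 'jdoe',                              # assumed: the device's one user
    [string]$AdminName  = 'it-local',                          # assumed: IT's local admin account
    [string[]]$Packages = @('googlechrome', 'vlc', '7zip'),    # assumed package list
    [string]$TaskName   = 'Chocolatey Upgrade All'             # assumed task name
)

# 1. Local accounts. Passwords are prompted for interactively, never embedded in the script.
foreach ($name in @($UserName, $AdminName)) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $name"
        New-LocalUser -Name $name -Password $pw | Out-Null
    }
}
# The user is a plain user; only the IT account joins Administrators.
Add-LocalGroupMember -Group 'Users'          -Member $UserName  -ErrorAction SilentlyContinue
Add-LocalGroupMember -Group 'Administrators' -Member $AdminName -ErrorAction SilentlyContinue

# 2. Applications from Chocolatey. -y answers prompts; --no-progress keeps the log readable.
foreach ($pkg in $Packages) {
    choco install $pkg -y --no-progress
    if ($LASTEXITCODE -ne 0) { Write-Warning "choco install $pkg exited with code $LASTEXITCODE" }
}

# 3. Keep them current without a management server: a daily task running as SYSTEM.
$action    = New-ScheduledTaskAction -Execute 'choco.exe' -Argument 'upgrade all -y --no-progress'
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# 4. Show what is still outdated right now so the technician can see the device's state before handing it over.
choco outdated
```

The scheduled task is what turns "installed with Chocolatey" into "updates automatically"; because it runs as SYSTEM it does not depend on the user being an administrator, which keeps the user account unprivileged as the post describes.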
                  • Obsolesce @IRJ

                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                    Toss in a situation where many users must be able to use nearly any computer in the office at any time - and now what? Really - how do you manage that?

                    100 desktops, 100 users, and they play musical chairs daily - now what?

                    @IRJ said in SAMIT: Do You Really Need Active Directory:

                    Everything they access of value is cloud based, so you only care about authentication to that service, not authentication to the local system.

                    You can prevent users from storing files locally on OD for example, and in that case if their workstation is compromised none of the data is sensitive.

                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                    Why would you even have OD if you can prevent local storage of files?

                    @IRJ said in SAMIT: Do You Really Need Active Directory:

                    That statement makes no sense. If you prevent local storage you have to have a service like OD to access files.

                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                    Thanks for pulling a Scott and not reading the followup where I answered my own question - but left it there anyway for other people who might have had the same thought I originally did.

                    That said - the file is still saved locally - in the cache of OD. I don't believe you can work locally with a non-cached file.
                    I'm prepared to be wrong on that account though if you have an article from MS stating as much.

                    @IRJ said in SAMIT: Do You Really Need Active Directory:

                    Why would you need to use Desktop Office? Why not use Office Online?

                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                    Because it gives you a reason to have OD installed - if you don't have any local apps using the files - then OD is pointless (at least the local application). Your files are just 'in the cloud'; sure, personal files are in something called OD, and shared are in SharePoint - but again, nothing local.

                    @IRJ said in SAMIT: Do You Really Need Active Directory:

                    @Obsolesce would probably know for sure, but I think you can encrypt that partition and require authentication to access it.

                    I would however not even bother with it. Train them to use Office Online and your OS dependency completely goes away.

                    Data at rest should always be encrypted, no exceptions. We ensure all user devices are encrypted. Windows BitLocker, Android, iOS, Macs, everything.

                    • Obsolesce @scottalanmiller

                      @scottalanmiller said in SAMIT: Do You Really Need Active Directory:

                      You can do this with scripts, it's not nearly as hard as people think. If this is your environment, you can build scripts to do this really quickly. In fact, I bet you can automate this without AD faster than you can with AD. We have O365 customers where we have to automate this and yes, that's harder than AD automation, but it's a million times worse than local scripts. Scripts always sound like a kludge, but really, what's AD other than tons of really good, well reviewed scripts (basically.)

                      How do you like to ensure delivery of these scripts to devices that need them, prevent those that don't from getting them, monitor progress, completion, and compliance of it?

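scottalanmiller's point earlier in the thread (PowerShell can write the same registry values the GPO editor writes, without being "GPO") and Obsolesce's question just above (how do you deliver such scripts, and how do you know they completed and the device is compliant) come down to the same building block: an idempotent script that enforces a setting and reports its state in a form the delivery tool can collect. The following is an added example, not code from the thread or from any of the tools named in it. The two registry locations are the real policy locations for "Turn off AutoPlay" and "Do not allow Remote Desktop connections"; the report path is an assumption for this example.

```powershell
<#
Added example (not from the thread): enforce two registry-backed policies the way a GPO
would, idempotently, and emit a compliance record an RMM, MDM, Salt or Ansible job can
collect. Run elevated. The report path is an assumption for this example.
#>
[CmdletBinding()]
param(
    [ValidateSet('audit', 'enforce')]
    [string]$Mode = 'enforce',
    [string]$ReportPath = "$env:ProgramData\baseline-report.json"   # assumed location
)

# Baseline: the same registry values the Group Policy editor writes for these settings.
$Baseline = @(
    @{ Name  = 'Turn off AutoPlay on all drives'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Data = 0xFF; Type = 'DWord' },
    @{ Name  = 'Do not allow Remote Desktop connections'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'fDenyTSConnections'; Data = 1; Type = 'DWord' }
)

function Get-PolicyState {
    # Read one setting and return expected vs. actual plus a Compliant flag.
    param([hashtable]$Setting)
    $actual = $null
    if (Test-Path -Path $Setting.Path) {
        $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Setting.Value) }
    }
    [pscustomobject]@{
        Name      = $Setting.Name
        Expected  = $Setting.Data
        Actual    = $actual
        Compliant = ($actual -eq $Setting.Data)
    }
}

function Set-PolicyState {
    # Only write when the value has drifted, so repeated runs are quiet and cheap to audit.
    param([hashtable]$Setting)
    $state = Get-PolicyState -Setting $Setting
    if (-not $state.Compliant) {
        if (-not (Test-Path -Path $Setting.Path)) {
            New-Item -Path $Setting.Path -Force | Out-Null
        }
        New-ItemProperty -Path $Setting.Path -Name $Setting.Value -Value $Setting.Data `
            -PropertyType $Setting.Type -Force | Out-Null
        $state = Get-PolicyState -Setting $Setting
    }
    $state
}

$report = foreach ($setting in $Baseline) {
    if ($Mode -eq 'audit') { Get-PolicyState -Setting $setting }
    else                   { Set-PolicyState -Setting $setting }
}

$report | Format-Table -AutoSize

# Persist a machine-readable record with host and timestamp, and exit non-zero on drift
# so whatever scheduled the run can surface non-compliant devices.
[pscustomobject]@{
    Host     = $env:COMPUTERNAME
    Checked  = (Get-Date).ToString('o')
    Mode     = $Mode
    Settings = $report
} | ConvertTo-Json -Depth 3 | Set-Content -Path $ReportPath

$drift = @($report | Where-Object { -not $_.Compliant }).Count
exit $(if ($drift -gt 0) { 1 } else { 0 })
```

Run it as `.\baseline.ps1 -Mode audit` from the scheduling tool to answer "is this device compliant right now" without changing anything, and in `enforce` mode to remediate; the exit code and the JSON file are the monitoring signal Obsolesce asks about. Because the values are written directly rather than through a GPO, they do not appear in `gpresult`, and on a domain-joined device a conflicting GPO would rewrite them at the next refresh, which is exactly why the thread argues for picking one source of truth per setting.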
                      • IRJ @Obsolesce

                        @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                        Data at rest should always be encrypted, no exceptions. We ensure all user devices are encrypted. Windows BitLocker, Android, iOS, Macs, everything.

                        Yes, but can you force authentication when accessing synced OD files? And by authentication I mean checking the validity of the token, not logging in each time.

                        • Dashrender @IRJ

                          @IRJ said in SAMIT: Do You Really Need Active Directory:

                          Yes, but can you force authentication when accessing synced OD files? And by authentication I mean checking the validity of the token, not logging in each time.

                          Encryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...

                          Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                          • Obsolesce @IRJ

                            @IRJ said in SAMIT: Do You Really Need Active Directory:

                            Yes, but can you force authentication when accessing synced OD files? And by authentication I mean checking the validity of the token, not logging in each time.

                            I don't know, I haven't used OneDrive for Business in the enterprise for years.

                            Right now, we use Google Drive, and that's 2FA enforced. But no, no need to re-login to access them.

                            • IRJ @Obsolesce

                              @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                              I don't know, I haven't used OneDrive for Business in the enterprise for years.

                              Right now, we use Google Drive, and that's 2FA enforced. But no, no need to re-login to access them.

                              I would assume it's managed through Intune.

                              • Obsolesce @Dashrender

                                @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                Encryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                                Assuming a non local admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                                That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                                • Dashrender @Obsolesce

                                  @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                  That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                                  Does Windows boot before a login is done by the user? If yes, how in an offline mode are you preventing brute-force attacks? Of course they would be so slow - who really cares?

                                  • Obsolesce @Dashrender

                                    @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                    Does Windows boot before a login is done by the user? If yes, how in an offline mode are you preventing brute-force attacks? Of course they would be so slow - who really cares?

                                    Huh? It's not like you can boot the machine to Windows login screen, and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a wide spread one. If it's stolen, it's remote wiped as well.

                                    DashrenderD JaredBuschJ 2 Replies Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @Obsolesce
                                      last edited by

                                      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                      @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                      @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                      Encryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                                      Assuming a non-local-admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                                      That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                                      Does Windows boot before a login is done by the user? If yes, how in an offline mode are you preventing brute-force attacks? Of course they would be so slow - who really cares?

                                      Huh? It's not like you can boot the machine to the Windows login screen and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a widespread one. If it's stolen, it's remote wiped as well.

                                      I was curious if the local TPM (which I assume holds the BitLocker key) has to be unlocked before the computer will boot. If yes, then brute-force attacks against the Windows logon can't happen on a stolen machine; if not, they can.

                                      Of course, the drive is encrypted - so if it's removed and placed in another computer, now you have to brute force the drive encryption - like, much harder.

                                      JaredBuschJ ObsolesceO 2 Replies Last reply Reply Quote 1
                                      • JaredBuschJ
                                        JaredBusch @Dashrender
                                        last edited by

                                        @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                        @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                        @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                        @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                        @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                        Encryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                                        Assuming a non-local-admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                                        That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                                        Does Windows boot before a login is done by the user? If yes, how in an offline mode are you preventing brute-force attacks? Of course they would be so slow - who really cares?

                                        Huh? It's not like you can boot the machine to the Windows login screen and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a widespread one. If it's stolen, it's remote wiped as well.

                                        I was curious if the local TPM (which I assume holds the BitLocker key) has to be unlocked before the computer will boot. If yes, then brute-force attacks against the Windows logon can't happen on a stolen machine; if not, they can.

                                        Of course, the drive is encrypted - so if it's removed and placed in another computer, now you have to brute force the drive encryption - like, much harder.

                                        Exactly this.

                                        ObsolesceO 1 Reply Last reply Reply Quote 0
                                        • ObsolesceO
                                          Obsolesce @JaredBusch
                                          last edited by

                                          This post is deleted!
                                          1 Reply Last reply Reply Quote 0
                                          • ObsolesceO
                                            Obsolesce @Dashrender
                                            last edited by Obsolesce

                                            @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                            @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                            @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                            @Obsolesce said in SAMIT: Do You Really Need Active Directory:

                                            @Dashrender said in SAMIT: Do You Really Need Active Directory:

                                            Encryption at rest does nothing for you once the OS is booted. So a stolen device is mostly safe. But an unlocked workstation isn't, unless you require authentication for each access - which would drive users crazy...
                                            Assuming a non-local-admin user logs into another profile - they likely can't reach the files synced in some other profile in OD, so those are likely safe too.

                                            That just comes down to good practices. Stolen device is safe. There are no local accounts, no local admin privileged accounts either, not AD joined, encrypted, 2FA / Windows Hello enforced. (in my environment)

                                            Does Windows boot before a login is done by the user? If yes, how in an offline mode are you preventing brute-force attacks? Of course they would be so slow - who really cares?

                                            Huh? It's not like you can boot the machine to the Windows login screen and also connect the hard drive to another OS at the same time. No brute forcing, and a per-device problem, not a widespread one. If it's stolen, it's remote wiped as well.

                                            I was curious if the local TPM (which I assume holds the BitLocker key) has to be unlocked before the computer will boot. If yes, then brute-force attacks against the Windows logon can't happen on a stolen machine; if not, they can.

                                            Of course, the drive is encrypted - so if it's removed and placed in another computer, now you have to brute force the drive encryption - like, much harder.

                                            BitLocker using TPM only protects it if the drive is taken out. Using it with a PIN adds some more protection, but the point is encryption at rest. Not to keep you out of the OS.

                                            It's not meant to protect your data while Windows is running.

                                            @Dashrender what are you trying to get at? What scenario?

                                            JaredBuschJ 1 Reply Last reply Reply Quote 0
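The two posts above turn on a single distinction: with a TPM-only protector the OS volume is unlocked automatically during boot, so the Windows logon screen and the account lockout policy are what stand between a thief and the data; adding a PIN (TPM+PIN) moves that barrier to before boot. The PowerShell below is an added example, not code from any poster in this thread, that audits both halves of that picture on a workstation. It assumes an elevated session, the built-in BitLocker module (Get-BitLockerVolume), and the English output of `net accounts` for the lockout-policy parse.

```powershell
#Requires -RunAsAdministrator
# Added example: report how the OS volume is protected (TPM-only vs. pre-boot auth)
# and whether local logon brute-force is slowed by an account lockout threshold.
# Assumptions: BitLocker PowerShell module present; 'net accounts' prints English labels.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
    # RecoveryPassword, ExternalKey, Password. Convert to strings for simple matching.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Any protector that requires something at boot (PIN and/or USB startup key)
    $preBootAuth = ($types -contains 'TpmPin') -or
                   ($types -contains 'TpmStartupKey') -or
                   ($types -contains 'TpmPinStartupKey')
    # TPM-only: the volume unlocks on its own once the measured boot matches.
    $tpmOnly = ($types -contains 'Tpm') -and -not $preBootAuth

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus.ToString()   # On / Off
        VolumeStatus     = $vol.VolumeStatus.ToString()       # FullyEncrypted, EncryptionInProgress, ...
        Protectors       = ($types -join ', ')
        TpmOnly          = $tpmOnly
        PreBootAuth      = $preBootAuth
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
    }
}

function Get-LocalLockoutPolicy {
    # 'net accounts' shows the effective local (or domain-applied) lockout settings.
    $raw = net accounts
    $threshold = ($raw | Select-String 'Lockout threshold:\s+(.+)$').Matches[0].Groups[1].Value.Trim()
    $duration  = ($raw | Select-String 'Lockout duration \(minutes\):\s+(.+)$').Matches[0].Groups[1].Value.Trim()
    [pscustomobject]@{
        LockoutThreshold = $threshold   # 'Never' means no lockout at all
        LockoutDuration  = $duration
    }
}

$bl = Get-BitLockerPosture
$bl | Format-List

if ($bl.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is OFF for $($bl.MountPoint); the drive is readable if removed."
}
elseif ($bl.TpmOnly) {
    Write-Warning "TPM-only protector: the OS unlocks at boot, so the Windows logon and lockout policy are the only barrier on a stolen device. Consider TPM+PIN."
}
if (-not $bl.HasRecoveryKey) {
    Write-Warning "No RecoveryPassword protector found; make sure a recovery key is escrowed (e.g. to your MDM/Azure AD) before enforcing a PIN."
}

$lock = Get-LocalLockoutPolicy
$lock | Format-List
if ($lock.LockoutThreshold -eq 'Never') {
    Write-Warning "No account lockout threshold: local logon attempts are rate-limited only by the UI, not by policy."
}
```

Run it on a handful of machines and the combinations map directly onto the thread: `ProtectionStatus=On`, `TpmOnly=True` and `LockoutThreshold=Never` is the case Dashrender was asking about, where a stolen device's data depends on the logon screen alone; `PreBootAuth=True` is the TPM+PIN configuration Obsolesce describes as adding protection before the OS ever starts. Changing protectors is a separate, deliberate step (Add-BitLockerKeyProtector with the PIN option) and should only be done once the recovery key is safely escrowed.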