Is Active Directory Really Needed Today?
-
Wouldn't AzureAD or (I feel terrible for not remembering that other provider's name) still be vulnerable to things like account lockouts and brute forcing?
I am looking at this from the stand point of the original thread this one forked from... (https://www.mangolassi.it/topic/13601/active-directory-malware-defense)
-
@dafyre said in Is Active Directory Really Needed Today?:
Wouldn't AzureAD or (I feel terrible for not remembering that other provider's name) still be vulnerable to things like account lockouts and brute forcing?
Yes, in some cases, central authentication is going to carry on a central threat.
-
@dafyre I wouldn't think so. The entire platform is hosted, and each account are not centrally connected like with classic AD.
-
In the original thread, part of the issue was tying core services to shared accounts.
-
@scottalanmiller said in Is Active Directory Really Needed Today?:
In the original thread, part of the issue was tying core services to shared accounts.
I've always been a firm believer (and have been saved by this a time or two) in each service having its own account.
-
@dafyre said in Is Active Directory Really Needed Today?:
@scottalanmiller said in Is Active Directory Really Needed Today?:
In the original thread, part of the issue was tying core services to shared accounts.
I've always been a firm believer (and have been saved by this a time or two) in each service having its own account.
@dafyre said in Is Active Directory Really Needed Today?:
@scottalanmiller said in Is Active Directory Really Needed Today?:
In the original thread, part of the issue was tying core services to shared accounts.
I've always been a firm believer (and have been saved by this a time or two) in each service having its own account.
It carries a lot of value.
-
So, I think the answer to the question is no, it's not needed. There are a lot of alternative products that will perform a similar function. Perhaps the question should be is AD desirable? Of all the alternatives, AD is arguably the best, the most comprehensive, the most mature, the most stable, but it's probably also the most expensive. So perhaps the question should be is AD worth the cost?
-
@Carnival-Boy said in Is Active Directory Really Needed Today?:
Of all the alternatives, AD is arguably the best, the most comprehensive, the most mature, the most stable, but it's probably also the most expensive.
I'd argue some of these points.
- Best. Not even close in my opinion. That doesn't meant it is bad, just that the model is poor and very limiting. It requires LAN extension in most use cases making it rather sad for what it is. It was great - in another era. It's far from the best mainstream option today. Better than NT4 SAM, but that's about it.
- Most Mature. If you mean oldest, okay.
Kidding aside, yes, it is extremely mature. - Most stable. It's stable, but not sure I agree with "most". I've never heard of anyone having competitors just corrupt, but I've heard of several people losing their AD just this week because even restoring a simple backup of it will lead to your AD dying.
- Most expensive. I actually don't agree there, AD is actually pretty affordable Not compared to Salt, but compared to JumpCloud or even AzureAD (unless you already have Office 365 otherwise.)
-
@Carnival-Boy said in Is Active Directory Really Needed Today?:
So perhaps the question should be is AD worth the cost?
Yes, it's definitely not a question of if AD is "good", it is. There are a lot of underlying questions implied, I think, like:
- Is AD the best option for me? Maybe, it depends of course.
- Is AD the only way to do X? No, AD offers nothing unique.
- Is AD worth the cost in absolute terms? Maybe, it depends on the use case.
- Is AD worth the cost relative to other options? Maybe, far less likely than the answer above.
- Is AD forward looking or backward looking? Backward, it is a model both for a bygone era and a product that its own vendor is moving away from.
-
So how would the alternatives rate? I run a very small company (just grown to 6 employees) and we're really at that point where this makes sense. Looking at JumpCloud, I see their offer is free for fewer than 10 employees but I'd be interested in opinions on which option people here would go with. What other criteria would you consider important before making your decision?
I already have an Office 365 E3 subscription if that makes a difference.
-
I should also mention that within a year or two, our numbers will probably grow to 20 or more people so that would definitely rate in my evaluation of a solution. Both in terms of cost and value.
-
@Carnival-Boy said in Is Active Directory Really Needed Today?:
So perhaps the question should be is AD worth the cost?
With the latest versions of SAMBA on Linux, you can stand up your own AD for zero cost but your time. I still agree with Scott in that it may not be the best option for everybody, but it's still worth noting AD can be done for free now.
-
@NashBrydges said in Is Active Directory Really Needed Today?:
So how would the alternatives rate? I run a very small company (just grown to 6 employees) and we're really at that point where this makes sense. Looking at JumpCloud, I see their offer is free for fewer than 10 employees but I'd be interested in opinions on which option people here would go with. What other criteria would you consider important before making your decision?
I already have an Office 365 E3 subscription if that makes a difference.
At that scale, JumpCloud is nearly impossible to beat.
-
@dafyre said in Is Active Directory Really Needed Today?:
@Carnival-Boy said in Is Active Directory Really Needed Today?:
So perhaps the question should be is AD worth the cost?
With the latest versions of SAMBA on Linux, you can stand up your own AD for zero cost but your time. I still agree with Scott in that it may not be the best option for everybody, but it's still worth noting AD can be done for free now.
That model is just a "Linux version of AD", so still LAN-centric. You can layer on ZeroTier to take it a lot farther, but you carry the LAN model with you. It just becomes the "best of an old idea." Better, but not yet re-invented.
-
@scottalanmiller said in Is Active Directory Really Needed Today?:
@dafyre said in Is Active Directory Really Needed Today?:
@Carnival-Boy said in Is Active Directory Really Needed Today?:
So perhaps the question should be is AD worth the cost?
With the latest versions of SAMBA on Linux, you can stand up your own AD for zero cost but your time. I still agree with Scott in that it may not be the best option for everybody, but it's still worth noting AD can be done for free now.
That model is just a "Linux version of AD", so still LAN-centric. You can layer on ZeroTier to take it a lot farther, but you carry the LAN model with you. It just becomes the "best of an old idea." Better, but not yet re-invented.
How is something like JumpCloud not LAN-centric?
Is it because I can authenticate against those services from anywhere I have an internet connection?
-
@dafyre said in Is Active Directory Really Needed Today?:
@scottalanmiller said in Is Active Directory Really Needed Today?:
@dafyre said in Is Active Directory Really Needed Today?:
@Carnival-Boy said in Is Active Directory Really Needed Today?:
So perhaps the question should be is AD worth the cost?
With the latest versions of SAMBA on Linux, you can stand up your own AD for zero cost but your time. I still agree with Scott in that it may not be the best option for everybody, but it's still worth noting AD can be done for free now.
That model is just a "Linux version of AD", so still LAN-centric. You can layer on ZeroTier to take it a lot farther, but you carry the LAN model with you. It just becomes the "best of an old idea." Better, but not yet re-invented.
How is something like JumpCloud not LAN-centric?
Is it because I can authenticate against those services from anywhere I have an internet connection?
Right, it, like Azure AD, doesn't care about your LAN at all. It doesn't even run on your LAN, but from a semi-anonymous hosted location. It does not identify your LAN, use any LAN for security, need LAN extensions to function, etc. You can have LANless things on your own LAN of course, and just not have them depend on the LAN, but in this case it doesn't even access the LAN so is that much more removed.
AD depends on the LAN, you can't (or effectively can't) authenticate on the open Internet with it.
-
Easy way to identify LAN dependencies... consider opening a branch office. Do you feel that you need a VPN for a service? Guess what, that's a LAN dependency
