AzureAD and shares
-
@scottalanmiller said in AzureAD and shares:
@Dashrender said in AzureAD and shares:
Because those who are paying for those audits simply don't know any better
Of course they do, they have IT to advise them. That's why IT's job is to do, and it is management's job to understand that IT is their rep, and the auditors are the vendor's reps. There is never, ever, ever a situation where management isn't mandated and tasked with understanding who is on their team and who they need to be protected from. If you didn't need that, you'd not even need management!
Sure - that's the way it's "supposed" to work. Sadly - as I already said - once you're an employee - your opinion basically never means anything anymore.
-
@scottalanmiller said in AzureAD and shares:
@Dashrender said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
The more OSS you have, the lower your score will be.
Then it's an anti-audit. I mean it's that easy. If they are specifically penalizing security, that literally makes these guys social engineers / hackers. Instantly, you have a requirement to ban them from the company. Financial regulations actually make that criminal.
Not to derail this thread, but I deal with this every year. These auditors come in and HAVE to find something "wrong" even though what they find are not actual problems. It just justifies the money spent for the audit. I know there are others on here who deal with these auditors. They know exactly how bad it is.
Right, so you have a criminal activity going on for personal gain. The bank needs to understand that the auditors are being paid to put them at risk, because that's how they get compensated. Doesn't change that it's illegal.
This is clearly totally the wrong mind set for both the auditors and the audited. If anything both should be hoping that they don't find anything.
Auditors do what they are paid to do. If they are paid only to scam people, they will scam them. Only those being audited forcing that to happen can be at fault in a free market.
We don't have a free market - not when you are required to have audits, and often required to have audits by a special list of auditors.
-
@Dashrender said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
My best option IMO is to spin up 3 new VMs - 2 AD/DNS and 1 file server.
Where are you planning on hosting this? I have to assume you don't mean to buy two servers, and setup AD/DNS on each of them, plus then setup a file server on one of them as well? That would be hardware overkill for something like this.
So assuming you did go with a single server - then you're down to two VMs - 1 AD/DNS and 1 file server. Another option would be 1 NAS, and simply map it to everyone's computer.
You mentioned managing local user accounts - do users move around and use other people's computers? or are they mainly only on their own? If they are mostly single use, a NAS is likely the best option. You'll build the users on the NAS and be done with it.
Nothing has to be purchased as there are 2 Hyper-V hosts running and are less than 6 months old.
Users only use 1 machine each. No roaming.
-
@brandon220 said in AzureAD and shares:
@Dashrender said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
My best option IMO is to spin up 3 new VMs - 2 AD/DNS and 1 file server.
Where are you planning on hosting this? I have to assume you don't mean to buy two servers, and setup AD/DNS on each of them, plus then setup a file server on one of them as well? That would be hardware overkill for something like this.
So assuming you did go with a single server - then you're down to two VMs - 1 AD/DNS and 1 file server. Another option would be 1 NAS, and simply map it to everyone's computer.
You mentioned managing local user accounts - do users move around and use other people's computers? or are they mainly only on their own? If they are mostly single use, a NAS is likely the best option. You'll build the users on the NAS and be done with it.
Nothing has to be purchased as there are 2 Hyper-V hosts running and are less than 6 months old.
Users only use 1 machine each. No roaming.
Wow - they have two servers already? What are they doing? What is on them, workload-wise?
-
@Dashrender said in AzureAD and shares:
What is your proposed or already decided solution for normal file storage? (word, etc, type files)
I know Google Drive is heavily pushed.
-
@Dashrender said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
@Dashrender said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
The more OSS you have, the lower your score will be.
Then it's an anti-audit. I mean it's that easy. If they are specifically penalizing security, that literally makes these guys social engineers / hackers. Instantly, you have a requirement to ban them from the company. Financial regulations actually make that criminal.
Not to derail this thread, but I deal with this every year. These auditors come in and HAVE to find something "wrong" even though what they find are not actual problems. It just justifies the money spent for the audit. I know there are others on here who deal with these auditors. They know exactly how bad it is.
Right, so you have a criminal activity going on for personal gain. The bank needs to understand that the auditors are being paid to put them at risk, because that's how they get compensated. Doesn't change that it's illegal.
This is clearly totally the wrong mind set for both the auditors and the audited. If anything both should be hoping that they don't find anything.
Auditors do what they are paid to do. If they are paid only to scam people, they will scam them. Only those being audited forcing that to happen can be at fault in a free market.
We don't have a free market - not when you are required to have audits, and often required to have audits by a special list of auditors.
It's a free market here given the case of the auditor selling a fake issue to convince them that it is valuable. That doesn't exist when required.
-
@brandon220 said in AzureAD and shares:
@Dashrender said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
My best option IMO is to spin up 3 new VMs - 2 AD/DNS and 1 file server.
Where are you planning on hosting this? I have to assume you don't mean to buy two servers, and setup AD/DNS on each of them, plus then setup a file server on one of them as well? That would be hardware overkill for something like this.
So assuming you did go with a single server - then you're down to two VMs - 1 AD/DNS and 1 file server. Another option would be 1 NAS, and simply map it to everyone's computer.
You mentioned managing local user accounts - do users move around and use other people's computers? or are they mainly only on their own? If they are mostly single use, a NAS is likely the best option. You'll build the users on the NAS and be done with it.
Nothing has to be purchased as there are 2 Hyper-V hosts running and are less than 6 months old.
Users only use 1 machine each. No roaming.
Why? And they have spare Windows licensing, too?
-
@Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora 30 VMs.
-
@brandon220 said in AzureAD and shares:
@Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora 30 VMs.
Do you know why they have two servers instead of one?
-
@brandon220 said in AzureAD and shares:
@Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora 30 VMs.
So likely they still need a lot of licensing for AD.
-
@Dashrender The original was intended to just run databases and did not have enough horsepower to run the other applications. A second was purchased and the plan is to migrate everything to it.
-
AD + SMB.... it's like designing for ransomware.
-
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.
-
@scottalanmiller said in AzureAD and shares:
AD + SMB.... it's like designing for ransomware.
What does AD have to do with ransomware?
-
@brandon220 said in AzureAD and shares:
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.
Nothing wrong with in-house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.
-
@Obsolesce said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
AD + SMB.... it's like designing for ransomware.
What does AD have to do with ransomware?
A ton. AD and SMB shares authenticated through it are the primary attack vector for ransomware. While AD itself is not a huge vulnerability, it ties many systems together so that a single compromise easily turns into a big one. It's like the authentication equivalent to a LAN. It magnifies exposure and discovery.
-
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.
Nothing wrong with in-house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.
Yes there will be places that just can't do it until internet speeds are faster and cheaper than local/onprem.
-
@Obsolesce said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.
Nothing wrong with in-house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.
Yes there will be places that just can't do it until internet speeds are faster and cheaper than local/onprem.
And more importantly.... low latency. It is latency, more than bandwidth, that kills files and databases over the WAN.
-
@scottalanmiller said in AzureAD and shares:
@Obsolesce said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
AD + SMB.... it's like designing for ransomware.
What does AD have to do with ransomware?
A ton. AD and SMB shares authenticated through it are the primary attack vector for ransomware. While AD itself is not a huge vulnerability, it ties many systems together so that a single compromise easily turns into a big one. It's like the authentication equivalent to a LAN. It magnifies exposure and discovery.
So if you take away AD, nobody gets ransomware?
I would say it's an issue of old outdated SMB versions with bad access and authentication practices.
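Editor's added example, not code posted by anyone in this thread: the post above blames "old outdated SMB versions with bad access and authentication practices" rather than AD itself. This script audits exactly those two things on a Windows file server like the VM being proposed here: whether SMBv1 is still enabled and SMB signing is required server-wide, and which shares grant Change or Full rights to broad groups such as Everyone or Authenticated Users. It assumes an elevated PowerShell session on the file server (Windows Server 2012 R2 or newer with the built-in SmbShare module); the list of "broad" principals is the editor's choice and can be adjusted.

```powershell
# Added example (not from the original thread). Audits an SMB file server for
# legacy protocol versions, missing signing, and over-broad share permissions.
# Run as an administrator on the file server itself.

function Get-SmbHardeningFindings {
    [CmdletBinding()]
    param(
        # Principals whose Change/Full access on a share is treated as a finding.
        # Assumption: these three cover the usual "everyone can write" mistakes.
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users'
        )
    )

    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding($Severity, $Item, $Detail) {
        $findings.Add([pscustomobject]@{
            Severity = $Severity
            Item     = $Item
            Detail   = $Detail
        })
    }

    # --- Server-wide protocol and authentication settings -------------------
    $cfg = Get-SmbServerConfiguration

    if ($cfg.EnableSMB1Protocol) {
        Add-Finding 'High' 'SMBv1 enabled' `
            'SMBv1 has no pre-authentication integrity or encryption; disable it unless a legacy device truly needs it.'
    }
    if (-not $cfg.RequireSecuritySignature) {
        Add-Finding 'Medium' 'SMB signing not required' `
            'Unsigned sessions can be relayed or tampered with by anyone on the LAN.'
    }
    if (-not $cfg.EncryptData) {
        Add-Finding 'Low' 'SMB encryption off server-wide' `
            'Consider EncryptData globally or per share for sensitive data.'
    }

    # --- Share-level ACLs: who may write to what ------------------------------
    # Administrative shares (ADMIN$, C$, IPC$) are flagged Special and skipped.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $isAllow = "$($ace.AccessControlType)" -eq 'Allow'
            $isBroad = $BroadPrincipals -contains $ace.AccountName
            $isWrite = "$($ace.AccessRight)" -in @('Full', 'Change')
            if ($isAllow -and $isBroad -and $isWrite) {
                Add-Finding 'High' "Share '$($share.Name)' writable by $($ace.AccountName)" `
                    "Share-level $($ace.AccessRight) for a broad group: one compromised user account can encrypt the whole share."
            }
        }
    }

    return $findings
}

# Report, worst first.
$order = @{ High = 0; Medium = 1; Low = 2 }
Get-SmbHardeningFindings |
    Sort-Object { $order[$_.Severity] } |
    Format-Table -AutoSize

# Remediation for the protocol findings (review before running; removing the
# SMB1 feature needs a reboot to complete):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Share-level ACLs are only half the picture: NTFS permissions on the share's folder apply as well, and the effective right is the more restrictive of the two, so a clean share ACL with "Everyone: Full" at the NTFS level still leaves the data writable by any authenticated user. The same scope question applies whether the accounts are AD or NAS-local: the point is how many machines and users a single compromised credential can reach.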
-
@Obsolesce said in AzureAD and shares:
So if you take away AD, nobody gets ransomware?
Being a primary vector and being the only vector are totally different things.
If you have four attack vectors, three that are 24% of the time, and one that is 28% of the time, that one is the primary, but the other three make up 72% of attacks.
So the leap from feeling something is primary, to all, can be astronomic.
But yes, if you remove AD, a massive percentage of people getting ransomware, or getting it across systems rather than isolated to one system, drops dramatically.