AzureAD and shares
-
@Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora30 VMs.
-
@brandon220 said in AzureAD and shares:
@Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora30 VMs.
Do you know why they have two servers instead of one?
-
@brandon220 said in AzureAD and shares:
@Dashrender One has 2 Server 2019 VMs running databases and the other has 3 Fedora30 VMs.
So likely they still need a lot of licensing for AD.
-
@Dashrender The original was intended to just run databases and did not have enough horsepower to run the other applications. A second was purchased and the plan is to migrate everything to it.
-
AD + SMB.... it's like designing for ransomware.
-
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it. -
@scottalanmiller said in AzureAD and shares:
AD + SMB.... it's like designing for ransomware.
What does AD have to do with ransomware?
-
@brandon220 said in AzureAD and shares:
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.Nothing wrong with in house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.
-
@Obsolesce said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
AD + SMB.... it's like designing for ransomware.
What does AD have to do with ransomware?
A ton. AD and SMB shares authenticated through it are the primary attack vector for ransomware. While AD itself is not a huge vulnerability, it ties many systems together so that a single compromise easily turns into a big one. It's like the authentication equivalent to a LAN. It magnifies exposure and discovery.
-
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.Nothing wrong with in house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.
Yes there will be places that just can't do it until internet speeds are faster and cheaper than local/onprem.
-
@Obsolesce said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
Less than desirable internet service is a large factor in having things in-house versus hosted. It is a big factor that cannot be overlooked.
AD does not have to be implemented. That is why I'm here discussing it.Nothing wrong with in house. File serving over the Internet is basically always bad, regardless of the tech used. WANs just aren't fast, and files are very speed sensitive.
Yes there will be places that just can't do it until internet speeds are faster and cheaper than local/onprem.
And more importantly.... low latency. It is latency, more than bandwidth, that kills files and databases over the WAN.
-
@scottalanmiller said in AzureAD and shares:
@Obsolesce said in AzureAD and shares:
@scottalanmiller said in AzureAD and shares:
AD + SMB.... it's like designing for ransomware.
What does AD have to do with ransomware?
A ton. AD and SMB shares authenticated through it are the primary attack vector for ransomware. While AD itself is not a huge vulnerability, it ties many systems together so that a single compromise easily turns into a big one. It's like the authentication equivalent to a LAN. It magnifies exposure and discovery.
So if you take away AD, nobody gets ransomware?
I would say it's an issue of old outdated SMB versions with bad access and authentication practices.
-
@Obsolesce said in AzureAD and shares:
So if you take away AD, nobody gets ransomware?
Being a primary vector, and the only vector, and totally different things.
If you have four attack vectors, three that are 24% of the time, and one that is 28% of the time, that one is the primary, but the other three make up 72% of attacks.
So the leap from feeling something is primary, to all, can be astronomic.
But yes, if you remove AD, a massive percentage of people getting ransomware, or getting it across systems rather than isolated to one system, drops dramatically.
-
@Obsolesce said in AzureAD and shares:
I would say it's an issue of old outdated SMB versions with bad access and authentication practices.
That is a factor, too, of course. Anything outdated ups the risk. But for systems properly maintained, those things don't exist.
-
If you had a client/friend/relative and needed a file server for 'reasons' and they only knew MS since birth - would you still install a samba file server if licenses were not a factor?
-
@scottalanmiller said in AzureAD and shares:
@Obsolesce said in AzureAD and shares:
I would say it's an issue of old outdated SMB versions with bad access and authentication practices.
That is a factor, too, of course. Anything outdated ups the risk. But for systems properly maintained, those things don't exist.
Bad things happen with good solutions when they are not implemented and maintained correctly.
-
@brandon220 said in AzureAD and shares:
Here is an example from the FFIEC Cybersecurity Assesment Tool:
The more OSS you have, the lower your score will be.I'm not defending or even sure this is what they are talking about, but they may be looking at the risk of the licensing. It can be tough to keep track of all of the licensing of open source tools and making sure you comply with them.
-
@brandon220 said in AzureAD and shares:
If you had a client/friend/relative and needed a file server for 'reasons' and they only knew MS since birth - would you still install a samba file server if licenses were not a factor?
Honestly, yes. For the very reason you mention.... someone who "only knows one thing", don't actually know that thing and are the most dangerous of people. Making it easy for people who don't understand to break things is really the worst option, IMHO . It's costly, and risky. Making IT "seem easy" is one of the biggest mistakes of the MS ecosystem.
-
@stacksofplates said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
Here is an example from the FFIEC Cybersecurity Assesment Tool:
The more OSS you have, the lower your score will be.I'm not defending or even sure this is what they are talking about, but they may be looking at the risk of the licensing. It can be tough to keep track of all of the licensing of open source tools and making sure you comply with them.
But, honestly, not nearly as hard as the risks of anything else. And "can be" should never be a legitimate factor. ONce we go down that path, we could list unrealistic risks for forever.
-
@scottalanmiller said in AzureAD and shares:
@stacksofplates said in AzureAD and shares:
@brandon220 said in AzureAD and shares:
Here is an example from the FFIEC Cybersecurity Assesment Tool:
The more OSS you have, the lower your score will be.I'm not defending or even sure this is what they are talking about, but they may be looking at the risk of the licensing. It can be tough to keep track of all of the licensing of open source tools and making sure you comply with them.
But, honestly, not nearly as hard as the risks of anything else. And "can be" should never be a legitimate factor. ONce we go down that path, we could list unrealistic risks for forever.
Right, like I said I'm not defending them. Just trying to look at it from all angles.
