domain controller in the cloud for small office?
-
I spent a lot of time going in a circle on this earlier in the year. Basically, Scott was right... Azure AD doesnt do what you want. I spent a lot of time showing Scott he was wrong, spinning up Azure Domain Services, but it ended up Scott was still right and it was just a managed cloud instance of AD. For small business starting at $90 didnt make sense.
-
There's a difference between Azure AD and running a DC on a VPS.
Azure AD doesn't use Kerberos or NTLM and is meant to work with web-based services such as O365 and salesforce using SSO.
WinServer AD isn't meant to work with online services, although there are ways and through federation.
They are different and it's important to know where they fit in.
-
@tim_g said in domain controller in the cloud for small office?:
There's a difference between Azure AD and running a DC on a VPS.
Azure AD doesn't use Kerberos or NTLM ...
For those wondering, it uses SAML.
-
@scottalanmiller said in domain controller in the cloud for small office?:
@tim_g said in domain controller in the cloud for small office?:
There's a difference between Azure AD and running a DC on a VPS.
Azure AD doesn't use Kerberos or NTLM ...
For those wondering, it uses SAML.
AND OAuth 2.0.
-
@tim_g said in domain controller in the cloud for small office?:
There's a difference between Azure AD and running a DC on a VPS.
Azure AD doesn't use Kerberos or NTLM and is meant to work with web-based services such as O365 and salesforce using SSO.
WinServer AD isn't meant to work with online services, although there are ways and through federation.
They are different and it's important to know where they fit in.
In the beginning Azure AD looked like a web service to replace ADAM (I think it was called) but it definitely evolved beyond that with Windows login support.
I remember feeling very clever when I discovered Azure Domain Services, I men's it works great with servers on Azure. When I discovered the base charge was $90/month I was pretty much done with Azure for small business ideas
-
@penguinwrangler said in domain controller in the cloud for small office?:
My friend who is a tech director for my kids school is having his budget slashed by a superintendent who doesn't think that much of technology. About 750 kids in the district (rural area) he has about 400-500 machines to manage. His budget is $20,000 for the year. So we are moving him to all open source. Moving from Novell eDirectory to a Samba 4 domain. Doing anything and everything to save him money.
Identity Management (FreeIPA) would be great if you want to expose the kids to Linux.
One of the easiest things I’ve ever set up.
-
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
How do you create a password change policy that gets enforced without a domain controller?
-
From what I have ever seen there is no mention of the requirement of invalidating passwords after any period of time. I have seen the following mention about passwords but this is all. Requiring users to change passwords is generally bad practice. Only change them when a security incident is suspected or known.
45 CFR Subtitle A §164.308 (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
-
For 8 computers use a cloud based LDAP like JumpCloud. It's free for <10 users but as many computers as you have. You install the agent which can then push a standard user profiles to the machines. Passwords of the user are managed in JumpCloud for the devices. It also has a RADIUS service for quick deployment to APs.
-
@scottalanmiller said in domain controller in the cloud for small office?:
They are on here, on SW, were at SpiceWorld with a booth, too. Seems like a cool product.
who from JumpCloud is on here?
-
Chromebooks for HIPAA is an ideal solution. Ticks all the boxes for encryption and security and then you have Citrix/VMWare/AWS, Chrome Apps/Extensions, Android Apps for pretty much any thing you think you can't do on one but can.
@dashrender said in domain controller in the cloud for small office?:
Remember, LANLess is the desire now.. so no local servers unless absolutely required - use things like ODfB or Nextcloud.
-
@larsen161 said in domain controller in the cloud for small office?:
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.
It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.
Do you have a sample policy (or just that part) that you could share to replace the complexity and change requirement?
-
@mike-davis This is what we're meant to be doing before mainstream media makes it popular
I don't have a sample policy but that should be easy to change. Take the requirement for complexity away, give users more characters to use (unicode), require slightly longer password lengths (10+ for example) and enforce 2FA through physical keys if possible (not sms or app based to remove social engineering aspect of obtaining a code), check passwords against dictionary words.
There's a lovely 2011 study from CMU Of Passwords and People: Measuring the Effect of Password-Composition Policies that goes on to say quite a lot supporting the NIST publication
- "Less predictably, basic16 proved better than the comparable strength comprehensive8 in several respects."
- "The comprehensive8 policy condition proved by far the most difficult, as only 17.7% of users in this condition could create a password in one try. By contrast, 52.7%, 56.6%, 88.6%, and 84.8% of participants in the basic16, dictionary8, basic8, and basic8survey conditions respectively created an acceptable password in one try."
- "A significantly greater proportion (50%) of comprehensive8 participants stored their passwords than in all other conditions; and basic16 participants were significantly more likely to store (33%) than basic8 and basic8survey participants (26% and 17% respectively)"
-
@mike-davis said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.
It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
Having a policy that just that says, we will make users have a password and advise them to never share with anyone sounds so much simpler.
-
There's a follow up study to that other one I linked to from the same/similar group of people at CMU: Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms
-
@mike-davis said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.
It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.
Do you have a sample policy (or just that part) that you could share to replace the complexity and change requirement?
That's been very well known in IT for a very long time that that mass media backwards security policy was wrong. Sure, in Hollywood they are still just figuring that out, but in IT it's been understood that rapid password changes were a direct attack on security for a decade or more. Really, ever since they were first implemented. That there are things like minimum password change lengths and stuff like that are actually demonstrable proof that the system was known to be flawed in that way. So that goes back to 2000 at a minimum in the official MS documents.
-
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
HIPAA just requires "good practice", nothing specific.
-
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
-
@dashrender I'm not trying to understate it, just using the HIPAA terms, it's either addressable or required. definitions of the terms
-
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?