Technologies Begging to be Ransomwared
-
@dashrender said in Technologies Begging to be Ransomwared:
Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them.
Not like a mapped drive, they cannot. Totally different. Still a risk to be considered, but an extremely different one. This is the dangerous kind of thinking that makes people feel like mapped drives might make sense when they simply do not.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Most of these technologies (and mostly with mapped drives, too) there are ways to have this be extremely transparent. But mapped drives tend to expose the file server in ways that sync clients do not.
-
@jaredbusch said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
@travisdh1 said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solutionSolving the shared files bit it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use webdav to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 webdav was so slow it was unusable).
Of course they can be.. but Webdav is no different than SMB when it comes to ransomware.
So if you're going to go that route - why change? I mean other than there are no licenses involved.
Because it removes AD. Sure the infected user can still infect the mapped drive. But that's it. No AD giving access to everything.
Exactly. It's AD + Mapped Drives that becomes the biggest problem. The two together exacerbate security issues to an extreme degree. The idea is this transparent access to everything, from everywhere, in file form. It's like having all the money just in a big pile on the kitchen table. Of course it is quick and easy and convenient. And all those things also mean hard to track and secure.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course they can be.. but Webdav is no different than SMB when it comes to ransomware.
At a protocol level, yes. In any meaningful way, no. Mapped drives from NextCloud are quite different than mapped drives from Windows. You can go to great lengths to make them behave similarly, but by default, they are quite different with security wins going strongly to NextCloud (or similar tech.)
-
@dashrender said in Technologies Begging to be Ransomwared:
I'd love to see some proposed replacement solutions to this situation.
Consider a one to one device to user.
Consider a one user to many devices.
Consider many devices to one user.
Assume the ability to lock the workstation is a requirement in all cases.
The problem here is that naturally AD and mapped drives do nothing to aid these situations. So you can "replace them" simply by "never having them." It's literally that simple.
Imagine the question in reverse. Ask "since all these things are handled to easily without AD or mapped drives, tell me how I could use these MS technologies and still have all these things I've always had without them!"
Seems silly, right? All of those use cases have no dependency or special tie to AD. AD doesn't "do" anything special. It's not like replacing gluten in a dough recipe where it performs a specific and necessary task that has to have an alternative if you use gluten (and gluten serves no purpose but that one thing.) AD has no role in those scenarios, so asking for the replacement has no clear answer because there's no problem to solve.
-
@dashrender said in Technologies Begging to be Ransomwared:
Assume the ability to lock the workstation is a requirement in all cases.
In your particular scenario, I suspect that there is no need for this. You need to lock applications, but not the screen. Doing a physical lock, rather than a logical one, seems counterintuitive. What function does this serve as the data and data sharing requirements are naturally and appropriately handled elsewhere without blanking the screen. Nothing wrong with having a screen lock, but why is the operating system considered important to hide rather than data?
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
You need to lock applications, but not the screen
There is no function in any EMR to lock the application so nothing is visible.
Would be a nice feature. So the easy answer if you lock the screen.
-
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
-
@jaredbusch said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
You need to lock applications, but not the screen
There is no function in any EMR to lock the application so nothing is visible.
Would be a nice feature. So the easy answer if you lock the screen.
There is, just choosing the wrong EMR is the bigger issue. Plus they use RDP, so another layer of locking options.
-
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
Consider many devices to one user.That's the same thing, twice.
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get there stuff. A centralized authentication solution provides this ability to me.
I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.
But what do you do about creating the user accounts themselves?
A key requirement for me is that a user be able to lock the computer while apps are running to prevent anyone else from gaining access to those apps.
If windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - windows is required.
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
Consider many devices to one user.That's the same thing, twice.
yeah, I realize that now... I've updated my first post.
-
@dashrender said in Technologies Begging to be Ransomwared:
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get there stuff. A centralized authentication solution provides this ability to me.So does decentralized. Centralized doesn't stop it, but also doesn't enable it. AD isn't giving you that ability, you always have it. You just use AD, so you perceive AD as providing a feature. That's the sales pitch for AD.... selling you things you already had and probably don't really want.
Not that central password management isn't nifty keen, but it's also a ransomware vector. So I don't want it. not that I don't want to pay for it, I do not want it installed in my environment. I can do it for free without Windows AD and I don't, because I see having it deployed to be a negative that adds risk and management overhead.
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
-
@dashrender said in Technologies Begging to be Ransomwared:
If windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - windows is required.
Windows session for the same effect?
-
@dashrender said in Technologies Begging to be Ransomwared:
I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.
But what do you do about creating the user accounts themselves?It does the user accounts the same as everything else. This is how my team primarily does user management today.
-
@dashrender said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get there stuff. A centralized authentication solution provides this ability to me.
I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.
But what do you do about creating the user accounts themselves?
A key requirement for me is that a user be able to lock the computer while apps are running to prevent anyone else from gaining access to those apps.
If windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - windows is required.
The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.
But, a major factor in all this ransomware is the fact that nobody should have "full" permissions to to the data in a mapped drive in the first place.
-
@obsolesce said in Technologies Begging to be Ransomwared:
The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.
You decomm'ed AD and did away with local accounts? Then how did you log in?
-
@dashrender said in Technologies Begging to be Ransomwared:
@obsolesce said in Technologies Begging to be Ransomwared:
The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.
You decomm'ed AD and did away with local accounts? Then how did you log in?
AAD
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
-
@hobbit666 said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
Have you not used Salt or Ansible? It's one file to set user information and then deploy that to any arbitrary group of computers you want.