Technologies Begging to be Ransomwared
-
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
Consider many devices to one user.That's the same thing, twice.
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get there stuff. A centralized authentication solution provides this ability to me.
I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.
But what do you do about creating the user accounts themselves?
A key requirement for me is that a user be able to lock the computer while apps are running to prevent anyone else from gaining access to those apps.
If windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - windows is required.
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
Consider many devices to one user.That's the same thing, twice.
yeah, I realize that now... I've updated my first post.
-
@dashrender said in Technologies Begging to be Ransomwared:
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get there stuff. A centralized authentication solution provides this ability to me.So does decentralized. Centralized doesn't stop it, but also doesn't enable it. AD isn't giving you that ability, you always have it. You just use AD, so you perceive AD as providing a feature. That's the sales pitch for AD.... selling you things you already had and probably don't really want.
Not that central password management isn't nifty keen, but it's also a ransomware vector. So I don't want it. not that I don't want to pay for it, I do not want it installed in my environment. I can do it for free without Windows AD and I don't, because I see having it deployed to be a negative that adds risk and management overhead.
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
-
@dashrender said in Technologies Begging to be Ransomwared:
If windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - windows is required.
Windows session for the same effect?
-
@dashrender said in Technologies Begging to be Ransomwared:
I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.
But what do you do about creating the user accounts themselves?It does the user accounts the same as everything else. This is how my team primarily does user management today.
-
@dashrender said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
You missed one part though - the creating that user's account on all of those devices.
AD allows a user to log into any computer joined to AD (at least by default it does). If I have 20 computers spread out at several different offices front desks, I need those 20 people to be able to log into any of them and get there stuff. A centralized authentication solution provides this ability to me.
I'll absolutely give you that scripting solves the rest of the issues - i.e. mapped printers, NC/GD, etc.
But what do you do about creating the user accounts themselves?
A key requirement for me is that a user be able to lock the computer while apps are running to prevent anyone else from gaining access to those apps.
If windows wasn't required - I might consider a Linux based Terminal server and have everyone run remote sessions. Then they could just disconnect from the session and reconnect to it from anywhere....but - windows is required.
The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.
But, a major factor in all this ransomware is the fact that nobody should have "full" permissions to to the data in a mapped drive in the first place.
-
@obsolesce said in Technologies Begging to be Ransomwared:
The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.
You decomm'ed AD and did away with local accounts? Then how did you log in?
-
@dashrender said in Technologies Begging to be Ransomwared:
@obsolesce said in Technologies Begging to be Ransomwared:
The last two enterprises I was at we decommissioned AD and did away with local accounts. Totally not needed anymore with Windows.
You decomm'ed AD and did away with local accounts? Then how did you log in?
AAD
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
-
@hobbit666 said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
Have you not used Salt or Ansible? It's one file to set user information and then deploy that to any arbitrary group of computers you want.
-
@travisdh1 said in Technologies Begging to be Ransomwared:
@hobbit666 said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
Have you not used Salt or Ansible? It's one file to set user information and then deploy that to any arbitrary group of computers you want.
I haven't - I haven't been in an environment that it would have been possible to even suggest it. Now that I am in the Private sector again - I MIGHT be able to . But that would be a heavy load to work with right now.
-
@travisdh1 said in Technologies Begging to be Ransomwared:
@hobbit666 said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
Have you not used Salt or Ansible? It's one file to set user information and then deploy that to any arbitrary group of computers you want.
yeah I haven't yet either, but it's a tool that allows you to break free from the likes of AD for centralized management.
But if you are deploying the same usernames/passwords to all 20 machines, then when one is compromised, all 20 are.
-
@dashrender said in Technologies Begging to be Ransomwared:
But if you are deploying the same usernames/passwords to all 20 machines, then when one is compromised, all 20 are.
How? because you cannot remotely log in to all the machines.
You didn't make those all admin account did you? -
@dashrender said in Technologies Begging to be Ransomwared:
@travisdh1 said in Technologies Begging to be Ransomwared:
@hobbit666 said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
Have you not used Salt or Ansible? It's one file to set user information and then deploy that to any arbitrary group of computers you want.
yeah I haven't yet either, but it's a tool that allows you to break free from the likes of AD for centralized management.
But if you are deploying the same usernames/passwords to all 20 machines, then when one is compromised, all 20 are.
I'd just use Jumpcloud. It's purpose made for this. Ansible on windows is annoying. Jumpcloud is cross platform and just works.
-
@jaredbusch said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
But if you are deploying the same usernames/passwords to all 20 machines, then when one is compromised, all 20 are.
How? because you cannot remotely log in to all the machines.
You didn't make those all admin account did you?Exactly. How would it compromise them because they are all different machines, not connected together, with different accounts. If your computer that you are on now is compromised it does not impact my computer because there is nothing tying them together. That's the issue with AD and mapped drives, they are technologies for attaching machines together.
-
@dashrender said in Technologies Begging to be Ransomwared:
But if you are deploying the same usernames/passwords to all 20 machines, then when one is compromised, all 20 are.
It's not AD. Don't just assume AD problems happen to all technologies, they don't. Yes, having shared passwords and accounts increases risk, a lot. But not to the degree you are assuming. It's not automatic like that.
First, just because something doesn't 100% fix AD doesn't make it bad. There is always some risk.
Two, AD assumes that the computers are able to communicate with one another. Other technologies do not necessarily assume that. They might, but they might not. With AD the computers have to have shared communications through mapped drives, even if only the management drive. But most tech does not require that and can have shared users and passwords without creating shared exposure. Compromising system A does not necessarily allow you to even find System B, let alone access it.
-
@hobbit666 said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
What do you mean, it's a script. The script would create the accounts and set the passwords on every machine, probably in seconds. Even a thousand computers would only take a couple seconds in most cases. Faster than AD, most likely.
-
@obsolesce said in Technologies Begging to be Ransomwared:
But, a major factor in all this ransomware is the fact that nobody should have "full" permissions to to the data in a mapped drive in the first place.
this is the key. Local or remote accounts are kind of all the same. It's the data exposure issue that is the problem. Traditional AD and mapped drives, while it didn't HAVE to do this, was designed around the assumption that you limit only what you absolutely have to, not provide access only to what is absolutely necessary. And you provide access at the file level, rather than the application level. So the potential for damage is high and the potential for protection is low.
-
@stacksofplates said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
@travisdh1 said in Technologies Begging to be Ransomwared:
@hobbit666 said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
If, for whatever reason, you need lots of users on lots of machines there are ways to do that. Like a simple script of net user and voila, 20 users and 100 machines, as fast or faster than AD will do it. And without the confusing caching and time out issues.
So how does that create the 20 users on all 100 machines?
Have you not used Salt or Ansible? It's one file to set user information and then deploy that to any arbitrary group of computers you want.
yeah I haven't yet either, but it's a tool that allows you to break free from the likes of AD for centralized management.
But if you are deploying the same usernames/passwords to all 20 machines, then when one is compromised, all 20 are.
I'd just use Jumpcloud. It's purpose made for this. Ansible on windows is annoying. Jumpcloud is cross platform and just works.
I haven't used Jumpcloud because the free tier is so limited, even for my home lab I'd have to pay.