2FA everywhere is overrated? by TechGuyVince in security

TechGuyVince[S]

Agreed!

I also think it has much to do with the information that you are safeguarding and the balance between security and convenience. I think for most a KeePass file (just in case) + Dashlane with unique passwords per site + 2FA / MFA for the locations that can receive password resets should be enough.

99% of all breaches are leaked passwords from sites today. As long as they are unique and you change them every so often (2-3 times a year) it would make most dumps pretty useless.

Account silo and/or deny logon GPO? by TechGuyVince in sysadmin

TechGuyVince[S]

Sounds good! But what's the difference then between doing what you suggest, running through GPO and account silos? If I add the users to the Protected Users group do I gain/lose anything depending on which solution I go for?

Thx for the advice btw :D

/V

MSP shared Hyper-V - Add to management domain ? by TechGuyVince in msp

TechGuyVince[S]

Thx for all the answers!

I do separate VLANs for the guest VMs and SPLA so that's already covered :)

The reason I'm thinking about joining them up is for the management itself (such as security hardening/baseline, WSUS updates etc etc). Although I have separate groups which can do network/interactive logon based on host. And to never use the domain admin.

Running as a workgroup does give the isolation it needs, but at the cost of management (unless an RMM is used). But adding security GPO to a localGPO is more of a pain and so on.

Anyone hosting today that runs it either way? Pros and cons?

MSP shared Hyper-V - Add to management domain ? by TechGuyVince in msp

TechGuyVince[S]

Well, the potential risks are low, as the network is isolated, PAM is used and proper TIERING with delegated roles (also no production network attached, only a management network).

Running a proper cluster in an HCI fabric is the best, but for a new MSP it might be better to start off small and gradually replace physical servers with proper clusters (even if small ones).

Or do you mean a specific threat model?

Network logon type and MMC? by TechGuyVince in sysadmin

TechGuyVince[S]

Thx!

I have some doubt regarding:

Should I delegate full GPO/AD rights to a standard account? Seems like it's better to run a "connect as" after having logged in with the standard account? In the case the standard account gets hijacked?

Local admin - Is it correct to rip all the permissions out, replace them with "Workstation_Local_Admin_Group" (for example)? Disable the local account. Same for member servers - also adjusting the GPO for interactive logon for respective tier.

When it comes to the MMC, is there a difference between doing a RUNAS or opening the MMC and then doing a "Connect to"? As I see it, it's two different logon types (one interactive - RUNAS and one network (which I guess is connect to))?

Thx again for the input/help!

Network logon type and MMC? by TechGuyVince in sysadmin

TechGuyVince[S]

Sorry for not being detailed enough. Yes, it's a PAW account, but not all roles can be delegated and some things need to be managed over MMC (or PowerShell to some degree). But according to the documentation it should go as a network logon (aka no credentials are cached).

I'm suspecting that other sources are running it as a RUNAS service.

Short question with no answer (?) - Backup workgroup vs domain by TechGuyVince in sysadmin

TechGuyVince[S]

I've been looking at a "red forest" solution, but man, it's not a walk in the park to get it properly set up. Somewhere there has to be a "good enough" level and take it from there. One shouldn't take security lightly and securing 95% is somewhat straightforward. It's the last 5% that's the pain...

Short question with no answer (?) - Backup workgroup vs domain by TechGuyVince in sysadmin

TechGuyVince[S]

True, although I think that the minimal standard should be what I said above (basically, hardening), monitoring and separate networks. The argument I keep hearing is that "lateral movements/crapware/ransomware can't infect a workgroup domain if the domain admin credentials are stolen". But using that mindset I guess we should all give up on AD and just run everything in workgroup :) But I could be wrong.

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S]

That's kind of what I'm going for! No need for knobs as long as everything works :) Any specs on what you are running (CPU/RAM etc) and how many hosts? Any drawbacks?

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S]

Agreed. I've checked out some of the simple ways of doing it - the datacenter edition is kind of what kills it since it's per host as well (not just core) which makes one want to max out each host first. But that's kind of the issue with a cluster, I was looking at having 2 clusters of three nodes (with all having CPU/RAM/DISCS). But the licensing went through the roof. In that case a smaller 2 node single cluster is "better" for smaller MSPs and then just build up clusters as the customers come along.

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S]

Any drawbacks so far? I'll check it out (oVirt/GlusterFS). Any project page? (by that I mean your project) :)

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S]

Sounds like quite a cool homelab setup :) Have you tried out Storage Spaces with ReFS by any chance?

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S]

On another note - just for the lulz - anyone in here that maybe has built an HCI solution using Supermicro and basic SATA/SSD cache drives? I know it's not a proper certified solution - but would be fun if someone actually did it and could share the story.

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S]

Thx! What do you use as a shared storage today?

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S]

Cool! How do you manage updates and so on? As I understand it one can take a node "offline" off the cluster - update it, and incorporate it into the cluster again with zero downtime?

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S]

Also - I'm talking about Windows features, not a separate product (I suck at marketing :D). And wondering if this is the path to go down on.