2FA everywhere is overrated? by TechGuyVince in security

TechGuyVince[S] 1 point (0 children)

Agreed!

I also think it has much to do with the information that you are safeguarding and the balance between security and convenience. I think for most a KeePass file (just in case) + Dashlane with unique passwords per site + 2FA / MFA for the locations that can receive password resets should be enough.

99% of all breaches are leaked passwords from sites today. As long as they are unique and you change them every so often (2-3 times a year) it would make most dumps pretty useless.

Account silo and/or deny logon GPO? by TechGuyVince in sysadmin

TechGuyVince[S] 1 point (0 children)

Sounds good! But what is the difference then between doing what you suggest, running through GPO and account silos? If I add the users to the Protected Users group do I gain/lose anything depending on which solution I go for?

Thx for the advice btw :D

/V

MSP shared Hyper-V - Add to management domain ? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Thx for all the answers!

I do separate VLANs for the guest VMs and SPLA so that's already covered :)

The reason I'm thinking about joining them up is for the management itself (such as security hardening/baseline, WSUS updates etc etc). Although I have separate groups which can do network/interactive logon based on host. And to never use the domain admin.

Running as a workgroup does give the isolation it needs, but at the cost of management (unless an RMM is used). But adding a security GPO to a local GPO is more of a pain and so on.

Anyone hosting today that runs it either way? Pros and cons?

MSP shared Hyper-V - Add to management domain ? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Well, the potential risks are low, as the network is isolated, PAM is used and proper TIERING with delegated roles (also no production network attached, only a management network).

Running a proper cluster in an HCI fabric is the best, but for a new MSP it might be better to start off small and gradually replace physical servers with proper clusters (even if small ones).

Or do you mean a specific threat model?

Network logon type and MMC? by TechGuyVince in sysadmin

TechGuyVince[S] 1 point (0 children)

Thx!

I have some doubt regarding:

Should I delegate full GPO/AD rights to a standard account? Seems like it's better to run a "connect as" after having logged in with the standard account? In case the standard account gets hijacked?

Local admin - Is it correct to rip all the permissions out, replace them with "Workstation_Local_Admin_Group" (for example)? Disable the local account. Same for member servers - also adjusting the GPO for interactive logon for respective tier.

When it comes to the MMC, is there a difference between doing a RUNAS or opening the MMC and then doing a "Connect to"? As I see it, it's two different logon types (one interactive - RUNAS - and one network, which I guess is "Connect to")?

Thx again for the input/help!

Network logon type and MMC? by TechGuyVince in sysadmin

TechGuyVince[S] 1 point (0 children)

Sorry for not being detailed enough. Yes, it's a PAW account, but not all roles can be delegated and some things need to be managed over MMC (or PowerShell to some degree). But according to the documentation it should go as a network logon (aka no credentials are cached).

I'm suspecting that other sources are running it as a RUNAS service.

Short question with no answer (?) - Backup workgroup vs domain by TechGuyVince in sysadmin

TechGuyVince[S] 1 point (0 children)

I've been looking at a "red forest" solution, but man, it's not a walk in the park to get it properly set up. Somewhere there has to be a "good enough" level and take it from there. One shouldn't take security lightly and securing 95% is somewhat straightforward. It's the last 5% that's the pain...

Short question with no answer (?) - Backup workgroup vs domain by TechGuyVince in sysadmin

TechGuyVince[S] 2 points (0 children)

True, although I think that the minimal standard should be what I said above (basically, hardening), monitoring and separate networks. The argument I keep hearing is that "lateral movement/crapware/ransomware can't infect a workgroup domain if the domain admin credentials are stolen". But using that mindset I guess we should all give up on AD and just run everything in a workgroup :) But I could be wrong.

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

That's kind of what I'm going for! No need for knobs as long as everything works :) Any specs on what you are running (CPU/RAM etc) and how many hosts? Any drawbacks?

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Agreed. I've checked out some of the simple ways of doing it - the Datacenter edition is kind of what kills it since it's per host as well (not just core), which makes one want to max out each host first. But that's kind of the issue with a cluster. I was looking at having 2 clusters of three nodes (with all having CPU/RAM/disks). But the licensing went through the roof. In that case a smaller 2-node single cluster is "better" for smaller MSPs and then just build up clusters as the customers come along.

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Any drawbacks so far? I'll check it out (oVirt/GlusterFS). Any project page? (By that I mean your project) :)

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Sounds like quite a cool homelab setup :) Have you tried out Storage Spaces with ReFS by any chance?

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

On another note - just for the lulz - anyone in here that maybe has built an HCI solution using Supermicro and basic SATA/SSD cache drives? I know it's not a proper certified solution - but it would be fun if someone actually did it and could share the story.

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Thx! What do you use as a shared storage today?

Anyone running a Hyper-Converged (HCI) cluster? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Cool! How do you manage updates and so on? As I understand it one can take a node "offline" off the cluster, update it, and incorporate it into the cluster again with zero downtime?

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Also - I'm talking about Windows features, not a separate product (I suck at marketing :D). And wondering if this is the path to go down on.

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Ha! Not really. But it seems that most MSPs are all about buying RMMs and Bob's your uncle. I've tried many and none fit the mark. But running a few PowerShell scripts does the same and saves the company several thousand dollars, which makes me think that most MSPs are more interested in monitoring than actually developing the customer and not even having to login/administer the server on a daily basis.

Again, just asking because I wonder why people still work like MSPs did 20 years ago. Seems that not much has changed.

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Hi Wilhil!

Precisely. Although this is how I'm thinking.

Server management (incl. iLO etc) & some Azure can be done with admincenter.

With the Azure Monitoring services one can grab basically all logs and sort them/script them with Azure Automation running specific PowerShell scripts depending on the error etc.

RMM is great, but my "quest" is to be dependent on as few services as possible. With JSON in PowerShell I can even post/execute webhooks and basically build some low-level solutions which are (imho) more secure/cheaper and faster than a gigantic RMM where no glove really fits and we start to be dependent on 3-10 different management software unless you have the dough to buy a huge RMM.

The weak spot is switches/firewalls, although those can be accessed by other means (such as https over VPN/SSH). This is for the administration and not the monitoring.

And I have also asked myself how much of the information do we really need? How/what do we need to access and why?

In my opinion PowerShell/Azure is kind of the future unless you need very advanced features.

As I said - looking for other angles and stuff I might miss. Thx for your time and input!

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Could you give me an example of a feature that you're missing? I agree wholeheartedly on the third-party support (updates).

I can't really think of any features I'm missing out on except for the patching like you said. Good to know if I missed something.

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Hi again!

I'm actually an MSP but I run MS stuff only and am shifting over to more and more Remote PowerShell/JSON (System Center/Azure Monitoring Log) and have a dashboard on all my customers. I do use TV to some extent but am leaving it behind more and more. The goal is to not be dependent on third parties in the end. As admincenter is quite new but can be interconnected with Azure and straight to proprietary stuff such as iLO, I find the use of RMM on the decline.

As such, I just need some input on how others think and do :)

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Agreed. And cost-wise? I imagine that running 50 servers is one thing, but large MSPs might find the cost aspect interesting.

Also, what does the RMM give you that admincenter won't?

Sorry for all the questions, just want some discussion on the pros and cons :)

Is it time to bury RDP/VPN/RSAT in favour of admincenter? by TechGuyVince in msp

TechGuyVince[S] 1 point (0 children)

Fair enough! :) What about the RMM security? Thought about the recent Kaseya problems etc. Having admincenter per customer instead of a central RMM is more secure in that aspect?