
Active Directory Question(s)

I've been seeing more and more of a need for us to use Active Directory at work. The biggest concern for us in moving to it, however, is security.

Everyone here would be new to it and we're all a little uncomfortable with having all of our computers essentially completely controlled from a central location -- what is out there to protect ourselves? And if it does get attacked in /some/ way, can we do anything to limit what an attacker could do?

Have there been incidents with Active Directory in the past?

We have a couple hundred computers and are about to move 95% of them to Windows 10, and with Windows 10 automatic update showing no mercy I'm not really seeing anything else we can do at this point to have true control of our users' PCs. Not to mention our bandwidth... we can't have PCs constantly downloading updates; it will be a nightmare.

 

Any general concerns/questions/suggestions/solutions are also very much appreciated. I'm tired of pulling my hair out over this.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown


Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


Active Directory is a security improvement. Just the user management alone is an imaginable improvement compared to having local user accounts on each computer. You can see exactly what users are on your network. When someone leaves it is very easy to disable or delete their account and remove their access completely, control when passwords expire, etc.

 

How the hell are you managing a couple hundred computers without Active Directory? I have clients that have 10 computers and we are running Active Directory.

 


Just now, bcredeur97 said:

I've been seeing more and more of a need for us to use Active Directory at work. The biggest concern for us in moving to it, however, is security.

Everyone here would be new to it and we're all a little uncomfortable with having all of our computers essentially completely controlled from a central location -- what is out there to protect ourselves? And if it does get attacked in /some/ way, can we do anything to limit what an attacker could do?

Have there been incidents with Active Directory in the past?

We have a couple hundred computers and are about to move 95% of them to Windows 10, and with Windows 10 automatic update showing no mercy I'm not really seeing anything else we can do at this point to have true control of our users' PCs. Not to mention our bandwidth... we can't have PCs constantly downloading updates; it will be a nightmare.

 

Any general concerns/questions/suggestions/solutions are also very much appreciated. I'm tired of pulling my hair out over this.

If you're worried about the bandwidth of updates, you should run WSUS, which will give you central control of which updates are deployed to your machines and when. Active Directory enables centralised access to network resources, but it doesn't prevent local logins if needed. If people use their own machines, they can be domain joined but still have local accounts. Use technologies like Windows Defender Credential Guard to ensure business data that's available when domain joined cannot be exfiltrated when running in local user mode. You have advanced control over who can join the network, and you can ensure devices are vetted (virus scans, policy validation, etc.) before gaining access to network resources.

 

The short answer to your question is: hire an expert. Sorry. If it was a small business with no more than 20 machines I can see using trial and error, but not for deployment over hundreds. You need someone who understands these technologies inside and out to ensure this doesn't go extremely badly.

 

If you really want to get into the nitty gritty yourself, you'll want to start with some in-depth books like https://www.amazon.co.uk/Active-Directory-Designing-Deploying-Running/dp/1449320023


8 minutes ago, Catsrules said:

Active Directory is a security improvement. Just the user management alone is an imaginable improvement compared to having local user accounts on each computer. You can see exactly what users are on your network. When someone leaves it is very easy to disable or delete their account and remove their access completely, control when passwords expire, etc.

 

How the hell are you managing a couple hundred computers without Active Directory? That is insane. I have clients that have 10 computers and we are running Active Directory.

 

Improvement, you say... but we can't help but imagine the catastrophe that would ensue if someone were to get to the central location the computers are controlled from.

Also, how do you prevent downtime? What if the server goes down? Can no one work? Do you need two servers in two different locations to keep a reasonably sized company like ours in action?

 

We manage a couple hundred computers by simply making master images, making computers clones of each other depending on the person... After that, computers are just given to users; their usernames are changed, their personal passwords are applied, any software they need is put on the machines, and after that they are set to go. It's quite a labor intensive process, but it does work.

Previously we would push out updates with a KACE K1000, but since Windows now gets updates whether you like it or not... we know we need a WSUS server to get real control. But since that requires Active Directory we are a bit reluctant to do it.

I personally would not mind a move to AD. I think it would be helpful... but I don't really know enough to really convince anyone else that it is a good move. Again, the biggest focus is on security.


Active Directory would be safer, in the sense that you wouldn't have users with local admin to do whatever they wanted. You could also integrate it with a proxy to increase your web security as well, and you would know the machines are up to date as far as patches.

 

As for Windows 10 "Automatic Updates", that's not a thing on domains. You set your Group Policies, and set up an SCCM/WSUS server to push updates to your Windows 10 machines. Typically you push Defender updates daily, Microsoft security roll-ups monthly, and there's an annual release for major version upgrades, which you might want to do once a year as a package via Configuration Manager - the latest is 1709.

 

You can truly control who has admin access to their machine, what they can install on it or what folders they can access, where programs can run from, etc. If anything, you're adding security. You just need to ensure that you properly secure your AD forest, e.g. have Domain Admin groups and strong passwords for local admin accounts on the AD servers, and put the right policies in place for the various domain roles. Also you should have a minimum of 2 AD servers, if not 3, in a forest of that size for maintaining integrity of your directory database, and make sure you have a tested backup system. The last thing you want is to not have a restore point should something happen to your forest.

 

You should also typically restrict the services that run on the AD controllers. For a domain that size you'd probably want Active Directory, DHCP & DNS on there. Everything else should be on different servers. 

 

Keep in mind, you don't need to lock absolutely everything down. You could allow everyone local admin on desktop machines so they can do whatever they like to them, as they currently do. But essentially you're just centralizing authentication and updates.


Desktop: Ryzen9 5950X | ASUS ROG Crosshair VIII Hero (Wifi) | EVGA RTX 3080Ti FTW3 | 32GB (2x16GB) Corsair Dominator Platinum RGB Pro 3600Mhz | EKWB EK-AIO 360D-RGB | EKWB EK-Vardar RGB Fans | 1TB Samsung 980 Pro, 4TB Samsung 980 Pro | Corsair 5000D Airflow | Corsair HX850 Platinum PSU | Asus ROG 42" OLED PG42UQ + LG 32" 32GK850G Monitor | Roccat Vulcan TKL Pro Keyboard | Logitech G Pro X Superlight  | MicroLab Solo 7C Speakers | Audio-Technica ATH-M50xBT2 LE Headphones | TC-Helicon GoXLR | Audio-Technica AT2035 | LTT Desk Mat | XBOX-X Controller | Windows 11 Pro

 


Server: Fractal Design Define R6 | Ryzen 3950x | ASRock X570 Taichi | EVGA GTX1070 FTW | 64GB (4x16GB) Corsair Vengeance LPX 3000Mhz | Corsair RM850v2 PSU | Fractal S36 Triple AIO | 12 x 8TB HGST Ultrastar He10 (WD Whitelabel) | 500GB Aorus Gen4 NVMe | 2 x 2TB Samsung 970 Evo Plus NVMe | LSI 9211-8i HBA

 
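The checks the post above recommends (more than one domain controller, a tight grip on the Domain Admin groups) as an added read-only PowerShell example; this is not code from the thread and assumes the RSAT ActiveDirectory module and an account that can read the directory:

```powershell
# Added example, not from the thread: a read-only AD hygiene report.
# Assumes the RSAT ActiveDirectory module is installed on a domain-joined machine.
Import-Module ActiveDirectory

function Get-AdHygieneReport {
    param([int]$MinimumDomainControllers = 2)

    $dcs = @(Get-ADDomainController -Filter *)
    # Built-in groups whose membership should be small and reviewed regularly
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

    $membership = foreach ($group in $privileged) {
        # -Recursive expands nested groups so indirect members are counted too;
        # Enterprise/Schema Admins only exist in the forest root, hence SilentlyContinue
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group       = $group
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object SamAccountName) -join ', '
        }
    }

    [pscustomobject]@{
        DomainControllers = $dcs.Count
        EnoughControllers = ($dcs.Count -ge $MinimumDomainControllers)
        ControllerNames   = ($dcs | ForEach-Object HostName) -join ', '
        PrivilegedGroups  = $membership
    }
}

$report = Get-AdHygieneReport
if (-not $report.EnoughControllers) {
    Write-Warning "Only $($report.DomainControllers) domain controller(s) found; two or more are recommended."
}
"Domain controllers: $($report.ControllerNames)"
$report.PrivilegedGroups | Format-Table -AutoSize
```

Run it periodically and compare the privileged-group membership against the last run; any account that appears in Domain Admins without a change ticket is worth a question.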


20 hours ago, bcredeur97 said:

Also, how do you prevent downtime? What if the server goes down? Can no one work? Do you need two servers in two different locations to keep a reasonably sized company like ours in action?

You can assign secondary controllers that can automatically take up the load if the primary is down. You can also load balance across multiple servers if you have a high load. You can also assign different tiering to servers so they can manage segments of a domain and are controlled by the main servers.

 

Since this is for work it's really best to hire a consultant to at least evaluate your network and provide recommendations. They will be able to explain to you what features and services are available to help you manage your systems, and also help you set it up so that you can minimize any impact to your production machines.


Research a bit on the topic called Failover Cluster. If your top concern is high availability then I would recommend you virtualize your server infrastructure and take leverage of Hyper-V's functionality for HA. Another, more complicated path would be hyperconvergence, with an implementation of a Storage Spaces Direct hyper-converged cluster in VMM.

 

You will definitely want to spend or repurpose hardware to actually have dedicated servers for all this. If you want to go traditional it would be Virtualization+Servers+SAN or if you want to go more tech adopter it would be hyper-convergence. The best route for you would be to call in vendors/partners (solution integrators) and have them do demos of the technologies available (Nutanix, VMWare, Dell, Microsoft, Simplivity, HP, etc..) as well as talk to you about prices. 

 

High availability is not cheap, but it's marvelous when it functions correctly. As a plus, if there is spare cash, invest in a backup solution; backups should always be done.

 

@leadeater my friend, would you add anything else to this topic?


On 5/25/2018 at 4:29 AM, bcredeur97 said:

Improvement, you say... but we can't help but imagine the catastrophe that would ensue if someone were to get to the central location the computers are controlled from.

That's more of an access control issue: just don't make every account a domain admin and they won't be getting on your AD servers. In fact it's best to not use any of the default groups in AD; create your own and delegate the required permissions for exactly what the group is for, creating groups for singular tasks or roles. You can make groups members of other groups, so you can have a finance group for finance users, and that finance group is a member of other groups that give access to the finance share, the finance application, etc.

 

Basically a least privilege model: give as little as possible to any one entity, including a group.

 

On 5/25/2018 at 4:29 AM, bcredeur97 said:

Also, how do you prevent downtime? What if the server goes down? Can no one work? Do you need two servers in two different locations to keep a reasonably sized company like ours in action?

Minimum would be two physical servers, even in the same room. It depends on what you're trying to mitigate: a server failure is easy, but something worse like a power outage/fire or something that affects the physical location of the servers is harder, so it would require servers in different locations. How much are you willing to protect against these? I can't tell you that.

 

Two physical servers running VMware Essentials Plus and an external disk array is a good solution that is something we deployed to almost every client we had, with more physical servers depending on size but the same design concept. We would put a backup NAS in a different building. It's an easy cut-and-paste design, which makes it very easy to support when you have lots of clients in different regions and a lot of technical staff; the more that things are the same, the easier it is going between clients to do work on them. Clients for us being schools.

 

On 5/25/2018 at 4:29 AM, bcredeur97 said:

We manage a couple hundred computers by simply making master images, making computers clones of each other depending on the person... After that, computers are just given to users; their usernames are changed, their personal passwords are applied, any software they need is put on the machines, and after that they are set to go. It's quite a labor intensive process, but it does work.

You can put into your images a local policy to point to a WSUS server; Group Policy isn't actually required to do this. It's ultimately registry values anyway. What I can't remember is if Windows Server will let you install WSUS without AD in your environment; spin up a VM and see if you can.

 

I'd still say implement AD though, but don't rush into it just for WSUS.

 

On 5/25/2018 at 4:29 AM, bcredeur97 said:

I personally would not mind a move to AD. I think it would be helpful... but I don't really know enough to really convince anyone else that it is a good move. Again, the biggest focus is of security.

Does every computer have a local administrator account with the same password? If so you're at more risk due to the lack of auditing that AD gives you. Anyone abusing that account could spread everywhere in your network already, without AD, if that is the case.

 

P.S. I don't work for that support company anymore, haven't since about 2015 (forget exactly when :P), so they do it a little different now as would be expected with that amount of time passing.
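The point above that the WSUS client setting "is ultimately registry values" and can be baked into an image without Group Policy, as an added PowerShell example that is not code from the thread; the WSUS URL and the 03:00 install schedule are assumptions, and the script needs an elevated prompt:

```powershell
# Added example, not from the thread: the registry values behind the
# "Specify intranet Microsoft update service location" policy, written directly.
# Run as administrator. The server URL is a placeholder for your own WSUS host.
$WsusUrl   = 'http://wsus.example.local:8530'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Set-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ServerUrl)

    foreach ($key in $policyKey, $auKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Where to fetch updates and where to report status (normally the same WSUS server)
    Set-ItemProperty -Path $policyKey -Name WUServer       -Value $ServerUrl -Type String
    Set-ItemProperty -Path $policyKey -Name WUStatusServer -Value $ServerUrl -Type String
    # UseWUServer=1: use the intranet server above instead of Microsoft Update
    Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
    # NoAutoUpdate=0 keeps automatic updates on; AUOptions=4 = auto download, scheduled install
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name AUOptions    -Value 4 -Type DWord
    # Install window: day 0 = every day, hour 3 = 03:00 local time (assumed schedule)
    Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord
    Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)][string]$ServerUrl)
    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue
    # True only when the client will actually talk to the intended server
    ($wu.WUServer -eq $ServerUrl) -and ($wu.WUStatusServer -eq $ServerUrl) -and ($au.UseWUServer -eq 1)
}

Set-WsusClientPolicy -ServerUrl $WsusUrl
if (Test-WsusClientPolicy -ServerUrl $WsusUrl) {
    # Ask the Windows Update agent to re-detect so it checks in with WSUS right away
    (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
    'WSUS client policy applied.'
} else {
    Write-Warning 'WSUS client policy did not apply as expected; check the registry keys above.'
}
```

Because these live under HKLM\SOFTWARE\Policies, a later Group Policy object for Windows Update will simply overwrite them once the machine is domain joined, so nothing needs undoing at that point.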


Everyone here was super helpful. I totally didn’t even think about how you could have multiple AD servers and such. 

 

I obviously need to do a LOT of reading, but thank you all so much! This certainly cleared up concerns.

 

And to those who suggested a professional come in and analyze what we have and provide insight into what we need: +1.

 

Now to begin the fun part of learning AD a bit more and putting it all together so I can propose it as soon as we're out of our current "busy" season.


This might not be relevant, but you might like "Microsoft Deployment Toolkit" for imaging a lot of computers at once, especially if you want to automate joining them to AD and loading some basic settings, inputting the key, and apps. It's also free.
