I haven't seen anything. A quick google didn't come up with anything either. Would be interested in knowing if this is true or not. I have to think SCCM is getting thrown under the bus. Just like it was SCCM's fault when someone wipes an entire network out.
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd Sent: Thursday, April 30, 2015 9:11 AM To: [email protected] Subject: [mssms] FW: [ActiveDir] Virtual Domain Controllers Just because I didn't see, or may have missed it, does anybody here have the details about the Sony intrusion that this post on ActiveDir about virtualizing DC's talks about that seemingly throws SCCM under the bus? Todd -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Robert Singers Sent: Thursday, April 30, 2015 3:09 AM To: [email protected] Subject: Re: [ActiveDir] Virtual Domain Controllers Security isn't just about scary people hacking you. Virtualising all of your DCs brings them all within (generally) one protection boundary. If you want to take Sony as an example, because the SCCM administrator was successfully targeted, every machine under the control of SCCM was compromised and damaged. So your hypervisor doesn't need to be hacked, just one person with admin rights. One person successfully targeted and all of your DCs are within external control or gone completely. That's not an argument not to virtualise, but you need to seriously look at what compensating controls you can put in place. If I was accountable for an environment I'd always keep at least one physical DC in a location that the hypervisor administrators couldn't access. On 30 April 2015 at 19:43, Dan Johnson <[email protected]> wrote: > The arguments against not being 100% virtual are usually advanced as > either ‘what if the VM infrastructure can’t start without AD?’ or > ‘what if the hypervisor is compromised and all hosts are rendered inactive?’ > > > > For the first one, this isn’t a problem on vmware but could be on hyper v. > For the second, I consider it a pretty small probability that the > hypervisor gets hacked as it’s a tiny component with minimal attack > surface. In any case if you have multiple clusters both these issues are > mitigated somewhat. > > > > I usually propose all virtual to clients, but if they were a small > shop and/or wanted to put all their DCs on one single vsphere (or > hyperv) cluster I’d suggest a physical as well just to mitigate risk of > failure. > > > > Dan > > > > From: [email protected] > [mailto:[email protected]] On Behalf Of Amanda Hobbs > Sent: 29 April 2015 23:52 > To: activedir > Subject: [ActiveDir] Virtual Domain Controllers > > > > Hey > > > > Do any list members run their entire Active Directory on virtual > domain controllers or run a mixture? > > > > Regards > > > > Amanda -- Robert Singers e: [email protected] List info: http://www.activedir.org/List.aspx
