As security measure, SCCM administrators should not have access to DCs. This is the standard I followed and companies that I have worked for.
This is not saying SCCM was the link to Sony ' hack or have not read anything previously that would point to that. Cesar A On Apr 30, 2015 6:30 AM, "John Aubrey" <[email protected]> wrote: > I haven't seen anything. A quick google didn't come up with anything > either. Would be interested in knowing if this is true or not. I have to > think SCCM is getting thrown under the bus. Just like it was SCCM's fault > when someone wipes an entire network out. > > -----Original Message----- > From: [email protected] [mailto: > [email protected]] On Behalf Of Mote, Todd > Sent: Thursday, April 30, 2015 9:11 AM > To: [email protected] > Subject: [mssms] FW: [ActiveDir] Virtual Domain Controllers > > Just because I didn't see, or may have missed it, does anybody here have > the details about the Sony intrusion that this post on ActiveDir about > virtualizing DC's talks about that seemingly throws SCCM under the bus? > > Todd > > -----Original Message----- > From: [email protected] [mailto: > [email protected]] On Behalf Of Robert Singers > Sent: Thursday, April 30, 2015 3:09 AM > To: [email protected] > Subject: Re: [ActiveDir] Virtual Domain Controllers > > Security isn't just about scary people hacking you. Virtualising all of > your DCs brings them all within (generally) one protection boundary. If > you want to take Sony as an example, because the SCCM administrator was > successfully targeted, every machine under the control of SCCM was > compromised and damaged. So your hypervisor doesn't need to be hacked, > just one person with admin rights. One person successfully targeted and > all of your DCs are within external control or gone completely. > > That's not an argument not to virtualise, but you need to seriously look > at what compensating controls you can put in place. > > If I was accountable for an environment I'd always keep at least one > physical DC in a location that the hypervisor administrators couldn't > access. > > On 30 April 2015 at 19:43, Dan Johnson <[email protected]> wrote: > > The arguments against not being 100% virtual are usually advanced as > > either ‘what if the VM infrastructure can’t start without AD?’ or > > ‘what if the hypervisor is compromised and all hosts are rendered > inactive?’ > > > > > > > > For the first one, this isn’t a problem on vmware but could be on hyper > v. > > For the second, I consider it a pretty small probability that the > > hypervisor gets hacked as it’s a tiny component with minimal attack > > surface. In any case if you have multiple clusters both these issues are > mitigated somewhat. > > > > > > > > I usually propose all virtual to clients, but if they were a small > > shop and/or wanted to put all their DCs on one single vsphere (or > > hyperv) cluster I’d suggest a physical as well just to mitigate risk of > failure. > > > > > > > > Dan > > > > > > > > From: [email protected] > > [mailto:[email protected]] On Behalf Of Amanda Hobbs > > Sent: 29 April 2015 23:52 > > To: activedir > > Subject: [ActiveDir] Virtual Domain Controllers > > > > > > > > Hey > > > > > > > > Do any list members run their entire Active Directory on virtual > > domain controllers or run a mixture? > > > > > > > > Regards > > > > > > > > Amanda > > > > -- > Robert Singers > e: [email protected] > List info: http://www.activedir.org/List.aspx > > >
