I have seen more than one customer running 100% virtual domain controllers. It depends on the requirements. Hypervisor version and OS version are important considerations. USN integrity was addressed in 2012 with the VM Generation ID (I think msDS-GenerationID is the attribute), which must be exposed and supported at the host level. Disable time synchronization with the host.

Separately, my opinion is that server management accounts and endpoint management accounts in ConfigMgr should be separate accounts at a minimum.

Mark

On Thu, Apr 30, 2015 at 6:37 AM, elsalvoz <[email protected]> wrote:
> As security measure, SCCM administrators should not have access to DCs. This is the standard I followed and companies that I have worked for.
>
> This is not saying SCCM was the link to Sony's hack or have not read anything previously that would point to that.
>
> Cesar A
>
> On Apr 30, 2015 6:30 AM, "John Aubrey" <[email protected]> wrote:
>
>> I haven't seen anything. A quick google didn't come up with anything either. Would be interested in knowing if this is true or not. I have to think SCCM is getting thrown under the bus. Just like it was SCCM's fault when someone wipes an entire network out.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
>> Sent: Thursday, April 30, 2015 9:11 AM
>> To: [email protected]
>> Subject: [mssms] FW: [ActiveDir] Virtual Domain Controllers
>>
>> Just because I didn't see, or may have missed it, does anybody here have the details about the Sony intrusion that this post on ActiveDir about virtualizing DCs talks about that seemingly throws SCCM under the bus?
>>
>> Todd
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Robert Singers
>> Sent: Thursday, April 30, 2015 3:09 AM
>> To: [email protected]
>> Subject: Re: [ActiveDir] Virtual Domain Controllers
>>
>> Security isn't just about scary people hacking you. Virtualising all of your DCs brings them all within (generally) one protection boundary. If you want to take Sony as an example, because the SCCM administrator was successfully targeted, every machine under the control of SCCM was compromised and damaged. So your hypervisor doesn't need to be hacked, just one person with admin rights. One person successfully targeted and all of your DCs are within external control or gone completely.
>>
>> That's not an argument not to virtualise, but you need to seriously look at what compensating controls you can put in place.
>>
>> If I was accountable for an environment I'd always keep at least one physical DC in a location that the hypervisor administrators couldn't access.
>>
>> On 30 April 2015 at 19:43, Dan Johnson <[email protected]> wrote:
>> > The arguments against not being 100% virtual are usually advanced as either ‘what if the VM infrastructure can’t start without AD?’ or ‘what if the hypervisor is compromised and all hosts are rendered inactive?’
>> >
>> > For the first one, this isn’t a problem on vmware but could be on hyper v. For the second, I consider it a pretty small probability that the hypervisor gets hacked as it’s a tiny component with minimal attack surface. In any case if you have multiple clusters both these issues are mitigated somewhat.
>> >
>> > I usually propose all virtual to clients, but if they were a small shop and/or wanted to put all their DCs on one single vsphere (or hyperv) cluster I’d suggest a physical as well just to mitigate risk of failure.
>> >
>> > Dan
>> >
>> > From: [email protected] [mailto:[email protected]] On Behalf Of Amanda Hobbs
>> > Sent: 29 April 2015 23:52
>> > To: activedir
>> > Subject: [ActiveDir] Virtual Domain Controllers
>> >
>> > Hey
>> >
>> > Do any list members run their entire Active Directory on virtual domain controllers or run a mixture?
>> >
>> > Regards
>> >
>> > Amanda
>>
>> --
>> Robert Singers
>> e: [email protected]
>> List info: http://www.activedir.org/List.aspx
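As an added example (editor's code, not from the thread or any of its authors), the PowerShell below runs the defender-side checks behind the two points Mark makes at the top of the thread: that the hypervisor really exposes a VM Generation ID to each virtual DC (it shows up as the msDS-GenerationId attribute on the DC's computer object; an empty value means snapshot/USN-rollback protection is not in effect), and that the DC is not taking its clock from the host. It assumes the ActiveDirectory RSAT module on the machine running sections 1 and 2, the Hyper-V module on the host running section 3, and the VM names DC01/DC02 are placeholders for your own DC VMs.

```powershell
# Added example, not from the thread. Sections 1 and 2 run on a DC or an admin
# workstation with the ActiveDirectory module; section 3 runs on a Hyper-V host.

# 1. VM Generation ID: every virtual DC's computer object should carry
#    msDS-GenerationId. If it is missing, the hypervisor/OS combination is not
#    exposing the Generation ID and the 2012-era USN rollback protection is inactive.
Import-Module ActiveDirectory
function Get-DcGenerationIdReport {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $obj   = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
        $genId = $obj.'msDS-GenerationId'            # byte[] when present
        [pscustomobject]@{
            DC           = $dc.HostName
            GenerationId = if ($genId) { ($genId | ForEach-Object { $_.ToString('x2') }) -join '' } else { '<none>' }
            Status       = if ($genId) { 'OK: Generation ID exposed' }
                           else        { 'CHECK: no Generation ID (physical DC, or host/guest too old to expose it)' }
        }
    }
}
Get-DcGenerationIdReport | Format-Table -AutoSize

# 2. Host time sync, checked from inside the guest DC. w32tm should report a
#    domain or NTP source, not the hypervisor's VM IC provider, and the
#    VMICTimeProvider should be disabled so the host clock cannot jump the DC.
function Test-DcTimeSource {
    $source = (w32tm /query /source) -join ''
    $vmic   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' `
                               -Name Enabled -ErrorAction SilentlyContinue
    if ($source -match 'VM IC Time Synchronization Provider') {
        "CHECK: DC is taking time from the hypervisor ($source)"
    } elseif ($vmic -and $vmic.Enabled -ne 0) {
        "CHECK: VMICTimeProvider still enabled; set Enabled=0 under that key and restart w32time"
    } else {
        "OK: time source is $source"
    }
}
Test-DcTimeSource

# 3. On the Hyper-V host: report the Time Synchronization integration service
#    for each DC VM and disable it where it is still on. VM names are placeholders.
$dcVmNames = @('DC01', 'DC02')   # hypothetical VM names, replace with your own
foreach ($vm in $dcVmNames) {
    $svc = Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
    if ($svc.Enabled) {
        "$vm : host time sync enabled, disabling"
        Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
    } else {
        "$vm : host time sync already disabled"
    }
}
```

Section 2 is the part worth scheduling: a host-side change (a migrated VM, a rebuilt integration service) can silently re-enable host time sync, and a DC whose clock jumps will fail Kerberos long before anyone looks at the hypervisor settings.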
