> I have debated on putting the tools on an RDS - aka Terminal - Server but
> that just seems wrong even though I could lock those tools down to specific
> users.

If you look you will actually find that recommended in some of the MS Solutions papers and various other white papers. We do it for several different environments. Fairly common practice in a controlled environment, used in combination with IPsec or firewalls. Traffic can be constrained to the management or jump box(es). Especially useful if you have a lot of tools/mgmt. consoles where version control/licensing are an issue.

-----Original Message-----
From: David Lum [mailto:[email protected]]
Sent: Tuesday, February 28, 2012 11:38 PM
To: NT System Admin Issues
Subject: RE: Log on to DC directly

FWIW I do exactly this - workstation VM with all the admin tools installed, as my desktop software load is pretty generic (except for Visionapp Remote Desktop!). Advantages for the management tools VM:

1. Saves me from having to reinstall those when I get a new machine
2. All my OLDCMP.EXE, ADFIND.EXE and other utilities and the batch files that leverage them - and my NWEA-specific hints on how to use them - are in one place for me and fellow admins
3. Fellow delegated admins don't need to ask me how to install said management tools on their systems, they can RDP to that VM
4. New support staff for these roles don't have to install this stuff on their systems
5. When out-of-office I don't need to take a laptop with me or leave my work PC on, I just RDP via RDS to the VM with the tools
6. I can put a new OS on my machine and not worry about having to figure out where all those installers are - I can do it at leisure and stand up a new "tools" VM and take my time reinstalling the admin stuff onto that VM.
7. Any software licensed per device or concurrent user can be purchased as QTY:1 (this doesn't apply to anything installed on ours at the moment, but it could).
8. Tools can run extended and scheduled jobs and not affect my regular workstation
9. Employees in #3 and #4 also never have to go through #1 or #6, and #5 could apply to them
10. It's a VM, backups are easy!

Ben mentioned contention: We haven't had that yet, but if we did frequently I'd disjoin it from the domain, clone, NewSID (I don't care what Mark says about it not being necessary, I see GPO errors if we don't do this) and rename the clone, and join both to the domain - yes, making sure any licensing was handled. Presto, two machines with all the necessary stuff installed/configured.

I have debated on putting the tools on an RDS - aka Terminal - Server but that just seems wrong even though I could lock those tools down to specific users.

In theory I would only RDP to that VM with elevated credentials (I mean, why else am I going there, right?), but I still hit it with my regular creds and elevate when I run the MMC that has DHCP/DNS/ADUC/GP management etc. It's habit!

Mostly it's because I hate reinstalling all my doodads when I get a different machine. Might be a lot of work to avoid reinstalling stuff every 3 years or so, but that's how much I hate trying to re-find all the little utilities that in some cases I only use a couple times/year.

Dave

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Tuesday, February 28, 2012 9:07 PM
To: NT System Admin Issues
Subject: Re: Log on to DC directly

Is that Devil's Advocate, or something else? :)

But that is the $64k question, isn't it.

My thinking is that in theory, a VM has less physical exposure than the laptop I lug around. Credentials can be stolen whether the apps are run on the VM or locally, so that's a wash, but I'm thinking that it'll be less likely for malware, unless it's specifically targeted for my kind of situation, to get snarfed that way.

Don't know for sure - that's why I'm thinking it through, and do welcome the feedback on this.

Kurt

On Tue, Feb 28, 2012 at 17:59, Richard Stovall <[email protected]> wrote:
> <da>
> If the machine you're using to launch the RDP sessions is compromised,
> what's the point? If you trust that machine, why not just run the
> tools directly from it?
> </da>
>
> On Tue, Feb 28, 2012 at 8:47 PM, Ben Scott <[email protected]> wrote:
>>
>> On Tue, Feb 28, 2012 at 6:54 PM, Kurt Buff <[email protected]> wrote:
>> > One other thing that I've been mulling over along with the other
>> > credentials is a set of VMs on which to run them. Want to manage
>> > AD/DNS/WINS/CA? RDP into this Win7 VM with the correct tools on it.
>> > Want to manage AV/WSUS/other workstation stuff? Log into that Win7
>> > VM over there with those tools on it. Lather, Rinse, Repeat. Then
>> > my laptop would be just another end-user station, with much reduced
>> > chances of getting my elevated credentials compromised.
>>
>> Hmmm. Interesting idea. Definitely some advantages.
>>
>> You mention RDP. So does that mean a bunch of VMs running all the
>> time on some other box somewhere? If not, why RDP? If yes, are
>> those VMs all shared between the admin team, or are they dedicated to
>> one body? If the former, how do we handle contention? If the latter,
>> why not just run them on one's own end-user station?
>>
>> Questions posed for mulling purposes. :-)
>>
>> -- Ben
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
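The first reply above recommends constraining management traffic so that it can only originate from the jump box(es). As an added illustration, not written by any of the posters, here is the host-firewall half of that on a managed server: inbound RDP is permitted only from the jump-box addresses and the stock any-source Remote Desktop rules are disabled, so that a compromised admin laptop (Richard's objection) has no direct path to the server and must go through the box the team actually controls. It assumes the NetSecurity cmdlets shipped with Windows 8 / Server 2012 and later (the thread predates them), an elevated session on the managed host, and the jump-box addresses are constructed placeholders.

```powershell
# Added example: limit inbound RDP on a managed server to the management/jump boxes.
# Not from the thread; requires the NetSecurity module (Windows 8 / Server 2012+).
# The addresses below are constructed placeholders, not real hosts.
$JumpBoxes = @('10.0.50.10', '10.0.50.11')
$RuleName  = 'RDP from jump boxes only'

# Remove any earlier copy of our rule so re-running the script stays idempotent.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Explicit allow: TCP 3389, Domain profile, remote scope = the jump boxes only.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $JumpBoxes -Profile Domain -Action Allow | Out-Null

# Disable the built-in "Remote Desktop" group, whose rules accept any source address.
# Without this step the explicit rule above would be redundant.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Verification: every enabled inbound rule that touches 3389, with its remote scope.
# After the change only our rule should remain, listing just the jump-box addresses.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

In practice this belongs in a GPO scoped to the servers rather than run host by host, and it is an address-based control: anything that can source packets from a jump-box address gets through. The IPsec variant the reply also mentions (connection security rules via New-NetIPsecRule, with the firewall rule requiring authenticated connections) binds the exception to machine identity instead of address, which this example does not attempt.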
