Manage Devices without AD, GPO or an MDM
Hello all,
I have recently joined a company as a system administrator and I am in a dire need of advice.
In the interviews we discussed how it is needed for the company to manage Windows endpoints, apply policies, patch them and make sure that they comply with new regulations.
They told me the RMM that they will use and I took for granted that I will have an AD or Intune as a tool alongside it.
Apparently all I will have is the RMM tool, nothing else, which I think is insane. They expect me to manage the local policies through scripts that I will push through the RMM.
I have told my supervisor that this is not a good idea because the endpoints will basically be unmanaged devices, scripts are not reliable and tend to break with updates, they won't stack well... etc. The response was: "this is how we were advised to proceed" (probably by the RMM company, I did not ask), with automations and scripts. I asked for a possibility for an MDM but they will have to check the cost of that.
Now the colleague (field tech) that was starting the project before I came along is fine with it somehow, and I had a look into a script that will set the password "policies". It is a combination of "net" and changing the local security database of windows.
Am I out of touch? I have to admit that I am relatively new to the field and my scripting skills are not good. I am writing a report about this and I am not sure whether I should send it or not.
What would you do here? Do I need to skill up and take it on?
Focus on the business needs. What do you need? Why do you/they need it? What will they have that they don't have now? This part is very important. If you can't come up with a compelling business case, then there's no reason to move forward on it.
How much will it cost? Are there any cheaper options? Some places would rather hire a $100k/year sysadmin rather than buy a $10k/year license. Other places will get excited when you talk about reducing support staff. Keep that in mind. Also, some places are more concerned about how replaceable someone is, so using standard products is more valuable than price or capability.
When you're evaluating options to recommend, try to get information about the entire landscape. There's a very good chance that they're already paying for Microsoft E5, which means you already have a license for Intune that you aren't using. If not, you can pitch it as a total package with other benefits.
ETA: Security is a really big deal at most companies. Internal and external threats, data loss, exfiltration, legal compliance requirements, etc. But smaller places often won't care until they've been burned.
Just curious, what RMM software are you using?
So, the way Active Directory policies work is quite interesting under the hood. They are essentially served over SMB, and then clients query them, before applying them locally, or you can "push", requesting clients to do this. To be explicit: group policies are the same local security policies, but synced. Of course there is a little bit more nuance, technically they are separate but group policies always win in case of conflict. Regardless, what I mean is that it's not magic, it's not really technically superior to other ways to do it, and you could theoretically get something of equivalent resilience.
The cool thing about Active Directory policies is that they are declarative, and idempotent. This means that rather than, say, editing a config file, or installing some program, you are just setting variables to values. A script that sets secpols.whatever to X value won't really care about things like the order of the script, or whether the value has already been set, or whatever.
Because of this, setting group/security policies this way will be fairly reliable. Using PowerShell to set group/security policies isn't really the same thing as doing scripting that does logic. Like, say I have a script that checks for something, then does something else — that's where things begin to get brittle.
Now, this is one half of the end, system management. The other half of what Active Directory provides is centralized accounts (IDM/IAM). Other services connect to Active Directory for authentication, so people use it to log into, say, their file server, or their firewall, or the servers, or whatever. When a user leaves, or is compromised, or whatever, you can simply lock their account. This is much, much better, both security-wise and ease-of-use-wise for provisioning/onboarding users. The previous model is "password sprawl", where a spreadsheet of passwords for services gets passed around, and sometimes makes it into the hands of attackers. There is no easy way to audit all the services, ensure that the passwords are up to date.
Now, if you are avoiding Active Directory, there exist alternatives for centralized accounts. For example, you can use Microsoft's cloud stuff, and then use that to authenticate the local machines. Don't give the users admin, and then manage the group/security policies. You can then use Microsoft 365, or Entra ID, as a centralized authentication point for external, non-Microsoft cloud services.
This can be superior to Active Directory for a few reasons. One reason is that Active Directory is a hard, toilsome service to deploy and secure. You have to sit on top of it, watch for CVEs, and patch them. On the other hand, a small, specialized RMM server is much easier to secure, and way less attack surface. Also, if it's push based to agents, it can be updated without any downtime, compared to users not being able to log into services when LDAP goes down. By offloading security onto cloud services like Microsoft's authentication methods, you can gain a big increase in uptime and security, at a very low cost.
Another is cost. A smaller RMM will be cheaper... or free if you are using an open source solution (like TacticalRMM, which is built on MeshCentral (but MeshCentral can also be deployed separately)). Active Directory on the other hand, costs money.
But, let's be honest. What I wrote above is a charitable interpretation, where I am assuming what they are doing is good. What is described above is cool, but only 0.01% of environments you encounter will have novel, well thought solutions like this. It is way more likely that intuition is correct, and the infrastructure is simply brittle and insecure.
Now, you probably want to change it, and that's good! But you need to understand, that changing it is not so simple. At many businesses, security is treated as an expense with no benefit. It doesn't actively make a profit, or save money, so it is ignored. Even free solutions that cost labor will be tough to push through. Active Directory is paid, but is honestly not that much — but the migration and deployment phase might cost a lot. You need to understand that, you are trying to fight through that, when convincing people in charge of making these decisions.
You also need to understand, that when you argue or make points towards AD, or any better security solution, the people you are arguing with will not always be honest about the reasons. Perhaps they themselves don't understand why.
If you attempt to debate, you may hear a bunch of excuses that obfuscate the real reason why better security isn't pursued.
And then, even if you grind down all these arguments, sometimes you are still just met with simple flat out rejection.
So. If you want to increase security, you have to think like them. You have to translate it to $$$, and put that on a page, on a report, that you can summarize and present. One assumption I would like to correct in advance is the idea that "Labor hours = dollars". From what I've seen, arguing that "automating xyz process saves my engineering hours" arguments, don't really seem to work. What is arguably the most effective, is presenting a way to either save money (and I mean raw cash, not engineering hours), or make money, that incidentally increases security.
Of course, not everybody is motivated by dollars. Sometimes it's a senior engineer who wants things done "their way", for specific reasons. Sometimes an executive is incapable of remembering a password other than "Password123!". You have to understand why and work with their motivations.
This is politics. Balancing people's interests, making concessions, and granting them what they want in order to advance your own interests. Unfortunately, it's a skill that you will probably need in order to advocate for security.
Good luck.
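To make the point above concrete, here is an added example (not a script from the thread, and not the field tech's script the OP describes) of what an RMM-pushed password policy script looks like when it is written declaratively: read the current local security database, compare it to a desired state, set only what drifted, and re-check so the RMM job reports a verified result instead of "the command ran". It uses secedit rather than net accounts because one .inf covers complexity, history and lockout together and supports the export-and-compare step. The target values are assumptions chosen for illustration; it has to run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not a script from the thread: declaratively enforce a local
# password/lockout policy (compare, then set only what drifted, then verify).
# The target values below are assumptions chosen for illustration.

$Desired = [ordered]@{
    MinimumPasswordLength = 14
    PasswordComplexity    = 1
    PasswordHistorySize   = 24
    MaximumPasswordAge    = 365
    LockoutBadCount       = 10
    LockoutDuration       = 15   # minutes; ResetLockoutCount must not exceed this
    ResetLockoutCount     = 15
}

$Cfg = Join-Path $env:TEMP 'localpol.inf'
$Db  = Join-Path $env:TEMP 'localpol.sdb'

function Get-LocalPolicyState {
    # Export the local security database and parse "Name = Value" lines into a hashtable.
    # Only the [System Access] keys have this shape, so registry and privilege lines are skipped.
    secedit.exe /export /cfg $Cfg /quiet | Out-Null
    $state = @{}
    foreach ($line in (Get-Content -Path $Cfg)) {
        if ($line -match '^\s*(\w+)\s*=\s*(\S+)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-PolicyDrift([hashtable]$State) {
    # Names of settings whose current value differs from the desired one.
    [string[]]$drift = @()
    foreach ($name in $Desired.Keys) {
        if ([string]$State[$name] -ne [string]$Desired[$name]) { $drift += $name }
    }
    return ,$drift
}

function Set-LocalPolicy([string[]]$Names) {
    # Write a minimal .inf carrying only the drifted settings and apply it.
    $inf = @('[Unicode]', 'Unicode=yes', '[System Access]')
    foreach ($name in $Names) { $inf += "$name = $($Desired[$name])" }
    $inf += '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
    Set-Content -Path $Cfg -Value $inf -Encoding Unicode
    secedit.exe /configure /db $Db /cfg $Cfg /areas SECURITYPOLICY /quiet | Out-Null
}

$drift = Get-PolicyDrift (Get-LocalPolicyState)
if ($drift.Count -eq 0) {
    Write-Output 'COMPLIANT: local password policy already matches the desired state'
    $exitCode = 0
} else {
    Write-Output "DRIFT: $($drift -join ', ') - applying"
    Set-LocalPolicy $drift
    # Re-read after applying so the RMM sees a verified state, not just a completed command
    $after = Get-PolicyDrift (Get-LocalPolicyState)
    if ($after.Count -eq 0) {
        Write-Output 'REMEDIATED'
        $exitCode = 0
    } else {
        Write-Output "FAILED: still drifted: $($after -join ', ')"
        $exitCode = 1
    }
}
Remove-Item $Cfg, $Db -Force -ErrorAction SilentlyContinue
exit $exitCode
```

Scheduled through the RMM, the script can be run every few hours against the whole fleet: the output line and the exit code are what the RMM dashboard keys on, so a machine that silently lost its policy after an upgrade shows up as DRIFT or FAILED rather than going unnoticed. The caveat the comment already makes still applies: on a domain-joined box a GPO would win over these local values, so this is only a substitute for GPO on machines that have no domain.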
If the org is not giving you the right tools you either leave or force the issue.
When asked if you are complying with whatever policies you say you are unable to determine that without X tool.
Because when something goes wrong you will get the blame for lying about compliance.
Second comment, but make sure to put stuff like that into an email. Protect yourself by making those permanent, semi-public notes.
If you want a company to purchase tools for you to do your job, you need to tell the company what the cost will be if you do not have the tools in place.
This will include the cost of your time to perform the job without the proper tools. It will also include the potential costs of any issues that arise from not having the proper tools in place, like the cost of a security breach or maybe loss of clientele if a security breach occurs.
Basically you try to present what it costs to go without the tools you need and all of the issues that come along with that, and then compare that to the cost of buying the tools.
Possible, but it's gonna be real difficult. What kind of management are they expecting? Are you held to any kind of compliance?
If you have Windows server licensing available, I'd just stand up AD anyway. Hopefully you're not running Windows Home on all the devices.