So, @tinker expressed dismay at something that I see a -lot- of: small business IT people choosing to log directly into their domain controller to do administrative things, including managing their SIEM - which is sometimes hosted as a VM running on a machine where the DC is the bare metal OS.

The reasons for this are a little bit complex in how they interlock, but here's how it boils down:

First, businesses assume that They Must Use Microsoft in order to do business. Correct or not, most businesses tend to use MS products because their suppliers and their clients -also- use MS products.

The major exception is in printing; folks who do t-shirts, flyers, etc. end up using Macs for the most part, because artists and designers are their clients, so that's their supply line.

Secondly, most smallbiz IT folks are -not- sysadmin experts, nor are they security people. They can just about get a domain together - sometimes with outside assistance - but anything beyond the most basic admin skills is outside of their bailiwick. They are more concerned with running antivirus on the secretary's system or ordering a couple of new laptops that, if they're -really- on top of things, they'll install a newish version of Windows on from actual MS install images.

Their idea of 'best practices' is not going to be the current state of affairs - it's going to be 20 years out of date, and likely informed by their boss, who originally set up a network back in the late 1990s, which has been patchworked and brute-force-updated ever since.

Thirdly, smallbiz people do not have very big budgets, and the notion of "doing more with less" is very appealing, regardless of how appropriate the particular 'more' and 'less' setup is for that particular situation.

So when a smallbiz IT guy gets the budget to "do an upgrade" and realizes that he can get one large box running Server 2012 to be his domain controller AND run Hyper-V to run these virtual machines all on the same hardware?

It looks like a great idea to save time, money, and rackspace.

Now, there -is- a way to do this that isn't completely terrible: have the DC as a VM with dedicated resources, and carefully limit the ability to log into the hypervisor machine.

But that costs one extra Windows license.

So, if you're not a security-focused and best-practices-aware IT guy, that extra few hundred bucks will make a big difference - so they go ahead and just use the bare metal to install the DC on, and run Hyper-V under it.

And since there's only one or two people who are 'supposed' to log in to the thing, why -not- use the domain admin account to do everything, and save yourself the trouble of having to do password dialogues every time that you do something with elevated privileges?

So, the confluence of bad training, lack of awareness, excessive cost on the part of MS, and inconvenience leads to....

...people remoting into the DC to manage the VMs running underneath that DC in Hyper-V.

And This Is Why I Drink.

Well, amongst the reasons.

Seriously, this fight to get people to not do stupid things like this would be ever so much easier if MS would get its gorram licensing straight. I can't ask a smallbiz IT guy to spend $NNN for some kind of license that may or may not allow him to do the correct thing.

The fact that this exists:

https://www.microsoft.com/en-us/learning/exam-74-678.aspx

...should be all the evidence anyone with even a faint grip on sanity needs to realize that Microsoft's entire licensing model is irrevocably broken.
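The setup described above (Hyper-V on a bare-metal domain controller, with domain admin used for routine RDP sessions) can be spotted from the host itself. The following PowerShell audit is an added example and not part of the thread; it assumes it runs elevated on the Windows Server in question, that the ServerManager and ActiveDirectory modules are present, and that the Security log is retaining logon events. The feature names, the event ID 4624 field positions and the group name are the standard ones, but treat the field indices as an assumption to verify on your own build.

```powershell
# Added audit script (not from the thread). Flags two conditions the thread warns about:
#  (a) the AD DS and Hyper-V roles installed on the same OS instance, and
#  (b) members of Domain Admins logging on to this host over Remote Desktop.
# Assumptions: run elevated on the host; ServerManager and ActiveDirectory modules available.

function Test-DcAndHyperVColocated {
    # Both roles installed on this OS instance means the DC *is* the hypervisor's OS.
    $installed = Get-WindowsFeature -Name 'AD-Domain-Services', 'Hyper-V' |
        Where-Object { $_.Installed } |
        ForEach-Object { $_.Name }
    return (($installed -contains 'AD-Domain-Services') -and ($installed -contains 'Hyper-V'))
}

function Get-RecentRdpLogons {
    param([int]$Days = 7)
    # Event 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
    # Assumed field order for 4624: [5]=TargetUserName [6]=TargetDomainName [8]=LogonType.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Domain  = $_.Properties[6].Value
                User    = $_.Properties[5].Value
            }
        }
}

function Get-DomainAdminRdpLogons {
    param([int]$Days = 7)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Recursive so that nested groups are expanded; compare on SamAccountName.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { $_.SamAccountName.ToLowerInvariant() }
    Get-RecentRdpLogons -Days $Days |
        Where-Object { $domainAdmins -contains $_.User.ToLowerInvariant() }
}

# Report. Each finding is a reason to move the DC into its own VM and to stop
# using Domain Admins for day-to-day work on the hypervisor.
$findings = @()

if (Test-DcAndHyperVColocated) {
    $findings += 'AD DS and Hyper-V are both installed on this OS instance: the domain controller is the hypervisor host.'
}

$daLogons = @(Get-DomainAdminRdpLogons -Days 7)
if ($daLogons.Count -gt 0) {
    $who = ($daLogons | ForEach-Object { "$($_.Domain)\$($_.User)" } | Sort-Object -Unique) -join ', '
    $findings += "Domain Admins members logged on over RDP in the last 7 days: $who ($($daLogons.Count) sessions)."
}

if ($findings.Count -eq 0) {
    Write-Output 'No colocation or Domain Admin RDP findings on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

On a host that was built the way the post describes, the first check fires immediately and the second usually does within a week, which gives the IT person a concrete artifact to show whoever controls the budget. Scheduling the script to forward its output to the SIEM turns the same two conditions into a recurring detection rather than a one-off audit.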

@munin @tinker Any thoughts to getting small business insurance, banks, etc., to take a role in this? Those are forces which can roll unanticipated costs into anticipated (and visible) costs, and press for best practices.

Great war story and methods. Plays into a lot of what I'm thinking about #GreshamsLaw, #UnanticipatedConsequences, #HygieneFactors, and #DelayedInformation realisation.

@dredmorbius @tinker

The tools that insurance and banks generally bring to bear on this are compliance audits - which drive SIEM sales, sure, but don't really help the underlying issues here.

The ultimate problem here is that the prime mover in the market - Microsoft - is very difficult for people to set up without specific training and experience; it is expensive to get that training and experience...

@tinker @dredmorbius ... and it's expensive and confusing to remain compliant with their licensing regime.

So long as this continues to be the case, all the compliance audits in the world will do little to nothing to improve the situation.

@munin @tinker I'd argue that the problem is actually the inverse.

With Microsoft, without any training or experience, you can set something up that /appears/ to work.

You could try to set up a Samba domain controller with LDAP, but ... if you don't know what you're doing, it /won't/ work at all.

Since Microsoft gets you off the ground, you roll with that, but you've also just holed with it, since you in fact /didn't/ know what the fuck you were doing.

@dredmorbius @tinker Either way, really. Some go one way; some go another.

What I'd -like- is for MS to cut out the "be everything to everyone" and fork off multiple companies that agree on open interoperational standards but focus on different markets: consumer, smallbiz, largebiz, enterprise.

Also, stop making gratuitous, breaking changes without clear reasons why.

@munin @tinker Compliance audits which, say, require physical isolation of equipment providing roles, otherwise, say, your liability premiums rise.

Insurance has done a lot for improved procedures in other areas: fire, auto safety, industrial safety. I'm not holding my breath though.

@dredmorbius @tinker

There are second-order consequences to that approach, as every single managed service provider would come down on that like a ton of bricks - because it would kill their business model for scaling their customer base.

@dredmorbius @tinker

Mandating physically separate hardware means you can't have multitenancy for clients. Vastly higher costs to do business.

@munin @tinker Isn't the question slightly more one of mandating _competently managed_ base hardware?

I mean, what you're saying would kill, say, AWS. Which ... might be politically difficult. (Or Azure, or Rackspace, or ...) You've got to approach this with realism and actual risk in mind.

If multi-tenancy is in fact a real risk, then address it as such. If it's not, /given specific standards of practice/, then ensure those standards are followed and verified.

@dredmorbius @tinker

....you're the one who brought up "physical isolation of equipment providing roles" so....

@munin @tinker Let's add the proviso to that of "in a self-managed arrangement".

I'd also suggest not getting hung up on specific suggestions, and focus more on the goals and/or attainment of same. If I'm saying something clearly stupid, call me on it. I keep in good practice on that.

And the suggestion came from your initial post describing the situation of the SIEM as a VM on a DC:
https://mastodon.hasameli.com/users/munin/updates/5698

@tinker @munin If there's a more precise way to say "this thing, don't do that, or at least if you must, do it /this/ way", to useful effect, then by all means, do.

My initial suggestion was less about the specific advice given than about the concept of using an organisation used to assessing and managing risks (insurance) to address and manage risks.

But here we are off in the weeds of largely irrelevant minutiae.