So, @tinker expressed dismay at something that I see a -lot- of: small business IT people choosing to log directly into their domain controller to do administrative things, including managing their SIEM - which is sometimes hosted as a VM running on a machine where the DC is the bare metal OS.

The reasons for this are a little bit complex in how they interlock, but here's how it boils down:

First, businesses assume that They Must Use Microsoft in order to do business. Correct or not, most businesses tend to use MS products because their suppliers and their clients -also- use MS products.

The major exception is in printing; folks who do t-shirts, flyers, etc. end up using Macs for the most part, because artists and designers are their clients, so that's their supply line.

Secondly, most smallbiz IT folks are -not- sysadmin experts, nor are they security people. They can just about get a domain together - sometimes with outside assistance - but anything beyond the most basic admin skills is outside of their bailiwick. They are more concerned with running antivirus on the secretary's system or ordering a couple of new laptops on which, if they're -really- on top of things, they'll install a newish version of Windows from actual MS install images.

Their idea of 'best practices' is not going to be the current state of affairs - it's going to be 20 years out of date, and likely informed by their boss, who originally set up a network back in the late 1990s, which has been patchworked and brute-force-updated ever since.

Thirdly, smallbiz people do not have very big budgets, and the notion of "doing more with less" is very appealing, regardless of how appropriate the particular 'more' and 'less' setup is for that particular situation.

So when a smallbiz IT guy gets the budget to "do an upgrade" and realizes that he can get one large box running Server 2012 to be his domain controller AND run Hyper-V to host his virtual machines, all on the same hardware?

It looks like a great idea to save time, money, and rackspace.

Now, there -is- a way to do this that isn't completely terrible: have the DC as a VM with dedicated resources, and carefully limit the ability to log into the hypervisor machine.

But that costs one extra Windows license.

So, if you're not a security-focused, best-practices-aware IT guy, that extra few hundred bucks makes a big difference - so they go ahead and install the DC on the bare metal, and run Hyper-V under it.
And since there's only one or two people who are 'supposed' to log in to the thing, why -not- use the domain admin account to do everything, and save yourself the trouble of having to do password dialogues every time that you do something with elevated privileges?
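An audit script for exactly this setup, added here as an example and not part of the original post. It assumes it runs locally on the Windows Server in question, with the ServerManager module present (Server SKUs) and the RSAT ActiveDirectory module available for the group lookup; it reports whether the box is a DC with the Hyper-V role on the same OS instance, and lists recent console and RDP logons by Domain Admins members.

```powershell
# Added audit example (not from the original post). Assumes it runs locally on the
# Windows Server being checked, with the ServerManager module (Server SKUs) and,
# for the group lookup, the RSAT ActiveDirectory module available.
function Test-DcHypervisorAntiPattern {
    param([int]$Days = 7)

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # Is the Hyper-V role installed on this same OS instance?
    $hyperV = (Get-WindowsFeature -Name Hyper-V).Installed

    # Members of Domain Admins, so their interactive/RDP logons here can be flagged
    $admins = @()
    if ($isDc) {
        $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                  Select-Object -ExpandProperty SamAccountName
    }

    # Event 4624 = successful logon; LogonType 2 = interactive console, 10 = RDP
    $since = (Get-Date).AddDays(-$Days)
    $adminLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                LogonType = [int]$d['LogonType']
                From      = $d['IpAddress']
            }
        } |
        Where-Object { $_.LogonType -in 2, 10 -and $admins -contains $_.User }

    [pscustomobject]@{
        IsDomainController      = $isDc
        HyperVInstalled         = $hyperV
        DcAndHypervisorOnSameOS = $isDc -and $hyperV
        DomainAdminLogons       = $adminLogons
    }
}

Test-DcHypervisorAntiPattern | Format-List
```

A non-empty DomainAdminLogons list alongside DcAndHypervisorOnSameOS = True is the situation described above; the fix is the separate hypervisor host with a DC guest and a restricted logon set, not a longer event list.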

So, the confluence of bad training, lack of awareness, excessive cost on the part of MS, and inconvenience leads to....

...people remoting into the DC to manage the VMs running underneath that DC in Hyper-V.

And This Is Why I Drink.

Well, amongst the reasons.

Seriously, this fight to get people to not do stupid things like this would be ever so much easier if MS would get its gorram licensing straight. I can't ask a smallbiz IT guy to spend $NNN for some kind of license that may or may not allow him to do the correct thing.

The fact that this exists:

https://www.microsoft.com/en-us/learning/exam-74-678.aspx

...should be all the evidence anyone with even a faint grip on sanity needs to realize that Microsoft's entire licensing model is irrevocably broken.