Comment on Anybody here running AD on-prem in your homelab?

Unforeseen@sh.itjust.works ⁨9⁩ ⁨months⁩ ago

• Godort@lemm.ee ⁨9⁩ ⁨months⁩ ago

  I agree that for this size of network AD is definitely not something you want to deal with unless you want to learn how it works.

  However, I’m not sure it really increases attack vectors to have it running, outside of the fact that it’s a new network service on the LAN. The out of the box default configuration is not bad these days, security-wise

  source

  • Unforeseen@sh.itjust.works ⁨9⁩ ⁨months⁩ ago

    The attack vectors I’m thinking of just come from the inherent complexity and centralization. I’m just considering the amount of damage that can be done with a compromised DA account for example vs a non directory environment.

    It’s complicated. Done right it can be more secure, not done right it’s less secure.

    I also only get brought in for problems for the last however many years, so I’m probaby a bit biased at this point haha.

    I have had to tell companies they are going to have to rebuild thier AD from scratch because they didn’t know what thier DSRM password was (usually after a ransomware attack). These are the sort of hassles I think about vs non AD.

    source

    • wreckedcarzz@lemmy.world ⁨9⁩ ⁨months⁩ ago

      For the rest of us: DSRM

      source
    • MigratingtoLemmy@lemmy.world ⁨9⁩ ⁨months⁩ ago

      I’ll keep that in mind, thank you

      source
• MigratingtoLemmy@lemmy.world ⁨9⁩ ⁨months⁩ ago

  Thank you. I was planning to keep my domain controller offline (not connected to the internet) and run a WSUS to update it, but I’ll keep that in mind. Indeed, I could use FreeIPA too, and I’ll probably need to consider if it’s even worth it to run a DC at all. It just seemed like a really solid idea for learning more about DCs, but indeed, now that I think about it, it doesn’t have much use in a homelab other than the people running mini datacenters in their labs.

  Thanks!

  source