Modern IT environments are incredibly diverse, and while this is great for many reasons, it can also make the IT department’s job more difficult. Today’s environments are often comprised of a mixture of on-prem and cloud resources, corporate owned and BYOD devices, varying device and operating system (OS) types such as Mac, Windows, Linux, iOS, Android, and more.
All of these factors, plus the popularity of hybrid work, add complexity around managing identities and sometimes make it feel like centralized and simplified identity management is out of the question. Luckily, this is not the case at all, though some organizations might need to adjust their infrastructure and tool choices to be more future-proof to achieve a modern and unified identity management strategy. Let’s take a look at why that is and how it can be done.
Centralized Identity Management Barriers
As mentioned above, heterogeneous IT environments can be a problem for IT, because resources live in many different places, employees work from all over the world, and there are a plethora of device and OS types out there.
Here’s how some of these factors affect identity management:
Cloud and on-prem resources: It can be hard to get visibility into who has access to what resources, and SaaS apps might not connect to a traditional directory such as Microsoft AD.
Hybrid and remote working models: Monitoring, managing, and helping employees that aren’t in the office can be problematic without the proper tools.
BYOD: Personal devices typically don’t connect back to traditional directory services, and they are sometimes difficult or impossible to manage.
Mac, Windows, and Linux device popularity: Most tools are meant to help you manage certain device types but not others, making it hard to keep track of and secure devices that employees use.
All of these factors and more contribute to an incomplete, decentralized identity management strategy in many organizations.
Why Centralized Identity Management Is Key
This decentralized approach is often forced on IT, rather than chosen, simply because of the disparate resources that need to be managed on top of the fact that many organizations use outdated or disconnected IT management tools. This strategy (or lack thereof) can quickly turn into a security and compliance nightmare, an unnecessary weight on IT, a fractured employee experience, and a hit to the organization’s bottom line, among other things.
When users and their digital identities are not centrally managed, it’s virtually impossible to get visibility into their resource access privileges, what devices they’re accessing company resources on (whether company-managed or completely unsecured), what problems they might be experiencing, whether their systems are up-to-date or not, and much more. On top of all of this, Shadow IT is as prevalent as ever, which causes even more security hiccups when left unchecked due to poor identity management.
Considering that 84% of organizations experienced at least one identity-related breach in the past year, you can see how far-reaching the effects of the decentralized identity management problem truly are.
To avoid all of this to the furthest extent possible, IT needs centralized control over all identities, access, and devices, while simultaneously allowing departments and employees the flexibility they need to get work done.
How to Centralize Identity Management
So, the end goal is to provide employees with flexibility in where and how they work, while maintaining the amount of control that you want over their digital identities, access, and devices. To do so, you’ll want to centralize the management of all of these things, as much as possible.
Centralized user management provides IT with the control and visibility over every device, application, and network across the organization, without dictating what resources are the right choice for each group. This strategy saves IT time with easier day-to-day workflows, helps ensure compliance, enhances security, and ameliorates the end user experience.
A modern way to centralize identity management is by adding JumpCloud’s open directory platform to the center of your IT infrastructure. The beauty of an open directory is that it can easily connect to all of your existing infrastructure, as well as any other tools (such as other directories, HR tools, and more) you decide to adopt in the future, allowing your business to evolve and scale with ease. This means that with the JumpCloud Directory Platform, you can centrally manage identities, access, and devices, all from a single, modern platform.
Get complete, centralized visibility into employee identities, what they do or do not have access to, and their devices. With JumpCloud’s identity lifecycle management capabilities, enjoy simplified onboarding and offboarding, add users to groups for easy control, keep devices patched and up-to-date, quickly change access levels, and much more. With this solution, your organization still maintains the flexibility it needs to leverage the best devices, applications, and tools on the market. Plus, you can hire the best talent, regardless of their location, without worrying about how it’ll impact security or how IT will manage them.
Use JumpCloud to ensure that your identity lifecycle management process is efficient, secure, and complete.
About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
MariaDB is an open source and community-developed fork of MySQL. It is a widely used relational database management system (RDBMS) used to store data both in production and for personal and experimental projects. It was designed by the original developers of the MySQL database server, with the objective of remaining open source under the GNU GPL license.
Some of the advantages of using MariaDB over MySQL include:
Strong security thanks to additional security features such as user roles, PAM and LDAP authentication, data encryption, and role-based access control (RBAC).
High performance thanks to more and better storage engines such as Aria and XtraDB. The former replaces MyISAM in MySQL and offers better caching. XtraDB replaces InnoDB and improves performance.
Galera clustering which ensures scalability, high availability, and zero loss of data through replication.
Integrated monitoring using microsecond precision and extended user statistics.
In this guide, we will demonstrate how to install and secure MariaDB on RHEL 9.
Step 1: Upgrade Software Packages
To get started, log into your server as a sudo user via SSH. Next, upgrade all the packages and refresh the repositories as follows:
$ sudo dnf update
The MariaDB Server package is provided by the official AppStream repositories. You can confirm this by searching for the package on the repositories as shown:
$ sudo dnf search mariadb-server
The following output confirms that MariaDB is hosted on the default repositories.
Step 2: Install MariaDB Server on RHEL 9
The next step is to install the MariaDB Server. To do so, run the following command:
$ sudo dnf install mariadb-server -y
The command installs the MariaDB server alongside other dependencies and additional packages required by the database server.
Once the installation is complete, confirm that MariaDB is installed using the following command:
$ rpm -qi mariadb-server
Running this command displays comprehensive details about the MariaDB Server package including the name, version, architecture, installation date, and installed size to name a few.
Step 3: Start and Enable MariaDB Server
Up to this point, we have successfully installed the MariaDB Server. By default, the MariaDB service does not start automatically. As such you need to start it by running the following command:
$ sudo systemctl start mariadb
In addition, set it to start automatically on system startup.
$ sudo systemctl enable mariadb
To verify that MariaDB is up and running, run the command:
$ sudo systemctl status mariadb
MariaDB listens on TCP port 3306. You can confirm this using the command:
$ sudo ss -pnltu | grep mariadb
Step 4: Secure MariaDB Server
The default settings for the MariaDB database server are considered weak and not robust in the face of a breach or intrusion. As such, you need to go an extra step and secure the database server. To do this, run the mysql_secure_installation script as shown:
$ sudo mysql_secure_installation
Running the script will present you with a series of prompts.
First, you will be required to provide the root password. Next, switch to unix_socket authentication, which allows the user to connect to the MariaDB database server using operating system credentials.
You can then decide to change the root password or leave it exactly the way it is.
For the remaining prompts, press “Y” in order to secure MariaDB to the recommended standards. This does the following:
Removes anonymous users from the database server. This prevents the risk of having anyone log into MariaDB without having a user account.
Disallows remote root login. This ensures that the root user can connect only from ‘localhost’, i.e., from the server on which MariaDB is installed, which prevents brute-force attacks against the root password over the network.
Removes the test database, which is accessible to anyone and is only meant for testing. Its removal is recommended before moving to a production environment.
Reloads the privilege tables so that all the changes made take effect immediately.
MariaDB is now secured using the recommended security standards after installation.
Step 5: Log Into MariaDB Server
To log in to the MariaDB database server, run the command:
$ sudo mysql -u root -p
Provide the root password for MariaDB and press ENTER. This drops you into the MariaDB shell.
To check the version of MariaDB installed, run the command:
SELECT VERSION();
From the output, you can see that we are running MariaDB 10.5.16.
To list all the databases, run the command:
SHOW DATABASES;
Step 6: Create Database and Database User (Optional)
This step illustrates how to create a database and a database user.
To create a database in the MariaDB Server, run the following command where test_db is the database name:
CREATE DATABASE test_db;
Next, create a database user with a password. Here, test_user is the name of the database user and Password321@ is the user’s password. Be sure to choose a stronger password for your own user.
CREATE USER 'test_user'@'localhost' IDENTIFIED BY 'Password321@';
Next, grant privileges to the database user on the database. This determines the rights that the user has on the database, e.g., ALTER, CREATE, DELETE, DROP, SELECT, UPDATE, etc. The following command grants the user all rights on every table in test_db; the WITH GRANT OPTION clause additionally lets the user pass those rights on to other accounts, so omit it unless that is actually required.
GRANT ALL ON test_db.* TO 'test_user'@'localhost' WITH GRANT OPTION;
Lastly, reload the grant tables in order to save the changes made as follows:
FLUSH PRIVILEGES;
To confirm the creation of the database, again, run the following SQL query:
SHOW DATABASES;
This time around, an additional database named test_db appears on the list.
To view a list of all the users in the database server, run the following query:
SELECT User, Host FROM mysql.user;
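As an added example that is not part of the original guide, the following Python script audits the account and database listing from Step 5 and Step 6 against the same four checks that mysql_secure_installation enforces in Step 4 (anonymous accounts, remote root, empty passwords, the test database) and prints the SQL that would fix each deviation. The sample dumps are constructed; it assumes the tab-separated output of `mysql -N -e "SELECT User, Host, plugin, authentication_string FROM mysql.user"` and the database names from SHOW DATABASES.

```python
"""Audit a MariaDB account/database dump against the checks that
mysql_secure_installation performs (anonymous users, remote root,
empty passwords, the `test` database).

Sample input below is constructed; on a real server it would come from
    mysql -N -e "SELECT User, Host, plugin, authentication_string FROM mysql.user"
    mysql -N -e "SHOW DATABASES"
"""
from dataclasses import dataclass

# Hosts that mean "this machine"; root may keep these after hardening.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Plugins that authenticate via the OS account instead of a stored password hash.
SOCKET_PLUGINS = {"unix_socket", "auth_socket"}


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str
    remediation: str  # the SQL a "Y" answer in mysql_secure_installation would run


def parse_user_dump(dump: str) -> list[dict]:
    """Parse tab-separated rows of User, Host, plugin, authentication_string."""
    rows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
        user, host, plugin, auth = fields
        rows.append({"user": user, "host": host, "plugin": plugin, "auth": auth})
    return rows


def audit(user_rows: list[dict], databases: list[str]) -> list[Finding]:
    """Return one Finding per deviation from the post-hardening state."""
    findings = []
    for r in user_rows:
        acct = f"'{r['user']}'@'{r['host']}'"
        if r["user"] == "":
            # Anonymous account: anyone can connect without a user of their own.
            findings.append(Finding("high", f"anonymous account {acct}",
                                    f"DROP USER {acct};"))
            continue
        if r["user"] == "root" and r["host"] not in LOCAL_HOSTS:
            # Remote root exposes the most privileged account to password guessing.
            findings.append(Finding("high", f"root may log in remotely via {acct}",
                                    f"DROP USER {acct};"))
        if r["plugin"] not in SOCKET_PLUGINS and r["auth"] == "":
            # A password plugin with no stored hash accepts an empty password.
            findings.append(Finding("high", f"{acct} has an empty password",
                                    f"ALTER USER {acct} IDENTIFIED BY '<new password>';"))
    if "test" in databases:
        # The sample database is world-accessible and has no place in production.
        findings.append(Finding("medium", "sample database `test` is present",
                                "DROP DATABASE IF EXISTS test;"))
    return findings


# Constructed sample: a server that has not yet been through Step 4.
UNSECURED_DUMP = "\n".join([
    "root\tlocalhost\tunix_socket\t",
    "root\t%\tmysql_native_password\t*PLACEHOLDER_HASH",
    "\tlocalhost\tmysql_native_password\t",
    "app\tlocalhost\tmysql_native_password\t",
])
UNSECURED_DBS = ["information_schema", "mysql", "performance_schema", "test"]

# Constructed sample: the state this guide ends in after Steps 4 and 6.
SECURED_DUMP = "\n".join([
    "root\tlocalhost\tunix_socket\t",
    "test_user\tlocalhost\tmysql_native_password\t*PLACEHOLDER_HASH",
])
SECURED_DBS = ["information_schema", "mysql", "performance_schema", "test_db"]


def report(dump: str, databases: list[str]) -> list[str]:
    """Human-readable findings, one line each, with the remediation SQL."""
    return [f"[{f.severity}] {f.message} -> {f.remediation}"
            for f in audit(parse_user_dump(dump), databases)]


if __name__ == "__main__":
    for title, dump, dbs in (("unsecured", UNSECURED_DUMP, UNSECURED_DBS),
                             ("secured", SECURED_DUMP, SECURED_DBS)):
        lines = report(dump, dbs)
        print(f"{title}: {len(lines)} finding(s)")
        for line in lines:
            print("  " + line)
```

Running it against a real dump after Step 6 should yield no findings; a root account with a non-local Host or any row with an empty User is what the script in Step 4 was meant to remove.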
Conclusion
In this guide, you learned how to install and secure the MariaDB database server on RHEL 9. For more information about MariaDB, check out the official documentation.
Microsoft Intune is a cloud-based enterprise mobility and security (EMS) management solution that enables organizations to manage mobile devices. It integrates with other components of Microsoft’s EMS platform, including Azure Active Directory (AAD) and Azure Information Protection (AIP), allowing IT teams to enforce security policies and manage how endpoints are used in the organization.
Intune allows organizations to achieve a productive mobile workforce without worrying about corporate data security. For example, IT teams can set rules and configure security policies for various devices, whether those devices are corporate-owned or personal. This helps organizations implement bring your own device (BYOD) policies while mitigating security concerns.
However, despite these benefits, Intune has traditionally supported only devices running Windows, macOS, iOS, and Android operating systems (OSs). This left the Linux-based devices that many companies use to maintain workloads out of the picture for a long time. Toward the end of 2022, however, Microsoft finally added Linux workstation support to Intune — starting with Ubuntu.
Does Intune Support Linux?
The short answer is yes. In October 2022, Microsoft announced that Microsoft Endpoint Manager (MEM) added Linux-based devices to its unified endpoint management solution, with general availability for Ubuntu LTS.
However, Microsoft has yet to release support for other distros which means IT teams are either leaving other types of Linux workstations unmanaged or using other third-party mobile application management (MAM) and mobile device management (MDM) tools.
What’s Been Discussed?
Companies need to ensure that all endpoints are secure and compliant. In this regard, IT teams need to ensure that they mitigate compliance issues by deploying software and patches to all device types, including Linux endpoints. Effective Linux MDM is particularly challenging due to the many flavors of Linux distributions.
With Linux support added to Intune, IT teams can theoretically use a unified console to manage devices and apply the same protection policies and configurations for Linux workstations. Whether Microsoft is able to accomplish that for more distros after Ubuntu remains to be seen.
Having cross-platform support in an MDM is essential because the integration of multiple operating systems into one tool streamlines:
Cloud-Based Management
If IT teams are able to combine all the applications and device controls in one cloud-based endpoint management system, they can then apply policies and endpoint configurations in the same way across a heterogeneous IT environment for added security and compliance.
In addition, a unified MDM allows organizations to move their employees closer to Zero Trust security architecture and cover their entire IT infrastructure. For example, IT teams can apply management controls such as password policies, Wi-Fi profiles, and certificates in a standard way across all cloud-managed endpoints.
Compliance
Adding Linux support to an existing MDM enables companies to more easily enforce compliance policies and standards. For example, IT teams can create rules and configuration settings such as the minimum RHEL version that devices need to meet to be considered compliant.
IT teams can also create application policies that provide an extra layer of protection, allowing employees to access them on personal devices securely. Most importantly, IT teams can also take actions for non-compliance, like sending notifications to the user.
Conditional Access Policies
Determining if the device is compliant is one of the outcomes of cloud management. In a Microsoft-specific ecosystem, MEM allows organizations to assess the device’s posture while sending signals to AAD. If MEM finds that the device is compliant, it applies conditional access configurations. These configurations combine device compliance signals with other signals such as user identity risks to secure access to enterprise resources through adaptive policies.
With Intune, Microsoft’s goal is to allow IT teams to set AAD Conditional Access policies for Linux devices, as it does for Windows, macOS, iOS, and Android endpoints. This would ensure that only compliant Linux devices can access enterprise resources such as Microsoft 365 applications.
However, note that the current release only provides conditional access policies protecting web applications via Microsoft Edge. This is an example of Microsoft attempting to lock admins and users further into the Microsoft ecosystem, without allowing for the flexibility of choice in IT tools.
The Good News? A Linux Device Management Alternative Already Exists
Even if Microsoft succeeds with its Intune Linux management framework, the approach will still face some challenges. This is because of the differences between Microsoft’s approach to identity and access management (IAM) and other open source solutions.
For example, while Microsoft’s approach is to create segmented solutions that seamlessly integrate with Azure, the same cannot be said about non-Windows platforms like Linux-based OSs. Additionally, it is those very same segmented solutions that force users into Microsoft products and add additional complexity and cost for IT admins.
If you’d prefer to have a cloud-based MDM that provides the openness you need to choose the best tools and IT resources for your stack, while still resolving compliance and security issues in a heterogeneous environment, then you should consider JumpCloud® as an alternative cloud directory service.
As an open directory platform and unified MDM, JumpCloud centralizes identity and system management, irrespective of OS. It can overcome the common “admin black hole” associated with managing Linux devices, and help you reduce the number of IT tools your organization has to pay for and manage to fully secure its IT environment.
Whether you need patch management, encryption and lock-screen policies, MFA, or other capabilities applied to the Linux devices in your fleet, JumpCloud supports the following distros:
Amazon Linux 2 on x86_64 and ARM64 processors
Amazon Linux 2022 (AL2022) on x86_64 and ARM64 processors
CentOS 7, 8
Debian 10, 11 on x86_64 and ARM64 processors
Fedora 35, and 36
Mint 19, 20, 21 Cinnamon on x86_64 and ARM64 processors
RHEL 8, 9 on x86_64 and ARM64 processors
Rocky Linux 8, 9 on x86_64 and ARM64 processors
Ubuntu 18.04 (64 bit), 20.04, 21.04, and 22.04 on x86_64 and ARM64 processors
JumpCloud Password Manager has officially been released to our customers and MSP partners! MSPs have long requested a tool that allows their users to share passwords and MFA tokens, and now, we have a solution of our own built right into the core of our platform.
Say goodbye to the days of juggling 14-day trials and countless promotional emails just to get a few days of password management. As a JumpCloud MSP partner, your account executives can have you up and running with Password Manager before your next password reset ticket.
If you’re not a current JumpCloud MSP partner and you’re still weighing your various password management options, it can be difficult to determine which solution is best. Here, I would like to discuss some of the benefits of implementing JumpCloud Password Manager for your clients.
Simplify the Vendor Management Process
An MSP’s vendor management responsibilities can be as complex as another full-time client. And the more vendors you have to rely on to provide a comprehensive tech stack, the less time you have to win that new account. That’s why we built our Password Manager directly into the JumpCloud platform.
Whether you’re a new partner or JumpCloud’s already part of your tech stack, you’ll enjoy both SSO and password management directly within one portal – without increasing your stack’s complexity.
Meet a Popular Client Request on Your Terms
Password management can be a bit of a touchy subject for MSPs. Since it’s often an a la carte or add-on feature, many clients try to do their own research on the cheapest solution, and bring it to their MSP to implement.
Unfortunately, this scenario rarely works out for either party. MSPs are forced to complicate their tech stack, often with a product they don’t trust or recommend. And the cheapest-possible solutions rarely prioritize intuitive user experiences, leading to frustrations for the technicians and admins that must manage the product.
With JumpCloud Password Manager, MSPs have a tool they can readily recommend to any of their clients currently using JumpCloud, with assignment and deployment being only a few clicks away. In addition to a seamless rollout experience, you can avoid the long process of convincing your client that they can trust this new vendor you are introducing into their environments.
Grow Your Revenue Without Increasing Costs
With JumpCloud Password Manager, you are no longer forced to choose between affordability and security. If you’re enrolled in JumpCloud for MSPs, Password Manager is included in your plan, making implementing it for your clients a no-brainer. If you’re considering switching to JumpCloud, combining SSO and password manager into one platform may save you money.
Adding password management to your tech stack can also increase your team’s efficiency, decreasing your need for additional staff. Password resets make up anywhere from 20% to 50% of an organization’s support ticket load, meaning your technicians are wasting valuable time handling one of the most easily solved problems in the technology industry. This means that even offering password management as a service to your clients for free can have a real impact on your bottom line.
Choose JumpCloud for Password Management
Here at JumpCloud, we are working hard to meet the needs of our MSP Partners, their clients, and the users that rely upon our platform everyday. With the arrival of JumpCloud Password Manager, we have taken yet another step in the direction of making the Open Directory Platform more powerful than ever.
If you have any questions about Password Manager, reach out to your account executive today. If you’re new here, visit our JumpCloud for MSPs page to try our platform for free.
When evaluating your organization’s technology choices, there are a few different angles to look at it from:
Usefulness – Do the pieces of tech that make up your stack accomplish what you need them to in the most efficient way possible?
Total cost of ownership – Is your TCO where you want it to be, or can it be improved with different tools?
User experience – Is your chosen tech easy to use? Does it save or suck IT’s time?
Employee experience – How does your technology affect the employee experience at your company? Is it promoting productivity and happiness or frustrating and holding up end users?
This article focuses on the employee experience aspect of your tech evaluation process.
Consider this: 69% of employees are more likely to remain at your company for 3 years if they have a positive onboarding experience. Though onboarding is just one small piece of the employee experience puzzle, it’s an important one, and your technology is the foundation of your onboarding processes.
This is important because if your tech isn’t up to par, then your workflows become disconnected and inefficient, and HR and IT will either have to work harder to make up for that, or your onboarding and identity lifecycle management tasks will be substandard. This leads to IT and HR frustration and burnout, decreased productivity on the end user’s part, and unsatisfied employees, which all negatively affects your bottom line.
A good starting point when evaluating your IT tech stack from the angle of how your tech impacts the employee experience is to survey employees with tech- and IT-specific questions. Here are a handful to get you started:
10 Tech Stack and Employee Experience Questions
Onboarding
1. Rate your onboarding experience in the following areas:
a. Device setup (1-5 scale)
b. Access setup (1-5 scale)
c. Technical orientation (1-5 scale)
2. Did you have access to everything technology-wise that you needed on day 1 of your employment? (Yes/No)
Role and/or Access Changes
3. Have you changed roles or responsibilities since joining the organization? (Yes/No)
a. If yes, rate your role change experience (1-5 scale)
b. If yes, did you have to reach out to IT or HR to fix anything after your role change, or was it all handled correctly behind the scenes? (Had to reach out./Everything was handled appropriately.)
If they answer that they had to reach out, you can provide a box for them to further explain the issue.
4. Have your access needs changed over time for any other reason? (Yes/No)
a. If yes, rate how efficiently this was handled (i.e., Did your privileges change in a timely manner to allow you to be productive?) (1-5 scale)
b. If yes, rate how effectively this was handled (i.e., When your privileges were changed, did you have everything you needed to be productive?) (1-5 scale)
Remote/In-Office Work
5. At any point with our organization, did you switch between in-office and remote work? (Yes/No)
a. If yes, when switching from in-office to remote work, did IT and HR ensure that you were set up to be productive from the moment you changed your work style? (Yes/No)
6. When working from a new location, was your technical experience impacted in a negative way? (i.e., Were you able to access everything you needed with the appropriate security measures in place?) (Yes/No/NA)
Specific Tools
7. How satisfied are you with the apps, software, and other tools you use on a daily basis? (1-5 scale)
Credentials
8. How satisfied are you with the efficiency and ease of daily login processes? (1-5 scale)
9. How satisfied are you with our password management tool? (1-5 scale)
General Pulse Check
10. How satisfied are you with the preparedness of the IT department based on past interactions you’ve had? (1-5 scale)
Creating Your Survey
All of the questions listed here are general suggestions to get you started with evaluating your tech stack vs your employees’ experiences. Modify or remove them as you see fit – feel free to make them more specific or allow employees to write in open-ended answers, to give you a better picture of how your tech truly impacts each person’s day-to-day responsibilities.
If you’re looking to improve the employee experience at your organization, it’s important to find and employ technology that connects seamlessly and reduces any current tech disruptions that your end users face. A good place to start is by ensuring that IT’s directory service and HR’s tool of choice connect well. Employee experience and security issues often begin when these two tools don’t work well together, leading to even bigger issues down the line.
Microsoft and Google have been locked in a battle for the heart of the IT community for years now. This technological arms race has brought about a number of cloud innovations, including in identity and access management (IAM). Both contenders understand that by controlling user identities, they can lock you into their respective ecosystems and sell you additional services.
In one corner, we have Microsoft Azure Active Directory (AAD, since renamed Microsoft Entra ID), a cloud-based IAM service for hybrid or cloud-only tenants. In the other corner, we have Google Cloud Identity, a cloud-based service for managing user identities and access to Google resources. Both organizations seek to control your identities. The catch is that if you are looking to replace an on-prem Active Directory instance, or need a general-purpose directory service, neither of these options is designed to be that. In this article, we’ll compare Google Cloud Identity and Azure Active Directory, before explaining why neither is the best replacement for an on-prem directory.
What is Google Cloud Identity?
If you have ever used Google Workspace, you’re already familiar with Google Cloud Identity. Google’s identity management service lets users sign in to the applications and platforms Google delivers. It integrates easily with Google’s catalog of SaaS services and with SSO-enabled third-party applications, acting as a SAML 2.0 and OAuth 2.0/OpenID Connect identity provider, but it does not support legacy applications or on-prem resources. An organization’s systems, on-prem applications, and network are outside the scope of the Google Workspace (formerly G Suite) directory.
Unfortunately, this means that a lot of users will remain locked into their on-prem identity provider, namely Active Directory. While Google’s IDaaS is an excellent cloud user management system for Google Workspace, it is not a standalone cloud-delivered directory service.
What is Azure Active Directory?
Microsoft’s version of the user management system is called Azure Active Directory (also called AAD, or Azure AD). The name confuses many people, because it makes it seem like Microsoft has moved their on-prem directory to the cloud. But that’s not the case.
Rather, in a hybrid deployment Azure AD sits on top of on-prem Active Directory (identities are synchronized to it with Azure AD Connect) to provide single sign-on (SSO) to a variety of SaaS applications such as Office 365, Salesforce, Dropbox, and many others. In essence, it is designed as a bridge between your existing Active Directory instance and Microsoft’s catalog of compatible cloud-delivered services. While you can sync your Active Directory instance with Azure AD, Azure AD is not, in and of itself, a complete cloud-based directory service.
This is because Azure AD does not act as the authoritative source of truth for user identities (unless you are only using Office 365 or Azure resources). For many organizations that role still belongs to Active Directory, which in turn requires on-prem servers and dedicated IT staff to build and maintain. While Azure AD is meant to be a cloud identity platform, the true source of identity management in those organizations remains firmly grounded in the legacy directory service, Active Directory.
The Problem with Google Cloud Identity and AAD
As hinted above, the most glaring weakness of both of these platforms is that neither can truly function as the core identity provider for an organization. Instead, they’re user management systems designed only for their respective platforms.
Google Cloud Identity organizes identities for Google Workspace and other Google cloud-hosted applications. Although it can act as a SAML identity provider for third-party SaaS, it isn’t designed to manage on-prem systems, AWS or Azure servers, Office 365, networks, or the wide range of legacy applications that still need LDAP or RADIUS.
Azure Active Directory isn’t an Active Directory replacement, either. It’s a user management system for Azure, Office 365, and a web application SSO platform. If you want a core directory service, you won’t find it with either Google Cloud Identity or Azure Active Directory.
Instead, both of these platforms leave it to the IT department to figure out how to build a central, authoritative directory service for the organization. Having multiple user management platforms can create a significant amount of work and a great deal of security risk.
Thankfully, there’s a better solution. An open directory platform can be your single authoritative source for user identities and authentication – across all platforms and operating systems.
Open Directory Platform – the best Active Directory Replacement
A new generation of cloud identity management is here. This independent solution, called an open directory platform, doesn’t rely on a single vendor, but works across platforms and operating systems to support authentication on Windows, Mac, Linux, Google Workspace, and more – all from the cloud, all at the same time.
JumpCloud’s open directory platform provides the stability and authentication of Azure Active Directory together with the cloud-native flexibility of Google Workspace. You’ll also get many features, like SSO, multi-factor authentication (MFA), and password management, that you typically have to get from a third-party provider.
Until recently, Windows was the de facto platform of choice in the working world as businesses set up their networks on the Microsoft operating system.
They used Word for word processing, Excel for spreadsheet work, PowerPoint for presentations, and Active Directory for domain management. However, the old paradigm has been shifting for some time now.
While Windows-based PCs and laptops are still the market leaders for large and small-to-medium-sized enterprises (SMEs), many organizations have begun to adopt Mac, Linux, and Android devices. Improved usability, convenience, and affordability are commonly cited reasons for switching.
Translation: administrators must manage and control access to their Azure Active Directory from different types of devices and operating systems.
So, can you bind a Mac to Azure Active Directory?
Let’s find out.
Mac and Azure AD: Unwilling Bedfellows
The short answer is yes — you can bind Mac to Azure. But as you can imagine, it is far from straightforward.
Competitors hardly find incentives to make life easy for each other. Think of Pepsi and Coke’s cola wars or Nike and Adidas’ sportswear battles; they’ve been at it for decades. Apple and Microsoft are no different.
With Microsoft’s Azure AD being a leading access management solution and Macs spreading through the fleet, many IT managers have found themselves caught between these two giants, like the grass that suffers when elephants fight.
Since its release in 2000, Active Directory (AD) has been a staple for Windows networks. It provides users and IT admins with identity management, access control, and policy enforcement for Windows servers, desktops, and laptops.
Azure Active Directory (AAD) is Microsoft’s cloud-based identity service. Despite the name, it is not simply the on-premises Active Directory service hosted in the cloud; it lets businesses securely access their applications and resources from anywhere, with the deepest integration on Windows devices.
However, the problem arises when it comes to Apple’s Macs. While Microsoft has done an excellent job of making Windows computers compatible with AAD, the same cannot be said for Mac users.
The Challenge of Binding Macs to Azure AD
The challenge of binding Macs to Azure Active Directory is twofold:
Partly because of the Apple-Microsoft rivalry, there is no native way to join a Mac to AAD the way a Windows device can be joined.
Even when workaround solutions exist, ensuring a seamless user experience can also take time and effort.
For example, some admins have taken a cobbled-together approach: creating a managed domain with Azure AD Domain Services (Azure AD DS, not to be confused with on-prem AD DS) and then setting up a VPN connection between their Macs and that domain so the Macs can bind to it over LDAP and Kerberos. The problem is that this solution is complicated, adds a second directory to keep in sync, and is discouraged by Microsoft.
Others, which already utilize Active Directory, can choose to implement an on-prem directory extension. However, this presents a new set of challenges, from extra costs to more infrastructure to manage.
In addition, this doesn’t enable direct Mac integration into Azure AD. Instead, admins are left with a non-future-proof method of managing endpoints.
The Solution: Step Out of Platforms And Into Identity
A better approach that IT admins take to resolve this problem is to think away from platforms and into identity.
Rather than relying on a cobbled solution that requires managing multiple directories or on-prem extensions, cloud identity management solutions such as the JumpCloud Directory Platform provide a single-user directory that can manage all users’ access to the network and other applications from one central platform.
This approach lets admins extend Azure AD identities not only to Macs but also to Windows, Linux, and other devices in an intuitive, hassle-free manner. With JumpCloud, admins can securely manage users’ AAD access regardless of their device or platform.
Also, IT teams that leverage other cloud-computing platforms, such as Amazon’s AWS, or Google Workspace, needn’t worry about managing different identities.
Users can access every network and resource with a single identity: Wi-Fi, VPN, web applications, legacy LDAP applications, and on-prem or cloud-based file storage. This configuration creates a true single sign-on (SSO) experience for users, making access both more convenient and more secure.
Manage Identity with the JumpCloud Directory Platform
JumpCloud provides an all-in-one solution for IT admins to bind Macs to Azure Active Directory without any of the earlier-mentioned problems. It’s an identity provider that delivers secure, cloud-based access services to users regardless of their devices.
The platform streamlines user experiences with SSO while unifying admin tools for mobile device management (MDM), multi-factor authentication (MFA), and compliance controls behind one pane of glass. Want to get a better handle on your heterogeneous environment? Watch our demo video and sign up for a free trial today.
JumpCloud delivers single sign-on (SSO) to everything, including RADIUS authentication and authorization for network devices. Multi-factor authentication (MFA) is environment wide, delivering Push MFA for RADIUS. RADIUS is a core network protocol that’s widely used for Wi-Fi authentication, and it provides authentication, authorization, and accounting (AAA).
JumpCloud Cloud RADIUS simplifies and secures privileged administrative access for network admins. It’s also an option to configure access to LANs for all of your SSL VPN users. JumpCloud eliminates the need to use Fortinet’s FortiTokens for MFA.
This two-part blog series explores two use cases with FortiGate next-generation firewall:
Option 1: Use existing local FortiGate groups that contain FortiGate remote users. This approach is ideal for existing appliances that already have settings and users.
Option 2: Use remote groups (JumpCloud) and attribute mapping to set up access control on a new Fortinet device. This approach spares admins the work of having to establish local groups using ACLs on the Fortinet appliance.
This article focuses on Option 1.
We’ll demonstrate how to point an existing local FortiGate user at the JumpCloud RADIUS server configured on your FortiGate, so that JumpCloud becomes the authentication authority without changing anything about the appliance’s network posture.
Note: It’s also possible to accomplish this using a different brand of network appliance.
Configuring JumpCloud RADIUS and Groups
Follow this guide to get started with JumpCloud groups. You may also refer back to this previous tutorial on how to configure SAML access for Fortinet devices if it better suits your requirements. However, RADIUS has the advantage of also mapping groups and authorizations/permissions.
Establishing Groups and MFA
You may have MFA required for individual users or leverage groups with conditional access. Skip this step if you’ve already configured your access control policies.
To require MFA factors for the User Portal on an individual user account:
Open the user, and in the User Security Settings and Permissions section select the Require Multi-Factor Authentication for User Portal option. Note: The enrollment period only affects TOTP MFA. See Considerations.
Click save user.
To require MFA factors for the User Portal on existing users from the more actions menu:
Select any users you want to require MFA for.
Click more actions, then select Require MFA on User Portal.
Specify the number of days the user has to enroll in MFA before they are required to have MFA at login. You can specify a number of days between 1 and 365. The default value is 7 days.
Click require to add this requirement to the selected users.
To require MFA factors with a Conditional Access Policy:
If you don’t want the policy to take effect right away, toggle the Policy Status to OFF and finish the rest of the configuration. When you’re ready to apply the policy, you can toggle the Policy Status to ON.
For users, choose one of the following options:
Select All Users if you want the policy to apply to all users.
Select Selected User Groups if you want the policy to apply to specific user groups, then search for those user groups and select them. If you need to create user groups, see Getting Started: Groups.
If there are User Groups you want to exclude from the policy, search for the user groups and select them in the search bar under Excluded User Groups.
Optionally, set the conditions a user needs to meet. Note: Conditions is a premium feature available in the Platform Plus plan. Learn more about conditions in Getting Started: Conditional Access Policies.
In Action, select Allow authentication into selected resources, then select the Require MFA option.
Click create policy.
Two JumpCloud groups were created for the purpose of this tutorial.
Next, create the RADIUS server in the JumpCloud Admin Portal:
Enter a name for the server. This value is arbitrary.
Enter the public IP address from which your organization’s RADIUS traffic will originate (the FortiGate’s WAN address as seen from the internet). Requests from other source addresses are not accepted, so if the appliance sits behind NAT, use the NAT gateway’s address.
Provide a shared secret. This value is shared with the device or service endpoint you’re pairing with the RADIUS server, and it is all that authenticates the appliance to JumpCloud and protects the password attribute in transit, so generate a long random value rather than a word.
Select an identity provider.
Now select an authentication method:
To use certificate authentication, select Passwordless.
Once Passwordless has been selected, the Save button will be disabled until a certificate has been successfully uploaded (or the authentication method has been changed back to Password).
If desired, select Allow password authentication as an alternative method.
If this checkbox is selected, admins can enable certificates for some users while allowing others to continue validating by username and password. Users will continue to have the option to validate by username and password, but once they choose to validate with certificates and a valid certificate is found, the password option will no longer be presented.
The MFA Configuration section will be available if using JumpCloud as the identity provider, and Passwordless is selected as the Authentication Method, and the Allow password authentication as an alternative method checkbox is selected.
Configuring multi-factor authentication (MFA).
Toggle the MFA Requirement option to “enabled” for this server. This option is disabled by default.
Select Require MFA on all users or Only require MFA on users enrolled in MFA.
If selecting Require MFA on all users, a sub-bullet allows for excluding users in a TOTP enrollment period, but this does not apply to JumpCloud Protect™ (users in a TOTP enrollment period who are successfully enrolled in Protect will still be required to complete MFA).
If JumpCloud Protect is not yet enabled, you can select the Enable Now link.
Uploading a Certificate Authority (CA).
To upload your certificate, click on the Choose a File button, navigate to the file location, and select it for uploading.
Once the file has uploaded successfully the file name will display on the screen and options will change to replacing or deleting the file. There is also an option to view the full CA chain.
Clicking Save returns you to the main RADIUS screen, where the Certificate badge will display in the Primary Authentication column. Note: For more information about where and how to find trusted certificates outside of JumpCloud, see RADIUS-CBA Tools for BYO Certificates.
Select Users for Access to the RADIUS Server (User Groups tab):
To grant access to the RADIUS server, click the User Groups tab then select the appropriate groups of users you want to connect to the server.
Every user who is active in that group will be granted access.
Click save.
Note: Users who are being granted access to a RADIUS server and leveraging delegated authentication (with Azure AD as their identity provider) must be imported into JumpCloud and assigned to a User Group.
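The shared secret entered above does two jobs in RADIUS: it hides the User-Password attribute on the wire and it authenticates every reply the server sends back. The following is an added example, not JumpCloud’s or Fortinet’s code, that implements the RFC 2865 password-hiding transform and Response Authenticator check with only the Python standard library, then plays both sides of an Access-Request/Access-Accept exchange against a constructed user table. The secret, username, password, and NAS address are all made up for the example. It also shows what a secret mismatch looks like in practice: with PAP the server cannot recover the password, so you get an Access-Reject that looks like a bad password rather than a connection error, which is the first thing to check when “Checking Your Work” fails later on.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret, identifier, username, password, nas_ip, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # must be unpredictable in real use
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(secret, code, identifier, request_auth, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(secret, request_auth, response) -> bool:
    """Client-side check that the reply came from a server holding the same secret."""
    length = struct.unpack("!H", response[2:4])[0]
    header, got, attrs = response[:4], response[4:20], response[20:length]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def server_respond(secret, request, users):
    """Minimal server: look the user up in a constructed table, answer Accept or Reject."""
    identifier, length = request[1], struct.unpack("!H", request[2:4])[0]
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = username in users and hmac.compare_digest(users[username], password)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth)


def demo() -> dict:
    secret = b"constructed-shared-secret-change-me"        # constructed for this example
    users = {"jdoe": b"correct horse battery staple"}       # constructed; real servers store hashes
    request_auth = bytes(range(16))                          # fixed so the run is reproducible
    req = build_access_request(secret, 7, "jdoe", "correct horse battery staple",
                               "198.51.100.10", request_auth)
    good = server_respond(secret, req, users)
    # A secret mismatch between appliance and server does not raise an error: the server
    # recovers garbage instead of the password and answers Access-Reject, and the client
    # cannot verify that reply's authenticator either.
    bad = server_respond(b"wrong-secret", req, users)
    return {
        "accepted": good[0] == ACCESS_ACCEPT and verify_response(secret, request_auth, good),
        "mismatch_rejected": bad[0] == ACCESS_REJECT,
        "mismatch_reply_unverifiable": not verify_response(secret, request_auth, bad),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the whole construction rests on MD5 keyed with the shared secret, which is why the secret must be long and random and why the traffic path between the appliance and the cloud RADIUS endpoint matters; the certificate-based Passwordless option described above avoids sending a reusable password attribute at all.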
FortiGate Settings
Follow these instructions to configure the RADIUS server(s) in your FortiGate appliance. Next, we’ll make it possible for your existing users to use JumpCloud’s identity and access management (IAM).
Local Groups with Remote Users
You may enter more than one JumpCloud RADIUS server IP for redundancy. The next section uses the FortiGate command line interface (CLI) to convert your existing local users into RADIUS users, after which you match each username with the corresponding JumpCloud username. Nothing changes from an access control list (ACL) perspective, yet you increase your network security and can more easily meet compliance requirements. The steps are simple, and will spare a small or medium-sized enterprise (SME) the time and expense of buying blocks of hours from a network technician or MSP partner.
Converting Local Users Into RADIUS Users
The first step is to launch your CLI to convert users that already exist in FortiGate.
An existing user and user group
This may be scripted to streamline the process for a group of users. For a single user, the commands are as follows (the show step prints the object as it currently exists, so you can confirm you are editing the right user before changing its type):
config user local
    edit "USER NAME"
        show
        set type radius
        set radius-server "YOUR SERVER"
    next
end
Here YOUR SERVER is the name of the RADIUS server object you created in the FortiGate settings above, not its IP address.
Checking Your Work
You may verify these settings by entering the following; the output should now include set type radius and the set radius-server line pointing at your JumpCloud server object:
config user local
    edit "USER NAME"
        show
    next
end
The local user is looking at the remote RADIUS user for authentication
Ensure that the user is a member of the corresponding RADIUS user group in JumpCloud, with exactly the same username as on your appliance: the FortiGate sends the local name as typed in the User-Name attribute, and JumpCloud must find a matching user in a group granted access to that RADIUS server. JumpCloud now controls authentication, including enforcing MFA, without FortiTokens or a third-party MFA solution.
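Because the conversion is the same handful of CLI lines per user, it is worth scripting, and the riskiest part is not the CLI but the username match. The following is an added example, not part of the original tutorial or any Fortinet or JumpCloud tooling, that reconciles a list of local FortiGate usernames against a JumpCloud group’s membership and then emits the conversion batch only for names that match exactly. The user lists and the server object name are constructed; the character whitelist for names is a conservative assumption rather than Fortinet’s documented rule, so unsafe names are refused instead of escaped.

```python
import re

# Conservative assumption about acceptable FortiGate object names: anything with
# quotes, backslashes or whitespace is refused rather than escaped.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@+-]+$")


def reconcile(fortigate_users, jumpcloud_group_members) -> dict:
    """Compare the appliance's local user names with a JumpCloud group's membership.
    A name that differs only in case is reported separately: RADIUS sends the name
    exactly as configured on the appliance, so it must match the JumpCloud username."""
    fg, jc = set(fortigate_users), set(jumpcloud_group_members)
    jc_lower = {m.lower(): m for m in jc}
    case_mismatch = {u: jc_lower[u.lower()] for u in fg - jc if u.lower() in jc_lower}
    return {
        "ready": sorted(fg & jc),
        "missing_in_jumpcloud": sorted(fg - jc - set(case_mismatch)),
        "case_mismatch": case_mismatch,
        "jumpcloud_only": sorted(jc - fg - set(case_mismatch.values())),
    }


def fortigate_convert_cli(users, radius_server: str) -> str:
    """Emit the 'config user local' batch that switches each existing local user
    to RADIUS authentication against the named FortiGate RADIUS server object."""
    for name in list(users) + [radius_server]:
        if not SAFE_NAME.match(name):
            raise ValueError(f"refusing to quote unsafe name: {name!r}")
    lines = ["config user local"]
    for name in users:
        lines += [
            f'    edit "{name}"',
            "        set type radius",
            f'        set radius-server "{radius_server}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


# Constructed sample data: local FortiGate users and a JumpCloud RADIUS group.
FORTIGATE_LOCAL_USERS = ["jdoe", "ASmith", "vpn-contractor", "mlee"]
JUMPCLOUD_GROUP = ["jdoe", "asmith", "mlee", "rkim"]

if __name__ == "__main__":
    report = reconcile(FORTIGATE_LOCAL_USERS, JUMPCLOUD_GROUP)
    print(report)
    # Only convert users that JumpCloud will actually recognize; fix the rest first.
    print(fortigate_convert_cli(report["ready"], "JumpCloud-RADIUS"))
```

Run it before pasting anything into the appliance: a user listed under missing_in_jumpcloud or case_mismatch would lock themselves out the moment their local object is switched to type radius, since the appliance no longer holds a password for them.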
This is an example of an existing FortiGate user:
This RADIUS user belongs to the appropriate JumpCloud Group
Reporting
JumpCloud’s Directory Insights captures and logs RADIUS authentications. It makes it possible to determine which user is attempting to access your resources and whether it was successful. Directory Insights is useful for debugging and testing your RADIUS configuration deployments.
Try JumpCloud RADIUS
JumpCloud’s full platform is free for 10 users and 10 devices, with premium chat support for the first 10 days to get you started. The open directory platform provides SSO to everything.
Need a Helping Hand? Reach out to professionalservices@jumpcloud.com for assistance to determine which Professional Service option might be right for you.
JumpCloud recently held a webinar to discuss how MSPs can expand their Identity Access Management (IAM) offering with password management.
Our host, JumpCloudian Dakota Hippern, was joined by Antoine Jebara, co-founder and GM of MSP Business, and Rob McGrath, product manager, in discussing the relevance of password management and how JumpCloud Password Manager is poised to help MSPs bolster their IAM offering. Below is a recap of the key points discussed during the webinar.
Passwords might soon become an endangered species. With the uptick in biometric recognition, smart pins, and push notifications as the preferred method of authentication, password management is no longer at the center of organizations’ IAM approach.
More companies now use LDAP and RADIUS-based authentication to log people into resources like VPN, Wi-Fi, on-prem infrastructure, etc.
Despite this, password management constitutes a vital component in most organizations’ infrastructure, and MSPs must take this into consideration when assessing their identity and access management offering.
This post discusses why password management is still relevant today and how MSPs can make the most of JumpCloud’s password manager to deliver excellent service to their clients.
Password Management: Why Bother?
Almost two decades after Bill Gates first predicted the death of passwords, passwords no longer form the core of most organizations’ access management strategy. Why then should MSPs bother with password management?
Ubiquity
Passwords are the most common authentication method, and for good reason. First, they’ve been around for far longer. Second, passwords are a right-out-of-the-box feature in almost all devices. This is more than can be said for other modes of authentication such as biometric recognition or smart cards.
The net effect is that, even though organizations rely on them less, passwords are likely to hang on at least until other authentication methods become as commonplace.
Weakness
MSPs must have a password management strategy to protect their clients from the risks that passwords carry. From phishing to physical theft, and even dumpster diving, passwords are the credential most likely to end up enabling unauthorized access.
In developing their IAM offerings, most MSPs have had single sign-on (SSO) play a significant role in their strategy. SSO enables users to log in once to all the company resources they need to get their work done.
This is mostly done by coupling SSO with push authentication, biometric recognition, and other authentication modes.
Sometimes, however, users will not be able to use SSO to get into some paywalled web-based apps. Or sometimes, they may have to use some shadow IT tools which aren’t part of the company’s infrastructure.
In such instances, password usage creates a gap which password management must bridge, or organizations risk security exposure.
Password Managers + Types
Password managers are software that securely stores and protects users’ login information. Although they typically maintain records of usernames and relevant passwords, they also offer additional storage options. This includes addresses, card details, etc.
There are three major types of password managers:
Offline Password Managers
These password managers store and encrypt passwords locally on a user’s endpoint but don’t sync them across devices. Out of the box, a user can therefore only use the password manager on that one device.
Offline password managers are a poor fit for enterprise use because they don’t give admins centralized visibility or control. What they lack in convenience, however, they make up for in security: since the vault never leaves the device, it is not exposed to attacks on a vendor’s servers or on the sync channel, though it is only as safe as the device that holds it.
Cloud-Based Password Managers
Cloud-based password managers store passwords in a vault that lives on the password manager’s servers. The vault is encrypted with a key derived from a single secret called the “Master Password”, so the vendor can hold the ciphertext without being able to read it. The user is tasked with creating, remembering, and protecting this master password.
Users access the information in cloud-based password managers using a combination of their email and the master password.
These are more convenient since users can access them on multiple devices. Plus, they give a high level of visibility and control to admins. However, they make a huge trade-off in security as their effectiveness depends on the user’s ability to create and protect a strong master password.
Hybrid Password Managers
A hybrid password manager, such as JumpCloud Password Manager, combines the best traits of the first two types.
It uses a decentralized storage architecture in which the vault is stored locally on the user’s endpoints, encrypted under a key that the client generates on the device.
The encrypted vault then syncs to the user’s other devices through JumpCloud, so the same vault is available wherever they log in.
It also allows users to share passwords with other users in the organization. In addition, a hybrid password manager gives admins visibility and control without letting them see a user’s passwords, except where a user has shared them.
An inherent advantage of JumpCloud’s password manager is that it does not rely on a user’s ability to create and protect a strong master password. Instead, users unlock the vault with biometrics, Windows Hello, or other local authentication means tied to the device.
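The security trade-off between the cloud-based and hybrid models above comes down to what the vault key is derived from. The following is an added example, not JumpCloud’s code or a description of how its product is implemented, using only the Python standard library to show why a cloud vault is only as strong as its master password: the key is derived from the password with PBKDF2, a verifier stored beside the ciphertext lets the client tell a wrong password from corruption, and that same verifier lets anyone holding a copy of the vault guess offline with no lockout. A device-bound key that was never derived from a typed secret gives the same wordlist nothing to hit. The iteration count is lowered for speed, the wordlist and passwords are constructed, and the vault contents themselves (which a real product would encrypt with an AEAD cipher under the derived key) are omitted.

```python
import hashlib
import hmac
import os

# Lowered for a fast demo; production vaults use several hundred thousand PBKDF2
# iterations (or a memory-hard KDF such as Argon2/scrypt) to slow down each guess.
ITERATIONS = 20_000


def derive_vault_key(master_password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The vault key is derived from the master password; the password itself is never
    the key. Salt and iteration count are stored in the clear alongside the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations, dklen=32)


def key_verifier(key: bytes) -> bytes:
    """Stored beside the ciphertext so the client can distinguish a wrong master
    password from a corrupt vault. It also hands an attacker an offline oracle."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def create_vault_header(master_password: bytes, salt: bytes = None,
                        iterations: int = ITERATIONS) -> dict:
    """Cloud-based model: everything needed to check a guess travels with the vault."""
    salt = salt or os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": key_verifier(key)}


def device_bound_header(iterations: int = ITERATIONS) -> dict:
    """Hybrid/device-bound model: the key is a random secret released by the device
    (biometrics, OS keystore), not derived from anything the user typed."""
    return {"salt": os.urandom(16), "iterations": iterations,
            "verifier": key_verifier(os.urandom(32))}


def offline_attack(header: dict, wordlist) -> tuple:
    """What someone holding a copy of the vault can do: guess with no rate limit or
    lockout, paying only the KDF cost per guess. Returns (matching guess, tries)."""
    tries = 0
    for guess in wordlist:
        tries += 1
        key = derive_vault_key(guess, header["salt"], header["iterations"])
        if hmac.compare_digest(key_verifier(key), header["verifier"]):
            return guess, tries
    return None, tries


# Constructed wordlist standing in for the top of a real breached-password list.
WORDLIST = [b"password", b"123456", b"Summer2023!", b"Welcome1", b"letmein"]


def demo() -> dict:
    fixed_salt = b"\x00" * 16  # fixed only so the run is reproducible; never reuse a salt in practice
    weak = create_vault_header(b"Summer2023!", fixed_salt)
    strong = create_vault_header(b"lantern-quartz-velvet-39-orbit", fixed_salt)
    return {
        "weak_master": offline_attack(weak, WORDLIST),                     # (b'Summer2023!', 3)
        "strong_master": offline_attack(strong, WORDLIST),                 # (None, 5)
        "device_bound": offline_attack(device_bound_header(), WORDLIST),   # (None, 5)
    }


if __name__ == "__main__":
    print(demo())
```

The KDF only multiplies the attacker’s cost per guess; it cannot rescue a master password that appears in a wordlist, which is the gap the hybrid model closes by not having a guessable master secret in the first place.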
JumpCloud Password Manager: Fitting Into a Larger Ecosystem
JumpCloud developed its sophisticated password manager in response to growing demand from organizations and MSPs. The password manager provides a single-point solution for IAM needs, reducing tool sprawl and lowering IT costs.
The password manager integrates with the JumpCloud open directory platform and greatly complements other tools such as multi-factor authentication (MFA), SSO, conditional access, etc.
JumpCloud Password Manager also provides a seamless experience for admins as it is deployed and managed through one console. Users also benefit from not having to log in to disparate apps through an external password manager.
Besides its benefits as an important part of a larger ecosystem, JumpCloud Password Manager is also a superior option because it eliminates the dilemma of choosing between convenience and security.
Leverage JumpCloud’s Password Manager Today
As passwords continue to hang on for the ride, MSPs must understand how to fit password managers into their IAM offering.
With JumpCloud’s hybrid password manager offering a mix of security, visibility, control, and convenience, password management is no longer a pick-your-poison dilemma. Learn more about JumpCloud’s password manager and watch a demonstration of it in this webinar.
A domain describes a collection of users, systems, applications, networks, database servers, and any other resources that are administered with a common set of rules. Generally, a domain also encompasses a physical space like an office or multiple offices. If you are within the domain you are in a theoretically safe space and trusted. If outside, you are untrusted, so the domain would effectively be your castle with a moat around it.
A domain controller (DC) is a server that manages network and identity security, effectively acting as the gatekeeper for user authentication and authorization to IT resources within the domain. Domain controllers are particularly relevant in Microsoft directory services terminology, and function as the primary mode for authenticating Windows user identities to Windows-based systems, applications, file servers, and networks. They also host Active Directory services.
The popularity of Windows systems for enterprise solutions established the domain controller as a common term in networking architecture. However, recent trends have antiquated their use — especially for non-Windows systems. Domain controllers as they exist today don’t meet the requirements of small and medium-sized enterprises (SMEs). That has led many organizations to seek alternative cloud identity and access management (IAM) solutions and device management that works on systems beyond Windows. The domainless enterprise accomplishes what domain controllers did for Windows networks through cloud-based infrastructure. It treats identities as the perimeter and devices as a gateway to resources.
However, domain controllers remain a foundational technology for SMEs and can be extended and improved by cloud directories, including JumpCloud’s Open Directory Platform. This article provides an in-depth introduction to domain controllers, how they work, and how to use them.
Intro to Domain Controllers
The concept of the domain controller was first introduced by Microsoft to manage Windows NT-based networks. It provided IT admins a way to control access to resources within a domain — essentially an organization’s users and IT resources. In this environment, all user requests are sent to the domain controller for authentication and authorization. The domain controller then authenticates the user identity, typically by validating a username and password, then authorizes requests for access accordingly. Windows Server has evolved over the years with the inclusion of new features to support modern hosting paradigms and deployment options. Subsequent releases have added additional server roles, and can keep pace with newer hardware, authentication protocols, reporting, administration, and security requirements.
What Does a Domain Controller Do?
Domain controllers enforce permissions and security policies for network resources while ensuring the overall security and reliability of the network. The inclusion of Microsoft’s Active Directory (AD) then enabled network administrators to manage user accounts and entitlements for Windows-based networks from a centralized location. AD sets policies such as password complexity requirements or account lockouts. It’s also possible to replicate directory data and user information to other domain controllers on the network, whether on-premises or at another location.
AD has since played a critical role for many organizations for over two decades. Domain controllers remain relevant to the modern enterprise, but lock users into Windows networks without the inclusion of cloud services that federate identity and manage all device platforms.
How Is Active Directory Set Up on a Domain Controller?
Active Directory Domain Services (AD DS). This is the main service within Active Directory. Besides storing the directory information, it also controls which users can access each enterprise resource and which group policies apply. AD DS uses a tiered structure comprising domains, trees, and forests to coordinate networked resources.
Active Directory Lightweight Directory Services (AD LDS). It shares the same codebase and functionality as AD DS. However, unlike AD DS, AD LDS uses the Lightweight Directory Access Protocol (LDAP) on its own, allowing multiple instances to run on the same server.
Active Directory Federation Services (AD FS). As the name suggests, AD FS is a federated identity service that provides single sign-on (SSO) capabilities. It uses many popular protocols such as OAuth, OpenID, and Security Assertion Markup Language (SAML) to pass credentials between different identity providers.
Active Directory Certificate Services (AD CS). This is a service that creates on-premises public key infrastructure (PKI), allowing organizations to create, validate, and revoke certificates for internal use.
Follow these steps to set up AD:
Install Windows Server: Designate a Windows Server instance to be your primary domain controller. Dedicate a virtualization platform or server that meets the minimum hardware requirements to run Windows Server and leave room for expansion.
It’s likely that you’ll need additional server instances and roles if you’re building an infrastructure around the DC. Microsoft modified its licensing regime to function on a per-core basis (not to mention every Client Access License (CAL) you need). Keep these added costs in mind, because server core licensing may be more expensive than you realize.
Install Active Directory Domain Services: Install AD DS using the Server Manager or PowerShell. Have a contingency plan for backups and to address what happens if your DC goes down.
Promote the Server to a Domain Controller: Next, you’ll need to promote the server to a domain controller. The Active Directory Domain Services Installation Wizard will assist with specifying the appropriate settings for your network.
Configure Active Directory: Configure Active Directory to suit your network requirements. This involves creating organizational units, users, groups, and other network components. Meeting modern security standards can be a complex process that should only be attempted by experienced administrators who understand the risks involved.
Configure DNS: Active Directory relies heavily on DNS (Domain Name System) for name resolution. Configure DNS properly to ensure that Active Directory functions correctly. Have at least two internal DNS servers and consider using Active Directory integrated zones. They improve reliability and performance, and with secure dynamic updates the DNS server will reject update requests from hosts that aren’t authorized.
Configure Group Policy: Finally, configure Group Policy, which allows you to manage and enforce policies across the network. Group Policy settings can be applied at the domain, site, or organizational unit level. The default UIs can be challenging and laborious. GPO Templates make it easier to implement strong security postures for Windows such as CIS benchmarks.
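The six steps above as one PowerShell script. This is an added example, not the article’s own procedure or a JumpCloud script; it assumes a fresh Windows Server instance with the RSAT cmdlets, and the domain name corp.example.com, the NetBIOS name CORP, the OU names, the group name and the user jdoe are placeholders chosen for the example. The promotion reboots the server, so the baseline configuration is a separate function to run after the reboot.

```powershell
# Added example (not from the original article): first domain controller of
# a new forest, then the initial security baseline. All names are placeholders.
#Requires -RunAsAdministrator

$DomainName  = 'corp.example.com'             # placeholder forest root domain
$NetbiosName = 'CORP'                          # placeholder NetBIOS name
$DomainDN    = 'DC=corp,DC=example,DC=com'     # distinguished name of the domain

function Install-FirstDomainController {
    # Step 2: install the AD DS and DNS roles plus their management tools.
    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

    # Step 3: promote the server. -InstallDns makes this DC the first internal
    # DNS server. The DSRM (safe mode) password is prompted for, never stored
    # in the script; keep it in a vault, because it is needed for recovery.
    Import-Module ADDSDeployment
    $dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM administrator password'
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -InstallDns:$true -SafeModeAdministratorPassword $dsrmPassword -Force:$true
    # The server reboots at the end of promotion; run Initialize-DomainBaseline afterwards.
}

function Initialize-DomainBaseline {
    Import-Module ActiveDirectory

    # Step 4: organizational units. Separating admin accounts, servers and
    # workstations is what lets Group Policy treat them differently later.
    foreach ($ou in 'Tier0-Admins', 'Servers', 'Workstations', 'Staff') {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $DomainDN)) {
            New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion $true
        }
    }
    New-ADGroup -Name 'Workstation Admins' -GroupScope Global -GroupCategory Security `
        -Path "OU=Tier0-Admins,$DomainDN"
    New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -UserPrincipalName "jdoe@$DomainName" `
        -Path "OU=Staff,$DomainDN" -Enabled $true -ChangePasswordAtLogon $true `
        -AccountPassword (Read-Host -AsSecureString -Prompt 'Initial password for jdoe')

    # The password complexity and lockout policy the article mentions, set
    # tighter than the out-of-the-box domain defaults.
    Set-ADDefaultDomainPasswordPolicy -Identity $DomainName -ComplexityEnabled $true `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 15) -LockoutObservationWindow (New-TimeSpan -Minutes 15)

    # Step 5: DNS. The zone created by promotion is already AD-integrated;
    # 'Secure' accepts dynamic updates only from authenticated domain members.
    # The second internal DNS server the text asks for is the second DC,
    # promoted with -InstallDns as well.
    Set-DnsServerPrimaryZone -Name $DomainName -DynamicUpdate Secure

    # Step 6: a GPO linked to the workstation OU. Baseline settings (for
    # example a CIS benchmark template) are then imported into this GPO.
    Import-Module GroupPolicy
    New-GPO -Name 'Workstation Baseline' | New-GPLink -Target "OU=Workstations,$DomainDN" -LinkEnabled Yes
}

# Usage: Install-FirstDomainController   (reboots)
#        Initialize-DomainBaseline       (after the reboot, as a domain admin)
```

Both functions are idempotent enough to rerun after a failure except for the user and group creation, which will report that the object already exists; everything security-relevant (password policy, secure dynamic updates, the GPO link) is a setting rather than a one-off.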
Is a Domain Controller the Same as a DNS Server?
A DC functions as a gatekeeper for host access to domain resources and provides authentication into a domain using Kerberos and/or NTLM. It’s where policies are enforced and AD is hosted. The Domain Name System (DNS) protocol resolves hostnames to IP addresses, which is what lets users and services locate resources on the network and the web. A DNS server strictly provides DNS services.
Other Domain Controller Implementation Options
The following deployment options can help admins to save money and meet their requirements.
Global Catalog (GC): The GC is an unofficial Flexible Single Master Operations (FSMO) role and AD feature that provides information about any object across all forest domains. Select attributes are replicated to GC servers, which allows admins to pull necessary information.
Read-Only Domain Controllers (RODC): An RODC hosts a read-only copy of Active Directory for branch offices where IT resources are limited. It serves as an economical alternative to establishing secure data center facilities at every branch of an organization. Authentication requests go to the local RODC rather than across a WAN link, which improves security. The RODC holds a limited, read-only copy of the directory, and which credentials it may cache is defined by policy. Local administrators can make changes that won’t affect the primary DC at headquarters.
Directory Services Restore Mode (DSRM): DSRM is a special boot mode to help admins recover AD databases and restore system state. This is a similar concept to “Safe Mode” in Windows. Hackers sometimes use pen-testing tools such as Mimikatz to activate and capture local DSRM admin credentials. They can obtain remote access using local admin accounts.
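A read-only audit of the three options above, written from the defender’s side: which DCs are global catalogs or read-only, what a branch RODC is allowed to cache, and whether the DSRM account has been opened up for normal logon. This is an added example, not part of the original article; it assumes RSAT on a management host, and RODC01 is a placeholder server name.

```powershell
# Added example (not from the original article): inventory of GC, RODC and
# DSRM settings. RODC01 is a placeholder; run with domain-level read rights.
Import-Module ActiveDirectory

function Get-DcRoleInventory {
    # Global Catalog and read-only status of every DC, plus the FSMO roles
    # each one holds (the GC is listed alongside them, as the text does).
    Get-ADDomainController -Filter * |
        Select-Object Name, Site, IsGlobalCatalog, IsReadOnly,
            @{ Name = 'FsmoRoles'; Expression = { $_.OperationMasterRoles -join ',' } }
}

function Get-RodcCachingPolicy {
    param([Parameter(Mandatory)][string]$RodcName)
    # The password replication policy decides which accounts a branch RODC
    # may cache; 'Cached' is what it has actually stored so far. Domain
    # Admins and other privileged accounts should never appear in either.
    [pscustomobject]@{
        Allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed).Name
        Denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied).Name
        Cached  = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts).Name
    }
}

function Test-DsrmLogonBehavior {
    # The DSRM administrator is meant to be usable only while booted into
    # DSRM. The DsrmAdminLogonBehavior value under the Lsa key relaxes that
    # (1: usable when AD DS is stopped, 2: usable at any time). On a
    # production DC anything other than absent or 0 should raise a ticket,
    # and changes to this key are worth alerting on. Run this on the DC itself.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -eq $value -or $value -eq 0) {
        "OK: DSRM administrator logon restricted to DSRM boot on $env:COMPUTERNAME"
    } else {
        "WARNING: DsrmAdminLogonBehavior = $value on $env:COMPUTERNAME"
    }
}

# Usage:
#   Get-DcRoleInventory | Format-Table
#   Get-RodcCachingPolicy -RodcName 'RODC01'
#   Test-DsrmLogonBehavior
```

The RODC report is the one to schedule: the allowed list is set once and forgotten, while group membership changes over time can silently put a privileged account inside it.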
Domain Controller Setup and Best Practices
Attackers employ several common methods to elevate privileges and create persistence. The following steps take those into consideration and can help to prevent breaches from happening:
Disable the default administrator user. This is a primary attack vector.
Limit the use of domain admin privileges. Don’t run as an admin user and consider time-based privileged elevation. When AD is installed, consider having administrative accounts reside within a separate forest (Red Forest model) from other users by implementing authentication policy silos. This configuration may require external experts, training, and add-on tools to implement. It’s extremely important to plan out the design and configuration and to implement monitoring and logging.
Implement new Active Directory enhanced features such as protected groups, restricted RDP, time-based group membership, and testing. Consider an intrusion detection system, because AD contains all of your “keys to the kingdom.”
Use different servers for RDP and MMC access. I once encountered a DC that hosted the RDP role service directly, and my team (in a previous role) had to reprovision it to a “clean” baseline.
Be judicious, and install third-party applications on DCs only from suppliers you trust.
Restrict internet access to DCs through network filtering and consider using a defense-in-depth approach. Microsoft recommends using Defender for Identity, which requires deploying sensors and obtaining licensing. It’s a standalone subscription that’s also bundled into premium SKUs including the Enterprise Mobility + Security E5 suite (EMS E5).
Admins should establish a program to harden their DCs, patch and remediate, and maintain an appropriate security baseline. For instance, prevent web browsing from a DC. Microsoft recommends these actions to secure DCs from attack.
Use Local Administrator Password Solution (LAPS) to manage local admin passwords on domain-joined computers. It will randomize local administrators’ passwords.
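Checks for several of the practices above, so the list can be verified rather than just read: Domain Admins membership and whether those accounts sit in Protected Users, whether the built-in Administrator is still enabled, a time-limited way to grant Domain Admins membership, and which computers have no LAPS-managed local password. This is an added example, not the article’s own tooling; it assumes RSAT on a management host and a forest functional level that supports the Privileged Access Management optional feature. corp.example.com and the user jdoe are placeholders.

```powershell
# Added example (not from the original article): hardening checks for the
# practices listed above. corp.example.com and jdoe are placeholders.
Import-Module ActiveDirectory
$Domain = 'corp.example.com'

function Get-PrivilegedAccountReport {
    # Every (nested) Domain Admin, whether they are in Protected Users (which
    # blocks NTLM, weak Kerberos ciphers and credential delegation for them),
    # plus whether the built-in Administrator (RID 500) is still enabled.
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
            @{ Name = 'ProtectedUser'; Expression = { $protected -contains $_.DistinguishedName } }
    $builtInSid = "$((Get-ADDomain -Identity $Domain).DomainSID.Value)-500"
    $builtIn    = Get-ADUser -Identity $builtInSid -Properties Enabled
    [pscustomobject]@{
        DomainAdmins        = $admins
        BuiltInAdminEnabled = $builtIn.Enabled   # the list says this should be $false
    }
}

function Grant-TemporaryDomainAdmin {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 4)
    # Time-based group membership: the account drops out of Domain Admins when
    # the TTL expires, so standing admin membership is never created. It needs
    # the forest-wide PAM optional feature, which cannot be disabled once on,
    # so this reports rather than enabling it silently.
    $pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
    if (-not $pam.EnabledScopes) {
        throw "PAM feature is off. Enable (irreversibly) with: Enable-ADOptionalFeature -Identity '$($pam.Name)' -Scope ForestOrConfigurationSet -Target $Domain"
    }
    Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName -MemberTimeToLive (New-TimeSpan -Hours $Hours)
}

function Get-LapsCoverageGaps {
    # Domain-joined Windows computers whose local administrator password is
    # not managed by Windows LAPS. Windows LAPS stamps msLAPS-PasswordExpirationTime
    # once the schema is extended (Update-LapsADSchema); legacy LAPS used
    # ms-Mcs-AdmPwdExpirationTime instead, so swap the attribute if you still
    # run the legacy agent. Any machine returned here still has a static or
    # shared local admin password.
    Get-ADComputer -Filter 'OperatingSystem -like "Windows*"' `
        -Properties 'msLAPS-PasswordExpirationTime', OperatingSystem |
        Where-Object { -not $_.'msLAPS-PasswordExpirationTime' } |
        Select-Object Name, OperatingSystem, DistinguishedName
}

# Usage:
#   (Get-PrivilegedAccountReport).DomainAdmins | Format-Table
#   Grant-TemporaryDomainAdmin -SamAccountName 'jdoe' -Hours 2
#   Get-LapsCoverageGaps | Format-Table
```

The privileged account report is worth feeding into whatever monitoring you have: a new row in the Domain Admins list, or a row whose ProtectedUser value is false, is exactly the kind of change the text says to log and watch for.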
Why Are Domain Controllers Important?
Domain controllers prevent unauthorized access to resources while ensuring that local domain identities/resources are managed and authorized through directory services. They can also scale to support large and complex networks and customized directory requirements.
What Are the Benefits of a Domain Controller?
Domain controllers centralize user lifecycle management for local domains. They can help to deploy Windows applications to groups of users while establishing the prerequisite security settings for files and programs. Windows DCs are a mature technology that’s widely supported, extensible with third-party solutions, and can be used to federate identities to the cloud.
What Are the Limitations of a Domain Controller?
DCs don’t provide high availability or security best practices out of the box. Organizations may require several domain controllers at different physical locations in order to ensure that there’s no single point of failure. The load on DCs increases as environments grow, which can impact the performance of applications and network services that depend on them. This weakness may require additional hardware resources or modifications to your infrastructure to remediate.
This aspect of DCs increases the overhead of maintaining data centers beyond standard configurations and patching. New servers require extending infrastructure and security, and some specialized knowledge and skills are necessary to do it correctly. This increases the costs of training and staffing. DCs will require careful planning, management, and monitoring.
Your domain controllers will always be at risk of zero-day Windows vulnerabilities. Constant vigilance and diligent entitlement management are essential.
Enabling remote work can also be a challenge. IT teams that are AD-centric must connect remote users to their LANs through VPNs or alternatives including a software-defined WAN (SD-WAN) and secure access service edge (SASE). By contrast, purpose-built cloud services can more easily manage remote endpoints and identities with less infrastructure and overhead. There’s also no way to extend SSO to web apps, no multi-factor authentication (MFA), and no conditional access rules for privileged users without add-on cloud or software solutions.
Modern Domain Controllers
JumpCloud’s Open Directory Platform is a cloud directory service that eliminates the need for an on-prem domain controller by shifting IAM and device management to the cloud. It connects users to whatever IT resources they need, regardless of platform, protocol, provider, and location. All of the secure identity validation still occurs, but you don’t need to manage a server. You can keep Active Directory and use cloud services other than Azure Active Directory and Intune for single sign-on (SSO) and mobile device management (MDM) for your entire fleet.
Cloud-delivery reduces infrastructure costs, simplifies deployment, and maximizes what you already have. Additionally, attribute-based access control and HR system integrations can enable advanced user lifecycle management scenarios to lower overall management overhead. These capabilities are driven by your workflows versus being parceled off as premium features.
Domain Controllers in an Open Directory
JumpCloud is an Open Directory Platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem. It can extend both AD and the free tier of AAD to accomplish more, with a lower TCO. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys. JumpCloud ensures that every resource has a “best method” to connect to it, including LDAP, OIDC, RADIUS, and SAML. Like the original concept of a DC, users can employ a single set of credentials to access systems, applications, networks, file servers, and cloud apps.
Access is secured via environment-wide MFA with optional conditional rules for privileged users. A password manager is also available to support non-SSO applications. It delivers secure, frictionless access, from managed (or trusted) devices running any platform. JumpCloud treats identities as the new perimeter. This is made possible through positioning every device as a gateway to your resources through identities. There are no add-ons for device management or consuming external identities: JumpCloud produces value lock-in versus vendor lock-in.
Try JumpCloud
If you would like to learn more about the future of domain controllers and why the domainless enterprise may be the future approach for your organization, drop us a note. Alternatively, sign up for a JumpCloud Free account and see what a true cloud directory platform could be for you. Your first 10 users and 10 systems are free and you can leverage our 24×7 premium in-app chat support for the first 10 days as well.
Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.
About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.