An ounce of prevention is worth a pound of detection
Event ended
Thursday, Mar 28, 2024, 11:30 AM PDT

Event details
With Identity Threat Detection and Response (ITDR) continuing to trend in the realm of identity security, systems protecting Active Directory tend to focus on real-time detection of attacks, using ad...
Char_Cheesman
Updated Dec 27, 2024
Karl-WE (MVP), Mar 28, 2024
Azure Stack HCI expects an OU with GPO inheritance disabled.
When deploying Azure Stack HCI in the same AD as prod, or better in a separate AD, would it make sense to apply Security GPO Baselines still? Or can we rely on Azure Policies doing this?
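As an added example for the premise of this question (not code from the thread or from Microsoft): a PowerShell check that reports whether the OU set aside for Azure Stack HCI nodes actually has GPO inheritance blocked, which GPOs are still linked to it directly, and which parent GPOs still reach it. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the caller can read the domain; the OU distinguished name used in the usage line is a constructed placeholder.

```powershell
# Added example, not part of the original thread.
# Assumes RSAT modules GroupPolicy and ActiveDirectory are available.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-HciOuGpoInheritance {
    param(
        # Distinguished name of the OU that holds the Azure Stack HCI node computer objects
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )

    # Get-GPInheritance returns the OU's inheritance state, the GPOs linked directly to it,
    # and the GPO links that still apply from parent containers.
    $inheritance = Get-GPInheritance -Target $OuDistinguishedName

    # Count the computer objects in the OU so the report shows what the GPO state affects.
    $nodeCount = @(Get-ADComputer -SearchBase $OuDistinguishedName -Filter *).Count

    $report = [pscustomobject]@{
        OU                 = $OuDistinguishedName
        ComputerObjects    = $nodeCount
        InheritanceBlocked = [bool] $inheritance.GpoInheritanceBlocked
        # GPOs linked directly to the OU (these apply even when inheritance is blocked)
        DirectlyLinkedGpos = @($inheritance.GpoLinks | ForEach-Object {
            '{0} (Enabled={1}, Enforced={2})' -f $_.DisplayName, $_.Enabled, $_.Enforced })
        # GPOs still reaching the OU from parent containers; an enforced link at a parent
        # level is applied regardless of the block, so flag those explicitly.
        InheritedGpos      = @($inheritance.InheritedGpoLinks | ForEach-Object {
            '{0} (Enforced={1})' -f $_.DisplayName, $_.Enforced })
    }

    if (-not $report.InheritanceBlocked) {
        Write-Warning "GPO inheritance is NOT blocked on $OuDistinguishedName; parent GPOs will apply to the HCI nodes."
    }
    $enforcedFromParent = @($inheritance.InheritedGpoLinks | Where-Object { $_.Enforced })
    if ($enforcedFromParent.Count -gt 0) {
        Write-Warning ("{0} enforced parent GPO link(s) still apply despite the block: {1}" -f
            $enforcedFromParent.Count, (($enforcedFromParent | ForEach-Object DisplayName) -join ', '))
    }

    return $report
}

# Usage (constructed placeholder OU; replace with the real HCI OU):
Test-HciOuGpoInheritance -OuDistinguishedName 'OU=HCI,DC=contoso,DC=local' | Format-List
```

Run it from a machine with the RSAT tools before and after deployment: the first run confirms the OU meets the inheritance requirement, and a scheduled rerun catches anyone re-enabling inheritance or linking a new baseline GPO to the OU later.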
- msfthiker (MVP), Mar 28, 2024: That's a great question, Karl. As far as securing the server estate outside of Domain Controllers, especially for specialized systems such as HCI, I'd have to get back to you as far as an answer. I know that there is overlap between Azure Policy and Group Policy, but securing HCI is outside of the realm in which I really work these days.
- Karl-WE (MVP), Mar 28, 2024: Thank you for going the extra mile. I am really curious since, in my preferred scenario, setting up a separate domain for Azure Stack HCI only, we could still consider GPO baseline for protecting the domain controllers "serving" the Azure Stack HCI cluster, if not the nodes themselves. I can imagine that hosts are protected by Azure Policy but the DCs could be "out of scope". Hope you see my curiosity and, can I name it, concerns?
- Matthew Reynolds (Microsoft), Mar 28, 2024: Good news: HCI nodes have a specialized security baseline applied by default (during deployment). You don't have to do anything to get it applied! To audit/monitor this you can use Azure Policy / Machine Configuration with the built-in Windows baseline policy definition. Today, the "Windows" baseline settings that Policy is able to audit differ slightly from the "HCI" settings applied during deployment, but we are working to bring them into 100% harmony.