Event banner

An ounce of prevention is worth a pound of detection

Event Ended
Thursday, Mar 28, 2024, 11:30 AM PDT
Online

Event details

With Identity Threat Detection and Response (ITDR) continuing to trend in the realm of identity security, systems protecting Active Directory tend to focus on real-time detection of attacks, using ad...
Char_Cheesman
Updated Dec 27, 2024
msfthiker's avatar
msfthiker
MVP
Mar 28, 2024
That's a great question Karl. As far as securing the server estate outside of Domain Controllers, especially for specialized systems such as HCI, I'd have to get back to you as far as an answer. I know that there is overlap between Azure Policy and Group Policy, but securing HCI is outside of the realm in which I really work these days.
Karl-WE's avatar
Karl-WE
MVP
Mar 28, 2024
Thank you for going the extra mile. I am really curious since, my preferred scenario, setting up a seperate domain for Azure Stack HCI only, we could still consider GPO baseline for protecting the domain controllers "serving" Azure Stack HCI cluster, if not the nodes itself. I can imagine that hosts are protected by Azure Policy but the DCs could be "out of scope". Hope you see my curiosity and, can name it concerns?
  • Matthew Reynolds's avatar
    Matthew Reynolds
    Icon for Microsoft rankMicrosoft
    Mar 28, 2024

    Good news, HCI nodes have a specialized security baseline applied by default (during deployment). You don't have to do anything to get it applied! To audit/monitor this you can use Azure Policy / Machine Configuration with the built in Windows baseline policy definition. Today the "Windows" baseline settings Policy is able to audit differ slightly from the "HCI" settings applied during deployment, but we are working to bring them into 100% harmony.

    • Karl-WE's avatar
      Karl-WE
      MVP
      Mar 28, 2024

      Thank you for this follow-up. Lastly. How do you recommend protecting the dedicated Domain Controllers, PAWS, WAC being for Azure Stack HCI (assume they are all on a separate domain for management and security reasons not tied / trusted to the productive domain)? For these VMs also using Arc and same policies as for HCI nodes or do you have something different in mind? If this is too complicated to answer here, I would not mind taking it elsewhere.

      In result I am just trying to understand if I have to deal with on-prem GPO security baselines at all for this specific scenario.

      Example:
      mgt.contoso.com (Azure Stack HCI Domain) Forest / Domain consists
      Azure Stack HCI nodes (domain-joined mgt.contoso.com)
      1 DC VM per node (mgt.contoso.com, unclustered)
      1 PAWS VM (domain-joined mgt.contoso.com, clustered)
      1 WAC GW VM (domain-joined mgt.contoso.com, clustered)
      1 Backup server (domain-joined mgt.contoso.com, to avoid NTLM to HCI hosts, seperate hosts)

      Thank you for your time!

Date and Time
Mar 28, 202411:30 AM - 12:00 PM PDT