what do you use for secure IT management hosts?
Posted by crankysysadmin@reddit | sysadmin | 19 comments
I've seen some companies give all their sysadmins a Windows 11 VM running on VMware, I've seen a full-on VDI solution used for IT, I've seen people use a personal Windows Server VM assigned to each tech, and I've seen Windows RDS session hosts used to run Windows admin tools like ADUC.
A couple of years ago I saw a company that ran VMware View to give everyone on the IT team a Linux desktop to work off of. (That product has since been split off and has another name.)
What do you use?
_SleezyPMartini_@reddit
Isolate everything.
Jump boxes, yes, but not domain-joined (and therefore no domain accounts on the jump boxes).
Segment the jump boxes and limit access to specific VLANs or hosts.
MFA on the jump boxes, yes, but not the same MFA you use for the domain.
Logs and alerts for attempts to log into your jump boxes.
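As an added illustration of the "logs and alerts for attempts to log into your jump boxes" point (example code, not from any commenter in the thread): a small Python rule over constructed OpenSSH syslog lines from a non-domain-joined Linux jump box. It raises an alert for a successful logon from outside an assumed admin VLAN, for a password-only logon (keys plus MFA being the expectation), and for a burst of failed attempts from one source. The host name, subnets, thresholds and every log line are constructed for the example.

```python
"""Alerting on jump-box logons: flag successful logons from outside the admin
VLAN, password-only logons, and bursts of failed attempts from one source.

Added example, not from the thread. Assumes a Linux jump box whose OpenSSH daemon
logs to syslog; the host name, subnets, thresholds and log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.50.0.0/24")]  # assumed admin VLAN
FAIL_THRESHOLD = 3                  # failed attempts from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window raise one alert

# Matches the Accepted/Failed lines OpenSSH writes to syslog (method, user, source).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)

# Constructed sample log: one clean key logon, one from the wrong VLAN, one
# password logon, a three-attempt burst from the internet, one stray failure,
# and a non-sshd line the parser must skip.
SAMPLE_LOG = [
    "Jan 14 09:12:03 jump01 sshd[2211]: Accepted publickey for alice from 10.50.0.21 port 51000 ssh2: ED25519 SHA256:constructed",
    "Jan 14 09:12:10 jump01 sshd[2214]: Accepted publickey for bob from 10.60.0.5 port 51010 ssh2: ED25519 SHA256:constructed",
    "Jan 14 09:12:30 jump01 sshd[2217]: Accepted password for carol from 10.50.0.30 port 51020 ssh2",
    "Jan 14 09:13:01 jump01 sshd[2219]: Failed password for invalid user admin from 198.51.100.7 port 44120 ssh2",
    "Jan 14 09:13:02 jump01 sshd[2221]: Failed password for invalid user admin from 198.51.100.7 port 44121 ssh2",
    "Jan 14 09:13:04 jump01 sshd[2223]: Failed password for root from 198.51.100.7 port 44122 ssh2",
    "Jan 14 09:13:30 jump01 sshd[2225]: Failed password for alice from 10.50.0.21 port 52000 ssh2",
    "Jan 14 09:14:00 jump01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/less /var/log/auth.log",
]


def parse_line(line, year=2025):
    """Return the fields of an sshd Accepted/Failed line, or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; the year is assumed for the constructed data.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ev


def is_allowed_source(src):
    """True when the source address sits inside an allowed (admin VLAN) network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_SOURCE_NETS)


def analyze(lines):
    """Walk the log once and return the alerts a SIEM rule would raise, in order."""
    alerts = []
    recent_failures = defaultdict(list)  # source -> failure timestamps inside FAIL_WINDOW
    burst_reported = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted":
            if not is_allowed_source(ev["src"]):
                alerts.append({"kind": "logon_outside_admin_vlan", "user": ev["user"], "src": ev["src"]})
            if ev["method"] == "password":
                # keys plus MFA are expected on a jump box; a bare password logon is news
                alerts.append({"kind": "password_logon", "user": ev["user"], "src": ev["src"]})
            continue
        # Failed attempt: keep a sliding window per source and alert once per burst.
        window = recent_failures[ev["src"]]
        window.append(ev["ts"])
        cutoff = ev["ts"] - FAIL_WINDOW
        window[:] = [t for t in window if t >= cutoff]
        if len(window) >= FAIL_THRESHOLD and ev["src"] not in burst_reported:
            burst_reported.add(ev["src"])
            alerts.append({"kind": "failed_burst", "user": ev["user"], "src": ev["src"], "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Running it prints three alerts: bob's key logon from 10.60.0.5 (outside the assumed admin VLAN), carol's password logon, and the three failures from 198.51.100.7; alice's single failure from the admin VLAN stays below the threshold. Pointing the same rule at a real auth.log only needs the allowed networks and thresholds changed.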
canadian_sysadmin@reddit
Most jumpboxes and bastion hosts I see are joined to their [domain] infrastructure. Isolating can introduce as many risks as it eliminates.
I'd be curious to see a fleshed out risk assessment for that.
_SleezyPMartini_@reddit
If your AD is compromised or attackers get lateral movement, your jump boxes are gone.
canadian_sysadmin@reddit
If AD is compromised, you're already fucked anyway - jump boxes would be the least concern at that point.
This is why you protect the jump boxes to the highest degree. And then zero trust kicks in, you still have network protections from the jump boxes.
And as the other comment says, you have to manage them independently, which doesn't scale or integrate with anything.
crankysysadmin@reddit (OP)
So you hand out individual passwords to every IT person on the jump boxes? How does that scale?
_SleezyPMartini_@reddit
Each person gets an account; passwords are force-rotated on whatever schedule you need to match.
KripaaK@reddit
We use Password Vault for Enterprises. It centralizes privileged access, manages credentials for Windows, Linux, and VMware, and lets admins connect securely without exposing passwords. Everything’s audited and tightly controlled.
imadam71@reddit
what product is this? Password Vault for Enterprises.
KripaaK@reddit
It is a password manager
MBILC@reddit
What product? There are many?
CyberArk? something else....
Not all password managers do this well, proper PAM solutions can get very expensive very fast
gamebrigada@reddit
Jump boxes don't really gain you much security these days. They just become the target. These days you should invest that money into a PAM solution, and other than through the PAM, never log in to a privileged account. Set up PAM to auto-rotate credentials, and monitor access to your requirements. There are lots of solutions for this at different tiers.
The most secure solution is something that uses Apache Guacamole or a similar system to proxy access, with a password manager front end. Delinea, CyberArk and Keeper all do this well. I like Keeper's solution, and they've taken over managing the Apache Guacamole source.
At a lower cost tier, there is the Devolutions route.
calculatetech@reddit
I connect a PC directly to the firewall and use that as a jump host. It is completely segregated with one way traffic only. Nothing else even knows it exists or can find it. No passwords or confidential information are stored on it, so even if compromised it can't do anything.
rcdevssecurity@reddit
I would recommend dedicating an admin VM per tech, joined to a separate admin OU. It keeps credentials clean and contains the risks.
Rawme9@reddit
This is really interesting, thanks for the suggestion
homing-duck@reddit
We run the old 3 tier model from Microsoft.
Tier 0 is our DCs, CAs, PAWs (privileged access workstations) and the Tier 0 jump host.
Tier 1 is our servers and the Tier 1 jump host.
Tier 2 is end-user computers.
Tier 0 admin accounts are blocked from Tiers 1 and 2; Tier 1 admin accounts are blocked from Tier 2.
Every IT person has two laptops: one PAW, one daily driver.
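To make the blocking rule in that comment concrete (an added example, not homing-duck's actual setup), here is a small Python model of the tiering. It assumes a naming convention that is not in the thread: admin groups called T0-Admins and T1-ServerAdmins, and computer objects filed under OU=Tier0 or OU=Tier1, with everything else treated as Tier 2. It produces the group list that the Deny-logon user rights of a GPO linked to each host tier would carry, and it checks constructed logon events (shaped loosely like the fields of a Windows 4624 event) for the two violations the comment describes: a Tier 0 account on a Tier 1 or Tier 2 host, or a Tier 1 account on a Tier 2 host.

```python
"""Tier-model checks: which admin groups a host must deny, and which logons break the
"Tier 0 admins never on Tier 1/2, Tier 1 admins never on Tier 2" rule.

Added example, not from the thread. Group names, OU layout and the events are
assumptions constructed for the illustration."""
import re

TIER_ADMIN_GROUPS = {0: "T0-Admins", 1: "T1-ServerAdmins"}  # assumed naming convention
GROUP_TIER_RE = re.compile(r"^T([01])-")
HOST_TIER_RE = re.compile(r"OU=Tier([01])\b", re.IGNORECASE)

# The five Deny-logon user rights a host-tier GPO carries (real Windows right names).
DENY_RIGHTS = [
    "SeDenyInteractiveLogonRight",
    "SeDenyRemoteInteractiveLogonRight",
    "SeDenyNetworkLogonRight",
    "SeDenyBatchLogonRight",
    "SeDenyServiceLogonRight",
]


def account_tier(groups):
    """Most privileged tier an account holds: 0 or 1 from its admin groups, else 2."""
    tiers = []
    for g in groups:
        m = GROUP_TIER_RE.match(g)
        if m:
            tiers.append(int(m.group(1)))
    return min(tiers) if tiers else 2


def host_tier(distinguished_name):
    """Tier of a computer from the OU it sits in; anything outside Tier0/Tier1 is Tier 2."""
    m = HOST_TIER_RE.search(distinguished_name)
    return int(m.group(1)) if m else 2


def is_logon_allowed(acct_tier, target_tier):
    """The rule in the comment is one-directional: an account may not log on to a host
    in a lower tier (higher number). Tier 2 users on servers are not denied by these
    rights; they simply hold no admin rights there."""
    return acct_tier >= target_tier


def deny_groups_for_host_tier(target_tier):
    """Groups to list in every Deny-logon right of the GPO linked to this tier's hosts."""
    groups = [TIER_ADMIN_GROUPS[t] for t in sorted(TIER_ADMIN_GROUPS) if t < target_tier]
    return {right: list(groups) for right in DENY_RIGHTS}


def find_violations(events):
    """Return the logon events whose account tier is not allowed on the target host."""
    violations = []
    for ev in events:
        a, h = account_tier(ev["groups"]), host_tier(ev["target_dn"])
        if not is_logon_allowed(a, h):
            violations.append({"account": ev["account"], "host": ev["host"],
                               "account_tier": a, "host_tier": h,
                               "logon_type": ev["logon_type"]})
    return violations


# Constructed events. logon_type 10 = RemoteInteractive (RDP), 2 = Interactive, 3 = Network.
SAMPLE_EVENTS = [
    {"account": "alice", "groups": ["Domain Users", "T0-Admins"], "host": "JUMP0",
     "target_dn": "CN=JUMP0,OU=Tier0,OU=Admin,DC=corp,DC=example", "logon_type": 10},
    {"account": "alice", "groups": ["Domain Users", "T0-Admins"], "host": "APP01",
     "target_dn": "CN=APP01,OU=Tier1,OU=Servers,DC=corp,DC=example", "logon_type": 10},
    {"account": "bob", "groups": ["Domain Users", "T1-ServerAdmins"], "host": "APP01",
     "target_dn": "CN=APP01,OU=Tier1,OU=Servers,DC=corp,DC=example", "logon_type": 3},
    {"account": "bob", "groups": ["Domain Users", "T1-ServerAdmins"], "host": "WS042",
     "target_dn": "CN=WS042,OU=Workstations,DC=corp,DC=example", "logon_type": 2},
    {"account": "carol", "groups": ["Domain Users"], "host": "WS042",
     "target_dn": "CN=WS042,OU=Workstations,DC=corp,DC=example", "logon_type": 2},
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_EVENTS):
        print(v)
    print(deny_groups_for_host_tier(2)["SeDenyRemoteInteractiveLogonRight"])
```

The two violations it reports are alice (Tier 0) on the Tier 1 server and bob (Tier 1) on the Tier 2 workstation; the Tier 0 jump host, bob's own servers and carol's workstation pass. The deny-group output for a Tier 2 host lists both admin groups, a Tier 1 host lists only T0-Admins, and a Tier 0 host lists none, which is the shape of the three GPOs such a setup needs.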
Practical-Alarm1763@reddit
Damn what the fook? That is the most inefficient garbage process I've heard of in a long time. I promise you it's not as hardened as whoever thinks it was a good idea to implement that process. There are dozens of different ways to make that both more secure, efficient, and effective without having to buy extra shit and go through the inconvenience of whatever cluster garbage setup this is. I feel so bad for you and your coworkers.
homing-duck@reddit
Agreed! We reviewed shortly after Microsoft deprecated the 3 tier model as their best practice, but a lot of their new model (EAM) was focusing more on the cloud. We are getting closer to the point of reviewing our approach.
What recommendations would you have to replace the 3 tier model. I’d love to hear your recommendations.
sambodia85@reddit
Everything these days is about JEA and JIT.
I like the way Lithnet does it, it’s all based on native Active Directory features, so it doesn’t become some proprietary nonsense that’s impossible to get rid of.
VirtualDenzel@reddit
Old skool. That has to be replaced 😅. Set up some bastions, add PIM and phase out this antique way.