Skip to content

runZero 3.4: Vulnerability import from CrowdStrike Spotlight (plus something for everyone)

What’s new with runZero 3.4?

  • Vulnerability import from CrowdStrike Spotlight
  • Integration performance improvements and enhancements
    • Automatic expiration of ephemeral AWS assets
    • Processing performance improvements
    • Enrichment-only integration support
  • OAuth Client Secret authentication
  • Simplified site import and export format
  • Rapid Response queries for MegaRAC and Cisco
  • User interface improvements

Vulnerability inventory from CrowdStrike

runZero Enterprise customers can now import vulnerabilities from CrowdStrike Spotlight. runZero 3.4 automatically imports vulnerabilities when a credential is supplied that has access to the “Spotlight” OAuth scope. CrowdStrike Spotlight vulnerability data can be viewed from the asset detail page as well as in the vulnerability inventory. CrowdStrike vulnerability attributes include the relevant CVE identifier, severity, exploitability status, vulnerability detail, and any recommended actions to remediate the issue. Use the filter source:crowdstrike in the asset or vulnerability inventory to see CrowdStrike-sourced data. Use the following queries to track down common concerns: Ready to complement your runZero inventory with vulnerability data from CrowdStrike? To get started, set up a connection to CrowdStrike using a credential with access to Spotlight vulnerabilities. Vulnerabilities from CrowdStrike Spotlight

Integration performance improvements and enhancements

The 3.4 release delivers new features and performance improvements to runZero integrations.

Automatic expiration of ephemeral AWS assets

You can now have your AWS integration automatically remove AWS assets from your inventory that weren’t seen in the latest sync. Many AWS resources are ephemeral, only being in use for a short period of time, and these temporary assets can lead to a slow increase of offline assets over time. If you don’t want to keep those decommissioned AWS assets in your runZero inventory, this feature can be used to automatically delete them. An alternative to this feature is to place your cloud assets in a separate Organization and configure a low stale asset expiration.

Processing performance improvements

The performance of all integration tasks has been improved and processing now completes much faster, with better use of resources, especially for self-hosted customers. This improvement is the most significant for processing data from vulnerability management products.

Enrichment-only integration support

You can now choose to exclude unknown assets from your integration imports. If enabled, runZero won’t import assets from an integration unless they can be merged with an existing asset in your inventory. This places the integration into an enrichment-only mode. This option is helpful when overlaying data from directory providers (Azure AD and Windows AD) as well as MDM and EDR systems that often include off-network assets that may be outside of your runZero scope.

OAuth Client Secret authentication

In addition to being able to access the runZero APIs using bearer tokens, you can now configure the use of OAuth2 client credentials. Simply register an API client and use the client ID and secret to obtain a temporary session token, which can then be using with the existing APIs as a bearer token.

Simplified site import and export format

The process and format for importing sites has been simplified so that you can more quickly add multiple sites based on subnets. The format of the imported CSV has been updated so that each registered subnet can be provided as a separate row, with the results merged automatically during import. Need to add a ton of new subnets to your sites? Export the current CSV, append the new subnets to the end with the same site name, and re-import the list to update your site configuration.

Rapid Response queries for MegaRAC and Cisco

In addition to letting you create queries to fit your needs, runZero includes pre-built queries for recent threats. During the 3.4 release, new queries were added to quickly track down assets running MegaRAC BMC firmware and to locate Cisco 7800/8800 series IP phone assets.

User interface improvements

The 3.4 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the analysis reports, site comparison reports, and SSO groups pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.

Release notes

The runZero 3.4 release includes a rollup of all the 3.3.x updates, which includes all of the following features, improvements, and updates.

New features

  • The AWS integration now includes an option to automatically remove assets no longer reported by AWS.
  • OAuth 2.0 client credentials can now be used to authenticate with runZero APIs.
  • The edr.name asset attribute is now updated to show when a runZero scan no longer detects the EDR.
  • Tasks can now be stopped during data gathering and processing phases.
  • The site import and export CSV format has been simplified.
  • The performance of connector task processing has been improved.
  • Tables for the Site comparison report, analysis report results, and SSO group mappings have been redesigned for improved performance.
  • Added a new canned query for finding Cisco 7800/8800 series IP phone assets.
  • Improved fingerprinting coverage of Google Workspace assets.
  • Additional fingerprint updates.

Security improvements

  • A bug that could show cross-tenant “no access” role users in the Your team > Current organization view was resolved. This issue only applied to the cloud-hosted version of the runZero platform. The affected build was live for slightly more than two hours. Any customers affected by this issue will receive a detailed notice to the email addresses associated with their superuser accounts.

Product improvements

  • The consistency in asset terminology has been improved.
  • The site import CSV format has been improved.
  • The CLI Scanner --api-url parameter handling has been improved.
  • The DELETE API method for bulk asset deletion has been deprecated.
  • A public API endpoint to check the platform health has been added.
  • OS EOL dates are now reported for Windows 11.
  • A new canned query for MegaRAC BMC firmware has been added.
  • Self-hosted customers can configure concurrent task processing with the RUNZERO_CRUNCHER_INSTANCES option.
  • VMware ESXi instances now display OS end-of-life dates based on version.
  • The scanner now supports a configurable ToS/Traffic Class field in the advanced configuration.
  • Additional operating system and hardware icons are available in the inventory view.
  • Explorer and CLI Scanner binaries are now approximately 5MB smaller.
  • The All Organizations view now more accurately handles limited user permissions.

Performance improvements

  • The performance of the task overview page load time has been improved.
  • The import time for third-party data sources was improved.
  • The scheduler will now delay recurring tasks if the previously completed task has not yet started processing.
  • The backend now processes concurrent tasks for separate sites within the same organization when possible.
  • Searching and sorting is faster when using the asset first seen and last seen columns.

Fingerprinting changes

  • Improved fingerprinting coverage of Apple HomeKit and HomeKit-connected devices.
  • Improved fingerprinting coverage of Google Workspace assets.
  • Improved fingerprinting coverage of Microsoft Intune and Azure Active Directory assets.
  • Additional support added-or-improved for products by by Advidia, APC, Apple, Ascom, Avaya, Cisco, Citrix, D-Link, Dahua, ecobee, Eve, Fortinet, First Peer, Google, Green Electronics, ICP DAS, ifm electronic, iXsystems, LG, Microsoft, Motorola, Nintendo, OnePlus, OpenWRT, Poly, QNAP, Raspberry Pi, Red Hat, Riverbed, Roku, Sagemcom, Samsung, Shelly, Schneider Electric, SolidCP, Sony, SUSE, SwitchBot, TCL, Technicolor, Twinkly, UPS Manufacturing, Vizio, and VMware.

Integration improvements

  • The CrowdStrike integration now imports vulnerabilities when CrowdStrike Spotlight is enabled for the API key.
  • An option to disable the creation of new assets from third-party integrations has been added.
  • Third-party integrations merge assets more consistently.
  • Third-party integrations now merge more accurately when using IP addresses as the match key.
  • Microsoft Intune and Azure Active Directory assets are now fingerprinted more accurately.
  • New LDAP credentials now auto-populate the discovered port.
  • The Microsoft Defender integration now merges assets more comprehensively.
  • The AWS EC2 integration now provides an option to include Stopped instances.

Bug fixes

  • A bug that could prevent an Explorer from running scans with specific network configurations has been resolved.
  • A bug that could cause recurring tasks to backup has been resolved.
  • A bug in the Organization asset export API has been resolved.
  • A bug that caused the License information page to display an incorrect project asset count was resolved.
  • A bug that could delay concurrent task processing has been resolved.
  • An issue that could cause the command-line scanner to skip LDAP enumeration has been resolved with the --ldap-thumbprints flag.
  • A bug that could prevent tag searches from completing when thousands of tags are in use has been resolved.
  • A bug that could result in partial import of GCP CloudSQL assets was resolved.
  • A bug that could lead to duplicate vulnerabilities when an import was restarted has been resolved.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Active Directory Without a Server

Active Directory (AD) is a directory service introduced by Microsoft that runs on a Windows server to centrally manage user access to resources on the LAN. The server role in Active Directory is run by Active Directory Domain Services (AD DS), and the server running AD DS is called a domain controller. The domain controller performs two important functions:

  • Authenticates and authorizes all users and systems in a Windows-based network
  • Assigns and enforces all security policies for Windows systems

That is why Active Directory remains an important system of record for many small and medium-sized enterprises (SMEs), even though it can only reside on servers within a network. However, IT infrastructure and workplace trends have changed dramatically since its introduction over two decades ago. It’s common to have a heterogeneous mix of devices with employees working remotely at least some of the time (or even indefinitely). Microsoft has responded by extending AD to the WAN, but devices and users can now be managed without AD, or Microsoft. 

Identity has become the new perimeter and IT teams must look beyond standalone AD to manage identities and all corresponding devices, wherever they exist. Devices are the gateway to your IT assets and shouldn’t go unmanaged because they’re not Windows. Cloud directories are filling the gap by providing the access control, device management, portability, and security that AD cannot. This has brought forward the option for a new paradigm: the domainless enterprise.

This article examines AD’s benefits, and when it’s necessary to look beyond it. That’s accomplished by integrating with cloud directory services to extend it, or even a domainless enterprise.

What Does Active Directory Do?

AD DC manages local network elements, such as systems and users, by organizing them into a structured hierarchy. The domain controller is then responsible for authorizing user authentication requests within the network. The next section outlines its core capabilities.

Manages Devices, Services, and Users

Active Directory Users and Computers manages local contacts, devices, and users in your fleet: from PCs to printers. Admins create and organize groups within organizational units (OUs) to logically separate resources. OUs reside within a “forest,” which is the highest level of organization in AD. It may include service accounts for network services, apps that run on your servers, and integrations with SaaS apps. Service accounts can run locally on machines or across the domain. This tool also configures permissions for objects within your directory.

Global Catalog of Domains

Global catalog is an AD feature that stores replicas of the attributes of an object within a forest (or domain tree), even if the object (such as a user) resides within a separate domain. This enables organizations to centralize IT even if they have multiple locations and data centers, but users and devices must either exist within the confines of those facilities or utilize a VPN.

Querying and Indexing Directory Objects

There are two built-in options to query AD attributes. The Active Directory schema snap-in enables admins to index attributes. PowerShell is another option to specify a query string to retrieve AD objects. Many organizations purchase third-party reporting tools for compliance purposes and to gain visibility into their AD environment, but it’s vital to trust all software that’s installed on a DC. Attackers may gain entry into networks through the supply chain, and DCs hold the “keys to the kingdom.”

High Availability

Every domain controller is a server object in AD DS. High availability is automatic whenever there’s more than one DC. This makes it possible to shut down a server for maintenance without impacting your end users. Objects are automatically replicated throughout the server cluster. Administration is more complex: e.g., add-on apps must be installed and updated on each DC. Adding servers may increase licensing, management, server infrastructure costs.

Schemas and Templates

Admins have deep control over how AD operates. Schemas can be customized to control (through rules) objects that can be stored within the directory and their related attributes. Templates can be configured to automate the creation of objections and associated policies. Admins use the Group Policy Editor to create and edit ADMX and ADML template files. Templates may also be imported into Microsoft’s Endpoint Manager, a new subscription cloud service.

Now, let’s explore what AD isn’t capable of doing.

What Doesn’t Active Directory Do?

The domain controller serves an important role, but the modern workplace has shifted to the cloud. Legacy management solutions like the domain controller struggle to manage the disparate, non-Windows-based identities that have become commonplace in the IT landscape. Managing identities also entails managing devices and access to SaaS apps external to the Microsoft ecosystem. The next section examines those constraints in further detail.

Single Sign-On (SSO) and Multi-factor Authentication (MFA)

The widespread shift toward web applications means that end users can no longer leverage single sign-on (SSO) through AD for all resources. Twenty years ago, when the IT landscape consisted entirely of Windows applications and desktops, AD connected every user to just about every resource they required. AD no longer grants that level of authorization, forcing admins to adopt additional tooling to manage authentication and authorization for all of their IT assets.

Microsoft introduced an Identity-as-a-Service (IDaaS) solution with Azure Active Directory (AAD), but AAD can make identity management complex, time-consuming, and costly for IT admins by forcing them to keep on-prem AD in conjunction with it. There’s a free tier of AAD that makes it possible to access apps such as Microsoft 365 (M365), but a Premium 1 (P1) or greater subscription to AAD is necessary to have SSO for domain-bound apps and the cloud.

Additionally, if IT professionals wanted to leverage SSO for their users without AAD, they would have to add Active Directory Federation Services (AD FS) to their on-prem AD. That would need to be housed on-prem. AD FS has high management overhead and can be difficult to implement. Microsoft requires the NPS server role to be installed, configured, and managed to access network devices. There are multiple options for SSO within the Microsoft portfolio, but extending AD for roles it wasn’t designed for dramatically increases complexity and overhead.

Multi-factor authentication (MFA) isn’t built into AD. SMEs must purchase solutions that integrate with it. Microsoft offers MFA to access Windows apps, but only through its AAD P1, P2 SKUs. Additionally, conditional access (CA) policies aren’t available without those integrations.

Securing and Managing External Identities 

The domain controller struggles with providing access to IT resources outside of the on-prem Windows networks, so AWS and GCP infrastructures can be difficult to integrate, such as Google Workspace. 

Third-party solutions, such as JumpCloud’s open directory, manage identities from other identity providers (IdPs) such as Google or Okta. Microsoft has introduced the capacity to manage external identities through Entra, for an additional monthly fee per user. It also charges for every single instance of an MFA authentication for those external IDs.

Strong Security Defaults

Substantial work is required to harden Active Directory through specialized configurations. It’s not secure by default, and attackers have cultivated a strong understanding of AD’s default settings. Hardening AD is mandatory to secure your infrastructure. 

IT teams should always follow best practices to limit how they run as domain administrators. It’s advisable to use Microsoft’s ATA (Advanced Threat Analytics) or Defender for Identity to detect anomalous user behaviors. Security best practices for AD can take several full days of work to implement.

Automation of Identity Lifecycle and Entitlements

User identity lifecycle and entitlement management is a manual process in AD. Serious and costly breaches, including the Colonial Pipeline ransomware attack, have occurred when domain users were “forgotten.” Forgotten accounts are still able to access assets. It’s important to actively manage users and privileges to safeguard against insider and external threats.

Integrated Reporting

Third-party tools/services are necessary for reporting, especially when your users are accessing confidential and protected information or your industry is subject to compliance or regulatory requirements.

Cross-OS Device Management

Systems must be directly bound to the AD to deploy Group Policy Objects (GPOs) which are registry settings, configurations, or tasks that need to be executed. Mac and Linux systems’ commands and scripts (i.e., no GPOs) cannot be managed from the Windows domain controller, meaning that IT admins must manually configure each system if they choose not to implement add-ons. Even Windows systems must be connected to a VPN to receive policy updates from AD or PowerShell commands, complicating your capacity to effectively manage remote users.

Microsoft’s paid subscription Intune service fills this gap, but Microsoft services aren’t mandatory. An open directory platform, such as JumpCloud integrates with AD to perform this function, but could also manage devices without a domain controller being present.

Patching

There have been over 1,000 patches released from Microsoft to date this year alone. Patch Tuesday has now become “Zero Day Tuesday.” However, it’s possible to deploy software using AD Group Policy, but it doesn’t handle patching Windows systems throughout a domain (or even third-party applications) without a patching solution. 

Patching services may be cloud-based, such as JumpCloud, or on-premise servers. Patching OSs and apps (such as browsers) is vital to prevent Zero Day attacks from being exploited.

AD DS runs on Windows Server, which must be maintained and supported. Domain controllers contain data that determine access to an established network, making it a primary target for cyberattackers looking to corrupt or steal confidential information. It’s even possible for attackers to elevate domain standard users accounts to become domain admins without using malware on unpatched systems. Security tools such as BloodHound and Mimikatz are all that’s required for the AD attack path. 

Standard endpoint detection and response (EDR) won’t detect these intruders, and firewalls won’t stop them. Given these risks, cybersecurity should be a paramount priority for all SMEs. Industry experts routinely recommend a Zero Trust posture.

Active Directory isn’t Zero Trust.

Active Directory and Zero Trust Security

Microsoft has responded to these threats by updating AD’s capabilities for better security, but the requisite setups and changes can be resource intensive or require its premium cloud services. Active Directory works best with on-prem networks and Windows-based environments. AD natively operates by establishing a network of trusted assets, known as a domain, which are protected by an AD domain controller, VPN, firewalls, and other controls.

The objective is to create a strong perimeter to protect trusted resources from the open internet. As a result, external sources of network traffic (e.g., users) must first authenticate and ultimately be authorized to access internal domain resources such as systems and applications.

Zero Trust security, on the other hand, is a security model that effectively eliminates the separation between an internal domain that’s safe and the open internet that’s dangerous. Rather, all sources of network traffic are viewed as potential attack vectors that must generate trust before they are authorized for user access — and with good reason too. Bad actors are now attacking traditional networks from inside and out, often bypassing perimeter-based security by targeting trusted assets. Thus, Zero Trust security is effective because it basically eliminates the concept of trusted assets (i.e., the domain) altogether. Users must prove who they are.

The next-generation Active Directory alternative has been reimagined AD for the cloud era. Cloud directories connect users to their IT resources regardless of their platform, provider, protocol, and location. They’ll also manage all your devices. Additionally, as an identity and access management (IAM) platform, cloud directories forgo the concept of the traditional domain. This provides users with True Single Sign-On™ access to virtually all of their IT resources. SMEs can leverage JumpCloud’s open directory platform to manage identities wherever they reside with the assurance that it will help to deliver Zero Trust security.

Cloud Integration with IT Resources

The cloud directory integrates with the external identities and devices that AD doesn’t support in addition to AD itself. This is made possible through the combination of modern IAM and SSO protocols, automated entitlements management, using MFA to verify users, and CA for privileged user management. You can manage your entire device fleet through JumpCloud.

Centrally Control Identities and Systems

JumpCloud can extend AD and AAD identities and agent-based control (or MDM) to all systems in a fleet, whether they’re Apple, Android, Linux, or Windows devices. Unlike Microsoft, there’s no additional cost to manage your non-Windows devices or Windows without a DC. JumpCloud can also serve as a standalone cloud directory or import identities from Google and Okta

End users access their machines with their identity provider’s credentials, and admins can enforce pre-built GPO-like policies on those machines, such as full disk encryption or managing patches. No complex templates are required. SUDO-level permissions and a PowerShell module enable administrators to perform commands on any device, from CRUD operations to benchmark policies. A commands queue offers admins an easy-to-use dashboard for admins to see what commands they have awaiting execution on all their assigned devices and their status. 

Other key features include:

  • Automatic high availability and redundancy. There’s no need to license multiple servers or to create a service account that has access to a privileged AD group.
  • Telemetry aggregated from devices, events, users, and cloud services with pre-built reports and reporting tools. You’ll even know which users are accessing SSO apps.
  • Opt-in Remote Assist, without the complexity of RDP or need to license a solution from a third party. This feature works across multiple operating systems.
  • An optional decentralized password manager and vault for your users.
  • Zero-touch Mac enrollment is available and Windows Out of the Box Experience (OOBE) is upcoming to onboard remote workers.
  • PowerShell command templates to bind Windows PCs to your office printers without a print server.
  • PKI as a service (coming soon), eliminating the need for a separate CA (certificate authority) Windows server role.
  • The benefit of potentially lowering your TCO.

Manage Wi-Fi and VPN Access

You don’t need AD to access your network. Admins can achieve Cloud RADIUS functionality without additional on-prem infrastructure, and they can ensure users log into Wi-Fi networks (with VLAN tagging) and VPN clients using the same core credentials they use to access their other resources. Delegated authentication includes AAD credentials. Admins can enable Push or TOTP MFA, which is especially useful to secure VPN access to internal network and on-prem resources from switches to servers.

SSO to Everything

The open directory platform builds the stack that you want. A web-based portal is used to access all the apps employees need to do their jobs with best-of-breed solutions. The portal serves as a security control to help eliminate phishing. Pre-built connectors are freely available for common apps. Supported protocols include:

  • LDAP
  • OIDC
  • SAML/SCIM
  • RADIUS

Long-standing workflows don’t have to be scrapped in favor of cloud apps. Even Windows file sharing is possible without a domain controller.

Like AD, groups are used to manage access to your apps and resources. The difference is that they are automated with HRIS provisioning included. Attribute-based access control (ABAC) reduces the risk of human error and eliminates the heavy administrative overhead that’s necessary to keep AD privileges and users up to date. 

Boundaries matter less. 

This setup also eliminates the need for complex server management and AD’s global catalog. For instance, specifying an office location could be as simple as creating a directory group assignment.

Integrated MFA and Conditional Access

AD is reliant upon a single factor. MFA is environment wide in the open directory platform. Optional conditional access policies can further restrict access to trusted devices, by geolocation, and more for privileged users. JumpCloud doesn’t charge for MFA for external identities; Microsoft’s AAD does. Microsoft limits CA to AAD P1, P2, and requires integrations for AD. AD doesn’t have these capabilities and must be morphed into something it’s not in order to satisfy modern requirements.

In contrast, there’s far less complexity, labor, and cost when the domain controller is left out of the equation. In addition, there’s a greater opportunity to protect identities. JumpCloud secures identities (and aligned devices) even further with extended detection and response (XDR) integrations from the security vendors of your choosing. Microsoft only makes its security services first-class citizens.

Utilizing an Open Directory Platform

Organizations have already been moving their operations to managed services in the cloud to save the cost and time of maintaining an on-prem domain controller and server rooms. The journey begins by integrating JumpCloud with AD. An open directory platform frees up time and money for IT admins looking to manage a variety of systems and applications from one built-in service. Budget can be allocated toward higher priorities, such as Zero Trust, especially during leaner economic times. JumpCloud is free for your first 10 users or devices with 10 days of chat support up front. 

Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Can I Replace Active Directory with Azure AD? No, Here’s Why

Can I replace Microsoft Active Directory with Azure Active Directory? This is a very common question for IT professionals. With almost all of the IT environment moving to the cloud, there are a number of incentives to move the core directory service to the cloud too. Unfortunately, Microsoft’s path to the cloud can be unwieldy, expensive, and difficult to comprehend. It’s also heavily focused on Windows as its first-class citizen and the Microsoft ecosystem at large.

It all starts with Azure Active Directory (AAD), Microsoft’s foray into cloud-based directory services. It’s reasonable to think that it would have all the capabilities of Active Directory® (AD), as the name implies, but the truth is more complicated than that — even before Microsoft’s licensing factors in.

Azure AD’s True Purpose

AAD was created to extend Microsoft’s presence into the cloud. It connects Active Directory users with Microsoft Azure services, and is easier to implement than Active Directory Federation Services (ADFS) for single sign-on (SSO). It doesn’t incorporate the full features of Active Directory and lacks support for authentication protocols including LDAP and RADIUS. It may manage non-Microsoft identities, but there are additional fees for multi-factor authentication (MFA). A gated licensing model keeps many features behind a paywall. For example, group management with role-based access control (RBAC) isn’t included with the free tier of AAD.

AAD is the cornerstone of Microsoft’s portfolio of identity, compliance, device management, and security products, because it provides a common identity for Azure, Intune, M365, and more. The permutations of products and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants for implementation and planning. The breadth of configurations and options may be fitting for enterprises that have considerable resources to support deployments. Considering that it’s not even possible to abide by Microsoft’s best practices for AAD without subscribing to Premium tiers, AAD may be a mismatch for small and medium-sized enterprises (SMEs) that have more essential needs.

Costs tick upward when SEMs are pulled deeper into the Azure ecosystem or require interoperability with services that fall outside of the Microsoft stack. For example, fees are assessed for unrestricted cross-domain SSO and MFA authentications with other identities. 

Replace AD with Azure AD?

Can Azure AD actually be the complete replacement to AD that admins are looking for? Unfortunately, the short answer to that question is no. Azure AD is not a replacement for Active Directory. AAD was originally intended to connect users with Microsoft 365 services, providing a simpler alternative to ADFS for SSO. It has since evolved into a springboard to new subscription services that target enterprise customers and charge for capabilities that on-prem AD provided at no additional cost. 

You don’t have to take our word for it, check out what a Microsoft representative said in this Spiceworks post:

Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc.

As you can see here Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices, leaked credentials report, user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.

Even the recently announced Azure Active Directory Domain Services are not a usual DC as a service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a VM) domain controller.

If you want to migrate your domain controllers in the cloud to use them for traditional task you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.

So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.


Why Azure AD Can’t Replace AD Outright

Azure AD and AD require 3rd party tools


When you step back and think about Microsoft’s identity and access management (IAM) strategy, it makes sense that you can’t replace AD with Azure AD. From a business perspective, Active Directory already has more market share than just about any solution they offer.

The on-prem directory acts as a tie that binds a Microsoft network together. By providing a way for customers to shift to a cloud directory service, Microsoft would open up the door to potential customer loss. Instead, it directs SMBs to cloud services that broaden the breadth and depth of its product families. However, these are intended to service enterprise customers and can be difficult to deploy and learn. 

Beyond the business perspective, there are also the technical capabilities to consider. Think of Azure AD as a user management platform for the Azure cloud platform, along with basic web application SSO capabilities. Where Azure falls short is that it doesn’t manage on-prem systems or resources without being integrated with a domain controller or add-on services for Windows.

For example, on-prem Windows (except for Windows 10), Mac, and Linux systems can’t be controlled for user access or systems management without subscribing to Microsoft Intune or Microsoft Endpoint Manager (MEM). Intune has limited functionality for Macs (without more MEM subscriptions) and, at present, has limited Linux support. Windows support is extensive, including auto-pilot onboarding.

Further, non-Microsoft solutions such as AWS and Google Workspace are outside of the scope of provisioning as well. There are a lot of resources that users need that can’t be touched by Azure alone, without adding additional subscriptions. 

While it’s possible to utilize Intune for a domainless enterprise, many organizations are still compelled to have a hybrid environment for full compatibility with AD or ADFS. Microsoft’s reference architecture (diagram below) prescribes both AD and AAD in an environment.

Azure cloud identity and access management graphic

JumpCloud: Extend or Replace Azure Active Directory 

Every environment has different requirements and constraints that can make cloud migration more challenging. Some shops are locked into the Microsoft stack and would benefit from SSO, simplified Zero Trust security, and cross-OS system management that AAD + Intune don’t provide or charge too much for. Other organizations aren’t tied to legacy on-prem systems and can adopt a domainless architecture, saving on infrastructure, management, and rising CAL licensing costs. JumpCloud makes it possible to do either, or anything in between, for individual SMEs or through a multi-tenant portal for MSPs to consolidate tools and deliver value at scale.

JumpCloud’s open directory platform can serve as a cloud replacement to AD. JumpCloud enables admins to have seamless management of users with efficient control over systems (Mac, Windows, and Linux), wired or Wi-Fi networks (via RADIUS), virtual and physical storage (Samba, NAS, Box), cloud and on-prem applications (through SAML, OIDC, RESTful APIs, and LDAP), local and cloud servers (AWS, GCE), and more. Automated group memberships, that pull relevant user attributes from other IdPs or HRIS systems, assist with identity lifecycle management. Environment-wide push/TOTP MFA is implemented for each protocol for free.

Your identities can be assigned to trusted devices. JumpCloud provides mobile device management (MDM) for Android, iOS/iPadOS, Linux, and Windows. Zero-touch onboarding is available for Apple devices. With MDM and the Windows agent, IT teams can leverage GPO-like policies such as full disk encryption. The CLI of each OS is accessible, at root, to deploy custom commands and policies that fall outside of JumpCloud’s point-and-click catalog of policies.

The platform services IT management and security needs with security add-ons, including:

JumpCloud can also integrate seamlessly with Azure AD, Google Workspace, or Okta to create one core identity provider for an organization. It is truly the cloud-forward directory that is built for the modern IT environment. JumpCloud’s open directory platform is interoperable and frees its users to adopt the IT stack of their choosing from best-of-breed services.

An Open Directory Platform™

The JumpCloud platform does not need to fully own and manage an identity. It consumes identities from different sources to orchestrate access and authorization to resources. This simplifies IT management for SMEs by addressing access control and security challenges that arise from having siloed apps and heterogeneous device endpoints outside of a corporate network. For instance, Microsoft doesn’t interoperate with Google Workspace, so IT professionals would otherwise have to seek alternatives for Identity and Access Control (IAC) and device management. Unfortunately, most other alternatives aren’t an integrated solution.

JumpCloud makes it possible for trusted devices to securely access resources across domains.

Delegated authentication is another option for access control. IT can configure AAD credentials to be used for RADIUS authentication into Wi-Fi networks with JumpCloud. There’s no domain controller or third-party service required.
JumpCloud helps SMEs to improve security, save on licensing, reduce headcount, and save time and effort by consolidating orchestration into a single, open directory that serves as an identity broker. The JumpCloud platform also works with Okta identities to provide RADIUS and LDAP access control, SSO, and system management for your device endpoints.

Try JumpCloud for Free

Want to learn more about how you can replace Active Directory with JumpCloud? It’s as simple as signing up for the JumpCloud Free account. JumpCloud offers all free accounts for 10 users and 10 devices, with no credit card info required. This grants the perfect opportunity for you to try out the entire platform including all of our premium functionality and see exactly how it works for yourself. Need more tailored, white glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you.

The JumpCloud community is always open for peer discussions about any IT topic.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

Security, Privacy, Anonymity feat. Portable Apps

Intro

I want to talk about why you need virtualization/compartmentalization, but through the prism of portable apps. The reason behind this is twofold: I want to outline the potential uses and security benefits that portable apps bring, as well as to talk more about how one would go on about reducing that attack surface, and their respective risk, through compartmentalization and virtualization. These are great methods, and I dare say, it pays at least knowing a bit more about them.

Portable Apps

Portable apps. We all know what these do (probably) but we may not be familiar with the how. This talk is freeform and example-based. Let’s get to it.

For example, you might use compartmentalization with encryption by separating your stuff by its importance, like having an encrypted volume for each of those potential uses, by using different encryption keys for those volumes. You could also use a NAS where each volume is encrypted using a different encryption key. The more secure ones could be accessed on a need-to basis, only decrypting when you need the access to that specific volume, while you would continue using day to day volumes for other data that needn’t be that secure.

This is a very decent way to reduce the attack surface of your data. From the previous articles, you know how important this is, and you also know that the encryption key is not in the memory if the volume doesn’t get mounted. Also, if its not mounted it cant really be attacked. So, by using this type of virtual isolation in conjunction with encryption you’re actually doing quite a bit for your own security/privacy.

You can also make use of the hidden encrypted volumes… one other option for virtual isolation are portable apps, something we’ve all gathered here about. You can download the tools from portableapp.com or pendrives.com doesn’t really matter which one you choose (I’m sure there are others too), what matters is the fact that portable apps are self-contained, don’t require installation, and are not writing themselves inside your system. They are contained within the folder, and you could even copy/paste them to a desired destination and have another instance of the same app, that’s also self-contained, isolated, and more secure. You can even do this for the versions of the said app.

There are many great implications for your privacy/anonymity/security that stems from the portable apps. For example, let’s say you’re using a regular web-browser… all the data related to the browser’s history is contained within your portable app (which is all within its folder) which makes for a great way to quickly even eliminate that if needed, and also, maybe more importantly, not spewing and writing all that forensically important data all over your OS. Simple, and quite secure.

What is nice about this approach is the fact you can gauge it to your liking, having the more ‘paranoid’ setups, and also the more lax ones, all in accordance with your own security needs.

Furthermore, should you just use this portable setup, you can also place that folder with your self-contained app on a more secure device, like for example an encrypted USB drive; and, there you have it, a much more secure setup, that you can also take with you and plug into another device, without having to lose any sleep over it.

Taking all this further, you can even add that hidden partition to your USB drive.

This is even better, as you well know, because the encrypted partition can’t be accessed at all before being decrypted. This little setup including a hidden volume, a self-contained app (stealthy too!) is already ahead of the curve – maybe even when compared to companies, but, the kicker for me here is that you can have 2, 3, or as many as instances of that specific application as you’d like, that are all self-contained, just by doing some copying and pasting. This is vital, because it basically enables you to create different security domains, profiles, aliases, anything you might need really, and it’s all nicely isolated/contained. The options here are many!

For our example with the browser, I’d like to add this also works for profiles so you can set up your browser’s profiles in any way you’d like, and still retain the ability to pop your USB into any machine and basically have your hardened browser available to you. This also works nicely in conjunction with the regular browser – if we’re talking private use – as you can have one that’s for your everyday stuff, and the other that’s ready to go but is living in a hidden place, securely configured, hardened, available for you to do some private browsing, should that matter. This is a great thing, because it might even keep you forensically ‘clean’ should you end up being scrutinized, since you’re not actually doing anything that’s of importance to anyone, right?

Another thing I want to mention that you can do all of this through the cloud-offered services, by storing your ready to go app in a cloud of your choice.This is a great way to have your app available anywhere, on any device, remotely… This would give you an extra layer of physical isolation. Since the app itself would not exist locally in this case, you could, potentially, escape the sphere of influence of your adversary, and that’s nothing to scoff at.

Lastly, you could also try some sandbox solutions, which are generally good from the security perspective, but are not that great for your privacy and anonymity. This is because of the infrastructure you’re using, but you’re not the owner of. However, you would again be able to enjoy both virtual and physical isolation which reduces your potential risk greatly.

As you can see, there are some caveats with all these options, but all of these should provide you with excellent protection against many types of attacks out there. With your going through other systems and isolating yourself in such a way, even if something were to get compromised, it still ends up contained within that instance you’ve set up, be it a VM, a VPC/server, anything. This is also a great way to browse the web.

When it comes to attacks, browser-based ones are definitely relevant, since we’re all using them. So, with that in mind, this whole story above might even seem much more important, I hope!

 

Conclusion

 

It would be great if this conclusion could permeate all of my articles so that I needn’t repeat myself, but the main point I want to emphasize here is the fact that when I’m talking about adversaries, geographic sphere of influence, and similar terms that are within the field, I am not trying to write guides for evading 3-letter agencies, nor am I trying to condone anything illegal.

Think of all that as necessary! Yes, necessary, because as we all know, the same tactics are used by real threat actors, but also by activists, whistle-blowers, journalists, etc. I want us to explore those options together, so we can all learn how to protect ourselves better, and smarter, while online. That’s why we all need to be in the know. The bottom-line remains the same, and that is all about the choice, rather, what you choose to do with all that knowledge and technology.

This is key for me and is the main reason behind the topics I’m choosing to write about.

I hope this article spurred some imagination! Till next time!

Stay tuned.

Cover image by hmm 001

#portable #apps

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Asset Discovery That Improves The More You Use It

A SCADAfence New Feature report The first question we’re usually asked by any CISO who wants to increase their OT security posture is about asset visibility and management. Gathering a comprehensive and accurate inventory of all the devices attached to an OT network is often the primary need driving an organization to seek assistance, and the biggest barrier to achieving their goals for security and compliance. It’s the right question to be asking, and the best place to start.
Continue reading
×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×