A Systemic Approach

Tenacious errors and failures at Google-ing the fixes

Building a dedicated Space Engineers server

OK, this has nothing to do with enterprise or business for that matter, but this bugged me and took me too long to find information on, so hopefully this helps someone trying to do the same thing. I have a home server currently running Windows Server 2016 that runs my PLEX media server as well as a Minecraft server for a few friends and me. I decided that since I was barely using any resources on said server, I might as well put a little more stress on it!

If it's not DNS, then it has to be the network

A few months back, I came across a peculiar issue in my production network. We had 3 data centers with WAN links between them. Each had a Domain Controller, with one location having two (a regular and a Read Only Domain Controller). One of my colleagues reported that there was an intermittent replication issue that was discovered only after one of the DCs failed, of course, not long before my arrival.

Installing Configuration Manager in a SQL cluster

So shortly after starting my current role, my first task was automation of patching. I decided to accomplish this with System Center Configuration Manager. My work gave me a single server and a SQL cluster we used for several other applications. I did the obvious thing and tried to utilize the SQL cluster for the SCCM SQL requirement. For my first attempt at installing on the SQL cluster, I let SCCM create its own databases (DBs).

My first, real, prod WSUS deployment

The infrastructure I inherited (you’ll see most of my posts start like this for a while, unfortunately) consisted of 3 data centers, each with its own WSUS running the databases on the local servers, with GPOs pointing either to each local WSUS or one in the other data centers. Here’s a rough diagram to better explain it: Obviously, this wasn’t ideal and my predecessor had even let the servers slip into disrepair since he was using a third-party patching tool.

Path of least privilege in AD

We utilize the Microsoft ESAE/Red Forest in my production environment for our Active Directory security hardening. What is this? Well, it’s the path of least privilege in Active Directory. According to this Microsoft article, the underlying principles can be achieved in as few as 3 concepts summarized below: Phase 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse. Phase 1 is designed to be implemented in approximately 30 days and is depicted in this diagram:

Yet another blog post about setting up Hugo

I guess it’s one of those things where if you do it you have to teach it… Here’s how I bumbled my way through mine! I’d seen mention of Hugo/Jekyll on Twitter in the infosec circles I followed since people were looking for something lightweight, secure and versatile. I kind of ignored it because I was using WordPress at the time, but eventually I wanted a new challenge and something cheaper so Hugo came back to my attention.