Hi,

So from my side I have been mainly working on the Azure parts, so that has been using Privileged Access Management as part of Azure Active Directory to give a specific set of members access to a group for a certain time: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-...

I have got this working for access to Kubernetes clusters and also to allow access to a specific Azure AAD role required to create specific types of SPNs.

From the Azure VM side I have been experimenting with JIT access for NSGs: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-...

This is where I can grant a specific IP belonging to an administrator direct access into the VM for management purposes via SSH or RDP. If I'm honest I think that VPN access in is better than allowing an IP address via the NSG, especially as we're looking at this method to allow access to a bastion host, which causes me problems myself. One advantage with this type of access is that I have been experimenting with using Azure DevOps public hosted agents with it so we don't have to host our own agents. I realise that is a bit out of scope for what you want.

I have also been advocating that any admin access to the AAD tenant for SPN creation or privileged roles can be scripted and put through a pipeline. The pipeline runs from an account with only the privs to do the necessary functions. I've run into a bit of trouble with this one, as the initial design I chose meant we granted very specific API permissions to perform the necessary actions, but I kept running into issues with more privs being required for a specific purpose. For example, if providing an account to a team to perform a specific function like creation of AAD apps, depending on which tool they used for the job they would end up with more perms required.
In terms of end user devices there is a team playing with a piece of software called Osirium Privileged Endpoint Management: https://www.osirium.com/products/privileged-endpoint-management

This software allows a user to step up to an admin group for a set amount of time based on access via its console. I find this software fairly inaccessible if I'm honest.

A group of us have decided to disjoin ourselves from the on-prem domain and use AAD join with Intune managing the software and other settings on the laptops, aka group policy. It's been successful for me so far, but my workflow doesn't require me to do anything with Windows management or Active Directory on-prem work. May be an option for developer workloads though.

Hope that has given you some ideas.

Andrew.

-----Original Message-----
From: Darragh Ó Héiligh <d@digitaldarragh.com>
Sent: 11 April 2021 23:05
To: Mailing list for blind system administrators <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Re: Security. Open conversation among system administrators?

Hey Andrew,

What are your people using to provide just in time access? I'm going to look up products tomorrow. I was thinking of just writing something myself, but I'm conscious of not spending hours on coding when there's so many other things to do.

-----Original Message-----
From: Andrew Hodgson <andrew@hodgson.io>
Sent: Sunday 11 April 2021 22:35
To: Mailing list for blind system administrators <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Re: Security. Open conversation among system administrators?

Hi,

Interesting idea. A bit late in the evening for me, though I could manage it if others were interested. The company I work for are very concerned about possible ransomware attacks.
In the main they are trying to mitigate against this by disabling admin privs everywhere and only allowing them for the time they are required after an approval process. This is across the board and has had several interesting ramifications.

Andrew.

-----Original Message-----
From: Darragh Ó Héiligh <d@digitaldarragh.com>
Sent: 11 April 2021 17:19
To: Mailing list for blind system administrators <blind-sysadmins@lists.hodgsonfamily.org>
Subject: [Blind-sysadmins] Security. Open conversation among system administrators?

Good afternoon,

Security is a huge concern for me at the moment. Two institutions in Ireland were targeted with Ryuk over the past few weeks. I have no doubt that there are malicious actors targeting the institution I work for right now.

I was wondering if a few of you would be up for a conversation via Zoom or Teams in the coming days. I can explain what we have done and what we are continuing to do to protect ourselves. You can do the same. Some of what we are doing might overlap, but potentially we all might get a few new ideas.

My infrastructure might be considered legacy compared to some. I'm still using on-prem systems for the most part, but I have some cloud based services as well.

All system admins / architects would be welcome. Perhaps Wednesday at 10pm GMT? I don't know what that is in other time zones, but it's probably around 6pm Eastern.
Regards

Darragh Ó Héiligh
Performing, Promoting and Sharing traditional Irish music
Performance: www.darraghpipes.ie
Music at the Gate: www.musicatthegate.ie
Ceol FM: www.ceol.fm
Tel: 00353(0)877670464
Email: darragh@ceol.fm

_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
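As an added example (editor's illustration, not code posted by anyone in the thread), here is the just-in-time NSG access flow Andrew describes, done with the Az.Security PowerShell cmdlets. It defines the JIT policy for a VM (which ports may be requested and the maximum window) and then requests a one-hour SSH window for a single administrator IP. The subscription ID, resource group, location, VM name and admin IP are placeholders; substitute your own.

```powershell
# Added example: just-in-time VM access via Azure Security Center (Az.Security module).
# Not from the mailing-list thread. Every identifier below is a placeholder (assumption).
# Prerequisites: Install-Module Az.Security; Connect-AzAccount

$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-bastion"                             # placeholder
$Location       = "uksouth"                                # placeholder
$VmName         = "vm-bastion-01"                          # placeholder
$AdminIp        = "203.0.113.10"                           # placeholder (TEST-NET-3 range)

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Declare the JIT policy for the VM. This opens nothing by itself: it only states
#    which ports can be requested and the longest window a request may ask for.
#    Until a request is approved, the Security Center managed NSG rule stays at deny.
$PolicyVm = @{
    id    = $VmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($PolicyVm)

# 2. Request access: one port, one source IP, a window shorter than the policy maximum.
#    endTimeUtc is when Security Center removes the temporary allow rule again.
$EndTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$RequestVm = @{
    id    = $VmId
    ports = @(
        @{
            number                     = 22
            endTimeUtc                 = $EndTimeUtc
            allowedSourceAddressPrefix = @($AdminIp)   # a single address, not "*"
        }
    )
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($RequestVm)

# 3. Read the policy back: the returned object lists the VMs covered and the
#    currently open requests (port, source prefix, expiry), which is what you
#    audit against when checking that no window has been left wide open.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default" |
    Format-List
```

The policy deliberately keeps `allowedSourceAddressPrefix = "*"` only as the ceiling of what may be asked for; the request itself narrows it to the admin's address and to an hour, so the temporary NSG rule is scoped to one host, one port and one source. As Andrew notes, this still exposes a management port to a public IP for the duration of the window, which is the trade-off against routing the same access through a VPN or bastion.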