Especially Jimmy's 2 cents hit a nerve:
There are many companies that have a policy not allowing DCs to connect to the "outside". And changing the policies is not easy sometimes.
While Jimmy wisely air-quoted "outside", it is a valid point that I see many Chief Security Officers (CSOs) make. So, how would an Active Directory admin respond in this situation, where the policy is not easily changed? Do we simply accept the policy, or can we make everyone happy?
Let’s find out.
The CSO Point of View
The reason why a Chief Security Officer (CSO) (or someone in a similar role in your organization) doesn't want the new Active Directory Replication Status solution in OMS is that he doesn't want Domain Controllers to be connected to the Internet. A Domain Controller that can connect outbound may, in rare cases, also turn out to be reachable from the Internet. Since Domain Controllers are the centers of authentication and authorization within a Microsoft-oriented networking environment, unauthorized modification of the data on these systems may be disastrous to the organization.
However, while the CSO is responsible for protection against both physical and digital penetration attacks and other criminal threats, this person is also responsible for the other information security-related aspects of the organization, like availability (next to confidentiality and integrity in the popular abbreviation for information security: the CIA triad).
Monitoring: the frontline of availability
I'm arguing that Active Directory availability is achieved mostly through monitoring. Adequate processes for handling the exceptions found by monitoring, backed by trend analysis and common sense, define the availability of the systems in scope.
Monitoring can be implemented on-premises (with a solution like Microsoft System Center Operations Manager), cloud-based (like Microsoft Operations Management Suite) or both.
What Microsoft has done
Microsoft has made some great decisions in the way its monitoring agent (Microsoft Monitoring Agent, MMA) connects to its Azure datacenters:
- Traffic is encrypted in transit with a certificate that is unique per Microsoft Monitoring Agent connected to Microsoft's Operations Management Suite (OMS), based on the enrollment key.
- The Microsoft Monitoring Agent initiates the remote connection.
- The connection from the Microsoft Monitoring Agent uses TCP port 443, popularly referred to as the universal firewall bypass protocol.
This means no inbound firewall rules have to be opened up from the outside (the Internet) to the inside network(s) for Operations Management Suite (OMS) traffic, for any of the monitoring agents in use on the inside network(s).
What you can do
However, firewall rules allowing traffic from the inside network(s) to the outside network may need to be created to allow this outbound traffic.
We can control this traffic in several ways:
- Restrict traffic
- Inspect traffic
- Reroute traffic
In situations where you can restrict traffic from your Active Directory Domain Controllers to the Internet, you can control the amount and direction of traffic granularly.
By default, all traffic from the Microsoft Monitoring Agent to Microsoft's Operations Management Suite (OMS) service is compressed. If the Operations Management Suite service is unavailable, the data collected by the Microsoft Monitoring Agent is stored in a temporary cache and the agent tries to resend the data every 8 minutes for 2 hours.
The only network port needed for the Microsoft Monitoring Agent is TCP 443.
The only hosts the Microsoft Monitoring Agent needs to connect to are:
Using a network-based firewall, you can restrict the traffic from the monitoring agent to only the addresses of Microsoft's Operations Management Suite (OMS).
Restricting the traffic might only be your first step. When you have a proxy server available in the network, like Microsoft's Threat Management Gateway (TMG) Server, you might want to inspect the traffic that is sent.
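To make the restriction verifiable, the following PowerShell script (an added example, not code from the original post or from Microsoft) resolves the allowed OMS host names into the address list a network firewall team needs, confirms the Domain Controller can still reach those hosts on TCP 443 through the restricted path, and lists any established connection of the agent processes that falls outside the allow-list. The host names are placeholders to be replaced with the OMS endpoints from Microsoft's proxy and firewall documentation, and the assumption that the agent's traffic originates from the HealthService and MonitoringHost processes is mine, not the post's.

```powershell
# Added example (not from the original post): allow-list generation and a
# host-side check that the Microsoft Monitoring Agent only talks to OMS on 443.
# Run in an elevated PowerShell session on Windows Server 2012 R2 or later
# (uses the DnsClient, NetTCPIP and NetSecurity cmdlets shipped with the OS).

# Placeholders: replace with the OMS endpoints from Microsoft's documentation.
$OmsHosts = @(
    'oms-endpoint-1.example.invalid',
    'oms-endpoint-2.example.invalid'
)
# Assumption: the MMA's network traffic comes from these two processes.
$AgentProcessNames = @('HealthService', 'MonitoringHost')

function Get-OmsAllowList {
    param([string[]]$HostNames)
    # Resolve each endpoint to its current IPv4 addresses. Cloud endpoints change
    # addresses over time, so run this on a schedule and hand the result to the
    # firewall team each time, rather than baking addresses in once.
    $ips = foreach ($h in $HostNames) {
        Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
    }
    $ips | Sort-Object -Unique
}

function Test-OmsReachability {
    param([string[]]$HostNames)
    # Confirms the restricted path still lets the agent reach OMS on TCP 443;
    # a failed TCP test here is the first thing to check when OMS stops
    # receiving heartbeats after a firewall change.
    foreach ($h in $HostNames) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Port443Open = $r.TcpTestSucceeded }
    }
}

function Get-OmsAgentViolations {
    param([string[]]$AllowedAddresses)
    # Every established connection owned by an agent process whose remote side is
    # not an allowed OMS address on port 443. An empty result is the expected
    # state; anything else means the firewall rules are wider than intended.
    $agentPids = Get-Process -Name $AgentProcessNames -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id
    if (-not $agentPids) { return @() }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $agentPids -contains $_.OwningProcess } |
        Where-Object { $_.RemotePort -ne 443 -or $AllowedAddresses -notcontains $_.RemoteAddress } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

$allowList = Get-OmsAllowList -HostNames $OmsHosts
'Allow-list for the network firewall (TCP 443 outbound from the Domain Controller VLAN):'
$allowList
Test-OmsReachability -HostNames $OmsHosts | Format-Table -AutoSize
$violations = Get-OmsAgentViolations -AllowedAddresses $allowList
if ($violations) { $violations | Format-Table -AutoSize } else { 'No agent connections outside the allow-list.' }
```

The check deliberately inspects live connections rather than firewall rules: a rule set can look correct while a typo in a subnet still lets the agent (or anything else on the Domain Controller) reach further than the CSO agreed to.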
For this, you will need to set the proxy information when installing the Microsoft Monitoring Agent using the Graphical User Interface (GUI) by running MMASetup-AMD64.exe or MMASetup-i386.exe:
On the Azure Operational Insights screen of the Microsoft Monitoring Agent, click the Advanced button and specify the proxy server.
You can also specify a proxy after installation using the Microsoft Monitoring Agent applet in the Control Panel. On the Proxy Settings tab, specify the proxy server and port for the Microsoft Monitoring Agent.
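The same proxy settings can be applied without the Control Panel applet, which matters when you want every Domain Controller configured identically. The following script is an added example, not code from the original post or from Microsoft: it uses the agent's AgentConfigManager.MgmtSvcCfg COM object (installed with the MMA) to set the proxy and then checks that the HealthService process actually has a connection to the proxy instead of going to OMS directly. The proxy address is a placeholder, and the `proxyUrl` and `proxyUsername` property names are taken from my reading of the COM interface, so treat them as assumptions to verify against the agent version you run.

```powershell
# Added example (not from the original post): configure and verify the
# Microsoft Monitoring Agent's proxy on a machine where the agent is already
# installed. Run in an elevated PowerShell session.

$ProxyHost = 'tmg.corp.example.invalid'   # placeholder for your inspecting proxy
$ProxyPort = 8080                         # placeholder
$ProxyUser = ''                           # empty: no proxy authentication
$ProxyPassword = ''

function Set-MmaProxy {
    param([string]$ProxyHost, [int]$ProxyPort, [string]$User, [string]$Password)
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    # SetProxyInfo(proxyUrl, proxyUser, proxyPassword): the agent will send all
    # OMS traffic through this proxy; empty credentials mean an anonymous proxy.
    $cfg.SetProxyInfo("${ProxyHost}:${ProxyPort}", $User, $Password)
    # The HealthService picks up proxy settings at start, so restart it to apply.
    Restart-Service -Name HealthService
}

function Get-MmaProxy {
    # Assumption: proxyUrl and proxyUsername are the read properties of the
    # MgmtSvcCfg COM object; adjust if your agent version names them differently.
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    [pscustomobject]@{
        ProxyUrl  = $cfg.proxyUrl
        ProxyUser = $cfg.proxyUsername
    }
}

function Test-MmaProxyInUse {
    param([string]$ProxyHost, [int]$ProxyPort)
    # Resolve the proxy and look for an established HealthService connection to
    # it. $true means OMS traffic is flowing through the proxy and can be
    # inspected there; $false after a few minutes means the agent is still
    # trying to go direct (or the proxy is unreachable from the DC VLAN).
    $proxyIps = Resolve-DnsName -Name $ProxyHost -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
    $svc = Get-Process -Name HealthService -ErrorAction SilentlyContinue
    if (-not $svc) { return $false }
    $conns = Get-NetTCPConnection -State Established -OwningProcess $svc.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $ProxyPort -and $proxyIps -contains $_.RemoteAddress }
    return [bool]$conns
}

Set-MmaProxy -ProxyHost $ProxyHost -ProxyPort $ProxyPort -User $ProxyUser -Password $ProxyPassword
Get-MmaProxy | Format-List
Start-Sleep -Seconds 60   # give the agent time to reconnect after the restart
"HealthService connected through proxy: $(Test-MmaProxyInUse -ProxyHost $ProxyHost -ProxyPort $ProxyPort)"
```

With the proxy confirmed as the only path, the network firewall rule from the previous step can be narrowed further: the Domain Controller VLAN then only needs to reach the proxy, and the proxy is the single place that needs the outbound 443 rule to the OMS addresses.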
While the above settings will show you the amount of traffic and its direction, you might want to inspect the actual data sent. You can use Fiddler on a (test) Domain Controller with the Microsoft Monitoring Agent installed (and connected) to inspect and record the traffic sent.
While a proxy server can be used to reroute traffic, you can also use an on-premises Microsoft System Center Operations Manager (OpsMgr) implementation to take care of the traffic between Microsoft Monitoring Agent installations and Microsoft's Operations Management Suite (OMS) Service.
For this purpose, connect the on-premises Microsoft System Center Operations Manager (OpsMgr) implementation to Microsoft's Operations Management Suite (OMS) Service using the Operational Insights Connection in the Administration workspace, available since Operations Manager 2012 SP1 Update Rollup 7 and Operations Manager 2012 R2 Update Rollup 3.
Of course, connecting the on-premises Microsoft System Center Operations Manager (OpsMgr) implementation to Microsoft's Operations Management Suite (OMS) Service is strictly optional.
This way, (V)LANs with Active Directory Domain Controllers on them do not need to be Internet-connected: only the OpsMgr management servers talk to OMS.
Microsoft Monitoring Agent installations on Active Directory Domain Controllers can be restricted and rerouted towards Microsoft's Operations Management Suite (OMS) Service, if need be.
This way you can channel your inner Active Directory Replication Status to Microsoft, benefiting from the Machine Learning capabilities it provides.
- Active Directory Services and their System Center Management Packs
- The Active Directory Replication Status Tool is making the move to OMS
- KnowledgeBase: Heartbeat failure alerts on Windows Server 2012 R2 Domain Controllers when monitoring with System Center 2012 R2 Operations Manager
- TechNet – Configure proxy and firewall settings for OMS
- TechNet – Connect Windows computers directly to OMS
- Be A Good IT and Protect Yourself for Free with Operations Management Suite
- Playing with automation of OMS agent deployment