Jul 10, 2018 Mark Blackburn

Run-DMZ: WORK this way!


Active Directory (AD) group policy is a very convenient way of ensuring that policy is applied consistently across an estate of PCs, whether workstations, laptops or servers. However, group policy can only be applied to machines that are directly joined to an Active Directory domain, and there are cases where that is undesirable, usually for security reasons, such as servers located in a DMZ network.

The whole point of a DMZ is to isolate trusted internal networks from the potentially hostile Internet, and if a DMZ server is compromised, the fact that it is not in the AD domain makes it much harder for an attacker to traverse into internal networks and steal data. Conversely, it makes it much harder to apply consistent policy to DMZ servers, as they are deliberately isolated from the very systems that would otherwise do this.

Tachyon can be used to close this gap in policy application with a new script just released on the Tachyon Exchange. When run by an AD administrator, the script takes an existing Group Policy Object (GPO) and converts it into a Tachyon Instruction, which can be imported into your own Tachyon environment and set to run on a repeating schedule against DMZ machines, applying the policy locally. This has exactly the same effect as if those machines were in the domain and subject to the group policy.

AD administrators can use the tools that they are familiar with to define the Group Policy object, and then automatically convert the policy to a Tachyon instruction.
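To show what "applying the policy locally" on a non-domain-joined server looks like in practice, here is an added PowerShell example (not the Tachyon Exchange script itself) that applies a set of GPO-derived registry policy values and reports drift; the three settings are constructed sample data standing in for values exported from a real GPO, and the `-AuditOnly` switch is an assumption of this example.

```powershell
# Added example, not the Tachyon Exchange script: apply GPO-derived registry
# policy values on a server outside the domain and report any drift.
# $Settings is constructed sample data; in practice populate it from the GPO
# (for example with Get-GPRegistryValue from the GroupPolicy RSAT module).
[CmdletBinding()]
param([switch]$AuditOnly)   # report drift without changing anything

$Settings = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'; Name = 'AllowInsecureGuestAuth'; Value = 0; Type = 'DWord' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fDenyTSConnections'; Value = 1; Type = 'DWord' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';              Name = 'EnableSmartScreen'; Value = 1; Type = 'DWord' }
)

$drift = @()
foreach ($s in $Settings) {
    $current = $null
    if (Test-Path $s.Key) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    }
    # Already compliant: skip, so repeated scheduled runs stay idempotent.
    if ($current -eq $s.Value) { continue }

    $drift += [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Expected = $s.Value; Actual = $current }
    if (-not $AuditOnly) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
}

if ($drift.Count -eq 0) { Write-Output 'Compliant: all policy values match.' }
else { $drift | Format-Table -AutoSize }

# Non-zero exit code lets the scheduler flag the host as having drifted.
exit ([int]($drift.Count -gt 0))
```

Run it elevated; with `-AuditOnly` it only lists the values that differ from the intended policy, which is the check you would want before trusting a scheduled run to keep DMZ hosts in line.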

The same mechanism can also be used in new ‘Modern Management’ environments where PCs are connected only to Azure AD. InTune policy management does not cover the wide array of settings provided by GPOs, so applying policy via a Tachyon Instruction allows the full breadth and depth of GPO capabilities to be applied there too.

Tachyon makes it easy to maintain a better security posture without the negative impact typically created by additional administrative tasks. With this new script shared on the Tachyon Exchange it’s possible to have the best of both worlds: a more secure IT environment, and reduced admin overhead to maintain it.