CLAM DOWN
Feb 13, 2007




Jesus, this month.

https://technet.microsoft.com/library/security/MS14-066


incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I immediately fast tracked this with a mid week restart of servers.

350 updates this month tho :staredog:

Calidus
Oct 31, 2011

Stand back I'm going to try science!
Is there a good "this is all the basic poo poo you need to know to create a new proper windows domain" anywhere? I am creating a new domain from scratch to replace a really hosed up server 2003 domain (originally SBS) with Server 2012r2.

Hadlock
Nov 9, 2004

Given that the security update impacts 2003 (x86) all the way to 8.1 RT (ARM) is it safe to say that anyone still clutching to XP is doomed? XP and 2003 shared a lot of code IIRC.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Windows XP users aren't doomed, but you should seriously think about removing XP machines from having internet access, if possible. We moved all of ours to a VLAN with no routing or internet access and have had minimal issues with it as of right now.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Calidus posted:

Is there a good "this is all the basic poo poo you need to know to create a new proper windows domain" anywhere? I am creating a new domain from scratch to replace a really hosed up server 2003 domain (originally SBS) with Server 2012r2.

I did some quick googling but I haven't seen a good compilation or official one but maybe someone else could comment?

CLAM DOWN
Feb 13, 2007





Anyone treating this as "patch now"? The only reason groups like SANS said not to, is because they think it'll take a week or more for an actual exploit to be released taking advantage of this.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Yeah I'm already getting ready to push it out to our production servers. I would really only be worried about anything that is internet facing (IIS/Exchange CAS/Hub) or RDP.

I love how SSL/TLS has become the exact opposite of secure over the past few months.

ghostinmyshell
Sep 17, 2004



I am very particular about biscuits, I'll have you know.
I went ahead with patch now mode and I'm glad, the .net poo poo still takes loving forever. Otherwise we would be doing this at 3 am, and who wants to do that :)

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

CLAM DOWN posted:

Anyone treating this as "patch now"? The only reason groups like SANS said not to, is because they think it'll take a week or more for an actual exploit to be released taking advantage of this.

We've got our internet facing servers patching tonight. Luckily I don't own any of them so nothing to do tonight but :yotj:

Thalagyrt
Aug 10, 2006

CLAM DOWN posted:

Anyone treating this as "patch now"? The only reason groups like SANS said not to, is because they think it'll take a week or more for an actual exploit to be released taking advantage of this.

Yup, all of vNuc's production Windows stuff has already been patched. We're rolling new images for guest creation shortly as well.

CLAM DOWN
Feb 13, 2007




I figured as such, all our servers with any external access (no matter how little) are now scheduled for patching by tomorrow, everything else next week. It's a pretty nasty little vulnerability, I'm curious to try out an actual exploit.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I really want to see a "through the ages" exploit video of this like the upgrade from every single version of microsoft windows.

Thalagyrt
Aug 10, 2006

Yeah, how long this bug has existed for is the most interesting part. That's one of the scary things about this industry - bugs like this are everywhere, and I'd wager we don't know about the majority of them.

Maneki Neko
Oct 27, 2000

So are there ANY useful details on MS14-066 out there (aka SSLMAGEDDON) so I can figure out how much to freak the gently caress out?

I'm assuming anything behind a LB or reverse proxy is fine?

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Maneki Neko posted:

So are there ANY useful details on MS14-066 out there (aka SSLMAGEDDON) so I can figure out how much to freak the gently caress out?

I'm assuming anything behind a LB or reverse proxy is fine?

Chances are quite a few of your SSL ports will be forwarded, for web servers, RDS gateways, proxies, SCCM distribution points etc.

Maneki Neko
Oct 27, 2000

peak debt posted:

Chances are quite a few of your SSL ports will be forwarded, for web servers, RDS gateways, proxies, SCCM distribution points etc.

Most stuff does SSL termination at the LB/reverse proxy, although to your point, not sure what RDS does in that case.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Ok, so I'm trying to wrap my head around this.

We have a mix of Adobe Reader and Acrobat in the company (don't ask, I hate it but my boss doesn't want to pay for seats for everyone).

So the people who have Acrobat keep getting file associations grabbed away by reader whenever I update it and I get frantic HELP I CAN'T EDIT PDFS ANYMORE emails.

I've never really done any Item Level targeting but it looks like I can set up an MSI query to say "if Adobe Acrobat is installed, don't install reader" correct? Does anyone have any good articles on MSI targeting filters for group policy?

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

LmaoTheKid posted:

Ok, so I'm trying to wrap my head around this.

We have a mix of Adobe Reader and Acrobat in the company (don't ask, I hate it but my boss doesn't want to pay for seats for everyone).

So the people who have Acrobat keep getting file associations grabbed away by reader whenever I update it and I get frantic HELP I CAN'T EDIT PDFS ANYMORE emails.

I've never really done any Item Level targeting but it looks like I can set up an MSI query to say "if Adobe Acrobat is installed, don't install reader" correct? Does anyone have any good articles on MSI targeting filters for group policy?
You should be using the Adobe Customization Tool to generate a proper .MSI for Reader, and right within the configuration options is that exact setting.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

nexxai posted:

You should be using the Adobe Customization Tool to generate a proper .MSI for Reader, and right within the configuration options is that exact setting.

WELP, that makes things easier, thank you.

Can I apply a MST after something's been installed?

E: I'm only seeing "let the installer decide what opens PDFs" or something like that. Just for shits and giggles, this should return TRUE right?

code:
Select * from Win32_Product where not identifyingnumber="{AC76BA86-1033-FFFF-7760-000000000006}"

Matt Zerella fucked around with this message at 23:28 on Nov 13, 2014
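An added example (mine, not the poster's or the thread's) of how a GPO WMI filter evaluates the query above, next to a registry check that actually answers "is Acrobat installed". It assumes the product code in the post is the Acrobat install in question.

```powershell
# Added example, not from the thread. A GPO WMI filter "applies" when its query returns
# at least one instance, so the posted "NOT IdentifyingNumber = ..." query is true on any
# machine that has any other MSI product installed, whether or not Acrobat is present.

$AcrobatProductCode = '{AC76BA86-1033-FFFF-7760-000000000006}'   # product code from the post

function Test-WmiFilter {
    # Evaluate a WQL query the way Group Policy does: true if >= 1 instance comes back.
    param([Parameter(Mandatory)][string]$Query, [string]$Namespace = 'root\cimv2')
    $instances = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

function Test-MsiProductInstalled {
    # Check the Uninstall keys that Programs and Features reads. This avoids enumerating
    # Win32_Product, which runs a consistency check (and possible repair) of every MSI package.
    param([Parameter(Mandatory)][string]$ProductCode)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (Test-Path -LiteralPath (Join-Path $key $ProductCode)) { return $true }
    }
    return $false
}

$postedQuery   = "SELECT * FROM Win32_Product WHERE NOT IdentifyingNumber = '$AcrobatProductCode'"
$positiveQuery = "SELECT * FROM Win32_Product WHERE IdentifyingNumber = '$AcrobatProductCode'"

[pscustomobject]@{
    PostedFilterApplies   = Test-WmiFilter $postedQuery      # almost always True
    PositiveFilterApplies = Test-WmiFilter $positiveQuery    # True only when Acrobat is present
    AcrobatInRegistry     = Test-MsiProductInstalled $AcrobatProductCode
}
```

WQL has no "no rows match" form, so "Acrobat is absent" cannot be expressed as a WMI filter on Win32_Product; the positive query can scope an Acrobat-only policy, and the Reader package itself is better handled with the item-level targeting or Customization Wizard setting discussed in the thread.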

JHVH-1
Jun 28, 2002
Two different machines I tried to check for updates and it's having a problem connecting. Is everyone spamming the update servers or is something else going on?

CLAM DOWN
Feb 13, 2007




JHVH-1 posted:

Two different machines I tried to check for updates and it's having a problem connecting. Is everyone spamming the update servers or is something else going on?

I'm manually patching a system right now with no problem.

lol internet.
Sep 4, 2007
the internet makes you stupid
Question about Hyper-V NIC teaming in VMs.

Are there any benefits of NIC Teaming inside the actual VM/child guest if the physical server\parent has NIC teaming setup?

I assume there isn't but I figured I'd ask just in case.

Zaepho
Oct 31, 2013

lol internet. posted:

Question about Hyper-V NIC teaming in VMs.

Are there any benefits of NIC Teaming inside the actual VM/child guest if the physical server\parent has NIC teaming setup?

I assume there isn't but I figured I'd ask just in case.

None that I have seen. If you do it make sure you allow MAC Spoofing and such on the vNICs otherwise it won't work properly.

Honestly, use VMM and do Logical Switches with lots of physical NICs then a single NIC on the guest and you'll be more than covered from a (network) high availability standpoint.

Docjowles
Apr 9, 2009

incoherent posted:

I immediately fast tracked this with a mid week restart of servers.

350 updates this month tho :staredog:

This is karma for all the "lmao linux got hacked where is your god now :smuggo:" idiots that came out of the woodwork for Shellshock

I don't actually believe that. Everything will get hacked on a large enough timescale. But it's some funny Just Desserts for shitposters/trolls

Docjowles fucked around with this message at 06:10 on Nov 14, 2014

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

lol internet. posted:

Question about Hyper-V NIC teaming in VMs.

Are there any benefits of NIC Teaming inside the actual VM/child guest if the physical server\parent has NIC teaming setup?

I assume there isn't but I figured I'd ask just in case.

No

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
At all the places I've worked, I've always joined computers and users to Active Directory. At my current place it's all cloud software, and everyone is assigned a personal laptop, no desktops in the environment.

I've been researching Cached Credentials and looking into getting maximum domain controller availability on Azure, and I got another (probably bad) idea.

What about joining all the computers to the domain but having people continue to log in locally? Computer-targeted GPO seems to have just about everything that User-targeted GPO does, so I can control the environment that way. Plus, every laptop computer name is matched to the person using it, so I can still assign computers to departmental OUs that way. I got a publisher certificate whitelist working in GPO, so even if the users have local admin privs, they can only execute apps from companies I've allowed. I would take admin privs away but users constantly need to elevate so they can run GoToMeeting/WebEx executables to meet with clients. It seems like this way even if there is a catastrophic domain failure, people can continue to work normally.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
You'd probably want a mobile device management that has a pc feature, not a domain controller.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Zero VGS posted:

What about joining all the computers to the domain but having people continue to log in locally? Computer-targeted GPO seems to have just about everything that User-targeted GPO does, so I can control the environment that way. Plus, every laptop computer name is matched to the person using it, so I can still assign computers to departmental OUs that way. I got a publisher certificate whitelist working in GPO, so even if the users have local admin privs, they can only execute apps from companies I've allowed. I would take admin privs away but users constantly need to elevate so they can run GoToMeeting/WebEx executables to meet with clients. It seems like this way even if there is a catastrophic domain failure, people can continue to work normally.

I'll talk to some other people later but essentially you're going to run into a GPO you want to deploy but is only user-targeted.

I know with the security prompts for GoToMeeting/WebEx you basically need to find out what it's requesting access to and modify permissions appropriately. I've never done it myself, I've heard it sucks but that's the right way.

Maneki Neko
Oct 27, 2000

Zero VGS posted:

At all the places I've worked, I've always joined computers and users to Active Directory. At my current place it's all cloud software, and everyone is assigned a personal laptop, no desktops in the environment.

Look at intune and get everyone to upgrade to Windows 10 when it comes out so you can use azure ad. :)

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

On a windows 2k8R2 server with no TPM is there a way to use Bitlocker to encrypt the drive that does NOT require user intervention when the server reboots? If not Bitlocker, something else? The server has a few shares on it, so any encryption would have to be done so that it doesn't impact users.
I ask because this server is in a location about an hour away so having someone sit there and enter a password/hardware key isn't really feasible and a couple weeks ago someone drove their car through the front of the building, so obviously it's not the most physically secure location.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Mr. Clark2 posted:

a couple weeks ago someone drove their car through the front of the building, so obviously it's not the most physically secure location.

A long time ago in one of these threads, someone told me "jersey barriers are the cornerstone of any IT defense paradigm", wise words.

Maneki Neko posted:

Look at intune and get everyone to upgrade to Windows 10 when it comes out so you can use azure ad. :)

The MS Intune group actually cold-called me a few weeks back but I blew them off because they were only telling me it was for mobile, which I don't care about. I didn't realize it can do PC management.

http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/buy.aspx

OK gently caress nevermind, I thought for a second it was $6 per user per year, $6 per month probably ain't happening.

Zero VGS fucked around with this message at 21:07 on Nov 14, 2014

PUBLIC TOILET
Jun 13, 2009

Mr. Clark2 posted:

On a windows 2k8R2 server with no TPM is there a way to use Bitlocker to encrypt the drive that does NOT require user intervention when the server reboots? If not Bitlocker, something else? The server has a few shares on it, so any encryption would have to be done so that it doesn't impact users.
I ask because this server is in a location about an hour away so having someone sit there and enter a password/hardware key isn't really feasible and a couple weeks ago someone drove their car through the front of the building, so obviously it's not the most physically secure location.

There's a way to use BitLocker so that it would only need a USB dongle connected to a USB port during boot-up (but I presume that's what you mean by hardware key.)
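The USB startup-key route, as an added example (mine, not the poster's). It assumes the BitLocker feature is already installed on the 2008 R2 server, that U: is the removable drive that will hold the key, and that the escrow share path is a placeholder; 2008 R2 has no BitLocker cmdlets, so it drives manage-bde.exe.

```powershell
# Added example, not from the thread. Server 2008 R2 has no BitLocker PowerShell cmdlets,
# so this wraps manage-bde.exe. Assumptions: the BitLocker feature is installed, U: is the
# removable drive that will hold the startup key, and the escrow share is a placeholder. Run elevated.
$OsVolume   = 'C:'
$UsbDrive   = 'U:\'
$EscrowPath = '\\fileserver\bitlocker-recovery'   # placeholder: somewhere that is NOT this server

# Without a TPM, BitLocker refuses a startup key until policy allows it. These are the values
# the GPO "Require additional authentication at startup" writes when "Allow BitLocker without a
# compatible TPM" is ticked; on a domain member set them through the GPO instead of directly.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# Add a recovery password plus a USB startup key (.BEK file on U:), then start encryption.
# manage-bde prints the 48-digit recovery password; keep that output off the box.
$output = & manage-bde.exe -on $OsVolume -RecoveryPassword -StartupKey $UsbDrive
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed:`n$($output -join "`n")" }
$output | Out-File -FilePath (Join-Path $EscrowPath "$env:COMPUTERNAME.txt")

# The server now boots unattended as long as the USB drive is present. The trade-off is
# explicit: whoever carries off the chassis with the stick still in it carries off the key,
# so this protects against a disk or server leaving without the stick, not the whole rack.
& manage-bde.exe -status $OsVolume
```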

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Zero VGS posted:

A long time ago in one of these threads, someone told me "jersey barriers are the cornerstone of any IT defense paradigm", wise words.


The MS Intune group actually cold-called me a few weeks back but I blew them off because they were only telling me it was for mobile, which I don't care about. I didn't realize it can do PC management.

http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/buy.aspx

OK gently caress nevermind, I thought for a second it was $6 per user per year, $6 per month probably ain't happening.


Go with intuneSA and deploy directaccess for always in the domain connections.

incoherent fucked around with this message at 01:07 on Nov 15, 2014

Thanks Ants
May 21, 2004

#essereFerrari


If $6 a user per month to have some form of control of endpoints is enough to put your employer off then you really need to work on that. Trying to do everything on the cheap won't help you in the longer term.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

incoherent posted:

Zero VGS you're a real smart dude, but you should know by now if anyone was using a cheap or open source implementation of active directory (with group policy functionality) that worked we'd be all over it and be extremely lousy with gurus.

Even if you have laptops, and you need to centrally manage windows laptops you're going to need the intune (with SA) and deploy DirectAccess the windows server always on seamless VPN solution.

Or throw out all your window laptops and give them all macs and use open directory.

Yeah I'm stubborn, I'm putting my foot down with this loving Software Assurance bullshit though. I've been researching for months and everything devolves into a licensing hell where everything is bait-and-switch expensive and nothing is EULA/CAL-compliant. I'm not going to become dependent on a bunch of SaaS that can change in features and price whenever anyone feels. I saw it at my last job with Adobe Creative Commons. Nice discount rate for the first year, then you practically have no choice but to be hosed for life once you're hooked, Adobe are IRL drug pushers.

Maneki Neko posted:

Look at intune and get everyone to upgrade to Windows 10 when it comes out so you can use azure ad. :)

I'm not sure I can wait a whole year for Windows 10 before going insane.

Windows 8 allows you to log in with a Microsoft account, which is excellent because:

- it is free
- the login can be user's corporate email account name
- two-step authentication can be enabled
- self-service password resets, I'm usually not too comfy from an infiltration standpoint with that, but this isn't a very security-sensitive workplace compared to my last two jobs
- I tested Cached Credentials for this and it actually works better than the AD version (the PC will tell you "You aren't connected to the internet, use the last password you signed into this PC with")
- Alleges to save settings to the cloud

However, Microsoft is being intentionally obtuse with how I'd obviously want to implement this. I can't sync Business Office 365 logins. I can use a personal OneDrive account as the Windows login, but not a OneDrive For Business account. Everything on the PC becomes this personal/business account mishmash. If Windows 10 is really going to integrate Azure AD into the initial sign-in then that's a miracle but MS shouldn't wait until then. I might just drat the torpedoes and do the Microsoft login thing.

Anyway, my 200 users make all our money with their phone and laptop, and they have super-simple needs:

- Always have a way to log in to their laptop under any circumstance
- Always be able to run Office 365 and Salesforce
- I need a ton of high-availability on the internet and phones and I'd rather put our money into that or there's going to be some kind of outage cataclysm eventually and I'll be fired

I don't even give a poo poo if they catch a virus, because I already have everyone's entire hard drive synced to OneDrive for Business. Even if they caught some kind of encryption ransomware, OneDrive for Business has full deletion and previous version restoration for everyone's documents. Windows Defender and the current lack of any servers or file shares in our environment seems like it's making it pretty hard for a virus to spread. I could isolate all network devices from each other if it weren't for those pesky printers.

Thanks Ants posted:

If $6 a user per month to have some form of control of endpoints is enough to put your employer off then you really need to work on that. Trying to do everything on the cheap won't help you in the longer term.

I've gotten that a lot in these threads and I probably deserve it. But here's the truth. I've done everything The Right Way for the last ten years with Windows Administration and AD. I can lock down a domain like crazy. But when I got to this job all users from senior execs to grunts are running laptops on a workgroup with admin access and they all tell me it's mostly fine.

And the horrifying part... I'm starting to agree with them. It IS mostly fine. By virtue of being completely unmanaged and unconnected, everyone's productivity here has been practically bulletproof for years. Who the gently caress am I to roll in and use the traditional approach just because I'm resourceful enough to do it?

Right now I need to finish putting my newest image on all these laptops so they all inventory in Spiceworks properly, and figure out the cheapest way possible to add/remove programs and deploy scripts uniformly. We made it this far with poo poo IT running the place, maybe I should just embrace the madness!

incoherent posted:

Go with intuneSA and deploy directaccess for always in the domain connections.

DirectAccess to what? We don't have an air conditioned server room so I have to either run a DC in Azure (which I already got working on a trial account with Point-to-site VPN) or on a couple of laptops in house (I also got this working). Either will need user CALs...

Spiceworks is an amazing value (free)
Office365 is too ($20 per user per month is worth it for the unlimited folder-redirected cloud backup syncing, not even counting Office 2013)
And I hired a friend for $12/hr to double my efforts for cloning laptops and other time consuming stuff.

Those are all worth the money several times over. But there just has to be a better way to manage these laptops at a basic level than paying for CALS/Servers/VPN/Hardware/SaaS. My autonomy will be my undoing if I get carried away, slippery slope and all that.

Docjowles
Apr 9, 2009

Zero VGS posted:

I've gotten that a lot in these threads and I probably deserve it. But here's the truth. I've done everything The Right Way for the last ten years with Windows Administration and AD. I can lock down a domain like crazy. But when I got to this job all users from senior execs to grunts are running laptops on a workgroup with admin access and they all tell me it's mostly fine.

And the horrifying part... I'm starting to agree with them. It IS mostly fine. By virtue of being completely unmanaged and unconnected, everyone's productivity here has been practically bulletproof for years. Who the gently caress am I to roll in and use the traditional approach just because I'm resourceful enough to do it?

Right now I need to finish putting my newest image on all these laptops so they all inventory in Spiceworks properly, and figure out the cheapest way possible to add/remove programs and deploy scripts uniformly. We made it this far with poo poo IT running the place, maybe I should just embrace the madness!

If you're coming in cold to a new company, I actually think you're going about this perfectly. The first thing you do shouldn't be to beat your chest while yelling "NO LOCAL ADMIN FOR YOU!". You can plan and dream for that day but in the meantime, help users and the business with everything that's blocking them from getting work done. Build up good will. Understand the business and everyone's workflow. Then, once you have a track record of being super helpful and not making GBS threads on the business for (from their perspective) no reason, float your suggestions. They're a lot more likely to be heard coming from a trusted partner than "that fuckin' IT nerd who always says No". And they're a lot more likely to be helpful since you now actually understand how everyone does their job.

</utopian dream>

Docjowles fucked around with this message at 05:08 on Nov 15, 2014

Moey
Oct 22, 2010

I LIKE TO MOVE IT
It took about two years to yank local admin rights from my last job. I preach it here to our IT team, but it will be some time until I get to start yanking rights.

Thanks Ants
May 21, 2004

#essereFerrari


Servers deployed in Azure don't need CALs for what it's worth.

http://azure.microsoft.com/en-us/pricing/licensing-faq/ posted:

Does a customer need Windows Server CALs to connect to a Windows Server image that is running in Azure Virtual Machines?
No. Windows Server CALs are not required for accessing Windows Server running in the Azure environment because the access rights are included in the per-minute charge for the Virtual Machines. Use of Windows Server on-premises (whether in a VHD or otherwise) requires obtaining a separate license and is subject to the normal licensing requirements for use of software on-premises.


Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
Half-measures won't suffice so either go full loving bore domains/etc or just sit back and chill and keep doing things the way they are now.
