FISHMANPET posted:Man, that was me a month ago, except that other people at my old place know how to manage it. I went from being secondary in an SCCM install that had about 600 computers to a "Senior" admin in control of an SCCM instance with 25k computers. 1430 collections. I've been missing my old networking job but system center, while occasionally infuriating, has kept my interest. Seems like I've only scratched the surface of what it can do. I feel like my next step in really learning it is to spend some time spinning up a lab environment of it and all the extra sql servers you can get for reporting. That and practicing writing queries. So often I'll write a query and get a lot of data back but not in the exact nuanced way that I want.
|
# ? Feb 5, 2015 20:01 |
|
|
5er posted:I ran the OEM vendor's (only) process for restoring from a failed OS situation, which is supposed to only re-install the OS on its small partition and leave any other allocated space completely alone. Two cents: I think this got derailed at the "Raid for recovery" bit. Hardware redundancy really only performs well from a design aspect for the purpose of preventing downtime during hardware failure. Raid is not a backup solution for higher levels of architecture -- namely, the recovery of accidentally damaged or misconfigured software. For that, you really need regular system backups of some kind on a separate device. I know Raid can really easily look like a backup solution. I've been there. Without the capacity to easily do software-level backups, however, its application in your recovery plan is very limited. Edit: In a sentence, you are going to be far safer if you don't rely on RAID for software recovery.
|
# ? Feb 6, 2015 02:00 |
|
Potato Salad posted:Two cents: I think this got derailed at the "Raid for recovery" bit. Hardware redundancy really only performs well from a design aspect for the purpose of preventing downtime during hardware failure. Raid is not a backup solution for higher levels of architecture -- namely, the recovery of accidentally damaged or misconfigured software. For that, you really need regular system backups of some kind on a separate device. I'm way ahead of you, and the wisdom you speak is something I have to dispense almost daily to others. I just wanted to know if the problem as I described it is fixable, because some dumb gently caress is going to break things along the lines I described and I might get looked at to un-gently caress it up.
|
# ? Feb 6, 2015 03:57 |
|
5er posted:I'm way ahead of you, and the wisdom you speak is something I have to dispense almost daily to others. I just wanted to know if the problem as I described it is fixable, because some dumb gently caress is going to break things along the lines I described and I might get looked at to un-gently caress it up. Ideally the system drive should be mirrored (at the hardware level), THEN build your Storage Space with all of the other drives using at least a parity space, and replace drives as needed there. Don't use anything from the OS disk in the storage space.
|
# ? Feb 6, 2015 04:02 |
|
I'm working on setting up software restriction policies in my domain at work. I followed that NSA .pdf file and I've got the GPO set up as a user policy, and I'm whitelisting. I've got the GPO applied to a set of test users and for the most part things are working correctly, with one very large problem...Internet Explorer launches, stays on screen for about 3-5 seconds and then closes. The weird part is that nothing is getting written to the event log when this happens, either under Application or the IE section. When I try to launch any other .exe from a denied location, I see the appropriate event get written to event viewer, so I know that much is working. My current theory is that iexplore.exe is trying to spawn some process from a denied location, but I haven't had a chance to test that yet (weekend work is for suckas). I've whitelisted iexplore.exe but still no dice. Any other ideas? This is on Win7 Pro, users are all non-admin accounts. Mr. Clark2 fucked around with this message at 17:58 on Feb 7, 2015 |
# ? Feb 7, 2015 17:56 |
|
Your best bet is to download procmon and procexp to see where it is blocking. You may have something like protected mode disabled/enabled or even something weird like DAP disabled or on at per app level. Hardening Windows is probably the most time consuming, but rewarding thing you could do. e: you didn't whitelist the x86 program files\internet explorer
|
# ? Feb 7, 2015 19:40 |
|
I'd have assumed that would have been caught by the Program Files (x86) path though. Also it loads and then goes away again, so it's being allowed to load. Maybe it's crashing because it's referencing a lovely addon/plugin in the user profile? Will it load in safe mode? (-extoff)
|
# ? Feb 7, 2015 20:07 |
|
True, thanks ants. I'd also make sure I can read/write to the Internet Explorer temp directory. Even if it's in "appdata\local\temp" and should have r/w I'd check it off the list (and, consequently, you should probably begin making a checklist). I suspect it's loading, seeing it can't "r/w" somewhere or even "r" and is peacing out.
|
# ? Feb 7, 2015 20:41 |
|
Thanks, I'll have a look at those things on Monday. One other thing I noticed when looking at the shortcut that launches IE... it has "Start in" set to %homedrive%%homepath% whereas shortcuts that work all have start in set to their own directory in ProgramFiles. %HomeDrive% is a network share where the user has r/w access. These are all x86 machines so far, we only have a couple on x64, I'll have to add one of those to my test group. *Update* Well, this is getting weirder. Tested the GPO with a completely different user today and found that when it's applied on her workstation, IE does the same open, then quit thing. Walked her over to another computer (in the same OU), she logs in...and IE launches. Ran the GP results wizard and see that the same GPOs are being applied and the machines are members of the same groups. I'm stumped at this point. Mr. Clark2 fucked around with this message at 22:07 on Feb 9, 2015 |
# ? Feb 7, 2015 20:49 |
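For the "nothing in the event log" problem above, SRP has an advanced logging switch that records every executable it evaluates, allowed or blocked, including child processes; the PowerShell below (added here, not posted in the thread) enables it, dumps the path rules in force, and pulls recent SRP block events. It assumes PowerShell 3 or later, an elevated prompt for the HKLM part, and that the HKCU part is run from the affected user's own session since the poster deployed SRP as a user policy; the log file path is an assumption.

```powershell
# Added example, not from the thread. Run on the affected Win7 client.
$hives = @(
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
  'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
$logFile = 'C:\Temp\srp.log'   # assumed path; any file SRP can write to

# 1. Advanced logging: one line per *evaluated* image, allowed or not, so a
#    child process spawned by iexplore.exe from a blocked path shows up here
#    even when nothing reaches the event log. Needs an elevated prompt (HKLM).
New-Item -Path (Split-Path $logFile) -ItemType Directory -Force | Out-Null
Set-ItemProperty -Path $hives[0] -Name LogFileName -Value $logFile -Type String

# 2. Path rules per security level (the subkey name is the level value).
$levels = @{ '0' = 'Disallowed'; '131072' = 'BasicUser'; '262144' = 'Unrestricted' }
$rules = foreach ($hive in $hives) {
  if (-not (Test-Path $hive)) { continue }
  Get-ChildItem -Path $hive | Where-Object { $levels.ContainsKey($_.PSChildName) } |
    ForEach-Object {
      $level = $levels[$_.PSChildName]
      Get-ChildItem -Path "$($_.PSPath)\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object {
          $p = Get-ItemProperty -Path $_.PSPath
          [pscustomobject]@{
            Hive        = $hive.Split(':')[0]
            Level       = $level
            Path        = $p.ItemData      # the rule's path, may contain env vars
            Description = $p.Description
          }
        }
    }
}
$rules | Sort-Object Hive, Level, Path | Format-Table -AutoSize

# 3. SRP events 865-868 (blocked by default level / path rule / publisher
#    rule / hash rule) from the Application log, last 24 hours.
Get-WinEvent -FilterHashtable @{
  LogName      = 'Application'
  ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
  Id           = 865, 866, 867, 868
  StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
  Format-Table -Wrap
```

Reproduce the IE launch-and-close once logging is on, then grep the log file for lines mentioning a path that is not covered by an Unrestricted rule; remove the LogFileName value when done, since the log grows with every process start.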
|
Stupid question here. I have GPO in bpinske.local to disable cmd and I want to set a GPO to enable it for only a specific group (named IT support inside of the BC OU). What is the proper way of doing this?
|
# ? Feb 10, 2015 05:47 |
|
I would put the IT users in a group, and then deny that group access to Apply the "NoCmdPmpt" GPO. (don't deny read access, eek). Do this in the Delegation Tab > Advanced button.
|
# ? Feb 10, 2015 06:13 |
|
Alternatively, remove Authenticated Users from the security filtering and add the IT group. Or don't, if only IT users are in the BC OU. Or do, if non-IT users are in there as well. Also don't enable enforcement unless you have a good reason for it.
|
# ? Feb 10, 2015 12:23 |
|
Is anyone using sharepoint online (o365) as a file server replacement? Would love to hear your experiences.
|
# ? Feb 11, 2015 17:07 |
|
Anyone here hosting a SQL server in a public cloud somewhere? We're thinking of getting our servers out of the basement here but are concerned about the latency. 100Mbps/10Mbps connection with at most 7 users using an app to access the DB. I'm working in the test environment now but I have a lot of configuring to do first before I can test this.
|
# ? Feb 11, 2015 17:18 |
|
The latency won't be a problem with a pipe like that. How often does your internet go down is the question and if you want/need a backup DSL or cable line for emergencies.
|
# ? Feb 11, 2015 17:25 |
|
GreenNight posted:The latency won't be a problem with a pipe like that. How often does your internet go down is the question and if you want/need a backup DSL or cable line for emergencies. Seems pretty rock solid. We will be installing a second 30/30 pipe into our SonicWall as well. I hope the failover clustering built into it is actually good.
|
# ? Feb 11, 2015 17:32 |
|
GreenNight posted:The latency won't be a problem with a pipe like that. Latency could be an issue if the app does something crazy like hundreds of tiny queries for a specific action. If the latency used to be 0.1ms and you click a button that performs 100 queries to do its job, then network latency accounts for 10ms for that button's action. Do that over a 100mb connection where you have 25ms of latency to the SQL server, and now you're waiting 2.5 seconds for that button to do its thing. But that's a crazy example, and I highly doubt the app in question is doing that. Plus, if you run the app server on the same cloud provider, then it won't matter.
|
# ? Feb 11, 2015 17:44 |
|
Erwin posted:That's not how latency works, but you probably didn't mean to word it that way. a 100mb/s connection can have a higher latency than a 1.5mb/s T1, and if so, then the latter would generally perform better for SQL queries that aren't returning millions of rows. The software is running on each user's local computer. I suppose I could start doing virtual desktops but that's more than I wanted to do. Also, I wouldn't put it past this developer to do 100 queries just for pressing 1 button. The software is a poo poo show.
|
# ? Feb 11, 2015 17:47 |
|
Apps that are remote from the SQL DB can be really bad news. There's almost certainly something one user can do that will bring the pipe to its knees and disrupt everybody. In a lot of business apps it would be reporting-related.
|
# ? Feb 11, 2015 17:54 |
|
Does anyone have a simple solution for Font installation on semi-secure (i.e. UAC enabled, users don't have admin rights) domain computers? Our art department (mac users) is constantly using new fonts, and then sending them to our Windows users who can't install them without IT intervention. I've been working on setting up a script to auto-install fonts from a shared folder all morning, with not much success.
|
# ? Feb 11, 2015 17:58 |
|
NevergirlsOFFICIAL posted:Is anyone using sharepoint online (o365) as a file server replacement? Would love to hear your experiences. Sharepoint is designed for the storage of documents not 8gb backups of 2girlsandatroll.avi This may have changed with the latest version but I wouldn't trust it without testing profusely.
|
# ? Feb 11, 2015 18:12 |
|
Gerdalti posted:Does anyone have a simple solution for Font installation on semi-secure (i.e. UAC enabled, users don't have admin rights) domain computers? Our art department (mac users) is constantly using new fonts, and then sending them to our Windows users who can't install them without IT intervention. GPO Deploy the font files themselves from a UNC share, and then deploy the appropriate registry entries via that same GPO.
|
# ? Feb 11, 2015 18:16 |
|
Gyshall posted:GPO Deploy the font files themselves from a UNC share, and then deploy the appropriate registry entries via that same GPO. I was super hoping to be able to avoid having to create a registry entry for each one. We have dozens of "new fonts" a day.
|
# ? Feb 11, 2015 18:21 |
|
You can probably set up a scheduled task to scan a folder and import new fonts.
|
# ? Feb 11, 2015 18:23 |
|
GreenNight posted:You can probably setup a scheduled task to scan a folder and import new fonts. I'm trying to get them to install at logon. The issue seems to be that the Fonts directory is owned by "Trusted Installer" so you can't set its permissions via GPO. Same with the Fonts Cache. I'm seriously considering an encrypted password style RunAs... script that just runs as an Admin account (that can't do much of anything else).
|
# ? Feb 11, 2015 18:25 |
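The scheduled-task approach suggested above avoids both the RunAs-with-a-stored-password idea and per-font GPO registry entries: a task running as the built-in SYSTEM account (logon trigger, or a GPO startup script) copies new files into the Fonts folder and writes the registry entry itself. The script below is an added example, not from the thread; the share path is assumed, and it expects PowerShell 3 or later.

```powershell
# Added example, not from the thread. Copies new .ttf/.otf files from a
# read-only share into %windir%\Fonts and registers them under the Fonts
# key, so users never need admin rights. Run as SYSTEM (scheduled task or
# GPO startup script), never under the user's own account.
$share    = '\\fileserver\fonts$'   # assumed UNC path, read-only for users
$fontDir  = Join-Path $env:windir 'Fonts'
$fontsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'

Add-Type -AssemblyName System.Drawing

function Get-FontFamilyName([string]$Path) {
    # Ask GDI+ for the family name stored inside the font; fall back to the
    # file name for fonts GDI+ cannot parse (some CFF-based .otf files).
    $pfc = New-Object System.Drawing.Text.PrivateFontCollection
    try     { $pfc.AddFontFile($Path); $pfc.Families[0].Name }
    catch   { [IO.Path]::GetFileNameWithoutExtension($Path) }
    finally { $pfc.Dispose() }
}

$installed = 0
Get-ChildItem -Path $share -Include *.ttf, *.otf -Recurse |
  Where-Object { -not $_.PSIsContainer } |
  ForEach-Object {
    $dest = Join-Path $fontDir $_.Name
    if (Test-Path $dest) { return }          # already installed, skip

    # Copy first, then register; the registry value (file name only, since
    # the file lives in the Fonts folder) is what makes Windows load the
    # font at the next boot or logon.
    Copy-Item -Path $_.FullName -Destination $dest -ErrorAction Stop
    $kind = if ($_.Extension -ieq '.otf') { 'OpenType' } else { 'TrueType' }
    $name = '{0} ({1})' -f (Get-FontFamilyName $dest), $kind
    New-ItemProperty -Path $fontsKey -Name $name -Value $_.Name `
                     -PropertyType String -Force | Out-Null
    $installed++
    Write-Output "Installed $($_.Name) as '$name'"
  }
Write-Output "$installed new font(s) registered"
```

Because the share is the only thing the art department writes to, the task never runs anything the designers supply; it only copies files with a font extension, and a font they remove from the share stays installed until IT cleans it up.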
|
http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-execution-in-all-versions-of-windows/ Time to patch your poo poo.
|
# ? Feb 11, 2015 18:33 |
|
Jeoh posted:http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-execution-in-all-versions-of-windows/ I don't really understand this bug. How bad is this?
|
# ? Feb 11, 2015 18:50 |
|
Do you have users with domain attached laptops? If yes then this is very serious. If not it's still possible for an attack but it would have to be inside your LAN so you can just patch normally. An attacker would have to be able to compromise your network infrastructure and impersonate your domain controllers. If that's the case you probably have a lot more to worry about than this.
|
# ? Feb 11, 2015 19:11 |
|
My RDS server died after a power cut (no data on it) so I've virtualised it (using free Hyper-V Server 2012)! It also had the KMS service on it because it was our first 2k8r2 server. Now that I've virtualised, I don't know where I should install the KMS server. Do I just throw it on the main DC or should I give it its own virtualised Server Core with few resources? Things I did wrong:
alanthecat fucked around with this message at 19:20 on Feb 11, 2015 |
# ? Feb 11, 2015 19:17 |
|
Am I correct in thinking that putting a DNS blackhole in place for _ldap.*, _gc.*, and _kerberos.* SRV records would do Bad Things to a domain?
|
# ? Feb 11, 2015 19:18 |
|
alanthecat posted:My RDS server died after a power cut (no data on it) so I've virtualised it (using free Hyper-V Server 2012)! It also had the KMS service on it because it was our first 2k8r2 server. Now that I've virtualised, I don't know where I should install the KMS server. Do I just throw it on the main DC or should I give it its own virtualised Server Core with few resources? I have mine on a separate server with WSUS, although I'm sure it's fine on the main DC.
|
# ? Feb 11, 2015 19:20 |
|
Tolan posted:Am I correct in thinking that putting a DNS blackhole in place for _ldap.*, _gc.*, and _kerberos.* SRV records would do Bad Things to a domain? You would completely break it. edit: I'm personally not a fan of running anything on a DC at all. Throw KMS on any other server in the environment you can. It's not the end of the world if you have to put it on there, but I don't recommend it. I'm a bit spoiled though where I don't have to make hard resource decisions like that. KMS on its own server is a bit of a waste as well. It can exist anywhere really. skipdogg fucked around with this message at 19:26 on Feb 11, 2015 |
# ? Feb 11, 2015 19:23 |
|
skipdogg posted:You would completely break it. I love our security team.
|
# ? Feb 11, 2015 19:25 |
|
It sort of looks like you can man in the middle attack a file request from a user, and then execute the malicious code on their workstation with their access rights. Am I close?
|
# ? Feb 11, 2015 19:25 |
|
Hadlock posted:It sort of looks like you can man in the middle attack a file request from a user, and then execute the malicious code on their workstation with their access rights. Am I close? Yup. Computer requests a file (in the example a logon script), MITM attack provides a malicious file by spoofing the file server. That file gets executed with either user level permission or even System level permission depending on how it's set up. With the right code, you own the box.
|
# ? Feb 11, 2015 19:28 |
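The patch for the Group Policy bug discussed above added a "Hardened UNC Paths" policy (Computer Configuration > Policies > Administrative Templates > Network > Network Provider) that makes clients require mutual Kerberos authentication and SMB integrity for the SYSVOL and NETLOGON shares, which is exactly what a spoofed file server serving a logon script cannot satisfy. The script below is an added example, not from the thread: it audits the registry values that policy writes and, with -Apply, sets them on a machine that is not getting them from a GPO.

```powershell
# Added example, not from the thread. Audits (and with -Apply sets) the
# Hardened UNC Paths values so \\*\SYSVOL and \\*\NETLOGON require mutual
# authentication and SMB integrity. Run elevated; the values only have an
# effect on clients that already have the corresponding update installed.
param([switch]$Apply)

$keyPath  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$required = 'RequireMutualAuthentication=1, RequireIntegrity=1'
$shares   = '\\*\SYSVOL', '\\*\NETLOGON'

function Test-HardenedPath([string]$Share) {
    # True only when both flags are explicitly set to 1 for this share.
    # .NET is used because the value names contain '*', which the registry
    # provider cmdlets would treat as a wildcard.
    $v = [Microsoft.Win32.Registry]::GetValue($keyPath, $Share, $null)
    if (-not $v) { return $false }
    $flags = @{}
    foreach ($pair in ($v -split ',')) {
        $name, $val = ($pair.Trim() -split '=', 2)
        $flags[$name.Trim()] = $val
    }
    return ($flags['RequireMutualAuthentication'] -eq '1' -and
            $flags['RequireIntegrity'] -eq '1')
}

foreach ($s in $shares) {
    $ok = Test-HardenedPath $s
    Write-Output ('{0,-13} hardened: {1}' -f $s, $ok)
    if (-not $ok -and $Apply) {
        # SetValue creates the key if it does not exist yet.
        [Microsoft.Win32.Registry]::SetValue($keyPath, $s, $required,
            [Microsoft.Win32.RegistryValueKind]::String)
        Write-Output "  -> set to '$required' (takes effect after gpupdate or reboot)"
    }
}
```

Prefer the GPO setting for domain-joined machines and keep this for auditing or for laptops that rarely see a domain controller; a client that lacks the update silently ignores the values, so the audit passing is not proof the machine is protected.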
|
Gerdalti posted:Does anyone have a simple solution for Font installation on semi-secure (i.e. UAC enabled, users don't have admin rights) domain computers? Our art department (mac users) is constantly using new fonts, and then sending them to our Windows users who can't install them without IT intervention. Your problem is designers running amok. Having managed them, I bet the process they are using looks like this:
See font
Download and install
Make document using font as demonstrator
Send font to others so they can install it
Send document around demonstrating font
Be upset when font isn't available on Windows machine
Get it installed for everybody
Decide font sucks
Never use it again, or use it once.
You need to determine what the expected usage for a font is, and then break out the steps into ones they have more control over. Eg: all font evaluations are done via PDFs. Only once a font is approved is it installed on all clients. They also need to assign a font to a specific project or group of projects, so it can be cleaned up when those projects are completed. If they are crazy about it and won't do this, or you don't have the ability to make them, get a quote for Extensis Universal Type Server, which handles all this and has a bunch of assignable access levels and font management tools for Mac and PC. It will let them manage their own mess. Good luck.
|
# ? Feb 11, 2015 19:49 |
|
^^ Great post right here. Key word is control, for your and their sanity.
|
# ? Feb 11, 2015 20:12 |
|
EoRaptor posted:If they are crazy about it and won't do this, or you don't have the ability to make them, get a quote for Extensis Universal Type Server, which handles all this and has a bunch of assignable access levels and font management tools for Mac and PC. It will let them manage their own mess. 100x this. Giving people local admin will only bring pain. It also stops your designers from stealing fonts, which is how you pitch the cost of Extensis to management. You get caught printing/publishing stolen fonts and the licensing cost will seem small.
|
# ? Feb 11, 2015 21:32 |
|
UTS is genuinely good software and Extensis support is really competent as well.
|
# ? Feb 11, 2015 21:38 |
|
|
EoRaptor posted:Your problem is designers running amok. Having managed them, I bet the process they are using looks like this: That's about right, yes. I really do need to get them to nail this process down. I'll check Extensis UTS out if I can't get them to come up with a more sane method of doing things. mayodreams posted:100x this. Giving people local admin will only bring pain. It also stops your designers from stealing fonts, which is how you pitch the cost of Extensis to management. You get caught printing/publishing stolen fonts and the licensing cost will seem small. I have been down that path before, it brings nothing but (liver) pain. We took admin away from every user in the building about 6 days after I started at this job, and aside from some recent explosive growth (for a small company with 1.5 IT people anyhow) things have been quite smooth. We're also getting prepped for a Soc 2 Type 2 audit, which is allowing me to lock-down/secure even more things, and when people complain I go: "Sorry, Soc 2 ya know". It's the best.
|
# ? Feb 11, 2015 22:00 |