Oh noooo, can't have that for a PCI audit. The absolute horror.

# Aug 8, 2015 14:12
The client I've been working with the past few weeks is a school that has requested all student passwords are set to never expire in addition to keeping a spreadsheet of all student names and passwords.... In an unencrypted file on a network share.

# Aug 8, 2015 14:26
|
I have tried to fight the good fight where I work about what we do when our clients request access to other users mailboxes in their Office 365 subscriptions. I have written pages of documentation on how it's possible to grant permission to other mailboxes, how to open those mailboxes, and how the auditing tools work. It doesn't stop people just resetting passwords and handing the details out. Maybe I'm weird but I'd be pretty pissed off if I came back from a holiday and found that someone had reset my mail password to get into it.

# Aug 8, 2015 14:35
|
I work at a school and just got to a point where each student user account is actually unique. I can't imagine trying to get the teachers to deal with student passwords that aren't written out somewhere. Hell I have a mile long list of nasty emails every time we go through a password change because people can't remember what they typed in.

# Aug 8, 2015 15:29
|
pyrofreak421 posted:
> I work at a school and just got to a point where each student user account is actually unique. I can't imagine trying to get the teachers to deal with student passwords that aren't written out somewhere. Hell I have a mile long list of nasty emails every time we go through a password change because people can't remember what they typed in.

Yeah I kind of understand the necessity of it and that it's not like the kids really have any sensitive info in their accounts, it's just the principle of it that makes me feel like I'm doing something completely wrong. Each kid has their own O365 account for email too, and no AD sync at this point.

# Aug 8, 2015 15:53
|
The problem is kids are bastards. Give them something static and they'll gently caress with each others accounts, let them pick their own and you'll be resetting them constantly (we reset 3% of freshman accounts every day, first year I've done self-assigned PW). I think I might go with a matrix of colors, picked randomly + their 4-digit student ID for next year e.g. Green0023, Violet3452

# Aug 8, 2015 15:59
|
crunk dork posted:
> Yeah I kind of understand the necessity of it and that it's not like the kids really have any sensitive info in their accounts, it's just the principle of it that makes me feel like I'm doing something completely wrong. Each kid has their own O365 account for email too, and no AD sync at this point.

https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx

# Aug 8, 2015 15:59
|
I wish.... They want their O365 account to have the same password as their domain account too, but didn't reveal this until after I had created all of their mailboxes. They really just need to sync it with AD and make life easier on everyone since they use LDAP for PowerSchool too, but I've never set that up and my boss said that it's a pain in the rear end to deal with? I'll probably figure something out in powershell to pull from a CSV with their UPN and password to set their email passwords to the same and not request them to change it on login.

# Aug 8, 2015 16:08
|
Cell phone PW resets are pretty cool but the issue is putting this stuff outside of your domain of control. Kids are shitlords and will pretend to forget things to get out of doing work. If you put that control on their personal email address you're going to get very frustrated, and lots of schools have policies against cell phones in the classroom.

# Aug 8, 2015 16:11
|
Thanks Ants posted:
> I have tried to fight the good fight where I work about what we do when our clients request access to other users mailboxes in their Office 365 subscriptions. I have written pages of documentation on how it's possible to grant permission to other mailboxes, how to open those mailboxes, and how the auditing tools work. It doesn't stop people just resetting passwords and handing the details out.

# Aug 8, 2015 16:56
|
That would be totally against policy and show up in a cursory audit. Resetting one's password without requiring a change, however, is plausible deniability!

# Aug 8, 2015 17:28
|
Roargasm posted:
> The problem is kids are bastards. Give them something static and they'll gently caress with each others accounts, let them pick their own and you'll be resetting them constantly (we reset 3% of freshman accounts every day, first year I've done self-assigned PW). I think I might go with a matrix of colors, picked randomly + their 4-digit student ID for next year e.g. Green0023, Violet3452

We use first four of their birthday and last four of their social. I'd be interested in metrics of password resets, as we have three different systems using different passwords. Network acct, student portal acct (for stuff like transcripts, class schedules, financial aid stuff), and O365 account. It would be nice to sync them all, but at this point that would be a huge project to be undertaken during the beginning of the summer.

# Aug 8, 2015 17:51
|
Exactly this, which goes along with the 'I have more accounts than you do so I completely understand your frustration with the password expiration policy' poker face. See also: my laptop is NOT bound to AD and I am the only person with access to it. Our voice guy hates that and is super jealous of me running Win10 and Office 2016 while he is stuck with Office 2007. Although it's more that I don't need any rogue GPO to make it so I can't work, which actually happened to quite a few people in IT a few months ago as we have been rolling out more standardization and moving off of Novell / Zen.

# Aug 8, 2015 22:34
|
Can anyone show official Microsoft Documentation that with Office 365 you get Azure AD Basic? On a completely different note, has anyone worked for or with Century Link? If so, how did you like it?

Gucci Loafers fucked around with this message at 00:10 on Aug 9, 2015

# Aug 9, 2015 00:05
|
I don't think you do get Basic with Office 365, you get the free version with the total object count limit removed. https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

# Aug 9, 2015 00:48
|
Tab8715 posted:
> Can anyone show official Microsoft Documentation that with Office 365 you get Azure AD Basic?

I work with CenturyLink; previously Qwest. They're ok. The billing people are slow as hell to process contract mods. Otherwise they've been fine; any specific questions? Use them for data center on both sides of the US

# Aug 9, 2015 01:10
|
Walked posted:
> Otherwise they've been fine; any specific questions?

I was reading a Gartner article earlier and surprised to see them listed as a major cloud provider. I didn't know they did anything aside from telecommy stuff and have never come across any discussions of the company online or off.

# Aug 9, 2015 03:00
|
Tab8715 posted:
> I was reading a Gartner article earlier and surprised to see them listed as a major cloud provider.

They've advertised their cloud stuff to us a number of times, but we haven't really heard their offerings out. Not sure how it compares to Amazon or Azure, but we've had good success with Amazon's offerings on that front.

# Aug 9, 2015 03:09
|
CenturyLink works great. When it works. At that point good loving luck getting it fixed.

# Aug 9, 2015 03:34
|
CloFan posted:
> We use first four of their birthday and last four of their social.

# Aug 9, 2015 05:53
|
Tab8715 posted:
> I was reading a Gartner article earlier and surprised to see them listed as a major cloud provider.

It's just a public openstack deployment with docker added on. Comparable to rackspace/HP/IBM. But some of their tooling (labs.centurylink, and it's all on github) is pretty interesting

# Aug 10, 2015 04:28
|
Does IBM have any cloud offerings or is that all through Softlayer?

# Aug 10, 2015 04:59
|
Tab8715 posted:
> Does IBM have any cloud offerings or is that all through Softlayer?

# Aug 10, 2015 05:41
|
Fellatio del Toro posted:
> Well after a week of mandatory vacation due to a government funding loving up I've been told I get to go work at a different nearby organization for the next two and a half weeks until the funding comes back. Hooray government contracting

I am continually in awe of GSA's ability to screw up payments and paperwork for contracting, thus forcing all my favorite contractors with whom I work to go take vacation time.

# Aug 10, 2015 11:05
|
Daylen Drazzi posted:
> So as long as ENSA exists I will still have a position - I was only anticipating it lasting until November 30th at the latest, but it looks like I may have 1 to possibly 2 years now instead of 5 months. My timing on this one was pretty drat near perfect.

There are other virtualization positions in the pipeline on base. You may be luckier than you realize.

# Aug 10, 2015 11:08
|
evol262 posted:
> It's just a public openstack deployment with docker added on. Comparable to rackspace/HP/IBM. But some of their tooling (labs.centurylink, and it's all on github) is pretty interesting

# Aug 10, 2015 15:28
|
Aunt Beth posted:
> Do you work for an Upstate NY community college?

Nah, rural Arkansas university

# Aug 10, 2015 15:45
|
Should've learned this a long time ago, but man is it nice to schedule specific times to check emails and ignore them altogether otherwise. I'm getting so much more done by not just responding to one-off emails as they come in and interrupt me. If something's on fire they can call me (luckily no one uses the phone around here).

# Aug 10, 2015 18:17
|
Japanese Dating Sim posted:
> Should've learned this a long time ago, but man is it nice to schedule specific times to check emails and ignore them altogether otherwise. I'm getting so much more done by not just responding to one-off emails as they come in and interrupt me. If something's on fire they can call me (luckily no one uses the phone around here).

# Aug 10, 2015 18:47
|
Any suggestions for a robust, offline, Windows AV scanning product? Tried AVG's offering the other day, no luck. Our endpoint protection didn't pick it up either. (Had a user get something that was spamming our DC with 1000+ requests per minute, leaving authentication failures in the DC log; hitting successive ports, one-by-one). Pulled him off the network immediately, but in the process of doing an incident report, and I'd really like to be able to identify what he managed to do to himself. Anyone seen something similar or have an offline solution to suggest?

# Aug 10, 2015 20:12
|
Walked posted:
> Any suggestions for a robust, offline, Windows AV scanning product? Tried AVG's offering the other day, no luck. Our endpoint protection didn't pick it up either.

Do you want something to remove this infection and cleanup the computer just this time? I have used norton power eraser a number of times to remove malware and it works pretty well. It really depends on what the problem is, you might be better off just wiping the computer.

# Aug 10, 2015 20:54
|
lampey posted:
> Do you want something to remove this infection and cleanup the computer just this time? I have used norton power eraser a number of times to remove malware and it works pretty well. It really depends on what the problem is, you might be better off just wiping the computer.

I don't care about cleanup; it will not be connected to a network again until the drive has been formatted (Actually replacing in our SSD transition anyways). Mainly just want to identify what he got; how he got it ("I installed some image software" according to him), and document/report accordingly.

# Aug 10, 2015 20:57
|
Use any anti-virus (kaspersky, MSSE), connect the drive to a different computer, right click > scan drive. And then malwarebytes anti-malware will catch garbage that the AV software doesn't consider a virus but is obnoxious

# Aug 10, 2015 23:12
|
Aunt Beth posted:
> Do you work for an Upstate NY community college?

I think I went here....

# Aug 10, 2015 23:34
|
KillHour posted:
> I think I went here....

# Aug 11, 2015 04:17
|
I don't really understand how Windows permissions work. Does Cryptolocker need admin to work, or does it just get access to more that way? I finally have a supervisor who doesn't think security is unnecessary, and while I doubt she will get us off the "all users are administrators" platform soon, it would be nice to get the bug in peoples' ears that anyone getting a virus could take out an entire site. Can cryptolocker go through RDP sessions?

# Aug 11, 2015 04:52
|
What's bad about cryptolocker is it only needs permissions to the files. You can limit damage by making sure your users only each have access to the stuff they need access to (including locking things down to read only). However, if the user has permission to modify files, cryptolocker will run rampant on them. So, admin could make things worse by giving them more access to files, but cryptolocker can still do a ton of damage with user level access.

# Aug 11, 2015 05:00
|
The core process itself, not being an installed program but simply an executable likely running from an untrusted location, should kick up a UAC prompt. Most users are 'trained' to mash the OK button without reading, so giving admin rights to these people means cryptowall gets to execute the code. Taking admin away will require an admin password to execute the process so users will either cancel and ignore or put in a ticket to unwittingly destroy their data.

22 Eargesplitten posted:
> Can cryptolocker go through RDP sessions?

It will attempt to hit every accessible mapped drive. If you like to attach your local C drive on RDP sessions, it could likely hit your local computer until you disconnected the session.

# Aug 11, 2015 05:51
|
Aunt Beth posted:
> HVCC? That's what I'm thinking of. Maybe this password formula is just SOP in education.

Wasn't there. Must be common.

# Aug 11, 2015 05:59

bull3964 posted:
> What's bad about cryptolocker is it only needs permissions to the files. You can limit damage by making sure your users only each have access to the stuff they need access to (including locking things down to read only). However, if the user has permission to modify files, cryptolocker will run rampant on them.

Pretty much this. The best security against crypto* is having good backups. Fortunately I have secure locked down home drives that map "My Documents" for all users. This means I get a nice little indicator of who my culprit was (As they end up encrypting half of their My Docs which only they have access to). One guy got us twice and got a good yelling at.

# Aug 11, 2015 15:58
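The last three posts make the same point from three angles: ransomware running as a user needs nothing but that user's own write rights, so the damage is bounded by what the user can modify, mapped drives included, and a locked-down home drive tells you whose account did it. The PowerShell below is an added example written for this thread, not code posted by anyone in it. It audits a share root for directories where anything other than the expected administrative identities holds a write-class right, trims a group back to read and execute on a folder, and checks a set of canary files against a recorded SHA256 baseline, reporting the owner of any file that was recreated. The share path `D:\Shares`, the group `CONTOSO\Students`, the canary folder and the baseline path are all placeholders.

```powershell
# Added example for the thread's least-privilege discussion; not code from any poster.
# Needs Windows PowerShell 4.0 or later (Get-FileHash) and an account that can read the ACLs.
# All paths and group names below are placeholders.

# Bits that let a process create, change or delete file content. Read and execute bits are
# deliberately left out: a user holding only those rights cannot overwrite their files.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
    [System.Security.AccessControl.FileSystemRights]::AppendData -bor
    [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
    [System.Security.AccessControl.FileSystemRights]::Delete -bor
    [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Some inherited ACEs carry raw generic rights instead of named ones; GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000) both grant writes, so treat them as writable too.
$GenericWriteMask = 0x40000000 -bor 0x10000000

function Get-UserWritableDirectory {
    param(
        [Parameter(Mandatory)][string]$ShareRoot,
        # Identities that are expected to hold write rights everywhere (placeholder list).
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )
    $dirs = @(Get-Item -Path $ShareRoot) +
            @(Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            $raw = [int]$ace.FileSystemRights
            if ((($raw -band $WriteMask) -ne 0) -or (($raw -band $GenericWriteMask) -ne 0)) {
                # One finding per directory/identity pair that could be encrypted by that identity.
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Set-ReadOnlyAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $acl = Get-Acl -Path $Path
    # Remove the identity's explicit ACEs (inherited ones have to be fixed on the parent),
    # then allow Read & Execute only, inherited by subfolders and files.
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, [System.Security.AccessControl.FileSystemRights]::ReadAndExecute, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function New-CanaryBaseline {
    param([Parameter(Mandatory)][string]$CanaryDir, [Parameter(Mandatory)][string]$BaselineFile)
    # Record a SHA256 per canary file; the canaries are ordinary documents nobody is meant to edit.
    Get-ChildItem -Path $CanaryDir -File | ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName; Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    } | Export-Csv -Path $BaselineFile -NoTypeInformation
}

function Test-CanaryFiles {
    param([Parameter(Mandatory)][string]$BaselineFile)
    foreach ($entry in Import-Csv -Path $BaselineFile) {
        $missing = -not (Test-Path -LiteralPath $entry.Path)
        $changed = (-not $missing) -and ((Get-FileHash -Path $entry.Path -Algorithm SHA256).Hash -ne $entry.Hash)
        if ($missing -or $changed) {
            # A file that was recreated rather than edited in place is owned by the account that
            # created it, which, together with whose drive was hit, points at the culprit.
            $owner = if ($missing) { 'n/a' } else { (Get-Acl -Path $entry.Path).Owner }
            [pscustomobject]@{ Path = $entry.Path; State = $(if ($missing) { 'Missing' } else { 'Modified' }); Owner = $owner }
        }
    }
}

# Example use (placeholders):
# Get-UserWritableDirectory -ShareRoot 'D:\Shares' | Format-Table -AutoSize
# Set-ReadOnlyAccess -Path 'D:\Shares\Policies' -Identity 'CONTOSO\Students'
# New-CanaryBaseline -CanaryDir 'D:\Shares\Canary' -BaselineFile 'C:\Admin\canary-baseline.csv'
# Test-CanaryFiles -BaselineFile 'C:\Admin\canary-baseline.csv'
```

Run the audit first and read the output before touching any ACL: every row is a place where a compromised account could encrypt files, and the `Inherited` column tells you whether the fix belongs on that folder or on a parent. Canary checks only catch damage after the fact, so they complement, rather than replace, the backups the last poster calls the best defence.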