Collateral Damage
Jun 13, 2009

Dr. Arbitrary posted:

We had two domains, for regulatory reasons. The two logins were similar: 12345 and 12345corp.

A good chunk of programs used the active directory credentials. A lot of other ones did not, but still used employee numbers for the username.
We're in a similar situation due to a semi-recent merger.

Two AD domains, where domain ABC uses a login like jsmith and domain XYZ uses the employee number. The latter is used for workstation login, while any server resources are authenticated by ABC. Except some. Establishing a trust between the domains is of course impossible because ~policy~. In addition a bunch of legacy systems use a third party LDAP directory which also uses the employee number as user name.

A large number of people just can't wrap their head around having the same user name but different passwords, and the various systems usually don't make it very clear which account it wants you to use.

Oh, and the three directories have different password requirements and different password expiry periods.

:suicide:

Khisanth Magus
Mar 31, 2011

Vae Victus

Collateral Damage posted:

We're in a similar situation due to a semi-recent merger.

Two AD domains, where domain ABC uses a login like jsmith and domain XYZ uses the employee number. The latter is used for workstation login, while any server resources are authenticated by ABC. Except some. Establishing a trust between the domains is of course impossible because ~policy~. In addition a bunch of legacy systems use a third party LDAP directory which also uses the employee number as user name.

A large number of people just can't wrap their head around having the same user name but different passwords, and the various systems usually don't make it very clear which account it wants you to use.

Oh, and the three directories have different password requirements and different password expiry periods.

:suicide:

My only problem at my previous employer that had 2 systems like this was when I would get on to something I hadn't used in a long time and couldn't remember which logon that system used. Then there was the whole not remembering my employee ID number because I rarely used it.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Collateral Damage posted:

We're in a similar situation due to a semi-recent merger.

Two AD domains, where domain ABC uses a login like jsmith and domain XYZ uses the employee number. The latter is used for workstation login, while any server resources are authenticated by ABC. Except some. Establishing a trust between the domains is of course impossible because ~policy~. In addition a bunch of legacy systems use a third party LDAP directory which also uses the employee number as user name.

A large number of people just can't wrap their head around having the same user name but different passwords, and the various systems usually don't make it very clear which account it wants you to use.

Oh, and the three directories have different password requirements and different password expiry periods.

:suicide:

I have a bunch of different systems I log into that utilize the same naming structure: first initial, last name. They do have different password complexity and expiry requirements. For my Windows logins, when one expires I just change them all; for the other stuff, when one expires I change all of those. Seems to work well.

Proteus Jones
Feb 28, 2013

MF_James posted:

I have a bunch of different systems I log into that utilize the same naming structure: first initial, last name. They do have different password complexity and expiry requirements. For my Windows logins, when one expires I just change them all; for the other stuff, when one expires I change all of those. Seems to work well.

Yeah, I have 4 different directory accounts I do that with. That way I don't have to play Match the Password With the Account. I know it's not operationally secure since these networks will never have trust and don't interact with each other. I suppose I can always track them manually in 1Password or something.

seadweller
Mar 30, 2010

EoRaptor posted:

Exchange will only send out an OOO to any given email once every calendar day, just to prevent this exact scenario. Outlook running standalone has the same limit.

Way way back in 1996 I had just started work supporting users on a helpdesk. I had someone ask how they set up an out of office reply and how to test it. So before doing it for them I decide to set up the rule in my own Pegasus mail, (I miss Pegasus), and sent a test email. This worked well so I logged out and went to help them set it up. By the time I got back and tried to log in I had approximately 32,000 emails in my inbox. :vince:

Luckily the guy who caught the loop and I got along, so he cleared it and I avoided a bollocking. Lesson learnt there. Always test in the users account! :nono:

Bohemian Cowabunga
Mar 24, 2008

We have a bunch of external users that only use email, and the current solution to avoid having them locked out every 90 days is to have their passwords never expire.
On top of that we have the usual normal user lockouts because of forgotten passwords, and the current procedure is resetting them over the phone.

I have therefore been asked to look into a self-service portal for resetting passwords; it could be 2-factor or just a plain portal with personal security questions.
Before I look around the web, I was wondering if anyone has any recommendations?

Smoke
Mar 12, 2005

I am NOT a red Bumblebee for god's sake!

Gun Saliva
I've basically got over a dozen passwords for my helpdesk job. Some expire, some don't; those that expire have different ranges (30 days for one, 90 for the other), and some systems have separate logins. This is all due to us working with a giant pile of different programs and systems, all industry/company-specific.

There are some attempts at consolidating everything and reducing the amount of logins, but it's gonna take a few years. One of the main applications we use still runs in a terminal emulator, and it's been around since the 80s. It's pretty much rock-solid though, and user interaction is mainly handled by a frontend.

deimos
Nov 30, 2006

Forget it man this bat is whack, it's got poobrain!
Nm. Reset <> change.

Ugato
Apr 9, 2009

We're not?
That's one thing I'm really starting to appreciate about my previous job - they did a hell of a job integrating as many systems as they could via AD. It made my life a lot easier because I only had 3 total passwords.

KillHour
Oct 28, 2007


Ugato posted:

That's one thing I'm really starting to appreciate about my previous job - they did a hell of a job integrating as many systems as they could via AD. It made my life a lot easier because I only had 3 total passwords.

I know this is a lot of work (and isn't always possible), but damned if it isn't worth it in so many ways.

Super Slash
Feb 20, 2006

You rang ?

Bohemian Cowabunga posted:

We have a bunch of external users that only use email, and the current solution to avoid having them locked out every 90 days is to have their passwords never expire.
On top of that we have the usual normal user lockouts because of forgotten passwords, and the current procedure is resetting them over the phone.

I have therefore been asked to look into a self-service portal for resetting passwords; it could be 2-factor or just a plain portal with personal security questions.
Before I look around the web, I was wondering if anyone has any recommendations?

Not exactly a recommendation, but Outlook Web App comes in handy for this, as it detects expiries and lets you change your password... except people still can't loving figure out how to use it.

Type in user name, type in password, oh no your password has expired! Follow these instructions which will take no more than 10 seconds.

Ugato posted:

That's one thing I'm really starting to appreciate about my previous job - they did a hell of a job integrating as many systems as they could via AD. It made my life a lot easier because I only had 3 total passwords.

This is one thing I actually sympathise with our users on, and I want to implement ADFS/SSO so hard.

DigitalMocking
Jun 8, 2010

Wine is constant proof that God loves us and loves to see us happy.
Benjamin Franklin

Ugato posted:

That's one thing I'm really starting to appreciate about my previous job - they did a hell of a job integrating as many systems as they could via AD. It made my life a lot easier because I only had 3 total passwords.

I have two passwords.

User AD login.
Admin AD login.

These log me into Windows, Linux, Routers, Switches, Security System, vSphere, SAN and our storage systems. That's it, any organization with more than that is doing it wrong. :colbert:

BaseballPCHiker
Jan 16, 2006

DigitalMocking posted:

I have two passwords.

User AD login.
Admin AD login.

These log me into Windows, Linux, Routers, Switches, Security System, vSphere, SAN and our storage systems. That's it, any organization with more than that is doing it wrong. :colbert:

Look at this hotshot with one AD account for every server and network device in his company. I must be doing things wrong.

Rooted Vegetable
Jun 1, 2002

BaseballPCHiker posted:

Look at this hotshot with one AD account for every server and network device in his company. I must be doing things wrong.

Does it help to say that I'm the same way? Thanks to ADFS, Azure and many of our externally provided services too

BaseballPCHiker
Jan 16, 2006

You guys don't use service accounts for those types of things? Maybe I'm just paranoid, but I prefer to have a different service account and password for everything.

Mustache Ride
Sep 11, 2001

We're not that.... together, I guess. But I have an AD login, which then works on our Privileged Account Management, which I then use as a personal keystore with all of our tools, vendor accounts, random logins, everything including the DA accounts. gently caress having a password for that poo poo. I can check that out for a few minutes at a time, give a reason I'm accessing it, and the PAM tool changes it after a timeout to another random password which I then have to check out again. It's annoying, but it's safe.

BaseballPCHiker
Jan 16, 2006

Mustache Ride posted:

We're not that.... together, I guess. But I have an AD login, which then works on our Privileged Account Management, which I then use as a personal keystore with all of our tools, vendor accounts, random logins, everything including the DA accounts. gently caress having a password for that poo poo. I can check that out for a few minutes at a time, give a reason I'm accessing it, and the PAM tool changes it after a timeout to another random password which I then have to check out again. It's annoying, but it's safe.

What do you use for your PAM? I've looked at Secret Server in the past but ultimately haven't moved past using KeePass.

SSO is great for end users, for the most part. I've used Okta in the past and the few people who actually learned to use it loved it, but 90% of our sales idiots still couldn't figure it out. This was before Azure had really taken off though; I don't know if that is a better product now.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

BaseballPCHiker posted:

What do you use for your PAM? I've looked at Secret Server in the past but ultimately haven't moved past using KeePass.

SSO is great for end users, for the most part. I've used Okta in the past and the few people who actually learned to use it loved it, but 90% of our sales idiots still couldn't figure it out. This was before Azure had really taken off though; I don't know if that is a better product now.

We use PasswordState and we love it. Can't say enough good things about it and it's free for up to 5 users.

Mustache Ride
Sep 11, 2001

We're using Thycotic Secret Server. It's pretty nice, and we finally got it working with SSH keys, so now all my Linux passwords are being rotated like the Windows ones.

beepsandboops
Jan 28, 2014
A ticket came in: our sales guy took a screenshot of a website he had a question about, emailed it to himself, printed it out, then brought the print out to us.

I think I'm going to write up an answer, scan it, fax it to myself, then snail mail it to him.

neogeo0823
Jul 4, 2007

NO THAT'S NOT ME!!

beepsandboops posted:

A ticket came in: our sales guy took a screenshot of a website he had a question about, emailed it to himself, printed it out, then brought the print out to us.

I think I'm going to write up an answer, scan it, fax it to myself, then snail mail it to him.

Embroider the printed fax onto a scarf and tie that to a carrier pigeon to send to him.

DigitalMocking
Jun 8, 2010

Wine is constant proof that God loves us and loves to see us happy.
Benjamin Franklin

BaseballPCHiker posted:

Look at this hotshot with one AD account for every server and network device in his company. I must be doing things wrong.

Please note I didn't set any of this poo poo up except for the routers/firewalls/switches, everything else was our awesome sysadmin team.

Alighieri
Dec 10, 2005


:dukedog:

beepsandboops posted:

A ticket came in: our sales guy took a screenshot of a website he had a question about, emailed it to himself, printed it out, then brought the print out to us.

I think I'm going to write up an answer, scan it, fax it to myself, then snail mail it to him.

Be sure to run it through google translate a few times to get the wording just right.

BOOTY-ADE
Aug 30, 2006

BIG KOOL TELLIN' Y'ALL TO KEEP IT TIGHT

AllTerrineVehicle posted:

A prophecy came in:

Thrice the U is doubled, name the demon of Page and Brin, com the storm that clouds your mind. Do this, and the answers you seek shall be revealed.

Only twice was the U doubled, leading to the mysterious Four of Fours gate to the ethereal realm, a placard reading "Your Path To Enlightenment Is Not In This Location. Contact The Lord Of The Realm For The Correct Course"

beepsandboops posted:

A ticket came in: our sales guy took a screenshot of a website he had a question about, emailed it to himself, printed it out, then brought the print out to us.

I think I'm going to write up an answer, scan it, fax it to myself, then snail mail it to him.

Three words: Morse Code Telegram

BOOTY-ADE fucked around with this message at 19:51 on Jan 21, 2016

AlexDeGruven
Jun 29, 2007

Watch me pull my dongle out of this tiny box


Ozz81 posted:

Three words: Morse Code Telegram

After encoding it into a QR code and extracting the binary for the 2-color TIFF.

Caconym
Feb 12, 2013

Mustache Ride posted:

We're using Thycotic Secret Server. It's pretty nice, and we finally got it working with SSH keys, so now all my Linux passwords are being rotated like the Windows ones.

So are we, that is, security casually announced that it exists and to make a ticket for access.
I replied asking if it's established as a critical service with HA and 24/7 on-call support, and if so which of our 46 on-call teams has the responsibility, also I can't find it in the service catalog and it's not modeled in the CMDB meaning SCOM isn't monitoring it and did they really think we'd put in all our passwords to the critical systems we manage under those circumstances, we'll stick with our 2fish-encrypted PasswordSafe that we can sync to our laptops so we have it available on-site during a network outage thanks.

Never heard a thing. I honestly think none of those things occurred to them, they just set it up and called it a day, revealing just how divorced they are from the "integrity" and "availability" components of security.

And the Secret Server instance appears to be completely default with no customization at all, so it kinda sucks.

pr0digal
Sep 12, 2008

Alan Rickman Overdrive

Caconym posted:

So are we, that is, security casually announced that it exists and to make a ticket for access.
I replied asking if it's established as a critical service with HA and 24/7 on-call support, and if so which of our 46 on-call teams has the responsibility, also I can't find it in the service catalog and it's not modeled in the CMDB meaning SCOM isn't monitoring it and did they really think we'd put in all our passwords to the critical systems we manage under those circumstances, we'll stick with our 2fish-encrypted PasswordSafe that we can sync to our laptops so we have it available on-site during a network outage thanks.

Never heard a thing. I honestly think none of those things occurred to them, they just set it up and called it a day, revealing just how divorced they are from the "integrity" and "availability" components of security.

And the Secret Server instance appears to be completely default with no customization at all, so it kinda sucks.

But it's a Secret Server! Those things are not for you to know! :v:

pr0digal fucked around with this message at 21:06 on Jan 21, 2016

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

We are moving away from Secret Server to Authanvil's password management, since we use their 2FA anyway. I'm unsure if they rotate the passwords through Secret Server or Authanvil, but our client uses Enterprise Random Password Manager to rotate service/local account passwords. It's somewhat finicky when you need to propagate those passwords (i.e. you have a service account that needs rotated and it runs 2 Windows services and a scheduled task; it might not actually update 1 of the services but happily tell you it worked fine), but with N-Able monitoring we catch those issues quickly and fix them.

KillHour
Oct 28, 2007


I don't mind remoting into your computer to figure out why Microsoft Word suddenly started typing in red. But telling me you don't have time for me to explain what you did that caused it so you don't do it again is going to piss me off.

Sirotan
Oct 17, 2006

Sirotan is a seal.


Well it only took them 11 years, but the University of Michigan Health System finally disabled my VPN access. I last worked there in 2005. Nice work guys.

(Some of our docs work there and need access to their VPN while on our systems, so I had an occasion to test semi-regularly.)

A Frosty Witch
Apr 21, 2005

I was just looking at it and I suddenly got this urge to get inside. No, not just an urge - more than that. It was my destiny to be here; in the box.

KillHour posted:

I don't mind remoting into your computer to figure out why Microsoft Word suddenly started typing in red. But telling me you don't have time for me to explain what you did that caused it so you don't do it again is going to piss me off.

"Oh, no time? Looks like I see signs of some serious malware. I'm going to have to scan your computer for the next several hours, during which time you won't be able to use it. Sorry, it's policy."

keseph
Oct 21, 2010

beep bawk boop bawk

MF_James posted:

We are moving away from Secret Server to Authanvil's password management, since we use their 2FA anyway. I'm unsure if they rotate the passwords through Secret Server or Authanvil, but our client uses Enterprise Random Password Manager to rotate service/local account passwords. It's somewhat finicky when you need to propagate those passwords (i.e. you have a service account that needs rotated and it runs 2 Windows services and a scheduled task; it might not actually update 1 of the services but happily tell you it worked fine), but with N-Able monitoring we catch those issues quickly and fix them.

You should be using Managed Service Accounts for all of those automated services anyway. Use the password manager for passwords that humans should be punching in.
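The two posts above describe the failure mode (a rotation tool reports success but one service or task keeps the old password) and the fix (Managed Service Accounts, so nothing has to be propagated). The script below is an added example, not code from anyone in the thread: it first inventories every Windows service and scheduled task that runs as a given account so each consumer can be verified after a rotation, then creates a group Managed Service Account (gMSA) to replace the password-bearing account. The account `CORP\svc_legacy`, the gMSA name `svcLegacy`, the host group `LegacyAppHosts` and the domain `corp.example` are made-up placeholders; gMSAs need Windows Server 2012 or later DCs and hosts, which is why they only become an option once the 2003 migration mentioned above is done.

```powershell
# Added example; hypothetical names throughout. Requires the ActiveDirectory module
# and rights to create service accounts. Run on a domain-joined admin host.

# Normalise "CORP\svc", ".\svc" and "svc@corp.example" to the bare SAM name so the
# same account is recognised however a service or task happens to store it.
function Get-SamName([string]$Account) {
    if (-not $Account) { return $null }
    if ($Account -match '\\') { return ($Account -split '\\')[-1] }
    if ($Account -match '@')  { return ($Account -split '@')[0] }
    return $Account
}

# --- 1. Inventory every consumer of an account's password -----------------------
# A rotation tool only updates the consumers it knows about; this list is what you
# verify against after it reports success.
function Get-AccountConsumers {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\svc_legacy' (placeholder)
    $sam = Get-SamName $Account

    $services = Get-CimInstance Win32_Service |
        Where-Object { (Get-SamName $_.StartName) -ieq $sam } |
        ForEach-Object {
            # A service with a stale password keeps running until its next restart,
            # then fails to start and the Service Control Manager logs event ID 7038.
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; State = $_.State }
        }

    $tasks = Get-ScheduledTask |
        Where-Object { (Get-SamName $_.Principal.UserId) -ieq $sam } |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            # LastTaskResult 0 = success; 0x8007052E (ERROR_LOGON_FAILURE) is the
            # classic sign of a password that was rotated but never propagated here.
            [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskName
                               State = ('0x{0:X8}' -f $info.LastTaskResult) }
        }

    @($services) + @($tasks)
}

# --- 2. Replace the account with a gMSA so there is nothing to propagate ---------
# AD generates and rotates the password itself (every 30 days below); the hosts in
# $HostGroup fetch it on demand, so no vault or tool ever has to push a new value.
function New-LegacyAppGmsa {
    param(
        [string]$Name      = 'svcLegacy',        # placeholder
        [string]$HostGroup = 'LegacyAppHosts',   # placeholder AD group of computer accounts
        [string]$Domain    = 'corp.example'      # placeholder
    )
    Import-Module ActiveDirectory
    # One-time per forest. Backdating the KDS root key by 10 hours skips the
    # replication wait and is only appropriate in a lab.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
    }
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -ManagedPasswordIntervalInDays 30 -Enabled $true
}

# On each member host, after it has rebooted so its new group membership is in its
# Kerberos ticket:
#   Install-ADServiceAccount -Identity svcLegacy
#   Test-ADServiceAccount    -Identity svcLegacy     # True when the host can fetch the password
#   sc.exe config LegacyAppSvc obj= "CORP\svcLegacy$" password= ""
# Scheduled tasks use the same principal:
#   New-ScheduledTaskPrincipal -UserId 'CORP\svcLegacy$' -LogonType Password
```

Run `Get-AccountConsumers 'CORP\svc_legacy'` before the rotation to capture the full list, then again afterwards and check each service restarts and each task's last result is 0x00000000.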

Rassle
Dec 4, 2011

beepsandboops posted:

A ticket came in: our sales guy took a screenshot of a website he had a question about, emailed it to himself, printed it out, then brought the print out to us.

I think I'm going to write up an answer, scan it, fax it to myself, then snail mail it to him.

Technologic.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Ozz81 posted:

Three words: Morse Code Telegram

Four words: Morse Code SINGING Telegram.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

keseph posted:

You should be using Managed Service Accounts for all of those automated services anyway. Use the password manager for passwords that humans should be punching in.

Yes, we're transitioning away from 2003 currently and along with that comes a lot of other changes.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Wizard of the Deep posted:

Four words: Morse Code SINGING Telegram.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Neddy Seagoon
Oct 12, 2012

"Hi Everybody!"

beepsandboops posted:

A ticket came in: our sales guy took a screenshot of a website he had a question about, emailed it to himself, printed it out, then brought the print out to us.

I think I'm going to write up an answer, scan it, fax it to myself, then snail mail it to him.

Email it to another company office, have it printed off and delivered to him by courier.

nielsm
Jun 1, 2009



Some users manage to get their domain-joined, SCCM managed computers upgraded to Windows 10. How?!

ellspurs
Sep 12, 2007
Kappa :o

nielsm posted:

Some users manage to get their domain-joined, SCCM managed computers upgraded to Windows 10. How?!

At work yesterday, I was logging onto an ordering site on an old version of IE through Citrix, and I had a redirected window pop up from Microsoft asking me to download Windows 10 so it could have possibly been that.
