Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Walked posted:

oh boy oh boy oh boy

:shepicide:

Wonder if Microsoft will actually drop a patch on/before they disclose.

Disclosure breaks when patches are released and the discloser is saying exploits will be easily reversed from the patch data

So if the exploit is truly awful it could be a patch now thing


Walked
Apr 14, 2003

Number19 posted:

Disclosure breaks when patches are released and the discloser is saying exploits will be easily reversed from the patch data

So if the exploit is truly awful it could be a patch now thing

Oh I know; I'm just referring to their disclosure information about "Patches will be released around 17:00 UTC. That's about the same time the Microsoft Patch Tuesday occurs."
Basically wondering if Microsoft is going to get the appropriate patch in the open swiftly.

CLAM DOWN
Feb 13, 2007




Walked posted:

Oh I know; I'm just referring to their disclosure information about "Patches will be released around 17:00 UTC. That's about the same time the Microsoft Patch Tuesday occurs."
Basically wondering if Microsoft is going to get the appropriate patch in the open swiftly.

My guess is thanks to the early private disclosure by Samba to MS, one of today's patches will address this. I could be way off though.

The problem is going to come from the fact that often people don't apply new patches right away, and wait days or even weeks.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Yes. They are disclosing responsibly. The embargo ends when the patch is out.

devmd01
Mar 7, 2006

Elektronik
Supersonik
My core network services are cross site redundant for every client, bring on patching domain controllers in the middle of the day.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Here's Badlock: https://technet.microsoft.com/library/security/MS16-047

It doesn't look as bad as it was feared, but I think it still requires testing and patching quickly.

Walked
Apr 14, 2003

Number19 posted:

Here's Badlock: https://technet.microsoft.com/library/security/MS16-047

It doesn't look as bad as it was feared, but I think it still requires testing and patching quickly.

Agreed. Bit of a wet fart on this one relative to the hype; it requires attention but I'm not going to lose my lunch or need liquor to get me through the week because of this specifically

Internet Explorer
Jun 1, 2005





Walked posted:

Agreed. Bit of a wet fart on this one relative to the hype; it requires attention but I'm not going to lose my lunch or need liquor to get me through the week because of this specifically

Wait until you apply the patch and find all the nice Microsoft bugs that come with rushed patches!

I'm still wrapping my head around it but it sounds like unless you have SMB/Samba exposed to a compromised network, you should be relatively okay?

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Internet Explorer posted:

Wait until you apply the patch and find all the nice Microsoft bugs that come with rushed patches!

I'm still wrapping my head around it but it sounds like unless you have SMB/Samba exposed to a compromised network, you should be relatively okay?

It looks like someone can sit a computer passively in a network and MITM user logins to harvest credentials by forcing a security downgrade on the protocol. It is definitely exploitable but it also feels like if someone is already far enough into your network to do this then you have worse problems.

It needs patching but it's not "holy poo poo the world is burning down" levels of bad.

CLAM DOWN
Feb 13, 2007




Am I reading this correctly, or is this not even an SMB protocol problem as earlier hinted? It looks like it's LSAD and SAMR.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


CLAM DOWN posted:

Am I reading this correctly, or is this not even an SMB protocol problem as earlier hinted? It looks like it's LSAD and SAMR.

From the article:

quote:

My application or product uses the SMB protocol, does this issue affect me?
No. Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.

So no, not SMB related at all.

CLAM DOWN
Feb 13, 2007




Welp, I got drunk before noon for nothing!

Internet Explorer
Jun 1, 2005





CLAM DOWN posted:

Welp, I got drunk before noon for nothing!

Do we really need a legit reason?

I'm not familiar with SAMR or LSAD, but at least it doesn't seem like SAML is affected?

CLAM DOWN
Feb 13, 2007




SAML is claims-based authentication for things like AD FS right? I don't think it's affected.

Docjowles
Apr 9, 2009

Well this went down exactly as expected... from the updated website:

quote:

"What does "Badlock" stand for?

"Badlock" was meant to be a rather generic name and does not point to any specifics.

lol. He literally just made up the name, it's not tied to the exploit at all. I do get that having a "branded" exploit like Heartbleed can help raise awareness and drive faster patching of truly world-breaking problems. But ~*~Badlock~*~ seems to be moderate severity at worst. The whole thing is a transparent publicity grab by the author, especially since he published the hype site weeks in advance. Yawn.

Internet Explorer
Jun 1, 2005





CLAM DOWN posted:

SAML is claims-based authentication for things like AD FS right? I don't think it's affected.

Yeah, AD FS. It doesn't seem like it, but that's really the only way I could see this being earth-shattering. People don't generally expose SMB/Samba to the Internet, so I'm not sure why there was so much hype.

I liked one of the Twitter responses on #BadLock. "This is just normal patch Tuesday stuff."

[Edit: I guess if you have RDP opened to the Internet you should update ASAP? And probably kill yourself.]

Internet Explorer fucked around with this message at 18:58 on Apr 12, 2016

CLAM DOWN
Feb 13, 2007




Hey guys I just discovered a vulnerability that I'm not disclosing until Patch Tuesday next month, it's called Blowhard, please get ready for a PATCH NOW situation!!!!!

devmd01
Mar 7, 2006

Elektronik
Supersonik
talk to me about powershell remoting, after reading this i'm convinced I need it.

What are some good implementation guides, gotchas, etc?

I have a patch cycle coming up with some weird reboot dependencies, I'm thinking I can script the manual reboots in order. The less I have to RDP in to servers at 6 am the better.

devmd01 fucked around with this message at 12:42 on Apr 14, 2016

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Edit: wow misread that. Just do it, the only real gotcha is credential passthrough, if you're trying to access network resources from a host you've remoted in to you have to use CredSSP to allow your credentials to hop to the next node.

hihifellow fucked around with this message at 16:16 on Apr 14, 2016
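Added example, not code from either poster: an ordered-reboot run over PowerShell remoting, followed by the CredSSP "second hop" that hihifellow mentions. It assumes WinRM is already enabled on the targets, that it runs from an admin workstation under an account with local admin on each server, and that every host name, service name and share path is a placeholder.

```powershell
# Step 1: reboot in dependency order and wait for each box to come back before
# touching the next one. -Wait -For WinRM returns once the remoting listener
# answers; -Timeout keeps one hung server from stalling the whole run.
# The plan maps each (placeholder) server to the service that must be up
# before the next tier is rebooted.
$plan = [ordered]@{
    'dc01.corp.example'  = 'NTDS'         # domain controller first
    'sql01.corp.example' = 'MSSQLSERVER'  # database second
    'app01.corp.example' = 'W3SVC'        # web tier that depends on SQL last
}

foreach ($server in $plan.Keys) {
    $service = $plan[$server]
    Write-Host "Rebooting $server ..."
    Restart-Computer -ComputerName $server -Force -Wait -For WinRM -Timeout 900 -ErrorAction Stop

    # WinRM answering is not the same as the workload being up, so check the
    # service you actually depend on before moving to the next tier.
    $status = Invoke-Command -ComputerName $server -ScriptBlock {
        param($name)
        (Get-Service -Name $name).Status
    } -ArgumentList $service

    if ($status -ne 'Running') {
        throw "$service on $server is '$status' after reboot; stopping so later tiers don't start against a dead dependency."
    }
    Write-Host "$server is back and $service is running."
}

# Step 2: the credential passthrough gotcha. Inside a remote session your
# Kerberos ticket cannot be forwarded again, so anything that touches a second
# machine (here, a file share) fails with access denied. CredSSP solves the
# second hop by sending your password to the remote host, which is why it is
# scoped to named hosts here and switched off again afterwards.

# Once, on the workstation (client side): allow delegation only to app01.
Enable-WSManCredSSP -Role Client -DelegateComputer 'app01.corp.example' -Force

# Once, on app01 (server side), done here through an ordinary remoting session.
Invoke-Command -ComputerName 'app01.corp.example' -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}

$cred = Get-Credential -Message 'Account with rights on app01 and the patch share'
Invoke-Command -ComputerName 'app01.corp.example' -Authentication Credssp -Credential $cred -ScriptBlock {
    # This hop from app01 to the file server is the one that fails without CredSSP.
    Get-ChildItem -Path '\\files01.corp.example\patches' | Select-Object Name, Length
}

# Clean up so delegation is not left enabled indefinitely.
Disable-WSManCredSSP -Role Client
```

Because CredSSP hands the remote host a reusable copy of the credential, keep the `-DelegateComputer` list to the hosts that need it and use a dedicated account for the run rather than a domain admin.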

Thanks Ants
May 21, 2004

#essereFerrari


Has anyone done much with Azure AD Join yet in Windows 10? It's something I'm aware of having existed for a while but still very much seems to be a thing that is possible and Microsoft use internally, and that's about it.

Does it play nicely with SAML providers - e.g. if my Azure directory is synced to AD but Office 365 logins use SAML provided by Okta, does Windows 10 joined to Azure AD work with that or does it just come crashing down spectacularly? Do I actually just want to domain join machines and use DirectAccess and revisit in a couple of years when it's more mature?

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Thanks Ants posted:

Has anyone done much with Azure AD Join yet in Windows 10? It's something I'm aware of having existed for a while but still very much seems to be a thing that is possible and Microsoft use internally, and that's about it.

Does it play nicely with SAML providers - e.g. if my Azure directory is synced to AD but Office 365 logins use SAML provided by Okta, does Windows 10 joined to Azure AD work with that or does it just come crashing down spectacularly? Do I actually just want to domain join machines and use DirectAccess and revisit in a couple of years when it's more mature?

When I started this gig a few years ago we had 300 PCs all on "workgroup" with no domain controller in sight.

I held out for Windows 10 when I heard it would have Azure AD Join, and I put all our PCs on it.

It is overall pretty great with some bugs and poo poo not hooked up yet. People log in to the PC with their Office 365 username and password, and if I change the password they're completely locked out (especially with BitLocker enabled). When they sign in, Windows 10 passes the token to IE and Edge to give them single-sign-on to Azure stuff like portal.office.com, and things that I'd enabled for O365 Azure AD SAML such as Freshdesk. I still haven't figured out how to get the SSO working on Chrome but people just save their O365 password on Chrome anyways.

Another perk is that any Global Admin on Office 365 can authenticate to elevate permissions. So I took admin privs from all users, and if someone off-site needs to install something in a pinch, I can do a join.me to their screen, reset the "temporary.admin@domain.com" password and give it to them, confirm they're installing what they claim to be installing, then reset the password again. Nice secure way to let people run a WebEx installer or whatever and still have things locked down.

When people first sign in under Azure AD Join, Windows 10 forces them to put in a mobile number and confirm it, then they pick a pin for the PC. This is cool because I have their smartphone on file if I ever enable two-factor auth. The pin is cool because it's easy for people to remember, and it only works on that one single device (as opposed to the O365 password that works on anything) so it's not any more insecure than a pin on an iPhone.

Bugs include the fact that 10% of my users over the last year had the pin login option magically vanish, so that they have to go back to using their O365 password to sign in (usually you can toggle to choose between either, which is nice if they forget one, they have two ways to log in), and 1% of people had both pin and password just completely stop working properly, so I'd have to unjoin the laptop from Azure AD Join and rejoin to fix the issue. Microsoft just loving shrugged at me when I put in a ticket for it.

We actually do use Okta here, but that's because our marketing team got it after all this, without telling me, simply because they wanted to give customers SSO without getting those logins mixed in with the users in my Azure tenant and possibly exposing them to more of our stuff than they should.

So, I can't answer your questions on how Okta/DomainJoin/DirectAccess work because I don't use any of those. I just have a domain-free environment with logins managed with Azure AD Join and Apps / Group Policy pushed out by PDQ Deploy (you can set local group policy on one PC and just push the GP folder to other PCs, works fine).

Edit:

As far as Azure AD Join maturing, Microsoft needs to get their heads out of their asses and make a loving "Azure AD Domain Services" that actually works. It was supposed to be an Azure-hosted IP that you can connect to as a cloud domain controller that could pass group policy and run LDAP against your O365 users, but it's only in their VPN, and it's loving rocket science to get my site-to-site VPN to connect to it. Basically they want it to only work to give Azure VMs a domain controller and never connect your endpoints to it.

If it was just an easy to reach LDAP I'd be thrilled. If anyone knows any way in the world I can get LDAP out of O365/Azure without a domain, let me know, because I'd love to hook up my VPN router to LDAP so people can use their email/password to VPN in or connect to Wifi.

Zero VGS fucked around with this message at 16:40 on Apr 15, 2016

BaseballPCHiker
Jan 16, 2006

Does anyone have any idea why external email senders wouldn't get an NDR from Exchange if they sent to a recipient who doesn't exist? I've confirmed that I have NDRs enabled and internally if I send to someone who doesn't exist I get a bounceback but when I test from my gmail account I get no message.

Thanks Ants
May 21, 2004

#essereFerrari


Zero VGS posted:

As far as Azure AD Join maturing, Microsoft needs to get their heads out of their asses and make a loving "Azure AD Domain Services" that actually works. It was supposed to be an Azure-hosted IP that you can connect to as a cloud domain controller that could pass group policy and run LDAP against your O365 users, but it's only in their VPN, and it's loving rocket science to get my site-to-site VPN to connect to it. Basically they want it to only work to give Azure VMs a domain controller and never connect your endpoints to it.

If it was just an easy to reach LDAP I'd be thrilled. If anyone knows any way in the world I can get LDAP out of O365/Azure without a domain, let me know, because I'd love to hook up my VPN router to LDAP so people can use their email/password to VPN in or connect to Wifi.

Deploy a Server 2012 R2 VM into Azure, join to Azure AD Domain Services, install the NPS role. Connect back to your office via a tunnel or if that doesn't work expose the RADIUS endpoints but lock the ACLs down on Azure to only listen to your office(s).

I've never had any issues with the VPN stuff in Azure.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Zero VGS posted:

It was supposed to be an Azure-hosted IP that you can connect to as a cloud domain controller that could pass group policy and run LDAP against your O365 users

I was never under the impression that Azure AD Domain Services was supposed to do that.

quote:

Basically they want it to only work to give Azure VMs a domain controller and never connect your endpoints to it.

This is exactly what it was designed to do, never seen any documentation otherwise.

It's an extension of Azure AD that lets you join Azure VMs to it and gives you some BASIC functionality when it comes to GPO. There's major limitations.

We all know you want full blown AD in the cloud, but it hasn't happened yet.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Thanks Ants posted:

Deploy a Server 2012 R2 VM into Azure, join to Azure AD Domain Services, install the NPS role. Connect back to your office via a tunnel or if that doesn't work expose the RADIUS endpoints but lock the ACLs down on Azure to only listen to your office(s).

I've never had any issues with the VPN stuff in Azure.

I appreciate it, it's just overkill to get our tunnel up. We cut a huge check to Microsoft for Office 365 and I did a 3-year with them when they promised to support us with configurations like this, but once the ink was dry they told us "actually, Azure AD is completely outside of Office 365, you need a whole different support contract for that", like OK assholes, thanks a bunch.

Even all the SSO companies like Okta and OneLogin can connect to Azure AD SSO using SAML, but somehow can't convert that into an IP that I can authenticate LDAP/RADIUS against. Something like a public-facing IP but with ACLs would be perfect; I don't get what's stopping them. Maybe not enough people are trying to set it up like I have it.

skipdogg posted:

I was never under the impression that Azure AD Domain Services was supposed to do that.

Well sure, but they were sooo close. Why would they not just go the last inch and fix my biggest Windows Enterprise Problem. Because they don't think it's cooked up well enough yet? That didn't stop them from putting out Windows 10 and Azure AD Join. I did say AD Join is cool now but I was trying it the first few weeks it came out, that was a fun shitshow, I was literally the only person in the world submitting AD Join tickets to Microsoft at the time.

The insulting thing is even it is considered "Preview", and yet you still have to pay them like $40/month to even try it.

Sorry you're so attentive to my posts, I figure some people haven't learned I'm the "gimme real cloud AD" guy yet and if I vent every couple of months eventually someone might chime in that they figured it out.

Thanks Ants
May 21, 2004

#essereFerrari


Zero VGS posted:

I appreciate it, it's just overkill to get our tunnel up. We cut a huge check to Microsoft for Office 365 and I did a 3-year with them when they promised to support us with configurations like this, but once the ink was dry they told us "actually, Azure AD is completely outside of Office 365, you need a whole different support contract for that", like OK assholes, thanks a bunch.

Even all the SSO companies like Okta and OneLogin can connect to Azure AD SSO using SAML, but somehow can't convert that into an IP that I can authenticate LDAP/RADIUS against. Something like a public-facing IP but with ACLs would be perfect; I don't get what's stopping them. Maybe not enough people are trying to set it up like I have it.

That's more or less exactly what I said - VM instance and make the RADIUS ports accessible externally. Or, you know:

https://support.okta.com/help/articles/Knowledge_Article/24434913-Installing-the-Okta-RADIUS-Agent
https://onelogin.zendesk.com/hc/en-us/articles/202361670-Configuring-the-RADIUS-Server-Interface
https://jumpcloud.com/engineering-blog/introducing-jumpclouds-radius-as-a-service/

The solutions to all your problems exist, they just cost a non-zero amount. I'm not sure why you make life hard for yourself by ignoring best practises and people here who have done lots of this stuff before, and then post about the problems you've had doing it. See also: your upgrades to Windows 10.

Thanks Ants fucked around with this message at 21:33 on Apr 15, 2016

Internet Explorer
Jun 1, 2005





:munch:

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

Thanks Ants posted:

That's more or less exactly what I said - VM instance and make the RADIUS ports accessible externally. Or, you know:

https://support.okta.com/help/articles/Knowledge_Article/24434913-Installing-the-Okta-RADIUS-Agent
https://onelogin.zendesk.com/hc/en-us/articles/202361670-Configuring-the-RADIUS-Server-Interface
https://jumpcloud.com/engineering-blog/introducing-jumpclouds-radius-as-a-service/

The solutions to all your problems exist, they just cost a non-zero amount. I'm not sure why you make life hard for yourself by ignoring best practises and people here who have done lots of this stuff before, and then post about the problems you've had doing it. See also: your upgrades to Windows 10.

None of those can reference Azure AD for LDAP (ironic since Azure AD is just LDAP on the back-end), they all require me to spin up additional virtual infrastructure. I know this because I asked them all and they threw up their hands and said "we'll try to put it in the roadmap".

Keep in mind my crazy bosses are "just cloud everything, don't run any Windows servers, not even in a VM, what if they crash and we can't log in?" and I've tried and failed to gainsay them. If Microsoft could spin up a reachable IP that just said "duhh send LDAP queries here", then it's not their fault when it goes down and that's how they sleep at night.

It's OK, I think the real problem is just that the Azure portal is way, way harder to use than AWS. I got a secure site-to-site up on that perfectly fine where Azure is some heinous jumble of powershell commands and garbage.

Anyway, I'm making life interesting for myself, not hard. None of this is like super important; we're doing fine without it, it'd just be nice to have. I only chimed in because someone asked about Azure AD Join and I'm like the official production alpha tester.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

cached credentials?

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

MF_James posted:

cached credentials?

Are inconsistent at best; there's all sorts of conditions that will generate "could not service the login request" and other poo poo even when you set up a long expiration on cached credentials.

Thanks Ants
May 21, 2004

#essereFerrari


If 'run a Windows Server VM on Azure' breaches some sort of decree then I think you're going to be waiting around for a while for an acceptable solution.

Do your higher ups know that Azure AD runs on virtualised compute infrastructure.

Re: Azure VPN, it can all be done in the portal. I think you're reading old documentation.

tadashi
Feb 20, 2006

Does anyone know of a cheap host for all of the records needed for Office365? We've been using MyDomain.com as our registrar and DNS record host for a while because they are so much cheaper than any other registrar/DNS site I can find but they do not support SRV records for some dumb reason. The prices for other sites recommended by Office365 are all over the place. I tried EntryDNS.net because they told me in an email they supported SPF and SRV records, but (no big surprise for a site that's free after a registration fee), these records don't seem to work on their site.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

tadashi posted:

Does anyone know of a cheap host for all of the records needed for Office365? We've been using MyDomain.com as our registrar and DNS record host for a while because they are so much cheaper than any other registrar/DNS site I can find but they do not support SRV records for some dumb reason. The prices for other sites recommended by Office365 are all over the place. I tried EntryDNS.net because they told me in an email they supported SPF and SRV records, but (no big surprise for a site that's free after a registration fee), these records don't seem to work on their site.

Amazon's Route53 is pretty cheap and will do everything under the sun. $.50/mo per zone and $.40 per million queries (cheaper per million if you go over 1 billion which you probably won't).

tadashi
Feb 20, 2006

wyoak posted:

Amazon's Route53 is pretty cheap and will do everything under the sun. $.50/mo per zone and $.40 per million queries (cheaper per million if you go over 1 billion which you probably won't).

Funnily enough, in researching how to set up DNS records on Route53 for Office365, I may have found my answer for how to set up the records on EntryDNS. I'll know in an hour when the TTL expires.

KS
Jun 10, 2003
Outrageous Lumpwad
It's still worth moving. The UI is sooooooo much better than any other DNS service, even if you don't access it programmatically at all.

Thanks Ants
May 21, 2004

#essereFerrari


tadashi posted:

Funnily enough, in researching how to set up DNS records on Route53 for Office365, I may have found my answer for how to set up the records on EntryDNS. I'll know in an hour when the TTL expires.

You can query the name server directly rather than waiting for caches to expire on your ISP/router/locally

http://mxtoolbox.com/SRVLookup.aspx
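The same check done locally rather than through a web tool, as an added example that is not part of the post: query each of the zone's authoritative name servers directly so resolver caches cannot hide whether a record is live, and warn when the servers disagree (a half-propagated change). It assumes the `DnsClient` module that ships with Windows 8 / Server 2012 and later; `example.com` and the record names are placeholders for your own zone.

```powershell
function Test-ZoneRecordOnAuthoritativeServers {
    param(
        [Parameter(Mandatory)] [string] $Zone,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('A', 'AAAA', 'CNAME', 'MX', 'TXT', 'SRV')] [string] $Type
    )

    # The NS delegation itself rarely changes, so the normal resolver is fine here.
    $nameServers = (Resolve-DnsName -Name $Zone -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' }).NameHost

    $results = foreach ($ns in $nameServers) {
        try {
            # -Server sends the query to that host only; -DnsOnly skips LLMNR/NetBIOS fallback.
            $records = Resolve-DnsName -Name $Name -Type $Type -Server $ns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq $Type }

            # Render each record type into a comparable string.
            $summary = switch ($Type) {
                'SRV'   { $records | ForEach-Object { "$($_.Priority) $($_.Weight) $($_.Port) $($_.NameTarget)" } }
                'TXT'   { $records | ForEach-Object { $_.Strings -join '' } }
                'MX'    { $records | ForEach-Object { "$($_.Preference) $($_.NameExchange)" } }
                default { $records | ForEach-Object { if ($_.IPAddress) { $_.IPAddress } else { $_.NameHost } } }
            }

            [pscustomobject]@{
                Name = $Name; Type = $Type; NameServer = $ns
                Records = (@($summary) | Sort-Object) -join '; '
                Error = $null
            }
        }
        catch {
            [pscustomobject]@{ Name = $Name; Type = $Type; NameServer = $ns; Records = $null; Error = $_.Exception.Message }
        }
    }

    # More than one distinct answer set means the change has not reached every server yet.
    $distinct = @($results | Where-Object { -not $_.Error } | ForEach-Object { $_.Records } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Authoritative servers for $Zone disagree on $Name ($Type): still propagating, or one server missed the update."
    }
    $results
}

# Usage with placeholder names: the Skype for Business Online SRV record and the SPF TXT record.
Test-ZoneRecordOnAuthoritativeServers -Zone 'example.com' -Name '_sip._tls.example.com' -Type SRV | Format-Table -AutoSize
Test-ZoneRecordOnAuthoritativeServers -Zone 'example.com' -Name 'example.com' -Type TXT | Format-Table -AutoSize
```

An empty `Records` column with no `Error` on one server while the others show the record is the classic symptom of a provider that accepted the record in its UI but never published it, which is the situation the original question describes.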

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

is there an easy way to find out what local policy edits have been made to a machine?

I am hoping there's something like rsop/gpresult that will only look at local policy edits. Trying to figure out how someone got some stuff to work on one server so I can document and migrate to another, there are a few local edits that I've found, but I'm pretty sure there's more that I'm missing and there's too much poo poo to go through by hand to figure it out.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Heads up WSUS users:

https://redmondmag.com/articles/2016/04/22/flawed-kb3148812-update.aspx

Swink
Apr 18, 2006
Left Side <--- Many Whelps
I've got a couple of AD 'Best Practice" questions.

First, what's the state of renaming a domain in 2012R2? Can you / should you do it? Or should I just spin up a new domain and migrate the clients?

Second, this is calling on people that might have been in the same boat, what's the most flexible domain name scheme for a company who at some stage in the future may have to join up with a much larger company's domain. Does it even really matter? I was just considering companyname.com (to match the email address) but perhaps that is not the best way?

Bonus question: I've seen domains of LongAssCompanyName.local shortened to: LACN\Username for easier typing when logging in. How is that done?


Thanks Ants
May 21, 2004

#essereFerrari


You can rename domains, I've done it. It gets more difficult when you have other dependencies on that domain, loads of cruft from previous upgrades etc. So it's technically possible but it can still fail in many cool ways.

Don't use your TLD for the domain as it makes managing DNS really hard - do you want your web guys constantly submitting tickets for changes to be made to the zone whenever they work on the external-facing site? Either register a new domain and don't publish a zone for it outside of your org, or use something like ad.companyname.com. You can add companyname.com as a UPN suffix at a later date to let people log in with their email address.

The longasscompanyname.local and LACN\Username is just a case of having a NetBIOS name set to LACN.
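An added example, not the poster's own code, showing where the short `LACN\Username` form comes from and how the UPN-suffix suggestion above is applied. It assumes the ActiveDirectory RSAT module and Domain Admin rights; `companyname.com`, the OU path and the user names are placeholders.

```powershell
Import-Module ActiveDirectory

# The part before the backslash is the domain's NetBIOS name, fixed when the
# domain was created; the DNS name plays no part in it.
$domain = Get-ADDomain
[pscustomobject]@{
    DnsName     = $domain.DNSRoot       # e.g. longasscompanyname.local
    NetBIOSName = $domain.NetBIOSName   # e.g. LACN, so users type LACN\alice
}

# Changing the NetBIOS name means a domain rename. A UPN suffix, by contrast,
# is cheap to add later and lets people sign in as alice@companyname.com.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains 'companyname.com') {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = 'companyname.com' }
}

# Move the users in one OU to the new suffix. SamAccountName (and therefore
# LACN\alice) keeps working alongside the new UPN. -WhatIf previews only.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Staff,DC=longasscompanyname,DC=local' |
    ForEach-Object {
        Set-ADUser -Identity $_ -UserPrincipalName "$($_.SamAccountName)@companyname.com" -WhatIf
    }
```

Drop `-WhatIf` once the preview looks right. Adding the suffix does not touch DNS, which is the point of the advice above: the AD domain can stay on its own zone while logins use the mail domain.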
