|
Well I found some interesting things today. Cashiers with their own domain admin accounts. Cashiers using the same domain admin account that I was given. Zombie DCs that had been supposedly intermediately causing issues for 4 years. Declared to be unfixable. (Fixed in 2 hours.) GPOs that were declared to be crap and didn't apply to OUs (set on the root of the domain that had inheritance disabled).

Methanar fucked around with this message at 00:41 on Jun 8, 2016 |
# ? Jun 7, 2016 23:57 |
|
If a GPO doesn't work you just make another one and try again.
|
# ? Jun 8, 2016 00:01 |
|
Am I seeing this right? Cashiers with domain admin rights?
|
# ? Jun 8, 2016 00:25 |
|
Dr. Arbitrary posted: Am I seeing this right? Cashiers with domain admin rights?

Yes. I would guess maybe 10% of all cashiers had domain admin, even if they didn't know it.
|
# ? Jun 8, 2016 00:40 |
|
Thanks Ants posted: If a GPO doesn't work you just make another one and try again.
|
# ? Jun 8, 2016 00:42 |
|
Thanks Ants posted: If a GPO doesn't work you just make another one and try again.

It is shocking how often people gently caress up GPO. I never had a SR to show me best practices, but over the years I have come up with the following rules as I have become a SR myself.

1. Leave all the loving default domain policy alone!!!
2. Name your domain policies properly. Keep the same naming scheme throughout. Your policies should be easy to figure out what it does by its loving name. Security through obscurity doesn't apply here.
3. It's not necessary to make a new policy for every little thing, but it's also bad to stuff too much into a single policy from an organizational standpoint. There isn't a search function. Nobody wants to spend all day figuring out where one small change is located and in what policy.
4. Your OU structure should make sense before you try and be super cute in your policy enforcement. Group membership filters should be the exception, not the norm.
5. If you are new, disable group policy objects and delete them at a later date. Rename accordingly. This is another thing that is easier to enable than to recreate if you find out you actually still need it.
6. Group policies don't always do what they say they do. So if a new policy isn't working, do some research before you start trying to fix other things that aren't broken.
|
# ? Jun 8, 2016 01:20 |
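The "no search function" complaint, the disable-before-delete rule and the blocked-inheritance case from the first post can all be checked read-only from PowerShell. This is an added example, not part of anyone's post; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and the search term at the bottom is a constructed sample.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: read-only GPO inventory. Nothing here modifies a GPO.

function Find-GpoSetting {
    # Search the XML report of every GPO for a literal string (setting name,
    # registry path, script name). Answers "which policy holds this change?"
    param([Parameter(Mandatory)][string]$Pattern)
    foreach ($gpo in Get-GPO -All) {
        $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($xml -match [regex]::Escape($Pattern)) {
            [pscustomobject]@{
                Gpo      = $gpo.DisplayName
                Status   = $gpo.GpoStatus
                Modified = $gpo.ModificationTime
            }
        }
    }
}

function Get-BlockedInheritanceOu {
    # OUs with Block Inheritance set: GPOs linked at the domain root do not
    # reach these OUs unless the link is Enforced.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $som = Get-GPInheritance -Target $_.DistinguishedName
        if ($som.GpoInheritanceBlocked) {
            [pscustomobject]@{
                OU         = $_.DistinguishedName
                LinkedGpos = ($som.GpoLinks.DisplayName -join ', ')
            }
        }
    }
}

function Get-UnlinkedOrDisabledGpo {
    # GPOs that are fully disabled or linked nowhere: the ones parked under
    # the "disable now, delete later" rule, or forgotten.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $linked = [bool]$report.GPO.LinksTo
        if (-not $linked -or $gpo.GpoStatus -eq 'AllSettingsDisabled') {
            [pscustomobject]@{
                Gpo = $gpo.DisplayName; Status = $gpo.GpoStatus; Linked = $linked
            }
        }
    }
}

Find-GpoSetting -Pattern 'ScreenSaver'   # constructed sample search term
Get-BlockedInheritanceOu
Get-UnlinkedOrDisabledGpo
```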
|
Sickening posted: There isn't a search function. Nobody wants to spend all day figuring out where one small change is located and in what policy.
|
# ? Jun 8, 2016 01:53 |
|
Sickening posted: It is shocking how often people gently caress up GPO. I never had a SR to show me best practices, but over the years I have come up with the following rules as I have become a SR myself.

7. Use AGPM and kill anyone who doesn't on the spot
|
# ? Jun 8, 2016 01:55 |
|
Sickening posted: It is shocking how often people gently caress up GPO. I never had a SR to show me best practices, but over the years I have come up with the following rules as I have become a SR myself.

I lumped all my GPOs into the default domain policy and scoped to literally everything in a single flat OU after reading this, tyvm my domain is throbbing
|
# ? Jun 8, 2016 02:09 |
|
CLAM DOWN posted: I lumped all my GPOs into the default domain policy and scoped to literally everything in a single flat OU after reading this, tyvm my domain is throbbing

I hate you.
|
# ? Jun 8, 2016 02:14 |
|
GreenNight posted: We're balls deep into a 3Par implementation. So far so good.

Hopefully HP is better at supporting that poo poo now than they were a few years ago after the acquisition. At ${job}-1 I had a bad time once HP borged them.
|
# ? Jun 8, 2016 02:17 |
|
nitrogen posted: Hopefully HP is better at supporting that poo poo now than they were a few years ago after the acquisition. At ${job}-1 I had a bad time once HP borged them.

Yes, supposedly it's much better. We're migrating from an EVA, and the GUI for that thing was a bear.
|
# ? Jun 8, 2016 03:57 |
|
xezton posted: 7. Use AGPM and kill anyone who doesn't on the spot

Can you tell me a little more about this? I don't use it and don't want to get killed on the spot.
|
# ? Jun 8, 2016 04:00 |
|
Dr. Arbitrary posted: Can you tell me a little more about this? I don't use it and don't want to get killed on the spot.

It's relatively new to me as well, so maybe killing on the spot is a little overboard. For a long time my boss was very "look don't touch" with GPO stuff. None of us ever really understood why until he left the company and a week later an MS PFE gave us the rundown on GPOs, and brought up AGPM (which our boss happened to already have set up and was actively using).

https://technet.microsoft.com/en-us/itpro/mdop/agpm/technical-overview-of-agpm

It takes a bit of setup, but it gives you check-ins/outs of GPOs so you can actually see who made changes along with diffs, history, and rollback. It also lays out handy roles to control who can do what, and even lets you set up notifications for when GPOs need to be approved, etc. If you have a team that works on them, though, everyone needs to be on-board with it. Otherwise, if they have access to create/modify GPOs the normal way, they can just totally skip AGPM, thus making it completely worthless. Which at least partly explained the look-don't-touch way things were handled before.
|
# ? Jun 8, 2016 04:57 |
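The bypass described in the post above (anyone who can still edit GPOs the normal way can skip AGPM) can be checked by listing who holds direct edit rights on each GPO. This is an added example, not part of anyone's post; it assumes the RSAT GroupPolicy module, and the expected-trustee list, including the `svc-agpm` service account name, is hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: list every trustee that can edit a GPO directly,
# i.e. without going through an AGPM check-out.

# Assumption: the only trustees that should hold edit rights here.
# 'svc-agpm' is a hypothetical AGPM service account name.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'svc-agpm')

function Get-GpoEditor {
    param([string[]]$Expected = @())
    $editRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { [string]$_.Permission -in $editRights } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Type       = $_.Trustee.SidType
                    Permission = $_.Permission
                    # True when the trustee is not on the expected list
                    Unexpected = $_.Trustee.Name -notin $Expected
                }
            }
    }
}

# Show only the delegations that fall outside the expected list.
Get-GpoEditor -Expected $expected |
    Where-Object Unexpected |
    Sort-Object Trustee, Gpo |
    Format-Table -AutoSize
```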
|
xezton posted: It's relatively new to me as well, so maybe killing on the spot is a little overboard. For a long time my boss was very "look don't touch" with GPO stuff.

AGPM is a nice idea not implemented too well. It makes doing GPO work even clunkier than it already is in GPMC, and unless there's a workaround I'm not aware of it makes some pieces of that work considerably harder to script. Minor tweaks to policies or filtering involves a bunch of extra steps in that damnable GUI. If you have appropriate delegation on your GPOs, appropriate change control procedures, and logging on your DCs, there shouldn't be an (unauditable) issue of random fingers in your policies. We tried to use it all the way, but ended up compromising and only getting policies controlled under AGPM after everything is fully tested, deployed, etc.
|
# ? Jun 8, 2016 05:40 |
|
Well I've been putting GPOs in place over the last few weeks of working here, so far no complaints. One admin coworker thought Windows 10 had QuickEdit enabled as a default, was completely blown away when I told him it's a GPO...

Anyway, I can't wait for the day I can boot the FLS team of Domain Admin privileges. But "they need it to remote into X...". At least I implemented delegation so they can manage AD objects without admin rights, tho I'm pretty sure they are using their domain admin account still for that. Before, they had DA on their personal accounts as well.

They are not making it easy for me, because one of the other admins doesn't want me to define too much scope, because he fears we'll have to do some mundane tasks then. Which is probably true for security things, but that should be our thing, not left to Tier 1 to clickbash until it works. OUs are still a mess, and I'm not allowed to change it too much because it could "break something, I think".
|
# ? Jun 8, 2016 06:52 |
|
I feel like Group Policy is one of the largest drivers towards OS X, iOS, Chrome, etc.
|
# ? Jun 8, 2016 06:59 |
|
Tab8715 posted: I feel like Group Policy is one of the largest drivers towards OS X, iOS, Chrome, etc.

Even just comparing Chrome to Internet Explorer GPO options is ridiculous. IE has hundreds and hundreds of knobs once you start adjusting settings by security zone, including some pretty arcane and unintuitive stuff. Chrome has a few dozen total, you can be an expert in an afternoon. Granted, there is just no way to make a lot of janky legacy apps work in Chrome. If you have the management backing to tell your developers to gently caress off with that, there's not a lot of reason not to default to Chrome.
|
# ? Jun 8, 2016 09:14 |
|
AreWeDrunkYet posted: Even just comparing Chrome to Internet Explorer GPO options is ridiculous. IE has hundreds and hundreds of knobs once you start adjusting settings by security zone, including some pretty arcane and unintuitive stuff. Chrome has a few dozen total, you can be an expert in an afternoon.

Just today I adopted Chrome GPOs and will start pushing for Chrome to be installed as default browser. Once I give FLS a Deployment System (They are still installing from hand, probably gonna have to go with WDS) they won't have a choice because I'll bake it in there.
|
# ? Jun 8, 2016 09:18 |
|
psydude posted: My girlfriend's mom just got hit by a great malware/social-engineering scammer combo pack. Popped up a fake message with the Wells Fargo logo on it (while she was on the Wells Fargo site) telling her she'd been infected with Zeus and to call the listed number for "Microsoft Tech Support." When she asked them to prove they were actually Microsoft techs, they told her that the firewall picked up the virus so that's how she could be certain. They then went on to explain that her computer had been 80% compromised ("Five of seven layers have been breached!"), threw out a bunch of bullshit techno babble to confuse her, and then requested that she kindly do the needful and purchase the full package to include a "Network administrator, Certified Ethical Hacker, and Computer Forensics Specialist." Fortunately she called me for a second opinion, that opinion being to change all of her passwords, call her bank's anti-fraud department, take her computer in to an actual computer place, get an ad blocker, and report the phone number to Microsoft's fraud department.

Honestly, if you have to get ripped off, I'm betting feeling like you weren't ripped off and actually saved from trouble is the way to go, and it has much less risk on the backend.

Toshimo posted: Yesterday, I sat through a meeting to talk about cracking down on security because our security officer got rekt by a congressional committee live on C-SPAN and we don't want to be the next OPM leak.

There isn't a single person in Congress that I wouldn't destroy if they tried to bring me into a committee on anything. "How could this breach happen?" "IDK, probably the same way you made it to 58 years old and had children and still don't know how vaginas work or how to check your own email."
|
# ? Jun 8, 2016 15:49 |
|
gfsincere posted: "IDK, probably the same way you made it to 58 years old and had children and still don't know how vaginas work or how to check your own email."
|
# ? Jun 8, 2016 16:18 |
|
adorai posted: and then they would hold you in contempt. It's easy to talk tough on the internet, the reality of being there is a lot different.

I honestly didn't know they could do that. Who ever thought that was a good idea?
|
# ? Jun 8, 2016 16:28 |
|
adorai posted: and then they would hold you in contempt. It's easy to talk tough on the internet, the reality of being there is a lot different.

They aren't judges, so...what? How do they even have that ability legally to say "I don't like your answers, go to jail" when they aren't judges and it isn't a court of law?

e: also I have a felony for assaulting a cop. So talking poo poo to Congress wouldn't be the dumbest nor the most ballsy decision I've made as a black man.
|
# ? Jun 8, 2016 16:35 |
|
gfsincere posted: There isn't a single person in Congress that I wouldn't destroy if they tried to bring me into a committee on anything.

No company in their right mind puts someone front-and-center in the subcommittee chambers without general counsel, pages worth of planned statements and responses, and a PR rep or five. You'd get tackled by your own crew before you got to the "g" in "vaginas".

Sickening posted: I honestly didn't know they could do that. Who ever thought that was a good idea?

If you're subpoenaed by Congress, you're under a legal obligation to answer their questions. Dodging them or "not taking it seriously" can be ruled contempt. The relevance of a given question is, of course, wide-ranging and subject to debate, but it's still not something you'd want to test to become a BuzzFeed hero.
|
# ? Jun 8, 2016 16:40 |
|
Cenodoxus posted: If you're subpoenaed by Congress, you're under a legal obligation to answer their questions. Dodging them or "not taking it seriously" can be ruled contempt. The relevance of a given question is, of course, wide-ranging and subject to debate, but it's still not something you'd want to test to become a BuzzFeed hero.

Every answer is "I don't recall".
|
# ? Jun 8, 2016 16:44 |
|
gfsincere posted: They aren't judges, so...what?

A hangover from the British Parliament, which was/is a court of law (the phrase 'court' derives from the actual mediaeval version, i.e. a king plus his advisors, which is what Parliament is as well) and back in the day could literally pass legislation to have people judicially executed. This is why Congress can subpoena people too - that's generally a judgy sort of power.
|
# ? Jun 8, 2016 16:51 |
|
If you've seen that video of a guy repeatedly failing to understand questions about what a copy machine is, that's the only real way to get away with obstruction. You just become unbelievably dense and forgetful. The thing about Congress is that they're rarely interested in actually getting to the bottom of things, they're more interested in providing justification for some other thing that they already wanted to do. So if you work for a government agency and provide honest answers, they could easily be used to try and dismantle your own employer. Imagine answering a bunch of loaded questions about "zero-day" exploits that are carefully designed to ever avoid an understanding that they're unknown vulnerabilities.
|
# ? Jun 8, 2016 17:15 |
|
GreenNight posted: Every answer is "I don't recall".

You do like Leo McGarry on West Wing did, you cover the mic and pretend to talk to your lawyer over questions you feel are stupid, then go "I'm sorry, can you repeat the question?"
|
# ? Jun 8, 2016 17:21 |
|
Yeah, this is the hot seat you don't want to be on and I don't think, if you were anywhere near it, you'd even consider for a second trying to your way out: https://www.youtube.com/watch?v=ZcW0x_4iVMA
|
# ? Jun 8, 2016 17:55 |
|
The correct response is, as mentioned, to say "I do not recall" over and over and over until they hit the point that they stop even sounding like human language to you.
|
# ? Jun 8, 2016 18:10 |
|
Recently given an option of WFH for one day, or working four 10-hr days. Decisions decisions...
|
# ? Jun 8, 2016 18:25 |
|
Hughmoris posted: Recently given an option of WFH for one day, or working four 10-hr days. Decisions decisions...

Four 10 hour days sounds awesome to me. 3 day weekend every week! 4 day weekend on holidays!
|
# ? Jun 8, 2016 18:29 |
|
Hughmoris posted: Recently given an option of WFH for one day, or working four 10-hr days. Decisions decisions...

10 hour days. I used to work 9 hour days for every second Friday off, and it is genuinely the best thing - you rarely notice the extra hour or two, especially in IT where you're generally working longer than everyone else anyway. It only recently got taken away from me and I miss it.
|
# ? Jun 8, 2016 18:48 |
|
Toshimo posted: Yeah, this is the hot seat you don't want to be on and I don't think, if you were anywhere near it, you'd even consider for a second trying to your way out: https://www.youtube.com/watch?v=ZcW0x_4iVMA

They cut the best part of this video off in the segment. After he gets done having an absolutely amazing meltdown at this lady who obviously doesn't know what is going on they cut away from him and he mumbles "Unbelievable" in a pissed off voice into his still on microphone. https://www.youtube.com/watch?v=cNO7BihmRXI 1:09:15
|
# ? Jun 8, 2016 18:52 |
|
Hughmoris posted: Recently given an option of WFH for one day, or working four 10-hr days. Decisions decisions...

4 10hr days hands down. WFH usually means you work longer as an overall average. This is probably a double post.
|
# ? Jun 8, 2016 18:53 |
|
Virigoth posted: They cut the best part of this video off in the segment. After he gets done having an absolutely amazing meltdown at this lady who obviously doesn't know what is going on they cut away from him and he mumbles "Unbelievable" in a pissed off voice into his still on microphone.

What do you mean CISO isn't just a position where I make a lot of money and not know what's going on?
|
# ? Jun 8, 2016 18:55 |
|
Sickening posted: What do you mean CISO isn't just a position where I make a lot of money and not know what's going on?

The moment she said "a holistic approach" I almost broke out laughing. There is nothing else you can say that is more likely to tell a professional that you have NO loving CLUE what you are talking about.
|
# ? Jun 8, 2016 19:10 |
|
FireSight posted: The moment she said "a holistic approach" I almost broke out laughing. There is nothing else you can say that is more likely to tell a professional that you have NO loving CLUE what you are talking about.
|
# ? Jun 8, 2016 19:23 |
|
anthonypants posted: Technically, a holistic approach is a very good thing.

Yea, it's buzzwordy, but looking at the security of the whole system and not just disconnected parts is a good thing. Defense in depth is a holistic approach.
|
# ? Jun 8, 2016 19:44 |
|
NippleFloss posted: Yea, it's buzzwordy, but looking at the security of the whole system and not just disconnected parts is a good thing. Defense in depth is a holistic approach.

While the word itself has meaning, the people who USE the word typically use it as a way to say "We are doing stuff, but I have no idea what, and I'm hoping you don't ask for more than superficial details."
|
# ? Jun 8, 2016 20:09 |