You just know that if a VPN is too complicated for them then password strength requirements will probably be as well. Put the Terminal Server on its own VLAN so when it does get popped the damage will be limited. Or look for some kind of solution which integrates connecting to the VPN and opening the RDP session.
|
# ? Jul 25, 2016 10:29 |
|
spiny posted: We have a customer that wants to enable RDP access for their home users. I know this is generally seen as 'bad' but I don't think they will budge on this, and don't want to have to VPN in first, just straight RDP.
Isn't the MS RDP gateway product designed for this? All that exposes is 80 (443?).
|
# ? Jul 25, 2016 11:43 |
|
Can you proxy RDP in the non-Linux clients? I'm picturing something like ssh with dynamic port forwarding, effectively running a socks proxy on a jumphost. That way you're not technically VPNing but still have actual auth to get into your network. Hell, could probably have it be part of a powershell "click here to Remote Desktop" script.
|
# ? Jul 25, 2016 11:47 |
|
KennyTheFish posted: Isn't the MS RDP gateway product designed for this? All that exposes is 80 (443?).
Yeah, pretty much. Remote Desktop Gateway is the way to go for this. Remote Desktop Web Access is handy as well.
|
# ? Jul 25, 2016 11:56 |
|
Jeoh posted: Yeah, pretty much. Remote Desktop Gateway is the way to go for this. Remote Desktop Web Access is handy as well.
Interesting, I'll do a bit of research. Cheers!
|
# ? Jul 25, 2016 12:59 |
|
If you do wind up having to go the route of exposing RDP to the internet at large, you could consider RDPGuard. It's basically fail2ban but for Windows.
|
# ? Jul 25, 2016 13:06 |
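What a fail2ban-style tool such as RDPGuard does under the hood, as an added example that is not from the thread or from RDPGuard itself: count failed logons (Security event ID 4625) per source IP and report sources that exceed a threshold inside a sliding window, so they can be reviewed or fed to a firewall rule. Function and parameter names are assumptions, and the sample events at the bottom are constructed rather than real log data.

```powershell
# Added example: per-source aggregation of failed logons, the core of a fail2ban-style
# detector for exposed RDP. Names are assumptions; the sample events are constructed.

function Get-RdpBruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,   # objects with Time, IpAddress, TargetUserName
        [int] $Threshold = 5,                              # failures inside one window that trigger a report
        [timespan] $Window = (New-TimeSpan -Minutes 10)    # sliding window evaluated per source IP
    )
    $FailedLogons |
        Where-Object { $_.IpAddress -and $_.IpAddress -notin @('-', '127.0.0.1', '::1') } |
        Group-Object IpAddress |
        ForEach-Object {
            $events = @($_.Group | Sort-Object Time)
            # Two-pointer sweep over the sorted failures: largest burst that fits inside $Window.
            $maxBurst = 0; $start = 0
            for ($i = 0; $i -lt $events.Count; $i++) {
                while ($events[$i].Time - $events[$start].Time -gt $Window) { $start++ }
                $maxBurst = [math]::Max($maxBurst, $i - $start + 1)
            }
            if ($maxBurst -ge $Threshold) {
                [pscustomobject]@{
                    IpAddress = $_.Name
                    Failures  = $events.Count
                    PeakBurst = $maxBurst
                    Accounts  = ($events.TargetUserName | Sort-Object -Unique) -join ','
                }
            }
        }
}

# Live input: pull 4625 events from the Security log (needs an elevated shell).
function Get-FailedLogonsFromSecurityLog {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time           = $_.TimeCreated
                TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                IpAddress      = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
}
# Constructed sample: one source hammering two accounts, one user with a single typo.
$t0 = Get-Date '2016-07-25 10:00:00'
$sample = 0..6 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); IpAddress = '203.0.113.10'; TargetUserName = @('administrator', 'admin')[$_ % 2] } }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(3); IpAddress = '192.0.2.44'; TargetUserName = 'jsmith' }
Get-RdpBruteForceSources -FailedLogons $sample   # reports 203.0.113.10 only; 192.0.2.44 stays below the threshold
```

On a real host replace the constructed `$sample` with `Get-FailedLogonsFromSecurityLog` output; if the Gateway or RDP host only ever sees `IpAddress` of `-`, enable NLA so the client address is recorded in the 4625 event.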
|
spiny posted: We have a customer that wants to enable RDP access for their home users. I know this is generally seen as 'bad' but I don't think they will budge on this, and don't want to have to VPN in first, just straight RDP.
You should take the advice here, but also leave some kind of e-mail chain that shows you recommending RDP over VPN and the client rejecting it. I'm not sure how big the company you work for is, but this is the kind of decision that seems like legal would need the full CYA treatment before going forward. Like yeah, I'm sure if you put the right policies in then maybe it wouldn't be a dumpster fire. On the other hand, a VPN is really the thing to do. Publicly routable RDP just seems risky.
|
# ? Jul 25, 2016 13:19 |
|
Mo_Steel posted: How does he even have other mapped drives at that level of understanding? Did a VAR setup Group Policy for his company or something?
I have literally no idea. The guy is literally the dumbest "IT Professional" I've ever met. He can't do even the most basic things you'd expect someone who's walked past a computer store once in their life would be able to do. It's inexplicable.
|
# ? Jul 25, 2016 14:18 |
|
ErIog posted: You should take the advice here, but also leave some kind of e-mail chain that shows you recommending RDP over VPN and the client rejecting it. I'm not sure how big the company you work for is, but this is the kind of decision that seems like legal would need the full CYA treatment before going forward.
100% in agreement.
|
# ? Jul 25, 2016 15:20 |
|
spiny posted: We have a customer that wants to enable RDP access for their home users. I know this is generally seen as 'bad' but I don't think they will budge on this, and don't want to have to VPN in first, just straight RDP.
RDP gateway is normally pretty secure, isn't it?
|
# ? Jul 25, 2016 15:58 |
|
The school had the floors waxed. No one told me they were doing this. The company they hired unplugged everything. The company they hired destroyed everything. I have until tomorrow morning to completely redo every classroom and office. gently caress my loving life.
|
# ? Jul 25, 2016 17:11 |
|
larchesdanrew posted: The school had the floors waxed.
Buffalo giveth and Buffalo taketh away.
|
# ? Jul 25, 2016 17:16 |
|
larchesdanrew posted: The school had the floors waxed.
And this is all your fault.
|
# ? Jul 25, 2016 17:17 |
|
Jeoh posted: Buffalo giveth and Buffalo taketh away.
|
# ? Jul 25, 2016 17:25 |
|
Jeoh posted: Buffalo taketh and Buffalo giveth away.
|
# ? Jul 25, 2016 17:26 |
|
Nerd Club assemble!!!!
|
# ? Jul 25, 2016 17:41 |
|
larchesdanrew posted: The school had the floors waxed.
That's because it's none of your concern.
|
# ? Jul 25, 2016 17:41 |
|
stubblyhead posted: Nerd Club assemble!!!!
Perfect training opportunity for the newly formed IT club.
|
# ? Jul 25, 2016 17:46 |
|
Potato Alley posted: That's because it's none of your concern.
... but you totally demonstrated a lack of team spirit, leadership, and go-getter mentality by failing to be prepared and account for situations such as this. Your failure here will be noted in your employee record.
|
# ? Jul 25, 2016 17:47 |
|
larchesdanrew posted: The school had the floors waxed.
k-12_summer.txt
|
# ? Jul 25, 2016 18:30 |
|
larchesdanrew posted: The school had the floors waxed.
Go out and do an emergency contract with some local company to fix those problems, and bill it directly to the school.
|
# ? Jul 25, 2016 18:31 |
|
larchesdanrew posted: The school had the floors waxed.
When I worked for a city, including schools, they would take the entire summer to clean; they'd just take every computer and shove it into the hallway. No, summer wasn't a time to close tickets; no, it wasn't the time to get projects done. It was the time to ignore the schools and do city stuff like Police and Fire. Cleaning would finish the day teachers would be back to start setting up classrooms, about a week before school starts. It was horrible because a bunch of teachers would open tickets about their stuff not working. We also had a bunch of computers that just would suddenly not know what the domain was, or would blue screen. (Pentium 4s in 2014/2015; you end up with chip creep and dead parts.) 3-4 guys depending on the year trying to set up over a dozen schools with thousands of computers and verify that Google is reachable from each of them. It takes over a week easily. I'm so glad I'm not part of that dumpster fire this year and moved on. They are still using the Pentium 4s for student computers but hey! Teachers got i7 laptops! (They hate them and wanted desktops when I handed them out.)
|
# ? Jul 25, 2016 18:32 |
|
Spent an hour today on a conference call and said two sentences. One was when I entered the conference bridge to introduce myself/company. Second was at the end when the customer apologized directly to me that I wasn't really needed and I replied they can contact me if they need any more documentation or traces for the issue they are having with their network (that has nothing to do with us, we just pointed out the issue to them). Got some good web browsing in during the conference and read up on MPLS networks a bit since half of the conference was spent talking about their MPLS setup.
|
# ? Jul 25, 2016 20:37 |
|
spiny posted: We have a customer that wants to enable RDP access for their home users. I know this is generally seen as 'bad' but I don't think they will budge on this, and don't want to have to VPN in first, just straight RDP.
The MS RD gateway works really really well for this. You can set a shitload of rules on who and what can connect to which machines, time and possibly geolocation restrictions, all it needs is 443 and I think 80 exposed to the internet, and it's extremely easy to set up. The most annoying part is getting a valid SSL cert, but that shouldn't be an issue for a business, unless your boss is a super huge tightwad about spending. Then I think you can script a LetsEncrypt certificate renewal to work. Edit: We had it set up at my office and it worked super well, we had no issues and never had more than a token attempt to gain access by bots and web trawlers.
Methylethylaldehyde fucked around with this message at 20:51 on Jul 25, 2016 |
# ? Jul 25, 2016 20:48 |
|
Jeoh posted: Buffalo giveth and Buffalo taketh away.
New thread title please moooooooooooooooooooooooooods
|
# ? Jul 26, 2016 09:24 |
|
Methylethylaldehyde posted: The most annoying part is getting a valid SSL cert, but that shouldn't be an issue for a business, unless your boss is a super huge tightwad about spending. Then I think you can script a LetsEncrypt certificate renewal to work.
Yeah, you can get Let's Encrypt to work but it's super kludgy for RDP Gateway.
|
# ? Jul 26, 2016 16:23 |
|
I really wish there were more options for rack mounting the trash can Mac Pros because the Sonnet enclosures we use are Hot poo poo. The enclosure by Magma (http://magma.com/products/thunderbolt-expansion/mac-pro-rackmount-kit/) looks slightly better but super exposed...which is actually okay because the Sonnet enclosures don't actually have Thunderbolt on the back.
|
# ? Jul 26, 2016 18:19 |
pr0digal posted: I really wish there were more options for rack mounting the trash can Mac Pros because the Sonnet enclosures we use are Hot poo poo. The enclosure by Magma (http://magma.com/products/thunderbolt-expansion/mac-pro-rackmount-kit/) looks slightly better but super exposed...which is actually okay because the Sonnet enclosures don't actually have Thunderbolt on the back.
Lol, Apple
|
|
# ? Jul 26, 2016 18:25 |
|
Segmentation Fault posted: Lol, Apple
I work in media so a lot of what I work with is Apple, that's the way it is. Though we're starting to move away from it on the server side, putting in Linux boxes as much as possible. In certain cases, such as CatDV Worker Node and Telestream Episode, it's still Apple systems.
pr0digal fucked around with this message at 18:40 on Jul 26, 2016 |
# ? Jul 26, 2016 18:38 |
|
pr0digal posted: I really wish there were more options for rack mounting the trash can Mac Pros because the Sonnet enclosures we use are Hot poo poo. The enclosure by Magma (http://magma.com/products/thunderbolt-expansion/mac-pro-rackmount-kit/) looks slightly better but super exposed...which is actually okay because the Sonnet enclosures don't actually have Thunderbolt on the back.
I'm sorry, am I looking at this correctly? It's $400 to mount a single Mac Pro in a 4U rack shelf?
|
# ? Jul 26, 2016 18:46 |
|
lmfao at the trash can apple and having to use it professionally just l m f a o
|
# ? Jul 26, 2016 18:49 |
|
It looks like a rack shelf and long zip ties would do equally as good a job as the $400 option. The only real answer for Apple not making servers any more is to migrate your workflow to applications that run on actual servers, but I appreciate that's a longer-term aim. gently caress having a 'server' that you need to drag a display and keyboard to whenever something goes wrong.
|
# ? Jul 26, 2016 18:55 |
|
Thanks Ants posted: It looks like a rack shelf and long zip ties would do equally as good a job as the $400 option.
You don't? Why can't you just log in remotely like normal people?
|
# ? Jul 26, 2016 18:57 |
|
Actually I'm kind of surprised nobody is making a commercial version of the solution imgix came up with.
|
# ? Jul 26, 2016 19:05 |
|
I have it on direct authority that a recent and extremely successful major motion picture that used the new Mac Pros for picture editing chucked 11 of them in the trash over a 6 month period due to hardware failure. They run extremely hot and are experiencing very similar graphics chipset failures to the previous couple of Macbook Pro revisions. They also used Adon'tbe Premiere but that's another story...
|
# ? Jul 26, 2016 19:09 |
|
Thanks Ants posted: It looks like a rack shelf and long zip ties would do equally as good a job as the $400 option.
Yeah, it doesn't have LOM unfortunately, but for everything else that's where ARD and SSH come in. Also the Sonnet one is ~$900 for the dual configuration and it's a piece of poo poo. And yes, for everything that isn't Mac specific it's starting to poo poo over to actual servers. Telestream Episode runs so much better on Windows (since it depends on cores) but CatDV on Windows is annoying the hell out of me. The majority of clients are on Macs and it's much easier from a path mapping perspective to keep everything on Macs for the Worker Nodes and such. The other MAM we sell (Reach Engine) runs entirely on Linux servers and our sync servers are Linux servers as well. So we are moving away from it, but for certain deployments we have to go Apple. *edit* Yeah, I'm not a fan of the new Mac Pros, they just have a super high rate of failure. A lot of clients have started using iMacs as editing platforms and only using the Mac Pros for "high end" uses. Basically all our clients run Premiere, though a few have Avid deployments and even fewer run Final Cut.
|
# ? Jul 26, 2016 19:12 |
|
Arsten posted: You don't? Why can't you just log in remotely like normal people?
I like having a way into things when the OS has fallen over that doesn't involve physical machine access. Granted, a third-party IP KVM with remote USB media support could bridge the gap slightly, but it's nicer when it's integrated into the system.
|
# ? Jul 26, 2016 19:18 |
|
Dillbag posted: I have it on direct authority that a recent and extremely successful major motion picture that used the new Mac Pros for picture editing chucked 11 of them in the trash over a 6 month period due to hardware failure. They run extremely hot and are experiencing very similar graphics chipset failures to the previous couple of Macbook Pro revisions.
Well clearly literally looking like a trashcan is more important than making sure your high end computer offering can cool itself.
|
# ? Jul 26, 2016 19:21 |
|
Thanks Ants posted: I like having a way into things when the OS has fallen over that doesn't involve physical machine access. Granted a third-party IP KVM with remote USB media support could bridge the gap slightly but it's nicer when it's integrated into the system.
Oh, sorry. I didn't grasp the OOB context. My bad.
|
# ? Jul 26, 2016 19:22 |
|
We have two distribution lists for our NY office. One of which has been hit by phish attempts twice in the last month. Fortunately, our users are smart enough to ignore and delete, and I ran my script from a few pages back to remove the offending mail from all mailboxes, but I want to make these distros internal only. I tried removing their @companyname.com SMTP addresses but that threw errors in users' Outlook clients stating the address is no longer valid. I wanted to set the Accept Messages From to Enterprise Users or Domain Users, but those aren't selectable options - just individual users. Is there any way I can restrict delivery to stop external messages? I have a ticket in to our corporate IT office to block traffic at the spam filter but I wanted to have something a bit quicker and easier to maintain on our side. I don't have access to make changes to the filter, just to work with quarantines of users in our OU.
|
# ? Jul 26, 2016 20:01 |
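The Exchange-side fix for the distribution-list question above, as an added example that is not from the thread: a group can be restricted to authenticated senders from the Exchange Management Shell without removing its SMTP address, so Outlook clients keep resolving it and external mail is rejected with an NDR instead of being delivered. The function names are assumptions and 'NY-Office' is a placeholder group name.

```powershell
# Added example: make a distribution group internal-only by rejecting unauthenticated
# senders. Function names are assumptions; 'NY-Office' is a placeholder group name.

function Set-DistributionGroupInternalOnly {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [switch] $WhatIf    # dry run: show what would change without changing it
    )
    # Record the before state so the change is auditable in the ticket.
    Get-DistributionGroup -Identity $Identity -ErrorAction Stop |
        Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled

    # Accept mail only from authenticated (internal) senders. The SMTP address stays
    # in place, so cached Outlook entries keep working; external mail gets an NDR.
    Set-DistributionGroup -Identity $Identity -RequireSenderAuthenticationEnabled $true -WhatIf:$WhatIf

    # Return the after state for confirmation.
    Get-DistributionGroup -Identity $Identity |
        Select-Object Name, RequireSenderAuthenticationEnabled
}

# Inventory: every group that still accepts external mail, to decide which
# others (beyond the two NY lists) should get the same treatment.
function Get-ExternallyReachableGroups {
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        Select-Object Name, PrimarySmtpAddress
}

Get-ExternallyReachableGroups
Set-DistributionGroupInternalOnly -Identity 'NY-Office' -WhatIf   # dry run first, then rerun without -WhatIf
```

If some lists must still receive mail from a known outside partner, leave RequireSenderAuthenticationEnabled off for those and use a transport rule scoped to that sender instead; this script assumes the NY lists are internal-only.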