|
Yeah I use WSUS for Windows, more looking for something to do Adobe, Java, etc. Something to buy and drop in with minimal configuration.
|
# ? Jan 16, 2017 21:52 |
|
PDQDeploy seems to be well-loved, but I've never used it. Its sister product, PDQInventory, is good.
|
# ? Jan 16, 2017 21:56 |
|
Priz posted: I know basic IT stuff... desktop support, some unix over the years... most of my job as of late is troubleshooting PC/Mac stuff... so my knowledge/training has really dropped off...

Xenserver is a virtualization platform, you would still need Windows Server licenses. Anywhere you find Windows Server standard edition for less money than the Microsoft store is not legit and you may as well go to that place with the pirate ship for your copy. What is this "server" you were given?
|
# ? Jan 16, 2017 22:49 |
|
Priz posted: I know basic IT stuff... desktop support, some unix over the years... most of my job as of late is troubleshooting PC/Mac stuff... so my knowledge/training has really dropped off...

Windows 2012 R2 Essentials can join an existing domain, it just needs to have all of the domain controller functions moved to it within 21 days of joining. I'm sure there's a way to extend that if needed.
|
# ? Jan 16, 2017 23:05 |
|
thebigcow posted: Xenserver is a virtualization platform, you would still need Windows Server licenses.

The server is an HP ProLiant SE316M1 which has 2x2.27GHz cpus and 84GB of memory currently. IE: with other machines in here... (and another main network), I don't think it'd be possible for it to be the dc...
|
# ? Jan 16, 2017 23:40 |
|
I can't think of any good reason why it couldn't be the DC, it would just take a bit of work to move those roles off the other servers and onto the new one. Not trying to be a dick, but this is one of those instances where it makes sense to pay someone who knows what they are doing to come in and straighten things out for you guys.
|
# ? Jan 16, 2017 23:45 |
|
What exactly are the rules surrounding Essentials? Could you just make it a RODC with no FSMO and forget about it? It would be pretty dumb, even in an entry level product, to prevent you from say giving Microsoft twice as much money so you could have a pair of DCs.
|
# ? Jan 16, 2017 23:50 |
|
GreenNight posted: What do you guys use for enterprise 3rd party patch management? Don't care about the costs, just want it to be easy to use.

I've used Shavlik Patch for just about every environment I've taken charge of. It integrates nicely with SCCM and is pretty easy to manage. The software library hits all the right marks for me.

Sacred Cow fucked around with this message at 01:40 on Jan 17, 2017
|
# ? Jan 17, 2017 01:31 |
|
Yeah I'm going to install the demo for the Shavlik standalone product, also probably GFI, and Cloud Management Suite. We do have SCCM but we only use it for OS deployments, never for software or patching.
|
# ? Jan 17, 2017 01:43 |
|
GreenNight posted: Butt Management Suite.

Extension keeps on delivering
|
# ? Jan 17, 2017 01:48 |
|
anthonypants posted: PDQDeploy seems to be well-loved, but I've never used it. Its sister product, PDQInventory, is good.

I just got licenses for both on the new year. Either works great as standalone products, but having both together is pretty loving cool.
|
# ? Jan 17, 2017 01:57 |
|
GreenNight posted: We do have SCCM but we only use it for OS deployments, never for software or patching.
|
# ? Jan 17, 2017 04:17 |
|
Cause it's just me and I don't have the time nor the patience to learn how to do more. Oh I guess we use it for AV too.
|
# ? Jan 17, 2017 04:19 |
|
If you're using it for AV then you're like 75% of the way to using it for patching (at least for just Microsoft products).
|
# ? Jan 17, 2017 04:42 |
|
I use WSUS so I'm good with Microsoft patching. It's everything else that we currently don't do at all.
|
# ? Jan 17, 2017 04:52 |
|
Why would you pay for SCCM but not use the core features it's meant for
|
# ? Jan 17, 2017 04:55 |
|
We get it with our core cal licensing. Took us years to even get this far. We didn't pay for it separately. We used to use Zenworks and McAfee.
|
# ? Jan 17, 2017 04:57 |
|
CLAM DOWN posted: Why would you pay for SCCM but not use the core features it's meant for

Where I am, replace "SCCM" with "LANDESK" and I wonder the same thing. At least in that case the answer will likely be "because it's LANDESK."
|
# ? Jan 17, 2017 19:50 |
|
My dudes, I just watched the new security feature rolled into win 10 v1511\later and Server 2016 called credential guard. https://mva.microsoft.com/en-US/training-courses/deep-dive-into-credential-guard-16651 Fortunately each video module is only 5 minutes long. Really neat stuff.
|
# ? Jan 19, 2017 20:25 |
|
incoherent posted: My dudes, I just watched the new security feature rolled into win 10 v1511\later and Server 2016 called credential guard.

It's my favourite feature too and is reason alone to move to Windows 10 despite all the other benefits
|
# ? Jan 19, 2017 20:27 |
|
Can anyone point me to a good guide/outline of group policy settings I should use to limit and hopefully seriously stymie the proliferation of malware/bloatware poo poo on workstations?
|
# ? Jan 23, 2017 22:24 |
|
Gozinbulx posted: Can anyone point me to a good guide/outline of group policy settings I should use to limit and hopefully seriously stymie the proliferation of malware/bloatware poo poo on workstations?

The one that standardizes who is allowed to be in the local admin group. The one that covers windows updates and enforces them to install and reboot. The one that covers with removable media. Web and email control aren't really well done in group policy.
|
# ? Jan 23, 2017 22:34 |
|
Sickening has a good start, and his points about web control and email control are spot on. I'd suggest looking at something like OpenDNS for web filtering and Mimecast for spam / email AV filtering.
|
# ? Jan 23, 2017 22:39 |
|
Gozinbulx posted: Can anyone point me to a good guide/outline of group policy settings I should use to limit and hopefully seriously stymie the proliferation of malware/bloatware poo poo on workstations?

What Sickening said. I would look up Microsoft's recommended baseline group policy, but Sickening gave you the stuff to get started with. Depending on your size/budget you can use appliances or applications to do email and content filtering. I work with a lot of fortigates/fortinets that act as firewalls and content filters, they seem to do a good job at both, but I'm not a security guy so perhaps there are better ways to go about it, and obviously it depends on your current environment.

MF_James fucked around with this message at 22:44 on Jan 23, 2017
|
# ? Jan 23, 2017 22:41 |
|
Also https://www.ncsc.gov.uk/guidance/end-user-device-security and https://usgcb.nist.gov/usgcb/microsoft/download_win7.html
|
# ? Jan 23, 2017 22:46 |
|
Thanks guys, a lot to go by. Out of curiosity, is there a group policy method to forbid the execution of msi's or other installer packages (short of whitelisting executables and banning everything else)? All these workstations are non-admin yet I swear to god every couple of months I walk in and loving ROBLOX player is on there, I don't even know what it is (some kind of game thing) and I have no idea how they are allowed to install it.
|
# ? Jan 24, 2017 17:28 |
|
Gozinbulx posted: Thanks guys, a lot to go by.

Well in theory controlling where they can browse on the internet would help this. Applocker is fine-ish. It just takes a lot of planning and the realization that it isn't a catch all. You really need to get control of email and web before you can expect to make any real progress beyond the basics.
|
# ? Jan 24, 2017 17:36 |
|
Gozinbulx posted: Thanks guys, a lot to go by.

Yes, almost all of these applications 'install' and execute out of the user profile directories because it doesn't require admin credentials, and there is a gpo that can prevent the running of executables from those directories. This will break some things (Dropbox, for instance) but you can work around that as needed.
|
# ? Jan 24, 2017 19:05 |
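
Added example, not part of any post above: a read-only PowerShell inventory of executables and installers already sitting in user-profile directories, so you can see which per-user applications (the Dropbox case mentioned above) a deny-from-profile policy would break before it is enforced. The list of subfolders and extensions is an assumption; adjust it to your environment and run it elevated so every profile is readable.

```powershell
# Added example: inventory executables living under user profiles (read-only).
$extensions  = '.exe', '.msi', '.bat', '.cmd', '.scr'
$subFolders  = 'AppData\Local', 'AppData\Roaming', 'Downloads', 'Desktop'
$profileRoot = Join-Path $env:SystemDrive 'Users'

$report = foreach ($userDir in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($sub in $subFolders) {
        $path = Join-Path $userDir.FullName $sub
        if (-not (Test-Path -LiteralPath $path)) { continue }

        Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                # Signature data tells you whether an exception could be written
                # per publisher instead of per path.
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    User      = $userDir.Name
                    Path      = $_.FullName
                    Signed    = $sig.Status -eq 'Valid'
                    Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Modified  = $_.LastWriteTime
                }
            }
    }
}

# Signed software grouped by publisher: candidates for deliberate exceptions.
$report | Where-Object Signed | Group-Object Publisher |
    Sort-Object Count -Descending | Select-Object Count, Name

# Unsigned files, newest first: the things the policy is meant to stop.
$report | Where-Object { -not $_.Signed } | Sort-Object Modified -Descending |
    Format-Table User, Path, Modified -AutoSize
```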
|
Has anyone really used LAPS yet? (https://technet.microsoft.com/en-us/library/security/3062591.aspx) Our current setup is ERPM and we disable built-in admin/guest, then create a separate admin and utilize ERPM to manage/rotate the password as needed. Moving forward we would disable guest and then let LAPS manage the built-in admin password. This will save our client roughly 200K a year, so it's something that is getting pushed, provided we don't hit showstoppers. For those that have used it, any issues/gotchas/whatevers?
|
# ? Jan 26, 2017 20:57 |
|
MF_James posted: Has anyone really used LAPS yet? (https://technet.microsoft.com/en-us/library/security/3062591.aspx)
|
# ? Jan 26, 2017 21:01 |
|
MF_James posted: Has anyone really used LAPS yet? (https://technet.microsoft.com/en-us/library/security/3062591.aspx)

I have LAPS about 50% deployed right now, should have 100% coverage in a couple months. LAPS is enforced by GPO and AD ACL's. The extended attributes do store the password in plain text, but if you follow the instructions for setting permissions, you should have a reasonable expectation of security. Passwords only update when the computer boots up and processes group policy. The password reset works by setting the expiration date to the current date-time. The GUI is terrible, but the powershell module is great.

wyoak posted: I use it and have never had an issue with it - it doesn't have to manage the built-in admin account, if you wanted to keep using the separate admin account.

This is the way I do it as well, and afaik is the recommended best practice, since the built-in admin sid is a known constant.
|
# ? Jan 26, 2017 21:04 |
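
Added example, not part of any post above: a PowerShell check of the two things the post describes, using the LAPS module (AdmPwd.PS) and the RSAT ActiveDirectory module. It lists who holds rights to read the plain-text password attribute on an OU and reports how much of that OU actually has a current LAPS password. The OU path and the computer name in the last comment are placeholders.

```powershell
# Added example; the OU below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory   # RSAT
Import-Module AdmPwd.PS         # installed with the LAPS management tools

$ou = 'OU=Workstations,DC=example,DC=com'

# 1. Who can read the stored password? Holders of extended rights on the OU can
#    read the plain-text ms-Mcs-AdmPwd attribute, so this list should be short.
Find-AdmPwdExtendedRights -Identity $ou |
    Format-Table ObjectDN, ExtendedRightHolders -AutoSize

# 2. Coverage. No expiration timestamp: the machine has never stored a LAPS
#    password. Timestamp in the past: it has not processed policy since expiry.
$now   = (Get-Date).ToFileTimeUtc()
$props = 'ms-Mcs-AdmPwdExpirationTime', 'LastLogonTimestamp'

$coverage = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' -Properties $props |
    ForEach-Object {
        $exp = $_.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Name      = $_.Name
            State     = if ($null -eq $exp) { 'NotManaged' }
                        elseif ($exp -lt $now) { 'Expired' }
                        else { 'Current' }
            Expires   = if ($exp) { [datetime]::FromFileTimeUtc($exp) }
            LastLogon = if ($_.LastLogonTimestamp) {
                            [datetime]::FromFileTimeUtc($_.LastLogonTimestamp)
                        }
        }
    }

$coverage | Group-Object State | Select-Object Name, Count
$coverage | Where-Object State -ne 'Current' |
    Sort-Object State, Name | Format-Table -AutoSize

# 3. Rotating one machine's password works by moving its expiration time;
#    the change happens at that machine's next group policy refresh.
# Reset-AdmPwdPassword -ComputerName 'PC-PLACEHOLDER' -WhenEffective (Get-Date)
```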
|
Perhaps we aren't going back to the built-in admin account. Initially I thought LAPS could ONLY handle the built-in, but perhaps it has changed since I last looked at it (it's been a while). I am not specifically involved in the project, but figured I'd see what others have experienced.
|
# ? Jan 26, 2017 21:09 |
|
Yeah, you can specify what account it rotates the password on - one of the domains I manage a previous admin decided to put in a GPO that renames administrator to something else entirely. Works great, especially if there's an instance where someone is remote and you have to give them admin to fix their vpn client or whatever, who gives a poo poo if you give them the password, mark it to reset the next day. That, combined with a set of group policies that purge all local admins except the specified IT groups as well as a per-computer account security group makes it very easy to audit who has local admin. Wanna give someone local admin? Just create a domain local security group named "%COMPUTERNAME% Administrators," drop the person in there, and they're good to go. If that user you give the local admin to is smart enough to add themselves as local admin, this GPO will blow them away at the next gpo refresh interval.

devmd01 fucked around with this message at 21:18 on Jan 26, 2017
|
# ? Jan 26, 2017 21:15 |
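
Added example, not part of any post above: a PowerShell audit of the local Administrators group against the scheme described in that post (IT groups plus a per-computer "COMPUTERNAME Administrators" domain group). The domain name, IT group names and the optional extra local account are placeholders; `Get-LocalGroupMember` needs Windows PowerShell 5.1.

```powershell
# Added example; domain and group names are placeholders, not from the thread.
function Get-UnexpectedLocalAdmin {
    param(
        [string]$Domain        = 'EXAMPLE',
        [string[]]$ItGroups    = @('Domain Admins', 'IT Workstation Admins'),
        [string[]]$LocalAdmins = @()   # e.g. a separate LAPS-managed local account
    )

    $allowed  = @($ItGroups    | ForEach-Object { "$Domain\$_" })
    $allowed += @($LocalAdmins | ForEach-Object { "$env:COMPUTERNAME\$_" })
    $allowed += "$Domain\$env:COMPUTERNAME Administrators"

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        # The built-in local administrator always has RID 500, even when a GPO
        # has renamed it, so match it by SID rather than by name.
        $isBuiltin = $_.PrincipalSource -eq 'Local' -and
                     $_.SID.Value -like 'S-1-5-21-*-500'

        if (-not $isBuiltin -and $allowed -notcontains $_.Name) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name
                Class    = $_.ObjectClass
                Source   = $_.PrincipalSource
            }
        }
    }
}

# Local check: any output is a member the policy should have purged.
Get-UnexpectedLocalAdmin | Format-Table -AutoSize

# Remote check over PowerShell remoting (placeholder computer names):
# Invoke-Command -ComputerName 'PC-01', 'PC-02' -ScriptBlock ${function:Get-UnexpectedLocalAdmin}
```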
|
devmd01 posted: Yeah, you can specify what account it rotates the password on - one of the domains I manage a previous admin decided to put in a GPO that renames administrator to something else entirely.
|
# ? Jan 26, 2017 21:33 |
|
painpoints from what i've read over at /r/sysadmin

quote: If you delete the computer account from AD you lose the password for the local admin account.
|
# ? Jan 27, 2017 01:46 |
|
incoherent posted: painpoints from what i've read over at /r/sysadmin

1. Don't delete computer objects unless the hardware is being decommissioned.
2. If the computer is still a member of AD, the password will update.
|
# ? Jan 27, 2017 02:03 |
|
re #2: It falls under those "lost trust with the domain" situations. I agree with not deleting the object. There has to be a hard reason to delete it (or reuse object names).
|
# ? Jan 27, 2017 02:15 |
|
incoherent posted: re #2: It falls under those "lost trust with the domain" situations. I agree with not deleting the object. There has to be a hard reason to delete it (or reuse object names).

In that situation I'd prefer to re-image the computer fresh, then extract any data I need from the backup image separately. If that's not an option you're already in a special shitflake situation and there are a bunch of tools out there for wiping local passwords.
|
# ? Jan 27, 2017 02:27 |
|
Crosspost from infosec thread

https://isc.sans.edu/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+%280+Day+Exploit%29/22029 (vuln analysis)
https://github.com/lgandx/PoC/blob/master/SMBv3%20Tree%20Connect/Win10.py (PoC)
http://www.kb.cert.org/vuls/id/867968
https://isc.sans.edu/diaryimages/smbexploit.pcap (sample pcap, look at the bytes on packet 27)

quote: Windows SMBv3 Denial of Service Proof of Concept (0 Day Exploit)

quote: Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.
|
# ? Feb 3, 2017 20:02 |
|
StorSimple is now available as a VM rather than the fairly high entry price of the physical appliances. https://azure.microsoft.com/en-us/blog/storsimple-new-offers/ I don't think this is a Nasuni competitor since it doesn't appear to try and provide the global file share across multiple offices, but it's a very keen price if the features work for you.
|
# ? Feb 3, 2017 21:15 |