Leaving access for someone who just lost their job? What's the worst that could happen?

May 15, 2017 15:08

Deuce posted: Leaving access for someone who just lost their job? What's the worst that could happen?

Whatever it is, it'd be IT's fault regardless for not being psychic.

May 15, 2017 17:36

nexxai posted: I run https://fsrm.experiant.ca - can you tell when WanaCrypt news started breaking out?

I really need to thank you for running it, it's saved my corporate bacon more than once.

May 15, 2017 20:55

Lynxifer posted: I really need to thank you for running it, it's saved my corporate bacon more than once.

May 15, 2017 21:45

nexxai posted: You have no idea how big a smile that puts on my face when I hear people tell me that it's saved them. 2 separate ransomware attacks in a week were what caused me to put this project together, and during those attacks, I think I maybe slept 5 hours that week from the stress. To know that I'm helping other people literally get some sleep gives me nothing but the happiest feeling in my heart.

I too love it. All I've ever gotten are false positives but it's really nice. I don't lose sleep worrying about it, but I really don't want to spend a weekend fixing a massive mess, or possibly lose my job because it would take several days to recover, if not from an overreaction then to the company going under. We have VMs but nothing in place to leverage them in backup; everything is still file level and on the "to purchase" list and keeps getting promised. Management thinks they are okay with losing a day of work, but it would be a nightmare and probably actually be 2-3 days of effective time lost: 1 because the backup would be the previous day, 2 to get everything back and running normally, and another for users to figure out what is missing and re-enter data. Stuff would still get missed by users because they already did that! It'd be a poo poo show. I have CYA but you know it only does you so much good after explaining that you need this and someone signing off on it. I feel with this it's very likely to be mitigated enough to just having to wipe a user's machine and hopefully not nail the file server, or at least only a single share. It really depends how widespread something would get. A true 0 day SMB exploit that doesn't have a patch could be a true nightmare as it could spread to pretty much every server and a full rebuild just isn't something I want to do. I'd much rather have someone call me and tell me they can't write to a folder and it turns out a file they have with a random name just happens to have triggered the filter and locked them out. At least I know it works!

May 15, 2017 21:53

pixaal posted: I too love it. All I've ever gotten are false positives but it's really nice. I don't lose sleep worrying about it, but I really don't want to spend a weekend fixing a massive mess, or possibly lose my job because it would take several days to recover, if not from an overreaction then to the company going under. We have VMs but nothing in place to leverage them in backup; everything is still file level and on the "to purchase" list and keeps getting promised. Management thinks they are okay with losing a day of work, but it would be a nightmare and probably actually be 2-3 days of effective time lost: 1 because the backup would be the previous day, 2 to get everything back and running normally, and another for users to figure out what is missing and re-enter data. Stuff would still get missed by users because they already did that! It'd be a poo poo show.

I get a few false positives too, usually 1 every couple months. I'll gladly live with that though, the FSRM list saved my rear end last year.

May 15, 2017 22:08

I just installed it. I'm excited to add this to the list of "poo poo I'm doing to mitigate ransomware", which is a long loving list at this point. As the sole IT guy with an incompetent MSP I would be impacted the hardest, so any added security measure is better sleep at night.

May 15, 2017 22:12

KoRMaK posted: You should def read or listen to The Phoenix Project. I'm on a 3 person team and it helped me realize a bunch of stuff. From figuring out how to manage myself and my team to figuring out how to best serve the rest of the Org to add real value.

Necroquoting this, but I got the book based on KoRMaK's recommendation and will definitely second it. It's a great read both as "something to read" and as "something that has some good lessons". I'm not in a department that directly supports developers, and I know squat about DevOps and Agile and all that stuff, but I felt that a lot of the lessons apply equally as well to IT staff in general, as well as our support section. Ended up reading it again with a highlighter in hand so I could copy out notes for later!

e: Posted this because this morning I'm giving a quick presentation to our team about it during our weekly "what's happening 'round the plains" meeting.

May 15, 2017 22:14

PremiumSupport posted: I get a few false positives too, usually 1 every couple months. I'll gladly live with that though, the FSRM list saved my rear end last year.

How do you deal with the false positives, do you just restore access and move on? In our situation we have one or two specific files that were flagging, so I modified the setup script so we can supply our own second JSON feed to allow for inserting them.

May 15, 2017 22:23

Lynxifer posted: How do you deal with the false positives, do you just restore access and move on? In our situation we have one or two specific files that were flagging, so I modified the setup script so we can supply our own second JSON feed to allow for inserting them.

May 15, 2017 22:25

nexxai posted: There's already a SkipList functionality in the latest version of the script that allows you to whitelist any file extensions that are in the main list that you use in your environment.

SkipList is fair enough, but we have this deployed on about 12-15 file servers, and as far as I can see it always refers to a local copy of it. So we thought we'd centralise it.

May 15, 2017 22:43

Lynxifer posted: SkipList is fair enough, but we have this deployed on about 12-15 file servers, and as far as I can see it always refers to a local copy of it. So we thought we'd centralise it.

I don't know if there's a better way than that.

May 15, 2017 23:45

Is the FSRM stuff supposed to stop the encrypted files from writing to a share, or just to let me know when it happens?

May 16, 2017 02:01

myron cope posted: Is the FSRM stuff supposed to stop the encrypted files from writing to a share, or just to let me know when it happens?

By default it will stop it, but you can configure it to just alert you if you want for some reason. I had to turn off FSRM file screening to do an upgrade of our lovely software, and I forgot to turn it back on before I left Friday. Nothing on there but test/demo data, but it was still making me sweat till I got in on Monday and turned it on.

May 16, 2017 02:44

I'm not an admin. One thing I don't get about FSRM: if it just stops the cryptoware from writing the *.pay_me_ur_bitcoins file, won't it still delete the original anyway? Or is most ransomware coded to give up if it fails to write the encrypted file, since there wouldn't be any point in asking for money if the files are gone?

May 16, 2017 07:18

vOv posted: I'm not an admin. One thing I don't get about FSRM: if it just stops the cryptoware from writing the *.pay_me_ur_bitcoins file, won't it still delete the original anyway? Or is most ransomware coded to give up if it fails to write the encrypted file, since there wouldn't be any point in asking for money if the files are gone?

The thing that protects you with the CryptoBlocker.ps1 is that if it detects a file on the block list, it'll add an explicit deny for the user generating it. In theory, you'd only lose one file on a share before the CryptoBlocker & FSRM acted.

May 16, 2017 08:30

Lynxifer posted: The thing that protects you with the CryptoBlocker.ps1 is that if it detects a file on the block list, it'll add an explicit deny for the user generating it.

I thought that's how it worked, but I tested it and after renaming a file and getting a permission denied, I could still do whatever I wanted with other files :/

May 16, 2017 09:32
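The two mechanisms discussed above, a file screen that blocks writes of block-listed names and adds an explicit deny for the account that wrote them (Lynxifer's description), and a SkipList of locally legitimate extensions kept in one central place rather than on each of a dozen file servers (Lynxifer's earlier question), can both be expressed as plain FSRM configuration. The script below is an added example written for this thread; it is not the CryptoBlocker.ps1 script and not anything published by fsrm.experiant.ca. The feed URL, the JSON shape of the feed and skip list ({"filters": ["*.locky", ...]}), the UNC path of the central skip list and the screened share path are all assumptions.

```powershell
# Added example, not the CryptoBlocker project's own script. Builds an FSRM file
# screen from a JSON block-list feed minus a centrally stored skip list, then
# attaches two notifications: an event-log entry and an icacls deny for the
# account that produced the match.  URLs, paths and JSON shapes are assumptions.
Import-Module FileServerResourceManager

$FeedUrl     = 'https://FEED-URL-PLACEHOLDER/blocklist.json'   # assumed feed; assumed shape {"filters": [...]}
$SkipListUnc = '\\fileserver01\fsrm$\SkipList.json'            # assumed: one skip list shared by every file server
$SharePath   = 'D:\Shares'                                     # assumed screened root on this server
$GroupName   = 'Ransomware extensions (feed)'

# 1. Fetch the block patterns and subtract the central skip list.
#    -notcontains is case-insensitive, which matches how FSRM treats patterns.
$blocked = (Invoke-RestMethod -Uri $FeedUrl).filters
$skip    = @()
if (Test-Path $SkipListUnc) {
    $skip = (Get-Content -Path $SkipListUnc -Raw | ConvertFrom-Json).filters
}
$patterns = $blocked | Where-Object { $skip -notcontains $_ } | Sort-Object -Unique
if (-not $patterns) { throw 'Refusing to create an empty file group' }

# 2. Create the file group on first run, update it on later runs.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
}

# 3. Notifications.  [Source File Path], [Source Io Owner] and [File Screen Path]
#    are FSRM's own notification variables, expanded when the screen fires.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked extension written: [Source File Path] by [Source Io Owner]'

# Explicit deny on the screened root for the writing account, with (OI)(CI) so
# it inherits to the whole tree; runs as LocalSystem because the caller has no rights.
$denyAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\icacls.exe' `
    -CommandParameters '"[File Screen Path]" /deny "[Source Io Owner]":(OI)(CI)F' `
    -SecurityLevel LocalSystem

# 4. -Active makes the screen block the write (the default behaviour described in
#    the thread); leave it off for a passive, alert-only screen.
$screenArgs = @{
    Path         = $SharePath
    IncludeGroup = $GroupName
    Active       = $true
    Notification = @($logAction, $denyAction)
}
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen @screenArgs
} else {
    New-FsrmFileScreen @screenArgs
}
```

Run it on each file server; only the skip list lives centrally, so clearing a false positive means adding the offending pattern to that one JSON file and re-running. Because the deny ACE goes on the screened root with inheritance, a single match locks that account out of the entire tree, which is exactly the "user calls to say they can't write to a folder" false positive described earlier in the thread; restoring access means removing that ACE, not just the flagged file.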

I installed FSRM last week (and blocked Windows Scripting Host in the GPO). Just in time for the news to start rolling in about Wannacry ... Worked wonders for my anxiety levels this weekend!

May 16, 2017 10:18

Weatherman posted: Necroquoting this, but I got the book based on KoRMaK's recommendation and will definitely second it. It's a great read both as "something to read" and as "something that has some good lessons". I'm not in a department that directly supports developers, and I know squat about DevOps and Agile and all that stuff, but I felt that a lot of the lessons apply equally as well to IT staff in general, as well as our support section. Ended up reading it again with a highlighter in hand so I could copy out notes for later!

It really is a hell of a book. I just finished it last week. The DevOps part to me was almost secondary to redefining the way you see IT ops.

May 16, 2017 11:53

Lynxifer posted: How do you deal with the false positives, do you just restore access and move on? In our situation we have one or two specific files that were flagging, so I modified the setup script so we can supply our own second JSON feed to allow for inserting them.

In my case it's usually triggered by a bad date format in the file name followed by some combination of letters contained in the filter list, making the entire file name look like an extension. I've been training my users to rename files using the mm-dd-yyyy format rather than mm.dd.yyyy and then restoring access.

May 16, 2017 14:18

I only just discovered this checkbox today, there has to be a wonderful ticket story behind it. Does anyone know the details?

Edit: it helps if I actually add the picture

May 16, 2017 14:20

So tired of everyone using their own mappings. IG1 -> ix-TIX -> TIX -> key_id_TIX -> TIX. 3rd party found their bug. Basically strReplace("ix","") lol

May 16, 2017 14:38

Naksu posted: I only just discovered this checkbox today, there has to be a wonderful ticket story behind it. Does anyone know the details?

https://support.office.com/en-us/article/Learn-about-Office-365-operated-by-21Vianet-a8ab5061-3346-4da0-bb7c-5260822b53ae

Less(?) exciting than expected: 21Vianet provide an instance of Office 365 hosted inside China so it's available to Chinese nationals.

May 16, 2017 14:47

PremiumSupport posted: In my case it's usually triggered by a bad date format in the file name followed by some combination of letters contained in the filter list, making the entire file name look like an extension. I've been training my users to rename files using the mm-dd-yyyy format rather than mm.dd.yyyy and then restoring access.

Don't you mean the yyyymmdd format?

May 16, 2017 16:45

Thanks Ants posted: Don't you mean the yyyymmdd format?

May 16, 2017 16:49

Thanks Ants posted: Don't you mean the yyyymmdd format?

You say this like most people can comprehend that. I tell people to do this all the time and I name files like that; they don't get it. It sorts better! No, I want to name my files "August TPS report 2017" so I have no idea how to find it later.

May 16, 2017 16:49

Thanks Ants posted: Don't you mean the yyyymmdd format?

Baby steps... we are talking about users here.

May 16, 2017 20:16

We installed a StorNext SAN with an SMB reshare component for a client recently. It's all running CentOS, whereas before they were almost a 100% OS X shop and they're starting to put Windows clients on. Flash forward to today when I get a case about weird folder names that are only appearing on the SMB share. I take a look and sort out the issue after seeing one folder... dates formatted like this: 05/16/2017. I checked the config file of the SMB reshare and mangled names were turned on, and I then got to spend some time explaining illegal filenames and why they're a bad thing on shared storage systems. Sure, OS X doesn't give two shits about illegal characters, but Windows does! I then told him that the teams need to clean their poo poo up. Creatives.

May 16, 2017 21:45

pr0digal posted: We installed a StorNext SAN with an SMB reshare component for a client recently. It's all running CentOS, whereas before they were almost a 100% OS X shop and they're starting to put Windows clients on.

To be fair, telling someone to "memorize this random subset of very obviously displayable ASCII characters that can be typed with face characters on a keyboard, okay you can't use them because someone else on an operating system you don't use will have things break if you do, unicode glyphs are fine though!" sounds extremely silly on the face of it.

May 16, 2017 22:06

Use a solidus instead of a slash: 05/16/2017

May 16, 2017 22:14

Underscore separator with a hyphen to give hour_minute_second, e.g. 2017_05_13-00_24_19-<file_name>

e: This is for script log auto-naming, I wouldn't bother with the hms part if I was naming by hand.

May 16, 2017 22:27

anthonypants posted: Use a solidus instead of a slash:

May 16, 2017 22:43

Kurieg posted: My file system says 05162017 isn't a valid date.

Thank you for making me quote this just to see wtf that image was.

May 16, 2017 23:12

It's a Solidus Snake from Metal Gear Solid 2, of course.

May 16, 2017 23:16

Kurieg posted: My file system says 05162017 isn't a valid date.

Obviously on Windows instead of a Mac like us creative types.

May 17, 2017 02:20

We have a client who ripped a bunch of stuff from Instagram with Cyrillic characters in it. Our sync program did not like that. But really, editors/producers/EPs, what have you, left to run rampant will make administration hell. I spent four years running IT at a TV production house and production/edit always seemed to find new and innovative ways to break things. The editors in LA were fun from what the Post Director said. He had to buy a specific type of desk and chairs plus two nice monitors and a broadcast monitor (I don't remember if they had to buy scopes) or else they wouldn't get any freelancers. Though I guess the same could be said for anybody really, my experience is just in media. My least favorite "OS X gives no fucks" moment is the time I had to re-generate/rename and re-link like 15,000 proxies because there were slashes in the filenames/folders. The media asset management tool they were using got really unhappy.

pr0digal fucked around with this message at 02:37 on May 17, 2017

May 17, 2017 02:34
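The 15,000-proxy clean-up pr0digal describes is the kind of job worth scripting before Mac-created names ever reach a Windows client. The following is an added example written for this thread (my own code, not pr0digal's and not StorNext's, Samba's or any vendor's tool): it checks each path component against the Windows rules and proposes a rename. It goes a little beyond the slash case in the thread, covering the other reserved characters, control characters, trailing dots and spaces, reserved device names and component length as well. The sample names are constructed.

```python
"""Added example, not from the thread or any vendor: flag path components that
are legal on macOS/Linux but not on Windows, and propose a safe rename."""
from typing import Dict, List

# Characters Windows refuses in any path component.
ILLEGAL_CHARS = set('<>:"/\\|?*')
# Device names Windows reserves regardless of extension (CON.txt is still CON).
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})
MAX_COMPONENT_LEN = 255


def windows_name_problems(name: str) -> List[str]:
    """Return the reasons one path component would fail on Windows (empty list = fine)."""
    problems: List[str] = []
    bad = sorted({c for c in name if c in ILLEGAL_CHARS})
    if bad:
        problems.append("illegal characters: " + "".join(bad))
    if any(ord(c) < 32 for c in name):
        problems.append("control characters")
    if name != name.rstrip(" ."):
        problems.append("trailing space or dot")
    stem = name.split(".", 1)[0].upper()
    if stem in RESERVED_NAMES:
        problems.append(f"reserved device name {stem}")
    if len(name) > MAX_COMPONENT_LEN:
        problems.append(f"longer than {MAX_COMPONENT_LEN} characters")
    return problems


def sanitize_for_windows(name: str, replacement: str = "_") -> str:
    """Rewrite one component so windows_name_problems() accepts it; idempotent."""
    cleaned = "".join(replacement if (c in ILLEGAL_CHARS or ord(c) < 32) else c
                      for c in name)
    cleaned = cleaned.rstrip(" .")
    stem, dot, rest = cleaned.partition(".")
    if stem.upper() in RESERVED_NAMES:
        cleaned = stem + replacement + dot + rest   # CON.mov -> CON_.mov
    return cleaned or replacement                    # never return an empty name


def scan(names: List[str]) -> Dict[str, List[str]]:
    """Map each offending name to its problems; clean names are left out."""
    report: Dict[str, List[str]] = {}
    for n in names:
        problems = windows_name_problems(n)
        if problems:
            report[n] = problems
    return report


# Constructed sample names, as they would sit on the POSIX side of the share.
SAMPLE_NAMES = [
    "05/16/2017",             # the dated folder from the thread: slash is illegal on Windows
    "client: final cut.mov",  # colon
    "con.mov",                # reserved device name
    "rough edit.mov ",        # trailing space
    "2017_05_16-final.mov",   # fine everywhere
]

if __name__ == "__main__":
    for name, problems in scan(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(problems)} -> rename to {sanitize_for_windows(name)!r}")
```

Run it over a directory listing (os.walk, or a file list exported from the MAM) before turning on the SMB reshare; the report tells you what the creatives need to fix, and the sanitizer gives a deterministic rename so re-linking proxies is a mechanical find-and-replace rather than a guess.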

I got contacted by our mobile supplier today to say that one of our users has gone over his 4GB data limit.

May 17, 2017 03:48

Phrosphor posted: I got contacted by our mobile supplier today to say that one of our users has gone over his 4GB data limit.

That's a lot of porn.

May 17, 2017 05:15

We had people using their company supplied mobile devices as hotspots for their primary home internet connection, or just letting their kids use it as much as they wanted. After we started keeping track of the bill person by person, the ones with bills in the thousands were politely told that they needed to cut back on their use.

May 17, 2017 06:42