passwords rotated by 360 degrees

# ? Jun 30, 2017 04:14

we have 60 day rotation and warning emails about passwords expiring start getting sent out at 15 days from expiration. 1/4 of my working days I get a password reminder email.

# ? Jun 30, 2017 04:34

Jesus, I try to float 6mo expiration and fallback to annual when the inevitable pushback occurs.

# ? Jun 30, 2017 05:01

> Shifty Pony posted: wired has a story on it which isn't entirely awful. it goes over the pattern of the attacks starting out as largely manually executed against a particular system and then iterating until they are automated attacks based on modular tools which could be more easily adapted for use against other targets. if you dig a bit online about each of the incidents in the article there are usually a few blog posts by researchers.

Wicked, thanks.

# ? Jun 30, 2017 06:06

Just allow users to keep passwords for a year, but mandate 20+ character passphrases.

Good password: The boy bounced the basketball on July 21st

lovely lazy password encouraged by over-zealous password rotation policies: Summer2017!

Next quarter's password: Fall2017!@#$

# ? Jun 30, 2017 06:10

we had some company-wide webex password update enforced recently. usual rules apply, except they also check on the password change form whether your password contains common english words. thankfully Abcde123 passed all the checks so i'm secure as gently caress now

# ? Jun 30, 2017 09:16

> spankmeister posted: Straight up blackmail lmao

e: more info on how vulnerable the medoc update process was: http://blog.uk.fujitsu.com/information-security/petya-medoc-and-the-delivery-of-malicious-software/

Wiggly Wayne DDS fucked around with this message at 10:59 on Jun 30, 2017

# ? Jun 30, 2017 10:55

> Wiggly Wayne DDS posted: they're getting better at this: https://steemit.com/shadowbrokers/@theshadowbrokers/response-to-response-to-doxing

wow, someone at fujitsu knows how to use nmap such cyber

# ? Jun 30, 2017 14:10

> MononcQc posted: and here I am with a work computer that has cylance running on it, which just loves to randomly decide vim or scp are viruses and quarantines them

# ? Jun 30, 2017 17:29

> anthonypants posted: it is my understanding that this is how cylance works

vim is a notorious hacking tool.

# ? Jun 30, 2017 17:31

Microsoft should go the apple route and only execute signed code without a prompt and force some kind of manual intervention for anything unsigned

# ? Jun 30, 2017 17:38

Do a full applocker rollout on top of it and all these heuristics/sandboxing solutions become irrelevant

# ? Jun 30, 2017 17:39

> BangersInMyKnickers posted: Microsoft should go the apple route and only execute signed code without a prompt and force some kind of manual intervention for anything unsigned

# ? Jun 30, 2017 17:55

Make a windows enterprise-only GPO that allows you to disable code signing validation. Boom, slam-dunk, I am pdresident of mcmicrosoft: https://www.youtube.com/watch?v=ZqnrZrPRBaI

# ? Jun 30, 2017 17:57

> BangersInMyKnickers posted: Jesus, I try to float 6mo expiration and fallback to annual when the inevitable pushback occurs.

We enforce 45 days here. It sucks.

# ? Jun 30, 2017 18:57

Anybody know what services or processes need to be whitelisted on the windows firewall to make updates work on an outbound deny default config? I've cleared both BITS and WU services but it still fails and I see something hitting 443 outbound and getting dropped but I am having a hell of a time figuring out what process or service it's associated with. I made a blanket 443 out allow rule and it started working again but there's something else that is now a dependency for updates to work properly and this poo poo isn't documented by MS.

# ? Jun 30, 2017 19:02
> BangersInMyKnickers posted: Anybody know what services or processes need to be whitelisted on the windows firewall to make updates work on an outbound deny default config? I've cleared both BITS and WU services but it still fails and I see something hitting 443 outbound and getting dropped but I am having a hell of a time figuring out what process or service it's associated with. I made a blanket 443 out allow rule and it started working again but there's something else that is now a dependency for updates to work properly and this poo poo isn't documented by MS.

you need 80 and 443 for http and https wsus access respectively. restrict the ports to code:

# ? Jun 30, 2017 19:04

> BangersInMyKnickers posted: Anybody know what services or processes need to be whitelisted on the windows firewall to make updates work on an outbound deny default config? I've cleared both BITS and WU services but it still fails and I see something hitting 443 outbound and getting dropped but I am having a hell of a time figuring out what process or service it's associated with. I made a blanket 443 out allow rule and it started working again but there's something else that is now a dependency for updates to work properly and this poo poo isn't documented by MS.

The actual process is almost 100% going to be some subfunction/process of svchost, so if you're looking for an actual executable to whitelist rather than specific connections for updates you're going to have trouble. Even the latter is problematic because the update points change all the time, and Store Apps, Office, 365, etc. come from different locations. TL;DR: Turn off Windows Firewall. I take it that this isn't a place with an internal WSUS server you can whitelist?

Wrath of the Bitch King fucked around with this message at 19:09 on Jun 30, 2017

# ? Jun 30, 2017 19:06

oh and you'll have to punch windows defender updates through elsewhere, %ProgramFiles%\Windows Defender\MSASCui.exe iirc

# ? Jun 30, 2017 19:08

> cinci zoo sniper posted: you need 80 and 443 for http and https wsus access respectively. restrict the ports to

Windows firewall doesn't whitelist on domains, I need to know what process is initiating the connection.

# ? Jun 30, 2017 19:10

I do have WSUS/SCCM available but I'm testing out some more edge lockdown configs for desktops. I have a suspicion that windows update fails to connect if the firewall is dropping the telemetry service connections which would be the most WTF thing imaginable. It's an unpatched 1607 install though so I'm letting the updates in for the most recent patchset and I'll keep digging in from there.

# ? Jun 30, 2017 19:12

Also the Windows Firewall is Very Good and you are wrong about it. This is the OS's fault for having an absurdly convoluted update mechanism that routes through 3+ services.

# ? Jun 30, 2017 19:13

one of our dbas is having trouble browsing to a network share presented by our backup appliance from his workstation and my first guess is that it's using smbv1. this should be good.

e: slightly disappointed that wasn't it. welp

anthonypants fucked around with this message at 19:17 on Jun 30, 2017

# ? Jun 30, 2017 19:14

The last time I did this I used a 3rd party firewall that isolates things down to the process (Netlimiter, etc.) along with Wireshark to run it down on a machine with WF disabled. That'll probably save you the most time. It wouldn't surprise me if the system did a connection check for something like connect.microsoft.com as a preliminary step before updating and then proceeded based on the result (or lack thereof). Turning off WF was a joke.

# ? Jun 30, 2017 19:15

> BangersInMyKnickers posted: Also the Windows Firewall is Very Good and you are wrong about it. This is the OS's fault for having an absurdly convoluted update mechanism that routes through 3+ services

seriously though if they bothered to make any of this at all functional and didn't quietly throw in their own rules you'd be able to lock down most consumer systems pretty easily

# ? Jun 30, 2017 19:16

run your own windows update server

# ? Jun 30, 2017 19:17
> BangersInMyKnickers posted: Windows firewall doesn't whitelist on domains, I need to know what process is initiating the connection.

wuauclt.exe i think

# ? Jun 30, 2017 19:18

> Wiggly Wayne DDS posted: yeah windows firewall is very good which is why diagnosing this issue is so easy

There should be a canned outbound rule to allow whatever stuff needs for WU but yeah, you get to figure it out yourself. There's also a default ruleset that includes the stuff needed for kerberos/policy/AD whatever but it doesn't include ldap/ldaps and whoooopsie that one is necessary too

# ? Jun 30, 2017 19:19

it is under svchost for the record, i don't remember which services it uses though

# ? Jun 30, 2017 19:20
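One way to whitelist the update services that live inside svchost without opening svchost as a whole, and to find out which image is still being dropped, as an added PowerShell example that is not code from the thread: it assumes a Windows 10 1607-era client running the built-in Windows firewall with admin rights, and the Delivery Optimization (DoSvc) and Update Orchestrator (UsoSvc) service names plus the Security event 5157 lookup are my additions, not something the thread names.

```powershell
# Added example, not from the thread. Scope outbound allows to named services
# hosted by svchost.exe (what the built-in rules do) and log what is still
# dropped so the initiating process can be identified.
# Assumptions: Windows 10 1607+, Windows Defender Firewall, elevated shell.
$svchost = "$env:SystemRoot\System32\svchost.exe"
$updateServices = @(
    @{ Name = 'wuauserv'; Display = 'Windows Update' },          # named in thread
    @{ Name = 'BITS';     Display = 'BITS' },                    # named in thread
    @{ Name = 'DoSvc';    Display = 'Delivery Optimization' },   # assumption
    @{ Name = 'UsoSvc';   Display = 'Update Orchestrator' }      # assumption
)

foreach ($svc in $updateServices) {
    # -Service ties the rule to one service inside svchost.exe, so other
    # services that also load into svchost do not inherit the allow.
    New-NetFirewallRule -DisplayName "Allow $($svc.Display) outbound HTTP/S" `
        -Direction Outbound -Action Allow -Profile Domain,Private `
        -Program $svchost -Service $svc.Name `
        -Protocol TCP -RemotePort 80,443 | Out-Null
}

# Log dropped packets; pfirewall.log shows destination and port but not the
# process, which is the piece the thread is missing.
Set-NetFirewallProfile -Profile Domain,Private -LogBlocked True `
    -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Filtering Platform Connection failure auditing writes Security event 5157
# (connection blocked) with the process ID and image path of the initiator.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# After reproducing the failure (e.g. a manual check for updates), list the
# blocked connections by initiating image and destination.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $d.Application
            Direction   = $d.Direction      # %%14592 inbound, %%14593 outbound
            Dest        = "$($d.DestAddress):$($d.DestPort)"
            ProcessId   = $d.ProcessId
        }
    } | Sort-Object Application, Dest -Unique | Format-Table -AutoSize
```

Whatever image and destination appear for the drops that coincide with the failed update are the candidates for an additional service-scoped rule rather than a blanket port 443 allow.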

To be clear, 3rd party firewall's "solution" to this problem is to allow anything running under a svchost process to do whatever it wants with the network interface which is poo poo.

# ? Jun 30, 2017 19:20

> anthonypants posted: cylance works

you contradict yourself

# ? Jun 30, 2017 19:21

> BangersInMyKnickers posted: There should be a canned outbound rule to allow whatever stuff needs for WU but yeah, you get to figure it out yourself. There's also a default ruleset that includes the stuff needed for kerberos/policy/AD whatever but it doesn't include ldap/ldaps and whoooopsie that one is necessary too

Yeah MS is notoriously bad at making their own poo poo interoperable. Having to add LDAP rules is pretty lol. I haven't messed with it in a while; do you still have to create rules for RDP when within the domain?

> quote: To be clear, 3rd party firewall's "solution" to this problem is to allow anything running under a svchost process to do whatever it wants with the network interface which is poo poo.

They are. I used it temporarily just to get some information, then peeled it all off. I'm definitely not advocating it as an actual use case.

# ? Jun 30, 2017 19:22

> Wrath of the Bitch King posted: We enforce 45 days here. It sucks.

The FTC put out a great blog on this subject: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

TL;DR: more frequent forced changes == frustrated users == weaker PWs

# ? Jun 30, 2017 19:23

> cis autodrag posted: you contradict yourself

# ? Jun 30, 2017 19:23

from the schadenthread, emphasis mine

> Raygereio posted: Remember that WannaCry ransomware attack from last may? Afterwards the company I work for pushed out an internal memo telling all employees not to worry and that such attack could never hit us.

# ? Jun 30, 2017 21:23

> cinci zoo sniper posted: looks like he found a vuln in his employment status

Reminds me of that guy who "pranked" his fellows at some chemical lab by putting almond extract into an A/C intake

# ? Jun 30, 2017 23:07

> Ciaphas posted: Reminds me of that guy who "pranked" his fellows at some chemical lab by putting almond extract into an A/C intake

im not sure what effect that does but ive seen some of my coworkers smoking next to the intake of building-wide air ventilation system

# ? Jun 30, 2017 23:09

> cinci zoo sniper posted: im not sure what effect that does but ive seen some of my coworkers smoking next to the intake of building-wide air ventilation system

it doesn't do anything per se but usually smelling almonds in a chemical plant means 'cyanide spill'

# ? Jun 30, 2017 23:11

> vOv posted: it doesn't do anything per se but usually smelling almonds in a chemical plant means 'cyanide spill'

# ? Jun 30, 2017 23:11

> Ciaphas posted: Reminds me of that guy who "pranked" his fellows at some chemical lab by putting almond extract into an A/C intake

I remember that article. Schadenfreude is a wonderful thing

# ? Jun 30, 2017 23:42