Wrath of the Bitch King posted: It's cake, just don't be retarded and try to deploy the client to a domain controller.

you mean target a DC with the group policy settings right? pushing the CSE to all machines should be fine as long as you aren't deploying any group policy settings for LAPS to those machines.
Jul 5, 2017 19:04
cheese-cube posted: you mean target a DC with the group policy settings right? pushing the CSE to all machines should be fine as long as you aren't deploying any group policy settings for LAPS to those machines.

There isn't a reason for the client to exist on a DC since it would never be utilized, for obvious reasons. Even if you deployed it and GPs were deployed perfectly, the last thing you want is for some idiot to move your DC out of the designated OU for DCs and into one that has the policy defined. Is this an extreme edge case? Absolutely, but not deploying the client to DCs removes any possibility of failure.
Jul 5, 2017 19:06
Wrath of the Bitch King posted: It's cake, just don't be retarded and try to deploy the client to a domain controller.

Will it even do something there? I assume it would rotate the domain services recovery password which creates a circular dependency but that seems like something MS would catch for and stop.
Jul 5, 2017 19:12
Wrath of the Bitch King posted: There isn't a reason for the client to exist on a DC since it would never be utilized, for obvious reasons.

i would love for this to happen because then i'd actually be allowed to murder someone. bullshit aside, if your domain can be crippled by having the built-in domain administrator account password changed then you've done something wrong. from a supportability POV it is much easier to just deploy the CSE everywhere and then target via GPO (edit: especially if you're doing orchestration like we are). if someone does something as stupid as what you suggested then they get fired. out of a cannon. into the sun.

edit2: i've just remembered that you have to specifically delegate privileges to the SELF security principal in the OU containing computer objects so that they can update their own LAPS-related attributes. if you don't delegate these same privileges on the Domain Controllers or any other OU then the devices associated with the computer objects within that OU will be unable to reset their local admin password as they can't update the attributes on their relevant computer object. ofc that is all moot if you delegate full write for all extended attributes or some poo poo

BangersInMyKnickers posted: Will it even do something there? I assume it would rotate the domain services recovery password which creates a circular dependency but that seems like something MS would catch for and stop.

apparently it will change the domain built-in administrator account password? tbh i haven't tested that scenario

Pile Of Garbage fucked around with this message at 19:26 on Jul 5, 2017
Jul 5, 2017 19:19
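The SELF delegation described in the post above, as an added example that is not from the thread or from Microsoft's LAPS documentation: it grants the computer self-permission only on the OUs that will actually receive the LAPS policy, leaves the Domain Controllers OU alone, and then audits which principals hold extended rights (and so can read the stored password) on those OUs. The AdmPwd.PS cmdlets are the real ones shipped with the LAPS installer; the OU paths and the list of expected right-holders are placeholders.

```powershell
# Added example: scope the LAPS SELF delegation and audit extended rights.
# Assumes the AdmPwd.PS module (from the LAPS installer) and RSAT AD tools
# are installed and the schema has already been extended.
# OU paths below are placeholders for your own structure.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$dcOu     = "OU=Domain Controllers,$domainDn"

# Only these OUs get the delegation (and the policy). DCs are deliberately
# left out, so a CSE that lands on a DC by mistake has nothing to update.
$targetOus = @(
    "OU=Workstations,$domainDn",   # placeholder
    "OU=Member Servers,$domainDn"  # placeholder
)

foreach ($ou in $targetOus) {
    # Lets each computer object write its own ms-Mcs-AdmPwd and
    # ms-Mcs-AdmPwdExpirationTime attributes.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
}

# Audit: list holders of "all extended rights" on each OU, which is what
# exposes the confidential ms-Mcs-AdmPwd attribute to a reader.
$findings = foreach ($ou in $targetOus + $dcOu) {
    Find-AdmPwdExtendedRights -Identity $ou -IncludeComputers:$false |
        ForEach-Object {
            [pscustomobject]@{
                ObjectDN = $_.ObjectDN
                Holders  = @($_.ExtendedRightHolders)
            }
        }
}

# Flag the "full write for everything at the domain root" mistake: any
# holder outside this (placeholder) expected set deserves a review.
$expected = @("NT AUTHORITY\SYSTEM",
              "$env:USERDOMAIN\Domain Admins",
              "$env:USERDOMAIN\Enterprise Admins")
foreach ($f in $findings) {
    $unexpected = $f.Holders | Where-Object { $_ -and ($expected -notcontains $_) }
    if ($unexpected) {
        Write-Warning "$($f.ObjectDN): extended rights also held by $($unexpected -join ', ')"
    } else {
        Write-Output "$($f.ObjectDN): only expected principals hold extended rights"
    }
}
```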
BangersInMyKnickers posted: Will it even do something there? I assume it would rotate the domain services recovery password which creates a circular dependency but that seems like something MS would catch for and stop.

Yes, that's my understanding. Lol at expecting MS to "catch and stop" anything, especially something free like LAPS.

quote: ofc that is all moot if you delegate full write for all extended attributes or some poo poo

Guess what most terrible computer janitors do at the top level of the domain because they don't understand Active Directory let alone AD security? Or more accurately, any company that doesn't have meaningful audits. Also, what scenario is made easier by deploying the client everywhere rather than select locations? It's trivial to exclude stuff like DCs in SCCM. Or any deployment tool really, even if you're using Group Policy to do it. I'm not trying to pick on you here, I just loathe the shotgun approach for systems management like that. If it has no purpose being somewhere, don't put it there.
Jul 5, 2017 19:30
deploying servers from a single template that is role-agnostic. much easier to have the CSE pre-installed than to deploy it after the fact once the server's role has been decided. i don't understand why you "loathe the shotgun approach for systems management" when establishing a common universal baseline is the best approach to systems management in almost all situations. imo you prolly have some hangups as to the efficacy of group policy or something

also don't talk to me about hosed up AD permissions. i've inherited an environment where every single ACE is 1000% pissssss but i've still seen worse than you can begin to imagine
Jul 5, 2017 19:41
I inherited a domain where the previous admin kept a secret "offline" domain controller that he only booted once a month to patch, replicate, then shut back down. His plan for recovery from an AD compromise/wipe was to shut down the live DCs and bring his offline controller as the sole DC and run that until he could rebuild the others. gently caress just setting the authoritative restore flag on a restore job. Guess how well an AD performs when 1 of the 3 DCs is never online and the zone firewall drops all traffic instead of the clients getting a dst unreachable response from the router?
Jul 5, 2017 19:48
Lol, our domain is still on FRS. To each their own. The client is incredibly tiny so I don't consider it necessary to be baked into a template or image, and I'd prefer to mitigate all risk that I can even if the chance of it causing something stupid is some minute percentage. I don't have hangups on group policy and how reliable it is, I have hangups about having reliable coworkers that won't do stupid things. This problem might be worse where I am, but I don't want to get into a "my stupid workplace" pissing match in the Sec thread. Most of the people I work with don't really understand AD or GP. We also didn't patch servers until I got here and automated it all. At the end of the day I'm just glad you guys are using LAPS. It's the smart choice.
Jul 5, 2017 19:48
one of our dbas recently stopped being able to navigate to the backup appliance from his desktop using the cifs shares. turns out the backup appliance, using firmware from december 2016, only supports smbv1. boss tests this out on his laptop by re-enabling smbv1, and is now in the process of re-enabling smbv1 on the dba's and other workstations. maybe we'll update the firmware on our backup appliance next week
Jul 5, 2017 19:52
cool but yeah LAPS is cool, we did scope the project to implement it over a year ago but it's been in PM purgatory since then until the whole wannacry bs happened and the CFO just went and blanket approved any project that was sec related. gourd poo poo i guess but lol reactive is not appropriate attitude blah blah i shld gently caress poo poo up more often
Jul 5, 2017 19:58
cheese-cube posted: cool

I used to lament our lack of PMs to help manage things, but then we got them. Definitely a Monkey's Paw situation.
Jul 5, 2017 19:59
PMs + proper time accounting are a godsend but I feel for anyone who doesn't have the second half of that equation.
Jul 5, 2017 20:09
Hahahahaha I'm sorry that would be admitting that there are limits to how much can be done in a finite amount of time
Jul 6, 2017 01:42
Didn't see this posted https://blog.haschek.at/2017/how-to-defend-your-website-with-zip-bombs.html I know it's not really security stuff, but I thought it was kind of funny. So have some funny computer.
Jul 6, 2017 03:20
a good PM is great to have, but i can see why they usually suck, it's a thankless job that nobody with any technical skill wants to do. you have to interface with the stakeholders and argue about product roadmaps in meetings all day, and then the developers and QA folks who actually build and test that stuff don't report to you
Jul 6, 2017 03:30
JewKiller 3000 posted: it's a thankless job that nobody with any technical skill wants to do.

from what I've experienced, they don't. Every PM I've worked with barely knows what a keyboard is.
Jul 6, 2017 03:38
Wrath of the Bitch King posted: from what I've experienced, they don't. Every PM I've worked with barely knows what a keyboard is.

always remember: PMs are all that stand between you and sales
Jul 6, 2017 03:41
i think someone hacked my poo poo, someone tried to log into (with correct username and password) my steam account from brazil and my spotify password just got changed
Jul 6, 2017 08:22
Maximum Leader posted: i think someone hacked my poo poo, someone tried to log into (with correct username and password) my steam account from brazil and my spotify password just got changed

sounds like that ye

Jul 6, 2017 08:24
please use password manager from now on
Jul 6, 2017 08:25
|
or if you're like me, don't use the same password everywhere

password managers are for the unburned

i use safari's pw manager/creator thingo works great 10/10
Jul 6, 2017 08:39
FAT32 SHAMER posted: or if you're like me, don't use the same password everywhere

what

Jul 6, 2017 08:46
|
Just keep all your passwords in a word file on your desktop titled "passwords" like my dad.
Jul 6, 2017 08:50
the unburned are those who haven't been hacked yet
Jul 6, 2017 08:51
FAT32 SHAMER posted: the unburned are those who haven't been hacked yet

yeah i'm trying to make sense of your advice to ditch password managers and implication of single password for everything with the use of password manager

Jul 6, 2017 08:54
|
cinci zoo sniper posted: yeah im trying to make sense of your advice to ditch password managers and implication of single password for everything with the use of password manager

people aren't hacking your password manager, they're hacking that unpatched counterstrike forum you posted on 10 years ago with the same password

e: wait i think that's what you're saying

Angela Merkle Tree fucked around with this message at 09:12 on Jul 6, 2017

Jul 6, 2017 09:09
cinci zoo sniper posted: yeah im trying to make sense of your advice to ditch password managers and implication of single password for everything with the use of password manager

nonono i said i use a pw manager (safari's) and at the very least don't use the same pw everywhere because

Angela Merkle Tree posted: people aren't hacking your password manager, they're hacking that unpatched counterstrike forum you posted on 10 years ago with the same password

safari's generates a pw for each one and uses your fingerprint for entry
Jul 6, 2017 09:16
my one password came out from the 000webhost leak like two weeks after i switched my last accounts over to new passwords
Jul 6, 2017 09:34
Angela Merkle Tree posted: people aren't hacking your password manager, they're hacking that unpatched counterstrike forum you posted on 10 years ago with the same password

yeah that what I'm saying

FAT32 SHAMER posted: nonono

Jul 6, 2017 09:46
but yeah just ignore me whenever i stumble in english, i should've known better by now unless you are making some obscure regional references
Jul 6, 2017 09:47
|
ah ya dude I got burned from some pw leak (I think last.fm) and someone tried to steal some video game account because idiot me used the same pw for 13 years

so what I mean is the only people who don't use pw managers are those who haven't been burned yet aka the unburned

I guess there are a few toasted retards floating around but then there always is

but ya don't do like what I did and use the same pw everywhere is what I was trying to say
Jul 6, 2017 09:52
Some woman just sent me some vacation photos.
Jul 6, 2017 10:15
Powaqoatse posted: Some woman just sent me some vacation photos.

Is it a nice vacation? If yes comment her on it!
Jul 6, 2017 11:46
Powaqoatse posted: Some woman just sent me some vacation photos.

tell me more about Anatoliy's vacation
Jul 6, 2017 11:54
FAT32 SHAMER posted: so what I mean is the only people who don't use pw managers are those who haven't been burned yet aka the unburned

FAT32 SHAMER posted: password managers are for the unburned

i think cinci's confusion stems from these being basically opposites
Jul 6, 2017 12:18
Raluek posted: i think cinci's confusion stems from these being basically opposites

Jul 6, 2017 13:06
|
cinci zoo sniper posted: please use password manager from now on

and set up two factor on the accounts that support it
Jul 6, 2017 13:18
leper khan posted: tell me more about Anatoliy's vacation

idgi

Vivick posted: Is it a nice vacation? If yes comment her on it!

yea it looked p nice but i threw em away. i only email prank music artists
Jul 6, 2017 13:21
lol if there's scrubs itt not using password managers and 2fa
Jul 6, 2017 13:26
Raluek posted: i think cinci's confusion stems from these being basically opposites

yeah this is why I shouldn't post at 5a
Jul 6, 2017 13:26