|
cheese-cube posted:pretty sure we have one resident schannel pro, i shamefully cannot remember but they posted nice cipher suite lists plus recommended ECC curve combos, was very handy https://www.nartac.com/Products/IISCrypto/ is a nice GUI for some of that, with presets and template support but these auditors aren't complaining about any of that, but talking about specific TLS extensions like session ticket and extended master secret. let me recompile my openssl real quick for you, oh wait
|
#
?
Mar 13, 2018 15:38
|
|
|
|
| # ? Jun 8, 2024 00:00 |
|
|
https://amdflaws.com/quote:What happened? lol this is gonna be a fun ride. also, lol here we go again with lovely marketing websites for bugs.
|
|
#
?
Mar 13, 2018 16:19
|
|
|
cheese-cube posted:pretty sure we have one resident schannel pro, i shamefully cannot remember but they posted nice cipher suite lists plus recommended ECC curve combos, was very handy Hi. That is me. No, I do not believe you can do stuff like that change session ticket behavior, DH primes, etc. That stuff pretty much is the way it is, and if there is something new then you need to upgrade to the latest OS version to get it. If they're being that picky then tell them to eat poo poo or if its actually a problem (it isn't, schannel is fine through 2008r2 is getting long in the tooth) then throw it behind an F5 so you can tweak to your hearts content. e: May have spoken too soon, this might do it HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\MaximumCacheSize to 0 HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ServerCacheTime to 0 BangersInMyKnickers fucked around with this message at 16:29 on Mar 13, 2018 |
|
#
?
Mar 13, 2018 16:22
|
|
|
https://www.samba.org/samba/security/CVE-2018-1057.htmlquote:
|
|
#
?
Mar 13, 2018 16:24
|
|
|
holy loving poo poo! ..people actually use samba as an AD DC?
|
|
#
?
Mar 13, 2018 16:25
|
|
|
BangersInMyKnickers posted:Hi. That is me. ty bangers and sorry for forgetting you!!! infernal machines posted:holy loving poo poo! no (well maybe but how?) but samba operates it's own LDAP server to interface with an AD DC and this is where the issue occurs (correct me if i'm wrong). from what i understand the issue is that in AD "change password" and "reset password" privileges are secured differently for obvious reasons however the samba LDAP server conflates the two and fucks up the extended right security checks.
|
|
#
?
Mar 13, 2018 16:40
|
|
|
cheese-cube posted:ty bangers and sorry for forgetting you!!! samba can act as a full DC now yeah i was surprised too
|
|
#
?
Mar 13, 2018 16:43
|
|
|
it does, i've seen it implemented (terribly), it was a joke because it's hard to imagine why anyone would want to do that
|
|
#
?
Mar 13, 2018 16:44
|
|
|
I presume you can hang an entire Windows shop off a tiny appliance like Synology as the AD DC, typically a better option than trying to use a cheap desktop PC.
|
|
#
?
Mar 13, 2018 16:48
|
|
|
i'd never trust anything other than a windows server DC to provide domain services, simply because everything else out there seems to fail in spectacular ways at things which are very simple. for example, the AD schema clearly outlines object and attribute associations as well as the typing of the values for attributes. attributes which accept integers are either typed as "Integer" (int32) or "LongInteger" (int64). CA (the company) provides an entire suite of software which integrates with AD as an IAM solution. however in their infinite wisdom they've ignored the schema and just decided on arbitrary types for attribute values. this really fucks poo poo up when you want to say set an exchange recipient type value which is an int64 but the CA garbage only accepts int32 for some idiotic reason.
|
|
#
?
Mar 13, 2018 17:24
|
|
|
MrMoo posted:I presume you can hang an entire Windows shop off a tiny appliance like Synology as the AD DC, typically a better option than trying to use a cheap desktop PC. unless its running windows then no you don't want to do that. Also you can run your windows domain off azure ad these days.
|
|
#
?
Mar 13, 2018 17:27
|
|
|
samba is probably appropriate for running a domain for Linux clients where you cant afford windows at all.
|
|
#
?
Mar 13, 2018 17:28
|
|
|
yeah if your linux doesn't do SSSD then whatever samba can do would be an acceptable fall back seeing as NIS is deprecated
|
|
#
?
Mar 13, 2018 17:32
|
|
|
Shaggar posted:unless its running windows then no you don't want to do that. Also you can run your windows domain off azure ad these days. can you run azure side by side with on prem AD? seems like a lot of SSO stuff only works with azure
|
|
#
?
Mar 13, 2018 17:34
|
|
|
NEED MORE MILK posted:can you run azure side by side with on prem AD? seems like a lot of SSO stuff only works with azure yes, AD sync to azure cloud actually works pretty well
|
|
#
?
Mar 13, 2018 17:35
|
|
|
europe is getting quite a bit of rollout of samba only ad nowadays in governments and such
|
|
#
?
Mar 13, 2018 17:36
|
|
|
NEED MORE MILK posted:can you run azure side by side with on prem AD? seems like a lot of SSO stuff only works with azure yeah its really great.
|
|
#
?
Mar 13, 2018 17:40
|
|
|
Tankakern posted:europe is getting quite a bit of rollout of samba only ad nowadays in governments and such lol
|
|
#
?
Mar 13, 2018 17:40
|
|
|
infernal machines posted:yes, AD sync to azure cloud actually works pretty well can confirm, AADC sync is smooth as gently caress. however if you want to enable password change in the cloud with federation then you'll need to pay for an AAD P1 subscription, that's how they get you (probably, idk just buy ECS which is Enterprise E3 plus EMS E3 for gently caress all)
|
|
#
?
Mar 13, 2018 17:41
|
|
|
Truga posted:https://amdflaws.com/ taviso just retweeted this: https://twitter.com/cynicalsecurity/status/973591954096381952
|
|
#
?
Mar 13, 2018 17:41
|
|
|
cheese-cube posted:can confirm, AADC sync is smooth as gently caress. however if you want to enable password change in the cloud with federation then you'll need to pay for an AAD P1 subscription, that's how they get you (probably, idk just buy ECS which is Enterprise E3 plus EMS E3 for gently caress all) yeah its such bullshit that password change and security auditing is in P1 and not included in E1 or E3
|
|
#
?
Mar 13, 2018 17:41
|
|
|
isnt their a free azure tier?
|
|
#
?
Mar 13, 2018 17:42
|
|
|
the azure ad basic tier is free
|
|
#
?
Mar 13, 2018 17:44
|
|
|
neat
|
|
#
?
Mar 13, 2018 17:45
|
|
|
Shaggar posted:yeah its such bullshit that password change and security auditing is in P1 and not included in E1 or E3 i like how they put the really useful security features in E5. our sec ops lead is always asking "hey can we use this?" and my answer is usually "no we're not licensed for it lollll" NEED MORE MILK posted:isnt their a free azure tier? "azure" and "azure AD" are two different beasts. afaik there's no AAD P1 or EMS E3 trial.
|
|
#
?
Mar 13, 2018 17:46
|
|
|
DuckConference posted:taviso just retweeted this: nice!
|
|
#
?
Mar 13, 2018 17:47
|
|
|
cheese-cube posted:i like how they put the really useful security features in E5. our sec ops lead is always asking "hey can we use this?" and my answer is usually "no we're not licensed for it lollll" yeah but theres an azure ad free tier and literally all i want is user sync for sso so i think that will work??
|
|
#
?
Mar 13, 2018 17:49
|
|
|
yep that will work fine.
|
|
#
?
Mar 13, 2018 17:50
|
|
|
we're looking at using e3 for a client to handle 2fa for webmail and rdp. it's amazingly easy to set up if you don't have a pants on head stupid environment e: also some intune features for mdm to sandbox corporate data on byod stuff
|
|
#
?
Mar 13, 2018 17:50
|
|
|
quote:CTS-Labs, a security company based in Israel... 
|
|
#
?
Mar 13, 2018 17:51
|
|
|
cheese-cube posted:i like how they put the really useful security features in E5. our sec ops lead is always asking "hey can we use this?" and my answer is usually "no we're not licensed for it lollll" it really feels like extortion when they hide basic security stuff behind a higher plan level. I'm implementing some of it myself (poorly) cause I refuse to pay the absurd price to get a P1 for everyone.
|
|
#
?
Mar 13, 2018 17:51
|
|
|
NEED MORE MILK posted:yeah but theres an azure ad free tier and literally all i want is user sync for sso so i think that will work?? yes it will work great for that. The free tier also lets you integrate with any app that uses azure ad for auth
|
|
#
?
Mar 13, 2018 17:52
|
|
|
Truga posted:https://amdflaws.com/ Their site is down.
|
|
#
?
Mar 13, 2018 17:54
|
|
|
no its not
|
|
#
?
Mar 13, 2018 17:56
|
|
|
just got an email about suspicious activity with one of my microsoft accounts I don't really use, went to go change the password and enable 2fa because why not. tried to set it up using their wizard thing, select android and it's like "ok install the microsoft app and log in with it" and refuses to let me proceed until i log in with it. no thanks, so i go back and select "other" as my phone type and get this: what fantastic advice
|
|
#
?
Mar 13, 2018 18:01
|
|
|
Shaggar posted:it really feels like extortion when they hide basic security stuff behind a higher plan level. I'm implementing some of it myself (poorly) cause I refuse to pay the absurd price to get a P1 for everyone. it's funny our customer recently outsourced SOC (Security Operations Centre) to a BPO (lol yeah i know) and the first complaint i got from them was that the on-prem SIEM appliance wasn't getting logs from O365. the dudes at the BPO just assumed we were using the actual "SIEM integration" feature with Cloud App Security but yeah i had to tell them "lol nope, we're not licensed for that and are just smashing APIs for logs". kind of a critique on how garbage BPOs are but also how microsoft try to make you pay for stuff. if you google "office 365 siem integration" the first results are for the E5 feature so the whole thing's a rort.
|
|
#
?
Mar 13, 2018 18:02
|
|
|
ate all the Oreos posted:just got an email about suspicious activity with one of my microsoft accounts I don't really use, went to go change the password and enable 2fa because why not. tried to set it up using their wizard thing, select android and it's like "ok install the microsoft app and log in with it" and refuses to let me proceed until i log in with it. no thanks, so i go back and select "other" as my phone type and get this: you should use the Microsoft authenticator cause it does push notifications for approvals
|
|
#
?
Mar 13, 2018 18:02
|
|
|
Shaggar posted:lol nice fud
|
|
#
?
Mar 13, 2018 18:03
|
|
|
cheese-cube posted:it's funny our customer recently outsourced SOC (Security Operations Centre) to a BPO (lol yeah i know) and the first complaint i got from them was that the on-prem SIEM appliance wasn't getting logs from O365. the dudes at the BPO just assumed we were using the actual "SIEM integration" feature with Cloud App Security but yeah i had to tell them "lol nope, we're not licensed for that and are just smashing APIs for logs". yeah I'm using the office365 management apis to get audit logs and stuff. its loving stupid
|
|
#
?
Mar 13, 2018 18:03
|
|
|
|
| # ? Jun 8, 2024 00:00 |
|
|
the new Graph API looks p sw8, been meaning to find time to gently caress with that for a while now. apparently that's where microsoft are going to push all o365+services and seccom reporting to. also looks like a faster method of querying some of the more expensive exchange cmdlets (Get-MailboxStatistics, Get-MailboxFolderStatistics, etc.) sorry im making GBS threads up the sec gently caress thread with msft stuff i'll stop now Tankakern posted:nice fud 
|
|
#
?
Mar 13, 2018 18:08
|
|