|
If you want to learn about windows pki, find Brian komar’s book. Windows 2008 pki and certificate security It’s out of print so find a pdf on google and don’t feel bad about it. There was supposed to be an updated 2012/2016 book but I don’t think they’ve gotten around to it. There are other very good PKI books out there as well. That one is just windows specific
|
#
?
Nov 3, 2018 03:34
|
|
|
|
| # ? May 26, 2024 00:55 |
|
|
Replacing certs every year isn't that interesting. Its mostly a pain in the rear end
|
|
#
?
Nov 3, 2018 04:29
|
|
|
H110Hawk posted:Don't use an easy cheat script. However, BUILD yourself an easy cheat sheet script as you go absolutely 100% You will simultaneously use it as a crutch for things you haven't 100% memorized yet, but as well recognize better ways of doing things / more appropriate combinations of commands and flags such that you'll be updating that cheat script constantly and it will end up badass and useless at the same time - because once you're happy with it, you'll just be typing it out by hand most of the time anyway. The only thing I regularly reused was a example blank ssl.conf for building SAN certs easily.
|
|
#
?
Nov 3, 2018 04:32
|
|
|
jaegerx posted:Wait what. Why? SSL is not that hard. It’s pretty easy to verify a cert.
|
|
#
?
Nov 3, 2018 05:21
|
|
|
TLS is a racket
|
|
#
?
Nov 3, 2018 05:32
|
|
|
Vulture Culture posted:Sure, there's just expiration dates, certificate chains, cross-certification, differing sets of trust anchors between multiple clients and versions, common names, DNS subject alternative names, IP subject alternative names, basic constraints, key usage extensions, extended key usage extensions, mutual authentication, certificate revocation lists, OCSP, OCSP stapling, Yup and?
|
|
#
?
Nov 3, 2018 05:34
|
|
|
jaegerx posted:Yup and?
|
|
#
?
Nov 3, 2018 05:40
|
|
|
A great feature of letsencrypt is the short expiration. It basically forces you to automate and monitor the certs instead of doing it manually.
|
|
#
?
Nov 3, 2018 06:52
|
|
|
Vulture Culture posted:Sure, there's just expiration dates, certificate chains, cross-certification, differing sets of trust anchors between multiple clients and versions, common names, DNS subject alternative names, IP subject alternative names, basic constraints, key usage extensions, extended key usage extensions, mutual authentication, certificate revocation lists, OCSP, OCSP stapling, I only understand 10% of that but I’ve had to explain that 10% to every vendor we’ve ever hired.
|
|
#
?
Nov 3, 2018 06:53
|
|
Boys who love boys
|
jaegerx posted:Yup and? Thanks upright citizens brigade
|
|
#
?
Nov 3, 2018 07:05
|
|
|
Vulture Culture posted:Sure, there's just expiration dates, certificate chains, cross-certification, differing sets of trust anchors between multiple clients and versions, common names, DNS subject alternative names, IP subject alternative names, basic constraints, key usage extensions, extended key usage extensions, mutual authentication, certificate revocation lists, OCSP, OCSP stapling, Perfect forward secrecy, ec vs rsa, sni, code signing.
|
|
#
?
Nov 3, 2018 16:05
|
|
|
Internet Explorer posted:Why is WSUS such unmitigated garbage? And the new update methods they moved to definitely don't improve the situation. Windows Updates for Business? What problems are you having? We’re still on WSUS, but we’re pretty sure we’ll have to move soon.
|
|
#
?
Nov 3, 2018 16:45
|
|
|
nitsuga posted:Windows Updates for Business? What problems are you having? We’re still on WSUS, but we’re pretty sure we’ll have to move soon.
|
|
#
?
Nov 3, 2018 17:05
|
|
|
nitsuga posted:Windows Updates for Business? What problems are you having? We’re still on WSUS, but we’re pretty sure we’ll have to move soon. It's just a pain to manage. The product categories are all over the place these days, with every new Windows 10 quarterly update getting it's own category. The "express updates" or "express packages" just seem to completely balloon the storage usage. Cleaning up downloads or approved updates? Good luck. The database constantly gets disconnected and times out. It's just a lovely piece that hasn't been properly updated since it came out 10 years ago. Haven't used Windows Update for Business yet, but it looks like that's Windows 10 only. We want to update servers and still have Windows 7 machines for the next 6-12 months.
|
|
#
?
Nov 3, 2018 17:25
|
|
|
Internet Explorer posted:Why is WSUS such unmitigated garbage? And the new update methods they moved to definitely don't improve the situation. No no no. It works great! All you have to do is reboot the WSUS server and the client server every time you get a weird update error. And when that doesn’t work, because it never does, delete the client from WSUS and then flatten and rebuild the client from scratch. Easy peasy!
|
|
#
?
Nov 3, 2018 17:51
|
|
|
With our Win 10 deployment (in pilot now) we're moving away from SCCM/WSUS for updates/patches and moving to Cloud Management Suite. Seems pretty decent. Wish we could find something better than SCCM for our actual Image deployment though.
|
|
#
?
Nov 3, 2018 18:05
|
|
|
Internet Explorer posted:It's just a pain to manage. The product categories are all over the place these days, with every new Windows 10 quarterly update getting it's own category. The "express updates" or "express packages" just seem to completely balloon the storage usage. Cleaning up downloads or approved updates? Good luck. The database constantly gets disconnected and times out. It's just a lovely piece that hasn't been properly updated since it came out 10 years ago. Definitely agree, WSUS is not fun. We had our vendor get it set up, and now (a few years later) it's mostly a matter of letting it run for us. We're going to keep it for a while I'm sure (tons of Windows 7 still). Good point with the servers too, I'd have to talk to our network admins about how they're updating their servers, since they're not part of our SCCM environment.. Bob Morales posted:What do you move to and what factors decide when you do? What we're looking at is Windows Update for Business. It is only for Windows 10 as Internet Explorer said, but it gives us a little more flexibility with out-of-band management, since we're not running an always-on VPN connection into our SCCM environment (and we had some cases where updates were forced in the middle of the day once SCCM and WSUS got back in the picture). There are also some really quite cool things you can do with it, like peer-to-peer cache, deployment rings, and it provides a framework that could really modernize how we deploy Windows. TheFace posted:With our Win 10 deployment (in pilot now) we're moving away from SCCM/WSUS for updates/patches and moving to Cloud Management Suite. Seems pretty decent. Wish we could find something better than SCCM for our actual Image deployment though. We're not ready for it yet, but you ought to check out Windows Autopilot. nitsuga fucked around with this message at 03:20 on Nov 4, 2018 |
|
#
?
Nov 4, 2018 03:16
|
|
|
I'm working on both WUfB and Autopilot and the moment and the biggest challenge I face is getting management to understand that WUfB is not update management like WSUS. It's just update scheduling. They're handing update management off to Microsoft. Autopilot is... rough with decentralized purchasing.
|
|
#
?
Nov 4, 2018 07:48
|
|
|
Our wsus servers have worked perfectly fine(as i matter of fact it was the first project i campaigned for and done in my current workplace to move from manual updates for ~120 workstations) since 2010(we moved them from 2008r2 to 2012r2 shortly after win10 came out). We had to move part of our updates workflows to SCCM which never fails to gently caress some new thing up at every update so consider me one of the few people who would prefer to have a decent wsus implementation insted of intune/Windows update for business. Most issues i've found in wsus stems from bizantine group trees and not cleaning up every month all the supeseded/expired updates, if you just keep a handful of non-nested groups it will work just fine.
|
|
#
?
Nov 4, 2018 07:58
|
|
|
With the right combination of GPOs and WSUS config it should be pretty drat painless for patching. I spend maybe 30 minutes dealing with patch management a month, aside from getting up to check things when prod gets patched and handling the occasional “this machine didn’t patch for whatever reason” issue. I’ve been in charge of patch management for most of my career and other than the occasional client corruption I’ve rarely had issues with WSUS, managing anywhere from 400 servers to 4000+ workstations. And if your WSUS server does have issues, it’s not like it doesn’t take an hour to spin up a new one. Find a copy of the Adamj cleanup script that used to be available on spice works before he went to a paid model (or pay, whatever) and that solves most of the WSUS performance issues.
|
|
#
?
Nov 4, 2018 13:16
|
|
|
We patch ~1000 workstations and 200 servers with WSUS each month. Very painless. We did get a huge balloon in size with the addition of express packages, but it's just space I guess. We even have a slave exposed to the internet in a DMZ so computers that are off net will still get updates. We just use split dns for wsus.myorganization.com.
|
|
#
?
Nov 4, 2018 13:21
|
|
|
ADRs in SCCM are what we use. Select the product and required. It does all the cleaning of purged and expired updates.
|
|
#
?
Nov 4, 2018 22:18
|
|
|
We use Ivanti (formerly LANDesk) for our patching. It... isn't great. Requires a lot of babysitting. 150-odd servers, 150-odd workstations, split across four weekly patching groups (plus a special "public-facing" group). I'm not even primary on it, I just help out when the two primary guys can't both make it, or on the public-facing night because most of those are my servers, and are the more complex ones to restart (specific services have to be going, and some of the software they use is really poorly-written). Our main group (General) usually takes a handful of hours. We're such a small shop, we really can't justify SCCM. We inherited this, so we're stuck on it for the foreseeable future, unfortunately.
|
|
#
?
Nov 5, 2018 05:42
|
|
|
If you think ivanti needs a lot of babysitting...yeah we have ivanti and sccm and I like ivanti a lot better.
|
|
#
?
Nov 5, 2018 14:11
|
|
|
WSUS is mostly just obnoxious and likes to gently caress up at random but thisdevmd01 posted:Find a copy of the Adamj cleanup script that used to be available on spice works before he went to a paid model (or pay, whatever) and that solves most of the WSUS performance issues. helps a lot. Just have your company toss the guy a few bucks instead of fighting with the dumb bullshit that is WSUS. I just check it whenever there's another big win10 update package and have to reset/resync the occasional client node when it decides to be extremely broken which happens maybe once a year or so? I've got one momma server and 11 babby servers for reference of scale I'm in manufacturing and still have XP poo poo sitting on WSUS and will probably have to maintain these things forever. Besides, Win update for business has maximum quality update deferment intervals (why? gently caress you that's why. Give it a big red warning ! or w/e but don't force crap) and there have been instances where X update will break lovely OEM software Y and the fix takes significantly longer than 30 days. I basically just have a couple windows update group policy sets that are go hog wild (regular workstation machine, servers without goofy stupid vendor crap on them), manual update for production servers which we push with PoshPAIG during plant shutdown days, and forced off no updates for HMIs, which are all updated via Vmware Horizon when the template is updated from time to time. Since some plants don't go down often this does result in a bunch of stuff that gets woefully out of date which is still better than your average manufacturing facility which usually runs unpatched forever on a flat garbage network.
|
|
#
?
Nov 5, 2018 20:05
|
|
|
Winks posted:If you gave your two weeks because you have a job lined up already, in most states it isn't worth the hassle thanks to a waiting period, the actual waiting in offices, all the paperwork, and a former employer that could try to make it difficult. At least in my state, it can all be handled online and over the phone. It's crazy easy, or at least used to be. I'd be gettin' those two weeks. Fuckers.
|
|
#
?
Nov 5, 2018 21:12
|
|
|
Oh look, a new job posting...quote:This position requires a self paced and motivated individual that will work independently to support our small business and corporate customers on windows based server operating systems including Windows server 2000 to current Windows server operating system. 
|
|
#
?
Nov 5, 2018 21:38
|
|
|
22 Eargesplitten posted:Oh look, a new job posting... You forgot to highlight the bit that said "to current Windows server operating system". Hollow Talk fucked around with this message at 23:11 on Nov 5, 2018 |
|
#
?
Nov 5, 2018 21:45
|
|
|
There (are) will be windows admins responsible for maintaining windows 2000 machines that were set up before they were born.
|
|
#
?
Nov 5, 2018 21:49
|
|
|
I saw what looked like a pentium pro era tower that scanned barcodes at the voting place today. It was wild.
|
|
#
?
Nov 5, 2018 21:51
|
|
|
I wonder if they disable the control barcodes when they deploy those things
|
|
#
?
Nov 5, 2018 21:52
|
|
|
Thanks Ants posted:I wonder if they disable the control barcodes when they deploy those things My first guess as a person who supported county level elections offices years ago is "lmao" Would be shocked if they knew that you could do goofy poo poo like SQL injection via barcode if you leave that on (or if they even know control barcodes that can reconfigure stuff are a thing).
|
|
#
?
Nov 5, 2018 21:54
|
|
|
Hollow Talk posted:You forgot to highlight the bit that said "to current WIndows erver operating system". That's true, but you know what you're going to have to work with the most.
|
|
#
?
Nov 5, 2018 21:58
|
|
|
3 years experience of Server 2019 required.
|
|
#
?
Nov 5, 2018 21:59
|
|
|
At this point, I'm not even sure what "maintaining" a Windows 2000 machine would be. There's no more patches, hardware (if it's not virtualized) would be annoying to seek out. Maybe reboot it every once and awhile?
|
|
#
?
Nov 5, 2018 22:00
|
|
|
https://twitter.com/TheOnion/status/900081677338370049 but a Windows 2000 server
|
|
#
?
Nov 5, 2018 22:01
|
|
|
bull3964 posted:At this point, I'm not even sure what "maintaining" a Windows 2000 machine would be. There's no more patches, hardware (if it's not virtualized) would be annoying to seek out. "Remove" viruses every single
|
|
#
?
Nov 5, 2018 22:05
|
|
|
I’m starting to put feelers out for a junior dev job so I can  my way out of helpdesk at long last. Problem is, I’m under contract (not a FTE) and thus have no PTO and a recruiter that breathes down my neck if I take any unpaid time off. How do I make technical interviews work in such a situation, given their general length relative to other kinds of interviews?
|
|
#
?
Nov 5, 2018 23:09
|
|
|
bull3964 posted:At this point, I'm not even sure what "maintaining" a Windows 2000 machine would be. There's no more patches, hardware (if it's not virtualized) would be annoying to seek out. Acknowledge its existence
|
|
#
?
Nov 5, 2018 23:12
|
|
|
|
| # ? May 26, 2024 00:55 |
|
|
Pray none of the ISA cards in it dies.
|
|
#
?
Nov 5, 2018 23:14
|
|