Spring Heeled Jack
Feb 25, 2007

If you can read this you can read
You're gonna want 'hybrid join' (presence in both on-prem AD and AAD) which you can set up/enable with some GPOs and the Azure AD sync client. As far as I understand this is supposed to automatically assign licensing to desktops that are joined in this manner.

The last time I tried I could never get Win 10 to activate properly though, so good luck!


evobatman
Jul 30, 2006

it means nothing, but says everything!
Pillbug
Here's a dumb question I somehow can't seem to google my way out of:

I have an offline Root CA, and I have two domain controllers that are Subordinate CA and Subordinate User CA.

I have managed to renew the certificates for both my domain controllers, but only for a year. My root CA certificate seems to be good until 2022. How do I renew my Sub-CA certificates for more than one year at a time?

Potato Salad
Oct 23, 2014

nobody cares


Has anyone looked into instructing BitLocker not to use the Opal/TCG eDrive features of an SSD?

That is: is it possible to force software encryption for BitLocker?

Beefstorm
Jul 20, 2010

"It's not the size of the tower. It's the motion of the airwaves."
Lipstick Apathy

Potato Salad posted:

Has anyone looked into instructing BitLocker not to use the Opal/TCG eDrive features of an SSD?

That is: is it possible to force software encryption for BitLocker?

I am unsure, but I am curious as to why this is needed.

The Fool
Oct 16, 2003


It is, you can control the setting via GPO.

However, the setting will only apply to newly provisioned drives. It is not possible to change the bitlocker mode once it has been deployed.


Beefstorm posted:

I am unsure, but I am curious as to why this is needed.


The Fool fucked around with this message at 15:55 on Nov 6, 2018

Beefstorm
Jul 20, 2010

"It's not the size of the tower. It's the motion of the airwaves."
Lipstick Apathy

Oh good...

Time to revisit my Bitlocker strategy.

Sickening
Jul 16, 2007

Black summer was the best summer.

The Fool posted:

It is, you can control the setting via GPO.

However, the setting will only apply to newly provisioned drives. It is not possible to change the bitlocker mode once it has been deployed.

While you can't change the mode, you can remove bitlocker and add it again with the new settings. I am pretty sure every team that is new to bitlocker runs into this issue at least once.

Potato Salad
Oct 23, 2014

nobody cares


The investment in sccm is going to pay off here, hugely.

Potato Salad
Oct 23, 2014

nobody cares


Aaaaand we were already on software encryption in most cases, except literally the test machines I touched, thanks to transient policy fuckery in AD. Herp.

owner of this compliance requirement did his goddamn job well

Sri.Theo
Apr 16, 2008
Is there any chance that Microsoft will expand the Microsoft planner app to small/medium business packages versus limiting it to enterprise packages? It seems like it would be a good fit.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
A month or so ago we got the rollout for Microsoft's "anti-phish" feature that was previously E5 only (we're E3):

https://www.reddit.com/r/msp/comments/97juyt/microsoft_pushing_out_office_365_antispoofing/

It seems to have made email filtering worse than ever. In particular, WebEx and Zoom calendar invites are being sent to high-confidence spam when coming from most customers.

I can't tell exactly if it is this new feature causing the problem but that should be the only thing that has changed. Microsoft has the new E5 "anti-phish" feature located in:

1) Portal -> Admin Center -> Security and Compliance -> Threat Management -> Policy -> Anti-phishing -> Default Policy

but there is also our original spam filter, which has its own "anti-phish" filtering:

2) Portal -> Admin Center -> Security and Compliance -> Threat Management -> Policy -> Anti-spam -> Default spam filter policy -> Spam and Bulk Actions -> "Phishing email" (action set to Quarantine)

So, I'm having a hard time figuring out how Microsoft decides whether it is going to handle a suspected phishing email with the actions from method 1, or from method 2. Has anyone had issues with more false positives since this has been introduced, and have you been able to fine-tune it, or did you just disable the new feature?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Zero VGS posted:

It seems to have made email filtering worse than ever. In particular, WebEx and Zoom calendar invites are being sent to high-confidence spam when coming from most customers.

No, that sounds accurate.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

incoherent posted:

No, that sounds accurate.

I get you're joking but I've just about never seen a malicious calendar invite so I have no idea why the new filter is so aggressive to them. I figured it would handle all the fake DocuSign / OneDrive / Dropbox password reset emails we get by the dozens, but it lets those right through.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Those are probably from compromised O365 tenants. I'd do some deep digging on those and find their origin.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy

incoherent posted:

Those are probably from compromised O365 tenants. I'd do some deep digging on those and find their origin.

Our sales department was dumb enough to sign up for ZoomInfo, who promptly scrubbed all our emails and phone numbers from Outlook with their app, and sold them all to the highest bidders. That's when most of our phishing started.

Absolute scum company, ZoomInfo.

Spring Heeled Jack
Feb 25, 2007

If you can read this you can read
Ugh so I’ve been tasked with moving some old .net sites from IIS6 on a 2003 server to one of our more modern IIS servers (2008R2 lol)

It looks like this is pretty simple if I use the web deploy tool, however the issue I am running into is when I sync or import a package backed up from the 2003 server, it overwrites ALL sites on the destination server. Is there some option in the GUI to just merge in the sites or does something exist in the cmd line options that I am missing?

EDIT: Found the flag I was looking for! -enableRule:DoNotDeleteRule

EDIT EDIT: Well it looks like this flag is not doing anything! Existing sites at the destination are still being removed.

msdeploy -verb:sync -source:webserver60 -dest:auto,computername=xxxx -enablerule:donotdeler

Spring Heeled Jack fucked around with this message at 16:51 on Nov 8, 2018

Spyderizer
Feb 18, 2004

SlowBloke posted:

All of our machines are either on Win 7 Pro or Win 10 Pro. My higher ups made the call that Microsoft 365 would be cheaper than Office 2016 with SA and Win 10 Ent upgrade with SA. Sadly I have no loving idea on how to get keys to install the OS without resorting to enrolling the newly formatted PC into Azure AD and having it fetch the key on the Azure AD DNS volume licensing (meaning it won't get our local AD GPO settings).

Yeah, you need to use Azure AD with M365 to assign the licences, we ran into similar problems. If you use hybrid enrolment via AD Connect you should be able to keep your GPOs.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Does anyone know if Lync 2013 can exist with Server 2016 domain controllers and the updated schema? I know Exchange 2010 couldn't until CU22 or later. I can't find solid documentation about it.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe
I moved the whole company over to E3/Business Premium on 365 last year, but mostly just because we were on ...GoDaddy... and it's 2018. Now we have a ton of stuff but mostly just use Outlook and OneDrive. We only use SharePoint to create 'shared files' for our groups that we sync via OneDrive.


I want to set up some kind of flow/status/dashboard for keeping track of our vendors and customers. Something where people can enter in updates and others can see when and what is going on. I know how to do this with a shared Excel file, but obviously that isn't robust. I assume there is some 'correct' way to do this on 365 that is cloud 1st and scalable and mobile friendly and all that other poo poo, but I just don't know where to start.

Is it some kind of Forms -> Flow -> Sharepoint -> PowerBI dashboards? I don't loving know. Can I just do it in SharePoint? I don't need an auditable workflow, just some way of saying 'yes, someone updated the product images last week and 10 transactions were put in by another person yesterday'

Thanks Ants
May 21, 2004

#essereFerrari


I think the Outlook Customer Manager is being retooled to not be a giant heap of poo poo and also to make it available with the Enterprise plans, that might do what you need if you are happy to kick the can down the road a bit.

lol internet.
Sep 4, 2007
the internet makes you stupid

SlowBloke posted:

All of our machines are either on Win 7 Pro or Win 10 Pro. My higher ups made the call that Microsoft 365 would be cheaper than Office 2016 with SA and Win 10 Ent upgrade with SA. Sadly I have no loving idea on how to get keys to install the OS without resorting to enrolling the newly formatted PC into Azure AD and having it fetch the key on the Azure AD DNS volume licensing (meaning it won't get our local AD GPO settings).

Assuming you have ad on prem setup..

You first need to buy 5 open licenses of windows 10 pro from a vendor. This will get you a vlsc site login which gets you a kms host key.

Kms has two activation methods, AD and the old original kms activation. If you are activating windows 7 still you need to use this method.

So you get the KMS host key off the VLSC site, set up a KMS server locally. New PCs domain join your local AD and you just enter the default KMS client keys for either Windows 7 or 10 then it looks to activate locally. The first time you activate the KMS host though you need to like register 25 or something before it becomes a full fledged KMS host.

Essentially you need to pay up for 5 licenses of windows 10 enterprise through open license. The kms should cover you for windows 7 as well although I'd double check this first.

This is what I did at an old place to save money for Windows 8.x. We eventually got an audit by MS and they just asked for 5 licenses from the actual PC stickers. Not many places realize you save a lot of money this way. Why buy a PC with a Pro license, then cover it with an Enterprise when you don't necessarily use the Enterprise features.

lol internet. fucked around with this message at 00:29 on Nov 16, 2018

Thanks Ants
May 21, 2004

#essereFerrari


If you are paying for Microsoft 365 then you might as well use the features - do a Hybrid AD Join and then use Intune to bring your Windows Pro machines up to Enterprise.

I would *guess* that for the Windows 7 machines you can deploy Windows 10 Pro using the USB/ISO that you can get from Microsoft's own website and just don't enter a key, and let Intune handle it, but I haven't had to deal with that scenario before.

Spyderizer
Feb 18, 2004

Thanks Ants posted:

If you are paying for Microsoft 365 then you might as well use the features - do a Hybrid AD Join and then use Intune to bring your Windows Pro machines up to Enterprise.

I would *guess* that for the Windows 7 machines you can deploy Windows 10 Pro using the USB/ISO that you can get from Microsoft's own website and just don't enter a key, and let Intune handle it, but I haven't had to deal with that scenario before.

You do need the Windows Pro key embedded in the firmware for that to work. That being said I did manage to get Win 10 to activate on a Win 7 Pro key just recently, so you might be able to get away with it. I have found that once a device is activated it'll stay activated with a digital licence between builds/resets.

Ziploc
Sep 19, 2006
MX-5
Are 2012 Server Licenses transferable? Can I pull the key from registry and use it somewhere else?

The Fool
Oct 16, 2003


Any non-oem key should be transferable. I don't actually know if there are OEM versions of Windows Server.

Maneki Neko
Oct 27, 2000

The Fool posted:

Any non-oem key should be transferable. I don't actually know if there are OEM versions of Windows Server.

Yes, OEM licensed server copies still exist.

SlowBloke
Aug 14, 2017

Thanks Ants posted:

If you are paying for Microsoft 365 then you might as well use the features - do a Hybrid AD Join and then use Intune to bring your Windows Pro machines up to Enterprise.

I would *guess* that for the Windows 7 machines you can deploy Windows 10 Pro using the USB/ISO that you can get from Microsoft's own website and just don't enter a key, and let Intune handle it, but I haven't had to deal with that scenario before.

We have decided to go this path, set up hybrid join last week. Win7 machines will get wiped using our current W10 Pro KMS key as placeholder until Azure AD joined.

orange sky
May 7, 2007

So let's say I want to run a script locally on all computers that checks if the configured email accounts on Outlook and the respective password have been compromised using HaveIBeenPwned. Is there any way I can get the password hashes through regular PowerShell? Didn't want to have to use mimikatz lol.

Potato Salad
Oct 23, 2014

nobody cares


HaveIBeenPwned doesn't need password hashes?

My strategy here would be to get all active email addresses from Fiddler.

orange sky
May 7, 2007

I'm talking about HaveIBeenPwned Passwords, which checks your password against a list of leaked passwords.

You send them the first 5 characters of the SHA-1 of your passwords with the API and it returns all compromised hashes that match that pattern. Then you compare it to the entire hash.

The Fool
Oct 16, 2003


Yeah, HIBP has two services.

One that will let you check your e-mail address or domain against a list of data breaches.

The other lets you check your password hash against known compromised passwords.

Potato Salad
Oct 23, 2014

nobody cares


That's both cool and initially confusing to me.

Under what circumstances is a password compromised when you don't also know that a service has been compromised?

"Corp X leaked passwords unassociated with usernames, check them here?" Would you not just reset all Corp X accounts?

The Fool
Oct 16, 2003


HIBP maintains two different databases.

One is a set of hashes of every known compromised password. They provide an API for tools to query this, and a form for you to type in a password (don't actually do this with passwords you intend to use).
A password is considered pwned if its hash matches a hash in this database, independent of username or service the password was used on.

The other is a database of known PII breaches. You can submit your e-mail address and get back a list of any data breaches that contained your e-mail, and a summary of what types of information were in this breach. HIBP also provides a free subscription so that if you own a domain, you can get notifications if any e-mails on your domain have shown up in a breach.

For example, I just got this e-mail yesterday:
pre:
An email on a domain you're monitoring has been pwned
You signed up for notifications when emails on contoso.com were pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:
Breach:	Data & Leads
Date of breach:	14 Nov 2018
Accounts found:	44,320,330
Your accounts:	488
Compromised data:	Email addresses, Employers, IP addresses, Job titles, Names, Phone numbers, Physical addresses
Description:	In November 2018, security researcher Bob Diachenko identified an unprotected database believed to be hosted by a data aggregator. Upon further investigation, 
the data was linked to marketing company Data & Leads. The exposed Elasticsearch instance contained over 44M unique email addresses along with names, IP and physical 
addresses, phone numbers and employment information. No response was received from Data & Leads when contacted by Bob and their site subsequently went offline.
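
The k-anonymity range lookup orange sky describes above (send the first 5 hex characters of the SHA-1, get back every matching suffix with its count, compare the rest locally) and the hash-comparison service The Fool describes in this post, as an added example that is not code from either poster or from HIBP. The endpoint path is the real documented one; the sample range response, the two filler suffixes and every count in it are constructed so the script runs offline, and the live lookup is included only for when you want to point it at the real service:

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Range endpoint of the HIBP Pwned Passwords API (the documented path).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> Tuple[str, str]:
    """k-anonymity split: the first 5 hex chars leave the machine, the remaining 35 never do."""
    return hash_hex[:5], hash_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per hash sharing the prefix) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for the response to /range/5BAA6 (the prefix of SHA-1("password")).
# The third suffix is the genuine remainder of that hash; the other two suffixes and all
# three counts are made up here so the example runs without network access.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
"""


def offline_range_lookup(prefix: str) -> str:
    """Offline lookup that only knows the constructed range above (empty for any other prefix)."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_range_lookup(prefix: str) -> str:
    """Real lookup against HIBP; only the 5-character prefix is transmitted."""
    req = urllib.request.Request(HIBP_RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """How many times the password appears in the corpus; 0 means no suffix in the range matched."""
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not in range'}")
```

Swap `range_lookup=live_range_lookup` into the `pwned_count` call to query the real service; the comparison of the 35-character suffix still happens on your side, which is the whole point of the prefix scheme.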

Potato Salad
Oct 23, 2014

nobody cares


I get the how -- it's the why. The first seems like snake oil.

Potato Salad
Oct 23, 2014

nobody cares


When would JUST a pw be pwned, without the accompanying account?

Sensible: reset bob@yahoo.com when you hear that Yahoo is compromised.

Odd: check whether specifically your pw has been in one of the payloads Troy Hunt could get his hands on.

The Fool
Oct 16, 2003


1. Assume that the database Mr. Hunt uses is also available to anyone with sufficient motivation.
2. Know that comparing the contents of the password database is an order of magnitude faster than any other method of attacking passwords.
3. Know that many compromised websites either are not aware that they have been compromised or do not report that they are compromised.
4. Know that if the salt and hashing method is known, it is trivial to extract a list of usernames with known passwords from a site dump.
5. Assume that even if the salt and hashing method is not known, sites are bad at security and it is not difficult to figure this information out with a suitable site dump.
6. Know that if a valid username and password pair is found in a site dump, it is trivial to test those credentials against any other site or service.
7. Assume that if your username and password do not exist as a pair in any known site dump, scripts are constantly trying random known username and known password pairs.

Infer that given the above, it is prudent to not want to use the same password twice, and to not want to use a password that has ever been compromised in the past.

edit:
In addition:
NIST recommends not allowing passwords that are a part of a previous breach.

quote:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

Passwords obtained from previous breach corpuses.
Dictionary words.
Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
Context-specific words, such as the name of the service, the username, and derivatives thereof.

The Fool fucked around with this message at 02:01 on Nov 30, 2018
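
The four list categories in the NIST text quoted above (that passage is SP 800-63B section 5.1.1.2), turned into a verifier-side check as an added example; this is not code from the poster or from NIST. The breach corpus, the dictionary and the context words ("contoso" and "bob", taken from names used elsewhere in this thread) are all constructed stand-ins; a real deployment would load the HIBP hash export in place of the four-entry set, and keyboard walks like "qwerty" are deliberately left to the corpus rather than modelled:

```python
import hashlib
import re
from typing import Iterable, List, Set

DIGITS = "0123456789"
# Ordered alphabet used to spot ascending/descending runs ('abcd', '4321').
ASCENDING = "abcdefghijklmnopqrstuvwxyz" + DIGITS
DESCENDING = ASCENDING[::-1]
# Common substitutions undone before dictionary/context matching ('P@ssw0rd' -> 'password').
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, kept as hashes so the check never holds the
# cleartext list; a real verifier would load HIBP's hash export here instead.
BREACHED_HASHES: Set[str] = {sha1_hex(p) for p in ("password", "123456", "qwerty", "letmein")}
# Constructed mini dictionary.
DICTIONARY: Set[str] = {"password", "welcome", "summer", "dragon", "monkey"}


def candidate_forms(secret: str) -> Set[str]:
    """Lower-cased variants: as typed, trailing digits stripped, and with leet undone."""
    lower = secret.lower()
    stem = lower.rstrip(DIGITS)
    return {lower, stem, lower.translate(LEET), stem.translate(LEET)}


def has_repetitive_run(secret: str, n: int) -> bool:
    """Same character n or more times in a row ('aaaaaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), secret) is not None


def has_sequential_run(secret: str, n: int) -> bool:
    """Any n consecutive characters form an ascending or descending run ('1234', 'dcba')."""
    s = secret.lower()
    return any(s[i:i + n] in ASCENDING or s[i:i + n] in DESCENDING
               for i in range(len(s) - n + 1))


def check_memorized_secret(secret: str, context_words: Iterable[str] = (),
                           run_length: int = 4) -> List[str]:
    """Reasons a verifier would reject the secret under the quoted NIST list.

    An empty list means none of the four checks fired (other policy still applies)."""
    reasons: List[str] = []
    forms = candidate_forms(secret)
    if sha1_hex(secret) in BREACHED_HASHES:
        reasons.append("breach-corpus")
    if any(form in DICTIONARY for form in forms):
        reasons.append("dictionary-word")
    if has_repetitive_run(secret, run_length):
        reasons.append("repetitive")
    if has_sequential_run(secret, run_length):
        reasons.append("sequential")
    for word in context_words:
        if any(word.lower() in form for form in forms):
            reasons.append(f"context:{word}")
    return reasons


if __name__ == "__main__":
    ctx = ("contoso", "bob")  # constructed service name and username
    for pw in ("letmein", "Summer2018", "aaaaaa", "1234abcd", "C0ntoso!2018", "Tr0ub4dor&3"):
        print(f"{pw:14} -> {check_memorized_secret(pw, ctx) or 'accepted'}")
```

The leet normalisation and digit stripping are what make "Summer2018" and "C0ntoso!2018" fail the dictionary and context checks respectively; without them a user can trivially route around a plain substring match.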

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I know that Active Directory is a "dead product" to Microsoft, it'd be nice if we could direct AD to validate hashes against a local DB of common passwords to stop them from being used. Everything I've researched to implement a solution like this is webpage-based. Doesn't tackle the common password changing interface, which is logging in or unlocking your workstation.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Mobile posting but they do

https://docs.microsoft.com/en-us/windows/desktop/secmgmt/password-filters

The Fool
Oct 16, 2003


incoherent posted:

I know that Active Directory is a "dead product" to Microsoft, it'd be nice if we could direct AD to validate hashes against a local DB of common passwords to stop them from being used. Everything I've researched to implement a solution like this is webpage-based. Doesn't tackle the common password changing interface, which is logging in or unlocking your workstation.

My understanding is that you have to install a password filter, which involves deploying a custom dll to your workstations. There are 3rd party products that do this.

At Ignite I seem to recall there being support for AAD's banned passwords in Server 2019, but that may have been for ADFS only.

edit, this: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
Looks like it supports Server 2012 R2

The Fool fucked around with this message at 02:40 on Nov 30, 2018


incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Well gently caress, another reason to get into o365/azure.
