Sickening
Jul 16, 2007

Black summer was the best summer.
No powershell rules are just a lack of institutional knowledge at sr positions. I would say that script signing is so rarely used for reasons that baffle me.

VideoGames
Aug 18, 2003

Internet Explorer posted:

I assume you're talking about FSRM? There's hard and soft quotas. If it is a soft quota and you reduce it, it will trigger whatever event is supposed to be triggered but they can still save files. If it is a hard quota, they will need to delete files before they can save more. It is my understanding that it will not delete old files.

You can use File Management Tasks in FSRM to do something like what you are asking.

https://docs.microsoft.com/en-us/windows-server/storage/fsrm/create-file-expiration-task

Thank you so much for the answer. We do have FSRM and the quotas are hard and just too large. I want to change them and just wanted to know how much damage it would do. If it is a simple case of no saving until you clean files out, then that is perfect and actually forces them to do some tidying. I cannot seem to make them tidy any other way right now!
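The "how much damage would it do" question above can be answered before touching anything. The following is an added example, not code from the thread: it uses the FileServerResourceManager cmdlets that ship with the FSRM role (Get-FsrmQuota and Set-FsrmQuota, whose objects expose Size, Usage and SoftLimit in bytes) to list every quota under a root, show who is already above the proposed limit, and only apply the new hard limit when asked. The path pattern `D:\Shares\Users\*` and the 20 GB figure are assumptions for illustration; run it on the file server as an administrator.

```powershell
# Added example (not from the thread). Preview, then optionally apply, a reduced
# hard quota on FSRM-managed folders. Assumes the FileServerResourceManager
# module and a per-user quota root such as D:\Shares\Users\* (constructed path).

function Get-QuotaShrinkImpact {
    param(
        [Parameter(Mandatory)][string]$PathPattern,   # e.g. 'D:\Shares\Users\*'
        [Parameter(Mandatory)][uint64]$NewSizeBytes,  # proposed limit, e.g. 20GB
        [switch]$Apply                                # without this: report only
    )

    # One object per quota. Usage and Size are bytes; SoftLimit is $true for a
    # warn-only quota and $false for a hard one that blocks further writes.
    $quotas = Get-FsrmQuota -ErrorAction Stop | Where-Object Path -like $PathPattern

    foreach ($q in $quotas) {
        $overBy = [int64]$q.Usage - [int64]$NewSizeBytes
        $type   = if ($q.SoftLimit) { 'soft' } else { 'hard' }
        # With a hard limit, anyone already above the new size cannot save
        # until they delete at least this much. FSRM itself deletes nothing.
        $mustFree = if ($overBy -gt 0) { [math]::Round($overBy / 1GB, 1) } else { 0 }

        [pscustomobject]@{
            Path       = $q.Path
            Type       = $type
            CurrentGB  = [math]::Round($q.Size / 1GB, 1)
            UsageGB    = [math]::Round($q.Usage / 1GB, 1)
            NewGB      = [math]::Round($NewSizeBytes / 1GB, 1)
            MustFreeGB = $mustFree
        }

        if ($Apply) {
            # -SoftLimit:$false makes (or keeps) the quota hard.
            Set-FsrmQuota -Path $q.Path -Size $NewSizeBytes -SoftLimit:$false -ErrorAction Stop
        }
    }
}

# Preview only: who would be unable to save anything at a 20 GB hard limit?
Get-QuotaShrinkImpact -PathPattern 'D:\Shares\Users\*' -NewSizeBytes 20GB |
    Where-Object MustFreeGB -gt 0 |
    Sort-Object MustFreeGB -Descending |
    Format-Table -AutoSize

# Once the list looks acceptable, apply it:
# Get-QuotaShrinkImpact -PathPattern 'D:\Shares\Users\*' -NewSizeBytes 20GB -Apply
```

The preview is the useful part: it is the list of users who will hit the wall the moment the limit changes, which is exactly the group to warn (or to let the hard quota motivate, as the post above intends). Existing files stay where they are either way; lowering a hard quota only stops new writes.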

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Thanks Ants posted:

You can't do your job without Powershell if you're a Windows shop.

I really really hope it is just a freak out about script signing and was just worded poorly, because the above is basically all you need to know.

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Wicaeed posted:

Is it "normal" for an Enterprise to come down with a blanket statement from on-high saying that PowerShell be disabled across all systems, even server OS ones?

I was just told that all instances of PowerShell & PowerCLI (which I kind of need to use to do my job) are in violation of security policy and will be disabled at a future date.

It's really got me thinking of looking for another job.

You may think it's crazy, but I work at a Fortune 500 who's had that directive for years, and it's making my life (as the Powershell expert on the Windows deployment and endpoint management team) a loving nightmare.

We were supposed to have unblocked it for good this week. Then one of the GPOs EntSec required broke the VPN. lol plz let me die.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Dirt Road Junglist posted:

You may think it's crazy, but I work at a Fortune 500 who's had that directive for years, and it's making my life (as the Powershell expert on the Windows deployment and endpoint management team) a loving nightmare.

We were supposed to have unblocked it for good this week. Then one of the GPOs EntSec required broke the VPN. lol plz let me die.

Same.

Blocking Powershell is uncommon but common.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Disabling powershell is in every one of those dogshit "hardening windows for the enterprise" books I've ever seen. For any of them that are worth a poo poo, it's part of the guide for hardening AppLocker configs to stop known evasion techniques, but crappy IT people turn it off while leaving all other arbitrary code execution enabled, which makes it a useless pain in the butt.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Disabling Powershell along with Console Only VM access is one of those things that are claimed to be secure, but it's really just paranoia and anxiety, not actual security.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Cargo Cult security.

Meanwhile in the real world just about anything we do more than once we figure out how to do it with a powershell script. Even if we find example scripts online that are vbscript, we'll put in the effort to translate it to powershell. We have a ton of powershell modules in github, some in our private internal github, some public (I'll link when I get back to my desk).

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

So I went to figure out why my Server 2012R2 VMs take hours to patch while my 2016 ones are nothing, and my sccm team is pushing the individual KBs, the Security Only rollups, AND the full rollups for both the OS and .net every single month. Incredible.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

BangersInMyKnickers posted:

So I went to figure out why my Server 2012R2 VMs take hours to patch while my 2016 ones are nothing, and my sccm team is pushing the individual KBs, the Security Only rollups, AND the full rollups for both the OS and .net every single month. Incredible.

That's impressive.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952
I'm in enterprise IT doing Powershell, and our network has it locked down pretty hard. We can't create remote sessions or use Invoke, I have to push a script to the target machine and invoke it with psexec.

It makes doing a lot of things much harder than it has to be.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Yes, allowing psexec is way better :smith:

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

BangersInMyKnickers posted:

So I went to figure out why my Server 2012R2 VMs take hours to patch while my 2016 ones are nothing, and my sccm team is pushing the individual KBs, the Security Only rollups, AND the full rollups for both the OS and .net every single month. Incredible.

That's like the time one of my provisioning teams was bitching that it took too long to image, and it turned out they were running Windows Update at the end, every single time. When asked why, they said they were told to do it that way. By whom, I asked, because I'm the one who writes the docs and trains the trainers. Lots of furtive looks were shared, and it turned out that was a directive from my vertical's loving VP, who said he used to do it that way when he was a desktop analyst. (Said VP is in the same remote office as this provisioning team.)

VP got told. Also, the complaints about duration issues stopped.

(Our endpoint management software automatically pushes the relevant patches to a new machine, so running a manual Windows Update is redundant as hell.)

skipdogg posted:

Yes, allowing psexec is way better :smith:

:psyduck:

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

BangersInMyKnickers posted:

So I went to figure out why my Server 2012R2 VMs take hours to patch while my 2016 ones are nothing, and my sccm team is pushing the individual KBs, the Security Only rollups, AND the full rollups for both the OS and .net every single month. Incredible.

Wait how the hell do you even get individual KBs anymore.

Related, it's a shame there's nobody developing wsus anymore, because it really needs a flag for "security & quality" and "security only" and to flag the security only as both in months when there are no quality updates.
Make my ADRs easier!

EoRaptor
Sep 13, 2003

by Fluffdaddy

BangersInMyKnickers posted:

Disabling powershell is in every one of those dogshit "hardening windows for the enterprise" books I've ever seen. For any of them that are worth a poo poo, it's part of the guide for hardening AppLocker configs to stop known evasion techniques, but crappy IT people turn it off while leaving all other arbitrary code execution enabled, which makes it a useless pain in the butt.


:zoid: "We're disabling powershell because it's insecure."
:allears: "Okay, are you also disabling windows scripting host?"
:zoid: "What's that then?"

Yep, gives me confidence for sure.
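The two posts above make the same point from different angles: "disable PowerShell" only means something if the other script hosts and the AppLocker rule collections are handled too, and (as Sickening noted earlier in the thread) script signing is the control that usually goes unused. The script below is an added example, not something posted in the thread or shipped by Microsoft. It reports, on one host, the machine-level execution policy, whether script block logging is on, whether Windows Script Host is disabled, which AppLocker rule collections are actually enforced, and the language mode of the current session. It relies only on built-in cmdlets, the AppLocker module (present on Enterprise and Server SKUs) and the documented policy registry paths; run it elevated.

```powershell
# Added example (not from the thread). Audit whether "we disabled PowerShell" was
# done alone or as part of real script-host control on this machine.

function Get-ScriptHostControlReport {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Control, $State, $Note) {
        $findings.Add([pscustomobject]@{ Control = $Control; State = $State; Note = $Note })
    }

    # 1. Execution policy pushed by Group Policy (script signing). AllSigned and
    #    RemoteSigned only govern script files, not interactive or -Command use,
    #    so treat this as hygiene rather than a security boundary.
    $machinePolicy = (Get-ExecutionPolicy -List |
        Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
    Add-Finding 'ExecutionPolicy (MachinePolicy)' $machinePolicy `
        'AllSigned = Authenticode-signed scripts only; Undefined = no signing requirement from policy'

    # 2. Script block logging. If PowerShell stays enabled, this is what gives
    #    the SOC visibility into what it actually ran.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
        -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $sblState = if ($sbl.EnableScriptBlockLogging -eq 1) { 'Enabled' } else { 'Disabled' }
    Add-Finding 'ScriptBlockLogging' $sblState `
        'Event ID 4104 in Microsoft-Windows-PowerShell/Operational'

    # 3. Windows Script Host (wscript/cscript: VBScript, JScript). The usual
    #    blind spot when only powershell.exe is blocked.
    $wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' `
        -Name Enabled -ErrorAction SilentlyContinue
    $wshState = if ($wsh.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
    Add-Finding 'WindowsScriptHost' $wshState `
        'Enabled=0 (DWORD) under the Settings key disables WSH machine-wide'

    # 4. AppLocker: which rule collections are actually enforced. Blocking one
    #    interpreter while Exe/Dll/Script are NotConfigured leaves arbitrary
    #    code execution wide open.
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
        foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
            $mode = if ($rc.EnforcementMode) { $rc.EnforcementMode } else { 'NotConfigured' }
            Add-Finding "AppLocker/$($rc.Type)" $mode "$(@($rc.ChildNodes).Count) rule(s)"
        }
    } catch {
        Add-Finding 'AppLocker' 'Unavailable' $_.Exception.Message
    }

    # 5. Language mode of this session. ConstrainedLanguage is what an enforced
    #    AppLocker/WDAC policy gives you instead of "no PowerShell at all".
    Add-Finding 'LanguageMode' $ExecutionContext.SessionState.LanguageMode `
        'ConstrainedLanguage restricts .NET and COM access for unsigned scripts'

    return $findings
}

Get-ScriptHostControlReport | Format-Table -AutoSize
```

Reading the output the way the posts above suggest: a host showing PowerShell blocked by a Script rule but WindowsScriptHost "Enabled" and the Exe and Dll collections "NotConfigured" has the exact gap EoRaptor's dialogue describes. The combination worth aiming for is the opposite one: PowerShell left available, ScriptBlockLogging "Enabled", an execution policy of AllSigned from machine policy, and a session that reports ConstrainedLanguage for anyone who is not running signed, whitelisted code.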

Collateral Damage
Jun 13, 2009

The "security" group at the corp I'm working for had Chrome and Firefox removed from the application portal because "Internet Explorer is industry proven but unofficial browsers are an unknown risk".

This is the same security team which despite quarterly user rights audits did not catch a SQL Server with its service account in the Domain Admins group and xp-cmdshell enabled.


e: SA doesn't let me post with an underscore in the xp name. :v:

Collateral Damage fucked around with this message at 08:48 on Jan 19, 2019

peak debt
Mar 11, 2001
b& :(
Nap Ghost
xp_cmdshell

Ha, I can!
We also introduced application control (with AppSense) and then someone had the brilliant idea to block powershell, cmd.exe and mstsc.exe because those applications apparently are all security risks. Of course after they did that, nobody was able to do any work anymore, so we introduced an exception scheme where your boss was able to make you completely exempt from it with a simple ticket. Now, two thirds of all users have been exempt from any application restrictions for the past 18 months and I don't believe anyone is ever going to pick this topic up again.

peak debt fucked around with this message at 14:09 on Jan 19, 2019

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

FISHMANPET posted:

Wait how the hell do you even get individual KBs anymore.

Related, it's a shame there's nobody developing wsus anymore, because it really needs a flag for "security & quality" and "security only" and to flag the security only as both in months when there are no quality updates.
Make my ADRs easier!

Server 2016 is the cutoff where you don't get individual KBs any more, just one of the two rollup choices. If you're running WSUS/SCCM you can still pull them for 2012R2 or lower. With a normal WSUS config it would just pull the one with more precedence (everything rollup) but whatever the hell is going on with our SCCM config is making them install like incrementals.

lol internet.
Sep 4, 2007
the internet makes you stupid
Does any software-based snapshot software exist that can take incremental snapshots of a LUN and replicate them to another drive/share?

I need to migrate some SQL servers that have storage drives up to 1TB and it's hard to ask for an 8h outage window.

What I am snapshotting is either sql db or a shared vhdx that is holding it.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952
skipdogg posted:

Yes, allowing psexec is way better :smith:

Yeah.

My favorite part of my job is going online and finding a really elegant bit of code I could steal, except it won't run in our environment because Our Swiss Overlords have very definite ideas about security.

Potato Salad
Oct 23, 2014

nobody cares


lol internet. posted:

Does any software-based snapshot software exist that can take incremental snapshots of a LUN and replicate them to another drive/share?

I need to migrate some SQL servers that have storage drives up to 1TB and it's hard to ask for an 8h outage window.

What I am snapshotting is either sql db or a shared vhdx that is holding it.

What's your virtualization stack, and are you running SQL clustered/dag?

lol internet.
Sep 4, 2007
the internet makes you stupid
Hyper-V, shared VHDX, SQL cluster service (not Always On).

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Must be a 2019 feature, partially available.

Wicaeed
Feb 8, 2005
Another suggestion from the same person that proposed completely disabling PowerShell in our environment.

He wants to use completely random computer names for every device. Every. Device.

Laptops. Printers. Domain Controllers. Switches. Routers. Servers. Application Servers.

Like, I get it. It is harder to snoop your network and find out useful information. But at some point someone, somewhere has to WORK on the loving thing.

Gallatin
Sep 20, 2004

Wicaeed posted:

Another suggestion from the same person that proposed completely disabling PowerShell in our environment.

He wants to use completely random computer names for every device. Every. Device.

Laptops. Printers. Domain Controllers. Switches. Routers. Servers. Application Servers.

Like, I get it. It is harder to snoop your network and find out useful information. But at some point someone, somewhere has to WORK on the loving thing.

Yeah, but that is what the computer janitors are paid to do. /s

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952
Wicaeed posted:

Another suggestion from the same person that proposed completely disabling PowerShell in our environment.

He wants to use completely random computer names for every device. Every. Device.

Laptops. Printers. Domain Controllers. Switches. Routers. Servers. Application Servers.

Like, I get it. It is harder to snoop your network and find out useful information. But at some point someone, somewhere has to WORK on the loving thing.

Some people just want to watch the world burn, other people seem to want to be set on fire.

Are they trolling your management?

devmd01
Mar 7, 2006

Elektronik
Supersonik
We’re acquiring a division (that does what we do) of a larger company and all of their servers are in the larger company’s shared services VMware farm. Their naming scheme might as well be random, there is absolutely nothing useful in the server names to tell you anything about them - gotta refer back to the description field from the rvtools export.

We’re tossing most of them and just migrating the data, but sheesh.

AreWeDrunkYet
Jul 8, 2006

Is there a go-to book to get familiar with (on-prem) AD infrastructure concepts top to bottom for someone who has administered pieces of an AD environment? Preferably something that gets the ideas across effectively rather than one designed to help pass a test.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

The "Cat book" is basically the AD Bible and covers all the moving pieces.

http://shop.oreilly.com/product/0636920023913.do or google search for a PDF version

Also ask questions here if you like. I'm always happy to answer AD questions.

Some of the deeper stuff is found on technet blogs and MVP blogs, but the cat book is a solid pickup. It's so solid I bought a physical copy, something I rarely do.

edit 1: Also bookmark this. https://blogs.technet.microsoft.com/askds/2010/07/27/post-graduate-ad-studies/

edit 2: Also, yes some of these articles are old, but not much has changed in AD since 2012R2.

skipdogg fucked around with this message at 21:18 on Jan 23, 2019

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


That’s fine if they’re old. I too need to figure out how AD actually works.

AreWeDrunkYet
Jul 8, 2006

skipdogg posted:

The "Cat book" is basically the AD Bible and covers all the moving pieces.

http://shop.oreilly.com/product/0636920023913.do or google search for a PDF version

Also ask questions here if you like. I'm always happy to answer AD questions.

Some of the deeper stuff is found on technet blogs and MVP blogs, but the cat book is a solid pickup. It's so solid I bought a physical copy, something I rarely do.

edit 1: Also bookmark this. https://blogs.technet.microsoft.com/askds/2010/07/27/post-graduate-ad-studies/

edit 2: Also, yes some of these articles are old, but not much has changed in AD since 2012R2.

Thanks!

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Tab8715 posted:

That’s fine if they’re old. I too need to figure out how AD actually works.

So much DNS. So so much DNS.

Bookmark this guy too, he's written some great stuff over the years that explains under the hood AD stuff

https://blogs.msmvps.com/acefekay/

Schadenboner
Aug 15, 2011

by Shine

skipdogg posted:

The "Cat book" is basically the AD Bible and covers all the moving pieces.

http://shop.oreilly.com/product/0636920023913.do or google search for a PDF version

Also ask questions here if you like. I'm always happy to answer AD questions.

Some of the deeper stuff is found on technet blogs and MVP blogs, but the cat book is a solid pickup. It's so solid I bought a physical copy, something I rarely do.

edit 1: Also bookmark this. https://blogs.technet.microsoft.com/askds/2010/07/27/post-graduate-ad-studies/

edit 2: Also, yes some of these articles are old, but not much has changed in AD since 2012R2.

Oh hey, I had that book for Server 03, good to see it's still around. I should pick up a new one, I lost mine in a flood I think.

:3:

Catte

E: I wonder if they're going to make a 6th with, like, Azure poo poo in it?

Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy
Nevermind!

Japanese Dating Sim fucked around with this message at 18:55 on Jan 24, 2019

Mute_Fish
Nov 9, 2009
Not sure if it's the default or not because it's been far too long since I originally set up SCCM, but in my environment the UDI wizard files are here: "D:\Sources\OSD\SW\MDT\Scripts" on the SCCM server. Also there is a program on the SCCM server called "UDI Wizard Designer"; if you open the XML with that you can edit the standard / optional applications fairly easily. I think you can also edit the .xml.app file directly but I have not done that myself.

Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy

Mute_Fish posted:

Not sure if it's the default or not because it's been far too long since I originally set up SCCM, but in my environment the UDI wizard files are here: "D:\Sources\OSD\SW\MDT\Scripts" on the SCCM server. Also there is a program on the SCCM server called "UDI Wizard Designer"; if you open the XML with that you can edit the standard / optional applications fairly easily. I think you can also edit the .xml.app file directly but I have not done that myself.

Thanks! Probably shouldn't have edited my post - this should be extremely helpful.

PUBLIC TOILET
Jun 13, 2009

I haven't Googled this but I thought I'd ask here first:

What (if possible) is the easiest way to migrate a Hyper-V Ubuntu Server VM running on a Windows 10 Enterprise LTSC 2019 host to a Hyper-V Server 2016 host? Can I just do "Export", copy the file(s) to the server, then "Import" from the Hyper-V Manager?

The Fool
Oct 16, 2003


Yes
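The export/copy/import procedure asked about above, written out with the Hyper-V cmdlets and the one check worth doing first. This is an added example, not code from the thread. The VM name `ubuntu-srv`, the export share `\\hv2016\Exports` and the destination folder `D:\Hyper-V` are assumptions; substitute your own. The check matters here specifically: a VM created on a Windows 10 1809-era host (which LTSC 2019 is) gets a newer configuration version than Server 2016 can import, and the version cannot be lowered after the fact. In that case the disk file is what you move, attached to a VM created on the 2016 host (or on the source with `New-VM -Version 8.0`).

```powershell
# Added example (not from the thread). Move a VM between Hyper-V hosts by
# export, copy and import, with the configuration-version check done first.
# Assumed names: VM 'ubuntu-srv', export share \\hv2016\Exports (seen as
# D:\Exports on the destination), and D:\Hyper-V on the destination host.

# --- On the source host (Windows 10 Enterprise LTSC 2019) ---
$VmName = 'ubuntu-srv'
$vm = Get-VM -Name $VmName

# Server 2016 supports VM configuration versions up to 8.0. Export/import will
# not work for anything newer, and Update-VMVersion only goes upward.
if ([version]$vm.Version -gt [version]'8.0') {
    throw "VM config version $($vm.Version) will not import on Server 2016. " +
          "Create the VM on the 2016 host (or with New-VM -Version 8.0) and attach the existing VHDX."
}

# Export-VM writes <Path>\<VMName>\{Virtual Machines,Virtual Hard Disks,Snapshots}.
# It works on a running VM as a point-in-time copy; stop the VM first if the
# disk contents must be consistent (e.g. a database inside the guest).
Stop-VM -Name $VmName
Export-VM -Name $VmName -Path '\\hv2016\Exports'

# --- On the destination host (Hyper-V Server 2016) ---
$vmcx = Get-ChildItem -Path 'D:\Exports\ubuntu-srv\Virtual Machines' -Filter '*.vmcx' |
    Select-Object -First 1

# Compare-VM builds the import plan without importing: -Copy keeps the export
# intact, -GenerateNewId avoids an ID clash if the original VM still exists.
$report = Compare-VM -Path $vmcx.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\Hyper-V' -VhdDestinationPath 'D:\Hyper-V\Virtual Hard Disks'

# Anything listed here (typically a virtual switch name that does not exist on
# this host) must be fixed on the report's objects before importing, e.g.:
#   Connect-VMNetworkAdapter -VMNetworkAdapter $report.Incompatibilities[0].Source -SwitchName 'External'
if ($report.Incompatibilities) {
    $report.Incompatibilities | Format-Table MessageId, Message -AutoSize
    throw 'Resolve the incompatibilities above, then run Import-VM -CompatibilityReport $report'
}

Import-VM -CompatibilityReport $report
Start-VM -Name $VmName
```

The Export/Import buttons in Hyper-V Manager do the same thing as `Export-VM` and `Import-VM`; the reason to script it is `Compare-VM`, which tells you about the missing switch or unsupported version before the import fails halfway through.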

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Mute_Fish posted:

Not sure if it's the default or not because it's been far too long since I originally set up SCCM, but in my environment the UDI wizard files are here: "D:\Sources\OSD\SW\MDT\Scripts" on the SCCM server. Also there is a program on the SCCM server called "UDI Wizard Designer"; if you open the XML with that you can edit the standard / optional applications fairly easily. I think you can also edit the .xml.app file directly but I have not done that myself.

Not sure what the original question was but this is all MDT stuff, not SCCM. Presumably you've integrated them (which is a good thing to do) but by default SCCM doesn't have any of this stuff.

Japanese Dating Sim
Nov 12, 2003

hehe
Lipstick Apathy

FISHMANPET posted:

Not sure what the original question was but this is all MDT stuff, not SCCM. Presumably you've integrated them (which is a good thing to do) but by default SCCM doesn't have any of this stuff.

I was dumb and cleared my post. I was asking about editing the optional programs list that comes up during OSD with, yeah, an MDT generated task sequence.
