Docjowles
Apr 9, 2009

Methanar posted:

name them different things and then cname :getin:

This is literally what I am doing to make a data center move happen where developers have hard coded hostnames all over the place and we don’t have time to find and fix them all :smithicide:

We are finding and fixing a ton of tech debt during this move but my “nightmare poo poo we will let slide and clean up afterwards” list is still like longer than The Odyssey.


Potato Salad
Oct 23, 2014

nobody cares


Docjowles posted:

This is literally what I am doing to make a data center move happen where developers have hard coded hostnames all over the place and we don’t have time to find and fix them all :smithicide:

We are finding and fixing a ton of tech debt during this move but my “nightmare poo poo we will let slide and clean up afterwards” list is still like longer than The Odyssey.

I do NOT miss having to deal with waiting for something to loving build to accommodate networking/site alterations.

Digital_Jesus
Feb 10, 2011

Same. I just got done yesterday blasting our Devs to stop coding server local host names into their goddamn programs and use the FQDNs I give them so when we migrate services all their poo poo doesn't break.

It amazes me in 2019 that people think hard coding anything into config files that can't be adjusted without recompiling a program is a thing they should do.

Potato Salad
Oct 23, 2014

nobody cares


developer resume: emphasizes experience with elastic provisioned microservices

developer: *manages identifiers as text in source code*

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Potato Salad posted:

developer resume: emphasizes experience with elastic provisioned microservices

developer: *manages identifiers as text in source code*

This was more upset than I was planning to be this morning. Holy.

Potato Salad
Oct 23, 2014

nobody cares


it's elastic, I just gotta build and presto!

why are you crying?

GreatGreen
Jul 3, 2007
That's not what gaslighting means you hyperbolic dipshit.
I have a question about Active Directory Sites and Services.

If I just went into Active Directory Sites and Services and reconfigured how sites talk to each other on my domain. Basically, the MPLS is set up as a hub-and-spoke configuration so every bit of traffic on the network routes through the main office, but all of the DCs across the network are set up to replicate evenly amongst themselves (so for example Spoke 2 would often replicate to Spoke 1 before then finally replicating to the Main Hub even though traffic flowed through the main hub each time, etc.), they all had manually configured bridgeheads so if those DCs happened to go down, replication would stop, etc.

I cleaned all this up. I split out the locations in the Inter-Site Transports, providing incentive for the Spoke DCs to always talk to the Hub DC first (Cost 40), I set Spoke to Spoke communication higher (Cost 100), and let KCC select bridgeheads so if a dynamic bridgehead needs to be decommed, the system will automatically pick another bridgehead and replication can continue.

Basically I configured the DCs to communicate like this:

Hub to Spoke1 - cost 40
Hub to Spoke2 - cost 40
Spoke1 to Spoke2 - cost 100

...then KCC auto-generates the lines of communication between DCs.

I tested replication and it's working. I added a "TestUserSpoke1" user account to the Spoke1 DC, and a "TestUserSpoke2" user account to the Spoke2 DC... and they both replicated across the network, so that's good.


HOWEVER, I dumbly did this on a Friday afternoon and now I'm paranoid as hell that I might have broken something. I DID NOT TOUCH the Subnet section of Active Directory Sites and Services the whole time.



tl;dr: Can simply messing with Active Directory Sites and Services (but not touching anything in the Subnets section) mess up anything besides DC replication? Could I have messed up DNS or DHCP or anything vital like that? Replication Tests have been successful and there's no evidence anything like this has happened, but it's a Friday so errors might not show themselves immediately, and these sites are remote.

GreatGreen fucked around with this message at 02:29 on May 11, 2019
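Added example, not from the thread: the cost model GreatGreen describes (Hub to Spoke 40, Spoke to Spoke 100, KCC-chosen bridgeheads) built with the ActiveDirectory module, followed by the post-change checks that answer the question asked above (pinned bridgeheads gone, subnets untouched, replication and the site-specific DC SRV records in DNS healthy). Site names come from the post; the link names and the 15-minute interval are my assumptions.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# site names Hub/Spoke1/Spoke2 are from the post, link names are assumed.
Import-Module ActiveDirectory

# Cheap Hub<->Spoke links, expensive Spoke<->Spoke link: the KCC will route
# inter-site replication through the hub, matching the MPLS traffic flow.
$links = @(
    @{ Name = 'Hub-Spoke1';    Sites = 'Hub','Spoke1';    Cost = 40  }
    @{ Name = 'Hub-Spoke2';    Sites = 'Hub','Spoke2';    Cost = 40  }
    @{ Name = 'Spoke1-Spoke2'; Sites = 'Spoke1','Spoke2'; Cost = 100 }
)
foreach ($l in $links) {
    $existing = Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'"
    if ($existing) {
        Set-ADReplicationSiteLink -Identity $l.Name -Cost $l.Cost
    } else {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost `
            -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# 1. Links and costs as the KCC now sees them.
Get-ADReplicationSiteLink -Filter * |
    Format-Table Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded -AutoSize

# 2. No manually pinned bridgeheads left. A server object with
#    bridgeheadTransportList set is a preferred bridgehead, which is the
#    "that DC goes down and replication stops" failure mode from the post.
$cfg = (Get-ADRootDSE).ConfigurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$cfg" -Filter 'objectClass -eq "server"' `
    -Properties bridgeheadTransportList |
    Where-Object { $_.bridgeheadTransportList } |
    ForEach-Object { Write-Warning "Pinned bridgehead still set on $($_.Name)" }

# 3. Connection objects should now all be KCC-generated.
Get-ADReplicationConnection -Filter * |
    Format-Table Name, AutoGenerated, ReplicateFromDirectoryServer -AutoSize

# 4. Subnet-to-site mapping untouched: every subnet still belongs to a site.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to a site" }

# 5. Replication health, plus the DNS records clients use to find a DC in
#    their own site (the DNS side of the worry in the post).
repadmin /replsummary
$domain = (Get-ADDomain).DNSRoot
foreach ($site in 'Hub','Spoke1','Spoke2') {
    $srv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" `
        -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { Write-Warning "No site-specific DC SRV record for $site" }
}
dcdiag /test:DNS /test:Replications /test:KnowsOfRoleHolders
```

Run it from a domain-joined admin host with RSAT; warnings rather than errors are the signal that something from the old manual layout survived.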

buffbus
Nov 19, 2012
You should be good. DNS and dhcp are in their own other sections so that should be fine. Even if you messed around with the site subnets you would just have a possibility of some workstations getting confused which site they are in and then having some performance issues. Of course if you broke replication, which it doesn’t sound like you did, you could have some dns records in the integrated zone not propagate but that’s it.

GreatGreen
Jul 3, 2007
That's not what gaslighting means you hyperbolic dipshit.

buffbus posted:

You should be good. DNS and dhcp are in their own other sections so that should be fine. Even if you messed around with the site subnets you would just have a possibility of some workstations getting confused which site they are in and then having some performance issues. Of course if you broke replication, which it doesn’t sound like you did, you could have some dns records in the integrated zone not propagate but that’s it.

Ok cool, thanks for the response.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
If you change the way you split your domain into sites, also tell your SCCM guy(s), because he probably uses AD sites to optimize download traffic, and if you mess around with those he might have to adjust things too.

GreatGreen
Jul 3, 2007
That's not what gaslighting means you hyperbolic dipshit.

peak debt posted:

If you change the way you split your domain into sites, also tell your SCCM guy(s), because he probably uses AD sites to optimize download traffic, and if you mess around with those he might have to adjust things too.

Thanks for the consideration. That's me though. I'm managing our network's OS updates with WSUS because the IT director doesn't want to pay for SCCM. It's not exactly a large company so it's never really been brought up.

Our network works through MPLS and it's configured in a hub-and-spoke configuration. I've got a primary WSUS server in the hub location and a replica WSUS installation at each remote location as well. The replica servers are set to not download direct from Microsoft but instead get their update files directly from the primary WSUS as all the network's external traffic is set to flow through the central site anyway.

GreatGreen fucked around with this message at 05:59 on May 13, 2019

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Hey, if you still have Windows Server 2008 R2 (or earlier :gonk:) in your networks, get to patching pretty much ASAP. There's a CVSS3 Base 9.8 score, pre-authentication, wormable attack against RDP:

quote:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

:stonk:

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
yikes. what if you got RDP gateway? Same deal?

e: well at least NLA buys me some time so i'm not rolling out a same day patch.

e2: you buried the lead here, they're patching XP and 2003 too. Though earlier was 2008\vista.

incoherent fucked around with this message at 20:05 on May 14, 2019
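Added example, not from the thread: an inventory script for the RDP issue in the two posts above. It reports each host's Windows generation (the thread names 2008 R2 and earlier, plus XP and 2003), whether RDP is enabled, and whether NLA is required, which the posts treat as a stopgap rather than a substitute for the patch. It uses WMI over DCOM so it also reaches older hosts without WinRM; the hostnames are constructed placeholders.

```powershell
# Added example (not from the thread). Reports OS generation, RDP state and
# NLA requirement per host. Hostnames below are constructed placeholders.
function Get-RdpExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        $row = [ordered]@{
            Computer = $c; OS = $null; Version = $null
            Affected = $null; RdpEnabled = $null; NlaRequired = $null; Error = $null
        }
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $v  = [version]$os.Version
            $row.OS      = $os.Caption
            $row.Version = $v
            # 6.2 is Server 2012 / Windows 8; everything below (2008 R2, 2008,
            # Vista, 2003, XP) is the generation the thread is talking about.
            $row.Affected = ($v -lt [version]'6.2')

            # The TerminalServices namespace requires packet-privacy auth remotely.
            $ts = Get-WmiObject -Namespace root\cimv2\TerminalServices `
                -Class Win32_TerminalServiceSetting -ComputerName $c `
                -Authentication PacketPrivacy -ErrorAction Stop
            $row.RdpEnabled = ($ts.AllowTSConnections -eq 1)

            $gs = Get-WmiObject -Namespace root\cimv2\TerminalServices `
                -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
                -ComputerName $c -Authentication PacketPrivacy -ErrorAction Stop
            # UserAuthenticationRequired = 1 means NLA is enforced on RDP-Tcp.
            $row.NlaRequired = ($gs.UserAuthenticationRequired -eq 1)
        } catch {
            # Unreachable or no TerminalServices provider (e.g. XP): still listed.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Constructed sample list; in practice feed it (Get-ADComputer -Filter *).Name.
$hosts  = 'SRV-2008R2-01', 'SRV-2012-01', 'WS-XP-LEGACY'
$report = Get-RdpExposure -ComputerName $hosts

# Patch order: affected generation with RDP enabled first, NLA-less hosts at the top.
$report | Where-Object { $_.Affected -and $_.RdpEnabled } |
    Sort-Object NlaRequired |
    Format-Table Computer, OS, Version, RdpEnabled, NlaRequired -AutoSize

# Anything that errored still needs a manual look; it may be the oldest box of all.
$report | Where-Object { $_.Error } | Format-Table Computer, Error -AutoSize
```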

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


incoherent posted:

yikes. what if you got RDP gateway? Same deal?

e: well at least NLA buys me some time so i'm not rolling out a same day patch.

e2: you buried the lead here, they're patching XP and 2003 too. Though earlier was 2008\vista.

I just rolled it anyways even with NLA on. I only have a couple of 2008R2s left anyways so why not get it over with.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

incoherent posted:

yikes. what if you got RDP gateway? Same deal?

e: well at least NLA buys me some time so i'm not rolling out a same day patch.

e2: you buried the lead here, they're patching XP and 2003 too. Though earlier was 2008\vista.

You'd have to auth through your RDP gateway before you could hit anything internally with that vuln so I doubt this could relay through there. I think the gateway requires NLA support on the other end.

Sickening
Jul 16, 2007

Black summer was the best summer.

incoherent posted:

yikes. what if you got RDP gateway? Same deal?

e: well at least NLA buys me some time so i'm not rolling out a same day patch.

e2: you buried the lead here, they're patching XP and 2003 too. Though earlier was 2008\vista.

Why on earth would anyone still have rdp gateway?

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Sickening posted:

Why on earth would anyone still have rdp gateway?

Why would anyone still have Windows XP/Server 2003? Enough must, given that MS pushed updates for a long dead product.

vanity slug
Jul 20, 2010

Sickening posted:

Why on earth would anyone still have rdp gateway?

it's still the easiest way to provide relatively secure access to rdp without loving around with ip whitelisting / vpns for SMBs

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

RDP Gateways own.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Never thought a remote service would be so divisive. VPN is always preferred but some SMBs still have physical machines and installed software. Plus the easy learning curve (email an RDP link and be done with it).

Thanks Ants
May 21, 2004

#essereFerrari


Jeoh posted:

it's still the easiest way to provide relatively secure access to rdp without loving around with ip whitelisting / vpns for SMBs

Behold https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Putting your org behind Azure is compelling as gently caress as it takes most of the security out of your hands, but some small orgs are just not there yet.

Methanar
Sep 26, 2013

by the sex ghost

incoherent posted:

Putting your org behind Azure is compelling as gently caress as it takes most of the security out of your hands, but some small orgs are just not there yet.

how does azure fix people having 3389 open to the internet.

Sickening
Jul 16, 2007

Black summer was the best summer.

Methanar posted:

how does azure fix people having 3389 open to the internet.

It's at least suggested by Microsoft to fix it in Azure's Security Center.

The Fool
Oct 16, 2003


It also displays this little message if you try to open it up:



It does the same warning for 22 as well.

Cancelbot
Nov 22, 2006

Canceling spam since 1928

Can installing Hyper-V gently caress up domain trust? Cos enabling it on my laptop seems to have exiled it from the domain with "The trust relationship between this workstation and the primary domain failed"

Leave & rejoin? Didn't work.
Rename computer? Didn't work.

Going to get a domain admin to try and reset the computer account & remove Hyper-V but that was a frustrating end to a day.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
Have a client that needs guest WiFi on their system. I want to separate this onto a VLAN but they want RADIUS authentication from the server. I have used VLANs before but not ones that can go one way. I have never done anything like this.

As for the tech, all the switches are Unifi, as are the access points, and the DC is 2012 R2. Router is a Draytek 2860.

Because Unifi Switches are only Layer 2, I can't do any layer 3 stuff (not that I know how to anyway), which makes me think I need to route through the Draytek. Is this the case? Will it be able to handle this?
I have a small budget so I could purchase more. They also have one 10G Edge Router which CAN handle layer three, but it's not the core switch at the moment.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Fruit Smoothies posted:

Have a client that needs guest WiFi on their system. I want to separate this onto a VLAN but they want RADIUS authentication from the server. I have used VLANs before but not ones that can go one way. I have never done anything like this.

As for the tech, all the switches are Unifi, as are the access points, and the DC is 2012 R2. Router is a Draytek 2860.

Because Unifi Switches are only Layer 2, I can't do any layer 3 stuff (not that I know how to anyway), which makes me think I need to route through the Draytek. Is this the case? Will it be able to handle this?
I have a small budget so I could purchase more. They also have one 10G Edge Router which CAN handle layer three, but it's not the core switch at the moment.

So they want to set up an AD account for every guest that comes on site?

Thanks Ants
May 21, 2004

#essereFerrari


Do not use WPA enterprise for guest Wi-Fi, nobody* will be able to join it.

* practically speaking

The Fool
Oct 16, 2003


Cancelbot posted:

Can installing Hyper-V gently caress up domain trust? Cos enabling it on my laptop seems to have exiled it from the domain with "The trust relationship between this workstation and the primary domain failed"

Leave & rejoin? Didn't work.
Rename computer? Didn't work.

Going to get a domain admin to try and reset the computer account & remove Hyper-V but that was a frustrating end to a day.

On a workstation with one NIC, you want to make sure that "Allow management operating system to share this network adapter" is checked.

You can find this setting in the switch manager.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

GreenNight posted:

So they want to set up an AD account for every guest that comes on site?

Perhaps guest was ambiguous wording. These are BYOD devices that aren't managed by IT. When I heard the theory of VLAN recommended this way I sorta scratched my head and read up about it, but apparently people DO indeed put some items on subnets.

EDIT: And they have a Smooth Wall filtering product so RADIUS is required to make sure the students aren't looking at bad things.

wolrah
May 8, 2006
what?

Thanks Ants posted:

Do not use WPA enterprise for guest Wi-Fi, nobody* will be able to join it.

* practically speaking

I wouldn't use WPA enterprise for an actual guest network either (though it seems it may be appropriate in this case), but why do you say this? I have a WPA Enterprise network at home just for the hell of it and it works fine with all of my devices with no special configuration required.

You do need a legitimate certificate for it to work without configuration, but that's easy in the Let's Encrypt world.

Thanks Ants
May 21, 2004

#essereFerrari


At best you get a "do you trust this certificate" message popping up on devices that aren't Apple ones (which seem to just accept legit certs), at worst you might prevent certain corporate devices from connecting to your network. There are no reasons to deploy it for guest access, and a lot of problems that you can cause by doing so.

It's great for staff networks, I wouldn't use anything else in an ideal world, but you need to be able to do your own device configuration and certificate distribution, and you don't get that chance on a guest network. If you want to encrypt traffic on public Wi-Fi then either use a WPA key and put it on a sign somewhere, or use WPA3 and hope that devices get updated to support OWE.

Most proper wireless systems will let you split your guests out onto their own VLAN, apply firewalls, rate limits, time limits and captive portals for acceptance of AUPs without needing to use RADIUS.

Thanks Ants fucked around with this message at 22:54 on May 15, 2019

Digital_Jesus
Feb 10, 2011

In fact UniFi has a built in guest SSID feature you can enable with like two mouseclicks and it even firewalls off RFC1918 ranges for you. (The APs will handle the extra network for you without any switch side config required.)

I donno why you would want your guest network AD integrated, just change the password once every 2 weeks or something.

E: Oh, this is BYOD student poo poo. Why not set the web filter to restrict everything coming from the guest subnet without requiring user auth?

Digital_Jesus fucked around with this message at 00:21 on May 16, 2019

wolrah
May 8, 2006
what?

Thanks Ants posted:

At best you get a "do you trust this certificate" message popping up on devices that aren't Apple ones (which seem to just accept legit certs), at worst you might prevent certain corporate devices from connecting to your network.
I don't believe I've ever had a "do you trust this certificate" popup, it just worked on all my devices (a few Android phones, a dual booting Linux/Win10 laptop, and an old Macbook Pro) using a LE-cert equipped RADIUS server running on my pfSense router with a UniFi AP.

Definitely a lot of appliance-type devices that straight up don't support it though.

Digital_Jesus posted:

In fact UniFi has a built in guest SSID feature you can enable with like two mouseclicks and it even firewalls off RFC1918 ranges for you. (The APs will handle the extra network for you without any switch side config required.)
Also this. I use this feature for the actual guest network at my house and it works great. I'd still recommend using at least separate VLANs for most business guest network use cases but it works quite well to half-rear end it if you just have a set of APs to work with.

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

wolrah posted:

I don't believe I've ever had a "do you trust this certificate" popup

I certainly have with work guest wifi. Allegedly, there's a prohibition against putting a non-work asset on the work wifi, but until like a month ago, our guest wifi was so hosed it wasn't worth using unless you were desperate or testing something that had to work off-prem.

They fixed it recently, and holy poo poo, it's so much better.

Cancelbot
Nov 22, 2006

Canceling spam since 1928

The Fool posted:

On a workstation with one NIC, you want to make sure that "Allow management operating system to share this network adapter" is checked.

You can find this setting in the switch manager.

Fixed! Thanks!

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Digital_Jesus posted:

In fact UniFi has a built in guest SSID feature you can enable with like two mouseclicks and it even firewalls off RFC1918 ranges for you. (The APs will handle the extra network for you without any switch side config required.)

I donno why you would want your guest network AD integrated, just change the password once every 2 weeks or something.

E: Oh, this is BYOD student poo poo. Why not set the web filter to restrict everything coming from the guest subnet without requiring user auth?

Because we want them to use the (filtered) internet. I suppose they could use the filter's webpage login, but radius will be remembered on their device. I know it would piss me off as a student, having to enter my username and password often.

Thanks Ants
May 21, 2004

#essereFerrari


You don't need to use RADIUS to send guest users to their own VLAN - just map the guest SSID to whatever VLAN you want to use. Unless I am missing something it sounds like you're making this too complicated.


Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Thanks Ants posted:

You don't need to use RADIUS to send guest users to their own VLAN - just map the guest SSID to whatever VLAN you want to use. Unless I am missing something it sounds like you're making this too complicated.

As I mentioned above, they aren't guest users. They are students who bring their own devices, laptops, tablets etc, and need the filtered internet. The Smoothwall filtering system needs authentication from the user. This can be passed via RADIUS or through HTTP authentication in the web browser. We can't have a conventional guest network as we need to track web activity for safeguarding etc etc.
