The Fool posted:If you look up the cve, the current kbs don't say anything about needing a registry change. I am fairly confident that all those wonky hotfix patches were fixed by rollups that happened after. Nessus just sees the kb was installed at one point and blindly checks for the registry entry. The chances that you no longer need the registry key are very high.
Jul 16, 2019 17:40
The Fool posted:
> If you look up the cve, the current kbs don't say anything about needing a registry change.

The registry changes are still posted in the main CVE article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529 If the registry update wasn't part of the solution then I hope Microsoft would have put that in the CVE by now. But it's Microsoft, so who knows.
Jul 16, 2019 18:14
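
Added example, not from any post in this thread: a check that reports both halves of what the scanner is looking at for CVE-2017-8529, the hotfix and the FeatureControl value the advisory linked above tells you to set. The key and value names are the ones the author recalls from that advisory and should be confirmed against it; the KB numbers are passed in because they differ per OS build and are not named in the thread.

```powershell
# Added example (not from the thread). Reports whether the CVE-2017-8529 fix is active:
# the update must be installed AND the FeatureControl value set, or the fix is dormant.
function Test-Cve20178529Mitigation {
    [CmdletBinding()]
    param(
        # KB numbers from the advisory for this OS build (assumption: caller supplies them)
        [string[]]$KbNumbers = @()
    )

    $keyName  = 'FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'   # name as recalled from the advisory
    $keyPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$keyName")
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so both views must be set.
        $keyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\$keyName"
    }

    $registry = foreach ($path in $keyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
        }
        [pscustomobject]@{ Path = $path; Value = $value; Set = ($value -eq 1) }
    }

    # Get-HotFix only lists packages still registered; a later rollup can supersede the
    # original KB, which is the false-positive scenario discussed in the thread.
    $wanted = $KbNumbers | ForEach-Object { 'KB' + ($_ -replace '^KB', '') }
    $hotfix = @(Get-HotFix | Where-Object { $wanted -contains $_.HotFixID })

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        HotfixPresent   = ($hotfix.Count -gt 0)
        RegistryApplied = (@($registry | Where-Object { -not $_.Set }).Count -eq 0)
        Registry        = $registry
    }
}

# Usage: Test-Cve20178529Mitigation -KbNumbers <KB numbers from the advisory> | Format-List
```

If `HotfixPresent` is false but `RegistryApplied` is true, the scanner's "KB seen, key missing" logic is the thing to question, not the host.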
I'm in the process of migrating off our ancient single tier Windows PKI setup. My initial thought was the standard offline root with online subordinate CA, but the more I think about it the more I'm considering just doing a single tier deployment. Our certs are generally only issued to domain-joined machines via auto-enrollment, and they're only used for internally-facing resources. In the event of the online CA getting compromised, it seems like it'd be quicker to remove the CA's cert from Trusted Root CAs via GPO than it would be to online the offline root, revoke the subordinate CA's cert, publish the new CRL, and trust the clients to check the updated CRL - especially considering the CRL expiration on an offline root CA is typically pretty long. Am I missing anything here?

(wyoak edited this post at 18:23 on Jul 16, 2019)
Jul 16, 2019 18:21
We don't have the budget for cool things like SCCM or Nessus licensing so I guess I'll just set up a free Metasploit server because otherwise, I'm not sure how I'm going to know some random Windows KB needs a manual registry update to enable it in the future.
Jul 16, 2019 18:42
wyoak posted:
> Am I missing anything here?

Would multiple subordinate CAs make sense, now or in the future? Multiple subs allow for high availability, load distribution, and simplifying cert management if you have more than one domain that doesn't trust the other.
Jul 16, 2019 19:00
wyoak posted:
> I'm in the process of migrating off our ancient single tier Windows PKI setup. My initial thought was the standard offline root with online subordinate CA, but the more I think about it the more I'm considering just doing a single tier deployment. Our certs are generally only issued to domain-joined machines via auto-enrollment, and they're only used for internally-facing resources. In the event of the online CA getting compromised, it seems like it'd be quicker to remove the CA's cert from Trusted Root CA's via GPO than it would be to online the offline root, revoke the subordinate CA's cert, publish the new CRL, and trust the clients to check the updated CRL - especially considering the CRL expiration on an offline root CA is typically pretty long.

You need an offline root. The problems this can help you solve are varied and quite goddamn sticky without it.
Jul 16, 2019 19:48
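
Added example, not from any post above: the timing question wyoak raises (how long clients keep trusting a revoked sub CA) comes down to the NextUpdate on the root's CRL, so here is a way to measure it from a downloaded CRL, alongside the CRL period configured on the CA itself. It assumes certutil.exe is present, that `certutil -dump` prints ThisUpdate/NextUpdate lines for a CRL, and that `certutil -getreg` output has the form `Name REG_TYPE = value`; the file paths are placeholders.

```powershell
# Added example (not from the thread). Remaining validity of a CRL = worst-case time a
# client that already cached it will keep trusting a certificate you revoke today.
function Get-CrlWindow {
    param(
        [Parameter(Mandatory)]
        [string]$CrlPath    # CRL fetched from the root CA's CDP, e.g. C:\temp\root.crl (placeholder)
    )
    $dump = certutil.exe -dump $CrlPath 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil failed on $CrlPath`: $dump" }

    # Assumption: certutil prints 'ThisUpdate: <date>' and 'NextUpdate: <date>' lines.
    $thisText = [regex]::Match($dump, '(?m)^\s*ThisUpdate:\s*(.+?)\s*$').Groups[1].Value
    $nextText = [regex]::Match($dump, '(?m)^\s*NextUpdate:\s*(.+?)\s*$').Groups[1].Value
    if (-not $nextText) { throw "No NextUpdate in dump; is $CrlPath really a CRL?" }

    $nextUpdate = [datetime]::Parse($nextText)
    [pscustomobject]@{
        Crl                    = $CrlPath
        ThisUpdate             = [datetime]::Parse($thisText)
        NextUpdate             = $nextUpdate
        # Clients will not fetch a fresh CRL before NextUpdate, so a revocation published
        # now is invisible to a client with a cached copy until then.
        WorstCaseRevocationLag = $nextUpdate - (Get-Date)
    }
}

# Run on the CA: the configured CRL lifetime (what NextUpdate will be on the next publish).
function Get-CaCrlPeriod {
    $units  = (certutil.exe -getreg CA\CRLPeriodUnits | Select-String 'REG_DWORD\s*=\s*(\d+)').Matches[0].Groups[1].Value
    $period = (certutil.exe -getreg CA\CRLPeriod      | Select-String 'REG_SZ\s*=\s*(\w+)').Matches[0].Groups[1].Value
    [pscustomobject]@{ CRLPeriodUnits = [int]$units; CRLPeriod = $period }
}

# For comparison, the single-tier recovery option from the post, on one client: pulling the
# CA out of the machine Root store (a GPO would do the same thing fleet-wide).
function Remove-TrustedRootByThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint | Remove-Item
}

# Usage:
# Get-CrlWindow -CrlPath 'C:\temp\root.crl'
# Get-CaCrlPeriod
```

If `WorstCaseRevocationLag` on the root CRL is measured in months, that is the window a compromised sub CA stays trusted on clients that have cached it, which is the cost side of the two-tier design being weighed here.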
Potato Salad posted:
> You need an offline root. The problems this can help you solve are varied and quite goddamn sticky without it.

(wyoak edited this post at 20:21 on Jul 16, 2019)
Jul 16, 2019 20:18
We are finally delving into the mysterious world of Azure AD DS. It's less complicated than I thought, but this article is telling me that you can't move users out of the default OU. Most of our clients are coming from on-premise Exchange and AD or a combo of Office 365 and AD. My current strategy is to Azure AD Connect from On-Prem to Office 365. Then sync those users to Azure AD DS so their password doesn't change. After the move is complete I'll disable AD Connect. This leads to me being stuck with a terrible, horrible, no good, very bad OU structure and I hate it.
Jul 17, 2019 01:39
That article is a couple years old which is several lifetimes for cloud stuff. Last I checked azure ad ds still isn’t a full replacement for on prem AD yet. Latest docs are here https://docs.microsoft.com/en-us/azure/active-directory-domain-services/
Jul 17, 2019 02:05
snackcakes posted:
> We are finally delving into the mysterious world of Azure AD DS. It's less complicated than I thought, but this article is telling me that you can't move users out of the default OU.

Isn't the point of AD DS that OUs don't matter? What would the point of AD DS OUs be?
Jul 17, 2019 02:07
Sirotan posted:
> kiwid, I was in the process of writing up a post recommending you use Microsoft Baseline Security Analyzer as a quick/easy/free way to check some of your systems for compliance, but I guess I've been out of the SMB game for too long now, and just learned it's no longer supported. If you also have SCCM in your environment, you could set up some compliance reporting. Otherwise, I use Nessus (sorry, Dirt Road Junglist), there is a free version called OpenVAS that you might be able to check out. I have never used it so this is not a recommendation, just a suggestion.

Chiming in. We use OpenVAS for scanning our servers before we put them on the open internet. Is good. But, at least in the config we have, it scans the ports and then services that are available. Does have good reporting though.
Jul 17, 2019 02:31
skipdogg posted:
> That article is a couple years old which is several lifetimes for cloud stuff. Last I checked azure ad ds still isn’t a full replacement for on prem AD yet.

That article points to this article which says the same thing. I appreciate the link to updated documentation though. The 2016 timestamp on my article didn't fill me with much confidence.

Sickening posted:
> Isn't the point of AD DS that OUs don't matter? What would the point of AD DS OUs be?

Like skipdogg said, Azure AD DS doesn't seem like a full replacement for on prem but so far a lot of what I need is there. I still have the ability to do group policy, so that's cool. I'm not really losing much functionality right now but that one OU is unpleasant to look at. I guess that's my main gripe. I also miss being able to do DFS stuff.
Jul 17, 2019 04:11
Azure AD DS is meant to be going multi-region at some point rather than the current incarnation where it's stuck in one place. I'd weigh up the pros and cons of just running a few VMs as DCs vs. using the managed service.
Jul 17, 2019 09:34
kiwid posted:
> We currently have a security expert doing an audit of our network and he's emailed me asking what we use for patch management for Windows and I responded with WSUS. He followed up with:

He might be talking about the additional registry keys you need to deploy to enable the meltdown/spectre mitigations on Windows Server. But if he can't muster up those words then he's a useless clown and should be fired.
Jul 17, 2019 13:40
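
Added example, not from any post in this thread: the Windows Server opt-in registry values BangersInMyKnickers is referring to, as documented in Microsoft's Spectre/Meltdown server guidance (KB4072698), with a read-back function so an auditor's "is it enabled?" can be answered per host. The Hyper-V host value is also from that guidance; everything else is standard cmdlets.

```powershell
# Added example (not from the thread). On Windows Server the kernel mitigations shipped in
# the January 2018 updates stay OFF until these two values are set; client Windows has them
# on by default. Values per KB4072698.
$mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreMitigationRegistry {
    $props = Get-ItemProperty -Path $mmPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        FeatureSettingsOverride     = $props.FeatureSettingsOverride       # $null = never set
        FeatureSettingsOverrideMask = $props.FeatureSettingsOverrideMask
        # Override=0 with Mask=3 is the documented "enable both mitigations" combination.
        Enabled = ($props.FeatureSettingsOverride -eq 0 -and $props.FeatureSettingsOverrideMask -eq 3)
    }
}

function Enable-SpectreMitigationRegistry {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$HyperVHost)

    if ($PSCmdlet.ShouldProcess($mmPath, 'Set FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3')) {
        New-ItemProperty -Path $mmPath -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $mmPath -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null

        if ($HyperVHost) {
            # Hyper-V hosts additionally need this so VMs are offered the new CPU features.
            $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
            New-Item -Path $virt -Force | Out-Null
            New-ItemProperty -Path $virt -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
        }
    }
    # A reboot is required before the mitigations are active. Get-SpeculationControl (from the
    # SpeculationControl module on the PowerShell Gallery) is the authoritative post-reboot check,
    # since it also reports whether the firmware/microcode side is present.
}

# Usage:
# Get-SpectreMitigationRegistry
# Enable-SpectreMitigationRegistry -WhatIf
# Enable-SpectreMitigationRegistry -HyperVHost
```

Pushing the two values via a GPO registry preference is the usual way to roll this out; the `Get-` function is what you run across the estate afterwards to show the auditor it stuck.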
kiwid posted:
> We don't have the budget for cool things like SCCM or Nessus licensing so I guess I'll just set up a free Metasploit server because otherwise, I'm not sure how I'm going to know some random Windows KB needs a manual registry update to enable it in the future.

I don't think that's necessarily a good application of Metasploit. http://www.openvas.org/
Jul 17, 2019 17:22
Who's using m365 with Defender ATP? My sophos renewal is coming up and it seems easier to get E3,F1+Identity & Threat Protection for my end users.
Jul 17, 2019 17:57
BangersInMyKnickers posted:
> He might be talking about the additional registry keys you need to deploy to enable the meltdown/spectre mitigations on Windows Server. But if he can't muster up those words then he's a useless clown and should be fired.
Jul 17, 2019 18:12
incoherent posted:
> Who's using m365 with Defender ATP? My sophos renewal is coming up and it seems easier to get E3,F1+Identity & Threat Protection for my end users.

I demo'd Defender ATP and had a very positive experience with it, however it was locked behind Windows E5 at the time and we didn't go for it.
Jul 17, 2019 18:17
snackcakes posted:
> That article points to this article which says the same thing. I appreciate the link to updated documentation though. The 2016 timestamp on my article didn't fill me with much confidence.

I think it keeps up with the overall feel of how you manage azure ad users in the cloud and less like you would in ad in the GUI. I mean the current model is Group policy -> Group -> Group Members with AD DS right?
Jul 17, 2019 18:18
I've recently been asked to look into on prem Nessus, rather than spending 50k a year getting a third party scan done. I'm going to throw OpenVAS into the mix too, see what the boss says about Open Source. I don't think it'll be a problem, and it looks like a pretty slick tool.
Jul 17, 2019 18:34
The Fool posted:
> I demo'd Defender ATP and had a very positive experience with it, however it was locked behind Windows E5 at the time and we didn't go for it.

Did they install the tools on servers or just your DC to do the demo? Or did you watch it work in a contoso demo environment? I still need an AV for my servers and it doesn't make it clear it's for on-prem server installs.
Jul 17, 2019 19:12
incoherent posted:
> Did they install the tools on servers or just your DC to do the demo? Or did you watch it work in a contoso demo environment? I still need an AV for my servers and it doesn't make it clear it's for on-prem server installs.

I deployed it to a test group of about 30 users. It is seriously just turning on some extra features in Defender + some very nice reporting and incident management tools.
Jul 17, 2019 19:23
Thanks for the GPO recommendations! Currently putting together what I'd like to do in the test network, some of it became waaay simpler when I learned about item-level targeting. (can do stuff cleanly like have all our drive mapping by security group in the same GPO) Feels like my head's gonna pop, but I'm learning a lot, and it's starting to come together!
Jul 18, 2019 04:50
klosterdev posted:
> some of it became waaay simpler when I learned about item-level targeting. (can do stuff cleanly like have all our drive mapping by security group in the same GPO)

ILT is great. There are a handful of things I do with a registry preference using ILT and “remove when no longer applied” instead of admin templates so I can manage exceptions without tons of extra GPOs. A good place to find how to convert those is https://getadmx.com

It can go too far though. Depending on size of your org, all the drive mappings might be too much and result in super long logon times. Printer mappings are even worse if you do those. I’d just try to keep it at less than 100 or so mappings if you can. If you get into the 1000s that’s when the real pain starts.
Jul 18, 2019 13:50
buffbus posted:

Yes. This. Slow logins aren’t much of a thing on most networks these days, but you have to find a balance with stuff like this.
Jul 18, 2019 16:33
Has anybody got a good way of managing approvals for 3rd party apps that people want to authorise to access their Azure AD / O365 data? We have the ability for users to grant access disabled since that seems to be the new way that malware gets forwarders added to people’s mail accounts, or documents created on SharePoint with dodgy links in and then shared out to people’s contacts.

However I still want to be able to approve access to applications, but I can’t just add certain apps as they don’t appear in the Gallery. All I have is a failure log entry with the application ID - I need a way to change this into an approval workflow so I can grant permissions.

Currently the way to deal with this is to either turn the setting off, let someone add the app, change the setting back and then go and grant the permissions to everybody in the tenant, or I need to be handed the device during the approval workflow where there’s an option to log in as an administrator and approve the app. Both options aren’t great as they require two people to be available at the same time, or to be in the same office.
Jul 19, 2019 01:25
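
Added example, not from any post above: one way to turn the "failure log entry with an application ID" into an approval the admin can do alone, without toggling the tenant-wide user-consent setting or borrowing the user's device. It uses the Microsoft.Graph PowerShell module (`Connect-MgGraph`, `Get-MgServicePrincipal`, `New-MgServicePrincipal`, `New-MgOauth2PermissionGrant`); the app ID, tenant ID, redirect URI and scopes are placeholders the admin fills in from the failure entry and the vendor's documentation, and the Graph permissions named in the usage comment are the author's assumption about what the grant cmdlet needs.

```powershell
# Added example (not from the thread). Grants tenant-wide admin consent for exactly the
# delegated scopes an app asked for, given only its application (client) ID.
function Grant-TenantConsent {
    param(
        [Parameter(Mandatory)][string]$AppId,       # application ID from the sign-in failure entry
        [Parameter(Mandatory)][string[]]$Scopes,    # delegated scopes the app requested, e.g. 'User.Read'
        [string]$ResourceAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
    )

    # Non-gallery apps usually have no service principal in the tenant yet; there is nothing
    # to attach a grant to until one exists, so create it from the app ID.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { $sp = New-MgServicePrincipal -AppId $AppId }

    $resource = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resource) { throw "Resource service principal $ResourceAppId not found in tenant" }

    # Review $Scopes before running: the mail-forwarder abuse mentioned in the post lives in
    # scopes like Mail.ReadWrite / MailboxSettings.ReadWrite, so approve only what the app
    # demonstrably needs. ConsentType AllPrincipals = consent on behalf of every user.
    New-MgOauth2PermissionGrant -ClientId $sp.Id `
                               -ConsentType 'AllPrincipals' `
                               -ResourceId $resource.Id `
                               -Scope ($Scopes -join ' ')
}

# No-module alternative: build the admin-consent URL and open it yourself in a browser.
# The redirect URI must be one the app has registered (placeholder supplied by the caller).
function Get-AdminConsentUrl {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$RedirectUri
    )
    "https://login.microsoftonline.com/$TenantId/adminconsent?client_id=$AppId&redirect_uri=$([uri]::EscapeDataString($RedirectUri))"
}

# Usage (assumed permissions for the grant cmdlet):
# Connect-MgGraph -Scopes 'Application.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All'
# Grant-TenantConsent -AppId '<app id from the failure log>' -Scopes 'User.Read','offline_access'
# Get-AdminConsentUrl -TenantId '<tenant id>' -AppId '<app id>' -RedirectUri 'https://example.invalid/callback'
```

Either path leaves the "users can consent" setting off, which is the whole point; the grant is scoped to one app and the scopes you pass, and it shows up as an OAuth2 permission grant you can audit and remove later.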
Any recommendations for O365 mailbox backups? (and I guess onedrive/sharepoint if it's not that much more expensive.) I have like 400 people on the front line subscription, probably half of them don't even check their emails. I am looking for a way to do backups, data back to on prem or data to the cloud is fine. Maybe on prem would be preferred.. I had a couple looks and it looks like what's recommended is like $50/year per mailbox which is hard to justify if the frontline worker subscription is just about the same.
Jul 20, 2019 06:17
Veeam has a solution that works great and should be cheaper.
Jul 20, 2019 06:23
I wonder how hard it would be to download the users' mail weekly and save it to tape or an Azure Blob. I'd imagine it'd be possible to script with Exchange Online Powershell.
Jul 20, 2019 06:31
Synology NAS boxes can backup from Office 365 but I've never used it and they're not really an enterprise vendor in terms of getting support etc. If you just need to make some backups though I guess it wouldn't be horrible if it wasn't available for a couple of days, and it fits the requirement of being cheap. My preference would be Veeam though. https://www.synology.com/en-uk/dsm/feature/active_backup_office365
Jul 20, 2019 09:52
The Fool posted:
> Veeam has a solution that works great and should be cheaper.

We’ve not had a good experience with Veeam O365 backup, it’s not a fully baked product yet imo. As soon as we get through the stupid legal process with Druva (seriously their lawyer is an idiot) we’re switching ASAP. We also don’t want to be bringing all the data for a 3300 user tenant back on prem.
Jul 20, 2019 16:20
Can you talk about the issues you've had with veeam? We had some performance issues, and the SharePoint component had some API issues, but both of those were fixed in an update this winter.
Jul 20, 2019 18:48
buffbus posted:
> ILT is great. There are a handful of things I do with a registry preference using ILT and “remove when no longer applied” instead of admin templates so I can manage exceptions without tons of extra GPOs. A good place to find how to convert those is https://getadmx.com

Thanks, been keeping that in mind! Did my first prod GPO deployment yesterday after making some child OUs to organize computer objects, just laptop + desktop power settings and an inactivity screen timeout, but goddamn does it feel good to make it happen.
Jul 20, 2019 19:06
lol internet. posted:
> Any recommendations for O365 mailbox backups? (and I guess onedrive/sharepoint if its not that much expensive.)

Just get a barracuda archiver on prem and journal the box.
Jul 20, 2019 19:24
I would think it would be a giant pain in the rear end to work for orgs that actually need to backup cloud email.
Jul 20, 2019 19:39
It doesn't seem that front line worker emails are terribly critical vs the rest of the organization that would need exact mailbox restoration. He already indicated they don't read em, so using an archiver and a phone app/portal to let them fish their own emails out should anything happen would probably be the best course of action. A 10 grand box would cost about 8 dollars a user/year.
Jul 20, 2019 20:00
Sheesh. Look at all these admins in luxury jobs where you can just create a GPO when you need one. We're about 15% of the global organization and we have to put in a request ticket for every GPO we need. We have the GPO Author role, we just can't create, just edit. We also have a root-cause investigation open in to how a batch of SPF records were deleted from DNS, sending tens of thousands of emails to partners directly to spam. It turns out the vendor for the third-party app involved see this so often, their phone support agents can troubleshoot SPF records. There's a lot I don't miss about being the only person who can (or should) touch infrastructure in a job, but not having a team on another continent able to approve, deny, or break all my poo poo isn't one of them.
Jul 20, 2019 23:48
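
Added example, not from any post above: the SPF-deletion incident described there is the kind of thing a scheduled check catches in minutes rather than after the partners start complaining. This uses the built-in `Resolve-DnsName` cmdlet; the domain and the required `include:` token are placeholders for your own sending domain and mail provider.

```powershell
# Added example (not from the thread). Fails when a domain's SPF record is missing,
# duplicated, or no longer authorises a sender you depend on. Run it from a scheduled
# task against every domain you send from.
function Test-SpfRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$RequiredTokens = @()    # e.g. 'include:spf.protection.outlook.com' (placeholder)
    )

    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue

    # A long TXT record is returned as several strings; join them before matching so a
    # record split mid-token is not misreported.
    $spf = @($txt | ForEach-Object { ($_.Strings -join '') } | Where-Object { $_ -like 'v=spf1*' })

    $problems = @()
    if ($spf.Count -eq 0) { $problems += 'no v=spf1 record published' }
    if ($spf.Count -gt 1) {
        # RFC 7208: more than one SPF record is a permerror, i.e. as bad as none at all.
        $problems += "multiple SPF records ($($spf.Count)); receivers treat this as permerror"
    }
    if ($spf.Count -eq 1) {
        foreach ($token in $RequiredTokens) {
            if ($spf[0] -notmatch [regex]::Escape($token)) { $problems += "missing $token" }
        }
        if ($spf[0] -match '\+all') { $problems += '+all authorises the whole internet' }
    }

    [pscustomobject]@{
        Domain   = $Domain
        Spf      = $spf
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (placeholders): exit code feeds whatever monitoring you have.
# $r = Test-SpfRecord -Domain 'example.com' -RequiredTokens 'include:spf.protection.outlook.com'
# if (-not $r.Ok) { Write-Warning ($r.Problems -join '; '); exit 1 }
```

Resolve from an external resolver (`-Server 8.8.8.8` or similar) as well as your internal one if split-horizon DNS is in play, since the internal view is not the one your partners' mail servers see.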
For all I know you could be talking about me. I put more effort into talking people out of GPO additions than I do almost anything else. Part of the reason for that is I am the only person in corporate IT who really does GPOs at this point in a company with about 100k workstations. The other reason is we will be going to autopilot and modern management in the future and I’d rather not hate life when I do that.
Jul 21, 2019 02:07
Quick check - if I want users to authenticate in another domain using a UPN suffix rather than the DNS name of the forest then I need to do a forest trust rather than an external one, don’t I?
Jul 24, 2019 19:07
Is there a good tool, free or paid, that can convert an MBR partition to GPT? Need to increase a partition to greater than 2TB. Can't lose data or permission info. Seen a few such as https://www.partitionwizard.com/partitionmagic/will-converting-mbr-to-gpt-erase-all-the-disk-partitions.html But it would be good if someone has done this before.

(GreenNight edited this post at 19:24 on Jul 29, 2019)

Jul 29, 2019 19:21