Sickening posted:I do like that Microsoft is actively telling you to not expire your users password in their security suggestions across their platforms. Can you tell me exactly where this is? I want to send this to a few folks. I don't see it in Compliance Manager.

Feb 8, 2021 17:13

May 14, 2024 09:14

I'd love to know where it is in Compliance Center; you can also find a post by MS here in their password policy recommendations article. quote:Password expiration requirements for users

Feb 8, 2021 17:19

We changed to something like 14 character passwords with expiry once a year, just over a year ago. It was a compromise from the original plan of no expiry but 25-30 character length passwords

Feb 8, 2021 17:25

GreenNight posted:Can you tell me exactly where this is? I want to send this to a few folks. I don't see it in Compliance Manager. It’s in secure score -> security.Microsoft.com

Feb 8, 2021 17:27

I HAVE THE MAILBOX IS FULL AGAIN AND I HAVE DELETED SO MANY THINGS I CAN'T SEEM TO FIGURE OUT WHAT NEEDS TO BE DELETED FOR ME TO GET THIS DONE. I HAVE BEEN WORKING ON IT FOR OVER 2 WEEKS DELETING EMAILS. COULD YOU PLEASE HELP ME AGAIN?

Feb 8, 2021 17:29

quote:Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire. The argument my boss is making is that we're not cloud only, we have on prem AD therefore passwords should expire, according to MS.

Feb 8, 2021 17:33

GreenNight posted:The argument my boss is making is that we're not cloud only, we have on prem AD therefore passwords should expire, according to MS. Your boss is a dipshit, MS is just echoing NIST recommendations that aren’t even that recent.

Feb 8, 2021 17:34

GreenNight posted:The argument my boss is making is that we're not cloud only, we have on prem AD therefore passwords should expire, according to MS. Yeah, this is wrong and also if you have on-prem stuff you can still use Azure AD Bad Password Protection. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

Feb 8, 2021 17:46

GreenNight posted:The argument my boss is making is that we're not cloud only, we have on prem AD therefore passwords should expire, according to MS. If you are hybrid with password hash sync, cloud-side account password expiration is disabled, so feel free to laugh at your boss (only pass-through auth hybrid has password expiration on cloud-side auth).

Feb 8, 2021 17:58

The new org is great with MFA, FIDO tokens, etc... but they still make us change our passwords every 90 days. I hope we can convince them to move to a 1 year expiration.

Feb 8, 2021 18:05

Internet Explorer posted:Yeah, this is wrong and also if you have on-prem stuff you can still use Azure AD Bad Password Protection. I am fully deployed in audit mode for this right now. Local AD is the source of truth for authentication and password changes other than those done through Intune ctrl-alt-del to their Azure AD profile. Everyone authenticates through Okta, but the delegation occurs down to AD through the on-prem agents. Once we've had this deployed for a month or so, I'll start pulling data so we can start picking a date to work towards with communication, etc.

Feb 8, 2021 18:11

https://pages.nist.gov/800-63-FAQ/ if anyone needs to argue with people about it. quote:A-B05:

Feb 8, 2021 18:12

The real problem is that we have to wait for auditors to catch up and for security assessments in contracts to catch up. It can be a recommendation from agencies for 100 years, but until that auditor from EY no longer asks for a screenshot of the AD policy to expire passwords, it's going to remain in effect. Same with contracts. Oh, we attested in this contract we signed 5 years ago that we expire our passwords every 90 days. Well, we aren't rewriting that contract anytime soon so we can't change it.

Feb 8, 2021 18:19

https://github.com/lithnet/ad-password-protection I've had good success with Lithnet's password protection and it even has a bit about scanning your AD for compromised passwords found in haveibeenpwned. Even if you don't use it for the agents and all that, that piece is good.

Feb 8, 2021 18:23

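The compromised-password check mentioned above is built on the Have I Been Pwned "Pwned Passwords" data. As an added example (not the Lithnet project's code and not part of the original thread), the Python below shows the k-anonymity range protocol that dataset exposes over HTTP: SHA-1 the password, send only the first five hex characters to `https://api.pwnedpasswords.com/range/{prefix}`, and match the remaining 35 characters locally, so the full hash never leaves your network. All function names are mine; the passwords and counts in `CONSTRUCTED_BREACHED` are made up so the offline stand-in `fake_fetch_range` can run without network access, and `real_fetch_range` is the only part that talks to the live service. Lithnet's own scanner runs against a locally downloaded copy of the hash list rather than calling this API, so treat this as the underlying technique, not a description of that tool.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that is sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a lookup table."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    Padded responses (requested with the 'Add-Padding: true' header) contain
    decoy suffixes with count 0; treating count 0 as 'not found' keeps them harmless.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# ---- offline stand-in for the network call: constructed data, not real counts ----
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 3861493,   # constructed count
    "Winter2021!": 12,     # constructed: passes composition rules, still breached
    "letmein": 236597,     # constructed count
}


def build_fake_ranges(breached: Dict[str, int]) -> Dict[str, str]:
    """Group the constructed suffixes by prefix, in the API's response format."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = split_for_range_query(pw)
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")
    # one decoy entry with count 0, as a padded real response would contain
    by_prefix.setdefault("00000", []).append("0" * 35 + ":0")
    return {p: "\r\n".join(lines) for p, lines in by_prefix.items()}


FAKE_RANGES = build_fake_ranges(CONSTRUCTED_BREACHED)


def fake_fetch_range(prefix: str) -> str:
    """Drop-in replacement for real_fetch_range that never touches the network."""
    return FAKE_RANGES.get(prefix, "")


def real_fetch_range(prefix: str) -> str:
    """Live lookup against the HIBP range endpoint; only the 5-char prefix is sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap fake_fetch_range for real_fetch_range to query the live service.
    for candidate in ("password", "Winter2021!", "correct horse battery staple"):
        n = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: {'seen %d times, reject' % n if n else 'not in corpus'}")
```

The design point worth noting is the split: the service only ever sees five hex characters (about a million possible prefixes, each covering hundreds of real hashes), so an observer learns almost nothing about the candidate password, and the padding header hides which prefixes are "interesting" by size. A password that satisfies a classic complexity rule (`Winter2021!` in the constructed data) is still rejected, which is the point the NIST and Microsoft guidance in this thread is making.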
Something that never fails to piss me off is how many loving agents and ancillary programs I need to install for these kinds of hybrid Azure features: one agent on every DC for Azure ATP, one agent on every DC for password protection, at least one rando server agent for AD Connect, another one for the Intune AD connector, another one for the password protection proxy, and I'm sure I'm forgetting some. Just have a single agent for everything to be installed on each DC and stop this nonsense.

Feb 8, 2021 18:25

Yeah we don't pay for Azure P2 license so we can't do a self service reset portal or password writeback.

Feb 8, 2021 18:32

GreenNight posted:Yeah we don't pay for Azure P2 license so we can't do a self service reset portal or password writeback. SSPR and writeback is P1 tho

Feb 8, 2021 18:33

We have whatever comes with 365 Business Standard which is not enough apparently. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing

Feb 8, 2021 18:35

SlowBloke posted:Something that never fails to piss me off is how many loving agents and ancillary programs I need to install for these kinds of hybrid Azure features: one agent on every DC for Azure ATP, one agent on every DC for password protection, at least one rando server agent for AD Connect, another one for the Intune AD connector, another one for the password protection proxy, and I'm sure I'm forgetting some. Just have a single agent for everything to be installed on each DC and stop this nonsense. Hybrid runbooks, cert connector, proxy, Arc, probably a few more

Feb 8, 2021 18:36

GreenNight posted:We have whatever comes with 365 Business Standard which is not enough apparently. You need Microsoft 365 E3/A3 for included P1 or E5/A5 for P2; Business Standard is their cloud equivalent to Small Business Server.

Feb 8, 2021 18:37

SlowBloke posted:Something that never fails to piss me off is how many loving agents and ancillary programs I need to install for these kinds of hybrid Azure features: one agent on every DC for Azure ATP, one agent on every DC for password protection, at least one rando server agent for AD Connect, another one for the Intune AD connector, another one for the password protection proxy, and I'm sure I'm forgetting some. Just have a single agent for everything to be installed on each DC and stop this nonsense. So one of the first things I noticed at my new gig was the sheer number of agents and poo poo running on DCs. Like yeah, you're having performance issues... There are 9 different loving agents all contending for resources in addition to AD. We're looking at rolling out ATP/Defender for Identity, and its requirements are probably going to cause us to resize our entire DC fleet.

Feb 8, 2021 18:38

devmd01 posted:I am fully deployed in audit mode for this right now. How much of a pain in the neck was this actually to set up and implement? Going over the number of workarounds in the documentation I'm getting a "This software is held together with duct tape" vibe

Feb 8, 2021 18:42

skipdogg posted:So one of the first things I noticed at my new gig was the sheer number of agents and poo poo running on DCs. Like yeah, you're having performance issues... There are 9 different loving agents all contending for resources in addition to AD. In our case we had to move from 1 vCPU/2 GB to 2 vCPU/8 GB on each DC, along with an extra 20 GB of space on the OS disk if the image was old, when we pushed Azure ATP. Also there are a few caveats on VM DCs to be aware of. The docs explain most of the pain points.

Feb 8, 2021 18:44

skipdogg posted:So one of the first things I noticed at my new gig was the sheer number of agents and poo poo running on DC's. Like yeah you're having performance issues... There's 9 different loving agents all contending for resources in addition to AD. Also make sure you don’t have any teamed NICs (or you’ll need to install an older version of npcap) and don’t run any bullshit like Cisco Tetration on them.

Feb 8, 2021 18:45

klosterdev posted:How much of a pain in the neck was this actually to set up and implement? Going over the number of workarounds in the documentation I'm getting a "This software is held together with duct tape" vibe Most of Microsoft's password security solutions' local assets are janky, be it Azure ATP, password protection or even LAPS. Nothing to be surprised by, really (the worst offender since we went all in on the Microsoft stack is the Intune AD connector, which looks like something out of NirSoft rather than Microsoft).

Feb 8, 2021 18:47

klosterdev posted:How much of a pain in the neck was this actually to set up and implement? Going over the number of workarounds in the documentation I'm getting a "This software is held together with duct tape" vibe Super easy. I didn’t care about redundancy for the proxy, so I just deployed one. As long as one DC can talk to the proxy, it will store the data in sysvol to replicate to the rest. Only deal is that you will have to install the agent on and reboot every DC.

Feb 8, 2021 18:47

After years of working for a dogshit rear end consultancy I'm now being given a multiple-day onboarding and expected to shadow people on projects for a while before I really get my hands on anything. Feels weird, I've been conditioned to expect the worst.

Feb 8, 2021 19:54

Enjoy your pod while it lasts!

Feb 8, 2021 19:56

ughhh the only jobs that are getting sent my way via recruiters are MSPs (doing the same poo poo I am now probably for the same/less pay) or working for finance companies of various flavors which pay very well but I think I know better; my will is being broken though.

Feb 8, 2021 20:02

i am a moron posted:After years of working for a dogshit rear end consultancy I’m now being given a multiple days onboarding and expected to shadow people on projects for a while before I really get my hands on anything. Feels weird, I’ve been conditioned to expect the worst I just started week 6 and I still haven't had admin accounts provisioned yet. No hurry on my part

Feb 8, 2021 20:04

Post your resume and/or your LinkedIn if you're comfortable doing that

Feb 8, 2021 20:06

My pod is giving all of the employees “performance based bonuses” in a lump sum this year in lieu of a raise. We service the medical industry, and as you can imagine our services, and therefore revenue, dropped off last year as elective surgeries went downhill for obvious reasons. I’m not mad; I’m here for at least another year until I’m fully vested and then I’m gonna take a long hard look at the skills that I have, the experience that I have, and how I can best capitalize on what I bring to the table in any discussion about interviewing elsewhere or making it worth my while to stay.

Feb 8, 2021 20:07

skipdogg posted:I just started week 6 and I still haven't had admin accounts provisioned yet. No hurry on my part Got a buddy who went to Google Jan 1 and he’s not even through onboarding yet. I’m still in a billable role and I get itchy as hell when I’m not billing. The bench and low utilization is death to me

Feb 8, 2021 20:09

i am a moron posted:Got a buddy who went to Google Jan 1 and he’s not even through onboarding yet. I’m still in a billable role and I get itchy as hell when I’m not billing. The bench and low utilization is death to me I feel you man. That poo poo takes time to go away. Well, it probably won’t ever go away but it becomes less of an itch.

Feb 8, 2021 20:54

A recruiter sent me a very tempting offer this morning but snuck “on site with mandatory occasional travel” in there and that’s a big ol Nope

Feb 8, 2021 21:11

More government agencies saying "don't expire passwords": https://www.ncsc.gov.uk/collection/passwords/updating-your-approach quote:Don't enforce regular password expiry. Whenever I need to look for security advice the NCSC seems to be pretty much aligned with what ~*the industry*~ outside of Spiceworks and Reddit is saying to do; it's a really good resource. I assume each country will have a similar agency.

Feb 8, 2021 21:33

Oh hey, the March 9th 2021 Win 10 update will install Chromium Edge by default and remove legacy Edge. Good luck everyone.

Feb 8, 2021 23:04

Are people worried about that?

Feb 8, 2021 23:06

Yeah, I don't really have any concerns about that. Old-Edge wasn't around long enough for people to use it. Really, they should have just used that as an opportunity to go back to the Internet Explorer branding. If we can have nu-Edge, we can have nu-Internet Explorer.

Feb 8, 2021 23:07

With Edge's fancy O365 Plug-ins and whatever management that comes with it there's literally no reason to deploy any other web browser.

Feb 8, 2021 23:10
