|
BIG FLUFFY DOG posted: Any process which cannot survive a person not being available is a failed process

Just to be clear, these do this to uncover and eliminate these kinds of problems. It's a way to detect them.
|
# ? Sep 15, 2023 19:37 |
|
BIG FLUFFY DOG posted: Any process which cannot survive a person not being available is a failed process

Our only solution to "the internet disconnects from all our servers every few months" is currently unplug the firewall from the wall, and nobody told me which one is the firewall. Could I figure it out? Probably! But the documentation is a decade old for an entirely different product and my boss has been ignoring my requests for any up-to-date documentation whatsoever.
|
# ? Sep 15, 2023 19:43 |
|
And now a former team member appears to be stymied by removing me from some azure as groups. There's tons of stuff I've set up that over time has become load bearing, but nobody owns it other than me. Since we started our SAFe transformation 3 years ago, any attempt to even mention all these internal shadow systems and processes was met with scorn. So the schadenfreude continues. And if they have to stoop so low as to ask me, I will gladly explain what's going on.
|
# ? Sep 15, 2023 20:04 |
|
tokin opposition posted:
Tokin, I'm gonna help you out here. This took me oh I guess 20 years of being in industry. Nothing gets done unless you do it yourself.
|
# ? Sep 15, 2023 20:06 |
|
The Fool posted: whomst among us has never found an unlabeled and undocumented box in a closet and performed a scream test

I've been trying to get a coworker to send some demo gear back to the vendor, and he mentions "Hey, I found a Cisco router in the rack, should I grab that?" Since I wasn't onsite for the demo install, I'm not sure what they had sent over. He grabs the router and puts it aside to add to the shipping box. About 20m later, I get 2 people asking me why they can't reach a particular site, and oops turns out that box is part of a VPN to a very specific website. We toss it back in the rack. Turns out the old router that was in there that had very specific labels on it that said what it was for and not to touch was replaced with one that didn't have those. Lesson learned. On the other hand, it also proves the failover that was supposed to happen didn't, so we actually made things better if you think about it.
|
# ? Sep 15, 2023 20:10 |
|
FISHMANPET posted: And now a former team member appears to be stymied by removing me from some azure as groups.

Are they the type of org to throw you under the bus and claim you set everything up incorrectly (no you can't see the documented processes for doing it the right way) to try and get this 12 month notice period down?
|
# ? Sep 15, 2023 20:16 |
|
thewizardofshoe fucked around with this message at 21:07 on Sep 15, 2023 |
# ? Sep 15, 2023 21:05 |
|
TIL the iPhone XR apparently can’t handle number matching with Microsoft authenticator? I have two new employees who started yesterday who both have this phone and neither one could access our apps. Had to put an exclusion on the policy for their accounts as they are on call over the weekend. Looks like it’s a 5 year old phone so I wonder at what point do we ask people to replace. We do give a $70/mo phone allowance so I don’t think it’s that unreasonable.
|
# ? Sep 15, 2023 21:07 |
|
I tend to be one of those weirdos that loves having a stereo jack and having expandable memory on my phone (I like listening to podcasts without having to stream them), my options to upgrade get fewer and fewer every year.
|
# ? Sep 15, 2023 21:10 |
|
Cyks posted: TIL the iPhone XR apparently can’t handle number matching with Microsoft authenticator?

I have an XR and it does number matching just fine.
|
# ? Sep 15, 2023 21:15 |
|
Cyks posted: TIL the iPhone XR apparently can’t handle number matching with Microsoft authenticator?

$70 probably comes close to covering the monthly plan, but not more than that. I do think that at the point where the device stops receiving security updates you can require it.
|
# ? Sep 15, 2023 21:25 |
|
The XR runs iOS 16 and will run iOS 17, the issue is somewhere else.
|
# ? Sep 15, 2023 21:27 |
|
Maybe. I didn’t have a chance to work on it directly but my coworker spent almost two hours in person yesterday and couldn’t get it to work, AAD is reporting that the user didn’t satisfy MFA and disabling the conditional policy fixed it for now. I just find it interesting that the only two people in the company who ran into any issues both have the same model phone. The other 20 employees we brought on yesterday have had no issues.

Though I slightly misspoke; they were able to do two two digit number matching when setting up the phone. The issue is when they are trying to log into an SSO enabled app on their phone, including Teams and Outlook.
|
# ? Sep 15, 2023 21:50 |
|
What do you guys (or your security departments) think is a reasonable amount of MFA/number checks per day?
|
# ? Sep 15, 2023 21:53 |
|
LochNessMonster posted: What do you guys (or your security departments) think is a reasonable amount of MFA/number checks per day?

Daily? I do a check on a new device or if suspicious activity.
|
# ? Sep 15, 2023 22:04 |
|
thewizardofshoe posted:
Lol this happens to us so often that our job duties just got email receptionist added to it basically because fighting it was useless
|
# ? Sep 15, 2023 22:08 |
|
LochNessMonster posted: What do you guys (or your security departments) think is a reasonable amount of MFA/number checks per day?

A user should do nothing each day except logging into services and verifying their identity
|
# ? Sep 15, 2023 22:57 |
LochNessMonster posted: What do you guys (or your security departments) think is a reasonable amount of MFA/number checks per day?

The security team added a setting somewhere that means my primary work application doesn't remember any user credentials. Opening the application means I might have to log in anywhere from 2 to 6 times. Every time. Also, more if I open a file from SharePoint, or if I publish a report, or if I save a file to SharePoint. It's loving infuriating.
|
|
# ? Sep 15, 2023 23:51 |
|
If someone is using a managed device that is deemed in compliance, and that device is happy that the user is who they say (biometric auth of some sort) then don’t show people an MFA prompt until they hit an admin console for a service or work in finance and access their banking.
|
# ? Sep 16, 2023 00:01 |
|
Had to call another org's IT dept. today because one of our users was on their campus and was unable to access their network (we have a MOU that says our users can use their private network) and the credentials were updated. All I'll say is that the smug dickhead IT helpdesk stereotype is extra annoying when you are also in IT and on the receiving end of it.
|
# ? Sep 16, 2023 03:54 |
|
LochNessMonster posted:What do you guys (or your security departments) think is a reasonable amount of MFA/number checks per day? Every time the context (network, device or security level) changes. If the session didn't change any of those, zero.
|
# ? Sep 16, 2023 08:44 |
|
SlowBloke posted: Every time the context (network, device or security level) changes. If the session didn't change any of those, zero.

Right on. If you get too many MFA checks... people's psychology takes over and there is real risk they accept a malicious one. I know back in ~2018 there was a serious issue with fake MFA apps in the Microsoft and Apple store. And hackers explicitly targeting executives with LinkedIn data... "I know Mr. Important Executive lives in NYC. It's the end of the quarter, it's super busy and we managed to get his password. Now let me try logging in at 8:30AM EST and see if he just accepts."
|
# ? Sep 16, 2023 09:18 |
|
skipdogg posted: whoo boy this MGM hack has got folks asking all sorts of questions now.

https://twitter.com/aejleslie/status/1702417787006673076

quote: Successfully launched ransomware attacks against more than 100 EXSi hypervisors

I also really, really hope Okta sync agent doesn't actually sync plain-text passwords. If it does.. Wowza.
|
# ? Sep 16, 2023 09:21 |
|
SlowBloke posted: Every time the context (network, device or security level) changes. If the session didn't change any of those, zero.

This sounds like the ideal set up. Last job had me auth every 30 mins for high privileged accounts (~ 50% of my work) which was incredibly annoying.
|
# ? Sep 16, 2023 11:45 |
|
MFA every 60 minutes to access the ERP, it loving sucks. Then arbitrary password expirations every 90 days too because we're a government entity stuck in 2010. At least for the poo poo I control like email and web apps it's only on context change so I see the MFA maybe once every 2 months if I'm not logging in from locations other than the office PC
|
# ? Sep 16, 2023 14:48 |
|
never; just trust the user, never verify
|
# ? Sep 16, 2023 15:07 |
|
Crosby B. Alfred posted: Right on.

You got all your execs to actually use MFA? Impressive
|
# ? Sep 16, 2023 16:27 |
|
No exceptions except for service accounts and time-limited, minimally scoped, very specific purpose test accounts handed out to vendors so they can sort out their SSO problems.
|
# ? Sep 16, 2023 16:55 |
|
one of our client owners has an MDM exception and we just have to bug him every quarter and be like "you doing these things" and he goes "yah" and we go "ok" and it's so lame. should beat his rear end imo
|
# ? Sep 16, 2023 17:05 |
|
We do one MFA every month or so, have no password policies enforced, and have an OTP that goes to email every time you connect to the VPN, which every user has preconfigured on their laptops

I'm sure it's fine tho, they only do ransomware once, right? Right??
|
# ? Sep 16, 2023 17:07 |
|
every time you talk about your job tokin I think of the first real IT job I had as the sole onsite tech for a rubber factory + its engineers

my bosses were super chill though, .... maybe too chill....

Sometimes I think of it in the way that's like "I wish I could go back and kick that job's rear end" because I was sooo early IT baby it'd be interesting to see the clear difference.
|
# ? Sep 16, 2023 17:11 |
|
I have to re-auth for every website every day because my org fubar'd the SSO and it forgets you logged in on a different web page two minutes ago. It's security through stupidity.
|
# ? Sep 16, 2023 19:10 |
|
tokin opposition posted: We do one MFA every month or so, have no password policies enforced, and have an OTP that goes to email every time you connect to the VPN, which every user has preconfigured on their laptops

Depends, if they have any device registration required. If they do, it's pretty good but not an ideal configuration.
|
# ? Sep 16, 2023 19:40 |
|
xzzy posted: I have to re-auth for every website every day because my org fubar'd the SSO and it forgets you logged in on a different web page two minutes ago.

Goldfish Memory Method.
|
# ? Sep 16, 2023 21:29 |
Burning a weekend to do more learning on AWS. Except mapping from "Here's how IAM works" and "Here is how my company has set it up and how to debug it" are two different things.
|
|
# ? Sep 17, 2023 20:47 |
|
Not sure if this is the best place to ask, but I’m looking for some advice and am finding this impossible to google.

We have about 200 call center agents and they all work exclusively from home - about half in the same city as our main office and the rest scattered across the state. They are issued laptops and basic accessories only (mouse, headset, etc).

Our CEO is suddenly stuck on the idea of having IT staff physically go to their homes to set the laptops up for them and show them how to use them (both for new hires and any time someone is issued a new machine)… I have a long list of reasons why I think this is A) a bad idea, and B) completely unnecessary, but I’m looking into it anyway in case I can’t convince him otherwise.

Does anyone have any experience doing anything like this? Is this a thing companies even do? I could maybe see the need if we were installing networking equipment or setting up more complicated desktops, but we’re talking about just a laptop that’s already 99% configured in advance (not to mention that all new hires come through a temp agency and often don’t show up for their first day or quit within the first couple weeks, making this even more of a waste of time).

My proposed alternative is to have them come into the office for their first day or two and we’ll do in-person training on the equipment there. Even that seems unnecessary to me as our current system of just FedExing the laptops is already working fine, but at least it’s not nearly as disruptive.

Any thoughts would be appreciated.
|
# ? Sep 17, 2023 23:26 |
|
gey muckle mowser posted: Not sure if this is the best place to ask, but I’m looking for some advice and am finding this impossible to google.

How hard is your software that you can't just whip up a 60 minute training video on it and just ship it to their house?
|
# ? Sep 17, 2023 23:36 |
|
Everyone is going to have a ton of variance when it comes to their setup, from dumb poo poo like where they want their cables run all the way down to they run an unsecured wireless network. Doing any sort of support on non-company equipment will set the precedent that you'll do it for everyone. It's a huge waste of your time and IT time because that should be spent on just the workstations after they're on and connected to the VPN.
|
# ? Sep 17, 2023 23:36 |
|
Your CEO sounds like a moron
|
# ? Sep 17, 2023 23:38 |
|
gey muckle mowser posted: Not sure if this is the best place to ask, but I’m looking for some advice and am finding this impossible to google.

The onboarding training sounds pretty generous. Going to their homes is gonna, as you mentioned, have your staff working on their personal crap and wasting time or increasing IT's liability if someone fucks up. Hell, at the hospital I work at I still get tons of "I can't get personal device to do X thing not at all related to my job" on-site, can't imagine what that would be like going to their homes.
|
# ? Sep 17, 2023 23:47 |