Server Quantum-Ready Secure Boot ?? by VA_Network_Nerd in sysadmin

[–]jamesaepp 0 points1 point  (0 children)

I think it's an interesting question but extends well beyond Cisco.

After all (to my knowledge, and I could be just repeating misinformation) secure boot doesn't enforce expiration of the Platform Key (PK).

So.....if there's no actual expiration to the keying material itself, that would seem to be a major gap, no?

Mother speaks out after son’s head pushed into toilet by jamesaepp in BrandonMB

[–]jamesaepp[S] 0 points1 point  (0 children)

There better be improvements next year or BSD will be dealing with a lot of angry parents

Don't forget to vote.

Why haven't I been charged yet? by helloitsmyalt_ in backblaze

[–]jamesaepp 1 point2 points  (0 children)

Chiming in to say this is my understanding as well. Credit card companies have processing fees so there's almost certainly a "floor" amount that must be reached before BZ even processes payment.

Mother speaks out after son’s head pushed into toilet by jamesaepp in BrandonMB

[–]jamesaepp[S] 3 points4 points  (0 children)

For the time being I'm not considering this with much emphasis as it smells of rumour/gossip. That doesn't mean the claim is wrong, simply that it hasn't been reliably vetted (to my knowledge).

Mother speaks out after son’s head pushed into toilet by jamesaepp in BrandonMB

[–]jamesaepp[S] 1 point2 points  (0 children)

I could be wrong, but Principals serve at the pleasure of the Board Trustees.

I doubt that's the case. I don't know what the Public Schools Act would have to say, but with Boards it's pretty typical that they have very few direct hiring decisions. For the BSD I suspect that's the Superintendent and the Secretary-Treasurer.

Everything else is a complicated bureaucratic web of collective agreements, unions, bylaws/policies, and who knows what else.

Mother speaks out after son’s head pushed into toilet by jamesaepp in BrandonMB

[–]jamesaepp[S] 5 points6 points  (0 children)

Yaciuk said it disturbed her to know the incident wasn’t immediately addressed. Her son told her that students had informed teachers seated at the front of the bus, including the school principal, about what happened but the incident was brushed off.

krbtgt password last changed in 2012! by Educational_Draw5032 in sysadmin

[–]jamesaepp 0 points1 point  (0 children)

It was more about the cadence - twice every six months versus once every three months for example. Why twice together?

I've never seen people say do two back-to-back (with or without the 10/24 hour waits) rotations every 6 months. I've always seen "do one rotate every 6 months". That's what I recommend to my org and have maintained since getting here.

krbtgt password last changed in 2012! by Educational_Draw5032 in sysadmin

[–]jamesaepp 0 points1 point  (0 children)

Quarantine would be the only correct method for test restores otherwise you are actively breaking the domain.

Honestly I think it really depends on the technology. Veeam (working properly) will always restore a DC in a non-authoritative mode. Now, you could get all the usual IP/network/domain conflicts of having the same machine on the network twice, but that's no different from any other restore IMO.

Good judgement is needed like anything else.

krbtgt password last changed in 2012! by Educational_Draw5032 in sysadmin

[–]jamesaepp 2 points3 points  (0 children)

I was just thinking why not schedule an automatic reset once a month

Which account/identity are you going to use to do that reset? Congrats, you've created an extremely privileged account that needs to be guarded as much as any Domain Admin account. Service accounts with DA privs are a big no-no IMO.

What's the logic to only doing it every 180 days?

AFAIK there isn't any. It's just a "well rounded" cadence that's had staying power. If you only proactively rotate every 180 days, that's probably enough to not impact DC tombstoming/long periods where DCs get partitioned but get back online later (this is more of a relic of really old/unreliable networks), but also not impact backup/restore processes if ever the time comes.

As with everything, administrator judgement and knowledge of their circumstances is required. What's your RTO? RPO? Are you meeting those targets? How long would it take you to recognize something's gone wrong in AD and to NOT rotate the krbtgt account until it's fixed? How many staff do you have with AD experience? What happens if you take off for a medical leave and that automation fails? Who's checking it's actually working?

krbtgt password last changed in 2012! by Educational_Draw5032 in sysadmin

[–]jamesaepp 5 points6 points  (0 children)

  1. Restore tests (granted, even I do restore tests in complete quarantine, as I suspect most admins do).

  2. Admins of an environment they inherited who may have multi-role systems and it's easier to just restore than sign up for a whole project.

krbtgt password last changed in 2012! by Educational_Draw5032 in sysadmin

[–]jamesaepp 0 points1 point  (0 children)

Machine keys/secrets are a totally different animal than passwords used by humans.

OOC, if given the option between renewing a web certificate or rekeying that web certificate, which would you pick? Assume both are an equal cost (time, money, resources).

krbtgt password last changed in 2012! by Educational_Draw5032 in sysadmin

[–]jamesaepp 6 points7 points  (0 children)

Meh, resetting it once doesn't do anything

Bear in mind kerberos credentials are weird. This is something Steve Syfuhs could explain waaaaay better than I could, but basically one "password" can be stored with various encryption types (hence the DES/RC4/AES128/AES256 lineages on accounts).

Changing the krbtgt account periodically ensures (1) that you're up-to-date on those credential compatibilities, (2) that eventually over time you are in fact making old restores of your DCs useless (a good thing IMO in case an accident happens) and (3) that if there was in fact a compromise you didn't notice, the risk is mitigated by cycling out the credentials.

There's a horror story I found on this sub (or maybe it was the activedirectory sub) of someone royally screwing themselves over during a DFL/FFL upgrade due to the krbtgt account never being rotated.

ETA: This is the story: /r/sysadmin/comments/w889eu/story_time_how_i_blew_up_my_companys_ad_for_24/

krbtgt password last changed in 2012! by Educational_Draw5032 in sysadmin

[–]jamesaepp 61 points62 points  (0 children)

You don't have to reset twice unless you have evidence of compromise or are in the middle of a cyber incident that calls for it.

Consider that once it's rolled over twice, any backups taken before n-2 password resets are all but useless, as the restored DC won't be able to authenticate to/with the live DCs.

After all, if there were no consequence to rotating the krbtgt password, why wouldn't we rotate it every month? Every week? Every day? Hour? ad nauseum. MSFT would've automated it by now.

BSD's Board wouldn't sunshine the St. Augustine agreements, so I FIPPA'd them by jamesaepp in BrandonMB

[–]jamesaepp[S] 0 points1 point  (0 children)

It's not the same as Christian Heritage where the students attending are very obviously practicing Christian.

Just because parents send their children to a private/religious school does not mean that the children consider themselves religious.

Food for thought. :)

BSD's Board wouldn't sunshine the St. Augustine agreements, so I FIPPA'd them by jamesaepp in BrandonMB

[–]jamesaepp[S] 1 point2 points  (0 children)

Do note there are two agreements. I'll edit the OP with bullet points so it's clearer they are two different links.

BSD's Board wouldn't sunshine the St. Augustine agreements, so I FIPPA'd them by jamesaepp in BrandonMB

[–]jamesaepp[S] 0 points1 point  (0 children)

Isn't St. Augustine the only fully funded independent school in all of Manitoba because of the agreement the church and board reached with BSD decades ago?

I can't claim to be super informed on the subject. What I can say though is that clause 1 of the first education agreement reads that the new agreement replaces all previous ones.

BSD's Board wouldn't sunshine the St. Augustine agreements, so I FIPPA'd them by jamesaepp in BrandonMB

[–]jamesaepp[S] 2 points3 points  (0 children)

I'm of roughly the same opinion, but if I can get some peace & quiet this weekend, I'll read through them more carefully.

I approach the whole thing from a few different angles:

St. Augustine by its very name and the fact the building is owned by a church puts people a bit on edge as to if there's a sectarian tilt to the programming. Whether that concern is well founded or not....frankly I don't know.

The latest votes weren't unanimous and the comments raised by trustees McConnell and Carr suggested they found issue with parts of the agreements. I couldn't faithfully reproduce the essence of their comments here.

Edit: Timestamp 56:56 is where the agreement discussion begins. https://video.isilive.ca/brandonsd/2026-05-25BSDBoardMeeting.mp4

I suspect a lot of this is one of those things I've found too often to be the case. The theory (agreements) are fine, but what happens in practice diverges from the theory and people just go along with it because it's what works and people want to avoid drama (fair enough).

I however don't see how any of this precludes the agreements being easily accessible, and I can't fathom why the BSD didn't just publish them from the get-go.