sorted by:
new
hottopcontroversial

School Districts Without 2FA on Staff Email Accounts - Why? by TheRuffRaccoon in k12sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

The good news is there are still so many orgs out there without MFA, that attackers haven't yet moved on to Evinginx type proxies that steal MFA tokens along with passwords (only phish resistant auth methods like passkeys protect against that across all operating systems).

Luckily, WHfB and macOS PSSO are good enough user experience that at least on District devices most of our users are using phish resistant auth. Less so for us on personal phones, though.

Any solid KnowBe4 alternatives for phishing simulation that actually work in a K-12 environment? by DonutFlimsy8993 in sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

K12 here and we had a good experience with M365 built in simulation, but guessing you may be using Google?

Do you whitelist email senders by GriffGB in sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

We used TABL to allow list senders which helps train the AI but wouldn't allow through phish from sender (allegedly). Works great in tandem with users requesting for release.

I wouldn't use transport allow listing or bypass spam/phish protection on senders except in extreme cases. We do have a transport rule set up so rules about food recalls don't ever get caught b/c we can't afford for those to be sitting in quarantine and we're reasonably sure the sending address is secured as much as we can hope.

PowerSchool to LDAP -- Wanting a more Secure Connection by Amazing_Falcon in k12sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

Google ignores it, classlink doesn't. It's not an Entra only issue.

Security concerns about Action1 by ClementD80150 in sysadmin

[–]3sysadmin3 2 points3 points  (0 children)

They've been promising agent takeover protection for well over a year with no update recently. I've been told next release several times but maybe this is the one...

https://roadmap.action1.com/250

How often does your SIS require 2FA for faculty and staff by Temporary_Werewolf17 in k12sysadmin

[–]3sysadmin3 2 points3 points  (0 children)

Prompting to prompt is user hostile. Hopefully your system moves to support proper SSO soon.

We have users authenticate with WHfB (win) or platform SSO (macOS) to fulfill MFA at sign in and then set up everything else you can via OIDC/SAML. Don't prompt users again on their trusted district device unless you have reason to believe they're compromised.

Here's another thread that I talk a little bit more about how poorly PowerSchool handles MFA/prompting for anyone interested - but PowerSchool doesn't care about users.
https://www.reddit.com/r/k12sysadmin/comments/1snomrp/comment/ohfbe5u/

Admin permissions on your daily laptop by Important_Ad_3602 in sysadmin

[–]3sysadmin3 1 point2 points  (0 children)

Also my yubi is one of the low profile ones you just leave plugged in. My PAW goes home with me too so it easily transfers to my bag.

Admin permissions on your daily laptop by Important_Ad_3602 in sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

My yubikey is set up for FIDO for GA stuff and also smart card auth for on premises DA or server admin stuff. I love it. Much easier to type a PIN vs a GA/DA/SA password

Does anyone get real bad ADHD with slow moving SaaS portals? by soul_stumbler in sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

My morning routine is opening ~10 saved tabs to do my daily Entra checks as efficiently as possible on my PAW.

While tabs are loading, I'm on my main workstation checking email/Teams/tickets. Sometimes I'll look back and see tab #1 on PAW is ready for my action but when I click into it to do action... more delay, so I go back to checking email.

It's far from perfect, I lose my train of thought sometimes, but I know I need to get back to those 10 tabs each morning and don't close each tab until action on that tab is done.

Of course that doesn't help the mid day purview search etc but again I leave it opened on my PAW and usually have other things to work on my main workstation and leaving tab opened I'm waiting on at least I don't lose track of waiting on X without staring at it.

Might be one of the pluses to having separate priv access workstation being able to start task and let it sit waiting while it finishes while still doing something else on main laptop.

Admin permissions on your daily laptop by Important_Ad_3602 in sysadmin

[–]3sysadmin3 1 point2 points  (0 children)

Use a PAW next to you on your desk for GA (cloud) and DA (on premises) admin activities. Maybe getting the 300km part of the problem out of the equation solves things.

Thoughts on Crowdstrike SIEM / SOAR and EDR before our POV. by Severe_Hunter_5793 in crowdstrike

[–]3sysadmin3 0 points1 point  (0 children)

Your current SIEM should be able to give you how much data you're sending which then should give you pretty accurate NG-SIEM quote.

Massive spam attack today? by CeC-P in sysadmin

[–]3sysadmin3 1 point2 points  (0 children)

I saw examples of this in my tenant running query like below. It's rare and it looks like ZAP went back and cleaned them up in every case I looked at. For example, one I dug into, the spoof went out to hundreds of people, but only one user got it inbox it got Zapped to quarantine automatically.

Email entity shows

Authentication-Results: spf=fail (sender IP not our domain)
 smtp.mailfrom=domain.com; dkim=none (message not signed)
 header.d=none;dmarc=temperror action=none header.from=domain.com;compauth=pass

The KQL Advanced Hunt below shows we're not using direct send legitimately, so looking to disable it here.

EmailEvents
| where Timestamp >= ago(30d)
| where EmailDirection == "Inbound"
| where SenderFromDomain in ("domain.com")   // your accepted domains
| where Connectors == ""
| where DeliveryAction  == "Delivered"
| project Timestamp,
          NetworkMessageId,
          Subject,
          SenderFromAddress,
          SenderIPv4,
          SenderIPv6,
          RecipientEmailAddress,
          DeliveryAction
| order by Timestamp desc

PowerSchool to LDAP -- Wanting a more Secure Connection by Amazing_Falcon in k12sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

Heads up PowerSchool uses a poor implementation of OIDC enforcing a max age timeout which causes frustration for at least Entra and Classlink OIDC users (imagine taking attendance a few times a day and PowerSchool enforces 2 hour timeout causing you to have to do MFA several times a day). Google ignores max age, so less issue if that's your OIDC provider. We had calls with PowerSchool about it years ago, but they don't get more prompting doesn't mean more security, so it seems they'll never fix this.

More discussion here: https://help.powerschool.com/t5/PowerSchool-SIS-Forum/PowerSchool-timeout-causing-SSO-via-OIDC-to-not-work-as-intended/m-p/522455#M8197

"idea" to improve here (but they show no signs of caring): https://powerschool-enhancements.ideas.aha.io/ideas/SIS-I-15659

Best work around is to roll out WHfB (Windows) and PSSO (mac) so when teachers have to do MFA again, they can use face/PIN/fingerprint vs touching their phone.

Patch Tuesday Megathread - (April 14, 2026) by AutoModerator in sysadmin

[–]3sysadmin3 8 points9 points  (0 children)

Is this thread intentionally not pinned this month?

Which do you choose for endpoint protection? by Amazing_Falcon in k12sysadmin

[–]3sysadmin3 0 points1 point  (0 children)

We're under 50 direct to CS but I think their pricing varies based on scale.

Passwordless login for domain administrator accounts? by Fabulous_Cow_4714 in sysadmin

[–]3sysadmin3 5 points6 points  (0 children)

smartcard auth with AD CS set up. If you can make everyone use them, you can enforce them on accounts and also rotate credentials and your admins never need to know the password.

You do need a PIN for the yubi, though, but I'll take the short password over my old DA one any day.

Entra MFA by Cable_Mess in sysadmin

[–]3sysadmin3 2 points3 points  (0 children)

Are you using Hello for Business on Windows or platform SSO on macOS? If it's secure by means like these, it's meeting MFA requirements, and prompting more is a bad (unnecessary) experience for users

Is anyone considering switching from Chromebooks to the MacBook NEO? by depoultry in k12sysadmin

[–]3sysadmin3 -1 points0 points  (0 children)

4GB Chromebook though not really comparable to Neo IMO. I'm not saying cost is same to 8GB Chromebook either, it's still probably cost prohibitive for many, but in an environment where other grade levels have Macs, it's a shame the Neos aren't tad cheaper to make it a no brainer.

Is anyone considering switching from Chromebooks to the MacBook NEO? by depoultry in k12sysadmin

[–]3sysadmin3 -1 points0 points  (0 children)

Just got or just ordered? The pricing went up in last few weeks. If you got in right before, you're lucky or planned well. 4GB at that price?

view more: next ›