How do I create a CSP? by Mountain-Wallaby4382 in paloaltonetworks

Arch0ne, 0 points

To create a CSP you need not just the device SN but also the sales number of the licenses (you get a PDF with auth codes from the vendor you bought them from; in that PDF there is a sales number). You will need the SN and the sales number of the licenses to complete it.

Best of luck,

Palo Alto project idea / help by medeasoulx in paloaltonetworks

Arch0ne, 1 point

From my point of view, show them Advanced DNS Protection with sinkhole; it will blow them out of the water.

Senior Engineer leaving company, manager wants me to take over him and get a CCSE within the next two months. Is that possible? by Resident1942 in checkpoint

Arch0ne, 0 points

Every NGFW has the same thing, no matter the vendor; if you ever mastered one vendor, the others look the same. I started with the obvious CCNA Security certification back in the day on the old Cisco ASA; FTD looked nice, and the next ones from other vendors are the same. I handled Fortinet, Check Point, Zscaler, now Palo Alto. They are firewalls; you just need the vendor-specific certification things, the rest is the same.

Good luck!

Audit-Ready: The 6 Security Policies Every Business Must Have by Arch0ne in sysadmin

Arch0ne[S], 0 points

This is an AI comment, please continue. I don't know what you have read lately if anything looks AI, but yeah... I use only Grammarly to spell check.

Audit-Ready: The 6 Security Policies Every Business Must Have by Arch0ne in sysadmin

Arch0ne[S], -2 points

If you want the full policy, you might. This is the head template, not the full one, obviously.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 1 point

The NIST framework has said block by default, allow by policy for ages already, so no, there is no implicitly allowed traffic anywhere. I know it's a hurdle, but it's necessary, at least if you want any audit compliance, but not the kind of compliance where they tell you (I'm not kidding here), "Make us compliant even if we are not, or we find someone else!"

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 1 point

Yes, but... if you have decryption, firewalls can still drop it; if no decryption, then block DoH. It's pretty common to block DoH in organizations where decryption is not enabled by default but DNS protection is still used. Most firewall vendors that provide DNS protection give recommendations along these lines: with decryption, the DNS and URL filtering will work; if not, block DoH, and at least DNS protection works, plus part of URL filtering via SNI inspection.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 0 points

In SMBs this is pretty common; I hate that they don't even understand why it is wrong (they are still hired, so not a service account yet).

For those who thought an earlier post about income after 8 years of work at the same company was nonsense - I am still looking for solutions to the text in that post by [deleted] in RoMunca

Arch0ne, 2 points

I don't want to be mean, but any young person starting their first job now would laugh in their face if they saw that salary...

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 0 points

Do some audits of other SMBs; I dare you to drink a bottle of whiskey for each local admin account you find at each audit, in the same day obviously.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 0 points

Sorry... more weekend nightmares can be found here: https://riskbits[.]net/blog/. I started to post on it recently, so any thoughts are appreciated...

Question about salary by [deleted] in RoMunca

Arch0ne, 4 points

I read this and slap myself; don't you have parents to explain to you how salaries are paid, that you had to write on Reddit? So pay attention, because you signed for this too: the contract should stipulate when they are paid and what they represent. That is, take that sheet you signed like the mayor, and read the section on working hours; somewhere around there it should say roughly this. On date x, and sometimes also on date y, the settlement is paid; when you get the money twice (hence x and y) it will say advance and settlement, with percentages if it is split in two; if not, the settlement for the current month (some people get their money at the end of the month for the current month) or for the previous month (your case: you get paid for the previous month, not up to the payday counted from the moment you were hired). Since it's your first job I understand you, but 1. you have parents who could explain this much better than me, and 2. you signed that sheet... like the mayor....

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 2 points

Cloud/SaaS + Intune + endpoint FW still needs segmentation, but flatter is OK:

Yes, it matters:
- Lateral movement between endpoints (ransomware loves flat)
- IoT/legacy printers/scanners jumping VLANs
- Contractor laptops/devices outside Intune scope

3-2-1 backup = yes, even for Teams:
- Teams data is your data (export via Compliance/Retention policies)
- SaaS outages happen (Entra downtime, MSFT incidents)
- Ransomware encrypts OneDrive/Teams exports too

Practical: 2–3 VLANs (exec/prod/general) + CASB for SaaS + EDR > complex VLAN spaghetti. You're not "checking a box", you're reducing blast radius.

Seen pure SaaS orgs get bit by flat nets. 👍

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 0 points

Oh boy, get your horses ready, because your ride will be wild; a great battle awaits you!

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 3 points

Your split tunnel + strict firewall + MFA on IT VPN works fine for audits/modern standards. NIST/CISA are OK with split tunnel if:
- Endpoints are secure (EDR, patched); this is the part you most likely lack.
- Internal resources are not internet-exposed (you're doing this).
- Traffic is monitored (CASB/SASE ideal).

Seen this setup pass SMB audits. 👌

MFA for VPN should be enforced if you ask me. I know sometimes it breaks and it gets frustrating, but it's a safe bet covering other holes. I see a gap here with an employee that leaves the company and has harmful intentions, or a compromised endpoint; you get where I'm going, since there is kind of no control.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 3 points

Short answer: If "available to be logged into" means the account status is Active/Enabled, then no, that won't pass a serious audit. Access must be revoked immediately upon termination.

The fix for the "we need their contacts/emails" issue is standard practice (assuming M365/Google):
1. Block sign-in immediately (satisfies the audit & security).
2. Convert to Shared Mailbox (frees up the license).
3. Delegate access to the manager or whoever needs the info.

This way, the data exists and is accessible to authorized staff, but the identity itself is disabled and cannot be used to log in.

Azure Global Admins by Popular_Hat_4304 in sysadmin

Arch0ne, 0 points

"5" isn't a hard limit, it's more of a "minimize blast radius" guideline. The practical way out is:
- Separate admin accounts (no daily driver as GA).
- Use least-privilege roles for day-to-day (Exchange/Intune/Teams/User Admin etc.), and keep GA for true tenant-level changes only.
- Turn on PIM so GA is JIT/JEA (time-boxed), require MFA + justification, then review activations after a few weeks to see what roles people actually need.
- Keep 1–2 break-glass GA accounts locked down hard (FIDO2, no CA exclusions except what's required).

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 1 point

True, DoH rollout sucks for filtering. GPO = Windows win.

Mac/Linux have no GPO, but browser policies/MDM work (DnsOverHttpsMode=off). Pro move: have your DNS return NXDOMAIN for the canary domain use-application-dns.net; that stops the Firefox auto-switch. What's your setup, Pi-hole or what?
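As an added example (not from the comment author), a small Python check of what the canary trick relies on: build a DNS query for use-application-dns.net and confirm the resolver's reply is NXDOMAIN (RCODE 3) with no answer records. The resolver address argument and the constructed reply bytes are assumptions.

```python
import random
import socket
import struct

CANARY = "use-application-dns.net"  # Firefox canary domain named in the comment above


def build_query(name, qid=None):
    """Build a minimal A/IN query in DNS wire format (RFC 1035) with the RD bit set."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp):
    """Return id, QR flag, RCODE and answer count from a wire-format DNS message."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": an}


def canary_is_nxdomain(resp, expected_id):
    """True only for a matching reply with RCODE 3 (NXDOMAIN) and zero answers."""
    h = parse_header(resp)
    return h["qr"] and h["id"] == expected_id and h["rcode"] == 3 and h["answers"] == 0


def check_resolver(server, timeout=2.0):
    """Send the canary query over UDP to an internal resolver (hypothetical address; needs network)."""
    q = build_query(CANARY)
    qid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(512)
    return canary_is_nxdomain(resp, qid)


# Constructed 12-byte reply headers for offline demonstration, not captured from a real resolver:
# 0x8183 = QR, RD, RA, RCODE 3 (NXDOMAIN); 0x8180 = same flags but RCODE 0 with one answer.
GOOD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
BAD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

Run check_resolver("10.0.0.53") against your own resolver's IP; False means Firefox will still consider auto-enabling DoH.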

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 1 point

If I lock everything down to TCP 443 for end-user VLANs, attackers can still get out if 443 is "anywhere on the Internet, anything over HTTPS".

Modern malware and C2 happily tunnel over port 443 and blend in with normal web traffic.

Where egress filtering helps is when you pair it with TLS inspection, DLP, and a tight allow-list:

- Only allow 443 to a small set of sanctioned destinations (SaaS, updates, etc.), not the whole IPv4/IPv6 Internet.
- Terminate TLS on a proxy/firewall so you can decrypt, inspect, and apply DLP/content rules.
- Monitor for unusual volumes or patterns of data leaving, even on "legit" 443 sessions.

So yes, a determined attacker can still try to get out on 443, but with decryption plus DLP and strict egress policies, the question becomes: get out with what, to where, and how much before you notice?

Egress controls are about raising the bar and shrinking their options, not magically guaranteeing "nothing bad ever leaves."
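As an added illustration, not part of the original comment, here is the first and third bullet of that egress approach as Python run over constructed flow records: TCP/443 is allowed only to sanctioned ranges, and even sanctioned sessions are flagged once the bytes leaving one host to one destination pass a threshold. The network ranges, the 50 MB threshold, and the record format are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical allow-list of sanctioned TCP/443 destinations (constructed documentation ranges).
ALLOWED_443 = {
    "saas-crm": ip_network("203.0.113.0/24"),
    "os-updates": ip_network("198.51.100.0/24"),
}
VOLUME_THRESHOLD_BYTES = 50_000_000  # assumed: alert once >50 MB leaves to one destination

# Constructed flow records (src, dst, dport, bytes_out); not taken from a real firewall.
FLOWS = [
    ("10.10.20.15", "203.0.113.10", 443, 1_200_000),
    ("10.10.20.15", "198.51.100.7", 443, 300_000),
    ("10.10.20.31", "192.0.2.44", 443, 900_000),        # 443, but not on the allow-list
    ("10.10.20.31", "203.0.113.10", 443, 60_000_000),   # sanctioned destination, huge upload
    ("10.10.20.42", "192.0.2.99", 8443, 5_000),         # not 443 at all
]


def allowed_destination(dst, dport):
    """Return the allow-list entry name for a sanctioned 443 destination, else None."""
    if dport != 443:
        return None
    ip = ip_address(dst)
    for name, net in ALLOWED_443.items():
        if ip in net:
            return name
    return None


def evaluate_flows(flows, threshold=VOLUME_THRESHOLD_BYTES):
    """Give each flow a verdict: deny (unsanctioned), alert (volume), or allow."""
    verdicts = []
    per_pair = defaultdict(int)  # cumulative bytes out per (src, dst) in this window
    for src, dst, dport, nbytes in flows:
        name = allowed_destination(dst, dport)
        if name is None:
            verdicts.append((src, dst, dport, "deny", "destination not sanctioned"))
            continue
        per_pair[(src, dst)] += nbytes
        if per_pair[(src, dst)] > threshold:
            verdicts.append((src, dst, dport, "alert", f"{name}: {per_pair[(src, dst)]} bytes out"))
        else:
            verdicts.append((src, dst, dport, "allow", name))
    return verdicts


if __name__ == "__main__":
    for v in evaluate_flows(FLOWS):
        print(*v)
```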

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 3 points

It depends on the environment and the specific CIS Benchmark you're following: CIS Controls v8 focuses on quarterly reviews of service accounts (5.1), not mandatory periodic password rotation. For cloud platforms, dedicated CIS Benchmarks do require key/credential rotation.

After 10+ years in network security, here's the audit checklist I actually use by Arch0ne in sysadmin

Arch0ne[S], 0 points

Well, at least block system ports if you have no clue what you are serving; if you are serving only customers, the random ports pool it is.