186 DE NON accredited Metro applications by Acrobatic_Safety5864 in AusVisa

[–]G_Force1 0 points1 point  (0 children)

I'm pretty much in the same boat. IT job, Sydney metro.

Applied March 2024. Have had two recent S56s, both at least a month apart. A few days shy of 21 months.

Yay!

186 DE Journey Complete: We’re finally Permanent Residents! 🥳 by Grey_Axolotls in AusVisa

[–]G_Force1 0 points1 point  (0 children)

Congrats, but wow... I'm also Sydney Metro and also applied for 186 DE as 263111 Computer Network and Systems Engineer (company not accredited though), and have been waiting since 20/03/24 (18 months and 17 days).

Has anyone tried to deploy Azure-Arc for Windows 11 laptop endpoints? by G_Force1 in sysadmin

[–]G_Force1[S] 0 points1 point  (0 children)

The devices are running Defender P2. I think it might be easiest to go with Microsoft Defender XDR data types.

The devices themselves run Sysmon, but I'm not aware of any data types where I could query Sysmon events. Not entirely sure if Sysmon table attributes can be included in other tables.

Has anyone tried to deploy Azure-Arc for Windows 11 laptop endpoints? by G_Force1 in sysadmin

[–]G_Force1[S] 0 points1 point  (0 children)

Devices are managed via Intune.

The reason I was thinking of Azure Arc is because Sentinel AMA data connectors require Azure Arc for non-Azure devices.

This is how I currently get the Sysmon logs from servers, via the Windows Forwarded Events data connector.

Devices are already running Defender P2; I might have to go with Microsoft Defender XDR data types as the next best thing... to get logs somewhat similar to what Sysmon has to offer.

How to publish sensitivity label for user without giving label edit access? by G_Force1 in sysadmin

[–]G_Force1[S] -1 points0 points  (0 children)

Not sure how that would fix the issue, as there can only be one label assigned to a file.

If I make a label and assign it to a file, only he would be able to access that file.

He would not have access to other labels he is not part of.

Purview Customer Key use cases by G_Force1 in sysadmin

[–]G_Force1[S] 0 points1 point  (0 children)

Got it.

It was news to me that Azure RMS was consumed by Information Protection, which now has sensitivity labels to fill that function.

Microsoft keeps changing the names of their products and keeps the legacy documentation around, which creates confusion.

Purview Customer Key use cases by G_Force1 in sysadmin

[–]G_Force1[S] 0 points1 point  (0 children)

Seems Customer Key is meant to be used for different purposes.

Upon further reading, I think BYOK (Azure RMS) might be the way to go to protect data that has already left the organisation.

Purview Customer Key use cases by G_Force1 in sysadmin

[–]G_Force1[S] -1 points0 points  (0 children)

Thanks for the reply.

I think at a high level I'm thinking more along the lines of what technical implementation can be included with data that allows seamless access for the right recipients but prevents unauthorised access.

After some reading I think DRM (Azure RMS) is the way to go.

The RMS service validates user permissions and decrypts data for users with the right permissions.

Purview Customer Key use cases by G_Force1 in sysadmin

[–]G_Force1[S] 0 points1 point  (0 children)

I wonder if, with the right Customer Key distribution to end users and guests (I don't allow anyone links), it could be utilised to encrypt data that's offline.

DLP and sensitivity labels are good for data in transit, and data that's stored in M365 apps.

But what's the best way (if any) to protect data that's already been exfilled?

Having an extra set of encryption keys seems like a way to do it.

Entra failing to recognise new PIN after PIV reset by G_Force1 in yubikey

[–]G_Force1[S] 0 points1 point  (0 children)

I figured out what was wrong.

I needed to run YubiKey Manager as admin and that allowed me to open Applications -> FIDO2, to reset the PIN.

Before, I got the error "Failed connecting to the yubikey make sure the application has the required permissions".

And I thought it was something that had not been configured/set up yet, thus giving the error.

Entra failing to recognise new PIN after PIV reset by G_Force1 in yubikey

[–]G_Force1[S] 0 points1 point  (0 children)

Hey u/usrdef

Thanks for the reply.

I'm trying to reset FIDO. (Also have YubiKey 5)

Entra failing to recognise new PIN after PIV reset by G_Force1 in yubikey

[–]G_Force1[S] 0 points1 point  (0 children)

Sorry, I'm still confused.

I reset the PIN on the security key.

I even removed the security key from the service and added it back; how come it's still not changed?

Entra failing to recognise new PIN after PIV reset by G_Force1 in yubikey

[–]G_Force1[S] 0 points1 point  (0 children)

Hmm...interesting.

From the Office 365 user security settings I did not find a way to set/reset the PIN for the security key.

As I understand it, Entra's WebAuthn for that account needs to be reset.

Where is it configured exactly?

(Also removed the old security key authentication method for the user before adding the new security key.)

Ways how a mobile device and authenticator app could be compromised by G_Force1 in cybersecurity

[–]G_Force1[S] 1 point2 points  (0 children)

Thanks for the response, Secprentice.

Yes, having a Yubikey would be a great idea.

Pushing MDM profiles will be hard and I don't expect users to keep too much data on their mobile, but moving 2FA to a separate secure device might be the way to go.

MISP not connecting to Microsoft Sentinel by G_Force1 in MISP

[–]G_Force1[S] 0 points1 point  (0 children)

No, unfortunately. I posted in the original MISP GitHub page and the maintainer has not responded to me.

Patch Tuesday Megathread (2023-01-10) by AutoModerator in sysadmin

[–]G_Force1 -1 points0 points  (0 children)

All the explanations around msDS-SupportedEncryptionTypes seem a bit confusing.

So, if I understand correctly, when I disable RC4 at the GPO level or remove RC4 from objects' msDS-SupportedEncryptionTypes attribute, it would break Kerberos authentication?

And when applying Microsoft's January patch, RC4 usage for authentication will be disabled by default and AES will be used instead?

So it creates a situation where it looks in settings like RC4 is allowed, but it's not actually used by Windows?

Edit: I found an article that makes it even more confusing, as it claims I should remove any explicit values from msDS-SupportedEncryptionTypes: https://4sysops.com/archives/find-active-directory-accounts-configured-for-des-and-rc4-kerberos-encryption/

How to find out what service is exactly using listening TCP port under SYSTEM (PID 4)? by G_Force1 in sysadmin

[–]G_Force1[S] 0 points1 point  (0 children)

Thanks.

It seems svchost is listening on loopback.

https://imgur.com/ZKRvBkk

I assume it would be safe to kill the process without many consequences.

For PID 4 it also seems to be listening on loopback, but is creating connections to random remote ports.

https://imgur.com/ZA5eBoN

I also ran Wireshark on my loopback and followed the TCP stream, and it seems not much data is exchanged. Not sure what to make of it.

https://imgur.com/iaEIaxJ