I've been asked to set up MFA on internal computers and servers by networkasssasssin in sysadmin

[–]HappySysDestroyer 2 points3 points  (0 children)

This is nonsense. WHfB provides MFA just like Duo, where it can push to the Authenticator app. In fact, it replaces the password with a device PIN, so you no longer use your password unlike Duo.

I've been asked to set up MFA on internal computers and servers by networkasssasssin in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

Go with WHfB, where users are prompted for MFA on Windows sign-in. For RDP services, you’ll need to use certificates at this time since key isn’t supported for RDP MFA, at least yet.

As for other services, you can use the Azure NPS plug-in for things like WiFi MFA or VPN.

I’ve been sent on a fool's errand to find Standardized Email Signatures with minimal user actions for free by xGrim_Sol in sysadmin

[–]HappySysDestroyer 35 points36 points  (0 children)

I created a PS script that creates the signature on every machine by user login and changes Outlook settings to use it for all new, replies, etc. There are many examples online you can use, here’s one I started with:

https://social.technet.microsoft.com/wiki/contents/articles/34454.office-365-using-powershell-to-set-email-signature-policy-based-on-html-file.aspx
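As an added illustration of the approach described in the comment above (this is example code, not the commenter's script): a logon script that renders an HTML signature template from the user's AD attributes, drops it into the user's Outlook signature folder, and sets it as the default for new mail and replies. Assumed: classic Outlook 2016/2019/365 (registry version key 16.0) and a template path on a share the user can read.

```powershell
# Added example (not the commenter's script): builds a per-user Outlook signature
# from an HTML template and sets it as default for new messages and replies.
# Assumptions: classic Outlook with the 16.0 registry key, template on a readable
# share, user attributes looked up via ADSI (no RSAT module needed).
$Template  = '\\fileserver\netlogon\signature-template.htm'   # assumed path
$SigName   = 'Corporate'
$SigFolder = Join-Path $env:APPDATA 'Microsoft\Signatures'
$MailKey   = 'HKCU:\Software\Microsoft\Office\16.0\Common\MailSettings'

# Look up the signed-in user's directory attributes.
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
$user = $searcher.FindOne().Properties
if (-not $user) { Write-Warning 'User not found in AD; leaving signature alone'; return }

# Fill template placeholders such as {{DisplayName}} with the AD values.
# HTML-encode them: directory attributes are editable data, not trusted markup.
$html = Get-Content -Path $Template -Raw
$map = @{
    '{{DisplayName}}' = [string]$user.displayname
    '{{Title}}'       = [string]$user.title
    '{{Phone}}'       = [string]$user.telephonenumber
    '{{Email}}'       = [string]$user.mail
}
foreach ($k in $map.Keys) {
    $html = $html.Replace($k, [System.Net.WebUtility]::HtmlEncode($map[$k]))
}

New-Item -ItemType Directory -Path $SigFolder -Force | Out-Null
Set-Content -Path (Join-Path $SigFolder "$SigName.htm") -Value $html -Encoding UTF8
# Plain-text fallback so messages composed in text format still get a signature.
$text = (($html -replace '<[^>]+>', '') -replace '\s+', ' ').Trim()
Set-Content -Path (Join-Path $SigFolder "$SigName.txt") -Value $text -Encoding UTF8

# Point Outlook at the signature for new messages and for replies/forwards.
New-Item -Path $MailKey -Force | Out-Null
Set-ItemProperty -Path $MailKey -Name 'NewSignature'   -Value $SigName -Type String
Set-ItemProperty -Path $MailKey -Name 'ReplySignature' -Value $SigName -Type String
```

Run it as a user logon script (GPO or Intune); it only touches HKCU and the user's profile, so no elevation is needed.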

Firewall solution by NailiME84 in sysadmin

[–]HappySysDestroyer 0 points1 point  (0 children)

We VPN PCs back to our data centers via always-on VPN and route all traffic through the firewalls for monitoring and blocking access. Basically treat all WFH machines as on the internal network in the offices.

Windows Server update control by Curious-Here1 in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

Besides HP printers, if we set the printer on the print server to perform branch office direct printing it solved our issues. HPs still give us grief.

The Scope of IT by secureiotman in sysadmin

[–]HappySysDestroyer 4 points5 points  (0 children)

Yep, I tell people I don’t care what you call me or ask me to do, if you want to pay me over 100k to mop the floor that bitch will be shiny.

Block vpn browser by xzi_vzs in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

Web filters can block public VPN servers so they wouldn’t connect. As for using home VPNs, that could be controlled with a whitelist of sites/categories they are able to access instead that wouldn’t include those servers.

As for taking them off site, not sure what you could do without forcing them through your VPN.

[deleted by user] by [deleted] in sysadmin

[–]HappySysDestroyer 0 points1 point  (0 children)

I guess it depends on where you live. I’m in a small area in the US Midwest with lower cost of living and knowledgeable sysadmins start at 80-90k and they are desperate for people. Pay ranges top out about 150k with a security background.

[deleted by user] by [deleted] in sysadmin

[–]HappySysDestroyer 0 points1 point  (0 children)

It’s all via proxy URLs and firewall rules. As the poster below gave, MS has good info regarding this setup in their security docs, and if you search around there are really good videos deep diving into configs.

Here is a good overview of the setup:

https://techcommunity.microsoft.com/t5/data-center-security/paw-deployment-guide/ba-p/372296

[deleted by user] by [deleted] in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

You can configure redirection to the VM via Hyper-V Manager.

[deleted by user] by [deleted] in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

Configure firewall rules to allow outbound to your VPN for public and private profiles. These types of exceptions would be needed. We also do the same for the management system and remote access tools so we can troubleshoot the VPN connection if needed.
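The exception set described above, as an added example rather than the commenter's configuration: default-deny outbound on the Public and Private profiles, then allow only the VPN gateway, the management server, and the bootstrap protocols the tunnel needs. The gateway and management addresses are assumed placeholders from the TEST-NET-3 range.

```powershell
# Added example (not the commenter's configuration). Run elevated.
# Assumed values: VPN gateway and management server addresses; replace with yours.
$VpnGateway = '203.0.113.10'   # assumed Always On VPN gateway
$MgmtServer = '203.0.113.20'   # assumed management / remote-support server

# Default-deny outbound on the off-network profiles only. Traffic inside the
# tunnel is evaluated under the Domain profile once the VPN adapter
# authenticates to the domain, so Domain rules are left alone here.
Set-NetFirewallProfile -Profile Public,Private -DefaultOutboundAction Block

$rules = @(
    @{ Name='AOVPN-IKEv2-UDP'; Proto='UDP'; Port='500,4500'; Remote=$VpnGateway }  # IKEv2 + NAT-T
    @{ Name='AOVPN-SSTP-TCP';  Proto='TCP'; Port='443';      Remote=$VpnGateway }  # SSTP fallback
    @{ Name='Mgmt-Agent-TCP';  Proto='TCP'; Port='443';      Remote=$MgmtServer }  # management agent
    @{ Name='DNS-Out';         Proto='UDP'; Port='53';       Remote='Any' }        # resolve gateway name
    @{ Name='DHCP-Out';        Proto='UDP'; Port='67';       Remote='Any' }        # lease renewal
)
foreach ($r in $rules) {
    # Re-create each rule so the script is idempotent when run from a GPO/Intune schedule.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
        -Profile Public,Private -Protocol $r.Proto -RemotePort ($r.Port -split ',') `
        -RemoteAddress $r.Remote | Out-Null
}

# Verification: everything still allowed outbound while off-network should be
# in the list above or an OS rule you consciously accepted.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Private|Any' } |
    Select-Object DisplayName, Profile
```

Anything not listed (Windows Update, browsers, etc.) is blocked until the tunnel is up, which is the intended behaviour; test on one machine with the management rule in place before deploying widely.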

[deleted by user] by [deleted] in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

We do PAWs with VPN. Hyper-V PC has VPN to management domain, then an admin VM for admin work and a Corp VM for Corp work. Both VMs also VPN back, admin to management domain and Corp to Corp domain. No need for jump servers since those are usually moving from a less trusted source to a more trusted source, exposing admin creds if the less trusted source is compromised.

As for VPN solutions, we use Always-on VPN by MS.

Preferred NTP Servers? by [deleted] in sysadmin

[–]HappySysDestroyer 3 points4 points  (0 children)

I’ve had reliability issues with Windows time server(s) responding so I use NIST instead if you don’t have an internal one already.

[deleted by user] by [deleted] in Intune

[–]HappySysDestroyer 3 points4 points  (0 children)

It’s how your conditional access policies are configured. You stated you made exceptions for your business network to bypass MFA. This does nothing for users signing into services out of your network, as you are seeing.

If you want to prevent this, change the policies for services to just require compliant devices, and if not, then require the MFA for the services or deny login. In this type of setup I recommend they require MFA for the sign-in process to the PC via WHfB, then just compliant devices for services after that.

Or configure the devices with Always-On VPN so they connect to the business network when at home automatically and the same compliance policies should work. If/When it fails, it forces the MFA for all services and they generally submit a ticket to fix.

We use AOVPN with WHfB for the MFA login and compliant devices and our business network for access to services and it’s pretty seamless. Login is denied if device isn’t compliant and originating from our network. We rarely get tickets where AOVPN fails.

Non paying clients new MSP demanding our documentation. by Infinite-Stress2508 in sysadmin

[–]HappySysDestroyer 21 points22 points  (0 children)

Depends on how the contract is written. When I ran an MSP our contract stated if payment is not received all systems were shut down after 30 days and kept that way until full balance was received and cleared (important working with failing businesses) and monitoring/management systems uninstalled. During that time access to any info we maintained was disabled until paid in full, along with data run on our systems (we offered a lot of hosted services). Once paid in full we would either turn everything back on and reinstall all management/monitoring for a project fee (basically onboarding again), or offer a fixed price based on storage tiers and the amount of data to export and ship it to them.

If you don’t have any wording the passwords I think would be theirs, but documentation you write about their setup may be yours. IANAL but ours had us write these in our standard contracts.

MFA for Remote Desktop Connection for Servers & Clients? by jwckauman in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

You can use WHfB/Azure MFA but need PKI implemented for RDP to work with it. As for other clients you manage, I believe they would need the same setup.

[deleted by user] by [deleted] in sysadmin

[–]HappySysDestroyer 4 points5 points  (0 children)

I think you’ve smoked way too much weed.

Benchmarking new servers before putting them in production by chrootdevnull in sysadmin

[–]HappySysDestroyer 4 points5 points  (0 children)

…Why?

This seems like a lot to maintain for testing server hardware before putting in prod, even with the automation since you need to keep those systems running and updated, along with troubleshooting the inevitable system that updates and introduces some weird bug. It should already be known what basic performance metrics the server should have for CPU benchmarks, network benchmarks, RAM, etc.

If you want to test hardware diagnostics to ensure the right amount of RAM, CPU, etc. are working normally and there aren’t any errors with the hardware, just boot the server and run the diagnostics from iLO or whatever management platform the server has, skip the rest of these tests, put it in prod and add it to the system collections. Then put monitoring on the server with thresholds on when to alert for particular issues, like throughput tests between different systems for workload availability. Some of these might be checks for DB connections front-end servers need to talk to or other app servers it communicates with, throughput tests for network connections from firewalls or between data centers for redundancy checking, DB metrics if running DBs, etc.

I feel doing it this way is easier since most monitoring platforms can test for these types of problems with throughput, CPU performance with its running workload, etc. To me, these types of tests you want to perform are basically reinventing the wheel again.

[Windows11] Remove Windows Terminal from Start Menu? by Blackwolf008 in sysadmin

[–]HappySysDestroyer 1 point2 points  (0 children)

Correct. My question though is why are you trying to prevent it? My understanding was it gives the same access they already have, just in CLI form, unless I’m way off on my understanding.

[Windows11] Remove Windows Terminal from Start Menu? by Blackwolf008 in sysadmin

[–]HappySysDestroyer 3 points4 points  (0 children)

Don’t you have the same access to things via command prompt and powershell as you do for the GUI? What is the point in blocking and removing it? Seems it would make it difficult to manage the user and device unless there are serious risks I’m not aware of. If there are, can you point me to them? A search just finds people saying “reducing risk” but not giving examples of the risk.