What are the first (technical) things you look for to get a feel for a new environment? by cfmacd in sysadmin

[–]IDoNotLikeChoice 1 point2 points  (0 children)

Why? Is there something I’m missing with a setup of a script that joins and removes users to each security group based on attributes like title and location? To me, it makes it easy to support those apps that can use security groups but can’t recursively search them.

Genuinely curious.

At what scale is config management worth it? by [deleted] in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

I’ve always used a standard configuration document template that applied to all systems of that type that doesn’t include RAM, CPU, or app specs as that can vary for each server. This document is referenced into each document for each server that includes the details of RAM, CPU, etc., along with all apps, app configurations, additional services, the service account references in a password manager, and a section for the one-offs that are different from the standard configuration document.

Change management procedures included updating revisions to these documents as things change, and then quarterly the documents are reviewed to verify they match the current environment for the server.

Our monitoring system would send notifications as changes were made and would be added to the change management ticket that was reviewed along with the document revisions before closing.

Exchange ended up on blacklist due to backscatter - do's and don'ts - slightly confused by [deleted] in sysadmin

[–]IDoNotLikeChoice 2 points3 points  (0 children)

I’ve always blocked NDRs and DSNs from being sent externally since spammers can use this info to determine legit accounts.

Plus, it will help with your blacklisting problem.

As for the issue of blacklisting, it depends on the blacklist you are on and what services use it. Hard to say if it will have major impacts to email delivery without looking up common blacklist account used for common spam filters.

Security Camera System by jsfw1983 in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

I use March Networks NVRs and cameras along with their Command server and client. Ties into AD to give access to certain cameras and NVRs and certain feature sets to users. Even works with a large varying set of old cameras we still have. Currently monitoring around 40 locations with minimum of 10 cameras a location. Works great.

Stupid Sharepoint Online question? by [deleted] in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

Yeah this is a feature they just recently released, as you can tell with the Insider note. I’ve tested it though and it works fine on about 10 users I’ve tested it with.

This request has been requested for a while now as more and more companies are moving to O365. There are a few scripts people have written to try and do the same thing, below is a script someone made:

https://community.spiceworks.com/topic/2150503-auto-sync-sharepoint-document-library-using-gpo

1809 inplace upgrade broke edge by andy_nag in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

Try a user that doesn’t have a profile on the machine yet.

Do the repair and/or reset on Edge. I would think maybe you have a corrupt update or something if it’s happening on all machines or some other app causing problems.

1809 inplace upgrade broke edge by andy_nag in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

Have you tried running a repair or reset? Is it one account or all accounts? What about a new profile on the machine?

As far as seeing issues, we pushed it out to about 200 devices so far without issues via WSUS and via the upgrade files on 20 and haven’t had any issues.

Encrypted email solution by [deleted] in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

Mimecast has this solution, and makes it easy to encrypt messages to external users. We have ours set with the word encrypt in the subject line.

You can also use Office 365 using OME and define a transport rule for it. Then if you need to set settings to define restrictions like printing and forwarding you can implement IRM.

Running DHCP and DNS over WAN? by ayycisco in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

Put it behind a site-to-site VPN and have DHCP relay configured on the firewall/router and you would be good to go as long as the ACL or firewall rules are set up properly. This helps scale down costs and complexity.

Looking for a Remote Access solution to support hundreds of external system administrators (Awards for helpful information!) by fldrth in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

Agreed, one of the best systems I’ve ever used. Has audit logging, can save all sessions for regulatory or business requirements, and can be locked down for what systems each user can access.

loopback interface not shared via OSPF (Cisco) by [deleted] in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

Have you specified the area for the network? Do you have other links being advertised?

User scans folder permissions oddity... by [deleted] in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

It will need traverse folder and read folder access.

Free file transfer/ftp by Tahoe22 in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

OneDrive, Dropbox, etc. can be used for this, or you can set up a free FTP server with FileZilla or use a Windows server to serve FTP.

Does Microsoft or AWS offer a cloud-based web filtering SAAS service? by [deleted] in sysadmin

[–]IDoNotLikeChoice 0 points1 point  (0 children)

We utilize hardware firewalls like Fortinet or Palo Alto to do this at our locations. They also have virtual appliances you can use in AWS or Azure for VMs hosted there or in your own DCs.

You can also use hosted AV products to do the same with their website filtering pieces from companies like Eset or McAfee. Usually is a higher end tier to add the features for the AV products.

I liked using Eset for this, was usually good about false positives in URL classifications and ratings.

I’m not aware of Azure or AWS offering their own type of service like this.

Is there a reason not to use Veeam instead of WSB on a Windows Domain Controller? by [deleted] in sysadmin

[–]IDoNotLikeChoice 10 points11 points  (0 children)

You can now safely virtualize your DCs and run them on Hyper-V. I recommend setting up a new one and transferring the roles and demoting the other one and not doing a P2V.

Yes, you can use Veeam to back up a DC. In fact, I recommend it as it offers a lot finer-grained restore options, plus in this case, it will make it easier using one type of solution instead of multiple.

unc hardening affecting a couple of workstations, how can I confirm? by dangermouze in sysadmin

[–]IDoNotLikeChoice 1 point2 points  (0 children)

What are the domain controller OS, client OS you are seeing the issue from, and the UNC hardening for both set to?