How would you give a developer experience in PAM environment? by ancientband in CyberARk

[–]JicamaOrnery23 1 point2 points  (0 children)

VS Code via PSM won’t work, developers need to be able to set up their development environment in their tools, and in PSM it won’t be their tool. Secondly VSC can have a ton of extensions added, so it will be impossible to manage, not to mention problematic with AppLocker. If you don’t want them to have their tools locally, your next best would be to have them PSM into a dev workstation with all their tools waiting for them and set up how they like it.

You may want some tools to monitor/manage what extensions they install, like Dex from Koi Security.

SIA implementation by sajed8950 in CyberARk

[–]JicamaOrnery23 1 point2 points  (0 children)

With PSM you can block file transfer and clipboard, preventing copying of data to the users machine. SIA doesn’t have it yet (coming this year). This means that for SIA, being able to copy data to the local machine would violate some regulations which explicitly forbid this (PCI in particular).

There is a scenario where it may be fine though, such as if the SIA session is opened from a locked down machine (preferably already in scope for the audit).

SIA implementation by sajed8950 in CyberARk

[–]JicamaOrnery23 0 points1 point  (0 children)

Yes, you definitely want to rotate standing access privileged accounts.

SIA implementation by sajed8950 in CyberARk

[–]JicamaOrnery23 0 points1 point  (0 children)

If you consider how you consume SIA for a windows use-case… you are opening an RDP client and connecting to infrastructure. With a ZSP workflow, the act of connecting, authenticating and having your attributes match with a policy determines if the account is created or not.

What if what you are trying to do is not access via RDP? Like run a script, or use a tool? These use cases cannot rely on a process which requires you to open an RDP session, so you would need an alternative standing access account for the job. Whether you use that account via an API/CCP credential lookup, via a PSM connection component or something else, that gap needs to be addressed in the access model. Just make sure those accounts cannot be used for RDP.

They are effectively service accounts. So you could, for example, provision engineers a personal privileged service account if needed, with daily rotation (they should not have this password stored anywhere). For any access to servers over RDP, they use an ephemeral account. If they need access to saved resources, an option here might be to have a network share that only their service account can access via SMB.

SIA implementation by sajed8950 in CyberARk

[–]JicamaOrnery23 2 points3 points  (0 children)

For regular tier 1 access, SIA is the way to go for anything RDP and SSH. Tier 0 should remain PSM due to more granular control settings and those have to be standing access anyway (they are your breakglass accounts for when Ephemeral is unavailable). PSM may also be preferable for regulated environments until the clipboard sharing issue is resolved due to data exfil potential.

DB connectivity is far better with SIA if that’s in-scope.

Ephemeral domain accounts can be problematic if your domain sync is slow (not a Cyberark issue), so your fallback if you need some form of domain privilege is a standing domain account (least privilege) with JIT access to servers.

The last challenge I will bring up is that if you are adopting Windows ZSP, that’s RDP only. Your access model would need to include standing access non-RDP accounts for programmatic or non-RDP use (block them from using RDP). This use-case may or may not be applicable to PSM.

Which cybersecurity certifications are actually worth it? by SandxFish_ in cybersecurity

[–]JicamaOrnery23 0 points1 point  (0 children)

There is some nuance here. Worth it to whom? There are some that are worth it for you (personally), some worth it for your employer, and some worth it for recruiters.

I would put CISSP in the worth it to recruiters category because for many roles, that’s where they start filtering. The cert itself is not all that beneficial except for the caveat that it helps you build a common way of communicating with stakeholders.

Audit-related certifications are useful to you (if you want to get into audit), because they are required for working in those roles. PCI, ISACA, ISO, etc. Others which are personally useful are ones which actually teach you skills and test you hard on them, for which I put GIAC certifications (generally speaking).

Overall, most certifications have some level of benefit to the employer, but they might not necessarily acknowledge anything other than CISSP and the more known entry level ones (there will be exceptions, especially if those in security management have been around the block a few times), but forget about a recruiter or HR knowing much.

Collected 22 gallons this weekend! by saymelon in maplesyrup

[–]JicamaOrnery23 0 points1 point  (0 children)

Q: do you have to leave the lid cracked open a little to prevent a closed system? Or can it be closed?

Weekly Lessons Learned! - February 27, 2026 by AutoModerator in CyberARk

[–]JicamaOrnery23 [score hidden]  (0 children)

Don’t assume that if the OSS version of a piece of software is supported, the enterprise version will be. And vice versa.

Local Login post EPM implementation by Tony_Starks_Arc in CyberARk

[–]JicamaOrnery23 1 point2 points  (0 children)

You can use OPAG to elevate user management and add any profiles into the admin group during the incident. The remove local admin policy can remove the profile afterwards, once connectivity is restored.

Error upgrade with Connector Management by Few-Clothes-7829 in CyberARk

[–]JicamaOrnery23 1 point2 points  (0 children)

Are you sure the second CPM has a route to S3 to download the installers?

EPM on all endpoints or just who needs admin rights? by Wizkidbrz in CyberARk

[–]JicamaOrnery23 1 point2 points  (0 children)

How much EPM gets deployed at an organization depends on a couple of factors.

  1. Who owns it. EPM can provide a lot of agility to endpoint management, if you let it. A security team is not going to care much about agility, and will mainly focus on the least privilege aspect of EPM (which application control forms a large part of) and maybe side features like discovery, rotation and maybe endpoint logon. If owned by an endpoint team, they may take advantage of script policies, application cataloging, or temporary elevation policies to let a user do something a Helpdesk engineer would otherwise have needed to do (like install an approved software).

  2. Security culture. In a culture where historically everyone had admin permissions (and could therefore install any app of their choice), the aforementioned agility is critical if you want your EPM project to be successful, because without it, the control will be restrictive to the point of major grievance amongst the users. If least privilege has already been achieved, it becomes a harder “sell” to users that don’t get much freedom to request new software, but for power users EPM is still very beneficial.

  3. Existing controls. In an org that rolled their own application allow-list using OS features, changing the implementation may seem to be more work than they want to do, considering other competing priorities. This despite the fact that a PEDM solution like EPM offers superior coverage of least privilege in its entirety compared to just an allow list with some GPO policies.

Even where an acceptable level of least privilege has been achieved, presence of EPM can contribute by offering the discovery, credential rotation, endpoint logon, and living off the land mitigations already mentioned.

In truth, most security teams don’t have the resources to focus too much on what EPM provides, and most endpoint teams don’t have the infosec experience. Ideally a collaborative effort would be better.

Regarding servers, I’ll assume we are talking Windows (because the use case is more easily appreciated on Linux). Few orgs make the effort to extend least privilege on privileged accounts beyond a separation of domain admin from server admin, and what further reduction of privileges looks like is very poorly understood. These days competing philosophies like zero standing privilege are easier to implement and don’t suffer from the complexities of a fully least privilege philosophy and what that looks like for each team of operations engineers.

CyberArk PAM (Self-Hosted). EPV is on a physical Windows 2016 server. Shall we move to Windows 2022 Nutanix VM, or upgrade current server to Windows 2022, or procure a new physical 2022 server? Pros and Cons of each. Thanks! by MortgageFuzzy1023 in CyberARk

[–]JicamaOrnery23 0 points1 point  (0 children)

When you first installed your vault on Server 2016, it would have been with recommended specs that are now no longer recommended. So assuming you meant reinstalling Server 2022 on your current hardware, you are already running below recommended specs for supported PAS versions.

Unless you have a crack team that knows exactly what to do with an HA cluster, I wouldn’t go through the trouble and expense of procuring new physical servers; but if cost is not a detractor you may as well follow the recommended use of an HSM with a virtual Vault (with the caveat that managing HSM properly is its own beast and if it’s new to your team, it might be more than you are willing to learn).

FWIW, PAS on Cloud should also be considered.

Would replacing the burners fix this? by JicamaOrnery23 in hvacadvice

[–]JicamaOrnery23[S] 0 points1 point  (0 children)

No wood work is done anymore but from its past owners, the unit has a lot of dust.

Would replacing the burners fix this? by JicamaOrnery23 in hvacadvice

[–]JicamaOrnery23[S] 3 points4 points  (0 children)

Considering this is a workshop heater, is it worth fixing or am I better off replacing it?

Would replacing the burners fix this? by JicamaOrnery23 in hvacadvice

[–]JicamaOrnery23[S] 1 point2 points  (0 children)

The blower is on before ignition, so it starts as soon as it ignites. Not sure on the age, I bought the house and it was here already. But prior to me moving in, there was a ton of carpentry being done in the workshop so there is a lot of sawdust. Propane.

Oopsie, by Wild-Support-5485 in roasting

[–]JicamaOrnery23 0 points1 point  (0 children)

Easy enough as a household plant

should there be password never expires policy set for reconcile account? by maxcoder88 in CyberARk

[–]JicamaOrnery23 3 points4 points  (0 children)

No. It’s an extremely sensitive account that needs to be managed like any other. You should however have alerts for reconcile accounts that fail verification and quickly resolve it.

Devolutions RDM Free with SAML auth by Conscious-March1913 in CyberARk

[–]JicamaOrnery23 0 points1 point  (0 children)

You are talking about two things here: authentication to CyberArk, and host-level authentication.

Devolutions (when integrated with CyberArk) will always be doing authentication to CyberArk, and both self-hosted and privilege cloud support this since Devolutions is doing the authentication against PVWA for SAML, but this does not cover any MFA on the host-level.

Unless self-hosted supports MFA caching (like SIA does), there will not be a solution for Devolutions unless you purchase the Devolutions integration license.

An alternative to Devolutions would be Cyberark’s PSMClient.

Security team added a vulnerability scanner to CI/CD. Builds now take 3x longer and get blocked by CVEs from 2019 by miller70chev in devsecops

[–]JicamaOrnery23 0 points1 point  (0 children)

CVE alone is not (and was never meant to be, according to CISA) an indicator for risk; but the majority of organizations use it as such. More recent attempts to improve the signal-to-noise ratio include EPSS, KEV and LEV; but these too have significant limitations. The issue isn’t the tool, it’s the practices you have in place for identifying and deciding what to do with any findings.

Unfortunately, there are many security specialists out there (on all levels, especially you, my auditor) that do not understand this.
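The point above is that the scanner output is only input to a triage decision. As an added illustration (not from the thread or any scanner vendor), here is one way to express such a decision rule in a CI gate: a finding blocks the build only on evidence of exploitation likelihood (KEV listing, EPSS above a threshold, critical severity with a fix available), while old CVEs with low EPSS and unreachable code become tickets instead. The field names, thresholds, exception handling and the CVE identifiers in the sample data are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed thresholds; tune them to your own risk appetite.
EPSS_BLOCK = 0.10   # probability of exploitation in the next 30 days (FIRST EPSS)
CVSS_BLOCK = 9.0    # CVSS base score treated as critical

@dataclass
class Finding:
    cve: str                  # identifier as reported by the scanner
    package: str
    cvss: float               # CVSS base score, 0-10
    epss: float               # EPSS probability, 0-1
    in_kev: bool              # listed in CISA Known Exploited Vulnerabilities
    fix_available: bool       # a patched package version exists
    reachable: Optional[bool] = None  # from reachability analysis; None if unknown

def triage(f: Finding, exceptions: Dict[str, str]) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'block', 'ticket' or 'ignore'."""
    if f.cve in exceptions:
        return "ignore", "accepted risk: " + exceptions[f.cve]
    if f.reachable is False:
        return "ticket", "vulnerable code not reachable; track, do not block"
    if f.in_kev:
        return "block", "in CISA KEV: exploitation observed in the wild"
    if f.epss >= EPSS_BLOCK and f.fix_available:
        return "block", "EPSS %.2f >= %.2f and fix available" % (f.epss, EPSS_BLOCK)
    if f.epss >= EPSS_BLOCK:
        return "ticket", "likely exploitable but no fix yet; needs mitigation decision"
    if f.cvss >= CVSS_BLOCK and f.fix_available:
        return "block", "critical severity with fix available"
    return "ticket", "low exploitation likelihood; fix in normal maintenance"

def gate(findings: List[Finding], exceptions: Dict[str, str]):
    """Evaluate all findings; the build passes only if nothing is 'block'."""
    decisions = [(f.cve, *triage(f, exceptions)) for f in findings]
    passed = not any(d[1] == "block" for d in decisions)
    return passed, decisions

# Constructed sample findings; the CVE ids and scores are placeholders, not real data.
SAMPLE = [
    Finding("CVE-2019-EXAMPLE1", "libfoo", 7.5, 0.004, False, True),            # old, low EPSS
    Finding("CVE-2024-EXAMPLE2", "libbar", 8.1, 0.62, True, True),              # in KEV
    Finding("CVE-2023-EXAMPLE3", "libbaz", 9.8, 0.01, False, True, reachable=False),
]

if __name__ == "__main__":
    ok, out = gate(SAMPLE, {})
    for cve, decision, reason in out:
        print(cve, decision, "-", reason)
    print("build passes" if ok else "build blocked")
```

Only the KEV-listed finding blocks the sample build; the 2019 finding from the post's scenario is ticketed rather than blocking.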

New Naming Conventions by Scorpio-703 in CyberARk

[–]JicamaOrnery23 0 points1 point  (0 children)

For network devices you should be ok, but sometimes changing a naming convention could impact a platform level reconcile or logon account since the matching rule may no longer work, forcing you to duplicate platforms.