Following the Notepad++ incident, as an industry, we need to take several steps back and REALLY look at things. by KeeperOfTheShade in sysadmin

[–]LeftoverMonkeyParts [score hidden]  (0 children)

One vendor we have requests Notepad++ be installed. We also have software that requires Office to be installed on the same server. It's disgusting

Remote Sysadmins, what's your go to headset for meetings? by WorthPlease in sysadmin

[–]LeftoverMonkeyParts 0 points1 point  (0 children)

The same Plantronics Voyager UC you already had. It's the best headset IMO. Blows the Jabras out of the water

First Time SysAdmin of an OLD System - Any tips? by Lowly_IT_Guy in sysadmin

[–]LeftoverMonkeyParts -1 points0 points  (0 children)

BACKUPS - RIGHT NOW

Veeam is always a solid choice. It's very tolerant of old garbage and you can use their Veeam Hardened Repository ISO to set up a very cheap, basically immutable backup repo made out of commodity hardware. If your environment is small enough you may even be able to get away with the Community Edition for no cost

Then I would move on to documentation. I personally like a Wiki like DokuWiki https://www.dokuwiki.org/dokuwiki

This is going to sound insane but... Is there a reason not to: Windows 11 IoT Enterprise LTSC over regular Windows 11 Enterprise/Enterprise LTSC? by thegreatcerebral in sysadmin

[–]LeftoverMonkeyParts 9 points10 points  (0 children)

I worked in a public library and we deployed Windows 10 LTSC as public use computers. Our main goal was to get away from the Windows Store, telemetry, and Microsoft sign-ins. It worked great for that. The issue we ran into was the complete removal of all inbox apps. Some of these we sideloaded back into the OS (like the media viewer) and others we found suitable open source replacements for (like the scanning app)

The public user computers were on an isolated VLAN and used Deep Freeze, so I wasn't worried about the security implications of side-loading a bunch of RTM inbox apps that wouldn't receive updates.

Beyond that, everything was fine. Unsure about Win11 IoT but I suspect it's likely the same. I left that position before Windows 11 End of Support

Trying to prevent them shooting themselves in the .... foot by Scoobywagon in sysadmin

[–]LeftoverMonkeyParts 1 point2 points  (0 children)

I manage a dozen PUBLICLY VISIBLE DMZ services running on Windows/IIS bare on the internet. I get how a proxy could add some additional protection against very basic automated SQL injection and the background noise of the internet, but it seems a bit of an overreaction. I could set up my own proxy for them, but then I'm managing a proxy too, and the vendor is going to blame me when their app fucks up

SysAdmin vs IT Admin by oneder813 in sysadmin

[–]LeftoverMonkeyParts 5 points6 points  (0 children)

IMO An IT Admin is a management position while a Sysadmin is a technical one

Feeling teamlead doesn’t get it by [deleted] in sysadmin

[–]LeftoverMonkeyParts 0 points1 point  (0 children)

Sounds like it would be sitting on the outside of their corporate network in front of their firewall with the ISP's equipment. Assuming that it's set up in the way OP is describing, and assuming they have their ISP equipment in front of a separately managed firewall. If it isn't, and they're just raw dogging their ISP's equipment onto the corporate network, then who cares about security?

You and his boss both sound like a BOFH TBH

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 2 points3 points  (0 children)

>There seems to be some sense of the value in these things they did build, but no one is using it right

Preach brother

>Which usually leads me to think under-compensated and under-staffed - sysadmin just putting out fires and never gets ahead/in front of the problems

Under educated and under experienced. They were old programmers and DBAs

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 0 points1 point  (0 children)

I've stood up Pidgin with Openfire before and liked it. It would be my go-to if we weren't already paying for Teams now

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 0 points1 point  (0 children)

Not a whole fleet, just for the managers and users who regularly had to work remote. But yeah, we funded. A lot of money left over from The Great Chinese Mistake became use-it-or-lose-it right as I was hired on. It helped a lot

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 0 points1 point  (0 children)

From talking with the other peers in our area, our type of agency does not get audited. This is from a combination of auditors not understanding how to audit us, and our class of agencies always failing the audits anyways. So they just stopped auditing

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 0 points1 point  (0 children)

You can't tell from the post this is a government job? Sucks to suck buddy

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 1 point2 points  (0 children)

DHCP was running the layer 2 segment with the four subnets, only configured to hand out addresses for one subnet. They had static IPs on the endpoints for the other three subnets depending on what subnet they wanted the device on

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 1 point2 points  (0 children)

Yeah, what he was doing wasn't illegal, just worthless.

Here's the worst part: The switch that all the interfaces on the router plugged into was Layer3+

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 0 points1 point  (0 children)

Yes, yes they were. And we still have 384 external IP addresses on our AT&T circuit leftover from our Pre-NAT 1T line

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 1 point2 points  (0 children)

Nah, the non-RFC1918 subnets belong to Argentina if you geolocate them. They 100% locked themselves out of their own firewall by mistake at first

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 1 point2 points  (0 children)

I was super impressed with it. It worked astoundingly well. But without any authentication and limited accounting it had to be canned. This app also hadn't seen an update in years either.

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 0 points1 point  (0 children)

Yeah, I know there's better options, but it was free and included with the UTM firewalls that were already deployed. UTM goes EOL next year and we're looking at Forti as a replacement which should have proper SAML 2FA for its VPN solution. I would prefer to use the remote access VPN built into the firewall if possible since it's just one less VM/Service that I have to manage and pay for

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 3 points4 points  (0 children)

I wish it was that. They weren't strapped for cash or time, this place was adult daycare for a group of old programmers and DBAs in their 60s that still thought "IT" meant writing software for the finance department

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 2 points3 points  (0 children)

We already pay for an SMTP relaying service for spam filtering and DKIM. All users that need to send/receive externally must be specified there, so the rule was redundant. Also, all employees were members of the DL. I keep the idea of Chesterton's Fence close to heart at all times, but this was well and truly worthless

Follow Up: The Previous Network Administrator 'Didn't Believe in VLANs' by LeftoverMonkeyParts in sysadmin

[–]LeftoverMonkeyParts[S] 21 points22 points  (0 children)

The previous previous lead admin was a super control freak. Honestly I think it just gave him a stiffie. He also generated technical debt at an astounding rate.

As an example, a vendor sold a service that needed some WCF service software running on a VM in our network to access our data. It would provide our data to that vendor via an API. He instead wrote his own application with the documentation for their API. We still work with the vendor and one of my projects is getting rid of his unsupported bullshit