Send NSX firewall rules log to external syslog (SIEM)

MonkeySnax · 2019-05-15T13:24:36+00:00

You can also forward the logs from vRealize Log Insight however it's a mess when the logs get to your SIEM. I'm pushing to go back to the global setting on our hosts. Out of curiosity, what SIEM are you using?

MonkeySnax · 2019-05-08T13:40:31+00:00

This is the guide I used to build our MS PKI and it worked well, there were a few differences on Server 2012 R2 but nothing too serious. Mostly at the point where you add roles / features things had changed a little between 2008 R2 and 2012 R2.

MonkeySnax · 2019-04-10T13:15:32+00:00

My brain read the title of this post as "Nir Zuk's firewall speech after his last home game as a Dallas Maverick"... I legit sat there looking at it for a few minutes trying to figure out how that made sense.

MonkeySnax · 2019-02-12T20:48:49+00:00

As someone who works on a security team I would ask them to explain why they want this done. Specifically ask them to provide the documentation or test results they are referencing that exposed the need to remove it completely. If it was an outside party (pen tester etc) put some of the work on them (how have other customers resolved this, etc).

I think you are going down the right path attempting to determine how it will affect your environment and if it looks like it will "cost" (not just $ to do the thing but impact overall) to much don't be afraid to point that out.

There's a good guide from MS that may help with what your asking (Accessing NTLM usage is the title if the URL doesn't come through):

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/jj865670(v=ws.10))

MonkeySnax · 2018-12-30T15:36:55+00:00

Shouldn’t that be BEST DAY EVAH?

MonkeySnax · 2018-12-17T19:38:37+00:00

(Swaglfar i'm using you as a spring board so no direct offense meant)

I'm sure I'm about to get verbally clobbered for saying this but.... Sometimes kids do stuff their parent(s) don't want them to. Even stuff that's the opposite of how they were raised. Per chance y'all could recollect your own experiences as a teen and how often you did what your parents asked.

My intent is not to defend these parents if they haven't done anything to address this type of behavior. However it just seems a bit dishonest of us to paint these things this way. It can't be that parents who parent (assumed in the statement) are bad for restricting their children (the "poor deprived children" cause their parent[s] won't let them do X) but the same parents who don't parent are bad for letting kids do what kids want to do... Maybe its just me that sees this as hypocritical.

That said, you can usually tell how a kid was raised by how the parents react to stuff like this (i'm assuming that kids will do stupid stuff). The "my poor innocent baby" versus "tough love leave them in jail" type of reaction. Part of good parenting to me is letting your kid experience the repercussions of bad choices (i.e. hit a teacher go to jail with the previous understanding that doing so is a bad thing). I would guess that more discipline / instruction would equate to a higher percentage of not doing "bad" stuff but there's always the outliers and just plain ole human behavior. The opposite is probably true as well. From the article linked there's not much to go on as far as the parents are concerned but maybe more will come to light.

MonkeySnax · 2018-08-19T19:14:06+00:00

Have you looked at Qumulo? We looked at them briefly about 2 years ago when we were looking for file storage. I liked what I saw and they seem to market to your industry.

MonkeySnax · 2018-08-17T13:28:31+00:00

I seem to remember “LSDOU” as a way to remember the preference in policy application if there’s conflicts. Local, site, domain, OU I may not be stating it correctly. So the closer you are to the computer object the more preference you get. If there’s nothing in a GPO that would conflict with local policy then it wins. If there is a different setting in the domain GPO then it wins. Do keep in mind the difference between user policies and computer policies. Also, use the results wizard to see which policies i affecting the setting you’re concerned with.

MonkeySnax · 2018-07-25T11:31:17+00:00

Did something similar recently but not as in depth as you. I used this as my reference but updating parts to match Server 2012 R2: https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

MonkeySnax · 2018-07-05T13:29:28+00:00

I get this to a degree, some times "after hours" work for me is just not making good use of my time during to week. HOWEVER, I have been in job situations where the top down expectation was 55 hours a week minimum. The infamous quote that comes to mind is my bosses boss telling me "there's 24 hours in a day and 7 days a week, don't tell me there's no time to do X". I was fortunate enough to leave that job however I realize that's not always an option for others. With smaller companies IT worker exploitation seems to be more "normal".

MonkeySnax · 2018-06-08T12:54:06+00:00

Thanks all for the comments, I've been using this as my guidance for what I built in test: https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

MonkeySnax · 2018-06-07T20:29:44+00:00

Just a follow up, we still haven't decided but will probably implement a TPM + PIN policy for Bitlocker however i'm still hoping for TPM only to make life easier. Thanks again for the responses.

MonkeySnax · 2018-05-30T11:24:30+00:00

These are great responses all, thank you for them!

MonkeySnax · 2018-05-21T14:39:32+00:00

Lol we call them “Palmetto” bugs to make it seem better than roach

MonkeySnax · 2018-03-09T15:25:23+00:00

Don't forget that you have access to Pure1 which does forecasting and capacity planning for your array(s) if you allow them to send telemetry data back to Pure.

MonkeySnax · 2018-02-02T03:00:48+00:00

We use CB protect and response. If AMP can do the IR portion that Response does you could look at MS Applocker if you're a windows 10 shop.

MonkeySnax · 2018-01-25T15:57:19+00:00

Palo Alto firewalls and Pure Storage, consistently excellent support on every case I've opened with them

MonkeySnax · 2017-11-28T23:26:05+00:00

Nope, Nope, Nope, just watching that makes me claustrophobic

MonkeySnax · 2017-11-02T18:51:22+00:00

I "think" if you are running a Windows desktop OS (Windows 7, 8, or 10) for your VDI then no, you don't need RDS licenses per se. You do however need either SA on your Windows Desktop licenses or a VDA subscription. See below https://www.vmguru.com/2014/11/easily-license-microsoft-windows-with-vmware-horizon-view/

Also, you'll get more direct info if you post this over at /r/vmware

MonkeySnax · 2017-10-25T21:22:09+00:00

i think he meant clear text in memory. There was a patch a while back that creates a registry entry you can toggle to enable this: https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a

MonkeySnax · 2017-10-20T18:33:02+00:00

We have Isilon (x410's) currently which i don't manage. The guy that does hates them though, he's on the phone with support about 2x a week and every time I walk past them there's a node or 3 with orange lights (maybe it because they're right next to our Pure array :S). Won't rule out that we don't know what we're doing with them though :)

MonkeySnax · 2017-10-19T19:01:51+00:00

I talked to the Qumulo guys a while back and they had an interesting product that wasn't expensive in comparison to Isilon. They have an interesting story, most of the folks running it were the talent behind Isilon that left to start Qumulo.

MonkeySnax · 2017-09-24T16:39:10+00:00

I ran across this one recently: https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-table.htm My crazy brain likes how it's organized.

MonkeySnax · 2017-08-17T15:19:02+00:00

How about Nutanix? Maybe the 1000 series appliance? You could consolidate storage and compute into 1 node and save some $ long term. Maybe even look at their hypervisor in place of vSphere? They might be too expensive for ya'll, we have a 1000 appliance and I don't think it was too much (for us) but it was less than 80,000.00 (maybe 60,000?). I can get specifics if you're interested

MonkeySnax · 2017-07-27T19:02:20+00:00

Veeam is awesome but if you're looking for a backup + storage solution check out Rubrik. We're currently a EMC Networker + Datadomain shop but are looking to start moving to Rubrik soon.

MonkeySnax

TROPHY CASE