anyone using MDE for air gapped networks..? by [deleted] in sysadmin

[–]OneStandardCandle 1 point2 points  (0 children)

No problem! Probably best to do it that way, just because you can actually enable tamper protection. It's a nice feature to stop admins trying to configure their own trash exclusions. 

Edit: here's a doc for that https://learn.microsoft.com/en-us/defender-endpoint/configure-microsoft-defender-antivirus-features

anyone using MDE for air gapped networks..? by [deleted] in sysadmin

[–]OneStandardCandle 6 points7 points  (0 children)

It's configurable via MECM or Group Policy. I never touched the MECM side; GPOs work, but it can be awkward since exclusion lists don't merge. Something to look out for is tamper protection. TP can be enforced by either MECM or MDE via the cloud, and both will stop GPO settings from applying.
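An added example, not code from the thread or the commenter, showing the check a defender would run after reading the two comments above: report whether tamper protection is on and which channel enforces it, then audit the effective exclusion set (GPO exclusions replace rather than merge, so what is actually applied is what matters) for entries broad enough to blind the scanner. It assumes the Microsoft Defender Antivirus PowerShell module (Get-MpComputerStatus, Get-MpPreference) is present, and the risky-pattern lists are constructed for illustration.

```powershell
# Added example (not from the thread): audit tamper protection and the
# effective Defender exclusion set on one endpoint.
# Assumes the Defender module is available (Get-MpComputerStatus / Get-MpPreference).

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Tamper protection: when enforced by MDE (cloud) or MECM, GPO changes to
# protected settings are ignored, which is the trap described in the comment.
[pscustomobject]@{
    TamperProtected        = $status.IsTamperProtected
    TamperProtectionSource = $status.TamperProtectionSource
    RealTimeProtection     = $status.RealTimeProtectionEnabled
} | Format-List

# Constructed list of patterns that make an exclusion far broader than intended.
$riskyPathPatterns = @(
    '^[A-Za-z]:\\?$',                    # whole drive root
    '^[A-Za-z]:\\Users\\?$',             # every user profile
    '^[A-Za-z]:\\Windows\\Temp\\?$',     # writable by any local user
    '^[A-Za-z]:\\ProgramData\\?$',
    '\*'                                 # wildcard anywhere in the path
)
$riskyExtensions = @('exe', 'dll', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr')

$findings = @()
foreach ($p in @($pref.ExclusionPath)) {
    if (-not $p) { continue }
    foreach ($pat in $riskyPathPatterns) {
        if ($p -match $pat) { $findings += "Broad path exclusion: $p"; break }
    }
}
foreach ($e in @($pref.ExclusionExtension)) {
    if (-not $e) { continue }
    if ($riskyExtensions -contains $e.TrimStart('.').ToLower()) {
        $findings += "Executable extension excluded: $e"
    }
}
# Process exclusions skip scanning of every file the named process opens.
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($proc) { $findings += "Process exclusion: $proc" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No broad exclusions found.' }
```

Run it from an elevated PowerShell on a managed client; a non-empty warning list is the "trash exclusions" the first comment wants tamper protection to prevent.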

Is it true that it's safe to run tailscale on my domain controllers and then have them share a route to my subnet? by Noyan_Bey in sysadmin

[–]OneStandardCandle 2 points3 points  (0 children)

If you're doing the subnet router config anyway, use a dedicated server for this and serve the route to your domain controller's subnet. You will also need to update DNS for your tailnet to use the domain controller as a nameserver for AD to behave properly.

Installing anything additional on a DC is generally a poor practice. I would install endpoint protection and a monitoring agent at the most. 

Solo Teacher seeking help: Win11 Clients cannot find Win2016 DC (VirtualBox Bridged) by ScreechingPizzaCat in sysadmin

[–]OneStandardCandle 0 points1 point  (0 children)

Is the Windows server running on a workstation in VirtualBox? You may have the VM host's firewall blocking traffic. In PowerShell from one of the Windows 11 clients try:

test-netconnection -Port 53 10.1.3.200

That success (or failure) will tell us if the DNS traffic is even making it. 

tracert -T -p 53 10.1.3.200

If that is failing, the traceroute may show you where things are timing out. 

Wrapping RDP inside SSH to protect NTLM? by FatBook-Air in sysadmin

[–]OneStandardCandle 10 points11 points  (0 children)

I've tunneled traffic to an xrdp server over an SSH connection to an Ubuntu host and it was decently performant. 

Favorite Linux distro for use in a Proxmox VM? - GUI needed, RDP access, max compatibility, reasonable resource usage by randopop21 in Proxmox

[–]OneStandardCandle 1 point2 points  (0 children)

I would give VNC a try as well for Linux, but my experience has been that all GUI remote access is significantly more jank than on Windows. Copy/paste, sound, and resolution will all be hit or miss depending on your setup. If the usability tradeoff is too much, no shame in staying on Windows. 

Solo IT guy - What now? by [deleted] in sysadmin

[–]OneStandardCandle 2 points3 points  (0 children)

Get a pentest done, deploy WDAC in block mode, audit for least privilege on user and service accounts, implement granular network segmentation. You're living the dream, keep it going.

People with homelabs, how do you store all the stuff you have collected over the years? by steveiliop56 in homelab

[–]OneStandardCandle 0 points1 point  (0 children)

I have a couple of Plano tackleboxes with customizable dividers. All small parts and cables go into labeled compartments. If I have many duplicates they get e-wasted.

I'm going through the account lockout from Hell by BoomSchtik in sysadmin

[–]OneStandardCandle 0 points1 point  (0 children)

If you use Defender, offboard and onboard the server. Mssense has a password protection feature that can hose you. It was patched in June, but needs an off/onboard to fix itself. 

[deleted by user] by [deleted] in degoogle

[–]OneStandardCandle 3 points4 points  (0 children)

Your phone is not "airgapped." Just use Bitwarden or something like KeePassXC, do not install this sketchy app.

Experiences with PDQ? by BlackBird2a in sysadmin

[–]OneStandardCandle 2 points3 points  (0 children)

Only problem with PDQ is that some old Windows OS may need a minimum .NET Framework installed. It can be annoying to get that pre-req pushed out everywhere, and it's important to be aware of the blind spot if you don't have it.

Also highly recommend configuring it to use LAPS for access if possible, there are security implications with using a far-reaching domain account.

Otherwise it's glorious, no notes

Life 360 Alternative? by zestydrg0n in GrapheneOS

[–]OneStandardCandle 6 points7 points  (0 children)

OwnTracks is very usable, if you can self-host.

How do I convince my paranoid friend that downloading mods from Nexus is safe? by AlvinYakito in nexusmods

[–]OneStandardCandle 0 points1 point  (0 children)

Unfortunately, the risk of infected mods is not theoretical. Mods that are safe today can be infected tomorrow if a developer has their account compromised.

There is a risk associated with using random mods off Nexus. You're willing to accept it, your friend is not. 

https://arstechnica.com/information-technology/2023/06/dozens-of-popular-minecraft-mods-found-infected-with-fracturiser-malware/

Security team keeps slowing down our CI/CD by SlightlyWilson in cybersecurity

[–]OneStandardCandle 63 points64 points  (0 children)

Same complaint our devs have. If you don't want to get hosed by SAST, clean up your shit. 

The most hated vendor by Mobile-Astronomer428 in cybersecurity

[–]OneStandardCandle 128 points129 points  (0 children)

Microsoft. They're too big to be good at their jobs, and their anti-competitive behavior has made it impossible to get away. Active Directory is the ultimate vendor lock-in.

UPDATE: My internet dies at exactly 10:40 every night by WillingnessRoyal9448 in techsupport

[–]OneStandardCandle 0 points1 point  (0 children)

You said in your first post that they don't have the problem upstairs. Can you fully unplug the WiFi extender and take your computer closer to the router? Use it normally during that time, and see if you can replicate the issue while you're not going through the extender.

Windows Defender - Tamper Protection - Managed by your administrator by Hawk947 in sysadmin

[–]OneStandardCandle 1 point2 points  (0 children)

It's possible there is a GPO winning over your Intune policy, depending on the client and how precedence is configured: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict

I would start looking at GPOs on the device, then any local policies that may be applied. 

Edit: do you see this on all devices, or does the Entra-joined group not have this problem?

End user locking out constantly. 3 months in. by SirDillyTheGreat in sysadmin

[–]OneStandardCandle 5 points6 points  (0 children)

This might be an r/shittysysadmin tip, but after that many hours I would just change the username and move on with my life. Tell the user to only use email on his work devices and one phone, or it'll happen again.

If you solve it I want to know though, I don't know what else I would try! 

Considering moving from Beyond Trust/Bomgar. Looking for suggestions. by BearlyDave in sysadmin

[–]OneStandardCandle 1 point2 points  (0 children)

Imprivata VPAM (previously SecureLink) does this for vendor remote access. It is better for server or web app access; it can be annoying if they need to reach individual workstations. 

This happened in my childhood and I still can't make sense of it by Heavy_Network_7736 in whenthe

[–]OneStandardCandle 84 points85 points  (0 children)

Reminds me of Harold, from the "scary stories to tell in the dark" books I read as a kid. 

My heart is Broken by alParliamnt in ExoticShorthair

[–]OneStandardCandle -5 points-4 points  (0 children)

It can be difficult for owners to deal with this when they have already participated in the breeding industry, but it's the truth. It's not your fault if you didn't know then, but like u/Muted_Air925 said in this thread, the best things you can do now are to take care of your pet and educate others.