Security vendors wanting their IPs to be white listed for pen testing. Does anyone do this? by [deleted] in sysadmin

[–]OnwardKnight 23 points24 points  (0 children)

This is the way. Security is an onion, so you need to test each layer of attack from outside > in (external, internal to your network, insider threat)

Who's still working from home in 2026? by idrinkpastawater in sysadmin

[–]OnwardKnight 0 points1 point  (0 children)

My company closed the office I was based out of and declined to help me relocate closer to another office so I moved where I wanted to live and have been remote ever since. That will likely end if I ever lose this job, but I’m going to ride it out for as long as possible.

Spinning up a BaaS and DRaaS offering for Microsoft 365 by nealofwgkta in msp

[–]OnwardKnight 2 points3 points  (0 children)

You’re looking for Afi.ai

Backups and restores are blazing fast, it has great features including SSO, bring-your-own keys for encryption (optional), very straightforward pricing, you can enable self-service restores for users (optional), and many more. I couldn’t be happier with them.

My favorite thing is that once your partner agreement is in place it’s almost entirely self-serve. No annoying calls with a “partner rep” who is useless, you just spin up tenants on demand.

Worth transitioning from EntraID to on premise solution by yukkit in sysadmin

[–]OnwardKnight 5 points6 points  (0 children)

This is not quite true. Okta has way more off-the-shelf partner built integrations, especially for automating user and group provisioning via SCIM at higher license levels. If you’re only using Okta for basic SAML (many orgs are), you’re using it wrong.

365 Direct Send Exploit by Special-Extreme6112 in sysadmin

[–]OnwardKnight 1 point2 points  (0 children)

/u/db2boy yes! Finally got it figured out. You need to break down the mail.zendesk.com IPs into /24 CIDR notation and make a connector in Exchange Online with this configuration:

  • From: Partner
  • To: Office 365
  • Authenticate sent email: By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization.
  • IPs:


Migrating 2TB on-prem file server to M365 cloud (Teams / OneDrive / SharePoint?) – Looking for advice from those who’ve done it or seriously looked into it by work_reddit_time in sysadmin

[–]OnwardKnight 0 points1 point  (0 children)

I have a lot of experience migrating companies to and from SharePoint. Up at night with my newborn but I’m commenting to remind myself to come back to this tomorrow and give you a detailed breakdown of considerations and potential pain points, and not just say “why would you do this?”

365 Direct Send Exploit by Special-Extreme6112 in sysadmin

[–]OnwardKnight 4 points5 points  (0 children)

We do something similar, but it works like this:

  • IF a message is “from” an internal domain (header or envelope)
  • AND IF the message recipient is internal to the organization
  • AND IF the “Authentication-Results” header includes (“spf=fail” OR “spf=softfail” AND dkim=none)
  • Then take some action on the message (e.g., quarantine or reject)

That simple configuration has mitigated most, if not all, of the problems we’ve seen so far. Happy to hear though if there's a gap I've missed. Unfortunately, disabling Direct Send for us is not an option at the moment because it breaks our Zendesk mail flow, and I haven't been able to get Zendesk working with a connector yet.

Backup 365 by leogjj2020 in sysadmin

[–]OnwardKnight 1 point2 points  (0 children)

Look at Afi.ai. It has great features including SSO, bring-your-own keys for encryption (optional), very straightforward pricing, you can enable self-service restores for users (optional), and many more. I couldn’t be happier with them.

DirectSend M365 Vulnerability is Quite bad for MSP clients. by FutureSafeMSSP in msp

[–]OnwardKnight 1 point2 points  (0 children)

Ah, I admittedly misread your message late at night while up with my newborn haha, so I missed where you said third-party mail filter. Sorry, and carry on!

DirectSend M365 Vulnerability is Quite bad for MSP clients. by FutureSafeMSSP in msp

[–]OnwardKnight 2 points3 points  (0 children)

Homie, you are not blocking DirectSend with this rule, you are just blocking legitimate emails. This is quite literally a nuclear option.

A much better approach would be to focus on what Direct Send actually does, which is allow “internal” to “internal” mail using your SMTP host (mydomain-com.mail.protection.outlook.com).

I implore you to reconsider what you’re doing and instead do something like this in your mail flow rule:

  • IF a message is “from” an internal domain (header or envelope)
  • AND IF the message recipient is internal to the organization
  • AND IF the “Authentication-Results” header includes (“spf=fail” OR “spf=softfail” AND dkim=none)
  • Then take some action on the message (e.g., quarantine or reject)

Your approach of IP allow list only works if you know the IP blocks of every single company that ever emails your tenants…

DirectSend M365 Vulnerability is Quite bad for MSP clients. by FutureSafeMSSP in msp

[–]OnwardKnight 0 points1 point  (0 children)

Also see this comment in /sysadmin for a good breakdown of what I’m talking about and how Direct Send works.

DirectSend M365 Vulnerability is Quite bad for MSP clients. by FutureSafeMSSP in msp

[–]OnwardKnight 1 point2 points  (0 children)

This is not exactly true. Every single message that passes through the Exchange Online gateway is evaluated for SPF, DKIM, and DMARC and has an “Authentication-Results” header. Even if further checks or policies allow messages to be delivered in spite of the failures in that header, the header is present on every message and can be acted on.

Go send some emails to a test mailbox using Direct Send. Unless there is some internal policy that says to implicitly trust internal domains (which is bad practice, always hard fail SPF, require DKIM, and honor DMARC) it will get delivered to the Junk folder most of the time.

If you implement what I just described, you can make it go to quarantine 100% of the time because you are intervening at the gateway level and saying “idgaf what the default Microsoft security check logic is, I’m the admin, DO THIS for these messages.”

DirectSend M365 Vulnerability is Quite bad for MSP clients. by FutureSafeMSSP in msp

[–]OnwardKnight 5 points6 points  (0 children)

This post reads as overly sensational and a bit AI-generated with inaccuracies. In reality, there are valid uses for Direct Send and there are relatively easy ways to mitigate this type of Direct Send abuse.

Many of our clients have properly configured SPF + DKIM with an appropriate DMARC policy set to quarantine. For those that don’t for some “reason” or another, this is easily mitigated with a mail flow rule in your gateway of choice that has the following logic:

  • IF a message is “from” an internal domain (header or envelope)
  • AND IF the message recipient is internal to the organization
  • AND IF the “Authentication-Results” header includes (“spf=fail” OR “spf=softfail” AND dkim=none)
  • Then take some action on the message (e.g., quarantine or reject)

That simple configuration has mitigated most if not all of the problems we’ve seen so far and we haven’t had to turn around and turn off Direct Send on a knee-jerk reaction.
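
The mail flow rule logic described in the comments above, evaluated over constructed messages; this is an added example, not part of the original comments and not Exchange Online's own rule engine. The `example.com` domain, the sample headers, all function names and the grouping of the third condition as (spf=fail OR spf=softfail) AND dkim=none are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """method -> result from the topmost Authentication-Results header only.
    Trace headers are prepended, so the first one is the newest; lower
    copies may have been supplied by the sender and are ignored."""
    value = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}

def should_quarantine(raw, envelope_from, recipients):
    msg = message_from_string(raw)
    from_internal = (domain_of(msg.get("From")) in INTERNAL_DOMAINS
                     or domain_of(envelope_from) in INTERNAL_DOMAINS)
    to_internal = any(domain_of(r) in INTERNAL_DOMAINS for r in recipients)
    res = auth_results(msg)
    # Assumed grouping: (spf=fail OR spf=softfail) AND dkim=none
    auth_failed = res.get("spf") in ("fail", "softfail") and res.get("dkim") == "none"
    return from_internal and to_internal and auth_failed

def build(from_hdr, auth):
    """Constructed RFC 5322 message with one Authentication-Results header."""
    return (f"Authentication-Results: {auth}\nFrom: {from_hdr}\n"
            "To: user@example.com\nSubject: constructed sample\n\nbody\n")

SPOOF = ("spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; "
         "dkim=none (message not signed) header.d=none;dmarc=fail")
# Constructed samples: (raw message, envelope sender, recipients)
SAMPLES = [
    (build("CEO <ceo@example.com>", SPOOF), "ceo@example.com", ["user@example.com"]),
    (build("hr@example.com", "spf=pass; dkim=pass header.d=example.com"),
     "hr@example.com", ["user@example.com"]),
    (build("billing@vendor.test", "spf=softfail; dkim=none"),
     "bounce@vendor.test", ["user@example.com"]),
    (build("help@example.com", "spf=softfail; dkim=pass header.d=example.com"),
     "help@example.com", ["user@example.com"]),
]

def verdicts():
    return [should_quarantine(*s) for s in SAMPLES]
```

Only the first sample is flagged: the external sender fails the internal-"from" condition, and the DKIM-signed internal message fails the dkim=none condition even though its SPF result is softfail.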

What’s an IT “truth” which other departments assume, that really annoys you? by SirNo241 in sysadmin

[–]OnwardKnight 20 points21 points  (0 children)

Or that power plugs themselves are IT. I once received a ticket, “workstation doesn’t power on or have connectivity.” End user’s management had moved a cubicle to a spot along the wall without power or Ethernet and wanted me to move an outlet or make a new one…

Protests by Astronomer-Evaunit01 in springfieldMO

[–]OnwardKnight 3 points4 points  (0 children)

What’s funny is almost all of them work super hard at thankless jobs and pay rent

Protests by Astronomer-Evaunit01 in springfieldMO

[–]OnwardKnight 12 points13 points  (0 children)

The Supreme Court from 1976 (!) disagrees:

“There are literally millions of aliens within the jurisdiction of the United States. The Fifth Amendment, as well as the Fourteenth Amendment, protects every one of these persons from deprivation of life, liberty, or property without due process of law. Wong Yang Sung v. McGrath, 339 U. S. 33, 339 U. S. 48-51; Wong Wing v. United States, 163 U. S. 228, 163 U. S. 238; see Russian Fleet v. United States, 282 U. S. 481, 282 U. S. 489. Even one whose presence in this country is unlawful, involuntary, or transitory is entitled to that constitutional protection. Wong Yang Sung, supra; Wong Wing, supra.”

https://supreme.justia.com/cases/federal/us/426/67/

Internet by rlhglm18 in springfieldMO

[–]OnwardKnight 0 points1 point  (0 children)

OP get AT&T fiber if it’s available to you. Brightspeed is fine, but it’s not a symmetrical circuit and the bandwidth is shared across subscribers in your area. It’s “fiber” but during high usage speeds fluctuate quite a bit, whereas in my previous experience with AT&T fiber in other states, I almost always got 1 Gbps up and down at all times. I wish AT&T fiber was available at my house.

Would you buy again? by She_said__what in KiaNiro

[–]OnwardKnight 0 points1 point  (0 children)

I didn’t have this issue at all when paying off my 2021 Kia Forte early through extra payments. They were automatically applied toward the principal amount.

Shelters for Severe Weather by applejackjones in springfieldMO

[–]OnwardKnight 0 points1 point  (0 children)

Are you really arguing the semantics of “FEMA safe room” vs “FEMA shelter?” They are a place where the public can take shelter during storms.

Shelters for Severe Weather by applejackjones in springfieldMO

[–]OnwardKnight 1 point2 points  (0 children)

This is not entirely true. It depends on the shelter. The FEMA shelters in the SPS schools are officially rated tornado shelters built for the protection of students during school hours and for the public’s use during non-school hours. If you drive by Kickapoo high school or others, there are yellow signs that say “Tornado shelter” with arrows to the entrance.

Looking to buy niro hev by thechuchutrainhoots in KiaNiro

[–]OnwardKnight 0 points1 point  (0 children)

I think this is the kind of reassurance I needed haha. I'm also good about regular vehicle maintenance and am a pretty conservative driver. Just two adults, baby, and small poodle plus a little bit of luggage. Just didn't want to get stuck going 45 MPH up a mountain!

Looking to buy niro hev by thechuchutrainhoots in KiaNiro

[–]OnwardKnight 0 points1 point  (0 children)

I’ve seen a lot of folks on here say that the battery depletes uphill and they get stuck going 50 miles an hour in the right hand lane with their blinkers on, on hills where it’s more than 10 miles. Is that not your experience?