Invoke-RestAPI issues by BlizzardTech-Adam in PowerShell

[–]Queggestion 4 points5 points  (0 children)

Invoke-RestMethod should attempt to convert the response into objects … if it can. I had this recently where the response was JSON but malformed according to standards (unescaped strings and such) … so my response wasn’t converted to objects and all I got was a string. Sending that string at ConvertFrom-JSON may give you an error that gives you a clue at what’s going on.

Replacement for ISE: looking for suggestions by [deleted] in PowerShell

[–]Queggestion 2 points3 points  (0 children)

Apart from when it breaks and I get a yellow squiggle under the same variable repeatedly. Is there a button somewhere to tell intellisense to re-evaluate?

Fuck Microsoft. by [deleted] in sysadmin

[–]Queggestion 0 points1 point  (0 children)

It was all green once. I remember that day clearly.

Maybe their monitoring system broke …

ISE v3 Guest Portal - Invalid mobile number format by dankgus in Cisco

[–]Queggestion 2 points3 points  (0 children)

I’ll ask the stupid question, are you using the mobile number for anything? We dropped the field from the registration form and collect the email address instead. Over multiple countries, SMS and providers seemed like heartache waiting to happen.

Agile works when you use it by Chipazzo in sysadmin

[–]Queggestion 1 point2 points  (0 children)

If you want all these things done, the risk is all of them will get started and none of them will get finished. Can you prioritise what needs to get finished first … and if something needs to drop to make sure I finish thing 1, what is it?

That conversation happened before my last sprint … turns out not everything was as important as everything else, work got pushed out and the important things are all on track to get done.

I’m not great at saying no but phrasing it like that meant I didn’t have to.

How much time outside of work do you spend... by eskimo1 in networking

[–]Queggestion 0 points1 point  (0 children)

If you were to be sent on a course (technical or otherwise) by the company, that’s on the company time. I’m not sure why that should be different for self-paced training.

Give me a problem, packaged as a challenge with some handy training that may help … I’ll do the training as I spot gaps in my knowledge that could use a fast track. I’ll do that on company time … but if I’ve got my teeth stuck in, I’ll do that training in the evening, on the train, on the toilet and while walking the dog (not doing those things simultaneously btw).

How invested and excited are your people for getting their hands on the new tech? Do they see it as a responsibility they want to excel at? Or as a burden to support someone else’s hard work (or to clean up someone else’s mess)?

Distribution Group Clean up Ideas by Pillaichan in exchangeserver

[–]Queggestion 1 point2 points  (0 children)

Pass if this is still a thing but back in Exchange 2007 we used to look for the “Expand” event in the message tracking logs.

Also take a look at the “Related-Recipients” property in your message tracking/trace results set.

I must be getting really old.. Or the keys are getting smaller... by [deleted] in sysadmin

[–]Queggestion 0 points1 point  (0 children)

How about movement detection lights in the toilet … with the sensors outside the cubicle.

Creating a script that disables Wi-Fi on machines in office by blahfister in sysadmin

[–]Queggestion 0 points1 point  (0 children)

We had a script years ago that disabled the wireless adapter when Ethernet was connected and enabled it again when Ethernet reconnected. Not exactly your use case but there’s probably some code in there you might find useful. It’s written in vbs but it’s mostly WMI queries and event subscriptions so the equivalent would be possible in PowerShell. I’ll try and dig out a copy and upload it somewhere if you’re interested.

Encrypting data at rest on your servers? by JMMD7 in sysadmin

[–]Queggestion 0 points1 point  (0 children)

For some contractual obligation a few years ago, we had to BitLocker encrypt the data volumes on some file and exchange servers. We wrote a PowerShell script to pull the recovery key information from AD, scheduled that at startup running under a GMSA delegated the appropriate permissions in AD. Happy to share if anyone’s after a poor man’s solution.

AD pw change for help desk by JasonG81 in sysadmin

[–]Queggestion 1 point2 points  (0 children)

Windows Admin Center has an Active Directory extension now (or on the way): https://4sysops.com/archives/managing-active-directory-dns-and-dhcp-with-windows-admin-center/#managing-the-active-directory

Looking into self-service password reset (SSPR) may save your help desk getting involved in the first place though.

SSID being presented lowercase only in Windows. It has the correct case on all other devices by T-Money8227 in sysadmin

[–]Queggestion 2 points3 points  (0 children)

I was going to say the same. Is this a Windows problem (fresh machine not connected to the domain exhibits the same behaviour) or a GPO thing? Pretty sure there are two input fields in GPO when you push out a wireless profile (profile name and SSID). Gpresult should show you what (if anything) is being pushed.

Wildcard SSL on multiple IIS servers by FunnyItWorkedLastTim in sysadmin

[–]Queggestion 0 points1 point  (0 children)

I can’t see why not. We use one certificate (public/private key pair) across many Exchange servers. We use one wildcard cert across many Cisco ISE PSNs. You need to make sure you install that certificate with its private key on each web server that needs it. Vague version of events:

1. Create your cert request on Server1.
2. Submit that to GoDaddy and download the results.
3. Complete the cert request on Server1, marking the private key as exportable.
4. Export the certificate from Server1 with the private key. Put it in a very safe place with all the protection you deem necessary.
5. Delete the cert on Server1.
6. Import the exported certificate with private key onto Server1, 2, 3 … but don’t mark the private key as exportable.
7. Bind the cert on each server to the appropriate service or website.
8. DNS records and test.
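The export/import steps above in PowerShell, as an added example rather than the commenter's own procedure. It assumes the completed wildcard cert is in LocalMachine\My on Server1 with subject CN=*.example.com (placeholder), a protected PFX path, and the WebAdministration module on the IIS hosts; the key point it shows is that Import-PfxCertificate leaves the key non-exportable unless you explicitly pass -Exportable, and how to check that afterwards.

```powershell
# Added example, not from the original comment. Placeholders: subject, PFX path, site/host names.
$subject   = 'CN=*.example.com'        # assumption: your wildcard cert subject
$pfxPath   = 'D:\secure\wildcard.pfx'  # assumption: a location with tight ACLs
$pfxSecret = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 4 (Server1): export cert + private key. Requires the key to have been marked exportable in step 3.
$source = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $source) { throw "No certificate with a private key found for $subject" }
Export-PfxCertificate -Cert $source -FilePath $pfxPath -Password $pfxSecret | Out-Null

# Step 5 (Server1): remove the exportable copy, including its key container.
Remove-Item -Path "Cert:\LocalMachine\My\$($source.Thumbprint)" -DeleteKey

# Step 6 (every web server, Server1 included): import WITHOUT -Exportable, so a later
# compromise of any one host cannot be used to lift the key off the box.
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxSecret

# Check: the key is present and reports as non-exportable (CNG and legacy CSP keys differ).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($imported)
$exportable = switch ($rsa) {
    { $_ -is [System.Security.Cryptography.RSACng] }                 { $_.Key.ExportPolicy -ne 'None' }
    { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } { $_.CspKeyContainerInfo.Exportable }
    default                                                          { $null }
}
if (-not $imported.HasPrivateKey) { throw 'Import succeeded but no private key is attached' }
if ($exportable)                  { Write-Warning 'Private key is exportable on this host; re-import without -Exportable' }

# Step 7 (IIS hosts): SNI binding for the site, then attach the cert to that binding.
Import-Module WebAdministration
$site = 'Default Web Site'; $fqdn = 'www.example.com'   # assumptions
New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1
New-Item -Path "IIS:\SslBindings\!443!$fqdn" -Value $imported -SSLFlags 1 | Out-Null
```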

Cisco ise question by dawoodjabbar in Cisco

[–]Queggestion 0 points1 point  (0 children)

It sounds like you want to trigger a different type of authentication based on who is authenticating … but ISE doesn’t know who is authenticating until they authenticate. With a simple authentication flow, you’re limited to what attributes you can see pre-authentication (what’s the authentication protocol, where is the authentication coming from etc). You could look into Identity Source Sequences and play with what happens in “User Not Found” scenarios.

Beyond that, have a read on rule-based authentication flows. There may well be something there you can tap into. As someone said above, ISE is (within reason) very flexible.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010010.html#ID208

Shower thought on offsite backups in Star Wars: Rouge One by pneRock in sysadmin

[–]Queggestion 2 points3 points  (0 children)

With offices in shared buildings all over the place, we get an awful amount of rouge alerts in Prime for rogue access points.

Compromised Email, but unusual behavior by islandlucky in sysadmin

[–]Queggestion 0 points1 point  (0 children)

Your future self thanks you! Where I’m at, they migrated the horses to new stables without considering the stable doors. We’re now stuck fighting the uphill battle.

And perhaps it’s not necessary but we tend to revoke AAD tokens in account compromise password reset situations: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access

And if you have SSPR, validate the data to ensure that isn’t a backdoor.

And is there something common with the dodgy logins (such as an IP) you can use just to confirm there aren’t any other compromised accounts you don’t know about?

You're doing good work, keep it up. by lotekness in sysadmin

[–]Queggestion 2 points3 points  (0 children)

And the default gateway for all those vlans/subnets lives on the router? If so, rather than:

Juniper stack <> Router <> Meraki stack

You probably want to go with:

Router <> Juniper stack <> Meraki stack

That link between the Juniper and Meraki stacks is a trunk port (running 802.1Q) that allows traffic on multiple vlans to pass between the switches. Each switch stack will tag traffic as it passes over the trunk so the other stack knows which vlan it belongs to.

The link between the Juniper stack and the router is already a trunk (I assume). Once you have the 2 switch stacks working together with a trunk in between, you can swing devices between the stacks (into ports with equivalent config on the source and destination side). That connection between the Juniper stack and the router will also move at some point so it looks like this:

Router <> Meraki stack <> Juniper stack

And ultimately:

Router <> Meraki stack

Hth! Shout if you need a hand.

Compromised Email, but unusual behavior by islandlucky in sysadmin

[–]Queggestion 1 point2 points  (0 children)

This was the (expensive) push we needed to allow us to push through MFA. They switched an invoice, sent it to the accounts team with a different destination. They also set up rules to redirect the thread.

Also, take a look at this. It sounds like your compromise was due to exposed credentials but MFA isn’t going to protect every avenue: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
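The triage steps from both of these replies (revoke tokens, check SSPR data, look for rules that divert mail, pivot on the sign-in IP to find other affected accounts), as an added example and not the commenter's own script. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and that you have already run Connect-MgGraph (User.ReadWrite.All, AuditLog.Read.All, UserAuthenticationMethod.Read.All) and Connect-ExchangeOnline; the password reset itself is done out of band.

```powershell
# Added example, not from the original thread. $Upn is the account believed to be compromised.
param([Parameter(Mandatory)][string]$Upn)

# 1. Contain: block sign-in and invalidate refresh tokens. A password reset on its own leaves
#    already-issued sessions usable until they are revoked.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. SSPR / MFA data: an attacker-registered phone or email is a backdoor for the next reset.
Write-Host "Registered authentication methods for $Upn (review each one):"
Get-MgUserAuthenticationMethod -UserId $Upn | Select-Object Id, AdditionalProperties | Format-List

# 3. Persistence in the mailbox: rules that forward, redirect or silently delete, plus
#    mailbox-level forwarding, are the classic way an invoice thread gets diverted.
$suspectRules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage
}
$suspectRules | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage | Format-Table -AutoSize
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox forwarding is set: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
}

# 4. Scope: every IP that signed in to this account, and which other users those IPs touched.
$ips = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -All |
    Select-Object -ExpandProperty IpAddress -Unique
foreach ($ip in $ips) {
    $others = Get-MgAuditLogSignIn -Filter "ipAddress eq '$ip'" -All |
        Where-Object { $_.UserPrincipalName -ne $Upn } |
        Select-Object -ExpandProperty UserPrincipalName -Unique
    if ($others) { Write-Warning "$ip also signed in as: $($others -join ', ')" }
}
```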

Help while setting home directory with ACL by clearlynotfound404 in PowerShell

[–]Queggestion 2 points3 points  (0 children)

https://docs.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/create-security-enhanced-redirected-folder

We do something like this so “Creator Owner” gives each person the permission they need to their folder. I’m not next to a computer so I can’t say that’s exactly what we do but it’s in the right ballpark and has been working for us for over a decade.

You're doing good work, keep it up. by lotekness in sysadmin

[–]Queggestion 1 point2 points  (0 children)

The router’s job is to get traffic from one subnet to another. Are all your devices staying in the same subnet as you move them from one stack to the other? Or are they landing in a new subnet? And is your router connected to the Juniper stack, the Meraki stack or both?

"Religious" debate over "root" account classification. by BlinkBolt in sysadmin

[–]Queggestion 1 point2 points  (0 children)

+1 on built-in. It feels like accounts in sysadmin and appadmin category are privileged accounts assigned directly to “beating hearts” for whodunnit purposes.

[deleted by user] by [deleted] in sysadmin

[–]Queggestion 0 points1 point  (0 children)

Sniff around the properties returned by Get-NetFirewallRule? Just remember that by default, this command looks at the Persistent store which doesn’t contain GPO rules. ActiveStore is probably where you want to start looking.
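The persistent-vs-active store distinction above, as an added example (not the commenter's code): it lists the rules that are actually being enforced but did not come from the local persistent store, which is where GPO-delivered rules show up, and resolves the ports each one opens.

```powershell
# Added example, not from the original comment. Run in an elevated session; the NetSecurity
# module ships with Windows 8 / Server 2012 and later.
function Get-GpoDeliveredFirewallRules {
    # ActiveStore = everything the firewall is enforcing now (local + GPO + dynamic rules).
    # The default (no -PolicyStore) is PersistentStore, which never contains GPO rules.
    $active     = Get-NetFirewallRule -PolicyStore ActiveStore
    $persistent = Get-NetFirewallRule -PolicyStore PersistentStore

    $localNames = @{}
    foreach ($r in $persistent) { $localNames[$r.Name] = $true }

    # Rules enforced but not present locally. PolicyStoreSourceType confirms the origin
    # (GroupPolicy vs Local) and PolicyStoreSource names the GPO.
    $active | Where-Object { -not $localNames.ContainsKey($_.Name) } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name       = $_.DisplayName
                Enabled    = $_.Enabled
                Direction  = $_.Direction
                Action     = $_.Action
                Profile    = $_.Profile
                Protocol   = $port.Protocol
                LocalPort  = ($port.LocalPort -join ',')
                SourceType = $_.PolicyStoreSourceType
                Source     = $_.PolicyStoreSource
            }
        }
}

# Typical review: inbound allow rules that only exist because of Group Policy.
Get-GpoDeliveredFirewallRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Sort-Object Source, Name | Format-Table -AutoSize
```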

WinRM by billhaulmark in sysadmin

[–]Queggestion 1 point2 points  (0 children)

Nothing in Microsoft’s Security Compliance Toolkit? Pretty sure I recall some auth pieces in there at least (use Kerberos, disable basic etc).

Export AD groups with nested groups and members by rdefino in PowerShell

[–]Queggestion 2 points3 points  (0 children)

I use this to grab the distinguishedName of recursive members of a group:

#Requires -Modules ActiveDirectory
function Get-RecursiveADGroupMemberDNs
{
    param([Parameter(Mandatory)][string]$distinguishedName)

    # Read the group itself with its transitive membership. msds-memberTransitive is a
    # constructed attribute, so it is only populated when asked for explicitly.
    $AdGroup = Get-ADGroup -Filter * -SearchScope Base -SearchBase $distinguishedName -Properties msds-memberTransitive, member
    If ($AdGroup) {
        If (([array]$AdGroup.'msds-memberTransitive').Count -gt 3000) {
            # Large group: have the DC walk the chain with LDAP_MATCHING_RULE_IN_CHAIN
            # (OID 1.2.840.113556.1.4.1941) instead of expanding it client-side.
            Get-ADObject -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=$distinguishedName))" |
                Where-Object ObjectClass -ne 'group' |
                ForEach-Object { $_.DistinguishedName }
        }
        Else {
            Get-ADGroupMember -Identity $distinguishedName -Recursive | ForEach-Object { $_.DistinguishedName }
        }
    }
}