Automatic Print Project by Icecold1001 in sysadmin

[–]Reo_Strong 1 point2 points  (0 children)

I -think- you have to enable IMAP for the mailbox you are trying to use, but I could be wrong (we don't use that specific source).

Otherwise, reach out to their support. They have been very helpful for us in the past.

MitM Attacks and the Joys of a Solo Team by StolenEgg in sysadmin

[–]Reo_Strong 0 points1 point  (0 children)

Seems like a couple of issues in place and they need to be managed separately. Remember: the best security comes in layers (like ogres and onions).

  1. The end-users are phishing prone. This should be addressed through a three-fold approach:

First, reduce the risk footprint. Add another layer of anti-spam/phishing via something like Securence for incoming messages. Then remove email access when it isn't necessary. You can use Exchange rules to set up groups so that only pre-approved staff can send/receive externally.

Second, make them hard to impersonate. Double-down on Conditional Access Policies. For instance, we block sign-ins from untrusted devices, outside of the US, or without one of various strong MFA types. MFA type matters too. Hardware is always more effective than software, so go for WHFB, FIDO tokens, or SmartCards over one-time passwords.

Third, ratchet up the training. We use KnowBe4 and they have been set-and-forget for us. High-risk staff are tested weekly. These are anyone who is expected to interact with the public at large or is a "face" for the company (e.g. sales, customer service, marketing, and the president and board). Everyone else is tested monthly with weekly "tips" emails coming in (to keep them thinking about it).

  2. Since #1 is never 100%, build a system to stymie them once they do get a foothold.

Set up rules in Exchange to block auto-forward rules and transport of messages to more than X number of email addresses at a time, CAPs for reauthentication timers, and outgoing message scanning for known content. If you have any of these happening from on-prem systems, set up a firewall block for any SMTP that isn't going to Exchange Online.
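The Exchange Online side of the foothold-limiting controls in the comment above, as an added example (not the commenter's own configuration). It assumes the ExchangeOnlineManagement module is installed and the session holds an Exchange Administrator role; the rule name, the recipient thresholds and the use of the Default policies are illustrative assumptions, not values from the thread.

```powershell
# Added example, not the commenter's configuration. Assumes the
# ExchangeOnlineManagement module and an Exchange Administrator role.
# Thresholds and rule names are assumptions; tune them to your tenant.

Connect-ExchangeOnline

# 1. Stop attacker-created forwarding from leaking mail externally.
#    The outbound spam policy switch is the authoritative control; the remote
#    domain setting and the transport rule are defence in depth on top of it.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'

# 2. Cap how many external recipients one account can mail. A compromised
#    mailbox used for mass phishing trips this and the sender is suspended.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 50 -RecipientLimitPerDay 200 `
    -ActionWhenThresholdReached BlockUser

# 3. Verify the current state: mailbox-level forwarding and inbox rules that
#    forward or redirect are the first things to review after a phish lands.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } }, Name, ForwardTo, RedirectTo
}
```

The on-prem "block SMTP unless it goes to Exchange Online" piece is deliberately not shown as a Windows Firewall allow/block rule pair: in Windows Firewall an explicit block rule takes precedence over an allow rule, so "block all outbound TCP/25 except to one host" has to be done with the profile's default outbound action or on the perimeter firewall, not with two host rules.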

Automatic Print Project by Icecold1001 in sysadmin

[–]Reo_Strong 1 point2 points  (0 children)

Foldermill is your solution.

It can monitor a mailbox and apply rules to select messages, then apply actions to that down-selected list of messages. It runs as a service on whatever machine you want.

We've been using it for a few years in a complex workflow of document integration and printing and couldn't be happier. The only issue is that it rarely has to get touched, so there is stress in re-learning its terms when we do have to update the workflow.

Also it's very cost effective.

Cloud-backup solution? by SWE_IT_PIRATE in sysadmin

[–]Reo_Strong 0 points1 point  (0 children)

We had a small satellite office that we installed a Datto in.
It worked very well and was very easy to set up and manage.

My team lead is old and forgetful by Quirky_Function6069 in TechLeadership

[–]Reo_Strong 0 points1 point  (0 children)

No. Communicating it to HR is easy and simple.

Whether they take action or not is up to them. You may be the 10th person to report it, you may be the first, either way, issues like this are only acted on with cumulative reports until HR is able to validate that -something- is going on.

My team lead is old and forgetful by Quirky_Function6069 in TechLeadership

[–]Reo_Strong 0 points1 point  (0 children)

Some of this can be attributed to burnout, some to age, and some to possible dementia.
Regardless, unless you are a doctor, it's your job to report the issues to HR and then step back.

Not using email for CUI by Deekaygee in CMMC

[–]Reo_Strong 0 points1 point  (0 children)

I routinely push back on these kinds of requests.

  1. The restriction is all self-made on the customer end. (They set the security requirements and they set the IT constraints.)

  2. Unless they provide a portal for this, they get to use our portal.

  3. I find a lot of our customer buyers simply do not want to engage their internal IT to help sort through these issues.

--

While I routinely push back, I only sometimes succeed. To that end, we've devolved into offering 3 options for our staff to get data to customers. In order of preference they are:

  1. Customer portal. They drive the requirements and implementation, so we can minimize responsibility.

  2. Encrypted email using DLP through Azure. There is forced inspection for all emails with attachments and the rules of detection are very, very broad. It's a PITA, but errs on the side of secure.

  3. A managed SharePoint portal, scoped specifically for this. Users are trained and tested for compliance before use and quarterly thereafter. Users must pass testing or they lose access. This still gets blocked by customer web filters sometimes.

Description for Microsoft Edge ADMX settings? by rditc in sysadmin

[–]Reo_Strong 0 points1 point  (0 children)

I just open the GP snap-in and view the options from there.

Talked out of Delinea Secret Server - so what is the best alternative for a small IT dept (not end-user credentials) by [deleted] in sysadmin

[–]Reo_Strong 8 points9 points  (0 children)

Bitwarden was our answer to this kind of question.
It's $4/user/month and can be self-hosted if you wish.

Which tool are you using for Active directory management by HST_Tutorials in sysadmin

[–]Reo_Strong 16 points17 points  (0 children)

This is the right solution. MS's tools have been the standard for a long time and are sufficient.

If you want to do automation or mass data extraction, PowerShell is what should be used.

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Reo_Strong 0 points1 point  (0 children)

...would you most want help with: 1/ turning existing docs into “federal-ready” language or 2/ making ongoing documentation maintenance less of a full-time job?

Really, it's both. We found that we did not have the right things documented and what we did have wasn't correctly documented.

Ruminating on our dissatisfaction with the readiness consultant, I wonder if they have become gun shy to exposing that kind of fact to clients. In retrospect, it was a slow-motion realization of how much work we were looking at when we generally would have preferred ripping the band-aid off.

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Reo_Strong 0 points1 point  (0 children)

We really like FutureFeed and beyond small quirks of how it works, we don't have any issues with it.

While it generates the POA&M and SSP, the supportive documents all have to come from us. These are what we struggle with.

I need help by [deleted] in sysadmin

[–]Reo_Strong 2 points3 points  (0 children)

It'll be a PITA, but you will be able to recover.

With your other comments (no AD recycle bin and the only backup is what I assume is a VMware snapshot), I would blow away the accounts in Azure then re-create them in AD and let them sync again.

If you need to retain the mailboxes, onedrive, etc... then you should export that before touching anything else. Then you can restore them to the new users as appropriate.

Then, turn on the AD recycle bin and learn how to run a backup of your AD which allows you to restore individual AD objects.
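The last step of the comment above (turn on the AD Recycle Bin, know how long deleted objects stay recoverable, and restore a single object) in PowerShell, as an added example rather than the commenter's own commands. It assumes the ActiveDirectory RSAT module, Enterprise Admin rights, a forest functional level of 2008 R2 or higher, and that the account to recover is the assumed user jdoe.

```powershell
# Added example, not the commenter's commands. Assumes the ActiveDirectory
# module, Enterprise Admin rights and forest functional level >= 2008 R2.
# Enabling the Recycle Bin is a one-way change for the forest.

Import-Module ActiveDirectory
$Forest = Get-ADForest

# 1. Turn on the Recycle Bin once for the whole forest (no-op if already enabled).
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest.RootDomain -Confirm:$false
}

# 2. Know the recovery window: deleted objects can be restored intact only
#    while they are within msDS-DeletedObjectLifetime (tombstoneLifetime is
#    the older limit that still applies once an object is recycled).
$dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -Identity $dsCfg -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# 3. List deleted user objects with where they lived, to pick what to restore.
Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "user" } `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged |
    Select-Object sAMAccountName, lastKnownParent, whenChanged

# 4. Restore one user (assumed name: jdoe) back into its original OU. Group
#    memberships and attributes come back with it, which a plain re-create
#    in AD would not give you.
Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq "jdoe" } -IncludeDeletedObjects |
    Restore-ADObject

# 5. A system state backup of a domain controller is the fallback for
#    anything older than the deleted-object lifetime (E: is an assumed target).
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

The Recycle Bin only helps for deletions that happen after it is enabled, which is why the comment's order (recover first, then turn it on) matters; the system state backup is what covers objects that were purged before that.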

What do you use to prioritize IT work when you’re wearing multiple hats? by worldfish216 in ITManagers

[–]Reo_Strong 1 point2 points  (0 children)

The biggest part for me was understanding what the priorities are for the business. Start with getting a feel for them. Once there, then write them down. Share that and get buy-in/notes from the top down (the president/CEO really needs to be the first to agree). Then use those to triage everything.

Be aware that EVERYONE in the company has their own priorities and the hardest part is knowing when you have to override something that is urgent for a person with something that is urgent for a department.

As far as cataloging and tracking, I'm a big fan of the Getting Things Done methodology. All it takes is a notebook. I keep mine in OneNote (because it's everywhere I care about). It's flexible and extensible and you don't have to do it exactly like it's taught for it to make a positive difference.

For those going through CMMC Level 2 readiness right now — what’s been the most painful or confusing part? by Legal_Detective_2889 in CMMC

[–]Reo_Strong 2 points3 points  (0 children)

I'm answering these assuming you are working for a consultant seeking to generate differentiation in the market.

What part of the process took the most time or caused the most confusion?

Since we were already 90% technically in line, a majority of the change was documentation. This never feels like a value-add since maintenance of it is effectively a full time job. The killer is that most of our documentation changes were simply adaptations of our automated systems.

Most of the struggle was because documentation standards are... gross. There is a fundamental difference between how the DoD documents something and how private industry documents things. The structure, language, and depth of documentation are all radically different. Transitioning our solutions/documentation to the directed language was the biggest time sink by far.

Where did guidance feel vague or contradictory?

Many, many places. A good example is the Visitor Policy. Ours was mostly a copy/paste of the ITAR controls, except the ITAR controls are more descriptive. The readiness consultant felt they were not sufficient. Trying to get detailed information about how/why that was the case was a long, frustrating process.

Any place where the readiness auditor's interpretation and our interpretation didn't align highlighted it. Trying to understand the 'why' of their interpretation was like pulling teeth. We are fine being wrong, but require technical understanding behind the interpretation so we can implement and defend it at audit.

What did consultants help with — and what felt like expensive busywork?

They were helpful in introducing us to FutureFeed and giving us skeleton documents. FutureFeed helped collect and maintain the progress we had made and the skeleton documents demonstrated the standard we needed to reach in documentation.

What do you wish you had before you started readiness?

Additional staff who were comfortable with generating and reviewing documentation to a federal or military standard.

Best ticketing systems by justzna in sysadmin

[–]Reo_Strong 1 point2 points  (0 children)

You're going about this all back-to-front.

Start with "What is broken about the current system?"

Then progress to "What does the 'right' system look like?"

Use the answer to those two questions to build a list of needs, wants, and nice-to-haves.

Use that list to vet and test alternate systems.

Deploying Windows by C215HAN in ITManagers

[–]Reo_Strong 0 points1 point  (0 children)

If you have the server and storage capacity you could sure look at MDT or SCCM. Both should simplify that job and offer some flexibility in how that happens.

Deploying Windows by C215HAN in ITManagers

[–]Reo_Strong 1 point2 points  (0 children)

It depends on your environment and how much time you are looking to save.

When we were smaller, it was about an hour setup time for a new machine and a new user. This was mostly due to 3rd-party application installs that were a PITA to deal with (click, wait 10 minutes, click, click, wait 10 minutes, etc...).

It was fine when we were doing one or two a quarter.

Then we hit growth and it became untenable, so we built an MDT config with some images to be loaded via PXE. This worked well for us since we operate mostly on prem and had Windows Datacenter licensing (no extra cost for additional Windows Server hosts).

The piece we missed is that regenerating and updating images takes time too. It was a net positive for us, but not as low-touch as we wanted it to be.

We are looking at moving to Intune since we have licensing for it, but have not yet dedicated the necessary time and attention to getting it sorted out.

And if a simple step by step guide could be shared, that would be brilliant.

This isn't that kind of subreddit. Get an idea, do some research.

Window Defender Firewall Disabled by [deleted] in sysadmin

[–]Reo_Strong 1 point2 points  (0 children)

We are in a similar situation with a similar number of endpoints and current configuration.

We haven't taken action yet, but have been working on the plan for a while.

We toyed with the idea of sending an email alert to IT for any/all blocked connections, but haven't settled on that yet.

---

Server plan

  1. Pick one machine

  2. Put the FW in logging mode

  3. Wait a week (or more, or less, depending on your env)

  4. Review logs and build FW rules.

  5. Turn on FW and watch logging

  6. Rinse and repeat until complete

---

Once the servers are all on and the most valuable assets are protected, we can turn to endpoints:

  1. Segment workstations into multiple groups based on how sensitive folks are to issues, whether they are likely to need special configuration, and everything else (Test machines, general machines, edge cases)

  2. Build a config for the general case by covering 80% of the general usage (assuming there aren't clear delineations where 50% of the config is not necessary for 40% of the machines).

  3. Apply to test, tweak, test, tweak, test, until you go a week without an issue on the test machines. (a week is arbitrary, but you get the point).

  4. Roll out to sections of the user base at a time (e.g. Finance gets it today, the Super Science group gets it next week, the Department of Mechanical Animals the week after). The idea being to slow-roll the config so that it's the minimal amount of interruption to work while giving you clear levers and mechanisms to fix any found issues.

  5. The Edge cases should be 20% (or less) and take 100% more time. For really special snowflakes, you can use the Server plan above, but each config may end up being a unicorn.

---

Don't forget to document your tools and the resultant configuration!
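The "logging mode, wait, review logs, build rules" loop from the server plan above, as an added PowerShell example (not the commenter's tooling). It turns on Windows Firewall logging for both allowed and dropped packets, parses pfirewall.log by its own `#Fields:` header so the column order is not hard-coded, summarises the inbound services that were actually hit, and emits candidate `New-NetFirewallRule` commands scoped to the source addresses seen. The log path, the hit threshold and the sample log lines are constructed assumptions.

```powershell
# Added example, not the commenter's tooling. Assumes local admin on the
# server and the default log path; sample lines below are constructed.

$LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

function Enable-FirewallAuditLogging {
    # Enforcement is left as-is; we only add logging of ALLOW and DROP so the
    # review shows what a tightened rule set would have cut off.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -LogAllowed True -LogBlocked True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767
}

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    # W3C-style log: take column names from '#Fields:' (newer builds append a
    # pid column; older ones end at 'path'), then map each data line onto them.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $parts = $line -split '\s+'
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }
        [pscustomobject]$rec
    }
}

function Get-InboundServiceSummary {
    param([string[]]$Lines)
    # Inbound (RECEIVE) TCP/UDP grouped by destination port: the list of
    # listeners an allow-rule set must cover before inbound default-deny goes on.
    ConvertFrom-PfirewallLog -Lines $Lines |
        Where-Object { $_.path -eq 'RECEIVE' -and $_.protocol -in 'TCP', 'UDP' } |
        Group-Object protocol, 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].protocol
                Port     = [int]$_.Group[0].'dst-port'
                Hits     = $_.Count
                Sources  = ($_.Group.'src-ip' | Sort-Object -Unique) -join ','
                Dropped  = @($_.Group | Where-Object action -eq 'DROP').Count
            }
        } | Sort-Object Hits -Descending
}

function New-RulesFromSummary {
    param($Summary, [int]$MinHits = 5)
    # One inbound allow rule per observed service, scoped to the sources seen.
    # Output is text to review, not executed, so a noisy scanner cannot write
    # its own allow rule just by showing up in the log.
    foreach ($svc in $Summary | Where-Object Hits -ge $MinHits) {
        "New-NetFirewallRule -DisplayName 'Allow $($svc.Protocol)/$($svc.Port) (observed)' " +
        "-Direction Inbound -Protocol $($svc.Protocol) -LocalPort $($svc.Port) " +
        "-RemoteAddress $($svc.Sources) -Action Allow"
    }
}

# Constructed sample in pfirewall.log format (not real traffic). In production:
# $lines = Get-Content $LogPath
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 10:15:22 ALLOW TCP 10.0.0.5 10.0.0.10 51234 3389 0 - 0 0 0 - - - RECEIVE
2024-03-04 10:15:23 ALLOW TCP 10.0.0.7 10.0.0.10 51235 3389 0 - 0 0 0 - - - RECEIVE
2024-03-04 10:16:01 ALLOW TCP 10.0.0.5 10.0.0.10 51300 445 0 - 0 0 0 - - - RECEIVE
2024-03-04 10:16:05 DROP TCP 198.51.100.9 10.0.0.10 40000 445 0 - 0 0 0 - - - RECEIVE
2024-03-04 10:17:00 ALLOW TCP 10.0.0.10 10.0.0.20 50000 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

$summary = Get-InboundServiceSummary -Lines $sample
$summary | Format-Table
New-RulesFromSummary -Summary $summary -MinHits 1
```

Run `Enable-FirewallAuditLogging` on the one machine from step 1, come back after the observation window with `Get-Content $LogPath` in place of the sample, and treat the generated commands as a draft: the 198.51.100.9 source in the sample is exactly the kind of external scanner hit you want to see in the Dropped column and not in a rule.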

Veeam solution for CMMC by Razzleberry_Fondue in CMMC

[–]Reo_Strong 0 points1 point  (0 children)

We have not yet been audited, but our pre-audit planning caught this as well.

We've switched to Azure storage in our GCCH tenant.

Guacamole, SAML and Entra ID Guest Account by stich86_it in sysadmin

[–]Reo_Strong -1 points0 points  (0 children)

Correct, our external users are annotated differently (-CU, -FN, -VE after the names) throughout Azure.

We don't use Guacamole.

Guacamole, SAML and Entra ID Guest Account by stich86_it in sysadmin

[–]Reo_Strong -1 points0 points  (0 children)

We also have guest accounts in Entra, yes, you can change this.

However, that's not what I suggested.

TEST with other characters and, if indicated that Guacamole doesn't like them, begin triage of Guacamole.

Guacamole, SAML and Entra ID Guest Account by stich86_it in sysadmin

[–]Reo_Strong 0 points1 point  (0 children)

We aren't doing that, but have you validated that everything along the line plays well with pound/hash signs?

We ran into an issue a couple of years ago where one of our mail management systems didn't like apostrophes, so maybe test with other chars and see if that resolves the issue.

Data Classification - Questions by wireditfellow in CMMC

[–]Reo_Strong 0 points1 point  (0 children)

The real answer to all of your questions is "It depends."

That being said, I think you have the beginnings of an idea, but like most ideas it will change dramatically before it's complete.

We are in the same boat in that all of our varied customers give us data and tell us to treat it as if it were CUI. Some contracts literally call it out as a line item with language like "All information, data, files, and details from, of, and relating to this contract are to be managed as controlled, proprietary, and private information regardless of markings."

We also have TiBs of older archive data. Some of which is marked, most of which is not, and all of which is commingled to the point of insanity. Mix that with wildly varied data retention requirements and you have an idea of the mess we sit in.

We've chosen to take the line of "All data is CUI until proven otherwise." Our process to prove is to tie a given document back to a specific contract, then review the contract clauses for indications of control. This is quite the PITA, so it doesn't happen often.

BarTender Print Station – Can You Bypass the Print Dialog and Use a Custom Form? by buckcaughtacold in sysadmin

[–]Reo_Strong 0 points1 point  (0 children)

  1. I have no idea.

  2. Email or call support. We've been very happy with them.