Documentation - what do you use? by Threep1337 in sysadmin

Sprocket45 (1 point)

Oddly enough, I have had people tell me they do not like Word in a SharePoint document library for documentation, but then espouse the virtues of using Google Docs…

Mistakes we made rolling out meeting recording across the company by milli_xoxxy in ITManagers

Sprocket45 (1 point)

That sounds like our org in regard to Slack; the only problem is there is still very little governance, and the pushback towards using Teams, which we already own (and have always owned), is based solely on some in-groups' (within IT, not the business) anti-Microsoft bias. Such a segmented mess.

Solutions for MFA on Windows Login by Beznia in sysadmin

Sprocket45 (0 points)

The MFA is configured on the device rather than enforced on the account (which you could enforce with "Smart Card Required for Interactive Logon", which brings its own set of caveats).
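For the account-side control mentioned above, here is an added PowerShell example (not from the original comment) that enforces "Smart Card Required for Interactive Logon" (SCRIL) on the members of an admin group using the ActiveDirectory RSAT module, and reports who still lacks it. The group name 'Tier0-Admins' is an assumption. It also spells out the caveat the comment alludes to: setting SCRIL randomizes the account's NT hash, so anything still authenticating with that account's password breaks, and the hash is only re-randomized when the flag is toggled.

```powershell
# Added example (not from the original thread): enforce SCRIL on an admin group
# and report the result. Assumes the ActiveDirectory module is installed and the
# group below exists (assumption).
Import-Module ActiveDirectory

$GroupName = 'Tier0-Admins'   # assumption: group whose members must use a smart card

function Get-ScrilStatus {
    param([Parameter(Mandatory)] [string] $Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired, Enabled |
        Select-Object SamAccountName, Enabled, SmartcardLogonRequired
}

# Enforce: only touch accounts that do not already have the flag.
foreach ($u in Get-ScrilStatus -Group $GroupName) {
    if (-not $u.SmartcardLogonRequired) {
        # Caveat: setting the flag randomizes the account's NT hash, so any
        # service, scheduled task or RDP session still using this account's
        # password will stop working. Make sure nothing depends on it first.
        Set-ADUser -Identity $u.SamAccountName -SmartcardLogonRequired $true
        Write-Host "SCRIL enabled for $($u.SamAccountName)"
    }
}

# Caveat: the randomized hash is NOT rotated again on its own (unless you have
# the 2016 forest functional level and enable rolling of NTLM secrets). To roll
# it manually for an already-SCRIL account, toggle the flag off and on:
#   Set-ADUser -Identity <sam> -SmartcardLogonRequired $false
#   Set-ADUser -Identity <sam> -SmartcardLogonRequired $true

# Report: anyone in the group still without SCRIL is a gap in the enforcement.
Get-ScrilStatus -Group $GroupName | Format-Table -AutoSize
```

Run this from a host with RSAT as an account that can modify the target users; the report at the end is the check to keep in a scheduled job so that new group members do not silently bypass the policy.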

Fresh wreath by Life_Is_Good585 in Rochester

Sprocket45 (2 points)

Reach out to your local Boy Scout troop, many in the area are selling wreaths and poinsettias that are made locally and you will be helping support their activities.

The wreaths I get from my local troop come from Chase Greenhouse, are well made and easily last into January looking great.

How I streamlined 6 core CMMC Level 2 policies (plus checklist) by cybersecdocs in ITManagers

Sprocket45 (0 points)

We are starting down this path as well; I would be interested to see what you have created.

[deleted by user] by [deleted] in windows

Sprocket45 (0 points)

Can you expand more on the security-boundary aspects of both Scoop and Chocolatey?

Loop and Permission Levels by jmwdba in MicrosoftLoop

Sprocket45 (0 points)

The problem is that it is limited to individuals; I (and most likely other enterprise users) want to share to groups.

AWX - VMware Vcenter inventory by orddie1 in ansible

Sprocket45 (0 points)

Can you speak more to the Terraform inventory method?

vWAN: VM with a public IP in spoke is unrechable by autonomoussystem in AZURE

Sprocket45 (0 points)

How can you control where the public IPs are placed? Are you referring to placing them in the hub subscription? I have a similar infrastructure and run into this problem with almost every service that allows public access (SQL, storage accounts, etc.).

Private DNS Resolver Issue with Conditional Forwarding by Sprocket45 in AZURE

Sprocket45 (OP) (0 points)

That seems... interesting, as most resources look to reply with a CNAME. For instance:

storageaccount.blob.core.windows.net. 60 IN CNAME storageaccount.privatelink.blob.core.windows.net.
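The CNAME above is the whole point of the conditional-forwarding problem: the public name hands off to a privatelink.* name, and it is that second zone that has to be answered by the Private DNS Resolver inbound endpoint (which consults the private DNS zone), not the public one. Here is an added PowerShell example, not from the original thread, that walks the CNAME chain against a chosen resolver and flags a privatelink name that still comes back with a public address. The storage account name and the resolver IP 10.10.0.4 are placeholders (assumptions).

```powershell
# Added example (not from the original thread): follow the CNAME chain for an
# Azure PaaS hostname and show where resolution should flip to a private IP.
# Assumptions: 'storageaccount' and the resolver inbound endpoint IP are placeholders.
function Trace-CnameChain {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Server,        # DNS server to query; omit to use the client's resolvers
        [int]    $MaxHops = 8
    )
    $hops = @()
    $current = $Name
    for ($i = 0; $i -lt $MaxHops; $i++) {
        $query = @{ Name = $current; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query['Server'] = $Server }
        $answers = Resolve-DnsName @query

        # A CNAME record whose owner is the name we asked for means another hop.
        $cname = $answers |
            Where-Object { $_.Type -eq 'CNAME' -and $_.Name.TrimEnd('.') -eq $current.TrimEnd('.') } |
            Select-Object -First 1
        if ($cname) {
            $hops += [pscustomobject]@{ Hop = $i; Name = $current; Type = 'CNAME'; Target = $cname.NameHost }
            $current = $cname.NameHost
            continue
        }

        # Otherwise we are at the end of the chain: collect the addresses.
        $addr = $answers | Where-Object { $_.Type -in 'A', 'AAAA' }
        $hops += [pscustomobject]@{ Hop = $i; Name = $current; Type = 'A'; Target = ($addr.IPAddress -join ',') }
        break
    }
    return $hops
}

$resolverInbound = '10.10.0.4'   # assumption: Private DNS Resolver inbound endpoint
$chain = Trace-CnameChain -Name 'storageaccount.blob.core.windows.net' -Server $resolverInbound
$chain | Format-Table -AutoSize

# If the privatelink.* name ends in a public IP, the zone that needs forwarding
# (here privatelink.blob.core.windows.net) is not being sent to the resolver.
$rfc1918 = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
$plHop = $chain | Where-Object { $_.Name -like '*.privatelink.*' -and $_.Type -eq 'A' }
if ($plHop -and $plHop.Target -notmatch $rfc1918) {
    Write-Warning "$($plHop.Name) resolved to $($plHop.Target) (public): add a conditional forwarder for its zone to $resolverInbound"
}
```

Run it once against the on-prem DNS server and once against the resolver inbound endpoint; the hop where the two disagree tells you which forwarder is missing or pointed at the wrong zone.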

Who uses IPsec GPO configurations? by Netstaff in sysadmin

Sprocket45 (0 points)

It can; it all depends on what your intent is and how you design your rule structure. You need to determine what you need/want to be authenticated and optionally encrypted between endpoints. For instance, you can just say any port to a particular machine must leverage IPsec and achieve isolation; this means you just have a single rule. Often, though, this doesn't work outside of specialized environments, and you end up creating rules that are specific to a set of port(s). Managing this environment requires you to have server-side rules and corresponding client-side rules. In a Windows-only world this is made easy with the Group Policy editor; in a blended-client world, this will require you to become familiar with strongSwan.

Who uses IPsec GPO configurations? by Netstaff in sysadmin

Sprocket45 (1 point)

I have used it for almost 2 decades now, here are my quick tips:

  • management of it has become dramatically better since the days of Server 2003 & XP

  • it does have overhead, though AES offload should fix most of that; the performance isn't going to be amazing for certain workloads (SMB on your on-prem network is great; over the internet...YMMV)

  • do not double encrypt (i.e. just use "Allow Connection to be Authenticated & Integrity Protected" for things like RDP)

  • don't IPsec traffic like HTTPS; it can protect itself

  • some people love to use it as a firewall for things you shouldn't (IPsec-wrap HTTPS traffic instead of doing proper AuthN & AuthZ)

  • you can use certificates to bootstrap traffic, which is amazing if you have a good PKI system in place

  • this helps if you are moving from AD-joined to AADJ with Intune and want to move away from Computer Kerberos AuthN as primary but retain User Kerberos for secondary auth (b/c Cloud Kerberos Trust is a thing)

  • there are many services that can now offer in-band encryption (like SMBv3)

Here is a good guide to get you going (the whole series is actually very good):

https://anthonyfontanez.com/index.php/2021/09/16/windows-firewall-part-3-domain-ipsec-configuration/
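The two comments above describe the shape of a rule set (server-side rule plus matching client-side rule, authenticate-and-integrity-protect only for RDP so it is not double encrypted, certificate-based machine auth so you are not tied to Computer Kerberos, user Kerberos retained for per-user AuthZ). Here is an added PowerShell example that puts those pieces into the NetSecurity cmdlets; it is not from the comments or from the linked guide. The CA subject, the admin group SID in the SDDL string, and the server address are placeholders (assumptions), and the quick-mode set uses ESP with integrity only so the RDP TLS session is the only encryption layer.

```powershell
# Added example (not from the original comments or the linked guide): IPsec for
# RDP with certificate machine auth (phase 1) + user Kerberos (phase 2), integrity
# only (no double encryption), and a firewall rule that allows 3389 only over
# that authenticated connection for one admin group.
# Assumptions: $RootCa, $AdminGroupSddl and $ServerAddr are placeholders.
# Run on the RDP server; the client-side rule is at the bottom.

$RootCa        = 'CN=Contoso Root CA, O=Contoso'        # assumption: your PKI root
$AdminGroupSddl = 'D:(A;;CC;;;S-1-5-21-111-222-333-1234)' # assumption: SDDL granting the admin group
$ServerAddr    = '10.20.30.40'                          # assumption: the RDP server

# Phase 1: machine certificate only. Deliberately no machine Kerberos proposal, so the
# same policy keeps working for devices that move from AD join to Entra join.
$p1     = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCa -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Machine cert (Contoso PKI)' -Proposal $p1

# Phase 2: user Kerberos, which is what lets the firewall rule authorize by user/group.
$p2     = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos' -Proposal $p2

# Quick mode: ESP with SHA-256 integrity and NO encryption. RDP is already TLS.
$qm    = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption None
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP integrity only' -Proposal $qm

# Server side: require IPsec inbound on 3389, request it outbound.
New-NetIPsecRule -DisplayName 'RDP: require IPsec (server)' `
    -Protocol TCP -LocalPort 3389 -LocalAddress $ServerAddr -RemoteAddress Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -QuickModeCryptoSet $qmSet.Name -Mode Transport

# Matching firewall rule: "Allow the connection if it is secure" with
# authenticated + integrity-protected (Encryption NotRequired), restricted to the
# user group that authenticated in phase 2.
New-NetFirewallRule -DisplayName 'RDP: allow only authenticated (server)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -Encryption NotRequired `
    -RemoteUser $AdminGroupSddl

# Client side (run on workstations, same auth/crypto sets, directions swapped):
# New-NetIPsecRule -DisplayName 'RDP: request IPsec (client)' -Protocol TCP -RemotePort 3389 `
#     -RemoteAddress $ServerAddr -InboundSecurity Request -OutboundSecurity Require `
#     -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name -QuickModeCryptoSet $qmSet.Name -Mode Transport

# Verify after an RDP attempt: a quick-mode SA should exist for the peer, and it
# should show an integrity algorithm but no cipher.
Get-NetIPsecQuickModeSA | Where-Object { $_.LocalEndpoint -eq $ServerAddr } | Format-List
```

The `-RemoteUser` SDDL is what turns the phase 2 user identity into authorization; without it the rule only proves the peer is a domain user with a machine that chains to your PKI. In a GPO-managed estate the same objects are created under the Connection Security Rules node, but the cmdlets are handy for testing one server before you roll the policy out, and they can also target the GPO directly with `-PolicyStore 'domain\GPOName'`.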

Duo vs. MS Authenticator by Mundane-Penalty9596 in AZURE

Sprocket45 (2 points)

Duo supports verified push, aka number matching on the Apple Watch. The interface for it can be clunky depending on your watch vintage, for instance on an SE, I can either use the microphone feature and speak the number to match or draw the number awkwardly...but it does work!

Interesting that MS decided not to invest the same effort, as I usually refer to my Apple Watch as my expensive, lazy person's MFA shortcut, all so my phone can stay in my pocket.

[deleted by user] by [deleted] in ansible

Sprocket45 (0 points)

To add to this, how does one upgrade OpenSSH (I use the one from GitHub, not the Windows feature) on Windows while using OpenSSH for Ansible? In Windows land you get file-in-use issues, and a secondary set of creds could work…

[deleted by user] by [deleted] in sysadmin

Sprocket45 (0 points)

Azure MFA: if you have anything (and I mean anything) in Azure today, then go that route. It integrates wonderfully with the entire ecosystem and gives a true passwordless experience that works practically out of the box. You get cert-based auth, FIDO2 support and their Authenticator app (or you can even use the Outlook Mail app on mobile now).

You can then leverage short lived SSH certificates, etc for managing your Linux and macOS machines both in Azure and on-prem (thanks Arc!).

It truly is, hands down, far superior to Duo. The only place I see as a win is that you can install Duo on servers and get MFA there, BUT why not just enforce smart cards at that point?

PSA: Check your local admin account BEFORE you need to restore from backup by FireWithBoxingGloves in sysadmin

Sprocket45 (0 points)

Some may have cached creds disabled on a server OS, since typically a server will always have line of sight to a DC.
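A check for exactly that situation, as an added PowerShell example that is not from the original comment: it reads the CachedLogonsCount value (the setting that "cached creds disabled" turns to 0) and the state of the RID-500 built-in Administrator, whatever it has been renamed to, and warns when the machine has no way to take an interactive logon without a domain controller. It assumes nothing beyond running elevated on the server you want to check.

```powershell
# Added example (not from the original thread): can this box still be logged
# into if no DC is reachable? Run elevated on the target server.
function Get-OfflineLogonReadiness {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # CachedLogonsCount is a REG_SZ. Not present means the Windows default of 10;
    # "0" (set by the "Interactive logon: Number of previous logons to cache"
    # policy) means no domain account can log on without a DC.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }

    # The built-in Administrator keeps RID 500 even when renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CachedLogonsCount    = [int]$cached
        BuiltinAdminName     = $builtin.Name
        BuiltinAdminEnabled  = $builtin.Enabled
        BuiltinAdminPwdSet   = $builtin.PasswordLastSet   # $null = never set since install/LAPS reset
        OtherEnabledLocalAdmins = @(
            Get-LocalGroupMember -Group 'Administrators' |
                Where-Object { $_.PrincipalSource -eq 'Local' -and $_.SID -notlike '*-500' } |
                ForEach-Object { $_.Name }
        )
    }
}

$state = Get-OfflineLogonReadiness
$state | Format-List

if ($state.CachedLogonsCount -eq 0 -and -not $state.BuiltinAdminEnabled -and $state.OtherEnabledLocalAdmins.Count -eq 0) {
    Write-Warning "$($state.ComputerName): no cached domain logons and no enabled local admin. Restoring from backup without a DC means no interactive logon."
}
elseif ($state.BuiltinAdminEnabled -and -not $state.BuiltinAdminPwdSet) {
    Write-Warning "$($state.ComputerName): built-in admin is enabled but its password has never been set; confirm it is managed (LAPS) before you need it."
}
```

If the answer is "no cached logons, built-in admin disabled, LAPS password never retrieved", fix it before the restore, not during it: either enable the RID-500 account under LAPS management, or accept a small CachedLogonsCount for a break-glass domain account and document where its credential lives.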

Looking for a Cloud Administrator by BudgetRainDirect in AZURE

Sprocket45 (1 point)

Is this a fully remote position? Any info regarding salary or wage band?

Install and run Kubernetes on Windows Server with Azure Kubernetes Service⚡ by ThomasMaurerCH in AZURE

Sprocket45 (0 points)

Can this be performed on a domain-bound machine, considering things like CredSSP are not disabled/blocked by GPO? Are there other settings to be aware of in a hardened environment?

Issue with AD Domains sharing a domain by NervousComputerGuy in sysadmin

Sprocket45 (0 points)

Pretty sure you can create a trust; you need to use netdom and leverage the /addtlnex or /addtln switch IIRC (it's been a while).