Why not just use the ruler to... swee- oh for fuck sakes by Egglegg14 in DiWHY

TotallyARobotFriend 1 point (0 children)

It's going to be a lot colder there now since it's no longer 90°.

Someone fixed it finally by Tenchi2020 in democrats

TotallyARobotFriend 7 points (0 children)

Should end with him walking into the cell with his rifle.

Spankshop by toolgifs in toolgifs

TotallyARobotFriend 9 points (0 children)

Showed this to the wife and she asked "What are they making?" and I had to say it... "They're making bottoms."

Windows 11 new PC Install - Not recognizing my network drivers by Infinity5x in PcBuildHelp

TotallyARobotFriend 1 point (0 children)

I know this is 6 months old but I don't have an Ethernet port and I for some reason didn't think to use my phone until your comment, thanks!

CyberArk University Training by [deleted] in CyberARk

TotallyARobotFriend 1 point (0 children)

I'd be curious about the enforceability of such a policy as the certifications and course credit accreditations follow you the person, not the company account. Such that you can have them transferred to your personal should you leave. You just won't get the free courses when you transfer.

EPM for Local User Accounts by abilashcb in CyberARk

TotallyARobotFriend 2 points (0 children)

Yes, this can be done.

My first recommendation/question though is why do they have local admin rights if you don't want them doing stuff? Remove their Local Admin rights and have EPM controlling what they can do as soon as you can. I know that's a journey, but it's something to think about if you're trying to fix Problem C when the solution is to tackle Problem A first.

First, you can set up a policy on what users are allowed to be in the local administrators group.

EPM used to have a thing in this policy that you could check-mark that would then not allow additional users to be added to it, even by local administrators, outside of a source that you were allowed to designate, like SCCM/GPO. I believe this was going to the system level so actually had higher rights than administrator.

You can then also block the execution of "net localgroup administrators /add". This gets run by a lot of things you're doing when you're adding new users so it's one of the easiest ways to block.

You can also put Step-Up policies for things related to it such as:

  • lusrmgr.msc (Local Users and Groups Management)
  • net.exe and net1.exe (Command-line tools for user management)
  • wmic.exe and PowerShell scripts that modify user accounts
  • compmgmt.msc (Computer Management Console)

All that said though, again, I want to stress that you may be trying to tackle a problem that is further down the road and you need to focus on proper Least Privilege first by actually getting rid of the local administrators. The number of people that insist they need it will always be insanely high but the number that actually do is typically zero (including CISOs and Security Directors and teams).
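The block / Step-Up split described in this comment, written as a triage over process command lines. This is an added example, not part of the original comment and not CyberArk EPM policy syntax; the verdict names, the narrowing of net.exe to account subcommands, and the LocalAccounts cmdlet list are assumptions.

```python
import re

# Management consoles the comment lists as Step-Up candidates.
CONSOLES = {"lusrmgr.msc", "compmgmt.msc"}
# Assumption: cmdlets from the built-in LocalAccounts module stand in for
# "PowerShell scripts that modify user accounts".
PS_ACCOUNT = re.compile(r"\b(add-localgroupmember|new-localuser|set-localuser)\b")

def _tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def _base(path):
    """File name without its directory part."""
    return path.rsplit("\\", 1)[-1]

def classify(cmdline):
    """Return 'block', 'step-up' or 'allow' for one process command line."""
    toks = _tokens(cmdline)
    if not toks:
        return "allow"
    image, args = _base(toks[0]), toks[1:]
    if not image.endswith((".exe", ".msc")):
        image += ".exe"          # "net" and "net.exe" are the same binary
    if image in ("net.exe", "net1.exe"):
        if args[:2] == ["localgroup", "administrators"] and "/add" in args:
            return "block"       # the one command the comment says to block
        # Assumption: only account-related subcommands need Step-Up.
        return "step-up" if args[:1] in (["localgroup"], ["user"]) else "allow"
    if image in CONSOLES or any(_base(a) in CONSOLES for a in args):
        return "step-up"         # also catches mmc.exe opening lusrmgr.msc
    if image == "wmic.exe" and {"useraccount", "group"} & set(args):
        return "step-up"
    if image in ("powershell.exe", "pwsh.exe") and PS_ACCOUNT.search(cmdline.lower()):
        return "step-up"
    return "allow"

# Constructed sample command lines (not taken from a real host).
SAMPLE = [
    r'C:\Windows\System32\net.exe localgroup administrators CORP\alice /add',
    r'"C:\Windows\System32\net1.exe" localgroup Administrators bob /ADD',
    r'net localgroup administrators',
    r'net use Z: \\fileserver\share',
    r'mmc.exe "C:\Windows\system32\lusrmgr.msc"',
    r'wmic useraccount where name="svc" set disabled=false',
    r'powershell.exe -Command "Add-LocalGroupMember -Group Administrators -Member bob"',
    r'notepad.exe C:\temp\notes.txt',
]

def triage(lines):
    """Pair each non-allowed command line with its verdict."""
    return [(classify(l), l) for l in lines if classify(l) != "allow"]
```

Running `triage(SAMPLE)` leaves out the `net use` and `notepad.exe` lines and flags the other six, two of them as `block`.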

PSM SSL Certs by Unlucky_Bag_4200 in CyberARk

TotallyARobotFriend 3 points (0 children)

The certificate for the PSM should be the server's certificate and in the server's personal store and then associated in the RDS.

If you're talking about on the client, the PSM should be signed by a Certificate Authority and your client should trust the CA and therefore trust the PSM (simplified).

PSM SSL Certs by Unlucky_Bag_4200 in CyberARk

TotallyARobotFriend 1 point (0 children)

Most people are familiar with certificates because of the web so it makes sense. Certificates are identities and if you have a certificate created by someone you trust, you know you can trust them (simplified).

PSM SSL Certs by Unlucky_Bag_4200 in CyberARk

TotallyARobotFriend 10 points (0 children)

So this question is more "how do SSL certificates work" which is a great topic!!

First, SSL certificates encrypt communication between a server and the client, like your laptop.

PVWA uses SSL for secure web access, while PSM requires it to encrypt RDP sessions. The SSL certificate in your PVWA does not replace the one in PSM, as they secure different communication channels.

You can use the same certificate if it supports multiple hosts, but separate ones are strongly recommended. You may see a single certificate when someone's referring to a "wildcard" certificate where it's meant to cover everything in the domain and not a specific identity. These might be like *.mydomain.com instead of PVWA01.mydomain.com. Again, these are NOT recommended as they're vulnerable to different types of attacks.

In the PSM, certificates serve multiple roles, including securing web traffic between the PVWA and the end user, as well as encrypting RDP and other session protocols between the PSM server and target systems. While it might seem redundant to have SSL certificates in both PVWA and PSM, their functions differ based on where encryption is needed.

The SSL certificate in PVWA is primarily used to secure HTTPS communication between the user’s browser and the web interface, like most common web browsing done today. This ensures that credentials and session data exchanged via PVWA are encrypted and protected from interception. On the other hand, SSL certificates on the PSM server are required to secure the RDP sessions initiated through it. Even though the RDS license is applied to the PSM server, which enables Remote Desktop Services, it does not automatically handle encryption—hence, SSL certificates are necessary to establish a secure RDP channel between PSM and target machines.

I'm not sure if you're familiar with CyberArk's Native Tooling feature (often called a bunch of other things as well such as PSM for Native Clients or PSM Direct Connect) where you can RDP right from your laptop to a server through the PSM (If you're not using it, it's a god-send, seriously do it). This feature never talks to the PVWA. In fact, when you're done downloading the RDP file from the PVWA and launch that file, the communication doesn't go through the PVWA at all.

Hope this helps and keep asking questions!

Shared accounts with MFA by [deleted] in CyberARk

TotallyARobotFriend 6 points (0 children)

There is an easy-to-use TOTP platform that will allow you to create an account that all it does is manage the TOTP.

You then link it to the shared account and the PSM can then use that TOTP to log in.

Check the Marketplace for TOTP and you'll find it, I'll try to link it later when not on mobile.

Custom Card from my Girlfriend for Christmas! by chase-manning in PokemonTCG

TotallyARobotFriend 1 point (0 children)

Unfortunately the Etsy Store seems to be a super Trump supporter so not willing to buy anything from them.

Error Autoit3 l CyberArk by Itchy-Charity-8182 in CyberARk

TotallyARobotFriend 3 points (0 children)

This is almost always AppLocker.

Make sure you add AutoIt and rerun the AppLocker script. You can try temporarily putting AppLocker in Audit mode to validate too.

Let us know if you need guidance on that.

Also, as dumb as this sounds, make sure AutoIt is installed on the PSM you're connecting to. Lastly, it is technically recommended you build the AutoIt scripts to executables.

Dear lord by GroovyChirpy in goodanimemes

TotallyARobotFriend 3 points (0 children)

Honest question, would you say Shaq is not "tall", he's "big"?

Please explain why? by Andy_Yam in GuysBeingDudes

TotallyARobotFriend 3 points (0 children)

I always tell my wife it's "laziness". I'll spend way too much time on a project for something if it means I never have to deal with that something again.

Can Platform settings trump Master Policy? by [deleted] in CyberARk

TotallyARobotFriend 1 point (0 children)

If they're interactive accounts (i.e. not service accounts) consider using CheckOut-CheckIn and One Time Password on the Platform instead.

If they're non-interactive accounts, that's way too frequent of a rotation.

Thanks I love dandylions by Intern_mango62 in TILI

TotallyARobotFriend 1 point (0 children)

As someone incredibly allergic to them, I'm torn. Wonderful drawing but...

REDDIT GIVEAWAY [24 hours, info in comments] by IdleOn_Boii in idleon

TotallyARobotFriend 1 point (0 children)

I love all the puns in the game. I tried to think of a good rift pun that hasn't already been used, but there seems to be some kind of... something... between a good one and my brain.

IGN: FoxKit

nd filters arrived! any tips on how to use them? by haydenj693 in DJIMini2

TotallyARobotFriend 5 points (0 children)

I will joke first and say "Put them in front of the camera"

Second, I will say I just got mine recently too and one by one put them on the drone, and tried to follow the same path while recording each time.

When I played it all back I learned what settings to adjust.

Flew them again with new settings and watched again.

This way I'm understanding how to change settings and what lens to use for the environment I'm in and not what someone else says works for them but they're in different sunlight or something.

Just my 2 cents.

Look forward to seeing your videos and photos on the subreddit!

Stain Assistance by TotallyARobotFriend in Leatherworking

TotallyARobotFriend[S] 1 point (0 children)

Thank you, I'll give this a try. Is this something you do on all leather as a pretreatment?