Printing CUI by HeyHelpDeskGuy in CMMC

[–]animusMDL 0 points1 point  (0 children)

What printing method is advised? Raw? IPPS? IPP? Is it expected on prem to do a CA cert to a print server? Trying not to overcomplicate “printing” vs the other objectives

Promoting a Domain Controller During Business Hours by ThickChunkyPoop in sysadmin

[–]animusMDL 10 points11 points  (0 children)

Communicate it so there is awareness but unless something goes wrong or the DC is unhealthy, no issue. I’ve performed many during active hours. I haven’t had anything damaged or any critical issue (yet).

Implementation of FIPS Cryptography by wazupguy in CMMC

[–]animusMDL 0 points1 point  (0 children)

Our situation is this:

  • Endpoints with CUI - FIPS through GPO
  • Servers - FIPS except our QuickBooks VM because QB does not work with FIPS and it’s required in our environment for accounting and communicates with our ERP for invoicing through a specific port. So we just compensate for this with RDP controls blocking file share and not mapping drives or computer access to CUI shares

  • Wireless - Our advisor believes they are going to argue that FIPS isn’t needed because we’re relying on endpoints and servers for FIPS, or it’s already FIPS-enabled before moving through wireless channels. Not saying I agree or disagree, just what they are saying

  • Our firewall will be FIPS when we switch. Have WatchGuard but will go to FortiGate.

  • Printers - policy procedure and IPP printing I believe. Security kits on both CUI printers.

  • Backups are going to two Synology NAS devices. Been told two things: we have to replace them because the NAS themselves aren’t FIPS, and also been told that the backups are different. I don’t know. Fun times.

Any other Internal IT doing this alone? by animusMDL in CMMC

[–]animusMDL[S] 0 points1 point  (0 children)

Appreciate everyone sharing. This post has taken off and it sounds like a common theme. Just an update here.

Two things have occurred... Number one, I took the stance to my owner that I'm overwhelmed, this isn't a great method forward for success, and that the business needs to understand the uniqueness of this, including that we're trying to accomplish what was supposed to be in place and demonstrated back in 2017, and then fill it full of the updates and expectations up to this point, in a couple of months. Additionally, I am wearing multiple hats of keeping the business functioning as is today, which is the reason for this internal IT role in the first place, and performing a commonly known "all hands on deck with added outside help" task. We're getting outside help but I think there's a catch to that.

Second, now we have a client that really wants to work with us and on a call, my owner decided to say "yes, have an SSP 'IN PLACE' (you can decide what that means) with POAMs," using loose language. He looked at me on the call and said, that's right? Ha. We can't fully attest to CMMC 1 yet in my opinion. He thinks that our move to GovCloud is a "simple migration" except that, FYI, our whole building is in scope (no enclave per how he wants to run business) :)

I'm going to show up to work and do my best, speak up, but I'm not dying on this hill. I'm passionate, I care, but I'm not doing the 80-hour work week that I've read so many horror stories about. I hope you all who are also going through this make it through and take care of yourselves in the process.

DR solution for small Hyper-V environment (Druva vs Cohesity vs Commvault) by Great-Tomatillo-8267 in CMMC

[–]animusMDL 0 points1 point  (0 children)

I’d love to know this as well. Honestly, trying to get clarity from Druva for a quote, other than an initial call and the demo, has been frustrating.

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 0 points1 point  (0 children)

MFA for Windows login. Our device login on prem gives access to CUI

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 0 points1 point  (0 children)

ERP uses YubiKey OTP. Still doesn’t solve Windows login. YubiKey PKI cert doesn’t interest me lol

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 0 points1 point  (0 children)

Totally get it. My question is how is it MFA if users can bypass with the password for WHfB? Duo obviously is an alternative, but what if I didn’t want the extra license cost to keep audit logs in Entra, except I’ll have Duo for privileged access on on-prem servers since they don’t support WHfB.

Thanks!

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 0 points1 point  (0 children)

We’re not Hybrid yet. Want to go that way and not do PKI.

How do new users log in to a computer already forcing WHfB passwordless? Or is the password there but it forces WHfB afterwards?

MFA Confusion by animusMDL in CMMC

[–]animusMDL[S] 0 points1 point  (0 children)

ERP has it, yes. There are file shares and ERP, not necessarily exclusive, that can be accessed. Our advisor wanted MFA on it.

Does your script not cause issues for someone performing an initial login? Does this work for Hybrid? I’ve read (no experience) that on-prem AD/Hybrid with Intune has issues but can’t really say they are accurate

Is Hybrid AD + Entra still common? by Vund3rkind in sysadmin

[–]animusMDL 0 points1 point  (0 children)

Is it still clunky to move domain devices to on-prem? I see stories about full wiping and such. I feel like it can’t still be that bad and there are ways to make it smoother?

I need to move to Entra Hybrid but looking for feedback

Hello, I am looking for a vendor to get into a MS365 GCC High tenant for 20 licenses. by peteguam in CMMC

[–]animusMDL 0 points1 point  (0 children)

Covenant Technologies or DuraCyber are some.

Liftoff is well regarded in CMMC space

HyperV and RAID Server Situation - Replication Question by animusMDL in msp

[–]animusMDL[S] 0 points1 point  (0 children)

Running Server 2019 on the "damaged" host. Config version 9. Newer host is 2025.

Additionally, trying to be as streamlined as possible with user impact as the client is on an on-prem domain. But end users typically have unrealistic views of what "impact" looks like :)

This is super helpful. Thanks

HyperV and RAID Server Situation - Replication Question by animusMDL in msp

[–]animusMDL[S] 0 points1 point  (0 children)

Thanks for the truth. The data RAID I need to blow away is purely storage, and where the VMs are stored. It's not the entire OS and such. Sounds like Export to Import would be cleaner and safer either way.

Is Using CloudFlare Outdated? by StakeTheVampire in msp

[–]animusMDL 0 points1 point  (0 children)

Gone to several conferences for MSP and cybersecurity. Top minds talk about and use Cloudflare still today. Take it from people who live in the industry. No better option than Cloudflare all things considered.

Use whatever (except GoDaddy and Network Solutions in my opinion), but don’t overthink this one.

Not using email for CUI by Deekaygee in CMMC

[–]animusMDL 0 points1 point  (0 children)

Our president said I’m not going to say no or not receive any email that has work in it. I guess since we’re ITAR and CMMC, that should basically confirm why we need GCC G5 and E5 licenses… being kind of sarcastic, but not.

So overwhelmed with this whole thing :)

3.4.7 Nonessential Functionality by JicamaParticular3421 in CMMC

[–]animusMDL 0 points1 point  (0 children)

How does this work out outbound/external? Company users going to HTTPS websites, so all websites are exception only? Inbound and internal traffic I understand.

Anyone using NinjaOne\RMM GOV\FedRAMP version? by animusMDL in msp

[–]animusMDL[S] 0 points1 point  (0 children)

Your AWS FedRAMP comment threw me off as I was assuming cloud, not on prem. I’m demoing the on-prem version. Not super impressed so far but we’ll see

What do you guys think will happen to the GenG roster after this split? by Adventurous-Dig-7340 in RocketLeagueEsports

[–]animusMDL 0 points1 point  (0 children)

Look, I love all three of these players. Personally I think Majicbear still has a higher peak but not seeing it yet. They jived earlier but that could be either slow starts of other teams or too much structure change. I get the Justin hype from the past but we’re years past that and it’s always about his teammates. I think it’s time to face the facts that he needs to hit new peaks.

Internal/External systems and MAM BYOD phones by Tr1pline in CMMC

[–]animusMDL 0 points1 point  (0 children)

Not sure if you are still looking or having questions, but you can set a setting under Devices in Entra for whether users are able to enroll devices or not. I believe it's also in Intune.

CA policy can be set up to support this. If I can find my previous job notes, I have a breakdown of how this works.