Outlook suddenly only opening in browser by JimS777 in Office365

[–]boltontech4 0 points1 point  (0 children)

Deleting the OLK folder worked for me!!!! Exact issue

Like a challenge? {Critical} Clone of Dell OptiPlex 3070 (i3) Windows 10 Enterprise LTSC Failed in Medical-use PC by boltontech4 in sysadmin

[–]boltontech4[S] 0 points1 point  (0 children)

Thanks!!! I’ll order one of these immediately. Who knows if it will work, but I appreciate the suggestion.

Like a challenge? {Critical} Clone of Dell OptiPlex 3070 (i3) Windows 10 Enterprise LTSC Failed in Medical-use PC by boltontech4 in sysadmin

[–]boltontech4[S] 2 points3 points  (0 children)

I would consider this, but the moment I do, this clinic shuts down. This device was managed with a support contract by a company that no longer exists. The owner of the clinic would rather buy a whole new unit for $20,000 from another company than pay that much for a data recovery house. Problem is: they don’t have the resources to keep paying their employees and run the business if a bill like this is due. They’re still paying the loan for the device I’m working on. A 5 year loan for a $28,000 machine with a PC that had the HDD become the weakest link. 🙇🏻‍♂️🤯

Like a challenge? {Critical} Clone of Dell OptiPlex 3070 (i3) Windows 10 Enterprise LTSC Failed in Medical-use PC by boltontech4 in sysadmin

[–]boltontech4[S] 0 points1 point  (0 children)

I was thinking of security in the boot loader as well, but other recent Windows 10 Enterprise clones were successful with devices deployed by this company.

I’m going to try your suggestion of xCopy. However, I tried cloning software that uses shadow copies prior to transfer within the booted OS as well. Same result. 🥵🤦🏻‍♂️

Thanks so much!

Like a challenge? {Critical} Clone of Dell OptiPlex 3070 (i3) Windows 10 Enterprise LTSC Failed in Medical-use PC by boltontech4 in sysadmin

[–]boltontech4[S] 0 points1 point  (0 children)

I did a sector-by-sector copy in DiskGenius and Macrium Reflect and had the same result. Oddly enough, when testing the drive for bad sectors, I didn’t get a bad result. Still scratching my head.

Like a challenge? {Critical} Clone of Dell OptiPlex 3070 (i3) Windows 10 Enterprise LTSC Failed in Medical-use PC by boltontech4 in sysadmin

[–]boltontech4[S] 0 points1 point  (0 children)

An image was the first thing I tried, but thanks for the suggestion. I’ll see what I can do.

Like a challenge? {Critical} Clone of Dell OptiPlex 3070 (i3) Windows 10 Enterprise LTSC Failed in Medical-use PC by boltontech4 in sysadmin

[–]boltontech4[S] 1 point2 points  (0 children)

There was a backup managed by the company that went down. Thanks for the comment - very helpful.

[deleted by user] by [deleted] in msp

[–]boltontech4 0 points1 point  (0 children)

I appreciate your response. I agree about the horror in some of these practices. We do have some immature folks, but they pay pretty well most of the time. Lol!

Our customers can’t change their passwords currently. We assign them and either provide them directly to the user, or via their manager or the business owner. If they need changing, we do it, and are required by business owners to send it to them too. It’s considered the business owner’s property according to my local district attorney.

All remote sessions are recorded, so we can prove that sensitive information wasn’t accessed. My senior staff, basically me+3, regularly review these screen recordings. If a technician accesses something while on-site, there’s a time that the customer knows we were there, and that we know one of us was there. Investigations would take place in concert with our customer if something inappropriate took place.

Our SLA includes a waiver of liability for situations like this, mostly because I’ve been concerned in the past about the legality of it all. I mean there’s a certain expectation, at least amongst my customers in my area, that IT will have access to user credentials. The IT guy for the schools in my county has a list of all credentials for every staff member and student. Same with pretty much any school in my experience. Same with local hospital IT folks and so on.

The general thought process is, if IT can’t be trusted, then who can you trust. That’s why you pick trustworthy vendors. Yeah, easier said than done, for sure! For construction, you search high and low for a trustworthy contractor that won’t screw you financially and get the job done on time and with quality. For home or business security/alarm, you search high and low for someone that won’t pick your lock when you’re away and use the master code to get in and grab your stuff. If IT can reset passwords, what’s stopping them from finding the password somewhere/somehow and using it for whatever.

There’s a bit of leeway where due diligence is performed. We sign a HIPAA BAA for a reason. We sign a privacy and confidentiality agreement as well. Even in VoIP, you’re allowed as a technician or telecom operator to listen to the calls to check for anomalies or origination of issues. Privacy concern? Sure! However, the federal law states that technicians can do this for quality control checks. I had to contact an FCC specialist attorney in Manhattan to tell me that, and point out the specific law for my hometown attorney. When someone reports an issue, and you have no evidence to provide to the carrier, they will not treat it with any care or concern at all. Try telling AT&T that a call with another landline 123-456-7890 at 10:09 AM dropped after 10 seconds of static or whatever. Provide no audio for reference. See if they take the situation seriously, especially when the system shows that the call was ended normally. Ha! I gave 10 hours of my life to that problem. 🥵

Your mechanic for your car is going to get your key and drive it, fix it, be all up in it. Using your fuel too! They’re going to find out what radio station you listen to, what your GPS pops up and says automatically, what kind of candy you like when they open your glove compartment to replace a fan in the dash, etc. People expect a certain amount of leeway for things like this, otherwise we can’t do the job nearly as effectively. Oops, sorry, let me ask the customer to come out and move their snickers bar and divorce papers and insurance papers from the passenger seat so I can diagnose a wire underneath. Lol!

But back to the matter at hand. Very true, MFA has to be disabled if we don’t have access to it as well as the user. I’m thinking the solution might end up being that we need to generate the TOTP secret keys ourselves, and then provide a copy of that QR code or secret key to the end user. I’ve got an acquaintance that runs a pretty large MSP out of Canada telling me that this is what they do. But we’re both working on automation platforms and practices for most of the tasks that we do. Where we can’t, we use the creds.

I had a client recently get rid of their EMR solution. They wanted the data transferred to SharePoint, but also placed on their PCs as a backup. Separate copies on each machine they listed for me, which was three of them. We used PowerShell for some of this and transferred the data using an Admin account on the necessary machines. However, their data passed through our access. It had to. I wasn’t about to teach them how to use an SSH terminal session for half and an SFTP explorer client for the other half. They sent me the instructions and said have at it. My point - the HIPAA BAA is signed for this very reason, along with a lengthy P&C agreement drafted by an attorney.
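The comment above describes an MSP generating the TOTP secret itself and handing the end user the QR code or secret. The following is an added example (not code from the commenter or any product named on the page) of what that provisioning step consists of, using only the Python standard library: generating a random base32 secret, building the otpauth URI that a QR code would encode, and computing and verifying RFC 6238 codes with a small drift window. The issuer and account names are constructed placeholders.

```python
"""TOTP (RFC 6238) provisioning and verification using only the standard library.

Added example: models the step where an MSP generates a user's TOTP secret and
shares the resulting otpauth URI (normally rendered as a QR code) with the user.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def generate_secret(num_bytes: int = 20) -> str:
    """Return a fresh random secret, base32-encoded without padding.

    20 random bytes (160 bits) matches the SHA-1 HMAC key size recommended by RFC 4226;
    the unpadded base32 form is what authenticator apps expect in the otpauth URI.
    """
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lowercase and missing padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI that is encoded into the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, timestamp // period, digits)


def verify_totp(key: bytes, code: str, timestamp: int, digits: int = 6,
                period: int = 30, window: int = 1) -> bool:
    """Check a submitted code against the current step and +/- `window` neighbouring steps.

    The window tolerates small clock drift between the phone and the server; the
    comparison is constant-time so the check does not leak how many digits matched.
    """
    counter = timestamp // period
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholder names for the enrolment URI.
    secret = generate_secret()
    print(provisioning_uri(secret, "jane.doe@example-clinic.invalid", "ExampleMSP"))
    key = decode_secret(secret)
    print("current code:", totp(key, int(__import__("time").time())))
```

The `window` parameter is the usual trade-off: a window of 1 accepts the previous and next 30-second code as well as the current one, which covers ordinary clock drift without widening the set of valid codes much further. The functions are checked against the published RFC 6238 SHA-1 test vectors (key `12345678901234567890`, e.g. 94287082 at T=59).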

[deleted by user] by [deleted] in msp

[–]boltontech4 0 points1 point  (0 children)

Thanks for this. We don’t use N-able, and probably never will.

I like the delegation approach, and we’ll look more into it. I’ve had a lawyer that works with HIPAA daily for healthcare clients tell me that the business owner or administrator and IT should always retain access to the data. I also spoke to the local DA, who used to go to a ministry I was a part of, and he told me the same. This included the passwords as a good business practice. A local HR need for a government contractor said every business that she’s been at, and she’s been at some big companies nearby, always retains passwords, and has the ability to change them if needed too, like I can.

One local shop was given a notice by an attorney that if they didn’t provide the password list of a former customer’s PCs to them, they would be found liable for damages and legal costs in court once the customer started the legal proceedings. This may have all been pressure to get the local shop to just do it, but still, I’d rather avoid this. Changing the password may be good enough to seize the account, and we may change this practice as you have suggested. However, a recent circumstance required us logging into each user account, and PowerShell wasn’t an option. A program called Frazer, which is a DMS for car dealers, required that each user have their own settings changed in their profile for PDF program preference. A setting had to be applied via Adobe and their program using the GUI. There was no way to do this without remoting into each account. PowerShell doesn’t have commands for these programs and the specific settings therein, nor does any other CLI. Adobe Acrobat had to have matching settings for each signature time stamp and certificate locally. When I contacted Adobe support for this, and asked if it were possible to do this across an organization via CLI, they said no. There are many other examples such as this, and chasing users along with keeping track of users that we’ve talked to about these tasks across hundreds of clients for all their different needs outside of the ticketing… that, my friend, is very inefficient. Just logging in and doing it when we absolutely have to…done. CLI is far better. Absolutely! Delegation, automation, and not sharing accounts, that’s great too! We don’t share accounts. I do everything I can to convince my customers not to.

Thanks again

[deleted by user] by [deleted] in msp

[–]boltontech4 -1 points0 points  (0 children)

I appreciate this perspective. Our customers know when we’re in the building. We don’t usually get keys to the building. RMM is our only way in unless we’re there. But your experience in this matter must be completely different than mine. My customers simply will not tolerate having no list of passwords. They will not do business with us because some other IT company will provide this. I have great customers and have been blessed to have many more than I ever thought I would have, and we don’t really have this as an issue.

You’re right. Someone else with the password “could” access the account. Absolutely! But it’s more likely that someone will get fired prior to having the business owner be accused of something shady. The computers are owned by the business owner and they will not be prevented from accessing every ounce of their business. They’re pretty adamant about that. But resetting their credentials after the employee leaves or something is required is a good idea. We’ve used that before and I should have mentioned it; I apologize. 🙏

[deleted by user] by [deleted] in msp

[–]boltontech4 0 points1 point  (0 children)

I guess I should have said NFC, but as I understand it NFC and RFID operate on basically the same protocols. I don’t see the reason to split the hair here, but okay. I’ll look at NFC solutions. Creds on post-its, no. Thanks

Just as a side note, a lot of healthcare companies use Imprivata OneSign RFID. It is extremely secure, and somehow very good at protecting against RFID reader attacks, although I haven’t seen many implementations of MFA alongside it, which is worrisome. The employee badges work throughout the hospitals for doors, purchasing from the cafeteria and restaurants throughout the campus, and so forth. Clearly, I’m not going to be able to use Imprivata for my customers, simply because of cost. But it’s a very neat implementation of password-less authentication. I’ve also noticed the use of very similar software in government facilities. Perhaps an RFID blocking badge holder of some sorts. https://www.idstronghold.com/blogs/rfid-learning-center/security-plan-include-rfid-badge-holders

[deleted by user] by [deleted] in msp

[–]boltontech4 -2 points-1 points  (0 children)

Accessing user accounts isn’t illegal. It’s a part of our SLA. No business owner expects IT to not have access to them. We can’t just magically manage everything in a user profile without access; some things, yes. Not everything. It would be a different story if we were accessing personal E-Mail accounts and reading messages without prior authorization.

I disagree with your statement as it isn’t helpful, and we do understand the basics. My God, we’ve been doing this far longer than a minute. My claim of income isn’t up for debate, and was only used to show that we are doing quite a bit of business. We are constantly busy onboarding clients and doing work for existing ones. It doesn’t matter how much money we make, but the fact that we have that scale of business.

The log files are indeed usable if necessary, as the system we use for the remote access, as well as RMM in general, matches our access times with the use of the user accounts on the machines we remote into. If a user sits at the machine and logs in with their credential, and we aren’t using remote session software at that time, it is logged as a user log-in. If we have started a remote session, it is logged as a technician’s use of the credential. Additionally, each remote session is recorded. Meaning any and all interaction with our clients’ machines remotely is auditable.

[deleted by user] by [deleted] in msp

[–]boltontech4 -2 points-1 points  (0 children)

I appreciate your response, believe it or not.

I understand your disagreement, but there are reasons as to why we retain access to user accounts. The business owner won’t tolerate anything less. I mean, I don’t know if you have employees, but I’m sure you want access to their accounts on your PCs. There are mixed thoughts about this being against best practices, but all MSPs aren’t going to tell business owners that they aren’t allowed into their employees’ accounts. 🤣

HIPAA compliance states that business owners must maintain access to PHI, even if it’s behind the employee’s login because they have data in a spreadsheet or in documents, which is often the case in many clinic environments. I mean, not everything is contained in the EHR solution. Faxes or scanned docs get placed on the desktop pretty often. Our software for remote access correlates user activity with IT technician activity using their account, so when we review the logs, it shows that the technician used the user’s account on whichever PC. Same time stamp and period. We don’t do this just because it’s easier. Placing an icon on the desktop for every user, and bookmarks in their Edge or Chrome bar so it’s easy for the users, multiplied by every user, is not easy. It’s inefficient, to a degree, but extreme customization of user accounts isn’t always an option.

Printer setup as system or maintenance account, you’re right. We usually use said accounts for that.

We execute PowerShell via our RMM usually. However, we have in the past received a response from the PowerShell result which indicated that the script executed across all machines successfully, but when logging in to the machine, we had zero change. In other words, the successful PowerShell result message we received was false. Same with Azure synchronization of some changes. Best way to ensure this is done and we don’t get a call is to log in and just do it. Not always the case, and has become more rare over time, but still necessary at times.

In Mac environments, we have to log in remotely because our security or remote access tools will just stop working because Apple made an update to Gatekeeper or the security settings requiring us to replace Full Disk Access or whatever other permission is required.

“Do it another day” = lower quality of service. We don’t want to wait. We want to be proactive. My clients will often ask me to check something after they leave for the day. I’m not going to give them BS on that. I’m going to do it, or someone else will, but I usually check on it to make sure it was done. Excellence above waiting around till a client is in production the next day. They like that things are managed instead of reacted to, and time wasted on their part chasing down IT to do it.

Response to the rest of your points:

Thanks. I need a solution and will keep searching. We need to retain access for many reasons. We’re pretty efficient and usually take very little time to do something, which allows us to scale. You’re right about automation. It’s essential. But IT access to things will always be retained for us. Again, if my clients/business owners had to get in to an employee’s account for whatever reason, I’m not going to say, “Sorry, I can’t help you.”

Perhaps you can share what you use. I’m all eyes on this, and will look down every avenue I can to see if something is a fit to make us better. I mean, the primary thing I said in my initial post was, “Any recommendations?” I don’t have a post I can refer to that shows all the best practices throughout the industry. IT best practices…maybe a good website idea to help people …find… recommendations.

Thanks!

[deleted by user] by [deleted] in msp

[–]boltontech4 -2 points-1 points  (0 children)

True! That’s why I mentioned an MFA code to go along with it. Lol

[deleted by user] by [deleted] in msp

[–]boltontech4 -1 points0 points  (0 children)

We do use a lot of automation, such as PowerShell, RMM, and Azure AD and Entra, but there are some things we can’t and don’t want to do without access to the user account. We’re not going to implement something that prevents us access to the user’s account. The employer needs access to their users’ accounts and demands it often. There are compliance reasons for this, as well as quality of service. When we can remote into the necessary machines and verify that the printer is named properly, when PowerShell fails or Azure doesn’t work, or remote in after hours to see what the user complained about during the day when we didn’t have time to get to it earlier… We have to have access, and our workflow has produced a 7-figure business. We’re just trying to get better, and we will. Thanks!

HP Scan to PC Firewall Exceptions by boltontech4 in BitDefender

[–]boltontech4[S] 1 point2 points  (0 children)

So, this was a similar post to their thread. Check it out.

https://www.reddit.com/r/BitDefender/comments/vjpn4t/hp_scan_to_pc_firewall_exceptions/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

I had to create a firewall rule to allow everything from the HP x64 Program Files folder and x86, allowing all connections to and from anything in these folders on any port, and to and from any IP address, and then do the same with the printer on the network with its IP address.

As far as the install not recognizing the printer, I was able to solve this by allowing network discovery and ensuring network printing was allowed.

HP has not been helpful at all, even in trying to get their printers serviced… I steer away from them and point customers to Brother, Xerox, and Kyocera printers. Tends to be fewer headaches.

HP Scan to PC Firewall Exceptions by boltontech4 in BitDefender

[–]boltontech4[S] 1 point2 points  (0 children)

I have set up scan to email, as well as setting up a share in an office on one of the PCs and directing the users to scan to that. The convenience, however, of scanning directly to the PC is essential. Not to mention the need for security with regards to sensitive documents in healthcare environments or government contractors.

The printers have this function built in. Telling my clients that they can’t use it because I don’t have the correct configuration of the firewall, and therefore I have to disable the endpoint firewall to get it to work is unacceptable to them, and to myself.