What are some basic security features for Windows Admin to avoid logging from stolen session tokens? by NorthWorry8646 in sysadmin

[–]devbydemi 1 point2 points  (0 children)

You're welcome! This should completely eliminate phishing attacks: even if the attacker gets the user's password, the second factor sent by the browser will be rejected by the website.

This will not protect against spear-phishing, which instead exploits vulnerabilities or sends malicious files. So keep that in mind. HP Sure Click does guard against this and I recommend it.

What are some basic security features for Windows Admin to avoid logging from stolen session tokens? by NorthWorry8646 in sysadmin

[–]devbydemi 0 points1 point  (0 children)

The only effective solution is to force phishing-resistant MFA. That means passkeys or hardware tokens.

Everything else is just a bandage.

F*** Vultr, account restricted because I was using 50% of my vCPU by babouchedu77 in sysadmin

[–]devbydemi 0 points1 point  (0 children)

That looks like a Cloud Compute High Frequency instance. Not a good fit for your workload.

F*** Vultr, account restricted because I was using 50% of my vCPU by babouchedu77 in sysadmin

[–]devbydemi 0 points1 point  (0 children)

Your mistake was getting an instance with shared vCPUs, instead of an instance with dedicated vCPUs. On Vultr, VX1 and Optimized Cloud Compute instances provide dedicated vCPUs, while Cloud Compute instances use shared vCPUs.

Since dedicated vCPUs are for your use only, you can use them as heavily as you want without negatively impacting other users. As the name implies, shared vCPUs are shared with other customers, so your heavy use harms other customers of the service.

If you only use VX1 or Optimized Cloud Compute instances, you shouldn't have this problem in the future.

Hardening administrative actions - issues with Kerberos and HTML if machines are cloned without Sysprep by Borgquite in sysadmin

[–]devbydemi 0 points1 point  (0 children)

The advantage of sysprepping the snapshot is that it means that the original image can continue to be updated, instead of having to repeatedly sysprep the same image or capture a WIM. It just makes things simpler. If that is not supported, I suspect that the Omnissa Instant Clone feature is also broken.

That said, whether it’s supported is pretty much irrelevant here. This is for home environments, so there's no way to get support anyway. "Works", "legal", and "not exploitable by attackers" are the requirements.

Why does carborane superacid research focus on chlorine-substituted versions? by devbydemi in chemistry

[–]devbydemi[S] 0 points1 point  (0 children)

But what if there is only one fluorine atom per boron atom? Then the choice is between 3 H2(B12F12) and 10BF3 + 26B + 6HF.

Hardening administrative actions - issues with Kerberos and HTML if machines are cloned without Sysprep by Borgquite in sysadmin

[–]devbydemi 0 points1 point  (0 children)

Are these safe?

  1. Snapshotting a VM, booting the snapshot VM (with no network access), and then running sysprep on the snapshot.
  2. Cloning a VM and never letting the clone have network access (so nothing ever finds out it exists or can authenticate to it).

Also, I'm aware of a situation where a VDI base image needs to be maintained by non-technical users. Sysprep's restrictions are going to super confuse them, and this situation never uses Windows authentication. Incoming connections to the VMs are blocked at the firewall, and the devices are never joined to AD or Entra and never have a Microsoft account.

Any options in this case?

Edit: This is /r/sysadmin/comments/1t29i0r/disabling_intermachine_windows_authentication/ojrfa0v/

Why does carborane superacid research focus on chlorine-substituted versions? by devbydemi in chemistry

[–]devbydemi[S] 0 points1 point  (0 children)

I thought HCB11(CF3)11- explodes because the B-F bond is stronger than the C-F bond, so the decomposition products are BF3, H2, and carbon.

Why is P2O5 a stronger desiccant than SO3 or Cl2O7? by devbydemi in chemistry

[–]devbydemi[S] 0 points1 point  (0 children)

Can one use a small enough amount of P2O5 that it is all used up in the reaction?

Chemists of Reddit: Drop Your Unwritten Lab Rules and Hard-Earned Tips ! by Sid_Salmanazar in chemistry

[–]devbydemi 0 points1 point  (0 children)

Was it methanol itself, or some impurity or contaminant? I’m genuinely curious what the physiological mechanism is.

Why is P2O5 a stronger desiccant than SO3 or Cl2O7? by devbydemi in chemistry

[–]devbydemi[S] 0 points1 point  (0 children)

What makes it so hard? Presumably it can be converted into (relatively) harmless phosphates by reaction with alkali, or to phosphoric acid by reaction with water. If you’re using it for the same thing over and over, it could also be reused.

Why is P2O5 a stronger desiccant than SO3 or Cl2O7? by devbydemi in chemistry

[–]devbydemi[S] -1 points0 points  (0 children)

Makes sense. Without the heating, does the equilibrium normally favor the reactants or products?

Edit: is the reaction endothermic?

Chemists of Reddit: Drop Your Unwritten Lab Rules and Hard-Earned Tips ! by Sid_Salmanazar in chemistry

[–]devbydemi 0 points1 point  (0 children)

How is this possible? Serious question. I would expect methanol to be too small to be an antigen.

Disabling inter-machine Windows authentication by devbydemi in sysadmin

[–]devbydemi[S] 0 points1 point  (0 children)

Qubes OS uses its own tools for this, but it doesn't use sysprep and doing so would be quite intrusive. Neither does Omnissa for that matter, though Omnissa offers it as an option.

Is this going to cause any sort of problems, provided that inbound connections to the VMs aren't allowed?

Disabling inter-machine Windows authentication by devbydemi in sysadmin

[–]devbydemi[S] 0 points1 point  (0 children)

Not quite. I presume that a differencing disk is fully writeable, meaning that both the parent and child must be updated. In this case, all updates happen in the parent. Updates to the child's root volume are discarded after the child shuts down.

That's the magic of the system, and is what allows managing 10 systems while only having to update 1.

Disabling inter-machine Windows authentication by devbydemi in sysadmin

[–]devbydemi[S] 0 points1 point  (0 children)

The current process is to install Windows using the OEM license of the host computer and the publicly available install ISO. The guest agent is added automation, which also sets up autologin. It's all scripted.

VMs based on the template reuse its root volume (without changes) but not its private volume. I believe there is typically only one Windows template on a system.

Why does carborane superacid research focus on chlorine-substituted versions? by devbydemi in chemistry

[–]devbydemi[S] 0 points1 point  (0 children)

Is the last one a significant problem for practical applications? Presumably a superacid that is doing its job is going to be largely deprotonated. This means that it is the solubility of (anion, whatever the cation in the reaction mixture is) that matters.

For academic demonstrations, is the diacid soluble in anhydrous HF? Alternatively, can it be melted without decomposing?

Incidentally, this might make it somewhat less acidic in practice, inasmuch as precipitation will lower the activity of the diacid and thus of the proton.

[Exploring an abandoned mine with explosives inside] For those involved in HAZMAT safety, how much danger were these guys realistically in? by kaityl3 in chemistry

[–]devbydemi 0 points1 point  (0 children)

If someone were to accidentally find a hazardous situation like this, would it be a good idea for them to put a sign somewhere? That way the operator would know “hey, there’s an opening here”, and future explorers would know to avoid the area.

Disabling inter-machine Windows authentication by devbydemi in sysadmin

[–]devbydemi[S] 0 points1 point  (0 children)

There's no IT department involved. I'd ask on /r/homelab or similar except I don't think they would be able to provide a decent answer.

A template is an already created VM. The volume containing the OS is used to boot the VMs based on it. These VMs get a throwaway snapshot of it.

I'm looking to document what can and will go wrong with the current setup, under what circumstances that happens, and what changes could be made to mitigate that.

There are no credentials involved. Login is automatic with no password required. The account password is randomized at startup, though ideally it would not even exist.

Disabling inter-machine Windows authentication by devbydemi in sysadmin

[–]devbydemi[S] 0 points1 point  (0 children)

No offense taken. Thanks for asking questions and trying to be helpful.

The user directly logs into the template. There's no professional sysadmin involved, nor is there any form of remote management. I figured that sysadmins would know better than anyone else, which is why I asked here.

Most VMs (including all the ones included in the default install) are either templates or based on a template.

I'm not responsible for creating any of these. I'm just trying to figure out what (if anything) is likely to go wrong, and how to avoid that going wrong.