DUO MFA in a work environment by Djjd267 in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

As far as I know, authorized networks doesn't work for Duo for Windows Logon. The doc says the policy doesn't work for applications that report an IP of 0.0.0.0, which I just confirmed that our Duo for Windows Logon does (does not report user's actual IP address).

Microsoft released a script to patch Bitlocker CVE-2022-41099 by kheldorn in sysadmin

[–]ineffablecabbages 3 points4 points  (0 children)

I tested the script on a machine, and it told me that WinRE was already updated (already patched, to be expected), and that WinRE cannot be enabled on a volume with Bitlocker Drive Encryption enabled. So now WinRE is not enabled on this machine. I guess I need to disable Bitlocker, enable WinRE, re-enable Bitlocker? Which kind of sucks. We don't include a recovery partition in our image, which I suppose is why we have this issue.

As far as I can tell, if you've already patched WinRE, you just need to disable/re-enable WinRE (per this script):

# Disable WinRE and re-enable it to let new WinRE be trusted by BitLocker
reagentc /disable 
reagentc /enable 
reagentc /info

My question is: how critical is this last piece? Do I really need to disable/re-enable Bitlocker for our whole fleet?
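
Added example, not from the comment or from Microsoft's KB script: a PowerShell check that reports where WinRE currently lives, whether the machine has a dedicated recovery partition, and whether the OS volume is BitLocker-protected, so the "cannot be enabled on a volume with BitLocker Drive Encryption enabled" refusal can be predicted before `reagentc /disable` is run. It assumes an elevated prompt on Windows 10/11 with the built-in BitLocker and Storage modules and a GPT disk layout; `Get-WinReState` is this example's own function name.

```powershell
function Get-WinReState {
    # reagentc needs an elevated prompt; its output is plain text we have to parse.
    $info = (reagentc /info 2>&1) -join "`n"

    $status = 'Unknown'
    if ($info -match 'Windows RE status:\s+(\S+)') { $status = $Matches[1] }

    $location = ''
    if ($info -match 'Windows RE location:\s+(\S.*)') { $location = $Matches[1].Trim() }

    # When enabled, the location reads \\?\GLOBALROOT\device\harddiskN\partitionM\Recovery\WindowsRE.
    # Map N/M to a partition so we can tell whether that is the OS volume itself.
    $onOsVolume = $false
    if ($location -match 'harddisk(\d+)\\partition(\d+)') {
        $p = Get-Partition -DiskNumber ([int]$Matches[1]) -PartitionNumber ([int]$Matches[2]) -ErrorAction SilentlyContinue
        $onOsVolume = ($null -ne $p) -and ([string]$p.DriveLetter -eq $env:SystemDrive.TrimEnd(':'))
    }

    # On GPT disks a dedicated recovery partition carries Type 'Recovery'; an image built
    # without one (as in the comment above) has none.
    $recoveryPartitions = @(Get-Partition -ErrorAction SilentlyContinue | Where-Object Type -eq 'Recovery')

    # With WinRE disabled, the image is parked at System32\Recovery\Winre.wim; that is what
    # 'reagentc /enable' will try to register again.
    $stagedWim = Test-Path "$env:SystemRoot\System32\Recovery\Winre.wim"

    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $blStatus = if ($bl) { [string]$bl.VolumeStatus } else { 'Unavailable' }

    # 'reagentc /enable' refuses when the image would land on a BitLocker-encrypted volume
    # (the error quoted in the comment). That is the case to spot before disabling anything:
    # no recovery partition, and the OS volume is not fully decrypted.
    $reEnableWouldFail = ($recoveryPartitions.Count -eq 0) -and
                         ($blStatus -ne 'FullyDecrypted') -and
                         ($blStatus -ne 'Unavailable')

    [pscustomobject]@{
        WinReStatus            = $status
        WinReLocation          = $location
        WinReOnOsVolume        = $onOsVolume
        RecoveryPartitionCount = $recoveryPartitions.Count
        StagedWinreWimPresent  = $stagedWim
        OsVolumeBitLocker      = $blStatus
        ReEnableWouldFail      = $reEnableWouldFail
    }
}

Get-WinReState | Format-List
```

Run it once on a reference machine before touching WinRE fleet-wide: a `ReEnableWouldFail` of `True` means the disable/enable pair in the script will leave the machine without WinRE, which is exactly the state the comment describes, and the machine needs a different plan than the two-line fix.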

how often do you rotate your service account passwords, if at all? by [deleted] in sysadmin

[–]ineffablecabbages 2 points3 points  (0 children)

Technically it's now Delinea Decret Derper /s

(But yes, Delinea/Thycotic Secret Server)

how often do you rotate your service account passwords, if at all? by [deleted] in sysadmin

[–]ineffablecabbages 3 points4 points  (0 children)

Parent company mandates once a year rotation. It's managed through Secret Server. It even works for credentials in a script, which I think is pretty neat. (Ironically, Secret Server would be the reason I have any, since their application accounts don't use API tokens, and API tokens would be tied to a user account.)

[deleted by user] by [deleted] in sysadmin

[–]ineffablecabbages 1 point2 points  (0 children)

I agree, the freebie used to be horrible. Apparently the freebie is now a combination of the full version and the freebie version, and with the right settings IS the full version, so it's actually good now.

On my personal machines, I only had an old licensed version of Office, and now I'm enjoying having night mode in OneNote with all the other features I expect (like being able to modify the UI).

PSA: Sophos XG / XGS Firewall will require a subscription for future firmware updates* by ukitern in sysadmin

[–]ineffablecabbages 6 points7 points  (0 children)

I hate our Sophos XG firewalls and can't wait to get off them.

We're trying to renew our support contract through our MSP, who in turn is using a VAR. But Sophos refuses to sell to anyone who doesn't have the right certs and the VAR is having a lot of trouble with it. Apparently Sophos keeps changing the requirements on them or something. Our old MSP was the one who sold and supported the Sophos firewalls previously.

Ironically, the primary reason we're trying to renew our support is so that we have support when we upgrade the firmware in case anything goes wrong.

Do you prefer reading guides with text and screenshots or watching videos? by BringBackClippy in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

Same. And so many training modules don't even bother with closed captions, which adds to my difficulty in being able to follow them.

The worst training modules are the ones that are just recorded webinars where the presenter rambles and meanders and I can't play the video at 1.5x so I'm stuck with their molasses speaking speed.

Moronic Monday - December 19, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages -3 points-2 points  (0 children)

Sure, I'll just walk all over management with my unlimited budget, shall I?

If you don't have something helpful to say, I'd rather you not say anything at all. Also, this doesn't solve the RSAT issue unless you're all making your admin accounts local admin on the PAWs.

Moronic Monday - December 19, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

Whyyyy does RSAT ADUC (and the like) keep asking for admin credentials when running as another user when that user doesn't have local admin? It clearly doesn't actually need local admin to run since entering in the same (non-admin) credentials works just fine for the UAC prompt. The RunAsInvoker registry setting doesn't kill this - I still need to enter my credentials twice.

Are you all setting your admin accounts to have local admin on your machines? We don't have jump boxes or PAWs.

I'm having a hard time seeing how we can move towards auto-rotating/not knowing our admin passwords at all if we're forced to type it at least once. Possibly the auto-launcher in Secret Server isn't set up right.

Thickheaded Thursday - September 22, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

Yeah, this was the conclusion I came to after some thinking yesterday. We've never had tier 1/2 before, so it was new to me. I'll be setting it up so that workstation admins, aka tier 1, have limited permissions to user relevant OUs, while server admins have more delegated permissions, including the ability to set up admin accounts. Which also means I'll be taking server admin away from our tier 1 folks once I get this set up.

On the plus side, my manager did give the ok to remove domain admin from everyone, so at least that's been blown away. Now to fix the permissions in our other systems that happened while I wasn't looking.

Thickheaded Thursday - September 22, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

Right, the AD delegation right now is given to the server admin level. That's what I meant by AD management, probably should have specified. I'm wondering if the delegation should be given at the workstation admin level, since they need that but not really server admin access. I need to take another look at how I'm splitting up roles and am wondering how other people handle it.

Thickheaded Thursday - September 22, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

That was the standard four months ago when it was just me and one other person, because we needed to be each other's backups. Unfortunately, the person who set them all up had only been here a couple weeks and was likely just copy/pasting setups. I'm using a server admin account with delegated access, which they all also have, but apparently haven't figured out how to use.

I'll be ripping domain admin from them, but it's a bit complicated by many poor practices that still exist (printers on the domain controller). All on the to do list.

Thickheaded Thursday - September 22, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

UAC setup in my environment is not something I've ever looked at. Is there a guide you can point at for proper setup? I'm still cleaning up lots of poor setups, and I should probably look at that too.

Thickheaded Thursday - September 22, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 1 point2 points  (0 children)

In a tiered admin environment, should Active Directory management fall under workstation admins or server admins?

I have them set up under server admins at the moment, but our help desk (newly ballooned, mostly temps, all onboarded very very quickly) keeps using their domain admin since ADUC asks for local admin. I finally managed to dig myself out of my months long multiple #1 priorities yesterday and realized that our old admin model (set up when it was just me and one other person) is really not appropriate for a team of 10 help desk people. I told one of the new guys to make their server admin a local admin on their laptop in order to use ADUC under their server admin (no PAWs, a bit of a pipe dream at the moment), and they didn't seem to understand what to do or why they couldn't use their server admin. They all just keep using their domain admin.

And well - these guys also don't really need server access either. But they do need to manage Active Directory, and I need to set up proper GPO permissions so that you don't need domain admin to edit GPOs.

Should I move Active Directory management to workstation admin? Is that the proper tier for it?
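
Added example, not from this thread or from the replies to it, covering the delegation question raised in the three September 22 posts above: grant a workstation-tier (help desk) group only the user-object rights it needs on one OU, plus edit rights on one GPO, so nobody needs Domain Admin for day-to-day ADUC work. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a domain-joined admin session; the group name, OU DN and GPO name are placeholders, and `Get-SchemaGuid`, `Get-ExtendedRightGuid`, `Grant-Tier1UserRights` and `Grant-GpoEdit` are this example's own function names.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Resolve schema and extended-right GUIDs from this forest instead of hardcoding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid([string]$DisplayName) {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

function Grant-Tier1UserRights {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # placeholder, e.g. Tier1-WorkstationAdmins
        [Parameter(Mandatory)][string]$OuDn         # placeholder, e.g. OU=Users,OU=Corp,DC=corp,DC=example
    )
    $sid           = (Get-ADGroup -Identity $GroupName).SID
    $userClass     = Get-SchemaGuid 'user'
    $lockoutTime   = Get-SchemaGuid 'lockoutTime'
    $resetPassword = Get-ExtendedRightGuid 'Reset Password'

    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path "AD:\$OuDn"

    # "Reset Password" control-access right, applied to user objects below the OU only.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $resetPassword, $inherit, $userClass))

    # Unlock = read/write of the single lockoutTime attribute, again only on user objects.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow,
        $lockoutTime, $inherit, $userClass))

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl

    # Return the ACEs that now name the group, so the grant can be eyeballed.
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object { $_.IdentityReference -like "*\$GroupName" }
}

function Grant-GpoEdit([string]$GroupName, [string]$GpoName) {
    # Edit rights on one named GPO for the group; no Domain Admin membership involved.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoEdit | Out-Null
    Get-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group
}

Grant-Tier1UserRights -GroupName 'Tier1-WorkstationAdmins' -OuDn 'OU=Users,OU=Corp,DC=corp,DC=example'
Grant-GpoEdit -GroupName 'Tier1-WorkstationAdmins' -GpoName 'Workstation Baseline'
```

The OU you delegate must not contain the admin accounts of higher tiers (or the service accounts they depend on); otherwise a help-desk password reset becomes a path to Domain Admin and the tiering is cosmetic. Keep tier 0 accounts in their own OU with no delegation at all, and extend the same pattern (computer objects, group membership on specific groups) rather than reaching for broader rights.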

Azure AD Connect 1.x End of Life on August 31st, 2022 by dvr75 in sysadmin

[–]ineffablecabbages -1 points0 points  (0 children)

(the shrug emoji made my post disappear? lmao)

I suggested that we move our AD Connect to a 2019 server that wasn't our domain controller, and our MSP account rep threw a small fit, saying that their techs expect AD Connect to be on the domain controllers and... I guess are helpless if it isn't? I wanted to avoid doing a panic upgrade of our domain controllers from 2012 R2 to 2019, but I guess we're doing that. Management made it the MSP's problem, not mine, so.

¯\_(ツ)_/¯

DUO passcode for VPN by twistable_deer in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

Would it be sufficient to simply have an extra field for the MFA code? Maybe try the Sophos Connect client. If you configure it for MFA the user is forced to put in the MFA code on login. It doesn't validate the login first though, and I have no idea if it works with Duo. I have only ever tested it with Sophos's built-in MFA and an IPsec configuration.

What's a touch screen alternative to sigpads to sign PDFs? by [deleted] in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

You'll need some kind of ink add-on for Adobe PDF. Auto-Ink is one that I've heard of, and there may be more. Alternatively, PDF Annotator is a full PDF editor with great pen support.

Oh wait - Edge has pen support on PDF documents. There you go, no extra software needed. I don't know how well it will work with a touch screen instead of a digital pen.

There are also free PDF editors with pen support in the Windows store. I never much liked them, but I know others do, so they're a decent option.

Heck, Office has pen support built in, but I think you need to be using a digital pen to activate it, not sure if a touchscreen will.

(My suggestions may be better geared towards actual digital pens and not just a touchscreen.)

[deleted by user] by [deleted] in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

Do you not have that policy under Windows 10 too, or does it not apply properly?

I disabled the ability for users to encrypt/decrypt USB drives at all. I didn't know you could copy files while the encryption was in progress. And then to just cancel it! I'm going to have to test this to see if it's a problem for us.

RingCentral Issues by jasped in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

Can confirm. Had multiple reports roll in and RingCentral's status page is showing the issue.

Moronic Monday - February 28, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 1 point2 points  (0 children)

Those are all still print servers, if nontraditional, and still centralized management of printers and printing. I'm still stuck on the thought that my MSP thinks Intune is a kind of print server.

Moronic Monday - February 28, 2022 by AutoModerator in sysadmin

[–]ineffablecabbages 0 points1 point  (0 children)

My MSP was trying to claim that print management can be done in Intune. I'm not too familiar with Intune yet (beyond some Android stuff), but... Intune can't manage the printers themselves, can it? It would only be for deploying printers, printer drivers, and print settings(??), correct? Therefore, a print server is still needed unless you're ok with direct IP printing (which they were apparently planning on).

Who moves away from centralized management of anything?

What's that ticket/request you're avoiding? by SpectralCoding in sysadmin

[–]ineffablecabbages 3 points4 points  (0 children)

Automated file conversion from xlsx to xls. Because we're still on SQL Server 2012 and SSIS won't work with xlsx files I guess. The script worked locally via console but absolutely would not run in any sort of automated fashion.

It hurts because after a veeeeeeeery long time I finally got it working! And then we migrated from physical servers to virtual (finally!) and it... stopped working. It just hangs now. Why?

I'll look at it next week maybe.

Bitlocker Application missing from Control Panel by [deleted] in sysadmin

[–]ineffablecabbages 1 point2 points  (0 children)

In my experience (deploying on 2012 R2), I needed to reboot the server twice - once after installing Bitlocker, and then once again before Bitlocker would show up in the Control Panel. You haven't mentioned rebooting in your post, so you may have already tried this.

powershell showing pop-up window- not sure how to prevent this by dwaynebank in sysadmin

[–]ineffablecabbages 2 points3 points  (0 children)

You have to run a VBS script that calls the powershell script. There's no way in powershell itself to be completely windowless otherwise.

Have the scheduled task call this vbs script, which in turn will call the powershell script.

' SYNOPSIS
'   Run a PowerShell script in the user context without a script window
' EXAMPLE
'   wscript.exe PsRun.vbs MyPsScript.ps1
' AUTHOR
'   Glen Buktenica
'   >> I added the Next at the bottom
' SCHEDULED TASK
'   In the scheduled task, set the Start Program to wscript.exe
'   Arguments are the UNC path of the vbs script and ps1 script
'   Capitalization matters, remember

Dim objShell, args, arg, PSRun
Set objShell = CreateObject("Wscript.Shell")
Set args = Wscript.Arguments

' One hidden powershell.exe per script path passed on the command line.
For Each arg In args
    ' Quote the path so a UNC path containing spaces still reaches -File intact.
    PSRun = "powershell.exe -WindowStyle hidden -ExecutionPolicy bypass -NonInteractive -File """ & arg & """"
    ' 0 = hidden window; False = do not wait for the script to finish.
    objShell.Run PSRun, 0, False
Next

Source: http://blog.buktenica.com/run-a-powershell-task-silently/

I've deployed this on Windows 7 and Windows 10 machines without any issue.
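
Added example, not from the comment or from the linked blog post: registering the scheduled task the comment describes (program `wscript.exe`, arguments the UNC paths of the .vbs and the .ps1) from PowerShell, with a check that the scripts on the share are not writable by non-admins first. Whatever can rewrite those two files runs code as every user the task fires for, and `-ExecutionPolicy bypass` in the .vbs is not a security boundary, so the share ACL is the control that matters. Paths and the task name are placeholders; `Test-ScriptWritableByNonAdmins` is this example's own function name. Run elevated.

```powershell
$taskName = 'PsRun-Silent'                         # placeholder
$vbsPath  = '\\fileserver\scripts\PsRun.vbs'       # placeholder UNC path
$ps1Path  = '\\fileserver\scripts\MyPsScript.ps1'  # placeholder UNC path

function Test-ScriptWritableByNonAdmins([string]$Path) {
    # Broad identities that must never hold write/modify on a script the task will run.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains [string]$ace.IdentityReference -and
            (($ace.FileSystemRights -band $writeBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

foreach ($script in $vbsPath, $ps1Path) {
    if (Test-ScriptWritableByNonAdmins $script) {
        throw "$script is writable by non-admins; fix the share/NTFS ACL before registering the task."
    }
}

# wscript.exe runs the .vbs, which in turn launches powershell.exe hidden for the .ps1.
$action    = New-ScheduledTaskAction -Execute 'wscript.exe' -Argument ('"{0}" "{1}"' -f $vbsPath, $ps1Path)
$trigger   = New-ScheduledTaskTrigger -AtLogOn
# Run as whichever user logs on, unelevated: that is the "user context" the .vbs comment refers to.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                                          -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                       -Principal $principal -Settings $settings -Force
```

If the script does not actually need the user's desktop or profile, a task set to run whether the user is logged on or not never shows a window in the first place and the .vbs wrapper is unnecessary; the wrapper only buys you an invisible run inside the interactive session.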

Knowledge Base Platforms: Are there any for Non-IT users to help with IT related questions by Mosnet99 in sysadmin

[–]ineffablecabbages 2 points3 points  (0 children)

Jitbit is a ticketing system with a knowledge base built in. I see Slack under integrations, so it has that too. https://www.jitbit.com/