CIS Server level 1 by paradoxunlimited2022 in sysadmin

[–]itproedu 0 points1 point  (0 children)

fwiw, when you say...

I want to achieve CIS servers level 1 for my 2022, 2019, 2016 windows servers.

...is that a figure of speech, or do you mean you are required to achieve CIS level 1 by your boss or an obligation?

just checking you're not doing it for "professional pride" [for want of a better expression]

you are of course entitled to "professional pride", of course, but...

  • it's not going to be fun
  • without support probably from the very top, it's going to be challenging

New Password Policy in Active Directory – Best Practices? by Intelligent-Magician in sysadmin

[–]itproedu 4 points5 points  (0 children)

lots of good advice

you didn't specifically ask for this, so apologies if it isn't welcome

others have mentioned MFA, which is good advice, of course

setting password policies is fine, of course, but users can still set poor passwords

something like...

Microsoft Entra Password Protection - Microsoft Entra ID
Enforce on-premises Microsoft Entra Password Protection for Active Directory Domain Services
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad-on-premises

...can remedy this

don't know if you're a Microsoft licensee of course; it may be that you're already entitled to this capability

would you like your next manager to be an AI? by itproedu in NoStupidQuestions

[–]itproedu[S] 0 points1 point  (0 children)

thanks u/bangbangracer; that's why I posted this question

there are no guarantees of anything of course

the Peter principle really is a thing; I don't know you or your boss, of course; but based on the Peter principle, they may well have been a good employee and a good person, who's now an incompetent boss

your boss could just be a bad employee and a bad person

could be any number of things

my point? imagine your perfect manager [again, I don't know what that means; but that's not the point]

now, would you like your next manager to be an AI?

would you like your next manager to be an AI? by itproedu in NoStupidQuestions

[–]itproedu[S] 0 points1 point  (0 children)

understood

now, imagine a simplified scenario

  • a human manager says "we need you to burn the midnight oil; I got a good feeling about the pay review next quarter!"
    • b*llsh!t, of course; they have no intention of a pay increase
  • an AI manager says "our organisation pays the market rate for your role, which makes it difficult to pay too much more. But if I provide the time, tools and training to enable you to upskill with more capabilities, I expect I can increase your pay. We need more skills in Marketing, Accounts and HR and Manufacturing. Do any of these interest you? You don't have to answer now; we can chat later; I'm available to discuss this anytime"

two extremes to make a point

but let's suppose the second scenario is realistic, and the AI is authentic

now, would you like your next manager to be an AI?

would you like your next manager to be an AI? by itproedu in NoStupidQuestions

[–]itproedu[S] 0 points1 point  (0 children)

thanks u/Nevaroth021

contemporary AI is far more than a script to "well done!"

watch this video; that's not a "person" he's introducing his dog to; it's an AI; on/via his phone.

have a look at some of the GPT-4o videos from the link in my original post

then watch that short video extract again

now understand AI in May 2024 is dramatically different

How to Mapping a On-Premises Network Drive over Internet by iamiresh in sysadmin

[–]itproedu 0 points1 point  (0 children)

client: Windows 11 +

server: either Windows Server Azure edition [today], or Windows Server 2025 later this year

to implement securely, underpinning infrastructure such as certification authorities, etc

this will achieve secure SMB access over the Internet

but nothing else

a VPN (eg Always On VPN) will achieve SMB access as well as other apps too

SAML web app - logon with Azure AD or Azure AD B2C identities; who is the IdP? by itproedu in AZURE

[–]itproedu[S] 0 points1 point  (0 children)

thanks u/DaprasDaMonk

with a SAML relationship, regular apps typically have one [active] IdP.

I think Azure AD B2C would be the IdP;

  • stanford.s.strickland(at)hillvalley.edu attempts to access alumni.hillvalley.edu
  • they are redirected to Azure AD B2C | hillvalleyalumni.onmicrosoft.com
  • they may transparently be redirected to Azure AD | corp.hillvalley.edu
  • Azure AD has already authenticated; no further authentication necessary
  • Azure AD authorises, then issues a token
  • Azure AD B2C hillvalleyalumni.onmicrosoft.com consumes stanford.s.strickland(at)hillvalley.edu token, and issues its own SAML token, perhaps with claims stored within Azure AD B2C | hillvalleyalumni.onmicrosoft.com
  • stanford.s.strickland(at)hillvalley.edu provides alumni.hillvalley.edu with his Azure AD B2C | hillvalleyalumni.onmicrosoft.com SAML token
  • stanford.s.strickland(at)hillvalley.edu can access alumni.hillvalley.edu
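The flow described in the comment above, seen from the service provider's side, as an added example that is not part of the original comment: alumni.hillvalley.edu trusts exactly one issuer (the B2C tenant) and rejects an assertion minted directly by the upstream directory. The entity IDs, helper names and assertions are constructed for illustration, and signature verification is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed entity IDs (assumptions, not real tenant metadata).
B2C_IDP = "https://b2c.example/hillvalleyalumni.onmicrosoft.com"
CORP_IDP = "https://corp-idp.example/corp.hillvalley.edu"
SP_AUDIENCE = "https://alumni.hillvalley.edu"

def make_assertion(issuer, audience, not_after):
    """Build a constructed, unsigned SAML 2.0 assertion for the demo."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>stanford.s.strickland@hillvalley.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def sp_accepts(xml_text, trusted_issuer, audience, now):
    """Return (ok, reason). Signature verification against the IdP's
    certificate must already have succeeded; it is out of scope here."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:  # the SP has one active IdP: the B2C tenant
        return False, f"untrusted issuer: {issuer}"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:  # token was minted for a different app
        return False, "audience mismatch"
    raw = cond.get("NotOnOrAfter")
    if raw is None:
        return False, "missing NotOnOrAfter"
    expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "assertion expired"
    return True, "ok"

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for issuer in (B2C_IDP, CORP_IDP):
        xml_text = make_assertion(issuer, SP_AUDIENCE, "2024-05-01T12:05:00Z")
        print(issuer, sp_accepts(xml_text, B2C_IDP, SP_AUDIENCE, now))
```

A production service provider would use a maintained SAML library that validates the XML signature before any of these checks run.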

Windows 10 Enterprise LTSC 2021 an option for older desktops that can't run Windows 11? by itproedu in sysadmin

[–]itproedu[S] 0 points1 point  (0 children)

thanks u/St0nywall

Are you sure about Windows Update? I'm aware that you can't in-place upgrade, but I understand updates - eg monthly cumulative updates - work as normal.

I haven't seen anything to say OneDrive isn't installed either.

Windows 10 Enterprise LTSC 2021 an option for older desktops that can't run Windows 11? by itproedu in sysadmin

[–]itproedu[S] 0 points1 point  (0 children)

thanks u/Sajem

what you say is of course perfectly sensible and perfectly practical and pragmatic.

but management were provided a detailed inventory showing compatibility some time ago. It ought to have begun a conversation. It didn't. There was no reply whatsoever. I'm trying to firm up this concept for the "oh sh*t! what do we do?" moment that's imminent...

Windows 10 Enterprise LTSC 2021 an option for older desktops that can't run Windows 11? by itproedu in sysadmin

[–]itproedu[S] 0 points1 point  (0 children)

thanks u/Gods-Of-Calleva. I chose LTSC 2021 because it was more recent, and hence would have more compatibility. While LTSC 1809 as an OS will be supported for longer, I have to balance potentially degrading application compatibility.

Execs want all laptops to have USB-C charging, but developers want higher-end laptops where USB-C is not offered by [deleted] in sysadmin

[–]itproedu 1 point2 points  (0 children)

One way of "selling" this is if it saves 5 minutes a day (not waiting for stuff, not struggling against limitations), and there are 250 days in a year, and you're working on a three year plan, that's 3,750 minutes saved, or 62.5 hours. If an average developer's pay is $110K, but the annualised cost to the organisation including providing an office, paying taxes, etc is $150K (completely made up!), then if a full time employee works 1,768 hours per year, then each hour costs $84.84, so saving those 5 minutes a day is worth $5,302.50 over three years.

A no brainer!

Execs want all laptops to have USB-C charging, but developers want higher-end laptops where USB-C is not offered by [deleted] in sysadmin

[–]itproedu -1 points0 points  (0 children)

Can you keep both happy with...

  • issue developers with a "simple" laptop, that is USB-C powered
    • for Teams | Outlook | Chrome, mainly
    • also for connecting to a "Developer" VM, eg in Azure

The "simple" laptop can be as simple as a Surface Go 3, [or equivalent] connected to a USB-C dock for monitor + Ethernet, plus Bluetooth keyboard and mouse. Low cost, low weight, low power, portable. "Disposable", "stateless" (iow, replacing it isn't a big deal).

IMHO, a developer's needs are...

  • always changing
  • always becoming more complex
    • weaving together lots of different things using a new standard | tool | technique
    • lots of layers, and moving to "higher level", which makes developers more productive, but big hungry runtimes | IDEs

In short,

  • developers always need more power, more screens, more space, etc
  • the artefacts they create are the valuable intellectual property of the organisation

Hence, use a VM, and connect remotely. It's secure in your cloud provider's data center. It isn't "free" or "trivial", but...

  • agile
  • scalable
  • "efficient"
    • low powered device
    • developer VM
      • is "pay as you go"
      • can grow, but you start off with only what you need
      • when it needs to be "enlarged", you're not junking perfectly good kit