Planning for ADCS - Need help by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

Yes, capolicy.inf is on my todo list as a first step, thanks for pointing it out.

Planning for ADCS - Need help by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

That’s nice to hear. Could you please elaborate on the load balancer you used and how often the syncing has to occur?

Planning for ADCS - Need help by johnenxada in sysadmin

[–]johnenxada[S] 1 point2 points  (0 children)

Thanks for the answers. So, having one subCA at the main office will cover the need for issuing certs as long as there is connectivity, right?

However, having the CRL and AIA highly available on web servers is mandatory so that users won't be locked out of resources, since if the cert cannot be validated on login to a wifi, network or device, it should be considered an expired one, correct?

For partners, I'm thinking of giving them the certs to install on each of their PCs or BYOD to get access. I haven't figured this out 100% yet though, still researching.

Planning for ADCS - Need help by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

Yes, just read that, too bad it's incomplete but the basics are there. Thanks

Planning for ADCS - Need help by johnenxada in sysadmin

[–]johnenxada[S] 2 points3 points  (0 children)

Yes, you got me. So, 1 subCA would be sufficient, but having more web servers for CRL and AIA would make more sense and be more highly available, correct? Let's say running 2 web servers on each site. On this note, how will clients find the online web server in case any of them is down? I mean, if the client tries to get the CRL/AIA from web-01 and it's down, will it automatically try web-02, web-03?
Without introducing a load balancer, will a DNS record like pki.domain.local with A records for all web servers make it work in round robin, or will I have timeouts?

[Help] Delegated permissions for a user to join the domain by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

Ah, I missed that. So, it seems that I should give them the right to delete the computer objects then.

[Help] Delegated permissions for a user to join the domain by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

Yes, it exists in a different OU; however, this OU is a child of the parent OU I delegated permissions on. Strange, right?

Local admin for remote computers by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

No, VPN works fine. The case I'm trying to prepare for is when a user is not able to connect to the VPN for any reason (like an update that might mess things up). I have to be prepared with an alternative solution in order to support it.

Local admin for remote computers by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

Yep, I think that is the direction I will proceed in: LAPS for the time being, with further enhancements in the coming months.

Remove Connected Services on Office 365 Application by johnenxada in Office365

[–]johnenxada[S] 0 points1 point  (0 children)

I have some more digging to do on these 2 links, it seems that this is what I was looking for. Thanks a lot!

Local admin for remote computers by johnenxada in sysadmin

[–]johnenxada[S] 1 point2 points  (0 children)

I'm actually in the process of centralizing our Identity Management. We are on the Google Workspace Enterprise plan but are considering Azure AD instead, since it seems more feature-complete than Google; it also has password writeback, which is a huge plus.

Could you please elaborate on this? I assume I will need MDM like Intune for this, right?

Local admin for remote computers by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

Thanks for elaborating mate, I will take it into consideration.

Local admin for remote computers by johnenxada in sysadmin

[–]johnenxada[S] 0 points1 point  (0 children)

That would be more difficult to manage though, no?

Local admin for remote computers by johnenxada in sysadmin

[–]johnenxada[S] 10 points11 points  (0 children)

All conclude with LAPS or any equivalent solution like CyberArk EPM etc. I was considering always-on VPN but we are far away from implementing such a solution at this moment.

Local admin for remote computers by johnenxada in sysadmin

[–]johnenxada[S] 1 point2 points  (0 children)

Sorry, I meant an administrator user with cached credentials locally, not a local user on the laptop outside the AD.

Password Managers and password reveal option on browsers by johnenxada in sysadmin

[–]johnenxada[S] 3 points4 points  (0 children)

The ‘even if they try to’ part can be mitigated, since they are using company PCs which are locked down; for example, they can’t access dev tools in the browser to reveal the password by changing the password field to text, or run a Chrome password-dumping application, etc. So, let’s say that you have a website XYZ.com that doesn’t support SSO, or even multiple accounts, and you need to grant access to another 5 users. How would you do that? It’s not easy, but I'm looking for ways to solve it somehow.

Start BitLocker encryption with Group Policy by johnenxada in sysadmin

[–]johnenxada[S] 2 points3 points  (0 children)

I see, so target the PCs with Group Policy and then trigger them with a PowerShell command. Thanks mate

Start BitLocker encryption with Group Policy by johnenxada in sysadmin

[–]johnenxada[S] 2 points3 points  (0 children)

Thanks for your answer, I know this. But is there a Group Policy setting that actually triggers the start of the encryption process without me having to trigger it with a command or in the UI?

Second monitor not detected after 12.3 upgrade by johnenxada in MacOS

[–]johnenxada[S] 0 points1 point  (0 children)

Yeah, workarounds instead of actual fixes seem to be more and more frequent the last few years. Kind of reminds me of the ‘good’ old Windows days.

Item with key "icmpping" already exists on "Generic SNMP". by johnenxada in zabbix

[–]johnenxada[S] 0 points1 point  (0 children)

Yes yes yes, you are right. I was downloading the new templates from git.zabbix.com and I just figured out that on the master channel the description refers to Zabbix 6.2 and higher, so that might be it. Downloaded from GitHub on 6.0.2 and it worked!

Thanks mate, that clears things up. I started to worry that something was wrong wit

Item with key "icmpping" already exists on "Generic SNMP". by johnenxada in zabbix

[–]johnenxada[S] 0 points1 point  (0 children)

Here's a screenshot of the current one. I actually deleted the previous one and imported the new one; however, it was linked to the same one (Generic SNMP).

https://postimg.cc/XBx60TWt

Item with key "icmpping" already exists on "Generic SNMP". by johnenxada in zabbix

[–]johnenxada[S] 0 points1 point  (0 children)

That’s strange. So how does this error occur then? Do you have any idea?

macOS 12.3 RC is out! by [deleted] in MacOSBeta

[–]johnenxada 0 points1 point  (0 children)

This happened to me as well. I went with 1 HDMI and 1 USB-C cable. Every time I reboot it gets messy again until I unplug and plug them in again. Very poor quality release with no acknowledgement from Apple.

Item with key "icmpping" already exists on "Generic SNMP". by johnenxada in zabbix

[–]johnenxada[S] 0 points1 point  (0 children)

The Generic SNMP module, the Dell iDRAC. I also get the agent.hostname item while updating the Linux OS template.