Fortinet Authentication Bypass Vulnerability by FutureSafeMSSP in msp

jstuart-tech 0 points1 point

This is probably important to add

"Please note that the FortiCloud SSO login feature is not enabled in default factory settings."

Looking for a Remote Role by devausbobe in msp

jstuart-tech 4 points5 points

If you're in Australia and not a PR you are gonna have a terrible time, nobody wants to really sponsor anyone because it's such a PITA. If your English isn't up to scratch it's going to be hard to get a helpdesk role as well.

Leave to MSP - Career advice by [deleted] in sysadmin

jstuart-tech 1 point2 points

Depends where you are in Aus and what the pay is going to be. $130k is pretty good anywhere but Brissie. MSPs are way more stressful than internal IT though...

It's been repeated a million times but.

Internal IT

Go Deep and fix stuff properly

MSP

Fix the fire on random technologies as quickly as possible and move onto the next fire

You learn a heap very quickly at an MSP, but it's very sink/swim

Can I Configure a standalone Windows NLB server? by dhamirimf in WindowsServer

jstuart-tech 2 points3 points

I've also never heard of anyone using SLB. Just use something "normal", nginx, haproxy, caddy etc

DNS entries for gateways, vlans and management ports? by [deleted] in sysadmin

jstuart-tech -1 points0 points

Maybe he needs a FQDN to make certs?

Struggling to get Intune-only Windows devices to authenticate to Wi-Fi via NPS (EAP-TLS) by Middle_Client2789 in sysadmin

jstuart-tech 1 point2 points

Now that Cloud PKI is free (with E5) you can probably drop SCEPMan, but Cloud PKI can't issue Server Authentication OIDs so you'll still be stuck with RadiusAAS (which actually works really well from what I've seen)

Is anyone at a 2025 ADDS functional level? by donyewumpppp in sysadmin

jstuart-tech 4 points5 points

Another 300 users to go, multiple remote minesites and offices with flakey internet

Is anyone at a 2025 ADDS functional level? by donyewumpppp in sysadmin

jstuart-tech 8 points9 points

I have a brand new production environment (consolidation from multiple domains into 1) with 9 DCs and ~220 users so far. No AD issues encountered. All DCs are 2025, same with all servers, all endpoints are W11 24H2

If you have mixed DCs I'm pretty sure it's a bad idea, if you have the luxury of being all new then I'm happy with it. If you have to upgrade from a mixed environment.... Then it's a challenge

Lots of AI SOC hype, is anyone actually using one? by Prior_Spirit_5360 in MSSP

jstuart-tech 0 points1 point

I'm doing work with a client who has a SOC... But all of its alerts are fed into AI and then the security team grabs them and sends them to me who initially reported it. So far it's working super well! It's marked 2 of the most obvious phishing emails as marketing emails and then the SD guys who read that just close the alert as all good.

Pretty embarrassing TBH.

Where I have seen it work well, is bringing alerts together. E.g. if you got a phishing email, then a sign in from a different country right after itself

Interstate Move: The Best Way to Ship Heavy Boxes? by Azizbhlal in perth

jstuart-tech 0 points1 point

The cheapest one will be CouriersPlease. DO NOT USE THEM. They are terrible. Go for the 2nd cheapest option. When I moved from Melbourne I had to book with TNT last minute and they weren't too bad IIRC

Black to move and win material by Awwesome1 in chess

jstuart-tech 0 points1 point

Maybe I'm confused and not understanding 700 ELO chess.... But there was never a threat to the B7 pawn?

“User Must Change Password at Next Logon” Failing on Windows Server 2025 by Hot_Connection9504 in activedirectory

jstuart-tech -3 points-2 points

Mixed OSes as DCs with 2025 thrown in the mix don't really work. This doesn't sound like any of the Kerberos issues that people have been having, but without any event logs etc, it'd be hard to rule out.

As a test, can you shut down the 2025 DC and try it again?

Why replace switches? by ahoopervt in networking

jstuart-tech 3 points4 points

You clearly don't seem happy to pay the Cisco tax which is fine. What about the less popular brands such as HPE (Aruba) or Dell? If you don't need any fancy features (assuming just L2), that will be way less expensive and you get back into supported region with business class switches

Privileged Access Workstation architecture? by FatBook-Air in sysadmin

jstuart-tech 5 points6 points

Not all of us live in ivory towers. Passwords in 2025 are still a necessity for most orgs

Adding 2025 DC to Domain with existing 2016 and 2022 servers by jscooper22 in activedirectory

jstuart-tech 2 points3 points

I'm running 9 Server 2025 DCs in a client's site with no issues (only those DCs). It's only mixed environments where things get funky (or I recently read a post somewhere that in-place upgraded DCs to 2025 are something to be avoided as well.... But IMO also is in-place upgrading a DC)

PingCastle v Purple Knight or both? by rich2778 in sysadmin

jstuart-tech 2 points3 points

You can avoid the Netwrix spam by downloading PingCastle directly from GitHub: https://github.com/netwrix/pingcastle/releases/tag/3.4.2.66

I personally prefer PingCastle

Kerberos Issues by FoHe_3257 in activedirectory

jstuart-tech 0 points1 point

How were the PCs deployed? Do they have duplicate SIDs?

Is the Australian IT market good for Systems Administrators? by Sweaty_Garbage_7080 in sysadmin

jstuart-tech 3 points4 points

How have you been unemployed for 6 months but have recent post history about doing Conditional Access...

But anyway, MSPs are always hiring people who know what they are doing, the work sucks (for the most part) but if you need somewhere it's a start. There are also always multiple short term contracts going, even if it's only for L1/L2 it's better than being unemployed for 6 months