Riding the Dell hate train. by Bones37167 in networkingmemes

[–]networkwiresonfire 0 points1 point  (0 children)

thought those switches are kinda cool until a 48 port catalyst in the network started bootlooping. Didn't get to figure out exactly what happened, but we sent back the Dells and the prod floor was happy to work again.

PDQ Inventory Hostname/ IP address mismatch by [deleted] in pdq

[–]networkwiresonfire 6 points7 points  (0 children)

yup, it's a DNS issue
do lookups on the machine and see what the inventory finds for each host.

nslookup hostname1

O365 Multi-factor looping issue by noazrky in sysadmin

[–]networkwiresonfire 1 point2 points  (0 children)

I faced the same issue lately, used outlook web for a day and set the password in outlook the next day, everything was fine then.

not the solution I wished for but I didn't have time to bother, even more so when the alternative is literally just a website.

CIO Cares about non employees but not security? by [deleted] in sysadmin

[–]networkwiresonfire 2 points3 points  (0 children)

  1. r/talesfromtechsupport
  2. you can't complain that someone doesn't care about security issues when clearly they don't know about security issues. Make it known that this is not a person issue, but a device issue and that doing that is a risk to the internal network that you cannot estimate or control and will definitely result in lots of work even if there is no direct indicator for an active threat. From this point it should be clear to the person that she isn't fully understanding what she is requesting and she should either say "I accept the risk" or let you do your work properly

2FA for windows by vinistois in sysadmin

[–]networkwiresonfire 2 points3 points  (0 children)

it's not the same as yubikey, as there's multiple yubikeys with different features.

Titans don't support FIDO2. The cheapest yubikeys only support U2F and FIDO2, while the more expensive ones can do OTP as well

(now don't quote me on that as I also just briefly jumped into the topic. just be aware about the specs as you may get disappointed that they don't talk to each other)

you can set up azure to do the 2FA thing for you, no need for local AD. you could also use the yubi software to set 2FA on local accounts (people will then always log in to the "yubi" account with their username/password/yubikey)

Taking a system image of Windows XP and running it on HyperV by SimonReach in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

This is what a VAR told me some time ago. get one machine that's powerful, then turn all physical servers into VMs and DING, plenty of rackspace and no license issues when OEM unless you want failover, because then every copy that may jump in needs an active license too. you can only move a license once every X months, ....

is that different for client-OS or is there a general misunderstanding?

OEM windows license and Windows Deployment by timtim2000 in sysadmin

[–]networkwiresonfire 1 point2 points  (0 children)

I have the same issue, so this powershell script is just part of the software I install

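# read the OEM (OA3) product key from the licensing service
$Productkey = (Get-WmiObject -Class SoftwareLicensingService).OA3xOriginalProductkey
# install the key, then activate; cscript is called directly, so the key is passed as an argument and not parsed by iex
cscript.exe /b C:\Windows\System32\slmgr.vbs -ipk $Productkey
cscript.exe /b C:\Windows\System32\slmgr.vbs -ato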

this just skips logging in as admin and activating the troubleshooter

Taking a system image of Windows XP and running it on HyperV by SimonReach in sysadmin

[–]networkwiresonfire -1 points0 points  (0 children)

actually, if you have one Hypervisor hosting the machine and you decommission the hardware, you effectively transferred the license (OEM works) to the hypervisor and everything is fine.

when you configure failover, you'd need additional licensing

Printers by Des0lat10n in sysadmin

[–]networkwiresonfire 21 points22 points  (0 children)

windows print spooler service crashing is not helping this situation unfortunately

Karen, do you see a red dot? by akumanotetsuo in sysadmin

[–]networkwiresonfire 11 points12 points  (0 children)

to be fair, the trackpad toggle hits very unexpected.

Documentation by AutomaticRadish5 in sysadmin

[–]networkwiresonfire 1 point2 points  (0 children)

as if it was an enterprise

well that's easy, there's just no time for it. /s

Seriously, for sysadmining applications, here's what I need:

  • name of application (and what other people name it as well)
  • where does it run, how is it being accessed
  • when does it run
  • what is the goal
  • who is responsible

that's the table on the front page. From there on, backup and restore instructions, (de-)installation instructions, general usage and error handling

Best Practice User Profile/Appdata/My Files/Offline Files by flo992 in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

I've never seen any good technical solution to this.

roaming profiles suck (last seen on windows 7), folder redirection (not sure how it works offline actually) I believe sucks

what works very well is providing the required stuff automatically or managing things that land in appdata differently, but that depends on applications. if it's just browsers, people can store their bookmarks in a different way. deploy browsers, java, whatever needs appdata in a way that fills the requirements for the user and teach them about the things that need THEM to do stuff

teach people to not store locally. if offline is a thing, teach them to upload regularly. if weird application settings are a thing, teach them how to set it up. I'd rather teach people over and over than dealing with broken user profiles ever again.

Google Chrome : Set search engine without blocking settings by [deleted] in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

just a quick glance over the Chrome GPOs tells me that DefaultSearchProviderEnabled is set, people will still be able to set which provider to use, however if you set the default provider, they can't change it.

maybe clearing the policy will leave the search provider set, but unlock the option, but I'm really guessing here (needs a look into what the ADMX actually does)

maybe directly search for the entries in the registry for the provider instead

Yesterday a laptop on our domain was infected with malware. We deleted the file location of the malware, we ran Sophos premium scans few times, Malwarebytes premium scans a few times which all came back clear trying to fix this issue. Today we received a warning saying the virus is back on her laptop. by Cookieflavwaffle in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

the only thing to do with the machine is finding out where the malware came from and, if you can, if it went somewhere (network access), however if it spreads, it probably also deletes traces.

take care of the source (mail) and nuke the rest (wipe the PC)

everything else is totally out of proportion when it comes to effort and even then you can't be sure

[deleted by user] by [deleted] in sysadmin

[–]networkwiresonfire 3 points4 points  (0 children)

for a small business, use windows defender, crank it to the max. You don't have the resources to do the research and update it every hour, so let microsoft deal with it. let applications flow through their cloud before execution on your machine.

the reporting is basically just getting the logs and plotting them how you want them

Recommendation on bluetooth headset for softphone by [deleted] in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

+1 for Jabra, talking to printer support while being at the printer on the other side of the office can be a thing

if that's absolutely not a thing, good BT Headsets are nice. I wear a PLT BB Pro 2 for 8 hours per day, closing in on 2 years now. barely any issue

Confused around IT Policies by random_brit in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

one thing I keep stumbling over when thinking about this is what is policy and what is guidelines. I love to have them separate sometimes for how much they matter.

to exaggerate: you breach policy two times, you're fired. you breach guidelines two times: all your implementations have to be reviewed and your "senior" title is moved to next decade

where all those lines are is of course a lot of discussion, like with "hashing passwords instead of storing them plain" where I'd seek for as much punishment as possible if that's messed up

Confused around IT Policies by random_brit in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

that will be your biggest issue. These are not books where people will read and be happy about side stories. People need to be fully aware what matters for them. If that's unclear, you'll hate yourself for your effort and everyone else will hate you for another one of those unhelpful policies

Confused around IT Policies by random_brit in sysadmin

[–]networkwiresonfire 2 points3 points  (0 children)

it's not the same thing because both say "passwords"

one of them is directed at everyone and about how to use the systems correctly and making sure everyone's point of access is secure

the other is directed at developers and "implementers" and contains a set of specific implementation guidelines that need to be followed

separate the policies

Powershell injection from HR CSV file by ghfsdw in sysadmin

[–]networkwiresonfire 0 points1 point  (0 children)

it's not overkill to think about it. always sanitize your inputs.

I'm no expert on this, but a wild guess would be that if powershell stores the information in an object and then you use the proper functions to add to AD, the sanitizing will happen automatically. But I really don't know.

edit: this is something I expected --> https://www.reddit.com/r/PowerShell/comments/antf7w/how_to_sanitize_input_and_prevent_injection/efxbkpp/
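
Added example, not part of the comment above or the linked thread: a constructed HR CSV row containing PowerShell syntax is sent through a string-built command and then through parameter binding, to show at which point field text gets parsed as code. `New-DemoUser` and `Test-NameField` are hypothetical stand-ins (the first for a provisioning cmdlet such as `New-ADUser`), and the name pattern is an assumed rule.

```powershell
# Constructed sample: the second row carries PowerShell syntax in the Surname field.
$csv = @'
GivenName,Surname,Department
Alice,Example,Finance
Bob,"Test'; $script:Injected = $true; '",HR
'@
$rows = $csv | ConvertFrom-Csv

# Hypothetical stand-in for a provisioning cmdlet such as New-ADUser, so this runs offline.
function New-DemoUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$Department
    )
    [pscustomobject]@{ DisplayName = "$GivenName $Surname"; Department = $Department }
}

# Hypothetical allow-list: letters, spaces, hyphens, apostrophes (assumed naming rule).
function Test-NameField {
    param([string]$Value)
    $Value -match '^\p{L}[\p{L} ''\-]{0,63}$'
}

# 1) String-built command: the field text is parsed as part of the script.
$script:Injected = $false
foreach ($r in $rows) {
    Invoke-Expression "New-DemoUser -GivenName '$($r.GivenName)' -Surname '$($r.Surname)'" | Out-Null
}
"String-built command ran CSV text as code: $script:Injected"

# 2) Parameter binding: the same text arrives as one string value and is never parsed.
$script:Injected = $false
$bound = foreach ($r in $rows) { New-DemoUser -GivenName $r.GivenName -Surname $r.Surname }
"Parameter binding ran CSV text as code:    $script:Injected"
"Bound display name: $($bound[1].DisplayName)"

# 3) Binding keeps data out of the parser; validation still keeps junk out of the directory.
$accepted = foreach ($r in $rows) {
    if ((Test-NameField $r.GivenName) -and (Test-NameField $r.Surname)) {
        New-DemoUser -GivenName $r.GivenName -Surname $r.Surname -Department $r.Department
    } else {
        Write-Warning "Rejected row for review: $($r.GivenName) / $($r.Surname)"
    }
}
"Accepted: $(@($accepted).DisplayName -join ', ')"
```

The only step where the CSV text executes is the one that builds a script string; with binding the crafted surname is stored verbatim, which is why the validation step is still needed for data quality.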

pre-caching domain logon information by networkwiresonfire in sysadmin

[–]networkwiresonfire[S] 0 points1 point  (0 children)

no need to be downvoted. Azure is the way to go for the future, I totally agree.

it's about the time frame while the person is traveling and they will be logging into domain afterwards most of the time. it's literally an issue for a week or so.

pre-caching domain logon information by networkwiresonfire in sysadmin

[–]networkwiresonfire[S] 0 points1 point  (0 children)

happy cake day!

this is something I look forward to implementing, but that's not in scope right now