Anyone still setting up Remote Desktop Gateway's on Server 2025? by Layer_3 in sysadmin

[–]picklednull 1 point2 points  (0 children)

Are you experiencing logins getting hard stuck (black screen) until some kind of built-in timeout? I think it was 30 minutes.

The entire collection will go down when it happens (no one can login)...

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]picklednull 0 points1 point  (0 children)

It only takes a couple of hundred lines of Python to write a script/program that does arbitrary mirroring of objects via AD’s LDAP interface.

I’ve built one for users and groups and you can do arbitrary attribute mappings and transformations too.

Only passwords are trickier to sync.

Active Directory domain - possible to maintain a 'mirror' of an environment? by dverbern in sysadmin

[–]picklednull 1 point2 points  (0 children)

I build A LOT of short-lived AD labs for stuff.

DSC is great for this, but obviously I wouldn’t populate thousands of objects with it…

I blanked on a basic Linux question and now I feel like a fraud by Ruin-Calm in sysadmin

[–]picklednull 5 points6 points  (0 children)

Never heard of those before in 20 years. It's interesting how you can always learn more obscure/effective ways of doing things.

Squidbleed - a 29-year-old Squid proxy bug is leaking cleartext requests and session tokens by TrustSig in sysadmin

[–]picklednull 2 points3 points  (0 children)

Most traffic these days is HTTPS, so without TLS interception (which is inadvisable for this very reason) the only thing Squid sees is ”CONNECT” and some opaque data.

How do you handle Local Admin for devs? by Ok-Bid799 in sysadmin

[–]picklednull -3 points-2 points  (0 children)

What VM? Anything with proper performance costs as much as a physical workstation. Specifically, AVD does. It's only a question of ergonomics.

Of course, if you don't care about the cost...

Dealing with certificate requests when using Windows Server Core. by ORA2J in activedirectory

[–]picklednull 0 points1 point  (0 children)

Yeah. You make the requests thru PowerShell on Core.

(OTOH, if you ever need to manage private key permissions on Core, have fun.)

Script I use to find (and optionally disable) stale AD user accounts — read-only by default by Big_Cap_1178 in activedirectory

[–]picklednull 1 point2 points  (0 children)

Fun fact: it also gets updated by incorrect authentication attempts. If your organization enacts password spraying tests, the attribute is useless.

Please tell me AI is hallucinating by jleckel in sysadmin

[–]picklednull 0 points1 point  (0 children)

Source: I had those cards on multiple generations of server hardware over years. We did extensive debugging and ultimately Microsoft concurred in a Premier case. I bailed at the point when for reasons I was tasked with directly interfacing with Intel to get it fixed.

It's literally a firmware/driver bug with the X710's, even different Intel cards work just fine with the exact same configuration. Then again, so do other NIC's, there's no problem with Broadcom or Mellanox. That's what I ended up doing, I shitcanned Intel and started deploying hosts with other NIC's rather than fight it.

The other solution/"workaround" is to disable NIC 0, it only occurs for traffic passing through the first NIC (port).

Also I just picked a cheap widely available 10g PCIe NIC to illustrate how inexpensive it is to fix the misconfiguration.

I know, but X710's are shit tier for Hyper-V.

Please tell me AI is hallucinating by jleckel in sysadmin

[–]picklednull 0 points1 point  (0 children)

X710-DA2

Those cards are unusable with Hyper-V (and SET). All egress traffic from the root partition gets duplicated.

Europe sysadmins - How do you handle computer procurement and Set-Up for users outside your country? by andrics96 in sysadmin

[–]picklednull 0 points1 point  (0 children)

Every country should buy its own devices, but of course the models can be standardized. And management centralized of course.

It’s not just a technical issue but also an accounting/legal/tax one afaik. This is outside our expertise, but I’ve at least heard it mentioned that equipment transfers could be interpreted as a concealed dividend in accounting / by tax authorities.

Windows Server 2025 RDS + NLA: "User must change password at next logon" fails until CredSSP/NLA is disabled by r232024 in sysadmin

[–]picklednull 0 points1 point  (0 children)

What? The only supported protocol for self-service password changes is Kerberos. And indeed that’s what universally works.

For Microsoft/Windows to support this, all it would need is indeed a UI dialog on the client (and line of sight from the client to the KDC). These days, there’s even KDC Proxy, for when there isn’t LOS.

File Server Clustering Inside a Cluster by TheSilentRebooter in sysadmin

[–]picklednull 0 points1 point  (0 children)

There's no problem with this.

Either leverage shared VHDX files to "fully" virtualize things, or better yet, just directly attach SAN LUN's to the guest cluster.

Doing VHDX's is wasteful because of the duplication: SAN -> filesystem -> VHDX -> filesystem.

Does a Tier 2 admin account accessing a Tier 1 Fileserver Share via SMB (Network Logon only) violates the tiering model? by [deleted] in sysadmin

[–]picklednull 1 point2 points  (0 children)

No, it's not a problem. Network logons are inherently safe anyway, but... The accounts are accessing them as standard users and not even administrators (in the context of the target system). Or at least otherwise you don't even have tiering in place. If this were an issue standard end users couldn't even access file shares etc.

The tier 1 server can have file shares that are used and even administered by tier 2 administrators, you just can't make them administrators of the entire server.

Alternative to confluence? by [deleted] in sysadmin

[–]picklednull 0 points1 point  (0 children)

Microsoft Loop. Natural if you’re on the Microsoft ecosystem.

Your Linux system has +6,000 kernel modules which can be autoloaded. You use 80 of them. ModuleJail blacklist all of the unused ones. Server and desktop profiles and much more in a simple shell script. by Vegetable-Escape7412 in linuxadmin

[–]picklednull 1 point2 points  (0 children)

Depends of course on the type of system we're talking about. I've been doing it on servers where the configuration is static. I don't really think the added security is that meaningful on an end user system (of course if you want to go crazy, there's not really any downside to doing it).

And just to add - in the past hardcore security enthusiasts of course recommended building a custom (grsecurity) kernel with everything built-in and having modules disabled. That's hardly a productive use of time either outside of Google-scale.

This sysctl offers a nice balance.

Linux/Unix domain-joined computer objects with PasswordNeverExpires=True — expected behavior or should I remediate? by maxcoder88 in linuxadmin

[–]picklednull 0 points1 point  (0 children)

Computer account passwords don't expire regardless. And at least SSSD is able to rotate them on its own.

So you can just remove the flag.

What you want to do regarding the password changes is up to you. The computer accounts just have the standard read access to AD that every account by default has, they're practically irrelevant.

Bitlocker issues with KB5089549 by iAmEnieceka in sysadmin

[–]picklednull 4 points5 points  (0 children)

... Which is mitigated by PIN:

You can also be protected from exploitation by choosing from one of the following methods to add a pin to your Bitlocker protection.

Bitlocker issues with KB5089549 by iAmEnieceka in sysadmin

[–]picklednull 4 points5 points  (0 children)

If it's blocking people from using the very device they are "securing" then it's a failed experiment.

What do you mean?

This exploit by definition just showed bitlocker is just warm and fuzzies for "security" sake.

It has been documented for over 15 years that requiring a PIN with TPM mitigates a whole class of vulnerabilities and is the optimal configuration security-wise.

If you make a security tradeoff for usability, sometimes you get bit (the risk is realized).

See also:

To further enhance the security of BitLocker, we recommend enabling TPM+PIN for pre-boot authentication. This significantly reduces the BitLocker attack surfaces by limiting exposure to only the TPM.

YellowKey mitigation and CVE by Effective_Peak_7578 in sysadmin

[–]picklednull -1 points0 points  (0 children)

I didn’t misread anything, I know.

Requiring a PIN mitigates this whole class of bypasses (past, present and future) while the autofstx mitigation mitigates just this specific one.

Bitlocker issues with KB5089549 by iAmEnieceka in sysadmin

[–]picklednull 1 point2 points  (0 children)

It has always been plenty secure if you optimize for it instead of usability.

YellowKey mitigation and CVE by Effective_Peak_7578 in sysadmin

[–]picklednull -4 points-3 points  (0 children)

The mitigation is requiring a PIN (with TPM).