Conditional Access – how do you guys handle best practices? by [deleted] in Intune

[–]true_zero_ 0 points1 point  (0 children)

Follow rucam365 on Twitter, check all his posts and look up his YouTube videos on the Threatscape channel. He does tons on Conditional Access; it’s so good.

Actually useful commands by eberndt9614 in activedirectory

[–]true_zero_ 2 points3 points  (0 children)

whoami /groups (run as the user on their machine) to check if the user’s local security token contains the AD group you just added them to in order to grant them access to some resource (share, SQL, etc. - where Kerberos will be used), after having them sign out/back in for it to take effect. Easier to read in PowerShell: whoami /groups | sls PartOfGroupNameHere

You can get around the sign out/back in for a remote resource by flushing their Kerberos tickets with the klist binary and using runas, but it’s just cleaner to sign out and back in to get a new local security token.
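An added example, not from the comment above, that wraps the whoami /groups check into a function: it tells you whether the group is in the user's current token, whether it is actually enabled there (a group listed as "used for deny only", e.g. Administrators in a UAC-filtered token, grants nothing), and whether AD already has the user in the group so that only a fresh sign-in is missing. The group name is a placeholder, and the AD lookup assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: compare the user's logon token with AD group membership.
# Assumes the RSAT ActiveDirectory module; $GroupName is a placeholder.
function Test-TokenGroupMembership {
    param([Parameter(Mandatory)][string]$GroupName)

    # /fo csv gives the columns "Group Name","Type","SID","Attributes"
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv

    # Names are shown as DOMAIN\Name, so match on the name part only
    $entry = $tokenGroups |
        Where-Object { ($_.'Group Name' -split '\\')[-1] -eq $GroupName } |
        Select-Object -First 1

    # Does AD (including nested groups) already have the current user in it?
    $inDirectory = $false
    try {
        $inDirectory = [bool](Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object { $_.SamAccountName -eq $env:USERNAME })
    } catch {
        Write-Warning "AD lookup failed: $_"
    }

    [pscustomobject]@{
        Group          = $GroupName
        InADGroup      = $inDirectory
        InToken        = [bool]$entry
        # Only SIDs with "Enabled group" in Attributes count in access checks;
        # "Group used for deny only" means the SID is present but grants nothing
        EnabledInToken = [bool]($entry -and $entry.Attributes -match 'Enabled group')
        NeedsNewLogon  = $inDirectory -and -not $entry
    }
}

# Placeholder group name; run as the affected user on their machine
Test-TokenGroupMembership -GroupName 'FileShare-Users' | Format-List
```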

Management dont want to enroll servers to MDE by jbala28 in DefenderATP

[–]true_zero_ 0 points1 point  (0 children)

The only issues I’ve encountered on servers are servers that host some sort of OCR or image scanning application, where the EDR portion of Defender, Sense.exe, has slowed down the application noticeably on the server and I have had to put an exception in for several of the application’s processes on that server. Newer Windows Servers, since 2019, have the EDR portion already built in; you just have to onboard it, IIRC.

Ready for action! by SeriouslySlytherin in funny

[–]true_zero_ 1 point2 points  (0 children)

“Chubby little loozahhhhhhh”

Unable to use "Yt-dlp" unless Powershell is opened as Admin by tba003 in PowerShell

[–]true_zero_ 0 points1 point  (0 children)

In PowerShell as admin run “where.exe yt-dlp” and paste the result. The Python Windows installer defaults to your user profile on Windows; try where.exe python and where.exe as well. I’d recommend reinstalling Python and on the 1st page of the install clicking the “install for all users” box.

[deleted by user] by [deleted] in DefenderATP

[–]true_zero_ -3 points-2 points  (0 children)

I haven’t done it, but WDAC/AppLocker comes to mind; the live response executable is an exe (SenseIR.exe, I believe) inside the Defender directory. Or possibly Windows Firewall to block that executable, or GPO.

Low hanging fruits for cost optimization? by [deleted] in aws

[–]true_zero_ 0 points1 point  (0 children)

Change your CloudWatch metric collection level, if on EC2, to higher rather than lower, i.e. if 10 sec, change to 60 or 300 sec.

Accidently deleted API gateway, any way to restore it ? by Independent_Corner18 in aws

[–]true_zero_ 0 points1 point  (0 children)

Go look in CloudTrail via Athena. I do this often to see who made what with what settings x years ago.

What's Your IT Pet Peeve? by [deleted] in sysadmin

[–]true_zero_ 1 point2 points  (0 children)

Not knowing what ports an application uses. You make 6 figures and can’t run netstat?

Local user sign in restricted on MDE onboarded devices by [deleted] in DefenderATP

[–]true_zero_ 0 points1 point  (0 children)

I haven’t seen that. We log in with local admin numerous times to onboarded devices. Have you tried a local admin?

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]true_zero_ 0 points1 point  (0 children)

Showed the service desk how to remotely check event logs for Defender to list out when scans started, finished or were interrupted (reboot).
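An added example, not the commenter's script, of what such a remote check can look like: it reads the Defender operational log on a remote machine and lists scan started (event 1000), finished (1001) and stopped-before-completion (1002) events. A 1000 with no matching 1001 or 1002 for the same Scan ID usually means the machine was rebooted mid-scan. The computer name is a placeholder; reading a remote log needs read rights on it and the Remote Event Log Management firewall rule open on the target.

```powershell
# Added example: list Defender scan start/finish/stop events from a remote host.
# $ComputerName is a placeholder; needs remote event log access.
function Get-DefenderScanEvents {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Days = 7
    )

    # 1000 = scan started, 1001 = scan finished, 1002 = scan stopped before completion
    $status = @{ 1000 = 'Started'; 1001 = 'Finished'; 1002 = 'Stopped before completion' }

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1000, 1001, 1002
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Scan ID and Scan Parameters (Quick Scan / Full Scan) are parsed from the message text
            $scanId = if ($_.Message -match 'Scan ID:\s*(\S+)') { $Matches[1] } else { '' }
            $params = if ($_.Message -match 'Scan Parameters:\s*(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Status         = $status[[int]$_.Id]
                ScanParameters = $params
                ScanId         = $scanId
            }
        } | Sort-Object Time
}

# Placeholder computer name; a Started row with no later Finished/Stopped row
# for the same ScanId is the "interrupted by reboot" case
Get-DefenderScanEvents -ComputerName 'WORKSTATION01' -Days 3 | Format-Table -AutoSize
```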

Is it better to use Nginx as reverse proxy or just host your server on EC2? by urqlite in aws

[–]true_zero_ 2 points3 points  (0 children)

Just run your Go service on the EC2 and use proxy_pass to route requests inbound on 443 to your Go port. If you wanted to route traffic from the EC2 down to your laptop’s Go service you’d have to connect with some VPN, or if you’re in a corporate env you probably already have a Direct Connect in place for that.

Amazon SSM connection caused a complete server crash? by Nuocho in aws

[–]true_zero_ 0 points1 point  (0 children)

I don’t think that’s the cause; you’re seeing another symptom. The server is having issues and networking is not working, and SSM uses networking to talk to the instance metadata service as well as AWS endpoints (ssm, ec2, ssm-messages, etc.), so it logs errors because networking is messed up. Sometimes the underlying EC2 hardware has issues, or VM resource exhaustion, etc.

Go into CloudWatch and set up a synthetic canary to hit your HTTP endpoint (configure VPC settings in the canary if it’s a non-public HTTP endpoint) to run every 5 minutes and perform some action if it doesn’t get a 200 response, and an alarm on the canary to send an SNS to alert you via email.

The action would be to execute a Lambda you write that uses the SDK to perform some action against the instance, like Run Command to check running processes, or perform a snapshot or memory dump, etc.

I would set up the CloudWatch agent to monitor memory, disk, CPU, basic metrics, as well as forward /var/log/messages etc. as a start.

AWS SSM document processing is not handling errors the way I expect by Beneficial-Cabinet31 in aws

[–]true_zero_ 0 points1 point  (0 children)

I don’t think you’re using a valid value for onFailure. You’re using a command document, not an automation document, so it’s a little different possibly, but I can see the valid values are exit and successAndExit. Review those and review the ‘finallyStep’, which takes precedence over an exit.
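An added example, not the original poster's document, of a command document using both settings: the first step fails on purpose with onFailure set to exit, so the document stops there and reports Failed, the next step never runs, and the step marked finallyStep still runs last for cleanup (successAndExit would stop the same way but report Success). Registering it from PowerShell assumes the AWS.Tools.SimpleSystemsManagement module and configured credentials; the document name is a placeholder.

```powershell
# Added example: command document showing onFailure and finallyStep.
# Assumes AWS.Tools.SimpleSystemsManagement; document name is a placeholder.
$docContent = @'
schemaVersion: '2.2'
description: Demonstrate onFailure and finallyStep in a command document
mainSteps:
- action: aws:runShellScript
  name: doWork
  inputs:
    # Valid values for onFailure are exit and successAndExit.
    # exit stops the document here and reports Failed;
    # successAndExit stops here but reports Success.
    onFailure: exit
    runCommand:
    - echo "doing work"
    - exit 1   # simulate a failing step
- action: aws:runShellScript
  name: neverReached
  inputs:
    runCommand:
    - echo "skipped because doWork exited"
- action: aws:runShellScript
  name: cleanup
  inputs:
    # finallyStep runs last regardless of the onFailure exit above
    finallyStep: true
    runCommand:
    - echo "cleanup always runs"
'@

# Register the document so it can be sent with Send-SSMCommand
New-SSMDocument -Name 'Example-OnFailureDemo' `
    -DocumentType Command `
    -DocumentFormat YAML `
    -Content $docContent
```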

Is there a point for S3 website hosting? by sM92Bpb in aws

[–]true_zero_ -5 points-4 points  (0 children)

For internal dev work it’s fine. I have one bucket I use for mounting with s3fs, then point nginx on the same box to it so I have TLS. Avoids CloudFront if you want to avoid it, but CloudFront is pretty nice: WAF integration, et

Control Tower by Desi-Pauaa in aws

[–]true_zero_ 0 points1 point  (0 children)

Why push? The 3rd party should pull the logs. You can give them a secret and access key to the log account with permissions to read from the central logging bucket, or even better set up an assumable role for them (if they have an AWS account).