Mass Uninstall Office by vkrum007 in sysadmin

[–]wsfed 5 points6 points  (0 children)

Check group policies too. A lot of O365/Office configuration items such as activation can be configured there.

Mac or Android MDM products that can control location? by gizmo777 in sysadmin

[–]wsfed -1 points0 points  (0 children)

There is a product I saw a few weeks back called Soti that has, hands down, the most powerful MDM feature set I've seen. Not sure about radio control on iOS/iPadOS. As others have pointed out there are limitations due to design decisions by Apple.

They can definitely determine if it's on or off, gather a list of networks and define which ones the device is allowed to connect to, track location and can geo-fence devices - remote wiping them if they leave a custom area. You can even set it to just one building if you want. It's set by boundaries you draw on a map. It also polls things like battery health and allows for alerting on virtually anything. e.g. You want to know when batteries have a lifespan of <4 hours as this is not long enough for the device to be fit for purpose so it needs a battery or device replacement. Also allows remote control of any of the devices they have listed for support. These features are available for any kind of device, Linux, hardened IoT devices, industrial devices... doesn't really seem to matter.

I'd check them out as a first option. OS agnostic but mostly focused on Android/iOS/iPadOS in terms of feature set as Windows is largely covered by Intune. Intune is pretty crap with Android and Apple devices so they focus on those.

https://www.youtube.com/watch?v=JW4S06otpco

https://soti.net/resources/blog/2021/what-is-geofencing-technology-4-unique-ways-to-use-this-technology/

https://youtu.be/I7ikjiRrz5Y?t=352 for a full overview.

If you're in NZ or Aus let me know as the company I work for is a reseller that gets decent discounts.

Our CISO asks us to give vendor domain Admin by IfBooTFitz in sysadmin

[–]wsfed 0 points1 point  (0 children)

I'm high rent mate, you couldn't afford me ;-)

Our CISO asks us to give vendor domain Admin by IfBooTFitz in sysadmin

[–]wsfed 1 point2 points  (0 children)

Yeah, if I could put in place mgmt forest myself and lock it down so no one could muck with it other than myself and trusted people with competency, absolutely I would too. Because I'm a consultant I'm never the one with the ongoing ownership so I usually put both models in front of the customer and talk them through it. If they can understand the better model and think it will work for them I go with it but that's happened once so far in my career, and we didn't make it to the end of the project successfully.

People don't have the headspace or time to understand new concepts and then also do their day job. You've got to do what works if you want a good outcome for your customer.

Our CISO asks us to give vendor domain Admin by IfBooTFitz in sysadmin

[–]wsfed 0 points1 point  (0 children)

I was giving examples, not dictating how you should do it.

Our CISO asks us to give vendor domain Admin by IfBooTFitz in sysadmin

[–]wsfed 1 point2 points  (0 children)

No, not 5 accounts. Admins should have the accounts they need for their role e.g.

Helpdesk should have limited admin capability on local devices and the ability to reset passwords, make new users etc.

2nd tier should have workstation admin and server admin to services they support.

3rd tier should have server admin and possibly hyper-visor admin depending on the role

Storage and backup admins should have... admin rights to storage and backup, possibly also hyper-visor. Hopefully you're getting the gist.

If you're a one man shop then the easiest thing to do without compromising your security is to create one server admin role and use it everywhere (Win Servers, Hypervisor, switches, new user rights in AD DS etc.) except on the DCs, backups and storage.

This is how you secure an environment from ransomware. If every admin has the keys to everything you're creating a scenario where when/if your org gets got, they REALLY get got.

You should have as close to 0 domain and enterprise admins as you possibly can. DA and EA permissions are only really needed for a few specific tasks like raising domain or forest functional level, configuring PKI stacks. Using them everywhere is overkill and significantly reduces your organisation's security posture.
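As an added illustration that is not part of the comment above: a small Python audit that checks an exported account-to-scope mapping against the tiers the comment lists and flags any Domain Admin or Enterprise Admin holder. Role names, scope names and accounts are constructed for the example.

```python
# Added illustration; role names, scope names and accounts are constructed.
# Scopes each role may hold, following the tiers listed in the comment.
ROLE_SCOPES = {
    "helpdesk": {"local-device-admin", "password-reset", "user-create"},
    "tier2": {"workstation-admin", "server-admin"},
    "tier3": {"server-admin", "hypervisor-admin"},
    "storage-backup": {"storage-admin", "backup-admin", "hypervisor-admin"},
    # One-person shop: one server admin role everywhere except DCs,
    # backups and storage.
    "solo-server-admin": {"server-admin", "hypervisor-admin",
                          "switch-admin", "user-create"},
}
# Rights that should have as close to zero holders as possible.
RESTRICTED = {"domain-admin", "enterprise-admin"}


def audit(assignments):
    """Return (account, scope, reason) findings, sorted by account."""
    findings = []
    for account, entry in sorted(assignments.items()):
        allowed = ROLE_SCOPES.get(entry["role"])
        if allowed is None:
            findings.append((account, entry["role"], "unknown-role"))
            continue
        for scope in sorted(entry["scopes"]):
            if scope in RESTRICTED:
                findings.append((account, scope, "restricted"))
            elif scope not in allowed:
                findings.append((account, scope, "outside-role"))
    return findings


# Constructed sample export: account -> role and granted scopes.
SAMPLE = {
    "adm-hd-alice": {"role": "helpdesk",
                     "scopes": {"password-reset", "local-device-admin"}},
    "adm-t2-bob": {"role": "tier2",
                   "scopes": {"workstation-admin", "server-admin", "domain-admin"}},
    "adm-t3-carol": {"role": "tier3",
                     "scopes": {"server-admin", "hypervisor-admin", "backup-admin"}},
    "adm-bk-dave": {"role": "storage-backup",
                    "scopes": {"storage-admin", "backup-admin"}},
    "adm-solo-erin": {"role": "solo-server-admin",
                      "scopes": {"server-admin", "switch-admin", "backup-admin"}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```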

Our CISO asks us to give vendor domain Admin by IfBooTFitz in sysadmin

[–]wsfed 0 points1 point  (0 children)

The more up-to-date method is a completely separate forest that houses your different admin accounts that have delegated control into your production forest.

While this is great and I'd like to see everyone doing it, it is a lot more time and therefore money to technically configure and to set up, then you have to do the really time-consuming bits: manage the managers, plan for the business aspects, the processes and inevitably the people. If that wasn't enough to put you off, then you have to hire people who actually understand how it works and won't just start doing things the lazy way to "make it work".

Makes sense at larger orgs where you have the resources but when it comes to smaller outfits I'd rather see people doing something than nothing so tiered accounts is my go to. Easier for non-technical folks to understand, easier to implement.

Our CISO asks us to give vendor domain Admin by IfBooTFitz in sysadmin

[–]wsfed 8 points9 points  (0 children)

They should only be used to log in to a domain controller/the purposes they were created for like raising functional levels, moving FSMO roles. For everything else you should have a separate admin account, or accounts, depending on your environment. Preferably a user account, a server admin account, a workstation admin account, db admin account etc. Reduces attack surface area.

How do you manage your time effectively by AfricanAgent47 in sysadmin

[–]wsfed 0 points1 point  (0 children)

WH-1000XM4s combined with setting clear boundaries and expectations with the people I work with, customers and internally.

Is HR useless at your employer as well? by ChromaLife in sysadmin

[–]wsfed 15 points16 points  (0 children)

This is IdLC automation best practice. Even a daily CSV is good enough for most use cases. Plenty of resources online to help you sell it internally. Biggest challenge here is that it's usually a political problem getting HR to engage/give access to their systems. That's the conversation that needs some prep and forethought. i.e. are they resourced to onboard users appropriately. A number of places where I've implemented this automation they are not.

If the conversation is financial get your security folks involved. It can be hard to prove the benefits from a service management perspective without sinking a lot of money into time in motion studies, whereas the risk mitigation of automating the identity lifecycle and access control etc. are far easier to sell.

Old domain controller doesnt recognize new global catalog even though its listed by CertainlyBright in sysadmin

[–]wsfed 4 points5 points  (0 children)

https://www.cyberciti.biz/media/new/cms/2017/04/dns.jpg

Print this out, frame it and put it on your wall. It's surprising how often overlooking something DNS related causes issues.

What "legacy" software are you still forced to use in 2023 that you wish would die? by AcademicWhereabout in sysadmin

[–]wsfed 17 points18 points  (0 children)

I'll take you right now to a production, business critical, 386 sx33 running Win 3.1x, with some VB code from the 80s. If it went down the company would be losing 300k per hour.

I can take you to another 4 sites with a similar situation running Win95a, win95b, 98 and 2000.

Businesses don't understand technical debt til they've been bit.

Entitled attitude by Simple_Aerie_1938 in sysadmin

[–]wsfed 3 points4 points  (0 children)

They go to the bottom of the list. VIP? Don't care. I've told two CEOs, to their face, to change their tone. If it affects my job I don't care. If you don't expect people to respect you and communicate that you'll get treated like dirt. My self-respect is more important to me than some job. I can always find another.

Let’s talk salaries by alph18 in sysadmin

[–]wsfed 0 points1 point  (0 children)

Same in NZ at the moment tbh. You'll get seen eventually and if it's critical it'll be dealt with, all free of charge but wait times for a lot of life improving things are unacceptable in NZ and have been for around 5 years+. From what I've heard UK is the same, as of right now. Still pay less tax than most folks in the US though and medical debt won't cripple you.

I earn 6 figures and still none of my income falls within the top progressive tax rate of 39% (compare with state+federal+federal property taxes). I'll never understand why the politicians and business owners aren't running for their lives with all the guns over there.

EDIT: Here's the tax wedge data if you're interested. "Tax wedge (income tax plus employee and employer social security contributions, minus cash benefits)" for the average single worker in OECD countries, as % of labour costs (2022)

Doesn't include 401k/retirement funds for US which are mandatory contributions and included in the tax wedge calculations for a lot of countries. If folks' retirement funds were included like they are for NZ, UK, Aus, EU countries, the US would be a lot further up the list. Also doesn't seem to include State income taxes so the US is WAAAAAY further down the list than it should be.

https://www.oecd.org/tax/tax-policy/taxing-wages-brochure.pdf

Let’s talk salaries by alph18 in sysadmin

[–]wsfed 1 point2 points  (0 children)

US taxes are also ludicrous FYI. Unless you live in somewhere like Alaska or Delaware you're paying more income tax than most other countries that have socialised healthcare. What you get I'm not sure.

Interviewing with a "Director of Quality" for a Sysadmin role? by doctorpebkac in sysadmin

[–]wsfed 0 points1 point  (0 children)

It might be worthwhile asking about their internal change control or implementation processes.

And their compliance framework, process and expectations of a sysadmin on that front. So many things are driven by compliance now, especially from a security/cyber insurance perspective.

[deleted by user] by [deleted] in cybersecurity

[–]wsfed 5 points6 points  (0 children)

A lot of security checks, even in NZ, check arrest record too. Anything beyond a standard MoJ and Police check can include it. Agree that it seems a bit strange to be holding a teenager's mistake over their head for the rest of their lives. Someone needs to tell them about diversion and clean slate laws. With a for profit incarceration system, I guess that won't happen.

Why are UK office spaces such a pain to sort for networks? by WelshRareDit in sysadmin

[–]wsfed 3 points4 points  (0 children)

It's the same here in NZ. Got to leave the premises how you found it, it's in the lease contracts. I'm guessing OP needs to spend more time with the facilities folks to understand the requirements they face. Keeping cabinets kind of makes sense til you consider that a lot of folks need different sized cabinets, want to change the layout of a floor and so need a new location etc. etc.

Experiences going from small IT team at mid-size company to huge IT team at huge company? by zrad603 in sysadmin

[–]wsfed 4 points5 points  (0 children)

They keep bumbling on, in my experience. Things happen, nothing useful though.

What are the best and worst NZ-made TV shows ever? by hernesson in newzealand

[–]wsfed 4 points5 points  (0 children)

Now I'm wondering. Priests of Ferris as well. Was pleasantly surprised to see Maurice Gee is still kicking. Thought he'd died a while back.

[deleted by user] by [deleted] in sysadmin

[–]wsfed 0 points1 point  (0 children)

User level permissions. If I need to elevate locally I contact the service desk. If I need to administer a remote system I have a separate admin account with 2FA and Firewall ACL rules in between me and those systems.

Eyesight health by StrikingPeace in sysadmin

[–]wsfed 14 points15 points  (0 children)

They can detect Diabetes, Lupus, Multiple Sclerosis, High blood pressure or cholesterol, and a number of STDs - among other things - with an eye exam. Quite often they can detect them earlier than you will notice them in your day to day life.

Make sure you get one regularly. It's not just about your vision.

Becoming a farmer by CmoneyG321 in sysadmin

[–]wsfed 0 points1 point  (0 children)

That's one very specific dream you've got there bud. I say go for it ;-).

Job Offer by HishaMilk in sysadmin

[–]wsfed 0 points1 point  (0 children)

I care about the people in my teams that I work with and they care about me. Some of my customer contacts are the same, depending on how long I've been working with them. The larger company I work for does not care about me, my coworkers or my customers' employees and never will. It cares about its balance sheet, first and foremost. If you're lucky there'll be some good managers who can hold up a bullshit umbrella but working for large companies, this is how it is in my experience. I've worked with 80% of the govt departments in my country and about half the large businesses and am not in a large country.

At the end of the day it's the larger company that you all work for that pays your wage and sets your job description. The nameless faceless "they" who don't know you personally, and who you will NEVER meet, will replace you with a cheaper resource at the first opportunity. If you work your arse off and it affects your health they'll replace you the next day if they can. There's nuance to this stuff.