Maneki Neko posted: 3004394, 3011970 and 2986475 got pulled, so that's good I guess, but holy poo poo.

Looks like a new KB came out to address the issues with 3004394. https://support.microsoft.com/kb/3024777

Dec 12, 2014 14:38
|
|
Swink posted: For those of you running DirectAccess - have you had to deal with an increase in staff cellular data usage?

This is the downside to having your endpoints being on the internal network wherever they are. Your internal network generates a shitton of traffic. Configuration Manager has some options for conserving bandwidth in terms of slow/offsite network connections, but if the 4G connection is their internet source (as opposed to something used intermittently) then you have to pay the piper sooner or later. Closest thing you could do is segregate your tethered endpoints into discrete policies somewhere that essentially don't update them in any form. Which...yeah. Might not be so great.

Dec 12, 2014 17:48
|
PUBLIC TOILET posted: Looks like a new KB came out to address the issues with 3004394.

quote: The KB 3004394 update that was dated December 10, 2014 can cause additional problems on computers that are running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. This includes the inability to install future updates. This new update is available to remove KB 3004394 from your computer.

"If your internet is down you can get help at AOL.com/support !"

Dec 12, 2014 18:26
|
Does the Metered Access stuff in Windows 8 still work when DirectAccess is deployed? That should disable WSUS, background sync etc.
|
Dec 12, 2014 21:02
|
The metered connection looked promising but it doesn't seem to do anything aside from count traffic.

Dec 13, 2014 01:24
|
I'd say that perhaps it's configurable through GPO but Microsoft seem to have completely forgotten about Group Policy in Windows 8.
|
Dec 13, 2014 01:24
|
Anyone have any experience with securing RDP? We're trying to set up all our servers to use high encryption and TLS, but we've basically just ended up preventing RDP connections. We have a local CA (though I have no idea if the person that set that up did it correctly), and we've issued certs to all the servers, but there's just been a raft of problems. Servers actually have two certs: one issued by our local CA and one issued by the larger agency that we're a part of. Valid root certs for both CAs are loaded on all devices involved.

1) Most servers will throw SChannel errors when the cert issued by the local CA is used on the server side (fatal code is 20 and internal error state is 960 if it matters); on the client side it just reports the server's denied the connection. Packet capture shows the server is dropping a TCP reset on the connection more or less immediately. It never even gets to the TLS handshake that I can see. Switching the server to use the cert issued by the agency resolves this problem and allows RDP connections.

2) As a workaround, we'd like to force use of the agency certs, so we can access the server via RDP, but some servers refuse to use the agency cert even if configured to do so. They immediately revert back to the auto-generated RDP cert.

3) A few servers are throwing Schannel errors (fatal code of 10/internal error state 1203); this just results in the connection timing out, rather than the quick deny from the servers with the problem in #1.

Googling the Schannel errors hasn't really yielded anything helpful. Anyone seen these errors/problems before and can point me at some troubleshooting help? Thanks.

Dec 16, 2014 18:17
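A diagnostic for symptom #2 above (the listener reverting to the auto-generated cert), added here as an example and not posted by anyone in the thread. It assumes the default RDP-Tcp listener and a CSP-backed key under MachineKeys; run it in an elevated PowerShell on the affected server.

```powershell
# Added example (not from the thread): show which certificate the RDP listener is actually
# bound to and check the usual reasons a configured certificate gets dropped for the
# self-signed one. Assumes the default 'RDP-Tcp' listener.
$ts = Get-WmiObject -Namespace 'root\cimv2\terminalservices' -Class 'Win32_TSGeneralSetting' `
        -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash
"RDP-Tcp listener is bound to thumbprint: $thumb"

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    "That thumbprint is not in LocalMachine\My; TermService will fall back to its own cert."
    return
}
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# 1. The listener only accepts certificates valid for Server Authentication (1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
"Server Authentication EKU present: $([bool]$serverAuth)"

# 2. The private key must be present on this machine and readable by NETWORK SERVICE
#    (TermService's account). A key only the importing admin can read is a common cause
#    of the listener silently reverting. This path covers CSP (RSA) keys only; CNG keys
#    are stored elsewhere and PrivateKey may throw for them, hence the try/catch.
"Has private key: $($cert.HasPrivateKey)"
try { $pk = $cert.PrivateKey } catch { $pk = $null }
if ($pk -and $pk.CspKeyContainerInfo) {
    $container = $pk.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    if (Test-Path $keyPath) {
        $rule = (Get-Acl $keyPath).Access | Where-Object { $_.IdentityReference -like '*NETWORK SERVICE*' }
        if ($rule) { "NETWORK SERVICE rights on key file: $($rule.FileSystemRights)" }
        else       { "NETWORK SERVICE has no ACE on the private key file: $keyPath" }
    }
}

# 3. The chain must build on the server itself (the issuing CA's root in LocalMachine\Root),
#    otherwise Schannel rejects the cert before the handshake gets anywhere.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
"Chain builds locally (revocation ignored): $($chain.Build($cert))"
$chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation)" }
```

If the EKU, key ACL and chain all check out and the listener still reverts, compare the thumbprint reported here with the one you set, since a GPO-assigned certificate template overrides a manually configured thumbprint.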
|
Are you keeping your RDP servers open to the internet? In my experience the best way to "secure" RDP is to require VPN before, unless you're using Remote Web Workplace or nonsense like that. Depends on what your requirements are and so on but I'd see if that is an option first. Newer (2008 R2+) versions are already very secure as far as encryption goes.
|
Dec 16, 2014 18:34
|
Nah, this is all internal RDP, we don't have anything open to the internet. There's not even any proper RDP licensing--it's all just the 2 default administration slots.

e: Just to add that I've bumped Schannel logging up to max on several of the servers with problems and there's nothing extra that's helpful that I can see. Is there a more detailed Schannel log somewhere or is the stuff that it dumps into the Event Log it?

Hypnobeard fucked around with this message at 18:39 on Dec 16, 2014

Dec 16, 2014 18:36
|
What is the reason behind wanting to secure RDP? If it is internal for admin use, just switch on Network Level Auth and call it a day.
|
Dec 16, 2014 18:59
|
Gyshall posted: What is the reason behind wanting to secure RDP? If it is internal for admin use, just switch on Network Level Auth and call it a day.

Because our "security" team is retarded and basically turns on every plugin in Nessus, does a scan, and then says "remediate everything Low or higher." No exceptions are allowed and actual likelihood of compromise is not a mitigating factor.

Dec 16, 2014 19:12
|
Why not use RD Gateway internally? It's a built-in server role on 2008+ and built in to the Windows and OS X clients.

edit: although that would require RD CALs maybe.

Dec 16, 2014 19:16
|
Tolan posted: Because our "security" team is retarded and basically turns on every plugin in Nessus, does a scan, and then says "remediate everything Low or higher." No exceptions are allowed and actual likelihood of compromise is not a mitigating factor.

Thanks, you made me feel much better about my job today.

Dec 16, 2014 19:23
|
beepsandboops posted: In the meantime, I've been trying to figure out how to get to the WDS server through a generic WinPE environment instead, but haven't had any success. I tried loading up the WinPE-WDS-Tools onto a PE image, but can't figure it out for the life of me. It doesn't help that I'm getting all of the deployment tools (AIK, ADK, different version of PE) confused. Could anybody point me in the right direction?

MDT generates ISO boot images. I've never tried it with USB but it should work. TBH, I don't know how to use WDS without MDT!

Dec 16, 2014 20:47
|
Erwin posted: Why not use RD Gateway internally? It's a built-in server role on 2008+ and built in to the Windows and OS X clients.

Buy the CALs and charge them to the security team for compliance, force a GPO out to every computer to use Remote Desktop Gateway to access remote desktops.

Dec 17, 2014 09:33
|
incoherent posted: Buy the CALs and charge them to the security team for compliance, force a GPO out to every computer to use Remote Desktop Gateway to access remote desktops.

Charge the security team for compliance? How do you even approach something like that? I get the sense that, if I tried that at a big company, the reply might be something along the lines of, "Heh, we just enforce the policy -- it's up to YOU to be compliant."

Dec 18, 2014 03:32
|
Potato Salad posted: Charge the security team for compliance? How do you even approach something like that? I get the sense that, if I tried that at a big company, the reply might be something along the lines of, "Heh, we just enforce the policy -- it's up to YOU to be compliant."

Unreasonable requests get unreasonable answers

Dec 18, 2014 04:10
|
That's when you get the CIO from Sony who browbeat the security auditors over weak password policy to make them write down "password policy is not an issue" to discuss the safety of the RDP protocol. link

incoherent fucked around with this message at 04:20 on Dec 18, 2014

Dec 18, 2014 04:18
|
Does Office 2013 need to "phone home" to some server that might be blocked on our LAN? We just had about 10 copies of Office Home & Business 2013 stop working (like uninstall themselves) and they're all tied to the same MS account for activation. This is a new client or we'd have them on volume license. But I thought it was really strange. We did upgrade the firewall there to have perimeter A/V scanning, and I'm wondering if that caused an issue.
|
Dec 19, 2014 03:00
|
Gyshall posted: Does Office 2013 need to "phone home" to some server that might be blocked on our LAN? We just had about 10 copies of Office Home & Business 2013 stop working (like uninstall themselves) and they're all tied to the same MS account for activation.

If they're retail/OEM or other form of Click-to-Run installations I believe they function very similar to this - http://technet.microsoft.com/en-us/library/gg982959%28v=office.14%29.aspx

Clients will need the ability to reach the office.com servers to verify activation every 30 days.

Dec 19, 2014 06:46
|
Hey everyone I'm rolling out SharePoint to replace file server. What a great idea! Anyway I still need to map lettered drives to various document libraries for staff that want to do that. The problem is that mapped drives won't take the Windows user authentication until the user opens the SharePoint site manually and then tries to access the drive. This happens every time they log on. Is that normal? SharePoint site is added in IE security settings as "local intranet".

Dec 19, 2014 15:31
|
Nebulis01 posted: If they're retail/OEM or other form of Click-to-Run installations I believe they function very similar to this - http://technet.microsoft.com/en-us/library/gg982959%28v=office.14%29.aspx

Thank you very much.

Dec 19, 2014 15:47
|
NevergirlsOFFICIAL posted: Hey everyone I'm rolling out SharePoint to replace file server. What a great idea! Anyway I still need to map lettered drives to various document libraries for staff that want to do that. The problem is that mapped drives won't take the Windows user authentication until the user opens the SharePoint site manually and then tries to access the drive. This happens every time they log on. Is that normal? SharePoint site is added in IE security settings as "local intranet".

No, what did you add the site as in IE Security Settings?

Dec 19, 2014 15:50
|
Tab8715 posted: No, what did you add the site as in IE Security Settings?

I added https://*.company.com to local intranet zone and set zone to low. This part lets me go to the site in IE without authenticating but doesn't help with Windows Explorer.

Dec 19, 2014 16:07
|
Is this Sharepoint Online or On-Prem?
|
Dec 19, 2014 16:13
|
Tab8715 posted: Is this Sharepoint Online or On-Prem?

on prem

Dec 19, 2014 16:20
|
NevergirlsOFFICIAL posted: on prem

That's very weird... Try posting in the SharePoint Sub-reddit.

Dec 19, 2014 16:21
|
Tab8715 posted: That's very weird... Try posting in the SharePoint Sub-reddit.

ok

Dec 19, 2014 16:23
|
important development: this works:

net use X: http://servername/shared

this does not:

net use X: http://sitename.company.com/shared

so clearly it's my Windows machine not trusting this as local intranet. company.com is not FQDN even though the server is on LAN and has an FQDN.

Dec 19, 2014 22:07
|
Might have to add it to the trusted sites list in IE
|
Dec 19, 2014 22:10
|
Shouldn't you be using net use x: https

try net use with https

Gucci Loafers fucked around with this message at 22:15 on Dec 19, 2014

Dec 19, 2014 22:11
|
Tab8715 posted: Shouldn't you be using net use x: https

Dec 19, 2014 22:13
|
Tab8715 posted: Shouldn't you be using net use x: https

sorry same thing happens with http or https. and it is in local intranet zone in IE

Dec 19, 2014 22:45
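A check for the short-name-works, FQDN-fails behaviour in the exchange above, added here as an example and not from anyone in the thread. It assumes the default IE ZoneMap registry layout and the WebClient service's documented parameters; the hostname is a constructed placeholder.

```powershell
# Added example (not from the thread): will Windows treat this host as Local intranet for a
# WebDAV 'net use X: http://host/library', and what do the WebClient settings say about
# sending Windows credentials automatically? Hostname below is a placeholder.
$HostName = 'sitename.company.com'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Per-user and per-machine ZoneMap, plus the Group Policy 'Site to Zone Assignment List' locations.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
function Get-ZoneMapMatch([string]$Name) {
    # Domains\company.com with a value named after the scheme covers *.company.com;
    # Domains\company.com\sitename covers only that host. The value data is the zone number.
    $labels = $Name.Split('.')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        for ($i = 0; $i -lt $labels.Length - 1; $i++) {
            $key = Join-Path $root ($labels[$i..($labels.Length - 1)] -join '.')
            if ($i -gt 0) { $key = Join-Path $key ($labels[0..($i - 1)] -join '.') }
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty $key
            foreach ($scheme in 'http', 'https', '*') {
                if ($null -ne $props.$scheme) {
                    [pscustomobject]@{ Key = $key; Scheme = $scheme; Zone = $zoneNames[[int]$props.$scheme] }
                }
            }
        }
    }
}
if ($HostName -notmatch '\.') {
    # Single-label names (http://servername/...) are Local intranet by default, which is why
    # the short name worked above while the dotted one did not.
    "$HostName has no dots: treated as Local intranet by default"
} else {
    $hits = @(Get-ZoneMapMatch $HostName)
    if ($hits) { $hits | Format-Table -AutoSize }
    else { "No ZoneMap entry covers $HostName; a dotted name usually lands in the Internet zone" }
}
# 'net use' to an http:// path goes through the WebClient (WebDAV redirector) service.
# BasicAuthLevel: 0 = no Basic, 1 = Basic over https only (default), 2 = Basic over http too.
# AuthForwardServerList (KB 943280) lists FQDNs the redirector may send Windows credentials to.
$wc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
"WebClient BasicAuthLevel       : $($wc.BasicAuthLevel)"
"WebClient AuthForwardServerList: $($wc.AuthForwardServerList -join ', ')"
```

If the ZoneMap shows a match for the FQDN but the drive still prompts, AuthForwardServerList is the setting to look at, since the WebClient service does its own zone decision independently of what IE shows in its status bar.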
|
Does anyone have thoughts on deploying new machines with UEFI vs old fashioned MBR? They're capable of UEFI, but because reasons it's a few more hoops to jump through to get UEFI working. It's funny because this is the last 3 days of this job, and next Monday I move to another department to run SCCM for the entire campus, so any problems I'm having now will be mine to solve next week.
|
Dec 22, 2014 17:24
|
I think this is the right place to ask... I'm the sys admin for a department in my company, one out of many. Recently I found that my SA credentials allow me to perform some pretty nifty things with AD, something that the Help Desk has reign over. However, I figured if I have access to do things like reset passwords and inventory/monitor PCs in my department, why not give Help Desk a bit of a break and do it all myself, aside from it being against the basics of ITIL? So I downloaded Spiceworks and began playing around. I noticed that it would continuously scan the network for devices it would reach with my credentials. I figured if it would raise any flags it was going to do so the first day around.

Two weeks pass by, and today I get a call (I'm working from home) from Help Desk saying that Network Security received a security alarm on my machine and they want me to run virus scans and send up the screenshots. I can only see this being related to Spiceworks, as I don't use my work PC for anything but work. Is that an accurate assumption, even though it's been two weeks since I originally installed the application?

Dec 31, 2014 22:08
|
Spiceworks is an Apache web instance which could be raising flags (e: and if you're doing the network scanning: port scanning). If you're in an ITIL environment they're going to stick to the prescribed methods till they stop following them. From the way you framed your org each dept (helpdesk, sysadmin, network security/admin) all have specific roles to take care of. Help desk is there to do boring rear end password resets and other level 1 things. Your role is to ensure the infrastructure is online and continue to document and reiterate documentation pertaining to the infrastructure. Don't feel guilty about the lull periods of the position. Use that time to research, learn and study. Or just look busy and spend your time in SA.

incoherent fucked around with this message at 23:00 on Dec 31, 2014

Dec 31, 2014 22:57
|
Installing Spiceworks without notifying the rest of the network is a big no-no, security guys don't like poo poo randomly reaching out to all the devices.
|
Jan 1, 2015 00:58
|
Does Windows Storage Pools/ReFS do anything magical in performance compared to hardware raid? (Home solution.)
|
Jan 2, 2015 17:31
|
lol internet. posted: Does Windows Storage Pools/ReFS do anything magical in performance compared to hardware raid? (Home solution.)

In terms of making things faster? No, but it's probably less of a pain in the rear end to deal with vs hardware raid when things go south.

Jan 2, 2015 17:34
|
|
socialsecurity posted: Installing Spiceworks without notifying the rest of the network is a big no-no, security guys don't like poo poo randomly reaching out to all the devices.

Not to mention that by default it sends emails through Spiceworks' email servers with the names of all of your servers in that email and details about how your internal network is laid out. It's bordering on paranoid but that's not a great thing.

Jan 2, 2015 17:39