Continuous Access Evaluation in Azure AD is now in public preview https://techcommunity.microsoft.com...ic/ba-p/1751704

# ? Oct 19, 2020 19:10

Thanks Ants posted:
> Continuous Access Evaluation in Azure AD is now in public preview

That is kind of a big step in the security side of things.

# ? Oct 19, 2020 20:15

EDITED.

BaseballPCHiker fucked around with this message at 21:09 on Feb 2, 2022

# ? Oct 20, 2020 21:28

BaseballPCHiker posted:
> I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

I'm in the middle of this right now. Hiring an MSP with a dude to help who has done it hundreds of times was a godsend. We had to push out reg entries to the org before we could even start migrating to the cloud and I would have had no idea. There was a lot of on-prem AD work to do. Having someone who has run through all these fires before was the best move we made.

# ? Oct 20, 2020 21:34

Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise? I started as the sole IT guy for a company a few months back and I've yet to install remote support software and it's becoming a real headache walking people through Quick Assist and poo poo. Also, we have a weird setup where like half the company has the full version of TeamViewer installed so they can remote to various PLC/robot control computers and other unmanned computers that need remote access. Unfortunately TeamViewer was not deployed properly either so people are using the partner ID of the various computers to connect instead of using the address book/groups and "easy access". So I really don't have time to fix this poo poo right now by attempting to deploy policies and a custom module. As for ConnectWise, we have an MSP that uses this for end user support and so I don't want to interfere with their software either. I'm considering either DameWare or AnyDesk currently. Since most people work remotely, it needs to work over the internet. Also, one thing I loved about TeamViewer was the ability to boot into safe mode and reestablish the connection, but not a deal breaker. Oh, and I don't want to pay more than $600/year for a single license. Any recommendations?

# ? Oct 20, 2020 21:37

Dameware didn't impress me, I mean it worrrrked, but my experience was it felt fairly limited, but idk how it was actually set up or if it was set up correctly. When we moved to Bomgar it was fantastic, and you can do so many things with it, but it's expensive af and ever since they were bought by BeyondTrust their support has been sub-trash. Software is still pretty great tho.

# ? Oct 20, 2020 21:51

Dameware works fine and is what we use right now, but if you want to use it over the internet without a VPN connection, you'll need to self-host a proxy server.

# ? Oct 20, 2020 21:52

klosterdev posted:
> Dameware didn't impress me, I mean it worrrrked, but my experience was it felt fairly limited, but idk how it was actually set up or if it was set up correctly

I have the same impression with Dameware. We used an older version of DRS and didn't use the central server so connections were limited to the internal network/VPN. SolarWinds have that new Dameware Remote Everywhere that I was considering testing. As for Bomgar, I really wanted to use this but when I saw the price tag it was a nope for me. I don't need all the extra features, I just need a way to remotely support a PC without user intervention and also do file transfers.

The Fool posted:
> Dameware works fine and is what we use right now, but if you want to use it over the internet without a vpn connection, you'll need to self host a proxy server.

I was considering the new DRE SaaS app.

# ? Oct 20, 2020 21:54

Yeah the worst part about Dameware is that we could only access systems on our network. Relying on users to be able to connect to a VPN isn't reliable at all. If Dameware can do that now it wouldn't be greaaaat, but it would solve the worst problem about it.

# ? Oct 20, 2020 22:04

kiwid posted:
> Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise?

Not sure how your MSP works, but our MSP uses CW but not their remote control software, instead opting for LMI, and we can give people access (i.e. internal IT, or using LMI instead of a VPN) to computers and a login and poo poo; not sure if that's possible on the CW platform or how your MSP would feel about it.

# ? Oct 20, 2020 22:12

BaseballPCHiker posted:
> I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

I certainly wouldn't say it's an easy and quick project, but it's not an impossible task. They might be better served hiring a company to just do this for them. That being said... Unless you really need to do AD FS, I'd stick to Azure AD w/ password hash sync as it'll likely be the easiest. Migrating mailboxes for 2000 users is going to take a while. Might want to look into how large they are and plan accordingly. If you've already got an old install of ADSync, you might run into some trouble claiming your domain as an O365 if someone did it in the past and didn't document. I'd get started on that part sooner rather than later. Then set up Azure AD Connect. At the very least you'll have your users synced up and ready to go and you can start playing around with it.

# ? Oct 20, 2020 22:43

GreenNight posted:
> I'm in the middle of this right now. Hiring an MSP with a dude to help who has done it hundreds of times was a god send. We had to push out reg entries to the org before we could even start migrating to the cloud and I would have had no idea. There was alot of on prem AD work to do. Having someone who has run through all these fires before was the best move we made.

That sort of thing is what has me thinking that I should push hard to get outside help. Setting up something new, and running it are two different beasts. I won't know a lot of the gotchas going into it.

Internet Explorer posted:
> I certainly wouldn't say it's an easy and quick project, but it's not an impossible task. They might be better served hiring a company to just do this for them. That being said...

Thanks for the info, it gives me more to consider. I have no clue what the setup of Azure AD entailed, how "well" it's set up, etc.

kiwid posted:
> Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise?

We use Dameware right now and it's OK. We don't pay much for it and it works well enough I suppose. If you can afford it Bomgar is the way to do this securely. Also if it's just Windows host to Windows host, Quick Assist is built in to Windows 10 now and works really well assuming you have someone who can manage to get to it through the start menu on the other end.

# ? Oct 20, 2020 23:38

BaseballPCHiker posted:
> Thanks for the info, it gives me more to consider. I have no clue what the setup of Azure AD entailed, how "well" it's set up, etc.

I can feel myself about to puke for saying this, but Microsoft's documentation is not bad in this area. Give it a shot and ask here or the IT thread and I am sure we can get you headed in the right direction.

# ? Oct 20, 2020 23:40

BaseballPCHiker posted:
> That sort of thing is what has me thinking that I should push hard to get outside help. Setting up something new, and running it are two different beasts. I won't know a lot of the gotchas going into it.

You absolutely should. Most organizations would consider email critical before the pandemic. This is something you don't want to screw up, and there are a lot of gotchas in the process. Having someone who's done it before working with you will save your bacon. How much would you lose if email was down for a day? For a week? How much will an MSP cost?

# ? Oct 21, 2020 00:10

BaseballPCHiker posted:
> I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

As someone who works for a Microsoft Partner and has done a shitload of these migrations I think getting some outside help who has done this before should be a no brainer. One option I didn't see anyone else mention was to engage the FastTrack team: https://www.microsoft.com/en-us/fasttrack/microsoft-365/office-365

For 500+ seats they will also help out with your data migration: https://docs.microsoft.com/en-us/fasttrack/data-migration

# ? Oct 21, 2020 00:47

Maneki Neko posted:
> As someone who works for a Microsoft Partner and has done a shitload of these migrations I think getting some outside help who has done this before should be a no brainer. One option I didn't see anyone else mention was to engage the Fasttrack team:

Awesome, thanks for the links! We're definitely over 500 seats so that's something we'd qualify for. Going to make as hard a push as I can to get outside help for this.

# ? Oct 21, 2020 13:22

BaseballPCHiker posted:
> Awesome thanks for the links! We're definitely over 500 seats so thats something we'd qualify for. Going to make as hard a push as I can to get outside help for this.

You won't regret it. I'm still balls deep in the migration and occasionally run into some bullshit I've never seen before 'cause Microsoft, and reach out.

# ? Oct 21, 2020 13:25

My boss wants me to turn off all Windows patching to avoid auto reboots for 2016 and 2019 servers. Mainly Hyper-V but some SQL. Is this even possible anymore, and if so, how can I convince him that it's a terrible idea?

# ? Oct 21, 2020 15:00

GPO.

If the guy thinks of himself as a patriot, he could follow guidance by the FBI and US Cyber Command begging dumbass motherfuckers like him to patch the high CVSS score vulnerabilities that have been coming out every month. Like, is the boss aware that every single month for the last two years there have been trivial intrusion vulnerabilities found in basically everything that Microsoft owns, every single time?

Potato Salad fucked around with this message at 16:52 on Oct 21, 2020

# ? Oct 21, 2020 15:05

If not, tell me the name of your employer and I'll share the monero I farm 50/50 with you.

# ? Oct 21, 2020 15:05

ok so the 365 day deferment. The clients are what you should be inquiring after! He knows but will always bend a knee with the smallest push-back. I asked for a workflow to automate reconnecting a SQL server to the mainframe post-patch but that's not good enough. All the 9's by not patching.

# ? Oct 21, 2020 15:31

Re: Zerologon mitigations

From this article - https://docs.microsoft.com/en-us/wi...a-when-possible: Where exactly are they referring to that setting in #3? Default Domain Policy? Default Domain Controllers Policy? The only one it's NOT enabled on, by default, is the Default Domain Policy.

# ? Oct 22, 2020 20:02

Huh? The default policies are just objects that exist and you should not touch. It may be in any GPO. There is a Microsoft tool, Policy Analyzer, I've used to help find poo poo. But anyway your default should have lowest priority; just create that policy for endpoints and servers and apply to any OUs with cpus.

Submarine Sandpaper fucked around with this message at 22:08 on Oct 22, 2020

# ? Oct 22, 2020 22:04

It seems like something changed and turned Windows Firewall on sometime this morning, on many of our servers, which was fun to figure out and then find out how many problems it was causing. Nobody has changed anything in GPO as far as I know of (other than the one I created for the secure channel thing, but that wouldn't affect any other settings).

# ? Oct 28, 2020 18:35

I'd bet good money that something happened network-wise and Windows network discovery switched the connection from private to public, and the firewall is only turned off for private. You should have firewalls turned on with specific exceptions as needed.

# ? Oct 28, 2020 19:01

Internet Explorer posted:
> I'd bet good money that something happened network wise and windows network discovery switched the connection from private to public and the firewall is only turned off for private.

It's like the rules are default or something... SQL Server wasn't allowing connections. Our Fortinet helper app deal was being blocked on another server (port 8000), our SOC machine did the same thing... Also updates aren't controlled by GPO anymore... someone hosed with something.

# ? Oct 28, 2020 19:20

Yeah, not sure why you're turning Windows Firewall off. Good/decent applications automatically make firewall exceptions, lovely applications you have to do it manually, but you should still be using the Windows Firewall as part of your defense in depth strategy.

*edit* I'm unclear what you are actually doing based on your response, but if you DO have the Windows Firewall on with exceptions, my guess would be the same as intranet explorer in that instead of a domain network your connections are being identified as private/public.

# ? Oct 29, 2020 06:21

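A quick way to check the diagnosis offered in the two replies above (which network category each adapter actually landed on, and whether the firewall is enabled per profile) before touching any rules, then add scoped exceptions instead of turning the firewall off. This is an added example, not code from the thread; the adapter alias `Ethernet`, the `10.0.0.0/8` source range, and the ports (1433 for a default SQL Server instance, 8000 from the Fortinet helper mentioned above) are assumptions for illustration.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# affected server to see why profile-scoped rules stopped matching.

# 1. Which category did each connection land in? A member server that should
#    show DomainAuthenticated but shows Public/Private has lost sight of a DC.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# 2. Is the firewall enabled per profile, and what is the default inbound action?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 3. Which enabled inbound rules apply only to the Domain profile? These are
#    the ones that silently stop matching when the category flips.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.Profile -eq 'Domain' } |
    Select-Object DisplayName, Profile, Action

# 4. If a NIC wrongly landed on Public, move it back to Private. Domain cannot
#    be set by hand; Windows assigns it when a domain controller is reachable.
#    $nic is an assumed alias; use the one shown in step 1.
$nic = 'Ethernet'
if ((Get-NetConnectionProfile -InterfaceAlias $nic).NetworkCategory -eq 'Public') {
    Set-NetConnectionProfile -InterfaceAlias $nic -NetworkCategory Private
}

# 5. Scoped exceptions rather than a disabled firewall. Ports and the source
#    range are assumptions: 1433 is the SQL Server default instance, 8000 is
#    the port the thread mentions for the Fortinet helper. Restrict
#    -RemoteAddress to the subnets that actually need to reach the service.
New-NetFirewallRule -DisplayName 'SQL Server default instance (inbound)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow `
    -Profile Domain,Private -RemoteAddress '10.0.0.0/8'
New-NetFirewallRule -DisplayName 'Fortinet helper app 8000 (inbound)' `
    -Direction Inbound -Protocol TCP -LocalPort 8000 -Action Allow `
    -Profile Domain -RemoteAddress '10.0.0.0/8'
```

Step 3 is the one that distinguishes "the rules were reset" from "the profile flipped": if the rules are still present but scoped to Domain and the adapter shows Public, the rules never went away, they just stopped applying.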
Haven't had it happen on servers, but the common firewall exceptions we used to activate by GPO stopped working after some update. I am using a custom ruleset since then.

# ? Oct 29, 2020 06:38

MF_James posted:
> Yeah, not sure why you're turning windows firewall off.

You're right, I don't want to leave the firewall off, but some Windows update did something to reset the rules so I have to go back and activate rules for whatever service it's running. Just trying to track down what the heck happened to cause updates to start running. It's not the domain/private/public network thing.

# ? Oct 29, 2020 13:14

Bob Morales posted:
> You're right, I don't want to leave the firewall off, but some windows update did something to reset the rules so I have to go back and activate rules for whatever service it's running. Just trying to track down what the heck happened to cause updates to start running.

oh welp, now everything makes sense, maybe it's because I've gotten some sleep...

# ? Oct 29, 2020 14:28

Windows licensing question(s): I have 200-ish PCs that were all originally purchased with OEM Win10 Pro licenses and I would like to move them all to Win10 Enterprise in order to take advantage of some of the features like AppLocker. Is this path possible? What is the easiest way to acquire the Enterprise licenses? Who do I even call to get a quote? Why has MS made licensing so difficult? Our Office 365 licenses (E1 and E3) are all non-profit pricing, so hopefully MS offers something similar on the Windows side. Gracias.

# ? Oct 29, 2020 19:19

It'll probably be easiest to get Windows E3 licenses; you should be able to get them from the same place as your O365 licenses. Maybe consider Microsoft E3 (a combo license that includes Windows, Office and EMS), but depending on how many E1's you have that may not be practical.

# ? Oct 29, 2020 19:24

Mr. Clark2 posted:
> Windows licensing question(s):

You want Microsoft 365 E3: https://www.microsoft.com/en-ca/microsoft-365/enterprise/e3?activetab=pivot%3aoverviewtab

Your Office 365 would get rolled into the Microsoft 365 package and you'd get all the other stuff you want.

# ? Oct 29, 2020 19:48

Dangit, no way I can just buy an MAK with 200 activations?

# ? Oct 29, 2020 21:03

Not without an enterprise agreement, and since you're asking here I'm guessing you don't have one.

# ? Oct 29, 2020 21:04

Mr. Clark2 posted:
> Dangit, no way I can just buy an MAK with 200 activations?

You should be able to; there is still non-profit pricing for volume licensing. You should be able to work through your standard Microsoft volume license reseller and see what programs you might qualify for.

Maneki Neko fucked around with this message at 21:07 on Oct 29, 2020

# ? Oct 29, 2020 21:04

Hey, I'm not sure if this is the right place to post this but I'm not sure what to do. I've been thrown in the deep end with a small client who has an HP Windows Server 2012 box that he needs to be able to log in to remotely. Every guide is confusing the gently caress out of me but I'm effectively being sent at gunpoint to do this so I'm hoping to find any advice on what to do. It's a very basic operation so whatever the simplest solution is should be fine. Thanks heaps in advance for any help or advice on where would be best to ask this.

# ? Nov 5, 2020 12:13

I haven't got much time now to reply, but whatever you do needs to not be opening the RDP ports on your firewall.

# ? Nov 5, 2020 12:45

(I almost wonder if TeamViewer is safer than sitting a 2012 RDP box on the internet)

# ? Nov 5, 2020 14:19

Almost any other option is safer than opening RDP to the internet.

The Fool fucked around with this message at 16:29 on Nov 5, 2020

# ? Nov 5, 2020 16:09