|
iajanus posted:Hey, I'm not sure if this is the right place to post this but I'm not sure what to do. I've been thrown in the deep end with a small client who has an HP Windows Server 2012 box that he needs to be able to login to remotely. Every guide is confusing the gently caress out of me but I'm effectively being sent at gunpoint to do this so I'm hoping to find any advice what to do. It's a very basic operation so whatever the simplest solution is should be fine. Thanks heaps in advance for any help or advice where would be best to ask this. The dumb, but easy, and just a bit safer option, is to allow RDP from the internet (lol) and use something like RDPGuard on the server. Trust me, I did this for so many dumb cheap stupid podunk operations in my MSP days. Despite us trying to pitch a RD gateway server, in many cases adding a firewall or reverse proxy server, and 2-factor, no one at that scale ever wanted to grow and pay the money it'd require. But they would pay the $50 for RDPGuard software. Its basically Fail2Ban for RDP servers. Have fun unblocking idiot sales people after they fat finger their passwords to many times trying to RDP in.
|
#
?
Nov 5, 2020 17:11
|
|
|
|
| # ? Apr 23, 2024 10:14 |
|
|
BaseballPCHiker posted:The dumb, but easy, and just a bit safer option, is to allow RDP from the internet (lol) and use something like RDPGuard on the server. https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/ just to pick a recent example, it's far from the only one. Any exploits that work before authentication still work the same way. That's not of course to say these things aren't good to use anyways, but I still would never expose a service to the open internet that doesn't absolutely need to be accessible to randoms. I'd use basically any VPN, remote access tool, or something like Apache Guacamole before exposing RDP outside of trusted networks, and if I did end up having to do that I'd only open it up to the smallest number of IPs that I could get away with while still supporting the business needs.
|
|
#
?
Nov 5, 2020 20:53
|
|
|
wolrah posted:The problem with anything like RDPguard, Fail2Ban, etc is that while it's great against brute force attacks it doesn't do anything about any other kinds of attacks. You arent wrong. The lovely businesses running server 2008 that are vulnerable to BlueKeep ,are the same ones who most desperately need to upgrade and make improvements and the same ones that will be to cheap to do so. I know for a fact that there were some clients I had in my crappy MSP days that are running their Small Business Servers 08 still. Dont worry though they installed Sophos AV on it after our idiot sales/owner figured out he could make a ton reselling that.
|
|
#
?
Nov 5, 2020 21:30
|
|
|
Azure AD Application Proxy is free and can be combined with Remote Desktop Gateway, it's where I'd start https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services
|
|
#
?
Nov 5, 2020 21:33
|
|
|
Thanks for all the ideas, ended up muddling my way through and the customer's paid the invoice so all's well and I can get appropriately drunk for a Friday evening  !
|
|
#
?
Nov 6, 2020 10:12
|
|
|
iajanus posted:Hey, I'm not sure if this is the right place to post this but I'm not sure what to do. I've been thrown in the deep end with a small client who has an HP Windows Server 2012 box that he needs to be able to login to remotely. Every guide is confusing the gently caress out of me but I'm effectively being sent at gunpoint to do this so I'm hoping to find any advice what to do. It's a very basic operation so whatever the simplest solution is should be fine. Thanks heaps in advance for any help or advice where would be best to ask this. Yo, the simplest and fastest way to get this done is to use TeamViewer for the love of God, make sure that every account that is used has a very strong password
|
|
#
?
Nov 6, 2020 13:53
|
|
|
We run a small AD deployment with Azure AD Connect to provision Azure AD accounts, all domain controllers are Server 2019 and the functional level (domain and forest) is 2016. We have maybe 10 desktop computers for admin staff to use that are managed through GPO, some VMs that are AD-joined and managed in the same way, but the bulk of our staff all have laptops that are Azure AD joined and managed with Intune or whatever it's called this week. There isn't much on-prem services left, but there's enough that we can't go cloud only. For the few file shares that people still need to access, I would like them to be able to access from their Azure AD devices without having to mess around. It seems like the best way to go is to follow this document https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base I don't want to do any sort of hybrid domain join as I want our momentum to be away from any links to on-prem services, and every time it's come up previously in this forum people have said that hybrid join should be avoided where possible. I've not been keeping up with (Azure) AD developments but is it still worth following the linked guide, or is there better stuff coming shortly that takes a lot of pain out of the deployment? Assuming that going through with this setup is the right way to go, how are people handling the HTTP distribution point for the CRL? Our infrastructure is already in Azure so I was hoping I could just add a service endpoint for the web app service and have the app read straight out of the CRL file share or something, but I've not looked at it too closely.
|
|
#
?
Nov 9, 2020 22:12
|
|
|
kiwid posted:Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise? We use Goverlan. As dumb as the name sounds, it's pretty good. You can search domain user, right click set focus, find what PC it's logged into. If you get the enterprise edition you can do scope actions which is mass actions. Remote installs blah blah. BaseballPCHiker posted:I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC. 2000 mailboxes ain't bad, as soon as you have the connection and mailflow setup it's pretty straight forward send batch email telling users to they're moving blah blah. Go Azure AD with pass-through/modern authentication. Unless you need to go ADFS. I finally recently moved all our AD FS applications to Azure AD. Whoever externally you get will probably go that route anyways unless again you have a specific reason you need ADFS. lol internet. fucked around with this message at 07:18 on Nov 11, 2020 |
|
#
?
Nov 11, 2020 07:15
|
|
|
Potato Salad posted:Yo, the simplest and fastest way to get this done is to use TeamViewer They refused to pay for it :'(
|
|
#
?
Nov 11, 2020 10:53
|
|
|
lmao it's like £30/month, don't waste your time with those clowns
|
|
#
?
Nov 11, 2020 11:28
|
|
|
AnyDesk works in a pinch or if you just want to buy one license cheap
|
|
#
?
Nov 11, 2020 13:43
|
|
|
iajanus posted:They refused to pay for it :'( small business owners are absolute fffffffff
|
|
#
?
Nov 11, 2020 13:58
|
|
|
Thanks Ants posted:lmao it's like £30/month, don't waste your time with those clowns This is something that a lot of MSPs need to learn the lesson of.
|
|
#
?
Nov 11, 2020 17:55
|
|
|
Is there a way to disable ALL applications from preventing screen lock? We have a GPO that locks the screen after 7 minutes on all computers. We also have a security station PC where they watch cameras....that disables the screen locking (just like any media player does). The application for the security cameras doesn't have a 'disable screensaver' checkbox that I can uncheck, like a sane media player would. Any ideas?
|
|
#
?
Nov 11, 2020 19:09
|
|
|
Potato Salad posted:small business owners are absolute fffffffff "Why do I need a router and a server? I just put everything in a shared folder on one computer and they're connected with a dumb switch." "Because you're making medical equipment and HIPAA regulations exist." "Oh, we've never been hacked! I'm sure we'll be fine." If you're an amputee, you may want to PM me about the security of your medical information.
|
|
#
?
Nov 11, 2020 21:58
|
|
|
Bob Morales posted:Is there a way to disable ALL applications from preventing screen lock? This is going to sound very dumb because it is. I had a similar scenario, a computer mounted in a fire truck. It HAD to get the GPO that set screen lockout times for us to pass an audit. Despite it being in a fire truck thats parked in a fire station or out on a call at all times. But then the fire fighters would get pissed because one guy would have to sign in so that they could use their dispatch software to see where the hell they needed to go and what they were getting into. The solution was a simple app called MoveMouse. It moved the mouse, every 30 seconds or so. I'm not sure if its still around or being developed anymore but it worked on older win10 builds.
|
|
#
?
Nov 11, 2020 23:43
|
|
|
BaseballPCHiker posted:This is going to sound very dumb because it is. I had a similar scenario, a computer mounted in a fire truck. It HAD to get the GPO that set screen lockout times for us to pass an audit. Despite it being in a fire truck thats parked in a fire station or out on a call at all times. But then the fire fighters would get pissed because one guy would have to sign in so that they could use their dispatch software to see where the hell they needed to go and what they were getting into. This? https://www.microsoft.com/en-us/p/move-mouse/9nq4ql59xlbf?activetab=pivot:overviewtab
|
|
#
?
Nov 12, 2020 00:02
|
|
|
Bob Morales posted:Is there a way to disable ALL applications from preventing screen lock? https://www.zhornsoftware.co.uk/caffeine/ 
|
|
#
?
Nov 12, 2020 00:14
|
|
|
I think you all may have been misreading. It sounds like there's an app that's stopping the screen from locking. Even the security station PC. Which is kind of odd, I don't know if I'd want to lock something that's solely used to watch cameras if there's no user interaction, but hey. I'm not aware of what that could be. Applications themselves probably shouldn't be able to prevent screen lock unless they're emulating user interaction, like the apps listed above, but I can't say I've put much thought into it. Bob Morales - have you tried contacting the vendor? I wouldn't be surprised if they had something hard coded because it cuts down on calls of "my computer went to sleep!"
|
|
#
?
Nov 12, 2020 01:19
|
|
|
Internet Explorer posted:I think you all may have been misreading. It sounds like there's an app that's stopping the screen from locking. Even the security station PC. Which is kind of odd, I don't know if I'd want to lock something that's solely used to watch cameras if there's no user interaction, but hey. Right, I want the opposite if what people have suggested. I’m hoping they have a registry entry or something I can edit. It’s Avigilon by the way. This is basically a “window is always on top” problem
|
|
#
?
Nov 12, 2020 01:39
|
|
|
Question about LAPS. I assume the answer is yes but wanted to verify without testing on my own. When you set permissions for the computer objects to update the password in the attribute field. Do those permissions trickle down in the OU? (ie. OU1 has a OU named OU2 in it. If I apply the permission to allow the PC to update the password attribute field on OU1, will OU2 get the inheritance?) I ask this just because it's not actually in the guide, it just says apply the permission to whatever OU you stick computers in. I essentially want to just apply it to main root OUs ie. Departments which will have OUs underneath it both User and PC OUs instead of individually applying it to each OU.
|
|
#
?
Nov 12, 2020 06:59
|
|
|
Thanks Ants posted:lmao it's like £30/month, don't waste your time with those clowns They're more than happy to pay me ~500 a month to come out a few times and do trivial stuff, while refusing to pay on a plan. They're loving morons but quite profitable.
|
|
#
?
Nov 12, 2020 08:17
|
|
|
lol internet. posted:When you set permissions for the computer objects to update the password in the attribute field. Do those permissions trickle down in the OU? Yes. Since it’s just setting AD permissions, inheritance follows to the child OUs automatically unless you have it disabled on an OU for some reason.
|
|
#
?
Nov 12, 2020 11:13
|
|
|
I've got a couple questions about Centralized Deployment for Office add-ins that seem pretty basic, but I don't have admin rights to go check for myself:
|
|
#
?
Nov 13, 2020 20:18
|
|
Toast Museum posted:I've got a couple questions about Centralized Deployment for Office add-ins that seem pretty basic, but I don't have admin rights to go check for myself: Yes. I have no idea what the mechanics are if you're developing your own, but certain add-ins do not allow you to select the deployment method at all. I haven't seen one that's, like, 2 out of 3. quote:
You press a radio button and switch from one to the other. Then hit save. That's the whole deal. Since I answered a question, I'm going to ask one. Does anyone have any experience with Microsoft Endpoint DLP. I'm trying to POC it and it's absolutely driving me crazy. I'll probably just open a support ticket and slowly die inside while I explain the issues to Microsoft over and over again, but if I'm missing something it is not documented. I can see in Defender where it identifies labeled files on the endpoint I'm trying to POC, but the EndPoint DLP stuff in Compliance is flat-out not doing anything. Blocking, auditing, etc..
|
|
|
#
?
Nov 16, 2020 17:21
|
|
|
We have this lovely ERM system where you can't get data in or out of it programmatically. I'm now investigating using a BI tool like Tableau to access the data. I'm not too familiar with BI tools so how would this typically work, does it just connect directly to the SQL database? If so, is there any issues with multiple applications reading data from a single database? I'm worried it might interfere with the ERP software in some way. This would be read-only if it matters.
|
|
#
?
Nov 16, 2020 21:12
|
|
|
kiwid posted:We have this lovely ERM system where you can't get data in or out of it programmatically. I'm now investigating using a BI tool like Tableau to access the data. I'm not too familiar with BI tools so how would this typically work, does it just connect directly to the SQL database? If so, is there any issues with multiple applications reading data from a single database? I'm worried it might interfere with the ERP software in some way. This would be read-only if it matters. Most BI tools can read directly from SQL, but it's usually not recommended. At least not your raw ERM database. You want to at least* copy your production database into a read-only reporting db and point your BI tool at that. * I want to stress that this is literally the bare minimum.
|
|
#
?
Nov 16, 2020 21:24
|
|
|
The Fool posted:You want to at least* copy your production database into a read-only reporting db and point your BI tool at that.
|
|
#
?
Nov 16, 2020 21:43
|
|
|
One of my company's domains has DNS entries set up in a really weird way. I want to clean it up but I want to make sure it makes sense. This is Windows Server 2012 R2. What I've always seen in DNS is forward lookup zones will be configured with the top-level domain. So for example, contoso.com would be a zone. And then underneath that zone you can have subdomains and records to your heart's content. However, my company has configured this domain with zones created for SUBDOMAINS. So for example, instead of having a zone just called contoso.com and an A record for subdomain.contoso.com within this zone, they have a ZONE called subdomain.contoso.com and in it a single A record (same as parent folder). And of course the typical NS and SOA DNS entries you see for any zone. It doesn't make sense to me to create zones for subdomains, and what I want to do is just create a zone for the top level domain and move the DNS records from the subdomain zones to this zone. Does that make sense?
|
|
#
?
Nov 17, 2020 20:19
|
|
|
Weaponized Autism posted:One of my company's domains has DNS entries set up in a really weird way. I want to clean it up but I want to make sure it makes sense. This is Windows Server 2012 R2. So yeah, that makes sense. subdomain.contoso.com will resolve to the A record on your DNS, but subdomain2.contoso.com (that does not exist in your DNS server) will resolve using your dns forwarder. We do the same thing because we have a sister organization that has some subdomains that need to resolve using the internal DNS, and some that need to resolve with the public dns and for dumb reasons neither split-brain or a stub zone would work.
|
|
#
?
Nov 17, 2020 20:35
|
|
|
The Fool posted:So yeah, that makes sense. Of course  Upon closer inspection it does seem like there's a need for internal DNS for some of these entries, so that makes sense. Thanks.
|
|
#
?
Nov 17, 2020 20:39
|
|
|
Either one of those methods will work. However, The Fools suggestion is superior because you should always ask do I really need to create this zone? I've usually seen people host those zones inside their network to resolve https://www.mycompanysshittylampsite.com to 10.0.0.5 instead of 192.45.66.12 or whatever. Creating a bunch of zones for that purpose is asking for an administrative headache for no reason in my opinion. Let the DNS forwarding do it's job. The real hotness is to go <subdomain>.whatevercompany.com for your AD domain (internal.contoso.com or something), and then never ever use Windows DNS for anything else ever again. Is the "official" MS guidance these days too. Got a chance to stand up a new domain once that way, was very nice. Still very clean last I checked, no comparing on-premises DNS zones to public DNS records like a DNS record anthropologist only to find out that everything inside was resolving to the wrong version of some dumb website for 10 years. Or, my favorite, not understanding www vs how Windows handles @ and only being able to go to https://www.mycompanysshittylampsite.com.
|
|
|
#
?
Nov 17, 2020 20:51
|
|
|
Yes, don't host company.com in your internal DNS, make everything a subdomain (or a totally different domain that you also own) and if you have to have something like vpn.company.com resolve internally then add a zone just for it. There's nothing worse than having to replicate a bunch of poo poo internally to make things like your website work, especially if you're using AWS, Azure etc. and the DNS records are aliases anyway or load balanced and you have to hard-code A records and then manually change them all the time.
|
|
#
?
Nov 17, 2020 21:51
|
|
|
In Office 365, what's the best way to give a consultant an internal email address that forwards to their gmail account without using a license or mailbox? There seems to be a few different ways like using a shared mailbox or a distribution group. Should I even be doing this in the first place? Should I just use a license/mailbox?
|
|
#
?
Nov 20, 2020 15:29
|
|
|
kiwid posted:In Office 365, what's the best way to give a consultant an internal email address that forwards to their gmail account without using a license or mailbox? There seems to be a few different ways like using a shared mailbox or a distribution group. Should I even be doing this in the first place? Should I just use a license/mailbox? Shared mailbox then you can set auto forwarding in the exchange control panel. No license needed.
|
|
#
?
Nov 20, 2020 15:33
|
|
|
GreenNight posted:Shared mailbox then you can set auto forwarding in the exchange control panel. No license needed. Thanks.
|
|
#
?
Nov 20, 2020 16:29
|
|
|
Or a distribution list with the only member being a mail contact with their Gmail address in
|
|
#
?
Nov 20, 2020 20:34
|
|
|
So, what's the trick to getting 20H2 to show up in wsus? I'd like to start testing it in my environment since I'll be needing to move on from 1809 by spring next year. E: I figured this out. Apparently you have to change the view on wsus to "1903 and above" to get it to show. I had just "Windows 10" checked off which...should have be fine? Whatever. chocolateTHUNDER fucked around with this message at 22:49 on Nov 23, 2020 |
|
#
?
Nov 23, 2020 03:56
|
|
|
I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this. The most recent MS documentation that covers this is from 2016 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)). It at least mentions Server 2016 but I'd be interested in anything more up-to-date if that exists. Or a good third-party post that covers it if there's nothing from MS on the topic - a lot of the stuff I can find says "this is a lab so we'll just pick these settings" but I'd like to understand what those settings are. From what I can tell, the offline CA seems to be the way to go, and our AD environment lives in Azure so having a 2019 box powered down isn't really a problem, but if there's any way to shift those responsibilities into an Azure service then I'd be up for that.
|
|
#
?
Nov 24, 2020 12:07
|
|
|
|
| # ? Apr 23, 2024 10:14 |
|
Thanks Ants posted:I'm getting into a bit of a rabbit hole with Windows Hello for Business in a hybrid deployment (Azure AD joined clients managed with Intune, on-prem resources joined to AD), and the whole "have a PKI infrastructure" step is not just a simple task on the route to implementing this. Hah, interesting. I didn't know this required PKI. For what it's worth, getting the certs onto devices via the connector with InTune isn't too bad. quote:The most recent MS documentation that covers this is from 2016 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786436(v=ws.11)). It at least mentions Server 2016 but I'd be interested in anything more up-to-date if that exists. Or a good third-party post that covers it if there's nothing from MS on the topic - a lot of the stuff I can find says "this is a lab so we'll just pick these settings" but I'd like to understand what those settings are. There is no service that will replace what the AD Cert servers will do at this point (that I know of). It would be nice if there was. You can power the Offline CA down, I usually just delete the entire thing. I'm never around long enough to need it again. I've done this 3-4 times in the past couple of years. In my experience, every article written about deploying this stuff is wrong to some degree. This one is at the top of my google results and looks generally correct: https://stealthpuppy.com/deploy-enterprise-subordinate-certificate-authority/ edit: I also disable CRL checking and issue the root cert for, like, 20 years. When you do this it would not be advisable to actually use the CA you set up for anything unless you are pretty sure it's for something stupid, like getting SCCM to work with HTTPS because you deployed a CMG on some unsuspecting assholes using HTTP in TYOOL 2020. i am a moron fucked around with this message at 15:12 on Nov 24, 2020 |
|
|
#
?
Nov 24, 2020 15:06
|
|