Thanks Ants
May 21, 2004

Bless You Ants, Blants



Continuous Access Evaluation in Azure AD is now in public preview

https://techcommunity.microsoft.com...ic/ba-p/1751704


Sickening
Jul 15, 2007

Black summer was the best summer.

Thanks Ants posted:

Continuous Access Evaluation in Azure AD is now in public preview

https://techcommunity.microsoft.com...ic/ba-p/1751704

That is kind of a big step in the security side of things.

BaseballPCHiker
Jan 16, 2006



I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

I am primarily a networking person. I do have my AWS SA cert, so I am comfortable with cloud concepts as a whole. My point to my company is that I am not the person for this job. We should hire an outside firm to get us to Exchange Online and set up ADFS, and then our normal/useless Exchange admin can run the day-to-day operations at that point. However, with budget cuts I don't think that's going to happen.

So with all that said, how screwed am I?

My plan right now is to first sit down with management and all the other department heads and try to scope out what exactly they think this move is going to accomplish and what their end goal is. From there I can determine if ADFS, or Azure AD, or password hash sync is the way to go. Once that is set up we can discuss our Exchange plan. We have roughly 2000 users so it won't be done in a day, making me think that a hybrid deployment is the way to go.

This is going to be very frustrating but I am hoping I learn a lot from the process and can use my new found experience to make a jump for more money somewhere else down the line.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

BaseballPCHiker posted:

I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

I am primarily a networking person. I do have my AWS SA cert, so I am comfortable with cloud concepts as a whole. My point to my company is that I am not the person for this job. We should hire an outside firm to get us to Exchange Online and set up ADFS, and then our normal/useless Exchange admin can run the day-to-day operations at that point. However, with budget cuts I don't think that's going to happen.

So with all that said, how screwed am I?

My plan right now is to first sit down with management and all the other department heads and try to scope out what exactly they think this move is going to accomplish and what their end goal is. From there I can determine if ADFS, or Azure AD, or password hash sync is the way to go. Once that is set up we can discuss our Exchange plan. We have roughly 2000 users so it won't be done in a day, making me think that a hybrid deployment is the way to go.

This is going to be very frustrating but I am hoping I learn a lot from the process and can use my new found experience to make a jump for more money somewhere else down the line.

I'm in the middle of this right now. Hiring an MSP with a dude to help who has done it hundreds of times was a godsend. We had to push out reg entries to the org before we could even start migrating to the cloud and I would have had no idea. There was a lot of on-prem AD work to do. Having someone who has run through all these fires before was the best move we made.

kiwid
Sep 30, 2013



Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise?

I started as the sole IT guy for a company a few months back and I've yet to install remote support software and it's becoming a real headache walking people through quick assist and poo poo. Also, we have a weird setup where like half the company has the full version of TeamViewer installed so they can remote to various PLC/robot control computers and other unmanned computers that need remote access. Unfortunately TeamViewer was not deployed properly either so people are using the partner ID of the various computers to connect instead of using the address book/groups and "easy access". So I really don't have time to fix this poo poo right now by attempting to deploy policies and a custom module. As for ConnectWise, we have an MSP that uses this for end user support and so I don't want to interfere with their software either.

I'm considering either DameWare or AnyDesk currently. Since most people work remotely, it needs to work over the internet. Also, one thing I loved about TeamViewer was the ability to boot into safe mode and reestablish the connection but not a deal breaker. Oh, and I don't want to pay more than $600/year for a single license. Any recommendations?

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Dameware didn't impress me, I mean it worrrrked, but my experience was it felt fairly limited, but idk how it was actually set up or if it was set up correctly

When we moved to Bomgar it was fantastic, and you can do so many things with it, but it's expensive af and ever since they were bought by BeyondTrust their support has been sub-trash. Software is still pretty great tho.

The Fool
Oct 16, 2003



Dameware works fine and is what we use right now, but if you want to use it over the internet without a VPN connection, you'll need to self-host a proxy server.

kiwid
Sep 30, 2013



klosterdev posted:

Dameware didn't impress me, I mean it worrrrked, but my experience was it felt fairly limited, but idk how it was actually set up or if it was set up correctly

When we moved to Bomgar it was fantastic, and you can do so many things with it, but it's expensive af and ever since they were bought by BeyondTrust their support has been sub-trash. Software is still pretty great tho.

I have the same impression with Dameware. We used an older version of DRS and didn't use the central server so connections were limited to the internal network/VPN. SolarWinds have that new Dameware Remote Everywhere that I was considering testing.

As for Bomgar, I really wanted to use this but when I saw the price tag it was a nope for me. I don't need all the extra features, I just need a way to remotely support a PC without user intervention and also do file transfers.

The Fool posted:

Dameware works fine and is what we use right now, but if you want to use it over the internet without a VPN connection, you'll need to self-host a proxy server.

I was considering the new DRE SaaS app.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

Yeah the worst part about Dameware is that we could only access systems on our network. Relying on users to be able to connect to a VPN isn't reliable at all. If Dameware can do that now it wouldn't be greaaaat, but it would solve the worst problem about it.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


kiwid posted:

Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise?

I started as the sole IT guy for a company a few months back and I've yet to install remote support software and it's becoming a real headache walking people through quick assist and poo poo. Also, we have a weird setup where like half the company has the full version of TeamViewer installed so they can remote to various PLC/robot control computers and other unmanned computers that need remote access. Unfortunately TeamViewer was not deployed properly either so people are using the partner ID of the various computers to connect instead of using the address book/groups and "easy access". So I really don't have time to fix this poo poo right now by attempting to deploy policies and a custom module. As for ConnectWise, we have an MSP that uses this for end user support and so I don't want to interfere with their software either.

I'm considering either DameWare or AnyDesk currently. Since most people work remotely, it needs to work over the internet. Also, one thing I loved about TeamViewer was the ability to boot into safe mode and reestablish the connection but not a deal breaker. Oh, and I don't want to pay more than $600/year for a single license. Any recommendations?

Not sure how your MSP works, but our MSP uses CW but not their remote control software, instead opting for LMI and we can give people access (i.e. internal IT, or using LMI instead of a VPN) to computers and a login and poo poo; not sure if that's possible on the CW platform or how your MSP would feel about it.

Internet Explorer
Jun 1, 2005


BaseballPCHiker posted:

I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

I am primarily a networking person. I do have my AWS SA cert, so I am comfortable with cloud concepts as a whole. My point to my company is that I am not the person for this job. We should hire an outside firm to get us to Exchange Online and set up ADFS, and then our normal/useless Exchange admin can run the day-to-day operations at that point. However, with budget cuts I don't think that's going to happen.

So with all that said, how screwed am I?

My plan right now is to first sit down with management and all the other department heads and try to scope out what exactly they think this move is going to accomplish and what their end goal is. From there I can determine if ADFS, or Azure AD, or password hash sync is the way to go. Once that is set up we can discuss our Exchange plan. We have roughly 2000 users so it won't be done in a day, making me think that a hybrid deployment is the way to go.

This is going to be very frustrating but I am hoping I learn a lot from the process and can use my new found experience to make a jump for more money somewhere else down the line.

I certainly wouldn't say it's an easy and quick project, but it's not an impossible task. They might be better served hiring a company to just do this for them. That being said...

Unless you really need to do AD FS, I'd stick to Azure AD w/ password hash sync as it'll likely be the easiest. Migrating mailboxes for 2000 users is going to take a while. Might want to look into how large they are and plan accordingly.

If you've already got an old install of ADSync, you might run into some trouble claiming your domain as an O365 if someone did it in the past and didn't document. I'd get started on that part sooner rather than later. Then set up Azure AD Connect. At the very least you'll have your users synced up and ready to go and you can start playing around with it.

BaseballPCHiker
Jan 16, 2006



GreenNight posted:

I'm in the middle of this right now. Hiring an MSP with a dude to help who has done it hundreds of times was a godsend. We had to push out reg entries to the org before we could even start migrating to the cloud and I would have had no idea. There was a lot of on-prem AD work to do. Having someone who has run through all these fires before was the best move we made.

That sort of thing is what has me thinking that I should push hard to get outside help. Setting up something new and running it are two different beasts. I won't know a lot of the gotchas going into it.


Internet Explorer posted:

I certainly wouldn't say it's an easy and quick project, but it's not an impossible task. They might be better served hiring a company to just do this for them. That being said...

Unless you really need to do AD FS, I'd stick to Azure AD w/ password hash sync as it'll likely be the easiest. Migrating mailboxes for 2000 users is going to take a while. Might want to look into how large they are and plan accordingly.

If you've already got an old install of ADSync, you might run into some trouble claiming your domain as an O365 if someone did it in the past and didn't document. I'd get started on that part sooner rather than later. Then set up Azure AD Connect. At the very least you'll have your users synced up and ready to go and you can start playing around with it.

Thanks for the info, it gives me more to consider. I have no clue what the setup of Azure AD entailed, how "well" it's set up, etc.


kiwid posted:

Can someone recommend me a remote support/control software that isn't TeamViewer or ConnectWise?

We use Dameware right now and it's OK. We don't pay much for it and it works well enough I suppose.

If you can afford it, Bomgar is the way to do this securely. Also, if it's just Windows host to Windows host, Quick Assist is built in to Windows 10 now and works really well, assuming you have someone who can manage to get to it through the start menu on the other end.

Internet Explorer
Jun 1, 2005


BaseballPCHiker posted:

Thanks for the info, it gives me more to consider. I have no clue what the setup of Azure AD entailed, how "well" it's set up, etc.

I can feel myself about to puke for saying this, but Microsoft's documentation is not bad in this area. Give it a shot and ask here or the IT thread and I am sure we can get you headed in the right direction.

Wizard of the Deep
Sep 25, 2005


BaseballPCHiker posted:

That sort of thing is what has me thinking that I should push hard to get outside help. Setting up something new and running it are two different beasts. I won't know a lot of the gotchas going into it.

You absolutely should. Most organizations would consider email critical even before the pandemic. This is something you don't want to screw up, and there are a lot of gotchas in the process. Having someone who's done it before working with you will save your bacon.

How much would you lose if email was down for a day? For a week? How much will an MSP cost?

Maneki Neko
Oct 27, 2000



BaseballPCHiker posted:

I am soon going to have even more thrown on my plate I think, by getting tasked to help move our org to Exchange Online. Right now we have nothing in the cloud, or any Azure uses besides an old install of ADSync on our DC.

I am primarily a networking person. I do have my AWS SA cert, so I am comfortable with cloud concepts as a whole. My point to my company is that I am not the person for this job. We should hire an outside firm to get us to Exchange Online and set up ADFS, and then our normal/useless Exchange admin can run the day-to-day operations at that point. However, with budget cuts I don't think that's going to happen.

So with all that said, how screwed am I?

My plan right now is to first sit down with management and all the other department heads and try to scope out what exactly they think this move is going to accomplish and what their end goal is. From there I can determine if ADFS, or Azure AD, or password hash sync is the way to go. Once that is set up we can discuss our Exchange plan. We have roughly 2000 users so it won't be done in a day, making me think that a hybrid deployment is the way to go.

This is going to be very frustrating but I am hoping I learn a lot from the process and can use my new found experience to make a jump for more money somewhere else down the line.

As someone who works for a Microsoft Partner and has done a shitload of these migrations I think getting some outside help who has done this before should be a no brainer. One option I didn't see anyone else mention was to engage the Fasttrack team:

https://www.microsoft.com/en-us/fasttrack/microsoft-365/office-365

For 500+ seats they will also help out with your data migration:

https://docs.microsoft.com/en-us/fasttrack/data-migration

BaseballPCHiker
Jan 16, 2006



Maneki Neko posted:

As someone who works for a Microsoft Partner and has done a shitload of these migrations I think getting some outside help who has done this before should be a no brainer. One option I didn't see anyone else mention was to engage the Fasttrack team:

https://www.microsoft.com/en-us/fasttrack/microsoft-365/office-365

For 500+ seats they will also help out with your data migration:

https://docs.microsoft.com/en-us/fasttrack/data-migration

Awesome, thanks for the links! We're definitely over 500 seats so that's something we'd qualify for. Going to make as hard a push as I can to get outside help for this.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

BaseballPCHiker posted:

Awesome, thanks for the links! We're definitely over 500 seats so that's something we'd qualify for. Going to make as hard a push as I can to get outside help for this.

You won't regret it. I'm still balls deep in the migration and occasionally run into some bullshit I've never seen before cause Microsoft and reach out.

Submarine Sandpaper
May 27, 2007



My boss wants me to turn off all windows patching to avoid auto reboots for 2016 and 2019 servers. Mainly hyperV but some sql.

Is this even possible anymore and if so how can I convince that it's a terrible idea.

Potato Salad
Oct 23, 2014

Nobody Cares




gpo

If the guy thinks of himself as a patriot, he could follow guidance by the FBI and US Cyber Command begging dumbass motherfuckers like him to patch the high CVSS score vulnerabilities that have been coming out every month

like, is the boss aware that every single month last two years there have been trivial intrusion vulnerabilities found into basically everything that Microsoft owns, every single time?

Potato Salad fucked around with this message at 15:52 on Oct 21, 2020

Potato Salad
Oct 23, 2014

Nobody Cares




If not, tell me the name of your employer and I'll share the monero I farm 50/50 with you

Submarine Sandpaper
May 27, 2007



ok so the 365 day deferment

The clients are what you should be inquiring after! He knows but will always bend a knee with the smallest push-back. I asked for a workflow to automate reconnecting a sql server to the mainframe post patch but that's not good enough. All the 9's by not patching.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Re: Zerologon mitigations

From this article - https://docs.microsoft.com/en-us/wi...a-when-possible:



Where exactly are they referring to that setting in #3? Default Domain Policy? Default Domain Controllers Policy?

The only one it's NOT enabled on, by default, is the Default Domain Policy.

Submarine Sandpaper
May 27, 2007



Huh? The default policies are just objects that exist and you should not touch. It may be in any GPO.

There is a Microsoft tool, policy analyzer, I've used to help find poo poo.

But anyway, your default should have the lowest priority; just create that policy for endpoints and servers and apply it to any OUs with CPUs.

Submarine Sandpaper fucked around with this message at 21:08 on Oct 22, 2020

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



It seems like something changed and turned Windows firewall on sometime this morning, on many of our servers, which was fun to figure out and then find out how many problems it was causing. Nobody has changed anything in GPO as far as I know of (other than the one I created for the secure channel thing but that wouldn't affect any other settings)

Internet Explorer
Jun 1, 2005


I'd bet good money that something happened network wise and windows network discovery switched the connection from private to public and the firewall is only turned off for private.

You should have firewalls turned on with specific exceptions as needed.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Internet Explorer posted:

I'd bet good money that something happened network wise and windows network discovery switched the connection from private to public and the firewall is only turned off for private.

You should have firewalls turned on with specific exceptions as needed.

It's like the rules are default or something...SQL server wasn't allowing connections. Our Fortinet helper app deal was being blocked on another server (port 8000), our SOC machine did the same thing...

Also updates aren't controlled by GPO anymore...someone hosed with something

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Yeah, not sure why you're turning windows firewall off.

Good/Decent applications automatically make firewall exceptions, lovely applications you have to do it manually but you should still be using the windows firewall as part of your defense in depth strategy.

*edit* I'm unclear what you are actually doing based on your response, but if you DO have the windows firewall on with exceptions, my guess would be the same as intranet explorer in that instead of a domain network your connections are being identified as private/public.
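The check the two replies above describe, written out as an added example rather than anything posted in the thread: per server, it reports which profile (DomainAuthenticated, Private or Public) each NIC was classified into, whether the firewall is enabled on all three profiles, and which required inbound exceptions are absent or disabled after a rule reset. It assumes an elevated session on Windows Server 2016/2019 with WinRM reachable for remote names; the rule names and server names are constructed placeholders.

```powershell
# Added example, not code from the thread. Audits Windows Firewall posture for the
# "firewall suddenly turned on / rules got reset" situation discussed above.
# Assumes: elevated session, built-in NetSecurity/NetConnection cmdlets, WinRM for
# remote hosts. $ExpectedRules and the host names are constructed placeholders.

function Get-FirewallPosture {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Inbound rules you require to exist and be enabled on every server audited.
        [string[]]$ExpectedRules = @('SQL Server (TCP 1433)', 'Helper Agent (TCP 8000)')
    )

    $audit = {
        param($expected)
        $domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

        # Interface classification. On a domain-joined box every NIC that can reach a DC
        # should be DomainAuthenticated; Private/Public means the domain-profile rules
        # (and any "firewall off only for Private" policy) are not what is being applied.
        $nics = Get-NetConnectionProfile | ForEach-Object {
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Category  = [string]$_.NetworkCategory
                Suspect   = $domainJoined -and ([string]$_.NetworkCategory -ne 'DomainAuthenticated')
            }
        }

        # Per-profile firewall state. Disabled on any profile is the anti-pattern;
        # the goal is enabled everywhere with explicit exceptions.
        $profiles = Get-NetFirewallProfile | ForEach-Object {
            [pscustomobject]@{
                Profile        = $_.Name
                Enabled        = [bool]$_.Enabled
                DefaultInbound = [string]$_.DefaultInboundAction
            }
        }

        # Which required exceptions are missing or disabled (what a reset leaves behind).
        $rules = Get-NetFirewallRule -Direction Inbound -ErrorAction SilentlyContinue
        $missing = foreach ($r in $expected) {
            $match = $rules | Where-Object { $_.DisplayName -eq $r } | Select-Object -First 1
            if (-not $match)                          { "$r (absent)" }
            elseif ([string]$match.Enabled -ne 'True') { "$r (disabled)" }
        }

        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            DomainJoined    = $domainJoined
            Nics            = $nics
            Profiles        = $profiles
            MissingRules    = @($missing)
            ProfileProblem  = [bool]($nics | Where-Object Suspect)
            DisabledProfile = [bool]($profiles | Where-Object { -not $_.Enabled })
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $audit $ExpectedRules
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $audit -ArgumentList (,$ExpectedRules)
        }
    }
}

# Usage: audit a few hosts (placeholder names) and list only the ones needing attention.
Get-FirewallPosture -ComputerName 'SQL01', 'HV01' |
    Where-Object { $_.ProfileProblem -or $_.DisabledProfile -or $_.MissingRules.Count -gt 0 } |
    Format-List Computer, ProfileProblem, DisabledProfile, MissingRules
```

A server showing ProfileProblem = True with the firewall enabled everywhere points at the profile-switch explanation; a server with rules in MissingRules but no profile problem points at a rule reset, which is the distinction the thread ends up drawing.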

SEKCobra
Feb 28, 2011


Haven't had it happen on servers, but the common firewall exceptions we used to activate by GPO stopped working after some update; I have been using a custom ruleset since then.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



MF_James posted:

Yeah, not sure why you're turning windows firewall off.

Good/Decent applications automatically make firewall exceptions, lovely applications you have to do it manually but you should still be using the windows firewall as part of your defense in depth strategy.

*edit* I'm unclear what you are actually doing based on your response, but if you DO have the windows firewall on with exceptions, my guess would be the same as intranet explorer in that instead of a domain network your connections are being identified as private/public.

You're right, I don't want to leave the firewall off, but some windows update did something to reset the rules so I have to go back and activate rules for whatever service it's running. Just trying to track down what the heck happened to cause updates to start running.

It's not the domain/private/public network thing.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


Bob Morales posted:

You're right, I don't want to leave the firewall off, but some windows update did something to reset the rules so I have to go back and activate rules for whatever service it's running. Just trying to track down what the heck happened to cause updates to start running.

It's not the domain/private/public network thing.

oh welp, now everything makes sense, maybe it's because I've gotten some sleep...

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.


Windows licensing question(s):

I have 200'ish PCs that were all originally purchased with OEM Win10 Pro licenses and I would like to move them all to Win10 Enterprise in order to take advantage of some of the features like Applocker. Is this path possible? What is the easiest way to acquire the Enterprise licenses? Who do I even call to get a quote? Why has MS made licensing so difficult?
Our Office 365 licenses (E1 and E3) are all non-profit pricing, so hopefully MS offers something similar on the Windows side. Gracias.

The Fool
Oct 16, 2003



It'll probably be easiest to get Windows E3 licenses, you should be able to get them from the same place as your O365 licenses.

Maybe consider Microsoft E3 (a combo license that includes Windows, Office and EMS), but depending on how many E1's you have that may not be practical.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH




Mr. Clark2 posted:

Windows licensing question(s):

I have 200'ish PCs that were all originally purchased with OEM Win10 Pro licenses and I would like to move them all to Win10 Enterprise in order to take advantage of some of the features like Applocker. Is this path possible? What is the easiest way to acquire the Enterprise licenses? Who do I even call to get a quote? Why has MS made licensing so difficult?
Our Office 365 licenses (E1 and E3) are all non-profit pricing, so hopefully MS offers something similar on the Windows side. Gracias.

You want Microsoft 365 E3: https://www.microsoft.com/en-ca/microsoft-365/enterprise/e3?activetab=pivot%3aoverviewtab

Your Office 365 would get rolled into the Microsoft 365 package and you'd get all the other stuff you want.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.


Dangit, no way I can just buy an MAK with 200 activations?

The Fool
Oct 16, 2003



Not without an enterprise agreement, and since you're asking here I'm guessing you don't have one.

Maneki Neko
Oct 27, 2000



Mr. Clark2 posted:

Dangit, no way I can just buy an MAK with 200 activations?

You should be able to; there is still non-profit pricing for volume licensing. You should be able to work through your standard Microsoft volume license reseller and see what programs you might qualify for.

Maneki Neko fucked around with this message at 20:07 on Oct 29, 2020

iajanus
Aug 17, 2004

#GOAT


Hey, I'm not sure if this is the right place to post this but I'm not sure what to do. I've been thrown in the deep end with a small client who has an HP Windows Server 2012 box that he needs to be able to login to remotely. Every guide is confusing the gently caress out of me but I'm effectively being sent at gunpoint to do this so I'm hoping to find any advice what to do. It's a very basic operation so whatever the simplest solution is should be fine. Thanks heaps in advance for any help or advice where would be best to ask this.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



I haven't got much time now to reply, but whatever you do needs to not be opening the RDP ports on your firewall.

Potato Salad
Oct 23, 2014

Nobody Cares




(I almost wonder if TeamViewer is safer than sitting a 2012 RDP box on the internet)


The Fool
Oct 16, 2003



Almost any other option is safer than opening rdp to the internet.

The Fool fucked around with this message at 15:29 on Nov 5, 2020
