TheRealLambardi

Newer IT Admin Trying to Turn On BitLocker for 300+ computers

Posted by drewwhose@reddit | sysadmin | View on Reddit | 152 comments

TheRealLambardi@reddit

I mean you can, but without that TPM chip BitLocker loses a chunk of its value and intent. Also doesn’t generally meet requirements for many contracts that need it. Example: just reviewed a bank MSA, and hardware-based managed encryption with TPM was a requirement. Your mileage might vary.

Newer IT Admin Trying to Turn On BitLocker for 300+ computers

Posted by drewwhose@reddit | sysadmin | View on Reddit | 152 comments

TheRealLambardi@reddit

1) Don't touch this with GPOs....use Intune, Intune, Intune policies. Or use GPO only and no Intune...but I recommend using Intune these days for BitLocker as it's getting complex. 2) Your hardware has to support it, so if you're buying consumer-grade equipment don't bother. 3) Your #3 scares the living daylights out of me...if you're handling those keys in any way by hand...this is doomed to fail. Keys should go into Entra via Intune automatically.

AI Infrastructure, Sandboxes, MCP Servers - What fresh new hell is this?

Posted by SneakyPeteCO@reddit | sysadmin | View on Reddit | 34 comments

TheRealLambardi@reddit

Wanna have fun? Take them at the letter of the law. Out data in a law, grant access to AI only when it's sandboxed…and that includes Claude, Codex, Perplexity etc., so when they go to download NPM or Python models it’s blocked from having access to the internet because it’s sandboxed. BTW, to do this you have to block all of them at the endpoint and firewall and only allow enterprise subs to access them. Second, you have to go into Claude, Codex and Perplexity and take management control of the enterprise license and enforce sandboxed controls. And you should know that blocks a good chunk of their functionality.

Got our renewal today.... time to move away

Posted by Visible-Advice7335@reddit | sysadmin | View on Reddit | 65 comments

TheRealLambardi@reddit

That is the goal. That is the recommendation that advisory teams and other board members are giving these companies. Three-year deal, lock in that price increase. If they're projecting to sell, how many long-term contracts they have in place is generally one of the number one criteria, or at least one of the top three, that they have to present to potential investors.

Got our renewal today.... time to move away

Posted by Visible-Advice7335@reddit | sysadmin | View on Reddit | 65 comments

TheRealLambardi@reddit

I do a bit of consulting for investment firms around software from time to time. Nothing huge, but there are some similar conversations that I get involved in. There's a theme to many of these conversations when it comes to the financial goals. They are testing the waters, and they are setting the expectation that over the long run, year over year, they want to see a 7-10% revenue increase, either through simple price increases (that is the majority). That is the goal. Their time horizon is now to 5 years, one way or the other. The net average is a 7-10% revenue increase. I don't necessarily see fault in that. That's their right. They have invested a lot to build these things out. The issue for many of us in this forum is that we're working at the bottom and making trade-offs to lower license counts. Keep deployment simple, and we're playing the wrong game. This is a conversation for senior management to give yourself some air cover that you're doing what you can to keep license costs down. Every product you buy is going to come at you at some point, one way or another, for these large price increases. Your protection from senior management (I mean business level, not just IT) is that we buy this tool, understand the price increases are coming for you, and that you, as the product owner, may have little real ability to fight against it. What's their willingness to drop it or just pay a 10% year-over-year increase?

Former Colleague is asking me questions 1 month after I left the company - how to handle?

Posted by Qvosniak@reddit | sysadmin | View on Reddit | 272 comments

TheRealLambardi@reddit

In any professional setting, it is not burning bridges to go, "Hey, I'm happy to help a couple of times, but we've now reached the point that further engagement should be under a paid consulting contract. Happy to discuss terms with you. I can put together a proposal for you." If this was a true friend and you said that, they would be like, "Yeah, happy to help get you paid." If this is a colleague that understands business and values your time, their response was, "Yep, this is valuable to me. Let's get you paid for your time." If they're just taking advantage of you and don't want anybody to know about it, that's when they'll get cagey and be like, "I'm not sure, I was just asking for some help." Every friend I have in the business would support me and has supported me over the years in this ask, sometimes for fairly significant contracts, both professional and personal. That is how business works. Setting up a small consulting engagement should not be a big deal for either one of you. You will want to get some basics stood up, but companies know how to do this. Professionals know how to hire consultants.

I'm considering bailing from my company because of a single piece of software

Posted by TheKingOfSpite@reddit | sysadmin | View on Reddit | 275 comments

TheRealLambardi@reddit

umm...every...I mean every industry has its crappy software we are all stuck with...Haven't found a single one. Mine right now....how how how how how horrid is the ATS system for hiring. I thought it was bad on the candidate side in searching for a job. Turns out it can be far, far worse for the employer.

Root SSH with keys only 👍 or 👎? Why as opposed to another user with sudo without password ability?

Posted by daisydomergue81@reddit | sysadmin | View on Reddit | 56 comments

TheRealLambardi@reddit

Yeah…I’ve done those, but at scale you gotta want to do it (I mean fund and staff the solution), tie it to cert management / connected directory or a few other options. Doable, but not for the faint of heart at many orgs. Personally I think this is maybe headed down the path of a more JIT approach. Many, many years ago I used ssh.com’s model and it worked well, but it requires another layer of management. CyberArk has it…but you have to use CyberArk, and I dread using it. Out of the box, OpenSSH by itself alone just lacks management features.

Root SSH with keys only 👍 or 👎? Why as opposed to another user with sudo without password ability?

Posted by daisydomergue81@reddit | sysadmin | View on Reddit | 56 comments

TheRealLambardi@reddit

I have never been a fan of these in an enterprise setting. Example: enforce keys with a password, don’t allow keys on non-controlled environments. The hardest part of managing SSH keys at scale: every time an employee leaves you may have a contractual requirement to clean those up or rotate within a certain window. Same struggle with API keys. Employee leaves, many contracts have X number of hours to revoke their passwords and rotate all keys they had access to that can be used. IT teams absolutely live this latter requirement. SSH keys fit in that bucket depending on how you set things up. Anyway..what I have built is that admin keys are tied to a very narrow set of jump or access hosts that they can be used from, so it takes moments to revoke or rotate access. I would say NEVER root key from your business laptop / workstation. But that is just my opinion.
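As an added illustration of the pattern in the comment above (admin keys pinned to a small set of jump hosts, and fast revocation when someone leaves), here is an audit script that is not part of the original post: it parses an `authorized_keys` file, reports keys that lack a `from=` restriction to the approved jump hosts, and strips a departed user's keys. The `ALLOWED_FROM` set, key blobs and user names are constructed placeholders, not any real environment.

```python
"""Audit an OpenSSH authorized_keys file against a jump-host policy and
revoke a departed user's keys. Constructed example: ALLOWED_FROM and the
sample file are placeholders, not a real environment."""
import re
from dataclasses import dataclass

# Constructed policy: admin keys may only be presented from these jump hosts.
ALLOWED_FROM = {"10.0.0.5", "10.0.0.6"}

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com")
# key type, base64 blob, optional comment; everything before is options
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES))
                     + r")\s+(\S+)(?:\s+(.*))?$")

# Constructed sample file; the key blobs are not real keys.
SAMPLE = """\
# constructed sample, not real keys
from="10.0.0.5,10.0.0.6",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE1 alice@jump
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE2 bob@laptop
from="*.corp.example",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABFAKE3 carol@workstation
"""


@dataclass
class Entry:
    options: dict   # option name -> value (True for flag options)
    key_type: str
    key_blob: str
    comment: str
    line_no: int


def _split_options(text: str) -> dict:
    """Split 'from="a,b",no-pty' into a dict, honouring commas inside quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        items.append("".join(buf))
    result = {}
    for item in items:
        name, _, value = item.partition("=")
        result[name] = value.strip('"') if value else True
    return result


def parse_authorized_keys(text: str) -> list:
    """Parse key lines; blank lines, comments and unknown lines are skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = _KEY_RE.search(s)
        if not m:
            continue
        opts = _split_options(s[:m.start()].strip())
        entries.append(Entry(opts, m.group(1), m.group(2), m.group(3) or "", n))
    return entries


def audit(text: str) -> list:
    """One finding per key usable from somewhere other than the jump hosts."""
    findings = []
    for e in parse_authorized_keys(text):
        who = e.comment or f"line {e.line_no}"
        src = e.options.get("from")
        if src is None:
            findings.append(f"{who}: no from= restriction")
            continue
        bad = [p for p in str(src).split(",") if p not in ALLOWED_FROM]
        if bad:
            findings.append(f"{who}: from= allows {','.join(bad)}")
    return findings


def revoke(text: str, user: str) -> tuple:
    """Drop every key whose comment names the departed user; other lines are
    kept byte-for-byte. Returns (new_text, removed_count)."""
    kept, removed = [], 0
    for line in text.splitlines():
        s = line.strip()
        m = None if s.startswith("#") else _KEY_RE.search(s)
        if m and user in (m.group(3) or ""):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed
```

Run it over a real file with `audit(open("/etc/ssh/authorized_keys/admin").read())`; an empty list means every key is pinned to the approved hosts.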

Disabling RDP in your environment for security purposes

Posted by thelug_1@reddit | sysadmin | View on Reddit | 266 comments

TheRealLambardi@reddit

Well, if there is internet-exposed RDP, or a desktop exposed to RDP floating around when they leave your network, the answer is “come closer so we can all slap you repeatedly”. The RDP protocol itself isn’t so much the problem (albeit MSFT has failed in the past at the protocol). What is a problem: incorrectly configured RDP is. Allowing users to save creds in an RDP file or cache is. Allowing RDP access without MFA every time generally is. Not actively logging and monitoring is. And any sysadmin that puts RDP on the internet is just asking, pleading for problems, especially if all of the above is not done. Also, leaving Chrome unmanaged so that it allows remote access is worse than the above. Replacing it with another admin access tool without addressing actual effective management can be just as bad as or worse than RDP. Real answer: determine what remote access into systems is…manage the eff out of it and go out of your way to block ALL other methods to the point of being a pain.

Best practise for staff requesting a second laptop for WFH

Posted by psgda@reddit | sysadmin | View on Reddit | 625 comments

TheRealLambardi@reddit

I think a better option: malicious compliance. Agree in principle, then get them two Dell desktops and lock them to a desk somewhere not quite comfortable. 1 laptop or two desktops. Their choice. Might even get the approving manager's support :)

Doing big IT changes on Monday or Friday?

Posted by CeC-P@reddit | sysadmin | View on Reddit | 392 comments

TheRealLambardi@reddit

Do Friday afternoons at your own peril. Unless forced, I advise and hide against it. My number #1 reason that usually works: if things go sideways we are calling you for assistance, support and comms, so please make sure you inform employees they might be needed and to not do anything in their personal life that would preclude them from working, like having a drink, as it will impede recovery.

We're Moving To The Cloud, And Already We're Spending 500k A Month... I Can't Help But Wonder What We Could Have Got For On-Prem For 6+ Mil A Year...

Posted by Photo-Josh@reddit | sysadmin | View on Reddit | 396 comments

TheRealLambardi@reddit

- Generator costs
- Diesel
- Generator maintenance contracts
- UPS expenses
- Power for the data center
- Special security for the data center
- Your physical and logical security controls, cameras, etc. for the data center
- Extra staff that watches that equipment, manages that equipment, replaces that equipment
- Sprinkler systems
- Other fire suppression systems

All of these are accounted for in that spend.

Are there seriously no Security Sandbox type software at all? I'm flabbergasted.

Posted by BigCatsAreYes@reddit | sysadmin | View on Reddit | 110 comments

TheRealLambardi@reddit

I can’t see how this would be a great product sale. There have been app container software packages by the big players over the years (and I have used them), but it’s always a niche case, and cost vs. risk mitigation struggles long term. Example: put them in an island browser and you get broader controls. Managing app containers is a pain, and the software nearly always requires specialized fixes to keep running, the vendor ends up not supporting it well…etc.

Critical ERP system can't do OAuth and Microsoft is killing basic auth next month

Posted by Severe_Part_5120@reddit | sysadmin | View on Reddit | 551 comments

TheRealLambardi@reddit

Turning off SMTP Auth is first on my list with clients; it’s a great way to hide a breach. May look to get a proxy of sorts in place and fake it: https://github.com/simonrob/email-oauth2-proxy

Spent 4 days setting up a cluster for ONE person, is this ok timewise, my boss says no..

Posted by preama@reddit | sysadmin | View on Reddit | 82 comments

TheRealLambardi@reddit

I should add: I coached and expected all my admins to have written plans and timelines if it was more than a simple / safe change. That includes back-out plans. If those back-out and test plans were crap I would stop the work and make them go back and do it over again. I’ve even stopped weekend outages they negotiated because the plans were crap. Sell yourself and the work first by having a plan that others review. It matters; otherwise you're just Oz behind the curtain…and replaceable. Soft skills matter.

Spent 4 days setting up a cluster for ONE person, is this ok timewise, my boss says no..

Posted by preama@reddit | sysadmin | View on Reddit | 82 comments

TheRealLambardi@reddit

When you have a lot of containers, orchestration and redundancy of small services needed, and have a good devops/infraops/secops…yes, because you likely require new security tools to effectively monitor Kube’d application processes. Yes, it’s fantastic, but you can replace most deployments of it with a lot of lighter-weight container services. Example: we had one vendor sell us their solution wrapped in Kube….it had one…one single container…it didn’t even SCALE. They only used Kube to restart the single container because they had memory issues. Worse, once I found that out I looked under the covers and they had a mostly full OS deployed in a container..not even hardened and minimized…and zero monitoring other than "reboot automatically because we haven’t figured out how to monitor the container or app logs". Lightsail or App Runner can sometimes be far cheaper and less costly, especially if you are screwing around deploying new systems and monitoring stacks for each customer. Yes, it’s great for simplifying deployments…assuming you have a well-orchestrated solution, which takes a while to build across multiple skillsets.

Spent 4 days setting up a cluster for ONE person, is this ok timewise, my boss says no..

Posted by preama@reddit | sysadmin | View on Reddit | 82 comments

TheRealLambardi@reddit

Sounds like you need to have a plan and a timeline as part of that…A real plan with actions, timelines etc. Give it to your boss…share it, have it reviewed by others and say…Your call, boss, you sold it, you want it…Or we can not deliver it. You don’t care either way. But re-formulating a SaaS product mid-delivery for a customer seems like a VERY bad idea. As a customer I would not be happy at all. Bigger issue: sounds like your SaaS product isn’t really SaaS and it’s more hosted software…and your team doesn’t have a plan to turn it truly into SaaS and meet compliance requirements across the board. GDPR is more business process and compliance than it is IT compliance IMO. But…big deal. Have a plan, include testing/burn-in etc. as part of that.

Why do so many sysadmins forget about DKIM/DMARC/SPF when setting up third party services?

Posted by NuAngelDOTnet@reddit | sysadmin | View on Reddit | 183 comments

TheRealLambardi@reddit

I find most sysadmins don’t know about this beyond a cursory "it exists". More to the BIGGER reasons: 1) marketing or comms set up a new email method and never even talked with IT. 2) someone set up Cvent or SurveyMonkey and doesn't need IT's help. 3) what’s DMARC or SPF? I simply added another domain name for the 14th record after putting much of AWS IP space in there already :)
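The "14th record" joke above is the usual failure mode of bolting vendors onto SPF one at a time: RFC 7208 caps the DNS-querying terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) at 10 per evaluation, after which receivers return permerror and the record protects nothing. The checker below is an added example, not the commenter's code; it walks a constructed offline zone table (all `.example` names are placeholders) instead of querying real DNS, counts the lookups, and flags `+all`, `?all` and `ptr`.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208 limits it to 10)
and flag weak terms. DNS is a constructed in-memory table, not real zones."""

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

# Constructed zone data: domain -> SPF TXT record. Placeholder names only.
DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:crm.example "
                   "include:survey.example include:bulkmail.example a mx -all",
    "crm.example": "v=spf1 include:region1.crm.example "
                   "include:region2.crm.example include:region3.crm.example ~all",
    "region1.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "region2.crm.example": "v=spf1 a:out.region2.crm.example -all",
    "region3.crm.example": "v=spf1 exists:%{i}.region3.crm.example -all",
    "survey.example": "v=spf1 include:a.survey.example include:b.survey.example -all",
    "a.survey.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.survey.example": "v=spf1 ip4:192.0.2.128/25 +all",
    "bulkmail.example": "v=spf1 redirect=spf.bulkmail.example",
    "spf.bulkmail.example": "v=spf1 ptr ~all",
}


def parse_spf(record: str) -> list:
    """Return (qualifier, name, argument) for each term after 'v=spf1'."""
    terms = []
    for tok in record.split()[1:]:
        qualifier = "+"
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        if "=" in tok:                      # modifier, e.g. redirect=domain
            name, arg = tok.split("=", 1)
        else:                               # mechanism, e.g. include:domain
            name, _, arg = tok.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def evaluate(domain: str, dns: dict = DNS, chain: tuple = ()) -> tuple:
    """Return (lookups, problems), recursing into include: and redirect=.
    'chain' is the include path so far, used to detect loops."""
    if domain in chain:
        return 0, [f"{domain}: include loop via {' -> '.join(chain)}"]
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record (permerror when included)"]
    lookups, problems = 0, []
    for qualifier, name, arg in parse_spf(record):
        if name in LOOKUP_MECHS or name == "redirect":
            lookups += 1                    # ip4/ip6/all cost nothing
        if name == "ptr":
            problems.append(f"{domain}: ptr is deprecated and slow")
        if name == "all" and qualifier in "+?":
            problems.append(f"{domain}: '{qualifier}all' lets any host pass SPF")
        if name in ("include", "redirect"):
            sub_lookups, sub_problems = evaluate(arg, dns, chain + (domain,))
            lookups += sub_lookups
            problems.extend(sub_problems)
    return lookups, problems


def check(domain: str, dns: dict = DNS) -> tuple:
    """Evaluate a domain and prepend the over-limit finding if it applies."""
    lookups, problems = evaluate(domain, dns)
    if lookups > LIMIT:
        problems.insert(0, f"{domain}: {lookups} DNS lookups exceeds the "
                           f"limit of {LIMIT}; receivers return permerror")
    return lookups, problems


if __name__ == "__main__":
    total, findings = check("example.com")
    print(f"example.com: {total} lookups")
    for finding in findings:
        print(" -", finding)
```

To use it against live data, replace the `DNS` dict with a function that fetches TXT records (e.g. via dnspython) and keeps the same `dns.get(domain)` interface.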

Just got thrown into owning BCP/DR planning… how do people actually manage this?

Posted by Round-Mycologist-376@reddit | sysadmin | View on Reddit | 56 comments

TheRealLambardi@reddit

DR/BCP is about keeping the business running…you must have the business as part of the conversation. Step away from the tech and start with that question…keep the business running first, while IT rebuilds, which is secondary.

Well, sheeeeeit!

Posted by cantsleepclownswillg@reddit | sysadmin | View on Reddit | 125 comments

TheRealLambardi@reddit

To confirm, yes, this is normal right now…even for pricing for an F50 company. Such is supply chain. I have a 450% price increase on memory from one year ago. You should 100% be sharing at the C-suite level that prices are volatile and that delays by days in procurement processes will 99.9% increase pricing. Budgets should be adjusted accordingly, and failure to increase IT or purchasing budget will lead to guaranteed project delays or no delivery made. Deal with it. You will need to be vocal about this.

Standardising M365 offboarding across engineers

Posted by Djjd267@reddit | sysadmin | View on Reddit | 4 comments

TheRealLambardi@reddit

Don’t forget to go through Enterprise apps and look for direct assignments; if they were authorized to add apps (as in personal apps) you probably want to offboard those apps as well…but that will be use-case specific (aka do they have a bunch of email clients that let them access (and keep) email post-exit? *cough* If yes, you may have client notifications to make). Which brings up the other offboarding steps: don’t forget to wipe devices of data if using personal phones is allowed (or not explicitly prevented; you should look either way).

Why do vendors find your personal cell to call?

Posted by ncc74656m@reddit | sysadmin | View on Reddit | 224 comments

TheRealLambardi@reddit

FWIW: People who are in positions of authority work better over phone and TXT...it's faster. The business and most decisive folks I work with, both 20 years in corporate and now a few years vendor side...decision makers work better on the phone. It is a constant and reliable signal. I would say TXT first, call later. That said, I am not cold calling anyone...nope, not going to happen.

our 'ai transformation' cost seven figures and delivered a chatgpt wrapper

Posted by ruibranco@reddit | sysadmin | View on Reddit | 359 comments

TheRealLambardi@reddit

To be fair, prompt engineering better for the workflow + guardrails + verification | monitoring (legally required for some use cases), and for most IT orgs you have to do it in pieces because I do find they struggle to do all of them at once. I’ve cracked open some prompts at orgs and they would be better off having had the intern do it. End of the day there are legal implications, and policy and practices are the first deliverable for most enterprises.

IT Manager wants to solve vulnerabilities

Posted by Imaginary_Sort_5150@reddit | sysadmin | View on Reddit | 69 comments

TheRealLambardi@reddit

And welcome to vulnerability management. Validate the claim, find the owner, convince the owner they are the owner, don’t get gaslit that they are not the owner, come up with a plan (patch, hack, disable, block, etc.), get commitment, publish the plan, remediate, report on remediation, verify. Rinse, repeat. Once that is mastered, now move down the stack and find more. :)

Any admins have an actual backup for email, if M365 is down for extended periods?

Posted by DramaticErraticism@reddit | sysadmin | View on Reddit | 284 comments

TheRealLambardi@reddit

I built these systems for years, and all the hosting and rules, routing, gateway errors, working with other IT teams for their bad mail gateway etc. Never again will I do that or recommend my org or clients do that. Yes you can, yes I have; make sure you hire a small team to maintain that and nothing else. Ok, real answer: build a BCP plan for critical processes that are required and have a backup email system at a completely different provider with a secondary domain. Also, while you're at it, critical contacts, and work through what is needed to activate it and practice it from time to time. If you use HubSpot or another CRM, likely you could do all of that there in many cases.

What do you guys do with people who keep passwords in Word/plaintext etc

Posted by Tylerjackx@reddit | sysadmin | View on Reddit | 132 comments

TheRealLambardi@reddit

Give them the enterprise license, and if you're doing it right they get a personal copy as well from the deal you made with the enterprise password manager to encourage use. Then you lock their accounts and make them reset them all and put them in the PM, because the passwords have been left insecure and it’s a security requirement. Then you walk them through how to do this so there are zero barriers. Done, works every time…but hope, pray and send an email out occasionally ain’t gonna cut it. Find a few advocates that will sit and walk people through the work occasionally.

Why do system administrator get paid less than software developers ?

Posted by PM_40@reddit | sysadmin | View on Reddit | 213 comments

TheRealLambardi@reddit

Would agree, with a caveat…the best moved resources around and ended support quickly for less-needed services (even to help encourage less business use of services to support faster legacy retirement). The struggle is IT staff who don’t like changes or “this is what I do..I don’t want to change to xyz, and why isn’t my mgr supporting me”. Usually you end up getting rid of those types of people, but 2-3 years of a good manager moving things around at speed can do wonders for long-term productivity. Aggressively in your career, work to deploy services and have zero personal care in the world if you have to throw it all away and replace it with something else. Makes you more agile and useful…sure, there is a need for a super expert in one tech, but that is less and less needed in non-consulting, enterprise roles.

Why do system administrator get paid less than software developers ?

Posted by PM_40@reddit | sysadmin | View on Reddit | 213 comments

TheRealLambardi@reddit

Career feedback…plan and curate relationships so if the app isn’t your problem the support isn’t your problem. Seriously not trying to be a jerk, but my long-term view is more people do themselves a disservice through their entire career because of a hero complex. Ex: I was with a friend recently and another one of those user app, some code … old… yadda rolls downhill, sysadmin gets a Sat AM ping..pls help. Boss says can you take a look. Watching friend start to dive in and I ask: hey man, you gotta what, find the code, modify it after learning it..fix it and make OS changes to support a crap app. You're in what …60 hours all in to completion. I coach him through sending a note before going further to the app owner and boss…something like “I have a 90% chance of success but I have to do these xyz things and am in 60-80 hours and stop ALL work, emails, meetings etc. to nail this down. Before I proceed, is this what you want?” App owner replies in 10 minutes: “Oh, this was not that important…I am not asking for you to take personal time or skip other work…I will retire this app and go seek a replacement…” and apologized for the after-hours ask: “I thought this might be one of those 5 minute things you just do for us.” Point is, hero / save-the-day complex is the worst attribute of a sysadmin. Things roll downhill, and it doesn’t mean it’s always the sysadmin's job…not without strong trade-offs before work gets going. All my opinion, but I see it a lot and very consistently. And MS Sentinel was never hard…same basic 101 SQL and knowing your data is all that’s needed. Yeah, it’s still MSFT weirdness, but it’s simple and requires not much work and should be tier 1 outsource type of work.

Why do system administrator get paid less than software developers ?

Posted by PM_40@reddit | sysadmin | View on Reddit | 213 comments

TheRealLambardi@reddit

Yep…today’s sysadmin is not yesterday's sysadmin. Today it is more early career or easily outsourced. Good sysadmins left the field and went into sec engineering, leadership or DevOps. Coming from an early-career sysadmin, I realized long ago those salaries and the role were going downhill….because the work was no longer hard and just getting easier.

I feel like I missed out on the Golden Age of IT work

Posted by AntsyAnswers@reddit | sysadmin | View on Reddit | 805 comments

TheRealLambardi@reddit

> I have this fantasy of being a lone sysadmin in like 2002 with one big office. And all the infrastructure was “my infrastructure”. And I run around all day actually troubleshooting computers, running cables, swapping hard drives, etc. I genuinely think I would thoroughly enjoy doing that all day.

You just described a nightmare working environment. Sure it was fun for a couple of weeks while you were learning new things, but after that it's soul crushing. IT support generally isn't a profit center, so as an owner/manager here is your equation.

- I don't want to pay someone to learn.
- I want reliable service for as cheap as I can get it.
- I want commodity, because why take the risk of bespoke or unique offerings.
- Many SaaS offerings just make getting functionality that much easier and cheaper. I don't want to be stuck in "sticky" IT solutions.

For small to early mid-sized shops the answer is DIY it until you can afford an MSP that meets your needs.

My company was acquired

Posted by CatStretchPics@reddit | sysadmin | View on Reddit | 318 comments

TheRealLambardi@reddit

You need to find out why they acquired you.

- people
- name
- tech
- customers
- future product
- territory
- contacts

It’s usually only one of those…two is a bonus, three… week behind two is rare (as well as keeping).

I now understand why other IT teams hate service desk

Posted by Terrible_Working_899@reddit | sysadmin | View on Reddit | 331 comments

TheRealLambardi@reddit

My favorite…big US help desk NOC has been “working a NAC port issue for 6 weeks”. I get pulled in and 5 minutes into a call I ask….show me interface and log stats….because there is nothing in the ticket history other than customer (me and my team) provided client-side logs. Logging was never turned on…switch confirms this (and hasn’t been rebooted or cleared), and this is after they said “NAC logs are too hard to read”. I physically said out loud…”what is it that you said you do here?”

New CIO without technical background relying on consultant

Posted by Puzzled-Act7497@reddit | sysadmin | View on Reddit | 89 comments

TheRealLambardi@reddit

This is not uncommon, especially at SMB-size companies. Good technical CIOs are rare. In fact, in my experience as a consultant now, technical CIOs are not as good on average. They overthink the tech (or allow their staff to) and don’t drive change and rapid decisions. Yes, that is a broad characterization and only that, but I find it’s pretty consistent.

Okay, but how do you SSH into 1,000 devices??

Posted by Automatic-Reply-1578@reddit | sysadmin | View on Reddit | 446 comments

TheRealLambardi@reddit

Loads of yikes… That you are at this number of devices and not automating raises other questions about the entire operations and maintenance in general. That said…you have some good answers in here.
