cvc75

Our CTO almost dropped the prod DB

Posted by relived_greats12@reddit | sysadmin | View on Reddit | 153 comments

cvc75@reddit

>ABSOLUTELY NO ONE HAS DROP/TRUNCATE/DELETE PERMISSIONS ON PRODUCTION OTHER THAN ME! And with "me" I mean the account that I use *only* for drop/truncate/delete, not the account I use for regular queries.

I caught a notary in our office

Posted by TrainingOrchid516@reddit | sysadmin | View on Reddit | 64 comments

cvc75@reddit

Although I doubt that the company that doesn't care about employees using company printers for private business would have an Acceptable Use Policy anyway.

Rsync 3.4.3 might break incremental backups for you. Revert to 3.4.1 and it will work again; "Since 3.4.1, 36 commits by "tridge and claude"". Nothing is safe.

Posted by segagamer@reddit | sysadmin | View on Reddit | 152 comments

NTSB gathering details on Frontier Airlines evacuation after plane hit and killed person in Denver

Posted by GregWilson23@reddit | aviation | View on Reddit | 291 comments

cvc75@reddit

Apparently (from another thread on this) some airlines now treat a fanny pack as a personal item? So you can have your carry-on and the fanny pack, or a carry-on and a bigger personal item bag/backpack etc. but not both. So the only option left is cargo pants.

Use of commands for system configuration CONSIDERED HARMFUL.

Posted by thomasafine@reddit | sysadmin | View on Reddit | 130 comments

cvc75@reddit

You know what? Just for complaining, and using fancy words like idempotent, we'll turn some commands into **toggles** just for you. So what the command does depends entirely on the previous state, changes every time, and is absolutely not idempotent.

Team lead got mad I didn't call back someone who didn't leave a VM while I'm on call

Posted by TryARebootFool@reddit | sysadmin | View on Reddit | 284 comments

cvc75@reddit

1a - if you have fallen for a phishing attempt, and now suddenly can’t log in anymore, a password reset (and more) should qualify as an emergency. 

How do you stop loopback GPO user settings from leaking to unrelated servers?

Posted by thmeez@reddit | sysadmin | View on Reddit | 29 comments

cvc75@reddit

Just to be sure: you aren’t using roaming profiles for these users, right? If you are, of course some GPO settings will "leak" to other servers because they move with the profile. 

Urgent: Help needed TODAY!

Posted by Hobbit_Hardcase@reddit | talesfromtechsupport | View on Reddit | 47 comments

cvc75@reddit

>Kind of like someone throwing a tantrum and sitting at the bus stop for several hours

Worse, complaining because the bus didn't show up on a Sunday, when the timetable at the bus stop clearly said there was no service today.

Microsoft blocked my CPA client's emails the day before the tax deadline

Posted by Lord_Amoux@reddit | sysadmin | View on Reddit | 106 comments

cvc75@reddit

Only 10-20%? That’s just a recipe for disaster for orgs that work seasonally.  And another reason to send any automated mail or marketing campaigns over an external service, not through MS. 

Learn to Speak

Posted by theMightBoop@reddit | sysadmin | View on Reddit | 454 comments

cvc75@reddit

I've seen some attitudes like "I'm an engineer, I've got my 1st level to talk to the users, and my manager to talk to CEOs and stakeholders. And for vendors, I only want to talk to their techs, not their sales people."

Vendor we fired 2 years ago still has VPN access and admin rights to our backup system

Posted by SpecialistAd7913@reddit | sysadmin | View on Reddit | 68 comments

cvc75@reddit

Right, fix the immediate problem by disabling these accounts, and after that I don't see anything wrong with asking other people. Even if you go to your boss and point this out, it can't hurt if you already have some ideas to present on which processes you could implement in your org.

Anyone read this 49 day SSL expiration thing and think they would rather just retire?

Posted by HJForsythe@reddit | sysadmin | View on Reddit | 1069 comments

cvc75@reddit

I think the problem is more with appliances than with servers, and those will rarely have an option to copy certificates via ssh, sftp etc. and will only allow uploading via their shitty web interface.

Worst thing I ever witnessed in IT in 20+ years

Posted by JohnWellPacked@reddit | sysadmin | View on Reddit | 313 comments

cvc75@reddit

You’re probably right about other companies having similar backend security, but *this* company is the one who also exposed the sheet to a third party, in a recorded session. That should be three strikes against this company. 

Forensic audit on ex-admin: How to track unauthorized file copying and lateral movement?

Posted by Mehmetince2019@reddit | sysadmin | View on Reddit | 63 comments

cvc75@reddit

The backup software is more likely to have easily readable job logs proving he did that, than trying to find anything through Windows event logs etc.

"I would recommend that you refrain from using InDesign for handling confidential information."

Posted by segagamer@reddit | sysadmin | View on Reddit | 94 comments

cvc75@reddit

The post said they were "disabling this for everyone by hand" so probably exactly like the linked thread suggested. The question was for "some registry keys or profiles for us to roll out" for doing this remotely / at scale, which the thread did not provide.

AD account failure to logon after configured "Log On To"

Posted by mailliwal@reddit | sysadmin | View on Reddit | 13 comments

cvc75@reddit

Well it might be the case that they are logged in on the client with user-001 and want to connect with RDP as admin-001, without allowing admin-001 to log on on the client as well.

AD account failure to logon after configured "Log On To"

Posted by mailliwal@reddit | sysadmin | View on Reddit | 13 comments

cvc75@reddit

I've never used the feature, but I've read that you need to set not only the target computer, but also the client you're connecting ***from*** in the "Log On To" list.

PSA: Defender for Cloud Apps is trivially bypassed by setting a User Agent String. Use app-enforced restrictions as well. Microsoft supposedly won't be fixing this.

Posted by ezzzzz@reddit | sysadmin | View on Reddit | 73 comments

cvc75@reddit

OP was talking about **unmanaged** devices, where you have no control over extensions. This is about the supposed use case where you set up Defender for Cloud Apps to block downloads specifically on those unmanaged devices. Which apparently doesn't work / can be easily circumvented. Of course you can just block unmanaged devices completely. That's not the point. But Defender promises that you can safely allow unmanaged devices and still control what they download.

Security want's less security.

Posted by root-node@reddit | sysadmin | View on Reddit | 254 comments

cvc75@reddit

Without knowing more about your environment, I'd agree with your security guy. Nobody needs that many domain admin accounts. Whatever you use DA for should be delegated to a lower-level admin account instead. If you are using domain admin for regular admin tasks like creating/editing/deleting users, groups or computers, managing GPOs etc. then all of that does not need domain admin privileges, just a well managed delegation at OU level.

sporadic authentication failures occurring in exact 37-minute cycles. all diagnostics say everything is fine. im losing my mind.

Posted by kubrador@reddit | sysadmin | View on Reddit | 89 comments

Following the Notepad++ incident, as an industry, we need to take several steps back and REALLY look at things.

Posted by KeeperOfTheShade@reddit | sysadmin | View on Reddit | 340 comments

cvc75@reddit

Exactly. And while big software giants should be able to afford auditing, what happens to small FOSS projects that can barely keep development going?

Following the Notepad++ incident, as an industry, we need to take several steps back and REALLY look at things.

Posted by KeeperOfTheShade@reddit | sysadmin | View on Reddit | 340 comments

cvc75@reddit

But then the question becomes how you know which software is okay to allow. Do you just trust the manufacturer and allow every update as long as it's digitally signed? Or do you require a third party to audit and approve every new version of every piece of software?

How do you understand what logs mean? Completely overwhelmed

Posted by poptart_kitten@reddit | sysadmin | View on Reddit | 100 comments

cvc75@reddit

Although, since OP mentioned RDP not working, sometimes Schannel is actually relevant. We've run into an issue where RDP did not work because Windows 11 and Server 2022 seemed to disagree on some TLS1.3 details, and that was visible in Schannel event log errors.

Exchange Security and Defender suddenly today "soft deleting" "phishing" emails from Docusign? Anyone else seeing this?

Posted by Fizgriz@reddit | sysadmin | View on Reddit | 15 comments

cvc75@reddit

Microsoft definitely tweaked something recently. Just yesterday there was a notification in 365 admin that a change in detection policies apparently affected email delivery and they were looking into it. 

Who else's recruiting staff has been decimated by AI?

Posted by Rustyshackilford@reddit | sysadmin | View on Reddit | 158 comments

cvc75@reddit

Same with developers. Some say AI will only take the jobs of junior devs, seniors will be safe.  But how do you get *new* senior devs when the old ones retire and there’s no juniors left to promote?

Another week and another shitty, broken, ai slop riddled, dumpster fire of an update from Microsoft.

Posted by ShopBug@reddit | sysadmin | View on Reddit | 232 comments

cvc75@reddit

Wow. You posted this exactly two minutes after we received the first "this unrelated program crashes when I click on save as" ticket. And it's from someone with the current (20166) build. That saves us some time finding the culprit I guess, thanks.

After 10+ years in network security, here's the audit checklist I actually use

Posted by Arch0ne@reddit | sysadmin | View on Reddit | 210 comments

cvc75@reddit

Probably not common for actual managed service accounts, but maybe common for just using some existing domain admin account to run a service as... Or how about the HR/accounting software where the installation needed to be done as a domain admin (as usual, probably didn't really need domain admin but there isn't any documentation what exact permissions are required) and therefore, after installation, the server needed that domain admin to be *actually logged in*, because some parts didn't run as a service but from the user's session, and only worked for the user that had installed the software. But hey, the screen is locked with a password, that's secure enough isn't it? I was so relieved when that abomination finally moved to a cloud service.

Apparently, Microsoft support survey results are not anonymized

Posted by BitRunner64@reddit | sysadmin | View on Reddit | 394 comments

cvc75@reddit

If anything else than 5/5 is seen as negative, they shouldn't bother with a detailed survey and should just ask a yes/no "were you satisfied or not" question.

Security vendors wanting their IPs to be white listed for pen testing. does anyone does this?

Posted by Hangikjot@reddit | sysadmin | View on Reddit | 113 comments

cvc75@reddit

Depends on the org. If IT staff only have two accounts, one daily driver and one full domain admin, then you don't really have to test with domain admin creds. And I probably don't even want to know how many are still set up like that...

Modern AD OU Hierarchy

Posted by bluecopp3r@reddit | sysadmin | View on Reddit | 67 comments

cvc75@reddit

I’d also add OUs for admin users. Regular Helpdesk shouldn’t be able to reset a domain admin’s password, so I’d make Tier 0/1/2 admin OUs. And depending on what servers you have, maybe tiered OUs for those as well.

Worst ticket ever?

Posted by ProfessorHuman@reddit | sysadmin | View on Reddit | 279 comments

cvc75@reddit

I don't remember where I read it, but there was one case where that was the issue as well, but every time IT came over to check the PC, the user "cleaned up" their desk beforehand, including removing the magnets from the case. So IT only found the issue when they finally made an *unannounced* visit.

Solutions for MFA on Windows Login

Posted by Beznia@reddit | sysadmin | View on Reddit | 85 comments

cvc75@reddit

I don't know if it's true for every biometric solution, but if it's just about storing biometric data, there are solutions that don't do that. Look for privacy-preserving biometrics, zero-knowledge biometrics or something like that. Aside from that, we also use DUO for local login. Yes it has its own authenticator, but we also use it (via Conditional Access) for Entra so it replaced MS Authenticator completely for us.

Weekly Updates for servers

Posted by Individual-Bat7276@reddit | sysadmin | View on Reddit | 135 comments

Fired employee downloaded all company files before deactivation we need secure way to prevent this

Posted by Level-Most-2623@reddit | sysadmin | View on Reddit | 404 comments

cvc75@reddit

I don't know if you can extend DLP to (company) phones so that they recognize if you take pictures of protected data? Then you'd also have to ban personal phones unless they don't have a camera. And also, do people still have to print these files sometimes? If you allow printing, then you'd have to start checking people's bags when leaving the building, to see if they are taking anything with them. There's always going to be some way to get company data out, unless you tighten security so much that nobody wants to work for you since they don't like being distrusted. And at least this time you actually have audit logs that prove they copied the data, so you could take that to legal and let it be their problem. If they'd taken a picture with their phone you wouldn't even have that. So I'd argue it's actually better to have an "easy" way for people to copy company data that actually gets audited, as long as you really check those audit logs. This way you at least catch them after the fact.

Remote User IP Conflict Issue

Posted by broken_computers@reddit | sysadmin | View on Reddit | 67 comments

As a EU company, how worried should I be using US services like Azure.

Posted by Kai-Arne@reddit | sysadmin | View on Reddit | 259 comments

cvc75@reddit

You’d think that if Trump orders Amazon/Google/Microsoft to shut down service for Europe or Australia, these tech companies would tell him that they actually like to earn money. I don’t think they can afford to lose that many customers.  But common sense hasn’t stopped him so far, so I wouldn’t count on it. 

As a EU company, how worried should I be using US services like Azure.

Posted by Kai-Arne@reddit | sysadmin | View on Reddit | 259 comments

cvc75@reddit

I’d worry more about my own access to my data. What happens if Amazon/Google/Microsoft are ordered to close your accounts and delete all your data because you’re being sanctioned?

I feel like I missed out on the Golden Age of IT work

Posted by AntsyAnswers@reddit | sysadmin | View on Reddit | 805 comments

Tired of working in IT

Posted by ruzreddit@reddit | sysadmin | View on Reddit | 398 comments

cvc75@reddit

That would be great, but what if I feel almost burnt out just trying to keep up with all the crap Microsoft keeps changing on us every day, and don't really have the spoons left over to learn more Linux? I guess there's very few places who'd hire someone with mostly MS knowledge just to train them in Linux administration.

I kinda hate talking to IT people

Posted by Wolverine-19@reddit | talesfromtechsupport | View on Reddit | 7 comments

cvc75@reddit

But this sounded very much like the problem WAS on a company-owned device (DNS pointing to the company firewall and the customer not having admin credentials to change it)

What's your Microsoft Secure Score at?

Posted by MentalRip1893@reddit | sysadmin | View on Reddit | 99 comments

Stupid question: how does ad connect to entra id?

Posted by Abject_Serve_1269@reddit | sysadmin | View on Reddit | 49 comments

cvc75@reddit

> The actual data flow of the password hash synchronization process is similar to the synchronization of user data. However, passwords are synchronized more frequently than the standard directory synchronization window for other attributes. **The password hash synchronization process runs every 2 minutes**. You can't modify the frequency of this process. When you synchronize a password, it overwrites the existing cloud password. (https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-password-hash-synchronization)

4 years in IT and I still can’t believe some of the requests I get from management

Posted by Revolutionary-Toe72@reddit | sysadmin | View on Reddit | 491 comments

How is it possible to set a windows account password directly by the password hash?

Posted by RMP_Official@reddit | sysadmin | View on Reddit | 29 comments

cvc75@reddit

I don't even know if I want this to be possible, I can see the potential for abuse. You could change a user's password, login and access their data, and then change the password back to the old value without being required to know the plaintext password. (Of course there's probably a dozen other ways to access that data as an admin)

It was the Iomega drive after all - it's always the Iomega drive!

Posted by OinkyConfidence@reddit | talesfromtechsupport | View on Reddit | 22 comments

cvc75@reddit

I never had the Click of Death but I don't remember for how long I used my (ZIP) drive. Or maybe it was less frequent with SCSI connections instead of IDE?

It's always worse.

Posted by Alzzary@reddit | sysadmin | View on Reddit | 305 comments

cvc75@reddit

Yes CodeTwo can work through an Add-In instead of routing through their servers (probably Exclaimer too, I just have no experience with it)

Although they are cautious about New Outlook as well:

>The Web Add-in works with the new Outlook for Windows but some features might not work as expected because the new Outlook lacks some features available in the classic Outlook for Windows and Microsoft is still changing a lot in it. If you experience any issues, let us know and we'll report to Microsoft. For the best add-in experience, we still recommend using the classic version of Outlook.

[https://www.codetwo.com/userguide/email-signatures-for-office-365/system-requirements.htm#signatures-web-add-in-for-outlook](https://www.codetwo.com/userguide/email-signatures-for-office-365/system-requirements.htm#signatures-web-add-in-for-outlook)

With smtp auth going away in 2026, how do you plan on handling devices that only support basic auth?

Posted by 01101110011O1111@reddit | sysadmin | View on Reddit | 210 comments

cvc75@reddit

>HVE will support exclusively ***internal*** (within the tenant) messaging capabilities. As a result, the ability to send email to ***external recipients will be removed*** in June 2025.

How do you manage admin access without slowing things down?

Posted by Necessary-Glove6682@reddit | sysadmin | View on Reddit | 89 comments

cvc75@reddit

Hard to give specific recommendations since you really don't give many details. Which people in your company are you talking about? Admins? IT Helpdesk Staff? Regular users? C-suite users? And what do you mean by "full access" - admin rights to their computer to install software? Domain admin? 365 Global Admin? Full Access on File shares?