randombsforreddit

Is a storage area network something you can adapt into, or do you have to plan it from the start?

Posted by 01101110011O1111@reddit | sysadmin | View on Reddit | 36 comments

Always on VPN for Windows Mac and Linux?

Posted by ryaninseattle1@reddit | sysadmin | View on Reddit | 4 comments

randombsforreddit@reddit

AOVPN and windows firewall. We allow outbound on public and private domains to our VPN and a few common IP ranges we see used by wifi that uses portals. The domain profile is configured to allow outbound connections, so when they connect they are able to get to everything they should like normal.
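An added example of the profile split described in the comment above (this is editor-supplied code, not the commenter's; the gateway name vpn.example.com and the captive-portal ranges are placeholders you would replace):

```powershell
# Editor-added example: outbound locked down on the Public and Private profiles
# except for the VPN gateway, DNS/DHCP and the ranges captive portals use; the
# Domain profile (active once the tunnel is up) keeps outbound open.
$VpnServer    = 'vpn.example.com'                                    # assumption: AOVPN gateway FQDN
$PortalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # assumption: hotspot/portal nets seen in the field

# Public/Private: default block in both directions. Domain: inbound block, outbound allow.
Set-NetFirewallProfile -Profile Public, Private -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# Firewall rules take literal addresses, so resolve the gateway now and re-run this
# (scheduled task) whenever its address changes.
$vpnAddresses = (Resolve-DnsName -Name $VpnServer -Type A -ErrorAction Stop |
    Where-Object QueryType -eq 'A').IPAddress

New-NetFirewallRule -DisplayName 'AOVPN - allow VPN gateway' -Direction Outbound -Action Allow `
    -Profile Public, Private -RemoteAddress $vpnAddresses

# Name resolution and address assignment must work before the tunnel exists.
New-NetFirewallRule -DisplayName 'AOVPN - allow DNS' -Direction Outbound -Action Allow `
    -Profile Public, Private -Protocol UDP -RemotePort 53
New-NetFirewallRule -DisplayName 'AOVPN - allow DHCP' -Direction Outbound -Action Allow `
    -Profile Public, Private -Protocol UDP -LocalPort 68 -RemotePort 67

# Captive portals: web traffic only, and only to the ranges those hotspots use.
New-NetFirewallRule -DisplayName 'AOVPN - allow captive portal ranges' -Direction Outbound -Action Allow `
    -Profile Public, Private -Protocol TCP -RemotePort 80, 443 -RemoteAddress $PortalRanges

# Check the result.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Two things to test before rolling this out: the VPN gateway rule has no protocol filter on purpose (IKEv2 needs UDP 500/4500 and ESP, SSTP needs TCP 443), and Windows' own connectivity probe (NCSI) is an HTTP request to a Microsoft host, so a strict outbound default can make the client think it is offline until you allow that probe as well.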

EAP-TLS for non-domain devices

Posted by FrequentBag8846@reddit | sysadmin | View on Reddit | 9 comments

Why does every application want to log me out when I'm using it?

Posted by jollyreaper2112@reddit | sysadmin | View on Reddit | 10 comments

randombsforreddit@reddit

It sounds like maybe the app session needs to be allowed longer if it’s happening too much. But otherwise protecting the data within the apps is the goal. We do this with password managers where it requires MFA after being idle for a while so passwords aren’t easily exposed.

How do you handle pushback from a user?

Posted by LTFighter@reddit | sysadmin | View on Reddit | 199 comments

randombsforreddit@reddit

As for the issue, I would check the cert to verify it's not being MITM'd, like from their firewall or the ISP router/firewall. For the person, as soon as she called me incompetent I would tell her the call is ending and end it immediately. I don't put up with this type of behavior. Then follow up with her manager with my manager CC'ed and tell them under no circumstances is this acceptable practice to speak to each other in a business environment, and if assistance is still needed, an apology is required before further work is done. I've done the above before and it ended well for us. Users that were like this either ended up getting fired or reprimanded by their management and then spoke to us with courtesy from then on.

Using ChatGPT to perform Data Analytics without raising any red flags?

Posted by TripleRangeMerge@reddit | sysadmin | View on Reddit | 10 comments

Avoiding Local Admin Account Usage

Posted by Dry_Condition_231@reddit | sysadmin | View on Reddit | 29 comments

randombsforreddit@reddit

I would look at the differences between the two and when upgrading, use Process Monitor to see exactly what it's doing, such as changing permission settings on registry or file/folders. Using this, you can update the permissions it changed, adding the domain user to it, to see if that stops it needing to run as admin. Most of the time little changes like this work.
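An added example of the second half of that approach, once Process Monitor has told you which folder and key the application actually writes to (editor-supplied code, not from the comment; the group, folder and registry key are placeholders):

```powershell
# Editor-added example: grant a domain group Modify on exactly the objects the app
# touches, instead of giving its users local admin.
$AppGroup  = 'CONTOSO\App-Users'                  # assumption: group containing the app's users
$AppFolder = 'C:\Program Files\LegacyApp\Data'    # assumption: data folder seen in Procmon (ACCESS DENIED on write)
$AppRegKey = 'HKLM:\SOFTWARE\LegacyApp'           # assumption: key seen in Procmon

# Folder: Modify, inherited by subfolders and files. Keep this on the data folder,
# never on the folder holding the executables, or users can swap the binaries.
$acl  = Get-Acl -Path $AppFolder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $AppGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# Registry: the app's own key and subkeys only, not the parent hive.
$regAcl  = Get-Acl -Path $AppRegKey
$regRule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $AppGroup, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $AppRegKey -AclObject $regAcl

# Verify: only the ACEs that apply to the group.
(Get-Acl -Path $AppFolder).Access | Where-Object IdentityReference -eq $AppGroup
(Get-Acl -Path $AppRegKey).Access | Where-Object IdentityReference -eq $AppGroup
```

Run it elevated once per machine (or ship the same ACEs through GPO file/registry security settings). Re-run Process Monitor afterwards as a standard user: if the only remaining ACCESS DENIED lines are on Run keys, services or drivers, the app genuinely needs admin and this trick stops there.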

Today SFC scannow fixed 3rd issue in my life. AMA

Posted by Kelgator@reddit | sysadmin | View on Reddit | 223 comments

randombsforreddit@reddit

Years ago it was pointless to run this as it never did anything, but in the last few years I’ve seen it actually fixing things. Not sure what changed but we do run it now and then. Last time I used it, it corrected a hyper-v server that was basically unresponsive after an update. Was a last ditch effort before rebuilding and no longer needed to spin a new one up.

Best practice for sass admin tools and sso admin accounts

Posted by psgrn@reddit | sysadmin | View on Reddit | 4 comments

Advice and recommendations for network switches and routers

Posted by Bobby_McBurger@reddit | sysadmin | View on Reddit | 5 comments

randombsforreddit@reddit

I like to stay with one vendor for networking and recommend Fortinet with their FortiGate firewalls and FortiSwitches and FortiAPs. I’ve used HP, Meraki, Cisco, Juniper, Dell, etc over the years and the integration with the Fortinet solutions is easy and cheap compared to the others.

3rd Party Patching / Awareness of End of Support Apps

Posted by The_Mr_Rageface@reddit | sysadmin | View on Reddit | 4 comments

randombsforreddit@reddit

We use Intune for PCs and set up detection and remediation scripts for all software. When the detection script shows it's out of date it runs the remediation script to install the latest version. In MS365 Security we also see EOL info for software and replace/remove or set up an exception for that particular system. We do the same for servers, except these are run by Azure Automation instead of Intune. There are plugins for Intune that can be used, but we do each software manually since our SOC didn't want to rely on a 3rd party vendor.
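An added example of what such a detection/remediation pair looks like (editor-supplied, not the commenter's scripts). In Intune the two halves are uploaded as separate scripts; they are combined here behind a `-Remediate` switch only so the shared version lookup is shown once. The product name, target version and installer share are placeholders.

```powershell
# Editor-added example: Intune detection (exit 0 = compliant, exit 1 = remediate)
# and remediation (silent install, then re-check) for one product.
param([switch]$Remediate)

$ProductName   = '7-Zip'                                  # assumption: DisplayName substring in the Uninstall keys
$TargetVersion = [version]'24.08'                         # assumption: version you have approved
$InstallerPath = '\\files.example.com\software\7z.msi'    # assumption: internal share readable by computer accounts
$MsiArgs       = "/i `"$InstallerPath`" /qn /norestart"

function Get-InstalledVersion {
    param([string]$Name)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Name*" -and $_.DisplayVersion }
    if (-not $entries) { return $null }
    # Vendors write things like '24.08 (x64)'; keep the leading dotted number only,
    # and pad a bare major version so [version] can parse it.
    $entries | ForEach-Object {
        $m = [regex]::Match($_.DisplayVersion, '^\d+(\.\d+)*')
        if ($m.Success) {
            $v = $m.Value
            if ($v -notmatch '\.') { $v += '.0' }
            [version]$v
        }
    } | Sort-Object -Descending | Select-Object -First 1
}

function Get-ComplianceState {
    $installed = Get-InstalledVersion -Name $ProductName
    [PSCustomObject]@{
        Installed = $installed
        # Not installed is treated as compliant: this job only updates what exists.
        Compliant = ($null -eq $installed) -or ($installed -ge $TargetVersion)
    }
}

$state = Get-ComplianceState
if (-not $Remediate) {
    # Detection script. Intune shows this line in the device's remediation output.
    Write-Output "$ProductName installed=$($state.Installed) target=$TargetVersion"
    if ($state.Compliant) { exit 0 } else { exit 1 }
}

# Remediation script.
$p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) {
    Write-Output "msiexec failed with exit code $($p.ExitCode)"
    exit 1
}
if ((Get-ComplianceState).Compliant) { exit 0 } else { exit 1 }
```

Remediations run as SYSTEM in a 64-bit host when you tick that option in Intune; leave it unticked and the WOW6432Node branch is what you actually see. Pin the package by hash or signature in the remediation half before you let it install from a share, since anyone who can write to that share otherwise gets SYSTEM on every device.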

Managing secrets within scripts and repositories

Posted by Mailstorm@reddit | sysadmin | View on Reddit | 5 comments

randombsforreddit@reddit

We use Azure Automation and with that service you can store passwords, certs, keys, etc. and call them via the script: https://learn.microsoft.com/en-us/azure/automation/shared-resources/credentials?tabs=azure-powershell

You can also use the SecretManagement module: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.secretmanagement/?view=ps-modules
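An added example that uses both of the mechanisms linked above so one script body runs unchanged as a runbook and on a workstation (editor-supplied code, not the commenter's; the asset/secret name svc-fileserver and the host fs01.example.com are placeholders):

```powershell
# Editor-added example: fetch a credential by name from whichever store is available,
# so no password ever appears in the script or the repository.
function Get-ScriptCredential {
    param([Parameter(Mandatory)][string]$Name)

    if (Get-Command -Name Get-AutomationPSCredential -ErrorAction SilentlyContinue) {
        # Running inside an Azure Automation runbook: use the credential asset.
        return Get-AutomationPSCredential -Name $Name
    }

    # Otherwise: a SecretManagement vault. SecretStore is used here; any registered
    # vault extension (Key Vault, KeePass, ...) works the same way from the caller's side.
    $cred = Get-Secret -Name $Name -Vault 'LocalStore' -ErrorAction Stop
    if ($cred -isnot [pscredential]) { throw "Secret '$Name' is not a PSCredential" }
    return $cred
}

# One-time seeding on a workstation (not needed in Automation, where the asset is
# created in the portal or with New-AzAutomationCredential):
#   Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
#   Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
#   Set-Secret -Name 'svc-fileserver' -Secret (Get-Credential -Message 'Service account')

$cred = Get-ScriptCredential -Name 'svc-fileserver'      # assumption: credential/asset name
Invoke-Command -ComputerName 'fs01.example.com' -Credential $cred -ScriptBlock {   # assumption: target host
    Get-Service -Name LanmanServer | Select-Object Name, Status
}
```

SecretStore prompts for its own password by default; for unattended runs you can turn that off with Set-SecretStoreConfiguration -Authentication None, which leaves the vault protected only by the user's DPAPI profile, so treat that box like a credential store.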

VMware current mess - so what alternative are there?

Posted by kozraf@reddit | sysadmin | View on Reddit | 86 comments

MS Certificate Database huge size

Posted by maxcoder88@reddit | sysadmin | View on Reddit | 2 comments

randombsforreddit@reddit

Mine is only a few gigs. Check failed requests and see if you have a bunch there, if so, run the following: certutil -deleterow 2/12/2024 Request and then backup the db again and it should shrink.

Any way to write teams messages without any visibility in the logs

Posted by Jonnyblue85@reddit | sysadmin | View on Reddit | 3 comments

randombsforreddit@reddit

I haven’t seen an attack like this yet that I know of, but you will find just about anything is possible with the right skillset and vulnerabilities in apps/services.

Microsoft Update Catalog API?

Posted by _theocdguy_@reddit | sysadmin | View on Reddit | 2 comments

randombsforreddit@reddit

Not the catalog, but here’s a blog entry using scripting to search, download, and install updates using the windows update agent api: https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-search-for-download-and-install-an-update/

Why is ThinkPad generally the most used laptop for those who do this job?

Posted by 0rk4n@reddit | sysadmin | View on Reddit | 57 comments

What email provider do you recommend for a business to have read receipts and be able to use @businessname.com

Posted by Kind-Network9448@reddit | sysadmin | View on Reddit | 18 comments

What is your backup routine/strategy?

Posted by EverythingBackup@reddit | sysadmin | View on Reddit | 15 comments

randombsforreddit@reddit

We do daily incrementals and then once a week we roll them up into a full. Those incrementals and roll ups are copied to another location and also backed up to tape. We also roll the weekly into a monthly, and monthly into a year. We have around two petabytes of data we backup.

Director of IT.. Without Admin

Posted by AquoriaK@reddit | sysadmin | View on Reddit | 87 comments

randombsforreddit@reddit

Ok, so as a lead/senior tech you need to get access. If you are only supposed to manage your team, then no admin access except maybe breakglass. I would talk with the owners and ask what is expected, because none of this makes sense. Why doesn’t the IT team have access to systems they need? Why is a third party being used when you have an in house team? Is this person used for only certain pieces or the whole shebang? Are you expected to troubleshoot systems or manage your team and translate projects and their troubleshooting tickets into company value? They hired you as a director of IT. I would start with talking about access and who needs what and why, and how you envision supporting the company with your team. It sounds like not everybody in management is on the same page, so you need to sort it out and all come to an agreement.

Non-Persistent Virtual Machine Update Compliance?

Posted by vitaroignolo@reddit | sysadmin | View on Reddit | 5 comments

PAW & PAM - How to manage AD Tasks? - Need advice

Posted by MadHackerTV@reddit | sysadmin | View on Reddit | 3 comments

randombsforreddit@reddit

We have ours set up in the following: Physical PAW and account that can log in has no other rights except for some RDS VMs. Admin to the PAW is handled separately and most of the techs don't have access. The VMs are accessed from the PAW. One VM is to manage desktops. The account has admin access that is configured only for desktops and can't be used on servers or domain controllers. This account is only used if LAPS isn't working. Another VM is used for servers. The account is an admin for the servers but not for desktops or domain controllers. Another VM for domain controllers and the account is a DA. It cannot log into desktops or the other servers. Finally we have a VDI for regular non-privileged work like checking email, Teams collaboration, etc. the PAW can reach so techs can do the normal business communications. All the accounts besides the non-privileged VDI are monitored for all activity and alerts configured for non-standard activity. How far you want to go with this is up to your company. Separation of accounts like above helps in the case of pass-the-hash attacks and ensures if a PC or server is compromised it doesn't necessarily affect the other accounts, and their access is limited in scope of what they can access.

[Windows] How to create a new local group, which will have same user rights/privilege as Administrators local group?

Posted by randomelance@reddit | sysadmin | View on Reddit | 10 comments

randombsforreddit@reddit

Why would you not just use the Administrators group? Trying to create another group that matches the same permission settings as the Administrators group is going to be difficult and I don't think is feasible.

Cisco firmware downloads publicly available?

Posted by dickydotexe@reddit | sysadmin | View on Reddit | 5 comments

randombsforreddit@reddit

Some critical vulnerabilities will allow you access to firmware if you open a case with TAC, but most of them do require a smartnet contract to download and keep systems up to date.

Looking for NTFS Permissions Reporting Tool

Posted by TrueBoxOfPain@reddit | sysadmin | View on Reddit | 31 comments

randombsforreddit@reddit

Here is a PS script I use for all our servers to get the NTFS info:

#File Shares report
$reportPath = 'C:\Reports'   # folder the CSV is written to; was undefined in the original
$servers = (Get-ADComputer -Filter {(OperatingSystem -like "*Server*") -and (OperatingSystem -like "*Windows*")}).DNSHostName

$fileShareReport = foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        # Skip the administrative, AD and printer shares
        $shares = Get-CimInstance -ClassName win32_share | Where-Object {
            ($_.Description -ne 'Remote Admin') -and
            ($_.Description -ne 'Default share') -and
            ($_.Description -ne 'Remote IPC') -and
            ($_.Description -ne 'Printer Drivers') -and
            ($_.Name -ne 'SYSVOL') -and
            ($_.Name -ne 'NETLOGON') -and
            ($_.Description -ne 'Active Directory Certificate Services share') -and
            ($_.Name -notlike "*PTR*")
        } | Select-Object Name, Path

        foreach ($share in $shares) {
            $folderPath = $share.Path
            # The share root plus its first level of subfolders
            [array]$folders = @(Get-Item -Path $folderPath -ErrorAction SilentlyContinue | Select-Object Name, FullName, LastWriteTime, Length)
            $folders += @(Get-ChildItem -Path $folderPath -Directory -ErrorAction SilentlyContinue | Select-Object Name, FullName, LastWriteTime, Length)

            foreach ($folder in $folders) {
                $acls = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
                foreach ($acl in $acls.Access) {
                    # Report every ACE except the built-in principals that are always present
                    if (($acl.IdentityReference -notlike "BUILTIN\Administrators") -and
                        ($acl.IdentityReference -notlike "CREATOR OWNER") -and
                        ($acl.IdentityReference -notlike "NT AUTHORITY\SYSTEM")) {
                        [PSCustomObject]@{
                            FolderName        = $folder.Name
                            FolderPath        = $folder.FullName
                            IdentityReference = $acl.IdentityReference.ToString()
                            Permissions       = $acl.FileSystemRights
                            AccessControlType = $acl.AccessControlType.ToString()
                            IsInherited       = $acl.IsInherited
                        }
                    }
                }
            }
        }
    }
}

$fileShareReport | Select-Object PSComputerName, FolderName, FolderPath, IdentityReference, Permissions, AccessControlType, IsInherited |
    Export-Csv -Path "$reportPath\FileShares.csv" -NoTypeInformation

Repairing .Net

Posted by Imaginary-Adagio-719@reddit | sysadmin | View on Reddit | 5 comments

Jump Host /VDI Solution

Posted by Odd_Concentrate_4055@reddit | sysadmin | View on Reddit | 3 comments

randombsforreddit@reddit

Not sure on pricing aspects, but VDI solutions would be RDS by MS, Horizon by Citrix, or Azure AVD. We use RDS and AVD. AVD for teams and RDS for mgmt, vendors, and some one-off apps.

Who do you follow on twitter for tech updates?

Posted by DMThatOneThing@reddit | sysadmin | View on Reddit | 16 comments

How are you guys handling browser hijacks?

Posted by stlslayerac@reddit | sysadmin | View on Reddit | 7 comments

Upon Joining Computers to domain i experience a drastic decrease in internet speeds

Posted by Edd1eMurphy@reddit | sysadmin | View on Reddit | 17 comments

randombsforreddit@reddit

Are there network settings that regulate speeds like traffic shaping? Generally would be on the firewall. Might have something in there that regulates the speeds for domain-joined machines and nothing for non domain-joined machines.

Privileged Access Workstation Access

Posted by admin_mt@reddit | sysadmin | View on Reddit | 8 comments

randombsforreddit@reddit

We have a min of 5 accounts depending on the role for the tech, and all admin accounts along with the PAW account are in the Protected Users group so no caching is done on any system.

1. Non-admin for PAW. This logs into the physical PAW and can really do nothing else except also log into our RDS farm to gain access for the other admin accounts and the production account.
2. Admin for servers. This can log into a PAW VM designated for server work only from the main PAW.
3. Admin for workstations. This can log into a PAW VM designated for workstation work only from the main PAW.
4. Admin for domain controllers. This can log into domain controllers. We have this set to only be allowed directly from console.
5. Non-admin for email/Teams/work. This is the production user account to browse the Internet, check email, messages, etc. It is a VM/VDI solution accessed from the PAW.
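An added check for the account model described in this comment and in the PAW & PAM comment above (editor-supplied code, not the commenter's): it pulls the members of each tier group, confirms they are in Protected Users, and flags any account that shows up in more than one tier. The tier group names are placeholders for whatever your design uses.

```powershell
# Editor-added example: audit tiered admin accounts against the PAW rules above.
Import-Module ActiveDirectory

$TierGroups = @{
    'Tier0-DC-Admins'          = 'Domain Admins'        # assumption: DA accounts
    'Tier1-Server-Admins'      = 'Server-Admins'        # assumption: your server admin group
    'Tier2-Workstation-Admins' = 'Workstation-Admins'   # assumption: your workstation admin group
}

# Protected Users: no cached credentials, no NTLM, no delegation, no long-lived TGTs.
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName

$members = @{}
foreach ($tier in $TierGroups.Keys) {
    $members[$tier] = @(Get-ADGroupMember -Identity $TierGroups[$tier] -Recursive |
        Where-Object objectClass -eq 'user')
}

$findings = foreach ($tier in $members.Keys) {
    foreach ($m in $members[$tier]) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties AccountNotDelegated, LastLogonDate
        $otherTiers = $members.Keys | Where-Object {
            $_ -ne $tier -and ($members[$_].distinguishedName -contains $u.DistinguishedName)
        }
        [PSCustomObject]@{
            Tier             = $tier
            Account          = $u.SamAccountName
            InProtectedUsers = $protected -contains $u.DistinguishedName
            NotDelegated     = [bool]$u.AccountNotDelegated   # "Account is sensitive and cannot be delegated"
            AlsoInTiers      = ($otherTiers -join ', ')       # one account must never span tiers
            LastLogon        = $u.LastLogonDate
        }
    }
}

# Only the problems.
$findings | Where-Object { -not $_.InProtectedUsers -or -not $_.NotDelegated -or $_.AlsoInTiers } |
    Sort-Object Tier, Account | Format-Table -AutoSize
```

Keep one break-glass DA account out of Protected Users and out of this report's scope; if Kerberos or the DCs are the thing that is broken, a Protected Users account cannot log on to fix them.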

Isolate hosts on DMZ

Posted by danieles99@reddit | sysadmin | View on Reddit | 1 comments

randombsforreddit@reddit

Private VLANs aren't that complicated and we use them for our DMZs so we don't have to have a bunch of different DMZs. You basically have isolated hosts, community hosts that can talk to the isolated hosts, and promiscuous hosts which is typically the router/gateway. Here is a Cisco overview of how to configure them: https://learningnetwork.cisco.com/s/article/a-quick-summarized-view-to-private-vlan-pvlan-x

Supporting SaaS Platforms

Posted by 340313@reddit | sysadmin | View on Reddit | 2 comments

randombsforreddit@reddit

This was similar to how ours was when I joined. It was a nightmare for everyone. So we changed it to where IT got admin access to the apps and took over the platform support one by one, escalating to the vendor only after we did our initial troubleshooting. This took years to complete due to so many different apps and creating documentation for them. We had one person that would get admin access, work with the product manager internally to go over how everything is used, and created the documentation for the rest of the IT team and then provision their access. Then we scheduled time to review this info for IT.

Question about Win Server 2022 Hyper-V

Posted by Shiphted21@reddit | sysadmin | View on Reddit | 7 comments

randombsforreddit@reddit

If you create it with PowerShell do you get an error or timeout? Any logs that correlate when trying to run it like security permissions problems or errors in Event Viewer? New-VHD -Path "C:\filelocation.vhdx" -Dynamic -SizeBytes 250GB

How do you actually test a backup?

Posted by Legogamer16@reddit | sysadmin | View on Reddit | 100 comments

randombsforreddit@reddit

Veeam has options to spin up a test environment and to run scripts and tasks of backups for each vm. We also have tickets to restore files now and then and that provides additional recovery tests.

Why don't we use file recovery software on a fileshare server?

Posted by sccmjd@reddit | sysadmin | View on Reddit | 18 comments

randombsforreddit@reddit

Most backup systems can restore single files instead of the entire system. I use Veeam, and can see all the backups of each file and restore to an earlier version when needed or restore an earlier version with a new name for comparison.

Reported as Insider Threat by old company

Posted by Opposite-World7998@reddit | sysadmin | View on Reddit | 71 comments

randombsforreddit@reddit

You no longer work for the company and accessed their systems. You knew you shouldn't have access and instead of alerting them of the account and still getting emails from them, you started changing things. Can't say what the new company will do if they find out, but I wouldn't want you accessing my stuff with what you've shown here.

CIS Benchmark and Windows Server Firewall

Posted by officialcelebhub@reddit | sysadmin | View on Reddit | 7 comments

randombsforreddit@reddit

This is wrong. The firewalls per the CIS benchmark are to be enabled with a default block rule. Your Zscaler will not help with other internal systems trying to access them.
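An added audit for the point made in that comment (editor-supplied code, not the commenter's): it compares each Windows Firewall profile with the CIS Windows Server benchmark's firewall section (state on, inbound block, outbound allow, dropped and successful connections logged, log size 16,384 KB or more) and lists the drift without changing anything.

```powershell
# Editor-added example: report firewall-profile settings that differ from the CIS values.
$Expected = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    LogBlocked            = 'True'
    LogAllowed            = 'True'
    LogMaxSizeKilobytes   = 16384      # minimum; larger is fine
}

function Test-FirewallProfileCompliance {
    foreach ($p in Get-NetFirewallProfile) {
        foreach ($setting in $Expected.Keys) {
            $actual = $p.$setting
            $ok = if ($setting -eq 'LogMaxSizeKilobytes') { [int]$actual -ge $Expected[$setting] }
                  else { "$actual" -eq $Expected[$setting] }
            [PSCustomObject]@{
                Profile   = $p.Name
                Setting   = $setting
                Expected  = $Expected[$setting]
                Actual    = $actual
                Compliant = $ok
            }
        }
    }
}

Test-FirewallProfileCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Remediation once the findings are accepted (all three profiles; the Domain profile is
# the one that matters for lateral movement between internal hosts):
#   Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
#       -DefaultInboundAction Block -DefaultOutboundAction Allow `
#       -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 16384
```

Before flipping inbound to Block on a server, pull `Get-NetTCPConnection -State Listen` and the current `Get-NetFirewallRule -Enabled True -Direction Inbound` list so every service that needs to be reachable (RDP from the management subnet, the application's own ports) gets an explicit allow rule scoped to the subnets that should reach it.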

Keeping vendor software up to date

Posted by Dunn-IT-JR@reddit | sysadmin | View on Reddit | 5 comments

randombsforreddit@reddit

I had to roll my own checks using PowerShell and downloading the latest vendor software and running a VersionInfo on them to compare to what's installed. I don't know of any systems that monitor and maintain software on backend systems.
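An added example of that VersionInfo comparison (editor-supplied code, not the commenter's script): it downloads the vendor's installer, refuses to read anything from it unless the Authenticode signature is valid, and compares its product version with the executable already on disk. The product, URL and installed path are placeholders; it works for EXE installers, since MSI files carry their version in the summary information stream rather than in a VERSIONINFO resource.

```powershell
# Editor-added example: is the installed build older than what the vendor currently ships?
$Checks = @(
    @{ Name = 'Notepad++'                                                  # assumption
       Url = 'https://vendor.example.com/downloads/npp.Installer.x64.exe'  # assumption
       Installed = 'C:\Program Files\Notepad++\notepad++.exe' }            # assumption
)

function Get-FileVersionObject {
    param([Parameter(Mandatory)][string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # ProductVersion first; FileVersion often carries extras such as '8.6.9.0 (x64)'.
    $raw = if ($vi.ProductVersion) { $vi.ProductVersion } else { $vi.FileVersion }
    $m = [regex]::Match($raw, '\d+(\.\d+){1,3}')
    if (-not $m.Success) { throw "No parseable version in '$raw' for $Path" }
    [version]$m.Value
}

function Compare-VendorVersion {
    param([Parameter(Mandatory)][hashtable]$Check)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.exe')
    try {
        Invoke-WebRequest -Uri $Check.Url -OutFile $tmp -UseBasicParsing
        # Do not trust an unsigned or tampered download, even just to read its version.
        $sig = Get-AuthenticodeSignature -FilePath $tmp
        if ($sig.Status -ne 'Valid') {
            throw "Download for $($Check.Name) is not validly signed: $($sig.Status)"
        }
        $latest    = Get-FileVersionObject -Path $tmp
        $installed = Get-FileVersionObject -Path $Check.Installed
        [PSCustomObject]@{
            Name      = $Check.Name
            Installed = $installed
            Latest    = $latest
            Outdated  = $installed -lt $latest
            Signer    = $sig.SignerCertificate.Subject
        }
    }
    finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

$Checks | ForEach-Object { Compare-VendorVersion -Check $_ } | Format-Table -AutoSize
```

Pin the expected signer subject (or thumbprint) per vendor once you have seen it; a valid signature from the wrong publisher on a "newer" build is exactly the supply-chain case this check should catch.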

Print spooler using NTLMv2 not Kerberos, Named piped registry set, no cname records for servers

Posted by RestinRIP1990@reddit | sysadmin | View on Reddit | 5 comments

Documented cases of companies switching to Windows servers?

Posted by us408@reddit | sysadmin | View on Reddit | 53 comments

randombsforreddit@reddit

Well at least small time should be easy. Usually they don’t have any servers and then setup ad for management. For larger clients, you will sometimes see when a particular service switches from *nix to Windows or when implementing a similar solution for replacement of the older service. Like from Exim/PostFix to Exchange, Intranet to SharePoint, etc. Hopefully this gets you further.