@scottalanmiller said in Weird DNS resolution issue:

@Dashrender said in Weird DNS resolution issue:

I suppose it's possible that would have resolved this specific issue as the router would have been the only device making connections to the external DNS... but then again - it could have caused all machines to go without DNS when the upstream server stopped responding...

Not very likely. Plausible, but not likely enough to avoid it.

sure - but then again, I've never seen this situation before either - so I would have previously called it unlikely.

@scottalanmiller said in Migrating to xxxxx:

I have a similar situation. There's no more panic. Just "let me do my job and get on with it." People sometimes see that as not taking it seriously when really, I'm just that much more on top of things.

I've definitely walked into a few crisis that way with my old boss. Actually those were the best of work conditions - the confidence to just roll up the sleeves and get shit done. If only more of my life was like that.

@jaredbusch said in Locking down vendors:

@scottalanmiller said in Locking down vendors:

@dashrender said in Locking down vendors:

They MIGHT have an internal team for this, but since we have our own IT department, my management has decide to take the costs internal versus paying the new vendor to set up remote access for themselves.

That doesn't really make sense as this is all questions about THEIR IT. All your team can do is get in the way 😉

Right, I have no idea WTF you think you are doing here @Dashrender.

The most you should do is setup a VLAN or actual separate LAN with no access to your network. The other company can deal with putting something on this shit old device that reaches to their support infrastructure.

No one on there side has even breathed a word about something like that.

As I previously mentioned - the old HVAC vendor did all of their own management - I only provided them an internet connection, they managed everything else.
I can see the advantages of that - time to toss this at the new vendor similarly.

@dashrender said in Windows send only specific domains to proxy?:

@scottalanmiller said in Windows send only specific domains to proxy?:

Easiest thing is to override DNS for that domain and point to the proxy. Then the proxy can point on to whatever is real.

How do you propose doing that? remember these are laptops to be used from anywhere, I won't be able to control DNS in most places.

Are you suggesting putting an entry in hosts?

But an EASIER answer, I think, is to make your own CNAME.

Well - this vendor has called me back this morning (last bit of information was passed from the owner from a conversation they had with the vendor).

The vendor knows we are looking for remote access - specifically so we can run reports from home.

rep said - oh, you need that OK sure, fine - give me the user and their home IP and I'll get that added.

me - uh - home ISPs change IPs, sometimes daily - how are we supposed to keep you updated?

rep - oh - they'll have to give us the new IP so we can add it

me - /sigh - does your system support dynamic DNS based OK I screwed up - I should have just asked - Can you put an internet resolvable host name in your list instead of an IP?

rep - oh yeah I know what DDNS is

me - ok do you support it?

rep - well if you're attaching to your server using some type of VPN

me - no, that's not what DDNS is, I explain DDNS

rep - oh, I don't know if our system supports hostnames

me - can you check?

rep - sure

click

Of course this kinda flies in the face of the licensing issue the owner was told, but there's still hope - though very very little.

@dashrender said in Looking for a remote access solution:

@scottalanmiller said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

@dashrender said in Looking for a remote access solution:

@jaredbusch said in Looking for a remote access solution:

Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

Done.

I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

Then put the 2fa on the Windows RDP login with a service like Duo.
https://duo.com/docs/rdp
https://duo.com/editions-and-pricing/duo-free

Just use ZT to lower (all but remove) the attack surface.

That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

As it's been AGES since I've used ZT - can you make the user have to log into it each time they launch it? If yes - and it's logon isn't associated with AD (as you mentioned) then OK - I see how you consider ZT and RDP MFA.

The user can be forced to start or stop the process. The fact that it uses a key (something you have) owned by the user makes it MFA regardless of if they automate the login or force it to be manual.

Don't try to compare it to Duo or something like that which uses "something you have" to generate "something you know." Compare it to a security USB stick like YubiKey. It's a direct "something you have" 2FA in that sense.

@openit said in Offsite backup and CentOS Upstream - looking for suggestions.:

CentOS Upstream: Isn't okay for Production Servers anymore?

I assume you mean CentOS Stream?

Honestly it is a more viable solution for a Linux server than CentOS ever was as it is no longer so out dated.

But, I would give the entire RHEL ecosystem a wide berth at this point.

This problem sounds familiar.
It's not a normal.dot type problem is it? Where the originator used normal.dot as their doc tempate, saved it as .dot again and it's screwing up everyone's normal.dot that reads / alters the document.

@scottalanmiller said in Laptops versus desktops and roaming users:

@irj said in Laptops versus desktops and roaming users:

@obsolesce said in Laptops versus desktops and roaming users:

I've not worked in hospitals but can image them with different needs and device purposes.

I worked for an 18k employee hospital system. All the support staff (IT, administration, etc) had laptops. The hospitals themselves used desktops as shared stations, but even administrators (or anyone with an office who didn't use shared computer) at hospital locations used laptops.

I work with doctors and we see desktops over laptops. Lots of laptops, to be sure. But desktops remain common that we see. Even in current green field deployments.

Oh - for the doctors themselves - absolutely, in general it seems they don't want to carry anything around with them, so that leaves desktops as the primary interface for them.

In hospitals in-patient care I generally still desktops also generally with swipe care access, at least on in room computers.

@rjt said in Who do you call for IT assistance:

@scottalanmiller As someone who has had to deal with vendor supplied hardware and software for a medical practice, I have come to firmly believe vendors are the enemy, a $very $very $expensive enemy.

Yup. In some cases, a true enemy. In others, just on the other side of the chess board. It's not always malicious, normally it is not. But their interest are very, very different than ours and their financial responsibilities oppose ours. So they are stuck either being ethical to their employers, or ethical to the people they are paid to convince to do things not in their interest.

If they are true to their employer, they can be ethical across the board. If they try to be good for the customer, they have to be unethical to their employer. A nonsensical situation.

@jaredbusch said in script to download and extract MicroSip portable:

@dashrender chocolatey can easily run as non-admin. The question is whether or not the application installs can handle that. Of course your centralized scrips for keeping things up-to-date would not get that use your space one you have to have a script to keep the user space chocolatey package up-to-date also

Yeah, I'll have to look at it - but only after someone else actually picks ownership of the package back up. The current maintainer has stated he's no longer maintaining it.

@dashrender said in M365 Migration - helpful scripts:

@jaredbusch said in M365 Migration - helpful scripts:

@dashrender said in M365 Migration - helpful scripts:

@jaredbusch said in M365 Migration - helpful scripts:

@dashrender You used $group but did not define it in your first example.

it's not defined on purpose - several of these have undefined, it's expected that you will define/replace them yourself.

That is a very poor guide. You posted a script. I expect to copy and paste it and see something work.

Jared is right to a point.

I've now gone back and added variables to all of my scripts making it easier for someone using these to see that they need to enter their own information into the variables to make it work.
I could take it a step further and prompt for that data - but one thing at a time.

1ac5e2e9-a96b-4311-b299-0cd34fcc7b14-image.png

@siringo said in hot potato workers:

I was thinking about this last night. Is there anything you could do with QR codes or similar. Issue a card per device. They swipe/flash the card to log on and the same to log off.

you know of a windows solution that does that? I don't, though I've never looked for one either.

@dashrender said in iPad 2 - are they still considered secure?:

@scottalanmiller said in iPad 2 - are they still considered secure?:

@dashrender said in iPad 2 - are they still considered secure?:

I'm primarily asking in regards to HIPAA.

More importantly than "is it secure" would be "does it meet HIPAA requirements?"

In both cases, the answer is "no". It is a HIPAA violation to use one for PHI.

Well, people are now making excuses - the data collected on them isn't PHI therefore we don't need to worry about it. /sigh.

Then the answer is simple... in no way, in no universe, does using an iPad 2 constitute defensible due diligence. No semi-reasonable court would look on that as anything but an intentional lack of effort at the cost of customer data being put at risk.

@dustinb3403 said in Digital sign boards:

Again, RP and screenly.io/ose

Literally 15 minutes and done for a single screen.

only support the 3.
3c94e740-8619-4553-8593-24e78efa3da8-image.png

@openit said in Microsoft 365 group Mailbox Full -How Backup and Delete emails to free up space?:

@dbeato said in Microsoft 365 group Mailbox Full -How Backup and Delete emails to free up space?:

1- It only deletes the individual message they received.
2- The only tool is to do a E-discovery search for email sent to this Group and then exporting that to a PST.
3- Yes, 50 GB is the maximum storage for an Office 365 Business Basic and Standard
https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#mailbox-storage-limits
You might want to setup an archiving addon for that mailbox or bump the license to E3 so they get 100 GB of Mailbox storage and then archiving is included as well.
4- YOu can setup a retention policy that deletes all items that is 2 years old and then apply to the mailbox and force the Retention Policy to apply then it will take a day or so but it will run faster.
https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-an-archive-and-deletion-policy-for-mailboxes?view=o365-worldwide

https://docs.microsoft.com/en-us/powershell/module/exchange/start-managedfolderassistant?view=exchange-ps (To force the retention policy)

Not sure if you misunderstood. I got confirmed that deleting any emails on Group Mailbox won't any member's mailbox items. Yes, did it that way, went well. Yeah, not an option for me now. Seems nice and faster action, than PowerShell commands Microsoft guys running.

I wrote the answer 1 in a confusing way. The emails don't get deleted from each user mailbox that received it so no issue there.

@IRJ said in System Admin - checklist for Don'ts and Important points please!:

@gjacobse said in System Admin - checklist for Don'ts and Important points please!:

@Pete-S said in System Admin - checklist for Don'ts and Important points please!:

Maybe I'm alone but on the top of my list:

Only use Microsoft as a last resort when all other options have been explored. If you get paid by the hour disregard #1.

Option 1. - What do you say / do when the Owner specifically states, Windows Only environment. NIX and Apply need not apply -

Look for another job

Lol 🙂

@jt1001001 said in Softphones - complaints:

Ask your users if their kids use Steam. Most of my home users have older "kids" I tell them to have their kids stop there Steam games. The users are like what's that?? But as soon as steam is stopped their perfomance comes right back to nominal.

It would be them downloading more games, most likely.

@Obsolesce said in MFA - who pays for authentication solution?:

@JaredBusch said in MFA - who pays for authentication solution?:

@Dashrender said in MFA - who pays for authentication solution?:

@stacksofplates said in MFA - who pays for authentication solution?:

@Dashrender said in MFA - who pays for authentication solution?:

@stacksofplates said in MFA - who pays for authentication solution?:

@Dashrender said in MFA - who pays for authentication solution?:

@IRJ said in MFA - who pays for authentication solution?:

Why not just supply hardware tokens? They are not that expensive.

for multiple sites? Just what everyone wants, a pocket full of tokens.

EHR
email
2nd EHR
3rd EHR
4th EHR
5th EHR

it's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.

This is a joke right? You can use a token across multiple sites. Especially Yubikeys.

yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!

I'd argue it might work anyway. Yubikeys support up to 31 or so OATH-TOTP codes (like an RSA token or Google auth app type token). It also supports any number of u2f applications and two slots for TOTP/HOTP, hmac-SHA1, and GPG keys.

As long as the VIP tokens use some standard for the way it generates the TOTP token you can scan it/enter it with the Yubikey Authenticator app and have it manage that.

Interesting.. thanks.

It is the same for using Authy instead of Google Authenticator. A lot of sites only say Google Authenticator, but they all use standards, thus Authy works just fine.

Exactly. Anything that says it uses Google Authenticator, can also use MS Authenticator. Same standards as JB said.

That part I know, but Symantec VIP uses their own what they call credential IDs, it's not a generic number like GA or MS auth uses... but I'll have to dig into it to see if it's cross compatible.