
    Topics created by dave247

    • dave247

      Looking for MICR check printing software that doesn't suck

      IT Discussion
      dave247 | Votes: 0 | Posts: 6 | Views: 552

      dave247

      Turns out I would also need proper MICR font, like this https://www.1001fonts.com/micr-encoding-font.html

    • dave247

      Delete me - got it all figured out

      IT Discussion
      dave247 | Votes: 0 | Posts: 1 | Views: 256

      No one has replied

    • dave247

      Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote

      IT Discussion
      dave247 | Votes: 0 | Posts: 29 | Views: 2.4k

      dave247

      @pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

      @dave247 I use certificates to only allow company owned and managed devices to connect.

      Interesting, can you elaborate more on how you achieve that?

      It's common to have certificates with VPN.

      An OpenVPN client for example without any MFA is usually set up so that it needs a client certificate and a username and a password as well as the connection info. The same goes for Cisco AnyConnect and others.

      The VPN connection uses mutual authentication so the client authenticates that the server is who he is supposed to be and the server authenticates the client is who he says he is.

      If you install the certificate on your company devices you can't connect to the VPN just by downloading and installing the client on another computer and entering the credentials. Because you don't have the certificate.

      So that's how you can control what device is allowed to connect. For more security the certificates can also be stored on smart cards, hardware devices or even the TPM module inside the computer.

      You should have something similar on NetExtender. Look for client certificate or client authentication.

      Another thing with certificates is that you can prevent VPN access by revoking the client's certificate. And also certificates expire so you can give someone a short term access if you like.

      Nice, I will check it out. I have opened a few tickets and asked around other places regarding NetExtender and nobody has said anything about this, so I don't know if it's possible with the Sonicwall NSA / NetExtender setup, but I will find out.

    • dave247

      Any good recommendations for web content filtering and reporting?

      IT Discussion
      dave247 | Votes: 0 | Posts: 6 | Views: 356

      dave247

      @obsolesce said in Any good recommendations for web content filtering and reporting?:

      I set up Squid Proxy in the past for a company and it worked really well.

      Cool. I've always wanted to try that out. I will have to set up in my lab and check it out.

    • dave247

      I've been asked to set up MFA on internal computers and servers

      IT Discussion
      dave247 | Votes: 0 | Posts: 24 | Views: 1.1k

      dave247

      @dbeato said in I've been asked to set up MFA on internal computers and servers:

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dbeato said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

      It's also per-user perpetual licensing 🙂

      oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

      Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

      Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

      Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
      https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

      Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

      OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.

      I guess "knowing to unplug the cable" is the second factor? 😉

      Also you can disable that setting and it won't let you login at all in Duo.

      My main problem with this is that we lose internet connectivity a few times per year and people won't be happy if they can't get into their computers. We have limited providers in our small and rural area. I would do offline codes but apparently that is per/pc and we have quite a bit of computer sharing, which would essentially mean people would have to deal with the offline registration pop-up on every pc and/or have an offline MFA added to the app for multiple computers. If I find a good way around this in time, I will disable MFA bypass when offline.

    • dave247

      best way to map various combinations of mapped drives to AD users?

      IT Discussion
      dave247 | Votes: 1 | Posts: 15 | Views: 484

      1

      @dave247 said in best way to map various combinations of mapped drives to AD users?:

      @pete-s said in best way to map various combinations of mapped drives to AD users?:

      @dave247 said in best way to map various combinations of mapped drives to AD users?:

      Problem: we have about 10 different shared folders as mapped drives and a handful of simple bat scripts used as AD logon scripts for users...

      I think it would make more sense to just have one mapped drive and use sub directories for each department. That's probably how the files are organized anyway - at least judging from the looks of it.

      The users that have permissions to a particular directory can use it and the others can't. That way you don't have to mess with the different drive mappings because everyone gets the same one drive.

      This is also how I have seen organizations with many departments do it. They basically use one drive mapping per entire file server. Everyone gets the same shared drive(s) but permissions determine what directories they can access. It's more flexible to do it like that.

      Yes actually that's one plan I've had for a long time, just haven't gotten around to doing it mainly since it will disrupt everyone's workflow for a bit.

      If you have the directory structure in place, you could do it by adding the new drive share for all departments. Give people a couple of weeks to start using it and then slowly start to remove the older shares one by one. That will force everyone to migrate to using the new share - but not everyone at the same time.

    • dave247

      Looking for a good security camera system

      IT Discussion
      dave247 | Votes: 1 | Posts: 3 | Views: 208

      dave247

      @dafyre said in Looking for a good security camera system:

      @dave247 said in Looking for a good security camera system:

      My company has a super old security camera system from like early 2000's. I'm considering purchasing a new system and installing it myself to save us money. Literally anything we could buy (even from Wal-Mart) would be better than what we have. That said, I still want to try and find a nice solid system that has an intelligent and feature-rich user interface and good functionality. I say that because pretty much all the systems I've seen at other jobs have looked and operated like junk.

      Basically I need something that would be HD and allow for 25 or more cameras connected via network cable and have a central server that would be located on-prem in the server room.

      Any suggestions for where to start looking?

      The other guys here can speak to the cameras themselves.

      I've used two pieces of software for handling the recordings and such as of late. The first is Avigilon Control Center (https://www.avigilon.com). It's ok, based on Windows, and licensed per camera.

      The second, I use personally to handle motion detection from a single camera at home. ZoneMinder (https://www.zoneminder.com/) is Free / Open Source

      Cool thanks, I'll take a look at these 🙂

    • dave247

      offline, air-gapped backups / backup rotation (looking for hardware & ideas)

      IT Discussion
      dave247 | Votes: 0 | Posts: 37 | Views: 1.7k

      dave247

      @jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

      @dave247 said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

      Of course backups can be encrypted. Anything physically attached to the network is vulnerable to malware/ransomware. The point of all this was clearly explained in my original post.

      FFS, think a little.
      They cannot be encrypted if the datastore is not accessible to anything except the application making the backup.

      Thanks for your rudeness, Jared, it is so helpful.

      Yes, I do understand what you are saying, however if a system is connected to a network and other systems, it is not air-gapped / truly segregated from the environment and therefore not 100% safe in a total ransomware situation. All applications have vulnerabilities and a skilled hacker (or insider) or well-made ransomware could still potentially get at it.

      Additionally, I am not looking at this as any kind of main backup method - I am just trying to mull over ideas for a very last-ditch, fail-safe, "shit hits the fan but we have offline backups though" setup.

    • dave247

      Trouble with open files/folders on Windows file server?

      IT Discussion
      dave247 | Votes: 0 | Posts: 21 | Views: 1.0k

      dbeato

      By any chance are there any DFS shares on this File Server?

    • dave247

      Having trouble with BitLocker To Go on USB drives in Windows 10

      IT Discussion
      dave247 | Votes: 1 | Posts: 3 | Views: 777

      L

      Recently, I have come across this same issue. I have it posted in spiceworks forum asking for a resolution. The only thing I have found is to do a system restore back prior to the Oct20 windows debacle and then regedit the pc to NOT take windows updates, which is a bad thing in itself. So, my question is why can't we just go back to win7? LOLOL

    • dave247

      Can't find where to download System Configuration Manager as an M365 admin

      IT Discussion
      dave247 | Votes: 0 | Posts: 9 | Views: 805

      Dashrender

      @dave247 said in Can't find where to download System Configuration Manager as an M365 admin:

      Scratch all this. I just had to reach out to my SP/reseller and have them open a ticket with MS, who got back to them right away with a download link and license key.

      Great news - this is what Insight is currently pitching to me to get me to move my licensing through them.

    • dave247

      Anyone here know of core banking vendors that are actually good for small community banks?

      IT Discussion
      dave247 | Votes: 1 | Posts: 7 | Views: 264

      dave247

      @brandon220 said in Anyone here know of core banking vendors that are actually good for small community banks?:

      The only one I've ever had dealings with starts with an F. I have listened to a few of the others give their "sales pitch" but when you are so heavily involved and invested with the same core for so many years, there is a "fear" among the C-levels that prevent them from wanting to change. Some of the ones we listened to even offered to buy out the current contract, etc. just to be awarded the contract.

      My biggest gripe with the above mentioned is the lack of keeping software current and not using legacy programs and software. In 2020, we still are forced to use IE11 for most of the web-based items. If you question it, you are asked to submit a feature request to update a platform.

      Yeah a lot of our services require IE11 and they won't even work with modern browsers. Much of the applications we have been using are terrible, slow, clunky and end of life with minimal support from our core vendor.

    • dave247

      Looking for solutions to allow remote users access to their internal physical computers

      IT Discussion
      dave247 | Votes: 0 | Posts: 76 | Views: 3.2k

      K

      ZeroTier (with Flow rules) + RDP is how I solved this for my clients.
      Can you make a guide? I'd be interested in that read.

    • dave247

      Path from on-prem Windows servers to hosted/cloud (Azure)?

      IT Discussion
      dave247 | Votes: 0 | Posts: 40 | Views: 1.1k

      Dashrender

      @stacksofplates said in Path from on-prem Windows servers to hosted/cloud (Azure)?:

      @dwright1542 said in Path from on-prem Windows servers to hosted/cloud (Azure)?:

      I can't count the number of people in the last 12 months that we've "de-clouded" after a CIO got in there and made the switch.

      Any examples?

      LOL, yeah, a friend's company did something like that and laid off all their support personnel, then a year later, the company bailed because service was so bad and pulled shit back in-house.

    • dave247

      question about multiple CSRs on same IIS server

      IT Discussion
      dave247 | Votes: 1 | Posts: 9 | Views: 375

      dbeato

      Starting on Server 2012 you can have as many SSLs on your IIS because of SNI support as you want however anything OS than that you can have multiple SSLs but won’t be able to apply them to different sites. I use certifytheweb for Let’s encrypt client with Windows Servers and it works beautifully with Exchange, RDS servers, Application Servers and even internal servers as they use DNS Verification.

    • dave247

      Looking for content filter recommendations for a church

      IT Discussion
      dave247 | Votes: 0 | Posts: 9 | Views: 310

      JaredBusch

      @scottalanmiller said in Looking for content filter recommendations for a church:

      @JaredBusch said in Looking for content filter recommendations for a church:

      @dave247 said in Looking for content filter recommendations for a church:

      @scottalanmiller looks like I need to install it on something though. I was hoping to not have to purchase any additional hardware. Still an option though.

      A full kit Raspberry Pi on amazon is $60-$80

      The 1GB board is plenty.

      I was thinking about the 3 where there was not really a choice like the 4. Not used to having to specify on a RPi.

    • dave247

      Looking to create a 20TB RAID5 volume with SSD drives in an R720

      IT Discussion
      dave247 | Votes: 1 | Posts: 34 | Views: 1.5k

      dave247

      @DustinB3403 said in Looking to create a 20TB RAID5 volume with SSD drives in an R720:

      @dave247 said in Looking to create a 20TB RAID5 volume with SSD drives in an R720:

      I'm thinking I may just go with 4 of these drives: https://www.newegg.com/micron-5210-ion-7-68tb/p/1Z4-00CB-00035

      4 x 7.68TB SSD in RAID10 for 15.36TB of storage

      It's SSD, use RAID5 or 6. RAID10 is going to be really expensive per GB.

      yeah I just realized that... if I did 4 x 7.68TB SSD drives in a RAID5, that would give me 21TB. This might be my best option!
