    • Profile
    • Following 20
    • Followers 13
    • Topics 586
    • Posts 7,265
    • Groups 0

    Posts

    • RE: Vagrant/DHCP problem

      @stacksofplates said in Vagrant/DHCP problem:

      Just for understanding, why Vagrant on the remote machine and not Terraform? Vagrant in my experience had been for local dev. Not saying it doesn't work and I thought I saw recently about remote systems with Vagrant, but terraform would most likely work much better.

      Yeah exactly. Vagrant is the wrong tool here. It's great for testing locally. I use it to test automated scripting for immutable builds, but even in dev environments I use terraform to deploy resources that I expect to have around longer than a few hours.

      posted in IT Discussion
      IRJI
      IRJ
    • RE: Vagrant/DHCP problem

      @scottalanmiller said in Vagrant/DHCP problem:

      @irj said in Vagrant/DHCP problem:

      @stacksofplates said in Vagrant/DHCP problem:

      Just for understanding, why Vagrant on the remote machine and not Terraform? Vagrant in my experience had been for local dev. Not saying it doesn't work and I thought I saw recently about remote systems with Vagrant, but terraform would most likely work much better.

      Yeah exactly. Vagrant is the wrong tool here. It's great for testing locally. I use it to test automated scripting for immutable builds, but even in dev environments I use terraform to deploy resources that I expect to have around longer than a few hours.

      Yeah, and the #1 person who should know this and tell you it is wrong is... the DevOps guys!

      Exactly, even HashiCorp makes it clear that Vagrant is for dev environments.

      https://www.vagrantup.com/intro/vs/terraform

      posted in IT Discussion
    • RE: Vagrant/DHCP problem

      This is how he should be deploying.

      https://registry.terraform.io/providers/taliesins/hyperv/latest/docs/resources/hyperv_machine_instance

      posted in IT Discussion
    • RE: Icacls: Granting WO access to folder

      I guess if you just give it to the liberty data folder it's not as bad. It's amazing how shitty software can be though. It sucks that %PROGRAMDATA% folder has been around since Windows 7 and this vendor still can't figure out how to leverage it properly.

      posted in IT Discussion
    • RE: Insert Label into PDF

      Also the more I think about it...

      1. Why do additional notes need to be in the same file?

      2. How are these documents being stored and accessed? Is there any type of software being used to access customer information and documents?

      posted in IT Discussion
    • RE: Insert Label into PDF

      Have you tried a tool like PDF escape? You can do some free editing online with it, but they do offer paid versions which probably make sense if it's something that is done frequently.

      There's always the option to buy a license from evil Adobe as well. $15 a month is better than wasting hours every month dealing with it.

      posted in IT Discussion
    • RE: New hire, make him SET-UP his own pc?

      @gjacobse said in New hire, make him build his own pc?:

      @obsolesce said in New hire, make him build his own pc?:

      @mr-jones said in New hire, make him build his own pc?:

      We have an HP Z440 workstation sitting on the shelf, that I was about to configure for him, but I had the idea of "why don't I just make him figure it out"

      Because when someone starts a new job, they should have a functional system and work area waiting for them.

      If you feel a need to train him in putting together a workstation, I'm sure you can do that too, but why have him start a new job without a functional system?

      I agree and disagree.

      Most times, all the access and such isn't there yet. So what else are they to do? This at least gives them something to work on while things are being set up.

      ETA: I started 28 Jun 2021, I am still getting access to systems I will be supporting.... I'm also having to create some of that documentation... but - that's another story.

      Lack of documentation and consistency between deployments of equipment creates problems. I've been with enough organizations to realize that setting up my own PC just shows a failure in their current process. Also, giving a brand new user local admin rights to set up their PC is poor security practice. Really, no user should be running their system as admin or root. If they need software installed, it should already be approved and packaged for them in most cases.

      I get that IT employees need more software than a typical user, but there should be documentation for IT admin tools and even packages to deploy them in most cases.

      posted in IT Discussion
    • RE: NG AV / Endpoint Protection in 2021

      What is centralized AV?
      AV status, alerting, and policy management

      A SIEM and HIDS solution provide the first two for you, and there are so many mechanisms which you can use to handle policies, like PowerShell, Salt, Ansible, etc.

      posted in IT Discussion
    • RE: NG AV / Endpoint Protection in 2021

      Also, I think centralized policy management is against the concept of zero trust. We should not be whitelisting anything, because it does not fit the zero trust model. In an ideal world we are using web applications which require no exceptions.

      We need to get out of the mindset that poorly created applications are ok to use. But if by off chance we need to make AV exceptions for a shitty app, we should be able to do that for the entire organization through a configuration management tool. It should be so rare, and there should be no onesie or twosie exceptions (so no need for policy management).

      posted in IT Discussion
    • RE: NG AV / Endpoint Protection in 2021

      @scottalanmiller said in NG AV / Endpoint Protection in 2021:

      I think for 90% or more, it is plenty. It's a rare shop that has some valuable action to take when they find out that the AV caught something. Most times it just wastes resources and causes people to start ignoring it. In theory, it's great to have, and that's what a SIEM is for, for sure. But most shops can't do things like test patches or look over logs, they just don't have the resources or knowledge. So getting them maximum benefit at minimum cost is critical and allowing them as much time as possible to deal with meaningful problems.

      That's why you need alerts in addition to logs. You need your alerts to have low noise so you actually can respond to them. I do think keeping logs is important even if it's just for forensics after the fact.

      posted in IT Discussion
    • RE: A Startdocprinter Call Was not Issued

      @gjacobse said in A Startdocprinter Call Was not Issued:

      Is this something that it's likely as easy to re-install Windows as it is to spend a few hours trying to correct?

      I know in enterprises, not too much effort is spent on troubleshooting workstations on the LAN. Generally users save everything to OneDrive or similar, and it is much faster (10 mins) to reimage workstations.

      Remote users require a bit more troubleshooting, because reimaging is not as fast over WAN or especially VPN. @Obsolesce might be able to speak a bit more on this.

      posted in IT Discussion
    • When to use Kubernetes vs Serverless

      I had a discussion with a coworker yesterday about when to use Kubernetes and when to use serverless. I found this article to be a good overview of the pros and cons of each.

      https://dysnix.com/blog/kubernetes-vs-serverless-part-1/

      https://dysnix.com/blog/kubernetes-vs-serverless-part-2/


      posted in IT Discussion
    • RE: Where to start...

      @mmicha said in Where to start...:

      Hello,

      Just looking for some help on where to start first...

      My company needs to start upgrading some of our infrastructure. Currently we are running on ESXi, with less than 15 VM's across two hosts. Everything is Windows (2012) and linux.

      We still have Exchange (2013) on-premise.

      My thought is that first step should be get the email to Exchange Online.

      Then move our systems to a cloud somewhere. Build out a site to site to a their datacenter and slowly build / upgrade things.

      Total storage of VM's / Exchange is less than 5TB.

      Thanks.

      I agree with your plan overall, but I'd also consider taking a hard look at those 15 VMs and seeing how you can deploy them in the cloud while reducing costs. Cloud workloads give the advantage of being elastic, which can save you money if you deploy your applications correctly. If you just move VMs over 1:1 you aren't really leveraging the power of the cloud.

      Can these applications be deployed so they can scale by using containers, or at a minimum leverage autoscaling? Keep your normal operating cost low, and only spike when you need the resources.

      posted in IT Discussion
    • RE: AD/AAD: Display Name for Professionals

      @pete-s said in AD/AAD: Display Name for Professionals:

      @gjacobse According to the standard personalTitle should have titles and not degrees. So it would be Dr. https://datatracker.ietf.org/doc/html/rfc1274#section-9.3.30

      MDs are 10 tiers higher than your average person, or at least that's what they think 😉

      It's literally the only career where you don't have to show the tiniest ounce of respect for your customers, yet they expect to be hailed as heroes and treated like demigods among pure mortals.

      posted in IT Discussion
    • RE: VPN vs SDP?

      @DustinB3403 I'd love to hear your thoughts on why you downvoted my post. I have no problem debating you, and anytime I downvote you it is because I don't agree with you. You also know that I upvote you as well, even if we aren't best buds 💔

      Any post of yours that I've downvoted is because what you said is wrong, or at a minimum I disagree. You've been downvoting people out of spite; unless you have a really good argument against what I've posted, then I recant the above statement and welcome your debate.

      Also, everyone that's downvoted you, except maybe @stacksofplates, has downvoted me before when they disagreed with stuff I've said. @JaredBusch, @Obsolesce, @travisdh1, but they've had a reason or an argument for why they've disagreed with me. That's how it's supposed to work.

      posted in IT Discussion
    • RE: RMM Service

      @notverypunny said in RMM Service:

      @scottalanmiller I know you've said in the past that the smallest VPS from Vultr or DO should be more than sufficient for a MeshCentral server. Tactical's documentation specifies 2GB of RAM; would a VPS option like the $10/mth DO shared CPU option (2GB RAM, 1 CPU, 50G HDD, 2TB transfer/mth) be sufficient, or should something beefier be used as a minimum setup?

      Containerize it and you will only use the resources you need with the ability to scale when needed.

      https://wh1te909.github.io/tacticalrmm/install_docker/

      posted in IT Discussion
    • RE: Powershell Start-Process Differences

      @gjacobse said in Powershell Start-Process Differences:

      @irj said in Powershell Start-Process Differences:

      Have you given any recommendations on how to use PowerShell in a secure way? You could ask for a bastion host whose only purpose is to send out PS scripts, and block internet access on it.

      Since I'm the new guy.. they don't hear but so well.. maybe in time. And I do bring it up from time to time..

      I think sometimes they listen to new guys more. You bring experience from other places.

      posted in IT Discussion
    • RE: KVM or VMWare

      @stacksofplates said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      @scottalanmiller said in KVM or VMWare:

      think

      That's not apples to apples. One is support one is hiring engineers. Two different things.

      No idea why this quoted so weird.

      "Just because something may be supported, doesn't imply that it is support."

      posted in IT Discussion
    • RE: Laptops versus desktops and roaming users

      In the enterprise space, the vast majority of users have laptops, docks, and a spare AC adapter (so they don't need to borrow it from the dock).

      Exceptions would probably be an assembly line or something like a shared nurse's station. Desktops are the exceptions, though, and not the rule.

      posted in IT Discussion
    • RE: AD/AAD and VPN integration

      @dashrender said in AD/AAD and VPN integration:

      @scottalanmiller said in AD/AAD and VPN integration:

      Ask it another way.... so you want to expose your AD infrastructure and fragility directly to the Internet? AD isn't meant to ever see light of day, the entire design of AD is that it is protected inside the LAN. If you do this, you are disabling the foundation of AD's security.

      I can understand where you're coming from - I'll even go so far as to say I agree, at least to some point.

      But the extra onus on end users is what is trying to be avoided. I guess your answer to that is - tough, suck it up, this is security we're talking about here, and security is basically the antithesis of convenience?

      The thing is, you're not exposing your AD with SAML authentication. Worst case scenario, a malicious user can spoof a session. MFA does a lot to alleviate this concern, but even MFA isn't perfect.

      There are plenty of other ways to secure SAML or verify your IdP and service provider; Azure has them in place.

      https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html

      Even really basic stuff like IP filtering is helpful when authenticating SAML to a SaaS service. The attacker would have to know the IP range of the SaaS application. Again, not a save-all security measure, but it helps more than you'd think.

      Also, short authentication timeouts with the need to re-authenticate in 15 or 30 mins when not in use are also a huge help.

      posted in IT Discussion