It's not uncommon to have one job position that multiple recruiters are working on. Also, it could be that they want to bring in a specific set of skills and decide the title senior/junior level during interviews.
Posts made by IRJ
-
RE: Is this a fake job?
-
RE: ADUC Set Password Expiry
@gjacobse said in ADUC Set Password Expiry:
@irj said in ADUC Set Password Expiry:
You gotta teach good culture
Good Luck
Sometimes people have to be inconvenienced for security
Don't disagree - but can't stop doing business either.
Managing all these exceptions is an operational nightmare that will create a load of technical debt.
No lie - and no argument there. But reseting the expiry date/time doesn't seem all that different than resetting any password. few clicks and poof.
I can understand your point, but some responsibility for security must fall on the user. Management of course has to buy in on this and/or give full control of IT policies to a CISO/IT manager/generalist (depending on size of business).
-
RE: ADUC Set Password Expiry
@travisdh1 said in ADUC Set Password Expiry:
@irj said in ADUC Set Password Expiry:
@gjacobse said in ADUC Set Password Expiry:
It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.
Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.
If they work from home, authenticate to AD every day, then why can't they reset their password?
If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?
Resetting a password remotely does not work automatically like it does on-site. The users have to manually do it themselves before the password expires. I'll give you one guess how many users even know how to change it manually
Yeah, but that's why you spam the hell out of them to do it with notifications. If they don't listen then they deserve to be inconvenienced and have to call Helpdesk.
-
RE: ADUC Set Password Expiry
@gjacobse said in ADUC Set Password Expiry:
@irj said in ADUC Set Password Expiry:
@gjacobse said in ADUC Set Password Expiry:
It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.
Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.
If they work from home, authenticate to AD every day, then why can't they reset their password?
If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?
Nope - guess my question didn't get created right, because nope. that is totally NOT the point.
Example 1:
Director works in office two / three days a week. Had planned to be in office for when his password expired only be be stranded due to vehicle issues at the same time his password expired.Example 2:
In office staff is nearing end of password cycle and (since this is a medical facility) is exposed to COVID or any other potential contagion and must quarantine for set number of days of which then password expires.Regardless the password cycle ended when they were not in the office for them to change it, limiting them to only a few options.
Option 1:
Reset password - this means that they now have to deal with two passwords; Password on the device and the password for the domain. MFA plays so well into this.Option 2: Set password to not expire and try to remember to make a reminder or such that this was done upon their return.
Option 3: Do the above Powershell resetting the password timer, thus using the same password for another 90 days.
Option 4: Do the above, but in a manner that will force them to change the password after x Days so that neither party has to sit and clock watch.
I have worked for a very large hospital system. All their medical staff was on AD and we had people work remotely back then with expiring passwords.
- You gotta teach good culture
- Sometimes people have to be inconvenienced for security
- Managing all these exceptions is an operational nightmare that will create a load of technical debt.
-
RE: ADUC Set Password Expiry
@gjacobse said in ADUC Set Password Expiry:
It's likely we have all had to address this at some point in the last eighteen months or so; A person sent to work from home for whatever reason has just had their password expire. They don't expect to be back into the office for (x) number of days.
Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.
If they work from home, authenticate to AD every day, then why can't they reset their password?
If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?
-
RE: Why Do People Still Text
@dashrender said in Why Do People Still Text:
The same could happen in the US - but my question is - how is it paid for? And I already mentioned that the gov't definitely doesn't want a third party to get in the mix and block their access to monitor communications.
It's paid for by customer on a monthly basis
-
RE: KVM or VMWare
@francesco-provino said in KVM or VMWare:
@WLS-ITGuy I haven’t been in this forum for years, and after years I still see similar questions and the same arguing…
Do yourself a favor and learn something useful like Terraform to automate VMware or similar stuff, the real deal today is not wasting your time reinventing the wheel and doing manual operations, not saving a few bucks on hypervisor’s license.
I agree here. Many on here don't understand the benefits of IaC and proper SDLC because they haven't been exposed to it yet. Penny wise and pound foolish.
Granted many of these one man shops don't have the resources (IT employees) to do it. If you're fixing printers you don't have the bandwidth to do this kind of stuff. Either way there is still pain in the long run for not doing automation, but for them it's just not feasible.
-
RE: Does Mesh Central support blanking remote screen
@krzykat said in Does Mesh Central support blanking remote screen:
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
Then their option is to hire their own onsite personnel that handle the same tasks, won't be as qualified and cost them more money. If you don't trust your IT team ... well time to move on. I don't want any clients that don't trust us.
Insider threat is the number one threat.
-
RE: Does Mesh Central support blanking remote screen
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
It's all about the data. PHI and confidential secrets should not be seen by support. Yes there may be a patient up on a screen when troubleshooting an issue, but you should not have the ability to scroll through records unaudited. When you blank out the screen you could query patient data under the user's login.
I worked at the hospital system that treated all patients of the Orlando mass shooting. Our hospital system was very proud that we saved every person that made it to the ER alive. Anyway, in the aftermath 6-8 employees were fired for accessing PHI that wasn't a need to know. In most cases it was a friend or someone close to the family.
-
RE: I've been asked to set up MFA on internal computers and servers
@pete-s said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.
Good to know for business continuity and disaster recovery.
All you need is a local break glass account on the application and you can bypass MFA and then turn it off for other users. This is common in DR planning
-
RE: Does Mesh Central support blanking remote screen
@scottalanmiller said in Does Mesh Central support blanking remote screen:
@jaredbusch said in Does Mesh Central support blanking remote screen:
@scottalanmiller said in Does Mesh Central support blanking remote screen:
Why load? MOst of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.
Logging in to a remote system with potential PHI active on it without a user present? Never. Your entire scenario is a PHI data breach.
Hence the need to blank the screen so that it is the same as any VDI style medical system.
No he's saying IT should not have unmonitored access to PHI data. You are logged in as that user so it's not really auditable.
-
RE: KVM or VMWare
@scottalanmiller said in KVM or VMWare:
@jaredbusch said in KVM or VMWare:
But that is not where things are moving.
There are always "trends" with the "follow the buzz word" crowd. Like "cloud". Did cloud become an import part of the equation, heck yeah. Is every workload going to cloud? Heck no. Is 90% of the workloads on cloud there because it was the right choice? No, it's because it was the word someone knew how to repeat to sound cool.
These are trends anymore. They are best practices.
It's more than should this specific workload go to the cloud or not. There's so many things at play beside the infrastructure of a single application. If you understood compliance frameworks and SDLC maturity, you'd know that doing all that stuff on premise is much more difficult and alot more work for the organization to maintain. In a large enterprise, audits are constantly going on, and there's so many things that I have to be in place.
You can say all these requirements are stupid, and the most companies fail at IT. At the end of the day, these companies are making billions of dollars and revenue and are leaders in their industry. These leaders are paying $200-300 an hour for contractors and consultants to increase their maturity levels.
Your expertise is mostly with businesses with less than 10 employees who are struggling to survive let alone care about IT processes. It's such an apple and oranges comparison to Fortune 500s. You may have had expertise in enterprise over a decade ago, but it's obvious that's it's been over 10 years since you've had any experience. Nothing wrong with having a niche, but I wonder why you left $500k + job to deal with these tiny businesses.
I also think you shouldn't reject new concepts without understanding them. You should do some training in modern IT. I honestly think you'd love it! Embrace new concepts and at least give them the time of day. The attitude of everyone is stupid except me gets old. Especially when you aren't grasping the concepts or are basing your opinions off how things were 15 years ago.
-
RE: Laptops versus desktops and roaming users
@obsolesce said in Laptops versus desktops and roaming users:
I've not worked in hospitals but can image them with different needs and device purposes.
I worked for an 18k employee hospital system. All the support staff (IT, administration, etc) had laptops. The hospitals themselves used desktops as shared stations, but even administrators (or anyone with an office who didn't use shared computer) at hospital locations used laptops.
-
RE: AD/AAD and VPN integration
@dashrender said in AD/AAD and VPN integration:
@stacksofplates said in AD/AAD and VPN integration:
@dashrender said in AD/AAD and VPN integration:
@stacksofplates said in AD/AAD and VPN integration:
@dashrender said in AD/AAD and VPN integration:
@stacksofplates said in AD/AAD and VPN integration:
@dashrender said in AD/AAD and VPN integration:
@irj said in AD/AAD and VPN integration:
@dashrender said in AD/AAD and VPN integration:
@scottalanmiller said in AD/AAD and VPN integration:
Ask it another way.... so you want to expose your AD infrastructure and fragility directly to the Internet? AD isn't meant to ever see light of day, the entire design of AD is that it is protected inside the LAN. If you do this, you are disabling the foundation of AD's security.
I can understand where you're coming from - I'll even go so far as to say I agree, at least to some point.
But the extra oneous on end users is what is trying to be avoided. I guess your answer to that is - tough, suck it up, this is security we're talking about here, and security is basically the antithesis of convenience?
The thing is you're not exposing your AD with SAML authentication. Worse case scenario a malicious user can spoof a session. MFA does alot to alleviate this concern, but even MFA isn't perfect.
Plenty of other ways to secure SAML or verify your IDP and service provider like azure has them in place.
https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html
Even really basic stuff like IP filtering is helpful when authenticating SAML to a SaaS service. The attacker would have to know the IP range of SaaS application. Again not a save all security measure, but it helps more than you'd think.
Also short authentication timeouts with need to re
-authenticate in 15 or 30 mins when not in use is also a huge help.I don't understand how SAML isn't exposing your AD/AAD authentication?
Isn't it the same username/password for SAML as it is for AD/AAD?
So let's assume a logon to M365 with MFA, let's also assume there is federation between your local AD and AAD.... So you log into M365 and it shows you on the screen that it's waiting for MFA verification - when you see that you KNOW you have the correct username and password for AD/AAD... right?
If you're concerned with SAML then use openid connect with the authorization code flow. The users creds are never passed through the portal and an access token is generated. Then apps can verify user authorization through a JWT token.
I have literally zero clue what you just said.
How does what you just said apply to a user getting on their home laptop and logging into M365? or nearly any web portal?User creds are never passed to the system with the authorization code flow.
oh - I'm not worried about things like yelp in this case.... I'm worried about a hacker having the Google username/password in your example.
You don't seem to get the point. This doesn't have anything to do with Yelp other than that was the example in the image.
OIDC is a way to use properly designed IdPs. The VPN provider can use a properly designed IdP that doesn't have to be internal to authorize the user and the VPN provider never needs to know the users credentials.
Awww - you're sticking to the OP - (which is good ) I was only really thinking about website logons, Not VPN access.
yes, you're solutions look good for allowing the use of AD/AAD as the source of authentication without exposing it to the outside.
Oauth2 is used on alot of web applications. Here's a good saml vs oauth2 comparison.
-
RE: Laptops versus desktops and roaming users
@dashrender said in Laptops versus desktops and roaming users:
@jaredbusch said in Laptops versus desktops and roaming users:
@dashrender said in Laptops versus desktops and roaming users:
That dock powering the laptop isn't always the case.
My fleet isn't as old as you think anymore. 50% are less than 3 years old now, and really probably closer to 2.I haven't specifically checked, I'm sure most have USB C ports, only something like 3 in the lot have USB C power suppplies, the rest are normal barrel style. I have no idea if they can be charged via USB C.
Unless you bought, shit, they can.
I don't consider HP Probooks or Elitebooks shit - but I've never tested, so I have no idea.
Probooks are shit. Elitebooks are good. They both should have USB C though.
-
RE: AD/AAD and VPN integration
@gjacobse said in AD/AAD and VPN integration:
@scottalanmiller said in AD/AAD and VPN integration:
That's nota good pattern for security.
One suggestion is about a twenty-two minimum and going to a one year cycle.
-
RE: Laptops versus desktops and roaming users
@scottalanmiller said in Laptops versus desktops and roaming users:
Laptops are definitely getting used more and more, although I'm unsure why, I guess because more and more office workers don't have computers at home.
You don't want unmanaged systems connecting to internal resources in most cases. You can get away with it with something like Intune that creates separate space for data and doesn't allow uploads for non managed device, but it's not ideal.
-
RE: Laptops versus desktops and roaming users
@dashrender said in Laptops versus desktops and roaming users:
@irj said in Laptops versus desktops and roaming users:
In the enterprise space, the vast majority of users have laptops, docks, and a spare AC adapter (so they don't need to borrow it from dock).
Exeptions would probably be assembly line or something like a shared nurse's station
Desktops are the exceptions though and not the rule.The cost of a laptop plus docking station plus external keyboard plus external monitors plus secondary power supply significantly outweigh the cost of a standard desktop.
If you're very short sighted it might appear more expensive, but it's actually less expensive to company. Workers can be mobile and/or remote. Another short sighted view, would be our people only make X an hour so it doesn't matter. However, the company gets a much bigger return on their salary. Even 10-15 mins of work after business hours can offer company a huge return.
-
RE: AD/AAD and VPN integration
@dashrender said in AD/AAD and VPN integration:
@irj said in AD/AAD and VPN integration:
https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
HAHAHAHAHA
that is doing exactly what I said - user is typing in the username and password - then the MFA prompt.... so a hacker who doesn't have MFA device will at least KNOW they have the correct username/password combo when they see the waiting for MFA notice.
Did you even look at the article?