Best posts made by notverypunny
-
Docushare: any experts here?
I've been given the glorious task of exporting the content and metadata from a DocuShare 6.1 install, and the dsexport tool has puked the last couple of times I've tried exporting a specific collection. I've kicked it off again, but I was wondering if anyone here has any experience or tricks if it decides to tell me to pound sand again.
-
RE: XenCenter to XCP-NG Upgrade using Bash
@stuartjordan Assume that you mean XenServer 6.5 (XenCenter is just the Windows management GUI). I can't speak to any scripts, and XCP-ng might have a quirk or two different from Citrix Xen, but you should just be able to boot the install media, and for the "traditional" Citrix hypervisor there are options for both a clean install or to upgrade the existing hypervisor without touching the VMs. Coming from 6.5, and if you can move the VMs or perform a backup/restore, I'd advocate a clean install since the default partition layout has changed and you won't be able to move to it with an upgrade. Good luck!
-
RE: How can I retrieve data from unbootable drive with Ubuntu Live?
@fredtx said in How can I retrieve data from unbootable drive with Ubuntu Live?:
I've got a Windows 10 machine that needs to be reloaded due to OS corruption (no hardware/disk failure). There are some files I need to retrieve, but I can't seem to get them. I've tried using Hiren's boot, and Ubuntu Live. In Ubuntu Live, I can see the drive using the GParted tool that is built into Ubuntu, but I can't see it in Files (aka Ubuntu's version of File Explorer). Maybe because it's not mounted, I'm assuming? My next step is to plug it into my personal Windows desktop and see if I can retrieve from there. Just wanted to run it by the community real quick to see if there's an easy way to retrieve using Ubuntu Live, or any other tool.
If the drive or filesystem is bad you might be SOL... Grab a live USB of the distro with the most recent kernel you can find (in the hopes that it's got the necessary drivers) and see what it can detect / read. Good luck.
-- EDIT --
If it's BitLocker encrypted it might be easier to pop the drive into another Win10 machine to copy the data over (assuming that you have the BitLocker key somewhere).
-
FIM, FAAM, details & False Positives
Windows environment:
Does anyone know of any solutions for File Integrity Monitoring and / or File Access Auditing and Monitoring that can differentiate between explorer.exe getting basic file info (example: for a detailed file view or checking file attributes) vs a user actually accessing the file contents?
I've done some digging and it looks like the functionality was introduced in Server 2016 / W10 as the "Audit Detailed File Share" group policy option. The only commercial product that I've seen that discusses or seems to leverage this is Rapid7's InsightIDR. Since we know the error code it generates it's reasonable to assume that something like Wazuh or Graylog could be set up to monitor for this event and alert based on its contents, but I know that the powers-that-be generally prefer off-the-shelf as opposed to roll-your-own.
-
RE: Wazuh Setup
Followed the step-by-step instructions and it worked like a charm.... The only problems I ran into were in the Elasticsearch tuning section. curl didn't want to work correctly with http, so I had to use https with the -k switch to deal with the self-signed certs.
-
RE: Deploying firmware updates on servers and testing...
For hardware / chassis management Dell's OpenManage Enterprise is pretty useful. I'd suggest giving it a look if you've got a big Dell footprint to look after. It should be available for download when you check for downloads with any recent service tag. If you can't find it let me know and I'll see if I can find a direct link.
-
Wazuh Windows Folder Access Monitoring
So I ended up getting the go-ahead to build this out and for the time being have a stock setup running with the out-of-the box baselines for compliance and security.
Since one of the selling points was to get greater visibility into file and folder access I've been trying to get it to play with the AuditDetailedFileShare settings mentioned in my initial post.
Does anyone have any guides / resources / pointers as far as how I can configure the FAAM aspect of things based on event 5145? I've tried adapting the information here: https://wazuh.com/blog/how-to-monitor-folder-access-on-windows/.
I can see the events on the server but can't seem to get them to flow into Wazuh.
I've removed the relevant negation on the agent, and added an entry in the local rules on the server (wazuh-manager). I know that the following rule is pretty wide open and would create a stupid amount of overhead in production, but I'm still at the debugging point of things....
<group name="windows,">
  <rule id="100111" level="5">
    <!-- local_rules.xml needs the <group> wrapper, and the rule is hung under
         Wazuh's base Windows eventchannel rule (60000) so it is only evaluated
         for Windows events; both are additions to the rule as originally posted -->
    <if_sid>60000</if_sid>
    <field name="win.system.eventID">^5145$</field>
    <description>Object access information into critical folders</description>
  </rule>
</group>
Services have been restarted on the file-share server and wazuh-manager.
I've played around in the file share, creating log entries (Event Viewer) on the Windows host with the desired event ID, but am not seeing anything in the events for the agent in the interface on Kibana. Am I wrong in thinking that the rule needs to be configured on the manager? Is it supposed to be on the Elastic Stack / Kibana server? I'm sure it'll be one of those "I'm such a dumbass" moments when I get the answer, but if anyone can point me in the right direction it'd be appreciated.
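The distinction asked about in the FIM / FAAM post (explorer.exe reading attributes vs a user opening the file) and the rule in the Wazuh post both come down to the AccessMask field of event 5145, which records the access the SMB client requested at the open. The following is an added example and is not code from this thread, from Microsoft or from Wazuh: it parses a 5145 record, decodes the mask into the file rights it names, and shows the condition a rule would need on top of eventID == 5145 to avoid alerting on every attribute query. The sample event is constructed for the example (share, user, host and path are made up); the win.system.eventID / win.eventdata.* field names are an assumption about how Wazuh's eventchannel decoder exposes the record, following the win.system.eventID name used in the rule above. One caveat the event itself imposes: 5145 is logged per access check, not per byte read, so a content open and the reads that follow it produce one record.

```python
"""Classify Windows Security event 5145 (Detailed File Share) records by
the access mask they carry. Added example; not from the forum thread,
Microsoft or Wazuh. The sample record below is constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File access rights as defined in winnt.h (FILE_READ_DATA, ...). 5145 reports
# the requested mask as a hex string in the AccessMask field.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
CONTENT_BITS = 0x1 | 0x2 | 0x4 | 0x20   # the file's bytes are read, written or run
METADATA_BITS = 0x8 | 0x10 | 0x80 | 0x100 | 0x20000 | 0x100000  # attrs, EAs, SD, sync

# Constructed 5145 record in the XML shape the Security log exports; only the
# AccessMask varies between the samples used below (values are made up).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5145</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="ShareName">\\\\*\\Finance</Data>
    <Data Name="ShareLocalPath">\\\\??\\D:\\Shares\\Finance</Data>
    <Data Name="RelativeTargetName">Q3\\payroll.xlsx</Data>
    <Data Name="AccessMask">{mask}</Data>
  </EventData>
</Event>"""


def build_sample(mask_hex):
    """Return the constructed record with the given AccessMask (e.g. "0x80")."""
    return SAMPLE_EVENT.format(mask=mask_hex)


def parse_5145(xml_text):
    """Flatten a 5145 record into {EventID, SubjectUserName, ..., AccessMask}."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields


def classify(fields):
    """Return ("content"|"metadata"|"other", [right names]) for the mask.
    Caveat: 5145 does not say whether the target is a directory, so 0x1 is
    treated as ReadData even though on a folder it is ListDirectory (what
    explorer.exe requests when it opens a folder)."""
    mask = int(fields["AccessMask"], 16)
    rights = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    if mask & CONTENT_BITS:
        return "content", rights
    if mask and not (mask & ~METADATA_BITS):
        return "metadata", rights
    return "other", rights   # e.g. DELETE or WRITE_DAC on their own


def to_wazuh_fields(fields):
    """Map the record to the win.system.* / win.eventdata.* names a Wazuh
    rule's <field> matches on (assumed: EventData names lower-camelCased)."""
    out = {"win.system.eventID": str(fields["EventID"])}
    for name, value in fields.items():
        if name != "EventID":
            out["win.eventdata." + name[0].lower() + name[1:]] = value
    return out


def alert_on_content_access(xml_text, watched_share):
    """The check the wide-open '^5145$' rule is missing: alert only when the
    share is one we care about and the requested mask touches contents."""
    fields = parse_5145(xml_text)
    wazuh = to_wazuh_fields(fields)
    if wazuh["win.system.eventID"] != "5145":
        return False
    if wazuh["win.eventdata.shareName"] != watched_share:
        return False
    return classify(fields)[0] == "content"


if __name__ == "__main__":
    # 0x80 is an attribute query; 0x120089 is FILE_GENERIC_READ; 0x10000 is DELETE
    for mask in ("0x80", "0x120089", "0x10000"):
        record = build_sample(mask)
        print(mask, classify(parse_5145(record)),
              "alert:", alert_on_content_access(record, "\\\\*\\Finance"))
```

Fed the three masks, the script reports the 0x80 request as metadata-only and the FILE_GENERIC_READ request (0x120089, which includes ReadData) as content, so only the second one would alert for the Finance share. The same mask test is what a tighter Wazuh rule would express with a second `<field name="win.eventdata.accessMask">` regex rather than matching on the event ID alone.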
-
RE: Audit for Saved Credentials on Windows
Would something like crackmapexec do the trick? I've started playing around with it to validate that some of our security configs are actually doing what they're supposed to and it can be used to dump user lists from a lot of the native windows locations. Not sure that it would get everything that you're looking for but "hacking" tools might be something to consider in addition to the typical bevy of PS and Windows commands.
-
RE: SMB Timeout?????
@jasgot To test the AV theory: either exclude the scan directory or temporarily disable the AV and try the job.
-
RE: Inexpensive laptop recommendations
Refurb business grade. Either Dell Latitude 5xxx and up or an HP ProBook / EliteBook. Benefit is that you can get replacement parts for quite a while and they're so much easier to work on.
-
RE: Inexpensive laptop recommendations
@adamf I've bought from their Canadian store before for home, no issues. Actually got an upgrade if my memory is correct. Had ordered a 3020 full tower and got a 7020 or 9020 instead (with same or better spec).
-
RE: Looking to learn/research MeshCentral
@scottalanmiller said in Looking to learn/research MeshCentral:
@notverypunny said in Looking to learn/research MeshCentral:
@stuartjordan said in Looking to learn/research MeshCentral:
Tactical RMM integrates with MeshCentral as well apparently. Although I've only tried the demo, it looks promising. https://github.com/wh1te909/tacticalrmm
Doesn't just integrate, mesh now appears to be an integral part. Stood up a tactical server and it automatically installed and configured a mesh instance. Have to say that I'm pretty impressed with things so far.
It does that, but if you do that you get less flexibility. We run our own MC instance and our own Tactical instance and connect the two.
Hey Scott, can you elaborate on the increased flexibility? I have to admit that I'm not familiar enough with either product to see what the advantages of different deployment models could be.
-
RE: Routing from LAN/Sonicwall to Comcast DHCP Client
@jasgot said in Routing from LAN/Sonicwall to Comcast DHCP Client:
@notverypunny said in Routing from LAN/Sonicwall to Comcast DHCP Client:
Have you got the appropriate rules in place to allow WAN > LAN as well as the NAT rules on the Comcast CPE? Can you get to the webserver from another connection? Keep in mind that since you're using the public IP it's got to be configured and managed as an independent, internet-facing service. Are all 3 devices (the 2 SW and the Comcast CPE) on the same connection and the IPs part of the same subnet or are we dealing with multiple discrete ISP lines? There's lots of room for incorrect assumptions to be made with the info you've provided. If possible, I'd put everything on one device, preferably the strongest of the 2 SW units and manage everything that way.
I have rules in the Sonicwall to allow from 10.1.10.x to 192.168.1.x, even though they are not required. (The traffic is initiated by the device on the 192.168.1.x LAN network)
No NAT rules on the Comcast CPE. It shouldn't be needed because I am not trying to use the CPE public IP address as a destination, only as a gateway.
Yes, all three are the same. The two SWs are plugged into the CPE.
CPE = xx.xx.xx.98
SW1 = xx.xx.xx.97
SW2 = xx.xx.xx.96
Only one ISP in the mix.
So this is what your setup looks like?
I'm not sure, but I wouldn't be surprised if the SW simply goes bork trying to deal with private IP ranges on a port that you've designated as a WAN.
Still puzzled as to why you've got 3 edge devices...
-
RE: Looking to learn/research MeshCentral
@krzykat said in Looking to learn/research MeshCentral:
@notverypunny
I'm curious about this as well. We have used MC successfully and now want to add TacticalRMM ... what are the advantages of having them separate versus being on the same box? Don't like the idea of redoing all the existing MC clients, but if it makes things better, fine.
For your scenario you really shouldn't have to re-do a deployment; IIRC you're in the same situation as @scottalanmiller (Mesh deployed and then adding TacticalRMM after). I got the go-ahead to give Tactical a try in our enterprise environment as a complement to, or possible replacement for, parts of our existing tool-stack / workflow, so I'm not quite in the same situation from the jumping-off point. I've got a mix of machines deployed and really like what I'm seeing so far.
-
RE: So WTF m.2 is this
@jaredbusch If I was still at work I'd quiz our HW guru, but I think your answer is somewhere in here: https://www.velocitymicro.com/blog/nvme-vs-m-2-vs-sata-whats-the-difference/
IIRC the NVMe and SATA M.2 drives don't have the exact same connectors.
-
RE: Best Linux Live CD for Imaging Windows Drive
@voip_n00b Is it absolutely necessary to take the image from outside of the installed environment? Veeam's free windows agent / application runs within the installed OS so all you really need is remote access to the machine with admin rights and you're good to go. To answer your initial question, if they can't boot and follow clonezilla, I doubt that anything else is going to work out.
-
RE: I've been asked to set up MFA on internal computers and servers
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/
Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so that without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.
-
RE: Hestia Development Full Webhosting Panel
@stuartjordan said in Hestia Development Full Webhosting Panel:
Still very active and now on version 1.4.17. I'm still using this for my hosting and had no problems. Now have Auto updates on and 2FA.
Looks nice, 1.5.0 just released today from what I can see on their github.