Posts made by notverypunny

If anyone else needs something for IPAM / network documentation I've just fallen in love with phpipam (https://phpipam.net/)

I'd tried netbox in the past but this just seems to work better for me. You can also set up polling / discovery of the configured ranges (on a per-range basis) either from the central server or from remote agents.

Anyways, it's rare that I'll advocate for something out of the blue, but I'm almost enjoying moving our horrible excel spreadsheet documentation over to this.

Happy Friday all

@justin867 Is there anything else as far as print-management going on? We use papercut-ng on our printservers, with one central server and the remote sites configured as secondary servers. If things are set too tightly, the secondary server will refuse print jobs if it can't call home to the master..... just some food for thought since most everything else seems to be working.

@jaredbusch said in offline, air-gapped backups / backup rotation (looking for hardware & ideas):

@notverypunny he did in the post right before mine.

But that is besides the point. It doesn’t matter what tool you are using. Only the toilet cell should you have the credentials for the back up repository. Not a fucking mapped drive in windows or something like that

Damn, you're right, missed that.

Not entirely sure what you mean about the toilet cell though. Bad speech to text or a reference that just can't get this morning?

What I had setup at a previous gig was a veeam copy job off to a USB3 HDD. There were 3 on rotation so that there was always 1 physically off-site.

The possible solutions are of course going to depend on what the initial backup repository is that you're looking to copy off to this air-gapped system. Jared mentions Veeam but I couldn't spot the OP indicating that he's using Veeam, and if yes, is it B&R for hypervisors or the agent individually installed on endpoints or are we only looking to backup a single server? I only raise the point because the veeam windows agent provides a mechanism to automatically mount and unmount the backup target between runs.

@mr-jones knowbe4. They provide training modules for users as well as allow you to run simulated phishing exercises. There are other companies out there that provide the same service(s) but we're using these guys for now.

@Dashrender said in Bad Pings from Windows, Good from Linux:

@notverypunny said in Bad Pings from Windows, Good from Linux:

@scottalanmiller said in Bad Pings from Windows, Good from Linux:

@notverypunny said in Bad Pings from Windows, Good from Linux:

Cloned VMs? P2V? Restored / Replicated VMs

I believe that this is the case, but the old ones are definitely powered down.

Hmmmm.... if they're powered down and not unplugged with WoL enabled?

How does that work for VMs?

And this wouldn't explain the PCs having the same issue.

Was thinking P2V. If the VM kept the MAC from the source physical box and the source box is still plugged it but has WoL enabled the MAC will be on the network 2x, right?

I'll concede the point about the PCs...... Although it's not impossible that depending on the size of the organization, the P2V source could have been repurposed as an endpoint, or the NIC been salvaged and put into service in a desktop.

A quick scan with nmap or advanced ip scanner and sort the results by MAC to see if there's anything funky going on.

I've had a couple of machines with Asus boards and Intel NICs blank the MAC to all 0s. Strangely they kept on working and no conflicts since they weren't on the same L2 but it's something that can happen. Not just Asus boards either, I had found the fix on an MSI site or forum if my memory is correct.

@scottalanmiller said in Bad Pings from Windows, Good from Linux:

@notverypunny said in Bad Pings from Windows, Good from Linux:

Cloned VMs? P2V? Restored / Replicated VMs

I believe that this is the case, but the old ones are definitely powered down.

Hmmmm.... if they're powered down and not unplugged with WoL enabled?

@scottalanmiller said in RDP Security / Hardening:

@notverypunny said in RDP Security / Hardening:

Question 1: Is what I'm trying to do possible?

Question 0: Is what you are trying useful?

Start there, likely it is possible. But use the effort to look at things that matter more. If someone CAN access your system, that's the concern. Not that they can access it WHILE you can still access it.

Fair point. Just went back through the audit report and can't find that as a recommendation so I don't know how that got on my list of things to lock down. I'll have to discuss with the boss 'cause there are some of the recommended hardening procedures that I'm not sure are a good idea, at least as a base-line across the board.

Thoughts on RDP restricted admin mode and disabling WDigest?

@JasGot said in Bad Pings from Windows, Good from Linux:

@scottalanmiller Corrupt Arp Table (cache)?

In the same vein as this: could there be duplicate MAC addresses in play? Cloned VMs? P2V? Restored / Replicated VMs.... Or someone just trying to get around MAC security somewhere?

I assume that physical cables and connections have been checked / swapped / ruled out?

Sorry if this is long-winded, I'll try to be as clear and succinct as possible.

Following a security audit we're trying to implement some additional security with regards to the administrative RDP access on our fleet of Windows servers. At the moment I've hit a roadblock trying to limit the number of simultaneous / concurrent sessions. Many of us have run into the issue of Windows servers allowing a default of 2 RDP sessions and 1 console session at the same time. I'm trying to lock that down to 1 interactive logon at a time and none of the settings I'm finding online seem to be having the proper effect.

So far I've tried:

• updating the MaxInstanceCount reg entry to 1
• Using a GPO to set "Limit number of connections" and "Restrict Remote Desktio Services users to a single Remote Desktop Services session"
  -- It looks like this is only leveraged for the full RDP Session Host role, if it's installed. It doesn't seem to have any impact on the administrative RDP access

So:
Question 1: Is what I'm trying to do possible?
Question 2: Does anyone have a link / article / instructions on how to make it happen?

Thanks in advance

• Subnet masks set properly across the board?
• Multiple IP addresses set on the adapters on the windows hosts?
• Ping by hostname vs ping by ip?
• AV or security software that's only on the Windows machines?

A strange one for sure, but it's got that weird "of course that was the problem" vibe.... let us know what it ends up being, I'm curious now

@JaredBusch I'm sure that some people would see that and want to know how to use the blurry font for extra security... then blame IT when they don't know which folder is which

@Dashrender said in One man IT shop looking for additional help options when needed. Hire a MSP?:

@JasGot said in One man IT shop looking for additional help options when needed. Hire a MSP?:

@Dashrender said in One man IT shop looking for additional help options when needed. Hire a MSP?:

@JasGot said in One man IT shop looking for additional help options when needed. Hire a MSP?:

A topic in Self Promotion for ITSPs and their geographic area may be helpful to this group.

ITSPs aren't limited by geography.
I know what you're trying to say - you'd like to see someone post where they have remote hands immediately if they are needed without waiting for a flight, etc...

Yes. That seems to be what most of us are missing with national support.

HP, Dell, Lenovo - they have all solved this by hiring companies local to an area to be those hands - presuming the ITSPs can find those companies, they could possibly become another customer of those companies.

The challenge might be what you would have to pay. The local guy that get's all of the Dell work (don't know about the others) is the 3rd or 4th sub down from the actual Dell organization if I recall correctly. Not that he's the 3rd or 4th choice, but that the request / ticket has gone from Dell to company A who subs to company B etc etc until it gets to him. So either he's only making peanuts off the call or the initial cost to Dell is more than a small shop might consider reasonable.

I'll concede that we're not exactly a bustling metropolis, so this might be a very uncommon scenario.

Yeah, something like this for server / datacenter access is too much of a gimmick, but I imagine that we can't be the only organisation who's stock of spare / loaner machines has been eaten by the long-term temporary work from home arrangements that we've been dealing with for the past year. Once upon a time we would have been able to swap a device via courier or have the user go to their local office, but between lack of equipment and varying degrees of lockdown across the country we more often than not have to fix what's on-site. There's been talk of a massive equipment refresh for the office staff, meaning new laptops for a whole lot of people, but that hasn't materialized yet...

Anyone else see a single day spike on spam with the latest batch of Exchange vulnerabilities making the rounds?

It's been a while, but I'm lazy and first try would be rescatux https://www.supergrubdisk.org/rescatux/

Just a reminder to step back and make sure that CPU and / or RAM are really your bottlenecks here. Network tuning / QoS can do wonders for the RDP experience and then there's the other side of the equation for the RDS server accessing those LoB apps. Some time spent with with processhacker watching not just RAM and CPU usage but process IO, network and disk / filesystem use is always a worthy investment to confirm your course of action. As soon as you've got users directly interacting with a system, be ready for surprises.

@Pete-S Yeah... problem is that for WFH folks you can rarely expect them to have a 2nd machine beyond a phone or tablet. For network connectivity, nothing's better than a cable, and even then we've had problems "configuring" that with some folks.
That CV211 would have been nice to have a few weeks back when the iDRAC at one of our remote sites decided to puke instead of reboot but that's another issue.

Saw this too. Using it for a server never crossed my mind, but having a couple at remote sites or that could be express-shipped to WFH staff for desktop / laptop troubleshooting seems like an interesting possibility.

Mentally preparing to deal with another 25cm of heavy snow after work today. At least there's no commute to deal with for the whole work from home / COVID business.