@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

Having a mirror is perfectly fine, cut fiber, power outages, ISP issues - mundane earthly problems that can be resolved by geographic distance are where mirrors come in.

Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.

If a BDRP can't be developed and meet the RTO and RPO objectives the business must then re-evaluate if the data is at all worthwhile.

As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meet the RTO an RPO objectives.

Hopefully there is a CYA email that their IT department/MSP has so they are covered when proper backups that would work within the above RTO/RPO guidelines - but likely refused to spend. (If such a conversation actually occurred, and that the IT department actually did their jobs).

RTO = Recovery Time Objective
RPO = Recovery Point Objective

BDRP = Building Disaster Resilience in Pakistan ?
CYA = CYa when things go blotto ?

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

@PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller What happened?

Are you asking about one of the NTG clients who was hit with ransomware and they were back up and running in a few hours, or are you asking scott to exposit about this topic?

Asking about the 28 hour recovery.

@scottalanmiller What happened?

@JaredBusch Heh ... gives a whole new meaning to "Garbage in Garbage out".

@JaredBusch Once into the desktop the process I indicated does not kick the recovery question prompt. I don't even know where they are in Win10 since all of our systems are AD integrated or have an Admin and a Standard account for the user's day to day that we manage.

Easier is "Set up for an Organization" and choose a username. Ours would be Laptop Admin with the space and no password to avoid the questions.

Once logged on, CTRL+ALT+DEL and Change Password to set the new one. Note that the existing would be a blank.

Ugh
https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/

https://www.microsoft.com/security/blog/2019/02/28/microsoft-security-intelligence-report-volume-24-is-now-available/

Trends and considerations. It's a good read.

@scottalanmiller The aside that once owned the machine should be flattened that's good info.

Trying to get the Pi-hole link posted and this bundle of cuteness won't leave me alone!

Norma Jean the kitten is an affection junky. She just melts in when held and has an amazing purr.

She and an older brother of hers have managed to win me over to cats ... at least them.

https://isc.sans.edu/forums/diary/Ad+Blocking+With+Pi+Hole/24690/

I have the above site set as my opening page. There's usually a really good article there whenever it gets updated. That was today's article.

@manxam vSAN is a hyper-converged setup with local storage being used on each node to provide HA storage for the compute.

The iSCSI Target on the standalone unit could be for backups, archival storage, or any other storage requirement that comes to mind.

If the three R710 servers are identical then use StarWind VSAN for the HA/VM setup and iSCSI Target the D2D4324-G2?

@pmoncho said in Windows Server Upgrade - MS Retail, Open, Open Value or Open Value Subscription:

Is there anyone out there using OV non-company wide with spread payments?

If so, I am trying to find out if I should purchase all licenses that I think I MAY need upfront?

If I can add to my license (additional CAL's or Server License), how is it calculated if it is during middle of the license year?

All of our clients, and us too, run Open Value Agreement with the spread payment option. Company-wide was too restrictive so we never did go with it.

You can always add licenses to the agreement at a later date. Keep in mind years two and three will have two and full payments for the license respectively so the numbers would be higher.

Our clients are a blend of Open Value Agreement with the Windows Desktop Upgrade/Enterprise license moving to Windows E5 to gain Advanced Threat Protection and security licensing for the desktop.

When renewing the Open Value Agreement the perpetual licenses stay with the client and the renewal is SA Only.

Looking long term, an Open Value Agreement pays for itself in the third renewal so years ten, eleven, and twelve all things being equal.

SA is required or O365 E3 and up (I think) for Office to run in a RDS setup.

If more than one Session Host is going to be set up then it's a best practice to put Broker/Gateway/Web on one VM and the Session Hosts on the other.

@pchiodo said in How many vCPUs can I have?:

@Obsolesce I have also found through experience that more memory on a SQL server does not necessarily improve performance. This is also true with VCPUs. I would monitor closely and change one thing at a time. Just my 2 pennies worth

Concur. We do a lot of testing with VMFleet and other utilities with monitoring via Performance Monitor or Telegraf/Grafana.

There is a sweet spot with so many variables coming into play. Disk subsystem being one key.

@scottalanmiller said in How many VCPU’s can I have?:

NUMA issues is a key reason why we often recommend a single proc with more cores than two procs with fewer cores each. No NUMA.

Don't some of the modern CPUs have multiple memory controllers per CPU thus multiple NUMA Nodes per CPU? I've seen drawings for such but not encountered in servers as of yet.

I suggest always setting a minimum of 2 vCPUs to allow access in case of a runaway thread within the guest.

When it comes to performance there are two boundaries to keep in mind:
1: Processor Physical Core Count
2: Memory per memory controller (NUMA Node)

Our rule of thumb for #1 is # physical cores (pCores) -1

Our rule of thumb for #2 is a bit more flexible as a VM may not start if too much vRAM is assigned and it is bound by a NUMA boundary.

A performance hit can be had by too many vCPUs and vRAM assigned that crosses NUMA boundaries (can be set in the VM's properties). In both cases, bits are bounced around either between physical CPUs or between memory banks within each NUMA node. That bouncing around is lost CPU cycles right there.

We've been replacing all of the 4000 series LaserJet printers (4100, 4300, 4350) at our client sites with HP LaserJet Enterprise M506x or M600 series printers with the extra tray set. In some cases the M600 series with the 1500 (3x reams) drawer setup is configured for high volume firms.

The HP Enterprise series just works. Plus, they work with Remote Desktop Services and EasyPrint in Server 2016+ without having to install any drivers on the session hosts.

EDIT: High Yield "X" series toners make the cost per page something like a penny per.

@scottalanmiller said in Should I bother to learn Windows Storage Spaces and what about Glances export?:

@PhlipElder said in Should I bother to learn Windows Storage Spaces and what about Glances export?:

@scottalanmiller said in Should I bother to learn Windows Storage Spaces and what about Glances export?:

@PhlipElder said in Should I bother to learn Windows Storage Spaces and what about Glances export?:

HCI or disaggregate with Hyper-V and SOFS S2D are they way we're deploying now. So, the whole conversation is essentially moot.

Not really HCI as described with the DataOn. That's just a software RAID version of the non-HC model.

HC has always meant physical convergence.

I believe I referred to the DataON setup as "Converged" or sometimes "Asymmetric" not Hyper-Converged which is what Storage Spaces Direct is when running with both Storage Spaces and Hyper-V on the nodes.

I see. Asymmetric is a decent term. What about it is converged, though? It seems "unconverged", if you will. Other than the software RAID running on the storage nodes.

"Converged" in this case refers to both Hyper-V and Storage Spaces running on the nodes to provide virtual machine and storage cluster based arbitration.