IRJ
    • Profile
    • Following 20
    • Followers 13
    • Topics 586
    • Posts 7,265
    • Groups 0

    Posts

    • RE: Laptops versus desktops and roaming users

      @dashrender said in Laptops versus desktops and roaming users:

      @irj said in Laptops versus desktops and roaming users:

      In the enterprise space, the vast majority of users have laptops, docks, and a spare AC adapter (so they don't need to borrow it from the dock).

      Exceptions would probably be assembly lines or something like a shared nurse's station.
      Desktops are the exception, though, and not the rule.

      The cost of a laptop plus docking station plus external keyboard plus external monitors plus secondary power supply significantly outweighs the cost of a standard desktop.

      If you're very short-sighted it might appear more expensive, but it's actually less expensive to the company. Workers can be mobile and/or remote. Another short-sighted view would be that our people only make X an hour so it doesn't matter. However, the company gets a much bigger return on their salary. Even 10-15 mins of work after business hours can offer the company a huge return.

      posted in IT Discussion
      IRJ
    • RE: AD/AAD and VPN integration

      @dashrender said in AD/AAD and VPN integration:

      @stacksofplates said in AD/AAD and VPN integration:

      @dashrender said in AD/AAD and VPN integration:

      @stacksofplates said in AD/AAD and VPN integration:

      @dashrender said in AD/AAD and VPN integration:

      @stacksofplates said in AD/AAD and VPN integration:

      @dashrender said in AD/AAD and VPN integration:

      @irj said in AD/AAD and VPN integration:

      @dashrender said in AD/AAD and VPN integration:

      @scottalanmiller said in AD/AAD and VPN integration:

      Ask it another way.... so you want to expose your AD infrastructure and fragility directly to the Internet? AD isn't meant to ever see light of day, the entire design of AD is that it is protected inside the LAN. If you do this, you are disabling the foundation of AD's security.

      I can understand where you're coming from - I'll even go so far as to say I agree, at least to some point.

      But the extra onus on end users is what is trying to be avoided. I guess your answer to that is - tough, suck it up, this is security we're talking about here, and security is basically the antithesis of convenience?

      The thing is, you're not exposing your AD with SAML authentication. Worst case scenario, a malicious user can spoof a session. MFA does a lot to alleviate this concern, but even MFA isn't perfect.

      Plenty of other ways to secure SAML or verify your IDP and service provider like azure has them in place.

      https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html

      Even really basic stuff like IP filtering is helpful when authenticating SAML to a SaaS service. The attacker would have to know the IP range of the SaaS application. Again, not a save-all security measure, but it helps more than you'd think.

      Also, short authentication timeouts with the need to re-authenticate in 15 or 30 mins when not in use are a huge help.

      I don't understand how SAML isn't exposing your AD/AAD authentication?

      Isn't it the same username/password for SAML as it is for AD/AAD?

      So let's assume a logon to M365 with MFA, let's also assume there is federation between your local AD and AAD.... So you log into M365 and it shows you on the screen that it's waiting for MFA verification - when you see that you KNOW you have the correct username and password for AD/AAD... right?

      If you're concerned with SAML then use OpenID Connect with the authorization code flow. The user's creds are never passed through the portal and an access token is generated. Then apps can verify user authorization through a JWT token.

      I have literally zero clue what you just said.
      How does what you just said apply to a user getting on their home laptop and logging into M365? or nearly any web portal?

      [image: authorization code flow diagram, using Yelp and Google as the example parties]

      User creds are never passed to the system with the authorization code flow.

      oh - I'm not worried about things like yelp in this case.... I'm worried about a hacker having the Google username/password in your example.

      You don't seem to get the point. This doesn't have anything to do with Yelp other than that was the example in the image.

      OIDC is a way to use properly designed IdPs. The VPN provider can use a properly designed IdP that doesn't have to be internal to authorize the user and the VPN provider never needs to know the users credentials.

      Awww - you're sticking to the OP - (which is good 😉 ) I was only really thinking about website logons, Not VPN access.

      Yes, your solutions look good for allowing the use of AD/AAD as the source of authentication without exposing it to the outside.

      OAuth2 is used on a lot of web applications. Here's a good SAML vs OAuth2 comparison.

      https://www.okta.com/identity-101/saml-vs-oauth/

      posted in IT Discussion
      IRJ
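A worked example of the relying-party side of what @stacksofplates describes above: the app (or VPN gateway) never sees the user's password, it only receives a signed token, so its whole job is to check that the token is genuine, meant for it, still valid and bound to the login it started. This is an added example, not code from the thread, from Okta or from any IdP; to run offline it signs with HS256 and a shared secret, whereas real IdPs such as Azure AD sign with RS256 and publish keys via JWKS, but the claim checks are the same. The issuer, client id, secret, subject and nonce are all constructed values.

```python
"""Relying-party checks on an OpenID Connect ID token (added example).

Signs with HS256 and a shared secret so it runs offline; production IdPs
use RS256 with keys fetched from their JWKS endpoint, and everything from
the 'alg' pin onward is identical. All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test"     # hypothetical IdP
CLIENT_ID = "vpn-portal"                # hypothetical relying party (the 'aud' claim)
SECRET = b"constructed-shared-secret"   # demo only, never a real key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP's token endpoint: header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_id_token(token, secret, issuer, audience, nonce=None, now=None):
    """What the app does with the token it receives: returns (ok, reason, claims)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:                      # bad base64 or bad JSON
        return False, "undecodable", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "undecodable", None
    # Pin the algorithm: the token must never tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature", None
    if claims.get("iss") != issuer:
        return False, "wrong issuer", None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience", None
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "expired", None
    if nonce is not None and claims.get("nonce") != nonce:
        return False, "nonce mismatch", None
    return True, "ok", claims


def demo():
    """Happy path plus four rejections on constructed tokens; returns the reason per case."""
    now = 1_700_000_000                     # fixed clock so the demo is reproducible
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "nonce": "n-123",
              "iat": now, "exp": now + 900}  # 15-minute lifetime, like the timeouts discussed above
    good = mint_hs256(claims, SECRET)

    def check(tok, audience=CLIENT_ID, at=now):
        return verify_id_token(tok, SECRET, ISSUER, audience, nonce="n-123", now=at)[1]

    header, payload, signature = good.split(".")
    forged = b64url_encode(json.dumps(dict(claims, sub="admin"), separators=(",", ":")).encode())
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return {
        "good": check(good),
        "tampered": check(f"{header}.{forged}.{signature}"),  # payload edited, old signature kept
        "alg_none": check(f"{none_header}.{payload}."),       # unsigned token
        "expired": check(good, at=now + 901),                 # one second past 'exp'
        "wrong_aud": check(good, audience="some-other-app"),  # token minted for a different app
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:10s} -> {reason}")
```

The order of checks matters: signature first, so that no claim is trusted before the token is known to be authentic, and the algorithm is pinned by the verifier rather than read from the token.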
    • RE: KVM or VMWare

      @scottalanmiller said in KVM or VMWare:

      @jaredbusch said in KVM or VMWare:

      But that is not where things are moving.

      There are always "trends" with the "follow the buzz word" crowd. Like "cloud". Did cloud become an important part of the equation? Heck yeah. Is every workload going to cloud? Heck no. Is 90% of the workloads on cloud there because it was the right choice? No, it's because it was the word someone knew how to repeat to sound cool.

      These aren't trends anymore. They are best practices.

      It's more than should this specific workload go to the cloud or not. There are so many things at play besides the infrastructure of a single application. If you understood compliance frameworks and SDLC maturity, you'd know that doing all that stuff on premise is much more difficult and a lot more work for the organization to maintain. In a large enterprise, audits are constantly going on, and there are so many things that have to be in place.

      You can say all these requirements are stupid and that most companies fail at IT. At the end of the day, these companies are making billions of dollars in revenue and are leaders in their industry. These leaders are paying $200-300 an hour for contractors and consultants to increase their maturity levels.

      Your expertise is mostly with businesses with fewer than 10 employees who are struggling to survive, let alone care about IT processes. It's such an apples and oranges comparison to Fortune 500s. You may have had expertise in enterprise over a decade ago, but it's obvious that it's been over 10 years since you've had any experience. Nothing wrong with having a niche, but I wonder why you left a $500k+ job to deal with these tiny businesses.

      I also think you shouldn't reject new concepts without understanding them. You should do some training in modern IT. I honestly think you'd love it! Embrace new concepts and at least give them the time of day. The attitude of "everyone is stupid except me" gets old. Especially when you aren't grasping the concepts or are basing your opinions off how things were 15 years ago.


      posted in IT Discussion
      IRJ
    • RE: ADUC Set Password Expiry

      @gjacobse said in ADUC Set Password Expiry:

      It's likely we have all had to address this at some point in the last eighteen months or so; a person sent to work from home for whatever reason has just had their password expire. They don't expect to be back in the office for (x) number of days.

      Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

      If they work from home, authenticate to AD every day, then why can't they reset their password?

      If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

      posted in IT Discussion
      IRJ
    • RE: ADUC Set Password Expiry

      @gjacobse said in ADUC Set Password Expiry:

      @irj said in ADUC Set Password Expiry:

      @gjacobse said in ADUC Set Password Expiry:

      It's likely we have all had to address this at some point in the last eighteen months or so; a person sent to work from home for whatever reason has just had their password expire. They don't expect to be back in the office for (x) number of days.

      Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

      If they work from home, authenticate to AD every day, then why can't they reset their password?

      If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

      Nope - guess my question didn't get created right, because nope. that is totally NOT the point.

      Example 1:
      Director works in the office two/three days a week. Had planned to be in the office for when his password expired, only to be stranded due to vehicle issues at the same time his password expired.

      Example 2:
      In-office staff is nearing the end of the password cycle and (since this is a medical facility) is exposed to COVID or any other potential contagion and must quarantine for a set number of days, during which the password expires.

      Regardless, the password cycle ended when they were not in the office to change it, limiting them to only a few options.

      Option 1:
      Reset password - this means that they now have to deal with two passwords: the password on the device and the password for the domain. MFA plays so well into this.

      Option 2: Set the password to not expire and try to remember to make a reminder or such that this was done upon their return.

      Option 3: Do the above PowerShell, resetting the password timer, thus using the same password for another 90 days.

      Option 4: Do the above, but in a manner that will force them to change the password after x days so that neither party has to sit and clock-watch.

      I have worked for a very large hospital system. All their medical staff were on AD and we had people working remotely back then with expiring passwords.

      • You gotta teach good culture
      • Sometimes people have to be inconvenienced for security
      • Managing all these exceptions is an operational nightmare that will create a load of technical debt.
      posted in IT Discussion
      IRJ
    • RE: ADUC Set Password Expiry

      @travisdh1 said in ADUC Set Password Expiry:

      @irj said in ADUC Set Password Expiry:

      @gjacobse said in ADUC Set Password Expiry:

      It's likely we have all had to address this at some point in the last eighteen months or so; a person sent to work from home for whatever reason has just had their password expire. They don't expect to be back in the office for (x) number of days.

      Why are they treated any different compared to any other user? You either need AD access or you don't. Working from home doesn't change that aspect.

      If they work from home, authenticate to AD every day, then why can't they reset their password?

      If they work from home and don't use AD for 90+ days, then why do they even have AD account at all?

      Resetting a password remotely does not work automatically like it does on-site. The users have to manually do it themselves before the password expires. I'll give you one guess how many users even know how to change it manually 😧

      Yeah, but that's why you spam the hell out of them with notifications to do it. If they don't listen then they deserve to be inconvenienced and have to call the Helpdesk.

      posted in IT Discussion
      IRJ
    • GKE Auto Scaling down to shut down resource usage and save costs.

      I'm looking to scale down a large GKE cluster in a non-prod environment to save costs. I have two main goals.

      1. Scale down to use very minimal resources (basically shutdown).
      2. Fast, automated restore

      It's important that database persistent disk stays attached, and I don't mind keeping the database active and scaling other services down to zero.

      Just looking for some thoughts on the subject.

      posted in IT Discussion
      IRJ
    • RE: VDI Options - Modernization

      @stacksofplates said in VDI Options - Modernization:

      @jimmy9008 said in VDI Options - Modernization:

      @jt1001001 said in VDI Options - Modernization:

      @jimmy9008 We have a use case involving a legacy client/server app that we've determined we're going to have to go VDI for in order to secure it. One lousy app for approx 5 users that I hope we eventually move away from. We are currently reviewing Azure VDI for this and it so far will fit the bill, though we had to go through a lot of "hoops" to configure networking, VPN back into our infrastructure, etc. We have not yet presented budget numbers to the bean counters but I'm hoping when we do they will see the $$$$$ wasted for 5 users and will force them to a new product.

      What other products do you plan to look at? Still VDI or something else? Any experience of VMWare Horizon?

      We have around 600 - 1000 users globally (mostly developers) on the VDI I need to replace. The company dictates that the VDI must be in the same datacenter as the rest of the developers' environments, so I don't think Azure VDI would work for us because of that mandate.

      I know this isn't VDI, but what about something like GitPod, Eclipse Che, Coder, etc? In everyone's defense, developing over VDI truly sucks. This would keep the development environments in the same data center, but would give a much better experience.

      Yeah, I agree. Putting developers on VDI is a total waste. But it sounds like OP doesn't want a different solution and is not interested in thinking outside the box to implement IT based on strategy vs. "this is the way things were always done".

      That's why these people won't be calling the shots or making big bucks because they can't think outside their comfort zones and refuse to stand up to their superiors in order to make positive change.

      posted in IT Discussion
      IRJ
    • RE: ZeroTier & Security

      @pete-s said in ZeroTier & Security:

      @notverypunny

      If you assume that being connected to a ZeroTier network is the same as having the host sitting directly on the internet, you'll be fine.

      That is the basic premise of the zero trust security model - assuming that the network is hostile.

      Yes this ^

      posted in IT Discussion
      IRJ
    • RE: Chrome: unable to play YT Video; weirdness

      @gjacobse said in Chrome: unable to play YT Video; weirdness:

      Well now that we have porn and the 'porn mode' out of the way...

      Are there any thoughts on what could be causing this, how to prevent it, and (a reminder) of how to rectify the issue? Preferably I would like to not lose saved passwords and such, or bookmarks, but I know where bookmarks are so that is easy enough.

      I'd reinstall the browser. It's easy to back up all that stuff to your Google account or do it manually.

      Also I'd recommend not saving passwords in Chrome.

      posted in IT Discussion
      IRJ
    • RE: Production KVM server "hardening"?

      I would restrict ssh to very specific hosts. If you want to be flexible on your location, you could just allow a bastion host and/or VPN. Both solutions are very low cost, as a bastion and a VPN server use very little resources. If you want to implement a solution that's even more proactive, you could use a service like Okta that has MFA and short-term token access to ssh sessions.

      As far as the host level, use CIS benchmarks as a good base for a hardening template. Removing unnecessary packages can also help and limit potential vulnerabilities on the system. Also, the usual stuff like sending logs to a SIEM.

      posted in IT Discussion
      IRJ
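To make the two pieces of advice in this post concrete (only the bastion/VPN may reach ssh, and a benchmark-style baseline for the host), here is an added example, not code from the post and not a CIS tool: a small Python audit that parses an sshd_config the way sshd reads it (first occurrence of a keyword wins, keywords after a Match line belong to that block) and reports where it falls short. The two config samples, the bastion address 10.0.0.5 and the VPN pool 10.8.0.0/24 are constructed; the accepted values are an illustrative baseline that you would map to the CIS benchmark section for your own OS.

```python
"""Audit an sshd_config text against a small hardening baseline (added example).

Not the CIS benchmark itself: the checks are illustrative, and both config
samples below are constructed for the demo.
"""

# Constructed sample: a KVM host before hardening.
WEAK_SSHD_CONFIG = """\
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
#MaxAuthTries 6
"""

# Constructed sample: the same host after following the post's advice.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
# Only admins arriving from the bastion (10.0.0.5) or the VPN pool (10.8.0.0/24)
# may log in at all; both addresses are hypothetical.
AllowUsers *@10.0.0.5 *@10.8.0.0/24
"""

# Upstream OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# Keyword -> accepted values (lower-cased). Illustrative baseline, not CIS's exact list.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "x11forwarding": {"no"},
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keywords.

    Like sshd, the first occurrence of a keyword wins, and keywords after a
    'Match' line belong to that block rather than to the global section.
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key, value = parts[0].lower(), " ".join(parts[1:])
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
        elif current is not None:
            current["settings"].setdefault(key, value)
        else:
            global_settings.setdefault(key, value)
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the baseline is met."""
    settings, _blocks = parse_sshd_config(text)

    def effective(key):
        return settings.get(key, DEFAULTS.get(key))

    findings = []
    for key, allowed in EXPECTED.items():
        value = effective(key)
        if value is None or value.lower() not in allowed:
            findings.append(f"{key}: is {value!r}, expected one of {sorted(allowed)}")
    try:
        if int(effective("maxauthtries")) > 4:
            findings.append(f"maxauthtries: {effective('maxauthtries')} allows too many guesses per connection; set 4 or fewer")
    except ValueError:
        findings.append("maxauthtries: unparseable value")
    if effective("loglevel").lower() not in {"info", "verbose"}:
        findings.append("loglevel: too low to give the SIEM useful authentication events; use INFO or VERBOSE")
    # The post's main point: only the bastion / VPN pool should be able to log in.
    # An AllowUsers entry in user@host form restricts by source address inside sshd;
    # a host firewall rule on the port is the other common way.
    if not any("@" in pattern for pattern in settings.get("allowusers", "").split()):
        findings.append("allowusers: no user@host entry, so any source address may attempt to log in; "
                        "restrict to the bastion/VPN addresses here or in the host firewall")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = audit_sshd_config(cfg)
        print(f"== {name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against `/etc/ssh/sshd_config` on the KVM host (read the file and pass its text to `audit_sshd_config`) before and after applying the template; a reading of the effective configuration via `sshd -T` is a better input than the raw file once Include directives are in play, since the parser above does not follow them.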
    • RE: DIY router build

      I'm gonna play devil's advocate here and say it's a complete waste of time to build a hardware lab. If you want to work SMB for a 100-employee company, then fine, whatever. They want to pay you to monkey around with hardware for a few servers instead of doing colo or cloud.

      Everyone on here giving advice is passionate about their work and thorough, but unless you want to do IT service work or be a one-man IT shop, there isn't really any value in this stuff. Get an edge router and buy a cheap hardware device as @Pete-S recommended.

      I actually had to check the date a few times on this thread to make sure it wasn't nearly a decade old, because man, this is a dated way to learn. You'll find very little of what you want to learn has to do with hardware or even a specific colo or cloud. Notice how everyone talked about server configuration or networking. Neither of those pertains to actual hardware. The implementation you'll be doing in the real world is both hardware and cloud agnostic.

      posted in IT Discussion
      IRJ
    • RE: I Cant Even...

      @Texkonc said in I Cant Even...:

      I can't even... begin to see the breach data and lawsuits coming....
      https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/

      Shitty security, shitty hosting, but at least they are expensive 😂

      posted in IT Discussion
      IRJ
    • 1 / 1