@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

@tim_g said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

Can we get a photo of the checklist with ur info scratched out?

That way we have what you have to go off of, and no more assumptions need to be made.

We need the complete context to give accurate recommendations.

I will have to get it from my boss. My boss only verbally told me about this and then sent me a snippet of the suggested solution which I transcribed and posted here.
0_1513983858592_23108526-83c5-4a26-8608-ae5b8e840eea-image.png

I see.

But we can't really use that.

We need to see the actual requirement, and for all we know that is just one of many possible recommendations for complying with some unknown requirements.

Right. I just provided that because that's what my boss provided me as it related to the auditors in that it is one of the solutions they provide on the matter -- a solution which I had completely un-done when I had enough of dealing with static IPs and rolled out DHCP again.

@scottalanmiller said in AD Emulation on *Nix:

@jrc said in AD Emulation on *Nix:

However the company that makes the software could care less about Windows client licensing, and as a franchisee they have zero options on using this software.

Of course they don't care, the responsibility for that falls 100% onto the end client to ensure that they have properly licensed their environment. The vendor has zero responsibility here.

Reminds me of a PBX appliance vendor that shipped their "server" with Windows XP Pro as the OS. 😉

Having TaskScheduler in Windows run PowerShell scritps is like rolling dice depending on the context in which you are running the script...

So when in doubt:

I always have guaranteed success when starting the PS script from a batch file first from a scheduled task.

Create a scheduled tasked using these lines in an elevated powershell window:

Creates a scheduled task:

$action = New-ScheduledTaskAction -Execute 'C:\ProgramData\scripts\PSKickoff.bat' $trigger = New-ScheduledTaskTrigger -AtStartup $principal = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest $settings = New-ScheduledTaskSettingsSet $task = New-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -Settings $settings Register-ScheduledTask -TaskName "Scheduled Task Friendly but Meaningful Name" -InputObject $task

Note: Change above New-ScheduledTaskTrigger -AtStartup to match your schedule. Here's the info for it.

The batch file that the scheduled task runs:

Powershell.exe -executionpolicy bypass -File "C:\ProgramData\scripts\yourScript.ps1"

Here is an example of patching not being good enough. This needs an additional reg key.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529

100% correct. I misread my quote, and thought it was X per socket, rather than X for two sockets.

@ccwtech said in RAID on SSD's:

@scottalanmiller said in RAID on SSD's:

That's not a way to measure RAID reliability. I actually a video about why we never mention "number of lost drives" in the SAMIT queue.

Which one? You have several RAID videos.

It posted.

Youtube Video

@coliver said in Remote Monitoring and Management:

Just got another call from Comodo from an Unknown Number. Same rep, answered (because I'm stupid) and asked him to take my email and phone number off the list and they we won't be considering any Comodo products in the future. I like Comodo as a company but man that's some bad salesmanship.

We had the same experience. Product was okay, but the company was impossible.

This points to the same place that others have pointed out, but seems to have two values 4 and 900, I'm assuming it's to set the type.

0_1513958557603_Screen Shot 2017-12-22 at 9.02.14 AM.png

This is what I see after I have put a new SSD and updated the firmware and ensured that all of computer(software, hardware) was up to date.

Anybody see anything wrong, I can't see anything wrong.

@jaredbusch said in Securing Fedora with rkhunter.:

@tim_g said in Securing Fedora with rkhunter.:

@travisdh1 Does it self-update definitions and such?

His instructions say to run an update as part of dnf-automatic.

Though he specified the wrong location for the conf file.

Not sure if that is a full update or what.

Doh! Fixing.

Around that time is when we started to find Nethserver to be the more interesting project.

And Nethserver is active here, whereas Zentyal is not.

@olivier said in Zimbra 8.8 Has Released:

Again, thanks for posting this, it helps me to remember I need to update my Zimbra from time to time 😛 (oh and thanks for the direct link too)

Good!

@rojoloco said in What's happening to Spicework?:

eer, then you have to pay them to talk about your product there. If you're not, then you have now felt the sting of their overzealous mods... frequently discussed around here. I've got no love for spiceworks, especially their mods (and especially one mod who I'm pretty sure literally gets off from nuking posts).

I know some people that are parts of companies and yet still can post... strange that it doesn't goes both ways...

@eddiejennings said in Configuration naming conventions: ERL, ASA, etc:

For my Edge Router Lite, I'm considering whether or not I want to create address groups for single hosts. My reasoning for "yes" would be I'd configure an IP address in one place (the address group), and then multiple configuration aspects can reference that address group. If the IP address of the host in question changes, then I only have to update one thing.

I'm curious to know if you folks do the same for your devices. I know ASA's have objects, which function similarly to the idea of an address group.

Sonicwall are Address Objects and there are groups as well. So yeah I do that.

@travisdh1 said in Looking for replacement to Hangouts On Air:

It'd take a few minutes to setup, but Spreed.me would probably work well.
https://github.com/strukturag/spreed-webrtc

It also has a NextCloud tie in.
https://github.com/strukturag/nextcloud-spreedme

I forgot about that one

@black3dynamite said in Has anyone tried DualMon Remote Desktop:

@rojoloco said in Has anyone tried DualMon Remote Desktop:

I've been trying this out on a couple of machines at work, plus a couple of machines at home. Works pretty well, simple but effective. Then today I saw this:

0_1513889907177_dualmon adblock warning.png

🖕 🖕 🖕 🖕 🖕 🖕 🖕

...eat a dick, dualmon. I shan't turn off my ad blocker for you or anyone... and besides, your entire site still functions 100% with the adblocker turned on, so suck on that. Ads blocked, new computers added, I win.

Is that happening with adblock, pi-hole or both?

Usually those types of things don't happen with pi-hole, another blessing of using pi-hole over browser based ad blockers.

@nerdydad said in O365 and MS's encrypted mail (portal):

Are these cox.net recipients repeat customers? If so, have you considered PGP keys between them?

LOL - they are spouses of the owners, etc, as well as customers. As mentioned in the OP about S/MIME, there is no chance the business, nor it's customers would deal with setting up a key exchange.

Hell, Edward Snowden barely go the journalist there to get a set of keys setup so he could trade messages with them, you really think you're going to get normal business people to do so? or house wives?

@travisdh1 said in Securing NextCloud:

@zachary715 said in Securing NextCloud:

@travisdh1 said in Securing NextCloud:

I forgot before: You can also login to the admin interface and looking at the settings page. It'll give you a list of performance and security optimizations with links to instructions on how to make the changes.

Yeah that's where this all started. It only states that I need to...

Modify/enable the HSTS header to at least 15552000 seconds PHP OPcache not properly configured and to make changes to the php.ini.

From that though, I got to the hardening and security guide and started to go even deeper down the rabbit hole.

I know you're doing this to learn, so this probably isn't needed at the moment. @scottalanmiller's guide to installing NextCloud with Salt has all the settings correct already according to that settings page.

Nice. Good going @scottalanmiller.

@tim_g said in question about Hyper-V resource management?:

@wirestyle22 said in question about Hyper-V resource management?:

@tim_g said in question about Hyper-V resource management?:

@wirestyle22 said in question about Hyper-V resource management?:

@tim_g said in question about Hyper-V resource management?:

@wirestyle22 said in question about Hyper-V resource management?:

@dave247 said in question about Hyper-V resource management?:

@dashrender said in question about Hyper-V resource management?:

@net-runner said in question about Hyper-V resource management?:
http://hv-manager.org/.

zEE4HQh.png

At least you get 5 VMs, but the 5Nines gives you 6..

I'll bring it back around and say that now that I've gotten past the couple of annoying obstacles with Hyper-V and remote management, Hyper-V is freaking awesome. It seems lightning fast.

The annoying thing for me is the versioning needed to manage hyper-v. Example: For Hyper-V 2016 you need a windows 10 machine to manage it.

No you don't.

You can pay for stuff to manage it, but I mean it doesn't automatically allow that

Windows 7+ with RSAT.

I just did that at my last job and it didn't allow it

I used Hyper-V 2016 with Win7 RSAT before I loaded Win10.

Hm. I should try it again I guess at home

@momurda said in DNS & OU issues:

@tracy_burton The being able to ping nonexistent computers means you have static dns entries of the old computers whose names point to ip addresses of computers that are being used.
You are probably able to ping these computers by nonexistent name and actual name, and they resolve to same ip.

Or DNS scavenging isn't on (I don't think it is by default). So the old DNS name could be there, just pointing to an IP that also belongs to another computer. Find the entry in DNS, look at the IP, then sort by IP and see if another host has that same IP.