• 1 Votes
    26 Posts
    5k Views
    JaredBuschJ

    @brianlittlejohn said in Solving poorly programmed app that requires local admin rights:

    @aaronstuder You would have to give everyone admin rights on the Terminal Server.


  • Moving to a New WSUS server

    14
    1 Votes
    14 Posts
    3k Views
    bbigfordB

    @aaronstuder said in Moving to a New WSUS server:

    @BBigford No Problem. Once I realized that the port numbers change, I realized the issue right away.

    Clients are being seen by the WSUS server now 🙂

    Sweet!

  • Certbot (New Let's Encrypt Client)

    10
    1 Votes
    10 Posts
    2k Views
    A

    Found it, nevermind.....

  • Ubiquiti wifi bridge static on VoIP calls

    30
    3 Votes
    30 Posts
    5k Views
    Deleted74295D

    @Mike-Davis said in Ubiquiti wifi bridge static on VoIP calls:

    I knocked it down to 20MHz channel width and ran it for 14 hours with no pings over 20 ms. Users have been on it for 2 work days now and everything is working fine. I wish I understood the science behind it so I could know...

    You could always try to go on a Ubiquiti training course for this kind of thing. 🙂 - Depends on the location.

  • VM from ESXi to Xenserver

    28
    1 Votes
    28 Posts
    6k Views
    hobbit666H

    @JaredBusch said in VM from ESXi to Xenserver:

    Specifically to the CentOS test, the boot image looks like it needs to be rebuilt prior to the V2V or from a boot media after the V2V.

    This is what I'm thinking at the moment but unsure how to do this with my level of Linux skills.

  • Xenvbd issues in Windows Event Viewer

    11
    0 Votes
    11 Posts
    4k Views
    scottalanmillerS

    Awesome, good progress, at least.

  • Hello Mr Chinese IP based hacker

    13
    0 Votes
    13 Posts
    5k Views
    wirestyle22W

    @tonyshowoff said in Hello Mr Chinese IP based hacker:

    That's why we set any WAN-facing SSH port to something obscenely high like 41022, not for "security" but because of the logs. In fact, all of our sshd services run following that pattern, as do our internal HTTP(S) servers, but the load balancers take in 80/443.

    This prevents as many services as possible from running as root, which anything running on a port < 1024 does. I don't think most people even know this. At the very least, if there's a NAT in play, one can always set ssh and web services ports much higher and just translate the ports to avoid the same issue.

    (I know there are some work arounds like setcap on Linux, but in general this is the default behaviour on most machines)

    For some reason this made me think of The Venture Bros, Hunter Gather says:

    And we want your sad ass undercover agents to stop trying to infiltrate our group. Frankly we're tired of killing them and we can't afford the body bags!

    Useful piece of information. Thanks!
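An added example, not code from the thread, that probes the privileged-port rule the post above relies on. On Linux a listening socket may be bound below net.ipv4.ip_unprivileged_port_start (1024 by default) only by a process whose effective capability set holds CAP_NET_BIND_SERVICE (root has it unless it was dropped); a high port such as 41022 needs no privilege at all. The port list and the loopback host are assumptions chosen for the demonstration.

```python
"""Added example (not from the forum thread): probe the privileged-port rule
the post above relies on. On Linux a listening socket may be bound below
net.ipv4.ip_unprivileged_port_start (1024 by default) only by a process whose
effective capability set holds CAP_NET_BIND_SERVICE (root has it by default);
a high port such as 41022 needs no privilege at all."""
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10      # capability bit number, see <linux/capability.h>
DEFAULT_UNPRIV_START = 1024    # kernel default if the sysctl cannot be read


def unprivileged_port_start():
    """Lowest port an unprivileged process may bind; 1024 when the sysctl is absent."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIV_START


def has_cap_net_bind_service():
    """True/False from the CapEff mask in /proc/self/status; None if not readable (non-Linux)."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    mask = int(line.split()[1], 16)
                    return bool(mask & (1 << CAP_NET_BIND_SERVICE))
    except OSError:
        pass
    return None


def can_bind_low_ports():
    """Predict, without touching the network, whether this process may bind a privileged port."""
    cap = has_cap_net_bind_service()
    if cap is None:                    # no /proc: fall back to the classic euid check
        return os.geteuid() == 0
    return cap


def probe_bind(port, host="127.0.0.1"):
    """Try a TCP bind on `port`; return ("bound", actual_port) or ("error", errno_name).
    Port 0 asks the kernel for any free ephemeral port and is never privileged."""
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        return ("bound", sock.getsockname()[1])
    except OSError as exc:
        return ("error", errno.errorcode.get(exc.errno, str(exc.errno)))
    finally:
        if sock is not None:
            sock.close()


def audit_ports(ports):
    """Bind each port and record whether the outcome matches the prediction.
    EADDRINUSE says nothing about privilege, so it counts as consistent."""
    start = unprivileged_port_start()
    allowed = can_bind_low_ports()
    rows = []
    for port in ports:
        privileged = 0 < port < start
        status, detail = probe_bind(port)
        if status == "bound":
            consistent = (not privileged) or allowed
        elif detail == "EADDRINUSE":
            consistent = True
        else:
            consistent = privileged and not allowed and detail == "EACCES"
        rows.append({"port": port, "privileged": privileged, "status": status,
                     "detail": detail, "consistent": consistent})
    return rows


if __name__ == "__main__":
    # constructed port list: the classic privileged ports plus the post's 41022 and an ephemeral one
    print("unprivileged ports start at", unprivileged_port_start(),
          "; this process may bind below that:", can_bind_low_ports())
    for row in audit_ports([22, 80, 443, 41022, 0]):
        print(row)
```

Run it once as an ordinary user and once as root (or after `setcap cap_net_bind_service=+ep` on the interpreter) to see the low-port rows flip from EACCES to bound while 41022 binds either way; the capability check is what actually decides, not the uid, which is why a root process with that capability dropped still fails.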

  • 0 Votes
    3 Posts
    1k Views
    IRJI

    @aaronstuder said in Changing SQL SPN:

    You missed blacking out some hostnames 😉

    😆 Damn VNC!

  • ESXi recovery woes

    25
    0 Votes
    25 Posts
    4k Views
    C

    @Dashrender said in ESXi recovery woes:

    If backing up a 5.5 and restoring back onto a 5.5 still fails, then the only option you have (currently) is to do what the vendor said: back up the DB separately and then restore in the prescribed fashion.

    I think you're right.

  • Why Faxing is Less Secure Than Email

    68
    5 Votes
    68 Posts
    25k Views
    JaredBuschJ

    @Jason said in Why Faxing is Less Secure Than Email:

    @scottalanmiller said in Why Faxing is Less Secure Than Email:

    @BRRABill said in Why Faxing is Less Secure Than Email:

    @Dashrender said

    Tapping a phone line once it reaches a neighborhood hub is trivial, I'm guessing. But the main point that I want to point out here is that tapping a phone line requires physical access to something, somewhere in the path, to make it happen. This requirement makes the cost significantly higher than trying to get access to, say, email through the previously mentioned malware attack.

    Pretty easy to get access to phone lines if you are in any sort of business complex.

    Even if you are not. In rural areas it is especially easy to tap lines. There is even equipment that allows you to tap the lines without climbing the poles, you can do it, touchless, from the ground!

    Our building here is in a rural area, but because we are the biggest company around, Verizon brought the whole trunk of lines multiplexed into our building in case we need all of them, so we would have them. There are restaurants, stores, and urgent medical care centers all around us. All of their analog lines, both phone and fax, come into our building and we could listen in from the NID.

    Having worked as an alarm installer for 7+ years I too know how common this is.

    I wander into the phone room and start clipping on to various pairs looking for the # I am supposed to use and end up finding all kinds of things that are not part of the company I am there working for.

  • What the Poo and Moderation of Swearing

    51
    0 Votes
    51 Posts
    15k Views
    RojoLocoR

    2 things:

    [two images]

  • The story of CryptoLocker... Just happened an hour ago... Thoughts?

    9
    2 Votes
    9 Posts
    2k Views
    L

    All we know is that the GPO for CryptoLocker was broken/denied, thus any protection for CryptoLocker was disabled for at most 48 hours. It was a combination of incidents that led to CryptoLocker. Don't think Flash is the cause here.

  • Linux: Creating a Filesystem

    8
    2 Votes
    8 Posts
    4k Views
    scottalanmillerS

    @Dashrender said in Linux: Creating a Filesystem:

    I'm assuming LVM will be covered separately - I'm trying to understand what it's purpose is versus just using mkfs.

    It will be. And it is unrelated. mkfs and lvm do totally different things. Neither replaces the other in any way.

  • pfSense slow site-to-site VPN

    19
    2 Votes
    19 Posts
    10k Views
    thwrT

    @marcinozga Thanks, but already tried net.inet.ip.fastforwarding in all combinations with TCP and UDP.

  • Kickstart with LUKS

    22
    2 Votes
    22 Posts
    9k Views
    scottalanmillerS

    @thwr said in Kickstart with LUKS:

    @scottalanmiller said in Kickstart with LUKS:

    @thwr said in Kickstart with LUKS:

    @thwr said in Kickstart with LUKS:

    But if the server walks, the TPM walks with it and the security has been totally bypassed. In fact, IMHO, if you have the key on TPM and it decrypts automatically on start up and you had to state if the system was encrypted or not, at best you could say "sort of." While you might get away with saying that it is encrypted, if asked the other way "is the data wide open", the answer would also be yes because it's not encrypted when someone looks at it.

    Ah, sorry, misunderstood your posting in the first place. Well, that's chicken-egg. You can either have it decrypt automatically or not. If going for automatic decryption, we have to make sure the machine can't decrypt e.g. when it gets stolen or sold.

    For this, storing the key on the host alone, even with TPM, may not be enough (don't know enough about TPM at this point. Sealing to system state seems quite safe, but...). Thus, we need to bring in another factor. Let's call it "location awareness", e.g. pulling the actual key from the network and TPM stores just something to authenticate against the "key server". Server offsite -> no decryption.

    Past boot, it is up to you to secure the server by traditional means. Strong passwords, no or strongly secured RS232 TTY and so on.

    Exactly, something externally has to trust that the system is where it is supposed to be physically so that it will release the key. We considered using this but decided that security trumped downtime and kept the system requiring human intervention and just accepted large downtimes in the event of a reboot.

    Agree, downtime due to a misconfiguration, some failure on the network or the key server would be an issue. What if we look at some back approach: if some removable storage with a key is present at boot, LUKS will use this key. Otherwise, it tries to pull it from the key server as described above? Should be pretty solid, and a backup is in place (key on USB stick) in case something goes south.

    This surely is an approach for environments requiring a very high level of security, but I like the idea.

    I've seen places do that, pop in a key and use that, but you have to trust that people will remove it immediately and store it somewhere.
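An added example, not code from the thread, modelling the boot-time key order discussed above: a removable key if one is present, then a key server that releases the LUKS key only to a client on the expected network that proves possession of a secret held by its TPM, then an operator prompt as the last resort. The server, the site network, the "TPM secret", the client name and the keys are all constructed here; nothing talks to a real TPM, to cryptsetup, or to a Tang/Clevis service, and the HMAC challenge stands in for whatever the real TPM would sign.

```python
"""Added example (not code from the thread): a model of the boot-time key order
discussed above. (1) a removable key if one is present, (2) a key server that
releases the LUKS key only to a client on the expected network that proves
possession of a secret held by its TPM, (3) an operator prompt as last resort.
The server, the network, the "TPM secret" and the keys are all constructed
here; nothing talks to a real TPM, LUKS/cryptsetup or a Tang/Clevis service."""
import hashlib
import hmac
import ipaddress
import secrets


class KeyServer:
    """Toy escrow service: one LUKS key per enrolled client, released only when the
    request comes from the allowed network and carries a valid HMAC over a fresh nonce."""

    def __init__(self, allowed_net):
        self.allowed_net = ipaddress.ip_network(allowed_net)
        self._clients = {}   # client_id -> (tpm_secret, luks_key)
        self._nonces = {}    # client_id -> outstanding challenge

    def enroll(self, client_id, tpm_secret, luks_key):
        self._clients[client_id] = (bytes(tpm_secret), bytes(luks_key))

    def challenge(self, client_id):
        nonce = secrets.token_bytes(16)
        self._nonces[client_id] = nonce
        return nonce

    def release(self, client_id, src_ip, proof):
        """Return the LUKS key, or None. A nonce is single-use, so a captured proof cannot be replayed."""
        nonce = self._nonces.pop(client_id, None)
        record = self._clients.get(client_id)
        if nonce is None or record is None:
            return None
        if ipaddress.ip_address(src_ip) not in self.allowed_net:
            return None                          # server walked off-site: refuse
        tpm_secret, luks_key = record
        expected = hmac.new(tpm_secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return luks_key


def prove_possession(tpm_secret, nonce):
    """Client side: what the TPM-resident secret would produce for the challenge (modelled as an HMAC)."""
    return hmac.new(tpm_secret, nonce, hashlib.sha256).digest()


def read_removable_key(path):
    """Return the key file's bytes if the removable medium is mounted, else None."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


def acquire_luks_key(client_id, src_ip, server, tpm_secret, removable=None, prompt=None):
    """Try the sources in order; return (source, key) or raise if nothing worked.
    `removable` and `prompt` are callables returning bytes (or None / empty when absent)."""
    if removable is not None:
        key = removable()
        if key:
            return ("removable", key)
    proof = prove_possession(tpm_secret, server.challenge(client_id))
    key = server.release(client_id, src_ip, proof)
    if key is not None:
        return ("network", key)
    if prompt is not None:
        return ("operator", prompt())
    raise RuntimeError("no key source available; leaving the volume locked")


if __name__ == "__main__":
    srv = KeyServer("10.20.0.0/24")                        # constructed site network
    tpm, luks = secrets.token_bytes(32), secrets.token_bytes(64)
    srv.enroll("db01", tpm, luks)                          # constructed client name
    print(acquire_luks_key("db01", "10.20.0.15", srv, tpm)[0])          # network
    print(acquire_luks_key("db01", "203.0.113.7", srv, tpm,
                           prompt=lambda: b"typed-by-operator")[0])    # operator
```

The two failure modes the thread worries about both end at the operator prompt rather than in an automatic unlock: a stolen host requesting from outside the site network gets nothing from the server, and a host whose TPM secret is wrong or missing cannot produce a valid proof. The removable-media path is `read_removable_key("/path/on/usb")` passed as the `removable` callable; whether operators actually pull the stick afterwards is the remaining human problem the last reply points out.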

  • Sharepoint 3.0

    5
    1 Votes
    5 Posts
    750 Views
    thwrT

    @Jason Having just a few timers failing is odd. Custom or built-in jobs?

    A little logging 101 in WSS3: https://raiumair.wordpress.com/2007/06/19/quick-a-to-z-of-sharepoint-logs/

  • Cant UNC into Workstation on LAN

    7
    1 Votes
    7 Posts
    1k Views
    DashrenderD

    @alex.olynyk said in Cant UNC into Workstation on LAN:

    @Dashrender TO the computer

    UNC to the admin shares should have still worked, assuming you were logged into the computer you were coming from with a domain admin account (or an account that had local admin rights to the one you changed).

    But if you were trying to do remote admin stuff.. then yah, you found the fix.