    • 1

      PVLAN (private VLAN) in the switch - are you using it?

      vlan switch pvlan
      12
      0 Votes
      12 Posts
      1k Views
      1

      @scottalanmiller said in PVLAN (private VLAN) in the switch - are you using it?:

      PVLAN, or Port Isolation as I think most of us know it, is one of the better uses of VLAN tech. The idea is for extreme environments (not really SMB generally) when normal security measures are not enough, that you make an individual VLAN for every single device on the network so that you control via central firewall a second layer of access for every single port that there is.

      There are certainly legit cases for this. And I've worked for one of those places. But it's super rare. It is a lot of work, requires gear that supports it, and adds a lot of complication that you have to consider. It also adds a good deal of security.

      In the SMB, most places have over the top security already and zero day threats rarely threaten OS level firewalls. So PVLAN, while legit, rarely has appreciable value to an SMB. But when you need that "second firewall per device", then yes, it's definitely the way to go.

      Makes sense, but I'm thinking it doesn't have to be that much more work if you can apply automation to switch management as well.

      I think you can do port isolation on the virtual switches in VM hosts in the same way as the physical ones. I understand that at least VMware has had it for a long time, so I assume others have it now as well.

    • C

      Struggling to Understand Kernel and OS Separation

      linux kernel curtis operating system unix computer basics
      129
      -5 Votes
      129 Posts
      25k Views
      scottalanmillerS

      Classic Curtis.

    • openitO

      You know any IT Security Awareness (from Home Users to Enterprise) resource?

      15
      1 Votes
      15 Posts
      734 Views
      IRJI

      @jaredbusch said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

      @irj said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

      @jaredbusch said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

      @irj said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

      I guess we were wrong... This course has about $80k in sales. I would assume it was bought mostly by employers, but maybe home users are interested in it as well.

      @zachary715 said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:

      I have not gone through it, but KnowBe4 has a "Home Course" I assume designed for what you're looking for.

      Neither of these are designed originally for the consumer. They are successful businesses that add this component on as a "perk" for the few random consumers that do it.

      There will never be a successful business model for this kind of security for consumers that is not forced on them by external factors.

      KnowBe4 surely focuses on businesses, but I'm not so sure that is the case with the instructor on Udemy. The 3 courses he offers seem to be focused on home users.

      Consumers are still not going to just buy into this.

      I would bet most of his stuff business paid for.

      I would assume you are probably right. I have bought a few Udemy courses for my mother-in-law. One of them was how to use an iPhone. This course explained how to turn it on and do really simple stuff like reply to a text message, etc.

    • WLS-ITGuyW

      SSL Certs

      8
      0 Votes
      8 Posts
      423 Views
      WLS-ITGuyW

      @obsolesce said in SSL Certs:

      @wls-itguy said in SSL Certs:

      OK. So if I have 3 servers that have the following:

      pbxserver.site1.org at x.x.x.1
      secserv.site1.org at x.x.x.2
      weather.site1.org at x.x.x.3

      I could use one wildcard cert for all three servers, correct?

      IP addresses have nothing to do with it.

      I knew that - I was just making sure people knew they were indeed on 3 separate servers.

    • DustinB3403D

      User Training Who is responsible

      employee training it it education conversation
      32
      1 Votes
      32 Posts
      3k Views
      DonahueD

      Where I work, I don't have control over my colleagues. I am sure most places suffer from those people that are just there to stay in their lane and keep the status quo, at least everywhere I have ever worked. This sometimes applies to department heads and those people that should be taking charge of things like training. Generally, I find myself training users on specific tasks that they need to do their job, but a lot of times it comes down to how to process a specific task within our ERP, or somehow relating to how they use the technology we provide. I don't train our estimators how to make an estimation, but I will show them how to enter that into our ERP, or show them where to put all related documents. In a company our size, if there is no one that will take charge and try and force some sort of consistency and order, there will be chaos. A great example is the idea of a classic file server, whether it is a NAS or something else. Without proper permissions and forethought, you will end up with multiple users trying to share the same resources in multiple ways that are often mutually exclusive. It also doesn't help, when talking about training, that some 'department managers' or other mid-level managers are not really managing as much as they are just the most senior person in that department. We have a lot of these types of managers where their workload is still doing the primary task of the department, instead of managing their workers who do the actual work. It makes it hard to have consistency for training when no one seems to even have the time to train anyone properly, let alone work up any training materials and document any procedures ahead of time. It pays off in the end when it happens, but it's never an organic thing that happens; that's not how entropy works.
      This is one of the primary struggles for our company, and I have taken on some of this (not all of it mind you), possibly because I happen to be able to find a solution that fits our variables, and other people are not as well suited to the task.

    • A

      Mozilla SSL Configuration Generator

      1
      -1 Votes
      1 Posts
      373 Views
      No one has replied
    • scottalanmillerS

      Outlook Out of Memory to Open Large Folder

      outlook 2016 windows 10 windows 10 1803 windows
      31
      1 Votes
      31 Posts
      5k Views
      JaredBuschJ

      @black3dynamite said in Outlook Out of Memory to Open Large Folder:

      Email/Mailbox hoarder!

      Definitely

    • ObsolesceO

      Need SSL cert - What's next best?

      38
      0 Votes
      38 Posts
      2k Views
      ObsolesceO

      I got a 2-year SSL cert from NameCheap for $15 (it's Comodo). Installed and working great. No need for a $200/year cert lol.

    • scottalanmillerS

      Pics from Spiceworld 2018

      spiceworld spiceworld 2018
      34
      0 Votes
      34 Posts
      3k Views
      JaredBuschJ

      @kelly last year it was Sunday or Monday evening. I forget which. I played that one.

      I wasn't available this year.

    • brandon220B

      NextCloud alternate data location

      nextcloud nextcloud 14 storage
      24
      2 Votes
      24 Posts
      3k Views
      brandon220B

      @travisdh1 I thought that was the issue as well and temporarily disabled SELinux, and it did not fix my issue.

    • momurdaM

      snmp for linux, is it really this difficult?

      9
      1 Votes
      9 Posts
      1k Views
      1

      @momurda Great! Thanks for posting!

    • CloudKnightC

      GDPR Requiring Centralized Password Management

      41
      0 Votes
      41 Posts
      3k Views
      1

      @scottalanmiller said in GDPR Requiring Centralized Password Management:

      @pete-s said in GDPR Requiring Centralized Password Management:

      This is the GDPR. You can check yourself what it says. It's only 88 pages.
      https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

      Every country in the European Union is required to make it national law.

      Yeah, I've read most of it. But anything 88 pages is long enough to make creating FUD pretty easy to do.

      Yeah, FUD is how the big boys make their money. If it's not fear, uncertainty and doubt then it's complexity. Make something that could have been simple as complex and convoluted as possible so that you absolutely need lots of consultants and experts helping you. Which of course the supplier can offer. And finish off the cocktail of deception with a big chunk of vendor lock-in on top.

    • momurdaM

      How to setup postfix on vultr vps?

      6
      1 Votes
      6 Posts
      1k Views
      momurdaM

      @jaredbusch OK, thanks, doing that now.
      They do this quickly; I got the ticket open and closed in less than 30 minutes.
      But what about the config?

    • IT-ADMINI

      what language used in Mangolassi

      31
      2 Votes
      31 Posts
      5k Views
      tonyshowoffT

      @jaredbusch said in what language used in Mangolassi:

      @scottalanmiller said in what language used in Mangolassi:

      @it-admin said in what language used in Mangolassi:

      @scottalanmiller but PHP still has the lion's share in the web market, doesn't it??

      PHP is making a big come back now. It never went away, but since the PHP 7 series released it has greatly improved in performance and features and is way more viable today than it was at the time of this thread. Its ecosystem has blossomed again and there are more and more powerful frameworks than before.

      It is still only one of many great options, but way better than it used to be.

      WTF with the necro posting yesterday and today...

      This ain't some phpBB forum with vidya games, son, everything is always worth talking about

      That is supposed to sort of sound like Hank Hill

    • IT-ADMINI

      Web Application VS Windows Application

      programming
      450
      1 Votes
      450 Posts
      152k Views
      scottalanmillerS

      @jmoore said in Web Application VS Windows Application:

      @scottalanmiller Certainly could be.

      He has over 1,200 posts, one of our top posters over the years.

    • JaredBuschJ

      New pi-hole install has no default white list items

      pi-hole
      7
      1 Votes
      7 Posts
      587 Views
      JaredBuschJ

      @dustinb3403 said in New pi-hole install has no default white list items:

      You can add the lists rather quickly as well.

      Obviously. But I think I will wait and see.

    • scottalanmillerS

      Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt

      ssl ssl certificates lets encrypt iis windows windows server acme ssl wildcard
      19
      5 Votes
      19 Posts
      16k Views
      scottalanmillerS

      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

      Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up an RD Session Host with an LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

      One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

      Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

      It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

      Got it thanks. Looks like a bit of a learning curve then. 🙂

      It's not bad. I find learning the LE pieces easier than learning to do it the old fashioned way 🙂 And with LE it is "learn once and ignore", rather than "learn once, forget, do again in a year or two all over again."

    • 1

      Automation with Ansible, Salt etc - at what point?

      24
      0 Votes
      24 Posts
      1k Views
      ObsolesceO

      @black3dynamite said in Automation with Ansible, Salt etc - at what point?:

      @obsolesce said in Automation with Ansible, Salt etc - at what point?:

      @black3dynamite said in Automation with Ansible, Salt etc - at what point?:

      @scottalanmiller said in Automation with Ansible, Salt etc - at what point?:

      @black3dynamite said in Automation with Ansible, Salt etc - at what point?:

      @obsolesce said in Automation with Ansible, Salt etc - at what point?:

      @black3dynamite said in Automation with Ansible, Salt etc - at what point?:

      @scottalanmiller said in Automation with Ansible, Salt etc - at what point?:

      @pete-s said in Automation with Ansible, Salt etc - at what point?:

      Ansible seems to be the least complicated to get started with so I guess that'll be as good as anything.

      Syntactically yes.

      Salt has the simpler architecture, because it is clients reaching the server, not the server reaching the clients.

      That's the main thing I like about Salt. But damn, if the minion service is hosed for whatever reason, it can be a real pain.

      SaltStack can do agentless as well, like Ansible.

      Ansible uses WinRM to manage Windows. Can Salt do the same? Because Salt agentless uses SSH, so I would need to set up an SSH server on Windows.
      https://docs.saltstack.com/en/getstarted/ssh/index.html

      Why would you want to do that, though? The agent is the key reason to be on Salt in the first place.

      I'm all good with using the agent. But until I figure out the problem I'm having with the agent on my Windows machines, Ansible will be used.

      I've got the agent deployed across 700 win7, Win10, win server, and Hyper-V servers at work. All working, installed via chocolatey.

      What is the issue you are having?

      Edit: 50-100 of those 700 are Linux.

      It's probably something stupid on my part, but it's only happening on some of my Windows 10 1803 machines. They are installed via chocolatey too.
      The service gets stuck in a paused state. It is working great on the other Windows 10, 7, servers, Hyper-V and Linux.

      I think that means it has no contact with the salt master.

    • 1

      Cages in datacenter?

      4
      1 Votes
      4 Posts
      363 Views
      scottalanmillerS

      The place that I see them most is in DCs that allow questionable public access rather than having dedicated, screened DC workers only getting access.

    • KyleK

      SSO with Azure & On-Prem AD

      azure ad azure ad connect sso
      4
      2 Votes
      4 Posts
      1k Views
      KyleK

      @scottalanmiller said in SSO with Azure & On-Prem AD:

      Have not tried that. Would be awesome to see working.

      I'd love to have had more time to play with it than being given the go-ahead at 3 pm on Friday to have it done by Tuesday morning at 8 am. After cleaning up the Server 2016 that was an attempt @ ADFS by the on-site that assumed A records are auto-created because Azure is integrated and AD, AD Connect, IIS, and SQL would be "OK" on the same server.
