    • EddieJenningsE

      Reverse Proxy for VPS VMs

      IT Discussion vps reverse proxy best practice security
      0 Votes
      4 Posts
      808 Views
      EddieJenningsE

      I like the idea of the web application firewall, and that looks like something that can be set up on the same VM as what would be running Nextcloud, etc.

    • JaredBuschJ

      WP-CLI and database users

      IT Discussion wp-cli wp wordpress security
      0 Votes
      26 Posts
      2k Views
      1

      @JaredBusch said in WP-CLI and database users:

      @Pete-S said in WP-CLI and database users:

      @JaredBusch said in WP-CLI and database users:

      @Pete-S said in WP-CLI and database users:

      And when you use -e you should have it after user and password so the SQL commands you want to execute come after the -e.

      That was a once off artifact of me doing it on this system after the root password has been set.

      OK, so maybe this then:

      sudo mysql -e "CREATE USER $DB_USER@localhost IDENTIFIED by '$DB_PASS';"
      sudo mysql -e "GRANT ALL ON $DB_NAME.* TO $DB_USER@localhost;"
      sudo mysql -e "FLUSH PRIVILEGES;"

      Right. Updating the guide. But half tempted to leave the single quotes everywhere if that causes no error in order to protect against spaces by others. Though I am using pwgen to do this.

      It's kind of f*cked up to have spaces in user names and passwords. Personally I don't use something unless it's specifically needed but either way works.

    • scottalanmillerS

      How Modern Applications Nullify Ransomware

      IT Discussion security ransomware malware
      5 Votes
      4 Posts
      599 Views
      Emad RE

      @scottalanmiller

      Whole article is great but the last 2 lines are 👍 👍

      Shame that NextCloud + OnlyOffice is not really there, I tried it when I was working with MSFF... definitely interesting but needs some time.

    • IT-ADMINI

      How Can You Prevent Non-Domain Users from Getting an IP Configuration

      IT Discussion active directory domain active directory network access control security networking
      0 Votes
      16 Posts
      2k Views
      scottalanmillerS

      Discussion on the policy side of this is over here:

      https://mangolassi.it/topic/20894/policies-vs-network-access-control

    • JaredBuschJ

      O365 Compliance Content Search Error

      IT Discussion o365 office 365 microsoft security content search
      0 Votes
      3 Posts
      605 Views
      NDCN

      I've seen issues with search for the last week or so. A few people here have been unable to search public folders or their inboxes on and off. Supposedly resolved. We'll see...

    • 1

      Is the concept of DMZ obsolete?

      IT Discussion dmz firewall security infosec network security
      1 Votes
      6 Posts
      935 Views
      scottalanmillerS

      A proper DMZ is still a valid concept, but was never that big of a deal. There are almost no resources that make sense to put there. If you have those resources, then sure. But who does? The advent of cloud computing, cheaper colocation, better IT knowledge, etc. has led most shops to not try to make "internal/external" shared resources where one side is public and the other uses LAN security; and what little of that remains in need is generally addressed with VLANs in a slightly different way.

    • AmbarishrhA

      Evaluating Defender ATP

      IT Discussion defenderatp windows defender atp microsoft defender atp office 365 security anti-virus antimalware ransomware
      0 Votes
      26 Posts
      4k Views
      DashrenderD

      @marcinozga said in Evaluating Defender ATP:

      @Dashrender said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      @Dashrender said in Evaluating Defender ATP:

      @Obsolesce said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      @Dashrender said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      @Ambarishrh said in Evaluating Defender ATP:

      @marcinozga said in Evaluating Defender ATP:

      I was about to evaluate it too, I had a webex session with Microsoft sales, and while it looks nice, it doesn't really offer anything special over other solutions. And it's expensive, really expensive. Perhaps sales misled me but we either had to subscribe to O365 E5 or M365, or get Windows 10 Enterprise licenses. It worked out to being 15-18 times more expensive than a 3rd party antivirus solution.

      Not sure how they gave you that info! An average pricing structure as below

      7455634e-b366-4cb5-af6e-859115ac1fcd-image.png

      And security products straight from O365 admin portal subscriptions page:
      560b3413-64e4-4a77-9b6c-27030798a842-image.png

      These are prices IF you already have one of their subscriptions. If you don't need them or have something else, you're paying $15-$20 per month per endpoint. That's how much it costs per year if you go with other av vendor.

      But as mentioned - $15-20 per year is only for typical AV, not an ATP product.

      And the difference between the two is.....? ATP is really just a marketing phrase at this point. Here are some features from "traditional" av:

        • malware protection, both behavioral and definition based
        • ransomware protection
        • phishing protection
        • ids/ips
        • device control
        • exploit blocker
        • botnet protection
        • web filtering
        • memory analysis
        • central management, either cloud or local

      And a full forensics audit trail?

      I'm really curious which ones have this stuff for 15-18 times less the cost of Defender ATP?

      I'm having a hard time finding what the real price here is?

      I know that Intune is like $4/user/month. aka $48/user/year. this makes it 2-3 times more expensive than typical AV packages - of course, it gives you a lot more features at that price point.

      The above posts have a dozen different security things listed.

      As @marcinozga says, typical AV with many of the above mentioned features (but not all - and full forensics trails - forget about it) for like $15-20/user/year

      ATP is not available if you have just Intune, you need O365 or M365 Enterprise subscriptions, or Windows 10 Enterprise.
      O365 E3 is $20/mo plus ATP add-on, I think it's $2/mo. I don't know how much is Win 10 Ent, so I'm guessing O365 E3 is the cheapest route, at $22/mo, that's $264 a year. Depending on number of endpoints you can get AV for $15/year, perhaps even less.

      That's an unfair assessment. If you already have O365 E3, then it's only $24/year/user

      Also - is O365 E3 the requirement, or can you add ATP onto E1?

      Is windows 10 Enterprise a requirement of ATP? Things I was reading last night never mentioned that.

      It is fair. What if you don't have O365 because you don't need it or use something else? Other AV don't force you to buy any extra services, you can get AV on a plain vanilla Windows machine.

      From the document I got from Microsoft, E3 is minimum. It's O365 E3 or Windows 10 Ent.

      If you're not in the O/M365 ecosystem already - then you likely wouldn't even consider this plan, you would likely look at another option... so yeah, it's not a fair comparison.

      Now, you could decide, since you are looking at this solution, that you might want to change your other solutions at the same time since MS has these bundled together... but you don't just line item this entire cost all on the ATP project, you split it out.

    • scottalanmillerS

      Simple Password Compromise on MailGun

      IT Discussion mailgun smtp email security passwords
      5 Votes
      13 Posts
      2k Views
      scottalanmillerS

      @sully93 said in Simple Password Compromise on MailGun:

      @scottalanmiller, which service did you go with after dropping MailGun? We are looking at a relay service and have MailGun on our list. This is a bit concerning that they shut you down like that. We're also looking at Postmark and SendGrid.

      We made the call to just move to Zoho and get email hosted. We've been super happy with Zoho.

    • wrx7mW

      This doesn't sound right - 3rd-Party "Deduction Management Firm"

      IT Discussion email security e-mail
      0 Votes
      23 Posts
      2k Views
      wrx7mW

      @Kelly said in This doesn't sound right - 3rd-Party "Deduction Management Firm":

      It hasn't gone into effect, but as of 1/1/20 you will be operating under this law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

      Thanks. At this point, it is only companies that this request would apply to.

    • travisdh1T

      Cisco loses lawsuit for firing whistle blower.

      IT Discussion cisco security blunder
      4 Votes
      1 Posts
      447 Views
      No one has replied
    • wrx7mW

      Sales Person Wants Me to Provide Independent Rep With an Email Account

      IT Discussion email office 365 security complaince
      1 Votes
      23 Posts
      2k Views
      scottalanmillerS

      @wrx7m said in Sales Person Wants Me to Provide Independent Rep With an Email Account:

      @scottalanmiller said in Sales Person Wants Me to Provide Independent Rep With an Email Account:

      My second thought is, if having an email account creates a security concern, it is not creating the account that creates the problem, it simply exposes an existing security problem.

      Not necessarily security, but accessing features like SFB, OD and Teams. But, as Kelly mentioned, they have Exchange Online P1, which doesn't have any of the other services (different than E1.)

      Right, I was assuming that they'd only get email. Even those other things, though, still have security. But no reason to think that you'd provision those, too.

    • travisdh1T

      Lenovo EMC Nas security vulnerability.

      News lenivo security
      2 Votes
      1 Posts
      320 Views
      No one has replied
    • scottalanmillerS

      Ransomware Hits Windows 10 Litar Extension

      IT Discussion security ransonware
      1 Votes
      9 Posts
      970 Views
      S

      Maybe they have a couple keys...

    • steveS

      Physical Security - CompTIA Network+ N10-007 Prof. Messer

      Training comptia certification security network+ prof messer youtube it training it career video training
      1 Votes
      1 Posts
      546 Views
      No one has replied
    • JaredBuschJ

      SSH Hardening

      Solved IT Discussion ssh sshconfig hardening security fail2ban jumpbox
      5 Votes
      16 Posts
      1k Views
      JaredBuschJ

      So I set this up again on a new jump box today.

      SSH attempts did not log until I changed the mode to ddos

    • steveS

      Network Address Translation - CompTIA Network+ N10-007 Prof Messer

      Training comptia network+ prof messer networking youtube video training it training it career nat routing firewall security
      2 Votes
      3 Posts
      688 Views
      IRJI

      @mary said in Network Address Translation - CompTIA Network+ N10-007 Prof Messer:

      Is there any kind of slowdown when using just one port if you are getting a lot of traffic?

      No, not really. The most commonly used ports are 80 and 443. They process quite a bit of traffic on your average workstation.

      In fact, most servers are designed to work with a single port or just a handful of ports open. For custom applications, using a specific port makes it easier to troubleshoot issues and restricts non-application traffic. Many apps are defaulting to 443 these days. Although, keep in mind SSL/TLS can operate on other ports.

    • steveS

      Windows Firewall with Advanced Security - CompTIA A+ 220-1002 Prof Messer

      IT Careers a+ comptia certification prof messer firewall networking security windows windows system administration it career it training video training youtube
      3 Votes
      13 Posts
      2k Views
      scottalanmillerS

      @brianwinkelmann said in Windows Firewall with Advanced Security - CompTIA A+ 220-1002 Prof Messer:

      What about the Windows Defender, I mean the antivirus and the firewall of Windows? They go hand in hand, right?

      They go together as in they are both security components of the Windows operating system. But that's about the extent of it. They are both very good, they should both always be used, they are both for the purpose of security. But they are not actually associated other than in name.

    • steveS

      Network Services - CompTIA A+ 220-1001 Prof Messer

      IT Careers networking utm security prof messer comptia a+ it training it careers certification
      2 Votes
      10 Posts
      1k Views
      travisdh1T

      @scottalanmiller said in Network Services - CompTIA A+ 220-1001 Prof Messer:

      @valentina said in Network Services - CompTIA A+ 220-1001 Prof Messer:

      are proxy servers used for security purposes? do they have other functions?

      Yes, very much so.

      They are also very commonly used to allow a single IP address to be used for many services. The most common example... a single proxy server with a single (expensive) public IP address can handle requests for hundreds of thousands, or even millions, of websites. Behind the proxy server can be one or one million separate web servers each serving out applications or web sites or whatever and the proxy server can look at the incoming request and determine, based on the URL used, which server and port to send the request to behind itself.

      Because of the above, they are often used for load balancing because they can send requests to different servers for the same application or site.

      Proxy servers often have caches in them, too. So they quite often store simple, static information "at the edge" to deliver it faster while the application servers behind them do the heavy work for database requests and stuff.

      Proxy servers are sometimes used to "hide" the true location of a server. Cloudflare famously does this so that attackers have no idea where a web site actually comes from, all they see is Cloudflare's proxies.

      A proxy can also do things like handle SSL security so that web servers behind it (or other servers, proxy doesn't imply web) don't have to do that work, as well.

      Hrm, I only have around 20 subdomains pointing to the same IP so far. If my home lab box was a little beefier I'd take this as a challenge. (Scott might as well be describing my home lab environment here.)

    • scottalanmillerS

      Make Simple User Passwords

      IT Discussion security password
      6 Votes
      16 Posts
      1k Views
      J

      I like this too, especially since I've had that graphic (the one they reference on their site) on the wall in our Lab for many years!

      @JaredBusch said in Make Simple User Passwords:

      @scottalanmiller said in Make Simple User Passwords:

      Ever need to make passwords for users and, let's face it, in the real world a lot of customers demand some pretty silly simple passwords. Using password generators often results in passwords that customers will not (and maybe cannot) use. A ridiculous situation, obviously, but it is reality. Passwords are simply difficult to often pass on to someone.

      When generating temporary passwords, having something super strong is rarely very important. But avoiding something too hard to be used is needed. But just making up something non-random or even non-unique is really bad.

      What's a compromise?

      https://www.dinopass.com/

      Yup, here is reality. Sometimes children's tools just make more sense when, well, you can draw your own conclusions.

      I use CHBS
      http://correcthorsebatterystaple.net/

      1335539d-360c-48f7-83a1-3e3a03adbf45-image.png

    • JaredBuschJ

      WebAuthn now a standard

      News password webauthn w3c security
      3 Votes
      20 Posts
      2k Views
      stacksofplatesS

      @Dashrender said in WebAuthn now a standard:

      @stacksofplates said in WebAuthn now a standard:

      @Dashrender said in WebAuthn now a standard:

      @stacksofplates said in WebAuthn now a standard:

      @scottalanmiller said in WebAuthn now a standard:

      @Dashrender said in WebAuthn now a standard:

      but how do you use a YubiKey on your phone?

      Screenshot from 2019-03-05 10-05-44.png

      That's exactly how I do it. You can also use the Yubiauth app on both the phone and Windows to hold OTP codes for stuff that doesn't support u2f.

      So there's a way to export the private key out of the YubiKey? or the sites allows for multiple public keys?

      Huh? You scan the QR code like you normally would but it stores it on the Yubikey instead. Then when you need the code you either tap it to your phone and it shows you all of the one time codes or you do it on your computer. Just like how Google authenticator works. For the u2f stuff, it works the same on Android as on your pc. The browser needs to support u2f and it does the challenge response.

      I've never used a YubiKey - I assumed the private code inside the YubiKey was there and nowhere else.

      It depends on the type of authentication.
