    Posts

    • RE: I've been asked to set up MFA on internal computers and servers

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      I've been looking at some of the options out there. We've been using AuthLite for the IT team's access for years and it works great. The company wants to roll out MFA for all users and through the course of my research I've got the distinct impression that M$ wants people to go fully passwordless with something like a YubiKey.

      You can also go MFA with Hello, combining for instance fingerprint and PIN code with secrets in the TPM. It's not immediately obvious how to do it but it can be done.

      posted in IT Discussion
      1
      1337
    • RE: I've been asked to set up MFA on internal computers and servers

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      even internally for fully on-prem / non-remote access to user computers and servers?

      Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.

      Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.

      Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin

      If you have MFA on your internal stuff then I think you will be dependent on the internet for your internal assets as well.

      Good to know for business continuity and disaster recovery.

      posted in IT Discussion
      1
      1337
    • RE: KVM or VMWare

      @stacksofplates said in KVM or VMWare:

      We work with large companies ranging from DoD (Platform One, GD, ), to Walmart, to big 4 accounting, to even training Red Hat. We also work with small companies down to 4-5 IT/devs. You are out of touch. All of them want CNCF landscape cloud native tooling. Some still use more legacy tools like Jenkins, but still want cloud native.
      Just because the local branch of the single fortune 10 company you say that you work with uses on prem servers means nothing.

      A used car salesman could with 100% confidence say that basically all families are looking to buy a new car. He meets lots and lots of them all the time and everyone has this same issue.

      We all live in bubbles. I have no argument on either side of KVM hiring but it's very risky to think that what we ourselves are experiencing is happening everywhere.

      The latest Goldman Sachs survey shows that the 2000 largest companies in the world only have 23% of their workloads in the public cloud. Other surveys show about the same numbers.

      I have worked with a few of the companies on that list and they are not cloud centric at all. If I would guess I'd say they have maybe 5% in the cloud. But I wouldn't dare extrapolate that into thinking all of them are the same.

      Another thing is that people lump things together. You're either running on-prem servers with no automation and no containers and nothing modern or you are 100% on cloud infrastructure and IaC. I don't think that's how things work. There might be a huge difference just within the same company and different divisions.

      posted in IT Discussion
      1
      1337
    • Minimum Viable Secure Product Security Checklist

      Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers.

      MVSP was developed and is backed by companies across the industry, including Google, Salesforce, Okta, Slack and more.

      Designed with simplicity in mind, the checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture.

      https://mvsp.dev/

      posted in News
      1
      1337
    • RE: Need to split this string in PHP

      Try this:
      https://regex101.com/r/Mv2Wlc/1
      It's very educational if you hover over the different parts of the regexp.

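      To use the regexp in PHP to split the string:

         <?php
         // User-Agent string as sent in the SIP REGISTER
         $s = 'Jitsi2.10.5550Windows 10';
         // Group 1: brand (non-digits), 2: firmware (digits and dots), 3: model (the rest)
         $regexp = '/(\D+)([\d\.]+)(\D+.*)/';
         // preg_match returns 1 on a match; only use $result in that case
         if (preg_match($regexp, $s, $result)) {
             print_r($result);
         }
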

      Results in this output:

      Array
      (
          [0] => Jitsi2.10.5550Windows 10
          [1] => Jitsi
          [2] => 2.10.5550
          [3] => Windows 10
      )
      

      Then use for example $result[1] for the brand.

      posted in IT Discussion
      1
      1337
    • RE: Need to split this string in PHP

      @dafyre said in Need to split this string in PHP:

      @pete-s said in Need to split this string in PHP:

      @dafyre said in Need to split this string in PHP:

      If the preg_match stuff is too aggravating, I have a way that might work.

      It's ugly and hacky, but I tested it with two random strings and it seems to format like you want it...

      It returns an array.

      I'm impressed by the effort!

      Some of us do not get along with regex, lol.

      I cheat...always. I try it out with something like https://regex101.com/

      posted in IT Discussion
      1
      1337
    • RE: Need to split this string in PHP

      @dafyre said in Need to split this string in PHP:

      If the preg_match stuff is too aggravating, I have a way that might work.

      It's ugly and hacky, but I tested it with two random strings and it seems to format like you want it...

      It returns an array.

      I'm impressed by the effort!

      posted in IT Discussion
      1
      1337
    • RE: Need to split this string in PHP

      @jaredbusch said in Need to split this string in PHP:

      @jasgot said in Need to split this string in PHP:

      @jaredbusch said in Need to split this string in PHP:

      I have this bit of information.
      "Jitsi2.10.5550Windows 10"

      I need to split it into

      $brand = "Jitsi";
      $model = "Windows 10";
      $firmware = "2.10.5550";
      

      Jitsi is fixed, so easy to substring.

      But the model and firmware not so much for me this morning.

      I don't know what you are working on, so this may not work, but if you knew all known firmwares, you could put them in an array and then when you have a hit, all that remains is the OS.

      it is a user agent sent by a sip register

      Use a regular expression to split it.

      The first group is letters, second is numbers and dots (perhaps some - and / as well), third group starts with letters and ends at the end of the string.

      Use this function: preg_match($regex, $string, $result)
      https://www.php.net/manual/en/function.preg-match.php

      posted in IT Discussion
      1
      1337
    • RE: Laptops versus desktops and roaming users

      @dashrender said in Laptops versus desktops and roaming users:

      @pete-s said in Laptops versus desktops and roaming users:

      @dashrender said in Laptops versus desktops and roaming users:

      @scottalanmiller said in Laptops versus desktops and roaming users:

      @dashrender said in Laptops versus desktops and roaming users:

      @scottalanmiller said in Laptops versus desktops and roaming users:

      @pete-s said in Laptops versus desktops and roaming users:

      For the same money you get more power in the desktop.

      The enterprises I know have a mix of both. Those that may have a need for a laptop have one. The rest are predominantly desktop based. Especially if they are not office workers.

      My bigger concerns are always durability and usability. My desktop setups tend to be faster, sure, but also they don't get dropped, banged around, broken hinges, dropped, filled with coffee, etc.

      I love laptops, I'm on one now, but generally I like to have desktops for the desk and laptops on the go rather than docking stations. More money, but I think in many cases, especially more "advanced" users, it's the better way when you need to provide mobility. The laptop gets used much less, giving it more lifespan (less chance to be dropped) while also giving users a backup device.

      While I get it - damn, that's a lot of spend.

      But we get great laptops typically for $650 and desktops for like $900. So $1550 not including monitors and accoutrements. Spendy, yes, outrageous, no.

      What laptops are you getting for $650 that are worth using?

      JB posted a pic of a Ryzen 5 for $900.

      I picked up an HP home user unit from Costco in early 2020 for $600 and it was OK.
      I'm also not putting Linux, so I have to pay the MS tax for Windows Pro.

      Define worth using. A quick search on Amazon showed 63 different models in the $500 to $600 range that have i3, i5, ryzen 3 or ryzen 5 CPUs, with 8G or more RAM and 128GB or larger SSD.

      The i5 (8th or newer gen) or Ryzen 5 is likely good enough to use, the rest of that crap I wouldn't bother with...
      The storage amount is basically whatever is cheapest

      OK, then I get 56 different models. Almost the same. Don't know how many are Home versus Pro though.

      posted in IT Discussion
      1
      1337
    • RE: Laptops versus desktops and roaming users

      @obsolesce said in Laptops versus desktops and roaming users:

      @dashrender said in Laptops versus desktops and roaming users:

      @irj said in Laptops versus desktops and roaming users:

      In the enterprise space, the vast majority of users have laptops, docks, and a spare AC adapter (so they don't need to borrow it from dock).

      Exceptions would probably be assembly line or something like a shared nurse's station
      Desktops are the exceptions though and not the rule.

      In the enterprise space you rarely see large groups of people sharing the same computers - it's one device one user.

      As for Laptops vs Desktop - I have no idea if the reality is desktop are the exception today...

      The cost of a laptop plus docking station plus external keyboard plus external monitors plus secondary power supply significantly outweigh the cost of a standard desktop.

      If the user needs that level of flexibility of mobility it might make sense, but most desk workers likely don't.

      I've only seen laptops in enterprise. The exceptions were purpose-specific desktops, being very few. But again it depends on the environment and industry; not all enterprises are the same. I've not worked in hospitals but can imagine them with different needs and device purposes.

      Statistics I've seen show that sales are about 2:1 in favor of laptops versus desktops.

      But yes, there are a lot of enterprises. Just 1000 employees and it's an enterprise.

      posted in IT Discussion
      1
      1337
    • RE: Laptops versus desktops and roaming users

      @dashrender said in Laptops versus desktops and roaming users:

      @scottalanmiller said in Laptops versus desktops and roaming users:

      @dashrender said in Laptops versus desktops and roaming users:

      @scottalanmiller said in Laptops versus desktops and roaming users:

      @pete-s said in Laptops versus desktops and roaming users:

      For the same money you get more power in the desktop.

      The enterprises I know have a mix of both. Those that may have a need for a laptop have one. The rest are predominantly desktop based. Especially if they are not office workers.

      My bigger concerns are always durability and usability. My desktop setups tend to be faster, sure, but also they don't get dropped, banged around, broken hinges, dropped, filled with coffee, etc.

      I love laptops, I'm on one now, but generally I like to have desktops for the desk and laptops on the go rather than docking stations. More money, but I think in many cases, especially more "advanced" users, it's the better way when you need to provide mobility. The laptop gets used much less, giving it more lifespan (less chance to be dropped) while also giving users a backup device.

      While I get it - damn, that's a lot of spend.

      But we get great laptops typically for $650 and desktops for like $900. So $1550 not including monitors and accoutrements. Spendy, yes, outrageous, no.

      What laptops are you getting for $650 that are worth using?

      JB posted a pic of a Ryzen 5 for $900.

      I picked up an HP home user unit from Costco in early 2020 for $600 and it was OK.
      I'm also not putting Linux, so I have to pay the MS tax for Windows Pro.

      Define worth using. A quick search on Amazon showed 63 different models in the $500 to $600 range that have i3, i5, ryzen 3 or ryzen 5 CPUs, with 8G or more RAM and 128GB or larger SSD.

      posted in IT Discussion
      1
      1337
    • RE: Laptops versus desktops and roaming users

      @scottalanmiller said in Laptops versus desktops and roaming users:

      @pete-s said in Laptops versus desktops and roaming users:

      For the same money you get more power in the desktop.

      The enterprises I know have a mix of both. Those that may have a need for a laptop have one. The rest are predominantly desktop based. Especially if they are not office workers.

      My bigger concerns are always durability and usability. My desktop setups tend to be faster, sure, but also they don't get dropped, banged around, broken hinges, dropped, filled with coffee, etc.

      I love laptops, I'm on one now, but generally I like to have desktops for the desk and laptops on the go rather than docking stations. More money, but I think in many cases, especially more "advanced" users, it's the better way when you need to provide mobility. The laptop gets used much less, giving it more lifespan (less chance to be dropped) while also giving users a backup device.

      I do the same. Desktop + laptop.

      posted in IT Discussion
      1
      1337
    • RE: Laptops versus desktops and roaming users

      For the same money you get more power in the desktop.

      The enterprises I know have a mix of both. Those that may have a need for a laptop have one. The rest are predominantly desktop based. Especially if they are not office workers.

      posted in IT Discussion
      1
      1337
    • RE: AD/AAD and VPN integration

      @stacksofplates said in AD/AAD and VPN integration:

      @dashrender said in AD/AAD and VPN integration:

      @stacksofplates said in AD/AAD and VPN integration:

      @dashrender said in AD/AAD and VPN integration:

      @irj said in AD/AAD and VPN integration:

      @dashrender said in AD/AAD and VPN integration:

      @scottalanmiller said in AD/AAD and VPN integration:

      Ask it another way.... so you want to expose your AD infrastructure and fragility directly to the Internet? AD isn't meant to ever see light of day, the entire design of AD is that it is protected inside the LAN. If you do this, you are disabling the foundation of AD's security.

      I can understand where you're coming from - I'll even go so far as to say I agree, at least to some point.

      But the extra onus on end users is what is trying to be avoided. I guess your answer to that is - tough, suck it up, this is security we're talking about here, and security is basically the antithesis of convenience?

      The thing is you're not exposing your AD with SAML authentication. Worst case scenario a malicious user can spoof a session. MFA does a lot to alleviate this concern, but even MFA isn't perfect.

      Plenty of other ways to secure SAML or verify your IDP and service provider like azure has them in place.

      https://cheatsheetseries.owasp.org/cheatsheets/SAML_Security_Cheat_Sheet.html

      Even really basic stuff like IP filtering is helpful when authenticating SAML to a SaaS service. The attacker would have to know the IP range of SaaS application. Again not a save all security measure, but it helps more than you'd think.

      Also short authentication timeouts with need to re-authenticate in 15 or 30 mins when not in use is also a huge help.

      I don't understand how SAML isn't exposing your AD/AAD authentication?

      Isn't it the same username/password for SAML as it is for AD/AAD?

      So let's assume a logon to M365 with MFA, let's also assume there is federation between your local AD and AAD.... So you log into M365 and it shows you on the screen that it's waiting for MFA verification - when you see that you KNOW you have the correct username and password for AD/AAD... right?

      If you're concerned with SAML then use OpenID Connect with the authorization code flow. The user's creds are never passed through the portal and an access token is generated. Then apps can verify user authorization through a JWT token.

      I have literally zero clue what you just said.
      How does what you just said apply to a user getting on their home laptop and logging into M365? or nearly any web portal?


      User creds are never passed to the system with the authorization code flow.

      OpenID Connect uses the same model as SAML so there is no difference there. It's called HTTP redirect binding in SAML. SAML can be set up in other ways too but that is what is commonly used.

      Either way, the user's password is never sent to or even known by the service you're connecting to.

      posted in IT Discussion
      1
      1337
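
The redirect-based login discussed in this post (OpenID Connect authorization code flow, the same model as SAML's HTTP redirect binding), as an added example that is not part of the original thread: a constructed IdP and service where the service records everything it receives, so you can check that the password never reaches it. All names, URLs and secrets are made up, and the HS256 token signed with the client secret is a simplification chosen to stay within the Python standard library.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key, header, claims):
    return hmac.new(key.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()

class IdP:
    """Constructed identity provider: the only party that ever sees the password."""
    def __init__(self, users, client_id, client_secret):
        self.users, self.client_id, self.client_secret = users, client_id, client_secret
        self.codes = {}  # one-time authorization code -> username

    def login(self, authorize_url, username, password):
        """The browser, redirected here by the service, submits credentials to the IdP."""
        q = parse_qs(urlparse(authorize_url).query)
        ok = username in self.users and hmac.compare_digest(
            self.users[username].encode(), password.encode())
        if q["client_id"][0] != self.client_id or not ok:
            raise PermissionError("login rejected")
        code = secrets.token_urlsafe(16)
        self.codes[code] = username
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code, client_id, client_secret):  # back channel, service to IdP
        if client_id != self.client_id or not hmac.compare_digest(
                client_secret.encode(), self.client_secret.encode()):
            raise PermissionError("client authentication failed")
        username = self.codes.pop(code)  # single use: a replayed code raises KeyError
        header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = b64u(json.dumps({"sub": username, "aud": client_id,
                                  "exp": int(time.time()) + 300}).encode())
        return f"{header}.{claims}.{b64u(sign(client_secret, header, claims))}"

class Service:
    """Constructed relying party, e.g. the web portal the user is logging in to."""
    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id, self.client_secret = idp, client_id, client_secret
        self.redirect_uri, self.pending, self.seen = redirect_uri, set(), []

    def start_login(self):
        state = secrets.token_urlsafe(16)  # binds the callback to this login attempt
        self.pending.add(state)
        params = {"response_type": "code", "scope": "openid", "state": state,
                  "client_id": self.client_id, "redirect_uri": self.redirect_uri}
        return "https://idp.example/authorize?" + urlencode(params)

    def callback(self, url):
        q = parse_qs(urlparse(url).query)
        if q["state"][0] not in self.pending:
            raise PermissionError("state mismatch")
        self.pending.discard(q["state"][0])
        header, claims, sig = self.idp.token(
            q["code"][0], self.client_id, self.client_secret).split(".")
        self.seen += [url, b64u_dec(claims).decode()]  # everything the service received
        if json.loads(b64u_dec(header)).get("alg") != "HS256" or not hmac.compare_digest(
                sign(self.client_secret, header, claims), b64u_dec(sig)):
            raise PermissionError("bad token signature")
        data = json.loads(b64u_dec(claims))
        if data["aud"] != self.client_id or data["exp"] < time.time():
            raise PermissionError("wrong audience or expired token")
        return data["sub"]

def demo(password="Tr0ub4dor-constructed"):
    idp = IdP({"alice": password}, "portal", "constructed-client-secret")
    svc = Service(idp, "portal", "constructed-client-secret", "https://portal.example/cb")
    redirect = idp.login(svc.start_login(), "alice", password)  # browser <-> IdP only
    user = svc.callback(redirect)
    return user, any(password in item for item in svc.seen), svc, redirect
```

`demo()` returns the authenticated user, a flag saying whether the password showed up in anything the service received, and the objects for further inspection.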
    • RE: KVM or VMWare

      @stacksofplates said in KVM or VMWare:

      @pete-s said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      @pete-s said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.

      Exactly. Stuff isn't done manually anymore.

      It's not even that about manual process. It's about being able to audit, and have a repeatable process.

      Auditing in KVM is pretty much not there lol.

      Just a side note, but what type of auditing are you talking about? Security audit? Compliance audit?

      All of the above.

      OK, thanks.

      But how about libvirt being used by openstack and openshift? There has to be a lot of enterprises running that in their hybrid cloud environment. Surely not everyone is running their workloads only on Amazon or Google. Red Hat has to be out there pushing a lot of this to their enterprise customers. And surely these environments are fully automated and auditable just like aws or gcp. Or isn't that the case?

      I don't know anyone running RHEV. I also don't know anyone actually running openstack. I'm sure there are a few but it's hardly the norm.

      Openshift may use libvirt underneath with kubevirt but I think most are just running containers. I don't know too many places running openshift either over just k8s.

      There are 4000+ jobs on linkedin in the US when searching for openstack.
      8000+ jobs when searching for openshift. And I see companies such as Bank of America, Citi, Delta Air Lines, Federal Reserve etc. So I'm guessing it's in use for sure.

      posted in IT Discussion
      1
      1337
    • RE: KVM or VMWare

      @irj said in KVM or VMWare:

      @pete-s said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      @pete-s said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.

      Exactly. Stuff isn't done manually anymore.

      It's not even that about manual process. It's about being able to audit, and have a repeatable process.

      Auditing in KVM is pretty much not there lol.

      Just a side note, but what type of auditing are you talking about? Security audit? Compliance audit?

      All of the above.

      OK, thanks.

      But how about libvirt being used by openstack and openshift? There has to be a lot of enterprises running that in their hybrid cloud environment. Surely not everyone is running their workloads only on Amazon or Google. Red Hat has to be out there pushing a lot of this to their enterprise customers. And surely these environments are fully automated and auditable just like aws or gcp. Or isn't that the case?

      Openshift is on azure now

      https://cloud.redhat.com/products/azure-openshift

      Yes, Red Hat says you can install and run it on:

      • your laptop
      • public cloud - Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Coming soon: IBM Cloud, Ali Cloud
      • your datacenter
      • managed by Red Hat

      https://developers.redhat.com/products/openshift/download

      I haven't used it though but it would be fun to look into. I always thought you needed a huge infrastructure just to run it.

      posted in IT Discussion
      1
      1337
    • RE: KVM or VMWare

      @stacksofplates said in KVM or VMWare:

      @pete-s said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.

      Exactly. Stuff isn't done manually anymore.

      It's not even that about manual process. It's about being able to audit, and have a repeatable process.

      Auditing in KVM is pretty much not there lol.

      Just a side note, but what type of auditing are you talking about? Security audit? Compliance audit?

      All of the above.

      OK, thanks.

      But how about libvirt being used by openstack and openshift? There has to be a lot of enterprises running that in their hybrid cloud environment. Surely not everyone is running their workloads only on Amazon or Google. Red Hat has to be out there pushing a lot of this to their enterprise customers. And surely these environments are fully automated and auditable just like aws or gcp. Or isn't that the case?

      posted in IT Discussion
      1
      1337
    • RE: KVM or VMWare

      @stacksofplates said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @irj said in KVM or VMWare:

      @stacksofplates said in KVM or VMWare:

      The integration with the REST APIs is more important than any of the ancillary features of qemu/libvirt.

      Exactly. Stuff isn't done manually anymore.

      It's not even that about manual process. It's about being able to audit, and have a repeatable process.

      Auditing in KVM is pretty much not there lol.

      Just a side note, but what type of auditing are you talking about? Security audit? Compliance audit?

      posted in IT Discussion
      1
      1337
    • RE: Who do you call for IT assistance

      @scottalanmiller said in Who do you call for IT assistance:

      @pete-s said in Who do you call for IT assistance:

      @scottalanmiller said in Who do you call for IT assistance:

      It can't, IT isn't a certifiable process.

      ITIL certification?

      ITIL is a management cert, as well, not an IT one. It's specific to the management of IT, but at its core it's not even for IT people, just people who manage IT people.

      Like being a certification for a coach, rather than a certification for a baseball player. It's related, but coaching baseball isn't baseball. It's an important ancillary. Just as is lawn mowing, security, and sports investment. But they are all ancillary.

      I think there are certifications for both management and practitioners. But sure, it's the process of how to manage IT and the people doing it and not IT itself.

      posted in IT Discussion
      1
      1337