    Posts
    • RE: Does block level sync exist?

      @scottalanmiller said in Does block level sync exist?:

      @Fredtx said in Does block level sync exist?:

      @scottalanmiller Let me clarify. I want to make sure the "good" backups are copied to the offsite storage. So if the building were to catch on fire or something, and the good copies are destroyed. I would want to be able to restore from the offsite storage. In my case, some of the data was missing from the offsite storage that should have been replicated from the local "good" backup. Not sure what happened, and why it was not copied over, but it did not. I figured there would be some kind of sync mechanism that would have caught that ahead of time, which Barracuda said there is no such sync. That is why I reached out to the community.

      We understand. And that's important because clearly your sync failed. It's just that it also exposed the fact that the original backups are not application aware (unless there is no application) so something that you should see as a very, very large issue. If you are responsible for the backups, that is. Otherwise, not your monkeys, not your circus.

      You're making an assumption that there's an app to back up - which wasn't 100% clear until this post. As you mention - he might just be backing up file servers - so no app involved - just files to back up.

      posted in IT Discussion
      Dashrender
    • RE: Email auto CC

      @WrCombs said in Email auto CC:

      @Dashrender said in Email auto CC:

      @WrCombs said in Email auto CC:

      @scottalanmiller said in Email auto CC:

      @WrCombs said in Email auto CC:

      @Pete-S said in Email auto CC:

      @WrCombs said in Email auto CC:

      Can someone help me understand GSuite email admin stuff??
      Customer opened ticket to add her as a CC on another employee's emails - we set up the rule yesterday and tested - worked fine from my understanding but ticket was reopened with the notes that when the employee who is copied emails send an email to the other employee from the email that is supposed to be cc'd on all incoming emails - there is no response /cc notification - My thought is because it's coming from email that is supposed to be CC'd it's not sending the CC to prevent loop back emails - but I don't know much about it.

      anyone have any insight?

      Contact Google support instead. They are there to help you and they should know how it is supposed to work and what settings to check if it doesn't. And they can probably see things in your account that you can't.

      Gotcha. My manager and I were bouncing ideas off of each other on this one and we came to the conclusion that Google is being too smart for its own good - Like it's not copying her on emails being sent to that other employee's email from the CC'd email to prevent loop back emails - we explained this to the customer -

      Maybe a good chance to step back and figure out the end goal. Why would she want to be CC'd on her own email?

      the employee doesn't know that this is happening - there's some behind-the-scenes sticky stuff going on that I'm really trying not to get involved in.

      UG!

      UG?

      Yeah - this is straight up spying - in some states this would be illegal!

      posted in IT Discussion
      Dashrender
    • RE: Email auto CC

      @pmoncho said in Email auto CC:

      @scottalanmiller said in Email auto CC:

      @WrCombs said in Email auto CC:

      @Pete-S said in Email auto CC:

      @WrCombs said in Email auto CC:

      Can someone help me understand GSuite email admin stuff??
      Customer opened ticket to add her as a CC on another employee's emails - we set up the rule yesterday and tested - worked fine from my understanding but ticket was reopened with the notes that when the employee who is copied emails send an email to the other employee from the email that is supposed to be cc'd on all incoming emails - there is no response /cc notification - My thought is because it's coming from email that is supposed to be CC'd it's not sending the CC to prevent loop back emails - but I don't know much about it.

      anyone have any insight?

      Contact Google support instead. They are there to help you and they should know how it is supposed to work and what settings to check if it doesn't. And they can probably see things in your account that you can't.

      Gotcha. My manager and I were bouncing ideas off of each other on this one and we came to the conclusion that Google is being too smart for its own good - Like it's not copying her on emails being sent to that other employee's email from the CC'd email to prevent loop back emails - we explained this to the customer -

      Maybe a good chance to step back and figure out the end goal. Why would she want to be CC'd on her own email?

      A few users do that here. I asked why and the individuals stated that it was reassurance that the email went out if they see one come into their own mailbox.

      I decided to win a different battle.

      Yeah - I was thinking the person making this request likely wanted to test if it was actually working - so they tested it from their own account and well - it failed - lol

      posted in IT Discussion
      Dashrender
    • RE: Email auto CC

      @WrCombs said in Email auto CC:

      @scottalanmiller said in Email auto CC:

      @WrCombs said in Email auto CC:

      @Pete-S said in Email auto CC:

      @WrCombs said in Email auto CC:

      Can someone help me understand GSuite email admin stuff??
      Customer opened ticket to add her as a CC on another employee's emails - we set up the rule yesterday and tested - worked fine from my understanding but ticket was reopened with the notes that when the employee who is copied emails send an email to the other employee from the email that is supposed to be cc'd on all incoming emails - there is no response /cc notification - My thought is because it's coming from email that is supposed to be CC'd it's not sending the CC to prevent loop back emails - but I don't know much about it.

      anyone have any insight?

      Contact Google support instead. They are there to help you and they should know how it is supposed to work and what settings to check if it doesn't. And they can probably see things in your account that you can't.

      Gotcha. My manager and I were bouncing ideas off of each other on this one and we came to the conclusion that Google is being too smart for its own good - Like it's not copying her on emails being sent to that other employee's email from the CC'd email to prevent loop back emails - we explained this to the customer -

      Maybe a good chance to step back and figure out the end goal. Why would she want to be CC'd on her own email?

      the employee doesn't know that this is happening - there's some behind-the-scenes sticky stuff going on that I'm really trying not to get involved in.

      UG!

      posted in IT Discussion
      Dashrender
    • RE: Camera Server Can't Ping Network Device

      @garak0410 said in Camera Server Can't Ping Network Device:

      Well, on a whim, I went out to this location, plugged in a wireless adapter with the existing IP Info and bam, the camera server could see the TREE, GATE SWITCH and ultimately, the camera. So I guess next is to find out why this was the fix and narrow down on the permanent solution.

      perhaps something went to sleep?

      posted in IT Discussion
      Dashrender
    • RE: Camera Server Can't Ping Network Device

      @garak0410 said in Camera Server Can't Ping Network Device:

      @Dashrender said in Camera Server Can't Ping Network Device:

      what's the latency to that far off connection?

      I've already left the location for the day and as mentioned, the camera server will not ping past the "BarnToTree" so I will try to check that tomorrow when I go back out there.

      Sure, I get that - but what about pinging from something else? - hell, plug a laptop into that far end and ping back.

      posted in IT Discussion
      Dashrender
    • RE: What Are You Doing Right Now

      @scottalanmiller said in What Are You Doing Right Now:

      @WrCombs said in What Are You Doing Right Now:

      @scottalanmiller said in What Are You Doing Right Now:

      Stressful morning at the office today. Have to meet with lawyers all morning. Ugh, I hate this stuff.

      uh oh
      that sounds horrible.

      Oh, it is.

      Still cleaning up the old mess? or is this for new business stuff?

      posted in Water Closet
      Dashrender
    • RE: Per User RDP license check

      @pmoncho said in Per User RDP license check:

      I want to install a piece of software on the license server this afternoon to finish off a project and it will require a reboot.

      I wanted to reboot it in the middle of the day but don't want to cause an issue and get "The remote session was disconnected because there are no Remote Desktop License Servers available ...."

      Don't need 30-40 calling with an issue.

      wow - OK... While my gut tells me you'd be fine - the issue I would expect you to POSSIBLY get is someone trying to sign in right while the reboot is happening - but otherwise I would expect everything else to just stay running. But don't really know.

      posted in IT Discussion
      Dashrender
    • RE: Per User RDP license check

      Definitely don't know a definitive one - but I would assume only at logon - perhaps at a re-auth as well if one happens.

      I'm curious where the question came from?

      posted in IT Discussion
      Dashrender
    • RE: Weird DNS resolution issue

      @scottalanmiller said in Weird DNS resolution issue:

      @Dashrender said in Weird DNS resolution issue:

      I suppose it's possible that would have resolved this specific issue as the router would have been the only device making connections to the external DNS... but then again - it could have caused all machines to go without DNS when the upstream server stopped responding...

      Not very likely. Plausible, but not likely enough to avoid it.

      sure - but then again, I've never seen this situation before either - so I would have previously called it unlikely.

      posted in IT Discussion
      Dashrender
    • RE: Frist time Headset ?

      @WrCombs said in Frist time Headset ?:

      @Dashrender said in Frist time Headset ?:

      @WrCombs said in Frist time Headset ?:

      @Dashrender said in Frist time Headset ?:

      @WrCombs said in Frist time Headset ?:

      Mentioned that I was having issues with my headset to one of my coworkers - I guess we have a standard issue headset offered by the company.

      https://www.amazon.com/dp/B08WJRMW17/ref=cm_sw_r_api_i_3YW5JM7SC9CNTRGQGTVK_0?th=1

      It does seem kinda weird that either a) they supply you with one or b) they reimburse you for providing one of your own.

      Though perhaps we don't have all the information.

      I'm not following

      do they
      a) pay for a headset OR
      b) reimburse you for one you buy yourself?

      Using a headset is basically a requirement for a softphone (and since you're now work from home support - I fully expect you'll spend the better part of your day on the phone - so you'll want a headset for that so really that should be a business expense).

      ah, they bought it and it'll be here tomorrow.

      and what about the computer and monitor we see in your picture? did they provide those as well?

      posted in Water Closet
      Dashrender
    • RE: What does your desk look like?

      @scottalanmiller said in What does your desk look like?:

      @Pete-S said in What does your desk look like?:

      @Dashrender said in What does your desk look like?:

      Might also consider a ring light.

      Actually the white wall that is just behind the laptop is much better than a ring light. Just bounce a light source of it and you'll get a very nice light. Search for "bounce lighting" if you want examples.

      Where light source could be.... a ring light!

      LOL

      posted in Water Closet
      Dashrender
    • RE: Camera Server Can't Ping Network Device

      what's the latency to that far off connection?

      posted in IT Discussion
      Dashrender
    • RE: Weird DNS resolution issue

      @JaredBusch said in Weird DNS resolution issue:

      @Pete-S said in Weird DNS resolution issue:

      I usually let the router act as a DNS forwarder or resolver and cache.

      Always this.

      meh - 6 of one!

      I suppose it's possible that would have resolved this specific issue as the router would have been the only device making connections to the external DNS... but then again - it could have caused all machines to go without DNS when the upstream server stopped responding...

      I didn't dig into the ancient TP-Link router they had - they didn't want me to replace it with the newer Netgear they had once I got it working.

      posted in IT Discussion
      Dashrender
    • RE: Frist time Headset ?

      @WrCombs said in Frist time Headset ?:

      @Dashrender said in Frist time Headset ?:

      @WrCombs said in Frist time Headset ?:

      Mentioned that I was having issues with my headset to one of my coworkers - I guess we have a standard issue headset offered by the company.

      https://www.amazon.com/dp/B08WJRMW17/ref=cm_sw_r_api_i_3YW5JM7SC9CNTRGQGTVK_0?th=1

      It does seem kinda weird that either a) they supply you with one or b) they reimburse you for providing one of your own.

      Though perhaps we don't have all the information.

      I'm not following

      do they
      a) pay for a headset OR
      b) reimburse you for one you buy yourself?

      Using a headset is basically a requirement for a softphone (and since you're now work from home support - I fully expect you'll spend the better part of your day on the phone - so you'll want a headset for that so really that should be a business expense).

      posted in Water Closet
      Dashrender
    • RE: RDP/RDS hardening (borrowed from another topic)

      @scottalanmiller said in RDP/RDS hardening (borrowed from another topic):

      @Dashrender said in RDP/RDS hardening (borrowed from another topic):

      Toss in the fact that a denial of service attack could be placed against users assuming a tie in to a centralized auth system with account lockout after x tries...

      That's not a "toss in", that's the actual issue. Deploy RDP without that, and voila, key problems gone. Add proper MFA and voila, all problems gone.

      We use RDP directly on the Internet all of the time, no issues. Because we know how to deploy it (e.g. we don't think of it as a magic black box and skip normal security oversight.) I still don't want to directly expose ANY key system, that goes without saying. But anytime you'd be okay exposing SSH, VPN, or other direct access method RDP is in the same ballpark.

      How does adding MFA prevent the lockout problem? Doesn't MFA only come into account if the correct password is entered?

      Are you saying then - that you don't put account lockouts on login attempts because you have MFA as the safeguard against stuffing attacks? I mean, I guess - supposedly that should help (of course users become numb to phone notices and just approve anything there just like they click on anything that pops in a browser and infect themselves)...

      Do you have a post on the proper way to deploy it and not have these issues?

      posted in IT Discussion
      Dashrender
    • RE: RDP/RDS hardening (borrowed from another topic)

      @JaredBusch said in RDP/RDS hardening (borrowed from another topic):

      @scottalanmiller said in RDP/RDS hardening (borrowed from another topic):

      It has not, that's a myth to the best of my knowledge.

      Not a myth. It has been exploited more than once. Here is one I had a link for. Unauthenticated attacker could run code. Sure it is patched. Sure if you are up to date, you are likely very secure. But it most certainly is not a myth that RDS has not had issues.

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0708

      You beat me to it.

      It's definitely been bent over, and more than just once I'm pretty sure. That in and of itself isn't an issue - nearly nothing software wise is perfect.

      posted in IT Discussion
      Dashrender
    • RDP/RDS hardening (borrowed from another topic)

      @scottalanmiller said in Production KVM server "hardening"?:

      @Dashrender said in Production KVM server "hardening"?:

      @scottalanmiller said in Production KVM server "hardening"?:

      @Dashrender said in Production KVM server "hardening"?:

      @scottalanmiller said in Production KVM server "hardening"?:

      @Dashrender said in Production KVM server "hardening"?:

      Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
      i.e. layer one creds (cert likely) at VPN
      layer two creds (cert likely) at SSH

      Yes, it has MFA. But you can have MFA on just SSH too. So while yes, you are correct that it does that, but not that it adds something special.

      Well - MFA adds a third thing to the list of what I said.

      No, it's already MFA. MFA is not an additional thing. You literally said "doesn't this allow for two different authentications", that's literally MFA.

      Well then I meant three - the first logon to VPN (which is actually two verifications - creds and MFA) and then a - well I guess - third which is creds to SSH.

      But then add three to SSH. Using totally unrelated technologies to layer authentication is valid, but a weird brute force method to get there. If your goal is just MFA, just do MFA in an elegant, efficient, easy way. Want two factor, do a key and passkey. Want a third, add Duo or Google Auth or Authy. Want a fourth, text your phone or send an email. Want a fifth, do whatever fourth one you didn't do. Want a sixth, have a script check that you are clocked in and at your desk. Want a seventh, do IP locking.

      You can get more MFA factors from any one mechanism than you can use. VPN is often used to get MFA without someone realizing that that is what they were trying to accomplish or without realizing that that is where they are seeing the benefit. And because of that, because it's often done without any evaluation of what is really wanted, it rarely fits the need well. Is it MFA? Yes. Is it a good way to get that MFA? Not really. It's okay, but it isn't great. Lots of overhead to do something fundamentally pretty simple. And it makes the MFA location dependent (in most deployments.) You can bypass the MFA by changing your physical location. In most companies that do this, because they don't realize it is MFA that they are trying to do, they make it really easy to bypass the MFA for most people.

      So how does this all fare against RDP/RDS?
      Many don't want to publish RDP/RDS directly to the internet these days because the protocol has been bent over so badly several times.
      Toss in the fact that a denial of service attack could be placed against users assuming a tie in to a centralized auth system with account lockout after x tries...

      posted in IT Discussion
      Dashrender
    • RE: Frist time Headset ?

      @scottalanmiller said in Frist time Headset ?:

      @Dashrender said in Frist time Headset ?:

      @scottalanmiller said in Frist time Headset ?:

      @Dashrender said in Frist time Headset ?:

      @WrCombs said in Frist time Headset ?:

      Mentioned that I was having issues with my headset to one of my coworkers - I guess we have a standard issue headset offered by the company.

      https://www.amazon.com/dp/B08WJRMW17/ref=cm_sw_r_api_i_3YW5JM7SC9CNTRGQGTVK_0?th=1

      It does seem kinda weird that either a) they supply you with one or b) they reimburse you for providing one of your own.

      Though perhaps we don't have all the information.

      Also weird that they pay for a headset that costs more than an enterprise, top end phone, but make you use a laptop for phones. That's super weird.

      What are you paying for phones? I think the Fanvil x4 was what $65? plus $20 for a headset?

      $75 and $25 last I knew. That's $100. That headset on Amazon is $109.

      This is what I see

      Cool, my business account gets a pretty decent discount.

      posted in Water Closet
      Dashrender
    • RE: Production KVM server "hardening"?

      @scottalanmiller said in Production KVM server "hardening"?:

      @Dashrender said in Production KVM server "hardening"?:

      @scottalanmiller said in Production KVM server "hardening"?:

      @Dashrender said in Production KVM server "hardening"?:

      Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
      i.e. layer one creds (cert likely) at VPN
      layer two creds (cert likely) at SSH

      Yes, it has MFA. But you can have MFA on just SSH too. So while yes, you are correct that it does that, but not that it adds something special.

      Well - MFA adds a third thing to the list of what I said.

      No, it's already MFA. MFA is not an additional thing. You literally said "doesn't this allow for two different authentications", that's literally MFA.

      Well then I meant three - the first logon to VPN (which is actually two verifications - creds and MFA) and then a - well I guess - third which is creds to SSH.

      posted in IT Discussion
      Dashrender