    • RE: Looking to Buy a SAN

      I think this is pretty far off topic from "Looking to buy a SAN" even for MangoLassi lol.

      posted in IT Discussion
      IRJ
    • RE: File permission and samba help needed

      Switch to a modern solution and leverage the identity service you are already using.

      Use a solution like OneDrive, Box, Dropbox, etc.

      Adding users and groups in Linux for a file server only is time consuming and will actually lead to a security issue called privilege creep, where you aren't properly managing a decentralized system and removing permissions/group membership as users' roles and needs change.

      Too much complexity to save a tiny bit of money and create way more headache on arguably the most important aspect of the business (data).

      posted in IT Discussion
      IRJ
    • RE: Linux History: Not clearing between -

      Also, what if an incorrect command screws something up? Then you lose your ability to check history for troubleshooting. You should never be deleting any history.

      posted in IT Discussion
      IRJ
    • RE: AWS - Move instance to a Host Resource Group

      Generally you don't move instances. You create new ones. You need to snapshot your EBS volume and create an AMI based on that EBS snapshot. Then you create your new instance.

      posted in IT Discussion
      IRJ
    • RE: Who do you use for a 1U RackmountPC?

      @JasGot said in Who do you use for a 1U RackmountPC?:

      I need a rackmount PC that will run Windows 10 pro. Must have room for 4 3.5" hard drives.

      I guess I'll ask it since nobody else did....

      Why?

      posted in IT Discussion
      IRJ
    • RE: Sell the business??

      @black3dynamite said in Sell the business??:

      @siringo said in Sell the business??:

      If I get hit by that bus, they will be in trouble.

      That's not good, how up to date is your documentation, disaster plans, etc...

      Yeah basically if you do these things you don't have to worry about what happens when you retire to the beach.

      I doubt you can sell them as a client. Maybe if you had tens of clients you could sell the business. But with one SMB client, it's not worth much.

      If that customer decides to cancel then they would lose everything you sold them. Which is why no one is willing to buy one SMB client. I'm sure you can find someone who can take over for free, but I'd only worry about that on my way out.

      posted in IT Discussion
      IRJ
    • RE: Yet another way Azure sucks

      @JaredBusch said in Yet another way Azure sucks:

      When you want to delete a virtual machine, you have to clean up all the its manually.

      There is not even an option to remove everything at once.

      This is by design, because all your resources are separate. Companies that leverage Azure/AWS are not using the console to deploy resources for this very reason. Using infrastructure as code is the only way to go. Both Azure and AWS offer their own IaC at no cost, but you can use Terraform as an open source cloud neutral deployment method as well.

      Azure VMs and AWS EC2 are not VPS as you know. AWS does offer VPS style servers called Lightsail. It's more affordable than EC2 and you would be able to delete with one click like you're used to doing. Of course you don't get all the other features like advanced networking, storage, etc.

      posted in IT Discussion
      IRJ
    • RE: RDP Security / Hardening

      @scottalanmiller said in RDP Security / Hardening:

      Let's start with understanding the need. Why is RDP open at all? Is it only open to the LAN, or is it open to the world?

      Yeah that is a much bigger concern than simultaneous connections.

      posted in IT Discussion
      IRJ
    • RE: Changing subnet mask?

      @jaredbusch said in Changing subnet mask?:

      @irj said in Changing subnet mask?:

      How do you move to zero trust model without network segmentation?

      Using a VLAN does not have anything to do with zero trust. Actually, using a VLAN implies you are still using a LAN trust model for the things within the VLAN.

      Yeah, ideally each application would be separated. In enterprise, it's done on each tier within the application. Also you would just want to whitelist specific traffic needed and allow nothing else.

      I didn't recommend zero trust in my first response due to the amount of effort. I did recommend not having a flat network and using simple VLANs and a firewall. At a minimum, separate your servers and block access there.

      posted in IT Discussion
      IRJ
    • RE: Network Admins: What are your daily BEST PRACTICE

      @travisdh1 said in Network Admins: What are your daily BEST PRACTICE:

      @scottalanmiller said in Network Admins: What are your daily BEST PRACTICE:

      @mrwright4hire said in Network Admins: What are your daily BEST PRACTICE:

      @dbeato said in Network Admins: What are your daily BEST PRACTICE:

      @mrwright4hire said in Network Admins: What are your daily BEST PRACTICE:

      What are some

      You should always have good old Wireshark, nmap included and a great network scanner.

      @dbeato what do you use for a network scanner? I use Advanced IP Scanner.

      I use nmap, so much faster and easier.

      Generally a full subnet scan using nmap is much slower than Advanced IP Scanner.

      I'm annoyed that I even know this right now, such is the state of the documentation we have.

      You aren't using Nmap properly... It's so configurable and definitely faster than any GUI scanner.

      posted in IT Discussion
      IRJ
    • RE: Nextcloud: unable to ssh or sftp

      Use SSH keys and whitelist your IP using the Vultr firewall. When your IP changes, log in to the Vultr console and add it.

      Much safer and way easier.

      posted in IT Discussion
      IRJ
    • RE: New hire, make him SET-UP his own pc?

      Hopefully the process is already documented. If it isn't documented yet, that is something that should have already been done. Nothing wrong with having someone following a documented process.

      If not documented currently, it's just a huge annoyance and hindrance to doing his actual job. You could use this as an opportunity to guide him and have him document the process, however.

      posted in IT Discussion
      IRJ
    • RE: VPN vs SDP?

      @gjacobse said in VPN vs SDP?:

      Because - a LinkedIn advert is where you want to learn from - but taking a referenced technology FROM there and doing your search and learn.

      This advert implied that SDP is the next thing to replace a VPN - Oh-kay what is it. What is an SDP and why would I want to investigate it.

      That's not really a great comparison. VPN and SDP are truly apples and oranges. A lot of websites do try to compare SDN to VPN for some reason. I think that might be because some legacy places think VPN equals security. Yet they have flat networks with virtually no firewall rules.

      I think it's easier to think about the zero trust model, which will require you to use SDN concepts. Zero Trust has been industry standard for probably a decade. Many companies are choosing to make the transition to ZT as they move workloads to the cloud. Cleaning up enterprise on premise networks can be a nightmare, which is why many have made the transition in tandem with moving to public clouds.

      Another reason they are being done on cloud workloads is because the major public clouds deny traffic by default. The fact that things don't work out of the box with all access blocked does a lot to encourage only opening what you absolutely need.

      Zero Trust defends your biggest threat, internal actors. Internal actors can be malicious or just plain stupid. Both are extremely dangerous in an on premise network. VPN does nothing to protect you since they are employees who have VPN access.

      posted in IT Discussion
      IRJ
    • RE: Does a script imply Automation?

      @dafyre said in Does a script imply Automation?:

      TLDR; That depends.

      Does your script run entirely without human interaction? Then yes, it's automation.

      If it's a script you run by hand to manually accomplish a certain set of tasks that requires your input, then no, it's not automation.

      I disagree. You can require input and still have automation. Fully automated and automated are two different things.

      posted in IT Discussion
      IRJ
    • RE: Does Mesh Central support blanking remote screen

      @scottalanmiller said in Does Mesh Central support blanking remote screen:

      @jaredbusch said in Does Mesh Central support blanking remote screen:

      @scottalanmiller said in Does Mesh Central support blanking remote screen:

      Why load? Most of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.

      Logging in to a remote system with potential PHI active on it without a user present? Never. Your entire scenario is a PHI data breach.

      Hence the need to blank the screen so that it is the same as any VDI style medical system.

      No, he's saying IT should not have unmonitored access to PHI data. You are logged in as that user so it's not really auditable.

      posted in IT Discussion
      IRJ
    • RE: GKE Auto Scaling down to shut down resource usage and save costs.

      Scale Down

      ######################################
      ## Save Deployment State (excludes kube,mongo,k8 pods)
      ######################################
      
      kubectl get deploy -A --no-headers | grep -v -E 'kube|mongo|k8s-api-proxy' > deploy_state_before_scale.txt
      
      ######################################
      ## Copy Deployment State to GCS Bucket
      ######################################
      
      gsutil cp deploy_state_before_scale.txt gs://<app1>
      
      #######################################
      ## Scale Deployments to zero
      #######################################
      
      kubectl get deploy -A --no-headers | grep -v -E 'kube|mongo|k8s-api-proxy' | awk '{print $1,$2}' | while read -r NS DEPLOY; do kubectl scale --replicas=0 "deployment/$DEPLOY" -n "$NS"; done
      
      #######################################
      ## Scale Daemons to zero
      #######################################
      kubectl -n <namespace> patch daemonset <name-of-daemon-set> -p '{"spec": {"template": {"spec": {"nodeSelector": {"non-existing": "true"}}}}}'
      
      
      #######################################
      ## Turn off Autoscaler on GKE nodepools
      #######################################
      
      gcloud container clusters update <app1-cluster> --no-enable-autoscaling --region <region>  --node-pool <app1nodepool1>
      
      gcloud container clusters update <app1-cluster> --no-enable-autoscaling --region <region>  --node-pool <app1nodepool2>
      
      
      #######################################
      ## Resize Node Pools to zero
      #######################################
      
      gcloud container clusters resize <app1-cluster> --num-nodes 0 --region <region>  --node-pool <app1nodepool1>
      
      gcloud container clusters resize <app1-cluster> --num-nodes 0 --region <region>  --node-pool <app1nodepool2>
      
      
      

      Scale Up

      
      #######################################
      ## Resize Node size to 1 for each node pool
      #######################################
      
      gcloud container clusters resize <app1-cluster> --num-nodes 1 --region <region>  --node-pool <app1nodepool1>
      
      gcloud container clusters resize <app1-cluster> --num-nodes 1 --region <region>  --node-pool <app1nodepool2>
      
      
      #######################################
      ##  Turn Autoscaling Back on
      #######################################
      
      gcloud container clusters update <app1-cluster> --enable-autoscaling --region <region>  --node-pool <app1nodepool1>
      
      gcloud container clusters update <app1-cluster> --enable-autoscaling --region <region>  --node-pool <app1nodepool2>
      
      #####################################################
      ## Copy Saved Deployment State from GCS bucket
      #####################################################
      
      gsutil cp  gs://<app1>/deploy_state_before_scale.txt . 
      
      
      
      #####################################################
      ## Scale deployments using the previously saved state file
      #####################################################
      
      awk '{print $1,$2,$4}' deploy_state_before_scale.txt | while read -r NS DEPLOY SCALE; do kubectl scale --replicas="$SCALE" "deployment/$DEPLOY" -n "$NS"; done
      
      
      #####################################################
      ## Scale Daemons back up
      #####################################################
      
      kubectl -n <namespace> patch daemonset <name-of-daemon-set> --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/non-existing"}]'
      
      posted in IT Discussion
      IRJ
    • RE: How safe are images on docker hub ?

      @BraswellJay we don't allow public Docker images to be loaded on our network. What we do is download any images that are needed and upload them to our own Docker registry. We use GCR on Google Cloud, but you could use AWS or Azure as well. Each of those providers has vulnerability scanners built in, so anytime you upload an image, it is scanned automatically.

      posted in IT Discussion
      IRJ
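
      One way to check the "no public images" rule from the post above, as an added example that is not IRJ's code or any vendor's tooling: it pulls `image:` references out of a Kubernetes manifest and flags any that do not resolve to the approved private registry. The prefix `gcr.io/example-project/` and the sample manifest are constructed for illustration.

```python
import re

# Assumption: the organisation's private registry path (hypothetical value).
ALLOWED_PREFIXES = ("gcr.io/example-project/",)

# Matches "image: ref" and "- image: ref", with or without quotes.
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\s\"'#]+)", re.MULTILINE)


def normalize(ref: str) -> str:
    """Expand an image reference to registry/repository, dropping tag and digest.

    Docker treats the first path component as a registry host only when it
    contains '.' or ':' or is 'localhost'; anything else is pulled from
    Docker Hub, with 'library/' implied for single-name images.
    """
    name = ref.split("@", 1)[0]                 # drop @sha256:... digest
    head, sep, last = name.rpartition("/")
    name = head + sep + last.split(":", 1)[0]   # drop :tag from last component
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return name
    if "/" not in name:
        name = "library/" + name
    return "docker.io/" + name


def is_allowed(ref: str) -> bool:
    # The trailing '/' in each prefix stops look-alike project names matching.
    return normalize(ref).startswith(ALLOWED_PREFIXES)


def disallowed_images(manifest_text: str) -> list[str]:
    return [r for r in IMAGE_LINE.findall(manifest_text) if not is_allowed(r)]


# Constructed sample manifest fragment.
SAMPLE_MANIFEST = """\
spec:
  containers:
    - name: web
      image: gcr.io/example-project/nginx@sha256:0123abcd
    - name: cache
      image: redis:7
    - image: "gcr.io/example-project-evil/nginx:latest"
      name: lookalike
  initContainers:
    - name: init
      image: bitnami/kubectl
"""

if __name__ == "__main__":
    for ref in disallowed_images(SAMPLE_MANIFEST):
        print(f"DENY {ref} -> {normalize(ref)}")
```

      A check like this fits in CI or a pre-deploy hook; it complements, rather than replaces, the registry's own vulnerability scanning.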
    • Steam Deck - The Linux mobile hardware and OS we have always wanted

      I got a Steam Deck last week, and to say I am loving it is an understatement. This thing is a laptop killer for my uses, anyway. It runs a modified version of Debian and has a read-only file system. Read more about it here.
      https://store.steampowered.com/steamos

      The Steam Deck runs in two different modes:
      Game Mode
      Desktop Mode

      Game Mode is basically the Steam App optimized for the Steam Deck. It is similar to Microsoft's Xbox interface as far as functionality and what we expect for gaming consoles.

      Desktop Mode is a full KDE environment. In this mode, you use the touchpad on the deck to navigate like you would on a laptop. It works as expected (basically a laptop with a small screen), but it definitely isn't optimized for controller use.

      posted in IT Discussion
      IRJ
    • RE: PS ISE: Unsaved Projects

      @gjacobse said in PS ISE: Unsaved Projects:

      Right now, I'll have to pencil GIT onto the project list. I just don't have the bandwidth to investigate it right now. If the unsaved scripts are lost,... they are lost - my own fault and I recognize that. I had some hope that I could recover them.

      I just have too much going on to take on another project I can't truly invest time into. If I start something, I'll just have to ensure I save it - I think I saw something about making PS:ISE autosave....

      Thank you for the suggestions and recommendations.

      It took more time to write this post than it would to create a git repo.

      posted in IT Discussion
      IRJ
    • RE: Who Has Gravatar Issues

      Tesla!

      posted in Platform and Category Issues
      IRJ