    Posts

    • RE: Time Clock Software?

      @JasGot said in Time Clock Software?:

      a Windows Software based option.

      gross!

      posted in IT Business
      IRJ
    • Choosing a WAF

      I am looking at adding either AWS WAF or ModSecurity to an all-AWS environment.

      ModSecurity

      Pros: FOSS
            CSP agnostic
            Community and paid support
            Wazuh integration already there

      Cons: Additional resource consumption on EC2 instances (potentially causing autoscaling and additional costs)

      AWS WAF

      Pros: No additional resource consumption
            Autoscaling handled by AWS
            Better DDoS protection
            Wazuh integration in latest version of Wazuh agent

      Cons: Unknown costs (many moving pieces like Lambda calls, data streams, and log storage)
            Complexity (lots of Terraform scripting)
            AWS only
      
      posted in IT Discussion
      IRJ
    • RE: Securing SSH

      @JaredBusch said in Securing SSH:

      @IRJ said in Securing SSH:

      You would store your key in an encrypted drive like Druva or OneDrive

      Umm WUT.

      You don't store your key anywhere. Because that makes it useless.

      Are you reusing the same key on different user devices?

      Not your personal key of course. A break glass key for root access. You get a root key for all cloud servers that should be different from your user key. That was the key I was talking about storing.

      posted in IT Discussion
      IRJ
    • RE: Happy Birthday Thread

      giphy.gif

      posted in Water Closet
      IRJ
    • RE: Obtaining hardware from terminated remote employee

      @gjacobse said in Obtaining hardware from terminated remote employee:

      @Dashrender said in Obtaining hardware from terminated remote employee:

      you could make the costs of the equipment part of the hiring contract - you're talking what - $2000? I mean it's not nothing, but is it enough to be wasting much time over? and it's only $2000 when you first send it to them... half that at 1 year old, etc.

      Eh, yes and no,
      Hardware is of course one thing, but what of the data on that hardware?
      It could be design specifications, HIPAA records, financials... all things that are owned by the company.

      You must have some action in place to address this.

      OneDrive and Intune would solve this issue.

      posted in IT Discussion
      IRJ
    • RE: Securing SSH

      @hobbit666 said in Securing SSH:

      I think the common things I've seen so far are -

      Passwordless access i.e. Public/Private Keys
      Timeouts
      Disallow root logon
      Harden Firewall
      Whitelist IPs that can access.

      That is a good quick list, but we can add using a VPN and/or bastion host for access to that list.

      posted in IT Discussion
      IRJ
    • RE: Securing SSH

      @stacksofplates said in Securing SSH:

      Here's some ideas for you. https://mangolassi.it/topic/10391/fairly-hardened-jump-box

      I would also look at CIS benchmarks when creating your images.

      posted in IT Discussion
      IRJ
    • RE: Securing SSH

      @Dashrender said in Securing SSH:

      Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?

      Yes. You would use the same key per user (not server), but have some form of MFA.

      You would store your key in an encrypted drive like Druva or OneDrive

      posted in IT Discussion
      IRJ
    • RE: MFA - who pays for authentication solution?

      @bnrstnr said in MFA - who pays for authentication solution?:

      @Dashrender said in MFA - who pays for authentication solution?:

      for multiple sites? Just what everyone wants, a pocket full of tokens.

      Who cares? If they're going to cry about the tokens give them the option to use their phone. But the tokens are what the company supplies...

      I agree 100%. Give them the option. Most will choose their phone. I guarantee it.

      posted in IT Discussion
      IRJ
    • RE: MFA - who pays for authentication solution?

      @Dashrender said in MFA - who pays for authentication solution?:

      @IRJ said in MFA - who pays for authentication solution?:

      Why not just supply hardware tokens? They are not that expensive.

      for multiple sites? Just what everyone wants, a pocket full of tokens.

      EHR
      email
      2nd EHR
      3rd EHR
      4th EHR
      5th EHR

      it's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.

      That's when you use a service like Okta or JumpCloud.

      posted in IT Discussion
      IRJ
    • RE: MFA - who pays for authentication solution?

      Why not just supply hardware tokens? They are not that expensive.

      posted in IT Discussion
      IRJ
    • RE: Weird thing on O365 account

      @DustinB3403 said in Weird thing on O365 account:

      @scottalanmiller said in Weird thing on O365 account:

      @IRJ said in Weird thing on O365 account:

      Second hack? Then you didn't do your job the first time.

      Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.

      What world are you living in? This is how 99.99999% of IT lives, getting blamed for other people's bad decision making.

      Sounds like an IT problem to me. They shouldn't need to pay for a security expert to pitch MFA.

      posted in IT Discussion
      IRJ
    • RE: Weird thing on O365 account

      @scottalanmiller said in Weird thing on O365 account:

      @IRJ said in Weird thing on O365 account:

      Second hack? Then you didn't do your job the first time.

      Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.

      I mean his job is a consultant for IT. MFA isn't really even security at this point, it's common sense. Unsurprisingly without MFA, they were hacked again.

      posted in IT Discussion
      IRJ
    • RE: Weird thing on O365 account

      @Dashrender said in Weird thing on O365 account:

      @IRJ said in Weird thing on O365 account:

      @coliver said in Weird thing on O365 account:

      Pitch them MFA.

      Nah. Just set it up, and say it's security in place so you won't get hacked again.

      No pitch needed, just do it.

      I don't have that level of authority, I'm an IT consultant for them, nothing more.

      I have a meeting with them tonight (the whole company actually - some training stuff), but in light of this SECOND hack - I'm seriously thinking I ditch all of my current conversation and talk about password managers and 2FA only.

      Second hack? Then you didn't do your job the first time.

      There is really no discussion. It's a must-have and they could lose their Office 365 account otherwise. Their account already has a poor reputation with Microsoft.

      It's not a conversation, it's you do this or I drop you as a client.

      posted in IT Discussion
      IRJ
    • RE: Weird thing on O365 account

      @coliver said in Weird thing on O365 account:

      Pitch them MFA.

      Nah. Just set it up, and say it's security in place so you won't get hacked again.

      No pitch needed, just do it.

      posted in IT Discussion
      IRJ
    • RE: Office 365 Suite - User Licensing T&C

      @JaredBusch said in Office 365 Suite - User Licensing T&C:

      But the answer is O365 licensing is per user. Users get to use it on up to X devices.

      If you have 1 device shared by 3 people, you need 3 licenses.

      You can mark this as solved @DustinB3403 😉

      posted in IT Discussion
      IRJ
    • RE: Office 365 Suite - User Licensing T&C

      @DustinB3403 said in Office 365 Suite - User Licensing T&C:

      I'm pretty certain I know the answer, which is hell no MS isn't allowing multiple people to use a single license (they'd be insane to).

      Not only would MS be insane to allow that, but so would you unless you don't care about accountability at all in your organization.

      posted in IT Discussion
      IRJ
    • RE: BitWarden - Self Hosted for many users

      @scottalanmiller said in BitWarden - Self Hosted for many users:

      @IRJ said in BitWarden - Self Hosted for many users:

      @scottalanmiller said in BitWarden - Self Hosted for many users:

      @IRJ said in BitWarden - Self Hosted for many users:

      You can however use an unofficial Bitwarden server fork that is free.

      Is it a fork? Looks like a separate project.

      Yeah, you are right. I didn't know much about it. My coworker uses it for his personal server and really likes it. When I saw this thread I asked him about it again so I could help @Kelly clear things up.

      Looks perfectly nice, wish it had more of a "showing it off" website.

      He says it's actively maintained and follows BW updates pretty frequently.

      posted in IT Discussion
      IRJ
    • RE: BitWarden - Self Hosted for many users

      @scottalanmiller said in BitWarden - Self Hosted for many users:

      @IRJ said in BitWarden - Self Hosted for many users:

      You can however use an unofficial Bitwarden server fork that is free.

      Is it a fork? Looks like a separate project.

      Yeah, you are right. I didn't know much about it. My coworker uses it for his personal server and really likes it. When I saw this thread I asked him about it again so I could help @Kelly clear things up.

      posted in IT Discussion
      IRJ
    • RE: BitWarden - Self Hosted for many users

      @Kelly said in BitWarden - Self Hosted for many users:

      It is mostly budget. I'm looking at licensing ~2000 users. $6k/per month is more than I could probably get through at this point on a nice to have kind of project.

      If you want to use Bitwarden's official project it is going to cost the same whether you host on prem or cloud. Well, on prem is more expensive since you have to host and maintain on top of per user cost.

      You can however use an unofficial Bitwarden server fork that is free.

      https://github.com/dani-garcia/bitwarden_rs

      posted in IT Discussion
      IRJ