/r/sysadmin

A reddit dedicated to the profession of Computer System Administration.


957,942 Subscribers

1

(Gmail) Google Groups spam filters - Bounced emails

This issue has been a pain, as some internal and external emails sent to our groups are getting blocked. I have already contacted Google about 8 times now and they still couldn't fix it. We and external senders are still getting the block message below:

Your email to group groupname@domain.com was rejected due to spam classification. The owner of the group can choose to enable message moderation instead of bouncing these emails. More information can be found here: https://support.google.com/a/answer/168383.

Here are the configurations we have applied (based on the Google engineers' input):

Group settings

  • Message moderation -> Moderate all messages
  • Spam message handling -> Post suspicious messages to the group

Spam, phishing, and malware settings:

  • Enhanced pre-delivery message scanning -> is currently turned on (should this be turned off?)
  • Email Allowlisting -> added the IP addresses from our previous ESP's safe senders list.
  • Bypass spam filters for internal senders -> enabled
  • Bypass spam filters for messages from senders or domains in selected lists -> created a safe senders lists and added the email addresses and domains from our previous ESP's safe senders list.

Safety:

  • All features are off

Google also said that we are in a trial-like period for 60 days, which is why our filters are stricter. But the 60 days have passed and we still have the issue.

Kindly help, I don't know how to proceed now. I talked to an MSP and they said they could resolve this by implementing INKY. Any thoughts on this approach?

Appreciate all of your help in advance. Cheers!

0 Comments
2024/12/03
22:10 UTC

6

IT not talking to each other

Is it common for IT to barely talk to each other when in different offices in different states?

I am in a sister office where there are only 2 INF and 1 help desk; I am a Jr. SYSADMIN, while the other office has SEC, Development, QA, Networking, and Executives. And I will only exchange a message or 2 a day with anyone over there. We are the last to hear anything, we barely talk to each other in my office, and it's overall super quiet on my side. I am the one messaging anyone at the other office, and trying to get a response is normally an all-day ordeal for anyone in Sec or Networking.

Just want to know if anyone has experienced anything like this and how you all dealt with it.

9 Comments
2024/12/03
21:56 UTC

1

How to stop browsers from attempting to open the local Microsoft Teams app every time you open a teams meeting link when you have already deleted Teams from the computer and want to use the browser only.

tldr; found a way to stop MS Teams meeting links from prompting to use the Teams windows app every time I tried to join a meeting in the browser. Info/Instructions below in case anyone else has this issue too.

I hate the Teams app (all versions) with a passion, but am forced to use it for work calls. I've fully deleted any/all teams apps from my computer, and just do the calls in the browser, however both MS Edge and Chrome still prompt me every time I open a meeting link to open the local Teams app and it drives me absolutely nuts.

In theory, both MS Edge and Chrome are supposed to allow you to block protocols at the per-site level. MS Edge had a "Protocol Handlers" settings section that showed some blocked protocols, but wouldn't let me add them manually, and both of them had the global option to allow/block all sites to prompt for protocols, but I don't want to block protocol handlers at a global level. And while both had site-level permissions options that could be configured (microphone/camera/etc), neither listed protocol handlers as an option at the site-level under teams.microsoft.com, so I needed to find a different way to block the protocols that Teams uses to initiate the prompts.

I finally figured out how to fully stop it from prompting me and figured that there may be others out there who are dealing with the same issue that this may benefit. I'm not domain-joined, just local (other than the obligatory MS account login that Windows 11 so lovingly forces on you these days), so I haven't tested it in that context, but I don't see any obvious reason why this wouldn't work at the domain/GPO level also.

We're in r/sysadmin, so I assume we all know at least a little about how badly registry edits can end up, but obligatory warning just in case.

** Fair warning, this involves editing local GPO and registry, so make a registry backup, not responsible for issues, etc **

  1. Delete all Teams app versions from your computer (there are various ways to do this already out there, so not going to go into detail on this here). A reboot after this step wouldn't hurt.

  2. Open gpedit.msc and navigate to Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies. If you haven't added any SRP yet, it'll show a warning and tell you to select "New Software Restriction Policies" from the "Action" menu. You can also just right-click on the "Software Restriction Policies" header in the navbar and select "New Software Restriction Policies" from there.

    1. Once you select "New Software Restriction Policies", it'll auto-populate the section with 2 new directories, select "Additional Rules"
    2. Right-click and select "New Path Rule". You're going to add the path to where teams /should/ be installed. Different versions may install in different paths, so I added 2 different Path Rules to cover the bases. Set both for a "Security Level" of "Disallowed", then click "OK"
      1. First rule path is "%LocalAppData%\Microsoft\Teams\current\Teams.exe"
      2. Second rule path is "%ProgramFiles%\WindowsApps\msteams_*"
    3. Reboot or run "GPUpdate /Force" from an elevated command/PowerShell prompt.
    4. This alone did not stop the browser prompts for me, though it seems to have worked for others on the web, so if it doesn't work for you, go to the next step
  3. Uninstalling Teams apparently doesn't remove the protocol hooks that it adds to the registry, so next I headed to regedit to delete them ** Second warning, editing the registry is dangerous, proceed at your own risk, I'm not responsible, make backups, etc **

    1. Open Regedit and navigate to Computer\HKEY_CLASSES_ROOT
    2. You're looking for 3 keys: "msteams", "ms-teams", and "msteamscanary"
    3. Right-click and Delete all 3 keys and their contents
  4. You can run "GPUpdate /Force" or reboot again if you want, but once I deleted the keys and clicked on a meeting join link, it finally didn't prompt me to open the local app.

Maybe there are better ways to do this, but this is the only way that I've found to stop the browsers from prompting me to open/install the Teams Windows app. If anyone knows other methods that actually work and don't involve manual registry edits, I'd love to hear them. And if there are any typos, etc in the instructions, feel free to point them out and I'll fix them. All I know is that I'm finally free of this multiple-times-a-day annoyance.

Sorry for the long post, but if there are others out there who hate this as much as I do, or sysadmins that want their users to use the browser instead of having to have the Teams software installed, I hope this helps. I also have a feeling that sooner or later, I'll have to reinstall/upgrade and will be able to save myself some sanity.

1 Comment
2024/12/03
21:55 UTC

1

Connect a USB-C Dock & USB-C Charging Cable to a laptop at the same time?

Dumb question. If I have a 90W USB-C dock, but my laptop requires 140W (via USB-C) to fully charge, can I plug in both my charging cable (140W) and my dock, provided I have two USB-C ports? Will the laptop charge off the 140W charging cable? Or both? Will the dock still work?

4 Comments
2024/12/03
21:41 UTC

1

iPhone Administration

What are you guys doing for recycling of iPhones with employees? We have a good handful of older iPhones that are locked by activation lock and we have to play the game of guessing iPhone passwords or Apple account passwords. Any new devices are being enrolled in Intune and ABM, but is there an easier way for these older devices with accounts we cannot break into?

2 Comments
2024/12/03
21:38 UTC

2

Need to move our email off our server to cloud, what about our mailman server?

We have an old email server we inherited that is nothing but problems (and a gaping security hole); in my view there is no reason a small IT shop should be running their own email server in 2024. I understand we can go with a provider to help us order/setup and migrate our email to Office 365, but my question is, on the same email server we have mailman running for lists we want people to subscribe to. Do we have to keep that mailman server running? If so, how does it know of the cloud to move things back and forth? If not, what is the cloud version of mailman one uses then, that hopefully integrates nicely with Office 365?

3 Comments
2024/12/03
21:37 UTC

1

issues with https://microsoft.com/devicelogin

Is anyone noticing issues with microsoft.com/devicelogin? I've tried to log in using different Internet providers and I'm receiving an error:

An error occurred while processing your request.
Reference #97.xxxxxxxxxxxxxxxxxxxxxxxxxx
https://errors.edgesuite.net/97.xxxxxxxxxxxxxxxxxxxxxxxxxx

Some of my MS Teams devices have logged out and are requiring me to log back in.

edit: I'm not seeing issues relating to this in the Service Health portal.

0 Comments
2024/12/03
21:31 UTC

3

Newer junior sysadmin / network engineer

I have recently retired from the Marine Corps (where I did not do anything regarding IT; I was infantry) and landed a job in the telecommunications world as an entry sysadmin / network engineer. I was hired under full comprehension that I had no prior knowledge. I am incredibly driven and interested in the field, and I have been pretty well taught in the last couple of months, getting up to speed on most systems, infrastructure and operations. But… we have a very small team and the responsibilities are starting to increase, and I hate being a liability. The previous primary admin has taken a promotion and is moving more towards business operations and management, and I need to be able to confidently assume his original role.

The underlying understanding of everything is still a dark haze. I’ve taken a certified course for VMware, the install configure manage (and a majority of my work flow revolves around the virtual space)… but that is as far as certification goes for me. I am looking for a place to start, and I know that infinite access to knowledge exists on the internet, I am just curious if there were any guidelines or even a pipeline to follow, to achieve being able to genuinely understand and comprehend the complexities of this career.

I understand not every networker / admin is going to know the ins and outs of the complexities of ISPs, so I guess I’m phrasing the question more in a general sense (networking), rather than the intricacies of the telecom. We are primarily a Juniper shop, so I have a thought in my mind that CCNA might not be as important, but I could be vastly ignorant. I just want to be able to understand the roadmap, where everything goes, how the processes work, from the ground up, because that’s the only way I feel I’ll be able to actually be confident in operations.

Any advice you could give to a young aspiring networker would be greatly appreciated. I have hit a wall in the learning curve and don’t really know where to turn at this point, besides idling and picking up things as they come.

2 Comments
2024/12/03
21:30 UTC

1

Bypass RD Gateway doesn't work

Hi All,

I've spent a couple of hours troubleshooting but I can't find the reason why our internal clients are sent through the RD Gateway although we have the option "Bypass RD Gateway for local addresses" enabled.

We have the following setup:

Server 1: RD Connection Broker

Server 2: RD Gateway & RD Web

Server 3: Session host

FQDN: rdgw.example.com configured in external DNS and internal DNS.

Clients are in a different subnet than the servers.

From the Windows 10 clients we resolve the internal IP addresses for the gateway, connection broker and session host. I can ping all addresses just fine.

When I use the Remote Desktop app from Windows Store (https://www.microsoft.com/store/p/microsoft-remote-desktop/9wzdncrfj3ps) the bypass function is working just fine.

Is anyone else experiencing the same issue?

0 Comments
2024/12/03
21:26 UTC

24

So I get an incident, I temporarily remediate the immediate issue and then submit a ticket so that the responsible parties can apply the long term fix then I close my own ticket.

My buddies across the ocean analyze the ticket I submitted to them, conclude the facts are indeed factual and begin their scheduling. Then they see I closed my own ticket so they just cancel their ticket and scheduling with no action taken. Am I right to find this mildly infuriating or should I just leave my tickets open even though I've done my part?

30 Comments
2024/12/03
21:25 UTC

1

2x Tenancies SharePoint Access

Hello all

Would like to seek some guidance regarding a recent acquisition under our parent brand.

The newly acquired company currently operates its own Microsoft 365 tenancy (Tenant 1) and uses SharePoint for file storage. As part of the integration process, we aim to migrate their SharePoint data to our tenancy (Tenant 2).

To ensure a seamless transition for their end-users, we would like to configure access so that:

  • End users can continue using their existing Tenant 1 credentials to log in to their PCs.
  • End users can access SharePoint in Tenant 2 with their Tenant 1 credentials, enabling them to interact with their migrated data without needing additional login steps.

Our Goal:

  1. Users log into their PCs with Tenant 1 credentials as they do currently.
  2. Users access the migrated SharePoint data in Tenant 2 using their Tenant 1 credentials.

Thinking B2B sync with Tenant 1 users as possible guests in tenant 2?

Could you advise if this configuration is possible and, if so, how we could implement it? Alternatively, if there are other solutions to achieve this seamless user experience, we would appreciate your recommendations.

Thank you for your help.

0 Comments
2024/12/03
21:19 UTC

0

Recommendation Server Proxmox

I need a recommendation for a server which has Proxmox as host OS, and it should run 4x Windows Server and one NVR on Linux. The average RAM per Windows VM should be 32GB. Heavy loads. Which server would you recommend? It shouldn’t be too expensive. I’d also like to know if single or dual CPU, and SAS or SATA storage.

Thank you fellas!

1 Comment
2024/12/03
21:17 UTC

7

Dear vendors, please give us callback options!

I've been stuck on hold with a vendor support line for an hour and can't get anything else done because it would require calling someone else.

Why doesn't everyone have callback options, or better yet, a ticket submission system? How are we not there yet in society?

Update: Was on hold for 83 minutes. Technician resolved the issue in less than 5.

4 Comments
2024/12/03
21:09 UTC

0

Printers unavailable for ~45 mins when no connection to print server

I have a user who has an issue where all printers (including print to PDF etc.) are not available for around 45 minutes. After 45+ minutes the printers appear and are usable.

This user is in a remote location without a connection to the main office, so no connection to the print server without the user manually starting a VPN.

When the user does start the VPN the printers are available within a few seconds.

I don't remember ever seeing this issue before, and we have already given the user a new laptop (clean Windows 11 install with all driver/windows updates) but the issue stays the same.

Has anyone seen this issue before? Usually when you have no LoS to the printers, those specific printers should just be unavailable, right? Not all printers?

0 Comments
2024/12/03
21:08 UTC

0

Autodesk compliance

Hi, I am an architect from India. Just started my own firm after working for a firm for 3.5 years. We got 3 AEC Collection licences for our 3 employees, which includes me and my partner. Also purchased some second-hand desktops because of the capital crunch. We recently got an email from Autodesk that highlights two cracked Revit installs on the same machine that is also hosting the genuine licences. It was quite a shock to me because we already have proper licences, and why would we even bother to use cracked software on the same system already holding original licences? I have been trying to explain the situation to the Autodesk guy but he keeps on forcing me to buy two additional licences to make the whole thing disappear. They also shared a snippet showing our PC name and serial number along with cracked keys and genuine keys too. I have drafted a whole email expressing everything in detail along with proof of the invoice for the genuine licences. In the trailing mail they have asked their legal counsel to take the case forward. What should I do?

17 Comments
2024/12/03
20:53 UTC

1

Question about unified MFA Migration on Azure AD; will it affect CBA ?

TLDR; - will the new unified MFA system we need to migrate to affect CBA at all, and if so in what way (can you find documentation? I can't)?

Microsoft are enforcing a unified MFA policy which we all need to migrate to by 30th Sept 2025.

I want to be on the ball with this and get everything in place, I would like to switch it to migration complete some time soon.

We use Windows Hello for authentication on the workstations; the workstations are Azure AD joined.

Most of our day-to-day work is done inside of an RDS environment; the users authenticate to this via SCEP, which is set up via an NDES service (like this) https://www.reddit.com/r/sysadmin/comments/k0zp4l/use_whfb_on_azure_ad_joined_workstation_to_access/

We have M365 Business Premium Licenses.

The RDS hosts are hybrid joined to our local domain and Azure AD.

The certificate also has some properties to let it be used for SSO in Azure AD, and we have some rules set up to allow certain certificates to X.509 stamp the session to count as multi-factor authentication.

This is technically multi-factor.
Factor 1 = the Azure AD joined hardware (which must be added to a security group by an admin), Factor 2 = the user's WHfB login (user must also be added to a security group).
Admin accounts do not have this kind of MFA set up, only Microsoft Authenticator.

The certs cannot be exported with their private key from the machine, so they can't be moved to different hardware (unless there is an exploit for this)

There are lots of articles explaining how all the different MFA options get affected by the migration:
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods-manage
https://agderinthe.cloud/2024/10/18/another-deadline-another-deep-dive-legacy-mfa-authentication-methods-deprecation/

But I can't find anything talking about certificate-based authentication for SSO, and I need to know about this (specifically for using multi-factor on low affinity).

Annoyingly, if I switch our tenant to "Migration complete" it seems to take 5-6 hours to take effect! (This broke things last time I did it: MFA did not work and it redirected many users to an error page, not even giving them MFA options, but this was before we had CBA/SSO set up properly with AAD joined RDS hosts.) Switching it back to "Migration pending" seems to take about the same, so it's not easy to do a quick test.

So does anyone know, or can anyone point me in the right direction/documentation to find out, how the new MFA policies after migration affect Certificate Based Authentication?

0 Comments
2024/12/03
20:41 UTC

2

How do I setup Entra CBA as a second factor auth?

I have been tasked with setting up a POC for phishing-resistant MFA. The expected workflow is the user inputs their password, and then selects their certificate.

I have the authentication method for CBA set up as multi-factor, and assigned it to my test group. At this point the cert works in lieu of a password for users in that group and will log in without a second factor (not expected).

I then set up the conditional access policy for phishing-resistant MFA, and that uses the cert as my second factor and works as expected.

So, how do I make the cert stop working as a password, and only work as MFA?

6 Comments
2024/12/03
20:40 UTC

1

Should I restrict Confluence articles to only /h2 in an article considering the title is an /h1?

Hi there,

I wrote many, many Confluence articles but realized that my articles are using /h1 for each section and /h2 and /h3 within them. I was reading that this is not standard and that only one /h1 should be used, which is generally the title itself. Is that correct? Do I need to stick to only /h2?

Thanks!

2 Comments
2024/12/03
20:33 UTC

3

Is it a good idea to use a Domain Controller as an NTP server for non-domain joined machines?

I currently have my PDC (Server 2019) getting time from an Internet time provider. Then my secondary DC (Server 2019), gets time from the PDC and all domain joined machines get time from whichever DC they connect to, which seems to be a standard setup.

I also have a standalone server, NTP.domain.com, that other machines and appliances connect to to get the time. I want to eliminate this server and use one of my DCs as an NTP server. I see there is a way to set up a DC (or any Windows Server) to act as an NTP server (https://www.reddit.com/r/sysadmin/comments/135spx4/ntp_server_for_nondomain_joined_pcs/). So, as per my title, is it a good idea to use either DC as an NTP server?

13 Comments
2024/12/03
20:16 UTC

4

Mass Reset of Windows Hello for Business

Does anyone know a way to reset WHfB for every user all at once?

I recently had the WHfB PIN break for every user because the domain controller CA that handled the auth has been decommissioned.

I am looking at setting up cloud Kerberos trust for my users. Does anyone have experience with this and know the best way to mass re-enrol every user to use cloud Kerberos trust instead? Ideally I would like to do this without resetting everyone's TPM, if possible.

Thank you.

4 Comments
2024/12/03
20:05 UTC

0

AT&T rejects our emails

We use Office 365. We enabled DMARC/DKIM/SPF not too long ago. We have no problem sending emails to anyone except AT&T. I called AT&T email support and they admitted the issue was on their side and they would fix it within 48 hours.

However, 10 days have passed and the issue is still there. I have spent a lot of time calling AT&T and waiting in the queue. It just wastes my time, and my users are still complaining after I explained to them that the issue is on AT&T's side.

I suspect one of the DNS servers which AT&T's mail server uses is not up to date. It still has our old record from before DMARC was enabled, and thus rejects our email.

It's so frustrating. Any suggestion what I should do now?

Thanks in advance!

15 Comments
2024/12/03
20:00 UTC

16

Sister company is splitting off, they asked me to be a 1099 employee for them.

With the sister company leaving they're taking about a half dozen employees off my plate. They'll have to get new computers and some servers. They're still working out the details but basically what I want to bounce off you guys is what kind of rate you would charge for part time work? Is a minimum per week unreasonable? I'm not sure I'm totally interested in more work but the extra money would be nice.

24 Comments
2024/12/03
19:57 UTC

1

New outlook issues

I added some RSS feeds to my "old"(classic) Outlook account, but it doesn't show in new outlook or in the Mobile app, even though they both have the menu section for RSS feeds. Even the folders for the specific feeds are visible, but they show as being empty. I already ticked "Synchronize Outlook RSS Feeds with Common Feed List" but to no avail.

0 Comments
2024/12/03
19:56 UTC

0

AI Ticket Formatting Tool to help devs not waste time

I work on my company's internal resources software (our intranet) as a dev. Employees within the company enter help tickets when something goes wrong. These tickets are often extremely vague and require follow-up. It seems no matter how meticulously we set up a form to eliminate this follow-up, the tickets are still vague enough to require follow-up in every case.

I just want to be able to receive a ticket and then have a really good idea of how to solve it. To do this, I'm thinking of building an AI chatbot that will eliminate as much follow-up as possible, so that when an employee makes a really vague ticket, the AI chatbot responds by asking them to provide specific steps to replicate, etc.

At the end of the day I get a cleanly formatted and specific ticket automatically posted to Jira that I can work on.

Feel free to roast/destroy this idea, but if you think it has potential, I'd love to know that too! Perhaps some of you are already doing this.

5 Comments
2024/12/03
19:52 UTC

1

M365 GCC Win 11 Enterprise Licensing

For those of you who have set up smaller GCC tenants, how have you managed to obtain Windows 11 Enterprise? We are under 250 users/devices, so we would not be eligible for EA or MPSA. Currently purchasing M365 G3 licensing through a CSP that does not do EA or MPSA. I have a commercial tenant (no EA/MPSA) with E3 licensing, and the license there shows up as "Windows 10/11 Enterprise (Original)". Microsoft support told me I need to order the VRM-00001 SKU to make the license available for the user. The SKU is only available to those with EA/MPSA. I can't seem to wrap my head around why Microsoft does this for a GCC tenant and not Commercial. Any insight would be much appreciated.

TIA

EDIT (more info):
To get Windows 11 Enterprise you need to order the $0 VRM-00001 SKU, this can only be obtained through an Enterprise Agreement which we cannot get due to our size.

9 Comments
2024/12/03
19:46 UTC

43

Interns

I can’t. The help mgr hired this intern. Took 5 minutes trying to plug in network cable into jack today on the desk, not under. Where you can visibly see all the ports.. I was like how was he hired. My first encounter with him, I was trying to show him some things and I see him sitting next to me weaving Naruto hand signs. I’m like wtf

My boss had him put up the Xmas tree. I walked by and this is what he did.

https://imgur.com/a/y27g4Ip

42 Comments
2024/12/03
19:26 UTC

2

Users “Versions” folder in their mailbox is 105GB?

We use Exchange Online, and a user is having issues with their mailbox and people getting a “mailbox is full” alert when trying to send them something.

I took a look, and they’re only using like 11% of their quota, but digging deeper I found their “Versions” folder in their recoverable items is at 105GB. I suspect this is the issue, but I’ll be damned if I can figure out how to get rid of all that data. They’re not on a Lit Hold or anything, and that stuff just can’t be deleted.

I attempted to follow MSFT's article on it, but that didn’t help either. Does anybody have any experience with this or any advice?

7 Comments
2024/12/03
19:22 UTC

5

Documentation Control

Hey Gang, what do y’all use to manage your documents; how to’s, end user guides, installation notes, so on and so forth?

We have a cluttered mixture of Word docs, txt files, and a few PDFs. Anyone know a better solution than just dumping them into a folder?

12 Comments
2024/12/03
19:19 UTC

2

Migrating on-premise Active Directory - Help-a-noob

Hello, helping a non-profit organization as one of my first experiences with Windows Server. They have a simple setup:

  • MS Server 2012
  • 1 hosted app for clients within the LAN
  • Active Directory, no other roles
  • 4 domain joined workstations
  • DC is running on the physical server.
  • There is only a handful of GPOs, not worried about those.

The current domain was set up a long time ago and it is named .LOCAL, which I read is not best practice anymore.

My plan is to:

  • Migrate to Server 2019
  • Create new domain using an owned TLD
  • Set up DC in hyper-v
  • Create trust relationship and migrate all objects to new domain

-----

My question is related to what happens once migrated:

  • Do the workstations require any config?
    • Will users still log in to their regular user profiles, or would they have to use a new user profile?
      • Users are on the M365 platform so they use word, excel, etc. They use Sharepoint online to collaborate, all else is through the browser.
  • Any other tips? Excited about cleaning up and setting that up properly. Thanks

**Forgot to say, the hardware is getting migrated as well to a newer box.

13 Comments
2024/12/03
19:12 UTC

0

RDS Web and Brute Forcing

Greetings all, just seeing if there is something I'm not considering as a sysadmin for a particular situation.

Obviously if a client has an exposed RDS web gateway server, brute forcing is going to happen, and when the attacker gets a list of users (from a past email compromise, etc.) this will cause lockouts of AD accounts, as expected.

But as for options to prevent this, these are all the ideas we've come up with.

- Block all access to the website except the US, via geolocation policies
(Not really a solution as the attacker can change their location via proxies)
- Block all access to the website and make users VPN into the network first, then access the website
(here the VPN could still be brute forced, but the hope is the process, and firewall IPS/IDS would stem the attacks enough to make the users go away)
- Set up MFA for the users, then hope that is good enough, and disable the GPO policy locking the account after failed attempts. Not a huge fan of this one.

Appreciate any other ideas!

6 Comments
2024/12/03
18:57 UTC
