We do our best to block phishing, with Avanan, restricting access from anonymous vpn/ Tor, requiring Intune compliant devices, MFA, 20+ CA rules, P2 licensing blocking risky sign ins, some users with no OWA access, and many more. Despite layer upon layer, if we were compromised, how would we know quickly?

Is there a way to create alerts if a large number of emails to go external users? I found this https://learn.microsoft.com/en-us/defender-office-365/recommended-settings-for-eop-and-office365#eop-outbound-spam-policy-settings but 400 seems way too high for spearphishing, which is what is happening.

M365 tells me the next day that a user may have clicked on a malicious URL, which is a day too late.

What I am looking for is detecting after we have been compromised. The goal of course is not to be compromised but I need plan to detect ASAP in case it has happened. According to Check Point (Avanan), at least 7 partners have been compromised in the past week or so.

thx

Hi

I need suggestions, Im thinking buy a refurbished mbp in Bangalore , India.

So I found a local store here they are selling mbp 16gb , 512ssd, m1 processor for 1 lakh rupees. With 3 month warranty.

And they have replaced the battery now, as it's saying the cycle count is two.

I have a tight budget that's why I'm looking for refurbished.

Shall I go ahead and buy one. Or anything should I check before buying it.

Please share your opinions.

Hi all!

So I am having an issue where around 350 Windows 11 devices will not update off of 21h2. Has anyone ever seen that? One I am testing on when I try to update by hand it just says windows is up to date when trying windows updates. Then if I try to manually install the update it just errors out. Anyone have any ideas?

I've heard about a few options like Uptime Kuma, VisualPing, and UptimeRobot. And if we need something more advanced, there's apparently Zabbix and Nagios, or so I'm told.

To be honest, I haven't messed with this kind of stuff in ages. Our CEO wants me to check out prices for some web tracking tool. They're after something that can tell us what sites people are visiting, what kind of sites they are, and how long they're spending on them.

The folks in charge are pretty tight with the budget, so we're not looking for anything too pricey or over-the-top. So if you guys can recommend something good, that would be great. I believe the ones I have mentioned above are pretty popular on this sub.

I've been in the industry for 10+ years and constantly find myself getting overwhelmed and discouraged about work. I used to be much more enthusiastic and optimistic about work, but lately I feel like I don't have the mental capacity to keep up with things. Officially I am a security analyst and the only person in this role, but I also end up acting as escalated support for end-user issues and system administrator for various systems that others don't have competency with. I am assigned service desk tickets, co-workers stop by my desk or message me on Slack, and I'm constantly applying patches and updates to dozens of systems and applications.

I am familiar with nearly all of our systems and while troubleshooting issues, making configuration changes, or reviewing logs I am constantly discovering things that could/should be improved like ACLs, host hardening, identity management, the list goes on. I really want to fix all of the problems, but I don't have enough time. To try to manage my time better I started blocking my calendar so I'm not interrupted as much.

Management has been aware of my feelings and the lists of needed improvements, but it doesn't seem to matter as much to them (or many others) as it does to me, but I understand they have competing priorities. I am not micromanaged and generally don't feel pressure from management to take care of things, but I struggle with wanting things to be better but not being able to do it all.

The pay is close to or above average considering the sector and location, and there is tremendous job security. I really like where I work, the people are friendly and the environment is pretty relaxed, but I feel an enormous amount of internal pressure. I used to feel a much stronger personal connection with my co-workers, but I think I've turned into an asshole and some people have started avoiding me.

Is this common? I welcome any feedback or suggestions.

We have an old app for which the previous guys made the following concessions in order to get it to run:

1. UAC disabled
2. FULL access to ProgramFiles\AppPath for all Users
3. (probably the worst) FULL access to HKLM\Software for all Users
4. On first launch the program must be run as a user with admin rights on the machine (Run As Different User)

We would like to re-enable UAC, remove the registry ACL, and if possible also the file ACL (though not as important)

If I just revert all of that to default, the program reports a failure to connect to the database, identical behavior to if condition (4) is not met. I thought maybe it was creating system DSNs on the fly---that does not appear to be the case.
If I give access to only the registry keys that seem to belong to that app and give the same file access, I get further but the program gets stuck later on ("loading views" -- whatever that means).

I have tried using the Application Compatibility tools including the Standard User Analyzer but I am not quite sure how to run it (do I run it in a working setup? the desired setup? as an Admin? etc). I've used the App Compatibility tool before to create a virtual registry shim, but this doesn't seem to do the trick here.

I have also tried dialing it back to Windows 98 compatibility mode, this also leaves me at the "loading views" status

Any help would be appreciated

I'm starting to accumulate more powershell scripts that create reports and e-mail them to me. We get reports from Meraki and Armis regularly. It would be pretty awesome to have all of this info displayed in a dashboard. Is there any sort of framework to do something like this? What terms should I be googling here?

I have a strange email problem. When any user in our domain (e.g., user1@domain.com) sends an email to a forwarder in our domain (forwarder@domain.com) that in turn forwards the message to another specific user in our domain (user2@domain.com), it gets rejected as blacklisted spam.

Our domain is not listed in any RBL's, and there's no internal blacklist (e.g., SpamAssassin) with our domain in it.

I can find no reason why an internal forwarder is being blocked by an internal user. I have checked user2's filters and find nothing out of the ordinary.

Does anyone have an insight into this?

Details:

This is running on AlmaLinux 8.10

Here is the failure report I'm getting:

From: Mail Delivery System <Mailer-Daemon@host.domain.com> 
Sent: Friday, July 26, 2024 7:25 AM
To: user1@domain.com
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  user2@domain.com
    (ultimately generated from forwarder@domain.com)
    Your email is spam. You have been blacklisted. 001

In addition, the email report above contains an attachment called "details.txt" which contains the following:

Reporting-MTA: dns; host.domain.com

Action: failed
Final-Recipient: rfc822;forwarder@domain.com
Status: 5.0.0

I have found the following error in the logs:

1 - user2@domain.com (forwarder@domain.com) forwarder@domain.com R=virtual_user_filter: Your email is spam. You have been blacklisted. 001

The R=virtual_user_filter refers to the following section of the Exim configuration:

virtual_user_filter:
    driver = redirect
    allow_filter
    allow_fail
    forbid_filter_run
    forbid_filter_perl
    forbid_filter_lookup
    forbid_filter_readfile
    forbid_filter_readsocket
    domains = \
        !$primary_hostname \
        : ${lookup \
            {$domain} \
            lsearch{/etc/userdomains} \
            {${perl{untaint}{$domain}}} \
        }
    require_files = "+%CPANEL-domain-owner-homedir%/etc/$domain_data/$local_part_data/filter"
    user = "%CPANEL-domain-owner%"
    router_home_directory = %CPANEL-domain-owner-homedir%
    local_parts = ${if exists{%CPANEL-domain-owner-homedir%/etc/$domain_data}{dsearch;%CPANEL-domain-owner-homedir%/etc/$domain_data}}
    condition = "${extract{size}{${stat:$home/etc/$domain_data/$local_part_data/filter}}}"
    file = "$home/etc/$domain_data/$local_part_data/filter"
    directory_transport = address_directory
    file_transport = address_file
    pipe_transport = ${if forall \
        {/bin/cagefs_enter:/usr/sbin/cagefsctl} \
        {exists{$item}} \
        {cagefs_virtual_address_pipe} \
        {${if forany \
            {%CPANEL-user-domain%:$r_suspended_shell} \
            {match{$item}{\N(jail|no)shell\N}} \
            {jailed_virtual_address_pipe} \
            {virtual_address_pipe} \
        }} \
    }
    reply_transport = address_reply
    local_part_suffix = +*
    local_part_suffix_optional
    retry_use_local_part
    no_verify

I am trying to find an ID badge system solution for the company I work for. Looking for some recommendations and also any companies to stay away from? I have used IdentiSys previously but their support wasn’t the best. I don’t have any other point of references though so maybe others are worse and I should just stick with the devil I know? Any help appreciated.

Hi, we all despise TeamViewer, right?

I'm not looking for an EDR, MDM, unattended access, nothing. I'm looking for a service with a Quick Support (incoming connections only) like client that can be branded and distributed with our software for end user support. User opens it, with or without admin rights, they tell us the code and we can connect. We have around 40 people in our CS team who will use it daily.

I'm also not looking for anything self hosted, so please no recommendations for MeshCentral (I use it personally and love it) even though it has MeshAssistant. Also no Anydesk, going from TW to Anydesk is like going from a pile of crap to a slightly less stinky pile of crap.

RustDesk is also a nogo since it doesn't have a QS client.

From what I have been able to Google, Splashtop is the only one.

Good morning all, i'm trying to pull a list of folder only permissions recursively to see who has access to what, the issue i'm running into is, that it's displaying the sid's i was hoping for friendly / human names, and it's pulling files as well. I'd like it to only pull folders.

Command i'm running, icacls H:\data2\docs\* /save c:\user_admin\Tdrive1.txt /T

We had a funny moment during our ISO27001 audit today - maybe one of you is deep enough into Microsofts ISO certifications to help me understand this:

The ISO 27001:2013 certificate for Microsoft Office 365 Services expires on 28.07.2024 (Certificate No: IS 552878)

without an 1:1 replacement.

Microsoft lists that as the main ISO 27001 certification for MS365 Cloud:

https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-27001#office-365-assessments-and-reports

After reading through the documents in the trust center, it seems like they now cover most of the MS365 Cloud Services under a different certificate:

Azure - Dynamics 365 - Online Services - ISO 27001 and ISO 27701 Certificate (5.15.2024)

This uses the updated ISO27001:2022 and could be used as a replacement.
But it seems to not include all services that were covered by the 27001:2013 certificate?!

It does include:

• Entra ID
• Intune

But it doesn't include:

• Microsoft Teams
• OneDrive
• SharePoint
• Exchange

Do I understand that right? Are there any other ressources for details? Shouldn't this be an issue for companies that care about their suppliers certification?

I don't care about the usefulness or anything - I just want to understand it :D

I'd appreciate any insights into this interesting topic of compliance(:

IDK how you guys would deal with this. I literally lost my shit on a call yesterday.

We're reviewing how a product is not living up to one of it's core specifications, timely delivery. A message is supposed to be delivered to a phone within our facility network within 10 seconds.

One of the errors they saw was "Connection reset by peer". They immediately started by saying this shows that the client was in a bad network spot. I reminded them that connection reset means that it received a TCP reset flag on a packet back. If the client was in a bad network spot it would be a timeout instead. This whole thing happened over 2 minutes. I asked why they don't implement pre-emptive timeouts for their http requests...no response.

Next they reviewed one clients logs and said look, there was a whole minute between long lines, the android app is getting suspended. I've never seen such inferences made like that. Log lines are pretty much a developer's take. I then asked if they saw any of the Android life cycle methods being called. No response.

I even asked if they understand that because you sent a push notification via sip to android does not make it an explicit guarantee. They keep responding with the same line, it will because we sent push notification to it.

This was with the senior support on the call. Like legit, the vendor is basically denying reality at this point. I want to scrap this crap.

Edit: wanted to add, this was my escalation too, I've been telling my boss to help line up serious people on their side. This is what they came back with. We've dumped millions in this POS over 3 years now. It only handles 500 concurrent TCP connections on a beefy Windows server (64 CPU, 128gb ram). Also the same vendor that reindexes the phone sqlite db after a single row insert and called it an "engineering decision".

curious... how often do you do office moves? the company I work likes to move to new office every time the lease is up, next year seems particularly bad as three office leases are up so, as you can imagine this becomes a logistical nightmare...

just trying to see if this "normal"

I have around 300 Dell latitude 5440 to prepare with a specific image. These little guys came with a monitor that serves as a docking station and it requires me enable MAC address passthrough becouse sadly our DHCP servers still work with MACs. I wanted to avoid having to go through every laptop enabling the passthrough and disabling the secure boot (in case the server requires it) by having a deployable Bios flash that puts those settings already in the state I want them and then procced with the imaging. In a matter that is more pratical than going to each individual laptop and configuring the bios myself. Is this possible or am I dreaming to high? Ive been searching the interwebs and havent found much. All help and directions are aprecciated.

I'm running an install bash script for power-mailinabox, which always worked just fine, but suddenly doesn't. Of course that means something changed. I had a look at the source file dates and they haven't been touched for almost 2 years, so it must be something in my environment. What exactly eludes me though :-(

I'm reasonable au fait with bash, but this is sneaky.

The initial script is setup/start.sh. In there is this:

# Start service configuration.
source setup/system.sh
source setup/ssl.sh
source setup/dns.sh
source setup/pgp.sh
source setup/mail-postfix.sh
source setup/mail-dovecot.sh
source setup/mail-users.sh
source setup/dkim.sh
source setup/spamassassin.sh
source setup/web.sh
source setup/webmail.sh
source setup/nextcloud.sh
source setup/zpush.sh
source setup/management.sh
source setup/munin.sh

The script completes up to "source setup/system.sh", but doesn't continue with setup/ssl.sh. So I would think the problem is in system.sh.

It starts with:

source /etc/mailinabox.conf
source setup/functions.sh # load our functions

# Basic System Configuration
# -------------------------

which gets the conf file contents and the functions. Then a bit further down:

echo Installing system packages...
apt_install python3 python3-dev python3-pip python3-setuptools \
        netcat-openbsd wget curl git sudo coreutils bc file \
        pollinate openssh-client unzip \
        unattended-upgrades cron ntp fail2ban rsyslog

which is does since the "installing system packages" message appears in on the screen running the setup.

Similary is sets the timezone, generates a random number, creates some keys and set a cron job for updates and this is all done successfully.

Here it becomes strange for me.

# ### Firewall

# Various virtualized environments like Docker and some VPSs don't provide #NODOC
# a kernel that supports iptables. To avoid error-like output in these cases, #NODOC
# we skip this if the user sets DISABLE_FIREWALL=1. #NODOC
if [ -z "${DISABLE_FIREWALL:-}" ]; then
        # Install `ufw` which provides a simple firewall configuration.
        apt_install ufw

        # Check if we have got an SSH server installed.
        # It's not critical for us to have one, so if it isn't installed,
        # no need to open the port
        if [ -x "$(command -v sshd)" ]; then
                # Allow incoming connections to SSH.
                ufw_limit ssh;

                # ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
                # settings, find the port it is supposedly running on, and open that port #NODOC
                # too. #NODOC
                SSH_PORT=$(sshd -T 2>/dev/null | grep "^port " | sed "s/port //") #NODOC
                if [ ! -z "$SSH_PORT" ]; then
                        if [ "$SSH_PORT" != "22" ]; then
                                echo Opening alternate SSH port $SSH_PORT. #NODOC
                                ufw_limit $SSH_PORT #NODOC
                        fi
                fi
        fi

        ufw --force enable;
fi #NODOC

First of all the script uses "apt_install ufw" instead of "apt install ufw". Why? If I try apt_install it obviously fails. The same is done a little lower down: "ufw_limit ssh" should be "ufw limit ssh"

I don't know this block of code completes or not, but the next step certainly does not.

apt_install bind9
touch /etc/default/bind9
touch /etc/default/named
management/editconf.py /etc/default/bind9 \
        "OPTIONS=\"-u bind -4\""
management/editconf.py /etc/default/named \
        "OPTIONS=\"-u bind -4\""

The file /etc/default/bind9 doesn't exist, so it was never done.

Is there something in the ufw block that is wrong and prevents the script from continuing?

There's not a lot of activity on power-mailinabox, so I'd like to learn what goes wrong and fix it. I'm hoping this community can help me do so :-)

Does anyone know if there's a way to script signature creation via the 'new' O365 roaming signature method that is account-based. Everything I'm finding online appears to use the older method and/or the "PostponeRoamingSignatureUntilLater" method, which doesn't seem very future-proof.

We'd like to standardize our company signatures but have them use the 'new' account-based roaming method so we don't have to worry about it breaking in the near future.

We may use a paid solution if we have to, but trying to do this for free if possible using 'built-in' methods.

Hi All,

Worked in the Service Desk area of IT for like 7 years now. Currently a Sr Engineer. I hate it.

Started three months ago and its very isolating and i miss working as a team as i did in my 2nd Line Role.

I think alot of it is due to struggling to work alone and getting distracted due to my ADHD.

Suppose the question is. Does it get better, or is IT work just known as a job you do on your own?

Plus I’m struggling to get anywhere with certifications… Net+ makes my brain melt and Security+ is ok I guess but again i don’t have a home lab currently, not sure what i would do if i had one apart from follow the Microsoft Learn steps for azure etc or study networks via wireshark.

I cannot code, my neuro-spicy brain cannot do it, its really upsetting and i have tried before.

Do i just jump ship and try a new department like marketing and try to include IT maybe in a digital marketing role?

Has anyone else had this type of crisis before?

TLDR: I've worked in IT Service Desk for 7 years and recently became a Senior Engineer, but I dislike it due to isolation and missing team collaboration. My ADHD makes it hard to work alone and stay focused. I'm also struggling with certifications like Net+ and Security+, and I find coding difficult due to my neurodiversity. I'm considering switching to a different field like marketing that incorporates IT. Has anyone else faced this kind of dilemma?

Thanks for reading

Company is expanding our operations hence we procured new servers and set them up in another state.

The servers need VMware esxi to run which was set up using a trial key, which is meant to be replaced with the actual license key later.

Little did we know that Broadcom has disabled the VMware partner associated code (PAC) redemption. Since we had purchased our VMware license from Dell, now we are unable to redeem the license from VMware.

Dell said that they have no idea if and when the issue will be resolved.

Broadcom said to contact Dell. Dell said they are waiting for Broadcom. It’s a mess.

Please advice if any of you have an idea of what could be done at this point.

We have TeamsVoice and we only have about 20 people using it in the office. Most of our users are remotely based but do not get a work mobile so our office will call personal mobile numbers with updates if needed. As these are personal mobile numbers we do not add them to the GAL. To update the telephone numbers of Leavers or New Starters, we upload a CSV to the user's Outlook and let that update their contacts in TeamsVoice. Is there a better way to do this, without buying 200 work sim's?

IS it possible to setup a 2nd GAL and have Teams Voice use this to pull it's number from? Then can we give permission for the 20 Voice users to this GAL.

I am relatively new to the project side of things, and I wanted to see if anyone here can help me understand something.

I inherited a client that was midway through an O365 migration. They have a few on-prem 2013 Exchange servers and the goal is to be fully O365 with ADSync for password sync.

I am nearly finished migrating mailboxes using Remote Move Migrations, and we are nearing the point where we will need to do the final cutover. I was under the impression that we will need to fully uninstall Exchange from all of their on-prem servers except for one, then power off the final server and install Exchange Management Tools somewhere to be able to manage the mailboxes using Powershell. However, the client brought up a good point. In their current configuration, if they want to change a migrated user mailbox to a shared mailbox they need to migrate back to on-prem, change to shared, and do another migration back to O365 (Or just "Set-RemoteMailbox "Test.Mailbox1@exoip.com" -Type Shared" from on-prem).

I feel like I am missing something and there should be a way to have all the mailboxes in O365 with password sync from AD without relying on any on-prem Exchange shell. I hope I did an adequate job of explaining this scenario I am picturing. They want to be able to convert a mailbox to shared directly from O365 instead of having to use the Exchange Management Shell at all. Is there a way to accomplish this?

How you celebrating?

Question for the hive mind that is sysadmin. Has anyone run across an issue where mapped drive disconnect on Entra joined devices. These are AutoPilot. It does not matter if the drive is mapped via Config profile or Powershell from intune. Some of the workstations are on the network in the building and some are remotely connected by VPN. The mapping is still there. It does thro an error “ The local device name is already in use”. I have found if we refresh the file explorer page it reconnects. Just spitballing here could it be the file server disconnecting the drive after a certain amount of time? Any help would be appreciated.

Brought to you by  'Trusted VARs':  u/SquizzOC and u/bad0seed with Trusted Telecom Broker u/Each1Teach1x27 for Telecom.

As always, PMs welcome with your questions any time, not just Fridays.

This weekly thread is here for you to discuss vendor expectations, software questions, pricing, and quotes of services, licensing, support, deployment and hardware. Last Post: July 12th

Required Info for accurate answers:

• Part Number - of utmost importance
• Manufacturer/vendor
• Service Type and Location
• Quantity (as applicable)

All questions welcome, keep in mind that there are of course more pieces to this IT puzzle we can dig out of the box

• Cloud Services - Security, configurations, deployment, management, consulting services, and migrations
• Server configs and quote answers
• Storage Vendor options, alternatives, details and selection
• Software Licensing - This includes Microsoft CSPs
• Network infrastructure - overlay software, segmentation, routers, switches, load balancing, APs…
• Security - Access Management, firewalls, MFA, cloud DNS, layer 7 services, antivirus, email, DLP….
• User gear - Usually you should buy the quote you have unless the quantity is +50 units
• Bandwidth - Internet, MPLS, dark fiber, carrier SD-WAN, Broadband

Hi. Can someone help me to find out if it's possible to disable internal calendar sharing with colleagues? I have already found that it's possible to disable it for external users, but I can't find how to do it for internal users.

Hey, is anyone have issues with the current version of outlook? Meeting disappeared, drafts breaking?

Maybe this belongs in r/no stupidquestions or possibly in r/rant, but it has always annoyed me that when I select to shutdown or restart a Windows server that the OS prompts for a reason and defaults to ‘Other (Unplanned)’. Does Microsoft really believe that most shutdowns or restarts that are initiated by an Admin are Unplanned? The only time one of my servers restarts or shutsdown that is ‘unplanned’ is when the box blue screens. Like WTF? Annoying.

I know that for many, the Crowdstrike fiasco is the end of them. Others see a mistake as inevitable (or multiple mistakes in this case) and that it can create improvements moving forward.

If you were choosing today, would you rule out Crowdstrike?

If you were offered Crowdstrike for free, would you accept?

Our state offers Falcon Complete to government entities for free and I'm weighing the pros and cons. We're scheduled for deployment next week. I tend think a security product like that is a necessary risk. It is hard to know if Crowdstrike is more or less risky at this point. I know we don't have the capacity to completely secure our systems, so we need to trust 3rd parties.

What are your plans moving forward?

Is there some ways of seeing when a local user account was created under windows 10?

Might be a weird question, but i just got a pc from another location where a secondary local admin account is present. Nobody in that location should have admin rights or know the credentials cause they like to do things behind the back of the main location.

So i wanted to check if thats something they did after our deployment last year.