[sysadmin] on-call schedule - Always you

Posts

  • Feral
    Tangentially: automated emails going to staff who have no responsibility over or interest in the system generating the emails is both a ubiquitous problem and one of my biggest pet peeves.

    It only takes a little extra effort to configure email alerts properly and saves so much time & cognitive load over the long term. Yet very few people actually bother.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Thawmus
    At the end of the day, the most annoying spoofing I deal with is name spoofing. Someone sending an email from asdkfjhbsadfkjbsdf@gmail.com but their Display Name is "Thawmus"

    My only recourse there is for the user to see that the email address is horseshit. That's it, that's all the security I can offer.

    Twitch: Thawmus83
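A defender-side check for the display-name spoofing described above, as an added example that is not from this thread: it parses a From: header and flags a message whose display name matches a known staff name while the address sits outside the organisation's own domains. The domain list, the staff names and the three sample headers are constructed for the demo.

```powershell
# Added example (not from the thread). Flag inbound mail whose display name
# matches a known internal user while the address is not one of our domains.
# Constructed/assumed: the internal domain list, the staff name list and the
# sample From: headers at the bottom.

$InternalDomains = @('example.com', 'corp.example.com')   # assumption
$KnownStaffNames = @('Thawmus', 'Jane Doe')               # constructed list

function Test-DisplayNameImpersonation {
    param(
        [Parameter(Mandatory)] [string]   $FromHeader,
        [string[]] $Domains    = $InternalDomains,
        [string[]] $StaffNames = $KnownStaffNames
    )

    # Accept  "Name" <user@host>,  Name <user@host>,  or a bare  user@host
    if ($FromHeader -match '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $name = $Matches['name'].Trim()
        $addr = $Matches['addr'].Trim()
    }
    elseif ($FromHeader -match '^\s*(?<addr>[^\s<>"]+@[^\s<>"]+)\s*$') {
        $name = ''
        $addr = $Matches['addr']
    }
    else {
        return [pscustomobject]@{
            From = $FromHeader; Name = ''; Address = ''
            Verdict = 'unparseable'; Reason = 'From: header did not parse'
        }
    }

    $domain     = ($addr -split '@')[-1].ToLowerInvariant()
    $isInternal = $Domains -contains $domain
    # Case-insensitive exact match on the display name only; look-alike
    # characters (Cyrillic a, zero for o, ...) are NOT caught by this check.
    $nameHit    = $StaffNames | Where-Object { $_ -ieq $name }

    if ($nameHit -and -not $isInternal) {
        $verdict = 'suspect'
        $reason  = "display name '$name' matches staff but address is external ($domain)"
    }
    else {
        $verdict = 'ok'
        $reason  = ''
    }

    [pscustomobject]@{
        From = $FromHeader; Name = $name; Address = $addr
        Verdict = $verdict; Reason = $reason
    }
}

# Constructed sample headers: the spoof from the post, a genuine internal
# sender, and an unrelated external sender.
$Samples = @(
    '"Thawmus" <asdkfjhbsadfkjbsdf@gmail.com>',   # suspect
    'Thawmus <thawmus@example.com>',              # ok (internal domain)
    'newsletter@vendor.example'                   # ok (no staff name)
)

$Samples | ForEach-Object { Test-DisplayNameImpersonation -FromHeader $_ } |
    Format-Table From, Verdict, Reason -AutoSize
```

The same comparison is what mail-gateway "impersonation protection" rules do; the value of scripting it is that the staff list and domain list are yours to maintain, and a 'suspect' result can drive a banner or quarantine rather than relying on the user noticing the address.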
  • SiliconStew
    Feral wrote: »
    Lemme clarify a bit; what I've found (twice now) is that the email link scrubbers don't work appreciably better than plain old web filtering and spam filtering, and tend to catch the same types of low-hanging fruit. Their false negatives are largely (entirely?) the same false negatives as web & spam filters.

    If the email link scrubbers were as invisible as web and spam filters, I'd support their use out of defense in depth. But they don't seem to add enough additional value to be worth it.

    Edit: Mimecast and Zix, BTW

    Yes, defense in depth is exactly the point. It sits at about layer number 6 in our various email security systems. And it's just another feature of those tools, so it costs nothing extra for us to do it. It's not even the first pass at checking embedded links; we do that pass through a separate service so we get two different looks at it. It's basically the last thing we can do within the email system itself if all our more important technical controls have failed to identify it, so the email has still managed to reach their inbox, and even our user training has partially failed since they have then decided to click the link. Past that you're relying on other user training that helps them identify that it's maybe not a good idea to enter their credentials in the site they just went to, or on various other technical controls like firewalls, DNS blacklists, download scanning, security controls, MDR tools, and backups to protect them from malicious files.

    Just remember that half the people you meet are below average intelligence.
  • Feral
    Feral wrote: »
    Lemme clarify a bit; what I've found (twice now) is that the email link scrubbers don't work appreciably better than plain old web filtering and spam filtering, and tend to catch the same types of low-hanging fruit. Their false negatives are largely (entirely?) the same false negatives as web & spam filters.

    If the email link scrubbers were as invisible as web and spam filters, I'd support their use out of defense in depth. But they don't seem to add enough additional value to be worth it.

    Edit: Mimecast and Zix, BTW

    Yes, defense in depth is exactly the point. It sits at about layer number 6 in our various email security systems. And it's just another feature of those tools, so it costs nothing extra for us to do it. It's not even the first pass at checking embedded links; we do that pass through a separate service so we get two different looks at it. It's basically the last thing we can do within the email system itself if all our more important technical controls have failed to identify it, so the email has still managed to reach their inbox, and even our user training has partially failed since they have then decided to click the link. Past that you're relying on other user training that helps them identify that it's maybe not a good idea to enter their credentials in the site they just went to, or on various other technical controls like firewalls, DNS blacklists, download scanning, security controls, MDR tools, and backups to protect them from malicious files.

    Well, I don't consider them to be zero-cost. If users are able to catch bad links X% of times by mousing over the link, and the link scrubber catches bad links Y% of the time, and X>Y, then the net value is negative. And that's exactly what I've seen. But obviously YMMV.

  • SiliconStew
    Feral wrote: »
    Feral wrote: »
    Lemme clarify a bit; what I've found (twice now) is that the email link scrubbers don't work appreciably better than plain old web filtering and spam filtering, and tend to catch the same types of low-hanging fruit. Their false negatives are largely (entirely?) the same false negatives as web & spam filters.

    If the email link scrubbers were as invisible as web and spam filters, I'd support their use out of defense in depth. But they don't seem to add enough additional value to be worth it.

    Edit: Mimecast and Zix, BTW

    Yes, defense in depth is exactly the point. It sits at about layer number 6 in our various email security systems. And it's just another feature of those tools, so it costs nothing extra for us to do it. It's not even the first pass at checking embedded links; we do that pass through a separate service so we get two different looks at it. It's basically the last thing we can do within the email system itself if all our more important technical controls have failed to identify it, so the email has still managed to reach their inbox, and even our user training has partially failed since they have then decided to click the link. Past that you're relying on other user training that helps them identify that it's maybe not a good idea to enter their credentials in the site they just went to, or on various other technical controls like firewalls, DNS blacklists, download scanning, security controls, MDR tools, and backups to protect them from malicious files.

    Well, I don't consider them to be zero-cost. If users are able to catch bad links X% of times by mousing over the link, and the link scrubber catches bad links Y% of the time, and X>Y, then the net value is negative. And that's exactly what I've seen. But obviously YMMV.

    You have far more trust in the abilities of your users than my experience says is reasonable.

  • Thawmus
    I think it varies in industry, but also, in my case, I have over 1000 email users and like 950 of them aren't employees, they're private accounts or in some cases corporate email accounts for small businesses.

    I have to give them some modicum of trust because there are limits to how much control I can exert over their resources while still being RFC compliant.

  • Feral
    Feral wrote: »
    Feral wrote: »
    Lemme clarify a bit; what I've found (twice now) is that the email link scrubbers don't work appreciably better than plain old web filtering and spam filtering, and tend to catch the same types of low-hanging fruit. Their false negatives are largely (entirely?) the same false negatives as web & spam filters.

    If the email link scrubbers were as invisible as web and spam filters, I'd support their use out of defense in depth. But they don't seem to add enough additional value to be worth it.

    Edit: Mimecast and Zix, BTW

    Yes, defense in depth is exactly the point. It sits at about layer number 6 in our various email security systems. And it's just another feature of those tools, so it costs nothing extra for us to do it. It's not even the first pass at checking embedded links; we do that pass through a separate service so we get two different looks at it. It's basically the last thing we can do within the email system itself if all our more important technical controls have failed to identify it, so the email has still managed to reach their inbox, and even our user training has partially failed since they have then decided to click the link. Past that you're relying on other user training that helps them identify that it's maybe not a good idea to enter their credentials in the site they just went to, or on various other technical controls like firewalls, DNS blacklists, download scanning, security controls, MDR tools, and backups to protect them from malicious files.

    Well, I don't consider them to be zero-cost. If users are able to catch bad links X% of times by mousing over the link, and the link scrubber catches bad links Y% of the time, and X>Y, then the net value is negative. And that's exactly what I've seen. But obviously YMMV.

    You have far more trust in the abilities of your users than my experience says is reasonable.

    I think you misunderstand me, but that's okay. I don't want to give the impression that I'm gonna die on this hill. If they work for you, that's great.

    Just to clarify, and then I'll drop it, both the places I've worked that had it had real data and ran tests. (I genuinely recognize that "dude, I have data" is not convincing so I don't expect this to change anybody's mind. I'm just saying that I'm not taking it on faith.) And what we found in both cases was that the link scrubber's catch rate was extremely low.

    I think the technical problem is that the link scrubbers my employers have used were provided by the same companies that did their respective spam filtering. They're using the same or similar logic. Anecdotally, the link scrubber's false negatives lined up with the spam filter's false negatives. Phishing links that passed through the spam filter weren't caught by the link scrubber either.

    But like I said, I'm clarifying, not arguing. YMMV and if they work for you, great!

  • LD50
    Feral wrote: »
    Feral wrote: »
    Feral wrote: »
    Lemme clarify a bit; what I've found (twice now) is that the email link scrubbers don't work appreciably better than plain old web filtering and spam filtering, and tend to catch the same types of low-hanging fruit. Their false negatives are largely (entirely?) the same false negatives as web & spam filters.

    If the email link scrubbers were as invisible as web and spam filters, I'd support their use out of defense in depth. But they don't seem to add enough additional value to be worth it.

    Edit: Mimecast and Zix, BTW

    Yes, defense in depth is exactly the point. It sits at about layer number 6 in our various email security systems. And it's just another feature of those tools, so it costs nothing extra for us to do it. It's not even the first pass at checking embedded links; we do that pass through a separate service so we get two different looks at it. It's basically the last thing we can do within the email system itself if all our more important technical controls have failed to identify it, so the email has still managed to reach their inbox, and even our user training has partially failed since they have then decided to click the link. Past that you're relying on other user training that helps them identify that it's maybe not a good idea to enter their credentials in the site they just went to, or on various other technical controls like firewalls, DNS blacklists, download scanning, security controls, MDR tools, and backups to protect them from malicious files.

    Well, I don't consider them to be zero-cost. If users are able to catch bad links X% of times by mousing over the link, and the link scrubber catches bad links Y% of the time, and X>Y, then the net value is negative. And that's exactly what I've seen. But obviously YMMV.

    You have far more trust in the abilities of your users than my experience says is reasonable.

    I think you misunderstand me, but that's okay. I don't want to give the impression that I'm gonna die on this hill. If they work for you, that's great.

    Just to clarify, and then I'll drop it, both the places I've worked that had it had real data and ran tests. (I genuinely recognize that "dude, I have data" is not convincing so I don't expect this to change anybody's mind. I'm just saying that I'm not taking it on faith.) And what we found in both cases was that the link scrubber's catch rate was extremely low.

    I think the technical problem is that the link scrubbers my employers have used were provided by the same companies that did their respective spam filtering. They're using the same or similar logic. Anecdotally, the link scrubber's false negatives lined up with the spam filter's false negatives. Phishing links that passed through the spam filter weren't caught by the link scrubber either.

    But like I said, I'm clarifying, not arguing. YMMV and if they work for you, great!

    I have similar experience. The link scrubbers do a great job of hiding the actual address the email is directing users to, and if it were malicious in a way that the link scrubber would detect it wouldn't have ever been delivered.

  • Feral
    On other news, I'm unfairly and admittedly irrationally frustrated by a conversation in Slack this morning

    Manager: "Is there a problem with SystemX right now?"

    no no no stop doing this. if somebody reported a problem to you, just tell us what they said. Don't make us guess why you're asking.

    Cue 237 techies going "no, everything is fine" "what's going on?" "i'm on it right now and it's okay" "here's a screenshot of a ping that shows it's up" etc etc etc

    so much noise. no signal.

  • Feral
    then we finally get details about the problem and it's application-level. The app hosted on it is giving an application error. And there are still people doing infrastructure-level troubleshooting. "Well, the server VMs are up." yeah no shit. what do you think is throwing the application error, my brother in christ

    I should be listening to Yakety Sax right about now.

  • Mugsley (Delaware)
    edited April 16
    Carpy wrote: »
    DoD has probably the largest public key implementation in the world and significant amounts of infrastructure and personnel dedicated to facilitating key generation and distribution and they still regularly run into day to day problems making it work. PKI for the general public is an absolute pipe dream

    Yep.

    Also recent (like 2 yrs?) implementation of link scrubbers.

    And still no password managers in sight despite mandates of 14-character passwords with specific complexity. And then people get yelled at for using stickies. But this is a different discussion.

  • SiliconStew
    Feral wrote: »
    On other news, I'm unfairly and admittedly irrationally frustrated by a conversation in Slack this morning

    Manager: "Is there a problem with SystemX right now?"

    no no no stop doing this. if somebody reported a problem to you, just tell us what they said. Don't make us guess why you're asking.

    Cue 237 techies going "no, everything is fine" "what's going on?" "i'm on it right now and it's okay" "here's a screenshot of a ping that shows it's up" etc etc etc

    so much noise. no signal.

    How timely. Our CTO just last week suggested we should dump the entire IT division, help desk, infrastructure, DevOps, security, application specialists, business intelligence, etc, into a single Slack channel for major incident notifications. I'm so looking forward to the same wastes of everyone's time in our future.

  • Feldorn
    We get those sometimes, my first question is always: "why do you ask?"

    Then they say that Susan told them the network is down because it said her username or password was incorrect but it matches what she wrote in her notebook yesterday.

  • Feral
    Feral wrote: »
    On other news, I'm unfairly and admittedly irrationally frustrated by a conversation in Slack this morning

    Manager: "Is there a problem with SystemX right now?"

    no no no stop doing this. if somebody reported a problem to you, just tell us what they said. Don't make us guess why you're asking.

    Cue 237 techies going "no, everything is fine" "what's going on?" "i'm on it right now and it's okay" "here's a screenshot of a ping that shows it's up" etc etc etc

    so much noise. no signal.

    How timely. Our CTO just last week suggested we should dump the entire IT division, help desk, infrastructure, DevOps, security, application specialists, business intelligence, etc, into a single Slack channel for major incident notifications. I'm so looking forward to the same wastes of everyone's time in our future.

    but it will fix siloing!

    ron howard voice: it does not, in fact, fix siloing

  • taliosfalcon
    edited April 17
    Our CTO is absolutely in love with Slack and insists all alerts go to Slack as well, which essentially means we have several Slack channels inundated with minor useless alerts that render it impossible to use them for anything remotely useful, but it keeps him happy so *shrug*. Not even error messages: any time an automated pipeline does anything, it goes to Slack, and some of them have hundreds of steps and run hundreds of times per day. sigh. We also have no dashboards etc., which I've advocated for but been told no, it should just all go to Slack.

    steam xbox - adeptpenguin
  • Feldorn
    If we're looking to get away from Citrix for app virtualization and RDS access, is a Windows RDS gateway something that can do that?

    Also, any of you utilized Azure Application Proxy for that sort of thing?

  • zerzhul (Moderator)
    Feral wrote: »
    On other news, I'm unfairly and admittedly irrationally frustrated by a conversation in Slack this morning

    Manager: "Is there a problem with SystemX right now?"

    no no no stop doing this. if somebody reported a problem to you, just tell us what they said. Don't make us guess why you're asking.

    Cue 237 techies going "no, everything is fine" "what's going on?" "i'm on it right now and it's okay" "here's a screenshot of a ping that shows it's up" etc etc etc

    so much noise. no signal.

    “Let’s play 20 questions and at the end you may be in deep shit! my favorite game!”

    ugh…. i hate this so much. sorry you’re having to deal with that right now.

  • Feral
    zerzhul wrote: »
    Feral wrote: »
    On other news, I'm unfairly and admittedly irrationally frustrated by a conversation in Slack this morning

    Manager: "Is there a problem with SystemX right now?"

    no no no stop doing this. if somebody reported a problem to you, just tell us what they said. Don't make us guess why you're asking.

    Cue 237 techies going "no, everything is fine" "what's going on?" "i'm on it right now and it's okay" "here's a screenshot of a ping that shows it's up" etc etc etc

    so much noise. no signal.

    “Let’s play 20 questions and at the end you may be in deep shit! my favorite game!”

    ugh…. i hate this so much. sorry you’re having to deal with that right now.

    Luckily this time around I just got to sit back, watch the shit show, and take mental notes on who asked the best questions.

  • Feral
    Feldorn wrote: »
    If we're looking to get away from Citrix for app virtualization and RDS access, is a Windows RDS gateway something that can do that?

    Also, any of you utilized Azure Application Proxy for that sort of thing?

    Yes to the first question, for sure.

    I haven't used Citrix for that since 2011 so I don't know how it directly compares to current Microsoft RDS. And I'm not super hands on with RDS.

  • SiliconStew
    Feral wrote: »
    Feldorn wrote: »
    If we're looking to get away from Citrix for app virtualization and RDS access, is a Windows RDS gateway something that can do that?

    Also, any of you utilized Azure Application Proxy for that sort of thing?

    Yes to the first question, for sure.

    I haven't used Citrix for that since 2011 so I don't know how it directly compares to current Microsoft RDS. And I'm not super hands on with RDS.

    Microsoft RDS Gateway certainly works for deploying published apps or remote desktops, but it is pretty bare bones compared to what you get with Citrix. Citrix has better environment management tools and better control over various aspects of the user experience. But it comes at the cost of a significant increase in complexity and cost. RDS Gateway has the benefit of being free outside of the RDS licensing, which you'd already have if you're running Citrix.

    That said, in our case we're transitioning from a Citrix environment to AWS Appstream for published apps/remote desktops.

    One other thing we've run into in the past with MS RDS Gateway, and this may never come up for you, is a couple of cybersecurity insurance providers that would have explicitly rejected coverage if we had an RDS Gateway deployed, but their policies made no mention of doing the exact same thing using Citrix or any other vendor. But that's more about insurance companies having a very poor understanding of technology than anything particularly wrong with RDS Gateway.

  • wunderbar
    As someone currently fighting with Microsoft RDS, I can say that I cannot stand this product.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • Feldorn
    Thanks.

    We're mostly looking at the renewal and wondering if Citrix provides as much value as the cost, and the biggest gain we have from them is handling authentication through a Netscaler. If we utilize Azure Apps and Azure AD then it's suddenly much less value since we already own a product that is probably as secure as what Citrix provides.

    The main reason I was looking at RDS Gateway is to provide a way for a few people to access a desktop, as well as for some contractors to use for configuring the apps and servers they're engaged for.

    I have heard plenty of complaints about Microsoft RDS though, but haven't ever used it other than to enable Citrix.

  • Feral
    For remote contractor access I'd probably give them VDI

  • SiliconStew
    Feldorn wrote: »
    Thanks.

    We're mostly looking at the renewal and wondering if Citrix provides as much value as the cost, and the biggest gain we have from them is handling authentication through a Netscaler. If we utilize Azure Apps and Azure AD then it's suddenly much less value since we already own a product that is probably as secure as what Citrix provides.

    The main reason I was looking at RDS Gateway is to provide a way for a few people to access a desktop, as well as for some contractors to use for configuring the apps and servers they're engaged for.

    I have heard plenty of complaints about Microsoft RDS though, but haven't ever used it other than to enable Citrix.

    If you're already licensed for F3/E3/E5 (and a few others) in O365, then you already have rights to a VDI/app streaming instance for those people. You'd just have to pay the Azure infrastructure costs for running the session hosts. And external user (contractor) access is just $5-10 per user per month. If you already use O365, I'd be surprised if you would have lower TCO for Citrix licenses + RDS licenses + on-prem server licenses + on-prem hardware purchasing and support costs.

    For what it's worth, one of the reasons we're moving away from Citrix was all the vulnerabilities Netscalers have had over the last couple years.

  • LD50
    Feldorn wrote: »
    Thanks.

    We're mostly looking at the renewal and wondering if Citrix provides as much value as the cost, and the biggest gain we have from them is handling authentication through a Netscaler. If we utilize Azure Apps and Azure AD then it's suddenly much less value since we already own a product that is probably as secure as what Citrix provides.

    The main reason I was looking at RDS Gateway is to provide a way for a few people to access a desktop, as well as for some contractors to use for configuring the apps and servers they're engaged for.

    I have heard plenty of complaints about Microsoft RDS though, but haven't ever used it other than to enable Citrix.

    If you're already licensed for F3/E3/E5 (and a few others) in O365, then you already have rights to a VDI/app streaming instance for those people. You'd just have to pay the Azure infrastructure costs for running the session hosts. And external user (contractor) access is just $5-10 per user per month. If you already use O365, I'd be surprised if you would have lower TCO for Citrix licenses + RDS licenses + on-prem server licenses + on-prem hardware purchasing and support costs.

    For what it's worth, one of the reasons we're moving away from Citrix was all the vulnerabilities Netscalers have had over the last couple years.

    This 100%. We would be off of Citrix at my work and running like the above if it weren't for some 3rd party app support requirements.

  • Feldorn
    I suppose I should engage our account team to find out, they're more than happy to demo stuff for customers.

    I've found that to be more effective than trying to work everything out through their documentation.

  • Feral
    I have an on-prem Microsoft Active Directory replication question. @SiliconStew has strong MS skills, maybe he knows

    Is it possible to shorten the replication interval between domain controllers in different sites below 15 minutes?

    I'm in an environment with multiple datacenters across WANs and Azure AD. We have very fast links between our primary datacenters. It would be really helpful if we could selectively tell Site1-DC-01 to replicate with Site2-DC-01 every 60 seconds or so.

    The AD Sites & Services NTDS GUI allows a minimum of 15 minutes, of course.

  • Feral
    Spitballing: There's an ActiveDirectorySiteLink.ReplicationInterval constructor in .NET that can be manipulated by PowerShell, but I don't know if that's a proven method, or if AD will actually respect arbitrary values below 15 minutes / 180 seconds.

  • Feral
    oh cool i just found this, using ADSI edit

    https://pertorben.wordpress.com/2016/01/12/enable-immediate-replication-between-ad-sites/

    haven't tried that yet

    funny how repeating your google searches with different synonyms & phrasing eventually works if you're persistent enough

  • bowen
    I hate saying this out loud but bing has been far more consistent and reliable for me in the past year or so.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • SiliconStew
    Feral wrote: »
    oh cool i just found this, using ADSI edit

    https://pertorben.wordpress.com/2016/01/12/enable-immediate-replication-between-ad-sites/

    haven't tried that yet

    funny how repeating your google searches with different synonyms & phrasing eventually works if you're persistent enough

    That covers it.

    Though I suppose if for some odd reason someone really needed an automatic intersite replication interval between immediate and 15 minutes you could use the repadmin /syncall command in a scheduled task.

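The two approaches above (change notification on the site link, which is the bit the ADSI Edit procedure sets by hand, and a scheduled repadmin /syncall for a fixed interval shorter than the GUI floor), as an added PowerShell example that is not from this thread or the linked article. The site link name 'Site1-Site2' and DC name 'Site1-DC-01' are assumptions; it needs the RSAT ActiveDirectory module and rights to modify the Configuration partition.

```powershell
# Added example, not from the thread or the linked article.
# Assumed names: site link 'Site1-Site2', source DC 'Site1-DC-01'.
# Run from an elevated session on a DC with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The siteLink object's 'options' attribute is a bit field:
#   1 = USE_NOTIFY          replicate on change instead of on the schedule
#   2 = TWOWAY_SYNC
#   4 = DISABLE_COMPRESSION
# Setting bit 1 is what the ADSI Edit walkthrough does by hand. With it set,
# DCs notify their inter-site partners shortly after a change, the same way
# intra-site replication behaves, instead of waiting for the 15-minute floor.
$UseNotify = 1

function Enable-SiteLinkChangeNotification {
    param([Parameter(Mandatory)][string] $SiteLinkName)

    $link    = Get-ADReplicationSiteLink -Identity $SiteLinkName -Properties options, replInterval
    $current = [int]($link.options)        # unset attribute -> $null -> 0

    if (($current -band $UseNotify) -eq $UseNotify) {
        Write-Host "$SiteLinkName already has USE_NOTIFY set (options=$current)"
        return $link
    }

    # OR the bit in rather than overwriting, so TWOWAY_SYNC / compression
    # settings someone else configured survive.
    Set-ADReplicationSiteLink -Identity $SiteLinkName -Replace @{ options = ($current -bor $UseNotify) }

    # The KCC rebuilds the connection objects on its next pass (every 15 min
    # by default); force a pass now so the change takes effect immediately.
    & repadmin.exe /kcc

    Get-ADReplicationSiteLink -Identity $SiteLinkName -Properties options, replInterval
}

# Alternative for a fixed interval between "immediate" and 15 minutes:
# push a full sync from one DC on a timer. repadmin /syncall flags:
#   /A  all naming contexts   /d  show partners by DN
#   /e  cross-site (enterprise)   /P  push changes outward from this DC
function Register-IntersiteSyncTask {
    param(
        [Parameter(Mandatory)][string] $SourceDc,
        [int] $Minutes = 5
    )
    $action  = New-ScheduledTaskAction -Execute 'repadmin.exe' -Argument "/syncall $SourceDc /AdeP"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval (New-TimeSpan -Minutes $Minutes)
    Register-ScheduledTask -TaskName "AD-IntersiteSync-$SourceDc" `
        -Action $action -Trigger $trigger `
        -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force
}

# Pick one; both at once just doubles the WAN traffic the thread warns about.
Enable-SiteLinkChangeNotification -SiteLinkName 'Site1-Site2'
# Register-IntersiteSyncTask -SourceDc 'Site1-DC-01' -Minutes 5

# Verify: repadmin /showrepl Site1-DC-01   and   repadmin /replsummary
```

Measure the link before and after (repadmin /replsummary plus the DRA counters in perfmon), since change notification turns every burst of directory writes into immediate inter-site traffic rather than a batched 15-minute cycle.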
  • Feral
    Feral wrote: »
    oh cool i just found this, using ADSI edit

    https://pertorben.wordpress.com/2016/01/12/enable-immediate-replication-between-ad-sites/

    haven't tried that yet

    funny how repeating your google searches with different synonyms & phrasing eventually works if you're persistent enough

    That covers it.

    Though I suppose if for some odd reason someone really needed an automatic intersite replication interval between immediate and 15 minutes you could use the repadmin /syncall command in a scheduled task.

    Thank you!

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
    Dizzy D Netherlands Registered User regular
    Even with immediate replication, I found that replication would take a few minutes

    Steam/Origin: davydizzy
    wunderbar What Have I Done? Registered User regular
    I personally wouldn't want immediate sync because that has the potential to add a ton of traffic over the WAN for no reason.

    The whole point of having multiple Domain Controllers across multiple sites (you know, aside from redundancy) is that you don't have to have the DCs syncing with each other in real time, and passing that domain traffic between sites constantly.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
    Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    wunderbar wrote: »
    I personally wouldn't want immediate sync because that has the potential to add a ton of traffic over the WAN for no reason.

    The whole point of having multiple Domain Controllers across multiple sites (you know, aside from redundancy) is that you don't have to have the DCs syncing with each other in real time, and passing that domain traffic between sites constantly.

    We'll measure it in our environment, but 1) we can set this between specific domain controllers, not just network-wide, which reduces the impact and 2) I'm not terribly worried about it because we're talking about standards that were set on early-2000s technology on fast pipes in 2024. But don't take my word for it:

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/configuring-change-notification-on-a-manually-created/ba-p/400188
    Back in the old days when remote sites were connected by a string and two soup cans, it was necessary in most cases to carefully consider configuring your replication intervals and times so as not to flood the pipe (or string in the reference above) with replication traffic and bring your WAN to a grinding halt. With dial up connections between sites it was even more important. It remains an important consideration today if your site is a ship at sea and your only connectivity is a satellite link that could be obscured by a cloud of space debris.

    Now in the days of wicked fast fiber links and MPLS VPN Connectivity, change notification may be enabled between site links that can span geographic locations. This will make Active Directory replication instantaneous between the separate sites as if the replication partners were in the same site.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
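The per-link version of the change-notification setting discussed above, as an added example using the ActiveDirectory module rather than ADSI Edit (this is not code from the thread or from the linked articles). It sets or clears the USE_NOTIFY bit on one inter-site IP site link's options attribute while preserving the other bits, and reports the before/after values so the change can be rolled out one link at a time and measured; the site link name 'HQ-Branch' is an assumed placeholder.

```powershell
# Added example: toggle change notification (immediate inter-site
# replication) on a single IP site link. Assumes the ActiveDirectory
# RSAT module and rights to modify the Configuration partition.
Import-Module ActiveDirectory

# Bit flags of the siteLink "options" attribute (MS-ADTS):
#   0x1 = USE_NOTIFY, 0x2 = TWOWAY_SYNC, 0x4 = DISABLE_COMPRESSION
$UseNotify = 0x1

function Set-SiteLinkChangeNotification {
    param(
        [Parameter(Mandatory)][string]$SiteLinkName,
        [switch]$Disable   # clear the bit instead of setting it
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $link = Get-ADObject `
        -SearchBase "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc" `
        -LDAPFilter "(&(objectClass=siteLink)(cn=$SiteLinkName))" `
        -Properties options
    if (-not $link) { throw "Site link '$SiteLinkName' not found" }

    # "options" is absent on a link that was never customised; treat as 0.
    $before = [int]$link.options
    if ($Disable) { $after = $before -band (-bnot $UseNotify) }
    else          { $after = $before -bor  $UseNotify }

    # Only write when the value actually changes (keeps the audit trail clean).
    if ($after -ne $before) {
        Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $after }
    }
    [pscustomobject]@{
        SiteLink = $link.Name
        Before   = ('0x{0:X}' -f $before)
        After    = ('0x{0:X}' -f $after)
        Changed  = ($after -ne $before)
    }
}

# Enable on one link first, then watch the far side with repadmin /showrepl
# before touching the next link. 'HQ-Branch' is an assumed link name.
Set-SiteLinkChangeNotification -SiteLinkName 'HQ-Branch'
```

Running it again with -Disable reverts the link, which is the quick rollback if the WAN metrics wunderbar is worried about actually move.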
    Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    But of course the approach for us will be to do it one at a time, test, and measure with actual metrics.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
    bowen How you doin'? Registered User regular
    edited June 15
    I love how google just decided straight up to break a bunch of older "less secure" applications for shits and giggles with something like 3 months notice.

    Yeah I really don't give a fuck if the app and hardware I have generating logs for uptime and debugging gets hacked, let me let that stay less secured because some of the equipment has no knowledge of oauth2. In fact almost every piece of equipment that offers these kinds of logs has no knowledge of oauth2. Even my dell poweredge and vault that were made 3 years ago (long after oauth2 became a standard) both don't know how to handle that shit.

    Just going to spin up a stupid local SMTP/IMAP service for this shit. I shouldn't have to. Fuck Google.

    Also no, I'm not going to use my phone to enable 2fa to this dumb shit so I can enable it that way.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
    Infidel Heretic Registered User regular
    How is OAuth going to help that at all anyways. We are talking log sending, right?

    If your log sender is hacked, it’s no longer able to trust the logs sent and you have a bigger problem? Like huh.

    SiliconStew Registered User regular
    edited June 16
    bowen wrote: »
    I love how google just decided straight up to break a bunch of older "less secure" applications for shits and giggles with something like 3 months notice.

    Yeah I really don't give a fuck if the app and hardware I have generating logs for uptime and debugging gets hacked, let me let that stay less secured because some of the equipment has no knowledge of oauth2. In fact almost every piece of equipment that offers these kinds of logs has no knowledge of oauth2. Even my dell poweredge and vault that were made 3 years ago (long after oauth2 became a standard) both don't know how to handle that shit.

    Just going to spin up a stupid local SMTP/IMAP service for this shit. I shouldn't have to. Fuck Google.

    Also no, I'm not going to use my phone to enable 2fa to this dumb shit so I can enable it that way.
    Are you talking 2FA requirements with Oauth2 or them disabling IMAP/POP? Google was disabling "less secure apps" 2 years ago.

    At least in the first case you only need to set up 2FA on the main Gmail login/service account. You can then create an App Password under that account that printers/services can use to authenticate SMTP with just a username/password just as before that doesn't use 2FA.

    Just remember that half the people you meet are below average intelligence.
    bowen How you doin'? Registered User regular
    bowen wrote: »
    I love how google just decided straight up to break a bunch of older "less secure" applications for shits and giggles with something like 3 months notice.

    Yeah I really don't give a fuck if the app and hardware I have generating logs for uptime and debugging gets hacked, let me let that stay less secured because some of the equipment has no knowledge of oauth2. In fact almost every piece of equipment that offers these kinds of logs has no knowledge of oauth2. Even my dell poweredge and vault that were made 3 years ago (long after oauth2 became a standard) both don't know how to handle that shit.

    Just going to spin up a stupid local SMTP/IMAP service for this shit. I shouldn't have to. Fuck Google.

    Also no, I'm not going to use my phone to enable 2fa to this dumb shit so I can enable it that way.
    Are you talking 2FA requirements with Oauth2 or them disabling IMAP/POP? Google was disabling "less secure apps" 2 years ago.

    At least in the first case you only need to set up 2FA on the main Gmail login/service account. You can then create an App Password under that account that printers/services can use to authenticate SMTP with just a username/password just as before that doesn't use 2FA.

    They're sunsetting the less secure apps and retroactively removing the app password stuff now. You need 2fa enabled, but I have no mechanism in which to enable 2fa for the main account to re-enable the app passwords. I'm certainly as shit not dropping a company profile on my personal phone for this.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me