Sysadmin

A community dedicated to the profession of IT Systems Administration

founded 2 years ago

201

It started off with an employee sending an email to a distribution list called "Bedlam DL3" asking to be taken off the list. With 13,000 recipients and everyone replying all with "Me too!" and other messages, it was estimated that over 15 million messages were sent through the system in an hour. This crashed the MTA service due to a recipient limit. Each time the MTA service recovered, it would attempt to resend the message again, which led to a crash loop.

As a result of the incident, the Exchange team introduced message recipient limits and distribution list restrictions to Exchange, which is something we all use today!

More on the story here: https://techcommunity.microsoft.com/t5/exchange-team-blog/me-too/ba-p/610643

cross-posted from: https://techy.news/post/2224

202

I do a lot of VMware work but I'd like to tinker with Proxmox at home. I just don't want to bring an awful old HPE server/etc. home to try it out on.

Anyone have any recommendations for a quiet, small homelab server with a solid (12-16 thread) core count?

203

Microsoft's documentation for revoking user access from Azure AD currently references cmdlets from the AzureAD PowerShell module, which will be deprecated on June 30th.

Microsoft recommends using the MSGraph module or API as a replacement for the AzureAD module, but I'm having a hell of a time with it.

I'm trying to figure out how to use PowerShell to wipe corporate data off a user's BYODs, and I'm stuck trying to get a list of a user's BYODs through Graph. Ultimately this will be part of automation kicked off when a user leaves the company.

Queries for devices and managed devices for a given user seem to be missing devices that are shown through Azure Portal when looking at a user in Azure AD and then looking at their devices. The query for deleting data is also unclear in whether it wipes the whole device or just corporate data.

Does anyone have any resources or guidance on this? Most of what I'm finding is outdated or too vague for me to be comfortable utilizing it.

204
O365 Email Encryption (self.sysadmin)
submitted 2 years ago* (last edited 2 years ago) by L3s to c/sysadmin

My company is just starting to utilize O365 email encryption for sensitive information, which I know a lot of people are already using.

One thing we've run into is when sending a sensitive email to a third-party vendor, a lot of them utilize shared mailboxes/distribution groups, so the encryption is not allowing the members of the external mailbox/group to open the encrypted email as their account doesn't have permissions (the group email address does, instead of their individual account).

The only way I've come up with to solve this issue is setting the encrypted emails to not allow a "social" sign-on for decryption, and instead only offer "send a one-time passcode" as the authentication method, then the group/mailbox receives the code to view the email.

Curious how others have combatted this issue if they've crossed it, this feature has been around a while and I am unable to find much on Google about it specifically.

For the moment, users are just re-sending the encrypted email to the external recipient that replies "We can't open this email", which solves the problem but creates more work and takes longer for everyone.

205

A few years ago I had a couple of old and slow OptiPlexes running Hyper-V, with Windows/Linux VMs, doing things like NPS, AD, etc.

Had some old equipment collecting dust, so I've built out a decent homelab and am curious if anyone else has done the same, and if so what are they running on them for fun?

In my new "rack":

  • PowerEdge R430
    • Running ProxMox, with a Windows VM (DC), and a Linux VM with Docker for Plex
  • EqualLogic PS4100
    • VM storage for both PowerEdge servers (10TB)
  • Ubiquiti EdgeSwitch 24 250w
  • PowerEdge R720
    • Running ProxMox, with some Linux VMs, most utilizing Docker for Plex "assistance/automations" (ahem), NextCloud for phone photo backup and wife's photography, and another DC as a failover of R430's DC.

206
submitted 2 years ago* (last edited 2 years ago) by [email protected] to c/sysadmin

Proof-of-concept exploit code is now available for a high-severity flaw in Cisco Secure Client Software for Windows (formerly AnyConnect Secure Mobility Client) that can let attackers elevate privileges to SYSTEM.

Cisco Secure Client helps employees to work from anywhere using a secure Virtual Private Network (VPN) and provides network admins with telemetry and endpoint management features.

The vulnerability (tracked as CVE-2023-20178) can let authenticated threat actors escalate privileges to the SYSTEM account used by the Windows operating system in low-complexity attacks that don't require user interaction.

Successful exploitation requires abusing what Cisco describes as a "specific function of the Windows installer process."

Cisco released security updates to address this security bug last Tuesday when it said its Product Security Incident Response Team (PSIRT) did not have evidence of malicious use or public exploit code targeting the bug in the wild.

CVE-2023-20178 was fixed with the release of AnyConnect Secure Mobility Client for Windows 4.10MR7 and Cisco Secure Client for Windows 5.0MR2.

[Image: Escalating privileges to SYSTEM using the CVE-2023-20178 PoC exploit (Filip Dragović)]

Earlier this week, proof-of-concept (PoC) exploit code was published by security researcher Filip Dragović who found and reported the Arbitrary File Delete vulnerability to Cisco.

As Dragović explains, this PoC was tested against Cisco Secure Client (tested on 5.0.01242) and Cisco AnyConnect (tested on 4.10.06079).

"When a user connects to vpn, vpndownloader.exe process is started in [the] background, and it will create [a] directory in c:\windows\temp with default permissions in [the] following format: .tmp," the researcher says.

"After creating this directory vpndownloader.exe will check if that directory is empty, and if it's not, it will delete all files/directories in there. This behavior can be abused to perform arbitrary file delete as NT Authority\SYSTEM account."

The attacker can then spawn a SYSTEM shell through arbitrary file deletion by taking advantage of this Windows installer behavior and the fact that a client update process is executed after each successful VPN connection, using the technique described here to escalate privileges.

In October, Cisco warned customers to patch two more AnyConnect security flaws (with public exploit code and fixed three years before) because of active exploitation in attacks.

Two years ago, Cisco patched an AnyConnect zero-day with public exploit code in May 2021, six months after its initial disclosure in November 2020,

207
submitted 2 years ago* (last edited 2 years ago) by possiblylinux127 to c/sysadmin

208

Greetings, all! I'm new to Lemmy and to this community, but hoping there might be some here with opinions to offer on whether Solarwinds Patch Manager is worth the price or if I should just continue to make do with plain WSUS. Initially I found WSUS to be unreliable and a general pain in the ass, but after some tinkering I actually have it running pretty well now, so I'm not as sure that I need Patch Manager.

Anyway, I'm happy to be here on Lemmy with you all and look forward to participating in this community. Cheers!

209

It's confusing for new users, and this instance in particular has 7k users but no interactions. It's a bot army, with the top user being called @admin.

Extremely shady and misleading.

210

I'm interested to know whether you have a specific process or tool you use for managing your PGP keys?

I was thinking it'd be great if Lemmy allowed you to use PGP to verify your identity across multiple users on different instances. This made me think I need a good way to make sure I never lose my keys!

211

I am setting up a new RMM solution and my first thought was to create a VPN with active directory. It turned out to be harder than I expected so I'm looking for cost effective solutions.

The company I work for used to use Pulseway but everyone who set it up either left or is deceased. It seems to be priced right and it seems to have all the features I need. If anything, it's overkill.

Has anyone here ever used it? I'm a bit scared of supply chain attacks but I think I can get over my fear with convenience and price.

212

When offboarding a user, the option to retain that user's mailbox and give other people access is to convert it to a shared mailbox. When you do this it doesn't delete the user account. It still shows up as an active, unlicensed user. This can be sort of troubling as reporting of active user counts still includes those users. I'm not 100% sure that this is different, but many of our users are hybrid with an on-prem AD. When we try to delete the user and convert to a shared mailbox, the deletion fails, but the convert to shared succeeds. If we subsequently move the on-prem account to an un-synchronized OU, the user account and its associated shared mailbox also get deleted. The way I've found to fix this is to restore the AAD user account after we move the on-prem account. It's all a bit of a hassle and I wonder if there's a better way. How do you handle offboarding hybrid accounts?

213

I don't know how to crosspost properly.

I think this is a serious design flaw. If you agree please upvote the post on lemmy.ml community for visibility

214

cross-posted from: https://lemmy.world/post/288652

Thanks to a comment by @[email protected] , I checked and saw that 'Federation debugging' mode was enabled. I had enabled that when the server just started (less than 3 weeks ago) and I had an issue with federation.

I thought I had switched that off again, but apparently not. This mode causes the federation to be done in the foreground, so your 'Post' or 'Comment' action will wait for that to finish...

This solves the most annoying issue, and makes the site way more useable. There are many other issues, but we'll get there.

215
submitted 2 years ago* (last edited 2 years ago) by Mackerdaymia to c/sysadmin

I'm wondering if anyone here can help me get my head around MS Defender for Business. We're currently in the process of switching over and have one month until the contract with our current AV Provider (Sophos) runs out.

So far it's been plain sailing with 100% of our standard users having an MS 365 License which includes defender. They all have "their own" computer so that works out nice and easy. The server licenses/onboarding has been working fine as well following the set process from MS (scripts etc.).

But we also have a few manufacturing departments where computers are shared for ease of use. Following MS's guide, we'd need at least one licensed user (i.e. the main one) per computer to get that working. We were initially hoping we could get away with onboarding the computers and using a single user for all 40+ of them, but that seems impossible (MS wants to make money of course).

The workaround we've been considering was using a licensed dummy user per computer that we use to simply sign into MS 365 (for the license). So we'd keep our current structure but then have for example FactoryUserA1 etc. with the license. Simply creating the users would save us a ton of work and I'd rather not have to generate 40+ users in our AD and then painstakingly configure them all to fit our current structure.

Hope I'm making sense here and that someone can help.

Thanks for your time fellow Admins.

UPDATE: We've sorted it out. Our supplier neglected to tell us about the Defender for Endpoint licenses. We were under the false impression that the new licenses could only be assigned per user as they are included in the Business Premium package.

216

cross-posted from: https://lemmy.world/post/224140

My home ISP does CGNAT for IPv4, but provides native IPv6. I can use IPv6 just fine to access most of my resources, except for one specific server. I can access the server over IPv4 from my home network, and either over v4 or v6 from other networks I've tried. But I can't access it over IPv6 from my home network.

What could be the problem here? Where do I begin to diagnose it?

217
Facebook is Down! (twitter.com)
submitted 2 years ago by Aqarius to c/sysadmin

cross-posted from: https://lemmy.ml/post/1300027

Here come the helpdesk tickets!

220

I am looking for a simple tool with which I can monitor available bandwidth on my 3 different ISPs in real time. Not what is being used, but what is available... like a speed test, but one that can show historical data. I have PRTG but that shows what is being used. I also do not want it to run constant speed tests; that would take up everything I have. I know I could just as easily do a spreadsheet and fill it in. Anyone maybe have a PowerShell script that would do this, run a speed test and then fill in the results on a spreadsheet?

222

cross-posted from: https://lemmy.ml/post/1163202

I set up this community specifically because of the time I've spent over the years browsing and relying on reddit.com/r/sysadmin for sources of information on tips/tricks, security exploits & patches, outages, and yes, even the ranting about how our jobs all suck. (I like mine, for what it's worth.)

Come on down, ask questions, post what the sysadmin community needs to know about, or head in to get either sympathy or chastisement about why you haven't left your job yet. 🤣

Want to be a mod? Let me know!

223

This release brings two significant new features: a config-driven import workflow and check blocks. Config-driven import is a new declarative workflow to add existing resources into Terraform state and solves the limitations of the existing import command. Checks are a new way to perform functional validation of provisioned infrastructure to ensure the real world matches expectations.

224

I am a PSE for a large corporation that most people would not be familiar with (those users that frequent this sub probably would). However, we supply business critical software to many of the big companies you definitely do know. This puts me in a position where I work directly with some of the most well paid 'tech execs' you can find and has led to many hilarious situations. Those are stories for another day, however. Today is about Reddit, for they have angered me greatly.

I get a ticket this morning around 10 AM. As usual, I get a bunch of helpful information including an irrelevant screenshot and a one liner about how the RSS feed that they have pulling into one of their widgets wasn't working. On closer inspection, these mf's were hitting the r/sysadmin(!) RSS feed and pulling in new posts. Now, this is strictly business software we are dealing with. So while I can absolutely see why certain groups would value that feed, it was definitely the first I had ever seen such a thing in any of our environments.

Naturally (I feel), I am immediately floored with the potential possibilities and started thinking about how I might have to explain to this guy all that has transpired the last ~week in a business-professional email... I took a minute just to soak that in and let out a small chuckle. Fuck u/spez, I mutter.

Well, since I was given zero actual information about their issue, other than 'no workie', I slid over to my main PC to go check r/sysadmin as I have done many times in the past, like muscle memory. I snap out of that, of course. I am done with Reddit. I had an idea. Just for fun I hit up Lemmy, just to see what was there. And lo and behold we have a fucking post about the massive Reddit outage that went down today. I am all smiles at what has already happened here and hit Downdetector just to confirm. Yup, almost 50k reports at peak. LMFAO. I mean, really? My god Reddit. What are you doing?

So, given the info I was provided, I let him know that there was an outage and that was likely all the issue was: try again once it has subsided. A few small chuckles and I thought the story was done.

Now here's where I really lost it. I get word back a bit later and it's once again a one liner - 'No. Our sad, sad admins have been without r/sysadmin for almost two weeks now :(' I was laughing for a good 5 minutes at just the absurdity of it all (this issue obviously doesn't have anything to do with the recent changes, lol), all against the background of what we are seeing with Reddit. It also helped me realize how far reaching these failures are actually going to be once the end of the month rolls around. Colossal fuck up.

Happy to be here on Lemmy with you boys!

225

I'm fearful of people going redditZero and deleting their years-old accounts, as reddit has become a vast trove of information for a vast number of systems. If I go dark and delete, it won't be everything. Memes and regular conversations may go, but I'll be sure to leave every technical response I've ever given (or even edit it if I have since learned more precise information). It feels like so many are ready to cut off their nose to spite their face. The community we had was built by us collectively and enriched by the content we shared. I feel like despite reddit literally doing everything wrong, by deleting our collective wisdom, we aren't hurting reddit as much as we're hurting our own community of sysadmins.

Please consider that we are facing a Wisdom of the Ancients situation here, and I sure as shit know that I don't want to be the one on the other end of seeing "deleted", then "Thanks that worked!" in my future.

Just food for thought.
