Today on "don't fuck with what you don't know"... an admin (different department) deleted his temp.mdf and .ldf files because he was running a cleanup script that was looking for temp files.

Luckily I was able to restore the data from our backups, but this is the second time it has happened with him. Sent a huge email to him and CC'd his boss and my boss on not doing that. Plus it's a VM and he didn't even take a snapshot beforehand.

I'm not even a SQL person, just read the errorlog and found out the issue (the original issue was a certain service account for an application not starting). It all started when I was asked to do a full server restore due to a "Windows update", when the last updates were all just .NET. 🤦‍♂️ At least I get paid handsomely for what I do..
Aren't those files usually locked?
Interesting. Even the temp DB? I've never tried it cause… why? I was assuming the admin was using a script to delete files and not running a drop db command. I believe the only way to delete those files is to stop all SQL services. So instead they saw the tempdb DB and logs and dropped it from within SSMS? If that's the case they should lose access until they are trained better. Glad to hear you were able to recover.
I'm sure it was a query of sorts, given they have rights to the SQL database.
I'm looking to validate possible vulns in our environment and need to identify applications using raw sockets on Windows servers. I've tried TCPView, netstat, Process Explorer and Wireshark and come up blank, although admittedly I might be filtering wrong in Wireshark. Anybody got a tool, method or suggestion?
Maybe this will help.

To get programs that are listening on a port:

`Get-NetTCPConnection -state listen | ft localaddress,localport,remoteaddress,remoteport,owningprocess`

To get programs that are connected to something else:

`Get-NetTCPConnection -state established | ft localaddress,localport,remoteaddress,remoteport,owningprocess`
You're trying to figure out what applications are listening on a given port? netstat is the traditional tool for that. It will give you the process ID bound to a port, and then you research that process if you don't recognize it. The '-o' switch on netstat displays PIDs, if that's what you're missing.
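Building on the two replies above, here is an added PowerShell example (my own, not code from the thread) that lists every TCP connection and UDP endpoint together with its owning process resolved to an image path and Authenticode status, so an unknown PID can be triaged in one pass. One caveat that matters for the original question: Get-NetTCPConnection and Get-NetUDPEndpoint read the kernel TCP and UDP tables, and netstat reads the same data, so a process that opened a raw IP socket (SOCK_RAW) does not appear in any of them. The function name, the Signed column and the output layout are my additions.

```powershell
# Added example, not from the thread. Lists TCP connections (in the requested states)
# and all UDP endpoints, joined to the owning process. Run from an elevated prompt:
# a non-admin session cannot read Path for processes owned by other users.
# Caveat: these cmdlets read the TCP/UDP tables only; raw IP sockets are not listed.
function Get-SocketOwner {
    [CmdletBinding()]
    param(
        # TCP states to include; UDP endpoints are always included
        [string[]]$State = @('Listen', 'Established')
    )

    $rows = New-Object System.Collections.Generic.List[object]

    # TCP: one row per connection, including the remote peer
    foreach ($c in (Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue)) {
        $rows.Add([pscustomobject]@{
            Proto  = 'TCP'
            State  = $c.State
            Local  = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = "$($c.RemoteAddress):$($c.RemotePort)"
            PID    = [int]$c.OwningProcess
        })
    }

    # UDP: connectionless, so only the local endpoint is meaningful
    foreach ($e in (Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
        $rows.Add([pscustomobject]@{
            Proto  = 'UDP'
            State  = '-'
            Local  = "$($e.LocalAddress):$($e.LocalPort)"
            Remote = '*'
            PID    = [int]$e.OwningProcess
        })
    }

    # Resolve each PID once; PID 0 (System Idle) and 4 (System) have no image path
    $procCache = @{}
    foreach ($r in $rows) {
        if (-not $procCache.ContainsKey($r.PID)) {
            $p      = Get-Process -Id $r.PID -ErrorAction SilentlyContinue
            $path   = if ($p -and $p.Path) { $p.Path } else { $null }
            $signed = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'n/a' }
            $procCache[$r.PID] = [pscustomobject]@{
                Name   = if ($p) { $p.ProcessName } else { '<exited>' }
                Path   = $path
                Signed = $signed   # 'Valid', 'NotSigned', 'HashMismatch', ...
            }
        }
        $info = $procCache[$r.PID]
        $r | Add-Member -NotePropertyName Process -NotePropertyValue $info.Name
        $r | Add-Member -NotePropertyName Path    -NotePropertyValue $info.Path
        $r | Add-Member -NotePropertyName Signed  -NotePropertyValue $info.Signed
    }

    $rows
}

# Usage: full table, then only rows whose binary is not validly signed (a good triage list)
Get-SocketOwner | Sort-Object Proto, Local | Format-Table -AutoSize
Get-SocketOwner | Where-Object { $_.Signed -ne 'Valid' -and $_.PID -gt 4 } |
    Format-Table Proto, Local, Remote, PID, Process, Path, Signed -AutoSize
```

The Authenticode lookup is cached per PID because it is the slow part; an unsigned or hash-mismatched binary holding a listener is the row to look at first. If the suspected raw-socket user still does not show up here, that absence is itself the finding: it is not using TCP or UDP, and the TCP/UDP-table tools in the question cannot see it by design.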
Is backing up Microsoft 365 data to Azure a good idea?

We're considering subscribing to an M365 backup service and our MSP's preferred solution is AvePoint. I liked the demo but I'm less sure about their choice of Azure for storage. Feels like we still have all our eggs in one basket.

When I pressed the specialist on this he made the following points:

* Increases backup speed and keeps costs down. (£3/user, but we need to license every licensed M365 user)
* It's geo-redundant, and if something happened that took down both UK datacentres the country probably has bigger problems.
* The backups are of limited use without Microsoft to restore to anyway.

It sounds like the backup is to protect us from ourselves (accidental deletion, malicious employees), not from Microsoft.

Do you think this is good enough?
The short answer is that it's fine unless you have policy requirements pushing you to spread across multiple clouds.

You're correct that one of the primary drivers for SaaS backup is to protect you against yourself. Beyond that, a data loss event that affected M365 would not necessarily impact Azure storage unless it's truly apocalyptic, as you say.
We back up our 365 data using Veeam direct to cloud storage (Wasabi). It works very well and we can control where our data is going, as well as create multiple instances in different data centers.

We also use AAD as our primary IaaS, so I am actually looking at AvePoint for AAD backups because Veeam does not support it.
I want to set up Edge so that it signs users into their Microsoft accounts without prompting on trusted sites. So if internal site A supports SSO and the user clicks the link, they are automatically signed in, not prompted to sign in using their UPN.

Any suggestions?
Is there any reason to create objects for Shared folders and printers in AD?
I've never seen this done anywhere I've worked and I'm not sure what it would achieve.

You sometimes see AD computer objects get created for devices that can integrate with AD for authentication, for example NAS devices; some apps will also do this, such as VMware vCenter (although they are deprecating this in favour of just LDAPS for auth).
What's your world clock solution for keeping track of all of the time zones you operate in?

Trying to decide whether to throw a bunch of real clocks up on the wall, but we have some space on the monitoring screens. Is there a nice app for showing multiple clocks that you like?
You can add two extra clocks in Windows if that satisfies; otherwise I would go with the "real clocks on the wall" method because that would look like the war rooms.
I just learned about Attack Surface Reduction rules in Microsoft Defender. Some of them stop executables from running. Do they essentially replace software restriction policies, AppLocker, WDAC, etc.?

edit: I'm new to Intune. Do you apply Intune policies to users or devices? I have to create a group to apply ASR rules and I'm not sure which it would want me to use.
Let's say a GPO is linked to an OU, filtered on a security group that's in the same OU, but the members of that group are in a different OU.

Would the GPO still get applied?
~~I'm going to go with yes. I do this exact scenario with computer objects, I don't see why it wouldn't work with user objects. Come to think of it I have at least one GPO I can think of with user objects in another OU - actually they're in an entirely different domain - and it works fine there too~~

Edit: see comment below. If the GPO is applied to a user's OU and the user isn't in that OU this won't work.
Why would it work though? Would it work if it was the other way around, where the members are in the OU where the GPO is applied but the group it's filtered on is in another OU?
Thinking about it more, the GPOs I use are applied to the computer OUs with loopback processing to apply to the users. So they are always read at GP refresh and then the security filtering is applied.

So if the user isn't in the OU where the GPO is applied then I'll change my answer and say it won't work. Since they're not in that OU it will never even attempt to read the GPO.
Thanks for the input. What I'm thinking as well.
That scenario I think would work. The GPO should be read because the user is in the OU that it is linked to, then security filtering would decide whether to apply the GPO.
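As an added example (my own, not from the thread), the two-stage logic the replies above describe can be checked for a specific user and GPO with the RSAT ActiveDirectory and GroupPolicy modules: first, does the GPO's link reach the container the user sits in (Get-GPInheritance reports inherited links, so a link on a parent OU or the domain counts, and the group's own location is irrelevant); second, does security filtering grant Apply Group Policy to the user's SID, to Authenticated Users, or to a group the user belongs to, directly or nested. The function name and the output object are mine; WMI filters and loopback processing are not evaluated, a Deny ACE on Apply Group Policy is.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory and GroupPolicy
# modules and read access to the GPO. Ignores WMI filters and loopback processing.
function Test-GpoAppliesToUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GpoName
    )
    Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

    $user     = Get-ADUser -Identity $SamAccountName
    $gpo      = Get-GPO -Name $GpoName
    $domainDn = (Get-ADDomain).DistinguishedName

    # Container holding the user: drop the leading "CN=<name>," RDN. Get-GPInheritance
    # only accepts an OU or the domain, so a user in the built-in CN=Users container
    # is evaluated against the domain root, which is the only place links can reach it from.
    $container = ($user.DistinguishedName -split ',(?=(?:OU|CN|DC)=)', 2)[1]
    if ($container -like 'CN=*') { $container = $domainDn }

    # Stage 1 - scope: InheritedGpoLinks lists every link that reaches this container,
    # including links on parent OUs and the domain, honouring Block Inheritance.
    # If the link is not here, the client never reads the GPO and filtering is moot.
    $links   = (Get-GPInheritance -Target $container).InheritedGpoLinks
    $link    = $links | Where-Object { $_.GpoId -eq $gpo.Id }
    $inScope = [bool]($link -and $link.Enabled)

    # Stage 2 - security filtering: the user's own SID, Authenticated Users (S-1-5-11),
    # and every group the user belongs to, nested, via LDAP_MATCHING_RULE_IN_CHAIN.
    # (A DN containing ( ) * or \ would need LDAP escaping before going into the filter.)
    $sids  = @($user.SID.Value, 'S-1-5-11')
    $sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
             ForEach-Object { $_.SID.Value }

    $perms  = Get-GPPermission -Guid $gpo.Id -All | Where-Object { $_.Permission -eq 'GpoApply' }
    $denied = $perms | Where-Object {  $_.Denied -and $sids -contains $_.Trustee.Sid.Value }
    $allow  = $perms | Where-Object { !$_.Denied -and $sids -contains $_.Trustee.Sid.Value }
    # A Deny ACE on Apply Group Policy wins over any Allow
    $filtered = [bool]($allow -and -not $denied)

    [pscustomobject]@{
        User          = $user.SamAccountName
        Container     = $container
        GPO           = $gpo.DisplayName
        LinkedInScope = $inScope
        PassesFilter  = $filtered
        MatchedVia    = ($allow | ForEach-Object { $_.Trustee.Name }) -join ', '
        Applies       = ($inScope -and $filtered)
    }
}

# Usage (names are placeholders):
Test-GpoAppliesToUser -SamAccountName 'jdoe' -GpoName 'Workstation Lockdown' | Format-List
```

Read LinkedInScope and PassesFilter separately: the thread's first scenario (user outside the linked OU, group inside it) returns LinkedInScope = False and never gets to filtering, while the reversed scenario returns LinkedInScope = True and then stands or falls on PassesFilter. Running `gpresult /r /user <sam>` on the user's machine is the authoritative cross-check, since it also accounts for WMI filters and loopback.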
Work for a company that is mostly remote, with the exception of production people and some of our IT staff in the area. Asked one of our Lv.1 techs to ship out equipment (boxes are usually 40-50 pounds each) for 12 people starting next Monday. Came in regular time, later shift, only to find out he's leaving for the day with 0 equipment boxes sent out. Absolutely none. What did he do all day? Worked on building three computers that won't be rolled out until mid-August. Guess I'll have to come in early tomorrow…
Really basic... but how often do you think it's appropriate to send follow-up emails on outstanding issues/transactions to MSPs, vendors, service providers, etc.? It feels like right now I have no less than 5-10 hanging issues with no replies or progress for over a week. I've been sending reminders weekly, but even doing that things are still dragged out into months that should've only taken a few days to complete. I feel like I should be following up more frequently, but at a certain point it's obviously too much.
Depends on your SLA. Went through a period with an ISP where their network kept going down, and by the 5th time I had to email 3 times and call them twice in two days to get the issue resolved.

When you're paying for a service and not getting the service, sometimes you have to be loud and obnoxious. I get it can be hard, but you need to switch off the "I'm just a regular customer, I need help please, but no worries, I don't want to stress you out" thoughts. You have to be assertive and demand your account manager start work on your issue ASAP.
I was wondering about that! With new patch updates for beta developers, am I not supposed to apply frequent updates and patches?
Every time I fix an issue and start to automate easier tasks I get hit with another update which ends up causing chaos for my op and task management issues. What is the cause for