Posts by Danny 14 4301 publicly visible posts • joined 15 Jun 2009
the core issue is that users can still invoke powershell remotely. They might not be allowed to do anything but it still starts the process, if there is an exploit in the process itself then this will instantly give you access as the process starts pre-authentication.
It is like unlocking your front door, letting the person into your house and THEN checking their ID hoping they dont know how to walk around you.
see this is a great approach till I read this:
https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps
Especially THIS bit:
"By default, all user accounts have access to remote PowerShell. "
Wait what? It is qualified by:
"However, to actually use remote PowerShell to connect to an Exchange server, the user needs to be a member of a management role group, or be directly assigned a management role that enables the user to run Exchange cmdlets. "
Riiiight. So how about doing THIS instead:
USER->SERVER: Hi, I want to use powershell, totally not to pwn the server
SERVER->USER: credentials please.
USER->SERVER: No
SERVER->USER: .......
rather than
USER->SERVER: Hi, I want to use powershell, totally not to pwn the server
SERVER->USER: sure, here is powershell, please log in.
USER->SERVER: <sends exploit instead of powershell credentials>
And the fix? Surely you could set the default to deny and allow a select few? Nope! You cant set a default, you need to explicitly deny individual users! Insane.
We run hybrid so need an exchange server for management, however the exchange server is nicely locked away on its own subnet, external access is only granted from microsoft 365 IPs, not perfect but stops others knocking on the door.
to be fair though, education licensing is cheap. Even with no money you can have free office 365 with petabytes of storage plus google classroom and free veeam community editiin backing up to immutable storage.
pfsense with snort and pfblocker is free.
Ive worked for schools with no money and it is possible to keep a secure environment.
the truth is probably far more simple. He thought he could win quickly. He wants to make Russia great again. Hes been told that his army is fantastic with wonderful new tanks that are much better. The airforce is excellent, navy is fantastic, troops are in excellent condition. In short Russia is poised to be a superpower comrade. Eat Ukraine and unite the motherland. Europe will cower behind the might of our gas wielding state.
The truth is that Ukrainian farmers with tractors have more backbone and that the war ia going really really badly.
Noone has dared tell Putin this yet.
this is the part ive never understood. I used facebook and twitter with a disposable account for times I have no choice - ive needed ot to pull information on companies, speedier support (!) and contacting long lost friends for their proper contact information.
What always amazed me was the amount of personal information people voluntarily put on there for the world to see, moat of it fairly "look at me and what ive done" or worst still their kids (who have had no say bit will now have their info put on the net for them).
so you are likening civilians poisoning russian soldiers vs those same russian soldier lining up a villiage, raping mothers in front of their daughters, hacking limbs off people and pulling tongues out of people who would not say that the russians were welcome?
There is something wrong with you.
2016,2019, 365 and 2021 are all the same codebase. Even the registry keys and files are the same. 2016 isnt click to run so there are minor differences.
365 gets a few tweaks such as stream integration, live subtitle translations, autosave to cloud (2021 has this too).
The funny thing is, our users get all sorts of splashscreens, 2019, 2021 and 365. They dont even log this as tickets any longer.
enterprise kit. Errrr, have you seen the shitstorm after every firmware update? They even had one update that bricked your APs if you were using 4 SSIDs *and refused to replace them if you were out of warranty.
Have you tried adding your own ssl cert through the gui? Letsencrypt?
Powercycle their controllers that dont have journaling enabled, thats fun. Unless you have the new ones with a battery in them (so you have 18 hours to fix the power before they too power off without journaling)
the stuff is barely good enough for a campsite never mind enterprise.
unifi stuff is bargain basement. Looks good on paper and works well until you update the firmware. then you need a degree in googlefu to fix.
Simple tasks such as setting a proper ssl cert can only be done by rwcompiling a jks file via ssh Im sure a mom and pop outfit love that dont ask about letsencrypt support.
Their original controllers shipped with no journaling on their mongodb, so powwr outage killed the controllwr each time. Their second revision fixed this by adding a battery. you cant even make that stuff up. product lines are killed with little notice.
Their AP range used to be ok but i wouldnt touch them with a barge pole now.
not if the 500 phone has a 450worth kardashian label on it.
Depends on the 30 whiskey, ive had some bad "local" nolabel and some really good local nolabel stuff.
beats audio is shite, you pay for the label but is consistently more expensive.
Dell XPS line has almost the same components as an asus ROG line but is twice as expensive with the same level of basic RTB support (im not talking about adding on the onsite support: apples with apples)
They can spy via MitM. So now your browser trusts that KremlinTech has signed your webserver cert and is a trusted RootAuth. If they decided to MitM at KremlinISP the client will be presented with KremlinTech cert, which is trusted by the client.
Not totally invisible but much easier.
It also makes it much easier for the rst of us to put the cert in the bin where it belongs.
The problem is, what are they going to pay China with? Most likely cheap oil and gas. This will then free up global supplies for the rest of the world. China will go back to cheap manufacturing having had Russia over a barrel (literally). They will also gladly sell Russia knock off chips, parts, cars etc. Proxy state almost.
super hornets even had their transponders on yesterday flying CAP on Romanian border. Plenty UH60's going backwards and forwards too. It was decent enough to see the usual stratotanker lining up with a pair of hornets.
Seems the sky fuel trucks have an 8 hour shift too, as they cross over on the way back to Ramstein after 6.5 hours on station.
My mum is addicted to watching them, she got a nice picture of a pair of hercules circling to drop height, flying towards the border then the transponders went dark. She's an ex RAF SGT from the 50's and still has her marbles.
I was lucky enough to visit Moscow in the iron curtain years, it was a business trip at the time (not a necessary one, more of a "fancy a jolly" one. My only real knowledge of Russia in the late 80's was from watching films like Firefox etc.
TBH it felt fairly safe and just like many other large cities, I managed to get some nice photos and had an interesting midweek there.
There is no way I would have gone back in the past decade.
That was what I thought initially. Vlad thinking "I will invade Ukraine, absorb it into new found Peoples Democratic Republic of Russia all because I dont want NATO on my border". Then all of a sudden realises that NATO is next door.
Correct me if im wrong but I havent seen any massive major levelling of Palestinian *cities* by daily artillery, air strikes, missile strikes - all after a condemnation by the international community?
I cant seem to remember the US or UK doing so either.
oh im sure the US are looking at the stats and Russian response times. I bet it has been an ELINT fest. Looking at flightradar et al there have been so many AWACS, drones, sniffer planes flying along the border it will have been an intelligence feast.
The problem is, this is all on the backs of the poor Ukranians who are getting the shit kicked out of them, and not just the military.
Here is hoping some of his cronies end up being poor and taking it out on Vlad.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
