Posts by Darkk

18 publicly visible posts • joined 30 Aug 2018

Fortinet squashes hijack-my-VPN bug in FortiOS gear

Darkk

The biggest issue I have with Fortinet is that they're releasing FortiOS with new features before it's ready. Now we have like 4 trains of FortiOS and all of them have bugs one way or another. Lucky for us I turned off SSL-VPN back in December when Fortinet tech support refused to issue a patch on an older FortiOS V6.0 as I wasn't ready to upgrade from V6 to V7. Ironically enough they did release a patched version of FortiOS v6.0 the other day for this vulnerability which I was able to apply.

If Fortinet keeps this up and with their ever high prices of their security subscriptions I will be forced to look for alternatives.

I've deployed several Netgate's pfSense appliances for remote offices and been happy with them. I use pfSense at home as well on a repurposed Dell desktop PC.

Another Debian dust-up with Firefox dependencies – but there is an annoying and awkward workaround

Darkk

I am using Linux Mint on my laptop as well and my version of FF is showing v.95. However, being Mint for what it is they probably grabbed the latest version from Mozilla and compiled it to make it work with Mint.

I will have to check my Debian 11 with KDE workstation later to see what version of FF is installed.

Log4j RCE: Emergency patch issued to plug critical auth-free code execution hole in widely used logging utility

Darkk

VMware is a mess

If you manage a large VMware infrastructure you're in for LONG hours in patching all those VMware appliances such as vCenter and vReplication Appliance. Currently VMware don't have a patch available so have to use command line workarounds.

So far the only saving grace is that the vSphere ESXi host servers aren't affected by this.

VMware recalls full vSphere update over driver dramas

Darkk

Lucky we're still on 7.0 Update 2d despite the warning of security issues and wanting us to upgrade to U3. I held off on the upgrade as was dealing with odd vCenter SSL cert issues and the stupid failed update from the previous version. Lucky it was an easy fix but made me wary of upgrading to anything new right now.

Riverbed Technologies files for Chapter 11 bankruptcy protection following pandemic 'headwinds'

Darkk

Riverbed was great back in the day when most companies could only get 1.5MB T1 connections for site to site VPNs. This is where Riverbed shines. Now we're into gigabit speeds on the cheap it doesn't make too much sense anymore to use their products.

VMware's divorce from Dell is complete: Virtualization giant now a separate biz with $64bn valuation

Darkk

Or take a look at Proxmox.

Facebook, WhatsApp, Instagram deplatform themselves: Services down globally

Darkk

I felt a great disturbance in the Force. As if millions of voices cried out in terror, and were suddenly silenced. I fear something terrible has happened.

The PrintNightmare continues: Microsoft confirms presence of vulnerable code in all versions of Windows

Darkk

Re: The solution to rule them all ... in that situation

This will ONLY work if you don't have Microsoft Exchange in your domain.

Darkk

Re: As much as I like to dump on microsoft a pile...

I have the print spooler disabled on all the DCs in our domain. I suppose I could turn it on once a day to do its maintenance and then disable it until Microsoft push out a patch. Lucky all our DCs are running Server 2019.

Darkk

There are free open source solutions to this if companies don't want to pay $$$ to Microsoft. Hell, you can run a dedicated print server running Linux with CUPS. Windows, Mac and Linux workstations won't know the difference.

One company I've worked for did have print services on DC then later separated that out onto its own server leaving DC strictly for domain controller functions along with DNS and DHCP.

Microsoft emits 83 security fixes – and miscreants are already exploiting one of the vulns in Windows Defender

Darkk

Re: Fug Bixes

Yep and we've been stung too many times with updates forcing us to rebuild the entire computer when the system restore couldn't fix it. I have little faith in Microsoft these days when it comes to updates.

COVID-19 security tips: Ensure you sack your staff without leaving their IT access enabled, says Secureworks

Darkk

Re: Seems reasonable

If you use Remote Desktop Gateway server you can actually disable clipboard, printer and shares. I've tried using FortiGate's web-based RDP which does not support multi-monitors so had to build a Remote Desktop Gateway server and create policies. Then it connects to a real remote desktop server. The idea behind that is VPN client is not needed. They just use the gateway settings in Microsoft's native RDP client and boom you're in.

I've set up restrictions to only allow access to certain resources and the remote desktop servers. So if the hackers tried using an account that does not have the permissions to access the RDP servers they won't be able to log in.

I get why you use your firewall's own SSL-VPN with RDP feature to limit your exposure to Microsoft servers to the internet. Sometimes it limits the users too much from what they need to do.

QUOTE:

"The downside is that there is no possible integration with the local PC so local devices like printers can't be mapped across if you needed to do this."

51 years after humans first set foot on the Moon, a deepfaked Nixon mourns how Armstrong and Aldrin never made it home

Darkk

Re: Alternative fakery

That's no moon...that's a space station!

Log us out: Private equity snaffles Lastpass owner LogMeIn

Darkk

Re: Ouch

Use keyfiles in addition to your password to make it harder to brute force the password alone. I have this on my Android devices, Linux Mint PC and Windows 10 PC.

Darkk

Re: Ouch

I use KeePass for my Android devices, Linux Mint PC and Windows 10 PC. I keep the database sync'd with NextCloud running at home. Works very well.

Disk drives suck less than they did a couple of years ago. Which is nice

Darkk

Plus the fact Enterprise Class hard drives are designed for 24/7/365 operation so as a home user with constant power off and power on will put extra strain on the drive. They're great for NAS / Fileserver running all the time but not so much in a regular PC.

Error pop-up? Don't worry, let's just get this migration done... BTW it's my day off tomorrow

Darkk

Re: been there - done that

"Macros"

Won’t patch systems? Never run malware scans? Welcome to the US State Department!

Darkk

Patch Issues

There is actually no practical excuse for not patching personal computers and servers. Most of our machines are Windows-based and for the most part patches have gone without issues. Although I would have to say July 2018 patches are without problems which gave us grief for a while. I had to suspend patching the machines for July and August to give Microsoft enough time to fix their screwups.

Don't get started on the WSUS server. I've rebuilt that POS thing more times than I care to count. Will have to fork out some $$$ for a real patching server. Lucky for us, however, we already have endpoint security installed on all the machines that we can monitor and take immediate preventive measures if necessary.

There are some critical applications that can break after an update which is any IT's nightmare if patched on a large scale. However, it goes back to my original statement there is no reason NOT to patch at all.