Paul Bendall

#Crowdstrike recovery, and something to bookmark even if you weren't impacted today

Thanks for the advice

Struggling to understand or get an explanation from MS for the #LAPS setting introduced in Win 11 24H2. "Short words with unique prefixes" doesn't seem to do what it says on the tin and the docs don't explain exactly what it should do. Help! @12Knocksinna @NathanMcNulty

DynamoDB documentation suggests in supports high availability to other regions. So did many orgs not bother with HA, or did we discover just discover a SPOF 🤔

@AwakenedOf The reports I've seen state that the server outage suffered by AWS related to a data centre in the US and DynamoDB. Why is Gov. gateway tied to a data centre in the US when according to AWS documentation DynamoDB is multi-region and with fail over capabilities to other regions?

Morning all. You probably know that Amazon Web Server (AWS) is down affecting multiple services AWS hosts Gov One Login, the UK's single sign-on system for government services It's lucky that govt isn't trying to get us all on one Login isn't it 🙄 (sarcasm alert)

@LloydsBank If you are an Android user you may need to Force Stop the #lloyds bank app in Android settings. As of 12:00 the app is now working for me after I forced stopped. Reloading or retrying was failing. #AWS reported root cause "fix" with improvements an hour ago

You may have seen reports of issues with Amazon Web Services affecting a number of websites and apps across the UK today. We know this is impacting some of our services right now. We're sorry about this. Please bear with us as we investigate this.

@UK_Daniel_Card Interesting... Quick read of DynamoDB states it has multi-region support. So the follow-up question is why so impactful? Are other Amazon services reliant on DynamoDB and they aren't multi-region implemented. Or, have the effected orgs.not deployed multi-region support?

It looks like amazon (Amazon DynamoDB) are having a problem which appears to have affected loads of services! #everythingisdownrightnow #IsTheWebsitedown #Amazon #Internet #Outages health.aws.amazon.com/health/status

@ClarksonsFarm1 Yes, but also don't stop there.. Should clearly state grass fed, organic. Ban the use of ficticious farms that suggest small scale family owned when they are industrial, and only permit the use of the Union flag if the animal was raised, culled and butchered solely in the UK.

@NathanMcNulty @proximityNZ Love it. I used to have a Cerberus figure on my desk

@proximityNZ On my desk right now :)

What the... 🐉?

If you are an Uber eats user then please stop. Simply stop using them.

Wishing my Godmother @purpleglostick a wonderful birthday. I hope have an enjoyable day 🎂🎁🎉🎂😻

Last week I covered computer accounts, so this week let's talk about user accounts. There are several different types of user accounts - at least how they are used. There are standard user accounts, service accounts, and admin accounts. There are numerous user account settings that can make them vulnerable. These configurations include: * Inactive - account has not logged on or changed the password in over 180 days which may flag this account as inactive/stale - Accounts known to be inactive should be disabled. * Reversible encryption - effectively clear-text on DCs - there's no reason for this to be set. * Password not required - account may not have an associated password - possibly set by provisioning system - There's no reason for this to be set. * Password never expires - password very likely to be old - should not be set on standard user accounts. * Kerberos DES encryption enabled - DES is a weaker encryption method which enables faster password brute-forcing. There's no reason for this to be set. * Account does not require Kerberos pre-authentication - enables a trivial attack method for discovering the account's password (AS-REProasting). May have been set for a compatibility issue with an application. Kerberos pre-authentication should always be required. * Account cannot change password - password may not change. Standard user accounts should not have this set. Attackers will look for these configurations, so best to review and adjust regularly. Admin accounts and service accounts require additional protection above and beyond standard user accounts. PowerShell Code (using the Active Directory PowerShell module): github.com/PyroTek3/Misc/… $LastLoggedOnDate = $(Get-Date) - $(New-TimeSpan -days 180) $PasswordStaleDate = $(Get-Date) - $(New-TimeSpan -days 180) $ADLimitedProperties = @("Name","Enabled","SAMAccountname","DisplayName","Enabled","LastLogonDate","PasswordLastSet", "PasswordNeverExpires","PasswordNotRequired","PasswordExpired","SmartcardLogonRequired","AccountExpirationDate", "AdminCount","Created","Modified","LastBadPasswordAttempt","badpwdcount","mail","CanonicalName","DistinguishedName", "ServicePrincipalName","SIDHistory","PrimaryGroupID","UserAccountControl","DoesNotRequirePreAuth") [array]$DomainUsers = Get-ADUser -Filter * -Property $ADLimitedProperties [array]$DomainEnabledUsers = $DomainUsers | Where {$_.Enabled -eq $True } [array]$DomainEnabledInactiveUsers = $DomainEnabledUsers | Where { ($_.LastLogonDate -le $LastLoggedOnDate) -AND ($_.PasswordLastSet -le $PasswordStaleDate) } [array]$DomainUsersWithReversibleEncryptionPasswordArray = $DomainUsers | Where { $_.UserAccountControl -band 0x0080 } [array]$DomainUserPasswordNotRequiredArray = $DomainUsers | Where {$_.PasswordNotRequired -eq $True} [array]$DomainUserPasswordNeverExpiresArray = $DomainUsers | Where {$_.PasswordNeverExpires -eq $True} [array]$DomainKerberosDESUsersArray = $DomainUsers | Where { $_.UserAccountControl -band 0x200000 } [array]$DomainUserDoesNotRequirePreAuthArray = $DomainUsers | Where {$_.DoesNotRequirePreAuth -eq $True} [array]$DomainUsersWithSIDHistoryArray = $DomainUsers | Where {$_.SIDHistory -like "*"} Write-Host "Total Users: $($DomainUsers.Count)" Write-Host "Enabled Users: $($DomainEnabledUsers.Count)" Write-Host "`nEnabled Users Identified as Inactive: $($DomainEnabledInactiveUsers.Count)" Write-Host "Enabled Users With Reversible Encryption Password: $($DomainUsersWithReversibleEncryptionPasswordArray.Count)" Write-Host "Enabled Users With Password Not Required: $($DomainUserPasswordNotRequiredArray.Count)" Write-Host "Enabled Users With Password Never Expires: $($DomainUserPasswordNeverExpiresArray.Count)" Write-Host "Enabled Users With Kerberos DES: $($DomainKerberosDESUsersArray.Count)" Write-Host "Enabled Users That Do Not Require Kerberos Pre-Authentication: $($DomainUserDoesNotRequirePreAuthArray.Count)" Write-Host "Enabled Users With SID History: $($DomainUsersWithSIDHistoryArray.Count)" Write-Host "`nReview & clean up as appropriate" #ActiveDirectorySecurityTip

@NoFarmsNoFoods Pet hate is false advertising designed to mislead people. Along with other terms that suggest higher quality and lower processing. The Arianne Apple variety has been scientifically developed over decades rather than a product of natural selection over centuries. Buyer beware

Tesco Rosedene Farms apples. It gives off the impression of being a British farm, but the apples are often not from Britain, but from France. It’s time to end supermarket farmwashing that cons shoppers into thinking they are buying British food, when it’s foreign food.

@Lizzabuth @NoFarmsNoFoods Air miles measured in feet. Just can't beat it.

@NoFarmsNoFoods I've just collected some apples and pears from my garden. They are delicious so much more tasty than the French ones

@NathanMcNulty @maaverix Totally agree with you on the Bitlocker PIN. Balance between usability and security just annoys users, increases calls without any real security improvement. Now if your following a tiering model then maybe for higher privileged users.

@maaverix Not really a big fan of BitLocker PIN if TPM is in the CPU, but I get it :p The only way you could really make them use different PINs would be to only allow numeric for one (like BitLocker) and then require something more for WHfB where the PIN from BitLocker wouldn't work

@NathanMcNulty Any recommended guidance on the use of PINs for BitLocker & WHfB? Should these be numeric or alphanumeric? While alphanumeric PINs may enhance complexity, they could also resemble passwords, potentially leading to reuse existing passwords or choose weaker ones.

@UK_Daniel_Card I have come to the same conclusion. Previously my view on personal VPN was that it was OK if you wanted to bypass game and video controls. Now I'm like it's a must for privacy and mitigate identity risks.

I can believe it…… (but don’t kick our IC peeps too fast! It’s a complex world) Careful where put ur data UK tweeps! But also…. VPNs etc are now a must. I’m one of the historically biggest not a fan of commercial VPNs in the community I think…….. Now I’m at a point of saying: vpn everything….. but I’m hesitant….. 😬 this stuff needs thought. So today I’d say: use a VPN when you need to. And be careful which ones you trust.

@12Knocksinna @NathanMcNulty Thank you for looking, it confirms I haven't missed something obvious

@paulbendall @NathanMcNulty I don't see anything obvious popping out at me.

Does anyone know if, and if so the parameter name, in #EntraID for accounts to periodically review SSPR settings? @NathanMcNulty @12Knocksinna

@12Knocksinna @NathanMcNulty No. I was guessing it might be exposed in MS Graph, possibly Beta version of userRegistrationDetails. But it doesn't look like it is. The current client is set to 180 days so I was expecting a property like last confirmation date

@paulbendall @NathanMcNulty Do you have an API or cmdlet name? Or is this just a question if an API exists?

The government: “Give us your photo ID and credit card details if you want to access adult websites. They will kept confidential.” Also the government: “We accidentally sent the names of 20,000 enemies of the Taliban to the Taliban.”

Just a few minutes after the Online Safety Act went into effect last night, Proton VPN signups originating in the UK surged by more than 1,400%. Unlike previous surges, this one is sustained, and is significantly higher than when France lost access to adult content.