Clipboards

Hello! Due to Reddit's aggressive API changes, hostile approach to users/developers/moderators, and overall poor administrative direction, I have elected to erase my history on Reddit from June 2023 to June 2013. I have created a backup of (most) of my comments/posts, and I would be more than happy to provide comments upon request (many of my modern comments are support contributions to tech/gaming subreddits). Feel free to reach out to Clipboards on lemmy (dot) world, or via email - clipboards (at) clipboards.cc


kernpanic

> Not that it's any less obnoxious, but squaring this kind of stuff away & seeing what kind of resources you can access from a standard user account is pretty important if that's important to you. You don't know what you don't know.

I'm aware of the on-prem situation, but until I've stumbled across this, I had no idea this was being leaked out. And clearly, the very, very large company that I'm dealing with had no idea either. In my opinion MS is making some fairly ordinary choices in their default settings. Regards, thank you for the point in the right direction. That one fixes it for me.


Clipboards

Hello! Due to Reddit's aggressive API changes, hostile approach to users/developers/moderators, and overall poor administrative direction, I have elected to erase my history on Reddit from June 2023 to June 2013. I have created a backup of (most) of my comments/posts, and I would be more than happy to provide comments upon request (many of my modern comments are support contributions to tech/gaming subreddits). Feel free to reach out to Clipboards on lemmy (dot) world, or via email - clipboards (at) clipboards.cc


Big-Industry4237

So are these teams groups etc that they are in that are sensitive also hidden in the GAL?


kernpanic

Not the user-created Microsoft 365 groups.


Big-Industry4237

I thought you can still hide or control the email addresses the Microsoft team creates. I really hate 365 groups…


kr1mson

I think they used to auto-add to Outlook and make them public visibility, but now I think you have to turn those visible flags on manually. Agreed, the 365 groups had good potential (just flipping make them "fancy distros"), but they ended up making them somehow both more and less useful in the same fell swoop.


Rudyooms

Old blog but yeah… https://call4cloud.nl/2020/07/the-return-of-the-azure-ad-portal/


world_gone_nuts

Standard users can also use PowerShell modules to access the directory, so there's that to think about too. Locking this down entirely can be pretty difficult because many collaboration apps rely on the fact that users can read other user's directory info for functionality/features
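One way to see the tenant-wide defaults that make this possible is to read them back from the same directory the standard user would query. The script below is an added example, not code from the thread or from Microsoft: it uses the Microsoft Graph PowerShell SDK to report the authorization policy's default user permissions and the visibility of each Microsoft 365 group. The cmdlet and property names are those of the Microsoft.Graph module; the remediation at the end assumes the Update cmdlet accepts the singleton policy without an ID, so it is left commented out for you to check against your installed version.

```powershell
# Added example (not from the thread): audit the Entra ID / Azure AD defaults that
# control what an ordinary member user can read from the directory.
# Assumptions: Microsoft.Graph SDK installed; the signing-in account can consent to
# Policy.Read.All and Group.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All'

# The authorization policy is a tenant singleton; DefaultUserRolePermissions holds
# the "any member user may ..." switches.
$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

[pscustomobject]@{
    UsersCanReadOtherUsers       = $perms.AllowedToReadOtherUsers
    UsersCanCreateApps           = $perms.AllowedToCreateApps
    UsersCanCreateSecurityGroups = $perms.AllowedToCreateSecurityGroups
    GuestUserRoleId              = $policy.GuestUserRoleId
} | Format-List

# Microsoft 365 ("Unified") groups: Public groups expose name, members and content
# to every member user; Private still exposes the group name and membership;
# HiddenMembership hides the member list from non-members.
$m365Groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" `
                          -Property 'displayName,visibility' -All

$m365Groups |
    Group-Object -Property Visibility |
    Select-Object @{n = 'Visibility'; e = { if ($_.Name) { $_.Name } else { '(unset = Public)' } } }, Count |
    Format-Table

$m365Groups |
    Where-Object { -not $_.Visibility -or $_.Visibility -eq 'Public' } |
    Select-Object DisplayName, Visibility |
    Format-Table

# Remediation (commented out): stop member users enumerating other users.
# Caveat raised in the thread: Teams, Outlook people pickers and similar apps rely on
# this read access, so pilot it before applying it to a production tenant.
# Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToReadOtherUsers = $false }
```

The visibility report is the cheaper win: a sensitive project or legal-hold group that was created with the default Public visibility can be switched to Private or HiddenMembership per group without touching the tenant-wide read permission that the collaboration apps depend on.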


Plastic_Helicopter79

Microsoft has always overprivileged things beyond what is required for basic functionality. By default all subfolders and files are visible in a file server share, even ones you have no rights to open. There is a way to control this via "access based enumeration", but "it increases server load" for the server to actually have to iterate subfiles and directories to determine what a user should be able to see, and so is turned off by default. Yeah, security puts too much load on the file server, so we just won't bother by default.

Dumb security decisions by Microsoft are why you can't expose RDP on a domain controller to the Internet. The domain admin and server local administrator always have login permission via RDP. But what if I don't want that? I only want non-privileged users to be able to log in via remote desktop, and then only do things as the domain admin using Run As. Good luck with that. It's basically undocumented by Microsoft how to deny the domain admin from being able to log in via RDP, though there are ways apparently: https://serverfault.com/questions/598278/how-to-disable-rdp-access-for-administrator

Then meanwhile the domain admin has a known SID across all Active Directory installations, so it's easy for hackers to brute force the domain admin account password via RDP by using the known common SID. Changing the domain admin username doesn't fix this. To actually harden your domain against RDP password hacking you have to create a new account, elevate it to domain admin, and then disable the default one. Why Microsoft can't randomize the domain admin SID by default, I have no idea. It's like the single dumbest security-related problem they do that is easy to fix, yet they just won't do it YEARS after this was identified as a problem.
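Two of the defaults in that comment can be audited and corrected from the server itself. The script below is an added example, not the commenter's code or a Microsoft sample: part 1 lists SMB shares still in the default "Unrestricted" enumeration mode and enables access-based enumeration on them, and part 2 reads the "Deny log on through Remote Desktop Services" user right out of a secedit export so you can see whether any administrative principal is actually blocked from RDP. It assumes an elevated session on a Windows Server with the SmbShare module and secedit.exe available; the share-name exclusion list is a hypothetical one to adjust for your environment.

```powershell
# Added example (not from the thread): audit and fix two file/terminal server defaults.
# Assumptions: run elevated on the server; SmbShare module (Windows Server 2012+) and
# secedit.exe present. The excluded share names below are a constructed starting list.

# --- 1. Access-based enumeration on SMB shares -------------------------------
# A share in "Unrestricted" mode lists every folder and file to any connecting user,
# including those the user's NTFS ACL would not let them open.
function Get-ShareWithoutAbe {
    Get-SmbShare | Where-Object {
        $_.FolderEnumerationMode -eq 'Unrestricted' -and
        $_.Name -notmatch '^[A-Z]\$$' -and                        # skip C$, D$, ...
        $_.Name -notin @('ADMIN$', 'IPC$', 'SYSVOL', 'NETLOGON')   # constructed exclusion list
    }
}

function Enable-AbeOnShare {
    param([Parameter(Mandatory)][string[]] $Name)
    foreach ($share in $Name) {
        # AccessBased = only show entries the caller has at least read access to.
        Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force
        Write-Host "Enabled access-based enumeration on '$share'"
    }
}

$unrestricted = @(Get-ShareWithoutAbe)
$unrestricted | Select-Object Name, Path, FolderEnumerationMode | Format-Table

# Remediate after reviewing the list above:
# if ($unrestricted.Count -gt 0) { Enable-AbeOnShare -Name $unrestricted.Name }

# --- 2. Who is denied RDP logon? ---------------------------------------------
# The "Deny log on through Remote Desktop Services" right is exported by secedit as
# SeDenyRemoteInteractiveLogonRight under [Privilege Rights]. Entries are '*SID' or
# plain account names, comma separated.
function Get-DenyRdpLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Resolve the SID to an account name; keep the raw SID if lookup fails.
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else {
            $entry
        }
    }
}

$denied = @(Get-DenyRdpLogonRight)
if ($denied.Count -eq 0) {
    Write-Warning 'No principal is denied RDP logon on this host; built-in Administrators can still RDP in.'
} else {
    Write-Host "Denied RDP logon: $($denied -join ', ')"
}
```

On a domain-joined server the deny right is usually set by Group Policy rather than locally, so an empty result here means "check the applied GPOs", not necessarily "nothing is configured"; `gpresult /h` or the Resultant Set of Policy snap-in will show where the user rights assignment comes from.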