📰 #OIB Windows v3.6 - Post-MMS Edition!
- More 24H2 baseline settings
- New LAPS account management
- M365 Apps Baseline!
Check out the release notes below:
https://t.co/xVKdY9EVe3
Obsidian is now free for work.
Starting today, the Obsidian Commercial license is optional. Anyone can use Obsidian for work, for free. If Obsidian benefits your organization, you can still purchase Commercial licenses to support development.
Nothing else is changing. No account required, no ads, no tracking, no strings attached. Your data remains fully in your control, stored locally in plain text Markdown files. All features are available to you for free without limits.
Why make this change? Simplicity. The Commercial license terms were confusing and added unnecessary complexity to our pricing. Furthermore, as the Obsidian Manifesto states: "we believe that everyone should have the tools to think clearly and organize ideas effectively". This change brings us closer to that principle.
People in over 10,000 organizations use Obsidian. Many work in high-security environments, like government, cybersecurity, and finance. Some of the largest organizations in the world, including Amazon and Google, have thousands of employees using Obsidian every day. These teams rely on Obsidian to think more effectively and keep total ownership over private data.
Previously, people at companies with two or more employees were required to purchase a Commercial license to use Obsidian for work. Going forward, the Commercial license is no longer required, but remains an optional way for organizations to support Obsidian, similar to the Catalyst license for individuals.
Organizations that support Obsidian are now featured on the Obsidian Enterprise page. Your organization can be showcased by purchasing 25 licenses or more.
Along with Commercial and Catalyst support, our add-on services, Sync and Publish help Obsidian remain 100% user-supported. In the future, we hope to offer more services designed for teams. As always, these will be optional.
Please share this far and wide. As far and wide as you can. NIST Password Guidelines for 2024 are in the process of being updated.
This is a HUGE pet-peeve of mine (when vendors in particular are still operating like its 2017 and keep changing passwords every 60 days, STOP DOING THIS, it's outdated and has been shown to put you MORE at risk than less -- NIST explains why it does in this document, meticulously outlining user behavior**) so I'm sharing this in the hopes all of you will pass it along to your bosses.
The Special Publication series governing passwords is SP 800-63 "Digital Identity Guidelines".
The 2024 version is 800-63-4.
Here: https://t.co/oX8YEJHxXg
The companion docs are also on that link. They are 800-63A, 800-63B and 800-63C. These are different documents for different scenarios in play at your org.
The previous update was in2020.
The changes in the 2020 version from the 2017 version were numerous but one of them was that the password verification method should NO LONGER require passwords be changed at specific intervals (i.e. every 60 days) but in the following circumstances instead:
1. After a breach/compromise
2. User request
2024 repeats this and adds a bunch more guidlines but here is a screenshot of page 13 of the new 800-63-4 (note the # 4 after it) which outlines how your systems should now and moving forward, be handling passwords.
This goes for Active Directory, too. All your systems which have passwords should align with these guidelines provided there isn't another standard or framework you must adhere to which overrules this.
Most frameworks, however, have moved away from arbitrary password resets and complexity rules.
**We cybersec researchers and hackers use wordlists from breaches in a variety of different ways. Hackers use them in tooling to crack passwords whereas researchers use breach dumps to see the kinds of passwords users are creating and the psychology behind them.
Using complexity rules gets you the user psychology of:
Password1
Password2
and so on
Use phrasing instead and allow for spaces, which is important. Humans type phrases with spaces. They also mention phish-resistant methods and most vendors are on-board with MS going to be turning off all Legacy Auth next month, across all free accounts and tenancies.
I'm so excited for the new changes!
Ok I'm off my soapbox.
Share the love! Thank you!
I think what non-diabetics really need to understand is that we are on life support. Our natural state is not “able-bodied”and then we eat sugar and that sends us spiraling. Our natural state is that we are dying, and we are actively, manually, 24/7, keeping ourselves alive.
After 37 years of injections moving to the Dexcom G6 and Omnipod 5 for 2 weeks is a game changer. Yesterday I hit 98% time in range and each day it's getting me more control and freedom with my life. #insulet#omnipod#dexcom#closedloop#t1d@parthaskar@DiabeticDadUK
@RicDixon85 G6 and OP5 here too.
Wonderful stuff. Not perfect. Many highs and lows still. But 99% reduction in mental activity over T1, and that's not too be sniffed at
@mcglubber In the water is fine as the seal for the cannula through the skin is nice and tight. And the other end is in the pod.
Found it best to be in the water for no more than 45m then break for an hour or so. Adhesive issues otherwise. Just my experience (Omnipod 5).
ACTIVE DIRECTORY SECURITY TIPS
Here are some additional tips relative to this presentation the first of which would defeat the perps' initial toehold:
1: Remote Desktop Gateway + DUO or other MFA
2: An example of a proper OU structure to visualize what is in the presentation
3: SMB Signing: In cluster settings with earlier than Server 2022 things will break. Use with caution
4: Never use Domain Users for any remote access default group
5: Protect Domain Admin accounts
6: Use MFA/2FA
7: Use a PAW
8: UAC Mandatory with prompt for credentials
One should _never_ expose Remote Desktop 3389 TCP/UDP to the Internet. Ever. See TSGrinder.
RD Gateway encapsulates the RD Protocol and forces a network authentication before authenticating to the RD Endpoint. This means that the password fail count and pause timer policies would be applied if someone tried to get in using bad credentials.
Add in DUO MFA for RD Gateway and it won't matter if the perp has a legit set of credentials they ain't getting in.
Oh, and two more very, very, important tips:
1: DO NOT USE "DOMAIN USERS" to delimit RD Gateway and RD Collection Access!!!
Set up a dedicated security group such as:
Remote Desktop Access Group
Place the required User AD Objects into that security group.
2: Never, put a Domain Admin Account in that Security Group! EVER!
Use a Jump Server with a dedicated _Standard_ domain user account, or Domain Jump Server Security Group, that allows that user in via the Remote Desktop Users security group on the Jump Server.
To move into management mode a right click and Run As Admin (sudo) would then be required.
And finally, an admin practice of using a Privileged Access Workstation (PAW) to protect your business and your client's business is critical segmentation in a day to day IT practice.
https://t.co/KpRtsmkAbv
https://t.co/0HibrJOR2h
Acronyms
OU = Organizational Unit
MFA = Multi-Factor Authentication
2FA = Two-Factor Authentication
SMB = Server Message Block
RD = Remote Desktop
Tags
.@DUOSec
#WindowsSecurity #NetworkSecurity #ActiveDirectory #GroupPolicy
💥 BOOM! We just can't stop with all the Entra announcements 😂
Platform SSO for macOS is here!!!! 👏 🎉🥳🙌🍾
With Microsoft Entra Join for macOS you can now use Touch ID to unlock your device and be signed into Entra ID under the hood using a device-bound key.
🧵👇
Making my computer unhackable after realizing "Security questions" are actually UTF-16LE JSON stored as ResetData REG_BINARY in HKLM\SAM\SAM\Domains\Account\Users\...
#TuesdayTuition
Things that help keep those with #T1D alive:
💙Insulin
Things that Insulin CANNOT be substituted with :
👉🏾Low/No Carbs
👉🏾Cinnamon
👉🏾Yoga
TYPE 1 DIABETES IS AN AUTOIMMUNE CONDITION NEEDING INSULIN TO SURVIVE
Stop listening to quacks
Also-don't be one
Thanks
Stumbled onto this article about theoretical chemistry. Turns out my great-grandfather (father of grandmother - think that's right!) is Sir John Lennard-Jones. Crazy what relatives get up to!
https://t.co/J2Eod4jqHv