Spam is dead

 “Spam is dead. Spam remains dead. And we have killed him. How shall we occupy our free time, the murderers of all murderers? What was the mightiest waste of time has bled to death under our knives: who will wipe this blood off us? What tradition is there for us to clean our inboxes? What habits of atonement, what sacred inbox cleansing games shall we have to invent? Is not the greatness of this deed too great for us?” - some guy who knows how to use email rules

Below is how my work inbox works.

Email Rules Physics:

1. Categorize

Create rules that apply labels and can help you to identify your email better. Example: If the sender's address contains the words 'amazon.com', then apply the following category “Amazon.”

2. Catch

Create rules that catch email; these rules are the same as categorize rules but include “Stop processing more rules.” Example: If the sender's address contains these words 'amazon.com', then apply the following category “Amazon” and stop processing more rules on this message.

Because you have stopped processing more rules on this message, no further rules will move this message to any other folder. Instead, it will stay in your inbox. Catch rules are how you whitelist mail.

3. Move

Create rules that move messages to folders. Most of us have this already. Example: If the sender's address contains these words 'lego.com', then move the message to folder 'lego stuff' and stop processing more rules on this message.

4. Screen

This is the final rule and the magic to becoming uninterruptable. Create a rule and a folder called “The Screen.” Example: If a message arrives in my inbox, move the message to folder 'The Screen,' except when the senders address contains these words: '@example.com'

All mail not whitelisted using a “Catch” rule will be moved to “The Screen.” I exclude internal mail from this rule so that my coworkers are never screened out of my inbox.

Applied Physics:

So, now that we know how the physics work let's do some applied science and go over some of my favorite email rules.

Useful Categorizations

1. Categorize external messages: If a message arrives in my inbox, apply the following category: “External,” except when the sender's address contains these words: 'example.com'
2. Categorize internal direct messages: If the sender's address contains these words: 'example.com' and the message was sent. only to me., apply the following category “Direct.”
3. Categorize Receipts: If the message includes specific words in the subject or body 'receipt' or 'order' or 'invoice,' apply the following category: “Receipts.”

Catch Rules

It's useful to know that you can catch email based on any context you can create a rule for, but the way I use them is I have a catch rule for individual email addresses and a catch rule for domains.

1. Catch a domain: If the sender's address contains these words 'microsoft.com', then categorize as “Whitelisted” and stop processing more rules.
2. Catch certain email addresses: If the sender is “[email protected],” then categorize as “Important” and stop processing more rules.

Move Rules

1. Move Indirect Messages: If you find that you get a lot of messages from internal mailing lists like “[email protected]” or if you find that people are using the BCC field to get past your mail rules, you should make an “Indirect” message folder and rule, make sure it's your last move rule otherwise it will sort mailing lists into indirect that you intended to go to their own folder: If the sender's address contains these words: '@yourorg.com' and my name is not in the to box move the message to folder 'Indirect.'
2. Something useful to know is that most email clients (outlook, apple mail, thunderbird) organize your folders alphabetically and numerically, so if you want a certain folder to appear at the top of your folders list, you can add “1.” in front of the name. So it will always be at the top.
3. Another useful tidbit is that messages moved by “move rules” do not generate alerts in most email clients.

The Screen

The screening rule should always be at the end of your rules. Otherwise, you will inadvertently screen everything. I always add my organization's domain as an exception to this rule but nothing else.

The end, this is how I now live a spam-free life. An honorable mention should go to fastmail.com, who gives their users the ability to make rules that filter out people not added to your contacts list; I wish more email providers had this. And Hey.com who's whole product is basically the screen rule.

Hide users in macOS

If you need to assist a user, but don't want them to see your user account when they log in, learn how to hide a user account on the macOS login window.

1. Log in as an admin user.

2. Use this Terminal command. Substitute the short name of the user that you want to hide for “hiddenuser”:

sudo dscl . create /Users/hiddenuser IsHidden 1

The user account is also hidden in System Preferences the next time it's opened. This command can't be used with the Guest user account. Learn how to manage the Guest user account.

Digital Security for Normal People

 This is an update to an original post, If I continue to rewrite this it will never be posted so I suppose I’ll need to update it yearly.

The other day I was in Starbucks and overheard a local computer tech helping someone reinstall windows on their laptop, the tech left, and I started a conversation with the laptop owner. His laptop had been infected with ransomware and he, unfortunately, didn’t have a backup. We had a short conversation about backups where the painfully obvious was stated and not much more. Having backups may not sound like a security strategy because most of the time when we think of security we think about keeping the bad guys out, in the day and age we live the paradigm of how to build a better digital moat has for the most part been dealt with and what we now need to turn to is how do we deal with threats already behind our gates. Digital security now must encompass a much wider practice security is now the art of protecting time. In the case of the man I met at Starbucks what he had lost was documents that he spends time writing, pictures he had spent time taking, bookmarks he had spent time finding, business data he had spent time working on, and a computer he now had to spend time getting fixed using money he had spent time earning. Correctly thinking about security depends on what you are trying to protect, for most people at a minimum that means their own time, for Systems Administrators that means protecting the time of others as well. To best do that it’s important to have a working definition of what security means. I define security as:

"Security is the art of protecting assets, knowledge or time in such a way that the “Cost” of destroying, disrupting, or disappearing them is insurmountably high. The “Cost” of attack is equal to the amount of either negligence or effort that you or an attacker must pay to destroy, disrupt, or disappear the protected asset.

Realistically if someone can pay the “Cost” in either time or money to conduct the attack they can compromise your security."

The following is the collection of advice I wish I could have also given him but just did not have the time to, this is also advice I give to family members, coworkers, and people like you who stumble across my website. This is how you increase the cost of an attack.

A. Securing Online Accounts

1. Use a password manager and avoid reusing passwords across sites like the plague, side note: it is the plague. LastPass and 1password are a great starting point. There are likely many other good online options. In my opinion, the most important thing about a password manager is that it be zero knowledge, meaning that the company running the service your using has no way to decrypt the data you entrust them to store. If you don’t like the idea of storing your passwords online look at offline options such as KeePass, password safe, or perfect paper passwords.
2. Enable second-factor authentication on all your accounts, especially your chosen password manager.
3. Setup haveibeenpwned.com for the email account/s you use.
4. Recognize the human error factor, humans make mistakes. When you use the web make sure you’re using an adblocker to avoid malicious advertisements that might lead you to a phishing site. U block Origin is great for this. Using 3rd party DNS is also a great help, Cloudflare, Quad9, and OpenDNS Greatly increases your security at no cost and are fairly easy to set up on your router.
5. Declare digital sovereignty, if your primary email account is tied to your internet service provider, I would strongly consider looking to either a big tech company (google, Microsoft, or apple) to get a new email address with or looking at a smaller independent company like fastmail or Hey if you’re willing to pay for email services.

B. Securing the Personal Computer

1. Don’t use an admin account for everyday computing this applies to macOS, Linux, and Windows no exceptions. Follow the Principle of least privilege.
2. Data security is just as important as account security in most cases, having backups is the best way to secure your data from accidental deletion, corruption, and ransomware. Veeam endpoint free is free and does a great job backing up your entire system.
3. Run an up to date version of your operating system and preferred web browser and ensure you have security updates installed.
4. If your computer does get infected just nuke and pave. If your system has been compromised it truly is the only way to be sure your safe again. Make sure you have a good backup, erase the internal disk, and reinstall your operating system.

A note on Antivirus Software: I did not mention antivirus here because consumer-grade antivirus systems seem to change like the wind lately. In general, if you’re looking for an antivirus system I would recommend looking at reviews from IT people as they will spend a lot more time than you can imagine looking at antivirus solutions for their respective companies. Nearing the end of 2017 I had begun to see a rise in malware that exploits antivirus systems to compromise the systems they were designed to protect, in general, your best antivirus option is having an up to date computer with the most recent security patches installed and following best practices, B.1 is your best bet.

C. Securing the Data

1. 3-2-1 Backups, If your data is not following 3-2-1 backups your data does not exist. Make sure you can restore your backups.
2. If your storing sensitive data in the cloud use some form of “pre-internet encryption” for windows, mac and Linux VeraCrypt is probably the golden standard but there are other encryption tools, even having an encrypted zip file is better than nothing. Note: password protected and encrypted are different things. Know the difference and use the right one.
3. Back up everything. If its unimportant data back it up if it’s important data back it up again. The number one reason important data can’t be restored is that someone didn’t think it was important and thus did not back it up. If you backup everything all the time this is an easy pitfall to avoid.

D. Securing the Network

1. If your router can be found at routerpwn.com consider getting a different router or looking for firmware updates the fix the issue listed. If your router does not have firmware updates or a fix for a known issue, then it’s time to get a different router.
2. Take a look at what GRC’s Shields UP has to say, if your router has open ports make sure you have NAT enabled on your router. The best option to avoid potential conflict is to simply not be there “True Stealth” is the result you want from the Shields UP! test.
3. If you have internet of things devices on your network use the 3 Dumb Routers method to separate out your network.
4. If you have Wi-Fi make sure you’re using a good password, only use WPA2 or greater authentication and disable WPS if possible.
5. Use a 3rd party DNS server on your router Quad9 or OpenDNS are good options. To find out what DNS server is the quickest around you run the DNS Name Speed Benchmark from GRC.com
6. If you don’t require devices in your wireless network to talk to each other (this is rare) or have devices that don’t need to talk to other devices for any reason consider putting those devices on your guest network. Doing so will isolate those devices from the rest of your network making them less risky.

E. Securing the Human

This is the hardest part, even if you have done everything else correctly, we are only human and are going to mess something up. Securing the human part of the system comes down to checking yourself as you use your technology. There are a lot of moving parts to this but in general, the following are true and if followed will make you less of a risk to yourself.

1. Always Go to the Source, if you receive a phone call from your bank and they want to verify your social security number over the phone just hang up, Google your bank’s phone number (or look on the back of your debit card) and call your bank. If it truly was them then your good to go, if it wasn’t congratulations you have just evaded an attack. The same applies to handling email phishing messages. A common email I’ve seen is a message warning that your inbox is about to run out of space. If you click the link it then prompts you to login to your cloud email. The right thing to do is ask your email admin if you are running out of space or go to the source and find out if you are approaching a space limit. By going to the source all phishing attacks can be thwarted.
2. TNO, Trust No One. Criminals don’t target computer systems they target people. Be cautious about giving out information. Well-designed systems and services shouldn’t require you to have any trust in the people running them for your data to be safe.
3. If it’s too good to be true… (you know the rest of this one, your mother told you, my mother told me, the attacker’s mother told him we all know this.) SPOILER ALERT: it is. There is no Indian prince willing his inheritance to you and there is no free iPad you won. There is always a phishing campaign in the works run by smart people who are looking to make you the sucker. Think about the cost of a phishing message, how much it cost you to send an email? Right… if it only costs the bad guy a couple minutes of their time to try and cheat people out of their money then guess what they are going to try and do. Furthermore, attackers have reduced the cost of an attack by using automation. The result of this is that it’s no longer a couple minutes per person phished it’s a couple minutes per millions, and its target is not you… its target is everyone.

Resource List

• securityplanner.org is a great site that will walk you through what you should be aware of.
• digital first aid kit is a great resource for reactionary advice.
• There are a lot of good insights from the Surveillance self-defense page at the EFF.
• Roger G. Johnston, Ph.D., CPP Security Maxims is a great read and provides lots of insight into the nature of security.
• Microsoft’s 10 Immutable Laws of Security Administration is a great read for fellow systems administrators as is the article 10 Immutable Laws of Security

Final Thoughts: We live in a world now where hackers are driving the cost of attacking systems down by having systems and automation do the attacks for them. Microsoft said it best I think “Eternal vigilance is the price of security”.

TiddlyWiki + GitHub + Cloudflare

My Existential Crisis, “Storing Knowledge is hard”

I should mention that although this is generally true what I really mean by “storing knowledge is hard” is that storing Knowledge is hard for me. It’s funny to think that in some ways the scribblings of a two-year-old have a better chance of weathering our world than the bits of information needed to keep the modern enterprise afloat. Computer systems were designed to make the impossible possible, in most cases this does not mean preserving data past one lifetime, admittedly many enterprise systems will fail at that. When confronted as to why the scribblings of a youngling have better data durability than our enterprise grade systems the answer is wonderfully simple, someone cared for them. Someone put the drawings in a box, in the closet, where it would be undisturbed and knew it would be re-discovered years later by them, or by their grandchildren. The scribblings of a toddler are self-contained they do not need a program to be interpreted or relayed only the eyes, brain and heart of a human. Care it would seem is synonymous with data durability. From toddlers’ scribblings, oral traditions, hieroglyphs, Runes and words set in stone it would seem the amount we care is often deterministic and proportional to how long something exists on the face of our planet. As a Sysadmin it truly is hard to look out and see anyone building systems with that level of care, don’t get me wrong, there are passionate site reliability engineers out there, but when it comes to distributed systems what shapes the design of care is company culture and that’s both hard to measure now and difficult to predict long term. Humans are inconsistent creatures at best and at worst care far too little about each other and what is important to our fellow man.

Evernote, OneNote, Simplenote, Apple Notes, Text Files, Collected Notes, google keep, Outlook Notes, Super Notes, Zettelkasten (the archive), Roam Research, Obsidian, Standard Notes and many others… I have tried enough of them and after copious amounts of experimentation I have finally discovered what I need as a sysadmin.

The things I want as a Sysadmin:

1. Plain text Search, I need fast, full note, plain text search.

2. Different reading and editing modes just like vi, I want to be able to reference, copy and send what’s in my knowledge base and know that when I’m highlighting text to copy I’m not going to accidentally add, subtract, delete or move anything I’ve written unless I unlock the note first. This is important since a good chunk of what I might be copying I also might paste into another systems terminal.

3. Markdown Support, I like markdown, it makes my life objectively better, and honestly that is no small feat on its own, I love code blocks, so much.

4. Cross platform reading, writing, editing, I want to be able to use it on my mac, my iPhone, and my ThinkPad regardless of what OS my ThinkPad might be running.

5. Far, it needs to work in the future not just now, more importantly my data is mine and I want to be responsible for it long term.

So, after a lot of flipping between Evernote, OneNote, etc… I discovered TiddlyWiki I spent some time and built what I needed. The next step was delivery and I struggled for far too long trying to figure out how to sync the thing between my computers, I tried OneDrive, Dropbox, Google Drive, iCloud, Syncthing (which impressed me), then I gave up and put it in Dropbox for no other reason than it was convenient and I was able to use https://twcloud.github.io/for wiki access which worked ok. But then I found something I felt was better, that is where the title of this blog comes into play:

TiddlyWiki + GitHub + Cloudflare, let me explain.

TiddlyWiki is unique, it’s an HTML Quine with a Java backbone, the output of TiddlyWiki is itself plus what you added to it. It is a self-replicating, self-contained program where saving is exporting a new TiddlyWiki source code and all, if you use it in an editor like TiddlyDesktop then your work is saved over your previous file. Someone quite cleverly figured out how to write a GitHub saver where when you hit save TiddlyWiki saves itself out to a GitHub repo.

GitHub has a wonderful feature called GitHub pages, a GitHub page gives a user the ability to expose an HTML file in their Git repo to the world, this is great! (and I bet you can see where I’m going with it already) TiddlyWiki has a built in GitHub API saver where you can save your wiki back to Github using an access token (PAT). This means you can have a TiddlyWiki that writes its output over itself directly to your GitHub repo and with a little tweaking you can store your PAT in the TiddlyWiki file itself… Except for how do you protect it? If anyone load your TiddlyWiki file, which is also the client and holds the PAT key for your GitHub someone could steal your PAT Key and do anything you can in your GitHub! Truly this is an awful Idea, so how do you keep this from happening? 1. Use a dummy GitHub account as a collaborator and give the dummy access to only your TiddlyWiki repo using the dummy’s pat key in your TiddlyWiki file. This way if your TiddlyWiki file is ever compromised the most someone can do with the PAT is access the dummy account and its data. 2. I am using this for my technical notes, they do not contain passwords, keys, or information I would hesitate to share with my peers. Be smart and store sensitive information in an encrypted password vault/manager where it belongs not on a potentially public website.

Let’s make it secure, enter Cloudflare Access and custom domains for github.io, Cloudflare Access is awesome it allows you to take a custom domain or subdomain and prevent access to it unless a user can verify themselves with a one time code sent via email. With Cloudflare Access in front of your Wiki the security model changes to a verification model, in theory as long as there’s no alternate way to load your HTML file outside of your domain the access control remains. GitHub fortunately allows custom domains, when you add a custom domain to your GitHub.iopage GitHub will redirect any request to your GitHub page to your domain and thus to Cloudflare access as the gate keeper.

Disclaimer, as far as I know there’s no way around the GitHub pages redirect, if there is a way to query GitHub pages for an HTML page without going through the custom domain this whole setup is borked and will never be secure, do your research, be smart, make good choices.

Setup, Let’s Build It!

1. Some prerequisites own a domain, choose a subdomain and make Cloudflare your DNS host (Cloudflare Access is $3 per month). You will also need a GitHub Pro account.

NOTE: In Cloudflare you should make the following changes,
	1. Set your SSL/TLS Encryption mode to Full Strict
	2. Under Edge Certificates allow only TLS 1.3 Connections
	3. Consider creating firewall rules that disallow endpoints from connecting to your wiki subdomain from outside of your current country.

2. In GitHub build a private repo for your Wiki.

3. Create another GitHub free account which will be the writer to your wiki enable 2fa for both accounts and generate a PAT in the free account save this for step 8.

4. Create the subdomain you want your wiki to be hosted at in Cloudflare creating the following A records that point to the following IP addresses:

Warning DO NOT USE CNAME RECORDS HERE GITHUB WILL PROMPT YOU TO BUT DO NOT DO IT, doing so will bypass Cloudflare access, it may also be a good idea not to use Cloudflare Proxied records for these records doing so caches content and you want to make sure your TiddlyWiki is loaded fresh each time you load it.

185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

5. Enable Cloudflare access and allow either your email address or a set of addresses in your domain to login to the subdomain.
6. Enable GitHub pages and add your subdomain and enable encryption, you may need to wait to do this and temporarily disable Cloudflare's proxy so you can get the lets encrypt certificate. Don't forget to re-enable these later.
7. Wait for DNS to propagate and go to your new subdomain you should be brought to the Cloudflare Access page.

Before step 8 I should point out that if you have not configured Cloudflare correctly you may compromise your dummy GitHub Account. You should never store secrets in a GitHub repo, its ill-advised and without taking steps to secure the gate with Cloudflare you will end up with someone else holding one of your Personal Access Tokens. YOU HAVE BEEN WARNED.

8. Danger Will Robinson! Danger! STEP 8

On line 25 in $:/core/modules/savers/github.js change the password entry to look like the following:

password = this.wiki.getTiddlerText("$:/GitHub/PAT"),

9. Next make a Tiddler named $:/GitHub/PAT and add your Personal Access Token into this Tiddlers text and plan on bookmarking it so when you change your access token in the future you can easily change this Tiddler as well. Once done you can click the save button in TiddlyWiki which should write to your GitHub repo, with an HTML file in place you can now enable GitHub pages.

If you have done everything correctly you should find that when you go to the subdomain you set in Cloudflare that you are greeted by Cloudflare access and that once authenticated you can load your TiddlyWiki file, and write back to it.

Tweaks and best practices for Office 365

A list of tweaks and best practices for configuring Office 365 most of these were shamelessly stolen from the sysadmin today podcast, some were also taken from Microsoft Office 365 deployment guidance. As Microsoft continues to develop their platform much of this will change but I think at the moment this is a great starting point.

1. Establish main tenant administrator with strong password and MFA and create a break glass global admin account using yourtenet.onmicrosoft.com so if a mistake is made you can still login to Office 365 as a global admin. 

2. Enable/Verify that modern authentication is enabled and or enable security defaults in azure AD, if you are deploying hybrid configure conditional access rules so your Exchange service account is never prompted for 2fa from your exchange servers IP.

3. Setup tenant profile with organization information: https://admin.microsoft.com/AdminPortal/Home#/companyprofile

4. Configure Account Recovery Options: https://aka.ms/ssprsetup

5. Grant Delegated Admin to CSP (if MS Partner)

6. Disable self service Purchases across the board:

Install-Module -Name MSCommerce #once you install you should remove this line
Import-Module -Name MSCommerce 
Connect-MSCommerce #sign-in with your global or billing administrator account when prompted
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | forEach { 
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false  }

7. Consider limiting group creation so that only users of the group “Group Admins” security group are allowed to create office 365 groups: https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

8. Configure Tenant alerts email addresses as a distribution group and set it in powershell.

Set-AzureADTenantDetail -SecurityComplianceNotificationMails "[email protected]" - TechnicalNotificationMails "[email protected]" -MarketingNotificationEmails "[email protected]"

9. Enable Unified Audit Logging

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True

10. Enable Mailbox Audit Logging

$AuditSettings = @{
AuditEnabled = $True AuditLogAgeLimit = 365 AuditOwner =
"Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update,UpdateCale ndarDelegation,UpdateFolderPermissions,UpdateInboxRules"
AuditDelegate = "Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelet e,Update,UpdateFolderPermissions"
AuditAdmin = "Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,Soft Delete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
}

Get-Mailbox | Set-Mailbox @AuditSettings

11. Set Language and Time Zone for All Users this will save them a step when they first sign in

Get-Mailbox | Get-MailboxRegionalConfiguration | ? {$_.TimeZone -eq $null} | Set-MailboxRegionalConfiguration -Language 1033 -TimeZone "Central Standard Time"

12. Increase Deleted Item Retention from 14 to 30 Days

Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetainDeletedItemsFor 30

13. Show mailtip for External Recipients

Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $True

14. Show mailtip for large number of recipients (Shows tip Beyond threshold)

Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10

15. Set Outbound Spam Notifications

Set-HostedOutboundSpamFilterPolicy Default -NotifyOutboundSpam $true - NotifyOutboundSpamRecipients “[email protected]”

16. Prevent Inbox Rules Forwarding Messages Externally, strongly recommend. 

Set-RemoteDomain Default -AutoForwardEnabled $false

17. Prepend Disclaimer on External Messages

$TransportSettings = @{
Name = 'External Sender Warning'
FromScope = 'NotInOrganization'
SentToScope = 'InOrganization'
ApplyHtmlDisclaimerLocation = 'Prepend' ApplyHtmlDisclaimerText = "<p><div style='border:solid #9C6500
1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line- height:12.0pt;background:#FFEB9C'><b><span style='font- size:10.0pt;color:#9C6500'></span></b><span style='font- size:10.0pt;color:black'>[EXTERNAL]<o:p></o:p></span></p>"
ApplyHtmlDisclaimerFallbackAction = 'Wrap' }

New-TransportRule @TransportSettings

18. Increase OneDrive Deleted User Retention (up to 3650 days) no typo 10 years is correct and can be configured.

Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 180

19. Disable IMAP / POP Protocols For Current Users, also strongly recommend.

Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

and for Future Users

Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

20. If migrating a large environment call Microsoft and ask them to disable throttling for your tenet.

Misc.

• Have an Office 365 Backup Policy in place.
• Enable DKIM and DMARC
• Setup Anti-SPAM and Anti-Phishing policies
• Use email encryption
• Setup Alert Polices. (Creation of forwarding/redirect rule, permissions changes, Unusual volume of external file sharing etc)
• Use MDM for all mobile devices that store company data.
• Use Rights Management.
• Setup compliance reviewers for eDiscovery and Supervision.
• DLP Policies: * Setup External Sharing Polices * Define what data is important (SSN, CC, Health Records, Salaries, Accounts, PST MSG etc) * Create notifications when users share external data based on your defined criteria. * Take it to the next level in your policy and prevent data from being sent that matches the criteria.
• Secure SharePoint with multiple doc libraries.
• Always use group level permissions. Use custom permission levels. (i.e. edit but not delete)
• Disable anonymous guest link sharing

Azure AD Notes (Some features may require advanced licensing like Azure AD Premium P1)

• Enable Group-Based Licensing to automatically assign O365 Licenses based on AD group (TIP: you can create groups with dynamic membership based off user principle name, this is a great way to give every new user a base set of apps while excluding your break glass and other admin accounts automatically)
• Branding: Customize logos and colors to provide a branded and recognizable logon
• experience. Train users to not enter their password if they don’t see the branding
• MFA: Enable MFA for all users
• Trusted IPs: Configure trusted IPs to bypass MFA for the office; This will ease resistance to the MFA burden for end users
• Review Secure Score and work to increase it: https://securescore.office.com/
• Use Conditional Access to prevent all access from outside your country (be sure to exclude
• an account as a safety measure against accidentally locking yourself out of the whole tenant)

Reporting Audits

• LicenseReconciliationNeeded (Mailboxes at risk of being deleted due to lack of license)
• Tenants with more licenses than consumed (wasting money)
• Users without MFA Enabled/Enforce

Useful Group Policy WMI Filters

One of group policy’s best yet seldom used features is WMI filtering which allows an admin to apply policies to windows computers conditionally instead of statically based on what OU a computer or user object is in. Here are a few of my favorites, all of them are in root\CIMv2 unless otherwise specified.

Filter by OS Install Date Incredibly useful if you are looking to push new software automatically to only new computer or computers that have been freshly imaged with MDT. The example below will only apply to computers that have an install date greater than 2016-04-09

SELECT * FROM win32_operatingsystem WHERE Installdate>="20160409111400.0+0"

Filter by Memory Type This allows you to filter by desktops and laptops if you have desktops that do not have sodimm memory. If you do have desktops with sodimm memory you might combine this with another WMI filter that queries if systems have a battery present

Note that If you have systems which are small form factor and have UPS’s attached this may not work for you.

Desktops (devices not using SODIMMs)

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

Laptops (devices using SODIMMs)

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

Filter by Windows Desktop Operating Systems Filtering by Windows Desktop Operating Systems is useful if you have changed the default Computers Container to an OU with policies applied, doing this ensures that when Servers are joined to the domain and appear in an OU instead of a container they do not pickup group policies designed for desktops.

select * from Win32_OperatingSystem WHERE ProductType = "1"

Filter for Windows 10

select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"

Filter for a specific build of windows 10 In this case windows 10 1909 useful if you want to control windows update with group policy.

select * from Win32_OperatingSystem where Version like "10.0.18363" and ProductType="1"

Filter for 64 Bit Windows Servers

select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3") AND  OSArchitecture = "64-bit"

From these you should find that you can filter just about all the various parts of your windows 10 infrastructure.

Changing Default Containers to OU's in AD

In windows by default there are two containers, the Computers container and Users Containers. When you join new workstations, servers or add new users to your domain they will show up in either of these by default and no policies will be applied to them until you move the user or computer object into an OU. This is because Group Policy Objects do not apply to containers only OU’s. Luckily you can change where active directory puts computers and users upon creation using the following commands:

Set the default OU for new computers to land in using redircmp

C:\Windows\system32>redircmp "OU=New Computers,OU=Computers,OU=Your OU,DC=ORG,DC=COM"
Redirection was successful.

Set the default OU for new user accounts to land in using redirusr

C:\Windows\system32>redirusr "OU=New Accounts,OU=Accounts,OU=Your OU,DC=ORG,DC=COM"
Redirection was successful.

Once done you should find that newly added users and computer land in your newly designated OU’s which will allow you to do things like automatically push software to new workstations via group policy or make sure that new users get their home folders and network drives mapped without any further changes.

Useful Links

A collection of things that I’ve found useful for one reason or another during my time troubleshooting windows workstations and helping end users. Hopefully you will find them as helpful as I have.

The links to these tools contain the MD5 as the downloads are hosted by myself from a Backblaze bucket you should check the MD5 of what you download before you run any of it, checking the MD5 does not make the software safe but it does make sure that at least you got what you attempted to download check your MD5 elsewhere to confirm. None of this software is mine this is just a collection of links to acquire it use at your own risk.

TFC MD5: 788fcddd88240a85039f7f561093b118

The temp file cleaner by old-timer is a classic utility designed to clean all the old temp files off of windows systems, works with Windows xp - Windows 10

Take Ownership MD5: 38a8674b9bb64a27ec999fcc9e3df662

An old registry hack that enables a take ownership right click option, useful for when you’re stuck with a file you can’t seem to change the permissions of even though you have admin access.

hpflash1 MD5: e30ffd26b45c78303085dc4f35a24a80

The HP flash utility, great for making DOS boot drives.

DoubleDriver MD5: 98f948a5806cf6d84bfb2dabc8c48a95

Double Driver, the unsung hero of printer migrations and new system builds. This utility can suck the drivers right out of an existing windows install and throw them directly at a new one.

Putty! For all your SSH, Serial and Telnetting needs, no direct download provided go get it from the source.

Group Policy Reference

for when you really need to check and see if you can configure something with Group Policy.

Windows CLI things Get the service tag of dell PC’s from Command Prompt or PowerShell

wmic bios get serialnumber

Expire a computers kerberos ticket thus forcing the computer to get a new one this helps windows detect a change in AD OU’s without rebooting so that you can run gpupdate /force without needing to reboot. Useful for systems that cant be shut down but do need to be moved in AD.

klist -li 0x3e7 purge