I met with a prospective client today over video chat (wanted to reduce physical exposure for everyone until we're in a place where onsite visit is necessary) and she walked me through her current setup and what she'd like to do. One thing stood out for me as potentially problematic so wanted to check here to see if someone could point me in the right direction.

Her current IT admin (still employed there...for now) has setup a Windows 2016 server with Hyper-V role. He's the used Disk2VHD to create a disk image of each of their business' 8 PCs and loaded them up on the Windows server to run as virtual desktop. He then uninstalled all of the business software from each of their desktops so they are now essentially running their entire business via those virtual Win10 machines. Each physical desktop is now essentially a client for accessing the users' virtual PCs. Nothing is running on their physical PCs except Windows 10 Pro. All their software is running on their virtual desktops.

I'm pretty sure that's problematic in that they are in breach of MS licensing terms (I think). There are no CALs. They simply use the Remote Desktop client on their physical desktops to access their virtual PCs and it is a 1:1 setup with everyone having their own virtual Win10 PC. There is no AD of any kind.

If I understand the licensing correctly, in this setup, they would require Windows Software Assurance, Windows VDA subscription, or Windows E3/E5 licenses, do I have that right? They would also require CALs for the appropriate # of users, correct?

I have a client that uses Kimai for this.

https://www.kimai.org/

Got this email from MS today. Oh goody! MS is publicly announcing it is getting into the PUP/malware business

Getting flashbacks of Netscape v. Microsoft.

Starting with Version 2020 of Office 365 ProPlus, an extension for Microsoft Search in Bing will be installed that makes Bing the default search engine for the Google Chrome web browser. This extension will be installed with new installations of Office 365 ProPlus or when existing installations of Office 365 ProPlus are updated. If Bing is already the default search engine, the extension doesn't get installed.

https://docs.microsoft.com/en-gb/DeployOffice/microsoft-search-bing

https://know.bishopfox.com/advisories/connectwise-control

Don’t know who Bishop Fox is or whether they’re reliable and accurate but thought I’d share since many of us use the ConnectWise products.

https://pi-hole.net/2020/01/19/announcing-a-beta-test-of-pi-hole-5-0/

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@NashBrydges said in Break-Glass Access Control For Business Owners:

That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.

Break-glass would in my mind, be used because you had an emergency (like firing your IT personal) a notification to that same person or group seems worthless in my opinion.

In my case, if my clients accessed this storage/file, it would be important to know. Not only would that mean they are potentially looking to terminate relationship (not too worrying since this is part of doing business...the majority of my clients are from other IT service providers who have screwed the pooch) or that there was some reason for someone to access the credentials and, provided I'm still the service provider of choice, would now need to closely evaluate what was done and what caused them to need to access those credentials.

*edited for spelling

@DustinB3403 said in Break-Glass Access Control For Business Owners:

@NashBrydges said in Break-Glass Access Control For Business Owners:

As stated here, wondering what process/tools people use for this process.

https://www.mangolassi.it/post/497853

A set of one time credentials setup and not managed by the leaving IT party/personnel that are put into a vault at the time of creation and only used for that case.

The creator of the credentials doesn't actually set the password(s).

That would work but would not provide the "notification" that it was used. Ideally, I would setup some kind of process so that I can be notified when they actually "break the glass". I think that's an important piece of the puzzle I'm trying to solve is to be notified when they access the credentials storage/file.

As stated here, wondering what process/tools people use for this process.

https://www.mangolassi.it/post/497853

In my inbox this morning...

@JasGot said in Best Plex player to use with a non smart tv or as a portable HDMI player?:

@NashBrydges I looked at these. The Rokus do not present themselves as a mobile device, so this means I cannot use the Plex SYNC feature. This wouldn't really be that bad if it had internal storage it can play from. Managing everything from Plex would be nice, but I wouldn't mind copying stuff to an SD card or USB stick if I needed to.

Do you know if any of the Rokus can play from local storage while offline?

No, you're correct. While I haven't tried, they are supposed to be able to play content from a USB connected drive. That being sai, if you're looking at Plex, I'm assuming you have a Plex server installed. I have my Plex server in the datacenter and I can play content from that server from anywhere in the world using my Roku device. No transcoding required from the Plex server since the Roku handles all of that heavy lifting. The only thing required is to make sure your outbound bandwidth would allow full feed of your video files via internet from your Plex server. If you want this to run like this, you'll need to expose port 32400 (or other custom port you designate) to the internet otherwise all playback is handled through the Plex.tv servers and your playback will be throttled to 2Mbps max. I've been able to play a 70Mbps 4k HDR10 video from a remote location at full bandwidth this way.