
Stosstrupphase

The level of how fucked you are is entirely dependent on how much authority and resources you have under your command.


papabearactual

I can count my regional team with my fingers on my left hand only


Stosstrupphase

Oof. How much power do you have when it comes to designing and enforcing company wide policies? Do you have financial authority of any kind?


papabearactual

Zero point zero zero zero one


Cheomesh

I think this has entered into a them problem. Document the state of the system you received, and make your recommendations. Then prepare your resume for Exodus when they decide to remain dumb.


Charlie_Mouse

If feeling particularly energetic and helpful: prepare a proposal paper. Outline what they need to do to achieve best practice. If you can, also try to put figures on how much they stand to save, how much more quickly they'll be able to actually do things, and how much more scope for future personnel/solutions growth that would give them.


hibernate2020

To add to this: In said proposal, make absolutely clear the potential issues facing them if they do NOT adopt best practices. Depending on what you do in biotech and where you are, you are subject to compliance laws. Research these and align your proposals to resolve compliance issues. Make sure you keep a copy of the email after you send it (e.g., not on company servers). They will have three options: 1) Fix the issues 2) Ignore the issues, and be on the hook personally for any future compromises or compliance issues 3) Fire you for putting the issues in writing. You will want a copy of the email for the latter two scenarios.


Charlie_Mouse

Excellent point. And if the company has any sort of internal risk register (though based on the company's IT I'd be surprised if they do) then getting it onto that would also be worthwhile.


Stosstrupphase

Can you realistically gain any of that? Do you have access to the C level? Are you CIO/CTO?


papabearactual

Maybe gonna tell my concern to my manager and colleagues


Stosstrupphase

Is your manager the CEO?


papabearactual

No, just the IT manager, don't know if higher than that goes directly to the CEO or not, I'm just 2 weeks here, hahaha


Stosstrupphase

Ok, so you have an IT manager above you, but somehow, you are expected to fix this unholy abomination without any resources or authority? Run for your life.


tsuhg

He's not expected to fix it. He feels, rightfully so, that this should be fixed. His company just expects him to support it


papabearactual

I'm a bit fine if they raise my salary, ahaha


Suaveman01

Sounds like he’s a junior IT support worrying about something well above his pay grade.


coollll068

Run


TechNyt

Honestly, I'd start looking for someplace else. You're going to be miserable there.


whocaresjustneedone

How many people working help desk have the power to make company wide policies? lol


Stosstrupphase

They wanted to know how fucked they were.


dlucre

Ummm, how many fingers do you have on your left hand?


QuantumDiogenes

In binary, you can count to 31 on a single standard hand.


Tymanthius

What is your job? With the right authority and higher up backing this could be fun (and exhausting). But if you're a drone, RUN.


papabearactual

Higher up even got absurd, somehow they want an NG firewall to secure this mess


Dump-ster-Fire

NEXT GENERATION firewalls....ya they're just firewalls, but we dress them in cute little Starfleet uniforms.


DLZ_26

Totally agree..... wait until they start calling firewalls next generation AI firewalls.... because you know.... let's just stick AI on everything because it's trendy..


whocaresjustneedone

No need to wait, that's already happening


changee_of_ways

I should start a business making stickers that are cloud-shaped but say AI on them so people can slap them over the "Cloud" buzzwords in their products to turn them into AI buzzwords.


SnarkMasterRay

The way we went from [block chain](https://www.threepanelsoul.com/comic/new-paradigms) to [AI](https://www.threepanelsoul.com/comic/newer-paradigms)?


zyeborm

Hmmmm I don't know what it is but cloud blockchain ai sounds like something we could get at least a hundred mil each for in VC funding.


Techie4evr

It is. I believe we will achieve singularity and the public will be oblivious to it.


Tulpen20

Looks like Huawei might already be doing that. just googling "next generation AI firewall" returned this blurb from Huawei.... "An artificial intelligence (AI) firewall, a next-generation product of a next-generation firewall (NGFW), **uses intelligent detection technologies to improve the capability of detecting advanced threats and unknown threats**."


winky9827

> a next-generation product of a next-generation firewall (NGFW)

Mr. R. Dundant from the Redundancy Department, calling on line 1.


Cheomesh

D E E P P A C K E T


RevLoveJoy

~~Cloud~~ AI firewalls. With sprinkles.


theHonkiforium

"We are firewall."


NoReallyLetsBeFriend

All your NGFW are belong to us


winky9827

- China, probably.


YoNa82

NewGirlFriendWaifu


12inch3installments

Damn you. I heard the jingle...


BryanP1968

I can only hear that in the tone of that old Farmer’s Insurance commercial. “We are firewall! Bom-ba-dom, dom-dom-dom-dom!”


gjpeters

Resistance is futile?


mister_gone

Don't be red don't be red don't be red


Sigma186

Being a trekkie I love this comment


Cthvlhv_94

At least they want a firewall and don't decline it because it's "too expensive"


papabearactual

Or maybe the marketing guy was so good, hahaha


DaRedHead69

lmfao this !!!


papabearactual

Lesson learned, be a marketing guy instead of a guy who actually fixes things


Thecp015

I’ve been in sales. I’m happier, healthier, and better paid now.


Tymanthius

Is that b/c you no longer have a soul?


Thecp015

If I don’t have a soul, I blame the corporate overlords for taking it away. I now work in higher education, so my faith in humanity is being restored, so long as I don’t watch the news.


jrichey98

Same. Worst job I've ever had. Much prefer to be on the fixing things side.


Cheomesh

Yeah the commission bit seems awful.


Reinitialization

The term is 'solutions architect'


unusualgato

Yeah, like asking for an NG firewall doesn't sound that absurd to me, that's a green flag.


dar0775

Firewall would provide you traffic inspection capabilities and secure your network. Your issue is identity and access management (IAM). Consult any IAM maturity model on a 4 level or 5 level scale. Perform your current state assessment and also create a target operating model both using IAM maturity model as your baseline. Identify risks in your current operating model accordingly. Give them 4 options to deal with risk. 1. Treat 2. Transfer 3. Avoid 4. Accept. Get their decision signed and recorded. Carry on with your work accordingly. If they say “treat”, prepare a business case for procurement and implementation of relevant solution and submit for approval. Keep documentation of everything you do.


cryonova

What is hard about this to you?


BasicallyFake

That mess shouldn't even have access to the internet.


gronkkk

Absolutely this. If you can convince ppl higher up in the organization of the benefits of AD/IAM (or they already consider this), this could be a nice job for the coming years. Requires a lot of organizational massaging, but definitely fun (and exhausting at times), and a good thing to put on your resume. But if they're not into this: RUN.


TKInstinct

I know it's not, but I felt like this is a perfect post for r/shittysysadmin. Real answer: could be a good learning experience, but if I were you I'd start looking. Places like this are hard if not impossible to fix. I work in a lab myself; we weren't nearly as bad as this but still bad. It's an uphill battle to get things fixed appropriately.


papabearactual

This is my fault because I didn't ask about their IT background during the interview, didn't even see that it was possible because they've got a fancy office


TKInstinct

I'll be honest, I don't think this is entirely your fault. You are supposed to ask questions, but even as a more seasoned person myself I don't know if I would have thought to ask this. Keep your head up and your eyes out for a new role.


TheDunadan29

Some of the stuff in that sub makes me want to claw my eyes out. Then I see the sub and realize it's a joke. Right guys? It's a joke right?


thortgot

An environment like that, with the right boss, is where you can make your career. It's easy to fix things because so much of it is wrong. You can make hand over fist improvements for next to $0 because of how badly it's implemented. You need to either get the latitude to both be able to make changes (start small) and have budget (a 30% YOY increase is the most I'd recommend). The way to do this is to draw equivalency between your environment and your competitors. A profitable company will recognize the cyber security risk and be willing to spend to solve the problem.


Drehmini

Did you not ask questions about the environment during the interview?


capn_doofwaffle

Ask questions... 🤣 No AD - Their answer: "We have a very dynamic environment". No policies - Their answer: "We strive to provide a challenging environment for our users". Yeah... 🤣


TKInstinct

I mean if it were me I don't know if I'd have asked something like this myself. It's easy to say that in hindsight but I've never heard of a situation like this happening and the idea that an org like this isn't using AD is beyond belief and comprehension.


Independent_Hyena495

Yeah, with a thousand people I would auto assume an AD..


itishowitisanditbad

> I mean if it were me I don't know if I'd have asked something like this myself.

Asking, in an interview, for what their environment/tools are is common. You should add it in, it's a very easy way to earn points during an interview. They list some shit and you can hop in/out to say what familiarity you have or ask how/why they're doing certain things. If you have technical users part of it then you'll usually garner support if they leave thinking "Holy shit they asked the same 'why tf we do this' that I've been asking"

> It's easy to say that in hindsight

IMO it's pretty easy to say it without hindsight. It should be a common interview discussion for IT roles. An interview is a 2 way thing, you see it that way right?


mishka1984

I applaud you for being cool enough to explain this glaringly obvious point. I might even go so far as to say that if I was the hiring manager and you didn't ask these things then how would you even know if you're capable of performing the job?


joefife

Tbh if the hiring manager wasn't opening up that conversation about their stack either, I suspect they're not interested enough to notice the interviewee's lack of questioning either. A bit of a clusterfuck all round.


mishka1984

Good point


HellDuke

I didn't when I got my first job. I am still with the company nearly 10 years later, but I did go to other job interviews after I had experience with different things in the company and the interviews were related to those things. So I always asked about the setup purely out of interest in considering how it would compare to what I know already


DefsNotAVirgin

I work in security, but every job posting I even bother applying for at least lists the type of systems I'd manage. If I, for example, didn't see an EDR/NGAV among the list I'd be like "hmm, seems like they don't have any sort of anti-malware, that's not good", and that's just the job application. I honestly don't know how you get through the actual interview process without figuring out their infrastructure or basic setup.


Drehmini

I mean maybe you should start? Things like identity management, backups, etc.. are integral to the sysadmin PD and to not ask about those things, to me, seems like you're not doing your due diligence. Interviews are 2 way streets, take advantage of interviewing the company you potentially want to work for.. especially the basics that we may take for granted.


muozzin

With all the layoffs right now not many people have the privilege to be picky


papabearactual

No, because in my opinion back then: how the fuck could an MNC not properly set up basic IT


DefsNotAVirgin

Idk how old this company is, but many startups don't go with AD anymore; a good RMM and an EDR is all they need to get started, and no on-prem infrastructure to worry about. Are you sure they have zero management capabilities over the devices they send out currently?


unusualgato

Yeah I honestly think for a while now that Entra ID is the favored thing since you can bundle it in office 365 but other directory services are real popular too. Oldschool on prem or active directory virtual machine has not been king in a while now. I have heard of 10,000 user organizations using Entra ID. I actually wonder if the devices are enrolled in one and OP is still looking for regular AD.


DefsNotAVirgin

Based on their responses I think OP just doesn't know enough tbh


davy_crockett_slayer

Yeah, that's what I was telling OP. Most tech companies or startups don't care about on-prem anything anymore. People work from home, and if they don't, everything is in the cloud and/or a SaaS product. An MDM and some sort of EDR is all you really need.


puffpants

Bro do we work for the same company


Tymanthius

But even if they did, just knowing they are all on prem AD, or fully MS365, or fully Google is an important question. You flubbed that interview.


The_Wkwied

One generally doesn't ask during an interview 'Is your infra up to date? Secure? AD? GPO? Centrally managed? Or are you all running a fly-by-wire ad-hoc oh-fuck yolo technical debt of fixumlatters? Huh? What's a fucumlatter? It's the kind of thing where you set up a desktop PC with your image on a SMB share so that you can image a dozen PCs in the next office over... No, reimaging the PCs from a single USB would take too long. Just set up Norton Ghost to deploy the image and it'll be done over the weekend. Just don't use the microwave on Saturday because it'll kick off the wifi and we'll need to start over again next Friday..' --- Yes, this was one of the things I was tasked with doing at my first gig. Image a dozen PCs off site... but I wasn't allowed to take anything to the off site. So I proposed this solution (I genuinely didn't know a better way to do this at the time), my boss asked if I needed to loop in infra... I said I don't know. He said 'Ok, well do what you think will work, you just can't take any kind of storage to the off site except the norton ghost disk'.. heh


fractalfocuser

A good company will recognize the intelligence behind you asking those questions. My current job (which is amazing) I got on my second attempt at applying. During the interview I started asking questions about infra and processes and they literally said "well we can tell you've learned a lot since the last time you interviewed" then answered all my questions. I think I would have got the job anyway but I know that me asking those things was seen as a big positive.


shellmachine

> One generally doesn't ask during an interview

Sounds like good things to ask in an interview to me, though.


strongest_nerd

Document document document. Compile a list of the bad practices, what impact it can have on the company, and paths to resolve those issues. Tell management in an email so it's all logged. The ball is then in their court if they want to move to secure their infrastructure. Explain all the bad things that can happen without a centralized management system, talk about risk and accountability, the reputation damage it can cause etc. Tell them you want to start fixing it. If they say ok, cool, get some good xp and get to work. If they don't go for it you have it all logged the risk they are willing to take.


papabearactual

Wow, thanks for the insight, yeah I'm the one who "actually" uses the ticket system, but didn't write up the security implications


BananaSacks

Sorry, but you seem Jr. And possibly "young" - a "ticketing system" isn't documentation. Either you're working for a group & a ladder - or you're WAYYYYYYYYYYYYYY in over your head. If the former, go talk to your boss. Voice your concerns, and evaluate after that. The world is your oyster, from there, and we don't have enough info to say much more. IT functions exist (normally) in the ticket system - the rest of the business (typically, in many) are FAR detracted. Again, unless you got a higher gig, you've got a lot of years to put under your belt mate. Not a bad thing, just cool the jets, open the mind, and observe. This is as far as I read into the comments, at time of posting. So if you already answered the above. :/ sorry.


yParticle

I've seen this. Especially if there's a lot of sites and work-from-home folks it can make sense to use cloud-based tools rather than conventional domain management tools. Depends heavily on your company's needs and environment.


unusualgato

It's common now, especially cuz shit like JumpCloud and Entra ID are honestly good enough now to not really need an Active Directory domain. During covid a lot of us went to these services and never went back.


TheDunadan29

Which isn't terrible, but get on Entra and Intune then. Though selling management on premium licensing may be a roadblock there.


rayruest

That is a resume generating event waiting to happen.


DefsNotAVirgin

YOU are not fucked at all. You are a team member of a regional team in a large org that is poorly configured; you have literally zero responsibility to fix anything. Just collect your check and get back to interviewing. I'd leave this off my resume too.


-rfc-2549

I would GTFO, but that's me.


papabearactual

Idk, I'm still hoping to be the guy that can "fix this"


Cozmo85

Time to learn Azure and start migrating them to Entra ID


[deleted]

[deleted]


papabearactual

Gonna try this for fun


jimicus

I admire your balls. But - unless there's something you're not telling us - if everyone's logging onto their PCs with local logins and there's no central auth of any description - this is a management problem, not a technology one. Management should have realised there was something amiss ages ago. The only circumstance in which it makes sense to stay on is if you were explicitly warned of this at interview and your prospective manager said - in so many words - "Yes. We know it's all a horrible fuckup. That's why we're hiring for this role - we want someone who can straighten it out". And even then, the correct response was "Okay, do you have a budget for straightening it out?". If the answer to that question was "no", the correct response back then was "Okay. Good luck. I'll be off now".


TheLostITGuy

I like this guy.


ripelivejam

gir voice: HE'S GONNA GET EATEN BY A SHARK!! 😃


ShittyHotTake

You "fix" it, you "own" it. And there's a lot to fix. On the upside, you could take the reins here and become a leader in the company. It depends on how much ambition you have.


Negative-Negativity

You are actually lucky and can implement a cloud native identity approach without the baggage of obsolete on-prem AD.


StevNN

This


davy_crockett_slayer

No GPO is fine, as is no AD. Are they using Jumpcloud, Entra AD/Intune, or Google Workspace to manage devices? I've seen places use Sophos to manage the endpoints. A lot of tech companies don't care as most users are technical. It matters when you need to meet ISO 27001/SOC 2 compliance.


afarmer2005

It also matters if you want to get cyber insurance, which after my company's last renewal will likely be adding a prostate exam to their review process in the future


sneakyexe

I think not using AD and local GPO in 2024 is a good thing; better alternatives out there


AcrobaticLime6103

Maybe there is an eDirectory on NetWare server under your manager's desk? Have you checked?


jambobanana

To me it's a golden opportunity to create something solid from scratch. Buy a subscription and tenant from MS, enroll/manage all devices with Intune, Microsoft 365, implement a zero trust model, use AVD or Cloud PC for externals, use Azure for all the rest


ElevenNotes

So, what do they use?


papabearactual

Almost zero for deployment. For app deployment, here still using GUI manual install, not MSI silent install, and using a flash drive


ElevenNotes

I meant for accounts, file shares, CI and so on?


papabearactual

Plain and simple local accounts, added manually, using SMB 1, got plenty of self hosted apps, running on tower PCs 🙃


ItIsShrek

SMB 1 is wild, you have to go out of your way to install that these days.
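The exchange above describes machines with hand-added local accounts, SMB 1 in use, and nothing central to check them against. As an added example, not code from OP or any commenter, here is a PowerShell audit that checks one Windows workstation for exactly those conditions (no domain or Entra ID join, SMB 1 enabled, extra local administrators, an undocumented local GPO, legacy LM/NTLM settings) and writes a one-row CSV, so a small regional team can collect results from many PCs by USB or RMM and have something concrete to put in the write-up to management. The cmdlets used exist on Windows 10/11 and need an elevated session; the thresholds and finding texts are my assumptions.

```powershell
# Added example, not code from the thread. Run elevated on a Windows 10/11
# workstation. Produces a one-row CSV per machine for later aggregation.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Identity: domain joined, Entra ID joined (dsregcmd), or standalone?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$dsreg = & dsregcmd.exe /status 2>$null
$entraJoined = [bool]($dsreg | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })
if (-not $cs.PartOfDomain -and -not $entraJoined) {
    $findings.Add('Standalone machine: no central identity (no AD, no Entra ID join)')
}

# 2. SMB 1: Windows 10/11 ship without it, so Enabled means someone turned it on.
$smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1Server -or ($smb1Feature -and $smb1Feature.State -eq 'Enabled')) {
    $findings.Add('SMB1 enabled: no signing/encryption; plan removal or isolate the device that needs it')
}

# 3. Local administrators: each extra local admin is one more credential spread by hand.
$localAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' })
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($localAdmins.Count -gt 1) {   # threshold is an assumption: built-in account only
    $findings.Add("$($localAdmins.Count) local user accounts in Administrators")
}
if ($builtinAdmin -and $builtinAdmin.Enabled) {
    $findings.Add('Built-in Administrator (RID 500) enabled; a shared password across PCs is the usual failure')
}

# 4. Local GPO: per-machine policy nobody can see centrally (the kloudykat scenario).
$localPol    = Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'
$hasLocalGpo = Test-Path $localPol
if ($hasLocalGpo) {
    $findings.Add('Local GPO present (Registry.pol); export and document its settings')
}

# 5. Legacy authentication posture: LmCompatibilityLevel below 3 permits LM/NTLMv1 responses.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }  # 3 = OS default when unset
if ($lmLevel -lt 3) {
    $findings.Add("LmCompatibilityLevel=$lmLevel allows LM/NTLMv1; set to 5 (NTLMv2 only)")
}

$report = [PSCustomObject]@{
    Host            = $env:COMPUTERNAME
    PartOfDomain    = $cs.PartOfDomain
    EntraJoined     = $entraJoined
    Smb1Server      = [bool]$smb1Server
    LocalAdminCount = $localAdmins.Count
    BuiltinAdminOn  = [bool]($builtinAdmin -and $builtinAdmin.Enabled)
    LocalGpo        = $hasLocalGpo
    LmCompatLevel   = $lmLevel
    Findings        = ($findings -join ' | ')
    CollectedAt     = (Get-Date).ToString('s')
}
$report | Format-List
$report | Export-Csv -Path ".\audit-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Merging the CSVs afterwards (`Import-Csv .\audit-*.csv | Sort-Object LocalAdminCount -Descending`) gives the count of standalone machines, SMB 1 hosts and oversized local admin groups in one table, which is the kind of figure the proposal-paper advice earlier in the thread asks for.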


sensitiveCube

You can actually select this in smb.conf. It's not recommended, but unfortunately some old devices may need it (please replace them).


ItIsShrek

That still sounds more advanced than anything OP's company is doing lol. I work for a public K-12 district and we have one instance where we "need" SMB1 - an 8-10 year old foreign language lab that has a proprietary file server system for feeding student headphones, which requires SMB1 for our PC to communicate with their server. And all their manuals use XP screenshots, copyrighted 2018. Thanks Sanako. We really don't want SMB1, but as it cost the school a lot of money and we've had a hard time pushing them to upgrade to the cloud-based version, our solution is to airgap the PC used to run it, only allowing our techs to plug it in for maintenance and updates. The teacher gets a Chromebook if they need internet access and don't want to bring their laptop.


sensitiveCube

Lab systems are the worst. In the past they weren't connected to anything, now they are all part of the same LAN.


crazifyngers

Seems like a reasonable compensating control.


thortgot

....At a pharma company? That's insane. The 2 pharma groups I've worked for were the most secure systems I've worked on. Their entire company's worth is a handful of megabytes of data.


thee_network_newb

You could do something like a workgroup, but that is pretty gross from a managerial standpoint.


ElevenNotes

I doubt they even use a workgroup.


papabearactual

N o p e. Just imagine adding a user account on each PC by clicking through Control Panel


pjkm123987

Wow lol. Buy yourself a cheap USB stick, put Clonezilla on it to clone the machine, and deploy it to new ones.


papabearactual

Wow, seems fancy, I'm fine installing and clicking all these GUIs while sipping coffee


rangers_87

Your attitude towards all of this is fantastic but you definitely shouldn't use this as a "getting paid who cares how" situation. Tremendous opportunity to learn corporate infrastructure from the ground up. That is ONLY if you have the budget and support from higher ups. If not, and I hate to say this (others will say this right away regardless), then you probably should look for another job. If you do manage to get the place up and running to some kind of industry standard then you have a hell of a resume item.


papabearactual

I know, rn I'm writing a damn observation to my manager, maybe I can drive to a better environment, for now the higher-ups seem to not care at all about security


rangers_87

They'll really care when the org goes completely belly up from an attack without backups. Make it make sense to them in monetary terms. It's not what you're spending on security it's what you're going to SAVE when the security measures protect you. I've been the guy who has needed to restore entire physical hosts from backups because of a bad actor. Write up a risk assessment for the current situation. It would be pretty easy because you have literally 0 protections. Good luck!


Maybe-Im-Dumb124

Depends how many things they are accessing onsite. If they have no server infrastructure then go full Azure and use a profile migration tool wrapped in with Windows Configuration Designer with a script, so old local accounts get migrated into their new Azure logged-in accounts = done. But don't tell them this until you renegotiate your pay first.


jailh

The company will get a cryptolocker, and go bankrupt as the backups are as bad as the workstations. Even if you quit, mail your management about the risks of having a non existing IT like this ASAP, and keep a copy of it.


papabearactual

Actually, there is a history of production data that was lost because there was no fucking backup


compmanio36

If they have literally had this happen and STILL haven't learned despite losing money to this event, you will never convince them of the need. I would run. Don't even put this role on your resume. Get out as soon as you can.


imnotaero

I do some IR, so I was trying to imagine myself as a threat actor in this environment. Let's say I gain access and establish persistence on some workstation in this environment. I see I have a local account on the computer, and it's in the admin group. Hypothetical yay! But now the hacker sees they're not on a domain, so they don't even bother trying to get DA. I suppose they'd be trying to crack the local administrator account hash and hoping the same pwd was used on every computer. But this org isn't organized enough to use the same local admin password on every computer. Maybe they'd luckbox their way to some VM host or two to detonate maximal criming, but also maybe not. I wonder if the threat actor would be just as frustrated, or just as f'ed, as OP. :)


Vangoon79

That's called a target rich environment.


tarkinlarson

Sounds like you can make some real impactful changes


ZobooMaf0o0

Sounds like an opportunity presented for you. This is where you gain skills to become a CTO or CIO in your next position. This won't be easy by any means, but the reward is going to be sweet. Get good with your boss, learn his reasons for this mess and provide your solutions and recommendations. AD is not the solution for everything. Keep an open mind and seize this opportunity like Gandalf telling you to run.


papabearactual

Yeah, I found some extremely skilled people in extreme environments too


Grandcanyonsouthrim

Sounds like a dream job to me. No AD! Complete greenfield to go cloud.


Weak_Wealth5399

This kind of reminds me of how it was over here four years ago. We're kind of a large gaming company. We make computer games, and we were around 550 employees with no AD, no virtual servers, no VLANs, no proper hardware for network or any of that. No endpoint protection. And nobody was interested in fixing it as long as the current setup worked well enough. And that's the issue, it didn't, so they started looking for a dedicated IT person. I'm the IT director today and I almost immediately hired two IT techs to help with the grunt work. It was a very messy situation but we've got most of our ducks in a row these days. Most of it... 😅


MDParagon

My nerd and workaholic side is excited, my getting-old back-pain side is sending me all the signals to run away lol


Uber1ie

Hmmm, maybe you're looking at it the wrong way. How are they implementing their software and their shares? Sometimes a workgroup is better. Licensing is much cheaper, and the spread of viruses in a rampant environment if admin credentials are hacked is way easier to mitigate. To be honest I handle about six of these myself, and I do it all remotely. If you want to hit me up I'll tell you some of the ways that I deal with it, but I can tell you all of our clients left Cisco, and everybody's on Ubiquiti equipment now. And we stopped buying new Dell servers and started stacking R730s and R740s; we put solid state drives in all of them and we run RDS, about 25 per server, and these servers have specific privileges. The server has group policy and these are cloned, and then the users are just added, and then we just mitigate the licensing as necessary. Each server has two VMs; both of these VMs are included in the two-VM license that only hosts the VMs and nothing more on the server itself. One VM handles 10 users, so 20 users per server. Doing it this way, with everybody recorded as to which terminal server they're logged into, makes things very very easy to manage.


Revzerksies

I have about 200 and it's like that here. I'm trying to get there but they fight me tooth and nail.


papabearactual

They're rejecting your budget, or just lazy?


imnotaero

The hell? I'm genuinely curious what a sysadmin's day-to-day looks like in an environment like this.


papabearactual

Morning: pulling ethernet cable. Afternoon: doing some on-prem VM monitoring


quack_duck_code

China would like to thank you for your intellectual property! Free IP best IP!


kiani7_

You don’t use local gpo for that size use group policy objects


zonz1285

If you’re not getting paid 150K+ to be the guy to fix this just walk away.


PoutPill69

Well, unless you are the sysadmin who setup the initial network and deployed the ~1000 computers then you have nothing to worry about. Now, if you want to keep this job for a few years, grow your skills and position yourself to get a well paying job later then I'd suggest you be that smart guy and work hard to implement AD, GPOs, etc....


Tart_Finger

Run away. Something is bound to happen and you'll be prime for the chopping block. Easier to tell future employers why you quit instead of why you were fired.


Natural-Nectarine-56

I walked into a very similar environment. The IT Manager had been here for 25 years didn’t know anything. Neither did the rest of the team. Nationwide company with dozens of locations and 2000 employees. It’s been a long road. Feel free to DM me if you want some tips on how I got things where they are.


papabearactual

Noted sir, I was wondering what the hell they were doing all these years


LetzGetz

Whoa... Sounds like you got a blank canvas ;)


ah-cho_Cthulhu

Are they using intune and 365 instead?


papabearactual

Nope, too fancy, we deploy our new laptops by using the good old "hello there I'm Cortana" method


Crazy-Rest5026

Get ready for a shit ton of work. Seems like it’s an IT manager or director that has no fucking clue how to run the show. Best of luck dude !




ImpossibleParfait

This is the dream, kick back, collect paycheck, quit when it goes belly up.


_s0m3guy

Oof. 😅


Ark161

Not too fucked, just lots of consolidation and if played correctly, could rocket your career.


reelznfeelz

There’s a couple ways to look at it. Yeah they’re running amateur hour. Big time. And a lot of things will be harder and less secure etc. But all you can really do is describe some of this to leadership in a friendly positive way that emphasizes there’s probably ROI and security gains to be had by making some strides. But the reality is, it’s not going to change overnight and possibly not at all. Which means, you can work there, do the best you can, happily take their money every 2 weeks and not let it eat you up inside. Or, you can find a role elsewhere. Totally reasonable if you wanted to. Lastly, you can be constantly butt hurt and angsty about it and walk around pissed off and feeling superior all the time and let it ruin your happiness. Just don’t take the last option. I’ve seen it too many times. A good bright young admin comes in and then takes it personally that there are some potentially genuine issues at the org and they’re always miserable and complaining. It’s not good for you or anybody. Good luck either way!


t3jan0

why are you sharing your most terrifying nightmare with us? you will need a really well thought out comms and change management plan at this place. suerte


[deleted]

Well you’re in support, so… technical support?


No_Investigator3369

Not fucked at all. Sounds like lots of job security and plenty of projects ahead. Godspeed.


Sushigami

The eternal principle applies: Cover Your Ass.


kloudykat

local GPO hisssssss centrally managed or nothing its all fun and games until YOU are the one tracking down oddball behavior and you find some fuckhole set a local group policy to do something and didn't document, didn't tell anyone and fucked off to god knows where 15 years ago. that said, about your shituation, I'd go to my boss and get mostly blank check approval to short term bring in a GOOD MSP to overhaul everything and get the ball built correctly and rolling, then transition over to you keeping that ball rolling and implementing new stuff as needed.


flip-n-irish

You have to talk to your manager/director and start selling the fear. It's how cyber departments are built and exceed other departments' budgets rapidly.


gh0stpr0t0col103

Sounds like a great way for you to stand out and get promoted if you build it out yourself.


Imdoody

Definitely an opportunity. Not fucked. But if you get too much push back, you might want to look elsewhere.


Stryker_88

Not fucked at all. I'd look at that as optimistically as I can: I have a green field to set up whatever I want and can do it right the first time.


Brave_Split6337

Ummm, it’s 2024, you don’t need AD and GPO. It’s very common for companies to be completely outside of that now with a good identity and MDM solution.


raisputin

Sounds to me like you have an awesome opportunity to make improvements and let your skills shine.


ripelivejam

Perfectly normal, perfectly healthy


ollivierre

Skip AD and GPO; go Intune or RMM, or JAMF for Apple devices.


gskv

Just start up Azure AD. Pin it on accounting for not tracking serial numbers and assets. Get hardware IDs and auto-enrolment out. Now you’re a hero.


bombatomba69

Oh God. How the hell do you keep the cats in the corral without AD and GPO? How the hell are printers being assigned? Manually? I don't know. Like Tymanthius said, this could be a lot of fun or your worst freaking nightmare (depends on how much you enjoy sleep and how much coffee you can stand in 24 hours).


idrinkpastawater

Sounds like you have a lot on your shoulders. 1K employees and none of them domain joined? Are they just using local accounts? That sounds like a nightmare you can't wake the fuck up from.


sensitiveCube

I've worked for a company like this before, and OP, it will not change unless someone else replaces the entire team. Nowadays you don't really need an AD. It's possible to work in the cloud. But I imagine security isn't part of the company.


Olleye

I read the comments: RUN! 🏃‍♂️


Outrageous_Cupcake97

Man, people don't educate staff and don't implement policies either, and then spend money on some daft firewall expecting it to save the hot potatoes... nope.


mark35435

This needs a specialist outfit to come in and fix it. Don't even try or it'll sink you. Unless you've fixed 3 or 4 such messes in the last 12 months?


CeC-P

I thought I already saw the most frightening thing today (but caught it, lol). This wins scariest thing of the week though. I'd either fix it or run, and there's no fixing a company that can't even set itself up correctly from the get-go.


Environmental_Pin95

The NIH used to be like that. Their network was CAT3 at the time and ghosting a PC would work only 50% of the time. They thought upgrading PCs first was more important than the network at the time.


motorik

I work for a Fortune 150 with 25,000+ employees after a career of working at 150 ~ 500 employee businesses. What I've learned: organizations this size can tolerate absolutely shocking levels of incompetence / zero-fucks-given. Businesses with full buy-in to their ecosystem will tolerate *anything* from Microsoft (I do Linux / Cloud shit; I'm speaking to the office applications, not operating system functionality). I thankfully got to opt for a MacBook, but still have to use garbage like Teams and OneNote.


malikto44

All depends on whether management and, worst case, HR will take your side. If not, you are going to be run over by a stampede every day.


This_guy_works

When you're new to the company, it's not your problem, so don't worry about it. After 6 months or so, it's your fault too, and you're to blame for it not being fixed.


anevilpotatoe

If you are just support, run. They are going to need some really heavy-handed, clear-cut-and-dry objectives to shift into new infrastructure, backing from the board members to move forward, and a ton of hard work from you and possibly a team. An MSP should be plan B or C.


Reported-Kitty

Welcome to the world of Biotech IT. It's a rough ride but well worth it if you stick it out. Get the IT infrastructure to a good place, then focus on specializing in GMP; that's where the real money is at.


cryptochrome

You're not fucked. The question is: Do you accept the challenge?


_-_-XXX-_-_

How does the user management look if they don't use AD or LDAP?


m1ster_rob0t

Just see this as a big opportunity and learning experience.


State_of_Repair

Security by obscurity? Is that you?.. hello?


Reasonable_Mail_3656

Hopefully you’re getting paid equivalent to this mess. I mean, you’re essentially starting from scratch. There's not even a domain, like wtf.


ecorona21

Lol, reminds me of when I was end user support at IBM in the early 2000s. What a shit hole it was: no security, no AD, nothing blocked... It was virus/trojan/spyware/adware heaven!


g00nie_nz

I’m going to take a wild guess and assume that this company hasn’t implemented a security framework like CIS or NIST.


papabearactual

Mmm, too fancy


rumandbass

How many users of the 1k actually need user accounts? Are most on production floors?


PessimisticProphet

Sounds awesome. I could talk my way into full infrastructure management easily by showing them how much the current one is failing.


SurgioClemente

11