Basic Server Security Questions

Hey Everyone -

Long story short, I manage a team of about 15 people in our warehouse/logistics area that uses a small app I've built that basically connects via SOAP API to another system (3rd party). Theres one function it tho that we can basically only send one request every 1 minute or things get stuck. So currently I had built out kind of a broker on each app that says "send request...wait 1 minute...send next request...wait 1 min" - the problem is obviously that each persons computer would just be doing the same thing and they would all still be sending to many requests to our third party service.

So my thought process was to get a small VPS and rig up a queue manager to a database in the air. Our app sends the request up to the vps, it gathers all the requests and then shoots them out to the third party service. I'm not an IT guy - im just a manager try to help live an easier life by using this app.

Anyways, I've got it setup. And it works fine. My question is im just concerned about basic security because now I am shooting up a username/ssh key into the server and it holds it there.

What I have done so far - and honestly, this is just me reading online for several days:

For Basic Security -

\- for the domain/nameservers i got cloudflare which seems to offer protection against DDOS and offers basic SSL certificate for the domain. Have the domain running from https://

\- Installed fail2Ban on the server

\- closed access to all ports except 22, 80, 443

\- (I have in my notes to also change port 22 to something else but havent done it yet)

\- disabled root access

On the App on the desktop side - the username/ssh is already using encryption for windows dpai and I added an AES-256 encryption for when it sends the code i have a key on the desktop side and got a key on the server side. on the server side it holds the key just until it processes and then dumps it.


Just wanted opinions if I am on the right track here - am i not doing enough? am i doing too much? or am I complete idiot? I'm not doing much and I dont think my small little thing would attract much attention - but never know. I just need to be able to tell the boss that were secure lol. Thank you all!

https://redd.it/1ob2jax
@r_systemadmin

Scammers

Recently got hit by some scammers* claiming to be Verifone support. End user followed their instructions and sold things, faked with cash, them provided card numbers to refund to. Then requested the clerk tie a card number to the clerks personal apple wallet and do.the refund again.

Be on the lookout and let your end users know.

I have 2 phone numbers, but I'm sure they're spoofed or VoIP. They answered when I called and definitely sound like they're state side.

https://redd.it/1ob4am2
@r_systemadmin

Oct emergency patch question

I haven’t approved Oct updates yet in WSUS. With this emergency patch MS is putting out, will that overwrite the existing bad patch in WSUS? Are they pulling the bad patch and I’ll see the new one listed at some point?

https://redd.it/1ob77up
@r_systemadmin

State of ReFS on Windows 11 25H2

Deploying a new desktop and took the opportunity to mess around with ReFS as the Bootable Partition on Windows 11 25H2.

HP EliteDesk 8 G1i Mini
Intel Core Ultra 7 265
64GB RAM
Samsung SSD 980 Pro 2TB with Heatsink

Features that are available and probably worked:
• ReFS Integrity on and off
• ReFS Compression
• ReFS DeDuplication
• ReFS DeDupe & Compression

Features that did not work in my case:
• Booting Win 11 25H2 from ReFS (it was not stable)
• Block Cloning in File Explorer
(I've just read the restrictions on block cloning and saw that the max file size is 4GB. Possibly I was testing with 10GB files (I don't remember). Bit disappointing as I do a lot of duplicating of large files and was very interested in "instant" copy creation. However this feature apparently is a game changer with Hyper-V, and vhdx are all over 4GB, so maybe Hyper-V does it's block copy intelligently, breaking it down into >4GB blocks, while File Explorer doesn't).

CrystalDiskMark 9.0.1 with default settings

All benchmarks were performed with ReFS Integrity Off. (NTFS doesn't have integrity streams). I was going to do additional benchmarks with DeDupe and Compression&DeDupe as well as storage use, and then repeat with ReFS integrity on, however the OS kept freezing so was unusable.

| | Integrity Off | | Compression (ZSTD L3) | | | | NTFS | | | |
|:-------------:|:-------------:|:------------:|:---------------------:|:------------:|:------:|:-------:|:-----------:|:------------:|:------:|:-------:|
| | Read (MB/S) | Write (MB/s) | Read (MB/S) | Write (MB/s) | % Read | % Write | Read (MB/S) | Write (MB/s) | % Read | % Write |
| SEQ1M Q8T1 | 6778.33 | 4939.53 | 6682.05 | 4944.06 | -1% | 0% | 6725.4 | 4857.13 | -1% | -2% |
| SEQ1M Q1T1 | 3179.05 | 2363.24 | 1987.87 | 2679.29 | -37% | 13% | 3239.23 | 2419.95 | 2% | 2% |
| RND4K Q32T1 | 414.32 | 340.42 | 414.31 | 361.3 | 0% | 6% | 395.45 | 394.05 | -5% | 16% |
| RND4K Q1T1 | 61.09 | 120.88 | 29.43 | 113.79 | -52% | -6% | 45.38 | 126.18 | -26% | 4% |

All the benchmarks I'd read were with ReFS with default settings (Integrity on) against NTFS (which doesn't have integrity streams) and were showing performance deficits of ReFS. Based on above, possibly ReFS has very comparable performance to NTFS when configured with the same feature set.

Compression benchmarks were very odd. Big speedup for write and big slowdown for read are not logical. One would expect slowdown for write and similar or possible slight speedup for read (with costs to CPU). Seeing as the benchmarks were run once, and I paid little attention to if background tasks were running, it's possible this is just a bad benchmark result.

As I understand the features:
Compression
With ReFS, you set the compression state using PowerShell Set-ReFsDedupVolume, however the PowerShell command doesn't seem to let you specify the compression settings. If you use 'refsutil compression', you can enable/disable compression, set the format (LZ4 - Fast or ZSTD - Balance between compression and speed) as well as the compression level and chunk size.

Using refsutil also causes a job to run to de/compress the entire drive. Using PowerShell requires a

separate command to run the initial compression pass: Start-ReFSDedupJob, which is were you specify the compression properties, but it's unclear if that sets the default for the volume or just for that run?

Unless I'm remembering it incorrectly, setting compression on with refsutil resulted in PowerShell saying that it wasn't enabled for the volume and refsutil saying it was enabled. I enabled it with both just to be sure.

DeDupe
DeDuplication volume properties are set with the PowerShell Set-ReFsDedupVolume command. Then DeDupe passes are scheduled with Start-ReFSDedupJob/SetReFSDedupeSchedule. A DeDupe pass seems to run with relatively low priority (in my very limited experience of one partial pass) doesn't seem to take much CPU or drive resources on a relatively idle machine, takes a very long time, and as expected, uses inclemently more RAM as it continues. ReFS DeDupe only scans the entire volume on the initial pass. Subsequent scans will do an incremental DeDupe.

DeDupe and Compression can be combined.

Integrity Streams
Integrity steams can be enabled/disabled on format /I:enable or disable. The property can then be adjusted for a volume, a folder or a file with Set-FileIntegrity, which I believe will calculate the checkums for each included file/folder so may take significant time.

By default ReFS runs a File Integrity Scrubber every four weeks to validate infrequently accessed data checksums. This can be configured with PS.

Installing Win 11 onto ReFS
a) Install Win 11. I like to install it onto an unpartitioned drive and Win 11 will create the default FAT32 UEFI and NTFS Recovery partitions, in addition to the main partition for OS.
b) Once complete, boot back into Win 11 setup USB, and on the disk selection screen press Shift+F10 for command prompt, format the main partition with ReFS with your desired properties and then close CMD.
c) Select the main partition in the installer and it will install Win 11 onto ReFS.

Notes:
• Win 11 25H2 booted from ReFS was NOT stable. After some number of hrs of use, the storage would stop responding properly and the system would run incredibly slow.
• Same machine booted on NTFS did not have the same issue.
• This was just for fun, and the benchmarks are rough indications only and were not performed in was designed to generate exactly reproduceable results.

https://redd.it/1ob92me
@r_systemadmin

Thickheaded Thursday - October 23, 2025

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1odz8ea
@r_systemadmin

An ATM jackpotting incident has increased my hatred for dealing with law enforcement.

The credit union I work at had two of their ATMs jackpoted and every law enforcement agency involved wants the footage a different way. Between the two cities, one state, and two federal agencies that want footage we have 7 different versions archived for two different ATMs. That is before what insurance wants. I swear the next person who asks is just getting the 7 hour raw footage. It is legitimately less paperwork at this point to get robbed at gunpoint. Also, given how close NCR thinks they are to a countermeasure for the technique used it would have been nice of them to let people know a bypass for the dispenser security was in the wild. Our ATM support company was seemingly unaware that was done. Still determining if that was on NCR or them.

https://redd.it/1oe7bqa
@r_systemadmin

I genuinely struggle to find any use case for AI

When ChatGPT first hit the market I was genuinely impressed, but then I played with it for a few hours and quickly learnt that it's pretty dumb. Fast forward to today and I still test various glorified keyword predictors a.k.a AI from time to time and it's mostly the same slop generator as it always was.

Take my job for example, mainly dealing with networks and linux. If you give it a denoscription of a problem and ask for suggestions, it always spills out the same slop which usually goes like "check the obvious thing A, then another obvious thing B, and if it fails consult user manual". Wow thanks, I've already tried all of that, that's why I'm searching for the solution online now. And don't even get me started on it inventing brand new commands that do not exist.

What I noticed though is that a lot of my let's call it less technically gifted colleagues seem to love it. They use it every day and think they're great at their job, leaving the mess for me to often clean up after. If they manage to implement/fix something using AI it often results in super insecure implementations or messed up configs that affect other services they haven't considered. The AI slop gets copied into emails, tickets, teams messages; It's everywhere to the point I can spot it from miles away and usually just chose to completely ignore it.

The only good use case I observed is that some of my foreign colleagues use it to clean up their English grammar when sending emails. Pretty cool I guess, however as someone whose English is not their first language I believe that the only way to learn a language is to make mistakes.

My company is now pushing co-pilot and encourages everyone to use it to improve productivity, is there any good use case for it that I am missing? It genuinely feels to me like it's a tool to enable people who just can't read, write or think on their own.

Edit: Ok, plenty of comments here. The ones were people claim it to be useful talk about using it to digest data, filter through documentation, or use it as a base for quick noscripts. I will try to force myself to use it like that and see where it goes.

https://redd.it/1odxk0c
@r_systemadmin

Fuck Atlassian, and Fuck AI

This is a full on rant spilling out of the absolute trash heap that is now support in all areas, especially with Atlassian. I don't want your fucking chat bot, I want a real human working with me to answer my questions.

Especially when you make it SO INCREDIBLY EASY for users to accidentally create organizations within our tenant and then make me wait 60 fucking days to delete them and ONLY if there are no actual "services" (even if they're free) in an active state. Especially especially if you roll out your stupid "rovo" AI nonsense app to all of said organizations without my opt in consent, then make it actually impossible for me to remove Rovo without opening a support request for some reason. Because there's no way to deactivate it or delete.

And a special fuck you for now forcing me to type in the form to contact support only to reach an AI chat bot, and then have to hunt down the tiny link to click because actually no thank you I need to have a human do something on my account even though I should be able to do it myself and I don't think a chatbot could perform this work, so please give me a human, only to have that link do...nothing. Absolutely nothing. Except blank out the page and make me start over.

So here I am, trying to remove 6 rogue, empty, annoying organizations in my Atlassian tenant with no way to do it and no way to contact support.

Fuck your chat bots, and fuck you.

https://redd.it/1odirup
@r_systemadmin

Finally made the jump to Sysadmin.

After being burnt out at my last job (Desktop Support) I made the jump over to a 6 month contract doing IT support during a transition from GCP, with the possibility of extension or conversion after it ended. Now that the contract is finally coming to an end, and I just got the good news from my boss that they want to not only keep me, but convert me as well. I was initially hired on as support for their transition from one cloud platform to another, but now I’m being converted over to the infrastructure team, and my new noscript will be Jr SysAdmin for a bit while I get my bearings and learn the systems/tools. Then after 6 months or so I’ll get the full Sysadmin noscript (and a pay bump)! So, just wanted to hop on here to say thanks for all the good advice that you guys give in this sub (and r/ITCareerQuestions) and thanks for the encouragement to keep pushing up the career ladder for bigger and better positions. If it could happen for me, someone with no related college degree and no certs, it can happen for you. Cheers! 🍻

https://redd.it/1oecxn7
@r_systemadmin

I barely have any work to do, should I be worried about getting fired?

I honestly only have about three hours of actual work per week. During daily standup meetings, I usually have to come up with things to say, like “I’m doing this or that,” which is technically true , but those tasks are very manual and only take a few minutes to complete.

This is a remote job, so it basically feels like being on paid vacation. For some people, that might sound great, but for me it’s stressful because I constantly feel like I could be fired at any moment.

I’m also not learning anything new, since I don’t have much access within the company. There are just two of us working as sysadmins, and the other guy barely does anything, he actually has another job. Sometimes after the daily standup he messages me asking if there’s anything to do, and my answer is always “no.” Then that’s it for the day.

Nobody seems to care about what we’re doing, or maybe they’ve just forgotten about us. For example, the last time I did any real work was almost two weeks ago. Since then, I’ve just been going to the gym and watching stuff online.

What would you do in my situation? I feel like it’s only a matter of time before I get fired , it doesn’t make sense for a company to keep an employee who’s doing nothing. Has anyone else been through something similar?

https://redd.it/1oeegur
@r_systemadmin

Solo IT guy - What now?

Well, I have been at a place for 2 years now and everything is running like a toyota hilux. No breaches, no spam emails, no phishing, not internet outages. Intune has been implemented; iOS devices are no longer activation locked to personal accounts. No laptops lying around with less than 8 GB of RAM and Windows 10 has been removed from the office environment, we have an offsite failover.

It was what I would call a low complexity environment, where you have your standard ADsync domain server, 1 app server, firewalls, a VPN tunnel between sites and a whole bunch of random web applications.

My question is. What now? There are some things that can be done, but I no longer know what.

https://redd.it/1oefwnm
@r_systemadmin

I’m curious how other admins weigh buying criteria between Dell PowerEdge and HPE ProLiant.

My take:


The main decision factor isn’t CPU, RAM, or bay count.

It’s remote management. I generally prefer iDRAC over iLO for day-to-day work (UX feels quicker, fewer clicks), and I also find Dell boxes arrive fully assembled and are easier to rack, which speeds up deployment.

Questions for the room:

Do you also view OOB management as the #1 differentiator? If not, what is?
Which vendor has treated you better on firmware hygiene and RMA in the last 12–24 months?

https://redd.it/1oed8my
@r_systemadmin

Looking for a Postman alternative that works fully offline

I’ve been relying on Postman for API testing and documentation for a while, but lately the heavy cloud sync and account requirements have been driving me nuts especially when working in restricted or air-gapped environments.

I’m curious what others here are using as an offline or self-hosted alternative to Postman?
Ideally something that:

Runs fully locally (no cloud dependencies)

Can import Postman collections

Supports environment variables and OpenAPI specs

Works cross-platform (Windows/Linux/macOS)


I recently came across a few options like Bruno, Hoppscotch (self-hosted mode), and Apicat curious if anyone here has tried them in a production or secure network environment.

Would love to hear what’s worked best for your workflow.

https://redd.it/1odz605
@r_systemadmin

Alaska Airlines IT staff...

Y'all have my sympathies. Hopefully it's not DNS....

Alaska Airlines issues temporary ground stop for IT outage
https://mynorthwest.com/chokepoints/alaska-airlines-3/4146461

https://redd.it/1oel8bs
@r_systemadmin

What's your go-to PC deployment method in 2025?

Curious what everyone’s go-to method for PC deployment is these days! I used to be a PXE boot guy myself - boot, image, throw at user. Now I’ve joined the Autopilot + Intune club and I must say, It’s great! That is if you survive the initial setup. 😂

https://redd.it/1oendam
@r_systemadmin

I swear SaaS renewals are slowly turning into a full-time job

Just finished chasing down 3 auto-renewals from tools nobody remembers buying.
One’s on the company card, one’s on someone’s personal card (who left 6 months ago), and one was “just a free trial.”

I’ve got a shared spreadsheet to track this junk but it’s always out of date.

How do you all keep SaaS subnoscriptions under control without spending half your life in Excel?

https://redd.it/1oeo21h
@r_systemadmin

Tier 2 Technician - $50/hr?

I'm being hired by a Gas Station company in the East Coast to be a Tier 2 technician, mainly troubleshooting and fixing issues at their retail locations. I've done this work for about a year, at another company, for only $22/hr. This new position offers $40/hr starting, but since I have about 1.5 years of experience, they offer a range of $40-$60/hr based off of experience. Has anyone done this kind of work before that can give me some insight into what I'm stepping into? Since I have about 1.5 years of experience in this kind of IT, and 7-8 years experience in Deskside Support in general, can I feel comfortable about asking for $50/hr? Advice needed.

https://redd.it/1oen665
@r_systemadmin

Weekly 'I made a useful thing' Thread - October 24, 2025

There is a great deal of user-generated content out there, from noscripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from noscripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1oetnqf
@r_systemadmin

What visitor management system are you guys using? I need something stupid simple

Need to implement something for our office. Our front desk isn't always staffed, so we want something that can run as self-serve.

We always have mix of vendors/clients/candidates coming through, so simplicity is the main thing (while still feeling “premium”, or at least not homemade).

And we have a fair chunk of regular visitors, so I ideally want them to be able to sign-in quickly (IE not having to start from the top every time they visit).

Anything specific I should know about and ask during demos (I have calls booked with Arc⁤hie and Env⁤oy this week)?

P.S. Main ask is proper integrations for badge printers and doors access, and Slac⁤k notifications for hosts would also be nice to have!

https://redd.it/1oepsxb
@r_systemadmin

Teams is apparently going to soon start offering location tracking, not just in buildings but also to identify people working outside of the office

https://www.windowscentral.com/microsoft/microsoft-teams/microsoft-teams-is-about-to-become-your-boss-lapdog

Sitting here wondering just what kind of fallout this is going to engender, particularly with the subset of remote users who pretend to be working from one location but are actually nowhere even close to where they should be. The tracking will apparently be automatic whenever Teams is running, not just when on a call.

https://redd.it/1oewcr8
@r_systemadmin