Alternative to ssh tunnel
I’ve inherited a setup where a central Windows server has SSH tunnels to multiple client servers (all Windows).
Devs RDP into the central server, and Jenkins pipelines use SSH tunnels (key-based, non-standard port, IP restricted) to copy files and execute commands on client machines.
It works, but I’m not fully comfortable with the model: if the central box gets compromised, it feels like all clients are potentially exposed.
I’m considering redesigning this and would like some external opinions.
Options I’m thinking about:
• Site-to-site VPN (e.g. WireGuard) with proper segmentation
• Jenkins agents on each client (pull model instead of push)
• Some kind of bastion / hub separation
All servers are Windows, but the client is open to deploying Linux.
From a security + operational point of view, what would you consider a more sane / standard approach today?
https://redd.it/1qr4jm7
@r_systemadmin
The "Just connect the LLM" phase was bad enough. Now they want Agents.
I posted here a few weeks ago about an internal LLM that surfaced sensitive legal docs because our permissions were a mess.
The dust hasn't even settled yet, and now leadership is already pushing for AI Agents. They don’t just want the AI to summarize stuff, they want it to trigger workflows, send emails, and basically do what an employee is supposed to be doing.
I tried to explain that it's one thing when an AI shows someone content they shouldn't see, but when that same AI starts acting on that data, moving info between systems or triggering actions it's a whole different level of risk.
Before we kid ourselves again and create another round of chaos at the office, I truly want to know how to address the risk before anything happens. I’ve talked to some friends in the industry, and it seems everyone is stuck in one of four approaches:
1. Some are creating small silos of data and letting the AI work within them. I get the logic, but this won't stand for long. The data will grow, the use cases will expand, and the problem will eventually hit.
2. Then you have the companies that are connecting agents to broad data sources and relying on existing permissions. Basically saying "we'll fix the leaks if they pop up." IMO - they’ll pop up way before anyone even notices.
3. Others are inspecting everything "closely" and assigning people to act like a monitoring team and hoping the alerts catch problems in time. I don’t think I even need to explain why this is a disaster waiting to happen.
4. And then there's the "Safe" route - using agents in super-strict, tiny automated processes with "zero harm potential." Honestly, they're only using agents just to say they’re using them. Why even bother?
I’m really curious - how can we actually handle this properly before the shit hits the fan AGAIN? Is there a fifth option I’m missing, or are we all just choosing our favorite way to fail?
https://redd.it/1qr71jh
@r_systemadmin
Security vendors wanting their IPs to be whitelisted for pen testing. Does anyone do this?
Am I the one who is wrong here? Every vendor we have reached out to for black-box pentesting always asks for full whitelisting of their IPs and removal of geoblocking for certain countries during the test. This isn't just one vendor either. We have seen this multiple times in the past few years.
https://redd.it/1qr84b7
@r_systemadmin
New employee can't receive laptop shipments - what would you do here?
We've got a new hire in a state that's getting blasted by snow and ice. He was meant to start monday, but literally can't get any shipments. We've sent two laptops already, and neither made it.
- First laptop was shipped a week ago and made it to the state he's in, but is sitting in a FedEx warehouse, and they won't/can't tell us what's going on when we call their support.
- Managers decided to try overnighting a second laptop yesterday, and today the tracking says it's 4 states PAST the state he's in. Not even close.
Now they're asking me if there's some way he can drive to a nearby Best Buy and just pick up whatever laptop they have himself, and have me "set it all up remotely". I doubt Best Buy supports enrolling in Autopilot from a retail store. I guess I could call him and walk him through the OOBE and downloading some kind of remote control tool, and take over from there?
Just such a stupid situation. What would you do in my position, what's the best way to go about this? Just tell them to wait for one of the two laptops to arrive - whichever comes first? Or should I start googling BestBuy's in his area and see what they have in stock?
Edit: Got a response from FedEx. 1st package delayed due to "severe weather", second delayed due to "mechanical issues". Neither one has an ETA yet.
Edit2: Thanks for the dozens of responses and ideas! I'm going to tell them a local electronics store won't have a business appropriate device that can fit into our fleet (win home vs pro, etc). I'm looking into W365 as some suggested, as well as setting up a laptop at the office and finding a way for them to remote into it from their personal pc.
https://redd.it/1qrbvym
@r_systemadmin
Microsoft to disable NTLM by default in future Windows releases
I hope that we are finally getting to the point where we can disable NTLM. We have been unable to disable NTLM due to the lack of an alternative to local authentication, but with the introduction of "Local KDC" we may be finally able to disable NTLM.
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-ntlm-by-default-in-future-windows-releases/
> Microsoft also outlined a three-phase transition plan designed to mitigate NTLM-related risks while minimizing disruption. In phase one, admins will be able to use enhanced auditing tools available in Windows 11 24H2 and Windows Server 2025 to identify where NTLM is still in use.
> Phase two, scheduled for the second half of 2026, will introduce new features, such as IAKerb and a Local Key Distribution Center, to address common scenarios that trigger NTLM fallback.
> Phase three will disable network NTLM by default in future releases, even though the protocol will remain present in the operating system and can be explicitly re-enabled through policy controls if needed.
> "The OS will prefer modern, more secure Kerberos-based alternatives. At the same time, common legacy scenarios will be addressed through new upcoming capabilities such as Local KDC and IAKerb (pre-release)."
Also: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526
> Phase 2: Addressing the top NTLM pain points
> Here is how we can address some of the biggest blockers you may face when trying to eliminate NTLM:
> * **No line of sight to the domain controller**: Features such as IAKerb and local Key Distribution Center (KDC) (pre-release) allow Kerberos authentication to succeed in scenarios where domain controller (DC) connectivity previously forced NTLM fallback.
> * **Local accounts authentication**: Local KDC (pre-release) helps ensure that local account authentication no longer forces NTLM fallback on modern systems.
> * **Hardcoded NTLM usage**: Core Windows components will be upgraded to negotiate Kerberos first, reducing instances of NTLM usage.
> The solutions to these pain points will be available in the second half of 2026 for devices running Windows Server 2025 or Windows 11, version 24H2 and later.
https://redd.it/1qrec1q
@r_systemadmin
Fuck GoDaddy
Pretty much the noscript, fuck GoDaddy. Setting aside their horrific website, which somehow doesn't have a sign-in button (it does have the button, but once you load the homepage the button gets hidden), their dark pattern bullshit is partially responsible for an email outage yesterday.
I work for an MSP. Some of our clients will come to us with pre-existing domains. Sometimes we take those over, other times we just manage the DNS. This particular client and domain is one of those types. We manage the DNS in our Cloudflare, but the domain itself lives in the client's GoDaddy account with name servers pointed to Cloudflare.
Well, a couple days ago the marketing director of this client was looking in the GoDaddy portal for something, and upon logging in saw a message stating something like "GoDaddy isn't fully managing your example.com domain, click here to fix it." Upon clicking there, it reverted the name servers back to GoDaddy. Notably, GoDaddy DNS isn't configured for Microsoft Exchange email. So cut to about 24 hours later and they can't get email anymore. I come into the office to phone calls that external emails are not working, but internal are working fine. I log into the Microsoft tenant, and the MX records are missing. I check the name servers: moved back to GoDaddy.
So I added the proper MX records to GoDaddy to get them up and running ASAP, and so if this happens again it won't be an issue. Then I moved the NS back to Cloudflare and had a conversation with said marketing person about not pushing that button again. Made sure the client knew what happened, and that it wasn't our fault, everyone is happy.
Anyway, fuck GoDaddy.
https://redd.it/1qriz2y
@r_systemadmin
Calendar Items from terminated employees
I'm sure this one comes up for people quite often, especially at large orgs.
About once a month, we get a request from a user regarding a calendar item that no longer exists, from a user who was termed months ago.
I know we have the option to run some powershell cmdlets to remove it from all mailboxes, but that is PITA.
Usually we tell users that the meeting must be deleted by everyone and the event needs to be recreated by someone who is around.
Anyone have a better way to deal with this? I've been in IT for 25 years now and this same problem has been around for as long as I can recall.
https://redd.it/1qrh1vy
@r_systemadmin
Yeah I did it again (interview)
Simple t1 help desk question of connected but no internet.
I simply forgot to mention checking the IP. Instead I went with checking the port and the patch from the wall to the switch to ensure it's correctly set (can't count the times network teams messed this up).
Yes, reboot was part of the answer, but I somehow skipped that in my head. Could've said if the IP is 169.xxx then DHCP, or if I ran ipconfig it'll show mac disconnected.
Oh well. My mind always freaks out no matter how much I prep and such.
https://redd.it/1qrrtsq
@r_systemadmin
Sysadmin-on-Sysadmin stuff that’s super annoying
Just venting a little and wondering what little things really grind your gears (and maybe why they irk you so bad) when they come from other IT professionals.
I’ll start - sending a screenshot of useful/needed text or tables. Making me retype something that was literally in your session is just so damn lazy and unprofessional. When an end user does it I can give them a little grace because at least they’re providing something and they might not know better.
Looking at you, vendor licensing backend support lady!
https://redd.it/1qsmuay
@r_systemadmin
Do you consider 'enshittification' a professional term?
We all know what it means and it's a term I'm seeing mentioned very casually in a lot of different articles, videos, conversations... Would you use it in a professional setting? Have you? Do you have another word for it?
The amount of products that have been 'enshittified' with the push for AI has gone up a lot. Microsoft is the easiest target with Copilot but a ton of vendors have worsened their products lately. Upper management is not ignorant to this and it has to be called out. It's been called out in my own org by several engineers.
https://redd.it/1qs6qt3
@r_systemadmin
Do you back up your password manager vault?
If your company uses a commercial, cloud-based password manager (like Keeper or Bitwarden), would you be fine if your vault was suddenly gone?
If you're backing up your password manager vault, what is your strategy?
I'm not talking about self-hosted solutions, like KeePass or Vaultwarden, though they should be backed up too (in which case it's even simpler than with a cloud-based, SaaS password manager).
"But why would my vault be gone suddenly?" Think of any hypothetical scenarios: "master" account was hacked and deleted, vendor decided you violated their terms and terminated your account with no chance of recovery, etc. The moral is: two is one, and one is none.
https://redd.it/1qsg1z7
@r_systemadmin
Service Desk Dashboard Display Suggestions
Looking for a platform that will allow me to create a combination dashboard/status display board for two separate service desk offices on 90 inch displays.
My thought is to carve the display so different quadrants have different content, almost all of it web based (i.e. one section a kanban board app (Focalboard), one section our help desk queue, one section a weather map, and other sections with other stuff).
It either needs to be cloud based or run on Windows/Windows Server (our environment has a strict no open source/Linux on the network policy (don't ask...)).
Any suggestions, or should I go the "digital signage" app route?
https://redd.it/1qsof04
@r_systemadmin
Windows Admin Center Virtualization Mode "Access denied"
We have Azure Local, migrated our "classic" AD environment from VMWare.
I install Windows Admin Center Virtualization Mode, then when I register the app with Entra ID the same way I did with a "normal" WAC (creating a new app for it), log in with the same Azure onmicrosoft account that worked with WAC, allow, etc., I lose control/access and only get "You are not authorized to access this site. Please contact your administrator."
Which account has to have what access to where exactly?
I may have misinterpreted the use case of Windows Admin Center Virtualization Mode.
https://redd.it/1qstsya
@r_systemadmin
How do I replace Office 2016 with Microsoft 365 Apps on an on-prem server?
Hi all,
I am very new in IT support, and we have an on-prem Windows Server used as a server for a business unit.
Office 2016 is currently installed on it.
About 8–10 users RDP into the server in a week.
Management wants to replace Office 2016 with Microsoft 365 Apps.
What is the correct and supported way to do this on an RDP server?
Specifically:
Do I need to fully uninstall Office 2016 first?
How do I install Office 365 so that it works for everyone the same as now?
Thank you
https://redd.it/1qsw0o8
@r_systemadmin
BitTitan just put me in an extremely difficult position, GCC High
I've been preparing to migrate our business from 365 commercial to GCC High. For the past 4 weeks I've been staging backups of mailboxes, OneDrive, etc. I have literally all my users' data staged, with all 90+ days of data ready to migrate.
Suddenly, the OneDrive staging starts failing across the board after having plenty of success with 100% of my users' OneDrives.
I open a ticket and I'm simply told BitTitan does not support migrating to GCC High.
I'm dumbfounded that they just pulled support, or whatever it is, and just let the product break.
"Sorry for the inconvenience!"
No kidding. I'm 2 weeks away from a cutover I planned with YOUR product at the center of it, and now the rug has been pulled out from under me.
I sure hope it's something on Microsoft, and not BitTitan's determination to pull the support for GCC High.
If anyone has any advice, I'm all ears. I was thinking of Veeam backup for 365, but I don't know that it would support restore to 365 the same way BitTitan would.
https://redd.it/1qswdub
@r_systemadmin
ntp jitter on metas.ch
I sync my router's time with the Swiss meteorologic institute (metas) and use the router as my local NTP source. Yesterday I saw a jitter of under 0.5, today over 1.0. What could cause this?
\## 31.01.2026
https://redd.it/1qsvipl
@r_systemadmin
I sync my routers time with the Swiss meteorologic institute (metas) and use the router as my local ntp source. Yesterday I saw a jitter of under 0.5 today over 1.0 . What could cause this?
\## 31.01.2026
remote refid st t when poll reach delay offset jitter==============================================================================+ntp11.metas.ch .PZF. 1 u 10 64 377 14.604 -0.216 0.439*ntp12.metas.ch .PZF. 1 u 39 64 377 14.433 -0.288 0.159+ntp13.metas.ch .PZF. 1 u 42 64 377 14.435 -0.376 0.327## 01.02.2026remote refid st t when poll reach delay offset jitter==============================================================================*ntp11.metas.ch .PZF. 1 u 62 64 377 13.868 -0.253 1.246+ntp12.metas.ch .PZF. 1 u 7 64 377 13.566 -0.351 1.150+ntp13.metas.ch .PZF. 1 u 56 64 377 13.454 -0.435 1.296https://redd.it/1qsvipl
@r_systemadmin
Reddit
From the sysadmin community on Reddit
Explore this post and more from the sysadmin community
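The two snapshots in the post are exactly what a small monitoring check can consume. The script below is an added example, not code from the post or from ntpd: it parses `ntpq -p` output into per-peer records, compares two snapshots, and reports for every peer whose jitter crossed a threshold the context needed to interpret the jump: whether reach is still 377 (no lost polls), how much the round-trip delay moved, and whether ntpd changed its selected system peer (the `*` tally). The two embedded snapshots are the poster's own tables laid out one peer per line; the thresholds (1.0 ms absolute, or a 2x rise) are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Added example, not code from the post. The two snapshots below are the poster's
# `ntpq -p` output for 31.01.2026 and 01.02.2026, laid out one peer per line.
SNAPSHOT_2026_01_31 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ntp11.metas.ch  .PZF.            1 u   10   64  377   14.604   -0.216   0.439
*ntp12.metas.ch  .PZF.            1 u   39   64  377   14.433   -0.288   0.159
+ntp13.metas.ch  .PZF.            1 u   42   64  377   14.435   -0.376   0.327
"""

SNAPSHOT_2026_02_01 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp11.metas.ch  .PZF.            1 u   62   64  377   13.868   -0.253   1.246
+ntp12.metas.ch  .PZF.            1 u    7   64  377   13.566   -0.351   1.150
+ntp13.metas.ch  .PZF.            1 u   56   64  377   13.454   -0.435   1.296
"""

# One ntpq peer line: tally character, remote, refid, stratum, type, when, poll,
# reach (octal), then delay/offset/jitter in milliseconds.
PEER_RE = re.compile(
    r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>[ulbsp-])\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?\d+\.\d+)\s+(?P<offset>-?\d+\.\d+)\s+(?P<jitter>\d+\.\d+)\s*$"
)


@dataclass
class Peer:
    tally: str      # '*' system peer, '+' candidate, ' ' rejected, 'x' falseticker, ...
    remote: str
    refid: str
    stratum: int
    reach: int      # 8-bit shift register of the last polls; 0o377 = all 8 answered
    delay: float    # round-trip delay, ms
    offset: float   # clock offset, ms
    jitter: float   # RMS of recent offset differences, ms


def parse_ntpq(text: str) -> dict[str, Peer]:
    """Parse `ntpq -p` output into a mapping remote -> Peer; header and separator are skipped."""
    peers: dict[str, Peer] = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        peers[m["remote"]] = Peer(
            tally=m["tally"], remote=m["remote"], refid=m["refid"],
            stratum=int(m["st"]), reach=int(m["reach"], 8),
            delay=float(m["delay"]), offset=float(m["offset"]), jitter=float(m["jitter"]),
        )
    return peers


def jitter_report(before, after, abs_threshold_ms=1.0, ratio_threshold=2.0):
    """Flag peers whose jitter reached abs_threshold_ms or grew by ratio_threshold or more.

    Each finding carries the context needed to read the jump: did reach stay 377
    (no lost polls), how much did the path delay and offset move, and did ntpd
    switch its system peer ('*') between the two snapshots.
    """
    findings = {}
    for remote, new in after.items():
        old = before.get(remote)
        if old is None:
            continue
        ratio = new.jitter / old.jitter if old.jitter > 0 else float("inf")
        if new.jitter < abs_threshold_ms and ratio < ratio_threshold:
            continue
        findings[remote] = {
            "jitter_before_ms": old.jitter,
            "jitter_after_ms": new.jitter,
            "jitter_ratio": round(ratio, 2),
            "delay_change_ms": round(new.delay - old.delay, 3),
            "offset_change_ms": round(new.offset - old.offset, 3),
            "fully_reachable": new.reach == 0o377,
            "system_peer_changed": (old.tally == "*") != (new.tally == "*"),
        }
    return findings


if __name__ == "__main__":
    report = jitter_report(parse_ntpq(SNAPSHOT_2026_01_31), parse_ntpq(SNAPSHOT_2026_02_01))
    for remote, finding in report.items():
        print(remote, finding)
```

On the poster's data all three peers are flagged, reach is still 377 for every peer, the round-trip delay to each server dropped by roughly 0.7 to 1 ms between the two days, and the system peer moved from ntp12 to ntp11. A jitter rise that coincides with a delay change and with no lost polls points at the network path rather than at the servers, so the next thing to look at is what changed on the route to metas.ch, not the router's NTP configuration.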
Conditional Access Initial Setup
I am just starting the process of building a set of CA policies. I have enabled the standard two (block legacy and enforce phishing-resistant for admins). I am playing with restricting login to the home country (aware of the various caveats and loopholes that exist, and that this is only part of the overall setup).
I have set the home country as a named location. I have set up a policy that includes all locations, excludes the named location (country), and blocks.
The issue is that users cannot log in: a review of the sign-in logs shows that the CA policy is matching on location despite the fact that the login location is correctly seen by Entra as being in the home country (i.e. to my mind, it is failing to respect the exclude setting in the rule).
Am I missing something simple?
I am aware that this setup carries a relatively high risk of generating login failures and tickets. As an alternative, I was considering setting up a rule to block the top 10 or 20 high-risk locations worldwide (does anybody take this approach, and what list do you use?). Again, I am aware of the many loopholes here, but I think it still makes sense to deploy some sort of location policy as part of the setup.
Very grateful for any advice!
https://redd.it/1qsyt9t
@r_systemadmin
How do you handle sharing supervision on Google Workspace Drive ?
At my work, we would like to have a global overview of external file shares. We are aware of the DLP solution in Google Workspace, but we are on the Standard plan, and paying an extra $7/user/month to upgrade to the Business plan seems a bit steep.
Also, it seems that you can only restrict from there. I do not foresee it as a viable solution: we are a small company of 50 people, I am the only IT guy, and we have a good number of external partners. Having to approve each specific email/domain before being able to share seems a bit time-consuming (also, it seems it does not allow specific rules for shared drives?).
Moreover, I would like to empower users by giving them the opportunity to say "This file is shared with this external entity for this reason", and to be able to export that list to prove to auditors that we know what we are doing.
Finally, I don't see a good dashboard in there for a global view of the "health" of our current Google Drives.
Is this something you have dealt with or are dealing with? How do you deal with it? Every solution I look up is more enterprise-oriented, with steep costs and other tools I do not need. I am even thinking of building the solution myself in the future.
Thanks for your advice!
https://redd.it/1qt0vii
@r_systemadmin
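The three things the post asks for (an inventory of external shares, a per-file "why is this shared" record, and an export for auditors) fit in a short script once the Drive permission data is in hand. The example below is added here and is neither the poster's nor Google's code. It works on records in the shape the Drive API v3 `files.list` call returns when asked for `id`, `name`, `owners` and `permissions`; the records themselves are constructed, the internal domain `example.com` is an assumption, and the justification register is a plain dict standing in for whatever form the users would fill in. Fetching the real records (a service account with domain-wide delegation iterating over each user's files) is left out so the script runs offline.

```python
import csv
import io

# Added example, not Google's or the poster's code. Assumption: the company's own
# Workspace domain is example.com; every other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample records in the shape of Drive API v3 files.list results fetched with
# fields="files(id,name,owners(emailAddress),permissions(type,role,emailAddress,domain,allowFileDiscovery))"
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 board deck.pptx",
     "owners": [{"emailAddress": "cfo@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
         {"type": "user", "role": "reader", "emailAddress": "auditor@partner-firm.example"},
     ]},
    {"id": "f2", "name": "Onboarding guide.docx",
     "owners": [{"emailAddress": "hr@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
    {"id": "f3", "name": "Internal wiki.gdoc",
     "owners": [{"emailAddress": "it@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "it@example.com"},
         {"type": "domain", "role": "reader", "domain": "example.com", "allowFileDiscovery": True},
     ]},
    {"id": "f4", "name": "Vendor contract.pdf",
     "owners": [{"emailAddress": "legal@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "legal@example.com"},
         {"type": "domain", "role": "writer", "domain": "vendor.example"},
     ]},
]

# Constructed: the user-supplied "this file is shared for this reason" register,
# keyed by file id. Files with an external share and no entry here get flagged.
JUSTIFICATIONS = {"f1": "FY25 audit fieldwork; approved by CFO; remove after 2026-03-31"}

# Ordering for the report: link-sharing first, then whole external domains, then
# external groups and individuals; within a class, wider roles first.
SEVERITY = {"anyone-with-link": 0, "external-domain": 1, "external-group": 2, "external-user": 3}
ROLE_RANK = {"owner": 0, "organizer": 0, "fileOrganizer": 1, "writer": 1, "commenter": 2, "reader": 3}


def classify(perm, internal_domains):
    """Return an exposure label for one permission, or None when it is internal."""
    kind = perm.get("type")
    if kind == "anyone":
        return "anyone-with-link"
    if kind == "domain":
        return None if perm.get("domain", "").lower() in internal_domains else "external-domain"
    if kind in ("user", "group"):
        domain = perm.get("emailAddress", "").lower().rsplit("@", 1)[-1]
        return None if domain in internal_domains else f"external-{kind}"
    return "unknown"


def external_share_inventory(files, internal_domains=INTERNAL_DOMAINS, justifications=None):
    """One row per external permission across all files, most exposed first."""
    justifications = justifications or {}
    rows = []
    for f in files:
        owner = (f.get("owners") or [{}])[0].get("emailAddress", "")
        for perm in f.get("permissions", []):
            exposure = classify(perm, internal_domains)
            if exposure is None:
                continue
            if perm["type"] == "anyone":
                principal = "anyone" + (" (searchable)" if perm.get("allowFileDiscovery") else " with the link")
            else:
                principal = perm.get("emailAddress") or perm.get("domain", "")
            rows.append({
                "file_id": f["id"], "file_name": f["name"], "owner": owner,
                "exposure": exposure, "principal": principal, "role": perm.get("role", ""),
                "justification": justifications.get(f["id"], ""),
            })
    rows.sort(key=lambda r: (SEVERITY.get(r["exposure"], 9), ROLE_RANK.get(r["role"], 9)))
    return rows


def unjustified(rows):
    """External shares nobody has recorded a reason for: the follow-up list for the owners."""
    return [r for r in rows if not r["justification"]]


def to_csv(rows):
    """Auditor-ready export; returns the CSV text."""
    buf = io.StringIO()
    fields = ["file_id", "file_name", "owner", "exposure", "principal", "role", "justification"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    inventory = external_share_inventory(SAMPLE_FILES, justifications=JUSTIFICATIONS)
    print(to_csv(inventory))
    print(f"{len(unjustified(inventory))} external share(s) without a recorded justification")
```

Two design points carry over to a real deployment: the check is on the permission's principal domain rather than on the file's owner, so a file owned internally but shared with a partner is caught, and a domain-wide share to the company's own domain is not reported as external. The "anyone" case is separated from named principals because it is the one that needs no identity at all to exercise.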
ISO 27001 risk assessment
Hi,
We are working through ISO 27001. Then all the risk assessments are coming up.
What is expected, and how is it expected to look? There is so much that is possible to assess, but how do you structure it?
Open for a discussion on how to do it properly.
https://redd.it/1qt2tix
@r_systemadmin
Worst part of the Job today
Today I had to do the worst part of a sysadmin drive and disable the account of a coworker that passed away. This is only the second time I have had to do it. It sucks. We lost a great guy last night.
https://redd.it/1qw2e87
@r_systemadmin
Ringcentral = Professional Scammers
I'm the admin. Absolute nightmare trying to cancel this service. I attempted to cancel back in June 2025 with written requests via email and their portal, complete with chat logs and confirmation PDFs as proof. They completely ignored it, let my contract auto-renew without warning, and now they're refusing to let me out until next August while continuing to bill us monthly.
We've followed up multiple times—calls, more emails—and every time it's the same runaround: "We have no record," or "Your request wasn't processed in time."
RingCentral is running a scam operation—avoid them at all costs if you don't want to get ripped off.
https://redd.it/1qvwgaq
@r_systemadmin