seanieb 5 hours ago

I spent the past year working for a company that relies heavily on Microsoft for email, productivity tools, and identity management. After that experience, I can say with confidence: never again. The support is astonishingly poor, and user experience feels like an afterthought.

More importantly, using Microsoft at scale can leave your organization fundamentally insecure. The obscure, insecure defaults are, at best, dangerous missteps and, at worst, borderline negligent. I’m convinced that only a small fraction of enterprises using Microsoft have the expertise and budget required to secure it properly.

My personal view is that if your organization depends heavily on Microsoft, it’s not serious about security, whether they’re aware of it or not.

mcv an hour ago

I work for a company that now uses everything from Microsoft. They used to have Jira, AWS and tons of other different products, but now everything is Microsoft, and it's terrible. Azure DevOps is particularly horrific. It's like Jira+Jenkins except you can never find anything. Nothing about it makes sense to me.

As far as I can tell, the databases on Azure are all either slow, expensive, or both.

And of course it means we hand over all of our highly sensitive data to a company that has said that US law will overrule EU law. How can anyone trust a company that says they will not obey the law?

project2501a 4 hours ago

Where do I find money to fund my rewrite of Kerberos 5 in Rust, removing the dumb options and Kerberos 4 compatibility and eventually create Kerberos 6 + AD that will solve a metric buttload of issues in Linux and knock a major peg of MS off?

lokar 2 hours ago

Kerberos solves the problem that doing public key authentication is slow on an i386.

project2501a 42 minutes ago

Kerberos solves the problem that you can have short one-time tokens using your password.

Add public key infrastructure support, make LDAP the default store and you've got AD. Even better, you can throw all the OAuth crap down the drain.

Now, starting services with a password becomes an issue of booting the machine.

lokar 22 minutes ago

No one would build KRB4/5 today, it makes no sense. Its only advantage over an X.509 cert based system is speed on really really slow CPUs.

mr_mitm 2 hours ago

Memory safety or type safety are the least of Kerberos' issues. The protocol itself is fundamentally flawed.

nightfly an hour ago

What issues on Linux would this actually solve?

project2501a 36 minutes ago

Simplify GSSAPI, for one. Single authentication and authorization: submit on Slurm? Ask Kerberos + LDAP. Can I upload to this service? Ask Kerberos + LDAP. Policies applied on this computer? Ask Kerberos + LDAP.

I may be a bit naive, I'll accept that, but I really like how AD works (which is essentially Kerberos + LDAP).

cyberax 3 hours ago

Ask IBM/RedHat. They did a lot of foundational work with SSSD (aka "too many 'S' D").

Kerberos is not a great protocol, though.

project2501a 44 minutes ago

SSSD is a dogpile of dogcrap. I have 15 tickets on GitHub about fixing their manpages.

And you really need to read the Kerberos book before picking up SSSD.

kakacik 3 hours ago

> Kerberos is not a great protocol

Understatement of the week

NuclearPM 4 hours ago

Did you respond to the wrong comment?

LPisGood 4 hours ago

What kind of obscure insecure defaults are there?

mr_mitm 2 hours ago

Check out the Microsoft baseline security guidelines for Windows 11. It's about 400 entries. 400 settings that Microsoft themselves recommend changing from the defaults to achieve baseline security.

Why does Windows 11 show stock values in the taskbar by default? Why does it show ads, games and yellow press headlines when you click on it? On the Enterprise edition! Xbox services are installed and running by default. Why?
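
Added example, not from the thread or from Microsoft: a PowerShell spot-check of a handful of settings that the Security Baseline sets away from the out-of-box default, so the "default vs. baseline" gap the comment describes can be measured on a real machine. The expected values are my reading of the published baseline (LM compatibility level, LM hash storage, anonymous SAM enumeration, SMB guest auth, UAC behaviour, Point and Print), and should be verified against the current Security Compliance Toolkit export; the Xbox service names are real service names. An absent registry value means "not configured", i.e. the OS default applies, which is exactly the case the comment complains about.

```powershell
# Spot-check a few Windows 11 settings against the Microsoft Security Baseline.
# Expected values are my reading of the published baseline (assumption: verify against
# the Security Compliance Toolkit before relying on them). Run elevated.

$checks = @(
    @{ Name = 'LAN Manager authentication level (NTLMv2 only, refuse LM/NTLM)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name = 'Do not store LAN Manager hash on next password change'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Expected = 1 },
    @{ Name = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RestrictAnonymous'; Expected = 1 },
    @{ Name = 'SMB client: insecure guest logons disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
       Value = 'AllowInsecureGuestAuth'; Expected = 0 },
    @{ Name = 'UAC: Admin Approval Mode enabled'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Expected = 1 },
    @{ Name = 'UAC: prompt admins for consent on the secure desktop'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'ConsentPromptBehaviorAdmin'; Expected = 2 },
    @{ Name = 'Point and Print: restrict driver installation to administrators'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Value = 'RestrictDriverInstallationToAdministrators'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    # Get-ItemPropertyValue throws when the key or value is absent. On a fresh install
    # that is the common case: "not configured" means the OS default applies.
    try   { $actual = Get-ItemPropertyValue -Path $c.Path -Name $c.Value -ErrorAction Stop }
    catch { $actual = $null }

    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set, OS default)' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
    }
}

$results | Format-Table -AutoSize

# SMB1 is removed as an optional feature, not a registry value; that is the source of truth.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature state: $($smb1.State)"

# The Xbox services the comment mentions ship on Enterprise too; show whether they run.
Get-Service -Name 'XblAuthManager', 'XblGameSave', 'XboxNetApiSvc', 'XboxGipSvc' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
```

Every row that comes back as DRIFT with "(not set, OS default)" is a setting where the shipped default and Microsoft's own recommendation disagree. The real baseline is applied as a GPO or Intune security baseline profile; this script is only a quick way to see how far a machine is from it.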

lokar 2 hours ago

Changing the default would cost sales and increase support costs.

seanieb 3 hours ago

Direct Send was my favorite. Direct Send allows devices to send unauthenticated email to internal recipients using your organization's domain, which can expose you to internal emails for phishing etc. It bypasses user authentication, making sender identity difficult to verify or audit. For all orgs made before mid-2025 it was enabled by default.

I saw a great Black Hat talk this year about Entra misconfiguration that got Microsoft's own sensitive internal services owned by a researcher, one of them owned by their security team. After the report they reconfigured their services, didn't pay a bounty and considered the problems solved. What about their customers making the same config errors as the Microsoft team... no changes planned.

There's much much more...
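
Added example, not from the thread: how an Exchange Online admin checks whether Direct Send is still accepted on a tenant (which also answers the "do you have Direct Send enabled" question further down) and turns it off without breaking the printers and scanners that rely on it. It assumes the ExchangeOnlineManagement module, an Exchange Administrator role, and that `RejectDirectSend` on `Set-OrganizationConfig` is the tenant-wide switch Microsoft added in 2025; the 10-day trace window and the grouping heuristic for spotting Direct Send sources are mine.

```powershell
# Audit and then reject Direct Send in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed; RejectDirectSend is the
# tenant-wide switch (added by Microsoft in 2025); trace heuristics below are mine.

Connect-ExchangeOnline

$org = Get-OrganizationConfig
"RejectDirectSend: $($org.RejectDirectSend)"   # $false means unauthenticated mail from your own domain is accepted

if (-not $org.RejectDirectSend) {
    # Step 1: find out who uses Direct Send today, so legitimate devices are migrated first.
    # Direct Send mail carries a sender in your own domain but reaches your MX from an IP
    # that is not Exchange Online itself. Grouping same-domain mail by source IP surfaces
    # those devices; rows with a blank or Microsoft source IP are ordinary mailbox traffic.
    $domain = (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName
    $trace  = Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -PageSize 5000

    $trace |
        Where-Object { $_.SenderAddress -like "*@$domain" -and $_.RecipientAddress -like "*@$domain" } |
        Group-Object FromIP |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'FromIP';  e = { $_.Name } },
                      @{ n = 'Senders'; e = { ($_.Group.SenderAddress | Select-Object -Unique) -join ', ' } } |
        Format-Table -AutoSize
}

# Step 2: run only after every legitimate source found above has been moved to
# SMTP AUTH client submission (a licensed mailbox, smtp.office365.com:587) or to an
# inbound connector restricted to that device's IP or certificate.
# -WhatIf shows what would change; drop it to apply.
Set-OrganizationConfig -RejectDirectSend $true -WhatIf

# Step 3: the DNS side. With -all in SPF and p=reject in DMARC, mail spoofing your
# domain from outside has a policy to fail against once Direct Send no longer lets it in.
Resolve-DnsName -Name $domain        -Type TXT | Select-Object -ExpandProperty Strings
Resolve-DnsName -Name "_dmarc.$domain" -Type TXT | Select-Object -ExpandProperty Strings
```

The order matters: flipping `RejectDirectSend` first silently breaks every multifunction printer that was relaying through Direct Send, and the complaints that follow are how the switch gets turned back on. Inventory, migrate, then reject.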

e12e 3 hours ago

One not-so-obscure problem is how hard it is to only elevate yourself to admin when you need it (and run as a regular user the rest of the time).

Essentially you need to pay for a double license for admin users so they can have two logins; and it's a pain to quickly elevate privilege to do day-to-day admin tasks.

So if your friendly domain admin clicks the wrong link, your entire network is owned.

downrightmike 2 hours ago

Everything on by default in general has plagued them, because they don't want users to complain it doesn't work.

BenFranklin100 an hour ago

This is blatant nonsense. The best security choice for any small business that doesn’t have a dedicated full time security staff is Microsoft 365.

seanieb 40 minutes ago

Have you admined a Google Apps account and an MS365 account? I'm curious why you think Microsoft is more secure? For me they are completely different, Google is secure by default, Microsoft is not. Do you have "Direct Send" enabled on your account for example?

BenFranklin100 17 minutes ago

Because outside of a handful of nerdy tech companies, all small businesses need to use Microsoft Office. From there, it's a no-brainer to stay in the MS ecosystem and use SharePoint etc...

For a small business without a dedicated IT team, simply hire an IT contractor to harden the tenant (MFA etc...), have them review every six months and be done with it, and focus your resources on running your business.