Wednesday, May 09, 2018

CredSSP RDP Error

In March, Microsoft released CredSSP updates for CVE-2018-0886. On some clients these updates cause the following error when connecting over RDP (for example when launching Remote Apps):


As noted here https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018, the registry key affected by the update may not exist yet and may need to be created and set.

You can set it to 2, the least secure setting, to resolve the error and get people back into older RDP servers that the change broke.

I recommend using 1 if 0 (the default) is not working, where possible.
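The check-then-set workflow the post describes, as an added PowerShell example (not code from the original post). The key path and value name are the ones documented in the KB article linked above, not quoted on this page; run it elevated on the affected client.

```powershell
# Added example: inspect and set the CredSSP "Encryption Oracle Remediation" value
# described in KB4093492. Key path and value name come from that KB article.
# Meaning per the post: 0 = default, 1 = mitigated, 2 = vulnerable (least secure).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

function Get-CredSspOracleSetting {
    # Returns $null when the key or value is absent (the out-of-box state).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-CredSspOracleSetting {
    param([ValidateSet(0, 1, 2)][int]$Level)
    # The key is not created by the update, so create it on first use.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Level -Force | Out-Null
}

$before = Get-CredSspOracleSetting
if ($null -eq $before) { 'AllowEncryptionOracle is not set (default applies).' }
else                   { "AllowEncryptionOracle is currently $before." }

# Follow the post's advice: try the mitigated level (1) before falling back to 2,
# and only while the older RDP servers are being patched.
if ($before -ne 1) {
    Set-CredSspOracleSetting -Level 1
    "AllowEncryptionOracle set to $(Get-CredSspOracleSetting) (mitigated)."
}
```

Re-run the first function after the RDP servers are patched and remove or reset the value, since it lowers the client's CredSSP protection while it is in place.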

Friday, May 12, 2017

IIS Security

If you are setting up an IIS server or installing an app that will enable IIS, take a look at these links on how to harden IIS:

  • http://resources.infosecinstitute.com/hardening-iis-security/#gref
  • https://technet.microsoft.com/en-us/library/jj635855(v=ws.11).aspx
  • https://msdn.microsoft.com/en-us/library/dd163542.aspx

Weak Service Permissions

Now Exploiting Windows!

In the news recently is the not-quite-new but always relevant technique of taking over a Windows PC by replacing a file that the system runs at boot.

It works when a third-party service runs from a folder that any regular user of the PC (anyone who can log on to it) is allowed to modify: the user swaps the service's files, and the replacement runs with the service's privileges the next time it starts.

A good write up on this can be found here: http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/

That same article links to several other great articles on privilege escalation and other security blogs.
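An audit for the condition described above, as an added PowerShell example (not code from this post or the linked article). It lists services whose executable, or the folder it lives in, grants write access to broad principals; run it elevated so every ACL is readable.

```powershell
# Added example: flag services whose binary or containing folder is writable by
# non-admin principals. The principal list is an assumption; extend it as needed.
$WeakPrincipals = @('Everyone', 'BUILTIN\Users',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service PathName may be quoted and may carry arguments; keep the executable only.
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(\S+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Test-WeakServicePermissions {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # Check the file itself and the folder (a writable folder allows renaming
        # or replacing the file even when the file's own ACL is tight).
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Target    = $target
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Test-WeakServicePermissions | Sort-Object Service | Format-Table -AutoSize
```

Any hit where RunsAs is LocalSystem or another privileged account is the case the article describes; the fix is to tighten the ACL (or move the binary under Program Files) rather than to tolerate the exception.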

Tuesday, September 20, 2016

DIY Cloud Print

Ever struggle with how to give guests the ability to print that all-important boarding pass, hilarious Dilbert cartoon (does anyone print those anymore?) or the occasional business document to share at a meeting? How about doing it for free? Nothing combines my two loves, the smell of toner and "free", quite like guest printing. There are a ton of complex and cool solutions out there, but why not build something simple and easy to use? Here's what you can make happen:


  1. Build yourself a Windows server; the version I used was a VM of Windows 2012 R2.
  2. License that server.
  3. Patch the server.
  4. Get yourself an Internet IP (you probably already have one and can NAT an address to it).
  5. Decide on some cool DNS name, like makeitprint.coolcompanyname.com.
  6. Create a DNS record (inside and outside of your company if needed) for that DNS name. (Note: for guests, you probably need to publish this on the Internet.)
  7. On your firewall, configure NAT to pass traffic through on port 443; you may also want to restrict access to your solution to just your corporate Internet IPs.
  8. On the Windows server, install the Internet Printing role.
  9. Set up your printers on your server.
  10. They will now have a URL of https://makeitprint.coolcompanyname.com/printers/.
  11. You can use the URL for each printer to print to; share that with your guests and they will be good to go.

For printing from Chromebooks, you can also set up Google Chrome on your server and share the printers out to Google users (keep it secure by limiting who can access it via Google's security).

Note: Using Google Chrome in this way allows the approved accounts to print from anywhere, bypassing your firewall restrictions.

This will allow Windows, Linux, and Macs to print to your printer from the office (via HTTPS printing) and any system running Google Chrome (such as Chromebooks) to print via Google Chrome.
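Steps 8 through 10 as a script, added here as an example rather than taken from the post: it installs the Internet Printing role on Windows Server 2012 R2, gives the default IIS site the HTTPS binding that the port-443 NAT in step 7 needs, and checks that the /printers/ page answers. The certificate thumbprint is a placeholder for a certificate already imported into the machine store for the host name.

```powershell
# Added example: Internet Printing role + HTTPS binding + smoke test. Run elevated.
$HostName       = 'makeitprint.coolcompanyname.com'      # DNS name from step 5
$CertThumbprint = 'REPLACE-WITH-CERT-THUMBPRINT'         # placeholder, see lead-in

# Print-Internet pulls in the Print Server role and the IIS pieces it depends on.
Install-WindowsFeature -Name Print-Internet -IncludeManagementTools

Import-Module WebAdministration

# Add an HTTPS binding on the default site if it does not already have one.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}

# Attach the certificate to the 0.0.0.0:443 listener (skip if already bound).
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    Get-Item "Cert:\LocalMachine\My\$CertThumbprint" |
        New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# Confirm the /printers/ page from step 10 answers over HTTPS.
$resp = Invoke-WebRequest -Uri "https://$HostName/printers/" `
            -UseBasicParsing -UseDefaultCredentials
"HTTP {0} from https://$HostName/printers/" -f $resp.StatusCode
```

Leave port 80 off the NAT rule entirely so credentials and documents only ever travel over the HTTPS binding.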

Suddenly you are saving the company money and providing an easy to use solution to guest printing.

Tuesday, September 29, 2015

Bimodal IT and How It Applies to the Digital Workplace (From Gartner)

Source: Gartner (April 2015)
Goal: The inherent goal of digital workplace bimodal Mode 2 is to boost employee agility and efficiency, and to boost employee engagement levels by empowering them and giving them a sense of ownership over technology strategies.
Value: The value shifts from investment protection (in Mode 1) to workforce optimization and empowerment in the digital workplace (Mode 2).
Approach: The Mode 2 approach is to deliver a more consumerized work environment that emphasizes mobility, integration of social networking services and self-service access to analytics. Allowances for personal choice and departmental choice of services (where such choices make sense) are important. A more iterative style of development is adopted.
Governance: Governance is more flexible in Mode 2, with greater allowance for exceptions and a willingness to rethink Mode 1 practices that may have been in place for decades.
Sourcing: By nature, the digital workplace will be more expansive in its sourcing strategies since it allows for employee- and business-unit-led procurement, which may result in consumer-oriented applications and an emphasis on cloud services.
Talent: IT employees that are close to digital workplace initiatives are typically more business-focused and in tune with employee technology requirements. They typically favor an iterative approach to problem resolution and are comfortable with a fail-fast project strategy, and therefore are more accepting of uncertainty.
Culture: This is perhaps the greatest change from bimodal Mode 1. Mode 2 culture focuses on employee needs, and stresses the role that technology can play in boosting employee engagement levels. This emphasis on employees requires the IT organization to foster a continuous dialogue with the employee community to ensure that it has a loud voice in technology investments.
Cycle Times: Mode 2 emphasizes the ability to rapidly exploit business opportunities and react quickly to changing business requirements. This results in an agile and iterative approach to development, faster procurement, a preference for cloud services, and fast and effective support.

Mode 1, of course, still plays a huge role in the digital workplace. Many digital workplace services sit on top of Mode 1 infrastructure, and many projects started under Mode 2 — such as enterprise file sync and share services, enterprise social networks and app stores — will become part of the Mode 1 operating responsibility as they mature.

(Gartner, April 2015)

Friday, August 21, 2015

Building a Hyper-V and Microsoft Based Virtual Environment with Virtual Hosts and Session Hosts

Hello all,

Recently I stood up a "VDI" environment using Microsoft Windows 2012 R2. The environment was not very complex; it featured:

1 Server running as the web host, connection broker, and gateway (a VM).
1 Server running as the virtualization host (a physical box).

Then I wanted to add a Session Host. The Virtualization Host provides a way to host VMs in the VDI environment, allowing you to deploy desktops for users from templates.

The Session Host allows you to deploy applications that are installed on that host as virtual applications. In practice it is like sharing an app in WebEx or an instant messenger: instead of displaying the whole desktop, you get a window that displays just the application.

However, if you click around the Server Manager interface it is not very intuitive how you add a new session host.

My first attempt was:

I built a new VM and installed the session host service on it.  Then I added it to the host I was using to manage the environment.  However I still could not see it as part of the RDS farm.

Then I called Microsoft (because I did not want to mess around with it).  The answer turns out to be that I had to uninstall the role from the new VM and then from my connection broker where I was managing the environment I had to step through the process to install the RDS services again.

What I did was:


  1. Click on Manage from server manager
  2. Select Add Roles and Features
  3. Move past the introduction screen
  4. Select the option to install Remote Desktop Services
  5. Select the standard install option
  6. Now it gets to the Virtualization or Session option. Since I had already installed the virtualization option, that was grayed out, so I picked session.
  7. Then it walked me through picking the hosts again. The connection broker, web host, etc. were all grayed out; I was not able to make a selection until I got to the session host. There I was able to pick my new server and install the role.
  8. It did require a reboot of the new session host, and once that was complete I was able to instantly create a new collection and toss applications out for users to access.

The process is painless but there is little documentation to take you through it.  Hopefully this helps anyone who finds themselves in the same spot I was.
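The same outcome from PowerShell, added as an example and not the author's procedure (which used the Server Manager wizard). Host and collection names are placeholders; run it as a domain admin from a machine with the RemoteDesktop module, such as the connection broker.

```powershell
# Added example: add a second RD Session Host to an existing 2012 R2 deployment
# from the connection broker, then publish one RemoteApp from it.
Import-Module RemoteDesktop

$Broker      = 'broker.corp.example'   # the VM running web host, broker and gateway
$NewSessHost = 'sh02.corp.example'     # freshly built VM with NO RDS role installed
$Collection  = 'Apps'

# Add-RDServer installs the role service on the target and joins it to the
# deployment in one step, which is what the wizard did once the locally
# installed role had been removed first.
Add-RDServer -Server $NewSessHost -Role RDS-RD-SERVER -ConnectionBroker $Broker

# Verify the deployment now lists the host in the session host role.
Get-RDServer -ConnectionBroker $Broker |
    Where-Object { $_.Roles -contains 'RDS-RD-SERVER' } |
    Select-Object Server, Roles

# Create the collection, or add the host to it if it already exists.
$existing = Get-RDSessionCollection -CollectionName $Collection `
                -ConnectionBroker $Broker -ErrorAction SilentlyContinue
if (-not $existing) {
    New-RDSessionCollection -CollectionName $Collection -SessionHost $NewSessHost `
        -ConnectionBroker $Broker
} else {
    Add-RDSessionHost -CollectionName $Collection -SessionHost $NewSessHost `
        -ConnectionBroker $Broker
}

# Publish an application installed on the session host as a RemoteApp.
New-RDRemoteApp -CollectionName $Collection -DisplayName 'Notepad' `
    -FilePath 'C:\Windows\System32\notepad.exe' -ConnectionBroker $Broker
```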

Tuesday, February 24, 2015

New Phishing Scams Hit the US

Two new phishing scams have been making the rounds recently. The first is a group pretending to be the IRS; they leave messages saying that if you do not call back your SSN will be "blacklisted" forever. Check out the story here: http://www.irs.gov/uac/Newsroom/IRS-Warns-of-Pervasive-Telephone-Scam

Scammers are also calling the families of the recently deceased. They scan the obituaries, then contact the family saying they have important documents that cannot be shared with anyone else. The story can be found here: http://www.csoonline.com/article/2885141/malware-cybercrime/scammers-using-obituary-notices-to-acquire-new-victims.html

Thursday, April 10, 2014

Looking for Mr. Right Cloud Storage Provider

I have been checking out the many different web storage services that are out on the Internet today for various different purposes and looking for things that were the “perfect fit”.  The tools that I looked at were:
The important part of the reviews is what I was looking to get from the services; and the scope of my search was a bit “vast”.  Here are the things I was thinking about while looking at the services:
  • I have a ton of MP4/M4V videos and people have been talking about Plex, which is an awesome service that allows you to install some software on your PC or storage device in your home; but I do not want to store the files in my home, I want them in the cloud where I can share them and access them from anywhere without my PC being on.
  • I need a service that stores documents and easily allows me to share them with friends.
  • I was looking at services that work well for a company to eliminate local file servers.
  • I did NOT need a service that backed up my PC(s).
  • I needed a service that would easily upload photos from my phone (which is an iPhone).

So with that in mind, let’s look at our services; because in the end I decided on a couple of services because each of them offers me different functionality that I can use.  I know that sounds like a pain; but sometimes keeping things separated can be good.  I provide an introduction to the later services; but Dropbox and Box are almost household names these days so I do not really introduce them.  For those that do not know these services they are both file storage and sharing services that allow you to upload/sync files and share them with friends and coworkers.

Dropbox:
This service is perfect for the average home user who wants a place to store files they want to “privately” share with friends.  The features of Dropbox are:
  • Free service to get started that grows as you use it and invite friends.  You can quickly get 5-10 GB of space that will keep most people happy.  You can then make the decision to grow beyond that for 10 bucks a month.
  • Dropbox will host videos that are easily viewable from a mobile device using their application.
  • Dropbox will suck the photos AND videos out of your phone.
  • Dropbox allows you to easily share files with friends via an email address (they will have to create or use their Dropbox account).
  • Dropbox will sync files with all of your PCs and any shared files will be synced down to your friend’s PCs.
  • If your friend deletes some of your files, you can easily recover that which is lost.
  • You can upload content from multiple PCs without additional costs.
Some of the downsides of Dropbox:
  • Dropbox, while cool, does not provide any real security around files you share.  If you grant friends access, they have full access to the folders and can add, change, or delete items.
  • Unlike Box.com, everything in your Dropbox account syncs down to your PC.
  • Posting photos to Facebook from Dropbox requires using URLs.
  • Sharing with friends requires you to share an entire folder.
Box.com:
Box has a ton of options and runs the gamut from similar to Dropbox to control around individual files. You can set sharing to allow only specific people to have "view" access and others to have full access. It allows for a lot of safety around your documents while allowing collaboration and sharing.
  • Box is really designed for business.  It is focused on security, has a wide range of offerings, and can meet a lot of needs.  It is one of those services that will allow you to eliminate a file server.
  • Box has a free version that offers a limited amount of storage like Dropbox; but does not grow as you use it without purchasing.
  • File recovery in Box is better than Dropbox, because your file control is better.
  • In the higher level accounts you get collaboration tools like users being able to edit files at the same time so you can collaborate on a document seeing the changes each of you make “in real time”.
  • You can get a Box.com account for 5 dollars for 100 GB per month; but you cannot upgrade a free account to that service.  The upgrade to 100 GB for a personal account costs 10 dollars a month.
  • You can upload content from multiple PCs without additional costs.
  • Sync can be controlled via the web, allowing you to only sync the files and folders you want.
Downsides of Box.com:
  • There are no automatic uploads from mobile devices (although there are some third party apps that support this).
  • Box does not convert videos into playable media on mobile devices, so your files may not be useable from a mobile device if they are not the right format.
  • While more secure, it is tougher to share files than in Dropbox; although the functionality is much stronger so for business this is not a negative, it is more of a negative for individual/home users.

Stream Nation:
Stream Nation is a new service that works a lot like Plex; but everything is in the cloud.  It extends beyond Plex though, it is really a cloud based “Media Center”.  Where you can pull in your photos, videos, and movies that you have stored in your home and can access from devices around the world.  You can also share your files with friends.  Features of Stream Nation:
  • Easy to upload and queues uploads of your photos, videos, and movies.
  • Allows you to add the covers for movies.
  • Sharing with friends and family is easy (but does require a Stream Nation account).
  • Stream Nation is able to pull in photos and videos from services such as Facebook, Flickr, Dropbox, and others.  It can pull in specific folders or all of your photos/videos from those services.
  • The mobile apps allow you to suck photos and videos out of your devices.
  • They have free accounts with limited storage and paid accounts with up to unlimited storage.
  • You can upload content from multiple PCs without additional costs.

Downsides of Stream Nation:
  • Let’s face it, the number one downside of any cloud storage is that it might be gone tomorrow, so if you are uploading all of your media and expect it to be there in the future you might be sorry.  Stream Nation is a new service and I hope they are around for a while because I find it handy; but it could be gone soon.
  • Stream Nation costs about 20 dollars a month for unlimited storage, which is at the high end of cloud providers; but they are offering a service that is currently very unique.
  • If you have a lot of movies, videos, and photos the upload process can take a long time.
  • The Stream Nation uploader is easy to add content into; but you only see the current uploads and cannot really manage the queue. 

My Shoebox:
This application came onto my radar when I was looking for a place to store photos and videos from my phone without cluttering up Stream Nation, where I want to store "family friendly" photos, because it keeps my wife happy when she doesn't have to see photos of some monkey throwing poo. Anyway, My Shoebox is a service like Flickr, Instagram, and other photo sharing services. They offer unlimited storage and provide mobile apps to easily upload photos. Some of my thoughts on them are:
  • They offer unlimited storage for a low cost.
  • They ONLY upload photos, your videos on your phone are out of luck.
  • They have some good photo editing and management tools.
  • Not a lot of people have heard of the service; but they do have free accounts.
  • Their website URL is a bit odd, http://shoeboxapp.com/

Backup Services:
Here is where I get really vague... I was looking at a couple of services for storage of movies and media. The upload process makes this difficult and the mobile applications are weak in a lot of cases. These services are good if you want to back up and restore files from your PC; but otherwise they do not offer much. Looking at the different services, I would look at what you get for the cost. The cheaper the better; but be sure to try out the services (if they do not have a free account or a trial, move on to the next service).

Conclusion
In the end, I came to the realization that no one service would meet my needs; but that I could live with two different services for my personal needs and one for work.

I ended up going with Dropbox for pulling photos out of my phone and sharing files with friends for personal use.  The ability to easily access files via my mobile device (such as funny videos) was really the winning factor in trying to decide between Dropbox and Box.com when looking at these two services.  Dropbox is like Box for individuals who are not concerned about securing down their data at an enterprise level.

However, the initial driver behind my rabid search was looking for a place to store my movies… I have a lot of iPad/iPhone videos.  For that and storing photos I went with Stream Nation.  I am able to upload photos from my phone by going into the application and selecting them, while all of my photos and videos are uploaded into Dropbox, which keeps them safe and secure for me.

Of course, safe and secure is a bit of an amusing statement.  Dropbox, Box, Stream Nation, and so on do not really provide you any long term protection (as individuals).  Many of these companies do not provide any disaster recovery services and offer no promises for your data.  If they are gone tomorrow your data is gone too.

Now, for my work needs Box.com is really the way to go.  The functionality within Box is a lot like a file server in your office with some additional features such as the ability to allow users to share files in a secure environment.  Your users are able to send links and retain the data within your “cloud,” keeping this safer.

With the enterprise agreements you can get a lot more security and "warm fuzzies" around backup and disaster recovery as well when looking at Box.com.