The Tech Guy<br />
A blog from a technical consultant, Douglas P. Smith, about some of the technical challenges he faces with his clients, and the business challenges he faces running his own company.<br /><br />
Security: How To Part 3 (posted 2006-02-22)<br /><br />
Now that we have configured the external and perimeter networks, most people would say they were done. I say we are just getting started. In this article we will look at setting up a VLAN structure at a main site: why we would create VLANs, and how they can be a major part of our security policy.<br /><br />
Before we get into VLANs, let’s take a trip back in time and look at the original networks. We had flat networks covering entire buildings, servers and workstations alike. There were so many nodes within a segment that <a href="http://en.wikipedia.org/wiki/Broadcast_storm">broadcast storms</a> would commonly occur. The need to segment the flat network, to break up the <a href="http://en.wikipedia.org/wiki/Broadcast_domain">broadcast domain</a>, was eventually solved with the creation of Virtual Local Area Networks (VLANs). A router could create them, and each port on a switch could be assigned to a different VLAN. That is a quick high-level overview of the creation of VLANs.<br /><br />
VLANs are created either on a router or on a layer 3 switch. They are trunked to other switches using <a href="http://en.wikipedia.org/wiki/IEEE_802.1q">IEEE 802.1q</a> tagging, and their interfaces are configured like any other layer 3 interface. These days they are commonly configured on a layer 3 core switch. That covers what they are and how they are created.<br /><br />
Now let’s look at why. We briefly touched on one reason: to break up broadcast domains. You would also do it to separate servers from workstations, to group together users who need access to common resources, to separate services like VoIP or teleconferencing, and so on.<br /><br />
Design and implementation can vary from extremely easy to extremely complex; it all depends on your security requirements and your budget. But some common design concepts I try to work with are:<br /><br />
Do not use VLAN 1 for anything. A good hacker will use this common knowledge to attack your switched network. Use another VLAN for management, and use it only for management.<br /><br />
Put all servers with services requiring Internet connectivity in the same VLAN. You could place your Internet connection in this VLAN or give the Internet connection its own VLAN, but segregate the Internet-facing servers from your regular data servers. These would be e-mail, IM, web, databases for web resources, CMS, and proxy servers. This is helpful if a worm does breach your network: you can shut this VLAN down to help stop the spread of infection.<br /><br />
Then, obviously, place production servers that do not require Internet services in their own VLAN.<br /><br />
Group users together by function. What I mean is: if you have employees who access the same resources but don’t need access to other resources, group them together so that we can apply VACLs to increase security. You will find that many departments have the same requirements.<br /><br />
Now that your VLAN policy is well established, you can start planning your VACLs. Do not place them on your server VLANs; place them on your user VLANs. My only suggestion is to carefully plan, test, and document everything. Also, don’t go crazy with them; use the KISS method. You can lock resources down using other methods. <a href="http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/vacl.htm">Cisco</a> has some information for you to look at.
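<br /><br />As an added example (not from the original post), here is how the design above might look on a Catalyst layer 3 switch: a management VLAN that is not VLAN 1, separate Internet-facing and internal server VLANs, one user VLAN grouped by function, and a VACL on that user VLAN only. All VLAN numbers, addresses and server roles are assumptions for illustration.<br />

```cisco
! Added example, not from the original post. Assumed numbering and addressing:
! 99 = management, 10 = Internet-facing servers, 20 = internal production
! servers, 30 = one user group (finance); 10.20.0.53 is the DHCP/DNS server,
! 10.20.0.10 the finance application server, 10.10.0.5 the web proxy.
vlan 10
 name SERVERS-INTERNET
vlan 20
 name SERVERS-INTERNAL
vlan 30
 name USERS-FINANCE
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! VLAN 1 is used for nothing, not even management
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description Management only
 ip address 10.99.0.1 255.255.255.0
interface Vlan10
 description Internet-facing servers: shut this SVI down to contain a worm
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 description Production servers without Internet services
 ip address 10.20.0.1 255.255.255.0
interface Vlan30
 description Finance users
 ip address 10.30.0.1 255.255.255.0
 ip helper-address 10.20.0.53
!
! User ports are explicitly placed in their VLAN; no port is left on VLAN 1
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 spanning-tree portfast
!
! 802.1q trunk to the next switch, with the native VLAN moved off VLAN 1
! and only the VLANs that switch needs allowed across it
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
 switchport mode trunk
!
! VACL on the user VLAN only (never on the server VLANs, as the post says).
! In a VLAN access map the ACL only selects traffic; the action decides.
ip access-list extended FINANCE-ALLOWED
 remark DHCP and DNS have to stay open or nothing else works
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp 10.30.0.0 0.0.0.255 host 10.20.0.53 eq domain
 permit udp host 10.20.0.53 eq domain 10.30.0.0 0.0.0.255
 remark the two servers this department actually needs, both directions
 permit ip 10.30.0.0 0.0.0.255 host 10.20.0.10
 permit ip host 10.20.0.10 10.30.0.0 0.0.0.255
 permit ip 10.30.0.0 0.0.0.255 host 10.10.0.5
 permit ip host 10.10.0.5 10.30.0.0 0.0.0.255
!
vlan access-map FINANCE 10
 match ip address FINANCE-ALLOWED
 action forward
! IP packets matching no entry are dropped by the map's implicit deny;
! non-IP frames such as ARP are unaffected because only IP is matched.
vlan filter FINANCE vlan-list 30
```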
<br /><br />Well it’s been a while! (posted 2006-02-22)<br /><br />
Sorry I haven’t posted in a while; I have been looking for work, either contract or, at this point, W-2. In the last few weeks the IT market has dried up real bad, so I have expanded the distance I am willing to go for work. About two weeks ago I got a call from a recruiter (headhunter) asking me if I would be interested in a full-time position in the city (NYC). So after a few interviews it is looking good. I am waiting for an offer and will see where it leads.<br /><br />
In other news, I finished my recertification of CCNP and CCDP. I have taken one of the two required exams to upgrade to MCSE 2003 as well. I got a call from this national body shop, I mean temporary employment agency, and was asked if I wanted to do a one-week install of Cisco Secure ACS. Sure, why not. Well, after doing the entire meet and greet and starting to get down to the nitty-gritty, this new network setup is not completed. They have not decided what to do about VLANs. So for two days they are asking me what we should do. Answer: group users by function. Meaning, if you have a group of users that need access to Servers A, B, and C but not D, then group them together so you can put VACLs in place to help secure the network. Then they were trying to pump me for information on that as well.<br /><br />
So I install the ACS and machine authentication was working fine, but then they wanted to work with user authentication. I knew this was going to be a headache; I knew there was a reason we did not implement this at the hospital. So after headbanging and attitudes from the client it was figured out.<br /><br />
The client needs to be Windows XP SP2, and they were only at SP1. 
The PEAP settings need to be set, and thanks to Bill Gates and Microsoft there is no easy way to do it for a WIRED 802.1x device. I think Bill and crew need to fix that for SP3. Then, since they want user authentication, you need to tweak Windows. Windows does not send an EAP-Logoff request by default, so you need to go to HKLM\Software\Microsoft\EAPOL\Parameters\General\Global and create a DWORD AuthMode and set it to 1. Then create a second DWORD SupplicantMode and set it to 3. Now, if that was not enough, if you want PEAP Fast Reconnect to work you need to apply post-SP2 hotfix 885453 to fix that issue.<br /><br />
What a job, for only three days’ worth of work. I would have been done sooner if I could have set the whole thing up myself. My biggest issue was I had too much help, but that is a whole other story. So after all that, they will not be deploying it anytime soon, since their systems group will need to figure out when they will go to XP SP2. Until next time, keep computing.<br /><br />
Authentication Methods White Paper (posted 2006-02-22)<br /><br />
This paper is taking me longer than expected; I keep getting sidetracked with other issues that keep popping up. So I have decided to post what I have in sections. I will post what I have now and will post each subsection as I complete it. I figure this way it may take a while, but at least something is being shown.<br /><br />
Security: How to Part 1 (posted 2006-02-22)<br /><br />
One question I get a lot as a consultant is “Is my network secure?” My response is usually, “If you are asking that question, then NO!” So I will spend some time on my blog discussing overall network security.<br /><br />
First of all, a network will never be secure. I don’t care what anyone says; it will never be secure. The reason is that with all the patches, updates, poorly written code, and the end user, there will always be some weak spot on your network. So let’s look at all the different steps that I have done and have suggested to customers for securing their networks. But before rushing out and implementing any of these suggestions, first sit down and plan out the implementation. Will this have any effect on your end users? If so, how? Will it affect their ability to do their job? These are just a few of a slew of questions that you should be asking and answering. With that said, let’s begin.<br /><br />
We shall begin at the perimeter and work our way in. The first thing we should look at is the router. Your router is your first line of defense from the Internet. Most companies are so predictable: they will either buy a basic router and/or do a basic configuration and be done with it. Here is what you should be doing:<br /><br />
Turn off telnet. DO NOT TELNET to your perimeter router. Why, you may ask? Telnet is plain text, and if something on your network is compromised a hacker will be able to capture those packets, including the password. If you need remote access, use SSH if it is supported, and lock it down with an ACL specifying which IP addresses are allowed remote access. If SSH is not supported, use HTTPS (not HTTP); if that is not available either, shut the web server piece off if possible. In a perfect world you would do everything from the console in a secure data center, but in reality use SSH. 
Note: Use a 14-character password with upper-case letters, lower-case letters and numbers.<br /><br />
Next, we will use ACLs for everything. ACLs use a lot of processing power, but since most routers are hooked up to T1s it shouldn’t affect overall performance significantly. What are these ACLs and where do they go, you may ask? On your outside interface you should apply an ACL that does the following:<br /><br />
Deny all RFC private address ranges; this includes 10.0.0.0, 172.16.0.0, 169.254.0.0 and 192.168.0.0.<br /><br />
Deny all incoming traffic with a source address from your internal network. An incoming packet should never have a source address from your internal network.<br /><br />
Deny all IANA reserved, test, multicast and loopback address blocks. If you go here you will see in his template a list of bogons that have been created for an IOS router.<br /><br />
Now we shall place a simple ACL on your internal interface to allow any outgoing traffic from your internal IP range to anything.<br /><br />
If you are using SNMP on your outside router, use an access-list so that SNMP traffic is accepted only from a specific source. Also, do not use the default community string of public, and don’t name it private. This should be treated as a password.<br /><br />
Use an access-list to allow only specific IP addresses for remote administration via SSH or HTTPS. Do not use HTTP or telnet.<br /><br />
You should also create a null interface and add route statements so your bogon list routes to this interface. This is an added level of security: in case a packet for one of those ranges gets into the router from another interface, it will route to nowhere. I will say this for the sake of saying it: DO NOT USE A ROUTING PROTOCOL. Never use routing protocols on your perimeter router. Always use static routes! The only exception is if you are a big company with multiple Internet connections; then you would use BGP or IS-IS.<br /><br />
These are some basics that you can do. 
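<br /><br />The outside-interface ACL, the inside ACL, the null routes and the management lockdown described above, written out as an added Cisco IOS example (not from the original post), together with the global hardening commands the post lists next. Assumed layout: Serial0/0 faces the ISP on 198.51.100.0/30, FastEthernet0/0 faces the firewall, 203.0.113.0/24 is "our" public block and 203.0.113.10 the only admin host (documentation prefixes used as placeholders); real bogon lists change over time and must be kept current.<br />

```cisco
! Added example, not from the original post; addresses and interface names
! are assumptions. SSH also needs a hostname, "ip domain-name" and
! "crypto key generate rsa" on a crypto IOS image before it will come up.
!
! Service hardening from the post (global commands)
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no service finger
no cdp run
no service config
no ip source-route
no ip http server
ip http secure-server
ip http access-class 10
ip ssh version 2
service password-encryption
security passwords min-length 14
username admin privilege 15 secret REPLACE-WITH-14-PLUS-CHARS
!
! Management sources: one admin host only, shared by SSH, HTTPS and SNMP
access-list 10 remark Hosts allowed to manage this router
access-list 10 permit 203.0.113.10
access-list 10 deny   any log
!
! SNMP read-only, non-default community string, restricted to ACL 10
snmp-server community REPLACE-WITH-SECRET RO 10
!
! Inbound on the outside interface: sources that can never legitimately
! arrive from the Internet, including our own block, are dropped and logged
ip access-list extended OUTSIDE-IN
 remark RFC 1918 private and link-local sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 remark loopback, "this network", multicast and reserved (224/3) sources
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 remark spoofed: a packet from the Internet claiming our own addresses
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark the firewall behind the router does the stateful filtering
 permit ip any any
!
! Inbound on the inside interface: only our own range may send outward
ip access-list extended INSIDE-IN
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Internet T1
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip directed-broadcast
 no ip proxy-arp
 no ip mask-reply
 no ip redirects
 no ip unreachables
!
interface FastEthernet0/0
 description Inside, toward the firewall
 ip address 203.0.113.1 255.255.255.0
 ip access-group INSIDE-IN in
 no ip directed-broadcast
 no ip proxy-arp
 no ip mask-reply
!
! Unused interfaces stay shut down
interface FastEthernet0/1
 shutdown
!
! Static routes only: default to the ISP; bogon ranges go to Null0 so a
! packet for them that reaches the router from any interface dies here
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
! Remote administration: SSH only, from the management ACL only
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
 login local
```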
Specifically for Cisco routers you can enter the following commands:<br /><br />
no service tcp-small-servers<br />
no service udp-small-servers<br />
no ip bootp server<br />
no service finger<br />
no snmp-server (only if you are not going to use it)<br />
no cdp run<br />
no service config<br />
no ip source-route<br />
no ip directed-broadcast<br />
no ip mask-reply<br />
no ip proxy-arp<br /><br />
You will also want to shut down all unused interfaces. Another Cisco-centric suggestion would be to upgrade the IOS to include the firewall feature set and configure CBAC for some common protocols. More reading on this can be found from the NSA and from here.<br /><br />
In the next part we shall look at firewalls: the different types, and how to design an implementation.<br /><br />
Hardening the TCP/IP Stack (posted 2006-02-22)<br /><br />
There is an article on Microsoft’s <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod109.asp">website</a> about hardening the TCP/IP stack on Windows Server 2003. From my knowledge of TCP/IP, I find this article indispensable for setting up new servers or hardening existing networks for my clients. Click on the title to go to the article. I suggest reading the article in whole, but below are some excerpts from it.<br />
Set SYN Protection Thresholds<br />
* Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services<br />
* Value name: TcpMaxPortsExhausted<br />
* Recommended value data: 5<br />
* Value name: TcpMaxHalfOpen<br />
* Recommended value data: 500<br />
* Value name: TcpMaxHalfOpenRetried<br />
* Recommended value data: 400<br />
Set Additional Protections<br />
* Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services<br />
* Value name: TcpMaxConnectResponseRetransmissions<br />
* Recommended value data: 2<br />
* Value name: TcpMaxDataRetransmissions<br />
* Recommended value data: 2<br />
* Value name: EnablePMTUDiscovery<br />
* Recommended value data: 0<br />
* Value name: KeepAliveTime<br />
* Recommended value data: 300000<br />
* Value name: NoNameReleaseOnDemand<br />
* Recommended value data: 1<br />
Protect Against ICMP Attacks<br />
* Registry key: HKLM\System\CurrentControlSet\Services\AFD\Parameters<br />
* Value name: EnableICMPRedirect<br />
* Recommended value data: 0<br />
Protect Against SNMP Attacks<br />
* Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters<br />
* Value name: EnableDeadGWDetect<br />
* Recommended value data: 0<br />
AFD.SYS Protections<br />
* Registry key: HKLM\System\CurrentControlSet\Services\AFD\Parameters<br />
* Value name: EnableDynamicBacklog<br />
* Recommended value data: 1<br />
* Value name: 
MinimumDynamicBacklog<br />
* Recommended value data: 20<br />
* Value name: MaximumDynamicBacklog<br />
* Recommended value data: 20000<br />
* Value name: DynamicBacklogGrowthDelta<br />
* Recommended value data: 10<br />
Additional Protections<br />
* Registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters<br />
Protect Screened Network Details<br />
* Value name: DisableIPSourceRouting<br />
* Recommended value data: 1<br />
Avoid Accepting Fragmented Packets<br />
* Value name: EnableFragmentChecking<br />
* Recommended value data: 1<br />
Do Not Forward Packets Destined for Multiple Hosts<br />
* Value name: EnableMulticastForwarding<br />
* Recommended value data: 0<br />
Only Firewalls Forward Packets Between Networks<br />
* Value name: IPEnableRouter<br />
* Recommended value data: 0<br />
Mask Network Topology Details<br />
* Value name: EnableAddrMaskReply<br />
* Recommended value data: 0<br />
You should test all these settings in a test environment before implementing them in production; this cannot be stressed enough. You may find that you need to tweak the settings to best suit your network environment. Also, for additional reading, check out Microsoft KB articles 315669 for Windows 2000 and 324270 for Windows 2003.<br /><br />
New client can't run Windows Updates (posted 2006-02-22)<br /><br />
Derrick, who is a good friend of mine, runs a company named SystemsEng. He uses me as a subcontractor quite a bit. Derrick is currently in the process of signing a new client. He wanted me to go with him to help impress them and get the contract signed quicker. So after the two of us poked around this domain setup, we found several things that needed to be fixed, but none were a quick fix. After discussing with the on-site tech people, we found out that they were unable to get to the Windows Update site to run patches on all XP workstations. I have run into this before at another state agency. So I hop onto this guy's computer and checked to see if he was a local admin. Since he was, we headed out to Microsoft's support site to look for an article. Contrary to popular belief, I can't remember everything. So after some searching I found article Q883821, which defines a workaround for their error: running a command from the command line to reapply the security settings, allowing them to do this. The guy saw that it worked and was ecstatic; he definitely wants us there now.<br /><br />
How to Ghost a RAID 5 Boot partition (posted 2006-02-22)<br /><br />
I have always been of the motto that a good engineer only works 10% of the time and sits around 90% of the time. While I have never been able to achieve this goal, I do strive towards it. I have been able to take a slow day once in a great while. What I am getting at is that, given enough time and imagination, there is ALWAYS a more efficient (easier) way of doing something. You are probably wondering where I am going with this.<br /><br />
Last year I was working a project for the state where I needed to replace 50+ servers, of which 39 needed to be installed and ready for a forklift replacement of the existing 39 servers. Timeframe: 6 weeks. To top it off, here are the details: 13 regions, 3 servers each, namely 1 DC/ISA 2004 server, 1 Exchange server and 1 file/print server.<br /><br />
I know what you are saying: just set up a bunch of servers on a KVM switch and start installing the OS, etc. Well, the staff, knowing of my motto, wanted me to give the two domain administrators who are responsible for the whole state a way to recover in case of catastrophic failure. Specifically, they asked me to come up with this method.<br /><br />
Alright, so let’s go see what Symantec says. Answer: not supported. Well, I have run into that in the past but was able to get away with things. With no help from Symantec I went to Dell to see if I could find a driver for DOS; well, there was none. Now I have a problem.<br /><br />
I remember an article from The Screen Savers (back when it was Leo and Patrick, and fun to watch). I won’t bother with a link because the show, in my opinion, is not any good anymore (except for some of Kevin Rose’s content). 
Now this article discussed a freeware solution named <a href="http://www.nu2.nu/pebuilder/">Bart PE</a>, which allows you to boot to a stripped XP kernel.<br /><br />
I remembered that Dell had an XP driver for the RAID controller; this might work. So I found a forum located on a website named <a href="http://www.911cd.net">911 Rescue CD</a>. After looking around I found some information not only on how to configure the driver for Bart PE, but on how to get the Gigabit NIC to work at a full Gig while using this Pre-install Environment (PE). I added Ghost 8.0 and a couple of other utilities. Next, I created the ISO file and burned it to a bootable CD.<br /><br />
Now I made three different images: 1 DC/ISA server, 1 Exchange server (uninstalled), and 1 file/print server. I used Sysprep to make life even easier. I then booted from the CD we made, and it sees the RAID partition (YAH!!!). So now we ghost it to a network server; it goes real quick running at 1 Gigabit. I then hooked up another server and downloaded the image, again quickly (about 5 minutes). A quick reboot and it worked!<br /><br />
I have now saved myself time to devote to other parts of the project. We also got some good points for achieving our rather ambitious goal, which sometimes is better than billable hours.<br /><br />
Active Directory authentication for Linux Part 3 (posted 2006-02-22)<br /><br />
As promised, here is the rough write-up. If anyone has any questions, let me know.<br /><br />
<strong><font size="4">LDAP with SSL (LDAPS)</font></strong><br />
<font size="2">With normal LDAP authentication there is a major weakness: all information is transmitted between the client and server in clear text. In most secure environments this would not be acceptable. Another issue we can run into is that Active Directory will not let you change your password unless you can do it securely.<br />
To solve these issues we will simply encrypt all LDAP requests using Secure Socket Layer (SSL). This requires an additional prerequisite: a certificate server.<br />
You will need to install at least one Microsoft Enterprise Certificate Server and allow automatic computer enrollment for the domain, or at least for the domain controller. You will also need to confirm that OpenSSL is installed on the Linux workstation.</font><br />
<strong><em><font size="4">Converting the CA certificate</font></em></strong><br />
<font size="2">Now that the lab is set up, we need to get the CA certificate from the server. This can be done by downloading it from the certificate server web page located at http://<em>certificate_server</em>/certsrv/, where <em>certificate_server</em> can be the hostname, FQDN or IP address of the machine. Save it in your home directory on the Linux workstation.<br />
Once you have the certificate you must convert it to the PEM format. This is easily done using the OpenSSL command.</font> 
The command would have the following syntax:<br /><font size="2">openssl x509 inform DER outform PEM in cacert.cer out cacert.pem<br />The output should be the new certificate in PEM format that the Linux workstation will use. This new certificate needsto be placed in the /etc/ssl/certs directory. Make sure that the file permissions are set for everyone to have read access on the certificate.</font><br /><strong><em><font size="4">Edit /etc/ldap.conf</font></em></strong><br /><font size="2">Now that the certificate stuff is done, we now need to edit ldap.conf. We need to add three lines to the file. The first line will be to turn the SSL feature on. The next line is to tell the PAM module where to find the CA certificate that we just converted. The last line tells the client not to request the cert since we have already installed it on the local client. Here is the text that I added to my ldap.conf file.<br />ssl </font>on<br />TLS_CACERT /etc/ssl/certs/adcert.pem<br />TLS_REQCERT never<br /><font size="2">Once I saved this file, I wanted to make sure that I could test this, so I copied my /etc/ldap.conf to /etc/openldap/ldap.conf. This way I am able to use this with my ldap tools.</font><br /><br /><div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
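Here is an added example, not part of the original write-up, that walks the certificate steps above in a lab: a throwaway self-signed CA generated locally stands in for the Microsoft enterprise CA (an assumption, since the real cacert.cer comes from http://certificate_server/certsrv/), the DER-to-PEM conversion and install are done exactly as on the workstation, and a verify step shows what TLS_REQCERT demand checks and TLS_REQCERT never would skip. It needs only the openssl command-line tool; the WORK directory and the file names are lab assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). A local self-signed CA stands
# in for the AD enterprise CA so the steps can be run offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the cacert.cer downloaded from the certsrv page. The real one
# comes from the AD CA; this one is self-signed for the lab. Prints the path
# of the DER (.cer) file it produced.
make_lab_ca_der() {
    cn="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$cn" -keyout "$WORK/$cn.key" -out "$WORK/$cn.pem" \
        >/dev/null 2>&1
    openssl x509 -in "$WORK/$cn.pem" -outform DER -out "$WORK/$cn.cer"
    rm -f "$WORK/$cn.pem"
    printf '%s\n' "$WORK/$cn.cer"
}

# The conversion step from the post. Installs the PEM world-readable but not
# world-writable, and fails if the result does not parse as a certificate.
install_ca_pem() {
    der="$1"; dest="$2"
    openssl x509 -inform DER -in "$der" -outform PEM -out "$dest"
    chmod 0644 "$dest"
    openssl x509 -in "$dest" -noout -subject >/dev/null
}

# What TLS_REQCERT demand buys you: the certificate the domain controller
# presents must chain to the installed CA. Returns 0 if it does, 1 if not.
# With TLS_REQCERT never this check never happens and anything is accepted.
verify_against_ca() {
    ca="$1"; presented="$2"
    openssl verify -CAfile "$ca" "$presented" >/dev/null 2>&1
}

# The three ldap.conf lines from the post, written with demand, not never.
write_ldap_conf() {
    ca="$1"; conf="$2"
    {
        printf 'ssl on\n'
        printf 'TLS_CACERT %s\n' "$ca"
        printf 'TLS_REQCERT demand\n'
    } > "$conf"
}

# Lab run: convert and install the CA, write the config, then show that a
# certificate from the installed CA verifies and one from an impostor CA
# (constructed here) is rejected.
LAB_DER=$(make_lab_ca_der LabCA)
install_ca_pem "$LAB_DER" "$WORK/cacert.pem"
write_ldap_conf "$WORK/cacert.pem" "$WORK/ldap.conf"
ROGUE_DER=$(make_lab_ca_der RogueCA)
install_ca_pem "$ROGUE_DER" "$WORK/rogue.pem"
verify_against_ca "$WORK/cacert.pem" "$WORK/cacert.pem" \
    && echo "LabCA certificate: verified against installed CA"
verify_against_ca "$WORK/cacert.pem" "$WORK/rogue.pem" \
    || echo "RogueCA certificate: rejected, as TLS_REQCERT demand would"
```

Against a real domain controller the same check is <code>openssl s_client -connect dc.example.com:636 -CAfile /etc/ssl/certs/cacert.pem</code>, which should report a verify return code of 0 before you trust an ldapsearch over ldaps:// to mean anything.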
</div>Anonymoushttp://www.blogger.com/profile/06033282231232318995noreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668407535508562006-02-22T23:20:00.003-05:002006-02-22T23:20:07.540-05:00Caching of Universal Groups<br /><br />Here is some information I came across about the caching of universal group membership on domain controllers that are not Global Catalogs. The universal group information is stored in the user's msDS-Cached-Membership attribute and given a timestamp in the msDS-Cached-Membership-Time-Stamp attribute. The user's logon site is placed in the msDS-Site-Affinity attribute. Only the msDS-Site-Affinity value is replicated; the cached membership itself stays on the domain controller that built it.<br /> <br />When a user logs on, if the data stored in msDS-Cached-Membership is older than 7 days it is considered stale and the domain controller consults a Global Catalog. By default the cached information is refreshed every 8 hours, and at most 500 accounts are refreshed in each cycle.<br /> <br />With this being said, if you add a user to a new universal group it could take up to 8 hours (longer if more than 500 accounts are waiting to be refreshed) for the change to show up on the caching domain controllers. Microsoft Knowledge Base article 871159 lists several resolutions and a workaround for this.<br /><br /><div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymoushttp://www.blogger.com/profile/06033282231232318995noreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668402575592272006-02-22T23:20:00.002-05:002006-02-22T23:20:02.580-05:00A vbscript to migrate all those network shares<br /><br />Here is a treat for you. You need to migrate 13 file servers at once, each with a minimum of 60 shares and a maximum of 200+ shares. What are you to do? Manual recreation is definitely out of the question, because you have 13 servers to do it on and only 6 weeks to build them, along with 13 DC/ISA servers and 13 Exchange servers. What to do? Well, the base server is built; now what?<br /><br />Being old school, I know I can do an xcopy to copy the data from one server to another. I know I could script this as well, but I am only given a handful of weeks to set this process up and get servers out the door. Restoring from tape is out of the question, restoring over a T1 would take too long and eventually cause issues with business applications, and the old tape drives and new tape drives are of different makes altogether. So I go with the tried and true method. I set up a batch job to copy the main folders from the old server's D: drive to the new server's E: drive. The command line looks like the following (the /O switch copies NTFS ownership and ACLs along with the files, which is what makes this usable for a file-server migration; it needs an account that is an administrator on both machines, which the d$ and e$ admin shares require anyway):<br /><br />xcopy \\oldserver\d$ \\newserver\e$ /E /V /I /F /O<br /><br />I could use the /C switch here, but I actually wanted it to stop if it hit an error, and show where, so I could verify that all data made it over. This turned out to be a good thing, since domain admins were locked out of a few things (which we fixed). So I would set this batch job to start on a Friday night and wait for it to finish. Once done I would manually inspect that all files were copied. Now came the fun part: writing and testing a script.<br /><br />My script is simple and to the point: attach to the old server, then attach to the new server. 
Once both connections are established, all shares on the old server are enumerated one at a time and, as they are, re-created on the new server with the new drive location. The connections are closed automatically when the script terminates. The script is not the neatest ever written, but it was written quickly and served its purpose. Use it "as-is" or modify it some more. Two things to know before you run it: the WinNT provider's FileShare object exposes the path, the user limit and the description but not the share permissions, so every new share comes up with the default share permissions and you will need to re-apply any custom share-level ACLs afterwards (the NTFS ACLs travel with the data in the xcopy); and the script assumes every old share lived on D:, since it simply swaps the first character of the path. Below is the script I wrote:<br /><br />' Connect to the server service on both machines through the WinNT ADSI provider.<br />' Run this as an account that is an administrator on both servers.<br />Set ShareSrvObj = GetObject("WinNT://oldserver/LANMANSERVER")<br />Set NewShareSrvObj = GetObject("WinNT://newserver/LANMANSERVER")<br />On Error Resume Next<br />For Each ShareObj In ShareSrvObj<br />Set NewShareObj = NewShareSrvObj.Create("FileShare", ShareObj.Name)<br />' Same path as before, but on the new server's E: drive instead of D:<br />NewShareObj.Path = "E" & Right(ShareObj.Path, Len(ShareObj.Path) - 1)<br />NewShareObj.MaxUserCount = ShareObj.MaxUserCount<br />NewShareObj.Description = ShareObj.Description<br />NewShareObj.SetInfo<br />' On Error Resume Next hides failures, so report each one rather than skipping it silently<br />If Err.Number <> 0 Then<br />WScript.Echo "Failed to create share " & ShareObj.Name & ": " & Err.Description<br />Err.Clear<br />End If<br />Set NewShareObj = Nothing<br />Next<br /><br />Happy scripting until next time!!<br /><br /><div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymoushttp://www.blogger.com/profile/06033282231232318995noreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668402551221182006-02-22T23:20:00.001-05:002006-02-22T23:20:02.560-05:00<div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymoushttp://www.blogger.com/profile/06033282231232318995noreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668402100132332006-02-22T23:20:00.000-05:002006-02-22T23:20:02.106-05:00<div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668395865184372006-02-22T23:19:00.028-05:002006-02-22T23:19:55.873-05:00Still working on it!<br /><br />I am still working on the first part, using LDAP authentication with Linux against AD. I will probably post version 1.5 from the whitepaper. I am also stuck on getting LDAP with Kerberos using SASL as well, so I have been trying to balance writing with research. Soon, I promise!<br /><br /><div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymoushttp://www.blogger.com/profile/06033282231232318995noreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668395728851352006-02-22T23:19:00.027-05:002006-02-22T23:19:55.733-05:00Time can fly!<br /><br />Wow, has time flown by, and a lot has happened. I have switched my blog to my own server using WordPress. I have gotten a new contract. I have been extremely busy the last couple of months. You know how it is, everything hits you at once. I have been working on some exciting new stuff involving Linux and Windows 2003 R2: an in-depth look at Kerberos, LDAP, and Samba. I will be filling everyone in shortly, so keep track!<br /><br /><div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668392987945482006-02-22T23:19:00.026-05:002006-02-22T23:19:52.993-05:00<div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668392827377042006-02-22T23:19:00.025-05:002006-02-22T23:19:52.833-05:00<div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
</div>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-11036980.post-1140668388347114652006-02-22T23:19:00.024-05:002006-02-22T23:19:48.356-05:00Security: How To Part 4<br /><br />How do we prevent unauthorized machines and users from getting onto our network? We can keep them away from resources by not allowing them to log on to the domain, but that does not stop them from plugging in a laptop that could be infected with a worm, or from sniffing traffic. So you may be asking how I stop them. There are several methods.<br /><br />The first method is to shut down all unused ports. Depending on the size of your network this can become very overwhelming and tedious, and it does nothing about a live port that a visitor unplugs a desktop from. You could use sticky MACs (port security), where the layer 2 port learns or has hard-coded MAC address(es) and will only work for those particular NICs. This works great for servers in a datacenter, but is unrealistic in the networking closets, and a MAC address is easily spoofed by anyone who can read it off the machine they unplugged.<br /><br />Let's kill two birds with one stone. In the last article I mentioned placing users with common functions in VLANs. What if we could assign the VLAN by user account and/or machine account, and shut the port down if neither is approved? With IEEE 802.1X we can.<br /><br />As a quick high-level overview, here is how it works. An 802.1X-capable switch (the authenticator) is configured to contact a RADIUS server. The RADIUS server can be Microsoft IAS, Cisco Secure ACS, or another third-party RADIUS server. It checks the credentials the client (the supplicant) presents against a central database such as Active Directory and, on success, returns RADIUS attributes (64, 65 and 81) in its Access-Accept that tell the switch which VLAN to put the port in.<br /><br />Now it is a little more complicated than that, and the details depend on which RADIUS server you use. I would look at who you use for your infrastructure and also who you use for wireless; 802.1X is big for enterprise wireless. I am just covering the basics.<br />So, we have a switch and a RADIUS server, now what? 
Well, we need to decide which authentication (EAP) method we will use. Here are the common choices:<br /><br />PEAP <br /><br />EAP-TLS<br /><br />EAP-MD5<br /><br />PEAP is usually my preferred choice, especially when authenticating against Active Directory. The specific variant I use is PEAP with EAP-MSCHAPv2 inside, which is supported in Microsoft® Windows® XP SP1; we will get into specifics in a few minutes. PEAP uses a server certificate from the RADIUS server to establish a TLS tunnel, and the user or machine credentials are only exchanged inside that tunnel. I think this is the easiest deployment since you only need the one server certificate. The clients must trust the CA that issued it, which you can arrange by publishing the CA certificate to the Trusted Root Certification Authorities store via Group Policy. The clients should also be set to validate the server certificate: if they are not, a rogue RADIUS server (or a rogue access point on wireless) can terminate the tunnel itself and collect the MSCHAPv2 exchange.<br /><br />EAP-TLS requires an enterprise certificate server to be installed, with automatic enrollment configured and the CA published to Active Directory. EAP-TLS requires each client to have a certificate, because authentication is done via PKI: the client authenticates the server via its certificate and the server authenticates the client via its certificate. I do like this method, but I personally feel there is a lot of overhead to maintain it. It can, however, be used for non-Windows clients.<br /><br />EAP-MD5 basically uses a password to get on the network. This method is handy for outside consultants who do not want to join their computer to the domain, and for non-Windows clients. Authentication is a challenge/response using an MD5 hash of the password. It is not a recommended method: the exchange is not protected by any tunnel, so anyone sniffing it can run an offline dictionary attack against the response; it does not support mutual authentication, so the client cannot tell a rogue switch from the real one; and it produces no keying material, so it cannot be used for wireless.<br /><br />Since most of the IT world out there uses Windows, we will talk about it. Windows XP supports EAP. SP1 specifically supports PEAP, but not well without some modification. Here is where good planning comes into play. Microsoft at this time does not make deploying IEEE 802.1X on the wired side easy at all. 
You cannot apply EAP settings to computers via GPO. Your choices are to set everything up in advance in your image, or to recruit some desktop resources during a deployment. Next order of business: while Microsoft states that it will work with SP1, I find that SP2 is required to work out a lot of bugs. So this may require testing of user applications to see if SP2 can be deployed, if it is not already. Next, for user authentication to work we need to make some registry changes. This can be done via Group Policy, using a number of methods. The keys are listed in another article where I vented a little bit. And there is a post-SP2 hotfix if you will be using Fast Reconnect, but that is mostly used for wireless. If these steps are taken then machine and user authentication will succeed.<br /><br />If you are assigning a VLAN via RADIUS, then you will need to return the following attributes (the RFC 2868 tunnel attributes) in the Access-Accept:<br /><br /><strong>64</strong> – Tunnel-Type = VLAN (value 13)<br /><br /><strong>65</strong> – Tunnel-Medium-Type = IEEE-802 (value 6)<br /><br /><strong>81 </strong>– Tunnel-Private-Group-ID = VLAN name or VLAN ID (a VLAN name is case sensitive and must match the switch configuration exactly)<br /><br />All three carry a tag byte that should be the same, and the VLAN has to already exist on the switch; on Cisco switches, if it does not, the port simply stays unauthorized.<br /><br />Until next time!<br /><br /><div class="blogger-post-footer"><script type="text/javascript"><!--
//--></script>
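Here is an added example, not part of the original post, that builds the three attributes above exactly as they appear on the wire in an Access-Accept (RFC 2868 format: type, length, tag, value), so you can compare the bytes against a packet capture when a switch ignores the VLAN assignment. The attribute numbers and the values 13 (VLAN) and 6 (IEEE-802) are the standard ones; the VLAN names and the tag value are made-up inputs for the demonstration. It needs only a POSIX shell and od.

```shell
#!/bin/sh
# Added example (not from the original post): RFC 2868 encoding of the
# Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple.
set -eu

# hex_of STRING: hex-encode a string, no spaces or newlines.
hex_of() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# radius_vlan_attrs VLAN [TAG]: the three attributes, concatenated, as hex.
# The tag byte is the first byte of each value; it ties the three together
# and must be identical across them (IAS and ACS normally send 0 or 1).
radius_vlan_attrs() {
    vlan="$1"; tag="${2:-1}"
    # Tunnel-Type: type 64 (0x40), length 6, tag, 3-byte value 13 (VLAN)
    printf '40%02x%02x%06x' 6 "$tag" 13
    # Tunnel-Medium-Type: type 65 (0x41), length 6, tag, 3-byte value 6 (IEEE-802)
    printf '41%02x%02x%06x' 6 "$tag" 6
    # Tunnel-Private-Group-ID: type 81 (0x51), length 3 + strlen, tag, then
    # the VLAN string byte for byte. Nothing normalises case here, which is
    # why a VLAN *name* must match the switch configuration exactly.
    printf '51%02x%02x' $((3 + ${#vlan})) "$tag"
    hex_of "$vlan"
    printf '\n'
}

# Example inputs (constructed): a VLAN by name and a VLAN by ID.
radius_vlan_attrs FINANCE
radius_vlan_attrs 10
```

Reading the output for VLAN 10 back: 40 06 01 00000d is Tunnel-Type, 41 06 01 000006 is Tunnel-Medium-Type, and 51 05 01 3130 is Tunnel-Private-Group-ID carrying the ASCII string "10", not the integer 10, which is why a capture of a working assignment shows the VLAN ID as text.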
</div>Anonymousnoreply@blogger.com0