Passwords: Ending an era…

As I think back to “the old days” in the authentication world, we’ve come a long way; or have we?  In the early 90’s I ran a BBS (who knows what that is?) and required users to connect with a username and password of their choice.  That sounds like what we do today.  While login names and passwords have become increasingly complex, the process has not changed: tell me who you are and I will let you in!  This sounds like a great strategy; actually, it’s not.  Millions if not billions of login credentials are stolen annually, and the majority of data breaches involve stolen credentials.  The NY Times reported in August 2014 “Russian Hackers Amass Over a Billion Internet Passwords” and InformationWeek DarkReading reported in April 2014 “Stolen Passwords Used In Most Data Breaches”.  In the technology world we live in today, a username and password by itself is not enough; I repeat, a username and password by itself is not enough.  Have you been hacked, or do you know someone who has?  We all do.  Simple steps can drastically reduce the chances, both for businesses and personally.

  1. Use multi-factor authentication

    1. What is multi-factor authentication?  Wikipedia says: Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

    2. Many sites already offer multi-factor authentication.  Turn this feature on.  If you are a business owner add this to access your business resources.

      1. Banks – usually required

      2. Facebook – optional

      3. Google – optional

      4. Amazon – optional

    3. Reduce password complexity and the frequency of password changes.

      1. Once an additional factor has been added to the authentication process, change the password requirements to be less complex and require fewer characters.

      2. Reduce the frequency of password changes.  If the policy is currently 90 days, perhaps 180 days is now acceptable once an additional factor has been added to the authentication process.

  2. Close access to resources not secured by multi-factor authentication

    1. Shut down access from outside your network to resources inside your network which are not secured with multi-factor authentication.

    2. Provide a way to access those resources once inside a resource (virtual desktop, published application, etc) within the boundaries of your network.

That’s great Sean, but how do I accomplish the recommendations you have made?  To start with, log in to each of the sites you use and see if they offer multi-factor authentication.  Usually this will be something like “send me an email or text before allowing access”.  If you are a business, look at products like Duo, AuthAnvil, Azure, and others to add this functionality to your infrastructure.  The main idea is to determine what needs to be secured; then you can determine the best multi-factor product to secure it.

In conclusion, while all of these technologies have been in existence for many years, they are now viable enough that businesses of all sizes should adopt them.  The deployment of multi-factor products has been simplified, and with smartphones end user acceptance and adoption is very high.

Windows 10 KMS Activation against Windows Server 2012 R2 KMS Server

Note: This document assumes the Windows Server 2012 R2 is running the Volume Activation Services role (KMS Server).  If it is not, install the role and then follow these steps.

Update Windows 2012 R2 to support activating Windows 10

https://support.microsoft.com/en-us/kb/3058168

Call Microsoft Volume Licensing to get Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 Key

Support Center Contact Info
Country:  United States
Email(s): vlserva@microsoft.com
Toll Free Number(s): (866) 230-0560
Hours of Operation: 5 AM – 5 PM PST Mon - Fri
Languages Supported: English and French

  1. Login to VLSC

  2. In VLSC - click License, then Relationship Summary.

  3. Now click the License ID of your current Active license.

  4. Once the page changes, click Product Keys.

  5. Scroll down the list and look for "Windows Srv 2012R2 DataCtr/Std KMS for Windows 10". Use this key.

Add the new key you obtained by calling Microsoft Volume Licensing

  1. Open an elevated command prompt (admin)

    1. slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX (replace with your Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 KMS Key obtained above)

    2. slmgr /ato

    3. slmgr /dlv

    4. Add the Windows 10 KMS Client Key to your clients:

      Windows 10 Professional: W269N-WFGWX-YVC9B-4J6C9-T83GX
      Windows 10 Professional N: MH37W-N47XK-V7XM9-C7227-GCQG9
      Windows 10 Enterprise: NPPR9-FWDCX-D2C8J-H872K-2YT43
      Windows 10 Enterprise N: DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4
      Windows 10 Education: NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
      Windows 10 Education N: 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
      Windows 10 Enterprise 2015 LTSB: WNMTR-4C88C-JK8YV-HQ7T2-76DF9
      Windows 10 Enterprise 2015 LTSB N: 2F77B-TNFGY-69QQF-B8YKP-D69TJ
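The client-side half of the procedure, as an added example that is not part of the original post: it picks the KMS client setup key for the edition the machine is running (from the list above) and runs the same slmgr steps against the KMS host. It assumes an elevated PowerShell on the Windows 10 client, that Win32_OperatingSystem reports the edition as "Microsoft Windows 10 Pro", "Microsoft Windows 10 Enterprise N" and so on (the page's "Professional" is "Pro" in that caption), and that the KMS host is found through DNS; the slmgr /skms line and its host name are a placeholder for environments without that record.

```powershell
# Added example, not part of the original post: apply the matching KMS client
# setup key and activate. Run elevated on the Windows 10 client.
$gvlk = @{
    'Windows 10 Pro'                    = 'W269N-WFGWX-YVC9B-4J6C9-T83GX'
    'Windows 10 Pro N'                  = 'MH37W-N47XK-V7XM9-C7227-GCQG9'
    'Windows 10 Enterprise'             = 'NPPR9-FWDCX-D2C8J-H872K-2YT43'
    'Windows 10 Enterprise N'           = 'DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4'
    'Windows 10 Education'              = 'NW6C2-QMPVW-D7KKK-3GKT6-VCFB2'
    'Windows 10 Education N'            = '2WH4N-8QGBV-H22JP-CT43Q-MDWWJ'
    'Windows 10 Enterprise 2015 LTSB'   = 'WNMTR-4C88C-JK8YV-HQ7T2-76DF9'
    'Windows 10 Enterprise 2015 LTSB N' = '2F77B-TNFGY-69QQF-B8YKP-D69TJ'
}

# Assumption: Win32_OperatingSystem.Caption reads e.g. "Microsoft Windows 10 Enterprise".
# Strip the vendor prefix and match the edition name exactly; a prefix match would
# confuse "Enterprise" with "Enterprise N" or "Enterprise 2015 LTSB".
$caption = (Get-CimInstance Win32_OperatingSystem).Caption.Trim()
$edition = $caption -replace '^Microsoft\s+', ''
$key = $gvlk[$edition]
if (-not $key) { throw "No KMS client key listed for edition '$edition'" }

$slmgr = Join-Path $env:windir 'System32\slmgr.vbs'
& cscript.exe //nologo $slmgr /ipk $key   # install the client setup key
# Only needed when the _vlmcs SRV record is not published in DNS (placeholder host name):
# & cscript.exe //nologo $slmgr /skms kms.example.local:1688
& cscript.exe //nologo $slmgr /ato        # activate against the KMS host
& cscript.exe //nologo $slmgr /dlv        # detailed licence status, to confirm the result
```

Run it once per client (or through a startup script); the /dlv output at the end is the confirmation that the activation was accepted by the KMS host.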


Use Powershell to Disable Computer and User accounts in Active Directory over XXX days

As a consultant for clients, one common problem I come across is IT doing a poor job of managing old objects in Active Directory.  So generally I have to do that cleanup.  Here are some simple PowerShell commands that I find help disable these objects for security reasons.  Once you have disabled them and let the changes soak for a bit, you can easily find the disabled accounts and delete them.


Open PowerShell as an Administrator.

Import the ActiveDirectory module for PowerShell:
Import-Module ActiveDirectory

Set the number of days you want to check for inactivity; in my examples I will use 120 days.
$datecutoff = (Get-Date).AddDays(-120)

To simply list those that have not logged on in the last 120 days (or the number of days defined above):

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

To test the process without executing the actual disable, using the above criteria (-WhatIf only reports what would be changed):

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false -WhatIf

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false -WhatIf

To perform the actual disable using the above criteria:

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false
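The same cleanup with the guard rails a reviewer would want before it runs unattended, as an added example that is not the original post's commands: it skips objects that are already disabled, never touches domain controllers, lets you exclude OUs (the OU distinguished name below is a placeholder), stamps the Description with the date so the later delete pass can find what this sweep disabled, and supports -WhatIf through ShouldProcess. It assumes the ActiveDirectory module and rights to disable objects.

```powershell
# Added example, not the original post's commands. Dry run with -WhatIf first.
function Disable-StaleADAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 120,
        # Placeholder: OUs whose objects must never be disabled by this sweep.
        [string[]]$ExcludeOU = @('OU=Service Accounts,DC=example,DC=local')
    )
    Import-Module ActiveDirectory

    $cutoff = (Get-Date).AddDays(-$Days)
    $stamp  = "Disabled for inactivity on $(Get-Date -Format yyyy-MM-dd)"

    # LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
    # (it can lag a real logon by up to ~14 days), so treat it as a coarse signal.
    # Objects that have NEVER logged on have no value at all and do not match
    # "-lt $cutoff"; catch those separately on whenCreated if you need to.
    # Filtering on Enabled keeps already-disabled objects out of the result, so
    # the Description stamp below is not overwritten on every run.
    $computers = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate
    $users     = Get-ADUser     -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate

    # Domain controllers must never be disabled by a stale-object sweep; drop them explicitly.
    $dcs = (Get-ADDomainController -Filter *).ComputerObjectDN
    $computers = $computers | Where-Object { $_.DistinguishedName -notin $dcs }

    foreach ($obj in @($computers) + @($users)) {
        if ($ExcludeOU | Where-Object { $obj.DistinguishedName -like "*,$_" }) { continue }
        $why = "Disable (last logon $($obj.LastLogonDate))"
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, $why)) {
            Disable-ADAccount -Identity $obj
            # Record when and why in Description so the delete pass can find these later.
            Set-ADObject -Identity $obj -Replace @{ description = $stamp }
        }
    }
}

# Usage: report only, then the real run.
# Disable-StaleADAccount -Days 120 -WhatIf
# Disable-StaleADAccount -Days 120
```

The Enabled filter matters more than it looks: without it, the plain Set-ADUser pipeline re-disables accounts every run, so any marker you wrote on the first pass (date, ticket number) is lost, and a later "delete everything disabled more than 30 days ago" pass has nothing reliable to key on.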


I hope anyone who finds this article finds it as useful as the commands have been for me.


Disconnected Network Drive with Red X on Server 2012 R2 RDS using DFS Namespace

Came across an issue where drive mappings from the DFS Namespace would show up correctly for the first user that logs in.  For each additional user, the drive mappings would show as "Disconnected Network Drive" with a Red X.  In the logs the error was logged as: Group Policy object did not apply because it failed with error code '0x80070055 The local device name is already in use.'

OS: 2012 R2, fully patched as of 6/30/2015
RDS and Citrix XenApp 7.6
UAC is disabled, not by GPO but by pulling the slider to the lowest level
DFS Namespace used for all drive mapping profiles
Drives mapped through GPO Preferences

Symptom:
2 of the 6 drives mapped using the namespace will only show as connected for the 1st user to log in; after that the other users get "Disconnected Network Drive" with a Red X.  You can double-click and gain access to the drive but it continues to be shown as disconnected.

Attempts to resolve:
Changed mappings to login script instead of GPO...no change
Changed different settings on the drive mappings in GPO...no change
Many other solutions tested, not worth mentioning...no change

Our Solution:
Created a Computer Based GPO and in Preferences - Registry deleted the following registry key: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections

This solved the issue!

Powershell IP Changes Static/DHCP

Recently, a Windows 10 computer I was working on would not allow me to change any network setting from the GUI.  I needed to change from DHCP to a static IP address to do some maintenance.  I also needed to add a secondary IP address.  How did I do this?  The steps are below and may come in handy to someone else.

Set IP Address to Static from Powershell

  1. Disable DHCP
    Open PowerShell
    Get-NetAdapter

    (note) review the output from the above command to get the Interface Name (Ethernet in the examples below)
    Get-NetAdapter -Name Ethernet | Set-NetIPInterface -Dhcp Disabled
    (note) piping the adapter in scopes the change to that one interface; Set-NetIPInterface with no interface specified changes every interface on the machine

  2. Set IP Address

    New-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet" -IPAddress 192.168.1.100 -PrefixLength 24 -Type Unicast -DefaultGateway 192.168.1.1

    (note) -IPAddress 192.168.1.100: change to the IP Address you want to assign

    (note) -PrefixLength is the subnet mask; 24 is 255.255.255.0

    (note) -DefaultGateway 192.168.1.1: change to the gateway for your network
    Set Static DNS Servers

    Primary:    netsh interface ip add dns name="Ethernet" addr=192.168.1.10 index=1
    Secondary:  netsh interface ip add dns name="Ethernet" addr=192.168.1.11 index=2
    Tertiary:   netsh interface ip add dns name="Ethernet" addr=8.8.8.8 index=3

  3. Add Secondary IP Address (If you want to add another IP Address to your interface)
    netsh interface ipv4 add address name=Ethernet 192.168.2.100 mask=255.255.255.0

Set DHCP from Powershell

  1. Enable DHCP

    Get-NetAdapter -Name Ethernet | Set-NetIPInterface -Dhcp Enabled
    netsh interface ip set dns name="Ethernet" dhcp
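The same two changes done entirely with the NetTCPIP and DnsClient cmdlets, as an added example that is not part of the original post: the DHCP change is scoped to one interface (a Set-NetIPInterface call with no interface specified applies to every interface), the old address and default route are cleared first, because New-NetIPAddress fails with "Instance DefaultGateway already exists" when a gateway is already configured, and DNS is set with Set-DnsClientServerAddress instead of netsh. The alias, addresses and DNS servers are placeholders.

```powershell
# Added example, not the original post's commands. Run elevated.
function Set-StaticIPv4 {
    param(
        [string]$Alias = 'Ethernet',
        [string]$IPAddress = '192.168.1.100',
        [int]$PrefixLength = 24,
        [string]$Gateway = '192.168.1.1',
        [string[]]$Dns = @('192.168.1.10', '192.168.1.11')
    )
    # Only this interface, not every adapter on the box.
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled

    # Clear any existing IPv4 address and default route on the interface first;
    # otherwise New-NetIPAddress -DefaultGateway fails because a route already exists.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    New-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Dns
}

function Add-SecondaryIPv4 {
    param([string]$Alias = 'Ethernet', [string]$IPAddress = '192.168.2.100', [int]$PrefixLength = 24)
    # A second address on the same interface; no gateway, so it does not touch routing.
    New-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -IPAddress $IPAddress -PrefixLength $PrefixLength | Out-Null
}

function Set-DhcpIPv4 {
    param([string]$Alias = 'Ethernet')
    # Drop the static address(es) and gateway, then hand the interface back to DHCP.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
}

# Usage:
# Set-StaticIPv4 -Alias 'Ethernet' -IPAddress 192.168.1.100 -PrefixLength 24 -Gateway 192.168.1.1 -Dns 192.168.1.10,192.168.1.11
# Add-SecondaryIPv4 -Alias 'Ethernet' -IPAddress 192.168.2.100
# Set-DhcpIPv4 -Alias 'Ethernet'
```

Because Set-StaticIPv4 removes the current address before adding the new one, run it from the console (or an out-of-band session), not over RDP or a remoting session on the interface being changed, or the session drops halfway through.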

CryptoWall and its Wreaking Havoc Impacts!

Emerging next-generation threats are everywhere in this digital age.  In the late 90’s we were protecting our systems against unwanted access, and that’s still the case today.  It’s a never-ending battle that has security professionals fighting “the BAD guys”, and “the BAD guys” are always 3 steps ahead.  While complexity continues to rise at all levels of technology, so does the knowledge required to run these systems.  The landscape changes every few minutes, so security professionals can never fully catch up.

Enter the world of Ransomware: let’s make all your data unusable, and if you want to use it again, PAY ME!  With good backups this is an inconvenience and a disruption.  Without good backups, welcome to a nightmare.  There are numerous horror stories and likely some “Out of Business” signs as a result of Ransomware incidents like CryptoWall infections.  If you have not been impacted by an infection like this, you most likely know someone who has.

What is CryptoWall?

CryptoWall is a Trojan (ransomware) that encrypts files and requires a ransom to decrypt the files it has encrypted.  The virus was introduced in April of last year and continues to be updated.  CryptoWall 3.0 is the latest version at the time of this article.  It targets all versions of Windows.  CryptoWall generally arrives via emails with attachments or links; the attachments are usually ZIP files that contain “PDF” files which are actually executables.  These files will commonly be presented as invoices, bills, complaints, PO’s, or some other type of business-related communication.

How do I become infected with CryptoWall?

The typical ways to become infected are through an email message or through an infected website.  The email message contains a link or an attachment, and infection requires clicking the link or opening the attachment.  A malicious website will exploit outdated browser add-ins (Adobe Flash, Java, etc.) to infect the system.
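A triage check for the email delivery vector described in the two sections above, as an added example that is not part of the original post: it expands a captured ZIP attachment into a scratch folder and flags any entry that starts with the PE "MZ" magic bytes (an executable no matter what it is named) or that carries a double extension such as invoice.pdf.exe. It assumes PowerShell 5 or later for Expand-Archive/Compress-Archive; the sample archive built by New-SampleAttachment is constructed here for the demonstration and contains no real malware.

```powershell
# Added example, not part of the original post. Run on an isolated analysis host,
# not on user workstations: extraction does not execute anything, but the
# expanded files exist on disk until the cleanup in the finally block.
function Test-SuspiciousAttachment {
    param([Parameter(Mandatory)][string]$ZipPath)
    $work = Join-Path $env:TEMP ('attach-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $work | Out-Null
    try {
        Expand-Archive -LiteralPath $ZipPath -DestinationPath $work -Force
        foreach ($f in Get-ChildItem -LiteralPath $work -Recurse -File) {
            $reasons = @()
            # Read only the first two bytes; 0x4D 0x5A ("MZ") is the DOS/PE header.
            $fs = [System.IO.File]::OpenRead($f.FullName)
            try {
                $buf = New-Object byte[] 2
                $n = $fs.Read($buf, 0, 2)
            } finally { $fs.Dispose() }
            if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                $reasons += "PE executable header (extension '$($f.Extension)')"
            }
            # invoice.pdf.exe, statement.doc.scr and similar: the "document"
            # extension is bait; the real type is the last one.
            if ($f.Name -match '\.(pdf|doc|docx|xls|xlsx|txt)\.[a-z0-9]{2,4}$') {
                $reasons += 'double extension'
            }
            if ($reasons) {
                [pscustomobject]@{ Archive = $ZipPath; Entry = $f.Name; Reasons = ($reasons -join '; ') }
            }
        }
    } finally {
        Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Constructed sample: a zip holding a fake PE named like a PDF plus a harmless text file.
function New-SampleAttachment {
    $src = Join-Path $env:TEMP ('sample-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $src | Out-Null
    # Just the MZ magic and two padding bytes; not a runnable program.
    [System.IO.File]::WriteAllBytes((Join-Path $src 'Invoice_4471.pdf.exe'), [byte[]](0x4D, 0x5A, 0x90, 0x00))
    Set-Content -LiteralPath (Join-Path $src 'README.txt') -Value 'plain text'
    $zip = "$src.zip"
    Compress-Archive -Path (Join-Path $src '*') -DestinationPath $zip
    Remove-Item -LiteralPath $src -Recurse -Force
    return $zip
}

$sample = New-SampleAttachment
Test-SuspiciousAttachment -ZipPath $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample -Force
```

The header check is the one that matters: renaming the file does not change its first two bytes, so a ".pdf" with an MZ header is an executable regardless of the icon the mail client shows. The double-extension match is cheaper and catches the common naming pattern even when the payload is a script rather than a PE.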

How can I protect against CryptoWall?

There are a number of preventive measures that can be employed.  There is no way to prevent an infection entirely, short of disconnecting from the internet permanently, but you can reduce the risk by: training end users; implementing safe internet surfing practices; leveraging your gateway firewall security appliance (SonicWALL, FortiNET, etc.); keeping antivirus updated on all devices; deploying a malware scanner and keeping it updated on all devices; using DNS filtering services (OpenDNS, Dyn, etc.); and deploying software restriction policies on all end user desktops, including Terminal Servers and Citrix Servers.

What are the impacts of these methods of protection?

As mitigations are deployed to reduce the risk there is almost always an impact to end users.  These impacts can be reduced performance, additional steps to do a task, or the inability to perform a task.  When deploying a mitigation it’s important to communicate with end users so they are aware of the potential impacts and what steps they should take when they are impacted. 

Examples of Impacts and Remediation

Implementing Stricter Anti-Virus Protection
Problem: User(s) are not able to launch a program, or a program is slow.
Solution: Add exclusions to the antivirus program to allow the program and/or not scan it

Deploying stricter Firewall Security Rules (Content Filtering, Application Controls, Gateway AntiVirus, etc)
Problem: User(s) are not able to access a business website or public cloud application
Solution: Add a whitelist entry or exception to the firewall

Deploying Software Restrictions Policy Group Policy
Problem: User is not able to launch an application and is alerted “Your system administration has blocked this program. For more information, contact your system administrator”
Solution: If this is a valid application the systems administrator will add the program to allow it to run

Implementing DNS Threat Protection and Controls
Problem: User is not able to access business website or cloud based application “Site has been blocked” or “Page cannot be displayed in browser”
Solution: Add the site to the whitelist on the DNS Controls Software, Site, or System

Additional Information on CryptoWall

Source: http://www.techrepublic.com/article/cryptowall-what-it-is-and-how-to-protect-your-systems/
Source: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
Source: http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99
Source: http://news.techworld.com/security/3582363/disaster-as-cryptowall-encrypts-us-firms-entire-server-installation/
Source: http://www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html
Source: http://blogs.cisco.com/security/talos/cryptowall-3-0

VMware Horizon 6 with View: Performance Testing and Best Practices

Great article from VMware on Horizon 6 with View.  

http://blogs.vmware.com/euc/2015/04/vmware-horizon-6-view-performance-best-practices-testing.html

Very happy with the progress and performance VMware Horizon View 6 delivers; architect it properly and it is a super platform to deliver the end user experience...

While there are many technology challenges with a Virtual Desktop Infrastructure (VDI) deployment, getting the required resources correct is the ONE challenge that will determine success or failure.  The most common mistake I find is related to storage; simply put, it's the hardest to get right and the most expensive to fix.  If you are involved in a VDI project it's paramount to get storage correct.  Look at complete SSD solutions like Cybernetics iSAN and stay away from Hybrid SANs.

Sean