Passwords:
Ending an era…
As I think back to “the old days” in the authentication world, we’ve come a long way; or have we?

In the early 90s I ran a BBS (who knows what that is?). I required users to connect with a username and password of their choice. Sounds like what we do today. While login names and passwords have become increasingly complex, the process has not changed: tell me who you are and I will let you in! This is a great strategy. Actually, it’s not. There are millions if not billions of login credentials stolen annually, and the majority of data breaches involve stolen credentials. The NY Times reported in August 2014, “Russian Hackers Amass Over a Billion Internet Passwords”, and InformationWeek DarkReading reported in April 2014, “Stolen Passwords Used In Most Data Breaches”.

In the technology world we live in today, a username and password by itself is not enough. I repeat: a username and password by itself is not enough. Have you been hacked, or do you know someone who has been? We all do. Simple steps can drastically reduce the chances, both for businesses and personally.

Use multi-factor authentication

What is multi-factor authentication? Wikipedia says: “Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).”

Many sites already offer multi-factor authentication. Turn this feature on. If you are a business owner, add this to access your business resources.
Banks – usually required
Facebook – optional
Google – optional
Amazon – optional

Reduce password complexity and the frequency of password changes

Change the password requirements to be less complex, with fewer characters required, after adding an additional factor to the authentication process.
Reduce the frequency of password changes. If the policy is currently 90 days, perhaps 180 days is now acceptable after adding an additional factor to the authentication process.

Close access to resources not secured by multi-factor authentication

Shut down access from outside your network to resources inside your network which are not secured with multi-factor authentication.
Provide a way to reach those resources from a resource (virtual desktop, published application, etc.) that sits within the boundaries of your network.

That’s great Sean, but how do I accomplish the recommendations you have made? To start with, log in to each of the sites you use and see if they offer multi-factor authentication. Usually this will be something like “send me an email or text before allowing access”. If you are a business, look at products like Duo, AuthAnvil, Azure, and others to add this functionality to your infrastructure. The main idea is to determine what needs to be secured; then you can determine the best multi-factor product to secure it.

In conclusion, while all of these technologies have been in existence for many years, they are now viable enough that businesses of all sizes should adopt them. Deploying multi-factor products has become simpler, and with smartphones, end user acceptance and adoption is very high.

Note: This document assumes the Windows Server 2012 R2 machine is running the VA (Volume Activation) Services role (KMS server). If it is not, install the role and then follow these steps.

Update Windows 2012 R2 to support activating Windows 10
https://support.microsoft.com/en-us/kb/3058168

Call Microsoft Volume Licensing to get the "Windows Srv 2012R2 DataCtr/Std KMS for Windows 10" key

Support Center Contact Info
Country: United States
Email(s): vlserva@microsoft.com
Toll Free Number(s): (866) 230-0560
Hours of Operation: 5 AM – 5 PM PST, Mon - Fri
Languages Supported: English and French

Log in to VLSC.
In VLSC, click License, then Relationship Summary.
Now click the License ID of your current Active license.
Once the page changes, click Product Keys.
Scroll down the list and look for "Windows Srv 2012R2 DataCtr/Std KMS for Windows 10". Use this key.

Add the new key you obtained by calling Microsoft Volume Licensing

Open an elevated command prompt (admin)

    slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

(replace with your Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 KMS Key obtained above)

    slmgr /ato

    slmgr /dlv

Add the Windows 10 KMS Client Key to your clients:

Edition | KMS Client Key
Windows 10 Professional | W269N-WFGWX-YVC9B-4J6C9-T83GX
Windows 10 Professional N | MH37W-N47XK-V7XM9-C7227-GCQG9
Windows 10 Enterprise | NPPR9-FWDCX-D2C8J-H872K-2YT43
Windows 10 Enterprise N | DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4
Windows 10 Education | NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
Windows 10 Education N | 2WH4N-8QGBV-H22JP-CT43Q-MDWWJ
Windows 10 Enterprise 2015 LTSB | WNMTR-4C88C-JK8YV-HQ7T2-76DF9
Windows 10 Enterprise 2015 LTSB N | 2F77B-TNFGY-69QQF-B8YKP-D69TJ
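
A scriptable check of the result of the steps above, as an added example that is not part of the original post: it reports the license state that slmgr /dlv displays, plus which KMS host the machine is configured for or has discovered, so a client pointing at an unexpected host stands out. The function name and the -Domain parameter (defaulting to the logged-on user's DNS domain) are assumptions.

```powershell
# Added example, not from the original post. Get-KmsActivationSummary is a
# hypothetical name; -Domain is assumed to be the AD DNS domain in which the
# KMS host publishes its _vlmcs._tcp SRV record.
function Get-KmsActivationSummary {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # LicenseStatus values of the SoftwareLicensingProduct WMI class.
    $statusText = @{
        0 = 'Unlicensed';      1 = 'Licensed';     2 = 'OOBGrace'
        3 = 'OOTGrace';        4 = 'NonGenuineGrace'
        5 = 'Notification';    6 = 'ExtendedGrace'
    }

    $svc      = Get-CimInstance -ClassName SoftwareLicensingService
    $products = Get-CimInstance -ClassName SoftwareLicensingProduct `
                    -Filter 'PartialProductKey IS NOT NULL'

    # KMS hosts advertised in DNS; empty if no domain or no record is found.
    $srv = @()
    if ($Domain) {
        $srv = @(Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' } |
                 ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    }

    foreach ($p in $products) {
        [pscustomobject]@{
            Product           = $p.Name
            Channel           = $p.Description
            KeySuffix         = $p.PartialProductKey   # last 5 characters only
            Status            = $statusText[[int]$p.LicenseStatus]
            GraceMinutes      = $p.GracePeriodRemaining
            ConfiguredKmsHost = $svc.KeyManagementServiceMachine
            DiscoveredKmsHost = $svc.DiscoveredKeyManagementServiceMachineName
            KmsSrvRecords     = $srv -join ', '
        }
    }
}

Get-KmsActivationSummary | Format-List
```

On a correctly activated client, Status reads Licensed and DiscoveredKmsHost (or ConfiguredKmsHost) names your KMS server.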

Recently, a Windows 10 computer I was working on would not allow me to change any network setting from the GUI. I needed to change to a static IP address from DHCP to do some maintenance. I also needed to add a secondary IP address. How did I do this? The steps are below and may come in handy to someone else.

Set IP Address to Static from PowerShell

Disable DHCP
Open PowerShell

    Get-NetAdapter

(note) review the output from the above command to get the Interface Name

    Get-NetAdapter -Name Ethernet | Set-NetIPInterface -Dhcp Disabled

Set IP Address

    New-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet" -IPAddress 192.168.1.100 -PrefixLength 24 -Type Unicast -DefaultGateway 192.168.1.1

(note) -IPAddress 192.168.1.100: change to the IP address you want to assign
(note) -PrefixLength is the mask; 24 is 255.255.255.0
(note) -DefaultGateway 192.168.1.1: change to the gateway for your network

Set Static DNS Servers

Primary:
    netsh interface ip add dns name="Ethernet" addr=192.168.1.10 index=1
Secondary:
    netsh interface ip add dns name="Ethernet" addr=192.168.1.11 index=2
Tertiary:
    netsh interface ip add dns name="Ethernet" addr=8.8.8.8 index=3

Add Secondary IP Address (if you want to add another IP address to your interface)

    netsh interface ipv4 add address name="Ethernet" address=192.168.2.100 mask=255.255.255.0
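
The static-address steps above combined into one re-runnable function, as an added example that is not part of the original post. It clears any existing IPv4 address and default route first, because New-NetIPAddress fails when the address or gateway is already present, and it uses Set-DnsClientServerAddress and -SkipAsSource in place of the netsh commands. The function name and parameter names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Set-StaticIPv4 is a hypothetical
# name. Run it from the console: changing the address over a remote session
# will drop that session.
function Set-StaticIPv4 {
    param(
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][int]$PrefixLength,
        [Parameter(Mandatory)][string]$Gateway,
        [Parameter(Mandatory)][string[]]$DnsServers,
        [string]$SecondaryIP,
        [int]$SecondaryPrefixLength = 24
    )

    # Stop before touching anything if the interface name is wrong.
    $null = Get-NetAdapter -Name $Alias -ErrorAction Stop

    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled

    # Remove leftovers (old DHCP lease, earlier static config, default route)
    # so the function can be run again without "already exists" errors.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue | Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' `
        -ErrorAction SilentlyContinue | Remove-NetRoute -Confirm:$false

    $null = New-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 `
        -IPAddress $IPAddress -PrefixLength $PrefixLength `
        -DefaultGateway $Gateway -ErrorAction Stop

    if ($SecondaryIP) {
        # SkipAsSource keeps outbound traffic on the primary address.
        $null = New-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 `
            -IPAddress $SecondaryIP -PrefixLength $SecondaryPrefixLength `
            -SkipAsSource $true -ErrorAction Stop
    }

    # The order of the list is the DNS server preference order.
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $DnsServers

    # Return the resulting configuration for review.
    Get-NetIPConfiguration -InterfaceAlias $Alias
}

Set-StaticIPv4 -Alias 'Ethernet' -IPAddress 192.168.1.100 -PrefixLength 24 `
    -Gateway 192.168.1.1 -DnsServers 192.168.1.10, 192.168.1.11, 8.8.8.8 `
    -SecondaryIP 192.168.2.100
```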

Set DHCP from PowerShell

Enable DHCP

    Get-NetAdapter -Name Ethernet | Set-NetIPInterface -Dhcp Enabled
    netsh interface ip set dns name="Ethernet" source=dhcp