Passwords: Ending an era…

Passwords: Ending an era…

As I think back to “the old days” in the authentication world, we’ve come a long way; or have we?  In the early 90’s I ran a BBS, who knows what that is?  I required users to connect with a username and password of their choice.  Sounds like what we do today.  While login names and passwords have become increasingly complex the process has not changed.  Tell me, who you are and I will let you in!  This is a great strategy, actually it’s not.  There are millions if not billions of login credentials stolen annually and the majority of data breaches involve stolen credentials.  NY Times reports in August 2014 “Russian Hackers Amass Over a Billion Internet Passwords” and InformationWeek DarkReading reports in April 2014 “Stolen Passwords Used In Most Data Breaches”.  In the technology world we live in today, a username and password by itself is not enough, I repeat, a username and password by itself is not enough.  Have you been or known someone who’s been hacked?  We all do.  Simple steps can reduce the chances drastically for both businesses and personally.

  1. Use multi-factor authentication

    1. What is multi-factor authentication?  Wikipedia says; Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism - typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).

    2. Many sites already offer multi-factor authentication.  Turn this feature on.  If you are a business owner add this to access your business resources.

      1. Banks – usually required

      2. Facebook – optional

      3. Google – optional

      4. Amazon – optional

    3. Reduce the complexity and time between password changes.

      1. Change the password requirements to be less complex and less characters required after adding addition factor to the authentication process.

      2. Reduce the frequency between password changes.  If the policy is currently 90 days perhaps 180 days is now acceptable after adding addition factor to the authentication process.

  2. Close access to resources not secured by multi-factor authentication

    1. Shutdown access from outside your network to resources inside your network which are not secured with multi-factor authentication.

    2. Provide a way to access those resources once inside a resource (virtual desktop, published application, etc) within the boundaries of your network.

That’s great Sean, but how do I accomplish the recommendations you have made?  To start with login to each of the sites you use and see if they offer multi-factor authentication.  Usually this will be something like; send me an email or text before allowing access.  If you are a business look at products like Duo, AuthAnvil, Azure, and others to add this functionally to your infrastructure.  The main idea is to determine what needs to be secured, then you can determine the best multi-factor product to secure it.

In conclusion, while all of these technologies have been in existence for many years the viability is now such all sizes of business should adopt.  The deployment of multi-factor products has simplified and with smartphones end user acceptance and adoption is very high.

Windows 10 KMS Activation against Windows Server 2012 R2 KMS Server

Note: This document assumes the Windows Server 2012 R2 is running the VA Services Role (KMS Server) if it is not install the Role and follow these steps.

Update Windows 2012 R2 to support activating Windows 10

https://support.microsoft.com/en-us/kb/3058168

Call Microsoft Volume Licensing to get Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 Key

Support Center Contact Info
Country:  United States
Email(s): vlserva@microsoft.com
Toll Free Number(s): (866) 230-0560
Hours of Operation: 5 AM – 5 PMPST Mon - Fri
Languages Supported: English and French

  1. Login to VLSC

  2. In VLSC - click License, then Relationship Summary.

  3. Now click the License ID of your current Active license.

  4. Once the page changes, click Product Keys.

  5. Scroll down the list and look for "Windows Srv 2012R2 DataCtr/Std KMS for Windows 10". Use this key.

Add the new key you obtained by calling Microsoft Volume Licensing

  1. Open an elevated command prompt (admin)

    1. slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX (replace with your Windows Srv 2012R2 DataCtr/Std KMS for Windows 10 KMS Key obtained above)

    2. slmgr /ato

    3. slmgr /dlv

    4. Add the Windows 10 KMS Client Key to your clients:

Windows 10 Professional

 

W269N-WFGWX-YVC9B-4J6C9-T83GX

Windows 10 Professional N

 

MH37W-N47XK-V7XM9-C7227-GCQG9

Windows 10 Enterprise

 

NPPR9-FWDCX-D2C8J-H872K-2YT43

Windows 10 Enterprise N

 

DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4

Windows 10 Education

 

NW6C2-QMPVW-D7KKK-3GKT6-VCFB2

Windows 10 Education N

 

2WH4N-8QGBV-H22JP-CT43Q-MDWWJ

Windows 10 Enterprise 2015 LTSB

 

WNMTR-4C88C-JK8YV-HQ7T2-76DF9

Windows 10 Enterprise 2015 LTSB N

 

2F77B-TNFGY-69QQF-B8YKP-D69TJ


Powershell IP Changes Static/DHCP

Recently, a Windows 10 computer I was working on would not allow me to change any network setting from the GUI.  I needed to change to a static IP address from DHCP to do some maintenance.  I also needed to add a secondary IP address.  How did I do this?  The step are below and may come in handy to someone else.

Set IP Address to Static from Powershell

  1. Disable DHCP
    Open PowerShell
    Get-NetAdapter


    (note) review the output from the above command to get the Interface Name
    Get-NetAdapter –Name Ethernet
    Set-NetIPInterface -DHCP Disable

  2. Set IP Address

    New-NetIPAddress -AddressFamily IPv4 –InterfaceAlias “Ethernet” -IPAddress 192.168.1.100 -PrefixLength 24 -Type Unicast -DefaultGateway 192.168.1.1

    (note) -IPAddress 192.168.1.100 change to the IP Address you want to assign

    (note) –PrefixLength is the Mask -24 is 255.255.255.0

    (note) –DefaultGateway 192.168.1.1 change to the gateway for your network
    Set Static DNS Servers

    Primary:               netsh interface ip add dns name="Ethernet" addr=192.168.1.10 index=1
    Secondary:         netsh interface ip add dns name="Ethernet" addr=192.168.1.11 index=2
    Tertiary:               netsh interface ip add dns name="Ethernet" addr=8.8.8.8 index=3

  3. Add Secondary IP Address (If you want to add another IP Address to your interface)
    netsh interface ipv4 add address name=Ethernet 192.168.2.100 mask=255.255.255.0

Set DHCP from Powershell

  1. Enable DHCP

    Get-NetAdapter -Name Ethernet
    Set-NetIPInterface -DHCP Enable
    netsh interface ip set dns name="Ethernet" dhcp