Offloaded Data Transfers – ODX
As we are seeing more and more Windows Server 2012 based clouds and services, I wanted to alert you to a technology that is becoming available in more and more backend storage systems (and in Windows Server 2012): ODX, Offloaded Data Transfer. Instead of the host reading and writing every block of a large copy (a VHD copy or a file move between LUNs), the array moves the data itself and the host only exchanges tokens with it.
If you are implementing Hyper-V, file services or any other Windows Server 2012 role with a backend SAN (iSCSI, Fibre Channel, SMB 3.0), check out:
ODX: what is it? Does my Windows Server 2012 host (Hyper-V, file server, etc.) support it? Is it enabled? Can I disable it for testing? What does it need? The TechNet overview covers these questions:
http://technet.microsoft.com/en-us/library/jj200627.aspx
The MS document on the hardware developer side:
http://msdn.microsoft.com/en-us/library/windows/hardware/hh833784.aspx
NOTE: Always check with your storage vendor for ODX compatibility; the storage array might require a firmware update.
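To answer the "is it enabled, can I disable it for a test" questions on the host itself, here is an added PowerShell example (not from the original post or from Microsoft's documents) that follows the checks described in the TechNet overview linked above. It assumes an elevated PowerShell session on the Windows Server 2012 host; it reads and writes the host's registry only and never touches the storage array.

```powershell
# Added example, not from the original post or Microsoft's documents. Run elevated on the
# Windows Server 2012 host (Hyper-V, file server, ...). Nothing here touches the storage array.

$FsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ValueName = 'FilterSupportedFeaturesMode'   # 0 = ODX enabled (the default), 1 = ODX disabled

function Get-OdxState {
    # An absent value means the default, which is enabled.
    $v = (Get-ItemProperty -Path $FsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $v -or $v -eq 0) { 'Enabled' } else { 'Disabled' }
}

function Set-OdxState {
    # 'Disabled' takes ODX out of the picture while you reproduce a copy problem;
    # 'Enabled' puts it back. Re-run the copy test after each switch.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $value = if ($State -eq 'Enabled') { 0 } else { 1 }
    Set-ItemProperty -Path $FsKey -Name $ValueName -Value $value -Type DWord
}

function Get-FilterDriverOdxSupport {
    # ODX is only used when every file system filter driver on the path opts in. As the
    # TechNet overview describes, a filter declares that with a SupportedFeatures value under
    # its service key (bit 1 = offload read, bit 2 = offload write). A filter without it
    # (an older AV or backup filter, for example) makes Windows fall back to normal copies.
    $lines = fltmc filters | Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-+)' }
    foreach ($line in $lines) {
        $name = ($line -split '\s+')[0]
        $svc  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $feat = (Get-ItemProperty -Path $svc -Name SupportedFeatures -ErrorAction SilentlyContinue).SupportedFeatures
        [pscustomobject]@{
            Filter            = $name
            SupportedFeatures = $feat
            OdxCapable        = ($null -ne $feat) -and (($feat -band 3) -eq 3)
        }
    }
}

"ODX on this host: $(Get-OdxState)"
Get-FilterDriverOdxSupport | Format-Table -AutoSize
# Typical test sequence for a suspect copy:
#   Set-OdxState -State Disabled ; <repeat the copy> ; Set-OdxState -State Enabled
```

If the host reports "Enabled" and all filters are ODX capable but copies are still slow, the remaining suspects are the array firmware and the path (the vendor note above), not the host.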
Mitigating attacks on your Active Directory network
Posted by RZomerman in . All Posts, Active Directory, Other on December 13th, 2012
Microsoft released a new whitepaper this week that gives insight into why you should protect your privileged accounts. One of the techniques described is the Pass-the-Hash attack: sophisticated in concept, but fairly easy to execute once an attacker has local administrator rights on a machine where a privileged account has logged on, because the account's NTLM hash can then be lifted from memory and reused without ever knowing the password. These attacks have been seen in the field and are being used today.
If you work with Active Directory and do not have very strict control over administrative groups, read it, shiver, and protect your environment to the maximum extent if you think your company's assets are worth protecting.
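"Strict control over administrative groups" starts with knowing who is in them. The following PowerShell is an added example (not from the whitepaper or from this post) that lists every account that is, directly or through nesting, in the built-in privileged groups, and every account that still carries adminCount=1 after leaving them. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the group list is an assumption and should be extended with your own delegated admin groups.

```powershell
# Added example, not from the whitepaper or the post. Reports privileged group membership
# (recursively) and orphaned adminCount=1 accounts. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Groups whose members can take over the domain or read its secrets (assumed list; extend it).
$PrivilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

function Get-PrivilegedAccountReport {
    foreach ($g in $PrivilegedGroups) {
        # Enterprise Admins and Schema Admins only exist in the forest root domain
        $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
                [pscustomobject]@{
                    Group           = $g
                    Account         = $u.SamAccountName
                    Enabled         = $u.Enabled
                    LastLogon       = $u.LastLogonDate
                    PasswordLastSet = $u.PasswordLastSet
                }
            }
    }
}

function Get-OrphanedAdminCountUsers {
    # adminCount=1 is never cleared when an account leaves a protected group; such accounts
    # keep the AdminSDHolder ACL and are a sign that membership has not been tidied up.
    $current = @(Get-PrivilegedAccountReport | Select-Object -ExpandProperty Account | Sort-Object -Unique)
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $current -notcontains $_.SamAccountName }
}

$report = @(Get-PrivilegedAccountReport)
$report | Sort-Object Account, Group | Format-Table -AutoSize
"Distinct privileged accounts: $(@($report | Select-Object -ExpandProperty Account | Sort-Object -Unique).Count)"
"Accounts with adminCount=1 that are in none of the groups above:"
Get-OrphanedAdminCountUsers | Format-Table SamAccountName, DistinguishedName -AutoSize
```

Run it on a schedule and diff the output: every account that appears between two runs is a change somebody should be able to explain. Stale entries (disabled, or no logon in months) are the ones whose hash may still be cached on some machine.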
Back to the future…
Posted by RZomerman in Active Directory on November 25th, 2012
Did your AD jump back to the year 2000 during the past weekend? This could have happened if you sync your time with USNO.NAVY.MIL, as they apparently had a disruption on the 19th (of November). See
http://tycho.usno.navy.mil/ntp.html
But if time did jump back on your AD, you're in trouble, and the way out? Get a cup of coffee, do NOT reboot anything yet, and read the extensive blog post.
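Once the mess is cleaned up, the next step is making sure one bad upstream sample cannot be applied to the whole domain again. The following PowerShell is an added example (not from the post or the USNO page): it shows where the domain controller takes its time from, compares it read-only against the candidate peers, and then caps the correction the Windows Time service will accept. It is meant to run elevated on the PDC emulator, which is the only DC that should sync externally; the peer names and the 48-hour limit are assumptions to be set per your own policy.

```powershell
# Added example, not from the post. Run elevated on the PDC emulator.
# Peer names and the 48-hour cap are assumptions; choose them per policy.
Import-Module ActiveDirectory
$Peers      = '0.pool.ntp.org', '1.pool.ntp.org'
$MaxSeconds = 172800   # 48 hours: larger offsets are rejected and logged instead of applied

$pdc = (Get-ADDomain).PDCEmulator
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) {
    Write-Warning "This host is not the PDC emulator ($pdc); other DCs and members should follow the domain hierarchy."
}

# Where does this DC get its time today, and how far is it from each candidate peer?
w32tm /query /source
w32tm /query /status
foreach ($p in $Peers) {
    # Read-only comparison; the local clock is not adjusted
    w32tm /stripchart /computer:$p /samples:3 /dataonly
}

# Cap the phase correction in both directions, then point the PDC at the peers
# (0x8 = client mode) and mark it as a reliable source for the rest of the domain.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
Set-ItemProperty -Path $cfg -Name MaxPosPhaseCorrection -Value $MaxSeconds -Type DWord
Set-ItemProperty -Path $cfg -Name MaxNegPhaseCorrection -Value $MaxSeconds -Type DWord
$peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time

# Confirm what the service now runs with
w32tm /query /configuration | Select-String 'PhaseCorrection|NtpServer|Type'
```

With the cap in place, a peer that suddenly serves a date twelve years off produces a rejected sample and an event in the System log rather than a domain that has travelled back in time. Using two or more peers also lets you spot the odd one out in the stripchart output before anything is applied.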
MBAM – Install guide – tips
Posted by RZomerman in . All Posts, Other, Windows 2008 R2 on January 3rd, 2012
So, as promised, the install guide, or at least some small tips, as the installation is not that hard.
First of all, we are going to use a three-server architecture: one server for the databases, one for administration and monitoring, and a group policy server.
To start, we need to create some groups in Active Directory, a service account for SQL and a service account for the MBAM compliance part. Create the following groups and service accounts in AD:
Microsoft BitLocker Administration & Monitoring – intro
Posted by RZomerman in . All Posts, Other on September 21st, 2011
Why we should use BitLocker (or any other drive encryption) should be clear: a stolen laptop is worth as much as the retrievable data on it plus the value of the hardware. In a large enterprise that could be millions of dollars; for personal use it could lead to embarrassment or worse.
But enterprises seem to struggle with the implementation of BitLocker. Amongst the pain points:
- No auditing – unsure which laptops have it enabled and which ones don't
- Administrative overhead – administrators must enable it manually
- Scripting – if enabled during deployment, scripting is required
- Storage of keys in Active Directory – recovery keys are stored in clear text, readable by anyone with read access to the recovery objects
In order to cope with these and other challenges, Microsoft has released the Microsoft BitLocker Administration and Monitoring (MBAM) toolkit. For those who try to download it from the website: sorry, it is only available in the Microsoft Desktop Optimization Pack (MDOP), which comes with a Software Assurance agreement with Microsoft.
This post goes into the architecture, what users see of it, and more in-depth knowledge. Soon: the post with the install instructions!
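For the first pain point, you can get a basic answer without MBAM from what Active Directory already holds. The PowerShell below is an added example (not part of the post or of MBAM): when BitLocker-to-AD backup is enabled by Group Policy, each recovery password is stored as an msFVE-RecoveryInformation object under the computer object, so counting those objects tells you which computers have never escrowed a key. It assumes the ActiveDirectory module and an account allowed to read the recovery objects (by default only Domain Admins); it reads object names and dates only and deliberately never touches msFVE-RecoveryPassword, the clear-text key the fourth pain point refers to.

```powershell
# Added example, not from the post or from MBAM. Reports which computers have a BitLocker
# recovery password escrowed in AD. Assumes the ActiveDirectory module and rights to read
# msFVE-RecoveryInformation objects. Never reads the msFVE-RecoveryPassword attribute itself.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $computers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' `
                    -SearchBase $SearchBase -Properties OperatingSystem, LastLogonDate
    foreach ($c in $computers) {
        # One child object per backed-up recovery password; its name starts with the backup time
        $keys = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                     -SearchBase $c.DistinguishedName -SearchScope OneLevel -Properties whenCreated)
        [pscustomobject]@{
            Computer     = $c.Name
            OS           = $c.OperatingSystem
            LastLogon    = $c.LastLogonDate
            EscrowedKeys = $keys.Count
            LatestEscrow = ($keys | Sort-Object whenCreated -Descending | Select-Object -First 1).whenCreated
        }
    }
}

$report = @(Get-BitLockerEscrowReport)
$withKey = @($report | Where-Object { $_.EscrowedKeys -gt 0 })
"Computers: $($report.Count), with a recovery key in AD: $($withKey.Count)"
"No recovery key in AD (most recently active first):"
$report | Where-Object { $_.EscrowedKeys -eq 0 } |
    Sort-Object LastLogon -Descending | Format-Table Computer, OS, LastLogon -AutoSize

# On a machine that is encrypted but shows 0 keys, push its recovery password to AD from an
# elevated prompt (manage-bde ships with Windows; take the numerical password ID from the first command):
#   manage-bde -protectors -get C:
#   manage-bde -protectors -adbackup C: -id {ID}
```

A computer with a key in AD is not necessarily encrypted today (the drive may have been decrypted since), so treat this as "who can we recover" rather than "who is protected"; MBAM's compliance reporting is what closes that gap.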
2FA via the cloud – Cryptocard
Posted by RZomerman in . All Posts, Kerberos, Other on September 15th, 2011
So many of you have probably been wondering what type of 2FA I am using for my tests. Instead of setting up internal servers and dealing with encryption keys and various tokens, I stumbled upon a cloud service that handles all of this for you. Before we dive into the "commercial" part (although I did not see any money from them), the basics of configuring TMG with RADIUS are also covered in this post, so if you prefer another vendor or your own RADIUS/2FA solution, this post still applies.
Office 365 – OWA Access
Posted by RZomerman in . All Posts, Office 365 on September 15th, 2011
When migrating to Office 365, users must retain access to Outlook Web Access. While guides for OWA access exist, users find themselves being challenged for username and password multiple times. This is even worse when most users are still on Exchange 2007 in a mixed environment.
To cope with this problem, TMG can be set up to authenticate users only once. Even more, users can already be authenticated when they are sent to the Office 365 OWA site and need to request a token from the ADFS server.
Office 365 – Two Factor authentication
Posted by RZomerman in . All Posts, Office 365 on August 24th, 2011
As we have seen, passive clients have a different connection scenario than active clients. As passive clients (browsers) can actually take user input, this can be used to request additional authentication data. When users access Outlook Web Access they are redirected to the federation services to retrieve their token; this is where we can add the additional authentication hop. Users who reside on the internal network are not required to provide additional information, as their device and location are already trusted. That authentication path is therefore exempted from the picture below and described later.
Office 365 – Exchange interaction Design
Posted by RZomerman in . All Posts, Office 365, Other on August 24th, 2011
Office 365 is booming; every day new companies decide to make the switch to easy online messaging and collaboration services in the cloud. While the cloud should make life easier for administrators, setting up the co-existence environment seems a bit harder, although Microsoft has tons of help material available. This post is to clarify the interaction when setting up a co-existence environment with Office 365.
For this example I have added a TMG server to validate the requests. As many companies have additional firewalls in front of the TMG server, this is also displayed. The TMG server serves another role too in the advanced setup, where we explain that it is possible to have OWA users use two-factor authentication while ActiveSync users continue to authenticate against the federation server with their "active" clients (see the next post).
Import/Export Active Directory data…
Posted by RZomerman in Active Directory, Scripting on January 13th, 2011
I was trying to get a test environment up and running that should reflect the production environment of my customer (of course at the customer's site, secured and all). One task was to duplicate the OU structure, group structure and user information (without passwords).
Browsing through the web I found a VBS script that can do this, and while the export was good, the import script did not work. The following changes have been made to the scripts (link below) to make the OU part of the script work:
' OU part of the import script (full script linked below). The surrounding script opens
' OUs.txt as ousFile and sets newDomainName (e.g. "DC=lab,DC=local"); the Sub name here
' is assumed. OUs.txt holds one OU DN per line, parents before children, e.g.
' OU=Sales,OU=Corp,DC=old,DC=local
Sub CreateOUs(ousFile, newDomainName)
    Dim iOU, iLvl, iHighLvl, strLine, arrOU, arrActOU, strObject, x, oOU, oOUnew
    On Error Resume Next                    ' the Err check after SetInfo relies on this
    wscript.echo "Creating OU" 'Parse OUs.txt
    iOU = 0
    iHighLvl = 0
    ReDim arrActOU(2000, 3)
    Do While Not ousFile.AtEndOfStream
        strLine = ousFile.ReadLine
        arrOU = Split(strLine, ",")         ' splits on every comma, so "\," in OU names breaks it (see PS)
        iOU = iOU + 1
        iLvl = UBound(arrOU) - 2            ' depth, assuming two DC= components
        If iHighLvl < iLvl Then iHighLvl = iLvl
        ' Parent path: every RDN except the first, with the old DC= parts replaced by the new domain
        strObject = ""
        For x = 1 To UBound(arrOU)
            If Left(arrOU(x), 3) <> "DC=" Then
                strObject = strObject & arrOU(x) & ","
            End If
        Next
        strObject = strObject & newDomainName
        arrActOU(iOU, 1) = iLvl
        arrActOU(iOU, 2) = arrOU(0)
        arrActOU(iOU, 3) = strObject
        ' Bind to the parent container and create the OU under it
        Set oOU = GetObject("LDAP://" & strObject)
        Set oOUnew = oOU.Create("organizationalUnit", arrOU(0))
        oOUnew.SetInfo
        If Err <> 0 Then
            wscript.echo "Error " & Err.Description & " creating " & arrOU(0) & "," & strObject
            Err.Clear                       ' otherwise the same error is reported for every following OU
        End If
        Set oOU = Nothing
        Set oOUnew = Nothing
    Loop
End Sub
Get the rest of these working scripts at: http://community.spiceworks.com/scripts/show/39-ad-export and http://community.spiceworks.com/scripts/show/40-ad-import
PS: Make sure to open the txt files and look for "\," entries (escaped commas inside OU or group names): they must be deleted, else they will crash the import, because the script splits each DN on every comma and ends up binding to a path that does not exist.
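For a Windows Server 2008 R2 or newer domain, the same OU import can be done with the ActiveDirectory module instead of ADSI. The PowerShell below is an added example, not from the post or the Spiceworks scripts: it reads the same OUs.txt format (one DN per line, deepest RDN first) and differs from the VBScript in two ways, both addressing problems mentioned above. DNs are split on unescaped commas only, so the "\," entries in the PS no longer need to be deleted, and OUs are created parents-first regardless of file order. The file name and the target domain DN are assumptions.

```powershell
# Added example, not from the post or the Spiceworks scripts. OU import with the
# ActiveDirectory module. $OuFile and $NewDomainDN are assumptions; adjust them.
param(
    [string]$OuFile      = '.\OUs.txt',
    [string]$NewDomainDN = 'DC=lab,DC=local'
)
Import-Module ActiveDirectory

function Split-DN {
    # "OU=Sales\, EMEA,OU=Corp,DC=old,DC=local" -> 'OU=Sales\, EMEA', 'OU=Corp', 'DC=old', 'DC=local'
    # The lookbehind keeps an escaped comma inside an RDN, which a plain Split on "," does not.
    param([string]$DN)
    [regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function ConvertTo-TargetOU {
    # Maps an exported DN onto the new domain by dropping the old DC= components
    param([string]$DN, [string]$TargetDomainDN)
    $ouParts = @(Split-DN $DN | Where-Object { $_ -notmatch '^DC=' })
    if ($ouParts.Count -eq 0) { return $null }
    $rdn    = $ouParts[0]                                   # still escaped, e.g. OU=Sales\, EMEA
    $parent = (@($ouParts | Select-Object -Skip 1) + $TargetDomainDN) -join ','
    [pscustomobject]@{
        Name   = ($rdn -replace '^OU=', '') -replace '\\,', ','   # unescaped name for -Name
        Parent = $parent
        DN     = "$rdn,$parent"                             # escaped DN for lookups
        Depth  = $ouParts.Count
    }
}

function Test-ADObjectExists {
    # Get-ADObject works for OUs and for the domain head alike, so parents can be checked uniformly
    param([string]$DN)
    try { $null = Get-ADObject -Identity $DN -ErrorAction Stop; $true } catch { $false }
}

$targets = Get-Content $OuFile |
    Where-Object { $_ -match '\S' } |
    ForEach-Object { ConvertTo-TargetOU -DN $_ -TargetDomainDN $NewDomainDN } |
    Where-Object { $_ -ne $null } |
    Sort-Object Depth                       # create parents before children, whatever the file order

foreach ($t in $targets) {
    if (Test-ADObjectExists $t.DN) { "exists  $($t.DN)"; continue }
    if (-not (Test-ADObjectExists $t.Parent)) { Write-Warning "parent missing, skipping $($t.DN)"; continue }
    try {
        # ProtectedFromAccidentalDeletion defaults to $true, as in the AD Users and Computers UI
        New-ADOrganizationalUnit -Name $t.Name -Path $t.Parent -ErrorAction Stop
        "created $($t.DN)"
    } catch {
        Write-Warning "Error creating $($t.DN): $($_.Exception.Message)"
    }
}
```

Because the existence check runs per OU, the script can be re-run after fixing a bad line without recreating anything; names containing other escaped characters (`\+`, `\=`) are outside what the export on this page produces and are left as-is.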
