Microsoft released a new whitepaper this week that gives an insight in why you should protect your privileged accounts. One of the techniques described is the PassTheHash attack which is a sophisticated attack but fairly easy to execute. These attacks have been seen in the “field” and are being used today. If you work with […]
So as promised.. the install guide.. or at least some small tips as the installation is not that hard..
First of all, we are going to use a three server architecture. One server for the databases, one for the administration and monitoring and a group policy server.
To start, we need to create some groups in Active Directory, the service account for SQL and a service Account for the MBAM compliancy part. Create the following groups in AD and the following service accounts:
Why we should BitLocker (or any other drive encryption) should be clear. A stolen laptop is only worth as much as the retrievable data on it + the value of the laptop. In large enterprises this could be millions of dollars, but for personal use this could lead to embarrassment or worse.
But enterprises seem to struggle with the implementation of BitLocker, amongst the pain points:
- No auditing – unsure which laptops have it enabled or which ones don’t
- Administrative overhead – administrators must manually enable it
- Scripting – if enabled during deployment scripting is required
- Storage of keys in Active Directory – clear text storage of recovery keys
In order to cope with these and other challenges, Microsoft has released the BitLocker Administration and Monitoring toolkit. For the ones that try to download it on the website, sorry, it is only available in the Microsoft Desktop Optimization Pack which comes with a software assurance agreement with Microsoft.
This post goes into the architecture, what users see of it.. and more in depth knowlegde.. soon, the post with the install instructions!
So many of you probably have been wondering what type of 2FA I am using for my tests. Instead of setting up internal servers, dealing with encryption keys and various tokens, I stumbled upon a cloud service that handles all of this for you. Now before we dive into the “commercial” part (although I did not see any money from them) the basics for configuring TMG with radius are also covered in this post, so if you prefer another vendor, your own radius/2FA solution, this post still applies.
Office 365 is booming.. everyday new companies decide to make the switch to easy online messaging and collaboration services on the cloud. While the cloud should make life easier for administrators, setting up the co-existence environment seems a bit harder. Although Microsoft has tons of help material available .This post is to clearify the interaction when settings up a co-existence environment with Office 365.
For this example I have added a TMG server to validate the requests. As many companies have additional firewalls in front of the TMG server, this is also displayed. And the TMG server serves another role to in the advanced setup, where we explain that it is possible to have OWA users use two-factor authentication while ActiveSync users can continue to authenticate against the federation server with their “passive” clients. (see the next post)
So no posts for a long time, been busy though.. and the latest addition to this blogpost is about SharePoint. Who would have thought.. In my case the customer wanted to enrich the User profiles that came from Active Directory with Novell attributes that where in a central identity store. While SharePoint is capable of […]
So everybody should enable firewall policies in order to keep their environment secure. Best practice is to manage the firewalls through policies.. keep a default policy to enable the firewall and do not allow incoming connections.. then based on server role add exceptions and ports. That way, each server added to the domain is secured by the firewall by default, but additional policies can enable applications to receive traffic.
We had no hope at all, we send him off to Seattle expecting nothing except total failure.. seems the dude is more knowledgeable than expected .. Three written exams and one lab later, co-worker J. Reijling achieved MCM OCS.. congrats.. http://www.reijling.nl/
Once in a while, antivirus companies create a new signature file that kinda stops the entire system instead of just the virus..
It’s like the docter amputates the heart of the patient, just to cure a brooze
Congratulations McAffee this time:
So I tried to install the FIM RC (u3) in a demo environment, and what a hush hush was that.. My setup was fairly easy, all (except SQL) on a single box.. offcourse reading is not my best skill, but the install went fine.. and the portal was ready for the administrator account (installed it with). It opened on the fim server without a problem, but getting it to work remotely, that was another problem..
The guide tells you to register SPN’s for the Kerberos to work if the FIM Portal and FIM service are on seperate servers, but ALSO if you want to use the FIM password reset extension.. however registering the http/servername to a service account renders the remote login useless.. you will receive an HTTP Error 401. The requested resource required used authentication.
If you where to google (or bing) on that error code the links tell you to disable Kernel Mode kerberos in IIS.. well that kinda did NOT do the trick either and although the Sharepoint site comes up then, the FIM portal dies..