Category Archives: Security

WP-Captcha Free Broke My Comments

Apologies to anyone who has tried to comment on my posts. I noticed some Apache errors and decided to do some digging.

In an effort to keep commenting as easy as possible without wading through tons of spam, I was using a WordPress plug-in called WP-Captcha Free. It appears that it started breaking the comment section after one of its updates, but it was awesome prior to that. I’ve removed it and am now trying another plug-in that will only ask you for a CAPTCHA if Akismet flags the comment as spam.

Happy computing!

Direct Access Computers Can’t Ping Domain Controller on Internal Network?

Can’t ping the domain controller by FQDN while on the internal network?  Having trouble reaching any of the internal domains that are available via Direct Access while on your internal network?

This is a quick blog post to document an error I encountered that took me a while to figure out, as is typical of errors caused by configuration mistakes (yes, self-inflicted).  The Microsoft Unified Access Gateway administration documentation for configuring Direct Access (DA) states two things that are extremely important, but it does not emphasize just how important they are, or describe the errors you will encounter if they are not followed.

Your Network Location Server (NLS), which must be able to serve HTTPS requests, is used by your DA clients to determine whether they are on the internal network.  This site must not, and cannot, be reachable through DA or by any other means from outside your network, so make sure the HTTPS resource is NOT something you need to access from external networks.  If your clients can reach the NLS, they will not attempt a DA connection; if they cannot reach it, they will attempt a DA connection.  There are a few other key points about this server that also cannot be overlooked.


Free SSL Certificates for Public Domains and Sub-Domains via StartSSL

I’ve been using internally generated SSL certificates for testing and publishing, as most developers, IT pros, and DIY people have. Though it works, it can be a little frustrating to deal with CRLs and OCSP responders if you don’t want browsers and applications to warn that the certificates are untrusted.  For public-facing sites, there’s a vendor that now provides free certificates and an excellent toolbox for managing them.

Read on for more info or take the link: https://www.startssl.com.


Enable Web Server Certificate Requests On Windows Server 2008R2 CA Server

So I’ve run into this problem multiple times and ‘hacked’ my way around it in various ways, but there is a better way that doesn’t require certutil.exe or any other console utilities.  This scenario applies under the following conditions:

  • CA (Certificate Authority) Server is running on Windows Server 2008 R2
  • Web Server is running on Windows Server 2008 R2
  • Both servers are members of the same domain
  • You want to use the Certificates snap-in
  • You want to stay away from the console if you can

By default, you cannot generate a web server certificate request directly from your servers and you are presented with this screen based on the default Active Directory Enrollment Policy:

[Screenshot: certificate request denied under the default Active Directory Enrollment Policy]

As you can see from the screenshot, all of the certificate templates are unavailable with the exception of the Computer certificate template.


Vyatta Blocking Email Download of Attachments

I check my site logs pretty often to find out how people are arriving at this blog, and I have seen an increase in traffic that points to an exchange I had with a visitor about Vyatta blocking email attachment downloads.  I wanted to post this quick entry so that people looking for a quick fix can get to it without reading through the complete conversation on the other post: http://d3planet.com/rtfb/2009/11/02/vyatta-firewall-basics-and-configuration/

Here’s the quick and dirty solution:

Problem:  Vyatta is blocking the download of email attachments.  This solution only applies if your implementation is using the web proxy with SquidGuard URL filtering.

Solution:  Use the following command to make Vyatta allow URLs that reference an IP address directly instead of a hostname (the attachment downloads were being fetched by IP address and were therefore being blocked by the URL filter):

set service webproxy url-filtering squidguard allow-ipaddr-url

or

set service webproxy url-filtering squidguard rule XX allow-ipaddr-url

Keep reading for more info on the issue…


Create a Router with Front Firewall using Vyatta on VMware Workstation

Vyatta is a powerful enterprise-class software router with some really incredible features.  It has a CLI (command line interface) as well as a web interface.  I’ve gotten a few requests about configuring it as a front-end system, but until now I have only really worked with Vyatta as a pure routing appliance internal to my network.  It has been my traffic cop between my lab subnet, user subnet, and server subnet, but now I’ll try to configure it as a front end, based on an exchange I had on another thread.

This should give you some examples to get started using Vyatta as a front firewall.

If you don’t have the software, you can download a free version, called Vyatta Core, from Vyatta’s website.  You have to register, but don’t worry, they won’t spam you and they have extensive documentation on the product that you can pull down after registering.  It’s an excellent resource to learn and practice your routing skills, especially since you can stand up the product on random hardware or in a virtual machine.  Vyatta even has downloads specific to VMware implementations.  Check it out and come back if you’re interested in seeing this post through.  http://www.vyatta.com.

And now for the good part.


SSL Sniffing – How Safe Is Your Information?

Some firewalls now have a new (or not so new) feature that most web users are unaware of:  the little lock in your browser that shows you are using a secure connection is not what it used to be.

When you make a secure connection to a web site, your bank for example, and you see the little lock appear, that is an indicator that your browser is connecting to and exchanging information with a server through a secure, certificate-based channel.  Behind the scenes, encryption keys are exchanged, and the information you transmit and that is transmitted back to you is encrypted and not easily readable by others.  That perception of safety is the basis of all financial, as well as other, transactions on the Internet, and you as the consumer believe that when you see that lock, your information is safe.

There’s a lot that happens, and can happen, between you and the server you’re communicating with.  To illustrate what I’m talking about, here is a simplified diagram of a typical network configuration, using the example of a bank:

[Diagram: simplified network path between your computer and the bank’s server, with a firewall at each end]

You can click the image above to enlarge it.  Your computer connects to your bank through firewalls.  The firewall closest to you protects your network, and the firewall on the bank’s end protects their network.  There is typically a certificate installed on the bank’s firewall and server that allows you to establish a secure connection to that server.


Install Certificate Services on Windows Server 2008 R2

This post picks up where the last post left off.  In the last post, we created a Windows Server 2008 R2 Active Directory Domain Controller and stopped short of going on to add Certificate Services into the mix.

If you’re not sure whether you need Certificate Services in your environment, it never hurts to have it available.  It does not add much overhead, so for development environments and small businesses you can consider adding the role to a DC (domain controller), as we do here.  Certificate Services will allow you to issue certificates to your internal resources, use client/server certificates for authentication, and set up SSL-enabled websites.

I believe best practice is, and I’m sure someone will correct me if I’m wrong, to set up an Enterprise Root CA (Certificate Authority) and then set up one or more subordinate CAs.  You can then take your Root CA offline and have the subordinates handle all of the traffic without fear of compromising your Root CA.  In this tutorial, we’ll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.

Now that you’ve got some background information, on to the installation and configuration of Windows Server 2008 R2 Certificate Services.

In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane.  Check the box for Active Directory Certificate Services, then click Next.


Keep reading…


Build a Windows Server 2008 R2 Domain Controller

I previously posted a tutorial on creating a domain controller using Windows Server 2003, and decided to post an update with step-by-step instructions for Windows Server 2008 R2.  The steps should be the same for Windows Server 2008.

This is great for developers, testers, and anyone looking to learn Active Directory or deploy to a small network.  If this is for a production deployment, you might want to bring in a professional to help you.  There are many other things to consider, like ‘hardening’ your server and setting up Group Policy.  An insecure or unprotected domain controller is an invitation to havoc on your network.

So without any further ado and in the immortal words of ‘Marv’, “Let’s get to it!”

In the Server Manager click on Add Roles.


Keep reading…


Vyatta Firewall Basics and Configuration

For a post that is a little more advanced, try this one: Create a Router With Front Firewall Using Vyatta on VMware Workstation.

Otherwise… read on. 🙂

A few weeks ago, I installed Vyatta Open Source as a router internal to my network to see how it handled traffic between multiple subnets.  To put it plainly, it worked like a champ!  I put the router in place, assigned IP addresses to the NICs (network interface cards), and let the system do its thing.  It now routes traffic between my physical network, my production virtual network, and my virtual lab running on ESX 3.5.  I can easily manage most firewalls and routers that have a GUI, but Vyatta presented a new challenge: on this system, some tasks are a lot easier to do from the command line interface (CLI).

So without further ado, here’s the basics of Vyatta’s firewall.


Keep reading…
