
12:16

January 02 2014

16:12

PowerShell $Profile

Type $profile into a PowerShell window, and you’ll get something like C:\Users\username\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 in return.

It’s actually just another ps1 file that gets loaded whenever you open a PowerShell prompt.
This makes it really easy to add custom PS snippets to your environment!
And we all have these pieces of code we use almost daily…

To get started, follow this technet guide.

In the end, you’ll get yourself a Notepad file you can edit.

Here are some useful functions you can paste into it!
Some functions come directly from David Little (thanks!)
$ProfileRoot = (Split-Path -Parent $MyInvocation.MyCommand.Path)
$env:path += ";$ProfileRoot"
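
Because a profile is ordinary script that runs at every start, it helps to know which profile files exist and whether they change. The following is an added example, not part of the original post: `Get-ProfileAudit` is a hypothetical helper that reports each profile path with owner, hash, signature status and whether it touches `$env:path`, and the sample profile it writes to the temp folder is constructed.

```powershell
# Added example, not from the original post: audit the scripts PowerShell
# loads automatically at startup. Needs PowerShell 4+ (Get-FileHash).
function Get-ProfileAudit {
    param(
        # Default: the four profile locations exposed as properties of $PROFILE.
        [string[]]$Path = @(
            $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
            $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost
        )
    )
    foreach ($p in $Path) {
        if ([string]::IsNullOrEmpty($p)) { continue }
        $exists = Test-Path -LiteralPath $p -PathType Leaf
        $info = [ordered]@{
            Path = $p; Exists = $exists; LastWrite = $null; Owner = $null
            SHA256 = $null; Signature = $null; TouchesPath = $null
        }
        if ($exists) {
            $info.LastWrite = (Get-Item -LiteralPath $p).LastWriteTime
            $info.Owner     = (Get-Acl -LiteralPath $p).Owner
            $info.SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            # NotSigned is normal for a personal profile; the hash shows change over time.
            $info.Signature = (Get-AuthenticodeSignature -LiteralPath $p).Status
            # Flag profiles that extend the search path, as the snippet in this post does.
            $info.TouchesPath = [bool](Select-String -LiteralPath $p -Pattern '\$env:path' -Quiet)
        }
        [pscustomobject]$info
    }
}

# Constructed sample: a throwaway profile holding the two lines from this post.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample_profile.ps1'
Set-Content -LiteralPath $sample -Value @(
    '$ProfileRoot = (Split-Path -Parent $MyInvocation.MyCommand.Path)',
    '$env:path += ";$ProfileRoot"'
)

# Audit the sample first, then the real profile locations of this host.
@(Get-ProfileAudit -Path $sample) + @(Get-ProfileAudit) |
    Format-List Path, Exists, LastWrite, Owner, SHA256, Signature, TouchesPath

Remove-Item -LiteralPath $sample
```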

November 21 2013

09:05

Windows Remoting Differences

WS-Management (WSMan): the cross-platform open source technology
WinRM: Microsoft’s implementation of WSMan
PSSession: built on top of WinRM, made very easy to use in PowerShell
Invoke-Command: uses PSSession, meant to do distributed computing on multiple client machines

Jej!
Play with it!

September 26 2013

11:15

Azure Powershell

Did you know you can actually deploy an entire server farm in just a bunch of code =)
Just by using Powershell!

Powershell for Microsoft Azure was introduced in June 2012 (src), so it has been around for quite some time. Still, I learned of its existence only recently…
And DAMN, you can do awesome things with it!

Some Czech University got me started.
The article can be found over here: http://ulita.ms.mff.cuni.cz/pub/predn/NSWI152/azure/watk/Labs%5CDeployingActiveDirectoryPS%5CHOL.htm

First, of course, download the Azure Powershell pack!
This pack contains the Azure Module for Powershell, and provides a whole bunch of cmdlets: http://msdn.microsoft.com/en-us/library/jj152841.aspx

Second, you need a subscription file. This file lets you connect to the Azure environment.
The subscription file is actually just an XML file, containing the Management Certificate.
You can connect to Azure using this file, or manually load the certificate from Azure (yay, 2 options).
You can get this publishsettings-file by running the

Get-AzurePublishSettingsFile
Import-AzurePublishSettingsFile C:\users\deswale\Desktop\mendelazure.publishsettings

Run this only once, because each time you run it, you’ll create a new certificate (gets messy in Azure).

So, you’ve imported your publishsettingsfile and you’re connected to Windows Azure.
Next on the todo-list.

The very first time, you have to create a storage account to host all your data (virtual hard disks and stuff).
Next you’ll have to create a virtual network. Yep, you can even define your networks in xml, and upload them to Azure! For example: this one!
And you need an affinity group! (This makes sure your virtual environment is hosted in the same geographical region. You don’t want your cpu’s running in America with your data stored in Asia, do you? )
So, run some basic commands:

Get-AzureSubscription
Get-AzureStorageAccount
New-AzureStorageAccount
Get-AzureAffinityGroup
New-AzureAffinityGroup
Get-AzureLocation
New-AzureAffinityGroup -Name "MendelGroup1" -Location "North Europe"
New-AzureStorageAccount -StorageAccountName "mendelstorage1" -Label "First Storage Group" -AffinityGroup "mendelgroup1"
Set-AzureSubscription -SubscriptionName "Gratis evaluatieversie" -CurrentStorageAccount "mendelstorage1"
Get-AzureVMImage | select imagename
$ConfigPath = "c:\users\mendel\desktop\networkconfig.xml"
Set-AzureVNetConfig -ConfigurationPath $ConfigPath

New-AzureQuickVM -Windows -ServiceName "MendelService" -Name "THEMachine" -ImageName "a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-Preview-201306.01-en.us-127GB.vhd" -Password "AdminPassword123456798" -AdminUsername "mendel" -Location "North Europe"

And in the end, you can create something like this: http://blogs.technet.com/b/yungchou/archive/2013/07/31/automating-windows-azure-infrastructure-services-iaas-deployment-with-powershell.aspx – WARNING, can be too awesome to handle…

At the moment we’re writing a script with a nice collection of azure-features.
Will be publicly available later!

August 28 2013

09:05

Working with AD RMS

In powershell is quite a hassle…

Yes, those are the only cmdlets available…

Import-Module AdRmsAdmin


First you need to create the virtual drive using New-PSDrive
Call it whatever you want

 new-psdrive -name test -psprovider adrmsadmin -root https://localhost

Browse to it

set-location test:\trustpolicy
or simply cd test:\

And now you have a virtual “drive” containing all the rms configuration.
You can even “dir”  and “cd” in it!

PS test:\trustpolicy\TrustedPublishingDomain> dir
Id         DisplayName           Type                  CSP                   KeyContainer          CryptoMode
--         -----------           ----                  ---                   ------------          ----------
100        tsfdemo2013app1       Internal              AD RMS centrally m... AD RMS centrally m... 2

Here, you can run the cmdlets from the links mentioned above


PS test:\trustpolicy\TrustedPublishingDomain> Export-RmsTPD -Path .\100 -SavedFile C:\users\tsfadmin.CORP\Desktop\file123.xml
cmdlet Export-RmsTPD at command pipeline position 1
Supply values for the following parameters:
PS test:\trustpolicy\TrustedPublishingDomain>

August 13 2013

09:28

IIS as a reverse proxy for Apache and wordpress

Another story standing since November 2012 (lol ).
The only thing that has changed: ARR (read on) is now officially supported by Microsoft!
They’re even almost/perhaps/maybe/theoretical/optional considering it as a successor for TMG2010

Anyway, this post is not entirely correct. What we were trying to do was reverse proxy to a subdirectory. That didn’t work…
But you can get a feel for the possibilities of IIS’s ARR.

3 days later, but I solved this terrible situation…

The story

Our current website http://www.smartsys.be runs on an asp-powered cms called “umbraco” (url).
So it needs IIS and MS SQL accordingly…

Second part of the story: we want to introduce a blog with our success stories!
Number one blog software of our choice: wordpress (of course)

But, as we all know, wordpress runs on php and not asp, and an accompanying database…

The options:

1. install php/fastcgi on IIS, mess around with its config, use ms sql as backend db, and run everything in IIS…
2. use apache for both reverse proxying and serving the wordpress pages
3. let IIS serve our umbraco web pages and set it up as reverse proxy for apache!

So, in the end, we only tried the last two options.
I didn’t actually want to try to install php in IIS and maybe mess up our actual web service…

The result

Apache as reverse proxy didn’t end very well…
Actually, it didn’t work at all…
No idea why, didn’t put much effort in it…

On the other hand, IIS as reverse proxy wasn’t easy either…
It took almost 3 days to figure out what went wrong, how to prevent it from happening, and in the end: how to solve it!
note: not 3 full days, but “some time during 3 days” ^^

How!

So, a little how-to:

First of all, you need IIS, just enable the feature on your Windows or Windows Server.
Secondly, you need “Application Request Routing“. You can download and install this without taking down your website.
This module is officially supported by Microsoft!

So, when both are installed, you can start configuring…

Enable ARR for your site: select your server in IIS Manager, open Application Request Routing under IIS options, choose “Server Proxy Settings” from the actions tab, mark “enable” and press apply.

Secondly, we can start reverse proxying!

Select your site, in our example the “default web site”, and open the “url rewrite” module.
Here is where the magic should happen!

You can easily add a new rule by clicking “add rule(s)”. In our case, we choose “reverse proxy”.

Next, choose the path for your destination server, in our case “http://localhost:8080/test/”.
Also, in the case of wordpress (very important): enable outbound rules, these are the rewrite rules…

One of the main issues that took so long to understand was a redirection issue: wordpress itself tries to redirect you to its config page, while IIS tries to rewrite the request to the wordpress folder. The result: endless 301 redirections… So, watch out here!
At first, I believed I could fix it by changing the config in wordpress. And I took too long trying to fix it that way. In the end (and this is what we’re doing in this manual) letting IIS handle all this reverse proxy work does the job…

So after adding this rule, we need to correct it somehow.
The default settings are not really good enough (maybe in your case it is!)

So, let’s have a look at the Inbound rule. Just open it.
I’m going to change the “pattern” IIS filters on from “(.*)” to “^test/(.*)”. This way only requests for “blog.smartsys.be/test/” are accepted.

Secondly, you have to add {R:1} to the end of the “rewrite url”. Otherwise things like http://blog.smartsys.be/test/wordpress/wp-admin/index.php would never work. It’s just the argument from the initial request that’s forwarded to the rewritten url…

That’s it, apply and close. Next we’ll have a look at the outbound rule.

So, the big problem with wordpress is something with redirection. So, in the end, I made it undetectable for wordpress that it’s being reverse proxied. So, from wordpress’s point of view, it’s just running on localhost:8080.

This implies we need to rewrite localhost:8080 to something externally available, in our case “blog.smartsys.be”…
This is where the “outbound rule” comes in!

I just modified some parts of the default configuration the “add reverse proxy” wizard from before created.

First: match all content!
The pattern should be “^http(s)?://localhost:8080/(.*)”
And the action value becomes: “http://blog.smartsys.be/{R:2}”

So, I hope you don’t spend any time on trying to let wordpress fix it (because it won’t), just let IIS do all the work!
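
To see what the two patterns capture, and why the outbound action uses {R:2} while the inbound rewrite uses {R:1}, the rules can be replayed outside IIS. This is an added example, not the author's configuration: the helper functions are hypothetical, the request paths and links are constructed, and .NET regex stands in for URL Rewrite's matcher.

```powershell
# Added example, not from the original post: replay the post's rules with .NET regex.
# URL Rewrite patterns ignore case by default, hence IgnoreCase.
$RegexOptions = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase

function Expand-RewriteTemplate {
    param([string]$Template, [System.Text.RegularExpressions.Match]$RuleMatch)
    # {R:0} is the whole match; {R:n} is capture group n of the rule pattern.
    [regex]::Replace($Template, '\{R:(\d+)\}', {
        param($m)
        $RuleMatch.Groups[[int]$m.Groups[1].Value].Value
    })
}

function Invoke-RewriteRule {
    param([string]$Pattern, [string]$Template, [string]$Value)
    $ruleMatch = [regex]::Match($Value, $Pattern, $RegexOptions)
    if (-not $ruleMatch.Success) { return '(no match, left untouched)' }
    Expand-RewriteTemplate -Template $Template -RuleMatch $ruleMatch
}

$inboundPattern  = '^test/(.*)'
$outboundPattern = '^http(s)?://localhost:8080/(.*)'

# Constructed inputs. Inbound rules see the request path without the leading slash;
# outbound rules see the URLs that the backend wrote into its response.
$cases = @(
    @{ Rule = 'inbound, with {R:1}'; Pattern = $inboundPattern
       Template = 'http://localhost:8080/test/{R:1}'
       Value = 'test/wordpress/wp-admin/index.php' }
    @{ Rule = 'inbound, {R:1} forgotten'; Pattern = $inboundPattern
       Template = 'http://localhost:8080/test/'
       Value = 'test/wordpress/wp-admin/index.php' }
    @{ Rule = 'inbound, other site content'; Pattern = $inboundPattern
       Template = 'http://localhost:8080/test/{R:1}'
       Value = 'services/index.aspx' }
    @{ Rule = 'outbound, {R:2}'; Pattern = $outboundPattern
       Template = 'http://blog.smartsys.be/{R:2}'
       Value = 'http://localhost:8080/test/wordpress/wp-login.php' }
    @{ Rule = 'outbound, {R:1} by mistake'; Pattern = $outboundPattern
       Template = 'http://blog.smartsys.be/{R:1}'
       Value = 'http://localhost:8080/test/wordpress/wp-login.php' }
    @{ Rule = 'outbound, relative link'; Pattern = $outboundPattern
       Template = 'http://blog.smartsys.be/{R:2}'
       Value = '/test/wordpress/wp-content/style.css' }
)

$cases | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.Rule
        Input  = $_.Value
        Result = Invoke-RewriteRule -Pattern $_.Pattern -Template $_.Template -Value $_.Value
    }
} | Format-List
```

In the outbound pattern the first group is the optional "s" of the scheme, so the path only arrives in {R:2}; absolute links that still point at localhost:8080 after the rule runs are the ones that expose the backend address to visitors.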

August 12 2013

08:34

Secure sync of Passwords!

The interwebz is a complex wasteland.
Almost every website requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords: the simple password (19bit) for the “one-time-use” websites, the more complex ones (still only max 65 bit) for the “special sites” like facebook, google, or my hr department… Actually, my “toughest” password (my cronos admin password) only reaches 87 bits…

only a couple of my accounts…

Anyway, when you’re on the internet for a couple of years, you gather some accounts.

Lots of them

LOTS OF THEM……

And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…

The last couple of years I always made use of random sync tools. At first, the sync tools from Mozilla itself, later on some other 3rd-party tools, but the last tool I got stuck with was xmarks. But last year it was bought by lastpass. So all my passwords were suddenly in their hands…
I’m not sure I like that…

But I kept using it, because it comes in damn handy!
All your passwords perfectly in sync between devices, nice plugins for every browser, and even a nice web interface!

But, still, you trust your password with someone else…

Anyway, this week I started doing some consultancy (read, they’re teaching me) for another Cronos Group Company working on InfoSec (another blogpost about this will follow!). And the first thing that happened when firing up my laptop in front of these guys, was firefox opening, and lastpass popping up…

fuck

10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”

Anyway, today I present you: THE SOLUTION

Your own sync tool built around keepass!

I’ve been using keepass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it off-line. I open it, copy paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!

Until today, on my first hit on google: “keepass firefox”

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an http web service), and you’re good to go! Uninstall lastpass, throw away all other 3rd-party related crap you don’t want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own aes-256 encrypted keepass db!

The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But then I would answer “you’re too soon with your remark”

Put all of the above in a skydrive/dropbox/owncloud/anything, and you can run around using your passwords everywhere!

Jej!

————–

Some remarks on passifox: browse to any website with a login field, rmb -> fill user & pass. This is the only known interface to the firefox plugin! Use this to set up the initial connection with lastpass (connect will appear).

Some remarks on the entire process: I always trusted sites like lastpass. I don’t know exactly why. But when you work for an InfoSec company, you can’t risk anything. Right?
Maybe it was out of laziness, because lastpass is just that handy. But in the end, so is passifox! So please, when you read this, think twice about who you trust with what!

Remark on skydrive/dropbox/owncloud: even Microsoft’s skydrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to log off from any live-enabled website and someone can have access to these files as well. Even when you run owncloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21st century burglars” can download is an aes encrypted file! Good luck with that
Hell, with this setup you can even put a hidden truecrypt container in skydrive containing a portable firefox and keepass… But then, who’s that paranoid?

August 05 2013

21:10

Active Directory Federation Services

AD FS, STS, SSO, Claims, Realms, Tokens, SAML, WS-Federation, WS-Security, … All these fuzzy terms that were thrown at me last month…

The project was to implement AD FS (see title) in our environment.
The single and only purpose of AD FS is to create a “single sign on experience” between applications. Sign on to any website, and you can visit all other websites with that same account! (Only trusted websites that is, ofc…)
There are claims providers for Exchange OWA, Sharepoint. You can use it natively in custom and cross-platform applications, on Microsoft Azure and in our case Office 365.
And because it’s based on an open standard, you don’t have to use .net, but you can use Java (jeej) as well! Or even php -> http://code.google.com/p/simplesamlphp/.
As long as your application is compatible with saml, you’re good to go!

So, all mentioned abbreviations also have a meaning! And if you want to know what it means and what their purpose is, read this article on msdn!

A more “conceptual” article you can read: A Guide to Claims-Based Identity and Access Control (2nd Edition)
Especially the part about “the airport” explains a lot

Some more “academic” OASIS articles on WS-Trust and WS-Federation

And if you want to know more about WSDL, just read wikipedia

July 31 2013

14:07

synergy-foss

Aka synergy aka synergy+
And now it’s named synergy-foss!

It’s a shame people don’t know this application…
It has so many possibilities!

Basically, it lets you use your computer as a kvm switch…
So, you can control multiple different computers with just one mouse and one keyboard.
It’s awesome if you use your laptop next to your desktop.
Or use a portable version of synergy-foss when working with multiple other computers!

Go check it out!

July 22 2013

18:43

TestMX

Is only awesome…

Created by the guy(s) from dataenter.com, this utility does some automated debug tests for mailservers! Just like mxtoolbox.com, but locally, for example on your mailhub/smtp server…

If you run the executable from the command line, you’ll notice some arguments you can pass to the application.

For example:

TextMX.exe -drecipentdomain.be -tmendel@recipientdomain.be -fmendel@senderdomain.be -a -qDNS8.8.8.8

Just have a look if you’re interested in mail servers

March 23 2013

16:02

Not so random

Random generators suck…
Apparently no one can make a good one…

My car (bmw), my previous car (opel), my ipod, itunes, windows phone, youtube, …

After a song, always the same “random” song follows..
It’s kind of strange…
If you let me create a random() function, I would include the time somehow.
At least in a car you can create some mathematical function, which divided by the current amount of minutes, will give you something pseudo random, right?
At least random enough to not always let a specific song be the next one at another certain song?

Random.org gives you the real analysis of how true randomness can be achieved.

As you can see on the random.org page mentioned above, even php on windows rand() sucks! Spot the “pattern” in the picture below!
According to Bo Allen php performs better on Linux… Shame on you Microsoft!

php’s rand() function on windows!

Anyway, I don’t want to know the next song, when I enable “shuffle” in my audio player…

Microsoft, BMW, Apple, please fix it!

March 17 2013

19:05

Powershell!

Powershell is being positioned by Microsoft as a “unix shell lookalike”.
And with the release of W8 it has been bumped to version 3.0

If you have absolutely never heard of it: it’s the successor of dos -> cmd -> cscript (VBscript) -> powershell.

Nowadays, you can actually script a big part of almost any Microsoft product installation/configuration/administration in this shell (like windows, exchange, sharepoint, lync, …)
Plus, you can make calls to .net/COM/windows!

Let’s get you started!

Start -> search for “powershell” -> start it!

You can run commands you already know like ipconfig/nslookup, cd/ls/dir or even something like “Get-Counter -ListSet processor | Get-Counter” (more info) for more advanced usage

I’m not going to rephrase great readings, but I am going to put them in a list to get you started!

1. Read this: http://www.johndcook.com/PowerShellCookbook.html
It’s a very brief summary of how to get started with powershell scripting (the setup, especially the “set-executionpolicy”, and some real basic commands!)
It’s also a very good introduction to the conditional branching, comparators and loops syntax in powershell!
3. or google anything with “powershell” and your question

If you’ve programmed before, you’ll be up and running in no time!
Otherwise, it’ll take you like 2 minutes

Anyway, some example scripts for you! -> http://www.mendelonline.be/code/index.php?filename=get%20all%20servers%20from%20ad%20and%20get%20version%20of%20specific%20file.ps1

February 14 2013

18:15

First World Problems

Working in a big company is fun.
You’ll get in touch with private server parks, HA clusters, and a loooot of problems…

SQL -> SQL 2012 SP1 bloating the windows registry to the max (2048mb), making windows do VERY weird things… http://blogs.msdn.com/b/sqljourney/archive/2012/10/25/why-the-registry-size-can-cause-problems-with-your-sql-2012-alwayson-setup.aspx, http://connect.microsoft.com/SQLServer/feedback/details/770630/msiexec-exe-processes-keep-running-after-installation-of-sql-server-2012-sp1
Cisco/Windows8 -> Windows 8 and Cisco WiFi doesn’t work! http://support.microsoft.com/kb/2749073
NetApp/VMware -> Random storage disconnects… http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2016122
Exchange -> story of an exchange 2003 user with a working mailbox, but a corrupted OWA… Even Microsoft didn’t find a solution http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27900912.html

I’m not saying we weren’t the very first in the world with the problems above…
I’m just saying we were one of the first with those problems…

And I’m probably forgetting some issues…

Smartsys blog is coming up later this year!
It’ll be a place providing awkward situations as mentioned above, and as many answers and solutions as possible!

Stay tuned!

January 30 2013

13:20

The curse of Crypt32.dll

One single file, soooo many problems with it…

The file “crypt32.dll” is part of the Windows NT family.
It resides in c:\windows\system32\crypt32.dll, and its main function is to provide all kinds of cryptographic functions to the Windows OS.

Using yet another great tool from our good friend nirsoft, an overview of its first 50 (or so) functions:

Now, as some people already know, cryptography evolves (yep, it really does ). The main reason, because the old methods for securing data get cracked everyday… So new methods are needed!

This story is about the setup of a new PKI: a new CA in a mixed OS environment: XP, WS03, 7, 8, linux, mac, …
All these operating systems should be able to validate AND use the one root certificate.

So, we chose a deployment with a windows server 2008 r2 as root certificate authority.
One of the steps in this deployment is the decision on the hash of the root certificate.

Now, sha-1 isn’t that much of a deal anymore these days… It’s still good. But hey, we chose the much stronger sha-256 method (its direct successor).

Now the fun part starts.

Windows server 2003, R2 and XP until SP3 aren’t compatible with the sha-256 algorithm…
It’s only after a specific version of the crypt32.dll, the function to verify sha-256 signatures is available…
Aka: they can’t validate our new root certificate

And from here, things get only worse…

The version of crypt32.dll you need is 5014 (5.131.3790.5014).
Since 2009, there has been a hotfix available with this version. Also, since August 2012, there has been an update available through the Windows Update channel, containing this 5014 edition of the dll.

They are different…

Two builds, 2 different files, 1kb in size bigger, build time 30 minutes apart…

Using winmerge we see quite some difference…

So don’t bother with the Windows Update version (gdr - general distribution release), go for the hotfix version (qfe - quick fix engineering). You’ll have to install it manually (or using a gpo). But it’s a real disappointment to first try the gdr version, and find out nothing works as expected…
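
Since both builds carry the same version number, a version check alone cannot tell them apart. The following is an added example, not part of the original post, meant to be run from an admin workstation with PowerShell 4 or later: the hypothetical `Get-Crypt32BuildInfo` assumes the FileVersion string carries the build branch in parentheses, and the sample strings are constructed.

```powershell
# Added example, not from the original post.
$RequiredVersion = [version]'5.131.3790.5014'   # minimum version named in the post

function Get-Crypt32BuildInfo {
    param([Parameter(Mandatory = $true)][string]$FileVersion)
    # Assumption: the string looks like "5.131.3790.5014 (srv03_sp2_qfe.000000-0000)",
    # i.e. the four-part version followed by the build branch in parentheses.
    if (-not ($FileVersion -match '^\s*(\d+\.\d+\.\d+\.\d+)(?:\s*\(([^)]*)\))?')) {
        throw "Unrecognised FileVersion string: '$FileVersion'"
    }
    $version   = [version]$Matches[1]
    $buildText = [string]$Matches[2]
    $branch = 'unknown'
    if ($buildText -match '(qfe|gdr)') { $branch = $Matches[1].ToUpper() }
    [pscustomobject]@{
        Version      = $version
        Branch       = $branch
        MeetsMinimum = ($version -ge $RequiredVersion)
    }
}

# Constructed FileVersion strings (the build suffixes are made up for the demo).
$samples = @(
    '5.131.3790.5014 (srv03_sp2_qfe.000000-0000)',
    '5.131.3790.5014 (srv03_sp2_gdr.000000-0000)',
    '5.131.3790.4000 (srv03_sp2_gdr.000000-0000)'
)
$samples | ForEach-Object { Get-Crypt32BuildInfo -FileVersion $_ } | Format-List

# A real file: point $dll at the local copy, or at a target's copy over an admin share.
# The two 5014 builds share a version number, so the hash is recorded as well.
$dll = Join-Path $env:windir 'System32\crypt32.dll'
if (Test-Path -LiteralPath $dll) {
    $fileVersion = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
    Get-Crypt32BuildInfo -FileVersion $fileVersion |
        Add-Member -NotePropertyName SHA256 `
                   -NotePropertyValue (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash `
                   -PassThru |
        Format-List
}
```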

January 23 2013

18:19

AMD Madness with Windows 8

So I’ve installed Windows 8.
I didn’t install any driver manually.
Windows found almost everything using Windows Update.

And I like that

I don’t like hunting down drivers.
It’s stupid, consumes hours of precious time, and most of all: really boring…

Today, in my quest for good video editing software, I stumbled upon Sony Vegas 12.
So…

And a crash report…
Which was useless…

Because the most valuable crash report mentions something about “gpu acceleration”. I started wondering if its corresponding Windows driver was up to date…

I knew, from issues in the past, that AMD/ATI stopped supporting my -not that old- radeon 4870 in Windows 8…
Rendering my gpu legacy 2 years after purchase date… (see what I did there? )

Anyway, things like that have been overcome for years thanks to guru3D (modded mobility drivers anyone?)

And again, they came up with modded drivers for legacy graphics cards

windows update driver

guru 3d’s DriverVer=07/03/2012, 8.970.100.3000

Nevertheless, after installing this “seemingly” older driver, Sony Vegas still crashes…

And even better!

Now I have this as well:

Rolling back the driver to its “Windows Update” alter ego fixed one of the above issues.
But not all…

Stupid amd…

January 16 2013

20:34

Variable signing…

In my bed, the weirdest things happen…
Today, I woke up, and thought to myself: “why do people sign their code, but not their stored data & variables?”

Let’s explain what I mean…

I’ve been messing around with Windows Phone 7 quite some time.
And now Windows 8 has the same fun challenges.

Some (most) applications which are developed by home-programmers don’t take the time to “secure” themselves. Mostly because there isn’t time, money, or the effort is just too high…

Anyway, this results in a lot of apps you can play with

codeintegrity.cat

Nowadays, when you edit a W8 xaml file, the codeintegrity.cat (miaow) file makes sure your app crashes…
The codeintegrity file (part of the MS App Store) verifies the integrity of the code (no way ).
It’s a quick fix for a hack that came out a long time ago (the one where you could edit anything you wanted): www.extremetech.com/computing/143002-how-to-pirate-windows-8-metro-apps-bypass-in-app-purchases-and-more

Some thoughts: why isn’t all this encrypted/obfuscated/minimised/…, aka: why is it plain text?

A really good read from justin angel! It’s quite funny too!

So at least I’m not the only one who thinks like that!

But a solution can be that easy!
Take your vars, and multiply them by 4. Convert them to another type (var something = (new int32(1234).tochar() ). Create a stupid mathematical formula to “hide” your variables. Or even: don’t store your variables with easy names (the function of the variable “AmountOfGold=5000” isn’t THAT difficult to guess :-p ), or just salt the entire variablebullshit!

If only our precious NMBS would do that!
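
What signing a stored variable, as the title of this post asks for, can look like in practice: a keyed HMAC-SHA256 tag stored next to the value, so an edit is detected rather than merely harder to spot. This is an added example, not code from the post; the function names are hypothetical, and it assumes the key is kept where the person editing the file cannot read it (here it is simply generated in memory for the demo).

```powershell
# Added example, not from the original post.
function Get-ValueTag {
    param([string]$Name, [string]$Value, [byte[]]$Key)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    try {
        # Bind the tag to the variable name too, so a tag cannot be moved to another field.
        $data = [System.Text.Encoding]::UTF8.GetBytes("$($Name.Length):$Name=$Value")
        return ,$hmac.ComputeHash($data)
    }
    finally { $hmac.Dispose() }
}

function Protect-StoredValue {
    param([string]$Name, [string]$Value, [byte[]]$Key)
    $tag = Get-ValueTag -Name $Name -Value $Value -Key $Key
    [pscustomobject]@{ Name = $Name; Value = $Value; Tag = [Convert]::ToBase64String($tag) }
}

function Test-StoredValue {
    param($Record, [byte[]]$Key)
    $expected = Get-ValueTag -Name $Record.Name -Value $Record.Value -Key $Key
    try { $given = [Convert]::FromBase64String([string]$Record.Tag) } catch { return $false }
    if ($given.Length -ne $expected.Length) { return $false }
    # Compare every byte so the check takes the same time wherever the first difference is.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $given[$i])
    }
    return ($diff -eq 0)
}

# Demo key: 32 random bytes held in memory only (assumption, see the text above).
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()

# The post's own example variable, stored together with its tag.
$record = Protect-StoredValue -Name 'AmountOfGold' -Value '5000' -Key $key
$untouched = Test-StoredValue -Record $record -Key $key

# Someone edits the stored value but cannot recompute the tag without the key.
$record.Value = '999999'
$edited = Test-StoredValue -Record $record -Key $key

[pscustomobject]@{ UntouchedRecordValid = $untouched; EditedRecordValid = $edited } | Format-List
```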
