
February 17 2014

BitLocker is that often forgotten full disk encryption (FDE) tool from Microsoft.
It gives you the ability to encrypt your entire hard drive (or any external device) and roam around the globe without fear of a lost laptop turning into a data breach.

The default setting is AES with a 128-bit key. On Windows 7 that means AES 128 with the Elephant diffuser; Windows 8 dropped the diffuser, so a volume encrypted there reports plain AES 128 (CBC mode), as in the status output below. The Group Policy text quoted further down is the Windows 7-era wording.

There are PowerShell cmdlets (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector, …) on Windows 8 / Server 2012 and later (kernel 6.2+), and two command-line tools, manage-bde.exe and repair-bde.exe, for every Windows version that has BitLocker :-)
And the Control Panel applet of course…

Most configuration is done using Group Policy (local or domain). Some of those settings only take effect for volumes encrypted AFTER the policy is set: the encryption method, for one, is fixed at the moment you turn BitLocker on…
So check out the options before encrypting everything!


To quickly check your current status (and which encryption method you're using):

PS C:\Windows\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 237,96 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100,0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password

Two things worth reading off this output. "Used Space Only Encrypted" means sectors that held data before BitLocker was turned on were never overwritten, so on a drive that has been in use for a while, prefer full encryption (manage-bde -on without -UsedSpaceOnly). And the Key Protectors list is what actually unlocks the volume: you want a TPM (ideally TPM+PIN) protector for normal boots plus a numerical password for recovery; a volume whose only protector is the numerical password asks for the 48-digit key at every boot.

Sidenote on key length

AES-256 isn't meaningfully safer than AES-128 here: a 128-bit key is already far beyond any brute-force attack, so for disk encryption the longer key mostly buys extra CPU time per sector. Microsoft's own guidance, quoted below, ends up recommending AES 128 for most organisations:

Choose the encryption strength

BitLocker supports two levels of cipher strength for BitLocker: 128-bit and 256-bit. Both use the Advanced Encryption Standard (AES) to perform encryption. Longer encryption keys provide an enhanced level of security and are less likely to be successfully attacked by the use of brute-force methods. However, longer keys can cause slower encryption and decryption of data. On some computers, using longer keys might result in noticeable performance degradation. You can use Group Policy to change the length of the encryption key used by BitLocker.

In addition, BitLocker supports a Diffuser algorithm to help protect against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses. By default, BitLocker uses AES encryption with 128-bit encryption keys and Diffuser. You can also select encryption without Diffuser by using Group Policy if your organization is Federal Information Processing Standard (FIPS) compliant.

It is recommended that most organizations use AES 128-bit with Diffuser. For organizations that are required to use 256-bit encryption, the AES 256-bit with Diffuser option can be enabled by using Group Policy.

Sidenote on the recovery key

Keep that key somewhere quickly accessible. Especially with Windows 8…
On your phone, a hard copy in your wallet, a tattoo on your arm…
(In a domain, the sane version of this is the Group Policy that stores the recovery password in Active Directory, so the help desk can read it back with the BitLocker Recovery Password Viewer instead of you carrying it around.)

When Windows 8 detects that something went wrong while booting, it tries to recover itself.
But it can't recover without the partition unlocked, so you'll need to enter the key.
When you cannot unlock it and reboot again, it's just going to try to recover again.
And you're looping forever…

Damn Windows 8!
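The same status check through the Windows 8+ BitLocker cmdlets, as an added example (not code from the original post): it reports the encryption method per volume, confirms a TPM-based protector exists rather than only the numerical password, and escrows the recovery password to Active Directory. The AD backup assumes a domain-joined machine with the matching Group Policy; run it elevated.

```powershell
# Added example. Audit every BitLocker volume: method, status and which
# protector types are present. Requires the BitLocker module (Windows 8+).
function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            Method       = $vol.EncryptionMethod      # Aes128, Aes256, Aes128Diffuser, ...
            Status       = $vol.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
            Protection   = $vol.ProtectionStatus
            # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all start with "Tpm"
            TpmProtector = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
            RecoveryIds  = @($recovery | ForEach-Object { $_.KeyProtectorId }) -join ','
        }
    }
}

# Escrow the recovery password(s) of one volume to AD DS. Creates a numerical
# password protector first if the volume has none. Assumes the GP
# "Store BitLocker recovery information in Active Directory Domain Services" is on.
function Backup-BitLockerRecoveryToAD {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        $rp = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        "$MountPoint protector $($p.KeyProtectorId) backed up to AD"
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

A row with TpmProtector False and a non-empty RecoveryIds is exactly the "Numerical Password only" situation from the manage-bde output above; Add-BitLockerKeyProtector -TpmProtector (or -TpmAndPinProtector with a SecureString) fixes that on a machine with a TPM.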

January 02 2014


PowerShell $Profile

Type $profile into a PowerShell window and you'll get something like C:\Users\username\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 in return.

It's actually just another .ps1 file that gets run every time you open a PowerShell console (there are four of them: per-user/per-host, per-user/all-hosts, and the two all-users variants under $PSHOME; $profile alone is the first one).
This gives you a really easy way to add custom PS snippets to your environment!
And we all have these pieces of code we use almost daily…

Because it runs silently at every start-up, the profile is also a favourite persistence spot for malware (MITRE ATT&CK T1546.013), so keep the file and its directory writable only by you, and think twice before appending that directory to $env:PATH as the first lines below do.

To get started, follow this TechNet guide.

In the end, you'll get yourself a Notepad file you can edit :-)

Here are some useful functions you can paste into it!
Some functions come directly from David Little (thanks!)

$ProfileRoot = (Split-Path -Parent $MyInvocation.MyCommand.Path)
$env:path += ";$ProfileRoot"   # puts a user-writable directory on PATH (see the note above)

# run a program elevated (UAC prompt), e.g.  elevate notepad C:\Windows\System32\drivers\etc\hosts
function elevate {
    $file, [string]$arguments = $args
    $psi = New-Object System.Diagnostics.ProcessStartInfo $file
    $psi.Arguments = $arguments
    $psi.Verb = "runas"
    $psi.WorkingDirectory = Get-Location
    [System.Diagnostics.Process]::Start($psi) | Out-Null
}

# open a file in Notepad++ (or just Notepad++ itself when called without arguments)
function Edit {
    param(
        [Parameter(Mandatory = $False, ValueFromPipeline = $True, ValueFromRemainingArguments = $True, Position = 0)]
        [string]$File
    )
    Process {
        $app = "C:\Program Files (x86)\Notepad++\notepad++.exe"
        if ($File) {
            $parameters = '"' + $File + '"'
            $options = New-Object "System.Diagnostics.ProcessStartInfo"
            $options.FileName = $app
            $options.Arguments = $parameters
            $options.WorkingDirectory = $pwd
            $temp = [Diagnostics.Process]::Start($options).WaitForInputIdle(500)
        } else {
            Invoke-Item $app
        }
    }
}

# open a folder in Explorer
function Open($path) {
    explorer $path
}

# edit this profile itself ($profile holds the same path, so you don't have to hard-code it)
function Edit-Profile {
    edit "C:\Users\lennert\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"
}

# put the machine to sleep
function sleepcomputer {
    Add-Type -Assembly System.Windows.Forms
    [System.Windows.Forms.Application]::SetSuspendState("Suspend", $false, $true)
}

You can also add other ps1-files from that directory!
More coming up later ;-)
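Since every one of those profile files is code that runs at each shell start-up, here is an added example (not from the original post or from David Little's profile) that audits all four locations: does the file exist, what is its SHA-256, and which identities are allowed to write to it. It assumes Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: audit the four PowerShell profile locations.
# A profile that "Everyone" or "Users" can write to is a persistence hole.
function Get-ProfileAudit {
    $locations = [ordered]@{
        AllUsersAllHosts       = $PROFILE.AllUsersAllHosts
        AllUsersCurrentHost    = $PROFILE.AllUsersCurrentHost
        CurrentUserAllHosts    = $PROFILE.CurrentUserAllHosts
        CurrentUserCurrentHost = $PROFILE.CurrentUserCurrentHost
    }
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($name in $locations.Keys) {
        $path    = $locations[$name]
        $exists  = Test-Path -LiteralPath $path
        $writers = @()
        $hash    = $null
        if ($exists) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # every Allow ACE that carries any of the write bits
            $writers = (Get-Acl -LiteralPath $path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               (([int]$_.FileSystemRights) -band $writeBits) -ne 0 } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
        }
        [pscustomobject]@{
            Scope   = $name
            Path    = $path
            Exists  = $exists
            Sha256  = $hash
            Writers = ($writers -join ', ')
        }
    }
}

Get-ProfileAudit | Format-Table -AutoSize
```

Record the hashes once and re-run the audit after updates or new software installs; an unexpected change in an AllUsers profile (they live under $PSHOME and need admin rights to write) is worth a closer look.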

December 20 2013


A Sony Vaio Pro!

Let's review my new laptop. :-)

Sony's successor for their well-known Z series!
It's incredibly thin, and deserves Intel's "Ultrabook" label (hence, without touchscreen :P ).

  • It features Intel's latest generation CPU: Haswell
  • A nowadays basic amount of RAM: 8GB
  • An awesome M.2 PCIe-based solid state disk (not really a disk any more, but more of a fancy PCB)
  • A 1080p IPS display
  • And a pretty good battery as well!
  • An optional Trusted Platform Module (jej, BitLocker!)

So, the first thing you notice when you hold it: it's sooooo incredibly light (<1kg!)! :-d
Even if you have ever held a MacBook Air, you would be stunned. And that's just awesome <3

The carbon doesn't feel that strong, but I'm always pretty careful with my tech :-)
But I can imagine people could actually break the device…

The Haswell i7-4500U (1.8GHz – 3.0GHz, running at 0,677 volts and using between 0,93 and 8,78 watts of power) is just awesome. On high performance it's actually really fast, on battery saver it's really slow. :-)
8GB of RAM is perfect! You can run multiple VMs (of course using Hyper-V) simultaneously without any stuttering.

The touchpad performs great as well; it's plastic (not glass like on Apple devices), so it's not always that great.

Battery runs around 7-8 hours. Which is pretty good! :-D

The presence of a Trusted Platform Module means BitLocker works fine :-)

I'm currently using Windows 8.1 Enterprise x64 on it; it feels just incredibly fast, and that's how I like it!

The only thing I'm actually missing is an Ethernet port… I wouldn't use it often, but sometimes it's just that little bit easier to get into a foreign network =)
So I ordered one on DX.com :-)


December 18 2013


Enhanced Mitigation Experience Toolkit

Install it on your computer.

It's that nice extra barrier between Microsoft Windows and a whole lot of malware: it forces mitigations such as DEP, SEHOP, mandatory ASLR and the ROP checks onto applications that were never compiled to opt in to them.

In fact, Microsoft should just enable these settings by default, but apparently they're afraid to do it…
(In some cases it can actually break applications. For example Skype has known issues with EMET…)


Troubleshooting AD RMS

Because there still is a huge lack of documentation about Microsoft AD RMS, here are some hints and tricks!

  • First thing: irmcheck! Go use it!
  • Always check the NTFS ACLs on the server-side files, in particular the .asmx web service files.
  • The SQL ConnectionString is located in the registry.

  • MSIPC (RMS client 2.0, in Windows 8 and Office 2013) caches in the registry and in %localappdata%:
  • REGISTRY:\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name>\Template (HKCU or HKLM)
  • %localappdata%\microsoft\msipc
    Hint: you can delete the files with overly long names in there with "rmdir MSIPC /s" in cmd (for some reason it doesn't work in PowerShell).
  • Advanced troubleshooting on OSI layer 7: Fiddler (enable HTTPS decryption). Really, put it in between! You'll get far more useful error messages than "cannot connect to the server" or "cannot use this feature without credentials"…
    Even better, go Wireshark (note: that means an SSL/TLS man-in-the-middle on the test client, so you're deliberately installing an interception root certificate there; remove it afterwards)!
  • The older MSDRM (RMS client 1) puts everything in %localappdata%\Microsoft\DRM. There you can find your user and machine certificates, and templates.
    Registry keys live under REGISTRY:\software\microsoft\msdrm
  • Always check the IIS certificates! If there's something wrong there, nothing will ever work!

Please, open them up: they're just XML (XrML) and contain a lot of information! For example, in the GIC file you can confirm your RMS location. Don't bother trying to modify them, they're signed, so any edit invalidates the certificate… But you definitely should check them for having :443 in their URLs (check this article)
GIC (Group Identity Certificate) = RAC (Rights Account Certificate)
CLC (Client Licensor Certificate)
CERT-Machine = SPC (Security Processor Certificate)

More about those 3 files in here

  • When you need to go deeper, use DebugView (or something newer: TraceSpy). This works for both MSDRM and MSIPC,
    server-side and client-side.
  • Go and check the Windows Event Logs. The RMS client doesn't actually log anything there, but it can be a source of good information anyway!
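The ":443 in the URLs" check above, done for every cached certificate at once, as an added example that is not part of the original post. It scans the two client cache folders named in the post (MSDRM and MSIPC), pulls every http(s) URL out of the XrML with a regular expression and flags the ones that carry an explicit port. File names and extensions are not assumed; every file under those folders is read.

```powershell
# Added example: list the URLs embedded in the cached RMS certificates
# (RAC/GIC, CLC, SPC, templates) and flag explicit ports such as :443.
function Get-RmsCertUrl {
    param(
        [string[]]$Path = @("$env:LOCALAPPDATA\Microsoft\DRM",
                            "$env:LOCALAPPDATA\Microsoft\MSIPC")
    )
    # XrML is XML, so a URL ends at whitespace, a quote or an angle bracket
    $urlRegex = 'https?://[^\s"<>]+'
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
            $file = $_
            $text = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { return }        # unreadable or empty: skip this file
            [regex]::Matches($text, $urlRegex) |
                ForEach-Object { $_.Value } |
                Sort-Object -Unique |
                ForEach-Object {
                    $uri = $_ -as [uri]
                    [pscustomobject]@{
                        File         = $file.Name
                        Url          = $_
                        Host         = if ($uri) { $uri.Host } else { $null }
                        # scheme://host:port/... means a port was written out explicitly
                        ExplicitPort = ($_ -match '^https?://[^/]+:\d+')
                    }
                }
        }
    }
}

# the rows you care about for the :443 problem
Get-RmsCertUrl | Where-Object ExplicitPort | Format-Table File, Url -AutoSize
```

Run it as the affected user (the DRM and MSIPC folders are per user); an empty result means no certificate pins an explicit port, and the cluster URL in the GIC/RAC rows is the RMS location the client actually trusts.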

November 27 2013


Migrate users to lync online!

After a few years of fighting with Lync 2010, we decided to stop running this service on premises and migrate everyone to the cloud/Office 365!

For something like Lync, privacy and auditing aren't that important (not yet), so we guessed we can trust Microsoft on this one…

  • First thing to do: create a trust between Microsoft and our on-premises AD.

This is done by implementing AD FS.
On top of that, you need an active "DirSync", syncing your AD to the cloud.

To create the hybrid set-up with an on-premises Lync environment and the "in the cloud" Office 365 one, you'll need the latest iteration of the Lync server software: version 2013.
So, we added the Lync 2013 servers to our 2010 deployment. And after some little hassles, everything started to work. (Single IP deployment; you can google around how to set it up.)

You need a Lync 2013 Edge and Front End, because we'll need some specific features introduced in 2013.

  • Next: the Office 365 part.

Office 365 is a complete software-as-a-service platform from Microsoft offering SharePoint, Exchange, Lync and some more Microsoft services in the cloud. It's pretty cool actually.
I've never been too fond of Office 365: it's cool, nice and cheap when everything is working. But when it starts failing… You're gone… AAAND you always have to mention the Patriot Act…

Anyway, since its February wave of updates, Office 365 became even more functional!
Its PowerShell support got an update, and now supports Lync Online cmdlets!

Before, you actually had to ask Microsoft to enable PowerShell for Lync Online because it was in beta. Nowadays (since August), everyone gets it!
So, nice again :-)

MSOL PowerShell doesn't support a lot of cmdlets, but at least some essentials.

  • To be able to migrate a user, we'll have some more requirements: on-premises Active Directory tweaking and Office 365 domain setup.

Of course you need to connect your DNS domain to your Office 365 tenant (can be done easily using DNS verification).

Next, make sure your AD UPN (username@domain.com) corresponds to your Lync domain and your Office 365 account. You can add the domain as a custom UPN suffix in AD.
So, you'll have an internal AD user frafra@domain.com, name.firstname@lyncdomain.com as SIP address, and the same frafra@domain.com as Office 365 user (synced by DirSync).
Your Lync domain doesn't exactly have to be the same as your login domain, but hey, "why make it simple and functional if you can make it complex and wonderful?!"…

After that, you can fire up PowerShell!

First of all, you have to add Lync Online as a trusted hosting provider on your on-premises Lync, and you have to make your on-premises Lync share the SIP address space with Lync Online.
Use "Set-CsHostingProvider" (or New-CsHostingProvider) with -EnabledSharedAddressSpace $true here…

And then you can actually move someone between both environments! :-) (Make sure the user has an Office 365 license assigned.) Again, all of it can be done in PowerShell.

So, connect to your on-prem Lync and Office 365, and push your users to the cloud!

# two credentials: an on-premises Lync admin and an Office 365 admin (may be the same account)
$AdminUsername = Get-Credential -Message "On-premises Lync admin"
$cred = Get-Credential -Message "Office 365 admin"

# on-premises Lync 2013 (no -ErrorAction SilentlyContinue here: a failed session would just mean every later cmdlet is missing)
$CSSession = New-PSSession -ConnectionUri https://onpremlync.contoso.lcl/ocspowershell -Credential $AdminUsername
Import-PSSession -Session $CSSession
# exchange online
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $ExSession
Connect-MsolService -Credential $cred
# lync online (-AllowClobber lets its cmdlets overwrite same-named on-prem ones; use -Prefix on one of the imports if you need both side by side)
Import-Module LyncOnlineConnector
$CSolSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSolSession -AllowClobber

# licence first (a usage location is required before a licence can be assigned), then move
Get-MsolUser -UserPrincipalName user@contoso.com | Set-MsolUser -UsageLocation "BE"
Set-MsolUserLicense -UserPrincipalName user@contoso.com -AddLicenses CONTOSO:MCOSTANDARD
Get-CsUser user@contoso.com | Move-CsUser -Credential $cred -Target "sipfed.online.lync.com" -HostedMigrationOverrideUrl "https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc" -ProxyPool "onpremlync13registrar.contoso.lcl"
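Before pushing a whole batch of users through Move-CsUser it pays to verify the prerequisites the post lists, so here is an added pre-flight check (not code from the original post). It assumes the on-premises Lync, MSOnline and Lync Online sessions above are already imported, checks that the hosting provider for sipfed.online.lync.com exists with a shared SIP address space, and reports per user whether the on-prem SIP address, the tenant account, its usage location and a Lync Online licence line up. The UPN in the usage line is made up.

```powershell
# Added example: readiness check for a Lync on-prem -> Lync Online move.
function Test-LyncMoveReadiness {
    param([Parameter(Mandatory = $true)][string[]]$UserPrincipalName)

    # the hybrid trust the post configures with Set-/New-CsHostingProvider
    $hp = Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq 'sipfed.online.lync.com' }
    if (-not $hp -or -not $hp.Enabled -or -not $hp.EnabledSharedAddressSpace) {
        throw "No enabled hosting provider for sipfed.online.lync.com with EnabledSharedAddressSpace"
    }

    foreach ($upn in $UserPrincipalName) {
        $cs   = Get-CsUser -Identity $upn -ErrorAction SilentlyContinue            # on-prem
        $msol = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue  # tenant
        $sip  = if ($cs) { $cs.SipAddress -replace '^sip:', '' } else { $null }
        # any provisioned MCO* (Lync Online) service plan counts as a Lync licence
        $lync = $msol -and ($msol.Licenses.ServiceStatus | Where-Object {
                    $_.ServicePlan.ServiceName -like 'MCO*' -and $_.ProvisioningStatus -eq 'Success' })
        [pscustomobject]@{
            Upn           = $upn
            SipAddress    = $sip
            SipMatchesUpn = ($sip -eq $upn)          # recommended, not strictly required (see the post)
            OnPrem        = [bool]$cs
            InTenant      = [bool]$msol
            UsageLocation = if ($msol) { $msol.UsageLocation } else { $null }
            LyncLicense   = [bool]$lync
            Ready         = [bool]($cs -and $msol -and $msol.UsageLocation -and $lync)
        }
    }
}

Test-LyncMoveReadiness -UserPrincipalName 'user@contoso.com' | Format-Table -AutoSize
```

Only rows with Ready = True should be fed to Move-CsUser; a False in LyncLicense is the "make sure the user has an Office 365 license assigned" case from the text, and a False in SipMatchesUpn is the "complex and wonderful" set-up the post jokes about.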

November 21 2013


Windows Remoting Differences

WS-Management (WS-Man): the cross-platform open standard (DMTF) for remote management over SOAP/HTTP(S).
WinRM: Microsoft's implementation of WS-Man, the service that listens on TCP 5985 (HTTP) and 5986 (HTTPS).
PSSession: built on top of WinRM, a persistent remote runspace made very easy to use in PowerShell.
Invoke-Command: uses PSSessions (or creates temporary ones), meant for running the same command on many machines at once.

Play with it!
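The four layers above from the client side, as an added example (not from the original post): look at the local WinRM listeners and the TrustedHosts list, test that the remote end answers over TLS, then open one PSSession and run a command through Invoke-Command. The target host name is a placeholder.

```powershell
# Added example: WS-Man / WinRM / PSSession / Invoke-Command in one pass.
$target = 'srv01.contoso.lcl'   # placeholder

# What the local WinRM service exposes: one entry per listener (transport, port, host name).
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath |
        Where-Object Name -in 'Transport', 'Port', 'Hostname' |
        Select-Object @{n = 'Listener'; e = { $_.PSParentPath -replace '.*\\' }}, Name, Value
}

# TrustedHosts = machines you are willing to send credentials to without Kerberos
# mutual authentication. Keep it empty (or very narrow); "*" is the classic mistake.
Get-Item WSMan:\localhost\Client\TrustedHosts

# WS-Man identify request to the remote end over HTTPS (port 5986): proves the
# service is up and the certificate chain checks out before any credentials go over.
Test-WSMan -ComputerName $target -UseSSL

# One persistent session, one command, session cleaned up afterwards.
$s = New-PSSession -ComputerName $target -UseSSL
try {
    Invoke-Command -Session $s -ScriptBlock {
        [pscustomobject]@{
            Host  = hostname
            User  = whoami
            WinRM = (Get-Service WinRM).Status
        }
    }
} finally {
    Remove-PSSession $s
}
```

Drop -UseSSL only inside a domain where Kerberos does the mutual authentication; plain HTTP to a host that is only reachable via TrustedHosts means NTLM to a server you never verified.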

September 26 2013


Azure Powershell

Did you know you can actually deploy an entire server farm with just a bunch of code =)
Just by using PowerShell!

PowerShell for Microsoft Azure was introduced in June 2012 (src), so it has been around for quite some time. Still, I learned of its existence only recently…
And DAMN, you can do awesome things with it!

Some Czech university got me started.
The article can be found over here: http://ulita.ms.mff.cuni.cz/pub/predn/NSWI152/azure/watk/Labs%5CDeployingActiveDirectoryPS%5CHOL.htm

First, of course, download the Azure PowerShell pack!
This pack contains the Azure module for PowerShell, and provides a whole bunch of cmdlets: http://msdn.microsoft.com/en-us/library/jj152841.aspx
(What's described here is the classic Azure Service Management module; it has since been retired in favour of the Az module, but the flow is the same.)

Second, you need a subscription file. This file lets you connect to the Azure environment.
The subscription file is actually just an XML file containing the management certificate, private key included: whoever holds it has full control over the subscription, so treat it like a password and delete it once it has been imported.
You can connect to Azure using this file, or manually load the certificate from Azure (yay, 2 options).
You import the publishsettings file by running

Import-AzurePublishSettingsFile C:\users\deswale\Desktop\mendelazure.publishsettings

Download (Get-AzurePublishSettingsFile) and import it only once: every download generates a fresh management certificate in the subscription, which gets messy in Azure.

So, you've imported your publishsettings file and you're connected to Windows Azure.
Next on the to-do list.

The very first time, you have to create a storage account to host all your data (virtual hard disks and stuff).
Next you'll have to create a virtual network. Yep, you can even define your networks in XML and upload them to Azure! For example: this one!
And you need an affinity group! (This makes sure your virtual environment is hosted in the same geographical region. You don't want your CPUs running in America with your data stored in Asia, do you? :P )
So, run some basic commands:

New-AzureAffinityGroup -Name "MendelGroup1" -Location "North Europe"
New-AzureStorageAccount -StorageAccountName "mendelstorage1" -Label "First Storage Group" -AffinityGroup "mendelgroup1"
Set-AzureSubscription -SubscriptionName "Gratis evaluatieversie" -CurrentStorageAccount "mendelstorage1"
Get-AzureVMImage | select ImageName
$ConfigPath = "c:\users\mendel\desktop\networkconfig.xml"
Set-AzureVNetConfig -ConfigurationPath $ConfigPath

# read the admin password interactively instead of leaving it in the command history
$adminPassword = Read-Host "Admin password for THEMachine"
New-AzureQuickVM -Windows -ServiceName "MendelService" -Name "THEMachine" -ImageName "a699494373c04fc0bc8f2bb1389d6106__Windows-Server-2012-R2-Preview-201306.01-en.us-127GB.vhd" -Password $adminPassword -AdminUsername "mendel" -Location "North Europe"

And in the end, you can create something like this: http://blogs.technet.com/b/yungchou/archive/2013/07/31/automating-windows-azure-infrastructure-services-iaas-deployment-with-powershell.aspx – WARNING, can be too awesome to handle…

At the moment we’re writing a script with a nice collection of azure-features.
Will be publicly available later!

August 28 2013


Working with AD RMS

In PowerShell it's quite a hassle…

You need this http://technet.microsoft.com/en-us/library/ee221079.aspx
And this http://technet.microsoft.com/en-us/library/ee617271.aspx

Yes, those are the only cmdlets available…

Import-Module AdRmsAdmin
Import-Module adrms

First you need to create the virtual drive using New-PSDrive.
Call it whatever you want:

new-psdrive -name test -psprovider adrmsadmin -root https://localhost

Browse to it:

set-location test:\trustpolicy
or simply cd test:\

And now you have a virtual "drive" containing all the RMS configuration.
You can even "dir" and "cd" in it!

PS test:\trustpolicy\TrustedPublishingDomain> dir

    Hive: Microsoft.RightsManagementServices.Admin\AdRmsAdmin::test:\trustpolicy\TrustedPublishingDomain

Id    DisplayName       Type       CSP                     KeyContainer            CryptoMode
--    -----------       ----       ---                     ------------            ----------
100   tsfdemo2013app1   Internal   AD RMS centrally m...   AD RMS centrally m...   2

Here you can run the cmdlets from the links mentioned above. Export-RmsTPD, for example, writes the trusted publishing domain, including the server licensor certificate's private key, to a password-protected file, so pick a strong password and guard the file like the cluster's own key:

PS test:\trustpolicy\TrustedPublishingDomain> Export-RmsTPD -Path .\100 -SavedFile C:\users\tsfadmin.CORP\Desktop\file12
cmdlet Export-RmsTPD at command pipeline position 1
Supply values for the following parameters:
Password: **************
Please type in a confirmed password:**************
PS test:\trustpolicy\TrustedPublishingDomain>
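The same walk through the AdRmsAdmin drive as a script, as an added example that is not part of the original post: mount the drive, list the trusted publishing domains, export the first one with a password that never touches the command history, then lock the exported file down to the current user and record its hash. The drive name, output path and the choice of the first TPD are placeholders.

```powershell
# Added example: scripted TPD export with the file protected afterwards.
Import-Module AdRmsAdmin

if (-not (Get-PSDrive -Name rms -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name rms -PSProvider AdRmsAdmin -Root https://localhost | Out-Null
}

$tpds = @(Get-ChildItem rms:\TrustPolicy\TrustedPublishingDomain)
$tpds | Format-Table Id, DisplayName, Type, CryptoMode -AutoSize
if ($tpds.Count -eq 0) { throw "No trusted publishing domain found" }

$tpd = $tpds[0]
$out = Join-Path $env:USERPROFILE "Desktop\tpd-$($tpd.Id).xml"

# SecureString prompt: the password is neither on the command line nor in history
$password = Read-Host -AsSecureString "Password for the exported TPD $($tpd.DisplayName)"
Export-RmsTPD -Path "rms:\TrustPolicy\TrustedPublishingDomain\$($tpd.Id)" -SavedFile $out -Password $password

# The export contains the SLC private key: drop inherited ACEs and leave only the current user.
icacls $out /inheritance:r /grant:r "$env:USERDOMAIN\${env:USERNAME}:F" | Out-Null

# Record what was exported so the copy handed over later can be verified.
Get-FileHash -LiteralPath $out -Algorithm SHA256 | Select-Object Hash, Path
```

Hand the hash and the password over through separate channels from the file itself; the file on its own is useless, the three together are the cluster.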

August 13 2013


IIS as a reverse proxy for Apache and wordpress

Another story that had been sitting around since November 2012 (lol :D ).
The only thing that has changed: ARR (read on) is now officially supported by Microsoft!
They're even almost/perhaps/maybe/theoretically/optionally considering it as a successor for TMG 2010 :P

Anyway, this post is not entirely correct. What we were trying to do was reverse proxy to a sub-directory. That didn't work…
But you can get a feeling for the possibilities of IIS's ARR.

3 days later, but I solved this terrible situation…

The story

Our current website http://www.smartsys.be runs on an ASP.NET-powered CMS called "umbraco" (url).
So, that makes it need IIS and MS SQL accordingly…

Second part of the story: we want to introduce a blog with our success stories!
Number one blog software of our choice: WordPress (of course :-) )

But, as we all know, WordPress runs on PHP and not ASP, with a MySQL database to go with it…

The options:

  1. install PHP/FastCGI on IIS, mess around with its config, use MS SQL as backend DB, and run everything in IIS…
  2. use Apache for both reverse proxying and serving the WordPress pages
  3. let IIS serve our umbraco web pages and set it up as a reverse proxy for Apache!

So, in the end, we tried only the last two options.
I didn't actually want to try and install PHP in IIS and maybe mess up our actual web service…

The result

Apache as reverse proxy didn't end very well…
Actually, it didn't work at all…
No idea why, didn't put much effort in it…

On the other hand, IIS as reverse proxy wasn't easy either…
It took almost 3 days to figure out what went wrong, how to avoid it from happening, and in the end: how to solve it!
note: not 3 full days, but "some time during 3 days" ^^

So, a little how-to:

First of all, you need IIS; just enable the feature on your Windows or Windows Server.
Secondly, you need "Application Request Routing" (ARR). You can download and install this without taking down your website.
This module is officially supported by Microsoft!

So, when both are installed, you can start configuring…

Enable ARR for your site: select your server in IIS Manager, open Application Request Routing under the IIS options, choose "Server Proxy Settings" from the Actions pane, tick "Enable proxy" and press Apply.
(That switch is server-wide: from now on any rewrite rule whose target is an absolute URL gets forwarded by ARR, so keep the inbound patterns tight, as below.)

Secondly, we can start reverse proxying!

Select your site, in our example the "Default Web Site", and open the "URL Rewrite" module.
Here is where the magic should happen!

You can easily add a new rule by clicking "Add Rule(s)". And in our case, we're choosing "Reverse Proxy".

Next, choose the path for your destination server, in our case being "http://localhost:8080/test/".
Also, in the case of WordPress (very important): enable outbound rules, these are the rewrite rules for the response…

One of the main issues that took so long to understand was a redirection issue: WordPress itself tries to redirect you to the site URL in its config, while IIS tries to rewrite the request to the WordPress folder. Resulting in endless 301 redirections… So, watch out here!
At first, I believed I could fix it by changing the config in WordPress. And I took too long trying to fix it that way. In the end (and what we're doing in this manual) letting IIS handle all the reverse proxy work does the job…

So after adding this rule, we need to correct it somehow.
The default settings are not really good enough (maybe in your case they are!)

So, let's have a look at the inbound rule. Just open it.
I'm going to change the "pattern" IIS filters on from "(.*)" to "^test/(.*)". This makes only requests for "blog.smartsys.be/test/" get accepted (and proxied); everything else is still served by IIS itself.

Secondly, you have to add {R:1} to the end of the "rewrite URL". Otherwise things like http://blog.smartsys.be/test/wordpress/wp-admin/index.php would never work. {R:1} is the first capture group of the pattern, i.e. the rest of the path from the initial request, which gets appended to the rewritten URL…

That's it, apply and close; next we'll have a look at the outbound rule.

So, the big problem with WordPress is something with redirection. So, in the end, I made it undetectable for WordPress that it's being reverse proxied. So, from WordPress's point of view, it's just running on localhost:8080.

This implies we need to rewrite localhost:8080 to something externally available, in our case "blog.smartsys.be"…
This is where the "outbound rule" comes in!

I just modified some parts of the default configuration that the "Add Reverse Proxy" wizard created before.

At first: match all content (not just the A/Form/Img tags the wizard selects)!
The pattern should be "^http(s)?://localhost:8080/(.*)"
And the action value becomes: "http://blog.smartsys.be/{R:2}"

So, I hope you don't spend any time trying to let WordPress fix it (because it won't), just let IIS do all the work!
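What the clicks above produce is a rewrite section in the site's web.config. Here is an added example (not from the original post) that emits that section with the inbound and outbound rules exactly as described, parametrised on the public host name, backend and path prefix, and validates that the result is well-formed XML. The host names, port and "test" prefix are the ones from the post; the rule names are made up. The function only produces the fragment; merge it into the site's web.config yourself.

```powershell
# Added example: ARR/URL Rewrite rules for proxying /<prefix>/ to a backend.
function New-ArrReverseProxyRules {
    param(
        [string]$PublicHost = 'blog.smartsys.be',
        [string]$Backend    = 'http://localhost:8080',
        [string]$Prefix     = 'test'
    )
    # host:port of the backend as WordPress writes it into its own links
    $backendAuthority = [regex]::Escape(([uri]$Backend).Authority)
    $xml = @"
<system.webServer>
  <rewrite>
    <rules>
      <!-- inbound: only /$Prefix/... is proxied; {R:1} is the rest of the path -->
      <rule name="ReverseProxy-$Prefix" stopProcessing="true">
        <match url="^$Prefix/(.*)" />
        <action type="Rewrite" url="$Backend/$Prefix/{R:1}" />
      </rule>
    </rules>
    <outboundRules>
      <!-- outbound: rewrite backend self-references in the whole HTML body (filterByTags="None"),
           not only in A/Form/Img tags, so WordPress redirects and links point at the public host -->
      <rule name="ReverseProxy-$Prefix-Outbound" preCondition="ResponseIsHtml">
        <match filterByTags="None" pattern="^http(s)?://$backendAuthority/(.*)" />
        <action type="Rewrite" value="http://$PublicHost/{R:2}" />
      </rule>
      <preConditions>
        <preCondition name="ResponseIsHtml">
          <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>
"@
    [xml]$parsed = $xml          # throws if the fragment is not well-formed
    return $parsed.OuterXml
}

New-ArrReverseProxyRules
```

One caveat that bites with outbound rules: if Apache gzips its responses, URL Rewrite refuses with "Outbound rewrite rules cannot be applied when the content of the HTTP response is encoded". Either turn compression off on the backend or blank the HTTP_ACCEPT_ENCODING server variable in the inbound rule (that variable first has to be allowed under the site's "View Server Variables" list).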

August 12 2013


Secure sync of Passwords!

The interwebz is a complex wasteland.
Almost every website requires a login. And I don't want to use the same password everywhere!
I have some categories in my "default" passwords: the simple password (19 bits) for the "one-time-use" websites, the more complex ones (still only max 65 bits) for the "special sites" like Facebook, Google, or my HR department… Actually, my "toughest" password (my Cronos admin password) only reaches 87 bits…

Anyway, when you're on the internet for a couple of years, you gather some accounts.
Lots of them.

And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you're on a holiday and you need to log in to your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that's another story…

The last couple of years I always made use of random sync tools. At first the sync tools from Mozilla itself, later on some other third-party tools, but the last tool I got stuck with was Xmarks. But last year it was bought by LastPass. So all my passwords were suddenly in their hands…
I'm not sure I like that…

But I kept using it, because it comes in damn handy!
All your passwords perfectly in sync between devices, nice plugins for every browser, and even a nice web interface!

But, still, you trust your passwords to someone else…

Anyway, this week I started doing some consultancy (read: they're teaching me) for another Cronos Group company working on InfoSec (another blog post about this will follow!). And the first thing that happened when firing up my laptop in front of these guys was Firefox opening, and LastPass popping up…

10 seconds later, my new boss mentioned something like "goe bezig", roughly translated to "nice going"

Anyway, today I present you: THE SOLUTION

Your own sync tool built around KeePass!

I've been using KeePass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it offline. I open it, copy-paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!

Until today, on my first hit on Google: "keepass firefox" :P

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox; you also need a plugin for KeePass (KeePassHttp, which exposes KeePass as a small HTTP web service on localhost), and you're good to go! Uninstall LastPass, throw away all other third-party related crap you don't want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own AES-256 encrypted KeePass DB!

The really interested reader now wants to shout "you're not syncing anything between computers!".
But then I would answer "you're too soon with your remark" :P

Put all of the above in SkyDrive/Dropbox/ownCloud/anything, and you can run around using your passwords everywhere!
(Since the database now lives on somebody else's storage, the only things standing between a leaked copy and your passwords are the master password and the key transformation rounds: make the first long and crank up the second.)

Some remarks on PassIFox: browse to any website with a login field, right-click -> fill user & pass. This is the only known interface to the Firefox plugin! Use this to set up the initial connection with KeePass (a "connect" prompt will appear). That association prompt is what keeps any other local process from quietly asking KeePassHttp for your passwords, so only approve the one you expect.

Some remarks on the entire process: I always trusted sites like LastPass. I don't know exactly why. But when you work for an InfoSec company, you can't risk anything. Right? :-)
Maybe it was out of laziness, because LastPass just works that handily :P But in the end, so does PassIFox! So please, when you read this, think twice about who you trust with what!

Remark on SkyDrive/Dropbox/ownCloud: even Microsoft's SkyDrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to log off from any Live-enabled website and someone can have access to these files as well. Even when you run ownCloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these "21st century burglars" can download is an AES-encrypted file! Good luck with that :-)
Hell, with this setup you can even put a hidden TrueCrypt container in SkyDrive containing a portable Firefox and KeePass… But really, who's that paranoid? :P

August 05 2013


Active Directory Federation Services

AD FS, STS, SSO, claims, realms, tokens, SAML, WS-Federation, WS-Security, … All these fuzzy terms that were thrown at me last month…

The project was to implement AD FS (see title) in our environment.
The single and only purpose of AD FS is to create a "single sign-on experience" between applications. Sign on at any website, and you can visit all other websites with that same account! (Only trusted websites, that is, of course…)
There are claims providers for Exchange OWA and SharePoint. You can use it natively in custom and cross-platform applications, on Microsoft Azure and, in our case, Office 365.
And because it's based on open standards, you don't have to use .NET; you can use Java (jeej) as well! Or even PHP -> http://code.google.com/p/simplesamlphp/.
As long as your application speaks SAML (or WS-Federation), you're good to go!

So, all the abbreviations mentioned also have a meaning! And if you want to know what they mean and what their purpose is, read this article on MSDN!

A more "conceptual" article you can read: A Guide to Claims-Based Identity and Access Control (2nd Edition)
Especially the part about "the airport" explains a lot :P

Some more "academic" OASIS articles on WS-Trust and WS-Federation

And if you want to know more about WSDL, just read Wikipedia :-)

July 31 2013



Aka Synergy aka Synergy+
And now it's named synergy-foss!

It's a shame people don't know this application…
It has so many possibilities!

Basically, it lets you use your computer as a KVM switch…
So, you can control multiple different computers with just one mouse and one keyboard.
It's awesome if you use your laptop next to your desktop.
Or a portable version of synergy-foss when working with multiple other computers!
Keep in mind that it ships every keystroke over the network, so only use it on a LAN you trust, or with the encryption option turned on.

Go check it out!

July 22 2013



Is only awesome…

Created by the guy(s) from dataenter.com, this utility does some automated debug tests for mail servers! Just like mxtoolbox.com, but locally, for example on your mail hub/SMTP server…

If you run the executable from the command line, you'll see the arguments you can pass to the application.

For example:

TextMX.exe -drecipientdomain.be -tmendel@recipientdomain.be -fmendel@senderdomain.be -a -qDNS8.8.8.8

Just have a look if you're interested in mail servers ;-)

March 23 2013


Not so random

Random generators suck…
Apparently no one can make a good one…

My car (BMW), my previous car (Opel), my iPod, iTunes, Windows Phone, YouTube, …

After a song, always the same "random" song follows..
It's kind of strange…
If you let me create a random() function, I would include the time somehow.
At least in a car you can create some mathematical function which, divided by the current number of minutes, will give you something pseudo-random, right?
At least random enough to not always have a specific song be the next one after another certain song?

Random.org gives you the real analysis of how true randomness can be achieved.

As you can see on the random.org page mentioned above, even PHP's rand() on Windows sucks! Spot the "pattern" in the picture below!
According to Bo Allen PHP performs better on Linux… Shame on you Microsoft! :P

php's rand() function on windows!

Anyway, I don't want to know the next song when I enable "shuffle" in my audio player…

Microsoft, BMW, Apple, please fix it!
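For the "same song always follows" complaint the fix is not a better seed but a proper shuffle. Here is an added example (not from the original post) of a Fisher-Yates shuffle in PowerShell: every slot is swapped with a uniformly chosen earlier-or-equal slot, so each permutation is equally likely, and the index comes from the OS CSPRNG with rejection sampling, because "random bytes mod n" is biased whenever n does not divide 2^32. The playlist is a constructed sample.

```powershell
# Added example: unbiased shuffle on top of the OS CSPRNG.

# Uniform integer in 0 .. UpperExclusive-1. Draws a 32-bit value and rejects the
# top slice that is not a whole multiple of n, which removes the modulo bias.
function Get-UnbiasedIndex {
    param([Parameter(Mandatory = $true)][int]$UpperExclusive)
    if ($UpperExclusive -lt 1) { throw "UpperExclusive must be >= 1" }
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    $n     = [uint32]$UpperExclusive
    # largest multiple of n that fits: values >= limit are thrown away
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $n)
    try {
        do {
            $rng.GetBytes($buf)
            $v = [BitConverter]::ToUInt32($buf, 0)
        } while ($v -ge $limit)
    } finally {
        $rng.Dispose()
    }
    return [int]($v % $n)
}

# Fisher-Yates: walk from the end, swap position i with a random j in 0..i.
function Get-Shuffled {
    param([Parameter(Mandatory = $true)][object[]]$Items)
    $a = $Items.Clone()
    for ($i = $a.Length - 1; $i -gt 0; $i--) {
        $j = Get-UnbiasedIndex -UpperExclusive ($i + 1)
        $a[$i], $a[$j] = $a[$j], $a[$i]
    }
    return ,$a
}

$playlist = 1..10 | ForEach-Object { "track$_" }   # constructed sample input
Get-Shuffled -Items $playlist
```

The shuffle is a permutation, so no track repeats until the whole list has played, which is what "shuffle" should mean; the time-based seed the post proposes would still give a deterministic next track from the same state, just a different one each day.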

March 17 2013



PowerShell is being positioned by Microsoft as a "Unix shell lookalike".
And with the release of Windows 8 it's lifted to version 3.0

If you have absolutely never heard of it: it's the successor in the line DOS -> cmd -> cscript (VBScript) -> PowerShell.

Nowadays, you can actually script a big part of almost any Microsoft product installation/configuration/administration in this shell (like Windows, Exchange, SharePoint, Lync, …)
Plus, you can make calls to .NET/COM/Windows APIs!

Let's get you started!

Start -> search for "powershell" -> start it!

You can run commands you already know like ipconfig/nslookup, cd/ls/dir, or even something like "Get-Counter -ListSet processor | Get-Counter" (more info) for more advanced usage :-)

I'm not going to rephrase great readings, but I am going to put them in a list to get you started!

  1. Read this: http://www.johndcook.com/PowerShellCookbook.html
    It's a very brief summary of how to get started in PowerShell scripting (the setup, especially "Set-ExecutionPolicy", and some real basic commands!)
    One caveat: the execution policy is a safety catch against accidentally running scripts, not a security boundary; anyone who can run "powershell -ExecutionPolicy Bypass" or paste the script into the console gets around it.
  2. Check this page: http://www.computerperformance.co.uk/powershell/index.htm
    It's also a very good introduction to the conditional branching, comparison operators and loop syntax in PowerShell!
  3. or google anything with "powershell" and your question ;-)

If you've programmed before, you'll be up and running in no time!
Otherwise, it'll take you like 2 minutes :P

Anyway, some example scripts for you! -> http://www.mendelonline.be/code/index.php?filename=get%20all%20servers%20from%20ad%20and%20get%20version%20of%20specific%20file.ps1

February 14 2013


First World Problems

Working in a big company is fun.
You’ll get in touch with private server parks, HA clusters, and a loooot of problems…

SQL -> SQL 2012 SP1 bloating the windows registry to the max (2048mb), making windows do VERY weird things… http://blogs.msdn.com/b/sqljourney/archive/2012/10/25/why-the-registry-size-can-cause-problems-with-your-sql-2012-alwayson-setup.aspx, http://connect.microsoft.com/SQLServer/feedback/details/770630/msiexec-exe-processes-keep-running-after-installation-of-sql-server-2012-sp1
Cisco/Windows8 -> Windows 8 and Cisco WiFi don’t work together! http://support.microsoft.com/kb/2749073
NetApp/VMware -> Random storage disconnects… http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2016122
Exchange -> story of an Exchange 2003 user with a working mailbox, but a corrupted OWA… Even Microsoft didn’t find a solution :-) http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27900912.html

I’m not saying we were the very first in the world with the problems above…
I’m just saying we were one of the first with those problems… :P

And I’m probably forgetting some issues… :P

Smartsys blog is coming up later this year!
It’ll be a place for awkward situations like the ones mentioned above, with as many answers and solutions as possible!

Stay tuned! 8-)

January 30 2013


The curse of Crypt32.dll


One single file, soooo many problems with it…

The file “crypt32.dll” is part of the Windows NT family.
It resides in c:\windows\system32\crypt32.dll, and its main function is to provide all kinds of cryptographic functions to the Windows OS.

Using yet another great tool from our good friend nirsoft, an overview of its first 50 (or so) functions:

gdr qfe

Now, as some people already know, cryptography evolves (yep, it really does :P ). The main reason: the old methods for securing data get cracked every day… So new methods are needed!

This story is about the setup of a new PKI: a new CA in a mixed OS environment: XP, WS03, 7, 8, Linux, Mac, …
All these operating systems should be able to validate AND use the one root certificate.

So, we chose a deployment with a Windows Server 2008 R2 as root certificate authority.
One of the steps in this deployment is the decision on the hash algorithm of the root certificate.

Now, sha-1 isn’t that much of a deal anymore these days… It’s still good. But hey, we chose the much stronger sha-256 method (its direct successor).

Now the fun part starts.

Windows Server 2003, R2 and XP until SP3 aren’t compatible with the sha-256 algorithm…
Only from a specific version of crypt32.dll onwards is the function to verify sha-256 signatures available…
Aka: they can’t validate our new root certificate :-(

And from here, things get only worse…

The version of crypt32.dll you need is 5014 (5.131.3790.5014).
Since 2009, there has been a hotfix available with this version. Also, since August 2012, there is an update available through the Windows Update channel, containing this 5014 edition of the dll.

They are different…


Two builds, 2 different files, 1kb in size bigger, build time 30 minutes apart…

Using winmerge we see quite some difference…


So don’t bother with the Windows Update version (gdr - general distribution release), go for the hotfix version (qfe - quick fix engineering). You’ll have to install it manually (or using a gpo). But it’s a real disappointment to first try the gdr version, and find out nothing works as expected…
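As an added check (example code, not from the original post and not Microsoft tooling): this PowerShell snippet compares the local crypt32.dll against the 5014 version named above and lists the trusted roots signed with a SHA-2 algorithm that an older build would fail to validate. The size and timestamp are shown because the gdr and qfe builds carry the same version number; the version comparison only says something on XP/2003, since Vista and later ship a 6.x crypt32.dll anyway.

```powershell
# Added example, not from the original post: does this box have a crypt32.dll
# new enough for sha-256, and which trusted roots would an older one reject?
$minimumVersion = [version]'5.131.3790.5014'   # the 5014 build named in the post
$dllPath        = Join-Path $env:SystemRoot 'System32\crypt32.dll'

$dll  = Get-Item -LiteralPath $dllPath
$info = $dll.VersionInfo
# Build a System.Version from the numeric parts; the FileVersion string can carry
# extra text (branch tags) that would break a plain [version] cast.
$actual = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                        $info.FileBuildPart, $info.FilePrivatePart)

# New-Object PSObject works on PowerShell 2.0 too, which is what XP / WS03 get.
New-Object PSObject -Property @{
    Path          = $dllPath
    FileVersion   = $actual
    MeetsMinimum  = ($actual -ge $minimumVersion)   # only meaningful on XP / WS03
    # gdr and qfe builds share the version number; the post says they differ by
    # about 1 KB and 30 minutes of build time, so record both for comparison.
    SizeBytes     = $dll.Length
    LastWriteTime = $dll.LastWriteTime
} | Format-List

# Trusted roots signed with a SHA-2 algorithm. A crypt32.dll without sha-256
# support cannot verify these, which is the failure the post describes.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)' } |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ Name = 'SigAlg'; Expression = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-Table -AutoSize
```

Run it on a machine that still fails to validate the new root and on one that works, and compare the two outputs.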

January 23 2013


AMD Madness with Windows 8

So I’ve installed Windows 8.
I didn’t install any driver manually.
Windows found almost everything using Windows Update.

And I like that :-)

I don’t like hunting down drivers.
It’s stupid, consumes hours of precious time, and most of all: really boring…

Today, in my quest for good video editing software, I stumbled upon Sony Vegas 12.

After downloading the 30-days trial, all I got was this lousy loading screen…
And a crash report…
Which was useless…

Because the most valuable crash report mentioned something about “gpu acceleration”, I started wondering if its corresponding Windows driver was up to date…

I knew, from issues in the past, that AMD/ATI stopped supporting my -not that old- radeon 4870 in Windows 8…
Rendering my gpu legacy 2 years after purchase date… (see what I did there? :P )

Anyway, things like that have been overcome for years thanks to guru3D (modded mobility drivers anyone?)

And again, they came up with modded drivers for legacy graphics cards.


windows update driver


guru 3d’s DriverVer=07/03/2012, 8.970.100.3000

Nevertheless, after installing this “seemingly” older driver, Sony Vegas still crashes…

And even better!

Now I have this as well:



Rolling the driver back to its “Windows Update” alter ego fixed one of the above issues.
But not all…

Stupid amd…

January 16 2013


Variable signing…


In my bed, the weirdest things happen…
Today, I woke up, and thought to myself: “why do people sign their code, but not their stored data & variables?”

Let’s explain what I mean…

I’ve been messing around with Windows Phone 7 quite some time.
And now Windows 8 has the same fun challenges.

Some (most) applications which are developed by home programmers don’t make time to “secure” their applications. Mostly because there isn’t time, money, or the effort is just too high…

Anyway, this results in a lot of apps you can play with 8-)



Nowadays, when you edit a W8 xaml file, the codeintegrity.cat (miaow) file makes sure your app crashes…
The codeintegrity file (part of the MS App Store) verifies the integrity of the code (no way :P ).
It’s a quick fix for a hack that came out a long time ago (the one where you could edit anything you wanted): www.extremetech.com/computing/143002-how-to-pirate-windows-8-metro-apps-bypass-in-app-purchases-and-more

Some thoughts: why isn’t all this encrypted/obfuscated/minimised/…, aka: why is it plain text?

A really good read from Justin Angel! It’s quite funny too!

So at least I’m not the only one who thinks like that!

But a solution can be that easy!
Take your vars and multiply them by 4. Convert them to another type (var something = (new int32(1234).tochar() ). Create a stupid mathematical formula to “hide” your variables. Or even: don’t store your variables with easy names (the function of the variable “AmountOfGold=5000” isn’t THAT difficult to guess :-p ), or just salt the entire variable bullshit!

If only our precious NMBS would do that! :lol:
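Taking the title of the post literally, here is an added example (not the post’s own code, written against plain .NET so it would translate directly to a Windows 8 app): the saved state stays in plain text, but an HMAC over it is stored alongside, so an edited AmountOfGold is rejected on load. Function names and the key handling are assumptions for the example.

```powershell
# Added example, not from the original post: keep the saved state in plain text,
# as the post describes, but append an HMAC so an edited AmountOfGold is rejected
# on load. Function names are made up for this example.
function Get-StateMac {
    param([string]$Body, [byte[]]$Key)
    $hmac  = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    $bytes = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Body))
    return ([BitConverter]::ToString($bytes) -replace '-')
}

function Protect-State {
    param([hashtable]$State, [byte[]]$Key)
    # Canonical serialisation (sorted keys) so equal states always give equal MACs.
    # Values must not contain ';', '=' or '|' in this toy format.
    $body = ($State.Keys | Sort-Object | ForEach-Object { "$_=$($State[$_])" }) -join ';'
    return "$body|$(Get-StateMac $body $Key)"
}

function Unprotect-State {
    param([string]$Blob, [byte[]]$Key)
    $body, $mac = $Blob -split '\|', 2
    $expected = Get-StateMac $body $Key
    if (-not $mac -or $mac.Length -ne $expected.Length) {
        throw 'Saved state is missing or has a malformed signature'
    }
    # Compare every character so timing does not reveal where the mismatch is
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ([int][char]$expected[$i] -bxor [int][char]$mac[$i])
    }
    if ($diff -ne 0) { throw 'Saved state has been tampered with' }
    $state = @{}
    foreach ($pair in ($body -split ';')) { $k, $v = $pair -split '=', 2; $state[$k] = $v }
    return $state
}

# Demo with a random key. In a real app the key has to live somewhere the player
# cannot simply read (DPAPI, for instance); a key embedded in the binary only
# stops casual file editing, the scenario in the post, not a determined reverser.
$key = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($key)

$saved    = Protect-State @{ AmountOfGold = 5000; Level = 3 } $key
$tampered = $saved -replace 'AmountOfGold=5000', 'AmountOfGold=999999'

(Unprotect-State $saved $key).AmountOfGold                         # the untouched blob
try { Unprotect-State $tampered $key } catch { Write-Warning $_ }  # the edited blob
```

The “multiply by 4” style tricks in the post only slow an editor down; the MAC actually detects the change, but only as long as the key is not just another plain-text value next to it.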
