urlscan.io scan of mendel129.wordpress.com (192.0.78.12)

Submitted URL: http://blog.mendelonline.be/
Effective URL: https://mendel129.wordpress.com/
Submission Tags: phish.gg anti.fish automated
Submission: On October 01 via api from DE, scanned from NL


..::MENDEL'S WEBLOG::..


MENDEL ALIAS'S STUFF ON THE WEBS


DOORBELL

07/11/2020
home automation, infrastructure
Leave a comment

Something as mundane as an intercom doorbell, yet so difficult to conclude on…
Or is it just me?

A nice looking, black, Power over Ethernet, video, no cloud, local push
notifications, SIP, not too expensive… Can’t be too difficult, right?

Finding PoE video intercoms is doable: obviously there is Google Nest and Amazon
Ring, but you also find Dahua or GrandStream. Ubiquiti, which has a doorbell
these days, or yoosee. Next there is Hikvision. And last but definitely not
least, DoorBird.
But either it’s too expensive, PoE isn’t guaranteed, it’s all cloud, … None to my
liking…
After 2 years without a doorbell (a knock on the door works as well), Akuvox came
across.

Horrible software, even worse documentation, but it seems to be able to do what
it is supposed to do: 720p video, ONVIF, SIP, all local!, PoE, motion detection.
Yet it doesn’t work the best, and it seems some options from the E11’s bigger
brothers are hidden.
But it allows for an HTTP trigger via Node-RED to HASS, which is able to take
care of the rest: take a picture, send it to a phone, and play a music file on
pimusicbox hooked to the speakers via DLNA as a virtual gong…

Box is running some Android 4.2.2 version on an Allwinner sun8i 1GHz SoC with
64MB RAM. Some notes via https://mendelonline.be/wiki/index.php/Akuvox

As the LED for the RFID reader cannot be disabled from the web GUI, I had to
rewrite some startup scripts. Luckily the SSH password wasn’t too difficult to
find… See the wiki above.




A LITTLE BIT OF HOME AUTOMATION

03/11/2020
home automation, infrastructure, internet
Leave a comment

 * 1 Siemens LOGO!
 * 1 CoreOS
 * 1 ESXi on some nice hardware

Siemens does provide a mobile application, but it basically lacks everything… No
remote access, no media, an ugly UI, you have to pay for it (although you
already paid for the logo), no push messages…

That’s where Home Assistant comes in the picture.

Get your network up and running. Hook your Logo up. Get CoreOS up and running.
Install Home Assistant from the Docker hub. Install Node-Red while you’re at it.

The PLC offers modbus, and HASS integrates with modbus, so it’s a match made in
heaven.
Although a very rough match…
But it works!

Currently working:

 * control of the PLC via modbus
   * lights
   * garage
   * motion detectors
 * reverse proxy with mutual authentication over IIS
 * html5 push messages
 * Belgium’s waste collection
 * solar panels statistics
 * pi-hole statistics
 * ONVIF cameras
 * doorbell via http in node-red
 * pimusicbox management


BELGIUM EID – THE TECHNICAL PART

07/06/2017
computer, infrastructure, microsoft, security, windows
2 comments

Because I actually got some requests on how to accomplish this on my previous
Belgium eID post, a more technical post here… It’s a bit chaotic, so I hope
you’ll figure the details out on your own.

I’m not reinventing wheels here. All of the things are loosely based on
http://blog.debilloez.net/2010/12/ad-authentication-with-be-eid.html,
http://setspn.blogspot.be/2014/10/configure-windows-logon-with-electronic.html,
https://social.technet.microsoft.com/Forums/office/en-US/4eae5d60-c90c-4238-82b7-67b0ac261b8e/eid-login-for-domain?forum=winserversecurity,
https://blogs.msdn.microsoft.com/spatdsg/2008/04/17/smartcard-in-2008-and-vista-national-id-card-no-upn-no-eku-no-problem/
and there even was a Word document I can’t seem to find anymore…

You can have this up and running in less than an hour.


REQUIREMENTS:

 * Active Directory Domain Services
 * Active Directory Certificate Services with Enterprise CA (in good
   circumstances, this role is NOT installed on your DC…)
 * Some server or workstation (Windows Desktop or Terminal Server or whatever
   where you want your users to log-on)


CONFIGURATION


FOREST/DOMAIN

Basically, the certificate chain consists of end-entity -> intermediate -> root
( -> globalsign, FEDICT made 2 roots)

Root needs to be in “Trusted Root Certification Authorities”, intermediate needs
to be in “Intermediate Certificate Authorities” of all involved machines: DC,
client, server.

Download all useful certificates from http://certs.eid.belgium.be/ (please
script this)

“useful” meaning:

 * non expired root certificates
 * all non expired citizen intermediate certificates
 * (foreigner if your use case needs this)

For easy deployment: create a new group policy, and add the roots to “Computer
Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted
Root Certification Authorities” and the intermediates to the “Intermediate
Certificate Authorities” store in the same location.

Deploy this GPO to all servers involved: Domain Controllers, IIS, RDP, …


ADCS

Make sure the “Kerberos Authentication” certificate template is made available
for Domain Controllers on your freshly installed CA, that the DCs have enrolled
for it, and that the certificate is actually present in certlm.msc. (This
template is the newer version of the Domain Controller Authentication template,
which in turn is a newer version of the very original Domain Controller
template; any one of them is good enough.) Make sure your general PKI is
healthy.




DC

Create a user.

Export the authentication certificate from the smart card (either with the Be
eID viewer or using certmgr.msc).

The mapping of a Be eID to an active directory user happens in Active Directory
Users and Computers (dsa.msc). Go to a user, right mouse click, name mapping,
and add the exported version of the Be eID authentication certificate here.
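The name mapping above can also be scripted. This is an added example, not code from the post: it builds the altSecurityIdentities value that the dsa.msc dialog writes from the exported authentication certificate and applies it with Set-ADUser. It assumes the RSAT ActiveDirectory module is installed, that $CerPath points at the exported .cer and $SamAccountName at the existing AD user; it also reports whether the Client Authentication EKU is present, which is what decides whether the AllowCertificatesWithNoEKU keys below are still needed.

```powershell
# Added example (not from the original post): map an exported eID authentication
# certificate to an AD user by writing altSecurityIdentities, the same attribute
# the "Name Mappings" dialog in dsa.msc fills in.
# Assumptions: RSAT ActiveDirectory module, $CerPath = exported .cer from the card,
# $SamAccountName = existing user to map.
param(
    [Parameter(Mandatory = $true)][string]$CerPath,
    [Parameter(Mandatory = $true)][string]$SamAccountName
)
Import-Module ActiveDirectory

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# The certificate viewer shows names most-specific-first ("CN=..., C=BE");
# the mapping attribute wants X.500 encoding order ("C=BE,CN=...").
function ConvertTo-MappingDN {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    $rdns = @($Name.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })  # one RDN per line
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# Refuse to map a certificate that is outside its validity period; logon would fail anyway.
$now = Get-Date
if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
    throw "Certificate for $($cert.Subject) is not valid right now."
}

# Pre-2017 cards carry no Client Authentication EKU on the authentication
# certificate; that is exactly what AllowCertificatesWithNoEKU papers over.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    Select-Object -First 1
$hasClientAuth = $false
if ($ekuExt) {
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}
if (-not $hasClientAuth) {
    Write-Warning "No Client Authentication EKU on '$($cert.Subject)': AllowCertificatesWithNoEKU stays required."
}

# Issuer + subject form: what the name-mapping dialog produces.
$issuer  = ConvertTo-MappingDN $cert.IssuerName
$subject = ConvertTo-MappingDN $cert.SubjectName
$bySubject = "X509:<I>$issuer<S>$subject"

# Issuer + serial form: since KB5014754 Windows treats the subject form as a
# "weak" mapping; <SR> takes the serial in reversed byte order, which is the
# order GetSerialNumber() already returns.
$serialReversed = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''
$bySerial = "X509:<I>$issuer<SR>$serialReversed"

# altSecurityIdentities is multi-valued; -Add keeps any mapping already present.
Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = @($bySubject, $bySerial) }
Write-Output "Mapped $SamAccountName to:`n  $bySubject`n  $bySerial"
```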

The DC’s also need a modification in the registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001


Note: the new 2017 BE eIDs don’t require AllowCertificatesWithNoEKU and
AllowSignatureOnlyKeys anymore (as they actually set the correct EKU); old
eIDs do.
The CRL timeout is also not really required if outgoing network access allows it.


TARGET

IIS/Terminal Server/Windows logon

Always install the eID middleware, download from https://eid.belgium.be/

And set the same registry keys again

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001

Same notes on the registry keys as above; for the newest eIDs only
ForceReadingAllCertificates is really required.
ForceReadingAllCertificates is needed because the smart card contains 2 certificates.


WINDOWS LOGON

You can use an eID for regular logon on a physical machine (with a reader – think
Cherry keyboard or terminals).

On the lock screen, logon but select smart card.
Rest should be self explanatory.


RDP HOST

It’s best to set a gateway in between, as NLA sometimes blocks smart card logon
(or disable NLA, which is not recommended).

Under normal operations, use mstsc to connect to the RDP host; in the
authentication window select the correct smart card (authentication) certificate
and log on.

Once connected, you’ll notice a 1-4 seconds delay, just give it some time to
tunnel the reader over the rdp connection and logon will occur.

On the computer you are using to connect to the RDP server, also set the
registry keys and install the eID middleware (the driver for the smart card); see
the client section below for more info.


IIS

To be updated…

Basically, use iisClientCertificateMappingAuthentication, which needs to be
installed as an additional feature, and use that from there on. It’s also
possible to cover the mapping directly in ASP. Will update this part if I find
some time.




CLIENT

The machine you’re actually working on, and connecting to the servers above.



Install the eID middleware, download from https://eid.belgium.be/

The chip on the eID itself contains 2 certificates: 1 meant for signing, 1 for
authenticating.

By default, Windows only reads 1 certificate on a smart card and tries to use
that one to authenticate. On the Belgium eIDs this is the signing one (plus, with
pre-2017 certificates, it has a wrong EKU). So we need to configure the Windows
client to actually read both certificates and allow certificates without EKU…
(Note: on the 2017 eIDs the correct EKU, client authentication, is actually set,
but still on the 2nd certificate.)

Registry keys!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

Also, same comments on regkeys as earlier.


LIMITATIONS

There are some limitations for this solution, such as the certificate-user
mapping process, deployment of eID certificates to servers, exceptions when
someone lost his eID, etc…

At tSF we did try to fix those limitations, using extra policies when a user
forgot their smart card and give them an exception on the authentication policy,
and by building some extra tools to manage all this way easier.

But of course I can’t share those… =)



The other way around: if you’re interested, you’re always free to contact tSF:
https://www.thesecurityfactory.be



TRACKS

05/04/2017
development, software
4 comments

Everyone is tracking everyone nowadays…

Yet, sometimes I really have trouble remembering what I did, and where I was…
The “what I did” is easily reproducible by using NirSoft’s LastActivityView,
checking my sent e-mails, and my browsing history… (But as I’m using 3 computers
not in logical order, this is also not ideal.)

The “where I was” is more difficult…

Enter tracks: https://mendelonline.be/tracks/

Client-side it’s built on top of Nokia’s SensorCore SDK example Tracks (yes, I
stole the name, and the layout, and actually just about everything =) )
https://github.com/Microsoft/tracks
The only thing it does is getting all track points containing geographical
information from the co-processor on my old but trustworthy Nokia 930 running
W10M, and posting it to some stupid PHP “API” putting it in an MSSQL db. (Nope,
no authN here…)




I built some stupid front-end for it, but for now, it looks something like this:
https://mendelonline.be/tracks/share.php?accesskey=xqnmSI4vAEItrRaQKaiVnGTx

But you can do way cooler things with it! For example heatmaps! Where did I go
most:



Next on the to-do list are statistics…

 * how much time in the car a week
 * how many km in a week
 * how much time in traffic
 * ..


BACKUPS

16/06/2016
computer, infrastructure, security
Leave a comment

I hate backups, I really do… Even more than I hate printers

But, as recent happenings proved again, you definitely need one… Whether it is
for a virus or ransomware, a failing hard disk, or even if you just delete
something (why would you delete something?)

I’ve been looking around for a good off-site backup for ages, but never found a
“good” (read: cheap) one… If you look at cloud-hosted backup solutions such as
backblaze, crashplan, …, you’re always going to spend more than $50 yearly…
(http://www.pcmag.com/article2/0,2817,2288745,00.asp)
I always figured, yeah, that’s the price of a physical disk you can keep
forever…

Anyway, next issue, backup software… If someone can give me a tool that just
actually works… PLEASE be my guest…
In the past I’ve used the built-in Windows one… But that one failed terribly,
resulting in me losing a lot of pictures…

One of my last interests was backing up to Amazon’s Glacier service… But I never
took the actual step.


Last week, I took two steps!



AZURE SIMPLE FILE

https://azure.microsoft.com/en-us/services/storage/files/

A couple of months ago, a new “feature” was made available on Azure. Basically
it’s just an oldskool file server in an Azure datacenter… Meaning: accessible
over smb

\\fileserver.onmicrosoft and you’re good to go!
Jieehaa!
No shitty REST-interfaces!

It’s SMB 3.0, so authentication, encryption and data integrity are handled by
the protocol (hey, you’re communicating over a public network, of-course you’ll
need that!)

Having a “regular” interface to the cloud opens possibilities… But, bringing me
back to my earlier point of having the right tool for the job…
I don’t trust the file-history any more, so I’m looking around for other tools…

Currently running Iperius -> http://www.iperiusbackup.com/
Curious how that’s going to turn out…
It doesn’t have a restore option? WTF?




AZURE BACKUP

https://azure.microsoft.com/en-us/services/backup/

Another service I’m testing on Azure is the Backup functionality.

It comes with a client application. Install, configure, select data and you’re
good to go! This app definitely impressed me!

I know it says “failed”, one of the big issues with cloud storage is your upload
speed… As I’m only a Belgian internet user, I’m stuck with a 5 mbit upload rate
over adsl… So uploading 120GB takes forever… (forever being 2.5 days). So, on a
daily schedule, after a day, the previous backup hasn’t finished yet
http://beta.speedtest.net/result/4976075067



Big plus, I crossed my “downloadlimit” uploading 650GB on backup data
JEEEEJ CLOUD

Did I tell you it’s slow as hell?
And you have to pay extra for outbound network traffic, aka: to restore data you
have to pay more…

I’m even considering installing this on all computers from my family!


LOCKING DOWN USB ON WINDOWS

11/05/2016
computer, HowToImproveTheWorld, security, windows
Leave a comment

A cool trick that was shown a couple of years ago, called BadUSB, turns random
USB devices into possible snooping devices.

What if you plug in a USB stick you found on the street and it turns out to open
up an Internet browser and steer you to a specific website, downloading and
launching an application? USB has many profiles, so instead of a “mass storage
device” (what you would expect from a USB drive that looks like a mass storage
device) it imitates a HID device such as a keyboard or mouse… So your “drive”
becomes a keyboard!
Automate some pre-defined keystrokes that start after plugging in the USB
device, like Windows-logo+R, type https://mendelonline.be/temp/runme.exe, press
enter a couple of times, and then run the same with
%userprofile%\downloads\runme.exe, and you’ll be pretty close to running your
executable without any user interaction!

Edit 26/05/2016: Exactly like this:
https://www.informationsecurity.ws/2016/01/pwning-windows-7-with-avg-av/

Not that many technologies exist to prevent this from happening on Windows
though… But I found a document on irongeek explaining how to block USB devices
using Group Policy (local policy can also be used; you don’t need to have a
domain-joined computer):
http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices

Open your local policy editor, open up “Computer Configuration->Administrative
Templates->System->Device Installation->Device Installation Restrictions”, and
start messing around

[image: local group policy settings]



I started with checking which USB devices were already known on my computer… You
can use the, always awesome, NirSoft “USBDeview” to have a look at your USB
history.

So, I deleted all history, with the idea to start clean.
After deleting everything, I let Windows re-discover all devices default to my
laptop.
Next, I started plugging some USB devices I owned and let it register and
install.

Then, the actual blocking policy was enabled.

Another USB-device I didn’t install for testing purposes was plugged into my
computer. And nothing happened.
Perfect

I still needed to install that device anyway, but starting Device Manager with
administrative credentials allowed me to overrule the blocking policy and to
install the USB device for future use…
(Note: once a USB device is “installed”/“registered” in Windows, it can be
plugged in and used anytime in the future without the admin-overrule technique…)
Or you can start defining classes of USB devices, manufacturers, etc… Just check
irongeek’s page.


[images: unrecognized; datatraveler not being used; update driver as administrator; good to go; datatraveler active!]




BELGIUM EID

25/04/2016
security, windows
5 comments

All official Belgium eID applications are eventually wrappers around the eid-sdk
provided by FedICT, which in its turn is a Java applet… This Java applet
has the possibility to authenticate any known Belgium eID against FedICT’s
database. Even FedICT’s FAS service can be used as a SAML-compatible
authentication provider (ADFS!)… But you don’t always want to use Java, or
FAS…

Did you know, you can fully integrate the Belgium eID in a Windows environment?

Yes, ADFS, yes RDP, yes Windows logons, yes IIS… The fun part, it’s all built-in
and you don’t need Java, and you don’t need FAS!
Downside: you’ll need to do some user mapping yourself: your servers still need
to map you to an account, and it still needs to authorize that account… So a
little administrative overhead here (with FAS FedICT does this for you)

There are some other tricks needed, as for example to enable your client to read
both certificates on the smartcard, and to map your eid to a “Windows” user
account, but when that’s set-up, you’re good to go!



The key to all this is the implicit certificate mapping feature of Active
Directory Certificate Services working together with an enterprise PKI.


RDP/WINDOWS




IIS

For IIS, the “SSLVerifyClient require” http specification is used to leverage
cert-based client authentication. This should even work in other HTTP-servers,
and in all major browsers.

http://wiki.cacert.org/ApacheServerClientCertificateAuthentication


LOCAL AUTH

For the tricks above, you’ll need a functional Active Directory including
integrated enterprise PKI environment.

Thanks to Vincent of mysmartcardlogon you can also run it stand-alone on your
computer!
Unless you’re running Windows Enterprise, like me.
Plus, my laptop doesn’t have a built-in card reader, so it’s ugly having to take
a USB card reader to log on in the mornings.


THE WHY?

Strong “Multi-factor” authentication is strong.
A certificate in either a virtual or a physical smartcard is always a bunch more
secure than a password you’ll have to remember as a simple human being.

And an eID is obligatory in Belgium, you have to buy it anyway, so why buy yet
another token for multi-factor authN from a 3rd-party provider instead of the one
you already have?

It’s not confidential or secret technology, so if you’re interested in the exact
how and what, just leave a comment


LOCAL ACCOUNT MANAGEMENT IN A WINDOWS DOMAIN.

10/03/2016
computer, powershell, security
Leave a comment

One of the recent security “packs” in the Microsoft ecosystem is LAPS, Local
Administrator Password Solution
(https://technet.microsoft.com/library/security/3062591). It tries to solve one
of the ancient issues regarding the local administrator account on a Windows
machine. It needs to exist, and it needs to have a, preferably, secure and
unique password. Yet, in many organizations, the default administrator account
is enabled, with the exact same password on every machine…
Result: once you know the password, you’re an admin on every
workstation! (lateral movement)
The idea of LAPS is to randomize each password of each workstation, and store it
in the Active Directory as a confidential attribute of the computer object.

LAPS can be configured to manage the local administrator account,
.\administrator, or another, configurable and existing, account.

Surprise!

Enter MS14-025.
MS14-025 disables the usage of CPasswords in Group Policy
https://support.microsoft.com/en-us/kb/2962486 .

This is a good thing!

CPasswords allowed unsuspecting administrators to put plaintext passwords in
publicly-readable group policy XML files!
(Almost plaintext, as the passwords are encrypted with a known key.)

Here is the password btw
(https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2):

 4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
 f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

Yet, this also means you cannot create a new account using Group Policy anymore.
Little “forgotten” side-effect…
And there is no real alternative to actually create a local account on a domain
member…
(At installation of LAPS clientside-MSI, an argument can be set to actually
create a new account…)
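MS14-025 only stops new cpasswords from being created; files that already carry one stay in SYSVOL until someone removes them. The following is an added example, not from the post, that walks SYSVOL and reports every Group Policy Preferences XML still carrying a cpassword attribute. It assumes it runs on a domain-joined host with read access to SYSVOL; $Domain defaults to the current domain.

```powershell
# Added example (not from the original post): inventory Group Policy Preferences
# files in SYSVOL that still contain a cpassword attribute. The value itself is
# deliberately not returned; the point is to find and clean the files.
# Assumption: domain-joined host, read access to \\<domain>\SYSVOL.
function Find-GppCpassword {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    # Preference item types that can embed credentials.
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $policies -Recurse -Include $files -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $xml = [xml](Get-Content -Path $file.FullName -Raw -ErrorAction Stop) }
            catch { return }   # unreadable or malformed file: skip, keep scanning

            # Any element with a cpassword attribute, whatever its name.
            foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
                # The account name attribute differs per preference type.
                $account = $node.GetAttribute('userName')
                if (-not $account) { $account = $node.GetAttribute('accountName') }
                if (-not $account) { $account = $node.GetAttribute('runAs') }

                # GPO GUID is the first path element after \Policies\.
                $gpoGuid = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]

                [pscustomobject]@{
                    Gpo      = $gpoGuid
                    File     = $file.FullName
                    Element  = $node.Name
                    Account  = $account
                    Modified = $file.LastWriteTime
                }
            }
        }
}

# Usage: list findings, newest first.
Find-GppCpassword | Sort-Object Modified -Descending | Format-Table -AutoSize
```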

One way to solve this is to create the new local user using a startup script!
The script below was tested on Windows 10; some things did break between 8.1 and
10!
Deploy it using SCCM or GPO startup scripts!

It creates an account and LAPS will change its password on first gpupdate

Note, another point of discussion is whether the .\administrator account should
be used or not. There are a lot of different opinions here…
For LAPS, some people at Microsoft advise to “just use the .\administrator
account, because you know it will always be there”. (Note: that account is prone
to brute-force attacks, as a lockout policy never applies to RID 500.)
In other cases (src1, src2, src3), Microsoft advises to disable the
.\administrator account, create another administrator account and use that one…
Point is, when you’re not using BitLocker, there is a tool called “Offline
Windows Password & Registry Editor” by pogostick which can always enable and
reset the .\administrator account’s password.
So, the choice is up to you! My humble opinion is to use another account
(otherwise I wouldn’t be going through all this trouble to get another one).

See https://gist.github.com/mendel129/59a175e49c57b8ef9847

#https://gist.github.com/mendel129
# Creates a local account through the WinNT ADSI provider. The initial password
# only needs to be random: LAPS replaces it on the next gpupdate.
function create-localaccount ([string]$accountName = "testuser", [string]$Computer = "localhost") {
   $comp = [ADSI]"WinNT://$Computer"
   $user = $comp.Create("User", $accountName)
   # set a random 19-character password, let it be changed by LAPS afterwards
   $user.SetPassword(([char[]](50..150) + 0..9 | sort {get-random})[0..18] -join '')
   $user.SetInfo()
}

# Returns the names of the current members of the local Administrators group.
function get-currentlocaladministrators([string]$Computer = "localhost"){
   $obj_group = [ADSI]"WinNT://$Computer/Administrators,group"
   $members = @($obj_group.psbase.Invoke("Members")) | foreach{([ADSI]$_).InvokeGet("Name")}
   $members
}

# Adds the account to the local Administrators group.
function add-localadministrators([string]$accountName = "testuser", [string]$Computer = "localhost"){
   $AdminGroup = [ADSI]"WinNT://$Computer/Administrators,group"
   #$User = [ADSI]"WinNT://$Computer/$accountName,user" #something broke on windows 10
   #$AdminGroup.Add($User.Path) #something broke on windows 10
   $objUser = [ADSI]("WinNT://$accountName")
   $AdminGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
}

# list members, create the account, add it, list members again
get-currentlocaladministrators -Computer "localhost"
create-localaccount -Computer "localhost" -accountName "testuser"
add-localadministrators -Computer "localhost" -accountName "testuser"
get-currentlocaladministrators -Computer "localhost"



Some good LAPS references:

 * https://adsecurity.org/?p=1790
 * https://flamingkeys.com/2015/05/deploying-the-local-administrator-password-solution-part-1/
 * https://blogs.msdn.microsoft.com/laps/2015/06/01/laps-and-password-storage-in-clear-text-in-ad/
 * http://www.petenetlive.com/KB/Article/0001059
 * https://technet.microsoft.com/en-us/library/security/3062591.aspx


BOTS

22/02/2016
computer, internet
Leave a comment

What are they even trying?


https://mendelonline.be/files/bots.htm


Count  Name
48     185.130.5.224
36     115.230.124.164
29     46.163.104.194
16     199.115.117.117
7      69.50.70.3
6      208.67.1.72
6      212.48.68.133
6      208.67.1.2
6      185.40.4.43
5      185.130.5.247


QUICKFIX IIS HEADER SECURITY

19/02/2016
console, internet, security
Leave a comment

Quick version to improve client-side browser behaviour… (client-side best
effort, so nothing is enforced…)

 * remove ASP info
 * enforce HTTPS
 * specify thumbprints of the known expected certificate, intermediate and root
   for the website
 * whitelist content security sources
 * set X-Frame-Options, i.e. prevent your site from being used in an iframe
 * enable XSS protection
 * disable content type sniffing

Add the following to your website’s web.config
(yes, web.config needs that ‘&quot;’ around the thumbprints…)


<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="Strict-Transport-Security" value="max-age=31536000" />
    <add name="Public-Key-Pins" value="pin-sha256=&quot;thumbprintofcertificate1&quot;; pin-sha256=&quot;thumbprintofcertificate2-intermediate&quot;; pin-sha256=&quot;thumbprintofcertificate3-rootcert&quot;; max-age=31536000" />
    <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
    <add name="X-Frame-Options" value="DENY" />
    <add name="X-Xss-Protection" value="1; mode=block" />
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol>


Long version: https://scotthelme.co.uk/hardening-your-http-response-headers/

Check via
https://securityheaders.io/?q=https%3A%2F%2Fhome.mendelonline.be&hide=on
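The same check can be run locally without the online service. This is an added example, not from the post: it fetches a site’s response headers and reports, for each header in the web.config above, whether it is present and carries the expected shape, plus whether the headers that should have been removed are still there. It assumes $Uri is reachable over HTTPS from where it runs; Public-Key-Pins is kept in the list because the post sets it, although browsers have since dropped HPKP support.

```powershell
# Added example (not from the original post): verify the response headers the
# web.config snippet is supposed to produce. Assumption: $Uri is reachable.
function Get-HeaderValue($Headers, [string]$Name) {
    # Header dictionaries are not case-insensitive in every PowerShell version.
    $key = $Headers.Keys | Where-Object { $_ -ieq $Name } | Select-Object -First 1
    if ($key) { return "$($Headers[$key])" }
    return $null
}

function Test-SecurityHeaders {
    param([Parameter(Mandatory = $true)][string]$Uri)

    # Header -> regex the value is expected to match.
    $expected = [ordered]@{
        'Strict-Transport-Security' = '^max-age=\d+'
        'Public-Key-Pins'           = 'pin-sha256='          # HPKP: informational, browsers dropped it
        'Content-Security-Policy'   = '\S'
        'X-Frame-Options'           = '^(DENY|SAMEORIGIN)$'
        'X-Xss-Protection'          = '^1'
        'X-Content-Type-Options'    = '^nosniff$'
    }
    # Headers the snippet removes (X-Powered-By) or that leak platform details.
    $shouldBeAbsent = 'X-Powered-By', 'X-AspNet-Version', 'Server'

    # HEAD is enough for headers; some servers only answer GET, so fall back.
    try   { $resp = Invoke-WebRequest -Uri $Uri -Method Head -UseBasicParsing -ErrorAction Stop }
    catch { $resp = Invoke-WebRequest -Uri $Uri -Method Get  -UseBasicParsing }
    $headers = $resp.Headers

    foreach ($name in $expected.Keys) {
        $value = Get-HeaderValue $headers $name
        if (-not $value)                          { $status = 'missing' }
        elseif ($value -match $expected[$name])   { $status = 'ok' }
        else                                      { $status = 'unexpected value' }
        [pscustomobject]@{ Header = $name; Status = $status; Value = $value }
    }
    foreach ($name in $shouldBeAbsent) {
        $value = Get-HeaderValue $headers $name
        if ($value) {
            [pscustomobject]@{ Header = $name; Status = 'should be removed'; Value = $value }
        }
    }
}

# Usage:
Test-SecurityHeaders -Uri 'https://home.mendelonline.be' | Format-Table -AutoSize
```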
