Adding users to AD Groups with PowerShell

If you are adding a number of users or computers within Active Directory to one or more groups, it can be time consuming.  I needed to add AD objects into groups over time, sometimes with duplicate objects in the source data and the group, so I created a txt file per AD group and a small script (one code block per group/file) to help with the additions.

My source text files were raw lists, plain text, one entry per line.

When the script is run, it will add all the entries in the relevant .txt file into the relevant group.  This allows you to add to the text file with additional lines, even if there is the odd duplicate, and providing an entry matches a valid AD object, it will get added!

A nice time saver.

Script Output

Files….



These groups were linked to GPOs and software rollout tasks, but they could be for anything; I have also used this for Exchange mailbox operations and more.

Enjoy.


Digitally signing email with S/MIME and the iPhone / iOS

You can use S/MIME certificates, also called “Digital Certificates” or “Personal Certificates”, with most email clients to digitally sign and/or encrypt email messages. In order to digitally sign or encrypt your email, you will need a digital certificate.

For a run down on how to get a certificate, and also how to use it in Outlook 2016, see my earlier post: Digitally signing email with S/MIME and Outlook 2016

In order to use this certificate to sign email from your iPhone, you are going to need to transfer the public/private key pair to your phone, install it, and configure it for use.  In this example we will build on the Exchange/Office 365 model and continue where I left off in the previous post.

Getting a certificate

See my earlier post: Digitally signing email with S/MIME and Outlook 2016

Transferring a certificate to the iPhone

There are a number of ways; however, in every case I would recommend you secure the key with a strong passphrase and transfer it as securely as possible.

In this example we will send it to ourselves in an email, keeping it within the same account, which we have connected to over a TLS session. I do not recommend emailing this in any other way.  We will then purge the email from the server, as we need to keep this file safe.  A direct file copy may be better, so you could investigate that.  For this example, we will send an email message with the certificate file as an attachment to ourselves within the same account.  The file will be either a .p12 or .pfx file, which is also passphrase protected.

Installing the certificate

On your iOS device, open the email message. Tap the attached file to start the installation. On the “Install Profile” screen, tap Install. You may see a warning that the profile is not signed, tap Install and then Install again.

When prompted, enter the passphrase created when exporting the certificate.

Tap Next, and then Done.

Configuring Apple Mail

Access your account settings:

iOS 11: Go to Settings > Accounts & Passwords.
Earlier versions: Go to Settings > Mail > Accounts.

Select the email account that the certificate relates to.

Tap the Account button that shows your email address.
On the “Account” screen, tap Advanced Settings, then switch the “S/MIME” setting on. The “Sign” and “Encrypt” options are off by default.

To enable digital signing, tap Sign, and then slide “Sign” to the on position. If you have installed multiple certificates on this device, ensure the check is next to the correct and current certificate.  To verify, tap the right arrow to view the certificate details.

The encryption option will attempt to encrypt all email from your device; I will cover this in a separate post and link to it here.  For now, we do not want to encrypt all email sent from the account by default, so do not enable encryption.

Digitally Sign Email

When you create an email, you should see the padlock in the top right; if so, it's likely all will be well.

Send a test email and verify the certificate!  In Outlook, you will see the red rosette icon by the message as shown below.

Hope this helps!


HTTP Strict Transport Security with Apache

HTTP Strict Transport Security (HSTS) is a web security policy which helps to protect websites against protocol downgrade attacks by allowing web servers to declare that web browsers should only connect via secure HTTPS connections. The HSTS policy for the site is communicated by the server to the browser via an HTTPS response header field named “Strict-Transport-Security”, which sets the period of time for which the site should only be accessed via HTTPS.

Whilst this header cannot protect the first connection to the server, it does ensure all future connections made before the expiry are over HTTPS. Each valid response also resets the time period.

If you're looking to enable HSTS on Apache, this should help:

First setup your site, eg:

/etc/apache2/sites-enabled/default-ssl.conf

ServerAdmin webmaster@example.com
ServerName www.example.com
ServerAlias example.com www.example.com

Then configure SSL/TLS and the Strict-Transport-Security header; this will need to include your desired time in seconds:

Header always set Strict-Transport-Security "max-age=31536000; preload"

SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example.key
SSLCACertificateFile /etc/ssl/certs/example-ca.crt

Lastly, we will need to enable the headers module and restart Apache.

root@server:~# a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  service apache2 restart
root@server:~# service apache2 restart
 * Restarting web server apache2                                  OK
root@server:/etc/ssl/certs# 

You will likely need to adjust the above for your needs, however on a clean server this would get you up and running.
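As an added example (not code from the original post), the following Python evaluates a Strict-Transport-Security header value the way a browser would, models the "each valid response resets the expiry" behaviour, and flags the header value used above: it carries preload without includeSubDomains, which the hstspreload.org submission requirements include alongside a max-age of at least one year. The header values passed in are constructed samples.

```python
# Added example: parse and evaluate a Strict-Transport-Security header value.
PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(value):
    """Parse HSTS directives (names are case-insensitive) into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(value):
    """Return the problems a practitioner would want flagged for this header."""
    p = parse_hsts(value)
    findings = []
    if p["max_age"] is None:
        findings.append("missing or invalid max-age: browsers ignore the header")
    elif p["max_age"] == 0:
        findings.append("max-age=0 clears the policy; site is not protected")
    elif p["max_age"] < PRELOAD_MIN_AGE:
        findings.append("max-age below one year; not eligible for the preload list")
    if p["preload"] and not p["include_subdomains"]:
        findings.append("preload requires includeSubDomains for preload list submission")
    return findings


class HstsStore:
    """Minimal model of a browser's HSTS cache: every valid response resets the expiry."""

    def __init__(self):
        self.expiry = {}  # host -> unix time after which the policy lapses

    def observe(self, host, value, now):
        p = parse_hsts(value)
        if p["max_age"] is None:
            return  # invalid header: the cached policy is left untouched
        if p["max_age"] == 0:
            self.expiry.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self.expiry[host] = now + p["max_age"]

    def must_use_https(self, host, now):
        return self.expiry.get(host, 0) > now
```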

Hope this helps!


Digitally signing email with S/MIME and Outlook 2016

You can use S/MIME certificates, also called “Digital Certificates” or “Personal Certificates”, with most email clients to digitally sign and/or encrypt email messages. In order to digitally sign or encrypt your email, you will need a digital certificate.

Get a certificate

For this example, we will use the free certificate service from Comodo.

Head over to: https://www.comodo.com/home/email-security/free-email-certificate.php

Another Option: https://www.entrustdatacard.com/products/digital-signing-certificates/secure-email-certificates

Once you sign up, you will receive an email with a link to download the digital certificate.

Installing the certificate

Click the link to obtain the certificate.  You will then need to import it.  My system automatically imported it, but as I was running Firefox it went into the Firefox certificate store, rather than the Windows Certificate Store used by Internet Explorer.

We need the certificate in the Windows Certificate Store so Outlook 2016 can use it.  I accessed the Firefox preferences to locate the certificate: Preferences > Privacy & Security > Certificates > Your Certificates > (Select Certificate) > Backup.  Choose a safe location and back up the certificate.  You can also delete it from the Firefox Certificate Store.

On the computer to which you’re importing the certificate:

  • Locate your certificate file, right-click the file, and click Install PFX.
  • When the Certificate Import Wizard starts, click Next.
  • On the “File to Import” page, click Next.
  • Enter the passphrase that you used to secure the private key, click Next.
  • On the “Certificate Store” page, leave the default option Automatically select the certificate store based on the type of certificate. Click Next.
  • Click Finish. To complete importing your certificate, click OK.

Also back up your certificate file (the one you just imported) to a safe and secure place.

OPTIONAL: Open the Certificates MMC if you would like to double check it's there.  (Start > Run > type: mmc > File > Add Snap-in > Certificates).

Configuring Outlook

Next we need to configure Outlook 2016 S/MIME.

  • Go to: File > Outlook Options > Trust Center > Email Security > Settings.
  • Under the “Security Settings Name” text box, enter a name; this will simply be a label for your security settings, e.g. “S/MIME”.
  • Next to “Signing Certificate”, click Choose…. Select your certificate and click OK.
  • Next to “Encryption Certificate”, click Choose…. Select your certificate and click OK twice.
  • To digitally sign all your messages, check ‘Add digital signature to outgoing messages’.

Digitally Sign Email

In Outlook, click New Email to compose a new message. Click the Options tab, and you will see:

Sign: This option digitally signs the message so others can be sure it came from you.
Encrypt: This option encrypts the message content and attachments.

You will see the icon next to signed messages.


Compatibility

Email clients not using S/MIME certificates will not be able to view encrypted email. Clients that cannot use S/MIME certificates include OWA accessed using Chrome, Firefox, and Safari.  Email recipients who use one of these clients will be unable to view an encrypted email. However, all mail clients can view digitally signed email.

More?

Digitally signing email with S/MIME and the iPhone / iOS


ROCA – Return of Coppersmith’s Attack

So it is big in the news this week, ROCA, what’s the deal?

I’m not going to cover this in detail yet, however here is what you need to know now:

The ROCA vulnerability (tracked as CVE-2017-15361) enables computation of RSA private keys from their public certificate/key counterparts.  The flaw affects the implementation of RSA key pair generation by Infineon’s Trusted Platform Module (TPM).  The attack is possible for a range of key lengths, including the commonly used 2048 bit and older 1024 bit certificates. Chips as early as 2012 are affected, and these are commonplace in TPM v1.1 modules.

Source: https://crocs.fi.muni.cz/public/papers/rsa_ccs17

A successful computation of a private key allows an attacker, depending on the key's use, to decrypt sensitive data (e.g. file encryption, disk encryption, HTTPS), forge digital signatures (used for email security and file signing), or even impersonate identities and commit identity theft (from access control cards to e-ID cards).

Major vendors including Microsoft, Google, HP, Lenovo and Fujitsu have already released software updates and guidelines for mitigation.

The ‘The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli’ (ROCA) research paper will be released at ACM CCS in two weeks’ time.

Recommended Reading & Tools (Online and Offline)



Deny access to all .php files in a folder using htaccess

In order to further harden a folder, for example an ‘uploads’ folder as used by WordPress, it may be appropriate to block the execution of key file types. If you have a specific folder where content can be more easily written, blocking execution of script files will help reduce the chance of an attacker executing a script, even if they are able to upload it.

A lot of attacks automatically identify vulnerable sites and then attempt to exploit them. These attack scripts then essentially report a list of exploited sites, which are then used in a second stage, such as relaying spam email.

By creating a .htaccess file within this specific folder on your Apache web server, you can more tightly control what content is served.

Hope this helps.


Samsung S6 won’t charge – Only white lightning bolt battery symbol, no charge light!

So I had a Samsung S6 that would not charge: when you plugged it in, the white lightning bolt battery symbol came on but no charge LED light. I suspected the charger or cable, but that didn’t help. I quickly came to the conclusion it could be the USB port.

Reset Keys!
I then found some posts about ‘hard restarting’ the phone by holding the home and power buttons together; it seems to work for some, but not me.

Factory Reset
Next was factory resetting the phone, by holding the home, volume up and power buttons together; no luck with this either. By this point the phone had no charge left at all, so it could be that this would have helped, but it was too little too late.

Wireless Charging
Next up was to try a wireless charger, yay! The phone started charging and is now working once more!

CLICK HERE for list of compatible Genuine Samsung and 3rd Party chargers for the Samsung S6 and similar phones on Amazon.

Hope this helps you!


Cisco ASA Unicast Reverse Path Forwarding Verification Was Disabled

If you have had a firewall audit, and your report states that ‘Unicast Reverse Path Forwarding Verification Was Disabled’ on your Cisco ASA then read on.

“Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. ” Cisco – https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html#1

Within the Cisco ASDM, Unicast Reverse Path Forwarding Verification is referred to as Anti-Spoofing / IP Spoofing.

Unicast RPF can be configured on the ASA Security Appliance on a per-interface basis, in ASDM:

Or with the following command:

ip verify reverse-path interface interface_name

Enjoy.


Security Hardening – Apache and PHP Information Disclosure

Do you want to reduce the version information that Apache and PHP are providing in the HTTP headers? This may help.

/etc/apache2/conf-available/security.conf

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
#ServerTokens Full
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off
ServerSignature Off

/etc/php5/apache2/php.ini

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off
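As an added example (not code from the original post), the following Python maps what an Apache Server header reveals back to the ServerTokens levels listed in security.conf above (Prod, Major, Minor, Minimal, OS, Full) and flags the X-Powered-By signature that expose_php = On adds, so you can confirm the hardening took effect. The two raw HTTP responses are constructed samples; the version numbers in them are made up.

```python
import re

# Constructed sample responses: one from an unhardened server, one after applying
# ServerTokens Prod, ServerSignature Off and expose_php = Off.
SAMPLE_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
)
SAMPLE_HARDENED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"


def parse_headers(raw):
    """Turn a raw HTTP response head into a dict keyed by lowercased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_tokens_level(server):
    """Infer the ServerTokens level from a Server header value (None if not Apache)."""
    m = re.match(r"Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(\s+\([^)]*\))?(.*)$", server)
    if not m:
        return None
    major, minor, patch, os_part, rest = m.groups()
    if rest.strip():          # module list after the OS: "Apache/2.4.x (Ubuntu) OpenSSL/..."
        return "Full"
    if os_part:               # "Apache/2.4.x (Ubuntu)"
        return "OS"
    if patch is not None:     # "Apache/2.4.x"
        return "Minimal"
    if minor is not None:     # "Apache/2.4"
        return "Minor"
    if major is not None:     # "Apache/2"
        return "Major"
    return "Prod"             # bare "Apache"


def disclosure_findings(raw):
    """List version-disclosure problems found in a raw HTTP response head."""
    h = parse_headers(raw)
    findings = []
    level = server_tokens_level(h.get("server", ""))
    if level is None:
        findings.append("Server header missing or not Apache")
    elif level != "Prod":
        findings.append(f"Server header at ServerTokens {level} detail: {h['server']}")
    if "x-powered-by" in h:
        findings.append(f"expose_php appears On: X-Powered-By: {h['x-powered-by']}")
    return findings
```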