Tag Archives: Security

Set SharePoint Content Database in Read-Only Mode

This weekend I am working on a SharePoint 2010 to 2013 upgrade.

One of the first steps I take is to put the databases being upgraded into read-only mode, so that neither users nor automated processes can modify the content databases during the upgrade window.

Now, I could have taken the system offline for this; that would be simpler, but inconvenient for anyone looking for information, and in IT it is all about the information, isn’t it. You can find my steps below.

SharePoint Application Server

  • I first logged into Central Administration on my SharePoint Server (SharePoint 2010).
  • Under Application Management, select Manage content databases.
  • Choose your web application and select the database.
  • You will notice that there is no option here to put the database into read-only mode; its status does, however, show that it is not currently read-only.
  • Keep this page open, as we will reload it later.

SharePoint SQL Database Server

  • Log into your Microsoft SQL Server host (or connect to it remotely) and launch SQL Server Management Studio (SSMS).
  • Connect to the SQL Server instance that hosts the content database.
  • Select the database in question.
  • Right-click and select Properties.
  • Under Properties, select Options.
  • Scroll down to the area headed “State”.
  • You will see Database Read-Only.
  • Change the value from False to True, then click OK.
  • You will see a warning that SQL Server must close all other connections to the database to make the change; active users are briefly disconnected, which is expected.
  • Click OK to continue.

Now you can go back to Central Administration on the SharePoint application server and reload the page; you will notice that the status has changed and the database is now in read-only mode.

Congrats, if you followed these steps you did it right.

Tech Short: CryptoLocker

CryptoLocker is a type of “ransomware” that encrypts the data on an infected computer so that it can’t be read and then demands payment to decrypt it.

A CryptoLocker attack may arrive from various sources; one common form is an email attachment disguised as a legitimate document. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key held only on the malware’s control servers.

After the initial infection a message is normally displayed to the computer user telling them to pay to regain access to their files. The targeted files are normally Office documents and photos, as these are the files individuals value most.

CryptoLocker typically propagates as an email attachment, or it is pushed to a computer already recruited into a botnet by an earlier trojan infection.

To protect yourself you should always keep your systems up to date, be vigilant when opening email attachments and when dealing with sites that attempt to download these infections to your computer.

Most CryptoLocker infections do not require the user to have elevated rights on the machine, as the malware simply targets anything the local user has access to.

The only way to recover from an infection is to restore the machine and its files from a clean backup. Bear in mind that the malware also encrypts mounted network drives and attached backup disks the user can write to, so the backup you restore from must be one the infected account could not reach, or a versioned copy taken before the infection.

I suggest using a real-time backup solution such as CrashPlan for something such as this as it supports version controls and point of time backup restoration.

I also suggest using Malwarebytes Free Anti-Malware to aid in cleaning up the infection; note, however, that removing the malware does not give you back files that have already been encrypted.

Additional Notes:

CryptoLocker does not need Administrator privileges to run, so don’t think you’re safe just because none of your users are domain or local admins. The CryptoLocker executable is dropped into the user’s %appdata% and/or %localappdata% folder, runs in the user’s own context and needs no privilege escalation.

One mitigation is to add Software Restriction Policies that stop executables from running out of the %appdata% and %localappdata% folders.

To do this

  • Open the Group Policy Editor
  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Software Restriction Policies
  • Right-click and select New Software Restriction Policies
  • Go into Additional Rules, right-click and select New Path Rule

Create new path rules for the following, each with the security level set to Disallowed:

%appdata%\*.exe – Disallowed
%localappdata%\*.exe – Disallowed

Note that an SRP wildcard does not cross folder boundaries, so these two rules only cover executables placed directly in those folders. To also catch executables dropped one level down (for example %appdata%\SomeFolder\evil.exe), add %appdata%\*\*.exe and %localappdata%\*\*.exe as well. Test the policy on a pilot group first: some legitimate software (ClickOnce applications, per-user installers and updaters) runs from these locations and will need explicit allow rules.
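As an added example (my own, not part of the original post), the following Python script shows what these path rules do and do not cover. It implements SRP wildcard matching (an asterisk never crosses a backslash), checks a few constructed paths against the rules above, and, on a live Windows host, walks every profile under C:\Users to list the executables the rules would block. The sample paths in SAMPLE_ENV and the C:\Users location are assumptions for the demonstration.

```python
import os
import re

# Constructed sample values for the demonstration (not from the original post);
# on a live Windows host scan_profiles() builds these per user profile.
SAMPLE_ENV = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
}

# The two rules from the post plus the one-level-down variants they miss.
RULES = [
    r"%appdata%\*.exe",
    r"%localappdata%\*.exe",
    r"%appdata%\*\*.exe",
    r"%localappdata%\*\*.exe",
]


def srp_rule_to_regex(rule, env):
    """Translate an SRP path rule into a compiled regular expression.

    SRP wildcards stop at folder boundaries: '*' matches any run of characters
    except a backslash and '?' exactly one such character. NTFS paths are
    case-insensitive, so the match is too.
    """
    def expand(match):
        name = match.group(1).lower()
        if name not in env:
            raise KeyError("unknown environment variable %%%s%%" % name)
        return env[name]

    expanded = re.sub(r"%([^%]+)%", expand, rule)
    pattern = []
    for ch in expanded:
        if ch == "*":
            pattern.append(r"[^\\]*")
        elif ch == "?":
            pattern.append(r"[^\\]")
        else:
            pattern.append(re.escape(ch))
    return re.compile("^" + "".join(pattern) + "$", re.IGNORECASE)


def matching_rules(path, rules=RULES, env=SAMPLE_ENV):
    """Return the rules, in policy order, that would block executing `path`."""
    return [r for r in rules if srp_rule_to_regex(r, env).match(path)]


def scan_profiles(users_root=r"C:\Users", rules=RULES):
    """On a live Windows host, walk every profile's AppData tree and report the
    executables the rules would block, as {path: [rules]}. Returns an empty
    dict where the profiles folder does not exist (e.g. on a non-Windows box)."""
    hits = {}
    if not os.path.isdir(users_root):
        return hits
    for profile in os.listdir(users_root):
        env = {
            "appdata": os.path.join(users_root, profile, "AppData", "Roaming"),
            "localappdata": os.path.join(users_root, profile, "AppData", "Local"),
        }
        for top in env.values():
            for root, _dirs, files in os.walk(top):
                for name in files:
                    full = os.path.join(root, name)
                    matched = matching_rules(full, rules, env)
                    if matched:
                        hits[full] = matched
    return hits


if __name__ == "__main__":
    for path, hit_rules in scan_profiles().items():
        print(path, "<-", ", ".join(hit_rules))
```

Run it as a domain admin on a representative workstation before enabling the policy; everything it lists is something the rules will stop, so anything legitimate in that output needs its own allow rule.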

Also, a message to my fellow systems admins:

If you are smart you will also block executable attachments, along with zip files that contain them, at the email gateway. This will effectively reduce the footprint of possible infections via email.

Communicate this with your management.

If they choose not to entertain alternative ways to transfer files, you can at least rest assured that you have taken the proactive security measures that you know, and are confident, are best.

Tech Short: Data Encryption

Data Encryption is the intentional scrambling of information into unreadable form – until it is later converted back into its original form by the intended recipient.

Looking for data encryption tools or info have a look below:

GNU Privacy Guard – GNU Privacy Guard (GnuPG) is a free, open-source implementation of the OpenPGP standard, compatible with the famed Pretty Good Privacy (PGP).

TrueCrypt – TrueCrypt is a free, powerful, on-the-fly disk encryption tool. This happens to be my very favorite tool. (Note: TrueCrypt development ended in May 2014 with a warning from its developers that it may contain unfixed security issues; VeraCrypt, a maintained fork, is the usual replacement.)

Pidgin-Encryption – Pidgin-Encryption is a plugin that transparently encrypts your Pidgin instant messages with RSA. It is simple to use; if you want peer-reviewed encryption with forward secrecy in Pidgin, Off-the-Record (OTR) messaging is the better-studied option.

SharePoint 2013: Upgrade to Claims Based Authentication

Claims-based authentication is an essential component to enable the advanced functionality of SharePoint 2013.

To move classic-mode web applications from SharePoint 2010 Products to SharePoint 2013, you can convert them to claims-based web applications within SharePoint 2010 Products, and then migrate them to SharePoint 2013.

The procedures in this post will address the issue I had faced after upgrading to SharePoint 2013 from 2010.

Because classic-mode authentication is officially deprecated by Microsoft, the web application needed to be converted to claims-based authentication.

During my testing I noticed that many (if not all) user accounts had issues logging into sites that had worked prior to the upgrade. I was removing and re-adding them to work around this issue, which was very tedious.

Using the Convert-SPWebApplication PowerShell command simplified this task.

Here are the steps I took

Launched SharePoint 2013 Management Shell as Administrator

Enter the following commands

Convert-SPWebApplication -Identity <URL> -To Claims -RetainPermissions

Please note the <URL> is the http:// address of your SharePoint 2013 web application. Example: http://corp.jermsmit.com. The -RetainPermissions switch is what fixes the login problem: it rewrites the existing Windows (classic) identities in the site ACLs as their claims equivalents (i:0#.w|domain\user), so users keep the permissions they had instead of having to be removed and re-added.

For more info check out: http://technet.microsoft.com/en-us/library/gg251985.aspx

Firefox: Add a Trusted Certificate Authority

By default Firefox keeps its own certificate store, separate from the operating system’s, pre-populated with well-known commercial Certificate Authorities. So when I pushed out an internal self-signed certificate today, Firefox did not recognize it as valid.

To correct this issue I did the following:

  • Launched Firefox
  • Opened the Options panel and selected Advanced
  • Selected View Certificates to access the Certificate Manager
  • On the Authorities tab, clicked Import, browsed to the exported CA certificate and imported it, ticking “Trust this CA to identify websites” when prompted. Without that trust setting the import has no effect on HTTPS validation.

I hope this helps.

Chat with no central authority using BitTorrent Chat

With the many communication platforms out today, it is hard for me, or anyone else for that matter, to recommend the one that is best for you. One thing is similar about many of them: they all rely on a centralized server to route and store your communication, and they keep what you have talked about on their servers.

Whoa!  Seriously, I kid you not. They do!

This means that at any time they could pull up your chat logs and the photos you have sent via chat, and one day use them. Now, if you are not doing anything via chat that you wouldn’t do in public, that isn’t a concern to you, now is it?

Well!!! Is it?

The point I am making is that all it takes is the wrong person(s) gaining access to your communication platform’s servers and databases, and your perceived privacy is gone.

So how do we solve such an issue?

Well, we have private chat programs that work peer to peer, but they are complex for the ordinary day-to-day user to set up and maintain.

Then we have BitTorrent Chat.

BitTorrent Chat uses public-key encryption to protect your privacy. There are no “usernames” and you are not required to log in to a central server. Instead, your identity is a cryptographic key pair. What does this mean? To other users you are simply a public key, so you do not need to tell anyone who you are. All you need to do is exchange public keys with another user and you can communicate.

Benefits:

Using public-key encryption provides a number of benefits. The most obvious is the ability to encrypt messages to your contact using your private key and their public key. Every time you begin a conversation with one of your contacts, a temporary encryption key is generated. Derived from both of your key pairs, this key exists for that one conversation only and is then deleted forever. So even if someone later gains access to your computer and takes your private key, they cannot recover past conversations: the history is gone, gone forever. This property is known as forward secrecy.

All of this relies on BitTorrent’s encrypted DHT, which is used here to translate a public key into an IP address, similar to the way BitTorrent clients find peers.
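To make the key-pair-as-identity and throwaway-conversation-key ideas concrete, here is an added Python example of my own; it is not BitTorrent Chat’s code and makes no claim about its actual protocol. Each user has a long-term key pair whose public half is their only name. Starting a conversation mixes both long-term keys with fresh ephemeral keys (a triple Diffie-Hellman, the construction used by Signal and similar messengers) into a one-off session key, which then protects messages with encrypt-then-MAC. The Diffie-Hellman group (RFC 2409 group 2) and the HMAC-based cipher are choices made so the example runs on the standard library alone; a production client would use X25519 and a real AEAD.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (group 2), generator 2. Chosen only so the
# example runs on the standard library; a real client would use X25519.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8
LABEL = b"chat-session-v1"
TAG_LEN = 32


def keygen():
    """Return (private, public). The public value is the user's whole identity."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key: what you read out to a contact to verify them."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def dh(priv, pub):
    """Diffie-Hellman shared secret as fixed-width bytes."""
    return pow(pub, priv, P).to_bytes(NBYTES, "big")


def session_key(my_id_priv, my_eph_priv, their_id_pub, their_eph_pub, initiator):
    """Triple Diffie-Hellman. The key depends on both long-term keys (so each
    side knows whom it is talking to) and on both fresh ephemeral keys (so the
    key is unique to this conversation). Initiator and responder order the
    three shared secrets so that both compute the same bytes."""
    if initiator:
        parts = (dh(my_eph_priv, their_eph_pub),   # ephemeral / ephemeral
                 dh(my_id_priv, their_eph_pub),    # my identity / their ephemeral
                 dh(my_eph_priv, their_id_pub))    # my ephemeral / their identity
    else:
        parts = (dh(my_eph_priv, their_eph_pub),
                 dh(my_eph_priv, their_id_pub),
                 dh(my_id_priv, their_eph_pub))
    return hashlib.sha256(LABEL + b"".join(parts)).digest()


def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, seq, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, seq, plaintext):
    """Encrypt-then-MAC under keys derived from the session key. `seq` is the
    per-direction message counter, so a replayed or reordered message fails."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(key, seq, sealed):
    """Return the plaintext, or None if the tag does not verify."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, seq, len(ct))))


def conversation(alice_id, bob_id, message):
    """One conversation end to end. Returns what survives it: the ciphertext on
    the wire and the public ephemerals. The ephemeral private keys go out of
    scope here, which is what gives forward secrecy."""
    a_eph, b_eph = keygen(), keygen()
    k_alice = session_key(alice_id[0], a_eph[0], bob_id[1], b_eph[1], True)
    k_bob = session_key(bob_id[0], b_eph[0], alice_id[1], a_eph[1], False)
    wire = seal(k_alice, 1, message)
    return {"wire": wire, "received": open_sealed(k_bob, 1, wire),
            "alice_eph_pub": a_eph[1], "bob_eph_pub": b_eph[1]}


def recover_from_identity_keys(alice_id_priv, bob_id_priv, alice_eph_pub, bob_eph_pub):
    """Best effort of someone who later steals BOTH long-term private keys and
    has the recorded transcript: only two of the three DH terms can be rebuilt.
    The ephemeral/ephemeral term needs a private key that was thrown away."""
    terms = dh(alice_id_priv, bob_eph_pub) + dh(bob_id_priv, alice_eph_pub)
    return hashlib.sha256(LABEL + terms).digest()
```

The thing to notice is recover_from_identity_keys: even with both users’ long-term private keys and a full capture of the traffic, the stolen material yields a wrong key, because the ephemeral private keys that would complete it no longer exist. That is all “the history is gone” means in cryptographic terms.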

So if you are interested sign up for the Private Alpha and let’s start communicating online the way it should be.

Here are some links you might be interested in:

Wikipedia article on BitTorrent’s version of the DHT

Wikipedia article on DHT technology in general

Wikipedia article on public key encryption

Wikipedia article on forward secrecy

I hope you enjoyed this post, please visit me on Facebook @ http://www.facebook.com/jermsmitcom & via twitter: #jermsmit

My Quick TOR Socks / Web Proxy

I originally performed similar steps to set up a Raspberry Pi for this purpose, later using a very small Ubuntu Server install.

  1. On a clean Ubuntu or Debian installation (recommended, not necessary), add the following repository to /etc/apt/sources.list: deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main
  2. To figure out the name of your distribution, run lsb_release -c (Ubuntu) or cat /etc/debian_version (Debian).
  3. Next, add the GPG key used to sign the Tor packages: gpg --keyserver keys.gnupg.net --recv-keys 886DDD89, then hand it to apt with gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - so that apt will trust packages from the new repository.
  4. Next type sudo apt-get update
  5. Then type sudo apt-get install deb.torproject.org-keyring (this keeps the signing key current from now on)
  6. Next type sudo apt-get install tor
  7. Once completed, Tor will be installed and listening on port 9050 on 127.0.0.1 of the host. To accept clients from your LAN, edit /etc/tor/torrc and set SocksPort to your server’s address and the port to listen on (for example SocksPort <server-ip>:9050). Also add SocksPolicy accept <your-lan-subnet> followed by SocksPolicy reject *; without a policy, anything that can reach that port can use your Tor node as an open proxy.
  8. Once completed, restart the tor service and test remotely from a machine on your network: point a web browser’s SOCKS proxy setting at your server and visit https://check.torproject.org/ . If all is working, the page will tell you that you are using the Tor network.

But what if you don’t want to use SOCKS, or an application or device has no setting for a SOCKS proxy? I encountered this same thing, and there is a fix for it.

Using Privoxy you can forward HTTP traffic over the computer’s current network connection, a VPN tunnel or, in our case, a SOCKS proxy.

  1. Back on your server, type sudo apt-get update, then sudo apt-get install privoxy
  2. Once installed, edit the following file: /etc/privoxy/config
  3. Add a listen-address and port for your client machines to use, for example listen-address <server-ip>:8118. Privoxy binds only to 127.0.0.1 by default; binding it to a LAN address exposes it to everything on that network, so keep it on a trusted segment or restrict it with a firewall rule.
  4. Set up a SOCKS5 forward so that all requests go to Tor. The line is forward-socks5 / 127.0.0.1:9050 . (the trailing dot is required; it means there is no further HTTP parent proxy). With forward-socks5, Privoxy hands the hostname to Tor for resolution, so DNS lookups also go through Tor instead of leaking to your local resolver.
  5. Restart the Privoxy service and you are good to test. As above, set up your web browser with the HTTP proxy settings and check https://check.torproject.org/ . All should be working and you have an always-on Tor network proxy.

For more info on TOR: https://www.torproject.org

dSploit – An Android network penetration suite

Not to cause paranoia, but just know that there are people out there looking to compromise your security, especially when you are using wireless networks from your laptop, tablet or smartphone.

One such tool is the well-known dSploit, a security toolkit for Android that makes that process simple enough that anyone can do it.

This network analysis and penetration suite aims to offer IT security experts and geeks the most complete and advanced professional toolkit for performing network security assessments from a mobile device.

Once dSploit is started, you will be able to easily map your network, fingerprint the operating systems and running services of live hosts, search for known vulnerabilities, crack the log-on procedures of many TCP protocols, and perform man-in-the-middle attacks such as password sniffing with dissection of common protocols, real-time traffic manipulation, etc. Use it only on networks you own or are authorized to test.

Requirements

An Android device running at least version 2.3 (Gingerbread) of the OS.
The device must be rooted.
The device must have a full BusyBox install.

A full list of features can be found here: http://www.dsploit.net/features

Twitter Wants to Start Tracking You

Many sites do it today, why not Twitter right?

Today Twitter announced that they will be experimenting with targeted ads. What this means is that they are going down the same path as well-known sites such as Facebook: tracking you around the web and sharing information about you with advertisers. For now there is a way to opt out, but as we have all experienced in the past (and should learn from), eventually the only way to opt out will be to stop using the service.

One thing I can say about this is they are being honest and upfront about it.

For now, to opt-out of the new tracking:

  1. Log in to Twitter and visit your account settings page.
  2. Uncheck the box that says “Tailor Twitter based on my recent website visits.”
  3. Uncheck the box that says “Tailor ads based on information shared by ad partners.”
  4. Scroll down and click “Save Changes.”

Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.”

In my previous post I was banging my head against an Exchange 2013 issue. I was finally able to resolve it, and it took some steps to do so…

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.”

After an Exchange 2013 install I found myself having issues sending email between two Exchange servers, 2010 and 2013. Messages on both servers sat stuck in the mail queue.

Full message reads: 451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

This issue occurs because the Exchange servers cannot authenticate to one another. This authentication is required for Exchange to route mail internally: the servers authenticate using the X-EXPS ESMTP verb (Exchange Server authentication, negotiated over GSSAPI). The error appears when a server does not have this authentication method enabled on its receive connector.

In my case that was not the cause; something else was preventing the X-EXPS command from getting through, and that was our Cisco security appliance/router. The ESMTP extensions X-ANONYMOUSTLS and X-EXPS, and the GSSAPI authentication carried over X-EXPS, must all be able to pass between the servers. I will get to this a bit later…

In my adventure to troubleshoot this issue I worked through the following steps (thank you Microsoft for providing the details). While useful, they did not directly solve the overall issue. The steps are below.

Step 1 – Enable Exchange Authentication on Receive Connectors

For Microsoft Exchange Server 2013 remote servers:

  1. Open the Exchange Administration Center (EAC) at https://<CAS>/ECP
  2. Sign in to the EAC using the administrator account.
  3. Click mail flow.
  4. Click receive connectors.
  5. In the Select server box, select the remote Exchange server that the email message should be sent to. Note: to determine the correct Exchange server, review the send protocol logs on the server where the email message is stuck.
  6. Select the receive connector and then click Edit. Note: typically the receive connector is the Default <server_name> receive connector for the remote Exchange server.
  7. Click security and, under Authentication, make sure that the Exchange Server authentication check box is selected.

For Microsoft Exchange Server 2007 or 2010 remote servers:

  1. Start Exchange Management Console.
  2. Expand Server Configuration and then click Hub Transport.
  3. Click the Receive Connectors tab.
  4. Locate the receive connector on the remote Exchange server that the e-mail message is trying to reach.
  5. Right-click the receive connector and then click Properties.
  6. On the Authentication tab, make sure that the Exchange Server authentication check box is selected.

For Microsoft Exchange Server 2003 remote servers:

  1. Start Exchange System Management.
  2. Expand the Servers container.
  3. Under the problematic remote Exchange server, locate the Protocols container.
  4. Expand the Protocols container, right-click SMTP.
  5. Right-click Default SMTP Virtual Server and then click Properties.
  6. Click the Access tab and then click Authentication.
  7. Make sure that the Integrated Windows Authentication check box is selected.

As I mentioned above this did not resolve my issue as this was already enabled, so I went onto the next step in troubleshooting the problem.

Step 2 – Event ID 12014 (MSExchangeTransport)

I had for some time been seeing many errors in my Application event log with Event ID 12014, stating that the TLS certificate for SMTP was no longer valid. Event message below.

Log Name:      Application
Source:        MSExchangeTransport
Date:          7/3/2013 4:30:06 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      exchange.jermsmit.com

Description:

Microsoft Exchange could not find a certificate that contains the domain name mail.jermsmit.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector To Internet with a FQDN parameter of mail.jermsmit.com. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

To correct this I opened the Exchange Management Shell on my Exchange 2010 server and entered: New-ExchangeCertificate -DomainName mail.jermsmit.com -Services SMTP, followed by a restart of the transport service (I did this on both servers). Note that this creates a new self-signed certificate and enables it for SMTP; if you already have a CA-issued certificate covering the connector FQDN, use Enable-ExchangeCertificate -Services SMTP on that certificate instead, as the event text suggests.

I tested out my change and now the event error message is gone however I am still unable to send email between the Exchange Servers.

Step 3 – Back to the basics

I later logged into each Exchange host (2010/2013) and used telnet to connect to the other host’s SMTP port. The banner I got back was 220 ****************************************************, which is not the proper response from Exchange (Exchange greets with its FQDN and “Microsoft ESMTP MAIL Service”). A banner that has been replaced with asterisks is the signature of a firewall doing SMTP inspection.

Then it was apparent that a firewall was blocking the communication between one Exchange host and the other. In my case it was a Cisco ASA with its Mailguard feature turned on by default. The AUTH and AUTH LOGIN commands, and the other Extended Simple Mail Transfer Protocol (ESMTP) extensions Exchange relies on, are stripped by the firewall.

So the logical thing was to turn it off. This was done by entering the following command:
no fixup protocol smtp 25

On ASA 7.0 and later the same feature is the inspect esmtp action in the global service policy, and the fixup command above is the legacy PIX syntax that the ASA maps onto it. Be aware that disabling it switches off SMTP command filtering for all mail passing through that interface; a narrower fix is to exclude just the server-to-server traffic from the inspection class.

Once this command was issued I restarted the transport services on each host and, to use an old coined phrase, “You’ve Got Mail”: I was back in business.
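The telnet check in Step 3 is the decisive test, and it can be scripted. The Python below is an added example of mine (not from Microsoft or the original post): it reads the banner, sends EHLO, and reports whether the extensions the servers need are advertised, flagging the all-asterisks banner that inspection leaves behind and tying a missing STARTTLS back to the Event ID 12014 certificate problem from Step 2. The two sample replies are constructed for the demonstration, not captured from the servers in this post.

```python
import socket

# Constructed sample replies for the demonstration (not captured from real servers).
HEALTHY_BANNER = ("220 exchange.jermsmit.com Microsoft ESMTP MAIL Service ready at "
                  "Wed, 3 Jul 2013 16:30:06 -0400")
HEALTHY_EHLO = "\r\n".join([
    "250-exchange.jermsmit.com Hello [10.0.0.5]",
    "250-SIZE 37748736",
    "250-PIPELINING",
    "250-DSN",
    "250-ENHANCEDSTATUSCODES",
    "250-STARTTLS",
    "250-X-ANONYMOUSTLS",
    "250-AUTH NTLM",
    "250-X-EXPS GSSAPI NTLM",
    "250-8BITMIME",
    "250-BINARYMIME",
    "250-CHUNKING",
    "250 XEXCH50",
])
# The symptom seen through a firewall doing SMTP inspection: banner masked,
# Exchange-specific extensions gone (constructed illustration).
MASKED_BANNER = "220 ****************************************************"
MASKED_EHLO = "\r\n".join([
    "250-exchange.jermsmit.com Hello [10.0.0.5]",
    "250-SIZE 37748736",
    "250-PIPELINING",
    "250-DSN",
    "250-ENHANCEDSTATUSCODES",
    "250-STARTTLS",
    "250-AUTH NTLM",
    "250-8BITMIME",
    "250 CHUNKING",
])


def parse_ehlo_response(text):
    """Turn a multi-line 250 reply into {EXTENSION: [parameters]}."""
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO not accepted: %s" % (lines[0] if lines else "<empty>"))
    extensions = {}
    for ln in lines[1:]:            # lines[0] is the greeting, not an extension
        fields = ln[4:].split()
        if fields:
            extensions[fields[0].upper()] = [f.upper() for f in fields[1:]]
    return extensions


def diagnose(banner, ehlo_text):
    """Return a list of findings; an empty list means the path looks clean."""
    findings = []
    body = banner[3:].strip()
    if body and set(body) == {"*"}:
        findings.append("banner replaced with asterisks: an SMTP-inspecting firewall "
                        "(e.g. Cisco ASA ESMTP inspection / Mailguard) is in the path")
    ext = parse_ehlo_response(ehlo_text)
    if "STARTTLS" not in ext:
        findings.append("STARTTLS not advertised: no usable certificate for the "
                        "connector FQDN (see Event ID 12014)")
    if "X-ANONYMOUSTLS" not in ext:
        findings.append("X-ANONYMOUSTLS not advertised")
    if "X-EXPS" not in ext:
        findings.append("X-EXPS not advertised: Exchange Server authentication is "
                        "disabled on the receive connector or stripped in transit")
    elif "GSSAPI" not in ext["X-EXPS"]:
        findings.append("X-EXPS advertised without GSSAPI")
    return findings


def _read_reply(rfile):
    """Read one SMTP reply; the final line has a space after the code."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by peer")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            return "\r\n".join(lines)


def probe(host, port=25, helo_name="probe.example.invalid", timeout=10):
    """Connect to an SMTP host, read the banner, send EHLO; return (banner, ehlo)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = _read_reply(rfile)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        return banner, ehlo


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "exchange.jermsmit.com"
    for finding in diagnose(*probe(target)) or ["no problems found"]:
        print(finding)
```

Run it from each Exchange server against the other. A clean result from both directions but mail still queuing points back at the connector configuration from Step 1; an asterisk banner or missing X-EXPS points at whatever sits on the network path between them.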


Info Resources:

http://support.microsoft.com/kb/979175

http://technet.microsoft.com/en-us/library/bb123786(v=exchg.65).aspx

http://support.microsoft.com/kb/320027