Security

Fix for Checkpoint VPN tunneling Option being grayed out on Check Point Endpoint Security Client

I noticed that my Windows VPN client on my computer was forcing all traffic through the gateway of my VPN endpoint. Something that in most cases would be find however this limited my ability to access local network resources in addition to browsing the internet via my local internet provider (Split Tunneling).

What I soon noticed was that I could not remove the setting that encrypted all traffic, routing it to the gateway

To make these changes to the client the following needs to be done.

Step 1: Modify configuration allowing for trac.config to be edited as its obscured for security purpose.

  1. Exit the Check Point Endpoint Security Client
  2. Stop the “Check Point Endpoint Security” service
  3. Edit c:\program files (x86)\checkpoint\endpoint connect\trac.defaults

Change the top line from:

OBSCURE_FILE INT 1 GLOBAL 0

to

OBSCURE_FILE INT 0 GLOBAL 0

Step 2:

  1. Start the “Check Point Endpoint Security” service
  2. Start the Check Point Endpoint Security client
  3. Verify that the c:\program files (x86)\checkpoint\endpoint connect\trac.config file is de-obscured.
  4. Shutdown the Check Point Endpoint Security Client
  5. Stop the “Check Point Endpoint Security” service
  6. Edit c:\program files (x86)\checkpoint\endpoint connect\trac.config

Search and edit the following line:

From: <PARAM neo_route_all_traffic_through_gateway=”false”></PARAM>

To: <PARAM neo_route_all_traffic_through_gateway=”true”></PARAM>

Step 3:

  1. Delete c:\program files (x86)\checkpoint\endpoint connect\trac.config.bak
  2. Start the “Check Point Endpoint Security” service
  3. Start the Check Point Endpoint Security Client

Notes: Pros and Cons of Split VPN you should know about

Pros

If you are going to split tunnel, then you are going to reduce the overall bandwidth impact on your Internet circuit. Only the traffic that needs to come over the VPN will, so anything a user is doing that is not “work related” will not consume bandwidth. In addition, anything external to your network that is also latency sensitive will not suffer from the additional latency introduced by tunneling everything over the VPN to the corporate network. Users will get the best experience in terms of network performance, and the company will consume the least bandwidth.

Cons

If security is supposed to monitor all network traffic, and protect users from malware and other Internet threats by filtering traffic, users who are split tunneling will not get this protection and security will be unable to monitor traffic for threats or inappropriate activity. Traffic to websites that use HTTPS will still be protected, but other traffic will be vulnerable.

Ref: https://www.cpug.org/forums/archive/index.php/t-14545.html

Check Point 600 Appliance Software Blade Stuck in Updating status

Recently I had a chance to get my hands on this excellent Firewall by Checkpoint. And as you know not everything goes perfectly, and this is where you get a chance to learn how it works, while you fix.

I encountered an issue where one of the Threat Prevention Blades was stuck in updating mode for several hours. I had logged into the appliance via SSH to view to CPU utilization and observed nothing which would indicate an issue.

I started thinking about what events occurred which may have caused this. So I looked at the auto update schedule for the blades and noticed that all 3 blades where set to upgrade simultaneously.

I have observed that these updated can causes very high consumption of CPU and which that perhaps the blade with the issue became stuck in an upgrading status.

To address this situation, I issued the update command from the CLI :

  1. Log into the firewall via SSH
  2. Enter into expert mode by typing ‘expert’ in the CLI – You will be asked for your expert password. Once in export you will be in a standard Linux bash prompt.
  3. Run the following while in expert mode depending on which update you require:
  • Anti-Virus Blade: [Expert@jermsmit.com]# online_update_cmd -b AV -o update
  • IPS Blade: [Expert@jermsmit.com]# online_update_cmd -b IPS -o update
  • Application Control Blade: [Expert@jermsmit.com]# online_update_cmd -b APPI -o update

 

Now return and refresh your webUI and you should notice that the blade(s) that were once stuck in the upgrading status are now showing up to date.

Office 365 IRM & Azure Rights Management

I recently configured IRM to protect documents and email communications as part of a security initiative.

Information Rights Management (IRM) in Exchange Online uses Active Directory Rights Management Services (AD RMS), an information protection technology service in Office 365. IRM protection is applied to email by applying an AD RMS rights policy template to an email message. Usage rights are attached to the message itself so that protection occurs online and offline and inside and outside of your organization’s firewall

Need to know info:

  • Time to complete this task: 30-60 minutes
  • You need to be assigned admin permissions to manage IRM
  • Knowledge of using Windows PowerShell to connect to Exchange Online

Steps Taken:

Step 1: Activating Azure Rights Management

  1. Log into the Office 365 admin center
  2. In the left pan expand the services settings
  3. Click Rights Management
  4. On the Rights Management page, click Manage
  5. On the Rights Management page, click Activate
  6. You will be prompted with the question: Do you want to activate Rights Management? click activate.

You should now see Rights Management is activated

Step 2: Using Exchange Management Shell to log into Office 365

Here I use PowerShell ISE to step through he process

# Login to the Office 365 Account

Set-ExecutionPolicy RemoteSigned

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Step 3: Use the Exchange Management Shell to configure the RMS Online key sharing location in Exchange Online

#Displaying the IRM Configuration

Get-IRMConfiguration

# List of Locaitons

#North America https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc

#European Union https://sp-rms.eu.aadrm.com/TenantManagement/ServicePartner.svc

#Asia https://sp-rms.ap.aadrm.com/TenantManagement/ServicePartner.svc

#South America https://sp-rms.sa.aadrm.com/TenantManagement/ServicePartner.svc

#Office 365 for Government (Government Community Cloud) https://sp-rms.govus.aadrm.com/TenantManagement/ServicePartner.svc

Set-IRMConfiguration -RMSOnlineKeySharingLocation “https://sp-rms.na.aadrm.com/TenantManagement/ServicePartner.svc”

#Checking that the configraiton was applied

Get-IRMConfiguration

Step 4: Importing Trusted Publishing Domain (TPD) from RMS Online

Import-RMSTrustedPublishingDomain -RMSOnline -name “RMS Online”

Test-IRMConfiguration -RMSOnline

Step5: Enabling IRM in Exchange Online

Set-IRMConfiguration -InternalLicensingEnabled $true

Step 5: Testing the IRM configuration

Get-IRMConfiguration

Test-IRMConfiguration -Sender jsmith@jermsmit.tld

Expected Results should show that each area verified has passed

Ref Links:

https://technet.microsoft.com/en-us/library/jj983436(v=exchg.150).aspx

https://support.office.com/en-us/article/Set-up-Information-Rights-Management-IRM-in-SharePoint-admin-center-239ce6eb-4e81-42db-bf86-a01362fed65c

Summery  image of my PowerShell ISE

 

Activating RMS in Office 365

Microsoft Azure Rights Management provides a comprehensive policy-based enterprise solution to help protect your valuable information, no matter whom you share it with.

These policies help improve data security using both Both Information Rights Management and Office 365 Message Encryption

To activate rights management:

  1. Log into Office 365 with an account which has been assigned an administrator role. To do this simply go to the portal site: https://portal.office.com
  2. Click on admin to enter the Office 365 admin center via the admin app icon

  3. In the left pane, expand the service settings
  4. Click on Rights Management to enter the Rights Management dashboard
  5. Here on the dashboard, click on Manage
  6. Click on Activate to active Rights Management

For additional options and steps please have a log over on technet

 

Thanks for visiting – jermal

Tech Short: Change Password VMware vCenter 6

The day would come where I would need to change my password in vCenter… Today was that day; Thankfully vCenter places am informative notice of your expiring password.

Here is how you can change your password using vCenter 6:

Log into vCenter 6

  1. Click Home.
  2. Click Administration.
  3. Click Single Sign-On > Users and Groups.
  4. Click the Users tab.
  5. Right-click the affected user account, selecting edit user
  6. Enter in the current password, followed by your new (it could be the same, I don’t ever recommend this practice)
  7. Click OK to save changes.

 

I hope you enjoyed this techshort, thanks for visiting – jermal

Disable Windows Firewall Server Core

Server Core now installed and what is the first command I choose to run in PowerShell

Its a command to disable all firewall profiles:

 

Windows 10 Enterprise 2015 LTSB, What’s That?

If you pondered on what is “LTSB”. Here is some “shared” info for you.

What is the Long Term Servicing Branch?

“Windows 10 uses a new approach to providing updates to users. Traditionally Microsoft would release a version of Windows and then provide updates such as security and bug fixes, but not add any major, new functionality. Every few years Microsoft would release a new version of Windows that contains updates and new features but this meant customers would always have to wait years for new functionality. With Windows 10, Microsoft is giving users greater choice in how they receive new features with the introduction of a long-term servicing branch (LTSB) and a current branch (CB) version.

The LTSB is similar to how versions are delivered today with a new one delivered every couple of years and in between each new version Microsoft will provide security updates, bug fixes and so on. Alternatively, customers can choose to use the CB method which provides security updates, bug fixes, and new features every few months.

When each LTSB is released it will converge with the currently existing CB, allowing customers to transition from CB to LTSB, in the event they decide they no longer want to receive updates so frequently. Customers using LTSB will be able to upgrade between LTSB builds and likely one additional time prior LTSB (current Windows 8.1 would count as a LTSB).”

source of info shared here

To sum this up in a short way:
The Long Term Servicing Branch versions of Windows 10 act like older versions of Windows in that you will still receive security patches and bug fixes through Windows Update but you will not receive enhancements and new feature upgrades.

Office 365: Self Service of Distribution Groups

The ability to self service the creation of distributions groups has been a feature for quite some time in my Exchange experiences.  Now that I am in Office 365 / Exchange Online this functionally is no longer available for synced groups. This now forces the enlistment of the support department to facilitate all mortification for the end user.

Looking into this to get an understanding as to why this is, I’ve learned that if you’re an Office 365 Exchange Online customer and currently utilizing Directory Synchronization (DirSync) between an on-premise Active Directory and Office 365’s Azure Active Directory you will face such incidents as the objects on the Office 365 are in read only mode and are updated via the synchronization that has been put in place

You are even given a a little message when you attempt to make modification to groups:  The action ‘Update-DistributionGroupMember’, ‘Identity,Members’, can’t be performed on the object ‘Group Name’ because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Now aware of this limitation that exist around group modification due to them being read only how do I work like this? I have the following two ideas to work with.

One: 

One method is to go old school and use the Use the ‘Find Users, Contacts and Groups’ tool to allow group modification. However there is an issue regarding the fact that the computer used needs to be a member of the domain and at the time of change also connected to the on premise domain network (internal or via vpn).

Note: After changes have been made the condition of waiting for Directory Synchronization (DirSync) to complete its sync cycle must take place.  This can take up to 3 hours time.

 

Two:

The Second method is to change all Directory Synchronization (DirSync) Distribution Group Objects to the Azure Active Directory and make the On-Clound

SOTD: Statement from MARKETING & TECHNOLOGY GROUP, INC.

Another case of Monday morning spam/malware

– message body –

Dear Customer :

Your statement is attached. Please remit payment at your
earliest convenience.

Thank you for your business – we appreciate it very
much.

Sincerely,

MARKETING & TECHNOLOGY GROUP, INC.

– end of message –

 – message also has a file attachment –

docs2015.zip

– inside of the zip file is an executable –

docs2015.exe

Virus Found: Win32/Kryptik.DBCZ trojan

– end –

Please note:  The company associated with the domain used for this email may not have any knowledge of this email being sent out as its clearly forged.

The best suggestion is to delete this if your spam / malware /antivirus solution has not.

 

Microsoft Security Bulletin: Windows, IE, Exchange and Office

Microsoft has released their Advance Notification for the December 2014 security bulletins. There will be a total of seven bulletins, three of which will update critical vulnerabilities. 

Critical update affects Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008

The critical update also affect Exchange Email Product Line as well as Office 2010. Office 2013 and even Office Web Apps.

So it looks like there is a need to patch as soon as these are released.

Don’t forget to patch, and update your  MSRT (Malicious Software Removal Tool)

Source:  zdnet

For more info and details:  Microsoft Security Bulletin Advance Notification for December 2014

https://technet.microsoft.com/library/security/ms14-dec