
Sophos Active directory authentication with SSL/TLS Failure

I attempted to set up AD authentication on a Sophos Firewall and kept getting the following error: "Test connection failed as server is down or unreachable".

The connection would work successfully when using Plaintext, but fail when using SSL/TLS or STARTTLS.

The root issue was that the Domain Controller I was trying to connect to did not have an SSL certificate associated with it, so it could not offer one on the SSL/TLS or STARTTLS port. You could purchase an SSL cert that matches the FQDN, or set up an internal CA service, but if you need a quick and dirty solution you can generate a self-signed cert and add it as a trusted CA.

  1. Open PowerShell as Administrator.
  2. Type in the following command to create a self-signed cert:
     New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "fqdn-of-server" -FriendlyName "Server Cert" -NotAfter (Get-Date).AddYears(10)
  3. Next, copy the generated cert, which will reside under the Personal\Certificates store, to the Trusted Root Certification Authorities\Certificates store.

Now you should be able to test using any of the other connection security methods successfully.
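The same three steps scripted end to end, followed by the two checks that tell you whether the fix actually took: the thumbprint must be present in the Root store, and an LDAPS bind to port 636 must succeed. This is an added example, not code from the original post or from Sophos; it assumes it runs in an elevated PowerShell on the Domain Controller itself, and `$DcFqdn` is a placeholder for the DC's real fully qualified name.

```powershell
# Added example (not from the original post): script the self-signed LDAPS
# certificate steps and verify that the DC now answers over SSL/TLS.
# Assumptions: elevated PowerShell on the Domain Controller; $DcFqdn is a
# placeholder for the DC's fully qualified name.
$DcFqdn = 'dc01.example.internal'   # placeholder, replace with the real FQDN

# 1. Self-signed certificate in the machine's Personal store. The DnsName must
#    match the name the firewall is configured to connect to, otherwise the
#    firewall's name check fails even when the certificate is trusted.
$cert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' `
    -DnsName $DcFqdn -FriendlyName 'Server Cert' `
    -NotAfter (Get-Date).AddYears(10)

# 2. Copy the public part into Trusted Root Certification Authorities so the
#    chain validates locally. Only the certificate is exported, never the key.
$cerPath = Join-Path $env:TEMP 'ldaps-selfsigned.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Check: the same thumbprint must now be in the Root store.
$inRoot = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $inRoot) { throw "Certificate $($cert.Thumbprint) is not in the Root store" }

# 4. Check: bind to the DC over LDAPS (636) the way the firewall will.
#    This is the connection that fails with "server is down or unreachable"
#    while the DC has no server certificate to present.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection("$($DcFqdn):636")
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $ldap.Bind()
    Write-Host "LDAPS bind to $DcFqdn succeeded"
} catch {
    Write-Warning "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $ldap.Dispose()
}

# $cerPath is the file to import on the firewall side as a trusted CA if it
# validates the server certificate: a self-signed cert is trusted only where
# it has been explicitly imported.
```

The bind check uses the client's own trust store, so a failure here after step 3 points at the DC not yet serving the new certificate rather than at the firewall configuration.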

Manage Bitlocker with PowerShell / Command Prompt

When enabling Bitlocker on computers remotely using an RMM tool, the following manage-bde and PowerShell commands will assist in the process.

View the current status of Bitlocker on a machine.
manage-bde c: -status

Add a key protector so the machine can be encrypted. This is useful on some OEM machines that come with Bitlocker enabled, but no key can be retrieved from the machine.
manage-bde c: -protectors -add -rp

Backup the Bitlocker keys to Active Directory
manage-bde -protectors -adbackup c: -id "{3500023E-381E-449B-878B-0CD1067DCD79}"

Note that the ID is the unique ID shown in the output of the manage-bde c: -protectors -add -rp command. You will need to wrap the ID, braces included, in quotation marks, as in the command above.

Lastly, if you need to require a user to login to the machine with a PIN, you can use the following command, in addition to those above:
manage-bde -protectors -add c: -TPMAndPIN

From there, you will enter the desired PIN and test by rebooting the machine.

PowerShell Script

$Pin = ConvertTo-SecureString "205020" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -Pin $Pin -TPMandPinProtector -UsedSpaceOnly
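The manage-bde steps above, rolled into one script suited to running from an RMM tool. It is an added example, not code from the original post: it uses the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector) so the protector ID is read from the volume object instead of being copied from manage-bde output by hand, and it adds a recovery password only when none exists. It assumes an elevated session on a domain-joined Windows 10/11 machine with a TPM, and that the PIN is passed in as a parameter rather than written into the file.

```powershell
# Added example (not from the original post): the manage-bde workflow above as
# one script for RMM deployment. Assumptions: elevated PowerShell, domain-joined
# Windows 10/11 with a TPM and the BitLocker module available.
param([securestring]$Pin)   # pass the PIN in from the RMM job; do not embed it

function Ensure-RecoveryPasswordInAD {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Equivalent of "manage-bde c: -status": report what is there before changing it.
    Write-Host ("{0}: status={1} protection={2} protectors={3}" -f $MountPoint,
        $vol.VolumeStatus, $vol.ProtectionStatus,
        ($vol.KeyProtector.KeyProtectorType -join ','))

    # Equivalent of "manage-bde c: -protectors -add -rp", but only when no recovery
    # password exists, so the volume does not accumulate several 48-digit keys.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Equivalent of "manage-bde -protectors -adbackup c: -id {GUID}": the GUID
    # comes from the protector object, nothing to copy by hand.
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "Backed up protector $($p.KeyProtectorId) to Active Directory"
    }
    return $rp
}

function Enable-TpmAndPin {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Enable-BitLocker is for a volume that is not yet encrypted; on an already
    # encrypted volume (OEM pre-enabled BitLocker) add the protector instead.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -Pin $Pin -TpmAndPinProtector -UsedSpaceOnly | Out-Null
    } else {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -Pin $Pin -TpmAndPinProtector | Out-Null
    }
}

# Escrow the recovery password first, so a machine is never left with a PIN
# requirement and no key on record.
Ensure-RecoveryPasswordInAD -MountPoint 'C:' | Out-Null
if ($Pin) { Enable-TpmAndPin -MountPoint 'C:' -Pin $Pin }
```

Two caveats a practitioner will hit: adding a TPM+PIN protector is refused unless the BitLocker group policy "Require additional authentication at startup" allows a startup PIN, and a PIN literal in a script (as in the snippet above) is readable by anyone who can view the RMM job, which is why this version takes it as a parameter.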

Automatically Move Archived Event Logs to another Location

I have a client who requires security event logs be kept. They enabled archive log retention on the Security Event Logs, but it kept filling up their C: drive.

To remedy this, I created a PowerShell script that moves these files to another location once they are 7 days old, and then used Task Scheduler to automate the process. Here are the steps.

The source folder where these logs are stored: C:\Windows\System32\winevt\Logs
The destination folder where they want the logs moved to: E:\Windows-System32-winevt-Logs

Created a PowerShell script for this process:
Get-ChildItem -Path "C:\Windows\System32\winevt\Logs" -Filter "Archive-Security*.evtx" | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7) } | Move-Item -Destination "E:\Windows-System32-winevt-Logs" -Verbose

Created a new Task Scheduler task called AutoMove Security Logs. Its Action is set to run PowerShell with the following arguments: -ExecutionPolicy Bypass C:\support\AutoMove_SecurityLogs.ps1
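The same move as a script that records what it moved, plus the scheduled task registered from PowerShell instead of the Task Scheduler GUI. This is an added example, not the post's own script or task: it assumes the source and destination paths from the post, that the script is saved as C:\support\AutoMove_SecurityLogs.ps1, and that the registration runs from an elevated session.

```powershell
# Added example (not from the original post): archive-log move with a run log,
# and registration of the scheduled task from PowerShell.
# Assumptions: paths as in the post; script saved as
# C:\support\AutoMove_SecurityLogs.ps1; registration run elevated.

# ---- contents of C:\support\AutoMove_SecurityLogs.ps1 ----
$Source      = 'C:\Windows\System32\winevt\Logs'
$Destination = 'E:\Windows-System32-winevt-Logs'
$MaxAgeDays  = 7
$LogFile     = 'C:\support\AutoMove_SecurityLogs.log'

# Create the destination if it is missing. Without this, Move-Item would rename
# the first .evtx file to the destination path instead of moving it into a folder.
if (-not (Test-Path -LiteralPath $Destination -PathType Container)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$moved = Get-ChildItem -LiteralPath $Source -Filter 'Archive-Security*.evtx' -File |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        Move-Item -LiteralPath $_.FullName -Destination $Destination -ErrorAction Stop
        $_.Name   # emit the name so the run log lists every file moved
    }

"{0:u} moved {1} file(s): {2}" -f (Get-Date), @($moved).Count, ($moved -join ', ') |
    Add-Content -Path $LogFile
# ---- end of script ----

# Register the task once (the PowerShell equivalent of the GUI task above).
# It runs as SYSTEM because winevt\Logs is not writable by ordinary users, so
# C:\support itself must be writable only by administrators: anyone able to edit
# the .ps1 would otherwise get code execution as SYSTEM on the next run.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\support\AutoMove_SecurityLogs.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'AutoMove Security Logs' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null
```

The run log gives the client a record of which archived Security logs left the server and when, which matters when the reason for keeping them is a retention requirement.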

Get iOS Device in Supervised Mode

When using Sophos Mobile or any other MDM solution, putting a device in Supervised mode unlocks additional management capabilities.

Requirements for putting a device in Supervised Mode:
– Apple Mac Computer running the Apple Configurator App
– iOS or iPad OS device will need to connect to that computer via USB cable
– This process will require the device to be wiped. All settings and content will be erased. 

Step by Step Process

  1. On the Mac computer, download and install the Apple Configurator App.
  2. In the Configurator App, select Account and log in with the Apple Business Manager account. Select the appropriate Location: this is the business that the iOS device will be deployed to.
  3. Connect your device to the computer using a USB cable and select Trust when prompted on your iPad. Turn off Find My iPad by tapping Settings > Apple ID, then iCloud.
  4. In the Configurator App, right-click the device and select Prepare.
  5. Prepare with Manual Configuration and select both Supervise devices and Allow devices to pair with other computers.
  6. In the next section, select Do not enroll in MDM.
  7. Select the appropriate location.
  8. Leave All Steps selected and click Prepare. It will ask to erase the device to continue, which you will agree to.
  9. If you go into the Settings app, you should see that the device is now in Supervised Mode.

Upgrade to SQL 2019 Express for Veeam Backup

Veeam has been shipping with SQL 2012, which is end of life, and newer Veeam patches do not upgrade SQL during the patching process. It is on the end user to upgrade their instance of SQL, which is pretty easy to do.

Before you Upgrade

You will want to do a few things before you start the upgrade process:
– Disable all Veeam jobs in Veeam
– Stop and disable all Veeam services in Windows, making sure you note the original startup state (Automatic vs Automatic Delayed Start).
– If Veeam is running on a VM, please snapshot the VM
– Backup the databases manually using SQL Studio

On to the Upgrade Process

  1. Download SQL 2019 Express from Microsoft. The download links always seem to change, so you will need to snag a copy yourself.
  2. Run the executable and select Custom as the Installation Type.
  3. Choose a location to save the files that will be downloaded for the install. The default path is fine.
  4. When the Installation Center window appears, choose Upgrade from a Previous Version of SQL Server.
  5. Choose the SQL instance you would like to upgrade. For a reference of which build numbers equal which version of SQL, see this Microsoft Doc here:
  6. The installation will then start.


I ran into an issue where the SQL upgrade was looking for a Microsoft OLE DB Driver from the source installation. I tried to download this driver from Microsoft and point the installer there, but that did not work.

To remedy this, I uninstalled this driver, rebooted the server, and restarted the installation. This time it upgraded the Database Engine Services that had failed the first time.

Verify Upgrade Success

You can view the upgrade build status by opening the database in SQL Studio Manager and going to properties of the instance. Refer to the version build numbers link I posted earlier in this post.

You can also view this info by going to properties of the SQL service, and reference the path to the executable.

Post Upgrade

Now that the upgrade is complete, enable the Veeam services and Veeam jobs.
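The "before you upgrade" and "post upgrade" service handling, and the build check from "Verify Upgrade Success", as functions. This is an added example, not Veeam's or the post's own tooling: it assumes an elevated PowerShell 5.1 session on the Veeam server, that every Veeam service name starts with "Veeam", and a placeholder path for the saved state file. It records the delayed-start flag from the registry because Get-Service reports plain "Automatic" for both variants, which is exactly the detail the checklist says to note down.

```powershell
# Added example (not from the original post): save/stop Veeam services before the
# SQL upgrade, restore them afterwards, and read the upgraded build from the
# SQL service's executable. Assumptions: elevated PowerShell 5.1 on the Veeam
# server; Veeam service names start with "Veeam"; $StateFile is a placeholder.
$StateFile = 'C:\support\veeam-service-state.json'   # placeholder path

function Save-AndStopVeeamServices {
    # Get-Service's StartType does not distinguish "Automatic (Delayed Start)";
    # that flag is the DelayedAutostart value under the service's registry key.
    $state = foreach ($svc in Get-Service -Name 'Veeam*') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $delayed = (Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart -eq 1
        [pscustomobject]@{ Name = $svc.Name; StartType = [string]$svc.StartType; Delayed = [bool]$delayed }
    }
    $state | ConvertTo-Json | Set-Content -Path $StateFile
    foreach ($s in $state) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
    }
    return $state
}

function Restore-VeeamServices {
    $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    foreach ($s in $state) {
        if ($s.StartType -eq 'Automatic' -and $s.Delayed) {
            # Set-Service has no delayed-start option in 5.1; sc.exe does.
            & sc.exe config $s.Name start= delayed-auto | Out-Null
        } else {
            Set-Service -Name $s.Name -StartupType $s.StartType
        }
        if ($s.StartType -eq 'Automatic') { Start-Service -Name $s.Name }
    }
    return $state
}

function Get-SqlInstanceBuild {
    # Same information as "properties of the SQL service -> path to executable":
    # take each MSSQL service's binary path and read the file version from it.
    foreach ($svc in Get-CimInstance Win32_Service -Filter "Name LIKE 'MSSQL%'") {
        $exe = [regex]::Match($svc.PathName, '"([^"]+sqlservr\.exe)"').Groups[1].Value
        if (-not $exe) { continue }
        [pscustomobject]@{
            Service = $svc.Name
            Exe     = $exe
            Version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }
    }
}
```

Order of use: Save-AndStopVeeamServices, then the VM snapshot and manual database backup, then the SQL installer; afterwards Get-SqlInstanceBuild should report a 15.x ProductVersion (SQL Server 2019) for the Veeam instance before you call Restore-VeeamServices and re-enable the jobs.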

Veeam One Issue

After the upgrade, Veeam Backup worked great, but I noticed I could not get into Veeam One, and would receive the following error: "Veeam One monitoring service cannot access its database".

This was resolved by opening the Veeam One Settings application (C:\Program Files\Common Files\Veeam\Veeam ONE Settings\VeeamOneSettings.exe) and testing the connection. All the settings looked good, but it would fail the connection test. I clicked Browse by Server Name and selected the server again, and this time it tested successfully and I could use Veeam One again.

iDRAC6 Virtual Console Java – (Connection Failed)

Here is a quick fix to connect to an iDRAC console session using Java if you are getting the "Connection Failed" error. You simply need to re-enable SSLv3 support in Java temporarily.

  1. Browse to the Java security folder (C:\Program Files (x86)\Java\jre1.x.x\lib\security).
  2. Edit the java.security file. (You may need to open Notepad as Administrator first.)
  3. Comment out the following line: "jdk.tls.disabledAlgorithms=SSLv3".

That should allow you to connect without any errors. For security purposes, you should uncomment that line when you are finished so that SSLv3 is disabled again.

Disable “Send Read Receipts” via OWA

Believe it or not, disabling Read Receipts in Outlook does not disable this feature from your mobile device. In fact, Send Read Receipts is enabled out of the box, and it has to be disabled via OWA. Big thanks to Gostev from Veeam for pointing this out!

Disabling it is easy, and I can’t think of many scenarios in which someone would NOT want to disable this. It can be disabled by logging into OWA from a computer (or a mobile browser that will disable the mobile view) and go to the following:
Settings -> General -> Mobile Devices -> and make sure to check the “Don’t send read receipts for messages read on devices that use Exchange Active Sync” checkbox.

Sophos XG Firewall Review

Sophos has been climbing the security leaderboard of the Magic Quadrant for some time now, and we have used their excellent Endpoint protection within our company and with our customers. I was excited to get my hands on their XG Firewalls and take notes on my experience with the initial deployment, configuration, and ongoing use.
Note: this review is based on a week or so of usage and does not incorporate feedback over time, which is where most issues with any product usually creep up.

Aesthetics – Initial impressions of the nuts/bolts

The XG135w is a desktop form factor unit that can be rack-mounted (mounting kit not included). It has a nice clean shell and three large omni-directional antennas, with the ability to add two more antennas with an add-on module. It has 8 x 1GbE ports plus an additional 1GbE SFP port, which when in use takes the place of Port 5. It has an HDMI port, which I haven't had time to try out, two USB ports and one Micro USB for console access. It feels like they have taken a really nice gaming motherboard and converted it into an awesome firewall. It's rare to see SFP, HDMI, and Micro USB ports on a firewall, but that is what makes the XG so unique. The expansion bay allows you to add any one of the following: SFP DSL module, 3G/4G module, additional Wi-Fi radio, or additional SFP ports.
The DC power plug threw me off a little bit, though, as it is a 12V banana plug that goes into the firewall itself, while the other end requires an adapter to convert it to a US or European power socket. Not a bad thing, but not what you would expect. (There are two DC ports for dual power supplies.)

White Gloss Shell

Banana Plug DC Power


Deployment

Deployment was very easy, with a Setup Wizard that takes you through everything from power-on to management login. It ships with a default IP of 172.16.16.16, so you will need to give your laptop an IP on that subnet and then browse to that IP. You can probably take most of the defaults throughout the 5-page wizard; the only real decisions you will need to make during setup are a new admin password and whether you want to use the firewall in Route Mode or Bridge Mode. A 5-minute deployment couldn't be easier.


GUI and Management

Sophos has always been very good at "simplicity of management", and the Sophos Firewall OS keeps to that style. There are basically four areas of management with the XG:
Monitor and Analyze: Overview, Alerts, Reports
Protect: Policies, Rules, Security Features
Configure: Network Routing, VPN, etc.
System: Device-related management

Control Center – Overview


Do not mistake the simplistic design as a lack of features and security granularity. The XG has a LOT of pre-built policy and rule templates, as well as the ability to create your own.

Built-in Web Policies

Application Profiles


Little Gotchas and Things to Improve

There are a few things that were confusing and more complex than they should be, which I will briefly describe.

Using LAN Ports as Switch Access Ports:
I spent at least an hour trying to figure out how to use Ports 3-8 on the same subnet as my LAN traffic. After much trial and error, and even reaching out to Sophos Support, it was finally resolved by a local Sophos SE (thanks Joe!) who had run into this before. Not only do you have to bridge the interfaces together, you also need to create a LAN to LAN firewall rule allowing the traffic. In hindsight you could say this is just an extra step that maintains security rather than a software issue, but if so, they should at least document it or train their support staff on how to set it up properly.

Bridge the LAN interfaces then apply the following firewall rule

LAN to LAN Firewall Rule

Default Security Policies:
This could also be considered an extra layer of security, but many multimedia websites/services were semi-broken with the default policies of the XG. For example, Netflix and Amazon Video would let you browse content but would error out when you attempted to play it. This also caused some issues with company website hosting services. The solution here was to use the "Allow All" web policy for all outgoing traffic. I am sure there is a more granular policy to use here, but with the limited testing I have done, that was the quick and dirty fix.


Final Thoughts

I have been VERY happy with what I have seen so far and am excited to continue digging into more. I wish I had another XG to test HA failover, and I would love to test out some of their wireless access points. I didn’t do much Wireless testing with the XG itself, since it usually doesn’t make sense to have the wireless enabled in the data center or server room, but I am very interested to see if their Access Points can replace some of the broader brands. In general, the XG is worthy of replacing most legacy vendors in the data center. The hardware is great, the security features are even better!

“Your computer can’t connect to the Remote Desktop Gateway server” error

A customer gave me access to their Remote Desktop Gateway server to do some after-hour consulting. Every time I attempted to connect from my Microsoft Surface Book, I got the following error:

Your computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.

I assumed my account was not setup correctly, but the customer was able to successfully connect with the account they assigned me. When I attempted to connect from my Desktop PC (same Windows 10 build as my Surface Book), I was able to connect successfully. The following registry edit fixed the issue for me, although I am still baffled as to why it is needed, since it doesn’t exist on my Desktop PC registry which worked from the start.

  • Open Regedit
  • Go to HKCU\Software\Microsoft\Terminal Server Client\
  • Create a new DWORD (32-bit) called: RDGClientTransport
  • Give it a Value of: 1

As soon as I added that entry, I was able to connect. No reboot required.

SmartThings Home Automation – Laundry Alerting

I have tried to create a fully automated "smart home" using many technologies with integrated workflows and automation. Alerting when the washer and dryer have finished their cycles has been one of the most convenient automation features for my wife and me. I can't tell you how many times we have started the laundry, forgotten about it, and had to rewash the sour wet clothes. Here is how we do it.

First, an explanation of how this works.

I have my washing machine and dryer each plugged into their own Z-Wave power-metering switch/plug. This gives me insight into how much energy each is using and whether it is powered on or off. I use these plugs specifically: Zooz Zen15

When we start a load of laundry (washer or dryer), these Zooz power switches sense the energy being used, and the SmartThings Hub assumes (correctly) that the laundry is running. Since there will always be a tiny bit of power drawn even when the laundry isn't running, it only assumes the laundry is on when power usage exceeds 10 Watts. This power usage fluctuates during the cycle, especially for the washing machine, so the rule I have set in place monitors the usage and alerts my phone when the laundry is done. It knows the laundry is finished when the power usage drops below 8 Watts for 4 minutes. BOOM! Perfect solution, and it works every time.
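The rule in the paragraph above is a small state machine: an "on" threshold, a lower "off" threshold, and a dwell time so that the pauses inside a wash cycle do not count as the end. The following is an added example, written here rather than taken from the post or from the SmartThings "Better Laundry Monitor" app, that implements that rule and runs it over a constructed series of one-reading-per-minute power values; the thresholds (10 W, 8 W, 4 minutes) are the post's, the readings are made up for the demo and are not from a real Zen15.

```powershell
# Added example (not from the original post): the running/finished rule as a
# state machine over per-minute power readings. Thresholds as in the post; the
# sample readings below are constructed for the demo.
function Get-LaundryEvents {
    param(
        [double[]]$WattsPerMinute,
        [double]$OnThreshold  = 10,   # "on" once usage exceeds 10 W
        [double]$OffThreshold = 8,    # "done" once usage stays below 8 W ...
        [int]   $QuietMinutes = 4     # ... for this many consecutive minutes
    )
    $running    = $false
    $quietCount = 0
    $events     = @()
    for ($minute = 0; $minute -lt $WattsPerMinute.Count; $minute++) {
        $w = $WattsPerMinute[$minute]
        if (-not $running) {
            # Idle: standby draw stays under the on-threshold, so only a real
            # cycle trips this branch.
            if ($w -gt $OnThreshold) {
                $running    = $true
                $quietCount = 0
                $events += [pscustomobject]@{ Minute = $minute; Event = 'started' }
            }
        } else {
            # Running: a washer pauses between fill, agitate and spin, so one
            # low reading is not "done"; the count resets on any reading that
            # climbs back to or above the off-threshold.
            if ($w -lt $OffThreshold) { $quietCount++ } else { $quietCount = 0 }
            if ($quietCount -ge $QuietMinutes) {
                $running = $false
                $events += [pscustomobject]@{ Minute = $minute; Event = 'finished' }
            }
        }
    }
    return $events
}

# Constructed readings: standby, a cycle containing a two-minute dip to 3 W
# (a pause, which must not alert), then a real end of cycle and standby again.
$sample = 2,2,2, 250,400,12,3,3,350,500,9,120, 3,2,2,2, 2,2
Get-LaundryEvents -WattsPerMinute $sample | Format-Table -AutoSize
```

The two thresholds are deliberately different: with a single threshold at 10 W a reading of 9 W mid-cycle would start the quiet count, whereas the 8 W off-threshold plus the four-minute dwell is what keeps the "finished" alert from firing during the pauses that the post mentions.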

Here is what you will need to pull it off, and I assume if you are reading this, you are already a SmartThings user and have some idea of how the IDE works.

After you have added the “Better Laundry Monitor” device type in your SmartThings IDE, go into your SmartThings app, Marketplace, Smart Apps, and scroll down to My Apps.
See Video Below

https://youtu.be/71jaF62DjLc