Windows Server, Exchange Server, Cisco Networking, and other IT Pro Stuff

Intro to Python Network Automation

2017-06-23T08:56:00.002-04:00

http://packetpushers.net/intro-python-network-automation/

PowerShell Desired State Configuration of Cisco UCS

2017-06-20T11:17:00.000-04:00

http://www.powershellmagazine.com/2017/05/29/cisco-ucs-custom-resource-for-the-windows-powershell-desired-state-configuration-dsc/

EncryptionandDecryption.com

2017-06-17T09:22:00.001-04:00

http://encryptionanddecryption.com/

Nice starting point for learning some of the basics about encryption.

Cisco ASA 5506 no switch ports!

2015-05-18T07:00:00.000-04:00

Cisco recently began selling the ASA 5506 with FirePower Services. This expanded the existing next generation firewall line replacing the ASA 5505.

A few days ago I got a chance to configure one for a client. I was excited to learn a bit about the new IPS features before doing a basic configuration. Based on the very limited amount of documentation available, it appears the new model offers a nice increase in capacity.

One the great features of the ASA 5505, was its ability to act as both a firewall and switch. For small offices with small budgets, this meant an affordable option to add a firewall with some switch port capacity.

The ASA 5506, looks very similar aside from its black and case and red label.

I was disappointed to learn that the 5506 really isn't a replacement for the 5505. It does everything and more the 5505 did, with one exception:

You cannot use any of the 8 ports as a switch port!

I'm not sure what Cisco is planning with this new hardware, but I'm really hoping that a later release of software will enable the same functionality we have grown accustomed to in the 5505.

The little documentation specific to the 5506 is a little misleading. Previously, with the 5505, you could have 3 VLANs. With the new 5506, the referenced document states that you can have 5 VLANs. Good luck trying to get it working though!

If you refer to some the other higher end models you can see they also have an allowed number of VLANs. The 5505 truly acts as a switch when it comes to VLANs, access ports, and trunk ports. The 5506 acts just like a router, where you can apply 802.1q tagging to place sub interfaces in different VLANs.

I'm a big Cisco fan, so I'm very hopeful that a later software release will offer more flexibility and allow us to use the 5506 just like we're used to with the 5505.

Cisco ASA OS versions that address security vulnerabilities

2015-03-08T13:53:00.000-04:00

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

PKI Step by Step Server 2012 R2: Great posts!

2015-03-07T13:45:00.001-05:00

Part 1
http://blogs.technet.com/b/yungchou/archive/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2.aspx

Part 2
http://blogs.technet.com/b/yungchou/archive/2013/10/22/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-2-of-2.aspx

FBI claims North Korea responsible for attack on Sony

2014-12-21T07:00:00.000-05:00

http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation/

After 65000 complaints Microsoft suing tech support scammers

2014-12-20T08:39:00.000-05:00

http://hothardware.com/news/after-receiving-65000-complaints-microsoft-files-suit-against-tech-support-scammers

Check out Veeam version 8

2014-11-12T08:14:00.001-05:00

Veeam version 8 was released to the world last week.
Check out some of the new features
http://www.veeam.com/veeam_backup_8_whats_new_en_wn.pdf

Goodbye SHA-1

2014-10-08T08:06:00.000-04:00

In November 2013, Microsoft announced plans to deprecate issuing certificates using the SHA-1 algorithm. Chromium, and other browsers, also has plans to change the way SSL certs using SHA-1 are treated.

Industry expert Bruce Schneier explains the need in an article he posted October 2012, When Will We See Collisions for SHA-1?

For more info:

https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
http://www.symantec.com/connect/blogs/google-s-sha-1-deprecation-plan-chrome
https://technet.microsoft.com/library/security/2880823
https://support.godaddy.com/help/article/4818/information-about-requiring-the-sha-2-hash-function
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
http://www.entrust.com/sha-1-deprecation-on-to-sha-2/

The Shellshock Vulnerability

2014-10-01T13:05:00.001-04:00

If you are running any Unix-based systems (which you most likely are) you'll want to read this article about the Shellshock Vulnerability.

The Scoop on Shellshock

Two-Factor Authentication

2014-09-26T09:13:00.000-04:00

Are you using two-factor authentication for your system?

User names and passwords, as pointed out in a recent Trustwave article, were never meant to live this long. And with all of the recent breaches we should be looking for more secure login methods.

This is where two-factor authentication comes in. It combines the traditional login (something you know) with another of two factors (either something you have or something you are). Two-factor authentication can utilize biometric scanning, key fobs, login tokens, or a second password that is sent to a unique device that you carry.

One option is to use a product like Duo Security to have a second, randomly generated password sent to the users cell phone. A more complete option would be SafeNet, who offers a range of two-factor options including one-time password authenticators, USB tokens, smart cards, Mobile PASS, cell phone options, cloud based options, and more.

There are many options available with a simple Google search. Find something that works for you and add an extra layer of defense to your network.

Waiting on Co-workers

2014-09-22T13:14:00.000-04:00

A recent article on CIO.com about co-workers negatively impacting productivity suggested that project management software might lead to better results. However, the article failed to explore the many options available on the market today.

The first option is to go with Microsoft Project. My personal experience with this software is that it is not intuitive and therefore you have to allocate time to learn it, teach it, and then implement it. Also, it is not an open source package so you have licensing expenses to budget for.

Next up is the option of installing a Sharepoint server and creating your own central collaboration resource. Again, this is going to take time, budget, and education resources in order to achieve results.

A better option may be to use a free online resource such as Basecamp. I have experience with Basecamp and have found it to be much more intuitive than other software, such as Project. New projects are easy to create, as are tasks, and you can easily administer group communication settings. The free version will limit you on the total number of projects you can maintain, so this isn't meant to be used enterprise-wide on a large scale. However, to get immediate results with minimal expense and training this is a great route to go.

Click here to check out Basecamp. Or, alternatively, click here for another option called Teamwork.

Enterprise Vulnerability Scanning Tools

2014-09-17T08:53:00.001-04:00

Good article with practical tips and suggestions about selecting a vulnerability scanning tool for your business.

Enterprise Vulnerability Scanning Tools

Tips for User Education

2014-09-10T10:14:00.000-04:00

Monday I posted about the difficulties in securing e-mail and the need for more user education in organizations. As promised I have a few suggestions for establishing user training in your organization on a shoestring budget.

I’ll begin with a question. Which type of movie do you remember better when you leave the theatre: an action movie like The Avengers or a chick flick like The Fault in our Stars? Personally, I retain more from X-Men and action movies than I remember from the chick flicks that I watch to keep my wife happy. But I’m sure women (and a few guys) prefer the emotional movies.

Your choice doesn’t matter as much as your motivation here. Why do you remember certain movies more than others? Because they aren’t boring to you. They are exciting and they likely have your interest before the opening credits begin to roll.

In security training your focus needs to be on making the material interesting to the users. No one cares how interesting the technical details are to you. Your job is to make it memorable for the users. My suggestions to make it memorable, practical, educational, and inexpensive:

Create the material in-house rather than hiring an outside consultant.
Make the presentation yourself (it’s good practice in a safe environment).
Show people why they should care and what benefits they get from a secure system.
Use a Powerpoint presentation rather than lecturing.
Use real-life examples.
Have a competition to see who can identify the most fraudulent e-mails and advertisements. The winner gets a restaurant gift card or cash. Cash is great incentive to pay attention.
Make the reward large enough to get attention but small enough to ensure future budget approval (somewhere in the $25-50 range should do).
Offer more rewards for real incident reports. Getting it right in the training is great, but catching spam and malware in real-time is a game changer.
Create a safe environment for questions. The reason most non-IT people don’t understand attacks is because IT people make them feel stupid. Don’t be that guy (or gal).
Use a tool (examples listed below) to create and track test e-mail. You can use the results to reward users that detect the phony stuff and also to sell management on the benefits of future training (which may lead to a larger budget).

The bottom line is that if you make it fun and safe and offer some sort of incentive your audience will engage, and that is a win for everyone in your organization.

Free Phishing Security Test

Simple Phishing Toolkit

Securing E-mail

2014-09-08T09:54:00.000-04:00

Securing e-mail is a big challenge for admins. You have to mix expertise in hardware, software, and user education in order to construct a complete defense. Even then you probably won’t rest well, and for good reason.

Users are still the number one way into a system and one of the oldest tricks in the book to gain access via users, spam, is still in full force. According to this CIO.com article banks and social media have improved their security and the focus has now shifted to the travel industry, which experienced an 800% increase in threats from Q1 to Q2 2014. There are a couple of reasons for this – people are fatigued and people are on mobile devices, which are not secured as well.

Hardware and software anti-spam measures are constantly being usurped. This recent article from SpiderLabs demonstrates a rekindled method of obscuring text from spam filters. It is simple, brilliant, and effective. It will lead to changes in the spam filtering algorithms, at which point attackers will have moved on to another method. Rinse, lather, and repeat…

User education is, and will likely always be, the most effective defense against spam and phishing scams. However, almost no companies have formal training programs and even fewer have e-mail education in their annual budget. I think the CIO article summarizes it best when they say that hackers/attackers are “businessmen and businesswomen” and as such are “incentivized to be successful”. Are we creating incentives to be successful in defense? Do users have incentives to be educated and proactive?

Come back Wednesday and I’ll have some suggestions on how to train and incentivize with a shoestring budget.

Cisco Error Message Decoder

2014-09-08T09:47:00.001-04:00

Cisco devices can log some fairly cryptic messages. To help you get additional information, they have provided an Error Message Decoder. Enjoy!

https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi

How to Mitigate Vulnerability in Windows

2014-09-03T09:09:00.000-04:00

Although this article was intended as a guide to those still using unsupported Windows XP the guidelines are quite practical for any user in any operating system. The basics:

Don't use Internet Explorer. Quite honestly I didn't know people still used IE. However, it does still have quite a following as the default browser in most systems, both old and new, and it is commonly used by those that are less tech-savvy. I strongly encourage the use of Chrome or Firefox, just as the article advocates.
Remove Java. The article lists Flash next but Java has been the big offender over the past few years. Uninstall it...immediately. Re-install if absolutely necessary and quickly trash it when your task is complete.
Don't use administrator accounts. You need one admin account but it shouldn't be the one you use when you are surfing, checking Facebook, Instagramming, or whatever else consumes your time online. All you need is the admin password in case you need to install something. You're better off leaving the admin account unused as much as possible.
Disconnect from the network. An attempted attack occurs on your PC or laptop every 37 seconds. How many attacks could you prevent by turning the machine off when you go to bed? Or when you hop in the shower? Or while you prepare dinner? The safest way to prevent attacks is to disconnect from the internet or power down completely.

Cisco Prime NCS Demo License

2014-08-30T13:50:00.000-04:00

If you try acquiring a demo license from www.cisco.com/go/license you'll be frustrated with invalid serial prompts.

Instead, use this version of the same form, and you'll be all set.

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999

How to Identify Soft Skills in IT Job Candidates

2014-08-27T22:07:00.000-04:00

How to Identify Soft Skills in IT Job Candidates

Outstanding article on the value of "soft" skills, especially in IT. The best quotes:

"IT is in the room with the business leaders when decisions are made."

"The heads-down IT person who's just programming is becoming less and less attractive to employers, because you have to be able to communicate with your business partners or their customers."

"In IT, it's important to go to the non-IT people who don't understand what technology can actually do."

"IT should come out of behavioral interviewing."

If you are, as the article puts it, "in the back room with the lights off writing code" you may find yourself on the outside looking in as IT moves into decision-making roles and business roles. Technical skills can be taught to anyone that is eager to learn and are almost universally taught on-the-job. People skills, as the article points out, are more rare and in high demand.

What are you doing to sharpen your soft skills?

Cisco Bug Search Tool

2014-08-12T21:42:00.003-04:00

Cisco support is pretty good. I just hate it when I open a support request for some wierd issue and then find out they just used the bug search tool and found out an IOS upgrade would probably fix the problem.

For my own future reference, and anyone else out there who's been there, here is a link to the tool https://tools.cisco.com/bugsearch .

How the LinkedIn CEO Manages Projects

2014-08-11T13:07:00.001-04:00

I do the same thing that Jeff Weiner does. We are almost indistinguishable.

Well, that may be a slight exaggeration. Weiner is the CEO of LinkedIn, he is the 3^rd highest influencer on LinkedIn, he has over 1.5 million connections on LinkedIn, and he is on the board of directors or advisors of at least 6 different organizations. Me? I’m slightly behind those accomplishments.

However, the one thing we both do is manage projects. Project management is a trendy topic and can be made to sound as complex as constructing an AI algorithm. In his recent interview with Fortune magazine Weiner spoke about his style as CEO of LinkedIn and I couldn’t help but notice that some project management techniques were sprinkled and hidden in the interview. They are the same basic principles that I use every day, and you can apply them as well for effective project management. They are:

· Define the purpose of the project. Weiner is quoted as saying “I don’t just want to make money. I want to add value and feel as though I am making a contribution to the world around me.” Approaching each project with the general purpose of improving the bottom line is not specific enough. Have a specific purpose. Define where you want to add value. Find specific ways to make a contribution to the workplace around you.

· Put your plan in writing. In the article Weiner is reviewing a letter that he wrote to his father 20 years earlier. In the letter Weiner stated specific goals and a planned path to achieve those goals. He goes back to the letter often and reviews it to ensure that he is still on track. If the CEO of LinkedIn puts goals in writing and reviews them often shouldn’t we do the same with our teams?

· Communicate clearly to your team. There is a great deal of history shared about how Weiner looked at the future direction of such companies as Yahoo and created a vision and plan of how to get to that point. One of his former employees called it an “ability to develop conceptual frameworks and render them in understandable formats”. The overall project is made up of pieces and chunks that combine together to achieve the end result. Become an expert at making the plan easy to understand, simple to follow, and constantly moving towards the final goal.

· Assign tasks to the right people. Reid Hoffman may be the founder of LinkedIn but he realized that his strength is in thinking and building. He needed a CEO to run the company that was well suited for operations. In your project management you need to find solid performers and assign them the tasks that they are the best at.

· Plan a wrap-up before the next project. Some of the advice that Weiner gives as influencer for LinkedIn includes proper leader feedback, how to retain top talent, and the importance of removing people that are wrong for the job. It is important to review the project at conclusion, not just for the purpose of congratulating the team for how well things went, but also to determine what could have been better, what changes are needed, who needs more responsibility, who was a top producer, and who needs to be replaced for increased efficiency.

It’s basic stuff but it works like magic. The same process works for me that works for Jeff Weiner and it can work for you too.

The Russian Internet Audit

2014-08-07T09:54:00.000-04:00

Let's not call it an e-mail or website hack - in this NY Times article there is a quote stating that the Russian crime ring had "audited the Internet".

I recently wrote a post advocating an overhaul of e-mail addresses. Specifically, there should be no correlation between the e-mail address and username. In light of this breach I have to renew my suggestion. It may also be in your best interests to do a personal password overhaul. Chances are good that at least one of your accounts has been compromised, and if one is compromised how many of your other accounts could they access with the same credentials?

The Best Programming Languages

2014-08-05T13:23:00.005-04:00

I don't normally put much value into this sort of article. However, when someone supports their selections with technical knowledge and then illustrates with actual code samples it does add a degree of credibility.

It's well worth the read, even if you're not a programmer. It will help you keep abreast of the most current technologies, structures, and platforms.

5 Programming Languages You’ll Need Next Year (and Beyond)

Usernames and E-mail Addresses

2014-08-01T12:00:00.000-04:00

Is your username the same as your e-mail address, sans the @domainname extension?

Most likely the answer is yes. One of the basic steps in hacking and/or penetration testing is to scour the web for e-mail addresses of the domain that is being hacked/tested. The logic is that you can obtain a list of good usernames to be used in an attack, whether it be by brute force, rainbow tables, etc.

I'm not sure why more companies aren't overhauling their e-mail address name conventions but perhaps the following two articles will help to convince you of how necessary it is.

First is this article explaining how to easily get a large list of Google e-mail addresses, even the ones that are hosted for businesses.

One Token to Rule Them All

Next is an article explaining how to go from username to a full account takeover. They also touch on how interconnected your e-mail account is with all other online accounts.

From a Username to Full Account Takeover

Did you think that you were safe having Google host your e-mail service? Perhaps it's time to start pushing Google to sandbox business accounts, as the first article suggested. But it's also time to start restructuring e-mail naming conventions. We can't make it so simple for attackers to get login credentials.