Random SysAdmin Thoughts...

Adventures in DevOps and other random technical musings

Basic Security Practices

Sections: Passwords AntiVirus Firewall Encryption VPN

I recently had a friend ask me about basic “cyber-security” for their small business. By small business I mean a one-person shop, but one that handles some very personal information for its customers. While I was trying to compose a good, human answer to this very generic question, it struck me that personal digital security isn’t any different from corporate security. The only real difference is whether you can outsource the technical components to an IT department or need to do it yourself. True security requires a mindset that prevents exposure: not using systems for things they weren’t intended for, being very cautious about emails, and so on. Good digital hygiene is a habit that can be learned, and it takes time. However, here are a few tips and technologies to help.

Passwords

This is probably the most important thing I can recommend to anyone: change your passwords! All of them! This may seem like overkill, but it’s really important to prevent certain types of attacks. A simple example: if you are using the same password for your email and social media accounts and someone is able to compromise one, they are able to get into the other. Now imagine someone has access to your email. They could reset passwords on sites they currently don’t have access to, and they could peruse your messages for information about other sites you use and build a larger, more believable online presence as you.

It seems ridiculous at first glance to maintain and remember hundreds or more passwords; however, there is a simple solution: use a password manager. I am a personal fan of LastPass, but any manager that allows access via mobile device, application and web, and also encrypts the data at rest, is good. I’m partial to LastPass because of these features and because it uses a browser plugin to create and fill in my passwords, so I never need to type a password when logging into a site.

I’m sure everyone has heard that complex passwords are needed and that passwords should have a certain length, numbers, letters, uppercase, etc., but they are hard to generate and remember. With a password manager you don’t need to worry about any of these issues. It lets me create a complex password similar to b8RrNFstRJH!&WrVK*fVMrkmT92MKF for each account without any concern about memorizing or typing them.

Encryption

This is something I’m certainly not an expert at, but I can give some basic guidance. The first question you need to ask is: what are you protecting against? Are you protecting against your laptop being stolen, or against files and data being taken without your knowledge? This is significant because the answer to each of those is different, with varying degrees of complexity.

Hard Disk Encryption

If you are looking to protect your personal data if someone steals your laptop from your car or office, this is what you are interested in. Whole disk encryption makes your entire drive appear to be random bits of data. Anyone trying to read that data should not even be able to tell what is free space and what is a file on the drive. This is built into the operating system: current versions of Windows 10 call it BitLocker, and Mac OS X uses FileVault. All you need to do is enable it and the system will encrypt the drive without your needing to do anything else.

Windows will present you with a backup key. YOU NEED TO PROTECT THAT KEY. Print it out and lock it in a filing cabinet, or take a picture and put it in your phone. If an update changes certain sections of the drive, you will need to prove it’s yours, and the only way to get access is with that key. DON’T LOSE IT!

Mac users have a bit of an easier time: the key can be backed up to iCloud and protected that way.
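To check that BitLocker is actually protecting every volume, and to get at the recovery password the post tells you to lock away, here is an added PowerShell example (not code from the original post). It uses the BitLocker module that ships with Windows 10 Pro/Enterprise and needs an elevated prompt; the function and property names it relies on (Get-BitLockerVolume, KeyProtector, RecoveryPassword) are the module's own, while Get-BitLockerReport and its NeedsAttention flag are this example's.

```powershell
# Added example, not code from the original post: report the BitLocker state of every
# volume and surface the recovery-password protectors that must be backed up.
# Requires the BitLocker module (Windows 10 Pro/Enterprise) and "Run as administrator".
function Get-BitLockerReport {
    param(
        # Print the 48-digit recovery passwords themselves. Only do this when you are
        # about to store them somewhere safe (printed and locked away, as the post says).
        [switch]$ShowRecoveryPassword
    )
    Import-Module BitLocker -ErrorAction Stop

    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
            Protection       = $vol.ProtectionStatus  # On = keys sealed; Off = drive readable without a key
            RecoveryKeyCount = $recovery.Count
            # Protection on with no recovery password means a failed TPM or forgotten PIN
            # locks you out for good; a drive that is not fully encrypted is not protected yet.
            NeedsAttention   = ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) -or
                               ($vol.VolumeStatus -ne 'FullyEncrypted')
            RecoveryPassword = $(if ($ShowRecoveryPassword) { $recovery.RecoveryPassword -join '; ' } else { '<hidden>' })
        }
    }
}

# Usage: the summary is safe to keep around; the second form prints the keys for printing.
Get-BitLockerReport | Format-Table -AutoSize
# Get-BitLockerReport -ShowRecoveryPassword | Select-Object Drive, RecoveryPassword
```

Treat the output of the -ShowRecoveryPassword form the way the post treats the printed key: it is the one thing that unlocks the drive without your password, so it belongs in the filing cabinet, not in a chat message or a shared folder.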

File Level Encryption

This encrypts individual files or directories on your workstation, NOT the entire disk. It has the advantage of being very granular, but it also requires a bit more management to ensure proper security. It also doesn’t encrypt the file system structure or other parts of the files or filesystem which could contain confidential data (is a directory named after a client?). This protects against someone getting access to your system and copying data from it while it is already running. That access could be physical or programmatic, such as through malware.

Firewalls

Every major operating system has a firewall built into it, and it should be enabled. Some applications will require changes to work properly, but as a general rule firewalls should be turned on and should limit incoming connections. If you have the option to install a hardware firewall for your network, I have two options I am partial to. If you are not afraid of getting your geek on, have some spare hardware and want to learn, I would recommend pfSense for its ease of installation and capabilities. You are getting a commercial-grade firewall for open-source prices.

That said, if you want commercial support and everything that goes with it, I would seriously consider the FortiGate 50E. It’s an enterprise-level firewall with support and is more than enough for the small office. It can also be combined with wireless, web filtering and much more, so if you don’t mind paying for it, I would consider this the way to go. (Disclaimer: it’s March 2019 as I write this; by the time you read it something may have changed.)
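The post's rule for the built-in firewall is "turned on, limit incoming connections". Here is an added PowerShell example (not code from the original post) that checks a Windows machine against that rule and lists every inbound exception so each one can be justified. It uses the NetSecurity cmdlets present on Windows 8 / Server 2012 and later; the function names Test-FirewallBaseline and Get-InboundAllowRules are this example's own.

```powershell
# Added example, not code from the original post: audit the Windows firewall against
# "on, and limit incoming connections", then list what is still allowed in.
function Test-FirewallBaseline {
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Profile        = $p.Name                  # Domain, Private, Public
            Enabled        = $p.Enabled
            DefaultInbound = $p.DefaultInboundAction  # NotConfigured behaves as Block
            # Compliant = firewall on and unsolicited inbound traffic not allowed by default
            Compliant      = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
        }
    }
}

# Every enabled rule that lets traffic in, with the program and port it applies to.
# These are the "some applications will require modification" cases; each should be
# an application you recognise and still use.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule     = $_.DisplayName
                Profile  = $_.Profile
                Program  = $app.Program      # 'Any' means the rule is not tied to a program
                Protocol = $port.Protocol
                Port     = $port.LocalPort
            }
        }
}

Test-FirewallBaseline | Format-Table -AutoSize
Get-InboundAllowRules | Sort-Object Profile, Rule | Format-Table -AutoSize

# Remediation for a non-compliant profile (run deliberately, not as part of the audit):
# Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
```

Rules with Program = Any and a broad port range are the ones worth a second look; a rule left behind by an uninstalled application can be disabled with Disable-NetFirewallRule once you are sure nothing depends on it.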

AntiVirus

AntiVirus is the thing we all hate but need to have. There is no glamour in it, but it’s going to help keep us safe. For people with fewer than ten systems I would look to Sophos Home. There is a free component, but I would recommend purchasing the whole thing. I would also combine it with FortiClient, which will scan your systems for known vulnerabilities. The two combined offer a reasonable solution for a great price.

VPN

What do you do when you’re working from Starbucks, a shared office space or some other open wireless access point? You certainly don’t send your traffic over the airwaves unencrypted. Use a VPN service. This will tunnel all your traffic to the endpoint, rendering it unreadable to anyone on the local network or between you and the VPN termination point. Proton VPN is my personal favorite. They are based in Switzerland and don’t log traffic, so there are no logs for anyone to hack or request. Additionally, they have endpoints in multiple countries, so if you need or want to change your connection point it’s extremely simple. There is even the option of connecting your firewall to them so that all traffic from your local network is tunneled out. This is useful to prevent your ISP from spying on or tampering with your traffic. (Yes, this is now legal in the US.)

Conclusion

I know this was a long post and there is a lot I didn’t cover, but I’m hoping people find it useful and learn from it. If you have any comments, questions or suggestions, send me a message on Twitter and I’ll be happy to reply.

Cheers

New Blog - New Look

This is the first post with the new framework, so we will see how it works out over the long run. I was previously hosting this on Blogger, but it didn’t offer all the flexibility I wanted, so I’ve transitioned it to a static site built from templates and compiled with Hexo. Hopefully this will work without any issues and will allow me to be a lot more consistent with the look and feel, especially when posting code snippets.

This is the first post using the new format so let’s see how it works out :)

Cheers

Another Rename and Refocus

I look at the statistics for this blog and they’re pretty bad, but I do hope there are a few people that have gotten some value from the content I’ve posted over the years. I try to post things that I find interesting, have had to figure out more than once, or had a really difficult time solving. Over the last few years I’ve changed who signs my paycheck more than once, and it’s always been a good move, bringing me to a more challenging or interesting environment, each with lessons to be learned. Some of those lessons have been in business, communication, technical applications and even public speaking. It’s been an interesting few years to say the least.

The last two years I’ve been working at an HBCU in New Orleans implementing the VMware stack of what seems like everything. That’s brought me into implementing ServiceNow to codify our processes. Now we are trying to tie all this together and deploy systems and software anywhere in our environment programmatically, initiated from a service ticket. So now we are leveraging Chef to manage all the configurations of our systems and Terraform to deploy them.

This is going to start getting interesting, and DevOps is a completely new area of being a SysAdmin for me. I’m going to try and keep this updated as best I can and share what I learn. I hope it’s beneficial and somewhat entertaining.

Cheers

Assign missing tag to VM

We run our backup job schedules based on the tags assigned to the VM. This keeps it relatively simple: to add a system to a backup job you only need to tag it, not go into another piece of software and edit a backup job.

Recently, while working on a production system, I noticed it wasn’t tagged! Whoever created it never tagged it, so it has been in production for a while and has never been protected. Obviously this is a bad situation, and I needed to make sure it was fixed across the board.

I did a quick PowerCLI script to find any untagged VM and assign it to the nightly backup job. We can go back and audit this later if a system needs better protection.


# The tag that puts a VM into the nightly (Bronze) backup job
$Tag = Get-Tag -Category BDR -Name Bronze
# Every VM with no tag assignment at all gets the Bronze tag. Note this looks at
# assignments of any category, so a VM carrying only an unrelated tag is skipped.
Get-VM | Where-Object { $null -eq (Get-TagAssignment -Entity $_) } | New-TagAssignment -Tag $Tag
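For the audit the post defers to later, here is an added PowerCLI example (not code from the original post) that reports which backup tier every VM is in, counts the gaps, and can remediate them as a dry run first. It assumes the post's BDR tag category and Bronze tag, that Connect-VIServer has already been run, and that tags in other categories do not count as backup protection; Get-BackupTagReport is this example's own function name.

```powershell
# Added example, not code from the original post: audit backup-tier tags per VM and
# optionally default the unprotected ones to Bronze.
function Get-BackupTagReport {
    param([string]$Category = 'BDR')   # the post's backup tag category (assumed)
    foreach ($vm in Get-VM) {
        # Only tags from the backup category count; a VM with some unrelated tag is
        # still unprotected, which the post's one-liner would miss.
        $assigned = @(Get-TagAssignment -Entity $vm -Category $Category)
        [pscustomobject]@{
            VM         = $vm
            Name       = $vm.Name
            PowerState = $vm.PowerState
            Tier       = $(if ($assigned.Count) { $assigned.Tag.Name -join ',' } else { '<none>' })
            Protected  = $assigned.Count -gt 0
        }
    }
}

$report = Get-BackupTagReport

# How many VMs sit in each tier; '<none>' is the gap the post describes.
$report | Group-Object Tier | Select-Object Name, Count | Sort-Object Name

# The unprotected list, most useful sorted so powered-on production VMs come first.
$report | Where-Object { -not $_.Protected } |
    Sort-Object PowerState -Descending | Format-Table Name, PowerState -AutoSize

# Remediate: default the unprotected VMs to the nightly Bronze job. -WhatIf shows the
# assignments without making them; drop it once the list looks right.
$bronze = Get-Tag -Category 'BDR' -Name 'Bronze'
$report | Where-Object { -not $_.Protected } |
    ForEach-Object { New-TagAssignment -Entity $_.VM -Tag $bronze -WhatIf }
```

Running the report on a schedule and alerting on any '<none>' row turns the one-off fix into a control: a VM created without a tag shows up the next morning instead of months later.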

Changing AD User Login Hours

Today I received a request to remove the login hour restrictions for all the users in our forest. A little bit of research didn’t satisfy my curiosity, so I decided to look into the specifics. First, the script is pretty simple: sometime in the organization’s past, someone decided to set the logon hours so people could not log in between 02:00 and 04:00. We have a new system, and since students are 24x7 we needed to remove these restrictions. I was asked to simply remove it, so I’m querying all the enabled users and simply updating them.

# Every enabled account in the domain
$Users = Get-ADUser -Filter {enabled -eq $true}
# 21 bytes of 255 (every bit set) = no restriction on any hour of the week
[byte[]]$LogonHours = @(255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255)

# Overwrite each user's logonHours with the unrestricted value
$Users | ForEach-Object {
  Set-ADUser $_ -Replace @{logonhours = $LogonHours}
}

As you can see, the script isn’t complex and simply does its job. My curiosity was with the LogonHours value and why it was so peculiar.

I opened ADSIEdit and looked at the field in question and it appears like this:

(Screenshot: the logonHours attribute as shown in ADSI Edit)

As you can see it is a 21-byte field. Each byte represents eight hours, starting at midnight Sunday morning. If a bit is set to 0 the user is not able to log in during that hour; if it is set to 1 the user has authority to log in. As an example, if you wanted no restrictions they would all be set to 255. If you wanted to enable 8am until 6pm (08:00 - 18:00) it would appear as “00 FF 02”. This would allow them to log into the system until 17:59; however, at 18:01 they would be unable to log in.

It took me a few seconds to figure out what was going on here and why it wasn’t in a standard format; however, once I put it together it actually makes perfect sense.
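To make the layout concrete, here is an added PowerShell example (not code from the original post) that builds a logonHours value from a schedule and decodes an existing one into a week grid. It follows the layout described above (byte 0 is Sunday 00:00-07:59, the least significant bit of each byte is the earliest hour) and adds one caveat the post does not mention: Active Directory stores these hours in UTC, and the Users and Computers dialog converts to local time for display, so a schedule built here must be expressed in UTC. New-LogonHours, ConvertFrom-LogonHours and Format-Hex21 are this example's own names.

```powershell
# Added example, not code from the original post: build and decode the 21-byte
# logonHours array. Byte 0 = Sunday 00:00-07:59, byte 1 = Sunday 08:00-15:59,
# byte 2 = Sunday 16:00-23:59, byte 3 = Monday 00:00-07:59 ... byte 20 = Saturday
# 16:00-23:59. Within a byte, bit 0 (least significant) is the earliest hour.
# Hours are in UTC; the ADUC dialog translates to local time for display.
function New-LogonHours {
    param(
        [int[]]$Days = 0..6,   # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 0,   # first permitted hour (inclusive), UTC
        [int]$EndHour = 24     # first denied hour (exclusive), UTC
    )
    [byte[]]$hours = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit   = $day * 24 + $h        # 0..167, one bit per hour of the week
            $index = $bit -shr 3           # which of the 21 bytes holds this hour
            $hours[$index] = $hours[$index] -bor (1 -shl ($bit -band 7))
        }
    }
    # The leading comma keeps the byte[] intact instead of unrolling it down the pipeline,
    # which matters when the value is handed to Set-ADUser -Replace.
    return ,$hours
}

function ConvertFrom-LogonHours {
    param([byte[]]$LogonHours)
    $names = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    'Day 0     6     12    18    (hour, UTC; # = allowed)'
    for ($day = 0; $day -lt 7; $day++) {
        $row = for ($h = 0; $h -lt 24; $h++) {
            $bit = $day * 24 + $h
            if ($LogonHours[$bit -shr 3] -band (1 -shl ($bit -band 7))) { '#' } else { '.' }
        }
        '{0} {1}' -f $names[$day], (-join $row)
    }
}

function Format-Hex21 { param([byte[]]$Bytes) ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' ' }

# No restrictions at all: 21 bytes of FF, the value the script above writes.
Format-Hex21 (New-LogonHours)

# Weekdays 09:00-16:59 UTC. Monday occupies bytes 3-5, which come out as 00 FE 01:
# hours 9-15 are bits 1-7 of byte 4 (FE) and hour 16 is bit 0 of byte 5 (01).
$weekdays = New-LogonHours -Days (1..5) -StartHour 9 -EndHour 17
Format-Hex21 $weekdays
ConvertFrom-LogonHours $weekdays

# Apply to one account (the post's script does the same for every enabled user):
# Set-ADUser -Identity jdoe -Replace @{logonhours = $weekdays}
```

Decoding before writing is the useful habit here: run ConvertFrom-LogonHours on (Get-ADUser jdoe -Properties logonHours).logonHours first, and you can see the existing 02:00-04:00 gap the post describes instead of trusting that the value means what you think it does.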

Hope this helped someone out.



The same field in binary, just so you can see it:

(Screenshot: logonHours in binary; each bit represents an hour)