Monthly Archives: September 2015

Google Authenticator

Google Authenticator is a mobile application by Google that implements two-step verification tokens using the Time-based One-time Password (TOTP) and HMAC-based One-time Password (HOTP) algorithms. Besides Google accounts, the Authenticator can generate codes for third-party applications and file hosting services that support the same scheme. Previous versions of the software were open source; subsequent releases are proprietary.
How it works
The service provider generates a secret key for each user. As described here, Google's implementation has used an 80-bit secret, shorter than the 128-bit minimum that RFC 4226 §4 requires, delivered as a 16-, 24- or 32-character base32 string or as a QR code. The client computes an HMAC-SHA1 over the current 30-second time step using this secret, truncates the result and reduces it modulo 10^6 to produce the six-digit code (RFC 6238).
To log into a site that uses two-factor authentication, the user installs the Authenticator app on their smartphone, provides user name and password to the site, then runs the Authenticator app, which produces an additional six-digit one-time password. The user enters this code, the site checks it against its own computation for the current time step (allowing for small clock drift) and authenticates the user.
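As an added example (not code from Google or from this post), the computation just described: HOTP/TOTP per RFC 4226 and RFC 6238 with the parameters Google Authenticator uses (HMAC-SHA1, 30-second step, six digits), a base32 decoder that accepts the spaced or lower-case form users type, a server-side verifier with a clock-drift window, and the otpauth URI that goes into the enrolment QR code. The secret generator produces 160 bits, the RFC 4226 recommendation, rather than the 80-bit key discussed above. Function names and the sample account and issuer are made up for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

# Added example, not Google's code: RFC 4226 HOTP / RFC 6238 TOTP with the
# parameters Google Authenticator uses (HMAC-SHA1, 30-second step, 6 digits).


def generate_secret(nbytes=20):
    """Random shared secret, base32-encoded for the otpauth URI / QR code.
    20 bytes (160 bits) satisfies RFC 4226 §4 (at least 128 bits required);
    a 16-character base32 string is only 80 bits."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(b32):
    """Accept unpadded, spaced or lower-case base32, as the app does."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation (§5.3) and reduction to the requested digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    at = int(time.time()) if at is None else int(at)
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and +/-window neighbours
    (clock drift), compare in constant time, and return the matched step so
    the caller can refuse a replay of a code that was already used."""
    at = int(time.time()) if at is None else int(at)
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(b32_secret, account, issuer):
    """otpauth:// URI that is encoded into the enrolment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    q = urllib.parse.urlencode({"secret": b32_secret, "issuer": issuer,
                                "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{q}"


if __name__ == "__main__":
    # Hypothetical account and issuer, for illustration only.
    b32 = generate_secret()
    key = decode_secret(b32)
    print(provisioning_uri(b32, "alice@example.com", "ExampleCorp"))
    now = int(time.time())
    code = totp(key, now)
    print("code:", code, "matched step:", verify_totp(key, code, now))
```

The verifier returns the time step that matched; a server should record it per user and reject any later code for that step or an earlier one, because within the drift window a TOTP code is otherwise accepted more than once. The secret itself must be stored as a secret (not hashed, since the server needs it to recompute codes), which is why it should be generated at full length and protected like a password database.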
How to enable two-step verification for your Google account

1. Make sure that two-step verification is enabled and configured for your account.
2. Download and install the app on your Android device, or on your iPhone, iPad or iPod touch.
3. Log in to your Google account at http://accounts.google.com. Choose "Security" from the left-side menu, then look for "2-step verification" and click "Edit". You may need to log in again.
4. Connect the Google Authenticator app to your Google account by following the prompts under "How to connect a mobile application".

Setting up for Google applications (screenshots)
Setting up OTP for WordPress (screenshot walkthrough)

Install Google Authenticator
https://support.google.com/accounts/answer/1066447?hl=en

Symantec VIP

Symantec Validation & ID Protection (VIP) Service provides online service providers and enterprises with two-factor authentication for their applications and better protection for their End Users against identity theft.
The VIP Network is governed by the VIP Network Policy (VIP Policy), which may be accessed from the repository link on http://www.verisign.com.

Components
VIP Self-Service Portal: a Symantec-hosted web portal providing End Users with credential lifecycle services.
VIP Enterprise Gateway: an enterprise-hosted software component providing integration with enterprise applications and directories.
VIP Manager: a Symantec-hosted web portal providing VIP Service customers with service configuration, reporting and management capabilities.
One Time Password (OTP): the credentials (VIP Credentials) issued to End Users generate one-time passwords that the VIP Service validates.

Benefits
Provides security and convenience: meets IT's security requirements and the user demand for convenience with two-factor authentication options as easy as one-touch push verification and passwordless authentication.
Accelerates time-to-security: speeds deployments by eliminating infrastructure and physical tokens, and through user-friendly self-service options for token registration and provisioning.
Enables compliance: helps establish controls over access to sensitive networks, applications and data.
Reduces capital costs: eliminates the expense of building and maintaining on-premises infrastructure.
Delivers scalability: carrier-class availability and reliability accommodates rapid changes in the user base and allows easy delivery of new VIP capabilities.

Third-party integrations

Symantec VIP supports integration with many popular enterprise applications. The following is a list of current integrations:

Apache Software Foundation
• Apache HTTP Server
Array Networks
• Array SSL VPN
Barracuda Networks
• Barracuda SSL VPN
Check Point
• SSL VPN Software Blade
• Firewall Software Blade
• IPSec VPN Software Blade
Citrix Systems
• Citrix Access Gateway
• Citrix GoToMyPC
• Citrix NetScaler
• Citrix XenApp
Cisco Systems
• Cisco Secure ACS
• Cisco Adaptive Security Appliances
• Cisco ISE
• Cisco VPN
F5 Networks
• BIG-IP APM
• FirePass VPN
IBM Corporation
• IBM Tivoli Access Manager
Juniper Networks
• Juniper SA VPN
• Juniper Steel-Belted Radius
Microsoft Corp.
• Active Directory Federation Services
• Microsoft Credential Provider
• Threat Management Gateway (2010)
• Internet Security and Acceleration Server (2006)
• Microsoft Forefront Unified Access Gateway
• Microsoft GINA
• Network Policy Server (NPS)
• Internet Information Services (IIS) 7 and 8
• Outlook Web Access
• Remote Desktop Web Access
• SharePoint Portal Server
NetMotion
• NetMotion with SBR (Steel-Belted Radius)
Oracle Corporation
• OpenSSO
• Oracle Access Manager
Oracle Corporation and Red Hat
• Pluggable Authentication Modules
Salesforce
• Salesforce integration with ADFS
SAP
• NetWeaver
SonicWALL
• SonicWALL Aventail® SSL VPN
Third-party IdP
• ADFS as IdP for SSP
VMware
• VMware View 5.1

How does it work? (screenshot)

Installing the VIP Access software
1. Get the Symantec VIP Access software.
2. Install it on your mobile device: open your device's app store and search for "Symantec VIP":
Apple devices (iPhone, iPad, etc.): Apple App Store
Android phones and tablets: Play Store
BlackBerry phones: BlackBerry World
Windows devices: Windows Store
3. If you do not have a mobile device (smartphone or tablet) and only use a laptop or desktop computer, install the Symantec VIP Access desktop application instead. Note that a credential stored on the same machine you log in from gives less separation between the two factors than a credential on a separate device.

For mobile devices
https://m.vip.symantec.com/home.v
For desktop
https://vip.symantec.com/desktop/home.v
For tokens
https://vip.symantec.com/orderstart.v

Registering your credential in the VIP Self-Service Portal
Go to the VIP Self-Service Portal to register your credential (the Credential ID shown in the app).

Logging into the web portal
Log into the Haas Portal with your password and the security code currently shown on your device.

The document below shows how Symantec VIP is used:
how vip works

References
vip-service-description
Self_Service_Portal_User_Guide_v1_2
sms-otp-service-description

Adding certificates using commands

Anything placed in a root/anchor store becomes a trust anchor for every certificate validation on that host, so verify the certificate's fingerprint out of band before installing it, and prefer the intermediate ("CA") store for anything that is not a genuine root.

RHEL / CentOS / Fedora
Copy the certificate into the trust anchors directory and rebuild the consolidated bundle:
cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

On RHEL 6 the shared trust store is off by default; enable the dynamic CA configuration feature once with:
update-ca-trust enable

Debian / Ubuntu
Copy the certificate (PEM format, .crt extension) and update the store:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt

Update the CA store:

sudo update-ca-certificates

Windows
certutil writes to the local machine stores by default (run it from an elevated prompt); add -user to target the current user's stores instead. -f overwrites an existing entry.
certutil -addstore -f "TrustedPublisher" <pathtocertificatefile>    (trusted publishers)
certutil -addstore -f "CA" <pathtocertificatefile>                  (intermediate CAs)
certutil -addstore "Root" "c:\cacert.cer"                           (root CAs)
certutil -addstore "MY" "<pathtocertificatefile>"                   (local/personal)
certutil -addstore "spc" "<pathtocertificatefile>"                  (software publisher certificates)
certutil -addstore "<user_created_store>" "<pathtocertificatefile>" (a user-created certificate store)

Other store names:
AddressBook -> the "Other People" store
Trust -> the "Enterprise Trust" store
TrustedPublisher -> the "Trusted Publishers" store

To import a PFX (certificate plus private key) into the personal store:
certutil -f -p <certificate_password> -importpfx C:\<certificate_path_and_name>.pfx

Is it possible to upgrade from IE10 to IE11 on Windows Server 2012?

Internet Explorer 11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. Windows Server 2012 (without R2) is not among the platforms IE11 supports, so the server itself has to be upgraded (to 2012 R2) before IE11 can be used on it.

The supported operating systems are:

•Windows 10
•Windows 8.1
•Windows Server 2012 R2
•Windows 7 with Service Pack 1 (SP1)
•Windows Server 2008 R2 with Service Pack 1 (SP1)

IE11 offers improvements to Enhanced Protected Mode, the password manager and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default.

References
https://technet.microsoft.com/library/dn268945.aspx

What does logon failure event 4625 mean?

An account failed to log on.

Subject:
Security ID:  NULL SID
Account Name:  –
Account Domain:  –
Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  asdf
Account Domain:
Failure Information:
Failure Reason:  Unknown user name or bad password.
Status:   0xc000006d
Sub Status:  0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: –
Network Information:
Workstation Name:
Source Network Address:
Source Port:  53176
Detailed Authentication Information:
Logon Process:  NtLmSsp
Authentication Package: NTLM
Transited Services: –
Package Name (NTLM only): –
Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted. In the sample above, Status 0xC000006D (logon failure) with Sub Status 0xC0000064 means the account "asdf" does not exist; Logon Type 3 with the NtLmSsp logon process and NTLM package is a network logon, so this is a remote attempt against the machine rather than a console logon. The blank Workstation Name and Source Network Address mean the client did not supply them, so the origin has to be found from other telemetry (firewall or SMB logs) rather than from this event alone.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

•Transited services indicate which intermediate services have participated in this logon request.
•Package name indicates which sub-protocol was used among the NTLM protocols
•Key length indicates the length of the generated session key. This will be 0 if no session key was requested

Status and Sub Status codes
0xC000006D the logon failed (the Sub Status gives the reason)
0xC000006E account restriction (for example, a blank password is not allowed)
0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to log on outside the permitted days of the week or times of day
0xC0000070 workstation restriction
0xC0000193 account expired
0xC0000071 expired password
0xC0000133 clocks between the DC and the other computer are too far out of sync
0xC0000224 user is required to change the password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xC000015B the user has not been granted the requested logon type (logon right) at this machine
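As an added example, not from the post or from Microsoft, here is a Python parser for the message layout shown above plus a per-source summary of the kind an analyst would run over a batch of 4625 events: many failures against one account from one address reads as a brute-force guess, the same failure across many accounts as a password spray. The event texts are constructed to match that layout; the IP addresses, account names and the threshold are made up for the example.

```python
import re
from collections import defaultdict

# Added example, not from the post or from Microsoft: parse the message body
# of Security event 4625 (the layout shown above) and summarise failures per
# source address. SAMPLE_EVENTS below are constructed for this example.

SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name correct, password wrong",
    0xC000006E: "account restriction",
    0xC000006F: "logon outside permitted days/hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000133: "clock skew with DC too large",
    0xC000015B: "logon type not granted on this machine",
    0xC0000193: "account expired",
    0xC0000224: "password must be changed at next logon",
    0xC0000234: "account locked out",
}

# "Key:  value" lines; keys may contain spaces and parentheses
# ("Package Name (NTLM only)"), values may be empty or a lone dash.
_FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ()]*?):[ \t]*(.*?)[ \t]*$", re.M)


def parse_4625(body):
    """Extract the fields that matter from one 4625 message body."""
    fields = defaultdict(list)
    for key, val in _FIELD.findall(body):
        fields[key].append("" if val in ("-", "–") else val)

    def first(key, default=""):
        return fields[key][0] if fields.get(key) else default

    names = fields.get("Account Name", [])
    return {
        "account": names[-1] if names else "",   # last one = target account, not Subject
        "logon_type": int(first("Logon Type", "0")),
        "status": int(first("Status", "0"), 16),
        "sub_status": int(first("Sub Status", "0"), 16),
        "workstation": first("Workstation Name"),
        "source": first("Source Network Address"),
        "package": first("Authentication Package"),
    }


def describe(rec):
    """One-line reading of a record, as an analyst would note it."""
    reason = SUBSTATUS.get(rec["sub_status"], "unrecognised sub status 0x%08X" % rec["sub_status"])
    where = rec["source"] or "(no source address)"
    how = "network/NTLM" if rec["logon_type"] == 3 and rec["package"] == "NTLM" \
        else "type %s/%s" % (rec["logon_type"], rec["package"])
    return "%s from %s via %s: %s" % (rec["account"] or "(blank)", where, how, reason)


def summarise(records, threshold=3):
    """Group failures by source address. Blank sources form their own group:
    NTLM network logons often omit the address and must be correlated with
    firewall or SMB logs instead. Returns (per-source stats, alerts)."""
    by_src = defaultdict(lambda: {"failures": 0, "accounts": set(), "reasons": defaultdict(int)})
    for r in records:
        b = by_src[r["source"] or "(blank)"]
        b["failures"] += 1
        b["accounts"].add(r["account"])
        b["reasons"][SUBSTATUS.get(r["sub_status"], "other")] += 1
    alerts = {}
    for src, b in by_src.items():
        if b["failures"] >= threshold:
            alerts[src] = "password spray" if len(b["accounts"]) >= threshold else "brute force"
    return dict(by_src), alerts


def _event(account, status, sub, source, workstation=""):
    """Constructed 4625 body in the layout shown in the post."""
    return f"""An account failed to log on.
Subject:
Security ID:  NULL SID
Account Name:  -
Logon Type:  3
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  {account}
Failure Information:
Status:   0x{status:08x}
Sub Status:  0x{sub:08x}
Network Information:
Workstation Name:  {workstation}
Source Network Address:  {source}
Detailed Authentication Information:
Logon Process:  NtLmSsp
Authentication Package: NTLM
"""


SAMPLE_EVENTS = [  # constructed sample data; addresses and names are made up
    _event("asdf", 0xC000006D, 0xC0000064, ""),
    _event("administrator", 0xC000006D, 0xC000006A, "10.0.0.5"),
    _event("administrator", 0xC000006D, 0xC000006A, "10.0.0.5"),
    _event("administrator", 0xC000006D, 0xC0000234, "10.0.0.5"),
    _event("alice", 0xC000006D, 0xC000006A, "10.0.0.9"),
    _event("bob", 0xC000006D, 0xC000006A, "10.0.0.9"),
    _event("carol", 0xC000006D, 0xC000006A, "10.0.0.9"),
]

if __name__ == "__main__":
    recs = [parse_4625(e) for e in SAMPLE_EVENTS]
    for r in recs:
        print(describe(r))
    _, alerts = summarise(recs)
    print("alerts:", alerts)
```

On a real host the bodies come from the Security log (for example exported with wevtutil or Get-WinEvent and fed in as text); the parser keys only on the "Field:  value" lines, so the tab indentation and the en-dash placeholders in the original event are handled.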

How to upgrade a Windows Server 2012 edition without media?

DISM, the Deployment Image Servicing and Management command-line tool, can switch a running server to a higher edition in place without losing data: its /Get-CurrentEdition option reports the installed edition, /Get-TargetEditions lists the editions it can be converted to, and /Set-Edition with a product key for the target edition performs the change (a reboot follows). A backup prior to making the change is always good.

Note: if the server is a domain controller, demote it to a member server before you change the edition; an in-place edition change is not supported on a domain controller.

Editions
The editions of Server 2012 fall into three groups. First there are the main editions, Standard and Datacenter. These are what most businesses will license.

Next there are the low-end editions aimed at small businesses, Essentials and Foundation.

Finally, there are specialist editions for specific roles. These are Storage Server and Hyper-V Server.

Read the blogs below to know more:
http://windowsitpro.com/windows-server-2012/q-can-i-switch-windows-server-2012-standard-server-windows-server-2012-datacente
http://cloudtidings.com/2012/08/09/windows-2012-converting-a-full-gui-version-to-server-core-and-vice-versa/

So, next question: can I downgrade?
No. Edition changes only go upward; to move to a lower edition you have to install from scratch.

How to disable Symantec NTP

NTP here is the Network Threat Protection component of Symantec Endpoint Protection (the client firewall and intrusion prevention), not the Network Time Protocol. The document below shows how to disable the Symantec firewall through Symantec Endpoint Protection Manager (SEPM):

sepm_firewalNTP-disable

Customized (modified) Symantec setup

The document below describes how to customize or modify the installed Symantec Endpoint Protection components:

Symantec_modify setup

Open DNS

OpenDNS is a DNS resolution service provider (https://www.opendns.com/); Cisco announced its acquisition of the company on June 30, 2015. OpenDNS provides the following recursive name server addresses for public use:
208.67.222.222 (resolver1.opendns.com)
208.67.220.220 (resolver2.opendns.com)
208.67.222.220
208.67.220.222

OpenDNS also provides the following recursive name server addresses as part of FamilyShield, its parental-control service, which blocks pornography, proxy servers and phishing sites:
208.67.222.123
208.67.220.123

OpenDNS supports the DNSCrypt protocol, which authenticates and encrypts DNS traffic between the user's computer and the OpenDNS name servers so that it cannot be read or spoofed on the path. It protects only the transport to the resolver; it does not validate the records themselves (that is what DNSSEC does), so a filtered or wrong answer from the resolver is delivered unchanged. Using it requires installing free client software on supported devices.

Similar service providers

Norton ConnectSafe is a free public DNS service offered by Symantec Corporation.

Policy A — Security
This policy blocks all sites hosting malware, phishing sites, and scam sites. To choose Policy A, use the following IP addresses as preferred and alternate DNS server addresses:
199.85.126.10
199.85.127.10

Policy B — Security + Pornography
In addition to blocking unsafe sites, this policy also blocks access to sites that contain sexually explicit material. To choose Policy B, use the following IP addresses as preferred and alternate DNS server addresses:
199.85.126.20
199.85.127.20

Policy C — Security + Pornography + Non-Family Friendly
This policy is ideal for families with young children. In addition to blocking unsafe sites and pornography sites, this policy also blocks access to sites that feature mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco, or violence. To choose Policy C, use the following IP addresses as preferred and alternate DNS server addresses
199.85.126.30
199.85.127.30

FreeDNS is an open, free and public DNS server (http://freedns.zone/en/).
Server addresses:
37.235.1.174
37.235.1.177

Google Public DNS(https://developers.google.com/speed/public-dns/)
IP addresses 8.8.8.8 and 8.8.4.4

OpenNIC (https://www.opennicproject.org/) is a volunteer-run network of resolvers; the server list changes over time, so check the site for a current server near you. Example server addresses at the time of writing:
103.250.184.85
103.25.202.192
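As an added example, not code from OpenDNS or any of the providers listed, here is a small stdlib-only comparison tool: it builds an A query on the wire, sends it to each resolver named above and parses the reply, so you can see whether a name resolves differently through a filtering resolver such as FamilyShield, or identically through every resolver to an address you did not expect (which points at interception on the path). The resolver labels and the default hostname are chosen for the example; the parser is a deliberately minimal one that handles only A records and name compression.

```python
import secrets
import socket
import struct

# Added example (not OpenDNS/Cisco code): query several public resolvers
# for the same name and compare the answers. Addresses are the ones listed
# above; the wire-format helpers use only the standard library.
RESOLVERS = {
    "OpenDNS": "208.67.222.222",
    "OpenDNS FamilyShield": "208.67.222.123",
    "Google Public DNS": "8.8.8.8",
}


def encode_name(name):
    """Hostname -> DNS label sequence (RFC 1035 §3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Standard query, RD=1, one question of type A (1), class IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg, off):
    """Decode a possibly compressed name. The hop limit keeps a hostile
    reply with a pointer cycle from looping the parser forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                           # resume after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, txid):
    """Return (rcode, [A-record addresses]) after checking the id and QR bit."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, answers


def resolve(server, name, timeout=3.0):
    """One UDP query with a random transaction id, like a real stub resolver."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


def compare_resolvers(name, resolvers=RESOLVERS):
    """Map resolver label -> (rcode, addresses), or ('error', reason)."""
    results = {}
    for label, ip in resolvers.items():
        try:
            results[label] = resolve(ip, name)
        except (OSError, ValueError) as e:
            results[label] = ("error", str(e))
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for label, res in compare_resolvers(host).items():
        print(f"{label:22s} {res}")
```

Readings to look for: one resolver returning NXDOMAIN (rcode 3) or a block-page address while the others return the real records indicates filtering at that resolver; every resolver returning the same unexpected address suggests the queries never reached them and were answered by something in between. Plain UDP port 53 is used on purpose here, so the tool sees exactly what an unprotected client would see; DNSCrypt, as noted above, is what removes that exposure for the path to OpenDNS.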

Configuring Windows 2012 DFS

The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly available access to geographically dispersed files. The Distributed File System role service consists of two child role services:
• DFS Namespaces
• DFS Replication
DFS offers the following benefits:
Shared folders on a network appear in one hierarchy of folders created by a DFS root with links. This simplifies user access.
Fault tolerance is an option by replicating shared folders. On Windows Server 2012 this is done by DFS Replication (DFSR), which replaced the older File Replication Service (FRS).
Load balancing can be performed by distributing folder access across several servers.
There are two DFS models as follows:
Standalone
No Active Directory implementation
Can implement load balancing, but replication of shares is manual
DFS Root cannot be replicated
DFS accessed by \\Server_Name.Domain_Name\DFS_Root_Name

Choose a stand-alone namespace if any of the following conditions apply to your environment:
• Your organization does not use Active Directory Domain Services (AD DS).
• You need to create a single namespace with more than 5,000 DFS folders in a domain that does not meet the requirements for a domain-based namespace (Windows Server 2008 mode).
• You want to increase the availability of the namespace by using a failover cluster.
Domain-based
Available only to members of a domain
Can implement fault tolerance by Root and Link replication and load balancing, and replication of links and root is automatic
DFS accessed by \\Domain_Name\DFS_Root_Name

Choose a domain-based namespace if any of the following conditions apply to your environment:
• You want to ensure the availability of the namespace by using multiple namespace servers.
• You want to hide the name of the namespace server from users. Choosing a domain-based namespace makes it easier to replace the namespace server or migrate the namespace to another server.
DFS Topology:
The DFS root (a table of contents)
Main container that holds links to shared folders
Folders from all domain computers appear as if they reside in one main folder
DFS links (pointers to shares)
Designated access path between the DFS root and shared folders
Replica sets (targets (duplicated shares))
Set of shared folders that is replicated to one or more servers in a domain

The document below shows the configuration steps:

2012dfs
