Monthly Archives: September 2015
Google Authenticator is an application made by Google that implements Time-based One-time Password (TOTP) security tokens in mobile apps. The Authenticator can also generate codes for third-party applications or file hosting services. Previous versions of the software were open source, but subsequent releases are proprietary.
The service provider generates an 80-bit secret key for each user (in contravention of RFC 4226 §4, which requires a shared secret of at least 128 bits). This is provided as a 16-, 24- or 32-character base32 string or as a QR code. The client computes an HMAC-SHA1 of the current time step using this secret key.
To log into a site or service that uses two-factor authentication, users install the Authenticator app on their smartphone. They provide their user name and password to the site and run the Authenticator app, which produces an additional six-digit one-time password. The user provides this to the site; the site checks it for correctness and authenticates the user.
How to enable two-step authentication for your Google account
1. Make sure that two-step authentication is enabled and configured for your account.
2. Download and install the app on your Android device or on your iPhone, iPad or iPod Touch.
3. Log in to your Google account at http://accounts.google.com. Choose “Security” from the left-side menu, then look for “2-step verification” and click “Edit”. You may need to log in again.
Connect your Google Authenticator app to your Google account by following the prompts after “How to Connect” a Mobile Application.
Install Google Authenticator
Symantec Validation & ID Protection (VIP) Service provides online service providers and enterprises with increased security for their applications in the form of two-factor authentication, and better protection for their End Users against identity theft.
The VIP Network is governed by the VIP Network Policy (VIP Policy), which may be accessed from the repository link on http://www.verisign.com.
VIP Self-Service Portal:- A Symantec-hosted web portal providing End Users with credential lifecycle services.
VIP Enterprise Gateway:- An enterprise-hosted software component providing integration with enterprise applications and directories.
VIP Manager:- A Symantec-hosted web portal providing VIP Service customers with Service configuration, reporting and management capabilities.
One Time Password (OTP):- Credentials (VIP Credentials) that end users can use to generate one-time passwords.
Provides security and convenience: Meet IT’s security requirements and the user demand for convenience with two-factor authentication options that are as easy as one-touch Push verification and passwordless authentication
Accelerates time-to-security: Speeds deployments by eliminating infrastructure and physical tokens; and through user friendly self-service options for token registration and provisioning
Enables compliance: Helps enable compliance by establishing controls over access to sensitive networks, applications, and data
Reduces capital costs: Eliminates the expense of building and maintaining in-premise infrastructure
Scalability: Carrier-class availability and reliability accommodates rapid changes in user base and allows for easy delivery of new VIP capabilities
Symantec VIP supports integration with many popular enterprise applications. The following is a list of the current integrations:
Apache HTTP Server
Array SSL VPN
Barracuda SSL VPN
SSL VPN Software Blade
Firewall Software Blade
IPSec VPN Software Blade
Citrix Access Gateway
Cisco Secure ACS
Cisco Adaptive Security Appliances
BIG IP APM
IBM Tivoli Access Manager
Juniper SA VPN
Juniper Steel Belted Radius
Active Directory Federation Services
Microsoft Credential Provider
Threat Management Gateway (2010)
Internet Acceleration Server (2006)
Microsoft Forefront Unified Access Gateway
Network Policy Server (NPS)
Internet Information Server (IIS) 7 and 8
Outlook Web Access
Remote Desktop Web Access
SharePoint Portal Server
Netmotion with SBR (Steel Belted Radius)
Oracle Access Manager
Oracle Corporation and Red Hat
Pluggable Authentication Modules
Salesforce integration with ADFS
SonicWALL Aventail® SSL VPN
Third Party IDP
ADFS as IDP for SSP
VMWare View 5.1
Installing the VIP Access Software
1. Get the Symantec VIP Access software.
2. You are required to install this on your mobile device, so go to your “store” and download the app:
Apple Devices: iPhone, iPad, etc. Search for “Symantec VIP” in the Apple App Store
Android Devices: Phones/Tablets. Search for “Symantec VIP” in the Play Store
Blackberry: Phones. Search for “Symantec VIP” in the Blackberry World Store
Microsoft Windows Devices: Search for “Symantec VIP” in the Windows Store
3. If you don’t have a mobile device (smart-phone/tablet), and only use a laptop or desktop computer, you will have to install the Symantec VIP application onto your desktop.
Registering your credentials in the VIP Self Service Portal
Go to the VIP Self Service Portal to register your credentials.
Logging into the web portal
Log into the Haas Portal using the credentials received on your device.
The document below shows how to use Symantec VIP.
How VIP works
Red Hat / CentOS: add the certificate to the system CA store
cat foo.crt > /etc/pki/certs/ca.crt
Enable the dynamic CA configuration feature:
sudo update-ca-trust enable
Debian / Ubuntu: copy the certificate into the local CA directory and update the store
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
Update the CA store:
sudo update-ca-certificates
Windows: add a certificate to a named store with certutil (-f overwrites an existing entry)
certutil -addstore -f "TrustedPublisher" <pathtocertificatefile>
certutil -addstore -f "CA" <pathtocertificatefile> (for intermediate CA certificates)
certutil -addstore "Root" "c:\cacert.cer" (for root CA certificates)
certutil -addstore "MY" "<pathtocertificatefile>" (for local/personal certificates)
certutil -addstore "spc" "<pathtocertificatefile>" (for software publisher certificates)
certutil -addstore "user_created_store" "<pathtocertificatefile>" (for a user-created certificate store, by name)
Other store names:
AddressBook -> specifies the “Other People” store
Trust -> specifies the “Enterprise Trust” store
TrustedPublisher -> specifies the “Trusted Publishers” store
Import a PFX (certificate plus private key), supplying its password:
certutil -f -p [certificate_password] -importpfx C:\[certificate_path_and_name].pfx
Internet Explorer 11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. Any other version has to be upgraded to support IE11.
Supported operating systems for the upgrade are:
• Windows Server 2012 R2
• Windows 7 with Service Pack 1 (SP1)
• Windows Server 2008 R2 with Service Pack 1 (SP1)
IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default.
An account failed to log on.
Security ID: NULL SID
Account Name: –
Account Domain: –
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: asdf
Failure Reason: Unknown user name or bad password.
Sub Status: 0xc0000064
Caller Process ID: 0x0
Caller Process Name: –
Source Network Address:
Source Port: 53176
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
This event (4625) is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. The workstation name is not always available and may be left blank in some cases.
The Authentication Information fields provide detailed information about this specific logon request.
• Transited services indicate which intermediate services have participated in this logon request.
• Package name indicates which sub-protocol was used among the NTLM protocols.
• Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Status and Sub Status codes and their meaning:
0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to log on outside their day-of-week or time-of-day restrictions
0xC0000070 workstation restriction
0xC0000193 account expiration
0xC0000071 expired password
0xC0000133 clocks between DC and other computer too far out of sync
0xC0000224 user is required to change password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xC000015B the user has not been granted the requested logon type (aka logon right) at this machine
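An added example, not from the original post: a small triage script that parses 4625 event bodies in the layout shown above, maps the Sub Status to the meanings in the table, and flags a source address that fails network logons for several different accounts with “bad user” or “bad password” status, the pattern an analyst alerts on. The event texts are constructed samples, not real captures.

```python
import re
from collections import defaultdict

# Sub Status meanings from the table above (wording lightly shortened).
SUB_STATUS = {"0xC0000064": "user name does not exist",
              "0xC000006A": "user name is correct but the password is wrong",
              "0xC0000234": "user is currently locked out",
              "0xC0000072": "account is currently disabled",
              "0xC000006F": "logon outside day-of-week / time-of-day restrictions",
              "0xC0000070": "workstation restriction",
              "0xC0000193": "account expiration",
              "0xC0000071": "expired password",
              "0xC0000133": "clocks between DC and other computer too far out of sync",
              "0xC0000224": "user is required to change password at next logon",
              "0xC000015B": "not granted the requested logon type at this machine"}

FIELD = re.compile(r"^\s*(Account Name|Logon Type|Sub Status|Source Network Address):"
                   r"[ \t]*(.*?)[ \t]*$", re.M)

def parse_4625(text):
    """Extract the triage fields from one 4625 body. 'Account Name' occurs twice (Subject,
    then Account For Which Logon Failed); the last occurrence is the account that failed."""
    f = defaultdict(list)
    for name, value in FIELD.findall(text):
        f[name].append(value)
    sub = "0x" + f["Sub Status"][0][2:].upper()   # normalise 0xc0000064 -> 0xC0000064
    return {"account": f["Account Name"][-1], "logon_type": int(f["Logon Type"][0]),
            "sub_status": sub, "reason": SUB_STATUS.get(sub, "not in table"),
            "source": f["Source Network Address"][0] or "-"}

def spraying_sources(events, min_accounts=3):
    """Alert pattern: one source address producing network (type 3) failures for several
    different accounts, each with 'bad user' or 'bad password' sub status."""
    by_src = defaultdict(set)
    for e in events:
        if e["logon_type"] == 3 and e["sub_status"] in ("0xC0000064", "0xC000006A"):
            by_src[e["source"]].add(e["account"])
    return sorted(s for s, accts in by_src.items() if s != "-" and len(accts) >= min_accounts)

def sample_event(account, sub, source):
    """Constructed 4625 body in the layout shown above (not a real capture)."""
    return (f"An account failed to log on.\nAccount Name: -\nLogon Type: 3\n"
            f"Account For Which Logon Failed:\nAccount Name: {account}\nSub Status: {sub}\n"
            f"Source Network Address: {source}\nSource Port: 53176\nAuthentication Package: NTLM\n")

SAMPLE = [sample_event(a, s, src) for a, s, src in
          [("asdf", "0xc0000064", "10.0.0.5"), ("bob", "0xc0000064", "10.0.0.5"),
           ("carol", "0xc000006a", "10.0.0.5"), ("dave", "0xc000006a", "10.0.0.9"),
           ("dave", "0xc0000234", "10.0.0.9")]]
```

Run over the constructed sample, only 10.0.0.5 is reported, since 10.0.0.9 failed a single account and its lockout event does not count toward the pattern.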
Using the command-line utility DISM (the Deployment Image Servicing and Management tool), you can upgrade server editions without losing any data (a backup prior to making the change is always good).
Note: If the server is a domain controller, demote the DC to a member server before you upgrade the edition.
The editions of Server 2012 fall into three groups. First there are the main editions, Standard and Datacenter. These are what most businesses will license.
Next there are the low-end editions aimed at small businesses, Essentials and Foundation.
Finally, there are specialist editions for specific roles. These are Storage Server and Hyper-V Server.
Read the blogs below to know more.
So the next question: can I downgrade?
The answer is no; you may have to install from scratch.
Below is a document on disabling the Symantec firewall.
It describes how to customize or modify Symantec components.
OpenDNS (https://www.opendns.com/) is a company providing a DNS resolution service; it was acquired by Cisco on June 30, 2015. OpenDNS provides the following recursive name server addresses for public use:
OpenDNS also provides the following recursive name server addresses as part of its FamilyShield parental controls, which block pornography, proxy servers, and phishing sites:
OpenDNS supports the DNSCrypt protocol, which authenticates DNS traffic between the user’s computer and the name servers. This requires installing free software onto supported devices.
Similar service providers
Norton ConnectSafe is a free public DNS service offered by Symantec Corporation.
Policy A — Security
This policy blocks all sites hosting malware, phishing sites, and scam sites. To choose Policy A, use the following IP addresses as preferred and alternate DNS server addresses:
Policy B — Security + Pornography
In addition to blocking unsafe sites, this policy also blocks access to sites that contain sexually explicit material. To choose Policy B, use the following IP addresses as preferred and alternate DNS server addresses:
Policy C — Security + Pornography + Non-Family Friendly
This policy is ideal for families with young children. In addition to blocking unsafe sites and pornography sites, this policy also blocks access to sites that feature mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco, or violence. To choose Policy C, use the following IP addresses as preferred and alternate DNS server addresses
FreeDNS is an open, free and public DNS server (http://freedns.zone/en/).
Google Public DNS (https://developers.google.com/speed/public-dns/)
IP addresses 126.96.36.199 and 188.8.131.52
The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly available access to geographically dispersed files. The Distributed File System role service consists of two child role services:
• DFS Namespaces
• DFS Replication
DFS offers the following benefits:
Shared folders on a network appear in one hierarchy of folders created by a DFS root with links. This simplifies user access.
Fault tolerance is available by replicating shared folders, using the Microsoft File Replication Service (FRS).
Load balancing can be performed by distributing folder access across several servers.
There are two DFS models, stand-alone and domain-based:
Stand-alone DFS
No Active Directory implementation
Can implement load balancing, but replication of shares is manual
DFS root cannot be replicated
DFS accessed by \\Server_Name.Domain_Name\DFS_Root_Name
Choose a stand-alone namespace if any of the following conditions apply to your environment:
• Your organization does not use Active Directory Domain Services (AD DS).
• You need to create a single namespace with more than 5,000 DFS folders in a domain that does not meet the requirements for a domain-based namespace (Windows Server 2008 mode).
• You want to increase the availability of the namespace by using a failover cluster.
Domain-based DFS
Available only to members of a domain
Can implement fault tolerance by root and link replication and load balancing; replication of links and root is automatic
DFS accessed by \\Domain_Name\DFS_Root_Name
Choose a domain-based namespace if any of the following conditions apply to your environment:
• You want to ensure the availability of the namespace by using multiple namespace servers.
• You want to hide the name of the namespace server from users. Choosing a domain-based namespace makes it easier to replace the namespace server or migrate the namespace to another server.
DFS terminology:
The DFS root (a table of contents): the main container that holds links to shared folders. Folders from all domain computers appear as if they reside in one main folder.
DFS links (pointers to shares): the designated access path between the DFS root and shared folders.
Replica sets (targets, i.e. duplicated shares): a set of shared folders that is replicated to one or more servers in a domain.
The document below shows the configurations.