Endless Face Zoom Oct. 8, 2019, 3:51 p.m.

Animated gif generator

TeePublic Sept. 30, 2019, 1:55 p.m.

Pop culture t-shirts, posters, gifts, and more.

Group Policy Preferences: Understanding “Run in Logged on User’s Security Context” Sept. 26, 2019, 4:29 p.m.

Every preference item applied is processed under the local SYSTEM account. This applies to preference items created under both the Computer and User Configuration nodes. When you select  “Run in Logged on User’s Security Context”, the security context is changed from SYSTEM to the current logged-in User. This is a huge distinction when you are creating preferences for Files, Shortcuts, or Drive Mappings.

How to use special permissions: the setuid, setgid and sticky bits Sept. 26, 2019, 10:22 a.m.

Ownership of files and directories is based on the uid (user-id) and gid (group-id) of the user who created them. The same thing happens when a process is launched: it runs with the effective uid and gid of the user who started it, and with the corresponding privileges.

The setuid bit modifies this behaviour so that an executable runs with the privileges of the executable file’s owner. This can be identified by an s in the executable bit for the file’s owner, eg:

ls -l /bin/passwd
-rwsr-xr-x. 1 root root 27768 Feb 11  2017 /bin/passwd

The setgid bit can be identified by an s in the executable bit of the file or directory’s group, eg:

drwxrwsr-x. 2 egdoc egdoc 4096 Nov  1 17:25 test

When set on an executable, the setgid bit causes it to run with the privileges of the executable’s group. When set on a directory, the setgid bit causes the group of files created inside the directory to be the group of the directory, not the user who created them.

When used on a directory, the sticky bit causes all files to be modifiable only by their owner, eg:

ls -ld /private/tmp
drwxrwxrwt  11 root  wheel  352 26 Sep 09:04 /private/tmp

Ansible module development: getting started Sept. 23, 2019, 12:18 p.m.

A module is a reusable, standalone script that Ansible runs on your behalf, either locally or remotely. Modules interact with your local machine, an API, or a remote system to perform specific tasks like changing a database password or spinning up a cloud instance. Each module can be used by the Ansible API, or by the ansible or ansible-playbook programs. A module provides a defined interface, accepting arguments and returning information to Ansible by printing a JSON string to stdout before exiting. Ansible ships with thousands of modules, and you can easily write your own. If you’re writing a module for local use, you can choose any programming language and follow your own rules. This tutorial illustrates how to get started developing an Ansible module in Python.

Extending Ansible – modules Sept. 19, 2019, 1:51 p.m.

One of possible use cases for custom modules is a wrapper for shell command. If there is a task you do with cli command on different remote hosts and in differen parts of your playbook/project, you may want to wrap it into idempotent module with check-mode support to make your playbooks’ code clean and easy to read.

OpenSSL Quick Reference Guide Sept. 18, 2019, 3:07 p.m.

OpenSSL is an open-source command line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information. We designed this quick reference guide to help you understand the most common OpenSSL commands and how to use them.

Active Directory - How to Enable LDAPS Using Self-Signed Certificates Sept. 18, 2019, 3 p.m.

To enable LDAP over SSL (LDAPS) all you need to do is "install" an SSL certificate on the Active Directory server. Most enterprises will opt to purchase an SSL certificate from a 3rd Party like Verisign. In my case, I created my own certificate using OpenSSL. Here are the steps I used to secure my Active Directory server using a self signed certificate.

Building an Enterprise Root Certification Authority in Small and Medium Businesses Sept. 18, 2019, 2:46 p.m.

This step-by-step guide will help you set up a public key certification authority (CA) in a network with servers running Microsoft Windows Server 2003 operating systems.

sp_whoisactive SQL Server Monitoring Stored Procedure Sept. 11, 2019, 5:03 p.m.

sp_whoisactive is a comprehensive activity monitoring stored procedure that works for all versions of SQL Server

Self updating OSMC Distribution Sept. 10, 2019, 11:22 a.m.

Here is a small tutorial on how to get OSMC / linux self-updating.

Run a command before & after ubuntu apt upgrade & unattended-upgrades Sept. 10, 2019, 11:21 a.m.

There are three hooks you can use for this:

• DPkg::Pre-Invoke is run once, before all the package manipulation sequences in one apt invocation
• DPkg::Pre-Install-Pkgs is also run once, before the package manipulation sequences, after the Pre-Invoke hook, and with a list of all the packages which will be installed
• DPkg::Post-Invoke is run once, after the package manipulation sequences.

APT Configuration Sept. 10, 2019, 11:20 a.m.

/etc/apt/apt.conf is the main configuration file shared by all the tools in the APT suite of tools, though it is by no means the only place options can be set. The suite also shares a common command line parser to provide a uniform environment.

Deploying an Enterprise Root Certificate Authority Sept. 5, 2019, 12:21 p.m.

Setting up an Enterprise Root Certificate Authority isn’t a task that you’ll complete on a regular basis and something I think I’ve done twice, maybe 3 times, ever. Each time I forget what I did previously and you can guarantee I’m using a different version of Windows Server each time.

OpenVPN Access Server: Authentication options and command line configuration Sept. 5, 2019, 11:48 a.m.

In the Admin UI under “Authentication" it is possible to select one of 4 methods for authenticating user credentials; LOCAL, PAM, RADIUS or RADIUS. This can be done by changing the configuration key auth.module.type. This configuration key is not optional and is by default set to PAM. With LDAP and RADIUS additional settings are required to be able to authenticate users, for example which server to contact and any required shared secret code to be able to access the external authentication backend.

LDAP Authentication Primer Sept. 5, 2019, 11:44 a.m.

This document provides background on what LDAP authentication is, what specific LDAP authentication methods and mechanisms Active Directory and more specifically the NETID domain supports, and finally gives some guidance on which method and mechanism you should use.

Are you using LDAP over SSL/TLS? Sept. 5, 2019, 11:42 a.m.

Today, many applications and devices connect to Active Directory over LDAP. Many of those are still performing insecure LDAP “simple binds” where credentials are transferred in clear text over the network. Those exposed credentials typically include the “service account” used to connect to LDAP, but also include the user credentials used during the application login.

Also note that the terms “LDAP over SSL” and “LDAP over TLS” are used interchangeably. By default, LDAP communications between client and server applications are not encrypted. This is especially problematic when an LDAP simple bind is used.

How to add DNS filtering to your NAT instance with Squid Sept. 5, 2019, 11:36 a.m.

In this post, I discuss and give an example of how to use Squid, a leading open-source proxy, to implement a “transparent proxy” that can restrict both HTTP and HTTPS outbound traffic to a given set of Internet domains, while being fully transparent for instances in the private subnet.

Creating Custom Secure LDAP Certificates for Domain Controllers with Auto Renewal Sept. 4, 2019, 12:15 p.m.

The primary reason for enabling this functionality is to allow third-party applications that aren’t capable of performing secure binds or encrypted LDAP sessions (over TCP 389) to connect securely.

Identifying Clear Text LDAP binds to your DC’s Sept. 4, 2019, 12:15 p.m.

The core of the issue is this, when an application performs a simple LDAP bind, the username and password is transmitted in clear text in the very first packet. The DC doesn't even have a chance to prevent this exposure from occurring.  If this connection is not encrypted at a lower layer such as TLS or IPSec, it may be intercepted and a bad day may soon follow.