Setting up an Enterprise Root Certificate Authority isnât a task that youâll complete on a regular basis and something I think Iâve done twice, maybe 3 times, ever. Each time I forget what I did previously and you can guarantee Iâm using a different version of Windows Server each time.
security windowsIn the Admin UI under âAuthentication" it is possible to select one of 4 methods for authenticating user credentials; LOCAL, PAM, RADIUS or RADIUS. This can be done by changing the configuration key auth.module.type. This configuration key is not optional and is by default set to PAM. With LDAP and RADIUS additional settings are required to be able to authenticate users, for example which server to contact and any required shared secret code to be able to access the external authentication backend.
This document provides background on what LDAP authentication is, what specific LDAP authentication methods and mechanisms Active Directory and more specifically the NETID domain supports, and finally gives some guidance on which method and mechanism you should use.
ldap security windowsToday, many applications and devices connect to Active Directory over LDAP. Many of those are still performing insecure LDAP âsimple bindsâ where credentials are transferred in clear text over the network. Those exposed credentials typically include the âservice accountâ used to connect to LDAP, but also include the user credentials used during the application login.
Also note that the terms âLDAP over SSLâ and âLDAP over TLSâ are used interchangeably. By default, LDAP communications between client and server applications are not encrypted. This is especially problematic when an LDAP simple bind is used.
ldap security windowsIn this post, I discuss and give an example of how to use Squid, a leading open-source proxy, to implement a âtransparent proxyâ that can restrict both HTTP and HTTPS outbound traffic to a given set of Internet domains, while being fully transparent for instances in the private subnet.
tutorial aws networking squidThe primary reason for enabling this functionality is to allow third-party applications that arenât capable of performing secure binds or encrypted LDAP sessions (over TCP 389) to connect securely.
active directory security windowsThe core of the issue is this, when an application performs a simple LDAP bind, the username and password is transmitted in clear text in the very first packet. The DC doesn't even have a chance to prevent this exposure from occurring. Â If this connection is not encrypted at a lower layer such as TLS or IPSec, it may be intercepted and a bad day may soon follow.
active directory security windows ldapThe unattended-upgrades package can be used to automatically install updated packages, and can be configured to update all packages or just install security updates.
To configure unattended-upgrades, edit /etc/apt/apt.conf.d/50unattended-upgrades.
To enable automatic updates, edit /etc/apt/apt.conf.d/20auto-upgrades.
In looking into compromised systems, often what is needed by incident responders and investigators is not enabled or configured when it comes to logging. To help get system logs properly Enabled and Configured, below are some cheat sheets to help you do logging well and so the needed data we all need is there when we look.
documentation sysadmin tipsTools and settings for the windows time service.
windowsDocumentation of API endpoints on the UniFi controller software. This is a reverse engineering project that is based on browser captures, jar dumps, and reviewing other software that has been written to work with the controller. It's received minimal testing.
ubiquiti documentation apiRemembering the current directory for each drive has been preserved ever since DOS 1.0, although there isnât actually such a concept as a per-drive current directory in Win32. The appearance that each drive has its own current directory is a fake-out by cmd.exe which uses environment variables to create the illusion to batch files that each drive has its own current directory.
windowsWindows Server 2019 and the most recent version of Windows 10 include the ability to install both an SSH client and an SSH server. To get an SSH client onto Windows 10 or Windows Server 2019, without using 3rd party software or installing Windows Subsystem for Linux, use the PowerShell command:
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
windows
windows server 2019
ssh
Systems Manager Automation simplifies common maintenance and deployment tasks of Amazon EC2 instances and other AWS resources. Automation enables you to do the following.
This is a fork of Michal Gajda's PSWindowsUpdate PowerShell module. The original module can be found on the PowerShell Gallery.
windows github powershellThe Windows Update Agent (WUA) API is a set of COM interfaces that enable system administrators and programmers to access Windows Update and Windows Server Update Services (WSUS). Scripts and programs can be written to examine which updates are currently available for a computer, and then you can install or uninstall updates.
windows scriptingIf the router is filtering too, ubuntu has to be aware of the gateway's existence for both interfaces and use table and rule settings for a correct routing.
Normally, a Linux system only has one routing table, in which only one default gateway can make entries. With iproute2, you have the ability to setup an additional routing table, for one thing, and allow this table to be used by the system based on rules, for another.
linux networking homelabThis project describes the Ubiquiti EdgeRouter Lite (and EdgeRouter 4), EdgeSwitch 24 and UniFi Access Point network design for a SOHO (Small Office/Home Office) network.
ubiquiti networkingThis guide outlines basic steps used to troubleshoot Group Policy application errors using the Group Policy Service Debug logs (gpsvc.log).
Enable by setting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics\GPSvcDebugLevel REG_DWORD to 30002 (hex), and ensure %windir%\debug\usermode exists. The gpsvc.log log will be created in this directory when updating group policy (eg gpupdate /force).