Wednesday, January 1, 2014

New Post! Merging Blogs!

Hi Guys!

I've given up on trying to manage a bunch of different blogs seperately, so I'm posting new content on a single consolidated blog at http://extraparts.info.  Tonight I posted a fun little bit about mapping printers based on the OU of a workstation using logon scripts.  It's at http://www.extraparts.info/2014/01/options-for-automating-per-location.html.  Go on over and take a look!

I'm religiously tagging my posts, so if you only want to see the IT related posts, use this link instead.
http://www.extraparts.info/search/label/IT.

Thanks!
-ellie

Wednesday, March 2, 2011

Apache SVN and LDAP group authentication

Today I worked on our new SVN server. I wanted it to do authentication to our AD and to an AD group. I created the AD group, stuck my users in it, and swapped out the "Require valid-user" with Require ldap-group DN=foo,OU=Bar,DC=Myco,DC=Local.

It didn't work.

So I fired up Wireshark and the ldap DN compareRequest was failing. wtf?!

So I fired up my handy-dandy LdapAdmin tool and pointed it at the ldap server and...

At this point I should mention that my Apache ldap configuration is pointed at the Global Catalog port, not the regular LDAP port.

... the ldap browser showed there were NO members in the group. I verified they were in there via the AD users and computers tool, but not in the Global Catalog server.

Why you ask? Because Global and Domain Local group memberships are NOT replicated to the Global catalogs. The fix is to either a.) connect to the true ldap port in AD or b.) convert the group to a universal group.

I chose b.

-ellie

Wednesday, January 27, 2010

Krickey, spammers!

Sorry about the comment spam on here, I didn't realize moderation was off. I'll fix that right now.

-e

Backticks for windows. (almost)

In Linux, or more specifically in the sh and bash shells, backticks " ` " execute a command and insert the results into a command. I found a great trick to do almost the same thing over at PcReview

This snippet will save the hostname of a PC to an environment variable.


for /f "delims=" %%A in ('hostname') do set hostname=%%A
echo %hostname%


It loops over the output and keeps setting the variable. Cool.

Thursday, January 14, 2010

Setting IP addresses from the command line

netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1

Monday, October 19, 2009

That's the brakes.

Yesterday I put brakes on the Hyundai. One of the Caliper slider pins was rusted solid. :( I heated it up with a torch, applied PB blaster, and beat the crap out of it. The replacement pin and boot was $50. Conveniently I just bought a new hammer that has a longer handle. The extra leverage helped a lot. It was supposed to be for teaching Derek blacksmithing, but now I might keep it.

The garage is pissing me off. It's time to get that shit cleaned up.

arg.

-ellie

Wednesday, September 16, 2009

SQL Network (Transport) Level Encryption. (TDS)

By default, Microsoft SQL connections only encrypt the login credentials. Everything else can be sniffed right off the wire. Sql 2008 (and some earlier versions) allow you to do encrypted SQL connections pretty easily. Here is how.

You will need:
Sql server (well duh!)
A certificate server or "MakeCert".
On Windows server 2008, "WinHttpCertCfg".

MakeCert is a tool to "easily" make a self-signed certificates without installing a full Certification Authority. It is part of the Windows SDK available from here. I am on XP, but downloaded the Windows Vista version, Ran Setup and DE-selected all of the items except for the SDK. Total download size was about 18mb.

Since my SQL Server is Windows 2008, I also needed WinHttpCertCfg. This tool is needed on Server 2008 to set permissions for the Private Key. More on that in a second. That is available here.

So, lets get to work.

First, you need your database server's FQDN. This is the windows FQDN, not your internet FQDN. Right-Click "Computer" or "My Computer" and write down the "Full computer name:" On Server 2008 this is on the "System" pane. On prior versions of windows this is on the Computer Name tab.

Next you get to make your certificate. If you have a domain CA, go request a computer certificate, install it, and skip down to the "Assigning permissions to the service account" step. If you don't have a CA, we can use MakeCert.

The command for makecert is:
C:\Program Files (x86)\Windows Resource Kits\Tools\makecert -r -pe -n "CN=yourhost.yourdomain.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\MyCertificate.cer

The certificate will be saved to c:\MyCertificate.cer.

Now we import the certificate to the Local Machine's Personal store.
Start -> Run -> MMC.
File -> Add/Remove Snap-in -> Certificates -> Add -> Local Computer -> Next -> Finish -> Ok.
Expand Certificates and Right-Click the "Personal" Store. Select "Import".
Browse to c:\MyCertificate.cer -> Next. There is no password -> Next -> finish.

Almost Done. Now we need to give the SQL service account permissions to the private key of the Cert.
Pop open your command prompt and run this command. You need to substitute the appropriate Server FQDN (yourhost.yourdomain.com) and the SQL Service account. (SqlServiceAccount).

C:\Program Files (x86)\Windows Resource Kits\Tools\winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s yourhost.yourdomain.com -a SqlServiceAccount

Next, Enable the Sql Encryption.
Start -> All Programs -> Microsoft SQL Server 2008 -> Configuration Tools -> Sql Server Configuration Manager.
Expand "Sql Server network Configuration" and Right-click Protocols for MSSQLSERVER. Select Properties.
On the Certificate tab, Select the yourhost.yourdomain.com certificate.
On the flags tab, Select "Force Encryption=Yes"
Click ok.
Click ok to close the warning message.

Finally you need to restart the SQL Server service.

Viola! Network Encryption is done.

MS KB316898 is the reference for this topic.

For the record, this is a "weak" security measure. It only does encryption. It still can be defeated with a man-in-the-middle attack, because SQL doesn't verify the certificates.

Hth,
Elizabeth Greene