RootUsers https://www.rootusers.com Guides, tutorials, reviews and news for System Administrators. Feed generated Wed, 16 Aug 2017 07:23:11 +0000.

How to Restore a Deleted File in Linux
Published Tue, 15 Aug 2017 14:01:08 +0000. Original URL: http://www.rootusers.com/?p=4843

If you’ve accidentally deleted a file in Linux, don’t worry, you can probably still restore it as long as that area of disk has not yet been overwritten. This post will show you how to easily restore a deleted file in Linux.

Foremost is a file carver: it searches a disk or raw image file for files based on their headers, footers, and internal data structures, ignoring the filesystem’s own metadata entirely. That is why it can recover a file after rm has freed its directory entry and inode: the data blocks themselves are left alone until something else is written over them.

Install Foremost

Foremost is available in many different distributions of Linux.

Mint/Debian/Ubuntu

We can install Foremost in Linux Mint, Debian, or Ubuntu by simply running the following command.

apt-get install foremost

CentOS/RHEL

By default Foremost is not available in any of the standard CentOS/RHEL repositories, so we’ll install it directly from the RPM.

yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y

This RPM is for el7, el6 can be found here.

Failing these options, you can download the Foremost source here.

In this example we are using CentOS 7, however once you’ve installed Foremost the rest of the steps should be the same in any Linux distribution.

Deleting a File

Now that Foremost is installed, let’s delete a file. It’s worth noting that Foremost does not need to be installed when the file was deleted, that’s just the order I happened to do things in.

In this example we will be removing the image.jpg file shown below.

[root@centos7 ~]# file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01
[root@centos7 ~]# md5sum image.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  image.jpg

We’ll use this information later to verify that the file has been successfully restored. Now we’ll delete the file using the rm command.

[root@centos7 ~]# rm -f image.jpg

Restore a Deleted File

Next we’ll create a directory to restore our files to. Foremost requires this output directory to be empty (it will create it if it does not exist), so we’ll make /root/restored/. Note that this directory lives on the same filesystem we are about to carve. Every write to that filesystem risks reusing the very blocks we want back, so on a real recovery stop other writes to the disk (or remount it read-only) and send the output to a different device, or first take an image of the disk with dd and carve the image instead.

[root@centos7 ~]# mkdir /root/restored

Now we are ready to run the Foremost command and restore our image file. The -i switch specifies the disk or image file to search, -o the output directory, and -t restricts carving to the listed file type(s); -t all carves every built-in type, and the foremost man page lists the types supported. Restricting the type keeps the run fast and the output small, since Foremost scans for the header bytes that the chosen type uses.

[root@centos7 ~]# foremost -i /dev/sda3 -t jpg -o /root/restored/
Processing: /dev/sda3
|**************************************************************************************************************************************************************************************|

This took approximately 2 minutes to complete on an 18 GB disk. It will find any JPEG data on /dev/sda3, not just our file, and restore each hit into the /root/restored/ directory, as long as the space it occupied on disk has not yet been overwritten by anything else. Files whose blocks were not stored contiguously may come back truncated or corrupt, which is why the hash comparison that follows matters.

If we look inside our /root/restored directory, we can see that our image file has successfully been restored. The MD5 hash of the file is exactly the same as the file before we deleted it.

[root@centos7 ~]# md5sum /root/restored/jpg/18608472.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  /root/restored/jpg/18608472.jpg

Carving works on the file’s contents only. The original file name lived in the directory entry and inode, which rm freed, so it cannot be recovered this way; Foremost instead names each recovered file after the offset at which it was found on the device (18608472 above). The data itself, however, is all there.
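To make concrete what recovering a file “based on its headers and footers” means, here is a small carver written for this page (an added example, not Foremost’s code and not part of the original post). It scans a raw buffer for the JPEG start-of-image marker FF D8 FF, takes everything up to the next end-of-image marker FF D9 as one file, names each hit after its byte offset much as Foremost names output files after the offset where they were found, and verifies the result with MD5 exactly as the post does. The “disk” it carves is a constructed byte string standing in for /dev/sda3; a real image would be read in chunks from the device or from a dd image.

```python
"""Header/footer carving for JPEG data, in the style of foremost.

Added example for this page, not foremost's own code. Works on an in-memory
buffer; for a real device or dd image you would read it in chunks or mmap it.
"""
import hashlib
import os
import tempfile
from typing import Iterator, List, Tuple

JPEG_HEADER = b"\xff\xd8\xff"     # SOI marker plus the first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"         # EOI marker
MAX_JPEG_SIZE = 20 * 1024 * 1024  # per-type size cap, as a carver's config would set


def carve_jpegs(image: bytes, max_size: int = MAX_JPEG_SIZE) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, data) for each header...footer run in the buffer.

    Like foremost this ignores filesystem metadata entirely, so it only works
    when the file was stored contiguously and its blocks have not been reused.
    A header with no footer within max_size is skipped (overwritten or fragmented).
    Caveat: a JPEG carrying an EXIF thumbnail contains an inner FF D9, so a
    first-footer carver truncates it; production carvers walk the JPEG segments.
    """
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            return
        limit = min(len(image), start + max_size)
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), limit)
        if end == -1:
            pos = start + 1          # orphan header: move on, keep scanning
            continue
        end += len(JPEG_FOOTER)
        yield start, image[start:end]
        pos = end


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def write_carved(image: bytes, outdir: str) -> List[str]:
    """Write every carved JPEG to outdir, named by its offset like foremost does."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, data in carve_jpegs(image):
        path = os.path.join(outdir, f"{offset:08d}.jpg")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_disk() -> Tuple[bytes, List[bytes], List[int]]:
    """Constructed stand-in for /dev/sda3: zeroed slack space, two JPEG-like
    blobs, and one orphaned header with no footer to exercise the skip path."""
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg_a = jfif + bytes(range(65, 91)) * 8 + JPEG_FOOTER
    jpeg_b = jfif + bytes(range(0, 200)) + JPEG_FOOTER
    disk = b"".join([b"\x00" * 4096, jpeg_a, b"\x00" * 1024, jpeg_b,
                     b"\x00" * 2048, b"\xff\xd8\xff\xe1", b"\x00" * 64])
    offsets = [4096, 4096 + len(jpeg_a) + 1024]
    return disk, [jpeg_a, jpeg_b], offsets


def recover_and_hash() -> List[str]:
    """Carve the sample disk into a temp dir and return the MD5 of each output
    file, which is how the post proves the restored file is byte-identical."""
    disk, _, _ = build_sample_disk()
    with tempfile.TemporaryDirectory() as outdir:
        hashes = []
        for path in write_carved(disk, outdir):
            with open(path, "rb") as fh:
                hashes.append(md5hex(fh.read()))
    return hashes


if __name__ == "__main__":
    disk, originals, offsets = build_sample_disk()
    for (offset, data), original in zip(carve_jpegs(disk), originals):
        print(f"{offset:08d}.jpg  {md5hex(data)}  matches={data == original}")
```

The orphaned header at the end of the sample disk is the case a carver meets constantly on a real volume: a partially overwritten file, or the first fragment of one that was not stored contiguously. Foremost handles the JPEG thumbnail problem by parsing the segment structure rather than stopping at the first FF D9, which is one reason to prefer it over a quick script for real recoveries.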

Summary

We installed the Foremost tool on our CentOS 7 machine and used it to restore a deleted file. Using the MD5 hash of the file before and after recovery, we can confirm that the exact same file has successfully been recovered.

Foremost is a simple tool for data carving; I’ve used it with some success in a number of Capture The Flag (CTF) style challenges.

Install PowerShell 5 in Windows Server 2008 R2
Published Thu, 10 Aug 2017 14:01:01 +0000. Original URL: http://www.rootusers.com/?p=3757

Windows Management Framework (WMF) 5.1 contains PowerShell 5.1. By default Windows Server 2008 R2 SP1 runs the older PowerShell version 2. By downloading and installing WMF 5.1 to a Windows Server 2008 R2 system, we can upgrade it to PowerShell version 5.1.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Download WMF 5.1 to a Windows Server 2008 R2 system

This also works with Windows Server 2012 and 2012 R2. By default Windows Server 2016 already has PowerShell 5.0 installed, so this is not required there. Note that to upgrade Windows Server 2008 R2 you must be using Service Pack 1 (SP1).

First we’ll confirm the version of PowerShell on our 2008 R2 system. This can be done by opening PowerShell and running $PSVersionTable, as shown below.

PS C:\> $PSVersionTable

Name                           Value
----                           -----
CLRVersion                     2.0.50727.4927
BuildVersion                   6.1.7600.16385
PSVersion                      2.0
WSManStackVersion              2.0
PSCompatibleVersions           {1.0, 2.0}
SerializationVersion           1.1.0.1
PSRemotingProtocolVersion      2.1

As expected we have PowerShell version 2.0, which is the default in this operating system.

Just Enough Administration (JEA) is a Windows Server 2016 feature that depends on WMF 5.0 or later, so installing WMF 5.1 is what makes it available on the older 2008 R2 SP1 operating system.

Before we download and install WMF, we must first install .NET Framework 4.5.2 or later, as this is a prerequisite for WMF 5.1 on Windows Server 2008 R2 SP1; by default 2008 R2 SP1 ships with .NET 3.5.1. You can download a newer version of .NET from here: https://www.microsoft.com/net/download/framework

After installation has completed you’ll need to perform a system reboot to proceed.

Next download Windows Management Framework (WMF) 5.1 from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=54616

A system reboot is not required after installing WMF.

Once installed open PowerShell and run $PSVersionTable again, we can now see that PSVersion is listed as 5.1 as expected.

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

We will now be able to configure our Windows Server 2008 R2 SP1 system to use Just Enough Administration (JEA), as we’ll cover in future posts.

One security caveat: installing WMF 5.1 changes the default engine but leaves the PowerShell 2.0 engine in place, and on 2008 R2 it cannot be removed because it is part of the operating system. Anyone who can run powershell.exe -Version 2 gets an engine without script block logging, AMSI integration or the other 5.x protections, so watch for engine start events (event ID 400 in the Windows PowerShell log) that report EngineVersion 2.0.

Summary

By first updating the .NET Framework and then installing either WMF 5.0 or 5.1, we can upgrade our PowerShell version to support Just-Enough Administration (JEA) in older versions of Windows, such as Windows Server 2008 R2, 2012, and 2012 R2.


Implement Work Folders in Windows Server 2016
Published Tue, 08 Aug 2017 14:01:59 +0000. Original URL: http://www.rootusers.com/?p=4280

In this post I’ll show you how to implement Work Folders with a Windows Server 2016 file server and Windows 10 client. Work Folders allow a user to access their files from an internal file server remotely over the Internet.

As files are synchronized from the server to the client machine, it is possible to modify the files offline. Once the computer is back on the network, the changes sync to the central file server. Work Folders can be set up with failover clustering to provide a highly available file sharing solution.

The file server provides a central access point for the files, a user can then connect to this from many devices. Security policy can be set to ensure the client system encrypts the contents of any work folders, this ensures that if a client machine is stolen the files remain safe.

The work folders role service can be installed in Windows Server 2012 R2 and above, and is also available in Windows 7 clients and newer. There’s even mobile application support for Android 4.4 and above and iOS 8 and above for iPhone. The work folders on the server must be stored on a disk formatted with the NTFS file system.

By default work folders are stored in the %USERPROFILE%\Work Folders directory on the client, and individual files cannot be larger than 10 GB.


Install Work Folders

We can install the Work Folders role through either the graphical user interface (GUI) or command line interface (CLI).

GUI Install

Simply open Server Manager and select to add a role. From the available server roles, select Work Folders, found under File and Storage Services. The wizard will also prompt you to add the IIS Hostable Web Core feature, which is required.

PowerShell Install

We can instead install the role much faster using the Install-WindowsFeature PowerShell cmdlet, passing it FS-SyncShareService (the Work Folders service) together with Web-WHC (the IIS Hostable Web Core feature that the GUI wizard prompted us to add).

Create Security Groups

We need to create specific groups to allow users permission to sync the shares. We need a group for each share that is to be synchronized, this contains the users that are allowed to sync the share. We can also create another group for work folder administrators which allows the users within to modify user object attributes which control the server that each user will use.

The two groups can be created in Active Directory. The names do not matter but should ideally be clear and make sense; for instance, if there will be a share called “Finance Share” then a group named “Finance Share Users” would make sense for this purpose.

Microsoft recommend only putting the specific users in the group required rather than using other existing or generic groups, as more items can reduce performance as the time for work folders to query Active Directory increases.

Create Sync Shares

We’re now ready to create a sync share on the file server, which is simply a work folder that we’re sharing. We’ll cover how to create sync shares both through the GUI and with Windows PowerShell.

First open Server Manager and select File and Storage Services followed by Work Folders.

In this example we do not have any existing work folders so we can simply click the text shown under work folders. Alternatively if you already had work folders showing here, you would select the Tasks drop down menu and then select “New Sync Share”. This will open the New Sync Share Wizard, which notes that you need free space on an NTFS disk and security groups ready to use which we’ve already created.

Next we need to specify the server and path to the folder that we’ll be sharing. In this example we’ll use the file server itself and the C:\finance folder path which is where we want to create our work folder for the finance group.

Next we can specify the structure for user folders, by default user alias is selected which is what we’ll be using here. We only have one domain in this example so there’s no need to specify user@domain.

Now we can name the sync share, by default the name field populates with the name of the folder that we selected previously, which we’ll use here.

We can now grant sync access to our finance group, simply click the Add button and search for the group in AD. We can see that our “Finance Share Users” group that we created earlier from the EXAMPLE domain has been specified to be allowed access to the finance work folder sync share.

We can now specify our security policies for the work folders on the client. By default the automatically lock screen and require password option is selected. This makes the client system automatically lock the screen after 15 minutes of inactivity and require a minimum six character password to unlock. Accounts will be locked out for 10 minutes after failed login attempts.

We can optionally select to encrypt work folders on the client side, which is recommended as it protects the files in the event that the machine is stolen. Work Folders uses EFS for this, so if the whole disk is already protected with BitLocker the benefit is smaller, though it still allows the organisation’s work data to be wiped selectively without touching the user’s personal files.

Finally we are presented with a summary of the settings selected, review these and click create to proceed.

We can see that the file sync share has been created successfully.

We could have also completed this through PowerShell rather than the GUI using the New-SyncShare cmdlet. While the group specified will already need to exist, the directory specified will be created if it does not already exist.

New-SyncShare "sales" C:\sales -User "Sales Share Users"

Back in the Work Folders section of Server Manager we can see our sync shares are listed with the details that we specified. The finance sync share was created through the GUI, while the sales sync share was created through PowerShell.

Create Client Work Folders

First we’ll discuss how a client can manually access a work folder, followed by how this can be automatically deployed through group policy.

Manually Configure Work Folders

A user logged into their Windows workstation can setup work folders. Note that the user must be a member of the group that was allowed access to the sync share. In this example, the user we are demonstrating with is a member of the “Finance Share Users” group and will be accessing the finance sync share. The example also takes place in Windows 10.

In Control Panel, select System and Security.

Next select Work Folders, note that this option does not appear on the server OS.

We can now select set up work folders.

At this point we can either enter our work email address, or instead use a URL.

Once you provide your credentials to login, you can control where the work folder on the local machine will be stored. By default it will be stored in the users profile, however this can be changed. The user will then need to agree to the security policies to proceed.

This stores a copy of the files from the folder on the server, any changes you make to your local copies are synced to the server.

By default clients connect to the file server URL with HTTPS. In a test environment you can configure the client to allow plain HTTP with the registry entry below, but in production HTTPS is the only sensible choice, as it protects both the user’s credentials and the file contents in transit between the client and server.

Reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkFolders /v AllowUnsecureConnection /t REG_DWORD /d 1

Automatically Configure Work Folders

Create a new GPO and edit “Specify Work Folders Settings” from within User Configuration > Policies > Administrative Templates > Windows Components > WorkFolders. This will specify the work folders server URL for users that the policy applies to.

Next we also need to configure the “Force automatic setup for all users” policy from within Computer Configuration > Policies > Administrative Templates > Windows Components > WorkFolders. This will automatically setup Work Folders for all users that access the computer where the policy is applied to.

Both the manual and automatic work folder setup options have created a folder on the client system that is in sync with the folder on the server. By default the client will attempt to synchronize with the server every 10 minutes if there are no changes. If the client system makes a change, it’s synchronized with the server straight away. Additionally if the client makes changes that sync to the server, the server will notify other clients syncing this folder so that they can also update. This allows the user to access any Windows machine with work folders configured so that they can view the same files from the central file server. They can even take the files offline, modify them, and then they will sync with the server later once they are back on the network.

Also note that if the work folders need to be accessible over the Internet, you would also need a certificate for the file server that the clients trust, and public DNS entries that resolve the server’s name.

Summary

We have shown you how to implement work folders in Windows Server 2016 for the file server, and Windows 10 for the client.

Work folders work with existing File Server Resource Manager (FSRM) options, including file quotas to limit how much disk space a user can use, file screening to control the types of files allowed to be stored, and file classification rules to classify files with custom properties.

Work Folders allows users the ability to work from anywhere and from different devices, while allowing system administrators the ability to ensure documents are encrypted on the client devices.


Prevent File/Directory Modification, Deletion and Renaming in Linux
Published Sun, 06 Aug 2017 14:01:58 +0000. Original URL: http://www.rootusers.com/?p=4798

In order to prevent a file or directory from being accidentally or intentionally modified, renamed or deleted in Linux, we can set the immutable flag which will disable this functionality.

About the immutable flag

The immutable flag is an extended file system attribute, supported by ext2/3/4, XFS, Btrfs and several other Linux filesystems, and can be set on both files and directories. With this flag in place, the file or directory cannot be modified, renamed, deleted or hard-linked, even by root, without first removing the immutable flag. Setting or clearing it requires the CAP_LINUX_IMMUTABLE capability, which in practice means root.

Example

In the following example, we create a new empty file called ‘no-edit.txt’.

[root@server ~]# touch no-edit.txt

We can use the lsattr command on this file to view its extended attributes. In this case only ‘e’ is set by default, which simply means the file uses extents (normal for ext4) and has nothing to do with protection.

[root@server ~]# lsattr no-edit.txt
--------------e---- no-edit.txt

Next we’ll write some data to the file, which works as expected.

[root@server ~]# echo test >> no-edit.txt
[root@server ~]# cat no-edit.txt
test

Now we use the chattr command to set the ‘i’ flag, where i represents immutable.

[root@server ~]# chattr +i no-edit.txt

We can now run the lsattr command again to confirm that the ‘i’ flag is now listed on the file.

[root@server ~]# lsattr no-edit.txt    
----i---------e---- no-edit.txt

The no-edit.txt file is now immutable, so let’s try and write more data to it and see if we can delete or rename it.

[root@server ~]# echo more-test >> no-edit.txt
zsh: operation not permitted: no-edit.txt
[root@server ~]# rm -f no-edit.txt
rm: cannot remove 'no-edit.txt': Operation not permitted
[root@server ~]# mv no-edit.txt no-edit2.txt
mv: cannot move 'no-edit.txt' to 'no-edit2.txt': Operation not permitted

As we can see in this example, we are not able to modify, delete, or rename our test file as it has been set to immutable. Applying the ‘i’ flag to a directory protects the directory itself: entries inside it cannot be created, deleted or renamed, and the directory cannot be removed. The flag is not inherited, though, so the contents of an existing file inside an immutable directory can still be changed unless that file is also marked immutable. To protect a whole tree, apply the flag recursively with chattr -R +i.

If you want to be able to change, remove, or rename an immutable file or directory, you must first remove the ‘i’ flag. This is done again using the change attribute (chattr) command, as shown below.

[root@server ~]# chattr -i no-edit.txt
[root@server ~]# lsattr no-edit.txt
--------------e---- no-edit.txt

At this point we can now edit, delete or rename the no-edit.txt file as it is no longer immutable.
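Because the flag survives chmod and chown and stops even root until it is cleared, it is worth being able to audit where it is set: administrators pin files such as resolv.conf this way, and attackers use chattr +i to protect their persistence files. The following Python, written for this page (not part of the original post), parses the output of lsattr -R into a list of protected paths, flagging both the ‘i’ flag and the related ‘a’ (append-only) attribute. The sample output it works on is constructed to match lsattr’s format, with illustrative paths; run_lsattr() shows how to feed it real output.

```python
"""Audit lsattr -R output for files protected by the i (immutable) or
a (append-only) attribute. Added example for this page, not from the post."""
import subprocess
from typing import Dict, List, NamedTuple

# The two attributes that make rm, mv and open-for-write fail with EPERM.
PROTECTING_FLAGS = {"i": "immutable", "a": "append-only"}


class Entry(NamedTuple):
    path: str
    flags: str


def parse_lsattr(output: str) -> List[Entry]:
    """Turn lsattr output into Entry records.

    With -R, lsattr prints a "dir:" header before each directory's entries and a
    blank line after them; error lines (e.g. for virtual filesystems) start with
    "lsattr:". Each real entry is "<flags> <path>", and paths may contain spaces.
    """
    entries = []
    for line in output.splitlines():
        if not line.strip() or line.endswith(":"):
            continue
        flags, sep, path = line.partition(" ")
        # A flags field is only dashes and attribute letters; anything else is noise.
        if not sep or not all(c == "-" or c.isalpha() for c in flags):
            continue
        entries.append(Entry(path, flags))
    return entries


def protected_files(output: str) -> Dict[str, List[str]]:
    """Map each protected path to the names of the protecting flags it carries."""
    found = {}
    for entry in parse_lsattr(output):
        names = [name for flag, name in PROTECTING_FLAGS.items() if flag in entry.flags]
        if names:
            found[entry.path] = names
    return found


def run_lsattr(root: str) -> str:
    """Collect real output: lsattr -R recurses into directories, printing the
    headers parsed above. Errors for filesystems without attribute support go
    to stderr and are not part of the returned text."""
    return subprocess.run(["lsattr", "-R", root], capture_output=True, text=True).stdout


# Constructed sample in lsattr -R format; the paths and flags are illustrative only.
SAMPLE_LSATTR_OUTPUT = """\
/etc:
--------------e---- /etc/hostname
----i---------e---- /etc/resolv.conf

/etc/cron.d:
----i---------e---- /etc/cron.d/.update
--------------e---- /etc/cron.d/sysstat

/var/log/audit:
-----a--------e---- /var/log/audit/audit.log
lsattr: Operation not supported While reading flags on /var/log/audit/sock
"""

if __name__ == "__main__":
    for path, names in protected_files(SAMPLE_LSATTR_OUTPUT).items():
        print(f"{path}: {', '.join(names)}")
```

In the sample, the immutable resolv.conf is the kind of deliberate administrative use the post describes, while a hidden, immutable file under /etc/cron.d is exactly what an incident responder would want surfaced; the parser treats both the same and leaves the judgement to the reader.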

Summary

In Linux we can set the immutable flag on a file or directory with the ‘chattr’ command. Once immutable, it will not be possible to delete, modify, or rename the file or directory that it has been applied to, and on a directory no entries can be added or removed. We can use the ‘lsattr’ command to list the attributes of a particular file or directory to see if the ‘i’ flag is in place. Only a process with CAP_LINUX_IMMUTABLE (normally root) can remove the flag, after which the object can be removed, edited, or renamed as usual.

The Importance of HTTP Strict Transport Security (HSTS)
Published Thu, 03 Aug 2017 14:01:25 +0000. Original URL: http://www.rootusers.com/?p=3739

The HTTP Strict-Transport-Security (HSTS) header can be used to increase the security of a website. In this post we’ll discuss how it works, why it’s important and why you should consider using the HSTS header.

The problem without HSTS

As you may know, the Hypertext Transfer Protocol (HTTP) is a cleartext protocol. This means that all data transferred using this protocol can be read by someone with access to the network, as data is not encrypted when transmitted between client and server.

You may also know that this problem is resolved by using HTTPS, which essentially encrypts the data transmitted between the client and server.

Many websites respond on both HTTP and HTTPS, typically the web server will be configured to perform a 301 redirect for HTTP requests to the HTTPS equivalent, ensuring that further communications are secure.

There is a problem with this, however. Unless a visitor to the website in question purposefully enters the HTTPS version of the URL, by default if they just enter the domain name into the browser the first request will be over cleartext HTTP.

Therein lies the problem: if this first request is intercepted by a Man-in-the-middle (MITM) attacker, the client has no assurance that it is interacting with the legitimate server. The MITM could serve a copy of the website from their own server and wait for the victim to enter their credentials, or simply proxy the real site to the victim over plain HTTP while talking HTTPS to the real server (SSL stripping), so the victim never sees a certificate warning.

How HSTS tries to help

This is where the HSTS header tries to fix the situation. The web server (such as Apache or Nginx) sends the Strict-Transport-Security header along with the other usual response headers. Web browsers which support HSTS record the host when they see this header and send all future requests to it using HTTPS. Even if you manually enter a URL using HTTP, the browser will rewrite it to HTTPS before anything has been transmitted over the network. Two details matter here: browsers only honour the header when it arrives over an HTTPS connection whose certificate validated (a copy served over HTTP is ignored, otherwise a MITM could plant policies), and for a host under HSTS, certificate errors become hard failures that the user cannot click through.

This sounds great, but there’s still a slight problem here. The web browser will not start behaving in this manner until it first receives the HSTS header from the web server. This means that the first time a user ever browses to a website using HSTS, their browser is not yet aware of the presence of the HSTS header, so this first initial request could still be intercepted.

Additionally, the HSTS header is only valid for the number of seconds given in its max-age directive. It is generally recommended that this be set to at least 6 months, however this does mean that it is possible for the first request after the policy expires to be sent over cleartext HTTP. Each new response carrying the header resets the timer, so a regular visitor’s policy never lapses in practice; the risk is to the occasional visitor.

HSTS Preload saves the day

These small shortcomings are resolved by using HSTS preload. The HSTS preload list is a list of domains known to use HSTS which is compiled into the web browsers themselves, so it only changes when the browser is updated. As a result, it can take some time before your domain gets added successfully to the HSTS preload list, it took around 2 months for this domain to be added.

This way the web browser is essentially hard coded to know all HSTS preloaded domains, so that any request to such a domain is sent over HTTPS straight away without the browser first needing to see the HSTS header from the destination web server. Setting up preload requires the HSTS header to contain the includeSubDomains and preload directives alongside a sufficiently long max-age (hstspreload.org currently requires at least one year, 31536000 seconds), a valid certificate, and a redirect from HTTP to HTTPS on the same host.

Once all requirements for preload have been configured you submit your domain to the HSTS preload list. Think carefully before doing so: preloading with includeSubDomains commits every subdomain, including internal or forgotten ones, to HTTPS, and removing a domain from the list takes months to reach users, so it is effectively permanent.
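To see the three states discussed above (before the header is seen, while it is cached, after it expires) and the effect of preload, here is a small model of a browser’s HSTS store, written for this page as an added example (not from the original post and not any browser’s real code). It parses the Strict-Transport-Security value, remembers a host for max-age seconds, upgrades later http:// navigations before they would go on the wire, covers subdomains only when includeSubDomains was set, discards a header that arrived over plain HTTP, and treats a constructed preload list as always on. The hostnames are placeholders, and the one-year preload minimum is hstspreload.org’s current requirement rather than the post’s 6-month guideline for plain HSTS.

```python
"""A toy HSTS store modelled on RFC 6797 client behaviour. Added example for
this page; the hostnames and the preload list below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31536000  # one year: current hstspreload.org requirement


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if max-age is missing/invalid."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":   # directive names are case-insensitive
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: HstsPolicy) -> bool:
    """Header-side conditions for submission to the preload list."""
    return policy.max_age >= PRELOAD_MIN_MAX_AGE and policy.include_subdomains and policy.preload


class Browser:
    def __init__(self, preload_list: Set[str]):
        self.preload_list = preload_list                   # preloaded entries cover subdomains
        self.known: Dict[str, Tuple[int, HstsPolicy]] = {}  # host -> (received_at, policy)

    def _covered(self, host: str, now: int) -> bool:
        labels = host.split(".")
        for i in range(len(labels)):                # exact host first, then each parent domain
            candidate, is_parent = ".".join(labels[i:]), i > 0
            if candidate in self.preload_list:
                return True
            entry = self.known.get(candidate)
            if entry:
                received_at, policy = entry
                fresh = now < received_at + policy.max_age
                if fresh and (not is_parent or policy.include_subdomains):
                    return True
        return False

    def request(self, url: str, now: int) -> str:
        """Return the URL the browser would actually fetch."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._covered(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def receive(self, url: str, header: str, now: int) -> None:
        """Record an STS header from a response. Only trusted when it came over HTTPS."""
        parts = urlsplit(url)
        policy = parse_hsts(header)
        if parts.scheme != "https" or policy is None:
            return
        if policy.max_age == 0:
            self.known.pop(parts.hostname, None)    # max-age=0 tells the browser to forget
        else:
            self.known[parts.hostname] = (now, policy)


def walkthrough() -> Dict[str, str]:
    """Replay the scenario from the post and return what each request becomes."""
    browser = Browser(preload_list={"preloaded.example"})
    seen = {}
    seen["first_visit"] = browser.request("http://example.com/", now=0)          # still cleartext
    browser.receive("https://example.com/", "max-age=15552000; includeSubDomains", now=0)
    seen["second_visit"] = browser.request("http://example.com/login", now=60)
    seen["subdomain"] = browser.request("http://www.example.com/", now=60)
    browser.receive("http://attacker.example/", "max-age=99999999", now=0)        # ignored: not HTTPS
    seen["http_header_ignored"] = browser.request("http://attacker.example/", now=1)
    seen["after_expiry"] = browser.request("http://example.com/", now=15552001)
    seen["preloaded_first_visit"] = browser.request("http://app.preloaded.example/", now=0)
    return seen


if __name__ == "__main__":
    for step, url in walkthrough().items():
        print(f"{step:22} -> {url}")
```

The walkthrough reproduces the post’s argument step by step: the very first request goes out in cleartext, everything after the header is rewritten locally, a subdomain is only covered because includeSubDomains was present, an attacker’s header injected into a plain HTTP response buys nothing, the protection lapses once max-age has passed, and a preloaded domain is protected from the first request onward.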

Summary

By default redirecting HTTP requests to HTTPS leaves the possibility for a MITM style attack to intercept the initial request. The HTTP Strict-Transport-Security (HSTS) header attempts to resolve this, once a supported web browser sees the HSTS header it knows that the website has been configured to use HTTPS and will send all future requests over HTTPS rather than HTTP.

This still has the small issue of not working for the first request, it will only start working once the web browser sees the HSTS header for the first time. Additionally the HSTS header is only valid for the period of time defined in the header.

This final shortcoming is resolved by adding the domain to the HSTS preload list, although it takes quite some time to implement, it ensures that supported web browsers will be aware that the website should be accessed over HTTPS, forcing the browser to direct all requests over HTTPS and never use HTTP.

Implement BitLocker Recovery Process using self-recovery and recovery password retrieval solutions
Published Tue, 01 Aug 2017 14:01:25 +0000. Original URL: http://www.rootusers.com/?p=3938

What happens if you forget your BitLocker PIN or lose the key? We can implement BitLocker recovery process using self-recovery and recovery password retrieval solutions in Windows Server 2016.

There are a few different methods of recovering BitLocker which we’ll cover here.

Gaining access to a system with BitLocker drive encryption (BDE) essentially involves having the recovery key. The recovery key is created while configuring BitLocker, and can be saved either manually or automatically into Active Directory, depending on group policy settings.



Manual BitLocker Recovery Process

The manual recovery process is most likely what you’ll be using if you’re just using BitLocker yourself or in a very small environment, as it’s easy enough to manage at a small scale. When BitLocker is setup you’ll be provided with a 48 digit recovery key. You can print, save or otherwise store this recovery key in a secure location. If you ever need to perform a BitLocker recovery, simply press ‘esc’ at the BitLocker boot screen and enter the recovery key.

Keep in mind that anyone with access to the recovery key can decrypt the disk that it was setup for, so it is very important that it’s stored securely offline. Likewise if the recovery password is lost and you don’t have any other method of decrypting the disk, the data will not be accessible.

Active Directory BitLocker Recovery Process

Rather than manually saving the BitLocker key to a secure location we can automatically have it sent to an Active Directory domain controller. This allows us to centralize the BitLocker recovery process in our domain. In order to use this method of recovery key storing, it must first be enabled through group policy prior to enabling BitLocker.

Edit your group policy object and browse to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Store BitLocker recovery information in Active Directory Domain Services. This policy should be applied to all machines that you wish to configure BitLocker on. Note that this particular setting only applies to Windows Server 2008 and Windows Vista; newer systems use the per-drive-type policies covered below.

Once enabled we have the option of ticking “Require BitLocker backup to AD DS”, which is selected by default.

Once machines on the domain have received the policy change, they will not be able to turn on BitLocker unless an active connection to an Active Directory domain controller is available so that the recovery key can be saved to the domain controller. Only after the recovery key has successfully been backed up will the configuration of BitLocker proceed.

For Windows Server 2012 and newer, we enable “Choose how BitLocker protected operating system drives can be recovered” from the Operating System Drives subfolder. There are similar options for Fixed Data Drives and Removable Data Drives as well. By default “Save BitLocker recovery information to AD DS for operating system drives” is enabled; ideally you should also enable “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives”. This ensures that BitLocker can only be turned on once we definitely have a copy of the recovery key stored in AD.

While storing recovery keys in Active Directory is convenient, the recovery keys must be retrieved manually from the domain controller by viewing the computer object’s properties and going to the BitLocker Recovery tab.

We can also search Active Directory for a BitLocker recovery password as demonstrated below by simply right clicking the domain and selecting “Find BitLocker recovery Password”.

This allows us to search for the identifier that is associated with the recovery key; this identifier was provided along with the recovery key when BitLocker was enabled.

As we can see here the recovery password is available in AD, confirming that we can centralize the BitLocker recovery process.

Backup BitLocker Password with PowerShell

There are also some useful PowerShell cmdlets and command-line tools available for storing recovery keys in Active Directory. We can run ‘manage-bde’ as shown below to display the recovery password for the drive specified. Note that to do this, the disk must be unlocked, which requires that you can first decrypt it.

From the output of this command we can take note of the ID, as we’ll use it next. If you have enabled BitLocker prior to configuring the group policy needed to ensure the recovery keys are stored in Active Directory, fear not! We can use PowerShell to store a BitLocker recovery key into Active Directory by specifying the ‘adbackup’ flag followed by the disk and ID for the password.
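The following script, added here as an example and not code from the original post, does the same job as the ‘adbackup’ step for every BitLocker volume on the machine using the BitLocker PowerShell module (Get-BitLockerVolume and Backup-BitLockerKeyProtector, available on Windows 8 / Server 2012 and newer). It assumes an elevated session on a domain-joined computer with a reachable domain controller.

```powershell
# Added example (not from the original post): back up every BitLocker
# recovery password on this machine to AD DS using the BitLocker module.
# The manage-bde equivalent for a single volume, as covered in the post, is:
#   manage-bde -protectors -get C:
#   manage-bde -protectors -adbackup C: -id "{<protector ID from -get>}"
# Run from an elevated PowerShell session on a domain-joined machine.

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only RecoveryPassword protectors (the 48-digit key) are written to
    # AD DS; TPM, PIN and other protector types are skipped.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $null; Status = 'NoRecoveryPassword' }
        continue
    }
    foreach ($p in $rp) {
        try {
            # Fails if no domain controller is reachable or the computer object
            # cannot be written, so the outcome is recorded per protector
            # rather than aborting the whole run.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'BackedUp'
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Status = $status }
    }
}

# The ProtectorId shown here is the same identifier displayed on the BitLocker
# recovery screen and searched for with "Find BitLocker recovery password"
# in Active Directory Users and Computers.
$results | Format-Table -AutoSize
```

Any volume reported as NoRecoveryPassword has nothing that can be stored in AD, so a recovery password protector would need to be added to it first.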

Automatic Self Serve Recovery

Microsoft BitLocker Administration and Monitoring (MBAM) is available to Microsoft’s customers. This is a solution that is targeted towards large organizations. It’s used to centrally manage BitLocker recovery keys and allows self-service access to them, so a user can securely retrieve their own recovery key in the event that they are not able to unlock their disk. This option is useful in reducing administrative overhead, as a user can find their own recovery key when needed. This is the best option available for implementing the BitLocker recovery process using self-recovery in Windows.

Summary

We have covered a few different methods showing you how to implement the BitLocker recovery process using self-recovery and recovery password retrieval solutions with Active Directory. Without a recovery key you may not be able to get access to your data, so when setting up BitLocker be sure that it’s recorded somewhere, whether that be manually saved somewhere securely offline or in Active Directory.


Which Version Of Linux Mint Am I Running?
Sun, 30 Jul 2017 14:01:26 +0000
This post will show you how to check which version of Linux Mint you are running. This can be done both through the graphical user interface or command line, we’ll cover both options here.

How To Check Linux Mint Version

Command Line

We’ll start by showing you how to check the Linux Mint version through command line, as this is quick and easy and can even be done remotely through SSH.

My favourite ways are to simply cat the /etc/issue, /etc/linuxmint/info, or /etc/os-release files. As shown below, we can see in multiple locations that I am running Linux Mint 18.1 Serena.

rootusers@vm ~ $ cat /etc/issue
Linux Mint 18.1 Serena \n \l

rootusers@vm ~ $ cat /etc/linuxmint/info
RELEASE=18.1
CODENAME=serena
EDITION="Cinnamon 64-bit"
DESCRIPTION="Linux Mint 18.1 Serena"
GRUB_TITLE=Linux Mint 18.1 Cinnamon 64-bit

rootusers@vm ~ $ cat /etc/os-release
NAME="Linux Mint"
VERSION="18.1 (Serena)"
ID=linuxmint
PRETTY_NAME="Linux Mint 18.1"
VERSION_ID="18.1"
VERSION_CODENAME=serena

All of these files can be read by any user on the system; root privileges are not required.

Graphical User Interface

If you instead prefer to check the version of Linux Mint in use through the graphical user interface (GUI), follow these steps.

From the Menu, select Preferences > System Info. Any user can perform this action.

This will open the System Info window, which shows that we are running Linux Mint 18.1 with Cinnamon.

With just a few clicks we’ve quickly been able to see which version of Linux Mint is installed.

Summary

We have shown you how to quickly and easily check which version of Linux Mint is in use through both the command line and graphical user interface.

Configure SMB signing via Group Policy
Thu, 27 Jul 2017 14:01:48 +0000
The Server Message Block (SMB) protocol is used to provide file and print sharing in a Microsoft based network. To help detect man in the middle (MITM) attacks that may modify SMB traffic in transit, we can configure SMB signing via group policy. By digitally signing SMB packets the client and server can confirm where they originated from as well as their authenticity.

SMB packet signing is available in all supported versions of Windows. Microsoft also note that depending on factors such as the SMB version, file sizes, and specific hardware in use, SMB packet signing can degrade the performance of SMB, which is to be expected as we’re signing every packet that goes across the network, which adds overhead.

It’s important to note that this is not encrypting the SMB traffic; we are only going to configure SMB signing so that the client and server can determine if SMB traffic has been modified. SMB encryption has been added as of SMB version 3.0 and newer.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Configure SMB Signing via Group Policy

To begin, open up Group Policy Management. This can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. At this point you can either create a new policy for SMB packet signing, or edit an existing policy.

Within the policy navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

There are 4 policy items which we will cover below. All of these policy items can either be enabled or disabled. The policies all look like this when editing through GPME, you simply tick to define the policy setting, then choose between enabled or disabled. You can also view the Explain tab to get detailed information on what each option does.

SMB Server Packet Signing

The following two policy items apply to the SMB server, that is, Windows systems that serve out files or printers over SMB to clients within the network.

Microsoft network server: Digitally sign communications (always)
This policy option controls whether the server providing SMB requires packet signing; it determines whether or not SMB packet signing must be negotiated before further communication with an SMB client is allowed.

By default this setting is enabled for domain controllers, but disabled for other member servers within the domain.

Microsoft network server: Digitally sign communications (if client agrees)
This policy option determines whether the SMB server will negotiate SMB packet signing with clients that request it. With this setting enabled, the SMB server will negotiate SMB packet signing as per the request of the client. If SMB packet signing is enabled on the client then it will be negotiated by the server. By default this policy is only enabled on domain controllers.

SMB Client Packet Signing

The following two policy items apply to SMB clients, that is, Windows systems that connect to an SMB server.

Microsoft network client: Digitally sign communications (always)
Enabling this policy ensures that the SMB client will always require SMB packet signing. If the server does not agree to support SMB packet signing with the client, the client will not communicate with the server. By default this policy is set to disabled, that is, SMB is allowed by default without requiring packet signing. It is still possible for packet signing to be negotiated; it is just not required to operate.

Microsoft network client: Digitally sign communications (if server agrees)
This policy is enabled by default, and determines whether the SMB client attempts to negotiate SMB packet signing with the server. If this is instead set to disabled, the client will not attempt to negotiate SMB packet signing at all.

Microsoft no longer recommend using the “if server agrees” or “if client agrees” options, as these options only affect SMB version 1, which you may want to disable anyway.
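To check how the four policy items above have actually landed on a machine, the following audit script, added here as an example and not code from the original post, reads the registry values the settings are applied to and compares them with the live SMB configuration. It assumes Windows 8 / Server 2012 or newer for the Get-Smb*Configuration cmdlets; the registry part works on older versions too.

```powershell
# Added example (not from the original post): audit the four SMB signing
# policy items on the local machine. The Group Policy settings write the
# RequireSecuritySignature / EnableSecuritySignature values under the
# LanmanServer (server side) and LanmanWorkstation (client side) parameters.

$map = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'EnableSecuritySignature' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'EnableSecuritySignature' }
)

$report = foreach ($m in $map) {
    # A missing value means the policy is "not defined"; Windows then falls
    # back to the defaults described in the post (required only on DCs).
    $raw = Get-ItemProperty -Path $m.Key -Name $m.Value -ErrorAction SilentlyContinue
    $state = if ($null -eq $raw) { 'Not defined' }
             elseif ($raw.($m.Value) -eq 1) { 'Enabled' }
             else { 'Disabled' }
    [pscustomobject]@{ Policy = $m.Policy; Registry = "$($m.Key)\$($m.Value)"; State = $state }
}
$report | Format-Table -AutoSize -Wrap

# Live view of what the SMB server and client are enforcing right now.
# RequireSecuritySignature is the setting that actually rejects unsigned
# sessions; EnableSecuritySignature only influences SMB1 negotiation.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

# Local hardening outside Group Policy (a GPO will override this on refresh):
#   Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
#   Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
```

If the registry shows Enabled but the live configuration still reports RequireSecuritySignature as False, the policy has not been refreshed yet, so run gpupdate and check again.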

Summary

We can configure SMB signing via group policy on both the server and client side. By default it’s primarily used on domain controllers in a domain, however by modifying the four policy items outlined above we can protect SMB traffic at the packet level.


How To Install LXDE GUI In Debian 9 Linux
Tue, 25 Jul 2017 14:01:05 +0000
By default a full installation of Debian 9 Linux will have the graphical user interface (GUI) installed and it will load up after system boot, however if we have installed Debian without the GUI we can always install it later, or otherwise change it to one that is preferred.

This quick guide will cover how to install LXDE on Debian 9 Stretch, which will provide a GUI for working with the Linux system. While I don’t suggest using a GUI on a production server, it’s a good option if you’re using Debian as a desktop.

Debian 9 Stretch – LXDE Desktop

Install LXDE GUI in Debian

While there are many different graphical user interfaces available for Linux, in this example we will be using LXDE.

We can install the LXDE packages with the command shown below.

root@debian9:~# apt-get install lxde

Note that this may take a while to complete; on my installation 107 new packages were required, taking up 136MB of space, so it was pretty quick.

After a system reboot at the login screen, select the cog icon followed by LXDE as shown below, and login.

You’ll then be presented with the LXDE Desktop.

Summary

As shown we can easily install LXDE packages in Debian 9 Stretch Linux, which will provide us with a graphical user interface that can be used for managing and interacting with the system.

How To Install XFCE GUI In Debian 9 Linux
Sun, 23 Jul 2017 14:01:04 +0000
By default a full installation of Debian 9 Linux will have the graphical user interface (GUI) installed and it will load up after system boot, however if we have installed Debian without the GUI we can always install it later, or otherwise change it to one that is preferred.

This quick guide will cover how to install the XFCE4 Desktop on Debian 9 Stretch, which will provide a GUI for working with the Linux system. While I don’t suggest using a GUI on a production server, it’s a good option if you’re using Debian as a desktop.

Debian 9 Stretch – XFCE Desktop

Install XFCE GUI in Debian

While there are many different graphical user interfaces available for Linux, in this example we will be using XFCE.

We can install the XFCE packages with the command shown below.

root@debian9:~# apt-get install xfce4

In my installation 45 new packages were required taking up 56MB of space.

If you’ve already got a display manager installed, as I do in this demonstration, you’ll be advised that only one can run at a time.

I then selected lightdm for the default display manager.

After a system reboot at the login screen, select Xfce Session as shown below, and login.

You’ll then be presented with the XFCE Desktop.

Summary

As shown we can easily install XFCE packages in Debian 9 Stretch Linux, which will provide us with a graphical user interface that can be used for managing and interacting with the system.
