Jun 21
Decrypt MEO File (Recipient)

Follow these steps to decrypt an MEO file.

  1. Save the file to your device.
    1. The encrypted file will be an executable (.exe), and its icon will display an arrow as indicated in the image below. Opening the .exe brings up a prompt for the file password.
  2. Open the file by double-clicking it, or by right-clicking it and selecting Open.
  3. When prompted, enter the password provided by the sender.
  4. A new file (see the image below), named similar to "crypted.zip", will be created in the same directory from which you opened the encrypted file.
  5. Open this file to retrieve the file contents.

 

For the IT Professional - Encrypt Files for Recipient (Lean Method)

Jun 21
Encrypt Files for Recipient (Lean Method)

Encrypting files and having a recipient open them successfully isn't always as transparent as it could be. The mention of "I am sending you an encrypted file" generally raises the eyebrows of any novice and even IT Pros! However, the following tool from NCH Software named "MEO Encryption" (http://www.nchsoftware.com/encrypt) has proven to be a real winner for ease of use. The benefit of this application is that the recipient of the file(s) does not need to install ANY software; they just need to provide the correct password, which you create and provide to them via another communication channel. The software provides Blowfish and DES encryption, which aren't the strongest algorithms today for long-term storage; however, the key is long enough to feel very secure for a file transfer. There are many worse encryption strategies; better to be somewhat secure than not at all!

Install the software and use the following methods for guidance.

  1. Select Encrypt files.
  2. Click Add File(s)…
    1. You can also add additional files or entire folders.
  3. Select Next
  4. Select from the options available.
    1. By selecting "Create Self-Decrypting file", the recipient has the ability to decrypt the file without requiring the installation of any software on their device. I find this extremely flexible and useful when sending sensitive files through e-mail when the recipient does not have a mail certificate.
  5. Provide matching passwords and select Next.
    1. The utility will also indicate the password/passphrase strength which is useful.
  6. Click OK
  7. The file you created will be located in the same directory as the original file.
  8. The encrypted file will change to an executable file (.exe) and the icon will display an arrow as indicated in the image below.
  9. Send the file to the recipient and make everyone smile.

 

For the Recipient - Decrypt MEO File

May 10
Say Goodbye to Password and Passphrases!

Microsoft on Tuesday announced the general availability of its phone sign-in for customers with Microsoft accounts -- a system that could be the beginning of the end for passwords.

 

This is a screenshot of the accounts section from within my iPhone application.


Apr 21
Disable SMB

It's been best practice to disable SMBv1-x since 2003; however, doing so will compromise your ability to use file shares, etc. The following process will disable what is commonly called SMB or NetBIOS and secure your client while still maintaining file services.

Do not use the GPO Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Global Settings and the inbound/outbound preconfigured rule "File and Print Sharing (......)". This setting will open the following ports:

  • 137 (UDP)
  • 138 (UDP)
  • 139 (TCP)
  • 445 (TCP)

Instead, create a rule for just port 445 to the file server, inbound/outbound. This limits the SMB footprint, and without the Spooler, NB-Datagram, NB-Name, NB-Session, and SMB combination, you can limit the security threat significantly. Also, unless you have a need for NetBT (like legacy clients on the domain), you might want to think about disabling NetBT:

  1. Open the Network Connections folder and view available connections.
  2. Right-click the connection that you want to configure, and then click Properties
  3. On the General tab, click Internet Protocol (TCP/IP) in the list of components, and click the Properties button.
  4. Click the Advanced button.
  5. Click the WINS tab. Click Disable NetBIOS over TCP/IP.

You can do this via GPO using a startup script approach - http://coryretherford.com/Lists/Posts/Post.aspx?ID=365

Apr 17
Windows 10 and Windows Server 2016 Policy Settings

Attached is the Group Policy Settings Reference, which lists the policy settings for computer and user configurations that are included in the Administrative template files (.admx and .adml). This spreadsheet helps identify policy settings when using the Group Policy Management Console (GPMC) to edit Group Policy Objects (GPOs).

Group Policy Settings Reference Guide​​​​​

http://coryretherford.com/_layouts/download.aspx?SourceUrl=http://coryretherford.com/Documents/Windows10andWindowsServer2016PolicySettings.xlsx

Apr 17
"Disable" Link-Local Multicast Name Resolution (LLMNR) and NetBIOS
By default, Microsoft Windows clients can use Link-Local Multicast Name Resolution (LLMNR). Windows clients typically broadcast to resources such as file servers or to SharePoint sites, as you are doing at this moment. If a client is on the same subnet as the broadcast, it will respond to the connection without using DNS. Scary, but local, right? Let's hope no client on that network is compromised; however, I would suggest that if you haven't heard of this feature, don't use it, especially in enterprise networks. There are many methods to carry out this attack and a simple Google will be enlightening.

Description of Setting​​

LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.

​If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
 
You can disable this using Group Policy or by disabling NetBIOS. Note* there is no setting to disable NetBIOS in Group Policy; you can, however, use scripts run at startup to disable it.
  1. Open gpedit.msc
  2. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client
    1. Choose Turn Off Multicast Name Resolution and set it to Enabled.

​NetBios registry syntax to use

​​Create script file and push script through logon script.

  1. The following registry location will have one or several GUIDs.
    1. HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{........}
      1. The DWORD value for NetbiosOptions should be set to 2 to disable.
    2. Use the following syntax to address the various Tcpip GUIDs.
      1. Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\tcpip* -Name NetbiosOptions -Value 2
  2. You need to restart the computer or disable and re-enable the NIC for the registry change to come into effect.
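
A startup-script version of the NetBIOS step above, combined with a read-back of the LLMNR policy and of the firewall advice from the Disable SMB post. This is an added example, not the author's script; the file server address 192.0.2.10 and the rule name are placeholders.

```powershell
# Added example, not the author's script. Run elevated (for example as a GPO startup script).
# Assumptions: 192.0.2.10 is a placeholder file server address; the rule name is made up.
$FileServer = '192.0.2.10'
$RuleName   = 'Allow SMB 445 to file server (example)'

# NetBIOS over TCP/IP: NetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled.
$nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$interfaces = Get-ChildItem -Path $nbtRoot |
    Where-Object { $_.PSChildName -like 'Tcpip_*' }
foreach ($nic in $interfaces) {
    Set-ItemProperty -Path $nic.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# One narrow rule for TCP 445 to the file server, created only if it is missing so the
# script stays idempotent across reboots. An allow rule only narrows traffic when the
# firewall profile's default action for that direction is Block.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 445 -RemoteAddress $FileServer | Out-Null
}

# Audit: read back what is actually in effect.
# "Turn off multicast name resolution" = Enabled is stored as EnableMulticast = 0.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast `
    -ErrorAction SilentlyContinue).EnableMulticast
$nbtOn = @($interfaces | Where-Object {
    (Get-ItemProperty -Path $_.PSPath).NetbiosOptions -ne 2 })
# English display group name of the predefined rules that open 137/138/139/445.
$broadRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
    -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'True' })
$narrowRule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    InterfacesWithNetBios   = $nbtOn.Count
    LlmnrOffByPolicy        = ($llmnr -eq 0)
    BroadSharingRulesActive = $broadRules.Count
    NarrowSmbRulePresent    = [bool]$narrowRule
}
```

The target state is zero for both counts and True for the other two fields; the NetBIOS change still needs the restart or NIC reset from step 2 before it takes effect.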

​Resources​

https://blogs.technet.microsoft.com/networking/2008/04/01/how-to-benefit-from-link-local-multicast-name-resolution
http://www.fixitscripts.com/problems/script-to-disable-netbios-over-tcp-ip​​ 

 
 
Apr 13
iOS Encryption (FileVault) Using Symantec Encryption (PGP)

​Installing Symantec Mobile Encryption on your device

  1. Install the iOS Symantec Mobile Encryption application from the Apple Store.
    1. Search for Symantec Mobile Encryption
    2. Select the Symantec Mobile Encrypt (FREE)
    3. Tap INSTALL APP.
  2. It's likely you will need to enter your Apple ID credentials to install.

You will have two options for setup: Automatic and Manual.

If you have been provided a Symantec Mobile Encryption configuration file, select the Automatic option. If not, proceed with the manual setup.

Resources

Symantec Mobile Encryption for iOS
Create Symantec Mobile iOS configuration file - The same configuration file created for the iOS device can be used for various Android devices and operating systems.

Apr 13
Create Deep Security Manager TLS Certificate

The following steps create a TLS authentication certificate for the Deep Security Manager web console in a Windows environment.

  1. Go to the Deep Security Manager installation directory and create a new folder called Backupkeystore.
  2. Copy .keystore and configuration.properties to the newly created folder Backupkeystore.
  3. From a command prompt
    1. Open Cmd as an admin.
      1. cd /d E:\Trend_Micro\Deep_Security_Manager\jre\bin
      2. keytool -genkey -alias tomcat -keyalg RSA -dname cn=dsm.domain
    2. Certificate Signing Request (CSR)
      1. When prompted, enter a password.
  4. A new keystore file is created under the user home directory. If you are logged in as "Administrator", you will see the .keystore file under C:\Documents and Settings\Administrator.
  5. View the newly generated certificate using the following command.
    1. E:\Trend_Micro\Deep_Security_Manager\jre\bin>keytool -list -v
  6. Run the following command to create a CSR for your CA to sign.
    1. E:\Trend_Micro\Deep_Security_Manager\jre\bin>keytool -certreq -keyalg RSA -alias tomcat -file dsm.domain.csr
  7. Send the certrequest.csr to your CA to sign. After receiving the several options, use the .cer or .crt to install the requested CA, in this case dsm_cert.crt.
  8. Copy the files to E:\Trend_Micro\Deep_Security_Manager\jre\bin\.
  9. Navigate to the E:\Trend_Micro\Deep_Security_Manager\jre\lib\security\ folder and then rename the cacerts file to _cacerts.
  10. Run the following command to import the CA cert in JAVA trusted keystore.
    1. E:\Trend_Micro\Deep_Security_Manager\jre\bin>keytool -import -alias root -trustcacerts -file dsm.domain.cer -keystore "E:\Trend_Micro\Deep_Security_Manager\jre\lib\security\cacerts"
  11. Run the following command to import the CA certificate in your keystore.
    1. keytool -import -alias root -trustcacerts -file dsm.domain.cer
      1. Select YES at the warning message.
  12. Run the following command to import the certificate reply to your keystore.
    1. keytool -import -alias tomcat -file dsm.domain.cer
  13. Run the following command to view the certificate chain in your keystore.
    1. E:\Trend_Micro\Deep_Security_Manager\jre\bin>keytool -list -v
  14. Copy the .keystore file from your user home directory C:\Documents and Settings\Administrator to E:\Trend_Micro\Deep_Security_Manager\.
  15. Open the configuration.properties file in folder E:\Trend_Micro\Deep_Security_Manager using Notepad.
  16. It will look something like.
    1. keystoreFile=C\:\\\\Program Files\\\\Trend Micro\\\\Deep Security Manager\\\\.keystore
      port=4119
      keystorePass=CHANGE THIS
      installed=true
      serviceName= Trend Micro Deep Security Manager
  17. Replace the password in the following string.
    1. keystorePass=xxxx
      where "xxxx" is the password you supplied in step five.
  18. Save and close the file.
  19. Restart the Deep Security Manager service.
  20. Connect to the Deep Security Manager with your browser and you will notice that the new SSL certificate is signed by your CA.
Apr 11
Installing Hyper-V or VMware client on Symantec Encryption Management Server

Running the following installation requires command-line access to the Symantec Encryption Management Server (SEMS) using its user interface or via SSH - www.symantec.com/docs/TECH171773

Installing Hyper-V or VMware Native Tools

  1. Mount the .iso from within the VMware vSphere or Hyper-V client user interface which will make the VMware or Linux Integration Services for Hyper-V tools available to the virtual machine as a CD-ROM that contains the necessary installation files.
  2. At the moment (4/21/2017) the Hyper-V client is not supported - https://support.symantec.com/en_US/article.TECH175006.html. When it does become available the following steps should be followed.

Connect to SEMS via SSH or from the Linux interface

Power on the server and press Page Up or Page Down immediately to force the Linux boot menu options.

Note* For non-Linux users: Linux is case sensitive, so make sure to maintain the upper/lower case. You will get an error if you miss the case sensitivity.

  1. Boot the server; as it boots, press the Page Up or Page Down key.
  2. On the Red Hat Linux page, type e.
  3. Select Kernel.
  4. Type e again.
  5. Press the Space bar and type 1.
  6. Hit Enter.
    1. Type b for Boot.
  7. It will now boot into the single user mode.
  8. At the [root@servername /]# prompt type the following (you will be running as root).
    1. ​screen
      • Note* If the SSH session terminates, reopen the SSH session and type # screen -r; this will allow you to reconnect to the same session and continue the installation process.
    2. Create a folder to mount the CD-ROM contents.
      • mkdir /mnt/cdrom
    3. Mount the CD-ROM to the new directory you created /mnt/cdrom.
      • mount /dev/cdrom /mnt/cdrom
        • It will respond with mount: block device /dev/sr0 is write-protected, mounting read-only
    4. List or display the contents of the Virtual CD-ROM (ISO).
      • ls /mnt/cdrom
        • For this example you will see VMwareTools-versionxxxxx.tar.gz or, for Hyper-V, install.sh among the various flavors of Linux displayed.
    5. Create a directory to hold the contents of the VMware tools (not needed for Hyper-V).
      • mkdir /temp-vmware-tools
    6. Navigate to the new directory (skip to step #9 for Hyper-V).
      • cd /temp-vmware-tools or cd /temp-hyperv-tools
        • Extract the contents of the Virtual CD-ROM.
          • tar zxpf /mnt/cdrom/VMwareTools-*.tar.gz
            • This will extract all the contents of the CD-ROM needed to install VMware or Hyper-V tools into a directory named vmware-tools-distrib.
    7. Navigate to this new directory and run the script.
      • cd /temp-vmware-tools/vmware-tools-distrib
    8. List or display the contents of the folder and find the installer script.
      • ls -al
    9. Run the installer script, which is a file called vmware-install.pl, and accept all the default answers to prompts.
      • ./vmware-install.pl -d
    10. Once the installation is complete reboot the server.
      • pgpsysconf --reboot
    11. Confirm that the VMware Tools daemon (vmtoolsd) is running by running the following command.
      • ps aux | grep vm
        • This should display the running process for VMware Tools vmtoolsd.
        • Check that tools is running and set to load at boot.
          • status vmware-tools
            • This should return vmware-tools start/running
    12. Remove the installation files.
      • rm -fr /temp-vmware-tools
  9. Navigate to the .iso for the Hyper-V installation.
    • cd /mnt/cdrom
      • Verify the correct directory and contents of the .iso by running the following.
        • ls
    • Run the installation using the following.
      • ./install.sh
  10. Reboot the server.
Apr 10
Modify Symantec Encryption Server Network Settings from Linux Console
The scenario is that your organization's Symantec Encryption Server is moving to another data center, which will be in a different VLAN and zone. Changing the network settings in the https://Console:9000 interface is not possible because after doing so the server will reset and the Console interface will become inaccessible, and verification of the change once moved to the appropriate VLAN may not be possible. In this scenario, once moved, the Console was not accessible.
 
I suggest taking a snapshot of the server image if possible, backing up the organization key and others of importance, and performing a backup prior to making the following network preference changes.
  1. Boot the server; as it boots, press the Page Up or Page Down key.
  2. On the Red Hat Linux page, type e.
  3. Select Kernel.
  4. Type e again.
  5. Press the Space bar and type 1.
  6. Hit Enter.
  7. Type b for Boot.
    1. It will now boot into the single user mode.
  8. Type vi /etc/ovid/prefs.xml.
  9. Make changes to the network area of the prefs.xml file
    1. For example, I changed the values for the IPs, Gateway, and Netmask to match my new IP space VLAN settings.
  10. Page Down all the way to the </ovidprefs>.
  11. Hit the Esc key.
  12. Hold the Shift key and type zz (ZZ saves the file and exits vi).
  13. At the root@machinename prompt, type the following:
    1. pgpsysconf --network
    2. Hit Enter (this commits the network changes).
  14. Reboot the server
  15. The Symantec Encryption Server Administration page should now display the new web interface(s) console IP(s).

 

Here are some useful commands - https://support.symantec.com/en_US/article.TECH149336.html

Copyright © | CoryRetherford, LLC | Contact MeNetwork Storage and Security Solutions, LLC, Rights Reserved.®
