Archive for 2010

Cyber-Ark Enterprise Vault – Password management


I’ve spent some time in the last weeks testing Cyber-Ark’s Enterprise Password Vault. First of all, let me say that I am in no way associated with them, and that this post reflects only my opinion of the software, and not that of any of my clients. This is not a review of the tool, but a bit of information on it and on why everyone should think about using such a solution to secure credentials and become compliant with various laws, guidelines, best practices and policies.

What’s Cyber-Ark Enterprise Password Vault?

Cyber-Ark’s password management environment is made up of multiple separate, secured components. At the core of the solution is the Cyber-Ark Vault itself. This server runs on a hardened Windows server OS, with no standard services running and with multiple security layers added. The machine can be considered an “appliance”, as it is very different from a stock Windows environment. This is what stores files, which in the case of the Enterprise Password Vault represent passwords. The vault can be made highly available, in a cluster, and replicated as well.

In order to use those files, an interface is needed. The best way to do this is using the Password Vault Web Access, which resides on a web server and communicates with the Vault using proprietary protocols. This allows all systems administrators, operators, developers, etc, to access the vault without needing particular client software.

The third important block is the CPM (Central Password Manager), which will act as the enforcer of policies and as a bridge between the vault containing the accounts and the machines where they are used, when necessary.

Why should it be used?

A solution such as this one should be used at least to store “generic” accounts, while providing separation of duty, auditing, and ease of management. A good example would be the built-in Administrator account of an Active Directory domain. In many cases, the enterprise will want to keep this password somewhere, in case it is ever needed. However, if anyone knows it, there can be no traceability proof if something is done using it.

Companies often design complex pen and paper based systems to store these accounts, often in separate parts, in different safes, in different locations. This is all well until there are just too many generic accounts to keep track of. By using a good password vault product, you should be able to separate duties between password owners and users. Allow management to approve requests for viewing the passwords, allow sysadmins to reset some passwords but not others, and most importantly, log every access to those passwords.

Once someone has seen the password, it is important that it be changed. This is where the CPM comes in handy. It is able to change passwords for multiple platforms. Coupled with the ability to delegate only “connect” access (basically, establishing a direct RDP or SSH session with the credentials without showing the password), it can be used to manage a list of passwords that should never be known by anyone until they need to be used. This can also be used to share accounts on systems that do not support multiple users. By changing the password every time it is used, and logging everything, even an appliance that only has a “root” user now has some traceability.

Another great improvement to security that can be made is proper management of service accounts. Many service accounts in environments are set to never expire, as they are meant to be managed manually. This means that a lot of manual labor will go into managing them, or in many cases, that they will simply not be managed at all. With a product such as this one, you can discover which service accounts are used for which service on which server, and enable central management of them. Yes, this means that it can connect back to Windows servers (among others) and change the passwords used to start up services so that they match. This effectively means that service accounts could be set up with a temporary password during installation and, once managed by the tool, never be seen or known again.

Do yourself a favor, and start studying those solutions. Start by storing “generic” and built-in administrative credentials, and work your way up to shared accounts and service accounts. Once they are all in the vault, you can start experimenting with automated management features. It is better to start now and have something ready to use than to wait until something bad happens and then do it in a hurry.


QoS For Facetime (And Firewall config)


To get FaceTime working through your firewall you need to be sure some ports can be used. For most home users this won’t be a problem, but it may be different at work. Here is the Apple KB article on it:

http://support.apple.com/kb/HT4245

If the Wi-Fi network router that you are connected to uses a firewall or security software to restrict Internet access, contact the network administrator and reference this technical article. To use FaceTime on a restricted Wi-Fi network, port forwarding must be enabled for ports 443 (TCP), 3478–3497 (UDP), 16384–16386 (UDP), and 16393–16402 (UDP).

Make sure those UDP port ranges have a good priority in your QoS configuration and you should be good to go. It is worth noting that DNS and HTTP must be open to the outside as well, but they are probably used only to establish the call (same for HTTPS/443), so the QoS configuration should not matter for them.


iPhone 4 – Impressions / Mini review


Hi everyone,

I know there are 2 billion iPhone 4 reviews out there already, but I know some of my friends want to know what my take on it is. I’ve had my 32GB iPhone 4 on Fido for a few days now.

Build Quality

It feels solid in your hands, and feels quite dense. As it is thinner and slimmer than the 3G(S), it really does feel heavier even though it is by only 2 grams. It doesn’t twist, and looks great. The Micro SIM card is probably the most impressive thing about it. As you eject it, and see the precision work that went into it, you instantly realize that the iPhone has industrial design that is far better than most consumer electronics. However, the ergonomics are not so good. First of all, when it is in your pocket, you have to touch either the volume buttons or the home button in order to know which side is where. It also gets rather slippery if it’s hot and you have moist hands, and considering it won’t survive a drop on concrete, I’m going to watch out.

The buttons also feel pretty good. The home button clicks well, which is a nice change from my old 3G, but I don’t know how it compares to how the 3G was when it was brand new.

Screen

Impressive is the only word to describe it. I read a PDF of normal text on an 8.5×11 sheet without zooming in. You’ll need to be wearing your glasses because the text can get so small, but it is incredibly clear and easy to read. The pixels are closer to the surface, so it looks like you’re reading on the glass and not through it. It is so good that I now find my laptop screen completely ridiculous.

Cameras

The main camera is a lot better than the camera in the 3G, that is for sure. Back then, we didn’t even have tap to focus. The video filming is very smooth. It is a bit hard not to shake while holding it though, so maybe some videos will need to be stabilized after the fact. Pictures look OK, but don’t expect it to outclass a good point and shoot. The flash is lame, but is better than no flash. For me, it is good enough, which means I can ditch the point and shoot for most occasions, and when I need to take real pictures, I can bring the DSLR.

The main camera seems to be pretty good for its main purpose, which is FaceTime. Framerate looks smooth, and resolution is good enough for a face!

Reception

Reception is hard to judge for now. I was running 4.0 on my 3G and I have 4.0.1 on the new one, which means bar levels are considerably lower on the new phone. I got a call in an area where I’ve always had major issues speaking on the phone, and the call was clear even though I only had 1 bar. Death gripping it resulted in “skipping”. 3G download speeds also seem impressive, though lately Rogers/Fido has been slower than ever, so I don’t have any numbers to back that up. But I did download some stuff on MxTube once at a very great speed (close to 5mbps), which is something I hadn’t seen on the iPhone 3G before.

OS/Experience

The OS is exactly the same as what I had on my 3G, so no big surprises there. I had enabled multitasking on my old one, and I can say that on the iPhone 4 with 512 megs of RAM, application switching is absolutely great. SBSettings pops up so fast now, and Cydia is actually usable! Running Trapster in the background also seems to work nicely. Browsing sites with Safari is a charm with the great resolution and faster CPU. Make sure you keep it on 4.0.1 so you can jailbreak it!

Battery life

I managed a bit over 4 hours of usage (reading in Safari, playing Galcon Labs, watching a few videos in MxTube, shooting a few test videos) and a day and a half of standby on my first full charge. The battery should be good enough to avoid having to recharge during the day even if you use it quite a bit.

Facetime

Are you kidding? With the current shortage, I’ve heard that there isn’t a single person in this city who owns an iPhone 4 and knows someone else who does! Short of giving out my number in a forum, there’s no way I’ll get to try FaceTime soon. Anyway, I don’t really care. Why can’t we initiate calls on FaceTime? I’d like to be able to call people in Europe over FaceTime, but I don’t want to pay long distance for the first minute or so.

Bottom line

Buy it, unless you hate really high pixel density screens and a fast phone that responds in a very snappy manner. Then, jailbreak it and install SBSettings, 3G Unrestrictor, LockInfo, etc.


vCenter Update Manager SSL error


When installing vCenter Update Manager in a lab, I got this:

“Error 25005.Setup failed to generate the SSL keys”

It appears that since I had installed vCenter Server and the vSphere client and then tried to install Update Manager all in one sitting without rebooting, there was some path confusion and the installer could not find openssl.exe (or the right version of it). Allowing it to roll back, rebooting, and trying again fixed the issue for me.


Creating a KMS Appliance with Server Core


As many companies have skipped Vista and may be starting to migrate to Windows 7, the need for servers running KMS (Key Management Service) is going to be felt by many of them.

KMS allows you to do the authorization/activation of Windows in-house, and lets you get statistics about what is going on. However, running this on a full-blown Windows installation could be too expensive and overkill.

This article explains the steps to get KMS working in your domain, using a virtualized Windows 2008 R2 server in Server Core mode. Yes, it is possible to run a KMS in a VM, unlike a few years ago when the EULA explicitly stated you were not allowed to.

Another good reason to go with Windows 2008 R2 is that it can act as a KMS for Windows 7 as well as for 2008 servers. If you had a Windows 7 KMS, not only could you not run it in Core mode, but it would only be able to activate workstations. And the first release of Windows 2008 is simply not supported.

Create a Virtual Machine

This VM can be in a Hyper-V environment or a VMware environment.

As we will be running Core, the requirements are lower. I suggest starting with:

  • 1 vCPU
  • 512MB of RAM
  • 10GB of hard drive (single drive)
  • Low resource shares relative to your other VMs

Install Windows Server

Select your Windows 2008 R2 ISO from your data stores. Obviously, this article is not about that; I assume people interested in KMS know how to install Windows.

Select the Core mode.

Windows is up – now what?

Log into the server’s console through VMware or Hyper-V (this guide mostly works for physical servers too – I just find it’s a waste of metal!). You will be greeted by the minimal UI of Core.

Configure the networking

Run the sconfig command. Choose option 8.

Select your NIC (normally number 0 if you only have one).

Configure it with a static IP, and make sure you configure the DNS settings properly for your domain.

KMS relies on DNS a lot, so having a static IP will save you trouble in the future. Alternatively, depending on your setup and how you manage VLANs and IPs, create a DHCP reservation for it. ipconfig /all will show you the MAC address of the card, as on a standard Windows install.

Once you’re done configuring the network, go back to the main menu of sconfig.

Configure your Windows Update Settings

Set it to obtain updates from Microsoft for now. Later on you will surely manage this by GPO, so it does not really matter. Back at the main menu, choose option 6 to download the updates that are required right now. (As Core has no Internet Explorer or Windows Update UI, that is the way to get them manually.)

Configure date and time (option 9)
Configure the hostname (option 2)

I recommend rebooting after you change it and before you join the domain – if the computer account is pre-staged in AD, the join will use the old name instead of the pre-staged one if you don’t.

Join the domain (option 1)

You can also use the typical netdom commands if you want to join it and force a specific OU.

Reboot

Add a local administrator

Once the server reboots, on the domain, log in with your local admin account. Run sconfig and use option 3 (or use net localgroup – faster!) to add a domain account to your local administrators, so you can log in with an AD account and manage the server. While you are there, you may want to change the local admin password (the Ctrl-Alt-Del screen does have that option).

Remote management

Once the server is fully patched, your local admin account is secured and you can log in using a domain account, consider enabling remote management. Option 4 in sconfig allows you to enable remote PowerShell, remote MMC, WinRM, etc. Once this is enabled, you can easily open the event log remotely, which may be useful. Be aware that KMS is very low maintenance and that keeping everything locked down may prove more secure, but be sure your operational teams will have a way to get into the server, either through the virtualized console, PowerShell, or RDP (enabled in the sconfig main menu, with two options: one to allow only secure RDP clients like Vista and Windows 7, and one to allow any client, useful if you still use XP workstations).

Enable KMS

Enabling KMS is very simple. The only thing you will need is your “KMS Key”, which can be found on the Microsoft licensing website.

Run this command:

slmgr.vbs /ipk KmsKey

You should then see a small window pop up and confirm the product has been activated.

Now, we should activate our server, while we’re at it.

slmgr.vbs /ato

There we go. KMS is enabled and the server is activated. What else needs to be done?

Well, first of all, clients rely on DNS to locate the KMS. So if you do not have dynamic DNS updates enabled, start by disabling the automated SRV registration by running:

slmgr.vbs /cdns

The command to enable automatic registration (the default, but try it if you run into issues or change your mind) is:

slmgr.vbs /sdns

After running either of these, make sure to restart sppsvc (the Software Protection service) by using net stop and net start, or by using the Services MMC if you enabled remote MMC.

If using manual DNS, create an SRV record with the following settings:

  Service:                    _VLMCS
  Protocol:                   _TCP
  Port number:                1688
  Host offering the service:  Fully qualified domain name (FQDN) of the KMS host

Verify the DNS entry

Manual or automated, let’s check if it worked.

nslookup -type=srv _vlmcs._tcp.<your DNS domain>

If this command returns the SRV record pointing to your KMS server on port 1688, it means clients will now find the KMS.

Open the firewall

As you noticed while creating or verifying the SRV record, the KMS listens on port 1688 by default. This can be changed with the slmgr.vbs command. However, no matter which port you use, you will need to open it in the firewall. You can use netsh:

netsh firewall set portopening tcp 1688 KMS enable

However, the beauty of Server Core is that you should never have to connect to it. For this, I highly recommend that you apply your standard Windows 2008 security baseline GPOs, and create a KMS-specific one. In this GPO, you should ensure that the KMS service is set to start automatically, and that this TCP port is opened.

You can then apply further hardening to the machine, and configure Windows Update by GPO as well. As KMS is not a service that is very visible to users, this server could easily be patched and rebooted at almost any time, but you can patch it like any other server. Fewer patches will be required, as Server Core does not include a lot of the software that comes with the full install.

Troubleshooting

Read the slmgr.vbs documentation for more information. slmgr.vbs /dli will show you some information, and there will be an Event Log created just for KMS where you can get useful information about activations. If you have any issues, remember to check the DNS record from the workstation you’re trying to activate, as well as test connectivity to port 1688.

The error you receive on a workstation may seem cryptic, but most of them have a good explanation, so Google them! Remember you need at least 25 workstation licenses or 5 server licenses to use KMS, and have fun!
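The two troubleshooting checks above (the SRV record and TCP 1688) can be scripted from a workstation. This is an added example, not part of the original article: it assumes PowerShell 3 or later with Resolve-DnsName and Test-NetConnection available (Windows 8 / Server 2012 or newer), and $Domain is a placeholder for your AD DNS domain.

```powershell
# Added example (not from the original post): verify that clients can find
# and reach the KMS host. Assumes Resolve-DnsName / Test-NetConnection exist.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # placeholder: your AD DNS domain
    [int]$ExpectedPort = 1688               # default KMS port from the post
)

$srvName = "_vlmcs._tcp.$Domain"
Write-Host "Querying SRV record $srvName ..."

# Same lookup as 'nslookup -type=srv _vlmcs._tcp.<domain>' in the post.
try {
    $records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "No SRV record for $srvName. Check slmgr.vbs /sdns or the manual _VLMCS entry."
    exit 1
}

foreach ($r in $records) {
    Write-Host ("KMS host {0}, port {1} (priority {2}, weight {3})" -f
        $r.NameTarget, $r.Port, $r.Priority, $r.Weight)

    # A port mismatch means the firewall rule/GPO opens the wrong port.
    if ($r.Port -ne $ExpectedPort) {
        Write-Warning "SRV advertises port $($r.Port) but the firewall rule opens $ExpectedPort."
    }

    # Plain TCP connect test to the advertised host/port.
    $tcp = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
        -WarningAction SilentlyContinue
    if ($tcp.TcpTestSucceeded) {
        Write-Host "TCP connect to $($r.NameTarget):$($r.Port) succeeded."
    } else {
        Write-Warning "Cannot reach $($r.NameTarget):$($r.Port). Check the netsh/GPO rule and that sppsvc is running."
    }
}

# On the KMS host itself, the licensing service reports the same details:
#   cscript //nologo C:\Windows\System32\slmgr.vbs /dli
```

Run it as a normal user on the workstation that fails to activate; a successful SRV lookup with a failed TCP test points at the firewall or sppsvc rather than DNS.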