Thursday 19 December 2013

It's been a while... [CISSP]

It's been a while since I've blogged, and for that I'm sorry.  The other thing I haven't done in a while is take an exam, so what better way to get my blog kick started again, but talk about the exam I've recently taken!

I've been working at e92plus for a while and have meant to take my CISSP (Certified Information Systems Security Professional) exam, but was put off by my peers with the old adage that "it's a mile wide and an inch deep" or putting other things first, like my family.

I did mean to take the exam this summer, but other commitments meant I rescheduled it to the end of this year.  September this year was my 7 year anniversary at work, so I decided to go for it, rather than reschedule it to next year.

I did my research and I bought a few books.  I had the following books:

  • The Official (ISC)2 Guide to the CISSP CBK (3rd Edition)
  • All in One CISSP Exam Guide by Shon Harris (6th Edition)
  • CISSP Study Guide by Eric Conrad, Seth Misenar & Joshua Feldman (2nd Edition)
  • CISSP 11th Hour Study Guide by Eric Conrad
  • Exam Cram CISSP Practice Questions by Michael Gregg (3rd Edition)

Before I tell you how I found these books, I have to give some of my background. I've worked in IT for 19 years, starting from a more generalist IT support role, to a more focused security role.  I have been an MCP since 1998, as well as hold an MCSE for NT4 and Windows 2003.  I have had roles where I was part of the DR/BCP planning team as well.  I carry out presales consultancy, installations, some support and training in a number of solutions, but seem to focus on two factor authentication and SSL-VPNs.

With that in mind, I'll let you know what I think of the books!

The Official (ISC)2 Guide was a little dry for me, but was starting at too basic a level for me.  I would expect my less experienced engineers to be able to read and understand the topic from this book, but it's a thick book!

The Shon Harris book is recommended by a lot of people, but I found the book too chatty for me.  I wanted my facts and less fluff.

The Eric Conrad books helped me pass my exam!  It was written at the right level for me, and there was a lot less "chat" with these books.  The study guide is around 500 pages, but the 11th Hour book which I read on the train into London is less than 200 pages summarising what I consider the essentials.

The Exam Cram was good for the software to let me test my knowledge after reading the Conrad book.

My experiences may not work for you, but I was using the books above, the supporting Conrad website for podcasts and tests, as well as the TechTarget website.

There is no score, but I was thankful I passed the exam today!

I have been unsociable (more so than normal) for the last month or so, and my Freeview (PVR) box is overfilling with programmes I haven't watched.  My children will see me again, just in time for Christmas!

So Merry Christmas to you all and if you decide to do you CISSP, let me know how you get on.

Wednesday 11 September 2013

Creating a SSTP split tunnel in UAG

I like to provide remote access by publishing applications on UAG, but there are times when a full VPN tunnel gets around a number of issues, but may reduce your security posture.  I don't like to make changes to the security unless they are respected or being used by responsible people.  For most people using the SSTP VPN tunnel feature in UAG would be adequate, but there are times when a user needs a split tunnel.

I was told that SSTP in UAG did not support split tunnels, but there seems to be a workaround with this blog post:

In trying this myself, I did the following:

I went to the following location: C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0 (The location of your files may be different depending to what service pack level you are at with UAG). 

Copy the 'sstp.pbk' file to the desktop, and rename the original file in the original location (I chose 'sstp.pbk_old').  Go back to the desktop and double click on the 'sstp.pbk' file you just copied.

You will be presented with the following box, where you need to select 'Properties':

Highlight 'Internet Protocol Version 4 (TCP/IPv4)', and then click on the 'Properties' button:

From this screen, you will need to selected the 'Advanced' button:

From this box, uncheck the 'Use default gateway on remote network' option, and close all the boxes.

Take the modified 'sstp.pbk' file and copy it back to the original location.

To prove the difference it makes, I took a 'route print' using the original 'sstp.pbk' file, and a 'route print' of the modified 'sstp.pbk' file.

I haven't tested this in anger, but looks like it will solve the issue we currently encountering.

Tuesday 10 September 2013

UAG ActiveX issues on IE10

I saw something today that I had not encountered before.  I had a user connecting to my UAG setup, but it seemed like the UAG client would install when running as administrator, but would not run.

After running a remote session, I spotted that there was an extra icon that I had not seen before on the IE10 address bar:

It turns out this is an ActiveX filter built into Internet Explorer.  Although with it running, the UAG components can not execute, meaning only web applications will run.

This feature can be disable by going to the cog icon, clicking on "Safety" and then unchecking "ActiveX Filtering"

Wednesday 21 August 2013

Importing UAG applications to another server

Today, I had to build two additional UAG servers with the same applications as the original one I deployed.  I used the following procedure to achieve this:
  1. On the original UAG server, export the configuration and give it a password.
  2. Configure the new UAG server with the appropriate networking information, including LAN and WAN IP details, static routes on the server, ensure the networking is reflected in TMG.
  3. Patched up the new UAG server to the same level as the original server.
  4. Import the configuration to the new UAG server.
  5. Activate the configuration.
  6. Change the hostname on the truck (and remember to change the hostname on OWA, if you are using this feature)
  7. Ensure the right certificate is in the certificate store and associated with the trunk.
  8. SSL Network Tunnelling IP addresses will need to be added, if you are using this feature.
  9. Check the AD authentication service account password (and secret keys for RADIUS authentications, if being used) as these were removed from one restore, but not the other!
Hope that helps, if you have to do the same.

Wednesday 14 August 2013

UAG File Access Script Errors Post SP3...

Today, I was looking at UAG SP3 installation, where we were configuring OWA, CRM and SharePoint.

We encountered an issue with File Access, it was working prior to SP3, but since SP3, when you try to access the console, we were getting the following script error:

A bit of Googling, brought up this blog article that I know solved the issue with other UAG users: but it didn't resolve my issue.

I ended up doing the following to get it to work:
  • In the UAG Management Console, remove File Access from the UAG application list
  • Activated the UAG configuration without File Access
  • Rebooted the server
  • Installed UAG SP3 Rollup 1 (following this previous blog article:
  • Activate the UAG configuration
  • Reboot the server
  • In the UAG Management Console, on the toolbar click on "Admin", then "File Access..."
  • When prompted if you want to enable NETBIOS, agree to this
  • Log into the File Access console using your NETBIOS domain administrator credentials
  • I can now browse the File Access structure without the script error

Friday 26 July 2013

UAG SP3 install fails and rollsback...

On site again this week, with another UAG installation, but this one offered something different as we were creating a gateway for mobile devices.

We encountered some issues installing service packs on the Celestix WSA UAG appliance.

As my previous post shows how to install SP2 and SP3, I had a failed install of SP2 this week.  The issue was not permissions, but failed after 10 minutes, after which the service pack would roll back.  A bit of a search brought up this Microsoft article:

I followed Method 1, which meant opening Notepad as an Administrator, then editing the following file:

I added the following text, just before the </configuration> tag near the end of the file:
<machineSettings maxTimeout="01:00:00" />
This effectively increases the timeout from 10 minutes to 1 hour, which resolved the issue for us.

Thursday 4 July 2013

Service Packs on UAG...

In the past I've never encountered issues service packing the UAG software running on Celestix WSA appliances.  Recently I had a situation on site where the service packs would not apply by simply double clicking them, and after a bit of trial and error found the optimum way to get these installed.

I was using a Celestix WSA appliance, with build, which runs UAG 2010 SP1 Update 1.

I downloaded all the Windows and Celestix updates for the appliance, as well as TMG SP2, UAG SP2 and UAG SP3.

I found the best way to install the updates were as follows:
  • Run through the UAG quick start to get UAG online, but there is no need to create a portal (assuming this is a new install)
  • Apply the Windows updates and Celestix updates, then reboot
  • Apply TMG SP2, then reboot
  • Double clicking on UAG SP2 or SP3 will not install correctly, so follow the procedure in the point below.
  • Open up the Command Prompt as Administrator, then while holding down the shift key, right click on the UAG SP2 file, and select "Copy as path".  Right click on the command screen and paste this link in, then run it.  Follow the instructions to install UAG SP2 and reboot.
  • Open up UAG and check that the version number has changed from 4.0.1xxx.xxxxx to 4.0.2095.10000, then activate the UAG configuration.
  • Open up the Command Prompt as Administrator, then while holding down the shift key, right click on the UAG SP3 file, and select "Copy as path".  Right click on the command screen and paste this link in, then run it.  Follow the instructions to install UAG SP3 and reboot.
  • Open up UAG and check that the version number has changed from 4.0.2095.10000 to 4.0.3123.10000, then activate the UAG configuration.
You now have a UAG appliance up to service pack 3 ready for your portal.

Thursday 30 May 2013

Planning a wireless network?

Having worked in IT for a number of years, I remember planning wired networks, where we could work out easily how many points were needed for a network.  It was two network points per desk for the computer and telephone, and the odd point for printers and fax machines around the office.

Fast forward to the current day, and as well as the wired network, we have to consider what the wireless requirement is.  We are all aware of bad wireless deployments, where laptops revert to using a cable.  Some of the challenges were discussed in a previous blog post, "They even have wireless internet now!"

There are a number of considerations, challenges and questions that need to be addressed prior to tackling a wireless network project.

There is a need to understand what sort of access is required, and how you determine your policy and strategy can begin with the following questions:
  • What devices are you allowing to access the wireless network?
  • Will these devices be part of a BYOD (Bring Your Own Device) initiative, corporate devices supplied by the organisation or a mixture of the two?
  • Which parts of the network will these devices access, the corporate network or a guest network?
  • Will the devices be segmented by whether they fulfil a policy criteria, such as OS, AV, etc, using a NAC (Network Access Control) solution?
Understand the devices that will be access your network and determinerning whether these devices have a 5.0GHz AN wireless card, or a 2.4GHz BGN wireless card. Understand how many devices will be used, as some people carry three or four wireless enabled devices!

Understanding the number of devices and which frequency they can work in, means that channel conflicts can be dealt with at the planning stage, rather than trying to fix it post installation.

Sounds straight forward, but you'll need to know which areas will require wireless coverage.

Will your users need to roam with their devices?  Some wireless solutions deal better with roaming than others, so should a be a consideration when looking at the different vendor offerings.

Wireless networks can go beyond the confines of your building or coverage area.  With correct access point placement or signal manipulation, the wireless footprint can be made to fit the building, reducing the likelihood of access from outside the area of coverage.

Once you know which areas need wireless coverage, you'll need to understand the density requirements.  For example, a lecture theatre may have a requirement for up to 500 wireless devices connected at once, while the office down the hallway may have a requirement for one wireless device.  By understanding density, we can tackle how many radios are required in each area.

Another consideration is bandwidth, what do these devices need to do once they have access to the wireless network.  Do they need basic web access, streaming video, video conferencing or voice over wifi?  These all have differing demands on bandwidth, so it is essential the bandwidth requirements are met to give a good user experience.

It is shocking to see there are still a large number of unencrypted or open wireless networks out there.  We all know we should encrypted our networks, but depending on the solution this can cause large overheads on the network, especially with the traditional controller with controller-less access points, where the packets have to be sent back to the controller for decryption.  Open networks run quicker, but that doesn't mean we should configure them like that!  Protect that network, especially if it's offering corporate network access, and your footprint exceeds the building.

Is there a provision to the deal with the threat of rouge access points, which effectively extend your wired network via a wireless access point you are not aware of?  There are normally provisions for web filtering within an organisation, but what's to stop your corporate devices joining a neighbouring wireless network and getting unfiltered access (and the associated threats and malware) from the internet onto devices on your network?  How do you stop a device from becoming a wireless hotspot, even after they fulfil the policy laid down by your NAC solution?

The consideration with wireless is about access, but security comes a poor second when planning the network.  Ensure that there is a level of intrusion prevention on your wireless network, if you want to properly secure it.

(Can you spot the rogue access point here?)

To what end?
With a greater understanding of the various areas touched upon above, you can ensure you have a successful wireless deployment, that is secure, requiring little administration and exceeds the expectation of the user.

Thursday 23 May 2013

"They even have wireless internet now!"

The title is something a friend told me, about five years ago.  I tried to explain I'd had it for the previous three years, but it was lost on my non-technical friend!

Working in IT, I'm often asked if I can help with computer issues and more recently issues with wireless.  Fortunately wireless is something I have some understanding of, and have used it in a domestic environment for over eight years.

Without getting into too much detail, there are two frequencies that wireless devices will run on the very common 2.4GHz or the less common 5GHz.

Congested airwaves?

2.4GHz is commonly used within the domestic environment, so not only does wireless use this frequency, you also have the DECT telephones, wireless video senders, alarm system PIR sensors, wireless mice/keyboards, baby monitors, etc.  As you would expect, this can cause conflict and make your wireless network run slowly. 

How many times have you struggled with a poor wireless connection, but when you connect to the wired network it's fast?  You may have tried looking on your wireless router and see that there are channels 1 to 11 or 1 to 13, but changing them may make little difference.

Here is a diagram, I've borrowed from Xirrus:

As this diagram explains, there are three non-conflicting channels on the 2.4GHz frequency.  These are channels 1, 6 and 11.  As you can see, if you use channel 2, it will overlap with channel 1 and channel 6, causing issues for all.  Imagine a number of radio stations broadcasting on similar or close by frequencies, and the interference that this would cause.

As you can see from the diagram, you'd just use the 5GHz channel which will has 24 non-overlapping channels, rather than 2.4GHz with 3 non-overlapping channels.

So 5GHz is the answer?

This brings other challenges, not all hardware supports 5GHz, so if you have an iPad 2 or newer, an iPhone 4S or newer, many of the newer Android phones, some new laptops, or a MacBook, you probably don't have a client device which will support it.  That said, you wireless access point or wireless router will also need a 5GHz radio (which seems to be either rarer) and these are normally a premium over the 2.4GHz equivalent.

What frequency do your client devices support?

If like me you have a number of legacy devices, such as a Nintendo Wii, a PS3 or an older laptop/tablet/phone, then you will have 2.4GHz client devices on your network.  You probably also only have a 2.4GHz access point/wireless router, so unless you are investing a new hardware you need to optimise what you have.

I know my channel, what about my neighbours?

One of the biggest issues is knowing what wireless channel your neighbours are running.  There are a number of tools available and one of the best free ones I've seen is insider, and you can download the computer software here or download the app for your Android phone from Google Play.

Here is a capture I got when I was on a train to York from my Nexus 4:


You can see a majority of the networks are on channels 1, 6 and 11, but there are also a couple that span and will cause conflict.
Which channel to choose?
I would normally pick one that has the weakest signals on it, but also balance the number of the networks on that channel as well.  Remember to walk around your environment to check the signal strength in all the locations you would normally use the wireless network.
What about the other devices that can cause congestion?
I always use baby monitors as the example as when my daughter was born, she or rather her baby monitor broke my wireless network.
I bought a Wi-Spy to see what was going on in the air, so unlike the software above, which only shows wireless networks, the Wi-Spy shows the interference in the air from other devices running on the 2.4GHz frequency.
What else?
Test it to make sure it works, but more importantly secure your wireless network... but we'll discuss that another time!

Saturday 18 May 2013

Publishing Citrix XenApp 6.5 on UAG 2010

I'm not a fan of publishing XenApp on UAG.  Much as there is a wizard, it only works with older versions of XenApp, so you end up having to make a number of modifications to UAG whether it be coding or registry changes, which may end up breaking when you update to a new version of XenApp or apply UAG service packs.

Last week I had to publish Citrix XenApp 6.5, but on testing the main screen just loops.  So fortunately, Ben Ari came to my rescue via this blog post:

Another issue that pops-up with Citrix often, and has been reported to occur with Citrix 5.4 is a looping behavior, where trying to launch the application triggers the browser to loop through the login page repeatedly, ad infinitum. This is caused by a change to the way Citrix handles cookies. To fix it, one needs to configure UAG to treat the cookies a little differently, and that is done via a custom SRA and AppWrap configuration.

To resolve this, you will need to create two XML files on your server, and populate them with the content that I will include ahead. Be careful when copying the content, to preserve a good structure. If any of the XML tags gets broken, it cause UAG to produce a 500 error, so be prepared to back-out any changes if you run into issues. You may also contact me directly via the contact-me form to obtain the files directly from me. The 2nd file there is the more sensitive one, as it has a very long line of text that must be kept intact.

Here are the steps:

1. Copy the content of the first box below into a text file, and save it as “WhlFiltSecureRemote_HTTPS.XML” on your UAG server, under the folder <UAG Path>\Von\Conf\Websites\<Your Trunk>\Conf\CustomUpdate
2. Look at the path settings (highlighted below in green). Your actual path for the Citrix installation may differ (a common variation is /Citrix/XenApp/auth/). If so, change it in the file you create.
3. Copy the content of the second box below into a text file, and save it as “WhlFiltAppWrap_HTTPS.XML” on your UAG server, under the same folder
4. If there are files by those names in there already, STOP! The files CAN be combined, but it could be tricky to do, and I recommend opening a support case with Microsoft CSS to work-through that process.
5. Activate your UAG configuration
The code for the XML files are available from Ben's blog post.

I did encounter an issue though.  This works perfectly on UAG 2010 SP2, but as soon as I applied UAG 2010 SP3, it no longer worked.  Instead of taking you seamlessly into the XenApp application, it presented Windows 2008 R2 login screen.  If you enter your details it works, but if you try to start up another application it would prompt for a login again.  It seems that the SP3 update no longer passes the credentials for the XenApp SSO to work.  I'll update, if I can find out why.

Publishing Microsoft Lync 2010 using Microsoft UAG 2010

I've been working with Microsoft UAG since it's been available.  I had a head start as I was using and deploying IAG and Whale previously, which were the two predecessors to UAG.

I've published a few different applications, but a majority of the solutions will include Microsoft Exchange (whether it's OWA, full Outlook and/or ActiveSync), RDP connections (usually for administrators to access servers or to Terminal Servers), and some sort of Intranet or SharePoint site.  Some of the rarer occasions I've been asked to give terminal access to AS/400 solutions, publish VMware View, deliver the Neocoretech VDI solution using HTML 5 clients on iPads, etc, etc.

So when I was asked to deploy Lync 2010, I was pretty confident it would be straightforward.  I did some research to ensure I was following best practise, but ended up using a few documents to achieve a fully working solution.  Please note I wasn't doing this blind as I had deployed Lync in our office, but could make it work with UAG without real certificates (as is highlighted in the following instructions)

I was deploying an SSL-VPN portal as well as creating a Lync connection for the computers, which meant I modified some of the configurations given.

The first document I used was this one:

Ensure you have all the domain names for the various Lync components, but I used a different document for this.

As ever, I was deploying a Celestix WSA solution, which was straightforward.  I followed Georg Thomas' instructions, but did not follow the section on the "Additional Trunk Configuration" as this would impact my SSL-VPN portal.  I did create the registry key as described, but also follow Erez Ben Ari's blog here with the additional registry key:

I would typically use wildcard certificates, but as these do not work with Lync on UAG, we has to use a SAN (Subject Alternate Name) certificate.  As I have never done this before, I followed these comprehensive instructions:  The request of the certificate from the provider is the same as a "normal" or wildcard certificate, as is the installation.

Thanks the well written documents abover, the publishing of Lync 2010 was straightforward.

Friday 3 May 2013

Backups, a necessary evil?

It may be unfair of me to compare backups to car insurance, but here goes!
  • We all know we need it, but not everyone has it. 
  • We buy it, hoping to never have to use it.
  • We never know how effective it is until we have to use it.
  • We ignore the extra offerings, believing we can get it cheaper elsewhere.
  • Most people will buy on price, rather than looking at what it covers.
With most back up solutions there is a limitation with the platform on which the backup solutions runs.  Some are software only, some are appliance only, some only have agents and push to the internet, some only run in a virtual environment, and many vendors will only give one or two of these choices.

Looking at the agents and application support, some specialise with virtualised environments, some only with Windows servers, some have limited integration agents and therefore struggle to back up vital servers within your network.

Some have the ability to create bare metal backups in case of a disaster, but they can only restored on similar hardware.  Most people will struggle to find similar hardware, once it's over a year old, as the manufacturers are continuing to release new hardware.

Then there's the media it will back up to, some will only go to tape, disk, SAN, NAS, removable media, to the internet (cloud), or to a private network/cloud, but again some will only give limited choices.

We at e92plus, currently work with Unitrends, who can offer the following:
  • Choice of platform, supporting either a backup appliance or a virtual appliance for either Microsoft Hyper-V or VMware vSphere.
  • Backup a variety of operating systems, including Microsoft Windows, Linus, Apple Mac OS X, AIX and Solaris.
  • Integrates with Microsoft Hyper-V and VMware virtualisation environments, including instant recovery for VMware.
  • The ability to archive to Disk, tape, NAS and SAN.
  • The ability to replicate to another appliance, to another virtual appliance, to the Unitrends Cloud, or to a private cloud (hosted by either you or a trusted partner/supplier).
  • Utilising compression and de-duplication technologies to the reduce the size of the backups.
  • The ability to create bare metal backups, and restore to dissimilar hardware.
Unitrends sounds too good to be true, but a number of environments (have a look on Spiceworks) and I are currently using and very happy with the solution.

The pricing is very competitive as well, but you probably won't believe it until you try it, so have a look here to download your Free Edition, which will allow you to protect four virtual machines, forever, for free!

Wednesday 1 May 2013

Shoulder Surfing...

Working in IT security, I understand and advocate the importance of PINs and passwords, as well as explaining why they shouldn't be shared.  My 8 year old and 6 year old have computer lessons at school from which they understand the importance of keeping passwords secret. 

On our home PC, I've created profiles for them where they insisted on having passwords and even I as the administrator/father don't know their passwords.  It makes me proud when I try and trick the password out of the them, that they won't tell me.

Imagine my surprise when my wife recounts her day, where my 2 year old son was happily playing on the iPad and listening to iTunes.  I tell my wife that my iPad is PIN protected!  I've been "shoulder surfed" by my two year old son!

Not a major problem as I don't keep important information on it, but he can play Angry Birds whenever he wants (and pretty much does)...

What if this was a work environment, it would not be acceptable if this had happened.  In fact, I would suspect someone would get either a verbal or written warning for such a security lapse.  Maybe I have a certain amount of paranoia, but I don't check my email on my mobile when there are people close enough to shoulder surf me.  Not that I have anything that private or personal, but I don't know what's in that email until I open it.
The facts around visual security are pretty much as you expect:
  • 80% chance that you've already become a victim of others reading over your shoulder
  • £1.9 million is the average cost to businesses per incident of physical data theft
  • 96% of data breaches in 2010 were avoidable
  • 52% of laptop users in the UK are ignoring visual security issues
  • 67% of working professionals surveys in the US had worked on some type of sensitive data outside of the office.
Visual security of on-screen data can be a key part of the implementation of ISO 27001.  So if you excuse the reflection, you can see both my laptop and desktop screen when looking at them head on.
Here is my screen from an angle and slightly above to give the view of a shoulder surfer, you can see my 3M privacy filters working their magic.

When the view angle exceeds 30 degrees, the screen is protected.  You can also see a notch in the top right allowing these to be removed to give the normal visibility back.
e92plus have started distributing the 3M privacy filters and free samples can be requested from here: