18 Sep 2014

Windows Server VPN Authentication Protocols

VPN authentication methods

A VPN (Virtual Private Network) is a technology that offers a secure way to establish communication channels between devices over the public Internet. As a concept, VPN offers three main features: encapsulation, authentication and encryption. These features matter because together they ensure that data in transit cannot be read or altered by a potential attacker, and that only legitimate peers can join the tunnel. A common VPN scenario looks like this: a client connects to a VPN server (a Windows Server running Routing and Remote Access, or a dedicated VPN appliance) to establish a secure tunnel with the destination network. Before the client can access network resources, the VPN server must first authenticate the connection. Windows Server 2008 and 2012 support several authentication protocols for this step. The server offers the methods enabled in its network policy, strongest first, and falls back to the weaker ones if the client does not support the stronger one. Keep in mind that this fallback is only as good as the weakest method you leave enabled: a client (or an attacker in the middle of the PPP negotiation) that only "supports" PAP will be authenticated with PAP, so disable the methods you do not want rather than relying on the ordering. In this article I will summarize the authentication protocols used with Windows Server editions and look at the differences between them.

   EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) - one of the most secure authentication protocols in use today, built on TLS (Transport Layer Security). It can be implemented on a Windows Server 2008 or 2012 that is part of an Active Directory infrastructure. EAP-TLS is used by VPN clients that authenticate with certificates, stored either on the machine or on a smart card. Authentication is mutual: the client validates the server's certificate, and the server validates the client's X.509 certificate against the CA it trusts. No password is sent at all; the client proves possession of the private key that belongs to its certificate. This is what makes it strong: there is nothing to phish, replay or brute-force offline, and an attacker must obtain the private key itself to authenticate. If your company stores the certificates on smart cards, security improves further, because the private key is generated on the card and cannot be exported; an attacker would need both the physical card and its PIN. Within the corporate network you will need to deploy a Certificate Authority (Active Directory Certificate Services) to issue certificates for the VPN clients and for the VPN server, and you should keep revocation working so a lost or stolen key can be blocked.

   MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) - this authentication protocol is enabled by default on Windows Server editions. MS-CHAP v2 offers mutual authentication: the server sends a challenge, the client answers with a response derived from its own challenge and the NT hash of the user's password, and the server then returns an authenticator response so the client can verify it is talking to a server that also knows the password. The two sides therefore authenticate each other with the same shared secret (the password hash), not with two different keys. The session keys used for MPPE data encryption are derived from that password hash and the challenge response, unlike EAP-TLS, where the keys come out of the TLS handshake. The caveat a practitioner needs to know is that the MS-CHAP v2 handshake can be broken offline: its strength reduces to a single 56-bit DES key, and in 2012 a tool (chapcrack, with the CloudCracker service) was published that recovers it from a captured handshake in under a day. Microsoft responded with Security Advisory 2743256, recommending that MS-CHAP v2 only be used inside a PEAP tunnel (PEAP-MS-CHAP v2), where the exchange is protected by TLS, or that you move to EAP-TLS. Treat bare MS-CHAP v2 (for example PPTP with MS-CHAP v2) as no stronger than the user's password, and weaker than that once the handshake has been captured.

   CHAP (Challenge Handshake Authentication Protocol) - an older authentication protocol (RFC 1994) based on MD5. The VPN server sends a random challenge and an identifier to the VPN client, which responds with the MD5 hash of the identifier, the user's password and the challenge. The VPN server computes the same hash locally and compares it with the one received; if they match, the user is granted network access. Two things make CHAP a poor choice. First, the server has to reproduce the hash, so it must have the cleartext password; in a domain this means enabling "Store password using reversible encryption" for those accounts, which weakens every password stored that way. Second, anyone who captures the challenge and the response can run an offline dictionary attack against the password, with no account lockout to slow them down, and the client never authenticates the server. If EAP-TLS is not possible in your network, prefer MS-CHAP v2 (ideally inside PEAP) over CHAP.

   EAP-MD5 CHAP (EAP-Message Digest 5 Challenge Handshake Authentication Protocol) - CHAP carried inside the EAP framework. It does not encrypt anything; it sends the same MD5 challenge/response as CHAP, so it inherits every weakness of CHAP and is known to be vulnerable to dictionary attacks. It authenticates the client to the server but not the other way around, which is why EAP-MD5 CHAP is vulnerable to man-in-the-middle attacks. It also produces no keying material, so it cannot be combined with MPPE data encryption. It was used with older Windows Server editions and should not be used anymore.

   SPAP and PAP - two simple authentication protocols that are not widely used, since they rely on basic mechanisms and are trivially attacked by anyone on the path. PAP (Password Authentication Protocol) sends the username and password to the server in clear text. SPAP (Shiva PAP) uses a reversible (two-way) encryption scheme, so the password is not literally in clear text, but anyone who knows the scheme can recover it; it is not a secure authentication protocol. Do not use either of these protocols for VPN authentication unless they are wrapped inside a tunnel that already authenticates the server and encrypts the exchange (some one-time-password back ends require PAP, and that is the only acceptable way to run it).
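To make the CHAP and EAP-MD5 mechanics concrete, here is an added example (not code from the original article or from Microsoft) that runs the RFC 1994 challenge/response exchange in Python with both sides, then shows why it is weak: given only the captured challenge and response, an attacker recovers the password with an offline dictionary attack. The user name, password, wordlist and 16-byte challenge are constructed for the demo; hashlib, hmac and secrets are standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge).
    EAP-MD5 (RFC 3748 section 5.4) carries exactly the same computation inside
    EAP Request/Response packets, so everything below applies to both."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """VPN server side. It must hold the user's password in a recoverable form,
    because it has to feed the same bytes into MD5 that the client used. This is
    why Windows needs 'Store password using reversible encryption' for CHAP."""

    def __init__(self, users: dict[str, bytes]) -> None:
        self.users = users          # username -> cleartext password (constructed demo data)
        self.identifier = 0

    def new_challenge(self) -> tuple[int, bytes]:
        # Identifier is a one-octet sequence number; the challenge is random so a
        # captured response cannot simply be replayed against a later challenge.
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, secrets.token_bytes(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.users.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """VPN client side. Note it never learns anything that proves the server
    knows the password: CHAP authenticates only the client."""

    def __init__(self, name: str, password: bytes) -> None:
        self.name = name
        self.password = password

    def respond(self, identifier: int, challenge: bytes) -> tuple[str, bytes]:
        return self.name, chap_response(identifier, self.password, challenge)


def authenticate(server: ChapServer, client: ChapClient) -> tuple[bool, int, bytes, bytes]:
    """One full exchange: Challenge -> Response -> Success/Failure.
    Returns the outcome plus exactly what an on-path observer would see."""
    identifier, challenge = server.new_challenge()            # server -> client
    name, response = client.respond(identifier, challenge)    # client -> server
    return server.verify(name, identifier, challenge, response), identifier, challenge, response


def dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                      wordlist: list[str]) -> str | None:
    """Offline guessing from a captured Challenge/Response pair. Nothing is sent
    to the server, so lockout policies never trigger; the only limit is MD5 speed."""
    for candidate in wordlist:
        if chap_response(identifier, candidate.encode(), challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapServer({"alice": b"Summer2014!"})            # constructed sample user
    ok, ident, chal, resp = authenticate(server, ChapClient("alice", b"Summer2014!"))
    print("legitimate login accepted:", ok)
    # An attacker holding a capture of the PPP/EAP exchange tries a small wordlist.
    print("recovered password:",
          dictionary_attack(ident, chal, resp, ["password", "Welcome1", "Summer2014!"]))
```

The same capture-then-guess approach is what makes EAP-MD5 unusable on a VPN: the challenge is sent in the clear, and the user's password is the only secret in the whole exchange.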

These are the VPN authentication protocols that can be used with Windows Server editions. Whenever possible choose the strongest method (EAP-TLS, then PEAP-MS-CHAP v2) and disable the rest in the network policy, so that a client cannot negotiate its way down to a weaker one. Hope you'll find this article interesting and use it to enhance your Windows Server VPN knowledge. Wish you all the best and stay tuned for the following articles.
16 Sep 2014

Active Directory Forest Trust

  If you've been working with Active Directory for a while, you probably know most of the features this technology supports. Large companies that span multiple geographical areas implement domains and forests across their entire network for a centralized and manageable infrastructure. If your forests can reach each other over the network and you want to enable cross communication between them, you'll need to establish forest trusts. This feature was introduced with Windows Server 2003 and offers several trust mechanisms: you can configure one-way incoming, one-way outgoing and two-way trusts. I will try to cover them in this article so that you can choose the right option for your network. But why should you opt for forest trusts instead of incorporating multiple domains under the same forest? One reason may be that you want separate Active Directory infrastructures so you can manage each forest individually and keep a separate security boundary: the forest, not the domain, is the security boundary of an AD deployment, and an administrator of one forest does not automatically get control of the other. Another may be that your forests use different domain and forest functional levels and you cannot combine them, or that your company recently acquired an office that was using a different AD organization and you don't want to merge them.

   Note that you can create trusts at the domain or forest level. There are multiple trust types that you can establish, and they include:
Shortcut trust - a trust created manually between two domains inside the same forest (for example between two deep child domains in different trees). The domains already trust each other through the forest's parent/child trusts, so a shortcut trust changes nothing about who can access what; it shortens the Kerberos referral path, so choose it when resources in the other domain are accessed frequently and logon times between the two domains matter. The benefit is largest when each tree has several layers of child domains. The direction of trust can be one-way or two-way, and shortcut trusts are transitive.
External trust - you can implement this when you want to create a trust between a domain that's part of your forest and a domain in another forest, or a domain that's not part of any forest. "External trusts are sometimes necessary when users need access to resources located in a Windows NT 4.0 domain or in a domain located within a separate forest that is not joined by a forest trust". External trust direction can be one-way or two-way; external trusts are always nontransitive, and SID filtering is enabled on them by default.
Forest trust - used to share resources between two forests: every domain in one forest trusts every domain in the other. The direction can be one-way or two-way, depending on the necessities of your network, and both forests must be at the Windows Server 2003 forest functional level or higher. "Forest trusts are useful for Application Service Providers, companies undergoing mergers or acquisitions, collaborative business extranets, and companies seeking a solution for administrative autonomy." A forest trust is transitive between the two forests but does not extend to a third forest.
Realm trust - this type of trust is established between an Active Directory domain and a non-Windows Kerberos V5 realm, typically UNIX/Linux systems running an MIT or Heimdal KDC. Realm trusts can be one-way or two-way, and transitive or nontransitive.

Trust direction 
Every trust created between domains or forests has a trust direction. The direction defines the path along which authentication requests flow between the two parties. A trust relationship involves two entities: the trusted domain, which holds the user accounts, and the trusting domain, which holds the resources. When a user from the trusted domain accesses a resource in the trusting domain, the domain controllers of the trusting domain check whether a trust exists with the user's domain and, if it does, accept the authentication performed by the trusted domain's DCs. So for access to work, the trust must point from the trusting domain (resources) towards the trusted domain (accounts); a one-way trust in the opposite direction gives no access at all. The following picture displays a trust relationship between two domains:
[Figure: trust relationship between two domains]

"One-way trust - A one-way trust is a unidirectional authentication path created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A (trusted domain) can access resources in Domain B (trusting domain). However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be a nontransitive trust or a transitive trust depending on the type of trust being created. For more information about trust types, see Trust types.
Two-way trust - All domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, both domains that are involved in a trust relationship trust each other. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. For more information, see Trust types." (quoted from Microsoft's Windows Server 2003 documentation on trust direction)

When discussing forest trusts we must also talk about trust transitivity. The term refers to whether a trust extends beyond the two domains that created it. With a transitive trust, if domain A trusts domain B and domain B trusts domain C, then A also trusts C (this is how all domains inside one forest end up trusting each other). A nontransitive trust applies only to the two domains involved; it does not deny anything, it simply stops there, so an external trust to a partner's domain does not let that partner's other domains in. Two related controls matter from a security point of view: SID filtering, enabled by default on external and forest trusts, discards SIDs arriving from the other side that do not belong to its domains (so whoever controls a trusted domain cannot inject one of your SIDs through SID history), and selective authentication, which makes the trusting side grant access only to users explicitly allowed on each resource. For the full list of cases, see Microsoft's documentation on trust transitivity.
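The rules above (direction, transitivity, one-way versus two-way) are easier to check on a concrete topology. The following Python script is an added example, not code from the article or from Microsoft: it models each trust as a directed edge from the trusted (account) domain to the trusting (resource) domain and searches for a trust path, allowing multi-hop paths only across transitive trusts. The domain names corp.local, eu.corp.local, partner.net and legacy.local are hypothetical; SID filtering, selective authentication and the rule that a forest trust does not chain to a third forest are not modelled.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a trust. 'trusting' is the domain holding the resources;
    it accepts authentications coming from 'trusted', the domain holding accounts."""
    trusting: str
    trusted: str
    transitive: bool


def two_way(a: str, b: str, transitive: bool) -> list[Trust]:
    """A two-way trust is just a one-way trust in each direction."""
    return [Trust(trusting=a, trusted=b, transitive=transitive),
            Trust(trusting=b, trusted=a, transitive=transitive)]


def trust_path(user_domain: str, resource_domain: str, trusts: list[Trust]) -> list[str] | None:
    """Return the chain of domains an authentication from user_domain can follow
    to reach resource_domain, or None if no trust path exists.

    Simplified rules: a direct trust of either kind always works; a multi-hop
    path is only valid when every hop is transitive."""
    if user_domain == resource_domain:
        return [user_domain]
    # Direct hop: any trust, transitive or not.
    for t in trusts:
        if t.trusted == user_domain and t.trusting == resource_domain:
            return [user_domain, resource_domain]
    # Multi-hop: breadth-first search over transitive edges only
    # (edge direction is trusted -> trusting, the way a user's authentication flows).
    transitive_edges: dict[str, list[str]] = {}
    for t in trusts:
        if t.transitive:
            transitive_edges.setdefault(t.trusted, []).append(t.trusting)
    queue = deque([[user_domain]])
    seen = {user_domain}
    while queue:
        path = queue.popleft()
        for nxt in transitive_edges.get(path[-1], []):
            if nxt in seen:
                continue
            if nxt == resource_domain:
                return path + [nxt]
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


# Constructed example topology (hypothetical names, not from the article):
#   corp.local forest: corp.local (root) with child domain eu.corp.local
#   partner.net forest: two-way forest trust with corp.local
#   legacy.local: stand-alone domain; one-way external trust, partner.net trusts it
LAB_TRUSTS: list[Trust] = (
    two_way("corp.local", "eu.corp.local", transitive=True)        # parent/child, automatic
    + two_way("corp.local", "partner.net", transitive=True)        # forest trust
    + [Trust(trusting="partner.net", trusted="legacy.local", transitive=False)]  # external
)


if __name__ == "__main__":
    for user, resource in [("eu.corp.local", "partner.net"),
                           ("legacy.local", "partner.net"),
                           ("legacy.local", "corp.local"),
                           ("partner.net", "legacy.local")]:
        print(f"{user:>15} -> {resource:<14}", trust_path(user, resource, LAB_TRUSTS))
```

Feeding this the output of a trust enumeration (Get-ADTrust, nltest /domain_trusts) shows at a glance which cross-domain authentication paths exist; an attacker who lands in one domain maps exactly the same graph when looking for the next hop, which is why one-way and nontransitive trusts are worth the extra administration.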
Hope you've read and enjoyed this article, if you think there are things left unclear on this topic, post a comment and I will try to respond as soon as possible. Wish you all the best and stay tuned for the following articles.
11 Sep 2014

How to use Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer, or MBSA, is a free tool that system administrators can use to detect missing security updates and common security misconfigurations on their Windows machines (for example blank or weak local passwords, an enabled guest account, too many local administrators, and insecure IIS or SQL Server settings). For the update check, MBSA compares the machine against a WSUS server, Microsoft Update, or the offline catalog (wsusscn2.cab) that can be downloaded for disconnected networks. You can use this tool to manually create a health report for each of your network's devices. The tool offers a fast and reliable way to create system reports that can later be used to increase network security.
You can download the Microsoft Baseline Security Analyzer from Microsoft's website. The tool is easy to install and configure, just double click it and follow the Wizard instructions. Once the software has been installed, open it to check out its interface.
MBSA offers two ways to scan your devices: scan a computer using its name or IP address or scan multiple computers using a domain name or a range of IP addresses. For this demonstration I will use the first method so simply click on Scan a computer from the left side of the panel:
[Screenshot: MBSA main panel, "Scan a computer"]

Simply type in the computer's name or its IP address and set the security report name. From the Options section you can choose what checks will be performed on the specified machine. Note that scanning a remote machine requires an account with local administrator rights on it, and the Remote Registry service plus file and printer sharing must be reachable through its firewall. Once all options have been set, press the Start Scan button:
[Screenshot: MBSA scan options]

The report lists each check with a severity icon: missing updates and service packs, plus any administrative vulnerabilities found, each with "What was scanned", "Result details" and "How to correct this" links.
[Screenshot: MBSA security report]

There are other tools that can be used to achieve similar results but, Microsoft Baseline Security Analyzer is fast and easy to use. That's about it for this article folks, wish you all the best and stay tuned for the following articles.
29 Aug 2014

How to install and configure Hyper-V on a Windows Server 2012 machine

In today's article I will show you how to install and configure Hyper-V Server Role on a Windows Server 2012. Note that for this tutorial I will be using a Virtual Machine hosted on VMware. We've had a short introduction to Hyper-V in a past article and I think it's better if you read it before proceeding with this post.

Because Hyper-V ships as a built-in role of Windows Server 2012, it can easily be installed using the Server Manager console. Once you've opened the console, navigate to the Roles section and select Hyper-V from the list. The Hyper-V Module for PowerShell and the Hyper-V GUI Management Tools features will be added during the installation process.
[Screenshot: Add Roles and Features wizard, Hyper-V role selected]
The wizard prompts you to create a new virtual switch. This is a virtual device that binds to your physical interface and allows your Server to communicate with the rest of the network. From the available menu choose the interface used for this Hyper-V Server.

[Screenshot: Hyper-V wizard, Migration page]
Server live migration can be enabled in the following section. For now, it's best not to enable this feature because this is a testing environment and we will not interact with it. When you do enable it in production, note that the default authentication protocol is CredSSP, which requires you to log on to the source host to start a migration; Kerberos allows remote management but needs constrained delegation configured for the hosts.
[Screenshot: Hyper-V wizard, Default Stores page]
We'll need to specify the location for our virtual hard disks and configuration files. It's best to keep these files in separate folders; that way you isolate any problem that may occur. I will leave the default locations and proceed with the installation. You will need to be patient for a short while until the wizard completes. Note that you will need to reboot the server once the wizard is finished.

[Screenshot: Hyper-V Manager console]
You can now open the Hyper-V Manager console from Administrative Tools. Open Hyper-V Settings by right-clicking your Hyper-V node. There are many configurable sections in this menu and you will need to access them when customizing your system. From here you can configure the following: Virtual Hard Disks and Virtual Machines location, Physical GPU settings, NUMA Spanning to allow non-uniform memory spanning, Live and Storage Migrations, Enhanced Session Mode Policy, Replica Configuration and User settings. Each option has a short description that explains its basic role within Hyper-V. I like this menu because it's pretty intuitive and lets you configure Hyper-V easily:

[Screenshot: Hyper-V Settings dialog]

Using the Hyper-V Manager Console we can also Create, Edit or Inspect Virtual Disks. I will show you how to deploy a new Virtual Machine with Hyper-V in a future article and we will see how to edit a virtual disk. From the upper menu in the Action section you can see all available actions:
[Screenshot: Hyper-V Manager, Actions pane]

In the Virtual Switch Manager we can add virtual network devices which can be used within our virtualization infrastructure. If you are familiar with other virtualization products then this section may sound familiar. Hyper-V offers three types of virtual switch, as follows:
  • external - binds to a physical network adapter. Used to allow connectivity between VMs and the physical network
  • internal - reachable only by the Hyper-V host and its virtual machines. No external access is provided through this switch
  • private - reachable only by virtual machines on the same Hyper-V host; the host itself is not connected. This is the one to use for an isolated lab segment (for example when detonating malware samples), because traffic cannot leave the host unless one of the VMs also has an adapter on another switch
[Screenshot: Virtual Switch Manager]

You can create one external virtual switch per physical interface, but you can create as many internal or private virtual switches as you need. Once the virtual devices have been added to your Hyper-V server, they can be configured just like physical interfaces from Control Panel\Network and Internet\Network Connections:
[Screenshot: Network Connections showing the Hyper-V virtual switch adapter]

You can configure virtual devices just as physical interfaces, you should already be familiar with this operation:
[Screenshot: virtual adapter properties]

On the Virtual SAN Manager page, you can create virtual Fibre Channel SANs for your storage network. I haven't got the opportunity to work with this feature since I don't have a testing storage device.

The Windows service that manages Hyper-V is Hyper-V Virtual Machine Management (service name vmms), and you can view its status using the Services console or Server Manager in the Hyper-V section. Note that if this service crashes or is stopped, Hyper-V Manager, the PowerShell module and everything else that depends on it stop working:
[Screenshot: Services console, Hyper-V Virtual Machine Management]

Hyper-V offers a lot of features that can be used within your virtual environment and we haven't covered every aspect of this technology. This article should at least give you some basic information on how to install and configure Hyper-V. In the next tutorial I will show you how to create a new VM using Hyper-V, and we will later see how to use these machines to deploy new Windows Servers using WDS. Please use my comments section to post questions regarding this topic or if you think there are things that were not covered properly. Wish you all the best and don't forget to enjoy your day!
13 Aug 2014

How to create a persistent network configuration on a Linux machine

In this article I will show you how to create a persistent network configuration on your Linux machine. You will need to edit the network adapter's configuration file. If you set the address with ifconfig or ip commands instead, the parameters are lost at reboot, and with DHCP the address depends on whatever lease the DHCP server hands out. You could also put those commands in one of the initialization files, but I prefer editing the network adapter configuration file directly.
The location of the network configuration file differs from one Linux distribution to another. For the following example I will be using two virtual machines running CentOS named VM2 and VM3. On a CentOS server the network configuration file can be found in /etc/sysconfig/network-scripts/ifcfg-eth0. If the machine has multiple interfaces, there will be several config files in the same location, one ifcfg-<name> per interface (newer releases use names such as ens33 or eno1 instead of eth0), so make sure to edit the right file.
If you have downloaded the OS image from http://www.centos.org/, your server will be configured to obtain its IP configuration from a DHCP server, which is why the following lines would normally appear:
DEVICE=eth0 
BOOTPROTO=dhcp 
ONBOOT=no
  • DEVICE=interface_name - physical interface name
  • BOOTPROTO=protocol - protocol used to obtain the IP configuration; one of the following:
                 none — no boot-time protocol is used, the address is static ("static" is accepted as a synonym)
                 bootp — the BOOTP protocol is used
                 dhcp — the DHCP protocol is used
  • ONBOOT=yes/no - whether the interface is brought up at boot (with ONBOOT=no the file is ignored until you run ifup by hand)
I've opened the ifcfg-eth0 on VM2 using a text editor. You will need to add the following lines on your CentOS machine:
DEVICE=eth0
HWADDR=00:0C:29:A2:36:CD
TYPE=Ethernet
UUID=58fd1273-f989-4cd6-bf67-8e7fec7bd1a2
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.10.1.10
NETMASK=255.255.255.0
NETWORK=10.10.1.0
GATEWAY=10.10.1.1

Note that the HWADDR, TYPE, UUID and NM_CONTROLLED parameters are filled in automatically by the system, so you will not need to worry about those (HWADDR must match the adapter's real MAC address; after cloning a VM a stale HWADDR is the usual reason the interface refuses to come up). I've added the IP address, network mask, gateway and network address parameters; NETWORK is optional, since it can be derived from IPADDR and NETMASK.
This is how your configuration file should look like:
[Screenshot: ifcfg-eth0 on VM2 with the static configuration]
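Before rebooting it is worth checking that the file is self-consistent: an address that is not on the same subnet as the gateway, or an ONBOOT=no left over from the DHCP template, are the two classic reasons a server comes back unreachable. The following Python script is an added example (not from the article or from CentOS): it parses an ifcfg-style file and reports those inconsistencies. SAMPLE_IFCFG is a constructed copy of the static configuration shown above, and the checks cover only IPv4.

```python
from __future__ import annotations

import ipaddress

# Constructed sample, mirroring the static configuration from the article.
SAMPLE_IFCFG = """\
DEVICE=eth0
HWADDR=00:0C:29:A2:36:CD
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.10.1.10
NETMASK=255.255.255.0
NETWORK=10.10.1.0
GATEWAY=10.10.1.1
"""


def parse_ifcfg(text: str) -> dict[str, str]:
    """Parse the KEY=VALUE lines of an ifcfg-* file. Blank lines and '#' comments
    are skipped and surrounding quotes are stripped, as the network scripts do."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip().strip('"').strip("'")
    return cfg


def check_ifcfg(cfg: dict[str, str]) -> list[str]:
    """Return the problems that would stop the interface from coming up correctly
    after a reboot. An empty list means the file is consistent."""
    problems: list[str] = []
    if cfg.get("ONBOOT", "no").lower() != "yes":
        problems.append("ONBOOT is not 'yes': the interface will stay down after reboot")
    proto = cfg.get("BOOTPROTO", "none").lower()
    if proto in ("dhcp", "bootp"):
        if "IPADDR" in cfg:
            problems.append(f"IPADDR is set but BOOTPROTO={proto}: the static address is ignored")
        return problems
    if proto not in ("none", "static"):
        problems.append(f"unknown BOOTPROTO value '{proto}'")
        return problems
    # Static configuration: address, mask, network and gateway must agree with each other.
    missing = [k for k in ("IPADDR", "NETMASK") if k not in cfg]
    if missing:
        problems.append("static configuration is missing " + ", ".join(missing))
        return problems
    try:
        iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    except ValueError as exc:
        problems.append(f"IPADDR/NETMASK are not a valid IPv4 address and mask: {exc}")
        return problems
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"IPADDR {iface.ip} is the network or broadcast address of {net}")
    if "NETWORK" in cfg and ipaddress.IPv4Address(cfg["NETWORK"]) != net.network_address:
        problems.append(f"NETWORK={cfg['NETWORK']} does not match {net.network_address} "
                        f"derived from IPADDR/NETMASK")
    if "GATEWAY" in cfg and ipaddress.IPv4Address(cfg["GATEWAY"]) not in net:
        problems.append(f"GATEWAY={cfg['GATEWAY']} is not on the local subnet {net}; "
                        f"the default route will not be installed")
    return problems


if __name__ == "__main__":
    # Run against the embedded sample; swap in open('/etc/sysconfig/network-scripts/ifcfg-eth0').read()
    for p in check_ifcfg(parse_ifcfg(SAMPLE_IFCFG)) or ["OK: configuration is consistent"]:
        print(p)
```

Running it on a real file before `service network restart` (or from a cron job across a fleet) catches the typo class of outage before it costs a trip to the console.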

Now we will make similar configurations on the second Server:
[Screenshot: ifcfg-eth0 on VM3]

The only thing left to do is to restart the network service on both servers, with the command: service network restart. If you are connected over SSH, do this from the console (or be very sure the new address is correct), because the restart drops the existing connection.
[Screenshot: service network restart output]

There are several ways to test the network connectivity between these two servers but, one of the most common methods is by using the ping command:
[Screenshot: ping between VM2 and VM3]

Now it's time to test our persistent configuration by rebooting both machines. Simply type reboot on each server:
[Screenshot: reboot command]

To verify your IP configuration use the ifconfig or ip addr show commands. Note that you can also set a static IP address with these two commands, but it will not persist upon reboot. The output of these commands is as follows:
[Screenshot: ifconfig output]

[Screenshot: ip addr show output]

As you can see these commands have similar output, so choose whichever method you prefer. To verify the default gateway, use the route -n command (or ip route):
[Screenshot: route command output]

That's it for this article folks, I hope you've understood how to configure a persistent IP configuration on your Linux machine. Note that I'm still in the process of learning Linux this is why there may be things that I cannot explain yet. Please feel free to post any question related on this topic and I will try to respond as soon as possible. Wish you all the best and stay tuned for the following articles from IT training day.
© 2014 All Rights Reserved.
IT training day & Powered By BloggerHero