sircles.net Computer Support The sircles.net IT support & solutions blog | Internet Security

How to be 100% sure you are not opening a dangerous attachment

If you are in the market for some new employees then you may be receiving quite a few emails daily on the subject, but here is one to avoid:

In this case the user is viewing email using Microsoft Outlook. If we have a closer look by clicking the attachment ONCE we can see that the document suggests us opening the document fully and enabling editing:

Anything that asks you to enable content or enable editing is likely to contain trouble. Microsoft Office Word and other Office documents can contain code that can harm your computer, and that should be avoided. The above is not a function of Microsoft Word; it is simply the page they have created to try and persuade you to enable their code. But let us go over a few quick checks that we can use to decide whether we like this or not anyway:

1. Before even thinking about the attachment, look at the sender address: Karen Baltzley <Dempsey@crediblesons.com> These addresses do not make any sense, as the spammer has not thought to align the email address with the display name of the sender - this is spam.

2. Look at how the email is signed - because these spammers send email by volume they do not want to enter any text by which your IT team can filter their messages out, and so they only want to use generic words. As a result they have not signed the email Karen Baltzley, they have just left it blank - this is spam.

3. Reply to the message instead of opening the attachment if you are in any doubt - this is a great way of being 100% sure. Spammers do not send email from proper addresses, this would open them to the risk of being traced or tracked down. So if they are a spammer, the email will just bounce back an error message. If you have any doubt at all reply to the email.

4. Lastly, the risk inherent in Microsoft Office documents, what with macros and other code, means that very few legitimate businesses send them unsolicited. Any invoice or quote in a Microsoft Office document format is questionable and you should reply to them asking for a PDF copy that cannot be so easily tampered with.

If you have satisfied yourself with all of the above then you can open an attachment feeling pretty safe, and believe me, it is worth the trouble. You do not want to find yourself buying Bitcoins in the middle of the night trying to decrypt yesterday's work before the boss gets back from their holiday.
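The four checks above can be run automatically as a first pass on incoming mail. What follows is an added example, not code from the original post: it uses Python's standard email library to flag a display name that does not match the From address, a body with no sign-off in the sender's name, and macro-capable Office attachments. The message it parses is constructed here, modelled on the sender shown above; the recipient mailbox and the attachment are assumptions.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from pathlib import Path

# Constructed sample, modelled on the message described in the post.
# The recipient address and the attachment are assumptions for the example.
SAMPLE_EML = """\
From: Karen Baltzley <Dempsey@crediblesons.com>
To: jobs@example.invalid
Subject: Application for the vacancy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Please see attached CV.
--sep
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="cv.docm"
Content-Disposition: attachment; filename="cv.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--sep--
"""

# Office formats that can carry macros (legacy binary formats and the *m variants).
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm", ".xlsb", ".ppt", ".pptm"}


def name_tokens(display_name):
    """Lower-case alphabetic words from a display name: 'Karen Baltzley' -> ['karen', 'baltzley']."""
    return [t for t in re.split(r"[^a-z]+", display_name.lower()) if len(t) > 1]


def display_name_mismatch(from_header):
    """Check 1: does no part of the display name appear in the local part of the address?"""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False  # nothing to compare, so no verdict
    local = addr.split("@", 1)[0].lower()
    return not any(t in local or local in t for t in name_tokens(name))


def signed_by(display_name, body_text):
    """Check 2: does the sender's name appear in the closing lines of the body?"""
    lines = [l.strip().lower() for l in body_text.splitlines() if l.strip()]
    closing = " ".join(lines[-4:])
    return any(t in closing for t in name_tokens(display_name))


def assess(raw_message):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_header = str(msg["From"] or "")
    name, _ = parseaddr(from_header)
    if display_name_mismatch(from_header):
        findings.append(f"display name does not match address: {from_header}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if name and not signed_by(name, text):
        findings.append("message is not signed with the sender's name")
    # Check 4: macro-capable Office formats are the ones to ask for as PDF instead.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if Path(filename).suffix.lower() in MACRO_CAPABLE:
            findings.append(f"macro-capable Office attachment: {filename}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_EML):
        print("-", finding)
```

Check 3 (replying to see whether the address bounces) is deliberately not automated: a bounce only arrives later, and an auto-reply to every suspicious sender confirms that the mailbox is live. The name matching is a heuristic, so treat its output as a prompt for the manual checks rather than a verdict.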

Juniper SSG5 to DrayTek Vigor 2860 IPSec VPN

The DrayTek Vigor router range are very straightforward routers with which to configure a VPN and only get really complicated to work on when dealing with multiple firewall rules that may conflict or override each other. The Junipers are highly configurable in a very ordered manner, but this does mean that there are extra considerations and stages to configuration when programming a VPN.

The Juniper needs to be told to allow traffic through a VPN and also needs a tunnel and an endpoint configured and so let us deal with that first.

We are assuming that you already have access to the Juniper via the web browser and can reach the configuration screens.

Go to the Network menu and select Interfaces and List.

Now with the drop down top right, choose Tunnel IF and then click New.

Set the Zone to be Untrust (trust-vr)

Check the bubble for Unnumbered as this is a route-based VPN.

Choose the interface to be the internet facing interface with the IP address that you will be pointing the DrayTek Vigor VPN at.

Now click the Tunnel link at the right of the links at the top of your configuration panel.

Once again the destination will be left as 0.0.0.0 as this is a route-based VPN and the Gateway we define in a minute will determine the endpoint for the VPN.

Now we have the tunnel configured we move on to configure the VPN:

Click Autokey IKE and then New:

Rather than configure a gateway in advance we will simply create one in this page. Click the bubble to Create a Simple Gateway and enter a name for the remote gateway. Leave IKE as ver.1 and choose Static IP and enter the Vigor WAN IP or hostname.

Now enter the pre-shared key which is a code that you will enter into the Vigor or share with the admin of the remote Vigor by some secure means. The Outgoing Interface will be the Juniper physical interface on which the WAN IP address resides to which you will be pointing the Vigor VPN.

Now click Advanced:

Here we are choosing the Phase 2 encryption proposal which is simply the encryption types - AES 256-bit in this case with DH Group 14 PFS (Perfect Forward Secrecy) and 3600 seconds time-out, but feel free to simply select a standard choice and simply make a note of the one you are choosing. Is it AES or 3DES or DES? What is the time-out, is it in seconds, minutes or hours? What is the PFS DH group? All of these should be noted as the Vigor must be configured to accept them.

Now enter the local and remote IP / Netmask, where the local is the LAN address and the subnet and the remote is the LAN which resides behind the Vigor, which we are going to have remote access to once the VPN is established. In this case both subnets are set at /24, meaning 255.255.255.0 Class-C subnets, but you must obviously enter your own details for each network.

Set service to Any which will allow all traffic to pass between the sites via our VPN.

Tick VPN Monitor, Optimised and Rekey, and leave the destination as default whilst choosing the external interface to which you will point the Vigor as the Source Interface.

Now click Return and OK. Now move on to configure the policies. The Gateway settings below are just for reference.

Here are the configurations for the Gateway but these two pages have been configured already when we configured the VPN but they are included as reference if you need to troubleshoot your Gateway settings:

Now click Advanced:

Now we must configure the policies to allow traffic between the sites. Go to Policy then Policies and at the top select from Trusted to Untrusted and click New.

Give the policy a name and enter the local subnet in the source and the remote subnet in the destination address boxes.

Choose the service type as Any and click OK. There is no need to configure advanced options in this instance.

Now at the top of the policy screen, select from Untrusted to Trusted and New and configure the settings as above but with the Vigor remote LAN subnet as the source and the local Juniper subnet as the destination with the service set as Any.

This completes the Juniper set-up and we can now configure the DrayTek Vigor 2860.

 Log into the admin web page of the DrayTek and go to the VPN and Remote Access section on the right-hand side. Click on LAN to LAN and then click an empty profile so that you can begin to populate the necessary information:

Name the VPN, indicating where it is connecting your local subnet to.

Tick to enable the profile.

Choose which WAN port/interface the VPN will be established through.

We are allowing NetBIOS naming packets as this will be for a Windows computer network and we may wish to enable inter-site computer browser functioning etc.

Multicast via VPN we will leave disabled.

Set the direction to be Both so that either site can initiate the connection.

Set the VPN type to be IPSec and enter the WAN IP or hostname of the Juniper we are connecting to.

Populate the bubble for Pre-Shared Key and click the IKE Pre-Shared Key button. Here you must enter the same key you entered into the Juniper and click OK.

Below that, choose the bubble for High(ESP) and set the dropdown box to be AES with Authentication. Then click the Advanced button:

Here we are selecting Main mode as we did on the Juniper and our phase 1 proposal as AES256_SHA1_G14.

Our phase two proposal is set as AES256_SHA1.

Timeouts are once again 28800 seconds and 3600 seconds for phase one and two respectively and Perfect Forward Secrecy (PFS) is enabled. Now click OK.

Moving down the VPN LAN to LAN page we come to the Dial-In settings:

Tick IPSec Tunnel as the VPN type and untick the others.

Tick the box to Specify Remote VPN Gateway and enter the Juniper WAN IP once more.

Tick the box for the Pre-Share Key and enter it as before by pressing the appropriate button.

Tick the AES button for the IPSec Security Method.

Leave section 4 blank here as we are not using GRE in this example.

Finally, in section 5, enter the Vigor WAN IP in My WAN IP and the Juniper WAN IP in Remote Gateway IP.

Enter the Juniper LAN subnet in Remote Network IP, such as 192.168.10.0, and the subnet mask below it, in this case 255.255.255.0 rather than /24.

The Local Network IP is the LAN subnet of the Vigor, such as 192.168.11.0, with the Vigor's subnet mask below it.

The RIP direction is set to both and the traversal method is set to Route.

Now click OK.

Go to VPN and Remote Access and Connection Management and see if the VPN is up:

DrayTek Vigor 2830 Dynamic IP to Vigor 3900

3. July 2017 16:11 by sirclesadmin in Internet, Internet Security, VPN

There are two main points to bear in mind when configuring the dynamic IP address connections to a static Vigor. The first is that you need to configure the IPsec shared key in two places on the static host DrayTek Vigor VPN router. Firstly under IPSec General Set-up (which is the same place as you configure the IPSec key for L2TP) and then under the VPN Profiles (or LAN to LAN if it is an older model.)

Let's configure the 3900 static IP host router first:

Go to IPSec General Setup

Enter the IPSec shared key you are going to use for your VPN, or if you are already using that shared key for other connections, look up what you are using and make a note of it, as we will need to enter that shared key again shortly.

Now go to VPN Profiles and we will configure the IPSec specifics for the host static end of the VPN. To continue, click Add to open a new profile window and choose an IPSec VPN. Leave the 'For remote dial-in user' selection at disabled.

So in the above we use the WAN port that holds the external IP being targeted by the other VPN router.

The local IP/Subnet mask is the IP range used by the internal network of the 3900 with the static external IP. In this case we are using a class C subnet of 192.168.x.0

The local next hop is left as the default to use the wan1 default gateway (in the above we are using wan1 but as stated you must use the external IP that the 2830 is pointed towards)

The remote host remains at 0.0.0.0 as the remote Vigor 2830 is on a dynamic IP.

The remote network mask is the internal IP LAN subnet of the 2830 with a dynamic WAN address - in this case we are using another 192.168.x.0 address

For the IKE phase 1 we will stick with Main Mode

The authentication type we will leave as PSK - Pre-Shared Key

The pre-shared key we entered earlier we enter again here...

The security protocol we are choosing is encrypted and so we select ESP

Now we move onto the Advanced tab:

We are sticking with the default time-outs for DrayTek Routers.

We are selecting Perfect Forward Secrecy to be enabled (PFS)

Dead peer detection can be enabled to allow for VPNs to be picked up again quickly after a brief connectivity issue.

Route/NAT mode should be: Route

Apply NAT policy should be: Disable

NetBIOS naming packets in this case I am selecting: Enable as this will allow ICMP traffic for Windows client/server communications to behave as if on the same network. 

Multicast via VPN we will leave: Disabled

RIP via VPN we will leave: Disabled to simplify getting the VPN up and running - you may wish to enable this at each end afterwards for router discovery.

Now we proceed to the Proposal Tab as we are not enabling GRE in this example:

Now we configure the encryption methods:

We are using AES G5 (Group 5) and AES with authentication as above and leaving the other options as accept all to bring the VPN up reliably and quickly.

To enable compatibility with the 2830 we are sticking to Group 5 but if you are using a 2860 you can use Group 14 (G14) instead as long as you match both ends.

Once all of this has been entered we can click Apply and await the router to confirm that it has accepted our VPN details...
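Both this post and the Juniper to Vigor 2860 one above make the same point: the cipher, hash, DH/PFS group, lifetimes and subnets must be noted at one end and matched exactly at the other, even though the two admin interfaces name and unit them differently (G5 versus Group 5, 8 hours versus 28800 seconds, /24 versus 255.255.255.0). The following is an added example, not the routers' own configuration or any DrayTek tooling: a Python checker that normalises two hand-recorded endpoint descriptions and lists the mismatches that would stop the tunnel negotiating. All addresses, the key and the dictionary layout are constructed for the example.

```python
import re
import ipaddress

# Constructed example values for the two ends (hypothetical addresses and key; not the
# page's own routers). Lifetimes carry units because the two admin UIs show them differently.
HUB = {
    "name": "Vigor 3900 (static WAN)",
    "wan_ip": "203.0.113.10",
    "peer_ip": "0.0.0.0",                 # accept the dial-in from any address
    "local_lan": "192.168.10.0/24",
    "remote_lan": "192.168.11.0 255.255.255.0",
    "psk": "constructed-example-key",
    "phase1": {"cipher": "AES256", "hash": "SHA1", "dh": "G5", "lifetime": "8 hours"},
    "phase2": {"cipher": "AES256", "hash": "SHA1", "pfs": "Group 5", "lifetime": "3600 seconds"},
}
SPOKE = {
    "name": "Vigor 2830 (dynamic WAN)",
    "wan_ip": "dynamic",
    "peer_ip": "203.0.113.10",
    "local_lan": "192.168.11.0/24",
    "remote_lan": "192.168.10.0/24",
    "psk": "constructed-example-key",
    "phase1": {"cipher": "AES-256", "hash": "sha1", "dh": "group5", "lifetime": "28800 s"},
    "phase2": {"cipher": "AES-256", "hash": "sha1", "pfs": "G5", "lifetime": "60 minutes"},
}

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def lifetime_seconds(text):
    """'8 hours', '60 min', '3600 seconds', '28800 s' -> seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised lifetime: {text!r}")
    unit = (m.group(2) or "s").lower()[0]
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unrecognised unit in {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[unit]


def dh_group(text):
    """'G14', 'group14', 'DH Group 14' -> 14."""
    m = re.search(r"(\d+)", text)
    return int(m.group(1)) if m else None


def network(text):
    """Accept '192.168.11.0/24' or '192.168.11.0 255.255.255.0' and return an ip_network."""
    parts = text.split()
    if len(parts) == 2:
        text = f"{parts[0]}/{parts[1]}"
    return ipaddress.ip_network(text, strict=False)


def normalise_phase(phase):
    out = {
        "cipher": phase["cipher"].upper().replace("-", "").replace("_", ""),
        "hash": phase["hash"].upper().replace("-", ""),
        "lifetime": lifetime_seconds(phase["lifetime"]),
    }
    for key in ("dh", "pfs"):
        if key in phase:
            out[key] = dh_group(phase[key])
    return out


def compare(a, b):
    """Return the mismatches that would stop the tunnel coming up; empty means consistent."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    for phase in ("phase1", "phase2"):
        na, nb = normalise_phase(a[phase]), normalise_phase(b[phase])
        for key in sorted(set(na) | set(nb)):
            if na.get(key) != nb.get(key):
                problems.append(f"{phase} {key}: {a['name']} has {na.get(key)}, {b['name']} has {nb.get(key)}")
    # Each side's local LAN must be the other side's remote LAN, and each side must point
    # at the other's WAN address (0.0.0.0 means "accept from anywhere", used for a dynamic peer).
    for side, other in ((a, b), (b, a)):
        if network(side["local_lan"]) != network(other["remote_lan"]):
            problems.append(f"{other['name']} remote LAN does not match {side['name']} local LAN")
        if side["peer_ip"] not in ("0.0.0.0", other["wan_ip"]):
            problems.append(f"{side['name']} points at {side['peer_ip']} but {other['name']} WAN is {other['wan_ip']}")
    if network(a["local_lan"]).overlaps(network(b["local_lan"])):
        problems.append("the two LAN subnets overlap; route-based traffic cannot be told apart")
    return problems


if __name__ == "__main__":
    for line in compare(HUB, SPOKE) or ["both ends agree"]:
        print(line)
```

The value of the normalisation step is that the two records above are written the way each UI presents them and still compare equal; change the spoke's phase 1 group to G14, as the 2860 note suggests, and the checker reports exactly that one line.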

Now we configure the 2830

In this example we are going to stick with using the LAN to LAN or VPN profiles tab as not all models have the VPN client and server wizard options, but either method will work as long as you get all of the encryption, LAN and endpoint data correct:

Below we have already gone to VPN>LAN to LAN and clicked on a profile number to start entering the data:

Give your profile a name and tick the box to enable it.

On this router we are using WAN 2 as it is behind another router (and yes it will still work with or without passthru as this is a dial out only configuration from the dynamic end. There is no point trying to dial back to a router you do not know the WAN IP address of.)

We are selecting the VPN type as Dial-Out only. If you wish the VPN to allow for full time connection so that you can access the remote computers then be sure to tick 'Always On' and Enable Ping to Keep Alive and use the IP address of the remote router LAN port on the other internal network (in this case the LAN port IP of the Vigor 3900.) This will basically make the VPN permanent allowing you to easily administer the computers at the dynamic WAN IP site where the 2830 is located.

Once again we are enabling the NetBIOS packets tick box.

Multicast via VPN is disabled again.

We enter the Vigor 3900 WAN IP/Host name in the server IP/Host Name box.

Click the IKE Pre-Shared and enter the same Pre-Shared key as before and click OK

Leave the dial in boxes empty as nothing can dial into a dynamic WAN router.

Do not specify the other end of the VPN as it is a dynamic IP address.

Leave the IKE authentication box as it is as there is no dial in IKE

My WAN IP should remain 0.0.0.0

The remote VPN gateway is the WAN IP of the 3900 static IP router

The remote Network IP is the subnet of the remote 3900 static IP router, in this case 192.168.x.0, and the remote network mask is a class C of 255.255.255.0 in this case, which is the LAN subnet of the 3900.

The Local Network IP is the LAN subnet of the router you are configuring and the subnet is once again a class C of 255.255.255.0

We are leaving RIP as disabled and Route as the method of traversal between subnets.

Now we can click OK and go to the VPN connection management page to see how our VPN is getting on:

On the 2830 the HQ VPN has come up and will stay up as we have configured 'always on' and 'ping to remote IP' meaning that when the IP changes at the 2830 WAN it will pickup and stay up allowing us to configure the remote router and PCs securely if we wish.

Now on the 3900 status we see:

Where the VPN is showing happily at the other end also proving that the VPN is encrypting data and sending and receiving successfully.

DrayTek Vigor 2860 to 3900 IPSec VPN

18. May 2017 10:47 by sirclesadmin in Internet, Internet Security, VPN

Connecting a VDSL/FTTC satellite office to a Dedicated Ethernet Fibre Hub Office with DrayTek IPSec. Both offices have a static IP in this example.

Firstly we shall configure the hub Vigor 3900 endpoint. Login as normal to see the home screen:

Now go to VPN and Remote Access and choose VPN Server Wizard and select IPSec as your VPN type:

Click to select creating a new VPN profile, choose a name - I have called this one HubOffice - and click next:

Now we are going to enter the VPN specific information to allow our satellite office to connect:

  • Tick the Enable box to enable the VPN
  • Choose the WAN port you are using for the internet connection that will carry the VPN and for which we will be using the external IP address of
  • Enter the local subnet - this is not provided automatically so enter your local subnet that the satellite office is being provided access to - this may well be the subnet you are using
  • Leave the next hop as 0.0.0.0
  • The remote host is the external WAN IP of the satellite office Vigor 2860
  • The remote host IP/subnet mask is the internal LAN subnet of the Vigor 2860 LAN
  • If there are any other subnets hung off the back of the satellite office - if it is a hub in itself - then you can add the extra subnets here, but this can often be a hindrance in getting the VPN to come up so we shall leave it blank for now.
  • Auth type is PSK for the passphrase/shared secret that we will enter momentarily
  • Pre-shared key - enter a long string that you have made a note of, as it is to be entered in the 2860 router later
  • Security protocol - leave at ESP
  • We are leaving the DPD delay and timeout boxes as default

Click finish to complete the setup...

You will be asked if you wish to proceed to the VPN status page and that is what we shall do:

Now we shall proceed to configure the 2860 which has a pretty much identical interface:

We won't use the VPN Client Wizard so that you can see all of the steps; we will configure the VPN manually. Click VPN and Remote Access > LAN to LAN:

then select a number corresponding to the profile you wish to configure:

  • First tick the Enable box to enable the profile
  • Give the profile a name
  • Choose the WAN1 interface for the VDSL interface if that is what you are using for the VPN external WAN IP address
  • Click the pass NetBIOS box to allow ICMP traffic between the offices
  • Leave Multicast blocked
  • To the right of that leave the call direction as Both
  • Below to the left select IPSec as the VPN type
  • Below that, enter the IP address or A record host name of the hub office Vigor 3900 WAN
  • To the right, click on the IKE Pre-Shared Key button and enter the key as you entered it into the Vigor 3900:

  • Now below that enter the IPsec method as High(ESP) AES with Authentication, then click the advanced button
  • Click the option to enable PFS - perfect forward secrecy
  • Leave the other timeouts as they are and click OK
  • Tick the box Specify Remote VPN Gateway and enter the 3900 WAN IP address
  • Leave the GRE settings as blank and proceed to the bottom section 5.

  • Enter the 2860 WAN IP in the first box
  • Enter the 3900 WAN IP in the second box
  • Enter the 3900 LAN IP network address in the third box
  • Enter the 3900 LAN subnet in the fourth box
  • Enter the 2860 LAN network address in the fifth box
  • Enter the 2860 LAN subnet in the final box
  • Leave the RIP settings as they are.

Now you should be able to go to the connection status on either router and see that the connection is live and be able to ping the other office from each respectively...

eBay spam WARNING!! - watch out these ones look good...

So now we are looking at eBay scams that are interested in hacking your eBay account so that they can get details or account information.

Here is a typical email - the first thing to do is notice that there is a big button with 'dispute this transaction' which is not normally present. Also notice that the email is originating from outlook.com which is unusual for an eBay email:

Also notice that that if we hover over the 'Dispute this transaction' button we see the following:

So the domain name, although it has the rover.ebay.com part in it, is actually pointing to t.co, which is Twitter's forwarding domain (Ooops, that's a bit embarrassing), which then forwards you to http://disputetransactionebaycommunicationreview.com/webapps/a3889/websrc

This page shows up as PayPal:

You can still see the phantom domain at the top though. This is obviously where they are interested in grabbing your PayPal details, so do not enter them.

Report this website address as false as soon as you can.

Forward the email to your ISPs spam service email support.

It should be noted that Outlook.com and Twitter.com are both being hijacked for this so beware as it will more than likely pass your anti spam filters!
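The hover check above (link text says rover.ebay.com, the href goes to t.co, and the final landing domain merely contains the word "ebay") can be applied to every link in a message before anyone clicks. This is an added example, not part of the original post and not an eBay or PayPal tool: it parses the anchors out of a constructed HTML fragment modelled on the lure, and classifies each by where it really goes. The t.co path is a placeholder; the brand and shortener lists are assumptions for the example, and the registrable-domain logic is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML fragment modelled on the lure described above; the t.co path is a placeholder.
SAMPLE_HTML = """
<p>A buyer has opened a case against one of your transactions.</p>
<a href="https://t.co/PLACEHOLDER">https://rover.ebay.com/dispute/transaction</a>
<a href="https://www.ebay.com/help">eBay help</a>
<a href="http://disputetransactionebaycommunicationreview.com/webapps/a3889/websrc">Dispute this transaction</a>
"""

# Assumed lists for the example; a real deployment would maintain these centrally.
BRAND_DOMAINS = {"ebay.com", "paypal.com"}
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com"}


def registrable(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element, i.e. what hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify(href, text):
    """Return 'ok' or a 'suspicious: ...' explanation for one link."""
    host = (urlparse(href).hostname or "").lower()
    dest = registrable(host)
    brands_named = {b for b in BRAND_DOMAINS if b.split(".")[0] in text.lower()}
    if dest in SHORTENERS:
        return f"suspicious: goes through shortener {dest}, real destination hidden"
    if dest not in BRAND_DOMAINS and any(b.split(".")[0] in host for b in BRAND_DOMAINS):
        return f"suspicious: brand name embedded in unrelated domain {dest}"
    if dest not in BRAND_DOMAINS and brands_named:
        return f"suspicious: text names {sorted(brands_named)} but link goes to {dest}"
    return "ok" if dest in BRAND_DOMAINS else f"unknown destination {dest}"


def audit(html):
    """Classify every link in an HTML body; returns [(href, verdict), ...] in document order."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, classify(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, verdict in audit(SAMPLE_HTML):
        print(f"{verdict:60s} {href}")
```

Note that the shortener case is reported without following the redirect: resolving t.co links from a mail gateway would itself fetch attacker-controlled pages, so the verdict is based only on what is visible in the message, which is exactly the hover check the post describes.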

Watching for new roothints and adware

OK, so you have your new computer and you are dying to get cracking on the Internet as your ISP has just made live your new broadband connection. Your computer was pre-installed and appears to have everything that you need, including your bonus installation of Norton Antivirus or similar and free downloads for a year. You install your modem and are ready to go, so let's go...

Antivirus Questions?

But maybe we should hold on a second. Norton Antivirus wins a lot of awards etc, but then it would. It is manufactured by Symantec and they are definitely a leader in corporate antivirus technology and a good supplier to deal with on that level, but they will charge you for any support as a home user and charge you to update your signature files after your trial period. A better option is to lose the installed antivirus and get AVG Free Edition from Grisoft, which picks up as many viruses as any other home edition antivirus package. Grisoft's solution is available from http://free.grisoft.com/doc/1 and I would urge you to pay for the full edition if you are a business as the extra functionality is worth it. Avast and AntiVir are also perfectly good examples and are also free. Whatever you do, make sure you have a suitable solution before just surfing unknown pages.

You should also equip yourself with a Firewall. Surfing the internet without a firewall is leaving yourself open to attacks so at the very least make sure you have either the Microsoft XPSP2 firewall or one of these free firewalls: Kerio, Sygate, ZoneAlarm

ALSO: Keep Windows Updated! Many Windows updates are to close holes exploited by malicious programs and simply staying updated will keep a lot of infections off your system.

But what about Spy-ware?

What antispyware system should I use? Well first of all, a lot of decent antivirus solutions get spy-ware as well as ad-ware and viruses as they are all basically the same thing. They are all darn annoying and the primary reason new internet users run into trouble. Most of the anti-spy-ware solutions these days use all of the spy-ware and virus hassles to try and sell themselves - I have people calling me asking how to get spy-axe and spy-ware-killer OFF of their machines. These are not solutions being sold to enrich computer use, they are immature, trip-you-up pieces of software designed for a quick buck and some new users will be caught out. In my experience there is no anti-spy-ware solution - even the ones from Microsoft and the like - that catch most of the ad-ware and irritations that can be removed simply by going into Control Panel in Windows and removing everything you do not use or recognise.

If you are determined to use other means or have tried all of the above you can also run these on-line scans: Panda ActiveScan and HouseCall, although they require an ActiveX download which your firewall may object to.

The following examples are all free also, and can happily coexist on the same computer:

Free anti-spyware: MS AntiSpyware, Ad-Aware SE, Spybot S&D, SpywareBlaster

It is important that your computer is run at minimum functionality. Windows is like a pen-knife - it can do almost anything you need it to - but if you are not hosting a website then make sure that the Web-Hosting features are uninstalled. You can do this in Control Panel under add/remove programs and then by clicking add/remove windows components on the left (Windows XP - the others are similar.) Every bit of unnecessary functionality can be used against you so try and run a tight ship. Make sure you have a reason to keep everything you see in this screen. If you don't use network printing then get rid of it. If you don't use Fax services then get rid of them. Every one you can dump frees memory and so decreases the work your computer is doing to swap out the page-file, which equals more speed.

Once you have spy-ware/ad-ware or a virus infesting your system it will be taking you to an undesirable website or you will be getting pop-ups of some kind or whatever. Do not go running to the first advert you see. Your friends are the other people who have had the problem. Do a search on the Internet for a description of the symptoms and have a read of some articles that do not get money off of you for your custom. Forums and the like. There will be instructions. If you cannot get to a website other than the one to which you are unwittingly directed, go into Control Panel and add/remove programs, and get rid of anything with an incomplete name (by get rid of I mean uninstall it) or anything that you do not knowingly use. If you are unsure, then have a look in the documentation for the software name in question. Do not just uninstall everything you do not recognise; check the system again at each uninstall to see if the problem is cured so you know for sure which application was causing the problem.

Many viruses and the like kick-off their processes at boot up. There are many places in the Registry (a set of files that do a lot to tell Windows how it should behave) that these processes can give themselves shortcuts to start-up. If you go to the start button on your task bar and choose run and then type regedit into the box which appears, you will be presented with the registry editor. Beware!!!! The Registry is critical to Windows and if you mess about with it you can stop Windows booting up altogether so do not change anything without verifying the information from at least two sources!!! If you look at HKey_Local_Machine -> Software -> Microsoft -> Windows -> CurrentVersion -> Run and Runonce etc. you will see something like that below:

Many of the processes aggravating you or your computer are to be found here or other similar places in the Windows Registry. Note that in a lot of articles it is common to substitute HKLM for HKey_Local_Machine and that there are as many trouble causers as do-gooders so try and find a good source of information and verify it. Once you have found a source to be good more than a few times you can start to trust the information you find there.
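Rather than read the Run and RunOnce keys live in regedit, a safer habit is to export them to a text file (File > Export in regedit, or reg export on the command line) and review that, because nothing in the export can be changed by accident. The following is an added example, not code from the original post: a Python script that parses such an export and flags the patterns the post warns about, meaning entries that start from a temporary or per-user folder, entries that borrow a system binary's name outside the Windows folder, and entries with incomplete or meaningless names. The export text, the entry names and the %windir% expansion are all constructed for the example.

```python
import re
import ntpath

# Constructed export of the two Run keys in reg export format; hypothetical entries, not a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /background"
"svchost"="C:\\Documents and Settings\\Sam\\Local Settings\\Temp\\svchost.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"a"="%windir%\\a.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe /silent"
'''

# Assumed expansion for the example; a real audit reads %windir% from the environment.
WINDIR = "C:\\WINDOWS"
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
USER_AREAS = ("\\temp\\", "\\appdata\\", "\\local settings\\")

# "name"="value" lines; .reg escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # Undo .reg escaping: a backslash followed by any character stands for that character.
    return re.sub(r"\\(.)", r"\1", s)


def image_path(command):
    """Pull the executable out of a Run value, whether quoted or bare with arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def flags_for(name, image):
    """Heuristic warnings for one autostart entry; an empty list means nothing stood out."""
    low = image.replace("%windir%", WINDIR).lower()
    base = ntpath.basename(low)
    flags = []
    if any(seg in low for seg in USER_AREAS):
        flags.append("runs from a temporary or per-user folder")
    elif not low.startswith(TRUSTED_PREFIXES):
        flags.append("outside Program Files and Windows")
    if base in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        flags.append(f"system binary name {base} outside the Windows folder")
    if not re.search(r"[a-z]{3,}", name.lower()):
        flags.append("value name is incomplete or meaningless")
    return flags


def audit_run_keys(reg_text):
    """Return one dict per value under any key named Run or RunOnce."""
    entries = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_key = key if key.lower().rsplit("\\", 1)[-1] in ("run", "runonce") else None
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # dword:/hex: values cannot be commands; skip them
        name, command = unescape(m.group(1)), unescape(m.group(2))
        image = image_path(command)
        entries.append({"key": current_key, "name": name, "command": command,
                        "image": image, "flags": flags_for(name, image)})
    return entries


if __name__ == "__main__":
    for e in audit_run_keys(SAMPLE_REG):
        status = "; ".join(e["flags"]) or "nothing unusual"
        print(f"{e['name']:12s} {e['image']:55s} {status}")
```

A flag is a reason to look an entry up, not proof of infection, which is the same "verify from at least two sources" rule the post gives for editing the registry by hand.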

With issues like SpyAxe where the product repeats that you have a virus, remember a few things. If the product it is asking you to install is not already installed then how can the computer know it has a virus? 

Please feel free to submit any other spy-ware problems at http://forum.sircles.net for us to have a look at. If you wish to try an anti-spy-ware application to help clear up your PC, have a look at the anti-spy-ware review site for a decent opinion of which one works best as we prefer companies to be inspired to make a good product rather than just hard-selling via cheap viruses and ad-ware; if they keep trying to hard-sell you things, tell us, and we will find a better link.

Windows Server Security Practices

Elements Required for Active Directory

Microsoft DNS - This is a very different animal in Windows 2000/3 compared to NT4, not because of the way it does anything but because of what it is used for. Microsoft NT4 and Windows 95/98 use WINS - the Windows Internet Naming Service (rather confusingly named) - to locate each other over inter-connecting LANs. The system basically works with DHCP, the Dynamic Host Configuration Protocol, which ascribes an IP Address to your Network Interface Card and supplies the Default Gateway, DNS Server and WINS server and also registers you with WINS at the same time. One WINS server then replicates with another on another LAN and then the hosts can look up your workstation on their own LAN and the communication can be successfully routed between machines. DNS was simply for looking up domains on the Internet at this stage and had a 'Reverse WINS Lookup' feature for tracking down workstations from the DNS server. Microsoft DNS on Windows 2000 has the option of being entirely dynamic. It can be configured to live in Active Directory, has built in reverse lookup and is updatable just as WINS is from the DHCP server negotiation - better!

TCP/IP - The Transport Control Protocol / Internet Protocol. This is just moving from its fourth to sixth incarnation at present and it is a complicated protocol. It is routable in more ways than you can wave an Ethernet cable at and with version 6 supports IPSec as standard. It is the basis of nearly all inter communication of computers today; whether we are talking about Macintosh, Netware, Linux or Windows, they are most likely using TCP/IP to speak with their cohorts. Microsoft have favoured it for some time whilst Netware moved over at version 5. Macintosh jumped on the wagon (as opposed to leading the way as they normally do) and began dropping AppleTalk with the arrival of OSX. Although TCP/IP is referred to as a single protocol it is not. It is a standard set of amalgamated systems and the resultant protocol lives in layer 3 of the standard model. As with all other communications protocols, TCP/IP is composed of layers:
The Internet Protocol (IP) - is responsible for moving packets of data from one node to another. IP forwards each packet based on a four byte destination address (the IP address). The Internet authorities assign ranges of numbers to different organizations. The organizations assign groups of their numbers to departments. IP operates on gateway machines that move data from department to organization to region and then around the world. Each computer using the internet can do so because at some level it is using an IP address. Typically in most networks nowadays your LAN may have only one 'real' IP address at your router or firewall and your computer may use a 192.168.x.x or 10.1.x.x address. These are reserved address sets for computers in internal LANs and are assigned to no one. This is made possible by NAT and PAT which stand for Network Address Translation and Port Address Translation which is performed by your router or firewall so as to redirect any traffic your machine requested back to you.

The Transport Control Protocol (TCP)- is responsible for verifying the correct delivery of data from client to server. Data can be lost in the intermediate network. TCP adds support to detect errors or lost data and to trigger retransmission until the data is correctly and completely received. TCP makes TCP/IP a very robust system and allows different sections of the Internet to fall over and reroute data constantly and seamlessly.

Port Numbers - is a name given to packages of subroutines that provide access to TCP/IP on most systems. A socket is a combination of a port number and an IP Address and therefore uniquely identifies a network process on any individual network. There are many standardized port numbers such as 80 for HTTP and 25 for SMTP etc. A port number is basically a feature of a packet just like the routing header. It is a property that, instead of deciding where it is going, like the IP Address, it decides what it will do when it gets there and most likely whether it will be allowed to get there or not.
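The two ideas just described, a socket as an IP address plus a port number and NAT/PAT letting many private hosts share one real address while still getting their replies back, can be shown together. The following is an added example, not code from the original article: a small Python port address translator that assigns each outbound session a public port, maps replies back to the inside host, and drops anything unsolicited, which is the reason a NAT router on its own keeps a lot of the Internet away from the machines behind it. All addresses are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """A socket in the sense used above: one IP address plus one port number."""
    ip: str
    port: int


class PortAddressTranslator:
    """Minimal PAT: many private hosts share one public IP, told apart by the translated port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound = {}   # (inside endpoint, remote endpoint) -> public port
        self._inbound = {}    # (public port, remote endpoint) -> inside endpoint

    def translate_outbound(self, src, dst):
        """Rewrite an outgoing packet's source; returns (new_src, dst) as seen on the Internet."""
        if not ipaddress.ip_address(src.ip).is_private:
            raise ValueError(f"{src.ip} is not a private LAN address")
        key = (src, dst)
        if key not in self._outbound:
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[(port, dst)] = src   # remember who to hand the reply to
        return Endpoint(self.public_ip, self._outbound[key]), dst

    def translate_inbound(self, src, dst):
        """Map a packet arriving on the public IP back to the inside host, or None (dropped)."""
        if dst.ip != self.public_ip:
            return None
        # Only a reply to a session an inside host opened has a table entry.
        return self._inbound.get((dst.port, src))

    def sessions(self):
        return len(self._outbound)


if __name__ == "__main__":
    pat = PortAddressTranslator("203.0.113.5")     # constructed public address
    web = Endpoint("198.51.100.7", 80)              # constructed remote web server
    pc_a = Endpoint("192.168.1.10", 51000)
    pc_b = Endpoint("192.168.1.11", 51000)          # same source port as pc_a
    pub_a, _ = pat.translate_outbound(pc_a, web)
    pub_b, _ = pat.translate_outbound(pc_b, web)
    print("A appears as", pub_a, "B appears as", pub_b)
    print("reply to A goes to", pat.translate_inbound(web, pub_a))
    print("unsolicited SSH attempt goes to",
          pat.translate_inbound(Endpoint("198.51.100.9", 22), Endpoint("203.0.113.5", 40000)))
```

Two inside hosts using the same source port are distinguished only by the port the translator assigns, which is why the text above calls the port half of the socket the part that decides "whether it will be allowed to get there or not".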

Microsoft Active Directory - Don't be put off by the way this is continuously described by Microsoft as all sorts of different things. The simple nuts and bolts of it are most easily described as follows. AD is a secured and replicated set of files, shared around the domain or domains, that allows all of the clients and servers to share and use information. For those of us familiar with the nuts and bolts of a Windows PC, it's like a replicated registry that is shared around the Domain Controllers. It sits in different files, just like the registry does, and it can be edited with a straightforward tool, just like the registry. It relies on five central roles for a forest to function. (A forest is a collection of domain trees - yes, I know, very clever etc.) The replicated information that is shared to non-DC clients is stored in the SYSVOL share on a DC, and there will be a folder inside for each domain storing policies, scripts and other information. The old Netlogon share is now inside the shared SYSVOL directory but is still shared as Netlogon for backwards compatibility. The database of all DC-only AD information is kept inside %systemroot%\SYSVOL - note that the SYSVOL folder shared to clients is inside the first SYSVOL directory, i.e. at %systemroot%\SYSVOL\SYSVOL. The database itself and the log files are by default kept in %systemroot%\WINDOWS\NTDS, but the location can be specified when installing Active Directory on a server.

FSMO Roles - Flexible Single Master Operations (pronounced by all the guys on the Microsoft websites as 'Fuszmo'). So there you are: after all of the fuss Microsoft made about Windows 2000/3 no longer requiring a PDC or BDC, it turns out that there are five different sorts of the darn things.
PDC Emulator - All Windows NT fans know what this guy is bound to do. He emulates the old PDC for the sake of backwards compatibility. He also creates group policy objects and synchronizes the w32time service.
RID Master - Hands out the Global Unique Identifiers to each Domain Controller. Each object in Active Directory must have one to be indexed in the registry-like list. The RID Master hands out a different set to each DC for labelling all of the objects created on it.
Infrastructure Master - This guy is the Ambassador. He monitors everything to do with memberships of trusts and other domains. He checks that you are allowed into the country by having a good look at your passport - well, you know the way things are these days.
Domain Naming Master - This ol' gal is the only central repository for child domain names. There is only one, in an attempt to prevent duplicate domain names. Just as well; duplicate computer names are bad enough!
Schema Master - This fellow is responsible for changes to the schema of Active Directory. In other words, he is the man who alters the way in which data is stored inside any type of object. If you want to add a field to the standard computer object then you've got to ask him.

OK, so there we have it. It is worth remembering that Active Directory is dependent not only on all of the FSMO roles but also on TCP/IP and Microsoft DNS, because without either there is no transport to or from Active Directory.

So based on these observations we will start with a few pointers. When you are building or designing your new Windows Active Directory you will want to minimize network traffic and administration and to optimize ease of use. This may seem a confusing and daunting task, but let us get things in perspective. Active Directory goes a long way to doing this itself, and the design does not have to be completed before you begin your upgrades/installs. If it is not a huge network - i.e. fewer than 10 sites and 20 Domain Controllers - you are not going to notice a huge impact on how you do things anyhow, unless there are a lot of different bandwidth connections. Windows Active Directory is based on replication, and it can cause networking problems and bottlenecks when it gets itself confused and is using all of the available bandwidth, but these services can be stopped if they are bringing things to a halt whilst you work out what is going on. Active Directory does do some funny things just because of the order in which it is created, so make sure you design your upgrade path from the centre of your network, where the most bandwidth lies, moving out gradually toward the more remote, slower sites. But all of this is scare-mongering as much as anything else. If you are just upgrading or designing a single LAN network then the most important part is to choose the correct specification of servers and make sure you have checked with manufacturers and software designers that the upgrade paths have been tested and are supported. (This still doesn't guarantee anything, so if you can, test it on a dummy example.) The worst kind of Microsoft designers are those who come to the job with all of the AD knowledge in the world but have neglected to think about where the servers will be plugged in. Try to effect a policy of security and robustness in where the servers are and how they are looked after, as well as in how Windows is configured. Many server compromises are at source; remember that.

Some services work better together than others. The Domain Controllers should be DNS servers: there is no point having a domain controller if it has no access to DNS, and having DNS on board avoids the risk of losing communications while adding and removing Domain Controllers, which can lead to catastrophic results. If there is a DNS server on board then you always at least have a single copy of what is happening in the domain, and it can be replicated once network communications have been restored. If there is only one DC in a site then it should be set as a Global Catalogue; a Global Catalogue keeps a copy of every object in the forest, and if a site needs information on part of the forest it must be able to retrieve it without running home to momma down a slow connection. Sometimes replication must be scheduled to copy to more remote sites when the office is out of use, to conserve bandwidth, but replication can always be halted if a connection is beginning to feel the strain. Sites are important and define the replication characteristics of Active Directory. A site boundary should indicate where there is a connection to the main LAN over a lower bandwidth; just because you need a separate Windows site doesn't mean a separate Exchange site - Exchange is another animal when it comes to designing site boundaries.

A dedicated Domain Controller is always a good idea: a server that can deal with the FSMO roles, which need not be distributed over different servers unless your domain exceeds 2000 clients. The FSMO roles are a difficult point because each is a single entity for an entire domain. With enough changes being made to the domain, the workload can become such that you will have to redistribute the roles to multiple servers; the name-changing role and the schema and operations master are a good place to start. As a rule, if you are including Microsoft Exchange, the Domain Controllers should have the Active Directory Connector for Microsoft Exchange installed, and it is also a good machine to have in charge of your antivirus and DHCP. WINS should be phased out once all clients and servers have been moved over to 8 or 10, and your network performance and reliability should start to increase as duplicate WINS entries and the need to replicate the WINS servers become things of the past.
 
Lastly, always change the logon name for the Administrator account to something difficult to guess, as a lot of the scripts that people run trying to compromise security rely on password lists which presuppose the Administrator account login name.

Encryption and Security

8. January 2017 12:15 by sirclesadmin in Internet, Internet Security, VPN

So what is a VPN and is it useful to me? What is encryption and how does it work? Mystified? Well, have a read on for some simple(ish) explanations of some of the more common security terms. A VPN is exactly what is being described: it is a virtual private network. In other words, it is information that is sent between two parties who have a shared prerequisite of knowledge that allows them to decode each other's messages. This is referred to as a tunnel because no one outside of our pre-shared information can see what is within, because the information is encrypted and authenticated; that is, each party can be sure of the identity of the sender and that no one was able to understand or change the information since it was sent.

A type of tunnelling is in evidence every time you purchase something online or log in to an account with a website such as eBay, and this is called public/private key encryption. In the case of eBay, they do not know if the computer you are using is who it says it is - it has no certificate to authenticate with. The only important thing is that your computer believes eBay are who they say they are, and your computer verifies this because eBay use a certificate that is issued by a Certification Authority that Microsoft or Macintosh have verified as authentic, and so your computer trusts the certificate and encrypts the information using the private key included in it. eBay trust you because, once the encrypted tunnel between you and eBay is working, they ask you for your password, which is sent as encrypted traffic using the authenticated certificate eBay supplied. This form of encryption is typically used by the Secure Sockets Layer (SSL) or its successor TLS - Transport Layer Security.

In a VPN, both parties must know who the other is, and this is usually achieved with a shared secret combined with a hash algorithm, known as a keyed hash algorithm. A hash algorithm takes a message of any length and returns a fixed-length hash, which is very difficult to fake because it is infeasible that you could find two messages that would give the same result. The two parties add an incrementing number to transmissions so that someone trying to decode and fake messages will not be verified, as they will not be including the incrementing number in subsequent messages. Once authenticated, further communication is made using symmetric ciphers, which rely on encrypting information using a pre-shared secret. The disadvantages are that the two parties must have previously exchanged secure information and that the secret must be constantly changed to prevent the encryption being compromised.
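
As an added illustration of the keyed hash plus incrementing number just described (example code written for this article, not taken from the original post; the shared secret and the apple-count messages are constructed values), the Python below uses HMAC-SHA256 as the keyed hash over both the sequence number and the payload. The receiver then rejects the three things the text says it should: a replayed old message, a message altered in transit, and a message from someone who does not hold the secret.

```python
import hashlib
import hmac
import json

# Constructed pre-shared secret for the demo. In a real VPN this comes from the
# key exchange or the configured pre-shared key, never from source code.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"

def _canonical(seq: int, payload: str) -> bytes:
    """Both sides must hash exactly the same bytes, so serialise deterministically."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()

def make_message(secret: bytes, seq: int, payload: str) -> dict:
    """Sender side: attach the incrementing sequence number and a keyed hash
    (HMAC-SHA256) computed over the number and the payload together."""
    tag = hmac.new(secret, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}

class Receiver:
    """Receiver side: accepts a message only if the keyed hash verifies under the
    shared secret AND the sequence number is newer than anything already seen."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_seq = -1

    def accept(self, msg: dict) -> tuple:
        expected = hmac.new(self.secret, _canonical(msg["seq"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag check itself leaks nothing.
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "bad tag: wrong secret or message altered")
        if msg["seq"] <= self.last_seq:
            return (False, f"replay: seq {msg['seq']} already seen")
        self.last_seq = msg["seq"]
        return (True, "ok")

def demo() -> list:
    """Walk through the cases the text describes; returns the receiver's verdicts in order."""
    rx = Receiver(SHARED_SECRET)
    m1 = make_message(SHARED_SECRET, 1, "harvested 40 apples")
    m2 = make_message(SHARED_SECRET, 2, "harvested 55 apples")
    forged = dict(m2, payload="harvested 5 apples")            # altered in transit, old tag
    no_secret = make_message(b"guess", 3, "harvested 99 apples")  # sender without the secret
    return [rx.accept(m1), rx.accept(m2), rx.accept(m1), rx.accept(forged), rx.accept(no_secret)]

if __name__ == "__main__":
    for ok, reason in demo():
        print("accepted" if ok else "rejected", "-", reason)
```

Note the order of the checks: the tag is verified before the sequence number is consulted, so an attacker who cannot produce a valid tag never gets to influence the receiver's replay window.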

The main thing to bear in mind is that it is all the same. Sure, there are different methods of encryption and different methods of authentication, but as long as both are ensured to a sensible level we are more or less talking about the same thing. In the main, the difference between a VPN and normal use of TLS or SSL communications comes down to authentication: VPNs require valid hosts at both or all ends.

How does any of it work, though? Let's take a look at Public Key Encryption. SSL and its successor TLS both use Public Key Encryption, as does the new IP version, IPv6, which uses IPsec - Internet Protocol Security - to encode all traffic. I must take this opportunity to warn you that none of this is necessary knowledge to put a working VPN system in place, so don't come back complaining it wasn't in your Microsoft exam.

I want to tell my friend Marc how many apples I have collected from the orchards where we work, but I do not want Rob or his competitive friends to know, so that they do not deliberately stay longer so as to collect just a few more. I therefore devise a simple coding in advance with Marc: I will give a sign when I am about to say my collected number of apples, and that amount will be 'encoded'. For instance, I might give a sign to Marc by climbing onto my bike and ringing the bell - a sign that can easily be mistaken by Rob and his friends as meaning we are about to head off home anyway - and then Marc will know that the amount I say will be multiplied by five. Five in this example is sufficient because Rob and his friends would have to spend so long collecting apples to compete that they will give up virtually before they start, and still have no real idea how many apples I may have collected. This amount is 'encoded' (in this example by private key encryption) because both of us know my private key - that the amount is multiplied by 5.

So what we are in effect creating is a private key tunnel: a way of communicating securely as long as we have a secure way of exchanging our private key and we can recognise each other and our own pre-agreed method of encryption - i.e. we can successfully Authenticate and Encrypt. But what if matters were different? What if Marc and I were separated and had no secure means of exchanging our private keys? Well, a method which allows us to achieve this is a relatively simple mathematical function, but it is fairly slow to encrypt. It is referred to as Public Key Encryption and was developed at GCHQ in Britain by three men: James Ellis, Clifford Cocks and Malcolm J. Williamson. James Ellis had come up with the idea of Public Key Encryption but had not conceived how to implement it. Clifford Cocks - who was also working at GCHQ - heard of the idea, was intrigued, went home and literally thought up the system in less than half an hour. Cocks's system did, however, work with a specific value for the public exponent (see below), and in 1974 Malcolm J. Williamson proposed using a general public exponent. The system is known as the Diffie-Hellman key exchange for one very important reason. GCHQ is the British equivalent of the NSA and is responsible for the encryption of secret messages on behalf of the MOD (Ministry of Defence) and also for the decoding of any suspicious messages intercepted in the UK. The fact that this method had existed - at least in secret - since the early 1970s was not discovered until 1997, when Cocks was allowed to divulge the information relating to a technology for which GCHQ had never found much use. It was, however, of no consequence by this time, as in 1976-7 Ronald Rivest, Adi Shamir and Leonard Adleman discovered and published the same system, and soon a real use for the functionality would make RSA one of the most commonly found pieces of software on the planet.
It should be noted that the military are not so interested in Public Key Cryptography, usually because a pre-shared code can be easily exchanged, and the early computers at the time of invention could not perform the math.

So how does it work? How can there be a secure way of knowing that the person I am talking to is really who they say they are, and also of knowing that no one else will know what we are saying? Firstly, it is not true to say that no one can know what we are saying, just that if we encrypt our messages with sufficiently large values for our formulae, the chance of anyone working out a single exchange until long after we have stopped talking is very slender.

The system works by the two parties choosing a prime number and a base to create a one-way trapdoor effect. Let us go back to the orchard to see how Marc and I can use these numbers now that we are trying to communicate the totals of apples harvested that working day by email and are wary of Rob and his cohorts reading our clear-text emails. We must therefore exchange some kind of code that we will both know but that is not derivable from our exchanges.

Marc and I are going to choose the prime number 11 as our prime, so p = 11, and 3 as our base, so q = 3.

I am encoding my number of apples harvested for that day, and so I decide upon a secret integer, just as before, and this time I choose S = 9, so I encrypt the number as follows. I send Marc our base number raised to my secret, q^S mod p (q = 3, so 3 to the power 9; mod simply means the remainder left after you divide by p, so 3^9 = 19683, and 19683 / 11 = 1789.3636 recurring; we remove the integer part to be left with 0.3636 recurring and multiply by 11 again), which gives us our remainder of 4.

Marc chooses a secret integer too, M = 8, and then sends me q^M mod p, or 3^8 mod 11 = 5.

I compute (q^M mod p)^S mod p = 5^9 mod 11 = 9.

Marc computes (q^S mod p)^M mod p = 4^8 mod 11 = 9.

We have both derived the same value because q^(SM) and q^(MS) are equal. Bear in mind that M, S, q^(SM) and q^(MS) are the only values transmitted publicly; all of the other values are kept entirely private. Once this exchange has taken place we have arrived at a number (please bear in mind it only turned out to be the number Simon chose by chance, and would normally be a number unknown by either party until the calculation was carried out) that we can use to encrypt our apple harvest. As long as we use sufficiently large values for our secret and prime numbers - i.e. our prime was over 300 figures and our secret numbers for Simon and Marc over 100 figures - it would take even the most efficient algorithms known to humankind more than the lifetime of the universe to crack our system. Our new number, derived from performing the above with properly large values, becomes Marc's and my Secret Shared Key and may be used to encrypt future messages.
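
The exchange above carried through in Python, as an added example that is not part of the original post: first with the page's own values p = 11, q = 3, S = 9, M = 8, then with a freshly generated 256-bit prime and random secrets, finishing by hashing the agreed number into a fixed-size key as VPN software does. In the code the only numbers that cross the wire are q^S mod p and q^M mod p; S and M never leave their own side. The Miller-Rabin prime generator is included only so the demo runs offline and is an assumption made for the example; real VPN software uses standardized, vetted groups (for example those in RFC 3526) rather than ad hoc primes.

```python
import hashlib
import secrets

def dh_public(q: int, secret: int, p: int) -> int:
    """What each side sends over the wire: base q raised to its secret, modulo prime p."""
    return pow(q, secret, p)          # three-argument pow is modular exponentiation

def dh_shared(received_public: int, secret: int, p: int) -> int:
    """What each side computes privately afterwards: (other side's public)^own secret mod p."""
    return pow(received_public, secret, p)

def orchard_example() -> dict:
    """Exactly the numbers used in the text: p = 11, q = 3, S = 9, M = 8."""
    p, q, s, m = 11, 3, 9, 8
    sent_by_me = dh_public(q, s, p)           # 3^9 mod 11
    sent_by_marc = dh_public(q, m, p)         # 3^8 mod 11
    my_key = dh_shared(sent_by_marc, s, p)    # 5^9 mod 11
    marcs_key = dh_shared(sent_by_me, m, p)   # 4^8 mod 11
    return {"sent_by_me": sent_by_me, "sent_by_marc": sent_by_marc,
            "my_key": my_key, "marcs_key": marcs_key}

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test; demo-grade, see the lead-in."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:                 # write n - 1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a is a witness that n is composite
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # right size, odd
        if is_probable_prime(candidate):
            return candidate

def exchange_with_real_sizes(bits: int = 256) -> tuple:
    """The same two steps with a large random prime and random secrets. Returns
    (did both sides agree?, SHA-256 of the agreed number as the usable key).
    The page's 'prime over 300 figures' is roughly a 1000-bit prime."""
    p = random_prime(bits)
    q = 2
    s = secrets.randbelow(p - 2) + 1      # my secret, never transmitted
    m = secrets.randbelow(p - 2) + 1      # Marc's secret, never transmitted
    k_me = dh_shared(dh_public(q, m, p), s, p)
    k_marc = dh_shared(dh_public(q, s, p), m, p)
    key = hashlib.sha256(k_me.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()
    return (k_me == k_marc, key)

if __name__ == "__main__":
    print(orchard_example())
    print(exchange_with_real_sizes())
```

Hashing the agreed number before using it is the usual final step: the raw shared value is not uniformly distributed, and a key derivation step gives both parties a fixed-size key suitable for the symmetric cipher that follows.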

In reality there are more factors that must be taken into account to verify authentication, so as to make sure that I am talking to Marc and not someone impersonating him. This incorporates assigned certificates and certificate authorities, just like those that you use every time your browser tells you that you are entering a secure zone and the http:// at the front of the web address (URL) you are visiting is replaced by https://. This is the most typical use of SSL or TLS - to secure web pages.

A Note on the Truth

There are other variants of encryption used when communicating across the Internet to form VPNs, such as block ciphers like 3DES and AES/Rijndael, which are very commonly used in tunnelling, often in partnership with hash algorithms like SHA1 or MD5. In truth it is some or all of these security measures acting together that represents most modern VPN tunnelling systems used in equipment like the Checkpoint NG, Windows Server or Cisco PIX. 3DES is still typically the cipher, even though it is 56-bit DES performed three times, and SHA1 is used as the hash algorithm for authentication. Both of these technologies are being superseded by AES/Rijndael and SHA2.

Oi Windows 10, give me back my PC !!!!

If you are, like me, a very boring web user who doesn't go to many unknown websites or watch lots of unsubscribed videos etc., then you might be feeling a little annoyed with the new 'compulsory real-time monitor' arrangement that Windows 10 suffers from. It is, of course, a sign that your computer's hard disk drive is now performing two or three times the work for many operations compared to how it was functioning on Windows 7. Real-time scanning (as the word real-time is supposed to explain) means that every file your computer needs to open is examined in advance by a proprietary process before the system comes into contact with it. Now there are two reasons why I don't like this thinking. The first is the obvious performance problem (and whether that wastes more time, energy and money than all the viruses in the world put together is another question). The second is that Windows 10 downloads so many updates of such unbelievable magnitude that they kill the performance of your machine and the Internet, so what is the point of Windows Defender anyway? This is further compounded by the fact that Windows Update, like Windows Defender, now appears to be compulsory.

OK, so let's have a look at all of the components and how we can disable them, as Microsoft have recently started to run scheduled tasks to make sure that the most performance-hungry Windows processes are restarted and re-enabled at regular intervals, such as SharePoint Sync in Microsoft Office and Defender in Windows 10.

So we will begin by using the simplest and safest way to disable the Windows Defender Components, using the registry editor.

If you press the Windows key, type 'regedit' and press Enter you will be presented with the Registry Editor, and you will need to navigate to the following area:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

This means that under HKEY_LOCAL_MACHINE you expand the folders (called keys in Registry Editor; even though they look the same, they are not folders, they are completely different).

When you find the correct key, highlight it on the left, then right-click on the right-hand side, below the (Default) value, and select New > DWORD (32-bit) Value.

Give the DWORD the name DisableAntiSpyWare and, once it has been created, double-click the DWORD, enter the value '1' and press OK so that you have the below:

Now let's try restarting Windows 10....

OK, so according to the above view from the taskbar, the Windows Defender application is not running. Let's have a check under the services running by clicking the Start button and typing services.msc

OK excellent, the service has been stopped and is now set to manual. This is going to speed us up nicely. But now how do we stop the automatic updates from hogging all of the bandwidth and disk speed?

Well, there are many sites telling me to use metered connections or policies to disable this function, but the Windows Update feature can be disabled by opening up the services.msc applet and disabling the service, finding it as follows:

NB: this service has already been disabled here, but yours will not have been.

Now double-click the update service and choose the start-up type:

Once it is set to Disabled, click OK to confirm.

Now we are back in control of our Windows 10 PC, and our Internet connection, RAM, hard disk and CPU are all our own again.

Configure Outlook not to display autodiscover certificate errors for certain domains

8. September 2016 13:06 by sirclesadmin in Domain Names, Internet, Internet Security
  1. Close Microsoft Outlook first.
  2. Start Registry Editor. To do this, use one of the following procedures, as appropriate for your version of Windows.
    • Windows 10, 8.1 & 8: Press [Windows Key + R] to open the 'Run' dialogue; type regedit and then click OK.
    • Windows 7: Click the Start button, then type regedit in the search box, and then press Enter.
  3. Locate and then highlight this subkey (yellow folder):
    HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\AutoDiscover\RedirectServers (xx.0 is your Office version: 2016 is 16.0, 2013 is 15.0, etc.)
    You can use the following registry subkey instead if you wish:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\xx.0\Outlook\AutoDiscover\RedirectServers
  4. Click the Edit menu, point to New, and then click String Value.
  5. Type the name of the HTTPS server to which AutoDiscover should connect without warning the user, and then click OK. To allow connection to https://*.sircles.net, the first String Value (REG_SZ) name would be as follows:
    sircles.net
  6. You should not add text to the Value data field. The data column must remain empty for any string values you add.
  7. To add further HTTPS servers to which AutoDiscover can connect freely, repeat steps 4 and 5 for the appropriate URLs.
  8. You can now exit Registry Editor.
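
Both the Windows Defender post and the Outlook AutoDiscover post above come down to a hand-edit in Registry Editor, and the quickest way to confirm what actually landed (or to spot the Defender change on a machine where nobody intended it) is to export the keys with File > Export and read the .reg file. The Python below is an added example written for this page, not code from it: it parses the .reg export text format and audits it for both edits. The sample export is constructed; the Office version 16.0 and the example.invalid entry are assumptions for the demo.

```python
import re

# Constructed sample of a Registry Editor export (what File > Export produces),
# containing the Defender policy value from the first post and the AutoDiscover
# RedirectServers key from the second, plus one deliberately wrong entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers]
"sircles.net"=""
"example.invalid"="https://autodiscover.example.invalid"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: raw_data}}; raw_data keeps the
    export's own encoding, e.g. '""' for an empty string or 'dword:00000001'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys

def reg_dword(raw: str) -> int:
    """Decode a 'dword:xxxxxxxx' export value (hex) to an int."""
    if not raw.startswith("dword:"):
        raise ValueError(f"not a DWORD: {raw}")
    return int(raw[len("dword:"):], 16)

DEFENDER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
REDIRECT_SERVERS_RE = re.compile(r"\\Outlook\\AutoDiscover\\RedirectServers$")

def audit(keys: dict) -> list:
    """Findings: Defender switched off by policy, and each RedirectServers entry,
    flagged if it carries data (the Outlook steps say the data must stay empty)."""
    findings = []
    policy = keys.get(DEFENDER_POLICY_KEY, {})
    if "DisableAntiSpyware" in policy and reg_dword(policy["DisableAntiSpyware"]) == 1:
        findings.append("Windows Defender is disabled via the DisableAntiSpyware policy value")
    for path, values in keys.items():
        if not REDIRECT_SERVERS_RE.search(path):
            continue
        for name, data in values.items():
            if data == '""':
                findings.append(f"AutoDiscover trusts https://*.{name} without a certificate warning")
            else:
                findings.append(f"RedirectServers entry {name!r} has non-empty data {data}; it will not work as intended")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("-", finding)
```

Run it over a real export by reading the file with `open(path, encoding="utf-16")` (Registry Editor writes exports as UTF-16) and passing the text to `parse_reg_export`; the same parser serves for any other key you want to keep an eye on.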