WiFi Security at Home

Posted on December 20, 2012

Wireless networks (aka WiFi) are in pretty much every home. What most people aren't aware of is how easy it is to open them up to unauthorized access by accident. A badly configured wireless router exposes your personal information and lets strangers use your internet connection, including for illegal activity that will be traced back to your address.

The following steps will reduce that risk:

  • Change the default admin username and password: Every router ships with a default administrator password, and the defaults for almost every model are a web search away. Change the router's admin username (where the router allows it) and password before making any other changes, and do not reuse the WiFi passphrase for it.
  • Disable WPS (WiFi Protected Setup): WPS lets a device join with an 8-digit PIN instead of the passphrase, and that PIN can be guessed in a matter of hours; once an attacker has the PIN the router hands over the WPA/WPA2 passphrase. Disable it in the router's admin pages (see the WiFi Protected Setup PIN vulnerability post below for why).
  • Change the WiFi SSID: The SSID is the name of your WiFi network. Change it to something unique that is not associated with you or your family.
  • Choose a strong encryption method: Do not leave your WiFi network unsecured or "open". Use WPA2 with AES (also shown as CCMP) wherever your devices support it; use WPA/TKIP only as a last resort for old devices, and never use WEP, which can be broken in minutes with freely available tools.
  • Choose a strong WiFi passphrase: WPA/WPA2 passphrases can be 8 to 63 characters; make yours long (16 or more), unique, and not a dictionary word or a phrase about you. Something of the form FG$$#gat1299MDB (upper and lower case, digits and punctuation mixed) is the pattern to follow; do not use that exact string, since it is published here.
  • Change your WiFi passphrase regularly: Anyone you've given the passphrase to has access to your network, and you cannot guarantee they will keep it secret. Change it whenever someone who had it no longer should (a guest, a contractor, a device that was lost or sold), and periodically otherwise.
  • Disable access when not in use: If you plan on leaving your home for a long period of time, for example while on vacation, power off your router. Nobody can gain access to a network that is switched off.
  • Enable MAC filtering: Every device that connects to a WiFi network has its own identifier, a MAC address, similar to the licence plate on your vehicle. With MAC filtering enabled the router only accepts the addresses you have registered and rejects every other one. Be aware that MAC addresses are sent unencrypted with every frame and can be copied by anyone within range, so treat filtering as a minor hurdle rather than a real barrier; it is no substitute for WPA2 and a strong passphrase.

Many of these settings can be easily configured with the help of your router’s quick-start guide or user manual. If you have questions or would like assistance with your WiFi network, please contact our helpdesk for a consultation.
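As an added example (not part of the original post, and not code from any router vendor), here is the same checklist applied to a hostapd configuration, the access point software used on many Linux-based routers: a weak config, the corrected one, and a small audit that flags open or WEP networks, WPA/TKIP, enabled WPS and short passphrases. Both configs, the SSIDs and the passphrase are constructed for the example; the audit only looks at values set explicitly, not hostapd's defaults.

```python
"""Audit a hostapd.conf against the home WiFi checklist.

Added example (not from the original post). The two configs below are
constructed; names, channel and passphrase are made up.
"""

WEAK_CONF = """\
interface=wlan0
ssid=SmithFamily
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
wps_state=2
ap_pin=12345670
"""

HARDENED_CONF = """\
interface=wlan0
ssid=maple-7kq
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Quilt-Harbor-Lantern-83-Orbit
wps_state=0
"""


def parse_hostapd(text):
    """key=value lines into a dict; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return findings against the checklist; an empty list means the config passes.

    Only explicit settings are inspected (hostapd's own defaults are not modelled).
    """
    c = parse_hostapd(text)
    findings = []
    wpa = int(c.get("wpa", "0"))            # bit 1 = WPA, bit 2 = WPA2 (RSN)
    if any(k == "wep_default_key" or k.startswith("wep_key") for k in c):
        findings.append("WEP keys configured: WEP is broken, remove them")
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 configured; set wpa=2")
    elif wpa & 1:
        findings.append(f"wpa={wpa}: WPA still allowed; set wpa=2 for WPA2 only")
    ciphers = (c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher enabled; use rsn_pairwise=CCMP")
    if wpa and "CCMP" not in ciphers:
        findings.append("no CCMP (AES) pairwise cipher configured; set rsn_pairwise=CCMP")
    if c.get("wps_state", "0") != "0":
        findings.append(f"wps_state={c['wps_state']}: WPS enabled; set wps_state=0")
    passphrase = c.get("wpa_passphrase")
    if wpa and passphrase is not None:
        if not 8 <= len(passphrase) <= 63:
            findings.append("wpa_passphrase must be 8 to 63 characters")
        elif len(passphrase) < 16 or passphrase.isalpha() or passphrase.isdigit():
            findings.append("wpa_passphrase is short or single-class; use 16+ mixed characters")
    if c.get("macaddr_acl") == "1":
        findings.append("note: macaddr_acl=1 allow-list is on; MAC addresses are spoofable, "
                        "so this is a hurdle, not a control")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_hostapd(conf) or "OK")
```

The weak config trips five findings (WPA-only mode, TKIP, no AES, WPS on, a dictionary-word passphrase); the hardened one passes. A config with no `wpa` line at all is reported as open.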

Securing your mailbox and other accounts

Posted on November 19, 2012

Creating a strong password is one of the most important steps for securing your computer, yet I run into weak or insecure passwords almost daily.

Here are a few guidelines I follow when creating a new, secure password:

  • Length: create a password longer than 12 characters; length does more for you than any other rule below
  • Complexity:
    • Use both letters and numbers
    • Include non-alphanumeric characters, such as: ! @ # $ % ^ & *
    • Avoid your name, birthday, company name, or other personal information that can be easily guessed; don't use Sunfire in your password if you drive a Sunfire
    • Avoid keyboard and number sequences such as 'qwerty' or '12345', and runs of the same character
    • Substituting numbers for letters (5 for S, 3 for E; 'h3l10' instead of 'hello') helps less than it looks: password-cracking tools try these substitutions automatically, so a substituted dictionary word is still a weak password. Use it on top of the other rules, not instead of them
  • Avoid similarity: Change your password every three months, and make the new password different from the old one. Do not just change or add one character; change the whole password
  • Variation: Do not use the same password for everything. Create a completely different password for Windows, your email and your banking website. If one of them is exposed, the others remain protected

It is important to keep in mind that your password is only secure as long as it remains a secret. Writing it down can help you remember it, but SIRKit strongly recommends that you do not keep your password written down at all, and certainly not on or in your desk, on a sticky note on your monitor, or under your keyboard.

As well, do not share your password with anyone. If you must (for example so someone can cover for you while you are on vacation), change it as soon as you are back.
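Added example, not from the original post: the guidelines above as a check a helpdesk could run before accepting a new password. It also shows why the substitution rule deserves a caveat: after undoing the usual swaps (3 for E, 1 for l or i, 0 for O, $ for S), 'h3l10' reads as 'hello' again, which is exactly what password-cracking rules do. The word list, the sequences and the personal terms are constructed placeholders; a real check would use a full dictionary.

```python
"""Check a candidate password against the guidelines in the post.

Added example (not from the original post). COMMON_WORDS and KEYBOARD_RUNS
are short constructed placeholders for a real word list.
"""
import re

# Substitutions cracking rules undo first; '1' can stand for l or i.
SUBS = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}
COMMON_WORDS = ("password", "hello", "welcome", "summer", "letmein")
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef", "098765")


def readings(pw):
    """Every way to read pw with the substitutions in SUBS undone."""
    out = [""]
    for ch in pw.lower():
        out = [prefix + alt for prefix in out for alt in SUBS.get(ch, ch)]
    return out


def check_password(pw, personal_terms=()):
    """Return the guideline violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) <= 12:
        problems.append("length: must be longer than 12 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("complexity: needs both letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("complexity: needs a non-alphanumeric character")
    low = pw.lower()
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("pattern: contains a keyboard or number sequence")
    if re.search(r"(.)\1\1", pw):
        problems.append("pattern: same character three or more times in a row")
    alts = readings(pw)                      # substituted spellings, for the checks below
    for term in personal_terms:
        t = term.lower()
        if t in low or any(t in alt for alt in alts):
            problems.append(f"personal: contains '{term}'")
    for word in COMMON_WORDS:
        if word in low:
            problems.append(f"dictionary: contains '{word}'")
        elif any(word in alt for alt in alts):
            problems.append(f"dictionary: '{word}' with letters swapped for numbers")
    return problems


if __name__ == "__main__":
    for candidate, personal in (("h3l10", ()), ("Sunfire2012!!", ("Sunfire",)),
                                ("$unf1re2012!!", ("Sunfire",)), ("FG$$#gat1299MDB", ())):
        print(candidate, check_password(candidate, personal) or "OK")
```

'h3l10' fails on length, on the missing symbol, and on the dictionary check despite the substitutions; '$unf1re2012!!' is still caught as containing the owner's car model; the passphrase pattern from the WiFi post passes.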

Windows Domain DFS namespace – access is denied using domain FQDN, access allowed using server UNC paths directly

Posted on November 5, 2012

This was easily one of the most frustrating and ridiculous fun times I've had working with DFS.

The issue: At several client sites we provide file-server redundancy with two DFS-R servers: a domain-based namespace whose folder targets are replicated between the two servers, so the data stays available when one of them is down for planned or unplanned reasons. Group Policy folder redirection points at namespace paths:

  • "documents" -> "\\domain.com\users\username\documents"
  • "desktop" -> "\\domain.com\users\username\desktop"
  • ......

By referencing the namespace, clients are sent to whichever server is online. This design assumes a LAN: replication between the two targets must be fast enough that users never see stale data, so do not use it across a WAN link. The problem first showed up as drives mapped to the namespace going missing; the client event logs showed "access denied" errors for those drive letters.

What we checked and verified:

  • Problematic client stations could not connect to "\\domain.com\dfsroot"  (access denied)
  • Problematic client stations could not connect to "\\domain\dfsroot" (access denied)
  • Problematic client stations could connect to "\\serverA\dfsroot"
  • Problematic client stations could connect to "\\serverB\dfsroot"
  • Permissions on the shares for the DFS Root folder were correctly set to "everyone" with read/write
  • Each of these systems was removed and rejoined to the domain [no success]
  • The local profiles were completely removed from the local systems (file system and registry) and logged back in [no success]
  • Security suites were removed [no success]
  • Each user was tested on working machines and had no issues obtaining the right drives

The culprit:

  • When we disabled the Offline Files component and rebooted, "\\domain.com\dfsroot" was immediately accessible.

We ultimately came to this conclusion:

The Offline Files cache was corrupt. With Offline Files disabled the client accesses the namespace directly without issue, which shows that the namespace path is being served through a reference held in the Offline Files cache; when that cache is corrupt you get "Access is denied". A quick way to tell a corrupt cache from a permissions problem is to open the DFS root share on each server directly: if you can browse the contents when bypassing the namespace path, and the same user has no issues on other domain PCs, it is not permissions.

The Fix:

1) Disable offline files

Control Panel -> Sync Center -> Manage Offline Files -> Disable Offline Files

2) Clear the offline file cache

This adds a temporary registry value that is read at start-up and triggers the cache wipe. From an elevated command prompt run:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Csc\Parameters /v FormatDatabase /t REG_DWORD /d 1 /f

3) Reboot

You must reboot to successfully wipe the offline file cache

4) Test the namespace path -> "\\domain.com\dfsroot"

If you can now browse the namespace contents, you can optionally re-enable Offline Files.
We understand the Offline Files component is critical to road warriors. You should be safe to re-enable it and reboot.

Control Panel -> Sync Center -> Manage Offline Files -> Enable Offline Files -> Reboot

After you log back in, check that you can still access the namespace path "\\domain.com\dfsroot" after running a forced sync. If there are still issues, repeat the checks under "What we checked and verified:" and then this fix.

Good luck!

Thumbnail previews not displayed in Windows Explorer

Posted on October 18, 2012

I recently ran into an issue with picture thumbnails not working; a preview of the picture would not display, only the picture icon would be shown.

This solution worked for me.

To enable the thumbnail view:

  1. Open My Computer (Windows Explorer)
  2. Press the ALT key on your keyboard to show the menu bar
  3. Select the Tools menu
  4. Select Folder Options
  5. Click the View tab
  6. Near the top of the list, if the option "Always show icons, never thumbnails" is checked, clear it
  7. Click Apply
  8. Click OK

Your thumbnails should now be displayed.

Windows backup failed with the following error code ‘2155348129’ – Hyper-V VSS Writer – [5] Waiting For Completion – Unexpected Error

Posted on October 15, 2012

We've run into several instances of this error on Windows Server 2008 R2 hosts running Hyper-V. The event logged when the backup fails looks like this:

Event ID: 521
The backup operation that started at '2012-10-15T01:44:31.444000000Z' has failed because the Volume Shadow Copy Service operation to create a shadow copy of the volumes being backed up failed with following error code '2155348129'. Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

Error 2155348129 (0x807800A1 in hex) has a number of causes. The most interesting one we found was disk space inside the guests: a few virtual machines had little or no free space on their volumes. An online backup asks each guest, through Integration Services, to create its own shadow copy, and a guest volume with no room for that snapshot makes the Hyper-V writer fail.

First determine if the issue is related to the Hyper-V Writer:

1) Open a command prompt
2) Run: vssadmin list writers

Look for:

Writer name: 'Microsoft Hyper-V VSS Writer'
Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
Writer Instance Id: {c73cdd59-f1d2-40be-b1b4-0c11449528a3}
State: [1] Stable
Last error: Unexpected Error

If the Hyper-V writer's "Last error" is anything other than "No error", the failure is in the Hyper-V VSS writer.

3) net stop vmms
4) net start vmms

Restarting the Virtual Machine Management Service (vmms) does not shut down running virtual machines, but it does interrupt Hyper-V management and any backup or snapshot in progress, so do it outside the backup window.

5) Check that the "Last error" has cleared:

vssadmin list writers

Look for:

Writer name: 'Microsoft Hyper-V VSS Writer'
Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
Writer Instance Id: {c73cdd59-f1d2-40be-b1b4-0c11449528a3}
State: [1] Stable
Last error: No error

6) Ensure every volume inside every virtual machine has at least 15% free space; the guest needs room for the shadow copy it is asked to create during the backup.
7) Re-run your backup and monitor

If it repeats, look at the other causes documented online, including resetting the permissions on the virtual machine folders.
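Added example, not from the original post: rather than reading the writer list by eye before and after restarting vmms, this parses the output of `vssadmin list writers` and returns the writers whose state is not stable or whose last error is not "No error". The two sample outputs are constructed in that format; the Hyper-V writer ID is the real one quoted above, every other ID is a placeholder.

```python
"""Flag unhealthy VSS writers in `vssadmin list writers` output.

Added example (not from the original post). The samples are constructed;
only the Hyper-V writer ID is real, all other GUIDs are placeholders.
"""
import re
import subprocess
import sys

HYPERV_WRITER_ID = "{66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}"

BEFORE_RESTART = """\
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-000000000002}
   State: [1] Stable
   Last error: No error

Writer name: 'Microsoft Hyper-V VSS Writer'
   Writer Id: {66841cd4-6ded-4f4b-8f17-fd23f8ddc3de}
   Writer Instance Id: {00000000-0000-0000-0000-000000000003}
   State: [1] Stable
   Last error: Unexpected error
"""
AFTER_RESTART = BEFORE_RESTART.replace("Last error: Unexpected error", "Last error: No error")

FIELDS = (("id", "Writer Id:"), ("instance", "Writer Instance Id:"),
          ("state", "State:"), ("error", "Last error:"))


def parse_writers(text):
    """Return one dict per writer: name, id, instance, state, error."""
    writers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"Writer name:\s*'(.*)'", line)
        if match:
            current = {"name": match.group(1)}
            writers.append(current)
            continue
        if current is None:
            continue
        for key, label in FIELDS:
            if line.startswith(label):
                current[key] = line[len(label):].strip()
    return writers


def unhealthy_writers(text):
    """Writers not in '[1] Stable' or carrying a last error other than 'No error'."""
    return [w for w in parse_writers(text)
            if not w.get("state", "").startswith("[1]")
            or w.get("error", "").lower() != "no error"]


def writer_status(text, writer_id):
    """(state, last error) for one writer ID, or None if it is not listed at all."""
    for w in parse_writers(text):
        if w.get("id", "").lower() == writer_id.lower():
            return w.get("state", ""), w.get("error", "")
    return None


if __name__ == "__main__":
    if sys.platform == "win32":    # on a real host, read the live writer list
        text = subprocess.run(["vssadmin", "list", "writers"],
                              capture_output=True, text=True, check=True).stdout
    else:                          # elsewhere, use the constructed sample
        text = BEFORE_RESTART
    for w in unhealthy_writers(text):
        print(f"{w['name']}: state={w.get('state')} last error={w.get('error')}")
    print("Hyper-V writer:", writer_status(text, HYPERV_WRITER_ID))
```

`writer_status` returning None is also a failure: if the Hyper-V writer is missing from the list entirely, vmms is not running or the writer never registered, which restarting vmms (steps 3 and 4) addresses as well.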

Updating your iPhone to iOS 6

Posted on September 25, 2012

As part of SIRKit’s ongoing effort to provide the best email service available, we would like to inform you about the latest iPhone operating system from Apple.

Apple’s iOS 6 offers many new features, including a new maps program with GPS-style spoken turn-by-turn navigation, improvements to Siri allowing for searching in Canada, new phone call features such as the ability to reply with a preset message instead of answering, a new Do Not Disturb option, as well as feature improvements and security updates to almost every other iPhone function.

In order to ensure you have the latest and most secure email and iPhone experience, SIRKit highly recommends updating to iOS 6 as soon as possible. iOS 6 is only available on the iPhone 3GS, 4, 4S and 5; if you do not see the iOS 6 update, your phone may not be a supported device.

***Please note: installing iOS 6 from the phone itself (over the air) requires a WiFi connection; it can also be installed through iTunes on a computer. Back up the phone (iTunes or iCloud) before you start. iOS 6 is a large update, so allow 20-60 minutes depending on your internet connection speed.***


To update to iOS 6:

  1. From your iPhone home screen, tap SETTINGS.
  2. Tap GENERAL.
  3. Tap SOFTWARE UPDATE.
  4. On the iOS 6 update screen, tap DOWNLOAD AND INSTALL.
  5. The download progress screen appears; wait for the download to finish.

Once the download has finished, you will see your iPhone reboot and finish installing the iOS 6 update. Once the update has finished, you may see your iPhone reboot again.

Once your iPhone has finished rebooting, you may be asked a few iOS 6 setup questions, such as signing in with your Apple ID, enabling Location Services, and setting up iCloud services. Once these final options have been selected, your iPhone will be the most up-to-date iPhone on the block!

WiFi Protected Setup PIN vulnerability

Posted on September 5, 2012

In December 2011 the United States Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, published a vulnerability note (VU#723755) describing a design flaw in WiFi Protected Setup (WPS) that affects most access points and routers that implement it.

WPS is a convenience feature for joining a wireless network without typing the WPA/WPA2 passphrase. In its PIN mode the access point/router has an 8-digit PIN, either printed on a label by the manufacturer or set by the owner in the admin pages, and any device that presents the correct PIN is handed the network's passphrase. Many routers also offer a push-button mode.

The flaw is in how the access point/router responds while a PIN is being checked. The PIN is verified in two halves: if the first four digits are wrong the access point rejects the attempt immediately, and only if they are right does it go on to check the rest. An attacker can therefore guess the first half on its own (at most 10,000 tries) and then the second half. Worse, the eighth digit is only a checksum of the first seven, so the second half has just 1,000 possibilities. Instead of the 100 million combinations an 8-digit PIN suggests, an attacker needs at most 11,000 attempts, which takes hours on a typical router. Once the PIN is recovered, the router hands over the WPA/WPA2 passphrase, so a strong passphrase provides no protection while WPS is enabled.
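To make the arithmetic above concrete, here is an added example (not from the original post, and not the code of any real attack tool) that computes the WPS check digit and shows how the two-stage answer reduces the search. The "access point" is a local simulation that answers the first-half and second-half checks the way the WPS messages do; nothing here touches a network, and the PINs used are test values.

```python
"""WPS PIN check digit and the reduced brute-force space.

Added example (not from the original post). SimulatedAccessPoint is a local
stand-in; it performs no wireless or network operations.
"""


def wps_checksum(first7):
    """Check digit for the first seven PIN digits (weights 3,1,3,1,3,1,3)."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly seven digits")
    total = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - total % 10) % 10


def is_valid_pin(pin):
    """True when an 8-digit PIN carries the right check digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class SimulatedAccessPoint:
    """Local stand-in for an access point with WPS PIN mode enabled.

    In the real protocol the attacker acts as an external registrar: the AP
    answers message M4 with M5 only if the first four digits were right, and
    M6 with M7 only if the last four were right; otherwise it sends EAP-NACK.
    That two-stage answer is all this class models.
    """

    def __init__(self, pin):
        if not is_valid_pin(pin):
            raise ValueError("AP PIN must be a valid 8-digit WPS PIN")
        self._pin = pin
        self.attempts = 0

    def first_half_ok(self, half):      # the M4 -> M5 / EAP-NACK step
        self.attempts += 1
        return half == self._pin[:4]

    def second_half_ok(self, pin):      # the M6 -> M7 / EAP-NACK step
        self.attempts += 1
        return pin == self._pin


def recover_pin(ap):
    """Return (pin, attempts): at most 10,000 + 1,000 tries instead of 10**8."""
    first = None
    for i in range(10_000):
        half = f"{i:04d}"
        if ap.first_half_ok(half):
            first = half
            break
    if first is None:
        raise RuntimeError("no first half accepted")
    for j in range(1_000):              # only 1,000 second halves: digit 8 is derived
        first7 = first + f"{j:03d}"
        pin = first7 + str(wps_checksum(first7))
        if ap.second_half_ok(pin):
            return pin, ap.attempts
    raise RuntimeError("no second half accepted")


if __name__ == "__main__":
    for secret in ("12345670", "99999995"):
        print(secret, recover_pin(SimulatedAccessPoint(secret)))
```

Against the test PIN 12345670 the search succeeds after 1,803 answers; the worst case (99999995) needs exactly 11,000. The real attack needs a full WPS handshake for every one of those answers, which is why it takes hours rather than seconds, and why vendor lock-outs after failed attempts slow it down without removing it.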

A quick, but not definitive, way to tell whether your access point/router supports WPS is to look for the WPS logo (two arrows forming a circle), usually printed on the back of the device next to a WPS button or the PIN itself. Check the router's admin pages as well: WPS can be enabled even when nothing on the label says so.

SIRKit Ltd. highly recommends the following steps be taken to minimize the risk of being exploited by this flaw:

  1. Update your access point/router’s firmware. Most manufacturers have released updates in response to this flaw. Be aware that many of those updates only add a lock-out after a number of failed PIN attempts, which slows the attack down rather than removing it.
  2. Disable WPS. This is the only reliable fix: with WPS off there is no PIN to guess. Do it even if you have updated the firmware, and afterwards confirm it is really off with a WiFi scanning tool that reports WPS capability, since a few routers keep answering WPS requests even when the setting is disabled.

A Few common access points/routers that have WPS capability are:

  • D-Link DIR-655 Xtreme N Gigabit Router
  • Linksys E2500 Advanced Dual-Band N Router

A few access points/routers that do not have WPS capability:

  • D-Link DIR-615 Wireless N 300 Router
  • D-Link WBR-2310 RangeBooster G Router

As always, SIRKit Ltd. will be more than happy to provide assistance updating your access point/router’s firmware, disabling WPS, as well as to source out access points or routers that do not have WPS capability.

Photograph by Andrew Binne

HP b110i Raid Controller installation on CentOS 6.x Linux

Posted on August 29, 2012

This installation process is specific to loading the driver during OS installation. The stock kernel in CentOS 6.2 and 6.3 does not include support for the HP B110i RAID controller, so you need to load the appropriate driver during the installation process. This process DOES NOT work for an operating system that is already installed.

When choosing the right drivers from hp.com, you need to know a few things:

1) Ensure you choose Red Hat Enterprise Linux 6 Server (x86_64) 
2) Download the U1 version
3) The file must end with .dd.gz (.rpm will not work)

To save you some time, the download page for the driver set as of this writing is here:

http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetails/?javax.portlet.endCacheTok=com.vignette.cachetoken&sp4ts.oid=5075943&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.tpst=62d565a4b5634a4ab8c8fa22b053ce01&javax.portlet.prp_62d565a4b5634a4ab8c8fa22b053ce01=wsrp-navigationalState%3Dlang%253Den%257Ccc%253DCA%257CprodSeriesId%253D5075942%257CprodNameId%253D5075943%257CswEnvOID%253D4103%257CswLang%253D8%257CswItem%253DMTX-cd1cfd0e0713409e8c9537c566%257Caction%253DdriverDocument&ac.admitted=1346276186016.876444892.492883150

Download the first file hpahcisr-1.2.6-13.rhel6u1.x86_64.dd.gz (135 KB)

Before using it, compare the file's checksum with the one HP publishes on the download page where one is provided: you are about to load a third-party kernel driver into the installer, and a tampered or corrupted download goes straight into the new system.

From a Linux prompt, decompress the file with gunzip:

gunzip hpahcisr-1.2.6-13.rhel6u1.x86_64.dd.gz

which gives you:

hpahcisr-1.2.6-13.rhel6u1.x86_64.dd

Copy this file to a USB stick (FAT32 is fine).

Now that you have your driver ready to roll, we need to load it.

1) Boot from the DVD or CD you created after downloading the ISO from a mirror. I prefer the netinstall image:

http://centos.arcticnetwork.ca/6.3/isos/x86_64/CentOS-6.3-x86_64-netinstall.iso

2) When the initial CentOS menu prompts you to choose install, upgrade, etc., press ESC

3) You will be given a boot prompt; type the following and press Enter (blacklisting ahci stops the stock driver from claiming the controller):

boot: linux dd blacklist=ahci

4) You will be given an interface to browse for your driver on the USB stick.

Find the drive and press Enter on "hpahcisr-1.2.6-13.rhel6u1.x86_64.dd". It should quickly initialize, locate the RAID controller and take you to the normal installation process.

That's it.

Make sure you look at the available drives after the driver loads and confirm you see the RAID volume, not the individual disks. If you see the individual disks, the driver did not take the controller (most likely the stock ahci driver got it instead) and installing would bypass the RAID; try another driver version.



Why is w3wp.exe CPU utilization is high – Exchange is slow – Active-Sync 2010 and iOS diagnostic tools

Posted on August 28, 2012

Microsoft is aware of, and working on, a known issue in which iOS devices cause high CPU utilization on Exchange servers. The exact cause varies from case to case, but in general it involves ActiveSync and how the iPhone communicates with the Exchange server. The issue is challenging; Microsoft's direct recommendation is to ensure all devices are up to date. A single ActiveSync device can eat up 90% or more of the server's CPU.

The good news is there are now scripts available to help you isolate the specific device(s) causing the issue.

I suggest you read this article thoroughly:
http://blogs.technet.com/b/exchange/archive/2012/01/31/a-script-to-troubleshoot-issues-with-exchange-activesync.aspx

To make life a bit easier, use the following steps.

1) If you find that the CPU is pegged, confirm which process is responsible. In Task Manager the process is w3wp.exe, an IIS worker process. Several w3wp.exe processes run on an Exchange server, so add the columns that identify the application pool (View -> Select Columns; they are hidden by default; the Command Line column shows the pool name after -ap) and confirm that the busy one belongs to the ActiveSync application pool. If the busy worker process is not the ActiveSync pool's, you are not dealing with the same issue.

2) Download the PowerShell script: http://gallery.technet.microsoft.com/scriptcenter/ActiveSyncReport-script-a2417a84

Read it before you run it, and save it with your other Exchange scripts under "C:\Program Files\Microsoft\Exchange Server\V14\Scripts"

3) Download and install Log Parser: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24659

4) Open the Exchange Management Shell and change directory to "C:\Program Files\Microsoft\Exchange Server\V14\Scripts"

Now that you're in the scripts folder ([PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>), we can start hunting down the source of your issue. Before we do, you should be aware that the script you are about to run can take 2-5 minutes to complete (depending on the size of your IIS logs). It will count the number of 'hits' a device has sent to your server. Anything over 1000 hits is high, anything over 1500 is very high.

Let's start by checking EVERY log against every device. This gives a general idea of which devices have had excessively high hits over a long period. The following line saves the report to "C:\EASReports", looks for devices with at least 1000 hits, and writes the result as an HTML report:

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -HTMLReport

Building Log Parser Query...

Found time-taken in the IIS Log, adding this column.
Gathering Statistical data
Running Log Parser Command against the IIS Log(s): C:\inetpub\logs\LogFiles\W3SVC1\*.log

Statistics:
-----------
Elements processed: 24083868
Elements output: 1342
Execution time: 402.31 seconds (00:06:42.31)

Generating the Minimum Hits Report.
Building Log Parser Query...
Running Log Parser Command against the CSV results to determine Minimum hits of 1000

Statistics:
-----------
Elements processed: 1342
Elements output: 566
Execution time: 0.02 seconds

LogParser Command finished CSV, File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.csv
Creating HTML Output...
HTML File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.html

If you open this report for review (c:\EASReports\EASyncOutputReport-Multiple_Files_Minimum_Hits_of_1000.html) you will see a table of devices with their hit counts.

Take note of the DeviceID and Hits columns. In this particular example, I see 5 devices that are clearly communicating with the Exchange server excessively. Using the device ID, we can drill down further into a specific device and find out how many hits it generates per hour. Use the DeviceID from the table in the command below.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -deviceID <DEVICEIDHERE> -hourly -htmlreport
Building Log Parser Query...
Found time-taken in the IIS Log, adding this column.
Gathering Statistical data for device: <DEVICEID>
On a per hourly basis.
Running Log Parser Command against the IIS Log(s): C:\inetpub\logs\LogFiles\W3SVC1\*.log

Statistics:
-----------
Elements processed: 24087512
Elements output: 3083
Execution time: 154.74 seconds (00:02:34.74)

LogParser Command finished CSV, File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.csv
Creating HTML Output...
HTML File location: c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.html

If you open this report for review (c:\EASReports\EASyncOutputReport-Multiple_Files_Hourly_<DEVICEID>.html) you will see the device's hits broken down by hour.

That's a lot of hits! This post was made on August 28th, and we can see that on the 26th this device was clearing 6000+ hits per day. At this point, contact the user and update the iOS device to the latest version. After it's updated, watch it closely. Don't forget to check the other devices on the list with high hits; it could be more than one device causing the issue.

5) The odd exception 

The first report we ran includes hits from all logs. What about devices added recently (say, a week ago) that haven't had time to accumulate huge totals? In the first report the top devices had 100,000+ hits; a device added a week ago at 5,000 hits per day would show only 30,000-40,000 and could be overlooked.

While checking the highest hits is always a good idea, you should also check the last few days individually. The example below includes a date variable (8-28-2012), modify as necessary.

.\ActiveSyncReport.ps1 -IISLog "C:\inetpub\logs\LogFiles\W3SVC1" -LogparserExec "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -ActiveSyncOutputFolder c:\EASReports -MinimumHits 1000 -date 8-28-2012 -HTMLReport

The resulting report will show you devices on the specified date that have hit over 1000 hits. This will help you isolate a more accurate daily breakdown.
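Added example, not the ActiveSyncReport.ps1 script from the post and not Microsoft's code: it does offline, in Python, what the script is used for above (hits per DeviceId across the whole log, then an hourly breakdown for one device), without needing Log Parser. The log lines are constructed test data modelled on the W3C format IIS writes for /Microsoft-Server-ActiveSync requests; the users, device IDs and addresses are made up.

```python
"""Count Exchange ActiveSync hits per device from IIS W3C logs.

Added example (not from the original post, not Microsoft's script). The
sample log is constructed; on a real server pass the lines of the files
under C:\\inetpub\\logs\\LogFiles\\W3SVC1 instead.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

EAS_STEM = "/Microsoft-Server-ActiveSync"


def parse_iis_log(lines):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # a new header may appear at each log rollover
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue                       # no header yet or malformed line: skip, don't miscount
        yield dict(zip(fields, values))


def eas_records(lines):
    """ActiveSync requests only, with User/DeviceId/DeviceType/Cmd taken from the query string."""
    for rec in parse_iis_log(lines):
        if not rec.get("cs-uri-stem", "").startswith(EAS_STEM):
            continue
        query = parse_qs(rec.get("cs-uri-query", ""))
        for key in ("User", "DeviceId", "DeviceType", "Cmd"):
            rec[key] = query.get(key, ["-"])[0]
        yield rec


def hits_per_device(lines, minimum_hits=0):
    """[(device_id, user, device_type, hits, Counter of Cmd)] sorted busiest first."""
    hits, cmds, meta = Counter(), defaultdict(Counter), {}
    for rec in eas_records(lines):
        dev = rec["DeviceId"]
        hits[dev] += 1
        cmds[dev][rec["Cmd"]] += 1
        meta[dev] = (rec["User"], rec["DeviceType"])
    rows = [(dev, meta[dev][0], meta[dev][1], n, cmds[dev])
            for dev, n in hits.items() if n >= minimum_hits]
    return sorted(rows, key=lambda row: row[3], reverse=True)


def hourly_hits(lines, device_id):
    """{'YYYY-MM-DD HH': hits} for one device, in time order."""
    per_hour = Counter()
    for rec in eas_records(lines):
        if rec["DeviceId"] == device_id:
            per_hour[f"{rec['date']} {rec['time'][:2]}"] += 1
    return dict(sorted(per_hour.items()))


def make_sample_log():
    """Constructed log: one healthy iPhone and one stuck in a Ping loop."""
    lines = [
        "#Software: Microsoft Internet Information Services 7.5",
        "#Version: 1.0",
        "#Date: 2012-08-26 00:00:00",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
        "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    ]

    def record(ts, user, dev, cmd, taken):
        query = f"User={user}&DeviceId={dev}&DeviceType=iPhone&Cmd={cmd}"
        return (f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 POST {EAS_STEM}/default.eas {query} 443 "
                f"CORP\\{user} 203.0.113.7 Apple-iPhone4C1/902.206 200 0 0 {taken}")

    start = datetime(2012, 8, 26, 8, 0, 0)
    for i in range(12):        # healthy device: a Sync every 10 minutes
        lines.append(record(start + timedelta(minutes=10 * i), "asmith", "ApplF17ABCDE", "Sync", 120))
    for i in range(1440):      # looping device: a Ping every 5 seconds for two hours
        lines.append(record(start + timedelta(seconds=5 * i), "jdoe", "Appl7N0ABCDE", "Ping", 15))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    for dev, user, dtype, n, cmds in hits_per_device(log, minimum_hits=1000):
        print(f"{dev} {user} {dtype} hits={n} {dict(cmds)}")
    print(hourly_hits(log, "Appl7N0ABCDE"))
```

With the 1000-hit threshold only the looping device is reported (1,440 hits, all Ping), and its hourly breakdown shows the steady 720 per hour that distinguishes a stuck client from a user who merely receives a lot of mail. The Cmd counter is the extra clue the HTML report above does not give you: a healthy device mixes Sync, FolderSync and Ping, while a device in trouble usually hammers a single command.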


Happy hunting!

Active Directory Login failure on Blackberry Administration Server (BAS) – The username, password, or domain is not correct. Please correct the entry.

Posted on July 24, 2012

Logging into BAS can fail if DNS records are incorrect or stale.
Before we get into that, I highly recommend you look through your BAS logs to confirm the error is the same one.

1) Try to login to the BAS admin service using your LDAP/Active-Directory credentials several times. This will register a few errors in your logs that you can track down.
2) Head to: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\Logs\(TODAYS DATE)\
3) Open the log file that starts with "SERVERNAME_BBAS-AS-" (Make sure it's the most recently modified version!)
4) Scroll to the bottom and look for lines that start with "(XX/XX XX:XX:XX:XXX):{http-"

(XX/XX XX:XX:XX:XXX):{http-URL.COM%2F10.100.1.36-3443-5} [com.rim.bes.basplugin.activedirectory.LDAPSearch] [INFO] [ADAU-1001] {u=SystemUser, t=30847} performPagedLDAPSearch problem performing LDAP operation: url=ldap://ldapserver.domain.com:3268 base= filter=(&(objectClass=user)(objectCategory=person)(|(sAMAccountName=besadmin)(userPrincipalName=besadmin))) scope=2

If you see a message like this, the LDAP search against the global catalog (port 3268) is failing. BAS authenticates to Active Directory with Kerberos, and Kerberos relies on DNS, including reverse (PTR) lookups on many implementations, to canonicalise the domain controller's name when it builds the service principal name for the ticket it requests. Incorrect or stale DNS records therefore break the login, and BAS reports it with the misleading "username, password, or domain is not correct" message.

Resolution:

1) Open the Active Directory DNS management console.
2) Verify that reverse DNS is set up for the entire domain. You need a PTR (reverse DNS) record for each of your domain controllers. If they are missing, FIX THIS!
3) Verify that there are no stale records pointing at decommissioned or retired domain controllers. Drill down into each DNS folder and confirm the hostname and IP match your current infrastructure. It's amazing how many stale records we find.
4) Once the DNS repairs are made, right-click the server name in the DNS console and choose "Clear Cache". Also flush the resolver cache on the BES server (ipconfig /flushdns) so it stops using the stale answers.

Reboot the BES server (or at least restart the BlackBerry Administration Service) and try to log in again.