Tuesday, March 7, 2017

Email reporting in pfsense

pfSense has a great package called "mailreport" that lets an administrator send information by email on a periodic basis. I'm using mailreport v3.1 on pfSense v2.3.3 right now.

Configure notifications:
Menu: System > Advanced > Notifications (tab)
Look for the email section and configure it > Save > Test SMTP Settings until you receive the test email. I use the same email address for To:, From:, and Auth:, and I use the PLAIN auth mechanism.

Configure mailreport:
Once you've tested the notification feature you can use the mailreport package.
Go to Status > Email Reports to configure reports.
Options include the scheduling, included commands, and included logs.

Commands:
Anything you can run under command prompt (Diagnostics > Command Prompt) can be output to an email.

For instance, my external IP address is dynamic and though I do use a Dynamic-DNS tool to easily allow me to get to the external IP by name, sometimes DDNS doesn't work. Though there are several ways to do this, I use the simple command "ifconfig bge0 | grep 'inet '" to output the network interface information from Pfsense and send it to me via email. This gives me the ability to connect without functional DDNS.

"ifconfig" returns information for all of the interfaces.
"ifconfig bge0" returns information for the first interface (as opposed to bge1 which I use for my internal interface.)
"ifconfig bge0 | grep 'inet '" pipes the output of "ifconfig bge0" through grep and looks for the line containing "inet ". Remove the trailing space and you'll also get the inet6 (IPv6) address.
It should return something like this (with the x's replaced with your actual IP address):
inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.xxx
You could go further with grep and cut out everything else, but you get the gist.
Search for "FreeBSD command reference" for an exhaustive list of commands.

Logs:
Your email report can also include logs from services running on your pfSense machine, such as VPN, firewall, DHCP, captive portal, web server logs and more. The list covers a status update on pretty much anything you'd want to know, and you can filter the logs to look for certain things and return a certain number of rows from the results. The filter works like grep.
For instance you can filter the DHCP log for only lines containing "DHCPREQUEST" which would show a line like this:
Mar  7 05:02:40 <Pfsense hostname> dhcpd: DHCPREQUEST for <requested IP> from <requesting MAC addr> (<hostname if avail.>) via <interface>

So you can see that there is a lot of information available to you. The easiest way to build a filter is to start with no filter, get the whole log, and then see what it contains that you need to look at. In my case I use it to keep daily tabs on my external IP and make sure that what's happening on the system is kosher.
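The following is an added example, not code from the original post or the mailreport package. It covers both the Commands section ("ifconfig bge0 | grep 'inet '", taken one step further to cut out everything but the address) and the Logs section (a grep-style DHCPREQUEST filter, extended to flag requests from MAC addresses that are not on a known-device list). The interface name bge0, the sample ifconfig output, the dhcpd log lines and the MAC list are all constructed.

```shell
# Added example (not from the original post or from mailreport).
# Part 1: the post's "ifconfig bge0 | grep 'inet '" command, then one step
# further to keep only the IPv4 address.
# Part 2: a mailreport-style log filter on dhcpd lines (the filter works like
# grep), keeping DHCPREQUEST entries and flagging unknown MAC addresses.
# Everything below (interface, ifconfig output, log lines, MAC list) is constructed.

# Constructed sample of what `ifconfig bge0` prints on pfSense (FreeBSD).
SAMPLE_IFCONFIG='bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%bge0 prefixlen 64 scopeid 0x1
        inet 203.0.113.27 netmask 0xffffff00 broadcast 203.0.113.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'

# The post's filter: "inet " with the trailing space matches only the IPv4
# line, because the IPv6 line reads "inet6 ..." and has no space after "inet".
inet_lines() {
    printf '%s\n' "$1" | grep 'inet '
}

# Number of matching lines with the trailing space (IPv4 only) and without it
# (IPv4 and IPv6).
count_inet()     { printf '%s\n' "$1" | grep -c 'inet '; }
count_inet_any() { printf '%s\n' "$1" | grep -c 'inet'; }

# Going further than grep: keep only the address, the second field of the
# "inet " line.
wan_ipv4() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Constructed dhcpd log lines in the format the post shows.
SAMPLE_DHCP_LOG='Mar  7 05:02:40 fw dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:01 via bge1
Mar  7 05:02:40 fw dhcpd: DHCPOFFER on 192.168.1.50 to 00:aa:bb:cc:dd:01 (laptop) via bge1
Mar  7 05:02:40 fw dhcpd: DHCPREQUEST for 192.168.1.50 from 00:aa:bb:cc:dd:01 (laptop) via bge1
Mar  7 05:02:40 fw dhcpd: DHCPACK on 192.168.1.50 to 00:aa:bb:cc:dd:01 (laptop) via bge1
Mar  7 06:10:12 fw dhcpd: DHCPREQUEST for 192.168.1.77 from 00:aa:bb:cc:dd:02 via bge1
Mar  7 06:10:12 fw dhcpd: DHCPACK on 192.168.1.77 to 00:aa:bb:cc:dd:02 via bge1'

# Constructed list of MAC addresses the administrator recognizes, one per line.
KNOWN_MACS='00:aa:bb:cc:dd:01'

# The mailreport-style filter from the post: only DHCPREQUEST lines.
dhcp_requests() {
    printf '%s\n' "$1" | grep 'DHCPREQUEST'
}

# Summarize each request as "IP MAC". In the line format
# "Mon dd hh:mm:ss host dhcpd: DHCPREQUEST for <ip> from <mac> ..."
# the IP is field 8 and the MAC is field 10.
dhcp_request_summary() {
    dhcp_requests "$1" | awk '{ print $8, $10 }'
}

# Requests whose MAC is not in the known list, printed as "IP MAC" per line.
unknown_dhcp_clients() {
    log="$1"
    known="$2"
    dhcp_request_summary "$log" | while read -r ip mac; do
        if ! printf '%s\n' "$known" | grep -qxi "$mac"; then
            printf '%s %s\n' "$ip" "$mac"
        fi
    done
}

# Stand-alone usage: what a daily report built from these filters would show.
printf 'WAN IPv4: %s\n' "$(wan_ipv4 "$SAMPLE_IFCONFIG")"
printf 'DHCP requests from unknown devices (IP MAC):\n'
unknown_dhcp_clients "$SAMPLE_DHCP_LOG" "$KNOWN_MACS"
```

On a live box you would replace the constructed strings with "$(ifconfig bge0)" and the output of clog on the DHCP log; the functions themselves do not change.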


Wednesday, January 11, 2017

Encrypting sections of an ASP.NET web.config

I just want to give a shout out to johnnycode for this useful information:

If you need to encrypt a portion of a web.config file you will need basic instructions, and the documentation on TechNet isn't great; I found it lacking in necessary detail.

A common use is encrypting database passwords in your connectionStrings section, which is a good idea for the sake of security.
 
Add this line of ASP.NET code to one of your pages to get the site ID:
<%=Request.ServerVariables["INSTANCE_META_PATH"]%>
It will output something like "/LM/W3SVC/5", and the site ID is "5".


http://johnnycode.com/2013/06/26/encrypting-sections-of-an-asp-net-web-config/

aspnet_regiis.exe -pa
aspnet_regiis.exe -pe
A configuration file cannot be created for the requested Configuration object.
Failed!  

Thursday, November 3, 2016

Rebuilding Windows 7

After a few years of bloat I finally needed to rebuild my machine. I did research about the cost for Windows 10 and basically determined that it was not worth spending money on. As of now Windows 7 has about three more years until end of life and it is a really solid operating system.

Windows 8.1 and Windows 10 are okay, and I know they offer some real benefits, but I am not a fan of the forced update and privacy issues there. There will be a point when I must upgrade and I will do it when that time comes. For now, I am sticking with Windows 7 x64.

Starting over is really very easy because I do not keep user data on my OS drive.

What bit me this time was after installing SP1, I would check for updates and svchost.exe would use about 1.5GB of RAM and 1 core for hours and never produce a list of updates to download. I found that KB 3135445 is the solution.

https://support.microsoft.com/en-us/kb/3135445

This patch fixes the Windows Update client. After an install and reboot the update list showed. Of course there are a lot of reboots to come when installing almost 300 of them, but at least they flow and can be done over multiple days.

SoundSwitch
One of the apps I have gotten used to is SoundSwitch (https://github.com/Belphemur/SoundSwitch). I use either headphones or a receiver, and with SoundSwitch's customizable hotkey system, switching outputs is no hassle at all.

Cobian Backup
And backups. There is no end to the frustration of the basic Windows backup system. Do you want multiple backup schedules? No can do in Windows Backup. Want to be very picky about the files, location, encryption, compression, and a host of other options? Try Cobian Backup. It's free, stable, full of features, and amazing. I've been using it for years and have been very pleased with it.
http://www.cobiansoft.com/cobianbackup.htm

Tuesday, August 2, 2016

MagicJack IP address ranges

I recently got a complaint from one of the kids about the MagicJack dropping calls somewhere around the 1-3 minute mark.

I found that Snort on my pfSense was blocking some of the connections based on this SID (122:21 (portscan) UDP Filtered Portscan). I made a rule, and it blocked some other connections, so in the end I started looking for an IP range covering the "talk4free.com" addresses that were showing up on my block list.

Most of them are someproxy.somecity.talk4free.com like this:
216.234.77.106 = wvms01.nashville.talk4free.com

On a side note, I could use something like this, where I choose a specific proxy, but that requires a USB connected MagicJack, and I am using a MagicJack GO which is directly connected to my router. I have no interest in turning my computer into my phone. If I did, I would just use Skype.

So back to the IP ranges.

I found that all of the connections by my MJ GO device were in these ranges:
216.234.64.0 - 216.234.79.255 (which matches the owned range for talk4free) and 207.155.161.0 - 207.155.164.255 which matches the owned range for XO Communications.

The caveats/warnings to this are:
A. The ranges may change (move, shrink, or grow) at any time without any warning.
B. I may have missed something because my device never tried to connect outside the ranges.
C. I did not check every address, but I did check a bunch of them using a script I wrote and determined that these really are talk4free.
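An added example (not from the original post, and not the script the post mentions) that checks whether an address showing up on the Snort block list falls inside the two ranges listed above, so that any pass rule or alias only covers the provider's address space. The ranges are the ones the post found and, per caveat A, may change; the sample block-list addresses are constructed.

```shell
# Added example (not from the original post): classify addresses against the
# two ranges the post found for the MagicJack GO. Ranges are copied from the
# post and may change at any time; the sample addresses below are constructed.

# Convert a dotted-quad IPv4 address to an integer so ranges can be compared
# numerically. Returns 1 (prints nothing) for anything that is not a valid
# four-octet address.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# The ranges from the post, as "first last owner", one range per line.
MJ_RANGES='216.234.64.0 216.234.79.255 talk4free
207.155.161.0 207.155.164.255 XO Communications'

# Print the owner label if $1 lies inside one of the ranges, "none" if it
# lies outside all of them; return 1 if $1 is not a valid address.
mj_range_owner() {
    ip=$(ip_to_int "$1") || return 1
    owner_found=$(printf '%s\n' "$MJ_RANGES" | while read -r first last owner; do
        if [ "$ip" -ge "$(ip_to_int "$first")" ] && [ "$ip" -le "$(ip_to_int "$last")" ]; then
            printf '%s\n' "$owner"
            break
        fi
    done)
    printf '%s\n' "${owner_found:-none}"
}

# Constructed sample of addresses as they might appear on the Snort block list.
SAMPLE_BLOCKED='216.234.77.106
207.155.163.9
216.234.80.1'

# Print "address owner" for each line of a block list; anything that comes
# back "none" needs a closer look before it is whitelisted.
classify_blocked() {
    printf '%s\n' "$1" | while read -r addr; do
        printf '%s %s\n' "$addr" "$(mj_range_owner "$addr")"
    done
}

# Stand-alone usage.
classify_blocked "$SAMPLE_BLOCKED"
```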


Here is a sample of some of the addresses.

Tuesday, February 9, 2016

Email encryption on iOS 8+: iPGMail

I use GnuPG and PGP, but I want the ability to read encrypted email on mobile without waiting to return to a workstation. I want the ability to reply encrypted as well.

So I found this app called iPGMail that works very well.

It integrates with iCloud and Dropbox in order to transfer data more securely (i.e. not email).

I was able to securely import an existing PGP private key and use it to decrypt emails sent to me.  I was also able to import public keys for recipients and then use the app to send encrypted mail directly to them without using copy/paste or other tricks. The app works well and is integrated well enough that it only takes a couple more taps to open encrypted data. It works the same way for sending encrypted mail.

And it's only $2.

Bitlocker Basics

BitLocker is Microsoft's whole-disk encryption software. It comes with the Ultimate and Enterprise editions of Windows Vista and 7, with the Pro and Enterprise editions of Windows 8 (and with Server 2008), and with later versions such as Windows 8.1, 10, Server 2012, etc.

BitLocker is tied in with the TPM (Trusted Platform Module), a standard that uses hardware as part of the security scheme. A TPM is not required for BitLocker use at this time, but in most cases it is the default choice. The purpose of this post isn't to get into the TPM or any of the complaints or concerns about that system, although those concerns are worth considering and reading about.

For anyone who has dealt with other encryption software, BitLocker comes across as very limited in nature. On a computer with the appropriate OS version, BitLocker will show up in a search or on the control panel. The BitLocker Drive Encryption screen is very simple and many of the features are not supported by a GUI. So for a simple user who just wants to encrypt a drive, BitLocker comes across as very basic but fairly simple to use. In other words, it should just work, but it is included with only the professional or high end consumer versions of Windows. That's a shame, but it was probably done to minimize support needs.

BitLocker Control Panel Screen on Windows 10 Enterprise

When enabled, BitLocker will turn on the TPM if it is not already on (requiring a reboot on OS versions before Windows 10), prepare it for encryption, and then encrypt the drive. You can expect the computer to reboot at least once during this process. BitLocker requires another partition on the drive to boot from, so it will make one during the setup process.

Once the drive is ready, it allows you to save the recovery keys to a USB drive, a file, or to hard copy (Print).
BitLocker Recovery Key Screen on Windows 7 Enterprise
After saving the recovery keys, BitLocker will ask you to verify the keys. Of course, this is a smart thing to do, but it will require another reboot and then you'll have to test the recovery keys to make sure you can get in.
BitLocker System Check Screen on Windows 7 Enterprise

If you choose to encrypt without the system check, encryption will begin immediately.


At a base level, the newly encrypted OS drive will boot without entering any credentials. It does this by using TPM. How can you tell? How do you add a pre-boot authentication option? Open an administrator command prompt and type in "manage-bde -status" and then hit enter.



As you can see, the default "Key Protectors" are TPM and Numerical Password (recovery key).

From the command line you can add other protectors.
Password: not supported on OS drives
TPM and PIN: requires Group Policy changes (the PIN is 4-24 characters)
TPM and Startup Key: the startup key is a specific key file on a USB drive
AD DS account: data drives only

I did research and testing, and a smart card cannot be used at pre-boot even after setting the certificate on the card to be used for BitLocker. The password method is for data drives only. So that leaves the PIN or the USB startup key, plus the recovery key.

To set the Group Policy to allow a PIN:
Run the Group Policy editor (gpedit.msc).
Expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Enable "Require additional authentication at startup".
Leave the settings on "Allow..." or change them to "Require..." to require that particular method.

There is a lot of depth in BitLocker, but it is targeted at Enterprises and not individuals. I would say to use it if an individual has the correct OS version and no fear of configuring. But if there is money outlay required, buying some other retail product will offer more features and less advanced configuration. What is troubling to me is that if a non-educated person uses BitLocker in its default TPM boot mode, they will probably assume that their data is secure. Disk encryption is just a small part of security, but the fact that a TPM-only secured drive will unlock without a password, PIN, smart card, or another factor is a problem. So instead of stealing the drive and finding it encrypted, the thief can merely steal the system and the drive will unlock itself based on the TPM. In a consumer setting this is no security at all.

There are methods to handle enterprise centralized key management and compliance reporting. Microsoft SCCM has a module to deploy and report but I have never used it. As well, recovery keys can be stored in Active Directory although I have personally never configured that. I do have colleagues who operate in that manner.

I have installed, tested, and maintained BitLocker managed by Microsoft BitLocker Administration and Monitoring (MBAM) and it works well. In this configuration the management is enforced by group policy using Advanced Group Policy Management (which comes with Microsoft Desktop Optimization Pack (MDOP)). The policy path does not exist by default and so the MDOP ADMX template(s) must be installed. This configuration also requires an MBAM server, a SQL instance with SQL Reporting Services, and the MBAM client installed on the endpoint.

With MDOP AGPM installed, BitLocker policy can be configured under the following path: \computer configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\

When a group policy is enforced on an endpoint, the MBAM client software will encrypt the drive and store the recovery key on the network. If the policy requires a startup PIN, the client will prompt the user to choose one and begin encryption after that. PINs can be as long and complex as a standard password, and the policy can enforce the PIN settings. The downside to a BitLocker PIN is that there is no synchronization or single sign-on of the PIN with Windows, and the PIN is not unique to the user. This makes the user experience not much different from an HDD password, and once the PIN is entered the user still has to sign in to Windows.

If "TPM only" falls within the organization's risk profile, it can be a good option as encryption can be enforced without user interaction. The downside is that the disk is unlocked automatically and the attack surface switches from the encrypted disk to Windows itself. The only time the disk encryption comes into play is if the drive is removed or the TPM is locked out.

The centralized key management and reporting in MBAM is good enough. There are two key management tools: 1. Self-Service and 2. Helpdesk. These would only be needed if the TPM was locked out or, when a startup PIN is used, the user has forgotten the password. The group policy allows a self-service URL to be displayed on the pre-boot recovery screen. That URL lets the end user recover and unlock the drive. The Helpdesk feature provides similar functionality for a service desk.
Reporting is done through SQL Reporting Services and is basic. Reports show all machines with their domain, compliance status, last check in, etc. Machines can be drilled into to see the cipher strength, OS version, hardware manufacturer and model, device users, drive letter(s) encrypted, and more.

One last feature that would simplify on-premises BitLocker management is Network Unlock. This uses a certificate hosted on the network and embedded in the client so that, when there is a startup prompt (startup requiring a PIN, key, etc.), the encryption can detect that it is at 'home' and bypass the manual startup factor. This feature treats the trusted network as a second factor. Despite my best efforts I have been unable to make this function, but I will update this or create a new post if I figure it out.

Compared to other encryption products, I find that BitLocker very much has the standard Microsoft take. It lags behind in cutting-edge features, but it is very stable. The lack of a user-specific PIN and SSO with Windows is a real downside because it ignores the common enterprise use case where any machine might be used by multiple personnel. Also, hardware drive encryption has been around for some time, but BitLocker is not guaranteed to be able to use it because, though OPAL 2 is very common, Microsoft's requirements are a little more stringent. That being said, the software encryption is not a big resource hog during initial encryption, and more organizations would encrypt the drive during build before the machine ever reached the end user.


Wednesday, January 20, 2016

Why I switched from Windows Phone to iPhone

I bought a new Nokia Lumia 830 in November of 2014 when they first hit the market. After having other Windows Phone devices with WP7, 7.5, and 8, I was really hooked on the Windows Phone OS. The Lumia 830 was a really solid device at the time. It had a quad-core 1.2GHz Snapdragon 400 chip, 16GB of storage, and 1GB of RAM. For Windows Phone 8 and 8.1 this provides really good speed and responsiveness. Even more important were the removable battery, nano-SIM slot, and microSD card slot.

This device did everything I needed it to do except for one thing. I am an IT professional and my employer uses Exchange behind an MDM (Mobile Device Management) gateway called MobileIron. MDM provides a standard way to let a person bring their own device (BYOD) to the workplace and access certain company assets. Most importantly, it gives the company a bit of control over the enrollment of devices, what they can do, security policy management, access to company apps on the device, etc.  The main feature is security because a company can force drive encryption and force the password policy on a device that has access to their data.

When my company moved completely to the MDM solution, I had my device enrolled and it worked. MDM is built into the OS using the "workplace" feature in Windows Phone. Enrolling automatically downloads the workplace app and automatically creates the email account on the device. All that is required is to enter the account password on the email account and it's done.

I started with this device on Windows Phone 8. Periodically the MDM email account would lose its "connection," and the only fix was to delete the email account on the device and refresh MDM. This would recreate the account, and once I entered my account password, it would begin to function again. I had many other "regular" email accounts on the device and they always worked. Another IT coworker and I had the same problem. His device was a Lumia 1028 (I think), and we noticed that the disconnection would most often occur when we traveled in and out of range of a Wi-Fi AP that we auto-connected to.

There are a couple dozen Windows Phone devices in the firm and only we were having the issue, but more importantly, my coworker's device stopped having the issue once he stopped connecting to Wi-Fi at the office. It was a simple fix for him, but that solution had no effect on my device. He still connected at home and never had the issue again. But my device would require an email account reset randomly and often. Sometimes it would download email only once after the reset, ten times in a day if I chose to keep resetting it. Sometimes it would last a week.

I updated the OS whenever I could, and I joined the Microsoft Developer program to get the "beta" OS updates. Nothing worked. I asked on the MS support forum and because I mentioned  trying the dev program, they blew me off. I called MS mobile support, had a ticket created and played phone tag for a few weeks. Once I actually spoke with my tech, I was instructed to use the Windows Device Recovery Tool (ended up with v.3.1.5). I had already factory reset my phone about 20 times, but what the hell.

The recovery tool basically just downloads the latest OS and then pushes it to the device. It was a 1.7GB download and of course, it reset the device again. It ended up with the very latest WP 8.1 OS build, which was previously on the device. Of course, there was no change in behavior. So the MS tech support person told me to call the MDM provider about the issue. It was the blow-off that I was expecting. Maybe Microsoft's MDM implementation isn't as robust as others because MS has its own competing product (Intune)? I don't know. I know that it's a complex issue, but tech support did the equivalent of "Did you turn it off and on again?"

My employer has other Windows Phone devices enrolled of varying models including the model I was using, and they all work. Only I was having this issue. I had my device enrolled on multiple versions of MobileIron including beta versions on a dev server. None of it had any effect on the stability of my MDM email. I could have burned a few hours of our enterprise support contract, but I really had lost the will to deal with it.

It started to look like it was simply my device, or a combination of the device plus the account and/or policy settings. So I gave up. I hate to say it, but I bought an iPhone. I was a die hard fan of the Windows Phone OS, but I'm done with it. Being on-call, I must get my email and contacts reliably.

I don't like some things about iOS. Some things I like better. I guess this is the world of compromise. One thing is true though: I don't have to worry about getting my email.