Showing posts from 2021

pfSense and Sensibility

Upon reading my last piece, my partner here at the 'secc informed me that my post, while interesting, had pretty much nothing to do with infosec. Lol ... I hate when she's objectively correct. But, as I reasoned, this is the only blog to which I contribute, and my brain dump had to go somewhere! And it was technical, at least! Here's hoping I can redeem myself with this more bite-sized post about the latest project upon which I've embarked. Networking! Routing! Is there a piece of infrastructure more important to the security of your network than your firewall? I'd say no (unless Clyde from accounting who will click on literally ANYTHING is classified as infrastructure). As an enthusiastic aficionado of open source software, I'd been hearing about pfSense for quite some time, but up until recently I have never been curious enough to find out what the fuss was all about. I'd been using dd-wrt and Tomato as edge devices at home and SonicWall at work. The

Say No to Sh!tty Passwords

A couple of months ago, I shared some password policy advice as one of my Five Easy Security Wins in Windows. Changing your password policy to a 365-day expiration and 15-character minimum is easy and far more secure than shorter password requirements, but it isn't impossible for people to still set bad passwords. Without a password checker in place, users can still set truly terrible passwords for their Windows logins. I needed to change that in my environment, and in my search for just the right tool, I found Lithnet Password Protection (LPP) for Active Directory. I'll share some background info about why implementing LPP was necessary, and give a quick run-down on how to set it up on Domain Controllers.

Shitty Passwords Everywhere

I have seen no shortage of truly awful passwords in my career as a sysadmin. For whatever reason, end users seem convinced that they need to tell IT what their passwords are if they need assistance. I have never really wanted to know people'

PowerShell and ...Web Development?

Being on a team of two responsible for anything even tangentially related to technology, I've ended up wearing more hats than I ever expected I would. Thankfully, my career has been pretty consistently Windows-centric so I have had opportunity to learn and fall in love with PowerShell as a scripting and automation language... which, side note, is why I use cmdlette as my online moniker on GitHub, Twitter, etc. PowerShell scripts I've written have performed all sorts of tasks from making full vhd backups of virtual machines on Hyper-V servers to scraping event logs for security events. Recently, I've been using PowerShell as a pocket-sized web developer. Sure, when all you have is a hammer everything looks like a nail, but PowerShell is much more like a hammer with a multitool built into the handle.

PowerShell and HTML

One hat I've had to wear being on a tiny team now is that of web developer. Thankfully, I wasn't tasked with anything too complex--just a basic, lightw

FrankenCode: Parsing Email Data Elements into a Database

It's not gonna be pretty, but I'm gonna stitch together some Python code components to make a functional thing. [ maniacal laughter!!! ]

The business problem to solve

I get daily grain market emails from which I need to extract prices, and drop into a database. This should be automated but I've been either paying for this data or performing manual data entry. I've been putting it off for a few years but it's time to tackle this project and make life easier for present and future me. I'm going to be using a combination of Python tools I've used before and tools I haven't used, and monstrously stitching them together to accomplish the thing I set out to accomplish. First let me farmsplain the commodity grain markets. The market price of a bushel of corn can be found on Barchart. When a farmer brings their corn to the elevator, they will not simply receive the market price, they will collect the market price +/- the basis charged by the elevator. The b

Digital Decluttering: Passwords

One of my ongoing projects is to make sure that all of the accounts I use are as secure as they possibly can be. I'm going to echo the sentiments of a digital decluttering post from my other blog to share my experience of the process of hardening account security. I am not a fan of clutter anywhere, which I have expressed pretty much everywhere. I'm an unapologetic, unabashed minimalist, and that extends into my online presence. For me, it's helped the most to treat online accounts the same way I treat physical objects--if I don't want or need something, I get rid of it; if I don't want something but need it, I store it somewhere safe. Without further ado, let's jump in to my process: Set up a second password manager ... assuming you have one already. In my case, I started with Google's password manager and wanted to switch to Bitwarden. You'll only have two password vaults until you finish cleaning up the original one. Some things get worse before the

Dear Fax Machines, Go Fax Yourself

I don't think I'm alone in my hatred for faxes, and I am 100% willing to be the face of the anti-faxxing movement. The facsimile is a relic of a bygone era. It should have died a graceful death, and been given a respectful "thanks for your service, and farewell" a few hours after Tim Berners-Lee revved up the World Wide Web in 1989. By now you've probably already seen the meme: But alas, here we are in the year 2021, still shoehorning faxes into the digital world. The reason they're still around, I suppose, is their simplicity. Feed the paper into a hungry machine, out it spits somewhere else, hopefully to its intended recipient.* Unfortunately for U.S.-based Healthcare IT professionals, the Centers for Medicare & Medicaid Services have been permissive of faxing for the transmission of protected health information. I, uh, have a bone to pick with this generally-accepted standard operating procedure, but I don't have the political power to persuade CMS

Running LAPS: No Blood, No Sweat, No Tears

If the title scared you, don't let it. There's no physical effort to put forth in this hardening exercise, so you can safely continue to enjoy crunching down on Doritos dipped in peanut butter. (What? Just me on that one? Oof.) Anyway, to follow up on my Five Easy Security Wins in Windows post, I wanted to write about running LAPS. Because I'm not good at all with sport metaphors, let's just dive in.

What is LAPS?

LAPS stands for Local Administrator Password Solution, and it basically does what it says on the tin. As long as you use the same local administrator account name on your Windows endpoints, you'll be able to get LAPS set up in a matter of minutes. LAPS is a major and easy security win for Windows admins because it gives every endpoint a unique, randomized local administrator password. The passwords change as often as you tell them to, use whichever character sets you tell them to, and you can see what they are in the computer object's attributes in

To Yeet is 1337, and We Recycle More than Old Jokes

I think I'm up to three times mentioning that I'm a minimalist now. Constantly assessing my need for all sorts of items has naturally spilled from my own house into my office... and Justin's office... and the server room... and the IT storage closets... and and and. I tackle clutter at home and at work, and I'd argue that it's especially necessary at work. Having a clean, clutter-free workspace makes life at work easier... and it allows for old materials to become new through e-waste recycling. Chucking all the old hardware (old as in it hasn't been in service since dinosaurs roamed the earth) into a giant pallet box is the easy part. Disposing of electronic waste like you would do with regular trash is generally ill-advised, if it isn't outright illegal where you live. What do you do next? Well, if you're a responsible denizen of the planet, you'll want to recycle as much of the old equipment as possible. If you've got a full pallet box of e-w

Using *Nix Makes Me a Better Windows Sysadmin

Yes, you read the title correctly. Using *nix operating systems has indeed made me a better Windows sysadmin. It shouldn't be all too surprising, especially since the proclamation years ago that Microsoft <3s Linux, and I don't think systems administration should be played as an either/or game between Windows and Linux environments. There is so much that we Windows sysadmins can gain by taking deep dives into *nix operating systems as part of a healthy production environment. My experience with Ubuntu Server has made the biggest impact to me as a Windows sysadmin. In Windows environments, I'd grown accustomed to having the desktop experience (GUI) as the primary mode of getting everything done. Need to run an application? Click around. Need to set up a service to start automatically? Click around. Granted, with Windows Server OSes there is a headless (Core) option, but let's be honest and admit that probably none of us use it because it feels weird. In Ubuntu Server

Organization: It's Not Just for Infomercials Anymore Again

If you walk into my family's home, you may find it cluttered with toys and books and other miscellaneous messes created by our four children, but what you will not find are scattered bills lying about. For that, and other paper-centric processes, I have a system which has evolved over the years, to the point I'm actually pretty happy with it. The small apartment we occupied in the mid 2000s was right-sized for our dog, cat, my wife and me. To ensure we didn't accumulate paper clutter, I began the process of scanning any bill or receipt that ended up on the counter, and tossing it right away. It was at this point I became enamored with the YYYY-MM-DD naming convention for dates, as it made things easily sort-able in a directory. Each file I dumped on my PC was backed up to DropBox. This system was okay, but not particularly useful when it came time to try to find something. In 2010 or so, I started dumping everything into Evernote. Receipt? Evernote. Bill? Evernote. Bank

Five Easy Security Wins in Windows

Every communication medium we've ever invented as humans has, at some point, been pressed into service as a malicious tool. A lot of us do what we can to use such tools for good, or at least for benign purposes. The worse-but-not-quite-worst of us humans love to hack, scam, and swindle others to get what they want. With Microsoft Windows having such a huge marketshare versus 9,001 flavors of Linux and Apple's Mac OS, MS's operating systems and programs are huge targets for malicious actors. As a Windows sysadmin first and foremost, I feel that pain and do what I can to keep my users safe. (Side note: I also love to waste scammers' time--if they're talking to or emailing me, they're not using that time to take advantage of someone more trusting and/or gullible.) And despite being primarily a Windows sysadmin, I'm also a lover of open-source-everything, ESPECIALLY knowledge. Below, I'm going to share five easy(ish) things you can implement to beef up your

Small Team Dynamics: How and Why We're Awesome

Justin and I are an amazing team. Then again, we kind of have to be as a two-person team. Before Justin decided I was worthy of being his insubordinate subordinate, I had always worked on fairly large teams--12 or so people in small companies. I have to say that not a day has gone by since I left my last job that I've missed having a larger team. With it being just the two of us, we get a much higher volume of work done faster and better than I've ever seen happen on larger teams.

The benefits: We don't have to:

- run our ideas by a room full of people to reach a consensus
- wait for internal bureaucracy to approve every last little project or purchase
- waste time having meetings
- waste even more time having meetings about other meetings
- spend a chunk of the day responding to emails from other team members
- work around each other's in/out time to work on a group project
- send emails back and forth to keep everyone in IT in the loop
- stay locked in to vendor relationships
- set up

The Best Tool isn't Always the Right Tool

When Monica and I talked about doing a blog, we knew there would be no shortage of ideas for posts. But before we could start churning out amazing content, we had to decide on a platform. I had an idea. I'm by no means a Django expert but it's a great tool, and I have a tendency to reach for it when I need to do a web thing. Django, a postgres db, maybe sprinkle in a rest API... perfection.

The best tool; perhaps not the right tool

Monica did not share this wholesome, perfect vision. She reasoned that we are already, and will continue to be, plenty busy, and do we really need to spin up our own thing when there are perfectly viable drop-in options available on the web without us needing to worry about hosting a thing and dealing with the security risks, backup strategies, etc.? Wordpress or Blogger would do just fine. Damn. Well, she'll come around. I pursued Wagtail and was in the process of going through a tutorial, and I was loving the freedom and openness of the platf

Our Hypervisors are Singles Bars (Why I Love Single-Purpose Servers)

Single-purpose servers are my hot mashed fruit. As a minimalist, I don't like clutter, and that extends into computing environments. Although it might sound kind of crazy to spin up a new server for every little thing, I promise it will make sense by the end of this post. From a management perspective, having single-purpose servers makes it so much easier to know which services are running where. Basically think of this like delegating tasks among team members to get projects done quickly and efficiently. I'm a documentation junkie, and it drives me bonkers when I see a server that's just got too much on its plate--we're not running a steakhouse here--keeping things simple keeps them running smoother. As a result of not cluttering servers with every possible service to run, my documentation stays clean and readable. Single-purpose setup also means that I can set the less mission-critical services and devices to update and restart in the middle of the day and have little