archiveren

Tagarchief: windows

I hate backups, I really do… Even more than I hate printers 🙂

But, as recent happenings proved again, you definitely need one… Either being it for a virus or ransomware, or a failing hard disk, or even if you just delete something (why would you delete something?)

I’ve been looking around for a good off-site backup for ages, but never found a “good” (read: cheap) one… If you look at cloud-hosted backup solutions such as backblaze, crashplan, …, you’re always going to spend more than $50 yearly… (http://www.pcmag.com/article2/0,2817,2288745,00.asp)
I always figured, yeah, that’s the price of a physical disk you can keep forever…

Anyway, next issue, backup software… If someone can give me a tool that just actually works… PLEASE be my guest…
In the past I’ve used the build-in Windows one… But that one failed terrible resulting in me losing a lot of pictures… 😦

One of my last interests was backup up to Amazon’s Glacier service… But never took the actual step.

 

Last week, I took two steps!

 

Azure Simple File

https://azure.microsoft.com/en-us/services/storage/files/

A couple of months ago, a new “feature” was made available on Azure. Basically it’s just an oldskool file server in an Azure datacenter… Meaning: accessible over smb 🙂

\\fileserver.onmicrosoft and you’re good to go!
Jieehaa!
No shitty REST-interfaces! 🙂

It’s SMB 3.0, so authentication, encryption and data integrity are handled by the protocol 🙂 (hey, you’re communicating over a public network, of-course you’ll need that!)

Having a “regular” interface to the cloud opens possibilities… But, bringing me back to my earlier point of having the right tool for the job…
I don’t trust the file-history any more, so I’m looking around for other tools…

Currently running Iperius -> http://www.iperiusbackup.com/
Curious how that’s going to turn out…
It doesn’t have a restore option? WTF?

backupazure

Azure Backup

https://azure.microsoft.com/en-us/services/backup/

Another service I’m testing on Azure is the Backup functionality.

It comes with a client application. Install, configure, select data and you’re good to go! This app definitely impressed me!

azurebackupI know it says “failed”, one of the big issues with cloud storage is your upload speed… As I’m only a Belgian internet user, I’m stuck with a 5 mbit upload rate over adsl… So uploading 120GB takes forever… (forever being 2.5 days). So, on a daily schedule, after a day, the previous backup hasn’t finished yet 🙂
http://beta.speedtest.net/result/4976075067

Big plus, I crossed my “downloadlimit” uploading 650GB on backup data 😦
JEEEEJ CLOUD

Did I tell you it’s slow as hell?
And you have to pay extra for outbound network traffic, aka: to restore data you have to pay more…

I’m even considering installing this on all computers from my family!

Advertenties

A cool trick that was shown a couple of years ago, called BadUSB, turns random USB devices into possible snooping devices.

What if you plugin a USB-stick you found on the street and it turns out to open up an Internet Browser and steers you into a specific website, downloading and launching an application? USB has many profiles, so instead of a “mass storage device” (what you would expect from a USB drive that looks like an mass storage device) it imitates a HID device such as a keyboard or mouse… So your “drive” becomes a keyboard!
Automate some pre-defined keystrokes that randomly start after plugging in the USB device, like windows-logo+r, type https://mendelonline.be/temp/runme.exe, press enter a couple of times, and then run the same with %userprofile%\downloads\runme.exe and you’ll be pretty close running your executable without any user interaction!

Edit 26/05/2016: Exactly like this: https://www.informationsecurity.ws/2016/01/pwning-windows-7-with-avg-av/

Not that many technologies exist to prevent this from happening on Windows though… But I found some document on irongeek explaining how to block USB devices using Group :Policy. (local policy can also be used, you don’t need to have a domainjoined computer): http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices

Open your local policy editor, open up “Computer Configuration->Administrative Templates->System->Device Installation->Device Installation Restrictions”, and start messing around 🙂

Capture

local group policy settings

I started with checking which USB devices were already known on my computer… You can use, always awesome, nirsoft’s “USBDevview” to have a look at your USB history.

So, I deleted all history, with the idea to start clean.
After deleting everything, I let Windows re-discover all devices default to my laptop.
Next, I started plugging some USB devices I owned and let it register and install.

Then, the actual blocking policy was enabled.

Another USB-device I didn’t install for testing purposes was plugged into my computer. And nothing happened.
Perfect 😎

I still needed to install that device anyway, but starting device manager with administrative credentials, allowed me to overrule the blocking policy, and to install the USB device for future use…
(Note: once a USB device is “installed”/”registered” into windows, it can be plugged in an used anytime in the future without the admin-overrule technique…)
Or you can start defining classes of usb devices, manufacturers, etc… Just check irongeek’s page 🙂

computermanagement

unrecognized

usbdevview

datatraveler not being used

computer

update driver as administrator

cptmgmtinstalled

good to go

installed

datatraveler active!

All official Belgium eID applications are eventually wrappers around the by FedICT provided eid-sdk, which on its turn is a Java applet… This Java applet has the possibility to authenticate any known Belgium eID against FedICT’s database. Even FedICT’s FAS service can be used as a saml-compatible authententication provider (adfs!)… But you don’t always want to use Java, or FAS…

Did you know, you can fully integrate the Belgium eID in a Windows environment?

Yes, ADFS, yes RDP, yes Windows logons, yes IIS… The fun part, it’s all built-in and you don’t need Java, and you don’t need FAS! ❤
Downside: you’ll need to do some user mapping yourself: your servers still need to map you to an account, and it still needs to authorize that account… So a little administrative overhead here (with FAS FedICT does this for you)

There are some other tricks needed, as for example to enable your client to read both certificates on the smartcard, and to map your eid to a “Windows” user account, but when that’s set-up, you’re good to go!

certlogon

The key to all this is the implicit certificate mapping feature of Active Directory Certificate Services working together with an enterprise PKI.

RDP/Windows

1

IIS

For IIS, the “SSLVerifyClient require” http specification is used to leverage cert-based client authentication. This should even work in other HTTP-servers, and in all major browsers.

http://wiki.cacert.org/ApacheServerClientCertificateAuthentication

Local auth

For the tricks above, you’ll need a functional Active Directory including integrated enterprise PKI environment.

Thanks to Vincent of mysmartcardlogon you can also run it stand-alone on your computer!
Unless you’re running Windows Enterprise, like me 😦
Plus, my laptop doesn’t has a built-in cardreader, so it’s ugly having to take an USB-cardreader to logon at mornings 🙂

The why?

Strong “Multi-factor” authentication is strong.
A certificate in either a virtual or a physical smartcard is always a bunch more secure than a password you’ll have to remember as a simple human being.

And an eID is obligatory in Belgium, you have to buy it anyway, so why buy yet another token for Multifactor AuthN from a 3th party provider instead of the one you already have?

It’s not confidential or secret technology, so if you’re interested in the exact how and what, just leave a comment 🙂

Quick version to improve client-side browser behaviour… (client-side best effort, so nothing is enforced…)

  • remove asp info
  • enforce https
  • specify thumbprint of known expected certificates and intermediate, and root for website
  • whitelist content security sources
  • set x-frame, aka preventing your site can be used in an iframe
  • enable xss protection
  • disable content type niffing

Add the following to your website’s web.config
(yes, web.config needs that ‘"’ around the thumbprints…)


 <httpProtocol>
  <customHeaders>
   <remove name="X-Powered-By" />
   <add name="Strict-Transport-Security" value="max-age=31536000" />
   <add name="Public-Key-Pins" value="pin-sha256=&quot;thumbprintofcertificate1&quot;; pin-sha256=&quot;thumbprintofcertificate2-intermediate&quot;; pin-sha256=&quot;thumbprintofcertificate3-rootcert&quot;; max-age=31536000" />
   <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
   <add name="X-Frame-Options" value="DENY" />
   <add name="X-Xss-Protection" value="1; mode=block" />
   <add name="X-Content-Type-Options" value="nosniff" />
   </customHeaders>
  </httpProtocol>
 

Long version: https://scotthelme.co.uk/hardening-your-http-response-headers/

Check via https://securityheaders.io/?q=https%3A%2F%2Fhome.mendelonline.be&hide=on

 

 

Get yourself a cheap cloud host running Windows Server.
Add ssl based SSTP vpn
Add ssl based Remote Desktop Gateway.
Put let’s encrypt on all of it.

For quick access to blocked url’s, put a glype php proxy somewhere (maybe on that same iis)

 

My current setup, a host in azure running vpn and rdp-gateway, mostely connecting to rdpgateway on home server connecting to vm-guest… You know… RDP-ception!

Now you can go everywhere!

 

There are really some huge flaws in this system…

To bad actually, because it’s a nice thing!

Let’s show you my setup:

exe rules script rules

So everyone can run executables and scripts signed by my selfsigned codesigning certificate and the juniper ones.
Everyone can execute from %programfiles% and %windows (default rule) and Everyone from a safe directory called “epic tools” on my skydrive.
And 2 file-path exceptions for keepass and onecal…

Almost the same for powershell, with specific hash-rule for my powershellprofile (which can go now because it’s signed by the selfsigned cert)

Anyway, %desktop% is blocked for all normal users.

Bypass Applocker’s PowerShell policy

Let’s try to run a ps1 file located on the desktop.

weird
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\mendel\Desktop\applockertest\helloworld.ps1'"

I noticed this one when running a powershell script and invoking it from rightmouseclick (run with powershell) and used procmon to find the exact launch command…

(The rightmouseclick “run with powershell” is only available in the context menu if you have the “.ps1” extension associated with notepad… WTF)

And of course there are more: http://www.wilderssecurity.com/threads/windows-7-applocker-can-be-bypassed.321479/ , https://www.mountknowledge.nl/2011/01/28/bypassing-windows-applocker-using-vb-script-in-word-and-excel/ .
This one is also nice! http://baileysoriginalirishtech.blogspot.be/2015/06/applocker-schmapplocker.html

Bypass Applocker’s exe policy

Multiple bugs/exploits for this are known. As for example the ones from Casey Smith https://twitter.com/subtee/status/627904214451138560

CaptureI just used Case’s code to PoC this 🙂 https://github.com/subTee/ShmooCon-2015/blob/master/POC.cs

Basically, just block everything!

Device Guard

A new feature in Windows 10 might be a solution for all of this 🙂 http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html?m=1

We’ll see, we’ll see…