Keith Smith - Think Ahead. Learn More. Solve Now!

Keith Smith - Think Ahead. Learn More. Solve Now!


August Cumulative updates for Windows 10 (1607 and 1703) Dell machines

Friday, August 18, 2017 - Posted by Keith A. Smith, in Microsoft

Just wanted to leave a little note that the August Cumulative updates for Windows 10 (1607 and 1703) caused us to experience BSOD on our Dell AIO 9030 machines.

Using WinDbg I was able to identify that the Intel Wireless 7260 driver was responsible for the crashes.

The only thing I can think is that there were some security updates to the KMDF included in the August updates. Pair that with the fact that the Driver Catalog CAB provided by Dell included a really old wireless driver (from 2015) and the result was BSOD reporting:
BAD_POOL_HEADER (19)
Upgrading to the latest wireless driver directly from Intel version:
18.33.7.2 https://www.intel.com/content/www/us/en/support/network-and-i-o/wireless-networking/000006024.html

Resolved the issues.

Hope this saves someone some time.

-End
View Comments 0 Comments
Share Post   


WatchGuard Wireless, AP320 Access Points Review

Thursday, June 15, 2017 - Posted by Keith A. Smith, in Network

I’m a big fan of WatchGuard, and I’ve been using their appliances for some time now. Some other people I know have had concerns about the quality of the firmware or WatchGuard Fireware OS, and I can say that this was an issue in the earlier versions (pre-2014) when the UI was flash based. Since 2014 the UI has significantly improved, I generally get the kit with five years’ live security, knowing at the end of that five years, the kit is probably going to be obsolete and a refresh will be required anyway.

I had never used the WatchGuard Ap's before this deployment, after doing some research I saw that they integrate very tightly with the firewalls and the Dimension products, so I decided to give them a shot.  I think personally the units look great, they’re very discreet and very powerful.




They have 2 Radio’s (5GHz and 2.4GHz), 6 antennas, Up to 1.3 Gbps for 11ac Up to 450 Mbps for 11n, up to 8 SSID’s per radio, PoE, support for all the wireless standards (802.11 a/b/g/n/ac) and Fast Roaming and Band Steering.


The Wi-Fi AP's also comes boxed with a ceiling mount kit and even more useful an T-rail ceiling mounting kit which is nice for most commercial offices.



In my case, I had to "macgyver" a mounting solution for our AP’s using L shelf brackets + chrome head screws + automotive fasteners that I purchased from a local ACE hardware store shown below since none of our locations have T-rail ceiling or anything close to it.

 
                       

The Wi-Fi AP's also run PoE and I’m currently using a few HP 3500 Series PoE switches to provide power to them. By using PoE to power, the Access Points which great because I can also reboot any AP by turning off the PoE for that port should any of the AP's have issues down the line.

I have configured a few VLAN’s with each AP320 broadcasting wireless networks. I currently have the AP320’s set to auto regarding the channels and so it does a lot of the work in working out which channel to run on for me to ease wireless congestion. They were very easy to deploy, and wireless SSID configuration was deployed very quickly thanks to the firewall acting as the wireless controller. I've also found the updates for the AP's to be basic and can be done from the firewall (acting as the wireless controller) in a few clicks.

When you have multiple WatchGuard firewalls and WatchGuard access points it's best to use the WatchGuard System Manager  for managing all of this. The monitoring of this is also great, I can see at any point any wireless device, which AP it is connected to, the traffic volume and also its signal strength etc.

One of the issues that I ran into was a few of the AP’s rebooting during of the work hours, which as you can imagine was somewhat annoying. Initially, I though this issue was caused by HP 3500 PoE switches, but after directly connecting in a 12v 1.25A PSU it kept happening. The HP switch firmware did have a defect (PoE CR_0000207335) in the version that was running on the switches at the time of the AP deployment, however I was able to resolve that by contacting HPE support and applying the supplied software update. After the software updates for the HP PoE switches had been applied, I opened a case with WatchGuard support about the AP320's randomly crashing and restarting. I had all the latest firmware installed for the AP's at the time I  submitted the fault reports to WatchGuard, after the support person investigated the fault reports they agreed was a newly discovered bug (bug "AP-17"), which as of right now is still being worked on.

Technical Details
This bug
(bug "AP-17") is related to the DFS channels being used and the scan interval. At this time the bug isn't resolved, but the workaround to this was to set the wireless scan interval to 24 hours in the Gateway Wireless Controller Settings. Here is a link on how to do this http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/wireless/ap_global_settings_c.html

You can also configure the channels manually to further reduce this issue. Be sure to select non-DFS channels. DFS channels are 50 through 144.


All in all, I’m very happy with the AP’s and the support has always been great from WatchGuard which is one of the many reasons I like company. Once the bug above is resolved, I will call this a successful deployment. I found the WatchGuard AP's to be easily scalable and easy to manage, these devices are built with quality can fit any long-term wireless solution.



-End


View Comments 0 Comments
Share Post   


Applying a “Defense-in-Depth” Strategy

Monday, May 22, 2017 - Posted by Keith A. Smith, in Network, VMware, Microsoft, Linux, Security

IT Teams and Staff can effectively maintain physical and information security with a “defense-in-depth” approach that addresses both internal and external threats. Defense-in-depth is based on the idea that any one point of protection may, and probably will, be defeated. This approach uses three different types of layers (physical, electronic, and procedural) and applies appropriate controls to address different risks that might arise in each.
 
The same concept works for both physical and network security. Multiple layers of network security can protect networked assets, data and end points, just as multiple layers of physical security can protect high-value physical assets. With a defense-in-depth approach:  

System security is purposely designed into the infrastructure from the beginning. Attackers are faced with multiple hurdles to overcome if they want to successfully break through or bypass the entire system. 
A weakness or flaw in one layer can be protected by strength, capabilities or new variable introduced through other security layers. 

Typical defense-in-depth approaches involve six areas: physical, network, computer, application, device and staff education.

1. Physical Security – It seems obvious that physical security would be an important layer in a defense-in-depth strategy, but don’t take it for granted. Guards, gates, locks, port block-outs, and key cards all help keep people away from systems that shouldn’t touch or alter. In addition, the lines between the physical security systems and information systems are blurring as physical access can be tied to information access. 

2. Network Security – An essential part of information fabric is network security and should be equipped with firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as switches and routers configured with their security features enabled. Zones establish domains of trust for security access and smaller virtual local area networks (VLANs) to shape and manage network traffic. A demilitarized zone between public resources and the internal or trusted resources allows data and services to be shared securely. 

3. Computer Hardening – Well known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of Computer Hardening include the use of: 
Antivirus software
Application whitelisting
Host intrusion-detection systems (HIDS) and other endpoint security solutions
Removal of unused applications, protocols and services
Closing unnecessary ports

Software patching practices can work in concert with these hardening techniques to help further address computer risks that are susceptible to malware cyber risks including viruses and Trojans etc.

Follow these guidelines to help reduce risk:
Disable software automatic updating services on PCs
Inventory target computers for applications, and software versions and revisions
Subscribe to and monitor vendor patch qualification services for patch compatibility
Obtain product patches and software upgrades directly from the vendor
Pre-test all patches on non-operational, non-mission critical systems
Schedule the application of patches and upgrades and plan for contingencies 

4. Application Security  – This refers infusing system applications with good security practices, such as a Role Based Access Control System,Multi-factor authentication (MFA) also known as (also known as 2FA) where ever possible which locks down access to critical process functions, force username/password logins, combinations, Multi-factor authentication (MFA) also known as (also known as 2FA) where ever possible and etc. 

5. Device Hardening – Changing the default configuration of an embedded device out-of-the-box can make it more secure. The default security settings of PLCs, PACs, routers, switches, firewalls and other embedded devices will differ based on class and type, which subsequently changes the amount of work required to harden a particular device. But remember, a chain is only as strong as its weakest link. 

6. Staff Education - Last but not least it’s important to talk to staff about keeping clean machine, the organization should have clear rules for what employees can install and keep on their work computers.  Make sure they understand and abide by these rules. Following good password practices is important a strong password is a phrase that is at least 12 characters long. Employees should be encouraged to keep an eye out and say something if they notice strange happenings on their computer.  


Educating Employees at least once a year is important
Training employees is a critical element of security. They need to understand the value of protecting customer and colleague information and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online.

Most importantly, they need to know the policies and practices you expect them to follow in the workplace regarding Internet safety.


-End

View Comments 1 Comments
Share Post   


Cloud Services for the enterprise

Monday, May 08, 2017 - Posted by Keith A. Smith, in Journal of thoughts

Most IT staff balance building out more internal and robust IT infrastructure versus utilizing cloud services to fulfill those needs. More infrastructure sometimes means more personnel and overhead if processes aren't efficient and automation of repetitive task are missing, this causes decision makers to weigh that against the cost to determine the value of cloud services to an organization. To balance whether or not the IT service we are thinking of moving to the cloud is a core or unique service to our business versus merely a commodity. Moving commodity services to the cloud, particularly to those providers with highly evolved and transparent security models, are particularly attractive. Most technologist believes that this provides freedom to focus on the technologies that are core business enablers while receiving top-tier service from cloud providers makes the business more sustainable.


Still, not everything with cloud services is perfect. I find that small interruptions in service do happen, and the reason(s) these disruptions occur can be difficult to pinpoint. We as IT Pro's are unable to control the issue or have any real impact on the issue’s resolution. Those experiences can be frustrating as the end-users usually can’t tell the difference between an IT-supplied service and a cloud-supplied service; but they do understand that what they need doesn’t work, that IT gave it to them, and that they want it fixed immediately.


And of course, cloud applications are not maintenance free. We still utilize our resources to manage the applications, including user provisioning, permission management, configuration, and enabling new features for end-users.


I also find those technologies that allow organizations to bridge traditional infrastructure and cloud infrastructure can be troublesome seamlessly. For example, a cloud identity provider that provisions access to multiple cloud applications sounds like a fantastic tool until that provider has a day-long outage, resulting in a very unproductive day for our end-users. These end-users also need to exercise caution when considering what providers will do about backing up data. Most providers will keep the service running at a 99.99% rate, but if a document gets corrupted or deleted and forgotten about within normal operation of the application, there can be no recourse if you haven’t taken additional steps to plan for those possibilities. Numerous organizations that I have consulted with weren’t prepared for that possibility, lost data with cloud providers, and promptly retreated to on-premise solutions.


With the speed of provisioning, the general reliability of services, and the enhanced security benefits offered by the top cloud providers, it’s hard to ignore the benefits that these cloud services can provide. However, it is important to understand limitations and take those into account when determining the right course of action for your organization.


-End

View Comments 0 Comments
Share Post   


fix for pdf and browser - run from SharePoint Management Shell

Wednesday, April 19, 2017 - Posted by Keith A. Smith, in Sharepoint

Need to run PDF in the browser? Run the following in the sharepoint powershell

$webApp = Get-SPWebApplication http://host.domain.org
If ($webApp.AllowedInlineDownloadedMimeTypes -notcontains "application/pdf")
{
  Write-Host -ForegroundColor White "Adding Pdf MIME Type..."
  $webApp.AllowedInlineDownloadedMimeTypes.Add("application/pdf")
  $webApp.Update()
  Write-Host -ForegroundColor White "Added and saved."
} Else {
  Write-Host -ForegroundColor White "Pdf MIME type is already added."
}


Other commands that may fix it if the above doesn’t :

Web Application level setting: Method 2
$webApp = Get-SPWebApplication http://intranet.domain
$webApp.BrowserFileHandling = "permissive"
$webApp.update()


Site Collection level
$site = get-spsite "http://intranet.domain/sites/somesite"
foreach ( $subsite in $site.allwebs )
{
 foreach ($list in $subsite.Lists)
 {
  if($list.browserfilehandling -eq "Strict")
  {
   $list.browserfilehandling = "Permissive";
   $list.update();
  }
 }
}


Site level ( SPWeb )
$web = Get-SPWeb "http://intranet.domain/sites/somesite/someweb"
foreach ($list in $web.Lists)
{
 if($list.browserfilehandling -eq "Strict")
 {
  $list.browserfilehandling = "Permissive";
  $list.update();
 }
}

List Level
$web= Get-SPWeb "http://intranet.domain/sites/somesite/someweb"
$list = $web.Lists["MyList"]
if($list.browserfilehandling -eq "Strict")
{
 $list.browserfilehandling = "Permissive";
 $list.update();
}

-End
View Comments 0 Comments
Share Post   


Page  <1234...12>