
Connecting to Corporate Resources via Cisco AnyConnect using FreeRadius and Google Authenticator

Connecting to corporate resources via Cisco AnyConnect using FreeRadius and Google Authenticator has its pros and cons.

One noteworthy advantage is the cost: it’s free.

Disadvantages include the following:

  • AD integration. FreeRadius can be integrated with AD via LDAP, but this architecture requires user profiles (and their Google Authenticator tokens) to be stored locally on the FreeRadius server.
  • Only one authentication type is supported: Time-Based One-Time Password (TOTP).
  • The need to enter the second factor is not obvious to the user (explained at the end of this article).

Installation of Components

In this case, we will install FreeRadius on a Debian Jessie 8.0 virtual machine.

Because TOTP codes are derived from the current time, the server clock must be correct. The simplest way to keep it synchronized is to install NTP:

sudo apt-get update
sudo apt-get install ntp

Next, install FreeRadius and other necessary modules:

sudo apt-get install build-essential libpam0g-dev freeradius libqrencode3 git

Download and install Google Authenticator:

cd ~
git clone https://code.google.com/p/google-authenticator/
cd google-authenticator/libpam/
make
make install

You will also need a group for users who should not be authenticated via RADIUS:

addgroup radius-off

FreeRadius Setup

Since FreeRadius must be able to read the .google_authenticator tokens in every user's home directory, it needs root privileges. To grant them, edit /etc/freeradius/radiusd.conf.

Find the following lines:

user = freerad
group = freerad

And change them to:

user = root
group = root

Save changes at this point and throughout the process.

Now edit /etc/freeradius/users. Add the previously created “radius-off” group to the “Deny access for a group of users” section. After the following lines:

# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.

Add:

DEFAULT         Group == "radius-off", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT         Auth-Type := PAM

Now edit /etc/freeradius/sites-enabled/default.
Locate:

#  Pluggable Authentication Modules.
#  pam

And uncomment the line with “pam”.

Edit /etc/pam.d/radiusd so that FreeRadius authenticates users with their local Unix password plus a Google Authenticator code.

Comment out (or remove) all the lines beginning with @:

#@include common-auth
#@include common-account
#@include common-password
#@include common-session

And add:

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Now add the RADIUS client so that FreeRadius accepts requests from the Cisco ASA. Add the following to /etc/freeradius/clients.conf (192.168.110.6 is the address of the ASA, and the secret must match the one configured on the ASA later):

client 192.168.110.6 {
        secret = Password
        shortname = ASA
}

User setup

Create a user:

adduser mfatest

Generate the Google Authenticator secret for the user:

cd /home/mfatest/
su mfatest
google-authenticator

You should see a QR code in response.

Afterwards, restart the FreeRadius service:

sudo service freeradius restart

Install the Google Authenticator app on your mobile device (available for iOS and Android).

Scan the QR code with the Google Authenticator app. This links the “mfatest” account to your mobile device.

Now test authentication:

radtest <username> <password+code> localhost 18120 testing123

Where:

  • <username> is the Unix user name, and <password+code> is the Unix password immediately followed by the code from the app, as a single string. In this case, the password is Pass_123 and the code is 731923.
  • localhost 18120 testing123 are the parameters for the standard local RADIUS client (server, NAS port number and the shared secret from the default clients.conf).

For the user created above, the complete command is:

radtest mfatest Pass_123731923 localhost 18120 testing123

A successful test ends with an Access-Accept reply from the server.

Configuring CISCO ASA

For the ASA, the best option is to configure the AnyConnect VPN gateway with local authentication first and make sure the connection works. Then proceed to configuring authentication through RADIUS.

Configure RADIUS:

1. Go to Configuration / Remote Access VPN / AAA/Local Users / AAA Server Groups and create a group.

2. Add the server to the group.

“Server Name or IP Address” is the address of our FreeRadius server. “Server Secret Key” is the key we have configured for the client.

3. Test the connection with the RADIUS server.

“Password” is the user’s password + the code from Google Authenticator.

After a successful test, open the previously configured “AnyConnect Connection Profile” and change its authentication from the local server group to the FreeRad group.

This completes the configuration process. To make sure that everything works properly, initiate a test connection.

Here we encounter the non-obvious part mentioned earlier. This setup does not use challenge-response (step-by-step) authentication: FreeRadius cannot prompt for the Google Authenticator code separately. To authenticate successfully, the user must therefore type password + code in the Password field, exactly as in the tests above. For an inexperienced user this can be a barrier to using the service.
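To make the "password + code in one field" behaviour concrete, both for the radtest check earlier and for the AnyConnect login described here, the following Python example reproduces what the PAM stack above does with the single string the client sends. It is an added example, not code from the article, FreeRadius or the pam_google_authenticator module: it splits off the trailing six-digit TOTP code (as forward_pass does), checks it against the base32 secret on the first line of a .google_authenticator file (RFC 6238, HMAC-SHA1, 30-second steps, with a one-step skew window), and only then compares the remaining password, mirroring the requisite/required order in /etc/pam.d/radiusd. The file contents, the secret (the RFC 6238 test key) and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Constructed ~/.google_authenticator contents. The first line is the base32 secret,
# lines starting with '" ' are options written by the google-authenticator tool,
# and the remaining lines are emergency scratch codes. The secret is the RFC 6238
# test key "12345678901234567890", so the codes can be checked against the RFC.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_GA_FILE = f"""{SAMPLE_SECRET_B32}
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
87654321
"""


def parse_ga_file(text: str) -> Tuple[str, List[str]]:
    """Return (base32 secret, scratch codes) from a .google_authenticator file body."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = lines[0]
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    return secret, scratch


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm pam_google_authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at` (Unix seconds)."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock skew)."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d).encode(), code.encode())
        for d in range(-window, window + 1)
    )


def split_forwarded_password(combined: str, digits: int = 6) -> Optional[Tuple[str, str]]:
    """Split the single 'password + code' string: the last `digits` characters are the TOTP code."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def authenticate(combined: str, ga_file: str, unix_password: str, at: int) -> bool:
    """Mirror the PAM stack: TOTP check first (requisite), then the Unix password (required)."""
    parts = split_forwarded_password(combined)
    if parts is None:
        return False
    password, code = parts
    secret, _scratch = parse_ga_file(ga_file)
    if not verify_totp(secret, code, at):
        return False
    return hmac.compare_digest(password.encode(), unix_password.encode())


if __name__ == "__main__":
    now = 59  # constructed timestamp (an RFC 6238 test vector); use int(time.time()) for a real token
    code = totp(SAMPLE_SECRET_B32, now)
    print("code for timestamp 59:", code)  # 287082, per RFC 6238 Appendix B
    print("Pass_123" + code, "->", authenticate("Pass_123" + code, SAMPLE_GA_FILE, "Pass_123", now))
```

To exercise it against a real token, replace `now` with int(time.time()) and SAMPLE_GA_FILE with the contents of the user's own ~/.google_authenticator. The order of the checks matters in the same way as in the PAM file: because the code is verified before the password, a wrong or stale code is rejected without the Unix password ever being compared.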

This setup is universal and can be implemented for any service that supports authentication via the Radius protocol.


Skype Cloud Connector Edition: The way to Integrate Corporate PBX and Setup PSTN Calls with Skype for Business Online (Office 365)

Skype for Business Cloud Connector Edition (CCE) is a hybrid solution that allows integrating the corporate PBX with Office 365. CCE offers a set of components that let organizations connect to the corporate PBX or PSTN and set up a SIP trunk from Office 365 (Skype for Business Online).

This service gives you a turnkey Cloud Connector Edition (CCE) infrastructure setup.

We will deploy the necessary topology in a virtual environment. Users in your organization will be able to place and receive calls to and from landline and mobile phones through any existing voice infrastructure, for example through the corporate PBX or the SIP trunk of a VoIP provider. If your corporate PBX does not support SIP over TCP, we will set up an additional gateway for the connection.

Work performed during deployment of Cloud Connector Edition (CCE) for Skype for Business Online:

  1. Setup of the required package of virtual machines:
     • Domain Controller
     • Central Management Server (CMS)
     • Mediation Server
     • Edge Server
  2. Configuration of the above-mentioned VMs.
  3. Setup of a VoIP gateway for connection with the corporate PBX or PSTN.
  4. Testing of the functionality.

For the companies that require High Availability, we offer to deploy 2 CCE packages (2 x 4 Virtual Machines, i.e. 8 virtual machines in total).

Infrastructure Requirements:

Minimum CCE solution (up to 50 simultaneous calls): 64-bit 4-core processor / 32 GB RAM / 200 GB HDD / 2 NICs.

Standard CCE solution: 64-bit 6-core processor / 64 GB RAM / 400 GB HDD / 2 NICs.

Example topology of the deployed infrastructure of Cloud Connector Edition (CCE) for Skype for Business Online:


Service price: €990

Please contact us for any question you may have.



Skype for Business – Cloud Connector Edition (CCE)


A couple of days ago Microsoft released the Cloud Connector Edition (CCE) for Skype for Business Online, a hybrid solution that enables integrating your corporate PBX with the Office 365. CCE includes a set of components allowing organizations to connect to the PSTN, or organize the SIP trunk from Office 365 (Skype for Business Online). This solution is useful for countries in which there is no possibility of using the telephone connection directly in Office 365 Enterprise E5, since the feature is currently available only in the United States.

What is Skype for Business CCE?

Skype for Business Cloud Connector Edition (CCE) is a hybrid solution that consists of multiple Virtual Machines (VMs) implementing local connectivity with the Cloud PBX.

By deploying the minimal Skype for Business Server topology in a virtualized environment (whether cloud or on-premises), users in the organization are able to send and receive calls from landline and mobile phones via any existing voice infrastructure, for example through the corporate PBX or the SIP trunk of your VoIP provider.

The structure of CCE includes a package of four Virtual Machines that should be deployed and configured using the setup wizard. Here is the list of virtual machines:

  1. Domain Controller
  2. Central Management Server (CMS)
  3. Mediation Server
  4. Edge Server

In this case, there is no dependency on the existing Active Directory infrastructure during the deployment phase, as it creates its own forest independently. It’s recommended to place the CCE Virtual Machines in the DMZ. Companies that need High Availability can deploy 2 CCE packages (2 x 4 VMs, that is 8 VMs in total).

Licensing

There is no need to purchase licenses for virtual servers included in the Cloud Connector Edition (CCE). However, Office 365 users using a hybrid configuration require licenses, and need to purchase E5 enterprise plan.

CCE deployment service.

Cloud Connector Documentation:

Planning: https://technet.microsoft.com/en-us/library/mt605227.aspx

Setup: https://technet.microsoft.com/EN-US/library/mt605228.aspx

Follow the link to download Cloud Connector Edition: http://aka.ms/getcce



HOW TO DISABLE TELEMETRY ON WINDOWS 10

With Solitaire, Microsoft taught users how to use the mouse. Now with Windows 10 they are teaching us to read the license agreement.

After the launch of Windows 10 the internet was flooded with messages about the collection of users’ personal data followed by multiple discussions about how to tackle the issue. The user community instantly came up with a list of major servers that collect data and tried to block them via the HOSTS file. However, the OS ignores all those lines and it was revealed the list of servers was hardcoded into system files. To further complicate matters, Microsoft can always update its IP addresses through Windows Update making the whole procedure useless.

In this post, we would like to share our experience in disabling telemetry through the built-in Windows Firewall. This is an alternative approach that has proven to be effective.

The Test

To perform the procedure, we assembled a simple test setup:

Two laptops. One ran Windows 10 and was connected to the internet through the second laptop using internet sharing. The second laptop acted as a NAT router with Wireshark installed, allowing us to capture the outgoing traffic of the first machine.

The Outcome:

Yes. Windows 10 DOES collect and send your data.

The list of telemetry IP addresses almost coincides with the ones mentioned here: https://forum.unsystem.net/t/microsoft-windows-10-spy-infraestructure/561 and here: forums.untangle.com/web-filter/35894-blocking-windows-10-spying-telemetry.html

The built-in Windows Firewall can block data transmission to these servers.

Firewall Rules

  • After acquiring the IP addresses and checking that blocking them is effective, you can add them to the firewall with a PowerShell script. To add a rule, run the following command (taking the watson.telemetry.microsoft.com server as an example):

netsh advfirewall firewall add rule name="telemetry_watson.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.43 enable=yes

  • Where:
    name – the name of the rule, which here is also the name of the Microsoft server.
    dir=out – the rule applies only to outgoing traffic.
    action=block – network packets matching this rule are blocked by the firewall.
    remoteip – the IP address of the receiver of the outgoing network packets.
    enable=yes – the rule is enabled as soon as it is created.

Eventually the script will look like this (the first line makes sure the firewall is enabled on every profile, otherwise the rules have no effect):

Set-NetFirewallProfile -All -Enabled True

netsh advfirewall firewall add rule name="telemetry_vortex.data.microsoft.com" dir=out action=block remoteip=191.232.139.254 enable=yes
netsh advfirewall firewall add rule name="telemetry_telecommand.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.92 enable=yes
netsh advfirewall firewall add rule name="telemetry_oca.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.63 enable=yes
netsh advfirewall firewall add rule name="telemetry_sqm.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.93 enable=yes
netsh advfirewall firewall add rule name="telemetry_watson.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.43 enable=yes
netsh advfirewall firewall add rule name="telemetry_watson2.telemetry.microsoft.com" dir=out action=block remoteip=65.52.108.29 enable=yes
netsh advfirewall firewall add rule name="telemetry_redir.metaservices.microsoft.com" dir=out action=block remoteip=194.44.4.200 enable=yes
netsh advfirewall firewall add rule name="telemetry_redir2.metaservices.microsoft.com" dir=out action=block remoteip=194.44.4.208 enable=yes
netsh advfirewall firewall add rule name="telemetry_choice.microsoft.com" dir=out action=block remoteip=157.56.91.77 enable=yes
netsh advfirewall firewall add rule name="telemetry_df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.7 enable=yes
netsh advfirewall firewall add rule name="telemetry_reports.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.91 enable=yes
netsh advfirewall firewall add rule name="telemetry_wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.93 enable=yes
netsh advfirewall firewall add rule name="telemetry_services.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.92 enable=yes
netsh advfirewall firewall add rule name="telemetry_sqm.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.94 enable=yes
netsh advfirewall firewall add rule name="telemetry_telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.9 enable=yes
netsh advfirewall firewall add rule name="telemetry_watson.ppe.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.11 enable=yes
netsh advfirewall firewall add rule name="telemetry_telemetry.appex.bing.net" dir=out action=block remoteip=168.63.108.233 enable=yes
netsh advfirewall firewall add rule name="telemetry_telemetry.urs.microsoft.com" dir=out action=block remoteip=157.56.74.250 enable=yes
netsh advfirewall firewall add rule name="telemetry_settings-sandbox.data.microsoft.com" dir=out action=block remoteip=111.221.29.177 enable=yes
netsh advfirewall firewall add rule name="telemetry_vortex-sandbox.data.microsoft.com" dir=out action=block remoteip=64.4.54.32 enable=yes
netsh advfirewall firewall add rule name="telemetry_survey.watson.microsoft.com" dir=out action=block remoteip=207.68.166.254 enable=yes
netsh advfirewall firewall add rule name="telemetry_watson.live.com" dir=out action=block remoteip=207.46.223.94 enable=yes
netsh advfirewall firewall add rule name="telemetry_watson.microsoft.com" dir=out action=block remoteip=65.55.252.71 enable=yes
netsh advfirewall firewall add rule name="telemetry_statsfe2.ws.microsoft.com" dir=out action=block remoteip=64.4.54.22 enable=yes
netsh advfirewall firewall add rule name="telemetry_corpext.msitadfs.glbdns2.microsoft.com" dir=out action=block remoteip=131.107.113.238 enable=yes
netsh advfirewall firewall add rule name="telemetry_compatexchange.cloudapp.net" dir=out action=block remoteip=23.99.10.11 enable=yes
netsh advfirewall firewall add rule name="telemetry_sls.update.microsoft.com.akadns.net" dir=out action=block remoteip=157.56.77.139 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe2.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.58.121 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe23.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.58.123 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe24.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.53.29 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe25.update.microsoft.com.akadns.net" dir=out action=block remoteip=66.119.144.190 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe26.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.58.189 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe27.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.58.118 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe28.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.53.30 enable=yes
netsh advfirewall firewall add rule name="telemetry_fe29.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.51.190 enable=yes
netsh advfirewall firewall add rule name="telemetry_diagnostics.support.microsoft.com" dir=out action=block remoteip=157.56.121.89 enable=yes
netsh advfirewall firewall add rule name="telemetry_statsfe1.ws.microsoft.com" dir=out action=block remoteip=134.170.115.60 enable=yes
netsh advfirewall firewall add rule name="telemetry_i1.services.social.microsoft.com" dir=out action=block remoteip=104.82.22.249 enable=yes
netsh advfirewall firewall add rule name="telemetry_feedback.windows.com" dir=out action=block remoteip=134.170.185.70 enable=yes
netsh advfirewall firewall add rule name="telemetry_feedback.microsoft-hohm.com" dir=out action=block remoteip=64.4.6.100 enable=yes
netsh advfirewall firewall add rule name="telemetry_feedback2.microsoft-hohm.com" dir=out action=block remoteip=65.55.39.10 enable=yes
netsh advfirewall firewall add rule name="telemetry_feedback.search.microsoft.com" dir=out action=block remoteip=157.55.129.21 enable=yes
netsh advfirewall firewall add rule name="telemetry_rad.msn.com" dir=out action=block remoteip=207.46.194.25 enable=yes
netsh advfirewall firewall add rule name="telemetry_preview.msn.com" dir=out action=block remoteip=23.102.21.4 enable=yes
netsh advfirewall firewall add rule name="telemetry_dart.l.doubleclick.net" dir=out action=block remoteip=173.194.113.220 enable=yes
netsh advfirewall firewall add rule name="telemetry_dart2.l.doubleclick.net" dir=out action=block remoteip=173.194.113.219 enable=yes
netsh advfirewall firewall add rule name="telemetry_dart3.l.doubleclick.net" dir=out action=block remoteip=216.58.209.166 enable=yes
netsh advfirewall firewall add rule name="telemetry_ads.msn.com" dir=out action=block remoteip=157.56.91.82 enable=yes
netsh advfirewall firewall add rule name="telemetry_ads2.msn.com" dir=out action=block remoteip=157.56.23.91 enable=yes
netsh advfirewall firewall add rule name="telemetry_ads3.msn.com" dir=out action=block remoteip=104.82.14.146 enable=yes
netsh advfirewall firewall add rule name="telemetry_ads6.msn.com" dir=out action=block remoteip=8.254.209.254 enable=yes
netsh advfirewall firewall add rule name="telemetry_a.ads1.msn.com" dir=out action=block remoteip=198.78.208.254 enable=yes
netsh advfirewall firewall add rule name="telemetry_a.ads1.msn.com" dir=out action=block remoteip=185.13.160.61 enable=yes
netsh advfirewall firewall add rule name="telemetry_global.msads.net.c.footprint.net" dir=out action=block remoteip=207.123.56.252 enable=yes
netsh advfirewall firewall add rule name="telemetry_ssw.live.com" dir=out action=block remoteip=207.46.101.29 enable=yes
netsh advfirewall firewall add rule name="telemetry_msnbot-65-55-108-23.search.msn.com" dir=out action=block remoteip=65.55.108.23 enable=yes
netsh advfirewall firewall add rule name="telemetry_a23-218-212-69.deploy.static.akamaitechnologies.com" dir=out action=block remoteip=23.218.212.69 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft.com" dir=out action=block remoteip=104.96.147.3 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft01.com" dir=out action=block remoteip=11.221.29.253 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft02.com" dir=out action=block remoteip=111.221.64.0-111.221.127.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft03.com" dir=out action=block remoteip=131.253.40.37 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft04.com" dir=out action=block remoteip=134.170.165.248 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft05.com" dir=out action=block remoteip=134.170.165.253 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft06.com" dir=out action=block remoteip=134.170.30.202 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft07.com" dir=out action=block remoteip=137.116.81.24 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft08.com" dir=out action=block remoteip=137.117.235.16 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft09.com" dir=out action=block remoteip=157.55.130.0-157.55.130.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft10.com" dir=out action=block remoteip=157.55.133.204 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft11.com" dir=out action=block remoteip=157.55.235.0-157.55.235.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft12.com" dir=out action=block remoteip=157.55.236.0-157.55.236.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft13.com" dir=out action=block remoteip=157.55.52.0-157.55.52.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft14.com" dir=out action=block remoteip=157.55.56.0-157.55.56.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft15.com" dir=out action=block remoteip=157.56.106.189 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft16.com" dir=out action=block remoteip=157.56.124.87 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft17.com" dir=out action=block remoteip=191.232.139.2 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft18.com" dir=out action=block remoteip=191.232.80.58 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft19.com" dir=out action=block remoteip=191.232.80.62 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft20.com" dir=out action=block remoteip=191.237.208.126 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft21.com" dir=out action=block remoteip=195.138.255.0-195.138.255.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft22.com" dir=out action=block remoteip=2.22.61.43 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft23.com" dir=out action=block remoteip=2.22.61.66 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft24.com" dir=out action=block remoteip=207.46.114.58 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft25.com" dir=out action=block remoteip=212.30.134.204 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft26.com" dir=out action=block remoteip=212.30.134.205 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft27.com" dir=out action=block remoteip=213.199.179.0-213.199.179.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft28.com" dir=out action=block remoteip=23.223.20.82 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft29.com" dir=out action=block remoteip=23.57.101.163 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft30.com" dir=out action=block remoteip=23.57.107.163 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft31.com" dir=out action=block remoteip=23.57.107.27 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft32.com" dir=out action=block remoteip=64.4.23.0-64.4.23.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft33.com" dir=out action=block remoteip=65.39.117.230 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft34.com" dir=out action=block remoteip=65.52.108.33 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft35.com" dir=out action=block remoteip=65.55.138.114 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft36.com" dir=out action=block remoteip=65.55.138.126 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft37.com" dir=out action=block remoteip=65.55.223.0-65.55.223.255 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft38.com" dir=out action=block remoteip=65.55.138.186 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft39.com" dir=out action=block remoteip=65.55.29.238 enable=yes
netsh advfirewall firewall add rule name="telemetry_microsoft40.com" dir=out action=block remoteip=77.67.29.176 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_1-a.ads1.msn.com" dir=out action=block remoteip=206.33.58.254 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_2-a.ads1.msn.com" dir=out action=block remoteip=8.12.207.125 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_3-a.ads1.msn.com" dir=out action=block remoteip=8.253.37.126 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0002.a-msedge.net" dir=out action=block remoteip=204.79.197.201 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0004.a-msedge.net" dir=out action=block remoteip=204.79.197.206 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0005.a-msedge.net" dir=out action=block remoteip=204.79.197.204 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0006.a-msedge.net" dir=out action=block remoteip=204.79.197.208 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0007.a-msedge.net" dir=out action=block remoteip=204.79.197.209 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0008.a-msedge.net" dir=out action=block remoteip=204.79.197.210 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0009.a-msedge.net" dir=out action=block remoteip=204.79.197.211 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ac3.msn.com" dir=out action=block remoteip=131.253.14.76 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ad.doubleclick.net" dir=out action=block remoteip=172.217.20.230 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_adnexus.net" dir=out action=block remoteip=37.252.169.43 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_01.auth.nym2.appnexus.net" dir=out action=block remoteip=68.67.155.138 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_01.auth.lax1.appnexus.net" dir=out action=block remoteip=68.67.133.169 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_01.auth.ams1.appnexus.net" dir=out action=block remoteip=37.252.164.5 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns1.gslb.com" dir=out action=block remoteip=8.19.31.10 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns2.gslb.com" dir=out action=block remoteip=8.19.31.11 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ads.msn.com" dir=out action=block remoteip=65.55.128.80 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ads1.msn.com" dir=out action=block remoteip=192.221.106.126 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_de-1.ns.nsatc.net" dir=out action=block remoteip=198.78.208.155 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_es-1.ns.nsatc.net" dir=out action=block remoteip=8.254.34.155 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_b.ns.nsatc.net" dir=out action=block remoteip=8.254.92.155 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_nl-1.ns.nsatc.net" dir=out action=block remoteip=4.23.39.155 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_uk-1.ns.nsatc.net" dir=out action=block remoteip=8.254.119.155 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_aidps.msn.com.nsatc.net" dir=out action=block remoteip=131.253.14.121 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns1.a-msedge.net" dir=out action=block remoteip=204.79.197.1 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns2.a-msedge.net" dir=out action=block remoteip=204.79.197.2 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns3.a-msedge.net" dir=out action=block remoteip=131.253.21.1 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_apps.skype.com" dir=out action=block remoteip=95.100.177.217 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_az512334.vo.msecnd.net" dir=out action=block remoteip=50.63.202.65 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_bs.serving-sys.com" dir=out action=block remoteip=82.199.80.141 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_65choice.microsoft.com" dir=out action=block remoteip=65.55.128.81 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_db3aqu.atdmt.com" dir=out action=block remoteip=94.245.121.176 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_choice.microsoft.com.nsatc.net" dir=out action=block remoteip=94.245.121.177 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_c.msn.com" dir=out action=block remoteip=94.245.121.178 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_c2.msn.com" dir=out action=block remoteip=94.245.121.179 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_diagnostics.support.microsoft.com" dir=out action=block remoteip=134.170.52.151 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_fe2.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.10.58.118 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns1.msft.net" dir=out action=block remoteip=208.84.0.53 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns3.msft.net" dir=out action=block remoteip=192.221.113.53 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_ns4.msft.net" dir=out action=block remoteip=208.76.45.53 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_flex.msn.com" dir=out action=block remoteip=207.46.194.8 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_g.msn.com" dir=out action=block remoteip=207.46.194.14 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_i1.services.social.microsoft.com" dir=out action=block remoteip=23.74.190.252 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_lb1.www.ms.akadns.net" dir=out action=block remoteip=65.55.57.27 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_live.rads.msn.com" dir=out action=block remoteip=40.127.139.224 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m.adnxs.com" dir=out action=block remoteip=37.252.170.82 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m1.adnxs.com" dir=out action=block remoteip=37.252.170.81 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m2.adnxs.com" dir=out action=block remoteip=37.252.170.141 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m3.adnxs.com" dir=out action=block remoteip=37.252.170.142 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m4.adnxs.com" dir=out action=block remoteip=37.252.170.80 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m5.adnxs.com" dir=out action=block remoteip=37.252.170.140 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m6.adnxs.com" dir=out action=block remoteip=37.252.170.1 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_m.hotmail.com" dir=out action=block remoteip=134.170.3.199 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_msedge.net" dir=out action=block remoteip=204.79.19.197 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_msntest.serving-sys.com" dir=out action=block remoteip=2.21.246.8 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_msnbot-65-55-108-23.search.msn.com" dir=out action=block remoteip=2.21.246.10 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_redir.metaservices.microsoft.com" dir=out action=block remoteip=2.21.246.42 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_redir2.metaservices.microsoft.com" dir=out action=block remoteip=2.21.246.58 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_s0.2mdn.net" dir=out action=block remoteip=172.217.21.166 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_db5.skype.msnmessenger.msn.com.akadns.net" dir=out action=block remoteip=191.232.139.13 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_schemas.microsoft.akadns.net" dir=out action=block remoteip=65.54.226.187 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure.adnxs.com" dir=out action=block remoteip=37.252.163.207 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure1.adnxs.com" dir=out action=block remoteip=37.252.163.3 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure2.adnxs.com" dir=out action=block remoteip=37.252.163.244 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure3.adnxs.com" dir=out action=block remoteip=37.252.162.216 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure4.adnxs.com" dir=out action=block remoteip=37.252.163.215 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure5.adnxs.com" dir=out action=block remoteip=37.252.162.228 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure6.adnxs.com" dir=out action=block remoteip=37.252.163.106 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure7.adnxs.com" dir=out action=block remoteip=37.252.163.88 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_secure.flashtalking.com" dir=out action=block remoteip=95.101.244.134 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_settings-sandbox.data.microsoft.com" dir=out action=block remoteip=191.232.140.76 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_sls.update.microsoft.com.akadns.net" dir=out action=block remoteip=157.56.96.58 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_statsfe1.ws.microsoft.com" dir=out action=block remoteip=207.46.114.61 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_statsfe2.ws.microsoft.com" dir=out action=block remoteip=65.52.108.153 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_telemetry.appex.bing.net" dir=out action=block remoteip=168.61.24.141 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_telemetry.urs.microsoft.com" dir=out action=block remoteip=65.55.44.85 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_view.atdmt.com" dir=out action=block remoteip=179.60.192.10 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_www.msftncsi.com" dir=out action=block remoteip=2.21.246.26 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_www.msftncsi2.com" dir=out action=block remoteip=2.21.246.24 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_a-0003.a-msedge.net" dir=out action=block remoteip=204.79.197.203 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_cs697.wac.thetacdn.net" dir=out action=block remoteip=192.229.233.249 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_db5.settings.data.microsoft.com.akadns.net" dir=out action=block remoteip=191.232.139.253 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_co4.telecommand.telemetry.microsoft.com.akadns.net" dir=out action=block remoteip=65.55.252.190 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_oca.telemetry.microsoft.com.nsatc.net" dir=out action=block remoteip=64.4.54.153 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_telemetry.appex.search.prod.ms.akadns.net" dir=out action=block remoteip=65.52.161.64 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_t.urs.microsoft.com.nsatc.net" dir=out action=block remoteip=64.4.54.167 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_watson.microsoft.com.nsatc.net" dir=out action=block remoteip=65.52.108.154 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_statsfe2.ws.microsoft.com.nsatc.net" dir=out action=block remoteip=131.253.14.153 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_sls.update.microsoft.com.akadns.net" dir=out action=block remoteip=157.56.77.138 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_dart.l.doubleclick.net" dir=out action=block remoteip=172.217.20.134 enable=yes
netsh advfirewall firewall add rule name="telemetry_ssw.live.com.nsatc.net" dir=out action=block remoteip=207.46.7.252 enable=yes
netsh advfirewall firewall add rule name="telemetry_urs.microsoft.com.nsatc.net" dir=out action=block remoteip=192.232.139.180 enable=yes
netsh advfirewall firewall add rule name="telemetry_urs.microsoft.com.nsatc.net" dir=out action=block remoteip=157.55.233.125 enable=yes
netsh advfirewall firewall add rule name="telemetry_geo-prod.dodsp.mp.microsoft.com.nsatc.net" dir=out action=block remoteip=191.232.139.212 enable=yes
netsh advfirewall firewall add rule name="telemetry_new_c.microsoft.akadns.net" dir=out action=block remoteip=134.170.188.139 enable=yes

Running the Created Script

To avoid the cumbersome procedure of launching the PowerShell script with administrator rights, it is easier to create a .bat file and run that instead; UAC will then prompt for administrator approval by itself.


@echo off
cls
echo Telemetry
echo Rules of Firewall
echo.
echo press any key to continue...
pause > NUL
echo Rules of Firewall
echo.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%~dp0.\script-new.ps1""' -Verb RunAs}"
echo Rules included in Firewall...
echo.
pause

Where script-new.ps1 is the name of the .ps1 file you created that contains the PowerShell commands.

Download power shell script

Download .bat file

After that is completed, the added rules will be displayed in Windows Firewall as it is shown in the screenshot below:

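The article itself notes that the blocked IP list has had to be updated, so the check a practitioner wants after running the script is whether the telemetry_* rules still point at live addresses. The following audit is an added example, not code from the original article: it takes the host name embedded in each rule name, re-resolves it (Resolve-DnsName, available from Windows 8 / Server 2012 onwards) and flags rules that are disabled, do not block outbound traffic, or block an address the host no longer uses.

```powershell
# Added example (not from the original article): audit the telemetry_* block rules.
# Each rule name embeds the host name whose address was blocked when the list was made
# ("telemetry_new_watson.microsoft.com.nsatc.net" -> "watson.microsoft.com.nsatc.net").
function Test-TelemetryBlockRules {
    param([string]$Prefix = 'telemetry_')   # prefix used by the script's rule names

    $rules = Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue
    if (-not $rules) { Write-Warning "No rules named $Prefix* found"; return }

    foreach ($rule in $rules) {
        $hostName = $rule.DisplayName -replace '^telemetry_(new_)?', ''
        $blocked  = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

        # Current A records for the host; empty when the name no longer resolves.
        $resolved = @(Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue |
                      Where-Object { $_.Type -eq 'A' } |
                      Select-Object -ExpandProperty IPAddress)

        $stillBlocksLiveAddress = $blocked | Where-Object { $resolved -contains $_ }

        $status = if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Block' -or $rule.Direction -ne 'Outbound') {
                      'MISCONFIGURED'   # rule exists but does not block outbound traffic
                  } elseif ($resolved.Count -eq 0) {
                      'UNRESOLVED'      # name is gone; the rule is probably dead weight
                  } elseif ($stillBlocksLiveAddress) {
                      'OK'              # blocked address is still one the host resolves to
                  } else {
                      'STALE'           # host moved; the rule no longer blocks it
                  }

        [pscustomobject]@{
            Rule     = $rule.DisplayName
            Host     = $hostName
            Blocked  = ($blocked -join ',')
            Resolves = ($resolved -join ',')
            Status   = $status
        }
    }
}

# Problem rules first; pipe to Export-Csv instead to keep a record of each audit.
Test-TelemetryBlockRules | Sort-Object Status | Format-Table -AutoSize
```

A STALE result means the rule should be rewritten with the new address (or the host blocked by name in your DNS filter instead), since an address-based rule silently stops doing anything once the host moves.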

Here is additional information not directly related to firewall but related to telemetry and data collection.

It is worth noting that users of Windows 7/8/8.1 have also received updates that extend the system's ability to collect and send telemetry data. Accordingly, these users can apply the recommendations in this article as well, or simply remove those updates.

Keylogger

Disable DiagTrack (the Diagnostics Tracking service, which collects data from Windows components) and dmwappushservice (the WAP push message routing service). To do this, open a command prompt as administrator and stop the services (note that sc stop only halts them until the next reboot):


sc stop DiagTrack
sc stop dmwappushservice

Or remove them altogether:


sc delete DiagTrack
sc delete dmwappushservice

Task Scheduler

In the Task Scheduler console (taskschd.msc) the following tasks need to be disabled; the equivalent commands are:


REM *** Task that collects data for SmartScreen in Windows ***
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
REM *** Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
REM *** Collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
REM *** Aggregates and uploads Application Telemetry information if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /Disable
REM *** This task collects and uploads autochk SQM data if opted-in to the Microsoft Customer Experience Improvement Program ***
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
REM *** If the user has consented to participate in the Windows Customer Experience Improvement Program, this job collects and sends usage data to Microsoft ***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
REM *** The Kernel CEIP (Customer Experience Improvement Program) task collects additional information about the system and sends this data to Microsoft. ***
REM *** If the user has not consented to participate in Windows CEIP, this task does nothing ***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable
REM *** The Bluetooth CEIP (Customer Experience Improvement Program) task collects Bluetooth related statistics and information about your machine and sends it to Microsoft ***
REM *** The information received is used to help improve the reliability, stability, and overall functionality of Bluetooth in Windows ***
REM *** If the user has not consented to participate in Windows CEIP, this task does not do anything.***
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /Disable
REM *** Create Object Task ***
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable
REM *** The Windows Disk Diagnostic reports general disk and system information to Microsoft for users participating in the Customer Experience Program ***
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
REM *** Measures a system's performance and capabilities ***
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
REM *** Network information collector ***
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
REM *** Initializes Family Safety monitoring and enforcement ***
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
REM *** Synchronizes the latest settings with the Family Safety website ***
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /Disable
REM *** SQM (Software Quality Management) ***
schtasks /Change /TN "Microsoft\Windows\IME\SQM data sender" /Disable
REM *** This task initiates the background task for Office Telemetry Agent, which scans and uploads usage and error information for Office solutions ***
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable
REM *** This task initiates Office Telemetry Agent, which scans and uploads usage and error information for Office solutions when a user logs on to the computer ***
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable

We also recommend disabling the following other suspect tasks in Task Scheduler:


REM *** Scans startup entries and raises notification to the user if there are too many startup entries ***
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
REM *** Protects user files from accidental loss by copying them to a backup location when the system is unattended ***
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
REM *** This task gathers information about the Trusted Platform Module (TPM), Secure Boot, and Measured Boot ***
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
REM *** This task analyzes the system looking for conditions that may cause high energy use ***
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable

The method described above cannot be called a 100% perfect solution, but it should be considered an alternative way to turn off telemetry in your Windows system and protect your sensitive information.

Please note that the list of IP addresses has been updated. The updated script version is available for download.



TWO-FACTOR AUTHENTICATION FOR TERMINAL SERVERS

A competent approach to IT security in terms of server authorization, both inside and outside the company premises, involves a number of important measures: a unique user name, password complexity requirements, scheduled password changes, non-disclosure of credentials to third parties, and so on. However, many users quickly forget about these policies and, for easy reference, stick a note with their username and password in a prominent place such as their monitor. That is quite convenient for an attacker wishing to gain access to their sensitive data.

Used products

As an example, let's consider implementing OTP passwords based on the multiOTP project, open-source PHP software that works with the standard algorithms well proven in the multi-factor authentication industry (HOTP, TOTP, OCRA).

To provide the additional input field for the OTP, we will be using the MultiOneTimePassword-CredentialProvider.

The user will generate one-time passwords on their mobile device using Google Authenticator.

MultiOTP installation

Download the multiOTP product and place the contents of the Windows folder from the downloaded archive into the root of the system drive, as C:\multiotp.

All configuration is done through the command line. Run CMD as an Administrator and go to our directory:


The following is a list of commands needed to configure and sync the multiOTP service with the Active Directory:

  1. C:\multiotp>multiotp -config default-request-prefix-pin=0

Request a PIN code by default when creating new users (1 | 0)

  2. C:\multiotp>multiotp -config default-request-ldap-pwd=0

Use the Active Directory password instead of the PIN code by default (1 | 0)

  3. C:\multiotp>multiotp -config ldap-server-type=1

Select the AD/LDAP server type (1 = Active Directory | 2 = standard LDAP)

  4. C:\multiotp>multiotp -config ldap-cn-identifier="sAMAccountName"

Set the CN user identifier (sAMAccountName, or possibly userPrincipalName)

  5. C:\multiotp>multiotp -config ldap-group-cn-identifier="sAMAccountName"

Set the group CN identifier (sAMAccountName for Active Directory)

  6. C:\multiotp>multiotp -config ldap-group-attribute="memberOf"

Set the attribute that determines group membership

  7. C:\multiotp>multiotp -config ldap-ssl=0

Set whether an SSL connection is used by default (0 | 1)

  8. C:\multiotp>multiotp -config ldap-port=389

Set the connection port (389 = standard | 636 = SSL connection)

  9. C:\multiotp>multiotp -config ldap-domain-controllers=servilon.com,ldaps://192.168.254.10:389

Set the Active Directory server(s)

  10. C:\multiotp>multiotp -config ldap-base-dn="DC=SERVILON,DC=COM"

Specify the domain suffix (base DN)

  11. C:\multiotp>multiotp -config ldap-bind-dn="CN=Administrator,CN=Users,DC=servilon,DC=com"

Set the account used to connect to AD DS

  12. C:\multiotp>multiotp -config ldap-server-password="P@$$w0rd"

Set the password used to connect to AD DS

  13. C:\multiotp>multiotp -config ldap-in-group="OTP"

Set the group whose members must use an OTP to access the server

  14. C:\multiotp>multiotp -config ldap-network-timeout=10

Synchronization timeout, in seconds

  15. C:\multiotp>multiotp -config ldap-time-limit=30

Set the timeout for the OTP password reset

  16. C:\multiotp>multiotp -config ldap-activated=1

Enable the AD/LDAP multiOTP server

  17. C:\multiotp>multiotp -debug -display-log -ldap-users-sync

Synchronize users with AD/LDAP. This last command must be re-run each time you add a new user, unless you configure it to run on a schedule.

If all commands were entered correctly and the AD/LDAP server is available, running the last command should result in synchronization and creation of a new user for the multiOTP service:

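The synchronization step above has to be repeated whenever users are added, so the practical follow-up is to schedule it. The script below is an added example, not part of the original article or the multiOTP project; it assumes multiOTP is installed in C:\multiotp as described and that the command-line binary is multiotp.exe, and it uses only the -ldap-users-sync switch shown above.

```powershell
# Added example (not from the original article): register the AD/LDAP user sync as a daily
# scheduled task so new users are picked up without re-running the command by hand.
# Assumption: multiOTP lives in C:\multiotp and the binary is multiotp.exe.
$multiOtpDir = 'C:\multiotp'
$multiOtpExe = Join-Path $multiOtpDir 'multiotp.exe'
$taskName    = 'multiOTP LDAP sync'

if (-not (Test-Path $multiOtpExe)) { throw "multiOTP not found at $multiOtpExe" }

# The LDAP bind password is already stored in multiOTP's own configuration (step 12 above),
# so nothing secret has to appear on the scheduled command line.
$action    = New-ScheduledTaskAction -Execute $multiOtpExe -Argument '-ldap-users-sync' -WorkingDirectory $multiOtpDir
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
# SYSTEM can read the multiotp folder and needs no stored credential of its own.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run it once now and check the exit code before relying on the schedule.
# 0 = success; 267009 (0x41301) = still running, check again in a moment.
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 15
$info = Get-ScheduledTaskInfo -TaskName $taskName
"Last run: $($info.LastRunTime)  result: $($info.LastTaskResult)"
```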

Setting up Google Authenticator

Now you need to transfer the user's unique key to the user's device. The most convenient way to do so is a QR code. For that we need the web service that lets us view and register users: go to the multiotp folder and run webservice_install.cmd. A browser window with the multiOTP web administration console should appear. Once logged in, we can create a new local user or view the list of existing users, which is very useful:


But most importantly, the web console will help us register a user on a mobile device. Click "Print" in the chosen user's row and you will see a QR code generated for that user in a new tab:


Scan the generated QR code with the help of Google Authenticator. The registration process is complete.

As you can see, everything is quite simple. It is also possible to send a QR code to the user by email and the user will do the registration himself. If all goes well, there will be an available OTP password updated on your mobile device every 30 seconds:


Installing MultiOneTime Password Credential Provider

Now we need to tell our Terminal server to use an additional OTP password upon user authentication. To do this, run the previously downloaded MultiOneTimePassword-CredentialProvider installer, where we only need to specify the Default Provider installation and the folder with multiotp service:



Important! After installing the Credential Provider, users without an OTP set up will not be able to access the server. Therefore, make sure an OTP is set up for the Administrator account beforehand.


Results

Now our Terminal server has gained an additional layer of security in the form of an OTP password, based on the free multiOTP and Credential Provider combination.

This solution can also be deployed entirely on a user's PC, putting a barrier in the way of an attacker trying to log on to the employee's office PC.



FIGHT MALWARE WITH BUILT-IN WINDOWS TOOLS QUICKLY, EFFECTIVELY, AND FREE

Know your enemy

Malware, or malicious software, stands for a broad range of applications designed to harm your computer or use it to do damage elsewhere. Malware comes in different shapes and sizes including viruses, Trojan horses, spyware, and others, all of which most users try to avoid like the plague, especially if they store work or private information on their PCs. Some malware applications encrypt your files and demand payment before decrypting them back; some send copies of your desktop files or screen captures to other destinations; yet others use your machine to circulate unauthorized or illicit information or launch attacks on other networks. None of these spell anything good for you.

In the pre-Internet era, malware was distributed mainly via physical storage containing all the code needed to do the bad deed. Modern malware, however, uses a two-stage process to infect your computer. First, you are tricked into downloading a small and virtually harmless downloader application; for example, by clicking on a legitimate-looking link from your email. This downloader is what downloads and installs one, two, or a hundred real malware programs from the Internet, which then cause the real harm.

While this working method is effective, it is malware’s soft spot at the same time. As both stages of the process require an Internet connection, appropriate Internet access administration is a potent way to fight malware. You can dramatically enhance the security of your PC simply by allowing Internet access only for applications that you trust and actually need to work with. How do you do that? That’s what we’re going to talk about in this post.

What weapons to choose?

Before going any further, let’s check to see if you actually need to do anything. Are you lucky enough to be working in a highly-regulated company network, where all traffic is monitored by professional security software utilizing the latest virus definitions from well-known vendors, where Internet access is granted only to a strictly maintained list of client applications? Then you have nothing to worry about. However, if your employer has not implemented robust security procedures, or if you’re on your own, then PC security is a concern for you.

The easiest and most effective method of protection is a local firewall—a security system that monitors and controls traffic. There are quite a few firewall solutions available on the market today, which vary greatly in functionality, user-friendliness, and pricing. While the price tag may be a deterrent for some users, there’s a more pressing concern: that some of these applications may actually function like spyware themselves.

This applies particularly to free software, though you can never be 100% sure even with paid products. For example, see Bloomberg on Kaspersky products. Technically, this should not be all that surprising. Antivirus and firewall software enjoys the most extensive access privileges on your PC: it can freely transfer your data to the software vendor's servers, download any updates, and access user files, Internet traffic, and RAM and video memory. Its job is not that different from spying to begin with. So, if some security software serves a harmful purpose under the counter, you cannot really tell.

So what’s your best course of action? If you’re using Microsoft Windows, the answer is pretty straightforward. All instances of Windows come with a built-in local firewall which is free and fairly easy to configure.

It’s true that we cannot be absolutely sure that Windows Firewall does not spy on its users. But hey, you’ve already installed Windows, so you’re pretty much 100% committed to Microsoft. If the corporation is spying on you already, using one more application will not make a huge difference. This is why we’ll focus on how Windows Firewall works and how you can get the most out of it.

Disable & Enable

By default, Windows Firewall allows Internet access for all outbound traffic. This means that any software installed on your machine can transfer and receive data over the Internet. Your first order of business then is to disable Internet access for all applications except for those you trust.

Windows Firewall may be configured either via its GUI (Graphical User Interface) or from the command line. The latter is especially useful for creating distributable batch files designed to apply predefined settings on multiple computers. (This works for networks where all PCs are connected to a domain; there are more efficient ways to distribute policies, but that’s beyond the scope of this post.) We’ll cover both methods.

First, you’ll need to create a rule that will disable Internet access for all software. To do this via the Firewall GUI:

  • Open Windows Firewall snap-in with Advanced Security and select the active profile on the main screen:


  • Select ‘Actions’ and then click ‘Properties’:


  • In the dialog that opens, for both ‘Inbound connections’ and ‘Outbound connections,’ select ‘Block’ from the drop-down list:


To set up a rule that disables traffic from the command line, run the following command:


Set-NetFirewallProfile -all -DefaultInboundAction Block -DefaultOutboundAction Block

After applying this rather harsh rule, you will need to make certain exceptions: first for applications that need to access the Internet, and then for shared folders on your PC.
Software that needs to access the Internet includes web browsers such as Internet Explorer, Google Chrome, or Mozilla Firefox. Let's set up a Firewall exception for Internet Explorer as an example.

  • In the Windows Firewall snap-in, right-click on ‘Outbound Rules’ (we’ll be working with outbound traffic from now on) and then click ‘New Rule’:


  • On the next screen, click the ‘Program’ radio button:


  • Provide a path to the executable, which in our example is the Internet Explorer executable:


  • Select ‘Allow the connection’:


  • Select the profile(s) to which this rule will apply. All network profiles are selected by default:


  • Enter a name for this rule:


To enable outbound traffic for Internet Explorer from the command line, run the following commands:


netsh advfirewall firewall add rule name="Internet Explorer" dir=out action=allow program="%ProgramFiles% (x86)\Internet Explorer\iexplore.exe" enable=yes

You can follow a similar process to enable outbound traffic for other browsers like Chrome or Firefox, and for other applications such as Skype (see the script at the end of this post).

Since web browsers also need to stay updated to work in a stable manner, we also need to create separate exceptions for browser update processes. If you use the Windows Firewall GUI, simply rinse-and-repeat as above. If using the command line, sample commands are given below:


netsh advfirewall firewall add rule name="Chrome Update" dir=out action=allow program="%ProgramFiles% (x86)\Google\Update\GoogleUpdate.exe" enable=yes 

netsh advfirewall firewall add rule name="Mozilla Firefox Updater" dir=out action=allow program="%ProgramFiles% (x86)\Mozilla Firefox\updater.exe" enable=yes

As Internet Explorer ships with Windows, you should also allow Internet access to Windows updates, by running the following commands:


netsh advfirewall firewall add rule name="SVCHOST" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" enable=yes

netsh advfirewall firewall add rule name="WUAC" dir=out action=allow program="%SystemRoot%\System32\wuauclt.exe" enable=yes 

Now let’s talk about enabling access to shared folders. To do so via the GUI:

  • Create a new rule:


  • Click the ‘Predefined’ rule type and select ‘File and Printer Sharing’ from the drop-down list:


  • Select the check-boxes ‘File and Printer Sharing (SMB-Out)’ and ‘File and Printer Sharing (NB-Session-Out)’:


  • Allow the connection and then click Finish:


To do the same from the command line, run this:


netsh advfirewall firewall add rule name="File and Printer Sharing (NB-Session-Out)" new dir=out profile=any action=allow enable=yes remoteip=any remoteport=139 protocol=TCP program="System"

netsh advfirewall firewall add rule name="File and Printer Sharing (SMB-Out)" new dir=out profile=any action=allow enable=yes remoteip=any remoteport=445 protocol=TCP program="System"

Transferring settings from one PC to another

Now you know enough to put all these settings in a PowerShell script that can be copied from one computer to another and applied instantly. Here’s a typical script that configures everything we’ve covered above, and a few other useful things:


Set-NetFirewallProfile -all -DefaultInboundAction Block -DefaultOutboundAction Block
netsh advfirewall firewall set rule all new enable=no
netsh advfirewall firewall add rule name="All ICMP V4 - OUT" protocol=icmpv4 action=allow dir=out
netsh advfirewall firewall add rule name="Chrome" dir=out action=allow program="%ProgramFiles% (x86)\Google\Chrome\Application\chrome.exe" enable=yes
netsh advfirewall firewall add rule name="Chrome Update" dir=out action=allow program="%ProgramFiles% (x86)\Google\Update\GoogleUpdate.exe" enable=yes
netsh advfirewall firewall add rule name="Explorer" dir=out action=allow program="%SystemRoot%\explorer.exe" enable=yes
netsh advfirewall firewall add rule name="Internet Explorer86" dir=out action=allow program="%ProgramFiles% (x86)\Internet Explorer\iexplore.exe" enable=yes
netsh advfirewall firewall add rule name="Internet Explorer64" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" enable=yes
netsh advfirewall firewall add rule name="Java Web" dir=out action=allow program="%ProgramFiles% (x86)\Java\jre1.8.0_25\bin\javaw.exe" enable=yes
netsh advfirewall firewall add rule name="Mozilla Firefox" dir=out action=allow program="%ProgramFiles% (x86)\Mozilla Firefox\firefox.exe" enable=yes
netsh advfirewall firewall add rule name="Mozilla Firefox Updater" dir=out action=allow program="%ProgramFiles% (x86)\Mozilla Firefox\updater.exe" enable=yes
netsh advfirewall firewall add rule name="MSTSC" dir=out action=allow program="%SystemRoot%\system32\mstsc.exe" enable=yes
netsh advfirewall firewall add rule name="Outlook" dir=out action=allow program="%ProgramFiles%\Microsoft Office\Office15\OUTLOOK.EXE" enable=yes
netsh advfirewall firewall add rule name="Skype" dir=out action=allow program="%ProgramFiles% (x86)\Skype\Phone\Skype.exe" enable=yes
netsh advfirewall firewall add rule name="SVCHOST" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" enable=yes
netsh advfirewall firewall add rule name="TeamViewer" dir=out action=allow program="%ProgramFiles% (x86)\TeamViewer\TeamViewer.exe" enable=yes
netsh advfirewall firewall add rule name="File and Printer Sharing (NB-Session-Out)" new dir=out profile=any action=allow enable=yes remoteip=any remoteport=139 protocol=TCP program="System"
netsh advfirewall firewall add rule name="File and Printer Sharing (SMB-Out)" new dir=out profile=any action=allow enable=yes remoteip=any remoteport=445 protocol=TCP program="System"
netsh advfirewall firewall add rule name="Edge22" dir=out action=allow program="%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" enable=yes
netsh advfirewall firewall add rule name="Edge11" dir=out action=allow program="%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" enable=yes
netsh advfirewall firewall add rule name="Outlook16" dir=out action=allow program="%ProgramFiles%\Microsoft Office\root\Office16\OUTLOOK.EXE" enable=yes
netsh advfirewall firewall add rule name="lync16" dir=out action=allow program="%ProgramFiles%\Microsoft Office\root\Office16\lync.exe" enable=yes

A script like that can be written in any plain-text editor and saved as a .ps1 file. Running a PowerShell script is a bit trickier though, as it requires Administrator permissions. For this reason it's easier to create and run a batch (.bat) file instead; UAC will then automatically prompt you to confirm those permissions. Here's what your .bat file should look like:


@echo off
cls
echo Rules of Firewall
echo.
echo press any key to continue...
pause > NUL
echo Rules of Firewall 
echo.
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""%~dp0.\firewall.ps1""' -Verb RunAs}"
echo Rules included in Firewall...
echo.
pause

where firewall.ps1 is the name of the .ps1 file you created that contains the PowerShell commands.

Download PowerShell script

Download .bat file

After the script runs and finishes successfully, the added rules will be displayed in Windows Firewall looking something like this:


Is it really that simple?

Well, not quite. Raising the security level may lead to issues such as the following:

1. If there are any other existing rules in your system, running this script will disable them.

2. Not all services have an easily identifiable executable file. In fact, some executables run others in chain order, making it difficult to determine which one you need to specify in your rule. This may turn out to be quite complicated, even if you use special-purpose utilities like Process Explorer or Network Monitor. A good example is the Windows SmartScreen service whose operation involves running both Windows Explorer and a web browser.

3. By enabling access to specific applications, we’re not making exceptions for any given protocol, but instead allowing unrestricted access for that particular executable. This would limit the operation of service protocols, forcing us to create special additional rules for them.

To successfully resolve these issues and ensure all-around security, you may need to delve deeper into how various applications work on your PC. There are quite a few resources on the Internet that you can consult in this effort (unless you’ve disabled that in your Firewall!). By all means, try to do so and educate yourself—more power at your fingertips! If at any point you don’t feel like it, you’re welcome to contact us for help with your PC security.
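As an added example that is not part of the article’s script, the following PowerShell addresses the three issues above: it backs up the current policy so that any rules the script disables can be restored, lists the executables that currently hold outbound connections (to identify which process really needs a rule), and creates allow rules idempotently and scoped to a protocol and port instead of giving the executable unrestricted access. The backup path, rule name and port are assumptions.

```powershell
# Added example, not the article's script. Run from an elevated PowerShell;
# Get-NetTCPConnection / New-NetFirewallRule need Windows 8 / Server 2012 or later.
$BackupPath = "$env:TEMP\firewall-before.wfw"   # assumed location

# Issue 1: keep a restorable copy of the policy before any rule is disabled.
# Restore later with:  netsh advfirewall import "<path>"
function Backup-FirewallPolicy {
    param([string]$Path = $BackupPath)
    netsh advfirewall export "$Path" | Out-Null
    Test-Path $Path   # $true when the export file was written
}

# Issue 2: show which executables currently hold outbound connections, so the
# process that really needs a rule (not merely the one that launched it) is found.
function Get-OutboundProgram {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        Group-Object OwningProcess |
        ForEach-Object {
            $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            $path = '<system or unknown>'
            if ($p -and $p.Path) { $path = $p.Path }
            [pscustomobject]@{
                Pid         = [int]$_.Name
                Program     = $path
                Connections = $_.Count
                Remotes     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
            }
        }
}

# Issue 3: allow a program only for the protocol/port it needs, and do not
# create a duplicate if a rule with the same display name already exists.
function Add-ProgramAllowRule {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Program,
        [string]$Protocol = 'TCP',
        [string[]]$RemotePort = @('443')
    )
    if (-not (Test-Path $Program)) { throw "Program not found: $Program" }
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        return "exists: $Name"
    }
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow `
        -Program $Program -Protocol $Protocol -RemotePort $RemotePort `
        -Profile Any | Out-Null
    "created: $Name"
}

Backup-FirewallPolicy
Get-OutboundProgram | Format-Table -AutoSize
# Rule name and port are assumptions (443 is assumed for Outlook's HTTPS link to Exchange).
Add-ProgramAllowRule -Name 'Outlook16-https' `
    -Program "$env:ProgramFiles\Microsoft Office\root\Office16\OUTLOOK.EXE" `
    -Protocol TCP -RemotePort 443
```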

MICROSOFT SKYPE FOR BUSINESS SERVER START SERVICE

What is Skype for Business Server?

Until recently, “public” communication tools (such as Skype, Telegram, WhatsApp) and corporate communication tools (Lync, Sametime, etc.) were separated by a difficult-to-penetrate wall. Corporate messengers have well-developed security and auditing features. They integrate well with the corporate IT infrastructure and are mostly administered by the customer.  The main shortcoming of corporate messengers is their inability to include those outside of the “secure perimeter” (customers, partners, and subcontractors) in the conversation. The public tools allow anybody anywhere on the earth to easily communicate, but their utter lack of control over information streams creates serious problems for corporate IT and security departments. As a result, building a full-fledged communication environment, whether inside or outside of a company, amounts to a set of technological and organizational compromises and introduces significant risks.

Given this situation,  Skype for Business Server represents a new turn in the development of corporate communication tools, bringing together two previously incompatible worlds. On the one hand, this is the corporate version of Skype (previously better known as Microsoft Lync) with all of its advantages – secure channels, centralized management, Active Directory integration, Microsoft Office integration, and integration with the corporate phone system. On the other hand, it’s an opportunity to bring any Skype user – no matter where – into this “convenient” and fully manageable communication system. Moreover, thanks to Skype for Business Server’s complete integration, connecting these external users entails no risk and is fully manageable.

Why is a Microsoft Skype for Business Server Launch Service necessary?

When deciding whether to deploy a new technology such as Skype for Business Server (Microsoft announced it in spring 2015), IT and business managers regularly have questions like these:

– Will Skype for Business Server work for us? Does the product include everything we need (functionality and security)? Will the product integrate well with our corporate environment (both organizationally and technologically)?

– Are the expenses for Skype for Business Server excessive? How much does it cost and how can we optimize our expenses?

To make this barrier easier to overcome, Microsoft invites customers to use its Microsoft Skype for Business Server Launch Service – an authorized service to deploy Microsoft Skype for Business Server 2015 Standard Edition on the Customer’s premises and provide practical training to the Customer’s IT specialists.

The Skype for Business Server 2015 Launch Service was created with the following objectives:

  • To improve the Customer’s effectiveness and reduce risks when deploying Skype for Business Server 2015;
  • To give the Customer’s IT specialists practical experience managing and supporting Skype for Business Server 2015;
  • To give the ability to assess the full functionality of Skype for Business Server 2015 and facilitate making a decision about the need for full deployment of the product.

The service is offered by official Microsoft partners and makes it possible, with minimum expenditures, to start trial (or regular) use of Skype for Business in just 3 days.

How is the service provided and what do I get out of it?

The service assumes the following schedule:

Day 1
  • Review Skype for Business Server 2015’s capabilities and architecture;
  • Design the server infrastructure;
  • System requirements;
  • Deploy server components.
Day 2
  • Review and deploy Skype for Business Server 2015’s client components;
  • Integrate Skype for Business Server 2015 client tools with the company’s work environment;
  • Integrate with Microsoft Office and Microsoft SharePoint;
  • Review and conduct a web conference.
Day 3
  • Review Skype for Business Server 2015’s capabilities when integrating with a traditional telephone system;
  • Set up the ability to work remotely and from mobile devices;
  • Review additional features regarding message archiving and system monitoring.

The service produces the following:

  • A server with Skype for Business Server 2015 Standard Edition installed, which provides the following capabilities:
    • Instant messaging;
    • Audio- and video calls and conference calls between users;
    • Schedule and conduct a web conference;
  • 5-10 workstations with deployed client software to interact with Skype for Business Server 2015;
  • Training for 5 of your company’s IT specialists. (We propose 2 groups of IT specialists: administrators and technical support specialists);
  • Your company’s specialists learn the theory and gain practical skills managing and supporting the solution, and also receive recommendations from an experienced consultant.

Skype for Business Server can be deployed both using permanent licenses (in which case a Microsoft partner will help you choose the best mix of licenses and subscriptions) as well as trial licenses from Microsoft, which are valid for up to 120 days – a period that is entirely sufficient for making a decision.

First, Servilon is an authorized Microsoft partner, which automatically guarantees the quality of our service.

Second, Servilon is a team of IT professionals, which will support you not only while providing the launch service but also during large-scale deployment of Skype for Business, and will resolve any problems that may arise in this process.

Third, Servilon offers this service at one of the lowest prices on the market – only 1400 Euro.

If our offer interests you, call us now and your Microsoft Skype for Business Server deployment project can begin as early as tomorrow.

Your IT Outsourcing Provider Under Control

Security measures to take when outsourcing IT services.

Don’t worry, take control!

Outsourcing IT infrastructure services is a logical step for a growing business. When a qualified contractor is selected, it allows an organization to optimize IT costs and improve quality of service. IT outsourcing also creates the flexibility to regulate the volume of services delivered. If a company’s needs change rapidly, contractors can promptly ramp up or down the volume of IT services.

IT outsourcing requires that a company review its organizational processes to properly establish cooperation with IT service providers. In addition, the company should consider the risks associated with transferring infrastructure control (network and server administration, all key account data, etc.) to a third-party provider and its employees. In other words, the company hands significant leverage over its business to an outside company, which can never be 100% reliable.

So how do you minimize the risks? This issue has been explored more extensively than you might expect at first glance. To minimize potential risks, you can use organizational and technical control measures.

Organizational measures include the creation of an “IT Government” unit within the organization – a sort of “government” with its own competencies, such as coordinating and supervising contractors and influencing their actions, including limiting their access or blocking them.

Available technical measures include software and hardware products that provide accurate control over outsourced IT employees by auditing and recording all actions performed by a remote administrator.

Below is a list of the industry’s most popular products, along with URLs so you can evaluate these solutions yourself:

Company | Website | Products
TSFactory (USA) | https://www.tsfactory.com/ | RecordTS – terminal session audit and recording (Terminal Services, Citrix, vWorkSpace)
ObserveIT (USA-Israel) | http://www.observeit.com/ | Visual session recording – audit, alerting and user session recording on Windows and Unix servers
CensorNET (UK-USA) | https://www.censornet.com/ | Desktop Monitoring – online monitoring, audit and recording of user actions
BalaBit (USA-Hungary) | https://www.balabit.com/ | Shell Control Box – software and hardware appliance for control, audit and recording of remote sessions

BalaBit Shell Control Box as a possible solution

Let us take a closer look at what we believe is the most interesting solution, BalaBit Shell Control Box.

Shell Control Box (SCB) stands out from the crowd, because it is not just a set of agents for client and server machines. It is an independent device that controls, monitors and audits remote administrators’ access to servers, providing full transparency and independence from clients and servers.

SCB is a tool for supervising server administrators and administration processes by managing the encrypted connections used in server administration. SCB fully controls connections made via SSH, RDP, Telnet, TN3270, Citrix ICA and VNC, creating a clear set of functions and a controlled access level for administrators.

Among SCB’s most significant features are the following:

  • Ability to disable unwanted channels and features (for example, TCP port redirection, file transfer, VPN, etc.);
  • Control over selected authentication methods;
  • Required external authentication on the SCB gateway;
  • Implementation of authorization with the ability to monitor and audit in real time;
  • Encrypted auditing of selected channels; time-tagged and digitally signed audit trails;
  • Information about user group membership through the LDAP database;
  • Keys and server host certificates with SCB access can be checked, configured, and managed using any modern web browser.

Let’s take a look at a potential plan for incorporating SCB into the company’s IT infrastructure:

scb schema

(In this scenario, the company uses one server (Server 1) for SCB monitoring to decrease the number of hosts under a paid license. The admin connects to the other servers (Servers 2-4) via Server 1).

Our SCB server is configured as a remote desktop gateway. When accessing the server, the administrator authenticates on the SCB server. Upon successful authentication, an additional check is performed on the server. Next, the administrator establishes various connections to other servers, which are also monitored by the SCB server, from the controlled server.

Shell Control Box admin and control functionality are available via a web interface:

After the SCB server is configured, all traffic passing through it is automatically recorded. SCB has a single interface to view and change the configuration, reports, audit trails.

Shell Control Box admin and control

SCB provides the ability to view audits of past connections, quickly terminate current connections to servers, and observe the actions of remote administrators online.

Shell Control Box admin and control

To replay audit trails, a dedicated application, Audit Player, plays back previously saved session recordings. The screenshot below shows Audit Player replaying a recording in which a remote administrator opened an RDP session from a monitored server to another server on the network:

Shell Control Box admin and control

Let’s take a look at an example. Suppose a business-critical service unexpectedly goes down on a business day. We know when it happened and which server hosts the service, so we go to the search option in the web interface and enter the date, time and protocol type:

Shell Control Box admin and control

We need to find the corresponding session.

We can perform a quick replay after rendering and, if necessary, download a video of the RDP connection.

The video of the RDP connection to the server will show the work of the remote administrator who performed the unscheduled restart of the service. This audit video is great proof when resolving any claims with the IT outsourcing provider.

Conclusions

We have tried to use the functionality in BalaBit Shell Control Box to demonstrate how to create additional security that provides full control and auditing of IT companies performing server maintenance, with the ability to replay the actions performed on the servers.

Such strict auditing of IT contractors may seem to destroy trusting relationships. In fact, the situation is exactly the opposite: trust must be accompanied by transparency and the ability to verify. High-quality IT outsourcing companies should welcome such an option for client oversight, because it is a chance for the contractor to demonstrate the quality of their services and solidify the customer relationship. As an IT outsourcing company, we have a vested interest in making our customer feel safe when working with us. Moreover, we are ready to deploy such products for our customers.

As a result, we can say that the days of outsourcers’ uncontrolled access to customers’ IT infrastructure, and all the accompanying fears, are over. The provider’s actions can be monitored, negligence can be proven, and unauthorized actions can be tracked and prevented. The only drawback is the cost, but this is largely offset by the benefits received.

If you have any organizational or technical questions, please contact us and we will be happy to provide a consultation.

Protect Your Emails with Two-Factor Authentication

The large number of hacks of celebrities’ email accounts reported by the media and widely discussed by the general public causes users to be greatly concerned about the safety of their data. That is what we are going to address in this article.

What is two-factor authentication and how can it help?

Two-factor authentication is a method of establishing identity using two different types of information. The first type is usually a user name and password, while the second type is provided in an SMS, smartphone app, OTP device or certificate.

SMS

There is a lot of information on the Internet on how two-factor authentication works via SMS.

In my opinion, if the potential monetization of hacking your account does not exceed $1000, this type of protection is acceptable. If you want to protect more valuable data, SMS is not quite the right approach. Your mobile phone could be stolen or your SIM card could be replaced. By the time you notice, the hacker will have already downloaded all your correspondence from the server. For example, the Gmail account of the Russian political activist Navalny was hacked and years of private email correspondence went public. His account was protected using SMS-based two-factor authentication. The recent attack on users of mobile banking clients also demonstrates the vulnerability of this method.

Significant disadvantages of this method include extreme inconvenience in protecting email, and problems for travelers and those frequently changing their SIM cards.

Mobile app

Authentication through a mobile application solves the problem of protecting the SIM card against copying or theft, and is more convenient for traveling. But the other problems remain.

OTP

OTP (One Time Password) devices probably provide the highest level of protection among all the methods. Devices that require you to enter a PIN code before use are particularly effective. No wonder every bank that cares about its reputation uses OTPs for clients’ financial transactions.

The main disadvantage is that they are not very convenient to use for email protection.

Protection with a certificate

This technology restricts email access to authorized devices: user credentials alone are not enough, because a special certificate must also be installed on the device.

Unfortunately, this technology does not solve the protection problem that arises if a laptop or phone is stolen. However, disk encryption in combination with a fingerprint sensor completely solves the problem of protecting the laptop, and if an attacker manages to gain access to the email on a mobile phone, the damage is incomparably smaller than when all email is downloaded from servers. Of course, encrypting and protecting mobile devices can reduce the damage caused by this threat to zero.

The main advantage of this technology is its transparency for the user. After installing the certificate on the device, the user can work as usual without entering any codes. Even if the password is compromised, it can only be used on authorized devices.

Certificates can be either associated with a USB token (a popular solution among Russian banks) or a user device. In our opinion, this solution is more suitable for corporate users.

Of course, this technology only applies to corporate emails and introduces just one component to a system of data security measures.

We can protect mail on MS Exchange Server and clients using Exchange through ActiveSync and OWA. Unfortunately, the current version of MS Outlook does not support this solution.

In technical terms, two-factor authentication using a certificate is based on the corporate public key infrastructure (PKI). To grant access to a device, the system administrator installs a user certificate that contains a private key without the ability to export. The user can then use the Exchange Web Interface (OWA). By clicking on a corresponding link, the user receives a certificate request as the first authentication factor, and then enters his or her credentials in the web form as the second factor.
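The prerequisites just described (a user certificate from the corporate PKI, with a private key that cannot be exported) can be verified on a workstation before enabling certificate logon. The PowerShell below is an added example, not code from the article; the issuing CA name is an assumption, and reading the export policy of CNG keys needs .NET 4.6 or later.

```powershell
# Added example, not from the original article. Inspects the user's personal
# certificate store and reports whether each corporate certificate meets the
# requirements for OWA/ActiveSync certificate logon.
function Test-ClientAuthCertificate {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        [string]$IssuerPattern = 'CN=Corp-Issuing-CA'   # assumed CA name, replace it
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'                 # id-kp-clientAuth
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if ($cert.Issuer -notlike "*$IssuerPattern*") { continue }

        # Enhanced Key Usage must include Client Authentication.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $clientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

        # The chain must build to a trusted root, with revocation checked online.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainValid = $chain.Build($cert)

        # Export policy: CNG keys expose it via CngKey.ExportPolicy, legacy CSP keys
        # via CspKeyContainerInfo.Exportable. $null means it could not be determined.
        $exportable = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch { }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            ClientAuthEku = $clientAuth
            ChainValid    = $chainValid
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            # Ready only when the key is confirmed non-exportable, not merely unknown.
            Ready         = $clientAuth -and $chainValid -and $cert.HasPrivateKey -and
                            ($exportable -eq $false) -and ($cert.NotAfter -gt (Get-Date))
        }
    }
}

Test-ClientAuthCertificate | Format-Table -AutoSize
```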

To use two-factor authentication, mobile devices must support ActiveSync version 12.0+. At present, it is supported by the following devices:

  • Apple iPhone / iPad with iOS 6.x and higher;
  • Smartphones and tablets with Android version 4.1.2 and higher;
  • Devices with Windows Phone 7 and higher.

An enterprise IT administrator uses the iPhone Configuration Utility (iPCU) to install a profile on Apple devices containing all necessary account information, the user certificate, and the certification authority certificate.

On devices running Android and Windows Phone, the administrator installs the created certificate chains and configures the user account, indicating which certificate to use for login. For large organizations, the process can be automated using dedicated Mobile Device Management (MDM) software which manages devices on various platforms (for example, on BES 12).

How to Install Bitlocker with TPM on Hyper-V 2012 R2

In this article we will review the installation of Bitlocker with the TPM module on the Hyper-V Server 2012 R2 Core.

Bitlocker is a built-in Windows utility that protects data with encryption. Bitlocker uses the AES algorithm with 128-bit keys; to achieve greater data security, the key length can be increased to 256 bits. By default, the TPM stores and ensures the integrity of the encryption key. This module is a chip built into the PC motherboard that checks the code run while the OS loads, calculates hash values, and stores the results in special registers called PCRs (Platform Configuration Registers). More information on TPM and Bitlocker is available on Microsoft’s official website.

Preparing the Hyper-V Server 2012 R2, Server Core

Typically, TPM support in Windows is turned off. It must be enabled in the BIOS settings. In our case, we are using the Core version of the operating system, and therefore will not be able to check the standard Device Manager to determine whether the TPM is on. Instead, we will use a PowerShell module developed in the Microsoft Partner & Customer Solutions Blog:

Install the module with the following command:

Ipmo .\ScriptName.psd1 -Verbose

PS C:\> Ipmo .\DeviceManagement.psd1 -Verbose
VERBOSE: Loading module from path 'C:\DeviceManagement.psd1'.
VERBOSE: Importing cmdlet 'Disable-Device'.
VERBOSE: Importing cmdlet 'Enable-Device'.
VERBOSE: Importing cmdlet 'Get-Device'.
VERBOSE: Importing cmdlet 'Get-Driver'.
VERBOSE: Importing cmdlet 'Get-NUMA'.
VERBOSE: Importing cmdlet 'Install-DeviceDriver'.

To view all devices in the system, use this command:

Get-Device | Sort-Object -Property Name | ft Name, DriverVersion

If the TPM is enabled, it will appear in the list of devices:

PS C:\> Get-Device | Sort-Object -Property Name | ft Name, DriverVersion
…
Trusted Platform Module 1.2             6.3.9600.16384

The TPM is configured in the Hyper-V 2012 R2 Server Core operating system using special cmdlets activated by the following command:

dism /online /enable-feature /FeatureName:tpm-psh-cmdlets

PS C:\> dism /online /enable-feature /FeatureName:tpm-psh-cmdlets

Deployment Image Servicing and Management tool
Version: 6.3.9600.16384

Image Version: 6.3.9600.16384

Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.

A detailed description of all TPM cmdlets is available at http://blogs.technet.com/b/wincat/archive/2012/09/06/device-management-powershell-cmdlets-sample-an-introduction.aspx

To view the TPM settings, use this command:

PS C:\> Get-TPM

Protector configuration

For disk encryption, you need to specify where the encryption key is stored. In our case, we will register the TPM and a recovery password as key protectors; either of them can be used to unlock the drive.

To configure the protectors, we will use the built-in manage-bde utility.

Add the TPM module as the protector:

manage-bde -protectors -add C: -tpm

PS C:\Users\Administrator> manage-bde -protectors -add G: -tpm
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Key Protectors Added:

    TPM:
      ID: {BC0479C0-96DB-42D4-8C28-957385B9D8D9}
      PCR Validation Profile:
        0, 2, 4, 8, 9, 10, 11

After the key protector has been added, we initiate the encryption process with the following command:

manage-bde -on -recoverypassword C:

Following the instructions, save the auto-generated password and complete the procedure as described in the figure below.

To view the drive encryption process after you restart the server, use this command:

manage-bde.exe -status C:

PS C:\> manage-bde.exe -status C:
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    Size:                 464.44 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
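As an added example (not code from the article), the following PowerShell parses the manage-bde -status output shown above and reports whether the volume reached the intended end state: fully encrypted, protection on, and both the TPM and a numerical (recovery) password registered as key protectors. It works on Server Core without the BitLocker PowerShell module; the embedded sample is constructed from the output above.

```powershell
# Added example, not from the original article: a compliance check over the
# text output of manage-bde -status.
function Test-BitLockerStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$StatusText,
        [string[]]$RequiredProtectors = @('TPM', 'Numerical Password')
    )
    $fields = @{}
    $protectors = @()
    $inProtectors = $false
    foreach ($line in $StatusText) {
        $t = $line.Trim()
        if (-not $t) { continue }
        # Everything after "Key Protectors:" is one protector name per line.
        if ($inProtectors) { $protectors += $t; continue }
        if ($t -eq 'Key Protectors:') { $inProtectors = $true; continue }
        # "Name:   value" pairs; the header "Volume C: []" parses harmlessly.
        if ($t -match '^([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $missing = @($RequiredProtectors | Where-Object { $protectors -notcontains $_ })
    [pscustomobject]@{
        ConversionStatus  = $fields['Conversion Status']
        ProtectionStatus  = $fields['Protection Status']
        EncryptionMethod  = $fields['Encryption Method']   # AES 128 by default, see above
        Protectors        = $protectors
        MissingProtectors = $missing
        Compliant         = ($fields['Conversion Status'] -eq 'Fully Encrypted') -and
                            ($fields['Protection Status'] -eq 'Protection On') -and
                            ($missing.Count -eq 0)
    }
}

# Constructed sample taken from the status output above, so the check can be
# tried offline. On a real host run:  Test-BitLockerStatus (manage-bde -status C:)
$sample = @(
    'Volume C: []',
    '[OS Volume]',
    'Size:                 464.44 GB',
    'BitLocker Version:    2.0',
    'Conversion Status:    Fully Encrypted',
    'Percentage Encrypted: 100.0%',
    'Encryption Method:    AES 128',
    'Protection Status:    Protection On',
    'Lock Status:          Unlocked',
    'Identification Field: Unknown',
    'Key Protectors:',
    '    TPM',
    '    Numerical Password'
)
Test-BitLockerStatus -StatusText $sample | Format-List
```

A volume whose recovery password was never added shows it under MissingProtectors, which is the case to catch before the server is rebooted with the TPM as its only protector.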
