Ubuntu Chrome Remote Desktop configuration

The Setup

Host: Ubuntu 18.04 “Bionic Beaver” release
Software: Google Chrome

I thought this was weird: I couldn't actually download the Chrome browser, not from Firefox (the Ubuntu default) and not from Chromium (the open-source original that Chrome is built on). It isn't that Ubuntu doesn't support it; Google Chrome simply isn't in the Ubuntu software repositories, so it has to come from Google directly.

There are lots of guides on how to install Chrome on Ubuntu. I've compiled that here, along with how to install and configure Chrome Remote Desktop.

  1. Install Google Chrome from an SSH shell. It is not in the Ubuntu repositories, so fetch Google's package and install it (apt resolves the dependencies):
$ wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ sudo apt install ./google-chrome-stable_current_amd64.deb
  2. Once installed, open the Chrome browser and go directly to https://remotedesktop.google.com. This adds the Chrome Remote Desktop extension to Chrome for you.
  3. Install the extension.
  4. When asked, choose a PIN for your desktop. This PIN is what every incoming connection is checked against, so don't pick a trivial one.

This is the part of the blog where you'd think everything works. Not in this case. I kept getting this error:

I thought maybe it was because I hadn't added myself to the chrome-remote-desktop group:

$ sudo usermod -a -G chrome-remote-desktop my_user_name

At this point, I decided to reboot for good measure.

After the reboot, Chrome Remote Desktop showed up in the applications menu.

I still couldn't connect from another host, though; it kept timing out, with errors that the host daemon wasn't starting properly.

With some monkey patching of the host script, I eventually got it working. Here are the steps broken down:

  1. Stop Chrome Remote Desktop:
$ /opt/google/chrome-remote-desktop/chrome-remote-desktop --stop
  2. Back up the original script:
$ sudo cp /opt/google/chrome-remote-desktop/chrome-remote-desktop /opt/google/chrome-remote-desktop/chrome-remote-desktop.orig
  3. Edit the host script (it is a Python script owned by root, hence sudo) with nano or whatever editor you prefer:
$ sudo nano /opt/google/chrome-remote-desktop/chrome-remote-desktop
  4. Find DEFAULT_SIZES and change it to the remote desktop resolution. For example:
DEFAULT_SIZES = "1920x1080"

In my case, I set it to "1920x1200,3840x2400" since the desktop had dual monitors (use a plain x between the dimensions; a multiplication sign will not parse).

Next, find FIRST_X_DISPLAY_NUMBER. The script ships with it pointing at a fresh display, which is where it would start a new X server:

FIRST_X_DISPLAY_NUMBER = 20

Change it to the X display number of the session already running on the console (get it with echo $DISPLAY from any terminal on that desktop). On Ubuntu 17.10 and lower this is usually 0, and on Ubuntu 18.04 it is usually 1:

FIRST_X_DISPLAY_NUMBER = 1

In my case, it happened to be 1.

Comment out the loop that probes for additional displays (otherwise the host sees the lock file of the live display and walks on to the next free one):

#while os.path.exists(X_LOCK_FILE_TEMPLATE % display):
#  display += 1

Reuse the existing X session instead of launching a new one. Alter launch_session() by commenting out _launch_x_server() and _launch_x_session() and instead setting the DISPLAY environment variable, so that the function definition ultimately looks like the following (the script uses 2-space indentation):

def launch_session(self, x_args):
  self._init_child_env()
  self._setup_pulseaudio()
  self._setup_gnubby()
  #self._launch_x_server(x_args)
  #self._launch_x_session()
  display = self.get_unused_display_number()
  self.child_env["DISPLAY"] = ":%d" % display

Save and exit the editor. Start Chrome Remote Desktop again as your own user, the same one that ran --stop (the host keeps its configuration under that user's home directory, so it should not be started with sudo):

$ /opt/google/chrome-remote-desktop/chrome-remote-desktop --start
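The four edits above, as a script that applies them in one pass and keeps the .orig backup. This is an added example, not the post's own code: it assumes the 18.04-era host script layout (2-space indentation and the exact lines it searches for), and the resolution and display number are the values from this post, exposed as parameters. SAMPLE_SCRIPT is a constructed excerpt so the patcher can be dry-run without touching the real file.

```python
#!/usr/bin/env python3
"""Apply the four Chrome Remote Desktop host-script edits from this post in one
pass, keeping a .orig backup. Example code, not the post's own: it assumes the
18.04-era script layout (2-space indentation and the exact lines searched for
below). SAMPLE_SCRIPT is a constructed excerpt for a dry run."""
import os
import shutil
import sys

SCRIPT = "/opt/google/chrome-remote-desktop/chrome-remote-desktop"

# Constructed excerpt of the unpatched script: just the lines the patch touches.
SAMPLE_SCRIPT = '''DEFAULT_SIZES = "1600x1200,3840x2560"
FIRST_X_DISPLAY_NUMBER = 20

  def get_unused_display_number(self):
    display = FIRST_X_DISPLAY_NUMBER
    while os.path.exists(X_LOCK_FILE_TEMPLATE % display):
      display += 1
    return display

  def launch_session(self, x_args):
    self._init_child_env()
    self._setup_pulseaudio()
    self._setup_gnubby()
    self._launch_x_server(x_args)
    self._launch_x_session()
'''


def _indent(line):
    """Leading whitespace of a line, preserved so the Python stays valid."""
    return line[: len(line) - len(line.lstrip())]


def patch_crd_script(text, sizes="1920x1200,3840x2400", display=1):
    """Return the patched script text.

    Re-running it is harmless: commented-out lines no longer match, and the two
    assignments are simply rewritten to the same values.
    """
    lines = text.splitlines()
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        s = line.strip()
        ind = _indent(line)
        if s.startswith("DEFAULT_SIZES ="):
            out.append('DEFAULT_SIZES = "%s"' % sizes)
        elif s.startswith("FIRST_X_DISPLAY_NUMBER ="):
            # the display the console session already owns (echo $DISPLAY)
            out.append("FIRST_X_DISPLAY_NUMBER = %d" % display)
        elif s.startswith("while os.path.exists(X_LOCK_FILE_TEMPLATE"):
            # without this loop the host stays on FIRST_X_DISPLAY_NUMBER
            # instead of walking past the lock file to a free display
            out.append(ind + "#" + s)
            if i + 1 < len(lines) and lines[i + 1].strip() == "display += 1":
                i += 1
                out.append(_indent(lines[i]) + "#" + lines[i].strip())
        elif s == "self._launch_x_server(x_args)":
            out.append(ind + "#" + s)
        elif s == "self._launch_x_session()":
            # no new X server or session: attach the child to the live display
            out.append(ind + "#" + s)
            out.append(ind + "display = self.get_unused_display_number()")
            out.append(ind + 'self.child_env["DISPLAY"] = ":%d" % display')
        else:
            out.append(line)
        i += 1
    return "\n".join(out) + "\n"


def is_patched(text):
    """True when all four edits are present."""
    markers = (
        "#while os.path.exists(X_LOCK_FILE_TEMPLATE",
        "#self._launch_x_server(x_args)",
        "#self._launch_x_session()",
        'self.child_env["DISPLAY"] = ":%d" % display',
    )
    return all(m in text for m in markers)


def main(path=SCRIPT):
    # Needs root: the script under /opt is owned by root. Stop the host first
    # (chrome-remote-desktop --stop) and start it again as your own user after.
    with open(path) as f:
        original = f.read()
    backup = path + ".orig"
    if not os.path.exists(backup):
        shutil.copy2(path, backup)  # keep the pristine copy, once
    with open(path, "w") as f:
        f.write(patch_crd_script(original))
    print("patched %s (backup at %s)" % (path, backup))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else SCRIPT)
```

Run it as `sudo python3 patch_crd.py` after the --stop step; pass a different path as the first argument to try it on a copy first. The patcher keys on the stripped content of each line rather than on line numbers, so it survives the small layout differences between host-package versions, and it refuses nothing silently: if a line it looks for is absent, is_patched() on the result comes back False.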

On a VM, this seemed to fail. But on a physical box I'm connected to it, even as I write this, without any issues.

You just have to get used to picking which session you want: Xsession, and I think the other was the regular 'ubuntu' session or something. It has to do with the different environments: one is what you get when you're sitting physically in front of the computer, the other is the remote session used by things like VNC.

Remoting in from external shows this on first boot up:

Once you select a session, that's the session you get every time you connect.

I've been using the 2nd option, "Ubuntu".

Breakdown of each option:

(default): launch the default Xsession. This looks the same as the "Ubuntu" session; all the windows look the same and the same settings seem to apply.

Ubuntu: I use this most often, and VNC seems to tie to this instance too. Actually, I think the (default) selection is just whichever of the 'ubuntu' and 'unity' sessions you last picked.

Unity: looks like a completely different OS. The icons are different, the experience, everything. It is a different desktop environment, in the way KDE and GNOME are different flavors.

There you have it, you now have a functioning Chrome Remote Desktop to your Ubuntu Box.



Oracle VirtualBox – Configure Guest-VM network to communicate with Host network

This post focuses on configuring an Oracle VirtualBox VM to do two things:
-make it so the host, and the local host network, can see, ping, remote into and use file shares on the VirtualBox guest VM
-let the guest VM keep using its own built-in DHCP server (in case you run your own domain)

*I take no liability for any of this configuration; I had to figure it all out by trial and error!

The Setup

Host: Ubuntu 18.04 “Bionic Beaver” release
Software: Oracle VirtualBox (version 5.2.42-dfsg-0ubuntu1.18.04.1)
VM: Microsoft Windows Server 2016 domain controller

For the purpose of this entry, I'm skipping over creating the VM, the domain configuration and DHCP; all of that is configured within the guest VM's operating system. What I will provide is a problem and a solution.

Problem
How can we get an already existing VM running MS domain services to keep using its pre-configured DHCP scope, and yet allow it to talk with the rest of the host network?

Solution (short explanation):
Create a second network adapter in 'bridged' mode and keep the primary network adapter in 'NAT' mode. Configure firewall rules on the guest OS to allow access.

Solution (long, and drawn out):
To preface this problem: I had a pre-existing domain controller with its own DHCP server, handing out addresses from 10.0.150.0/24.

My VM host, however, is on my home network, which we'll say is 10.0.0.0/24. So how do we configure our VM to have access to our home resources?

First, turn off your VM.

1. Create a second network adapter! From VirtualBox Manager, go to Settings...


2. Go to Network.

For this VM, adapter 1 is attached to a NAT Network. There are dozens of different ways to do this, but for this example I created a NAT Network with a specific scope (10.0.150.0/24) to isolate my domain for testing purposes. See the Oracle VirtualBox documentation on NAT Networks.

Screenshot: DC01 settings, Network, Adapter 1: Enable Network Adapter checked; Attached to: NAT Network on 10.0.150.0/24; Advanced: Promiscuous Mode: Deny; Cable Connected checked; Port Forwarding button.

3. Create a new network adapter (Adapter 2) and configure it as 'Bridged Adapter', bound to the host's physical NIC (enp0s25 here). In layman's terms, a bridged adapter puts the VM's virtual NIC on the same network segment as the host's physical connection, so the VM gets its own address on the home LAN and is reachable from every other machine on it, exactly as if it were plugged into the same switch.

Screenshot: DC01 settings, Network, Adapter 2: Enable Network Adapter checked; Attached to: Bridged Adapter; Name: enp0s25; Advanced: Promiscuous Mode: Deny; Cable Connected checked.

4. In the guest VM, configure the second (bridged) adapter's networking to match the host's network: a static address in the host subnet, with the host subnet's mask, gateway and DNS. Pick an address outside the pool your DHCP server (likely your home router) hands out, or create a reservation for it there, so nothing else ends up with the same address.

Screenshot: guest VM, Internet Protocol Version 4 (TCP/IPv4) Properties: 'Use the following IP address' selected, with a static address in the host subnet, subnet mask 255.255.255.0 and the default gateway set; 'Use the following DNS server addresses' selected, with preferred and alternate DNS servers filled in.

5. Configure the guest VM's firewall rules to allow traffic from that specific subnet.

  • Go to the firewall settings (depending on your flavor of VM your mileage may differ; this is a Windows VM), Advanced settings -> Inbound Rules.
  • Scope (local IP addresses): the IP of your guest VM
  • Scope (remote IP addresses): the IP, or range, of the management workstations on your host subnet

Screenshot: 'allow all 10.0.0.1/24 traffic' Properties, Scope tab (guest VM sample rule): Local IP address = These IP addresses: 10.0.0.101; Remote IP address = Any IP address.

  • Protocols and Ports: I set mine to ANY. It's up to you what you want to expose from your guest VM to your host; on a domain controller, limiting the rule to the ports you actually need (3389 for RDP, 445 for file shares) keeps the rest of the LAN away from everything else it listens on.

Screenshot: same rule, Protocols and Ports tab: Protocol type, Protocol number, Local port and Remote port (examples 80, 443, 5000-5010), and the ICMP settings Customize button.

Programs and Services: ALL. Again, it’s up to you what you want to expose.

Screenshot: same rule, Programs and Services tab: 'All programs that meet the specified conditions' selected rather than 'This program'; Application Packages and Services left unrestricted.

6. Now test the configuration from your host, or from a management computer on the same subnet as the host:

Test-NetConnection -ComputerName 10.0.0.101 -Port 3389 -InformationLevel Detailed

(you can use a ping test too, but I like to see the specific port)

ComputerName           : 10.0.0.101
RemoteAddress          : 10.0.0.101
RemotePort             : 3389
NameResolutionResults  : 10.0.0.101
MatchingIPsecRules     :
NetworkIsolationContext: Internet
IsAdmin                : False
InterfaceAlias         :
SourceAddress          : 10.0.0.36
NetRoute (NextHop)     : 0.0.0.0
TcpTestSucceeded       : True

Success! Connection to the RDP port 3389 works!

Now you can remote desktop to your VirtualBox guest VM from within your network. It also means you can keep deploying VMs against that virtual domain controller's DHCP. Hope this helps the next person.
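The guest-side part of steps 5 and 6 as one script, added here as an example rather than the post's own work. It assumes the post's addresses (guest 10.0.0.101 on the bridged adapter, host subnet 10.0.0.0/24) and a rule name I picked, and it scopes the rule to RDP from the host subnet only instead of the ANY/ALL the post used, which is the tighter choice for a domain controller sitting on a home LAN. The host-side VBoxManage equivalents of steps 1 to 3 are in the leading comment; "NATnet01" there is an assumed NAT Network name.

```powershell
# Host side (Ubuntu shell, VM powered off), equivalent to the GUI clicks in
# steps 1 to 3. "NATnet01" is an assumed name; use the NAT Network you created.
#   VBoxManage modifyvm "DC01" --nic1 natnetwork --nat-network1 "NATnet01"
#   VBoxManage modifyvm "DC01" --nic2 bridged --bridgeadapter2 enp0s25

# Guest side: run in an elevated PowerShell on the Windows Server 2016 guest.
$guestIp  = '10.0.0.101'                  # static address on the bridged adapter (step 4)
$mgmtNet  = '10.0.0.0/24'                 # the host/home subnet that may reach the guest
$ruleName = 'Allow RDP from host subnet'  # assumed name, not from the post

# Make the script re-runnable: drop any earlier copy of the rule.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Inbound RDP only, from the management subnet only, to the bridged address only.
# Widen -Protocol/-LocalPort deliberately if you also want SMB (445/TCP) or ICMP.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Profile Domain, Private `
    -Protocol TCP -LocalPort 3389 `
    -LocalAddress $guestIp -RemoteAddress $mgmtNet | Out-Null

# Read the scope back, so a typo does not silently turn into "Any IP address".
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress

# Step 6, from the host or a workstation on 10.0.0.0/24:
# Test-NetConnection -ComputerName $guestIp -Port 3389 -InformationLevel Detailed
```

The read-back at the end is the part worth keeping: the GUI screenshot in step 5 shows "Any IP address" selected for the remote scope, which is easy to leave behind by accident, and Get-NetFirewallAddressFilter makes that visible in one line.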


GPO enable VSS in Win 7

GPO VSS 1

Volume Shadow Copy has saved my butt on file, Exchange and SQL servers. Typically, IT departments discourage Previous Versions on desktops, mainly because it eats disk space and it's debatable whether an MP3 or AVI is really worth saving or rescuing.

Of course, if you have the space on your client machines to do it, you can enable VSS and give users the chance to recover files right from their own desktop machines.

First, create a new GPO and give it an appropriate name.
1. Enable the Volume Shadow Copy Service (VSS):

Computer Configuration->Windows Settings->Security Settings->System Services->Volume Shadow Copy and set to Automatic.

GPO VSS 3

2. Now give your users the ability to restore the files on their local PCs:
User Configuration->Policies->Administrative Templates->Windows Components->Windows Explorer->Previous Versions->

Prevent restoring previous versions from backups  – disabled
Prevent restoring local previous versions – disabled

See the Previous Versions setting

GPO add corporate picture to your AD logon account

Win 7 default picture

The default Windows logon picture, while very stock, is a bit boring. If you're in a corporate environment where a more suitable logon picture is preferred, here are the steps for adding a default picture to all users' profiles.

First, pick a picture and edit it to EXACTLY 128 x 128 pixels (you can use the picture in this post as a guide). Make your edits accordingly and save it with a .BMP extension.

Create a new GPO and name it 'Default Win7 logon picture'. Go to
User Configuration -> Preferences -> Windows Settings -> Files and create a new file

Create a new file in User Configuration->Preferences->Windows Settings->Files->New

Set Action to Replace.
For Source file, place your newly created .BMP in the GPO's unique ID path (you can find the ID on the Details tab of the newly created Group Policy object):

note your unique ID here

The resulting path in the source file should look like:
\\domain\SYSVOL\domain\Policies\{really-long-unique-gpo-identifier}\User\Preferences\Files\User.BMP

For Destination File, enter:
C:\ProgramData\Microsoft\User Account Pictures\user.bmp
(to change the local windows 7 .BMP picture)

It should look like the above; be wary of the direction of your slashes ("\").

Lastly, link the GPO to the proper user OU and run gpupdate /force.

*Alternatively, you can place your .BMP on a separate share on your network; a DFS path is ideal, as a general share needs its permissions opened up so every user can read it. This particular .BMP was only 100KB, so the extra Active Directory replication is minimal.
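A check worth running before the file lands in SYSVOL: that it really is a BMP of exactly 128 x 128, since Group Policy Preferences will happily copy a 129-pixel PNG renamed to .bmp and Windows will then ignore it. The following is an added example, not part of the original post; it reads the dimensions straight from the BMP header, then stages the file under the GPO's {GUID} folder using the Get-GPO cmdlet from the GroupPolicy module (RSAT or a domain controller). The GPO name is the post's; the domain name is a placeholder.

```powershell
# Added example, not from the original post. Verifies the picture is a real
# 128x128 BMP, then stages it in the GPO's Preferences path for the File item.
function Test-LogonBitmap {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Expected = 128
    )
    $b = [System.IO.File]::ReadAllBytes($Path)
    # A BMP starts with the ASCII magic 'BM'; width and height are little-endian
    # Int32 at offsets 18 and 22 of the BITMAPINFOHEADER. Height is negative for
    # top-down bitmaps, hence Abs.
    if ($b.Length -lt 26 -or $b[0] -ne 0x42 -or $b[1] -ne 0x4D) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'not a BMP file' }
    }
    $w = [BitConverter]::ToInt32($b, 18)
    $h = [Math]::Abs([BitConverter]::ToInt32($b, 22))
    [pscustomobject]@{
        Path   = $Path
        Ok     = ($w -eq $Expected -and $h -eq $Expected)
        Reason = "${w}x${h}, $([math]::Round($b.Length / 1KB, 1)) KB"
    }
}

function Publish-LogonBitmap {
    param(
        [Parameter(Mandatory)][string]$Source,
        [string]$GpoName = 'Default Win7 logon picture',
        [string]$Domain  = 'corp.example'      # placeholder, not from the post
    )
    $check = Test-LogonBitmap -Path $Source
    if (-not $check.Ok) { throw "Refusing to publish $Source : $($check.Reason)" }

    # The GPO's unique ID is the {GUID} folder under SYSVOL\...\Policies.
    $gpoId = (Get-GPO -Name $GpoName).Id
    $dest  = "\\$Domain\SYSVOL\$Domain\Policies\{$gpoId}\User\Preferences\Files"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $Source -Destination (Join-Path $dest 'user.bmp') -Force
    Join-Path $dest 'user.bmp'      # paste this into the Source file field
}

# Usage:
# Test-LogonBitmap -Path .\logo.bmp
# Publish-LogonBitmap -Source .\logo.bmp -Domain 'corp.example'
```

Publish-LogonBitmap prints the UNC path it wrote to, which is exactly the string the Source file field wants, so the GUID never has to be typed by hand.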

Disable .exe’s from running inside any user %appdata% directory – GPO

The CryptoLocker virus is out there in the wild; I've seen it happen on a few computers and it's certainly not pretty. The details are sordid, but in a nutshell: CryptoLocker gets onto your computer, encrypts all your pertinent files and demands a ransom so you can get them back. The more people pay, the bolder the ones delivering the virus become, and the more money they start demanding.

What can you do to protect your company?
Create some Group Policies to lock down the places malware, spyware, grayware, CryptoDefense and other unwanted .exe programs typically run from:

- Open Group Policy Management and create a new GPO
- Title this policy "Disable .exe from %appdata%" and click OK
- Right-click the policy and select Edit
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
- Right-click Software Restriction Policies and click 'New Software Restriction Policies'
- Right-click Additional Rules, click 'New Path Rule', enter the following information and click OK

Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData (Win 7)

Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData subfolders (Win 7)

Path: %localAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Prevent unarchived executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Prevent 7zipped executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Prevent Rar executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Prevent Winzip executables in email attachments from running in the user space (Win 7)

The following paths are for Windows XP machines (if you still have them; I put these in just in case, with the same Disallowed security level):
%AppData%\*.exe
%AppData%\*\*.exe

Create your new path rules as seen above

GPO Selections
Your final selections should look like the above. Make sure to apply the GPO to the proper OU once done.
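Before linking the GPO, it pays to know what the rules will hit on a real workstation: plenty of legitimate per-user installers (browsers, chat clients, updaters) drop their .exe files under %LOCALAPPDATA%, and they will be blocked along with the malware unless they get their own Unrestricted path or certificate rule. The script below is an added example, not part of the original post. It inventories the executables already present under %LOCALAPPDATA% and %APPDATA%, grouped by the folder depth the post's rules key on (depth 0 is "%localAppData%\*.exe", depth 1 is "%localAppData%\*\*.exe"), and shows which are signed by whom. Run it as the user whose profile you want to see.

```powershell
# Added example, not from the original post: pre-rollout inventory of the .exe
# files the SRP path rules above would cover on this machine.
function Get-ProfileExecutables {
    param(
        [string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA)
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $rel = $_.FullName.Substring($root.Length).TrimStart('\')
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Root   = Split-Path $root -Leaf          # 'Local' or 'Roaming'
                    Depth  = ($rel -split '\\').Count - 1    # 0 = directly under the root
                    Path   = $rel
                    Signed = $sig.Status                     # Valid, NotSigned, HashMismatch ...
                    Signer = $sig.SignerCertificate.Subject
                }
            }
    }
}

$exes = Get-ProfileExecutables

# How many files sit at each depth, i.e. how many each rule would catch here.
$exes | Group-Object Root, Depth | Select-Object Name, Count | Format-Table -AutoSize

# Signed binaries from a vendor you trust are candidates for an Unrestricted
# exception; the unsigned ones are what the Disallowed rules are there to stop.
$exes | Sort-Object Signed, Depth |
    Format-Table Root, Depth, Signed, Signer, Path -AutoSize
```

Run it on two or three representative machines rather than one; the per-user installers vary by department far more than the malware paths do.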

*Update Feb 02, 2016*

I spent some time on a conference call with some Malwarebytes reps; I've been test-driving a beta version that's now available to the public.

Introducing Malwarebytes Anti-Ransomware

As I understand it, the good folks at Malwarebytes will be consolidating all their products (Anti-Malware, Anti-Ransomware and Anti-Exploit) into one big runtime (date not yet announced).


Editing Office 2013 installs via Group Policy

MS GPO

With the new Office getting pushed out, I was running into problems with PST files; namely, I didn't want them in my environment cluttering things up and causing a ruckus on local computers. After a bit of research I found a way to use Group Policy to change this, along with a multitude of other options within the MS Office suite.

First, you'll need the MS Office 2013 administrative templates (you are given a choice between 32-bit and 64-bit; keep in mind that as of this writing Adobe Reader hasn't gotten around to a 64-bit reader plugin, so I'm sticking with 32-bit installs).

Once downloaded, extract them somewhere and copy the *.admx files and the en-US directory into the domain's central store:

\\DOMAIN\SYSVOL\DOMAIN\Policies\PolicyDefinitions

(on a domain controller the same directory is under the local SYSVOL folder). I didn't actually have a PolicyDefinitions directory, so I created one manually, and I raised my domain functional level to 2008 because of one pesky 2003 server in the environment that has since been phased out.

Copy these files to your \\Sysvol\ directory where the rest of the domain policies exist


Once done copying, go to Group Policy Management, create a new object (name it something relevant to your Office suite) and take a look under
User Configuration -> Administrative Templates:
MS Office 2013 GPO Admin Template expanded
You now have a large grouping of new Office objects you can manipulate.
The settings I was looking for were:
User Configuration->Policies->Administrative Templates: Policy definitions->Microsoft Outlook 2013->Miscellaneous->PST Settings
MS Office 2013 GPO-PST settings
Now you can point all PST files at the network instead of bogging down a local PC, which is a potential pain point if that computer crashes.
Otherwise, you can take PSTs right out of the picture by disabling the AutoArchive settings:
User Configuration->Policies->Administrative Templates: Policy definitions->Microsoft Outlook 2013->Outlook Options->Other->AutoArchive
MS Office 2013 GPO-disable AutoArchive
Lastly, link it to the proper OUs and run gpupdate /force on the domain controller and the client machine.
These screencaps were done within a Server 2008 R2 environment with a fresh deployment of Office 2013 Professional. The same steps apply to Office 2007 and Office 2010 with their own administrative templates.

How to get Green ticks on Google Drive back

Google Drive no Syncy for you

I've been using Google Drive to sync files for some time now, because it's great having 15GB of storage sitting in the cloud that I can access anytime. I'm not here to point out the merits of having a Google account that needlessly and continually asks me to come back to my Google+ account, and yes, I find it annoying that Gmail now separates my mail into confusing tabs that really don't mean anything to me. That little rant is for another article. Today, I'm going to show you how to get the green tick marks back on your Google Drive folder to show that all your files are syncing.

When I had Google Drive, I found I needed more cloud storage, so I installed SkyDrive and most recently the Synology Cloud Station product. What this does is make my bottom toolbar look like it threw up, as I have close to 20 icons sitting in the corner. Call me OCD, but I need to see all my icons, and having them hidden drives me bananas. The problem with Windows Explorer is that it only allows 15 slots for icon overlays. What does this mean? Every program that registers changing icons (the aforementioned SkyDrive, and Google Drive, which needs icons to change to green for synced, red for unsyncable, yellow for in progress, and so on) uses up some of those 15 slots, and whichever handlers sort past slot 15 are simply ignored. In my case, my Google Drive puked and turned all the folders and files inside into normal-looking icons, which normally wouldn't be a problem, but I couldn't see if any files had problems getting up to the cloud. Here I've compiled an easy-to-follow fix should you encounter the same situation.

These instructions are for Windows 7, and I’ve heard they work on Windows 8 as well.

1. Run Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\

2. Find these 3 entries: 'GDriveSharedOverlay', 'GDriveSyncedOverlay' and 'GDriveSyncingOverlay'

Gdrive registry before
3. Add a prefix ahead of them so they sort ahead of the other handlers and claim three of the 15 slots: '0GDriveSharedOverlay', '1GDriveSyncingOverlay' and '2GDriveSyncedOverlay'. It should look like this now:

Gdrive registry before-and after

4. Reboot your PC and take a look at your Google Drive icons; they should all reappear with the green ticks:

folders after

You will have to repeat these steps over time, whenever another program adds overlay handlers that push yours back past the 15-slot limit on your Windows machine, so keep that in mind.
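The same fix from an elevated PowerShell prompt, added here as an example and not part of the original post. Before touching anything it lists every overlay handler in the order Explorer loads them (alphabetical by key name, first 15 get a slot), so you can see who is crowding Google Drive out; then it applies the post's three renames and shows where the Drive handlers land. The 15-slot limit and the three key names are the post's; the sort order is Explorer's own.

```powershell
# Added example, not from the original post. Run elevated: the key is under HKLM.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

function Get-OverlaySlots {
    # Explorer honours handlers in key-name order and stops after 15.
    $handlers = Get-ChildItem -Path $key | Sort-Object PSChildName
    for ($i = 0; $i -lt $handlers.Count; $i++) {
        [pscustomobject]@{
            Slot   = $i + 1
            Active = ($i -lt 15)                 # beyond slot 15 the handler is ignored
            Name   = $handlers[$i].PSChildName
            Clsid  = (Get-ItemProperty -Path $handlers[$i].PSPath).'(default)'
        }
    }
}

"Before:"
Get-OverlaySlots | Format-Table -AutoSize

# The post's renames: a leading digit sorts ahead of every letter.
$renames = [ordered]@{
    'GDriveSharedOverlay'  = '0GDriveSharedOverlay'
    'GDriveSyncingOverlay' = '1GDriveSyncingOverlay'
    'GDriveSyncedOverlay'  = '2GDriveSyncedOverlay'
}
foreach ($old in $renames.Keys) {
    $from = Join-Path $key $old
    if (Test-Path $from) {
        Rename-Item -Path $from -NewName $renames[$old]
    } else {
        Write-Warning "$old not present (already renamed, or Google Drive not installed)"
    }
}

"After:"
Get-OverlaySlots | Where-Object { $_.Name -like '*GDrive*' } | Format-Table -AutoSize
# Restart Explorer (or reboot, as the post does) for the new order to take effect.
```

The "Before" table is the useful diagnostic: handlers whose names start with a space sort ahead of digits, so if another product has already played the same trick, the Drive entries may still land past slot 15 and need an earlier prefix.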

Handy App of the Day: SearchMyFiles

The other day I was tasked with finding all the duplicates in a large network share.  Large as in: 2TB worth of company data.  The previous IT company wasn’t so good at house cleaning so I was given the assignment of finding all the duplicate data that existed and archiving or deleting it to save space on backups.  After a little research, I found my answer in Nirsoft’s SearchMyFiles.

I’ve mentioned Nirsoft in the past with their export text software, and the SearchMyFiles app is another impressive tool they offer for free.

My first searches were for duplicate-finding software; it was only by pure luck that I stumbled across this gem, as it is named a 'search' utility and not a 'duplicate' utility. The functionality is right in the dropdown!

SearchMyFiles with Duplicates finder.  No frills here, options are simple and easy to configure
SearchMyFiles with Duplicates finder. No frills here, options are simple and easy to configure

While the software isn’t the prettiest, it is by far the most powerful and menu friendly.  No need to look and bump around with file and options as it’s all laid out to see.  There’s no installer either, so it’s a small footprint and can be run directly from a USB stick.

After about an hour, I had search results I could export into a spreadsheet and pore over with a fine-tooth comb.

As you would imagine, the regular search utility is awesomely fast as well; going through a network share was a breeze, and you can specify how many folders deep it goes (infinite is an option).

Well done NirSoft, you’ve saved my bacon again!

-Dexter

Configuring NPS on Server 2012 with Cisco WLC: Part 2

In part 1 of this tutorial, I stepped through configuration of the Cisco equipment and of the Network Policy Server with a certificate. In this part, I'll show you how to tie it all together in Group Policy.

This tutorial already assumes you have the following:
*Group Policy objects SPECIFICALLY for laptop computers
*CA certificate created

Group Policy can make your life easier, especially if you have a large environment. It's important to have a good, CLEAN Active Directory, free of clutter or orphaned objects (i.e. objects you don't know about). I suggest separating your computer accounts into PCs and laptops: laptops get the wireless Group Policy while the PCs don't, as they are typically hard-wired into an RJ45 jack.

First, create a new GPO: give it a meaningful name

Image 001

Once created, drill down into Computer Configuration->Windows Settings->Wireless Network (802.11) Policies and create a new Windows Vista and Later Releases policy (this covers Windows 7 and 8). Tailor this to your needs; you can just as easily create a Windows XP policy, as the screens are very similar.

Image 002

Give it a policy name; I gave mine simply 'Corporate Wifi'. I also used the Windows WLAN AutoConfig service to manage the connection. This means that if you're using the Dell connect utility or the HP Connection Manager, this Group Policy will not work. Again, depending on the laptops you're configuring, you'll have to make adjustments. This guide assumes you're formatting laptops with standard Windows operating systems and no additional bloatware.

After giving it a policy name, add an Infrastructure network (on the bottom).

Image 003

The Profile Name is what the client shows it is connected to, so you have the opportunity to give your SSID a different name for your internal employees. For this example, I have an SSID of 'Super-Secret-Wireless', but the profile name is simply 'Wifi profile'. When your users connect to wireless, they will only see that they are connected to 'Wifi profile'.

Image 004

Click the Security tab to change your SSID's security settings. I'm using WPA2-Enterprise authentication with PEAP and a certificate. To choose the certificate, click Properties beside your authentication method.

Image 005

Ensure you're validating the server certificate, then put a checkmark on the CA certificate you created in the first part of this tutorial. That validation is what stops a laptop from handing its domain credentials to a rogue access point broadcasting the same SSID, so don't leave it unchecked for convenience. To ensure your clients have the certificate, you can use a GPO to install it for you automatically.

Image 006

Once you've added the profile, you'll see it as one of the SSIDs in your Windows Vista and later wireless policy.

Image 007

That's about it. As long as your client has the certificate, and you force a gpupdate, they should connect to your new wireless without you needing to touch every laptop.

Image 008

The last tutorial was done on Server 2012, these screen caps were done from a 2008 server.  Don’t worry, most of the content is still the same across both operating systems.

Configuring NPS on Server 2012 with Cisco WLC: Part 1

This how-to article covers configuring Windows Server 2012 Network Policy Server and Certificate Authority with a Cisco WLC 2504 series controller (software version 7.4.100.0).

As specific as that list is, much of what Cisco offers with older software versions still holds true. The authentication model still works, particularly the 802.1X configuration. From the get-go, you will have to create a new certificate if the NPS server is not a domain controller. The linked article explains in depth how to create a certificate for use with a PEAP authentication model. If the server is a domain controller, you can use the domain controller certificate for this purpose.

I recommend creating a RAS and IAS Server certificate and pushing the certificate via GPO (the clients need the issuing CA's certificate in their trusted roots to validate it), namely because you can change the expiration date of the certificate (10 years in the future if you really want).

First, configure the NPS:

You'll need the IP address of the WLAN controller (192.168.50.250 in this example) when adding it as a RADIUS client, and you'll configure a shared secret here that you'll need again on the Cisco WLC. Make it long and random; it is the only thing that authenticates the controller to NPS.

MS config 001

For the properties portion, use RADIUS Standard.  You can choose a specific Cisco device – but for this example and setup the RADIUS Standard works.

MS config 002

Next, click on Connection Request Policy, we’re going to create a new policy to use this server as the RADIUS authentication server

ScreenClip

Give your Policy a meaningful name and make sure it’s enabled

MS config 003

For the Overview, make sure you check "Grant Access", otherwise your clients will not connect. You don't have to specify the network access server type for this example.

MS config 006

Under Conditions, enter the IP of the Cisco WLC as a NAS IPv4 Address condition. When IPv6 becomes available, you'll see how this will change.

MS config 008

For Constraints, choose Authentication Methods, and add in Microsoft: Protected EAP (PEAP).  Make sure it has the same checkmarks as the ones below:

MS config 009

Highlight PEAP and click Edit... on its properties. Here is where you want to ensure you have the proper certificate. Earlier in this tutorial I mentioned using a RAS and IAS Server certificate over a domain-issued certificate, as the expiry date can be lengthened by a wider margin. In the dropdown you should see that one and your domain certificate (if this is a domain server). If you're having trouble deciding which certificate is which, run the Certification Authority console and look at your issued certificates; the certification path shows the name. Use the appropriate one. You should have only one EAP type listed: Secured password (EAP-MSCHAP v2).

MS config 010

Next, log into your Wireless LAN Controller to do additional configuration. For this example, I've already created my wireless network and given it an SSID (longer steps are involved for that, of course). From the WLC main page, navigate to the Security tab, and along the left-hand side choose RADIUS->Authentication. Add a new server address; here I've plugged in the IP of my Windows NPS. Keep the default port 1812 and enter the same shared secret you set on the NPS RADIUS client.

Cisco config 006

For my WLC software version, I had to change the Session Timeout value to 24 hours (86400 seconds), as clients were being dropped every few minutes. Older Cisco versions don't have this issue; it could be something to do with Server 2012 polling. Your mileage may vary.

Cisco config 005

After adding the IP of your NPS server, click on the SSID you want to use authentication on, choose the 'Security' tab, and in the sub-tabs choose 'Layer 2'; choose WPA+WPA2 for the type of security.

Cisco config 002

Next, choose 'AAA Servers'. For the first server, it should populate with the IP of the NPS server we added in a previous step, and the port will show as 1812 (the default) as well. Make sure to use LDAP authentication to the same server, or to the IP address of your domain controller if your NPS lives elsewhere. Note that the port changes for LDAP versus RADIUS/NPS.

Cisco config 004
Save your changes and you should now have a functioning WPA2-Enterprise wireless network using RADIUS for authentication. There are a few caveats here: you need to EXPORT the certificate used for authentication from the NPS server and IMPORT it into your Windows laptop, then configure the wireless profile to use that certificate and the Windows domain.
Part 2 will cover adding the certificate and wireless network via Group Policy.