Wednesday, August 9, 2017

Strong Indicator of Mental Illness Identified

I have thought this for some time, but Sebastian Gorka's pronouncement that the Minnesota mosque attack may have been "The Left" trying to make "The Right" look bad, compelled me to type... He even claims that there has been a series of these attacks by the left in the last six months. A claim that I can't substantiate with news reports and he does not back.

For those who don't know the term, because you don't read spy novels or aren't mentally ill, this is called a "False Flag Operation". This is when you blow up a day care center and blame it on your enemy.  Maybe you use their IED of choice to sell the scenario. Yes, IED of choice is something the right learns from watching too much 24. I am talking to you Justice Scalia.

There are two vital things to know about FFOs:

  • To commit such an act is beyond morally reprehensible. It makes you far worse than your enemy.
  • If you see an event and your first thought is "This may be an FFO", this is due to the availability error. It means that you are so morally reprehensible, that it is something you'd consider doing to promote your cause.  
FFOs are a common conspiracy theory of the right and... wait for it, they strongly correlate with mental illness.

Please do NOT Google false flag. It will lead you to terrible places on the web. FFO is the go-to explanation given by nearly every alt-right, white supremacist, "patriot" group, etc., if something bad happens in the world.

This is just my opinion, so you can't sue me. I mean, the links are legit and the science is, but I don't even play a doctor on TV.

Monday, August 7, 2017

Copying the NTAuth Enterprise store certificates from one Forest to another

The enterprise NTAuth store is a key Active Directory configuration item. It is key to allowing users to log in with smart cards. When using PKI cross-forest, we usually use the PKISync.ps1 script to link the two forests' PKI configurations. This script is designed to allow cross-forest certificate enrollment, which it does well. It does not cover the NTAuth config for smart cards. This seems to get missed a lot.

Below is a two-liner to copy the NTAuth certificates from one forest to another, assuming the NTAuth object already exists in the target forest and just needs to be populated.

# Read every CA certificate held in forest 1's NTAuth object. The -Server value is a placeholder for any DC in forest 1; the original line was cut off after -Server.
$caList = (Get-ADObject -SearchBase "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain1,DC=com" -SearchScope Base -Filter * -Properties cacertificate -Server "dc01.domain1.com").cacertificate

# Add each certificate to forest 2's NTAuth object (multi-valued attribute, so -Add per item). -Server is a placeholder DC in forest 2 so the write goes to the right forest.
foreach($ca in $caList) {Set-ADObject "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain2,DC=com" -Add @{cacertificate=$ca} -Server "dc01.domain2.com"}
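Because NTAuth membership is what makes a CA trusted for smart card logon, it is worth seeing exactly which CAs would be copied before running the two-liner. The script below is an added example (not from the original post): it reads both forests' NTAuth stores, parses each certificate, and reports what is missing, expired, or present only in the target. The DC names are placeholders for the domain1.com and domain2.com forests.

```powershell
# Compare the NTAuth stores of two forests before copying (added example, not the post's code).
# dc01.domain1.com / dc01.domain2.com are placeholders for a DC in each forest.
param(
    [string]$SourceDC = 'dc01.domain1.com',
    [string]$TargetDC = 'dc01.domain2.com'
)

function Get-NTAuthCerts {
    param([string]$Server)
    # Take the configuration naming context from RootDSE so no DN is hard-coded.
    $rootDse = Get-ADRootDSE -Server $Server
    $dn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate -Server $Server
    foreach ($raw in $obj.cACertificate) {
        # Each value is a DER-encoded certificate; parse it so thumbprint, subject and expiry are readable.
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    }
}

$source = Get-NTAuthCerts -Server $SourceDC
$target = Get-NTAuthCerts -Server $TargetDC
$targetThumbs = $target | ForEach-Object Thumbprint
$sourceThumbs = $source | ForEach-Object Thumbprint

foreach ($cert in $source) {
    $status = if ($targetThumbs -contains $cert.Thumbprint) { 'present' } else { 'MISSING' }
    # An expired CA certificate grants nothing useful and should not be carried over.
    if ($cert.NotAfter -lt (Get-Date)) { $status += ' (expired, do not copy)' }
    '{0,-24} {1}  {2}  expires {3:yyyy-MM-dd}' -f $status, $cert.Thumbprint, $cert.Subject, $cert.NotAfter
}

# Anything trusted for smart card logon in the target that the source does not trust deserves a second look.
$target | Where-Object { $sourceThumbs -notcontains $_.Thumbprint } |
    ForEach-Object { 'EXTRA in target: {0}  {1}' -f $_.Thumbprint, $_.Subject }
```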

Thursday, July 20, 2017

Fake News Explained in Three Pictures

As I read this story about one of failed businessman Donald Trump's lawyers telling complete and utter lies on ABC News, it occurred to me why these lies are working.  The Secret Service is known for working hard to be non-partisan. When they are forced to call one of Trump's lawyers a liar, you know something is amiss.

Here is why it works on his supporters.

Friday, March 24, 2017

I Just Saved $121!!

I'm not one to pimp products unless they are really good and I understand them, but today is an exception.

I have NO IDEA how GoodRX works, but I do know it saved me $121.11 on a single prescription.  Usually, when you install an app that gets you something for free, you are the commodity.  Most apps want all sorts of crazy access to your phone.  GoodRX wanted pretty basic access and gave me a super coupon.

Drug cost was $221.  My insurance only covered $48.  I was going to pay $173.  Enter the GoodRX coupon and I saved $121.  I only paid $52!!!!


Thursday, March 16, 2017

The Tyranny of Network Level Authentication and CredSSP


“My password is expired so I can’t login, but I need to RDP in to change my password!”, is the cry we constantly hear.

This happens when your users log in to their local machine using one account, but need to RDP into a machine using another account in a different domain.  This is often because the systems they need to work on are in a different domain in order to segment access.  Think Corp creds for email and HR vs prod creds for the company’s web sites.

NLA is not really a security control; it simply changes when you authenticate.  With NLA on, you authenticate (using CredSSP) before getting the remote session and GUI. This is designed to reduce the load on the server.  This however removes a user’s access to the login GUI, where they can change their password at login.

Everything you are likely to find on this issue will tell you that the issue is Network Level Authentication (NLA) being required for RDP. NLA is not supposed to be required by default, but I have seen and heard that it often turns on at domain join.  I have seen this even though there was no GPO setting it. (We are both wrong, but I’ll get back to that later.) This could be related to all sorts of build and domain join automation. If you have the issue, why is not particularly important. You will just need to go and set the GPO, edit the registry on the machine, or change it via the GUI.

“Mark, I made the change, but I still can’t get in!!”  That’s right, you can’t. NLA probably wasn’t even turned on.  As I mentioned above, we were wrong. So why can’t we login and change our passwords‽  We can’t change our passwords because most RDP clients, such as mstsc.exe or rdcman.exe, just assume NLA is on and try to authenticate you first anyway.  This fails and you are kept out.

You need to tell your client not to use CredSSP for your connection. If you are implementing your own RDP client via the ActiveX library MsTscAx.dll, set EnableCredSspSupport to false.

One caveat is that there is no way to send the password anymore, say from your local cred manager or a password management tool.  You will have to type the old password once and the new password twice, so it’s a bit of a pain. 

Don’t let your password expire…
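The two halves of the post, "is NLA actually required on the server?" and "tell the client not to use CredSSP", can be scripted. Added example, not the post's own code: it reads the RDP-Tcp listener's UserAuthentication value on the target (assumes admin rights there) and, if NLA is not required, writes a minimal .rdp file with enablecredsspsupport:i:0, the mstsc.exe equivalent of the ActiveX EnableCredSspSupport=false setting. 'prod-web01' is a placeholder host name.

```powershell
# Check whether a host really requires NLA, then build a no-CredSSP .rdp file
# (added example, not from the post). 'prod-web01' is a placeholder.
param([string]$ComputerName = 'prod-web01')

function Get-NlaState {
    param([string]$Computer)
    # UserAuthentication=1 on the RDP-Tcp listener means the server insists on NLA; in that
    # case a client-side CredSSP opt-out cannot help and the GPO/registry on the server must change.
    $keyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($keyPath)
        [pscustomobject]@{
            Computer      = $Computer
            NlaRequired   = ([int]$key.GetValue('UserAuthentication', 0) -eq 1)
            SecurityLayer = [int]$key.GetValue('SecurityLayer', -1)   # 0 = RDP, 1 = negotiate, 2 = TLS
        }
    } finally { $hklm.Close() }
}

function New-PasswordChangeRdpFile {
    param([string]$Computer, [string]$Path)
    # enablecredsspsupport:i:0 makes mstsc.exe skip CredSSP and show the session's logon screen,
    # which is where the change-password path lives. No password is stored in the file; as the
    # post notes, the old password has to be typed once and the new one twice.
    @(
        "full address:s:$Computer"
        'enablecredsspsupport:i:0'
        'authentication level:i:2'   # still warn if the server certificate cannot be verified
    ) | Set-Content -Path $Path -Encoding ASCII
    $Path
}

$state = Get-NlaState -Computer $ComputerName
$state
if ($state.NlaRequired) {
    "$ComputerName requires NLA on the server side; a client-side CredSSP opt-out will not help until that is changed."
} else {
    $rdp = New-PasswordChangeRdpFile -Computer $ComputerName -Path "$env:TEMP\$ComputerName-pwchange.rdp"
    "Launch with: mstsc.exe `"$rdp`""
}
```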



Friday, February 10, 2017

PowerShell Module for Reading Group Managed Service Account Passwords

I recently covered the topic of Active Directory Group Managed Service Accounts. They are the new hotness from Microsoft.  I also offered up some code snippets for interacting with them.

Now I offer up a PowerShell module that also exposes .NET classes and methods for reading gMSA passwords.

This module has a couple of great uses.  First of all, not all services and applications can leverage a gMSA natively. The DLL lets you try to fit a gMSA into your system. Second, the module makes calls directly to Active Directory via LDAP rather than via the Active Directory Web Service.  In some cases, you may not have the firewall rules set up to allow access to ADWS, but all clients will have access to AD over TCP 389, as it is required.
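Since anything that can read a gMSA password over LDAP is only as safe as the list of principals allowed to retrieve it, the natural companion to such a module is an audit of that list. The script below is an added example (not the poster's module): it uses System.DirectoryServices over plain LDAP on TCP 389, with no dependency on ADWS, to enumerate gMSA accounts and decode msDS-GroupMSAMembership into the principals permitted to fetch each password. 'dc01.domain1.com' is a placeholder domain controller.

```powershell
# Audit who may retrieve each gMSA password, over LDAP only (added example, not the module's code).
# 'dc01.domain1.com' is a placeholder domain controller.
param([string]$Server = 'dc01.domain1.com')

function Get-GmsaPasswordReaders {
    param([string]$Server)
    $root = [adsi]"LDAP://$Server/RootDSE"
    $domainDn = [string]$root.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]"LDAP://$Server/$domainDn",
        '(objectClass=msDS-GroupManagedServiceAccount)',
        @('sAMAccountName', 'msDS-GroupMSAMembership'))
    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties['sAMAccountName'][0]
        $sdValues = $result.Properties['msDS-GroupMSAMembership']
        $readers = @()
        if ($sdValues.Count -gt 0) {
            # msDS-GroupMSAMembership is a binary security descriptor; every grantee in its DACL
            # is a principal that can ask a DC for the managed password.
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$sdValues[0]), 0)
            if ($sd.DiscretionaryAcl) {
                foreach ($ace in $sd.DiscretionaryAcl) {
                    $sid = $ace.SecurityIdentifier
                    try   { $readers += $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $readers += $sid.Value }   # unresolvable SID: orphaned or foreign, worth a look
                }
            }
        }
        [pscustomobject]@{ Account = $name; AllowedToRetrievePassword = ($readers -join ', ') }
    }
}

Get-GmsaPasswordReaders -Server $Server | Format-Table -AutoSize
```

A gMSA whose list is empty cannot be used by anyone; one whose list contains broad groups is the finding to act on.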


Friday, January 27, 2017

Trump Admits that US Citizens Will Pay for the Wall

Failed businessman and reality TV personality Donald Trump  admitted today that US consumers will pay for his wall between the US and Mexico. White House press secretary Sean Spicer explained that Trump plans a 20% tax on goods imported from Mexico in order to pay for the wall.

Like many failed businessmen, Trump is unaware that the cost of goods will be passed on to the American consumers. Mexican goods already have a low profit margin for their manufacturers, so they will not be able to absorb the costs and will instead pass the cost along to us or go out of business.