Monday, June 10, 2013

BitLocker on the Surface Pro

I've had my Surface Pro now for a number of months and have to say that it's one of the best portable devices I have ever used. I'd rank it up there with the first time I purchased the iPhone 3G back in 2008.

BitLocker and Pre-Boot Authentication

When enabling BitLocker on the Surface Pro, you'll find that it is impossible to set a PIN under the default configuration.

I can't believe I overlooked the GPO setting that lets you do this!

The GPO setting is as below:

Once you configure this, enabling BitLocker will let you use a PIN on your Surface Pro!

Note: You must have your keyboard attached or a USB keyboard when you boot the system for this to work.
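As an added example (not from the post), a short PowerShell check that the policy screenshot above is actually in effect and that the OS volume ends up with a PIN protector. It assumes the policy values are stored under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, UseTPMPIN), as documented for BitLocker group policy, and that the BitLocker PowerShell module shipped with Windows 8 is available; run it as Administrator.

```powershell
# Added example, not from the original post. Assumption: the "additional
# authentication at startup" policy is persisted under this key with the
# values UseAdvancedStartup and UseTPMPIN (BitLocker group policy docs).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PinPolicyState {
    if (-not (Test-Path $fve)) {
        return 'No BitLocker policy keys present: the default configuration applies (no PIN option).'
    }
    $p = Get-ItemProperty -Path $fve
    # UseAdvancedStartup = 1 means the startup-authentication policy is enabled.
    if ($p.UseAdvancedStartup -ne 1) {
        return 'Additional authentication at startup is not enabled; a PIN cannot be set.'
    }
    # UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow a startup PIN with the TPM.
    switch ($p.UseTPMPIN) {
        1       { 'TPM+PIN is required by policy.' }
        2       { 'TPM+PIN is allowed by policy.' }
        default { 'TPM+PIN is not allowed by policy.' }
    }
}

function Test-OsVolumeHasPin {
    # The BitLocker module (Windows 8+) exposes each protector's type.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $types = $os.KeyProtector | ForEach-Object KeyProtectorType
    return ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
}

Get-PinPolicyState
if (Test-OsVolumeHasPin) {
    'The OS volume already has a PIN protector.'
} else {
    'No PIN protector yet. Once the policy applies (gpupdate /force), add one with:'
    '  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString "PIN")'
}
```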

Saturday, April 13, 2013

Webserver Security Model

Hey all!

Over the course of the week I had thought long and hard about how I wanted to rebuild my Linode VM to accommodate some of the changing realities of what I want out of my hosted Linux solution. One of the key changes I wanted to make was to try and use NGINX over Apache for the webserver due to the reputation it has gained for resource utilization in virtualized environments. And I'm always up for playing with new things...

Then it got me thinking about the security model of virtual hosted sites in Apache. One of the things I've always disliked is that under a default LAMP stack installation, as documented in the Server Guide on Ubuntu's site, all shared websites are run under the security context OF THE SAME USER ACCOUNT ON THE SYSTEM.

What this essentially implies is that code executed under one site could potentially impact all other hosted sites on this Apache server. I'm not a huge fan of this model, and it's not a model that IIS follows when running ASP.NET-powered websites.

I'm going to try and demonstrate this using some charts I made for this blog post to kind of provide a visualization to this issue. I'm not all that great at chart making so I hope this helps. Just remember--the colors imply separation of security contexts. Also, assume all security permissions are set for RW for the owner, and R for everything else.

libapache2-mod-php5 Problem

The underlying problem is that when Apache loads, it launches the root process, which handles incoming requests and controls the worker processes. The worker processes are the ones that actually carry the workload of a particular request. These worker processes are spawned under a limited user, usually www-data in Debian-based distributions, and http or apache in others.

Each worker process also has the PHP module loaded, which executes the dynamic code in the .php files of your website. All of this code runs under the context of the worker process, which in this case is shared across all of your virtually-hosted websites.

Under this security model, a website that is vulnerable to attack on www.domainA.com could potentially write code to another website on the same server, www.domainB.com.

This is visually demonstrated below:


If someone were to exploit exploit-me.php, they could write some extra dynamic code in index.php on the other site.

The Solution

Obviously there are many potential solutions to this problem, but I'm going to try and stick as closely to the original configuration as possible--that is, a single VM node running multiple shared hosted websites.

The proper way to solve this particular issue is to leverage FastCGI, or more specifically PHP-FPM, to handle the execution of dynamic code for you. You can use PHP-FPM even with Apache; a guide can be found on the Apache Wiki.

Application Pools

A model that IIS has used for a while is the concept of an Application Pool. This model is also adhered to by PHP-FPM, and I'd highly recommend you familiarize yourself with its proper configuration.

When configured properly, dynamically executed code is run under independent processes and security contexts. This essentially means that code on domainA could not write to files hosted on domainB. In the TechNet link above, Microsoft has outlined a few additional benefits of operating under different processes. If ProcessA hangs, ProcessB can still execute code. Obviously you are bound by hardware and threading limits, but the point still stands.

Below is a diagram outlining how this model differs from the one above:

As you can see above, DomainA.com and DomainB.com now have their own independent user accounts along with their own independent processes. In the NGINX/PHP-FPM model, the communication between the webserver process and the PHP-FPM process is done with Unix Sockets. Each PHP-FPM Pool is listening on its own unique socket. The socket to use is defined in NGINX's configuration under the server (vhost) configuration.

Even more importantly, you can use this process model to implement Mandatory Access Control with something like SELinux, the details of which are far beyond the scope of this document.
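As an added example (not from the post or from the PHP-FPM project's own docs), here are two pool definitions of the kind the second diagram describes, covering both the shared-worker problem above and the per-site pools in this section: each site gets its own account, its own socket that only the web server user may connect to, and an open_basedir fence around its own tree. The account names, document roots and socket paths are assumed.

```ini
; Added example; file names, users, roots and socket paths are assumed.
; /etc/php/fpm/pool.d/domaina.conf
[domaina]
; Dedicated account that owns /srv/www/domaina and nothing else.
user = domaina
group = domaina
; One socket per pool; NGINX selects the pool by this path.
listen = /run/php-fpm/domaina.sock
; Only the web server's worker user may connect to the socket.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; Spawn workers only while requests arrive; a hung pool does not starve the other.
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; php_admin_* values cannot be overridden by ini_set() in site code.
; Even a compromised script in this pool cannot open paths outside these trees.
php_admin_value[open_basedir] = /srv/www/domaina:/tmp/domaina
php_admin_value[upload_tmp_dir] = /tmp/domaina
php_admin_flag[allow_url_fopen] = off

; /etc/php/fpm/pool.d/domainb.conf
[domainb]
user = domainb
group = domainb
listen = /run/php-fpm/domainb.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
php_admin_value[open_basedir] = /srv/www/domainb:/tmp/domainb
php_admin_value[upload_tmp_dir] = /tmp/domainb
php_admin_flag[allow_url_fopen] = off
```

In the matching NGINX server block, fastcgi_pass unix:/run/php-fpm/domaina.sock; routes that vhost to its pool. The isolation itself comes from the filesystem: with /srv/www/domainb owned by domainb, group www-data, directories 750 and files 640, the cross-site write in the first diagram fails with a permission error even before open_basedir is consulted.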

Thursday, March 21, 2013

Adobe Reader Deployment - Derp

One of the most important aspects of software security these days is ensuring that you keep your applications updated. But as a matter of environmental policy, you oftentimes have to modify the installers to conform to your system usage policy. For example, to turn off automatic updates, to enable Protected View, etc.

I downloaded the Adobe Reader 11.0.02 executable installer which gives you some minor command line options. But to really get to the down and dirty, you need to use the Adobe Customization Wizard XI.

Steps
  1. Download the Adobe Reader 11.0.02 executable.
  2. Use 7-Zip to extract the file.
  3. Run the Adobe Customization Wizard on AdbeRdr.msi.
  4. Create an MST including your changes.
  5. The wizard also modifies setup.ini.
  6. Add TRANSFORMS="mytransform.mst" to the CmdLine option in setup.ini.
  7. Run "setup.exe".
Here's the fun part...

The above process installs Adobe Reader 11.0.00!

Yes. When you use the 11.0.02 installer, extract it, modify it, and install it, it installs 11.0.00! Nowhere in the MSI nor the setup.ini file does it state that it's doing a patch update from Adobe during the install process.

So you have to download the 11.0.01 and 11.0.02 MSP files, put those into the same folder, and then modify your setup.ini to include the following:

Under the [Product] section: PATCH=AdbeRdrUpd11001.msp;AdbeRdrUpdSec11002.msp

* Note, the file names might not be exact.

Saturday, February 23, 2013

Microsoft's uphill battle in the public perception of Windows 8

If you haven't been living under a rock for the past 6 months you would know that Microsoft recently released a new operating system. Windows 8 came out nearly 3 years after Windows 7 and brings with it a massive overhaul in how users interact with their PC. The change, formerly called "Metro", essentially layers a touch-designed interface and tablet-style application model as part of the core Windows 8 experience. This design has had its naysayers.

This OS has been called the "Vista" of its generation. Many people consider Microsoft to be under a "tick tock" style of OS design. For every bad tick, there is a good "tock". They see this as the following:
  • Win98 = Good
  • WinMe = Bad
  • WinXP = Good
  • Win Vista = Bad
  • Win 7 = Good
  • Win 8 = Bad!!!
Never mind the fact that Microsoft had the NT-style OSes in use early on, alongside Win98 and Me: NT4 and Windows 2000. And many of these users have been latching on to any straw they can to validate their fears of the OS. Perhaps one of the most interesting complaints is the lack of the once-beloved "Start Menu".

The Start Menu, introduced in Windows 95, was at the time designed as a gateway to your applications. Its design was very different from Microsoft's previously released "Program Manager". Under the Program Manager environment, which existed in Windows 3.1, applications would "minimize" to icons on the desktop behind the core Program Manager window. Program Manager itself had little folder icons, grouped together, such as "Accessories" and "Games", which you would double-click to open and find your applications. For Windows 95, all of this functionality had been moved to the "Taskbar and Start Menu". The folders became folders in the Start Menu list, and running applications would display in the Taskbar.

Even this change was not well-received amongst the computing world of the time. Unfortunately, I cannot find the recent blog post by Raymond at Microsoft on "The Old New Thing" which detailed this hate affair with the Start Menu at its introduction.

Moving forward to Windows 8, the "Start Menu" as we once knew it is gone. In its stead remains the Start Screen, which provides a touch-friendly interface to your applications. Applications that formerly installed icons to the Start Menu will now install them to the Start Screen. And applications downloaded from the Windows Store will also display as "Live Tiles" on this same screen.

The perception of Windows 8 has also not been helped by the views of people who are considered to be industry leaders in the enthusiast and gaming community. Mojang's own Notch (Markus Persson), creator of Minecraft, tweeted his concerns about the operating system when Microsoft approached him to bring Minecraft to the forefront of the platform.

Even Valve's own Gabe Newell has slammed Microsoft's decision to release Windows 8 with its own Windows Store.

Most people fail to understand one thing about Gabe's opposition. His opposition has nothing to do with the "closed" nature of the Windows Store, but rather that it is a direct competitor to Valve's Steam delivery system. Interestingly, even I consider his fears to be unfounded. The Windows Store, while bringing a basic application delivery system to the Windows platform (something that has long existed in other OSes, with the iTunes store in iOS and OSX, and the Google Play Store with Android), is not quite a drop-in replacement for Steam. For example, the Steam overlay system provides an extremely convenient way for you to communicate with your friends that are not playing the game with you. Steam itself also has tight integration with its games for network play, where you can invite your friends to jump into the game with you through Steam. While Microsoft has similar functionality with the Xbox platform, they've had a decade to integrate this into Windows in a usable manner and they have shown they seemingly have no interest to do so.

The Good Things About Windows 8

Having used Windows 8 now for a number of months on my primary desktop and gaming laptop machines, I have personally come to the conclusion that the Start Screen isn't really as big of a deal as most people make it out to be. I click on the Desktop icon, and I'm now using the Windows desktop as I have always done so. I hadn't used the Start Menu since Windows XP came out with Quick Launch, of which I was a heavy user, so it never really bothered me to see it go away. The desktop operates pretty much the same it always has for years.

However, when I purchased my Surface Pro tablet (which I am using to write this post!), I have come to navigate Windows 8 in a very different manner than I do on the desktop. I make heavy use of the Start Screen and the "Metro" applications. I have become extremely fond of the Bing News app, I use the Mail App regularly, and I shift to the desktop only to run desktop-oriented applications. I have become a HUGE fan of the swiping functionality. I commonly cycle between my applications with a flick of a finger on the left edge of the screen. I push buttons with my fingers on websites. I tap between my conversations in the people app. I search the web and all of my applications with the awesome Search function on the Charm Menu. (To bring up Charms, put the mouse cursor in the bottom right corner and move it upwards; or on touch, simply swipe on the right edge)

The security model of Windows 8 has been improved dramatically. And while I won't go into it on this blog, this PDF (it's legit, I swear! but update your Adobe Reader anyway) goes into the impressive internal improvements. While no security is 100% perfect, it is nice to see the defensive strategies continue to evolve.

After seeing the Surface Pro devices that a coworker and I recently purchased, our colleagues at work have now decided they want one. We are also in the process of validating Windows 8 for our secure environment with our IT staff.

Wednesday, February 13, 2013

More Deployment Tidbits!

One of the other challenges that IT Administrators face is that there are many applications out there that do not conform to operating system standards when being installed. This lack of conformity is usually the result of a few things:
  • The cost of 'doing it right' is too high for most development teams. People who know the underlying operating system cost more than your average code monkey. Most development processes (such as AGILE) encourage functionality and features over sound application design.
  • Developer ego. "I know better than Microsoft." "The registry sucks!"
As a great example, Java and Firefox do not lend themselves well to corporate deployment and management. Java, for example, uses a configuration file that is searched for under C:\Windows\Sun\. Not every option in the Java Control Panel is configurable through these configuration files, either.

So to you, I present the following guide:
  • Use the registry, religiously. I don't care if you think you're better than Microsoft. If you don't want to write a Windows application, then don't create one. But when you write for the Windows environment, USE THE REGISTRY. You wouldn't use $HOME/ to store application-level (system-wide) configurations in Linux, so why would you not use Microsoft's conventions?
  • In Windows (Vista and above), system-wide application configuration and log files should go in C:\ProgramData\YourApplication. This location becomes your scratch space, and most importantly, C:\ProgramData is a high integrity location, which means it can only be accessed by users who are Administrators. (However, your subfolder is RW to your application).
  • HKEY_LOCAL_MACHINE\SOFTWARE is the place to store your application's system-wide preferences.
  • HKEY_CURRENT_USER\SOFTWARE is where you store configuration for the user installing the tool.
  • %USERPROFILE%\AppData\ is where you store user-specific things such as user-specific logs, user-specific downloads, and so forth.
  • %USERPROFILE%\AppData\Roaming is what you use if you wish to allow these things to be replicated with Windows Roaming User Profiles.
  • %USERPROFILE%\AppData\Local is the location you use when you do not wish for your application's data to be replicated, or it's not necessary to be replicated. For example, user-specific log data might not need to be replicated from machine to machine.
  • %USERPROFILE%\AppData\LocalLow is the location to be used when you run your application with a low integrity level (read: reduced system privilege). I encourage you to build your applications to run in this mode.

Java Deployment Woes

With the recent back-to-back, off-hours, and off-schedule security updates from Oracle and Adobe, Systems Administrators have never before been more in a bind than they are today with needing centralized software management tools in their environment.

We IT Administrators have significant challenges to address with the ever-evolving Information Security landscape, which will require a regular security maintenance plan. Some of these challenges are inherent to the operating systems; some are also inherent to the applications that are used day-to-day.

I have searched online for answers to my questions with regards to Java deployment and have usually turned up empty-handed. Java itself has the following challenges:

  • It does not like being deployed in-use. The JRE Executable installer forces you to close all applications that have Java loaded before it will let you continue with the upgrade.
  • Many different applications often come with their own versions of Java installers. For example, some applications include JRE 5.0, and now your systems may potentially be vulnerable to attack. (The Eclipse IDE comes to mind, as does any web application built on Tomcat.)
  • Java Auto Updater can cause deployment challenges for centralized administration tools. For example, the Dell KACE management appliance uses "Assignments" for application installs. If you "Assign" Java 6u39 (Java 1.6.0.39), and someone updates to Java 6u41, KACE will attempt to reinstall the earlier version.
  • We have political battles with users who will often ignore the Java Update utility and leave the icon sitting in their task tray. We have a class of users who protest up the management chain every time IT does a deployment of Java, swearing that their particular application cannot be upgraded.
  • The Java Executable installer does not allow for ALL of the MSIEXEC properties to be specified on the command line.
  • Leveraging MSI for Java is an 'afterthought' to Oracle, who provides specific instructions to dig within your Application Data folder after launching the EXE to find the extracted MSI and CAB files.
So how do we address these issues? There are a few different answers with different solutions.
  • You can deploy at startup. The challenge here is that with the ever increasing "BYOD" style devices and ultra mobility, network connections are often not made until after the user has logged in to the machine. In this manner, application installs will not work from most centralized tools because they require this connectivity to download and execute their installers.
  • Microsoft, as an OS vendor, should encourage and enforce developers to use all of the platform's tools. MSI installers should be the rule, not the exception, for all Windows applications.
  • Changes should be made to the underlying OS to allow for upgrade-in-place of applications.
  • Microsoft should encourage developers to use their "Update" process that exists in Windows (You know, the one that says PLEASE DO NOT SHUT OFF YOUR COMPUTER while it installs updates). Interfacing with this functionality should be encouraged at both an IT and Developer level.
In the meantime, one of the tricks I have used for deployment is the following:
  • Download the Windows SDK to obtain a utility called Orca. Orca will allow you to modify the MSI file properties and save MST (Transform) files to use for installation.
  • Within your MST, set JAVAUPDATE=0, AUTOUPDATE=0, MOZILLA=1, IEXPLORER=1.
  • Deploy at bootup, login, or prompt users to close applications using the Java Runtime.
  • msiexec.exe /qn /i "jre_installer.msi" TRANSFORMS="mytransform.mst"
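The four bullets above as one deployment pre-flight, written here as an added example (not from the post, Oracle, or Dell KACE): it refuses to run while any process has the JVM loaded (the "deployed in-use" problem from the first list), passes the same properties the MST sets on the command line as belt-and-braces, and turns the msiexec exit code into something a scheduler can act on. The MSI, MST and log paths are assumed.

```powershell
# Added example, not from the original post. Assumed: the JRE MSI and MST sit in
# the working directory and logs go under ProgramData.
param(
    [string]$Msi       = 'jre_installer.msi',
    [string]$Transform = 'mytransform.mst',
    [string]$Log       = "$env:ProgramData\JavaDeploy\jre-install.log"
)

function Get-JavaHosts {
    # Any process that has loaded jvm.dll will make the installer bail out,
    # so find them first. Reading Modules can throw for protected processes;
    # treat those as "not a Java host" rather than aborting the whole check.
    Get-Process | Where-Object {
        try { $_.Modules | Where-Object ModuleName -eq 'jvm.dll' } catch { $false }
    }
}

function Install-Jre {
    $busy = Get-JavaHosts
    if ($busy) {
        $names = ($busy | Select-Object -ExpandProperty ProcessName -Unique) -join ', '
        Write-Warning "Java is loaded by: $names. Prompt the user or retry at next boot/login."
        return 'Blocked'
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $Log) | Out-Null
    # Unlike the EXE installer, the MSI accepts these properties on the command
    # line, so they are repeated here even though the transform already sets them.
    $msiArgs = @('/qn', '/norestart', '/i', "`"$Msi`"", "TRANSFORMS=`"$Transform`"",
                 'JAVAUPDATE=0', 'AUTOUPDATE=0', 'MOZILLA=1', 'IEXPLORER=1',
                 '/L*v', "`"$Log`"")
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed, reboot required' }
        1618    { 'Another installation is already running; retry later' }
        default { "msiexec failed with exit code $($p.ExitCode); see $Log" }
    }
}

Install-Jre
```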

Wednesday, August 1, 2012

IPv6 Musings

Those who know me know that I sound the IPv6 siren loudly and proudly. This blog is no different and is part of my ongoing effort to help other technologists understand this monumental shift in how the Internet functions. I'll begin here by highlighting some of the most visible changes and how they impact your network designs. Future updates will include some more detailed technical information on each area.

Change #1: Address space increase

The address space in IPv6 has drastically increased to accommodate 2^128 unique addresses instead of the aging 2^32 addresses. This results in addresses that are 16 bytes long, written as eight 16-bit chunks separated by colons.

Typical IPv4 Address: 192.168.0.5
Typical IPv6 Address: 2001:db8:abcd:1234:5fcd:cdba:5892:5efb

As many users often now have multiple devices that require connectivity to the Internet this increase in address space provides much needed breathing room.

Change #2: NAT (Network Address Translation)

One of the ways we avoided the move to IPv6 a decade ago was the introduction of Network Address Translation technologies that allowed multiple networks and devices to use local-only IP addressing connected to one publicly visible IP address. This allowed you to connect a near limitless number of devices to a single internet connection without consuming address space.

However, all has not been rosy in the world of NAT. NAT introduces problems with end-to-end connectivity which require manual intervention to allow inbound communication to happen. Device performance suffers because each connection requires a stored translation record so communication can pass through freely. This often results in increased memory usage and decreased performance on lower-end consumer hardware when flooded with lots of connections, such as from P2P technologies.

Since a vast majority of networks use 192.168.0.0/24 and 192.168.1.0/24, connecting these networks during VPN sessions and company mergers can cause address space collisions and prevent end-to-end connectivity. Connecting these sites often requires NAT rules at the edge to allow communication to occur.

The increase in IPv6 address space, as well as the "globally unique" aspect of the assigned networks all but guarantees that the preceding problems are no longer an issue. No two globally connected networks should ever share the same address space. When you need to establish a VPN you merely connect the two sites together and add routes to direct the traffic to go over the encrypted tunnel. This vastly simplifies management and creation of site-to-site VPNs resulting in an overall reduction in the cost of planning these sorts of site mergers.