A file server by any other name: Errors when using a DNS Alias in a UNC Path.

Computers are mean. Here’s a robot.

You’re using a DNS Alias to access an SMB network share on a Windows 2003 server, and you get the following error:

“System error 52 has occurred.
A duplicate name exists on the network.”

This is a known issue with Windows 2000 and Windows 2003 based servers. If a DNS alias is created for a server, the server doesn’t know to listen for connections from computers that are trying to access it’s file shares. This issue has been fixed in later versions of Windows but if you’re dealing with say a Windows 2003 server, you’re going to have to make a change to the registry of the server that the alias was created for and then reboot it. You may also have to set the SPN (Service Principal Name) of the server to match the alias.

 

Further info and instructions can be found in the link below.

http://support.microsoft.com/kb/281308

Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?

I saw this TED talk today and thought it would compliment my previous article series quite nicely. Lorrie Faith Cranor provides a more academic perspective to the issue of password complexity and challenges conventional wisdom. Follow the link below to view a video of her talk.

 

http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd?language=en

The Password Conundrum – Part 3

This is the last part in a series on password management. Read on to learn about the strategy I employed to improve my personal password security.

Security is best employed in layers. That is to say, that using one method of security such as a single password on it’s own is not as secure as using multiple methods together. If one method fails such as your password gets guessed or cracked then requiring a second factor to log in, like a Yubikey or a finger print can help prevent unauthorized people from breaking into your accounts even if they’ve figured out what your password is.

Yubikey – A second factor of authentication

YubiKey
Yes, this is my actual YubiKey. Still working after a year of continual abuse.

I’ve used a YubiKey  for over a year now and it’s survived remarkably well. The Yubikey  is a small USB device that attaches to my key chain and acts as a second factor of authentication. Whenever I need to log in to a service (like LastPass) that supports two factor authentication, I plug my Yubikey into the USB port of the computer I’m using and when I touch the green dot in the midle of the YubiKey, a code is automatically entered into the computer that allows me to then enter my user name and password, to log into the service or web page. Without the YubiKey, no one can log into my accounts. It’s not foolproof, but it is an added layer of security which makes it a lot harder for my accounts to be broken into.

LastPass – A password manager for everyone

The LastPass service and it’s software works very well for my purposes. LastPass is not the only game in town when it comes to password managers but I found it to be the one that fits my needs and has the features I require. In particular, the ability to work with my YubiKey as a second factor of authentication was one of the deciding factors in my choice. The service also has plug-ins for most major browsers which makes logging in to sites that I have saved credentials (user names and passwords) for simple and fast.

It seems that websites and services are getting hacked on a monthly if not weekly basis and the need to change my password on those sites is a regular occurrence. LastPass makes it easy to generate a new random password that is ridiculously long and then save it in an encrypted database that requires both my super secret credentials and my personal YubiKey to access it.

Passphrases – Extra long passwords for the win

Its really important to pick passwords that are not only complex, but long. I like to use strings of esoteric words together or words that I don’t know how to spell very well, together with unusual spacing (yes spaces can be considered special characters). The passphrase becomes memorable because I have to think extra hard about what I am entering when I have to type in a password.  An example of this might be “ReprehensibleHirsuteHair Suit9” or “LachrymoseMoos3 Pouts”. You can probably think of something better but I’ve found that this works pretty well for me.

A great benefit of having a password manager like LastPass, is that you can generate really long, random passwords that you don’t have to remember. The password manager takes care of generating passwords and also allows you to create new, random passwords easily if you have to set a new one on the spot.

 

Conclusion

I’ve found that the strategy I outlined above works really well for my purposes and needs but of course, your mileage may vary. I hope that what you get from this series of articles is a better understanding of what options and tools are available to you to help you enhance and maintain your own personal security.

 

Further reading:

http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/3/
http://passwordsafe.sourceforge.net/
https://xkcd.com/936/
http://www.howtogeek.com/141500/why-you-should-use-a-password-manager-and-how-to-get-started/
http://lifehacker.com/5966214/how-often-should-i-change-my-passwords
http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two+factor-authentication-right-now
http://lifehacker.com/5937303/your-clever-password-tricks-arent-protecting-you-from-todays-hackers
http://lifehacker.com/5962026/use-a-unique-secure-email-address-solely-for-password-recovery
http://lifehacker.com/5949165/the-four-tiers-of-password-security-what-works-what-doesnt-and-whats-best-for-you
https://www.eff.org/deeplinks/2013/05/howto-two-factor-authentication-twitter-and-around-web
https://lastpass.com/
https://agilebits.com/onepassword
http://keepass.info/features.html

The Password Conundrum – Part 2

BluePadLock
Another picture of a padlock because… passwords?

This is the second part of a three part article on password and account management. In this part, I’ll be going over password manager programs, using strong passwords, and multi-factor authentication.

Password Managers

Password managers are programs that allow people to store all of their usernames and passwords in an encrypted database. This allows people who use password managers to remember just one password – the master password to the password manager program. When the user of a password manager wants to log into a site or service, the user fills in their master password and the password manager software makes their user name and password for that site available to them. This also means that users can make their passwords ridiculously long, random, and complex because they don’t have to remember them. The features and capabilities of password managers vary from program to program. Here are a few options that I considered for my own use:

KeePass

KeePass is a free, open source password manager. User’s log in information is stored in a local database that is secured using the very strong AES and Twofish encryption algorithms. This means that it would be very difficult for an attacker to steal your usernames and passwords, even if the attacker was able to pilfer a copy of the database file that contained them.

There are several free mobile apps that access your KeePass database using Dropbox. The advantage to keeping your KeePass database in Dropbox is that you can then use KeePass on any computer or mobile device that you have a Dropbox synch folder set up on. There is a portable version of KeePass  that can be loaded on to a USB thumb drive which would allow you to use KeePass on a computer running most versions of Windows. KeePass is available for most Windows, Linux, and Mac operating systems.

Please keep in mind that KeePass is free, so there is no support number to call if something doesn’t work right. If your database file becomes corrupted, or you lose your master password, you’re on your own.

1Password

1Password is a password manager that costs about $50. There are versions available for Mac, Windows, IOS, and Android. Like KeePass, 1Password allows you to make your password database available to multiple computers by placing it in a Dropbox sync folder.

There’s a really neat feature that 1Password users who are using 1Password in conjunction with Dropbox can take advantage of. If you are using a computer that is not your own and you need to access a password stored in 1Password, you can do so by logging into your Dropbox account and browsing to your 1Password folder. The 1Password folder contains an HTML file that you can open and once you supply your master password, you can access your log in information saved in 1Password.

There are browser extensions for most popular browsers (Chrome, FireFox, Safari, etc..) which allows users to automatically fill in user names and passwords and other information for sites, so that users don’t have to copy and paste that information from the 1Password program.

LastPass

LastPass is a full featured password manager. There is a free version and a premium version. Both versions use 256-bit AES (currently very strong) encryption to encrypt your user names and passwords. LastPass uses it’s own service, instead of Dropbox to make your user names and passwords available to you over multiple computers and mobile devices. LastPass uses your computer or mobile device to perform the encryption so the password database that gets saved on LastPass’ servers cannot be read by anyone else – not even LastPass employees.

There are versions of LastPass available for Windows, Mac, and most popular Linux distributions. It’s also available for most mobile devices including IOS, Android, Blackberry, and even *shudder* Windows phones.  There is also a version of LastPass that works on a USB thumb drive. I should mention here that one of the major differences between the free and premium versions of LastPass is that you have to have the premium subscription (a whopping 1$ per month) to use LastPass with most mobile devices.

Another thing that really stands out to me is that LastPass works well with multi-factor authentication, which is something I’ll be covering in more detail later. LastPass works with the Yubikey and with Google Authenticator.

Strong Passwords

ComplexPWPassword strength or complexity describes the quality of a password based on how long it is and how many different types of characters are in it. For many years, popular wisdom was that a good password was at least eight characters long and as long as there were symbols, upper, ans lower case letters and numbers.

Turns out that a person doesn’t have to use a password that contains numbers, symbols, and other assorted characters in order for it to be “secure”; the password just has to be long enough. As a password increases in length, the time and processing power required to crack or guess it, increases exponentially. This is where a pass-phrase comes in. A pass-phrase is basically just a password that is made up of multiple different words. For instance, a good pass-phrase would be “Cannon poke monkey eyes”. The folks over at XKCD explained it very well in this comic: http://xkcd.com/936/

“Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.” – Jesse McGrew www.schneierfacts.com

Multi-factor Authentication

A factor of authentication is something unique that a person knows, possesses, or is. Factors of authentication are used to confirm that a person is who they claim to be and are commonly used when a person logs into a computer or website. An example of single-factor authentication would be a password. The problem with having a password as a single-factor of authentication is that a password can be guessed, or stolen, or cracked (un-encrypted).

Introducing another factor of authentication (in addition to a password) such as a user’s fingerprint makes it much more difficult for another person to access your accounts and services without your permission. When Twitter’s multi-factor authentication option is turned on, a user must supply a user name and password to log in as well as a code that Twitter sends in a text message to the user’s phone. More and more, websites like Twitter are embracing multi-factor authentication.

Some security-minded folks over at http://twofactorauth.org have compiled a list of websites and services that work with multi-factor authentication. Multi-factor authentication isn’t infallible but it is generally much more secure than just using a password. I highly recommend considering taking advantage of multi-factor authentication to further secure your accounts.

 

Okay, if I haven’t totally lost your attention yet, we’re in good shape. This part of the article was by far the largest and most in-depth part of the series. Next up, the third and final part of the series in which I talk about how I used each of the concepts discussed above to improve my own security practices.

The Password Conundrum – Part 1

PadlockOpenMasterKey
Obligatory password-blog-post lock picture. We can all breathe easy now that the status quo has been upheld.

Introduction

This is the first part of a three-part article in which I’ll discuss managing online accounts and password security. In this first part, I’ll talk about the embarrassing state of my own account management – or lack thereof, what prompted me to get my act together and form a realistic account management strategy, and a brief note on what my personal needs for account and password management entail.

In the second part of this article, I’ll go over some of the tools and strategies that I researched while I was figuring out how I was going to manage my accounts. I’ll cover password managers, using complex passwords, and multi-factor authentication.

In the third part of this article, I’ll discuss my overall account management strategy: what I did and didn’t do, and also my rationale behind each choice. I hope that by the end of this article, you’ll have a good idea of what is available to help you get your accounts under control and to also make informed choices regarding what methods and technologies that you want to use to help keep your accounts and personal information secured.

A shameful tale of woe and regret

I’ve been an Internet user for about half my life now. That’s been enough time to collect many, many accounts. I have at least 3 email accounts, accounts on the usual social networking sites, and a slew of random accounts for online stores and services. I figure that I have somewhere around 30 personal accounts that I’ve set up over the years. There are many others that I’ve lost track of, consigned to the briny depths of the web to be forever forgotten.

It’s time for a confession dear readers: I have committed a grievous evil. I have re-used passwords for multiple personal accounts with wild abandon. On top of that, before this article, I had not changed passwords on some accounts for years. What’s worse is I know better than this; I follow best practices for passwords in my professional life obsessively. Seriously, there was an intervention and everything. I guess it would be at this point where I’d say something about the cobbler’s son having no shoes.

passwords
This was pretty much the extent of my super sophisticated personal password scheme. Luckily, I kept the post-it note under my keyboard where no one would ever find it.

Continuing down this cliche’d path, I’ve heard that people don’t change until the pain of staying the same is greater than the pain of changing. For me, the pain came just a few days ago when I received an email from UbuntuForums.org. The email stated that they’d been compromised and that the attacker had gained access to their database of usernames and encrypted passwords.

I have an account on Ubuntuforums.org. Had I used the same username and password on Ubuntuforums.org that I used on other sites? I couldn’t remember. *CRAP*! Time to put my big boy pants on and get this password mess sorted out.

First, I had to figure out what sites I had accounts on. I started a list of all of the sites I could immediately recall, then I went through my archived emails and found several more sites. I have A LOT of accounts.

Over the years I had halfheartedly skimmed many articles (like this one) that provided advice on proper account and password management. All these questions started popping into my brains: Should I set up a password manager? Which password manager should I use? How complex does my password need to be? How can I set up multi-factor authentication and how well does it work?

It was about this time that I started to become overwhelmed. I needed to do some reading. I researched and read way too many articles and blog posts and here is the strategy that I found would work for me. Others may not have the same security needs, so, as always keep in mind that YMMV.

Requirements

I spent some time thinking about what my needs were and how I access my accounts. I use a variety of computers and devices. I have multiple beat up, old computers running Windows and Linux based OSes in varying stages of obsolescence, an iPhone, and a broken iPad which I may replace in the distant future. I access email and other accounts from my own, trusted systems and other’s that I don’t trust.

It would be nice to be able to access my various accounts easily and securely, regardless of the computer or device I am using. I need to be able to remember my passwords. At the very least, the passwords for my most important accounts – Email, banking, etc. need to be different from each other. Services like Linkedin, Dropbox, and Twitter get “hacked” with some regularity, so being able to easily come up with secure, memorable passwords without repeating old ones is a necessity too.

So this concludes the first part of my three-part password conundrum saga. Check back soon for part two where we dive into the tools, methods, and concepts behind building a solid account/password management strategy.

Exchange Management Console Initialization Failed Logon failure Error

I ran into this issue a week or two ago when launching he Exchange Management Console (ESM) for Exchange 2010. As a work-around, I would connect directly to an Exchange server and access ESM from there but given how regularly I do administration work in Exchange I got fed up with the constant logging in and finally fixed the issue.

ESMError
The following error occurred while attempting to connect to the specified Exchange server ‘exchangeserver.domain.com’
The attempt to connect to http://exchangeserver.domain.com/PowerShell using “Kerberos” authentication failed: Connecting to the remote server failed with the following error message: Logon failure: unknown username or bad password. for more information, see the about_Remote_Troubleshooting Help topic.

I did some googling and found a blog that advised me to remove a specific registry entry.

Specifically, this one:

HKCU\Software\Microsoft\ExchangeServer\v14\AdminTools\NodeStructureS

It worked perfectly, so, many thanks to J.W. Koebel for the info found here:  http://blog.kf7lze.net/2012/09/21/exchange-server-2010-management-console-cant-connect/.

If you’ve stumbled upon my blog and found that the above advice did not resolve your problem, you might want to try some of the things suggested here: http://terenceluk.blogspot.com/2011/08/unable-to-open-exchange-server-2010s.html

Exchange user mailbox permissions issues

An IT infrastructure so organic, sometimes I feel like this guy.
An IT infrastructure so organic, sometimes I feel like this guy.

I work for a company who’s network and server environment represent a fairly common scenario in the corporate IT world. They had moved to Active Directory and Exchange about a decade ago and continued to upgrade and grow based off of a general configuration or structure that had been established when those services (AD, Exchange, etc.) were first set up.

Over time, various administrators made changes to these systems to accommodate new services, programs, and initiatives. These changes, being completely necessary and reasonable caused the IT infrastructure to grow and change in a somewhat organic fashion. When I use the word organic in this case, I mean it in the sense that servers and the network were configured around the changing needs of the company, bit by bit. Consequently, I occasionally run into quirks or issues like the one I’ll be discussing below. I like to think these quirks give the infrastructure character. It keeps me on my toes.

I was changing an Exchange user’s mailbox properties the other day to remove a quota that had been set. When I clicked the OK button to apply the new settings to the mailbox, I received the following error:

ExchangePermissionsErrorThe error message is as follows:

“Error: Active Directory operation failed on emailserver.organization.com. This error is not retriable. Additional information: insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights. “
 

After some moderate googling, I came across some blog and support forum posts by others who had encountered this error. The general consensus was to check the user’s AD security settings to ensure that the “Exchange Enterprise Servers” group had appropriate permissions. Permissions could be fixed by ensuring that inheritance was applied to the user.

ExchangePermissionsError1

I confirmed that the user object had inheritance enabled but I was still unable to apply the changes to the mailbox. I had gone back to skimming the blogs again when I noticed a suggestion in a post to check the inheritance settings for the OU that the user account was in. It turns out that the OU’s inheritance setting had been disabled.

ExchangePermissionsError2

The story goes as follows:

At some point before we had upgraded to Exchange 2010, we had delegated some permissions for the Help Desk so that they could reset user’s passwords. There were some users, people in Accounting, HR, and Executives who’s passwords we felt the Help Desk should not be able to reset. The delegated permissions had been set on an OU that the user’s department OUs were sub-OUs of. In the above example, the North America OU would be where the delegated permissions for the Help Desk had been set. The sub-OU’s (Executives, Marketing, IT, Etc.) would inherit those permissions unless inheritance was disabled in their security settings.

In the end, I concluded that disabling inheritance to the affected user’s OU, prevented the application of new permissions to that user’s account that would have been set when we updated to Exchange 2010. To resolve the issue, I had to go ahead and re-enable inheritance on the department OU of the user who’s mailbox quota I couldn’t change. This caused the necessary permissions which had changed or been added with the upgrade to Exchange 2010, to be applied to the user’s account.

I still wanted to prevent the Help Desk from being able to reset the user’s passwords, so I disabled inheritance on the OU in question and manually removed the permissions that I didn’t want applied to the users. I think that the delegation of rights to the Help Desk maybe should have been applied differently but that’s the moral of this story: The reality of IT is that very rarely if ever,  is any configuration ideal for all uses and situations. Tread carefully, it’s a jungle out there.

Further reading:
Technet 

Why you should care about The EFF

Join EFF!

 

 

 

EFF stands for the Electronic Frontier Foundation. The Electronic Frontier Foundation is a non-profit organization that works mostly in the legal system to fight corporate and government infringement of people’s rights, especially where technology is concerned. Think Atticus Finch meets the kids from Hackers and you’re kinda, sorta, not really there but you get where I’m going with this, right?

Anyway, the EFF has guts. Their first legal battle was to help a small roll playing game developer (Steve Jackson Games) who had been illegally raided and nearly financially ruined by the United States Freakin’ Secret Service. The EFF then went on to square off against many more bullies; defending the privacy, rights, and values of people who like freedom. You can check out a list of their exploits here: https://www.eff.org/cases

The EFF also works to raise awareness about privacy, fair use, and freedom of speech issues through whitepapers. They have a wonderful Bloggers’ Rights section on their website with tons of information including a legal guide for bloggers.

My point here is, the EFF is working hard to keep The Internet free and user’s privacy and rights intact; if you value those things, you should probably support them by donating.

You can donate to the EFF by going here: https://supporters.eff.org/donate.

Oh yeah, and Adam Savage of Mythbusters fame thinks they’re cool too.