Group Policy Search Tool

I just wanted to share this tool I tend to use when I can’t find a group policy setting that I know exists.  It’s run by the MSDN folks, hosted in Azure, and has been updated with Windows 10 settings already.

March 11, 2015

Azure RemoteApp Now Supports Custom Apps

July 16, 2014

Local Administrator Password Management Solution

Solution for management of built-in Administrator account's password via GPO

Sweet logo, too.

I had a client that was dinged on a penetration test by having one communal password for the local administrator account on all machines.  This is convenient for help desk, but is obviously very insecure.  In the case of this client, the local admin password was commonly known, so they ran some sort of linuxsuperhacker utility from a central location with those credentials and found a laptop with a cached domain administrator account.  This particular domain admin had chosen the option to store their password in clear text in RDCMan.  Why the hell is that option even there?  Anyways, from there it was over, and the first thing that would’ve prevented it all is securing the local admin password on each machine.

 

So, how do you do this?  ::shrug::  Microsoft doesn’t have a solution.  They just recommend disabling the account.  But sometimes things get funky and you can’t log in with a domain account (cough.TrustRelationshipFailure.cough), and the help desk folks really need that account to make the world right again.  Enter Jiri Formacek and his “Solution for management of built-in Administrator account’s password via GPO”.  He saw the issue and he knew Active Directory schema extension, GPO, and apparently enough C# and C++ to make his dream a reality.  If you’ve done any AD schema extension (say to store BitLocker Keys in AD), this isn’t scary, and it is very handy.  Plus all settings are done via GPO and they’re nice and easy.  But wait, there’s more – you can have the password expire itself and autogenerate a new one every XX amount of days.

 

This is a perfect fit, and something that should become an official Microsoft-supported solution.  In the meantime, cheers to Jiri.

Password Retrieval UI

This tiny UI can retrieve and expire the local admin passwords.
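The mechanism the post praises (a unique random password per machine, stored in AD, regenerated once it expires) can be seen end to end in a small script. The block below is an added example written for this page, not code from Jiri Formacek's solution or from Microsoft; his solution does this from a GPO client-side extension running as SYSTEM, which is what you would actually deploy. It assumes a domain-joined machine, an elevated session, and that the schema extension added the attributes `ms-Mcs-AdmPwd` and `ms-Mcs-AdmPwdExpirationTime` to computer objects; check the names against the schema you installed.

```powershell
# Added example (not the solution's own code): rotate the built-in Administrator
# password on this machine once the recorded expiry has passed. Run elevated.
# ASSUMED attribute names: ms-Mcs-AdmPwd (password) and
# ms-Mcs-AdmPwdExpirationTime (FILETIME large integer) on the computer object.

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous characters (I, l, O, 0, 1) left out so help desk can read it aloud
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $chars.Length)   # rejection sampling: no modulo bias
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $sb.ToString()
}

function Get-BuiltInAdministrator {
    # RID 500 identifies the built-in account even if it has been renamed
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
}

function Find-ComputerObject {
    # Locate this machine's own computer object in AD (returns the SearchResult)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add('ms-Mcs-AdmPwdExpirationTime')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    return $result
}

function Test-AdminPasswordExpired {
    param($SearchResult)
    $values = $SearchResult.Properties['ms-mcs-admpwdexpirationtime']
    if ($values.Count -eq 0) { return $true }   # never set: treat as expired
    $expires = [DateTime]::FromFileTimeUtc([Int64]$values[0])
    return (Get-Date).ToUniversalTime() -gt $expires
}

function Reset-LocalAdminPassword {
    param([int]$PasswordAgeDays = 30, [switch]$Force)
    $computer = Find-ComputerObject
    if (-not $Force -and -not (Test-AdminPasswordExpired $computer)) {
        Write-Host "Password has not expired yet; nothing to do"
        return
    }
    $account  = Get-BuiltInAdministrator
    $password = New-RandomPassword -Length 20
    $expires  = (Get-Date).ToUniversalTime().AddDays($PasswordAgeDays)

    # Record in AD before changing locally, so a stored copy always exists
    # for whichever password is current
    $entry = $computer.GetDirectoryEntry()
    $entry.Put('ms-Mcs-AdmPwd', $password)
    $entry.Put('ms-Mcs-AdmPwdExpirationTime', [string]$expires.ToFileTimeUtc())
    $entry.SetInfo()

    # WinNT provider changes the local account password on any Windows version
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$($account.Name),user"
    $user.SetPassword($password)
    $user.SetInfo()
    Write-Host "Rotated $($account.Name); next rotation after $expires (UTC)"
}

Reset-LocalAdminPassword -PasswordAgeDays 30
```

Whoever runs this needs write access to the two attributes on the computer object; in the GPO-driven solution that is the machine account itself, and `ms-Mcs-AdmPwd` is marked confidential so that only explicitly delegated groups (help desk) can read it back.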

July 16, 2014

Sending via SMTP in Azure WordPress

I can’t take credit for this one, but I wanted to share the solution to sending SMTP e-mail on an Azure WordPress site.  Our company has a simple contact form on our website that relies on SMTP.  When built in a non-Azure environment, all was well.  When we migrated to Azure for webhosting, this was the only thing that mysteriously broke.  A quick Google search turned up Dave Isbitski’s blog with a full walkthrough of the process.  Check it out for full screenshots and details, but the gist is that you add SendGrid’s free service as an add-on in the Azure management portal.  Then install and configure the WP-Mail-SMTP plugin within WordPress, and you’re just about done.  We use the ContactForm7 plugin for our form, but this should work for anything relying on SMTP.

“How do I send Email with WordPress hosted on Azure Websites?” on davedev.net

July 15, 2014

The Curse of the Infineon TPM Driver and BitLocker

During a recent BitLocker and MBAM implementation, I came across a curious issue: a sizeable percentage of the client’s computers used an Infineon driver for the TPM.  This doesn’t outwardly seem to be a concern, but BitLocker requires the built-in Windows TPM driver.

In researching the issue, I found another blog that gave me the answer to why this happened, and one way to resolve the issue.  While I didn’t use their solution to the problem, I appreciated the insight.  Basically some drivers live on when a computer is upgraded from Windows XP to 7.  These zombie drivers will ruin your BitLocking adventures.

I found that the Infineon drivers consistently existed in the same locations, only dependent on x86/x64 OS architecture:

  • X86 - C:\Windows\System32\DriverStore\FileRepository\ifxtpm.inf_x86_neutral_816932fd6cc123d1\IFXTPM.INF
  • X64 - C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_neutral_d5bb6575cf91cd73\tpm.inf

So, I used pnputil.exe to remove IFXTPM.INF from my life.  This isn’t as simple as it sounds, since removing the driver with pnputil requires you to define the name the driver has within the driver store, not the path to the INF.  To determine that, I ran pnputil.exe -e > c:\GimmeTheDamnName.txt and then reviewed the output in my txt file.  I found that on all of the machines, even regardless of OS architecture, the driver was listed as oem186.inf in the driver store.  This is convenient, as I can use the same command to remove the driver on all systems that suffer from it.  One command to rule them all: pnputil.exe -f -d oem186.inf

Now, this only removes the driver from the store, leaving our TPM feeling sad, alone, and driverless.  Unfortunately, there is no easy way to script or remotely start a “Scan for Hardware Changes” the way you can just by clicking through the Device Manager GUI.  While that is not hard to do on one system, I didn’t want to do it 1200+ times.  So, I decided to dust off the archaic DevCon.exe, which is still available as part of the Windows Driver Kit.  Now I’ll need separate commands to update the driver for each OS architecture:

  • X86 - devcon.exe update C:\Windows\System32\DriverStore\FileRepository\tpm.inf_x86_neutral_8d77c50b5c066979\tpm.inf *PNP0C31
  • X64 - devcon.exe update C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_neutral_d5bb6575cf91cd73\tpm.inf *PNP0C31

With those commands the TPM finds its driver soulmate, BitLocker can go about its encryption business, and everyone can live happily ever after.
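The steps above (find the published name in the driver store, `pnputil -f -d` it, then `devcon update` the in-box driver for the right architecture) can be tied together so the published name is looked up per machine rather than assumed to be oem186.inf everywhere. The block below is an added example, not a script from the original post. It assumes the Windows 7 `pnputil.exe -e` output format (one `Key : value` line per field, blank line between packages), that the Infineon package identifies itself with "Infineon" as provider and a "Security" device class, the DriverStore paths listed in the post, and devcon.exe on the PATH. Run it elevated.

```powershell
# Added example (not from the original post): locate the Infineon TPM driver
# package by provider instead of a hard-coded oemNNN.inf, remove it, and bind
# the TPM (*PNP0C31) to the in-box tpm.inf with DevCon. Run elevated.

function Get-PnpDriverPackage {
    # Parse "pnputil.exe -e" into objects; ASSUMED format: "Key : value" lines,
    # blank line between packages, a banner line without a colon at the top
    $packages = @()
    $current  = @{}
    foreach ($line in (& pnputil.exe -e)) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            $current[$matches['key']] = $matches['value'].Trim()
        } elseif ($current.Count -gt 0) {
            # a non-field line ends the current package record
            $packages += New-Object PSObject -Property $current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $packages += New-Object PSObject -Property $current }
    return $packages
}

function Find-InfineonTpmDriver {
    # ASSUMED: provider string contains "Infineon", class is the Security devices class
    Get-PnpDriverPackage | Where-Object {
        $_.'Driver package provider' -match 'Infineon' -and $_.'Class' -match 'Security'
    }
}

function Repair-TpmDriver {
    $found = @(Find-InfineonTpmDriver)
    if ($found.Count -eq 0) { Write-Host "No Infineon TPM package in the driver store"; return }
    foreach ($pkg in $found) {
        Write-Host ("Removing {0} ({1})" -f $pkg.'Published name', $pkg.'Driver package provider')
        & pnputil.exe -f -d $pkg.'Published name'
    }

    # In-box tpm.inf locations as listed in the post, chosen by OS architecture
    $arch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
    if ($arch -eq '64-bit') {
        $inf = 'C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_neutral_d5bb6575cf91cd73\tpm.inf'
    } else {
        $inf = 'C:\Windows\System32\DriverStore\FileRepository\tpm.inf_x86_neutral_8d77c50b5c066979\tpm.inf'
    }
    if (-not (Test-Path $inf)) { throw "In-box TPM driver not found at $inf" }
    & devcon.exe update $inf '*PNP0C31'

    # Confirm the TPM is now served by the Microsoft driver
    Get-WmiObject Win32_PnPSignedDriver |
        Where-Object { $_.HardwareID -like '*PNP0C31*' } |
        Select-Object DeviceName, DriverProviderName, DriverVersion
}

Repair-TpmDriver
```

The final WMI query is the check worth keeping even if you script the removal some other way: BitLocker will only be satisfied when DriverProviderName for the TPM device reads Microsoft, and that is a one-liner you can run remotely against all 1200+ machines before and after the change.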

June 25, 2014

How to Configure DNS for Azure Web Hosting

There are a few hoops to jump through to get your BrandNewShiny.com to point to your Azure website.  You will have to configure a few records in DNS for Azure Web Hosting.  I went through Host Gator, since I’ve had my other hosting account there for years, but any DNS provider will be similar.

Also note that for custom domains, your Azure hosting plan will have to be Shared or above – the free plan doesn’t accommodate custom domains.  Luckily the Shared plan is supposedly only about $10/month per hosted site (depending on usage, of course).

DNS Configuration

DNS Records for Azure

Functional DNS records as configured for this site

You will need to configure three CNAME records, and one A record.  These will be:

  • CNAME: www.YourDomain.com to YourSiteName.azurewebsites.net
  • CNAME: awverify.www.YourDomain.com to awverify.YourSiteName.azurewebsites.net
  • CNAME: awverify.YourDomain.com to awverify.YourSiteName.azurewebsites.net
  • A: YourDomain.com to <IP Address given to you in Azure>

Azure Configuration

Azure Website dashboard

The Azure Website dashboard in all its glory. Note the “Manage Domains” button.

Browse to your Web Site Dashboard, and click on the Manage Domains button on the bottom bar.  From there you can add your domains.  I added both www.TheBillableLife.com and TheBillableLife.com.  If everything is correct with your DNS configuration, Azure will accept the domain.  If DNS needs fixing, it will pop up a small but informative error message letting you know what to do.

Notes

I tried adding *.thebillablelife.com as the A record on Host Gator, and that was a miserable failure.  Go without the wildcard.

If you neglect to add both CNAME records (awverify.www.YourDomain.com and awverify.YourDomain.com) like I originally did, you will only access your site via the one you added.  In my case I’d only added awverify.www.TheBillableLife.com, which left me only able to successfully browse to the site at www.TheBillableLife.com, while going to the naked domain name of TheBillableLife.com left me lost in The Series of Tubes.


Note the instructions given in this dialog, and the functional domains as added for this site.
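Since Azure only accepts the domain once all four records resolve as expected (and the missing awverify CNAME described in the notes is an easy one to overlook), it helps to check them from your own machine before clicking Manage Domains. The block below is an added example, not part of the original post. It assumes `Resolve-DnsName` (the DnsClient module on Windows 8 / Server 2012 and later) and takes the domain, site name and Azure IP as parameters; the values in the usage line are placeholders.

```powershell
# Added example (not from the original post): verify the three CNAMEs and the
# A record for an Azure Website custom domain before adding it in the portal.

function Test-AzureWebsiteDns {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,      # e.g. YourDomain.com
        [Parameter(Mandatory=$true)][string]$SiteName,    # e.g. YourSiteName (.azurewebsites.net)
        [Parameter(Mandatory=$true)][string]$ExpectedIp,  # the A-record IP Azure gave you
        [string]$Server                                   # optional: a specific resolver to ask
    )
    $target = "$SiteName.azurewebsites.net"
    $checks = @(
        @{ Name = "www.$Domain";          Type = 'CNAME'; Expected = $target },
        @{ Name = "awverify.www.$Domain"; Type = 'CNAME'; Expected = "awverify.$target" },
        @{ Name = "awverify.$Domain";     Type = 'CNAME'; Expected = "awverify.$target" },
        @{ Name = $Domain;                Type = 'A';     Expected = $ExpectedIp }
    )
    foreach ($c in $checks) {
        # -DnsOnly skips the local cache and LLMNR so you see what the public resolver sees
        $params = @{ Name = $c.Name; Type = $c.Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $params.Server = $Server }
        # keep only answers of the requested type: a CNAME query may also return chased A records
        $answers = Resolve-DnsName @params | Where-Object { $_.Type -eq $c.Type }
        $actual = switch ($c.Type) {
            'CNAME' { $answers | ForEach-Object { $_.NameHost } }
            'A'     { $answers | ForEach-Object { $_.IPAddress } }
        }
        if (@($actual) -contains $c.Expected) { $status = 'OK' }
        elseif (-not $actual)                 { $status = 'MISSING' }
        else                                  { $status = 'WRONG' }
        New-Object PSObject -Property @{
            Record   = "$($c.Type) $($c.Name)"
            Expected = $c.Expected
            Actual   = (@($actual) -join ', ')
            Status   = $status
        }
    }
}

# Placeholder values; substitute your own domain, site name and Azure IP
Test-AzureWebsiteDns -Domain 'YourDomain.com' -SiteName 'YourSiteName' -ExpectedIp '203.0.113.10' |
    Format-Table Record, Status, Expected, Actual -AutoSize
```

A MISSING on `awverify.YourDomain.com` alongside OK on the www entries is exactly the half-configured state described in the notes: the www name works and the naked domain does not.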

June 14, 2014

Azure RemoteApp

Azure RemoteApp Client UI

The Azure RemoteApp Client UI

I just got approved for Azure RemoteApp Preview! It has promise, though the demo will do little more than let me run just a few pre-populated apps in the cloud.  Alas, it is just a demo.  It took about 10 days from the time I signed up until I actually got access, so the sooner you sign up, the better.

  1. Sign up for the demo.
  2. Then download the client.

Currently Available Apps:

  • Adobe Reader XI
  • Calculator
  • Excel
  • IE
  • OneNote
  • Outlook
  • Paint
  • Powerpoint
  • Project
  • Visio
  • Word

Azure RemoteApp Preview Terms:

  • Microsoft is offering the Azure RemoteApp free during preview.
  • With your preview service, you are allowed to build two instances and 10 users for each instance.
  • Your Azure RemoteApp preview service will be cancelled if it is unused for 7 consecutive days.
  • You will be notified two business days prior to any action taken on your account.
  • You can contact Microsoft to request an increase in your quotas, which they will consider on a case-by-case basis.

Current Limitations:

Azure RemoteApp

This message details the demo’s restrictions upon opening a RemoteApp.

Azure RemoteApp

As of today, it seems Azure RemoteApp doesn’t support Windows Phone 8.1.

June 10, 2014

Azure Websites

This website is hosted in Azure via WordPress.  If you haven’t messed with Azure at all, you should.  They offer a free 30 day trial, and MS is more than happy to guide you through anything you might want to do in the cloud via a plethora of articles and guides.  The web hosting aspect is extremely easy to use, and competitively cheap.  Not to mention the whole jumble of other cloud services for developers and IT operations folks alike.  Check out the free trial and get your feet wet.

June 7, 2014

Outline of Microsoft’s VDI Solutions

Here is a great TechNet article explaining the various options for Microsoft’s VDI offerings. It’s good to see them put their VDI architecture into a coherent guide with all of the available options – including new Azure options.

Desktop virtualization deployment overview

June 6, 2014

My Spiceworks Article about BitLocker

This is a brief overview-ish article I wrote after I’d completed a few BitLocker and MBAM projects.  It was published as part of the Spiceworks’ Spotlight on IT series.  Even in just the few months since then, I’ve tackled more complex MBAM deployments than I’d imagined at the time that I wrote it.  At some point I’d like to make a more comprehensive deep-dive into MBAM deployments.  Until then, enjoy the intro.  🙂

Recovery Keys to the Kingdom

June 5, 2014