Today I had the pleasure of presenting at the Oxford ICTF Conference on Multi-Factor Authentication and Password Stores with Smart Cards and YubiKeys. The video recording is online now at https://youtu.be/WGtCxS2YFNA and the presentation can be downloaded through the link below.
Presentation.pdf (5.5 MiB)
As some readers may know I currently work in Higher Education, and while all of the business data is trivial to back up, providing any level of backup service to students and academics is significantly harder. The challenges include the myriad of Operating Systems in use (Windows/OSX/Linux), the fact that the devices being backed up are inherently ‘untrusted’ (i.e. owned by the individual) and that they are often on networks (be it eduroam/public/home) that have no direct connectivity back to the internal trusted network.
Most enterprise class backup systems just aren’t suited to this kind of environment: either they cannot be securely published through a firewall, or they carry exorbitant licensing costs for the number of devices to be protected (a few file servers vs 500+ student owned laptops).
One solution to this issue cropped up at a recent trade show where Synology were demonstrating their Synology DiskStation Manager NAS software which set itself apart from the traditional enterprise backup solutions with…
- Support for up to 16,000 users on high end models (and 2048 on the kind of model that we would consider using) with no extra licensing costs; users can have storage quotas set either by group or per user
- Secure remote access (simply publish a single port which can be protected by HTTPS for encryption in transit)
- Home grown backup clients for modern versions of Windows, OSX/macOS and Linux
- On the point of OSX/macOS the backup client for Synology does not rely on Time Machine and so overcomes the issues associated with having to be on the same network as your backup device
- Home grown Btrfs file system which auto-detects (and fixes) corrupted files through metadata, along with extensive snapshot support
- Up to 32 recovery points and real-time file protection (when connected to the DiskStation)
So time for some screenshots! Below we have the initial setup of the DiskStation Manager and the installation of the client on a Windows PC.
- If a business needs to provide backup to remote workers
- those remote workers do not connect to the trusted network often
- perhaps they don’t like VPNs/DirectAccess (which rules out using Offline Files)
- and those remote workers do not use a commercial ‘cloud’ service to protect their data
- perhaps trusting a 3rd party to host the data is not an option
- the remote workers use OSX/macOS
…then using a Synology DiskStation should be a serious consideration for that business.
Looking for some fun ways to get more out of your Smart Card deployment? If so, have you tried…?
- Use Smart Cards to log in to your servers via Remote Desktop
- Use Smart Cards with the PowerShell Get-Credential cmdlet
- Use Smart Cards with your Firewall for single sign on
- Use Smart Cards to log in to IIS Web Applications (just a box to tick and a radio option to select)
- Store multiple identities on your Smart Card and assign different (and perhaps more complex) PINs to the identities
Have a look at the screen shots below for some more details…
If you are looking for a free tool to manage some of the more intricate features of the Gemalto IDPrime .NET and MD cards then the Mini-Driver Manager (downloadable from http://www.gemalto.com/products/dotnet_card/resources/development.html) may well fit the bill. However, it has one small drawback: out of the box it only allows you to manage cards with the Admin Key set to 48 0s or 48 Fs, and neither option is much use to anyone once they have changed the Admin PIN.
Luckily these values are only set in an INI file, so it’s pretty easy to change them to anything else.
Please note that this guide uses a feature in Notepad++ to elevate an application to have local Admin access; you can download Notepad++ from https://notepad-plus-plus.org. However, you could also use plain old Notepad: you’ll just need to launch it as an Administrator and browse to the INI file from within Notepad.
On with the guide!!
So after meaning to play with Smart Cards in greater detail for some time, we’ve just received a set of cards and accessories from Smartcard Focus (http://www.smartcardfocus.com/) including…
- Gemalto GemPC Shell Token V2 (IDBridge K30) (a USB dongle style Smart Card reader which you can see in the screen shot sequence below)
- Gemalto IDPrime .NET smartcard – SIM cut (to go in the IDBridge K30)
- Gemalto IDPrime .NET card – just your standard Smart Card
- Omnikey 3121 – just your standard Smart Card reader
One of the first things I wanted to do was get PIN complexity and policy defined; the chaps over at Gemalto provide a number of tools for managing the cards, which can be downloaded from the links below…
So time to get on with the guide (which also shows you which downloads are needed from the links)!
48 0s typed out… 🙂
Is the desktop dead yet? Well, with the 4th Gen Lenovo X1 Carbon (i5-6300U/8GB/256GB) and the ThinkPad OneLink+ Dock it might as well be! This powerful little dock has just a single cable to plug into your laptop, which provides power and connectivity to the dock.
For connectivity the dock includes:
- On the front…
  - Stereo/microphone audio combo port
  - 2x USB 3.0 ports, one of which is ‘always on’ powered – great for charging up your phone
- On the back…
  - 2x USB 2.0 ports (or as I now call them ‘Keyboard and Mouse ports’)
  - 2x USB 3.0 ports
  - 1x Gigabit Ethernet port
  - 1x VGA port
  - 2x (full sized) DisplayPort 1.2 ports
  - Cable to your laptop
- On the side…
  - Kensington cable lock
Going by the Lenovo website (Super long Lenovo link) this dock will work with the ThinkPad X1 Tablet, ThinkPad P40 Yoga, ThinkPad Yoga 14, ThinkPad Yoga 260, ThinkPad Yoga 460, X1 Carbon (4th gen), X1 Yoga.
Some super awesome little features that have really helped:
- Power on button for the laptop on the dock – even with the screen closed it’ll power on your laptop (just too bad with the screen closed I can’t get to the fingerprint reader!)
- With the Ethernet cable plugged into the docking station the laptop will turn off its WiFi
- The docking station comes with a power cable (thus you don’t have to sacrifice your laptop’s power cable or buy an additional one!)
- Even though only one of the front ports is ‘always on’ powered the second port has no issues in powering up and running a 500GB Freecom USB Hard Disk Drive.
So as you will have seen from the photos this dock has no issue running three screens; but what about three screens while running a video on each, hammering the USB 3.0 port on the front with Crystal Disk Mark against a USB HDD, with audio streaming and my phone on charge? I certainly couldn’t notice any issue, and the CPU on the X1 stayed below 22% throughout the test.
In the past I’ve seen docks like these kick out a fair amount of heat (when under load in particular) and while you can feel some heat from the OneLink+ dock it really isn’t much at all (only a few more degrees Celsius above its ‘off state’). In addition some laptops seem to ramp up their internal fan when attached to a dock – in this case the X1 Carbon behaves and under ‘productivity tasks’ I couldn’t notice the fan noise at all.
While I would prefer to see the VGA port replaced with a further DisplayPort (on high resolution screens VGA really does not work well), the Lenovo ThinkPad OneLink+ Dock really is an excellent bit of kit; not once have I looked back on my desktop, and having extra desk space is just an added bonus.
It’s been a day or so since buying a Microsoft Band 2 (took a while to find a high street shop that had one to try on in the first place!) and it’s proving rather useful to me as a person who rarely has his phone turned on loud and really never notices the little vibrations from it. My most recent application of Band 2 has been using it to receive push notifications from PRTG via my Windows Phone.
In all truth, if you already have push notifications set up then you are probably already getting the notifications; however, if you are not, keep reading to find out where to check for the right settings…
On the Microsoft Health App/Band Tiles
On the PRTG App
On your PRTG Console
On your Notification Settings
After giving the Customer/Technical previews of Windows 10 a wide berth (just haven’t had the time to play with them) I’m now finding I quite like Windows 10 on my Surface Pro 3 (i5 128GB). An interesting issue though: whenever I launched the new Mail app I was presented with the error message:
Your Outlook account settings are out of date.
Clicking the Fix account button didn’t seem to do anything…
However I then realised since the upgrade to Windows 10 I had only been using the PIN I defined back on Windows 8.1 to login (and as such had not yet provided Windows 10 with my Microsoft account password).
So after logging out and then logging back in again, this time clicking Sign-in options and then the full password option (as seen below), I found that clicking the Fix account button did this time fix the account.
An interesting quirk of running Virtual Machines for this post… The background: my ‘main work PC’ is currently running Windows 7, so in order to remotely manage a Hyper-V Server 2012 R2 machine I had installed Oracle VirtualBox onto my main PC and inside that set up a Windows 8.1 VM to remotely manage the Hyper-V Server instance.
However after setting up remote management I found that I could connect to all of the remote management tools on my Hyper-V machine with the exception of Disk Management and Hyper-V Manager with the following error message generated in Hyper-V Manager.
RPC Server unavailable. Unable to establish connection between <Hyper-V Host> and <Client PC>.
After much investigation into this issue (and after following a number of dead ends relating to firewall settings, the hosts file and COM security) it transpires that the issue was related to the way that I had setup the network adapter within VirtualBox.
In particular the adapter had been set to NAT mode; given the properties of NAT it seems plausible that some vital information was mangled in the process – if anyone feels like doing some Wireshark on this to discover the cause then please do!
The resolution was simple – setting the adapter to bridged mode instead which allowed the traffic to pass through the virtual adapter just fine.
One of the holy grails of Moodle is having students added to the right courses in an automated way. This becomes particularly true if you have individual courses for each and every class, each of which could have up to 30 enrolments to go through (just far too many to do using manual methods).
Moodle has a number of ways to automate the process out of the box and my favourite way at the moment is using an external database…
So in this post I will show how to use SIMS reports (generated using CommandReporter.exe) to populate student and teacher enrolments in courses as part of a Moodle install using the External database enrolment plugin (more on this here – https://docs.moodle.org/27/en/External_database_enrolment).
- First up you will need to know your way around Capita SIMS (in particular creating custom reports) as well as the basics of SQL Server management (in particular adding a database to an instance) and Microsoft SQL Server Integration Services (there is a great video series on SSIS here – https://www.youtube.com/playlist?list=PLNIs-AWhQzcmPg_uV2BZi_KRG4LKs6cRs).
- Next you will need a SQL Server running Standard edition or higher (this gives you access to SSIS as per http://msdn.microsoft.com/en-gb/library/cc645993.aspx); if you only have Express edition installs in your environment then there isn’t much point in following this guide until you have one.
- This guide also assumes that you are using LDAP authentication in your Moodle site and that you have your course lists already populated with the course shortname the same as the course name as it appears in SIMS (it is possible to generate courses using the Database Enrolment method but that’s something for another guide).
- Finally you must have the SIMS.net client (which includes CommandReporter.exe) installed on the SQL server from which you will be running the job to get the class lists into Moodle (more on this a little later).
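As an added example (not from this post or from the Moodle project), here is the shape of the SQL Server objects such a setup ends up with: a staging table that SSIS fills from the CommandReporter.exe class-list report, the view the External database enrolment plugin reads, and a read-only login for Moodle. Table, column and login names and the 'Student'/'Staff' values are assumptions; the role shortnames student and editingteacher are Moodle's standard ones.

```sql
-- Staging table that SSIS fills from the CommandReporter.exe class-list
-- report (table and column names are assumptions, not from the post).
CREATE TABLE sims_class_members (
    class_name   NVARCHAR(50)  NOT NULL,  -- SIMS class name; equals the Moodle course shortname
    username     NVARCHAR(100) NOT NULL,  -- LDAP account name, as Moodle sees it via LDAP auth
    member_type  NVARCHAR(10)  NOT NULL,  -- 'Student' or 'Staff' as exported from SIMS (assumed)
    CONSTRAINT ck_member_type CHECK (member_type IN ('Student', 'Staff'))
);
GO

-- Constructed sample rows standing in for one SIMS class list.
INSERT INTO sims_class_members (class_name, username, member_type) VALUES
    ('10A-Ma1', 'jsmith01', 'Student'),
    ('10A-Ma1', 'akhan02',  'Student'),
    ('10A-Ma1', 'mjones',   'Staff'),
    ('10A-Ma1', 'mjones',   'Staff');   -- duplicate, removed by the view below
GO

-- View for the plugin's remote enrolment table: one row per (course, user),
-- with SIMS membership mapped onto Moodle's standard role shortnames.
CREATE VIEW moodle_enrolments AS
SELECT DISTINCT
    class_name AS course_shortname,
    username,
    CASE member_type
        WHEN 'Staff'   THEN 'editingteacher'
        WHEN 'Student' THEN 'student'
    END AS role_shortname
FROM sims_class_members
WHERE username <> '';
GO

-- Least privilege: the Moodle web server only ever reads the view.
CREATE LOGIN moodle_enrol WITH PASSWORD = '<strong-password-placeholder>';
CREATE USER moodle_enrol FOR LOGIN moodle_enrol;
GRANT SELECT ON moodle_enrolments TO moodle_enrol;
GO
```

In the plugin's remote field settings the course, user and role fields would then be course_shortname, username and role_shortname, with the local user field set to username so LDAP accounts match. Rows for a course shortname that does not yet exist in Moodle are ignored unless the plugin's automatic course creation is switched on.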
Capita SIMS setup
For best results create a new SIMS user that will be used exclusively for your Moodle Reports, then login with that user and follow the instructions below.