Latest posts

Log PuTTY Output

I use PuTTY a lot and sometimes I want to log my changes as I make them or I want a quick and dirty way to get a config file off a device. In this post, I will show step-by-step how to log the PuTTY output to a log file.

  • Open PuTTY
  • Click on Session > Logging
Selecting Logging
  • Select Printable output
Selecting Printable output
  • Select the location where you want the log file to be saved. I’m going to save mine in C:\temp
Set the save location for the log file

Intune Deploy Default Taskbar

Deploying the same taskbar to all users is a very nice quality of life improvement, as it can help eliminate the problems of users using Windows Mail instead of the already installed Microsoft Outlook.

I opted to deploy a standard default taskbar using Microsoft Intune as Microsoft Office is a required application on all Intune systems in my setup so I didn’t need to worry about a system trying to pin Microsoft Outlook when it wasn’t installed.

In this post, I’ll show you step-by-step how to create the taskbar XML file and how to deploy it using Microsoft Intune.

Create the XML

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection>
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
        <taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" />
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
 </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
Code language: HTML, XML (xml)

We will need to make some changes as it isn’t perfect. We will start by telling Windows to unpin all the default pinned apps.

  • To remove all the default pinned apps we need to change <CustomTaskbarLayoutCollection> to be   <CustomTaskbarLayoutCollection PinListPlacement="Replace">

Even though we configure the taskbar XML to replace the default pinned apps this has no impact on the apps the user has pinned, it may move the items to the start of the taskbar if they have them pinned further down but that’s it.

Now we can start adding the pinned apps we want. I like to set them in the following order Microsoft Edge, File Explorer, then Microsoft Outlook.

  • To pin Microsoft Edge I’m going to replace<taskbar:UWA AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" /> with <taskbar:DesktopApp DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"/> As I didn’t want to use the UWA method as I tend to trust file paths more but in theory you could skip this part.

Microsoft 365 Exchange Online 150 MB Message Size

Back in 2015, Microsoft enabled all Microsoft 365 (aka Office 365) Exchange Online tenants the ability to change their message sizes to a maximum size of 150 MB. Originally the default size was 25 MB and previously Microsoft increased that to 35 MB, your tenant will likely be set to one of those values.

The new 150 MB message size limit is not enabled by default you must enable it. In this post, I will detail step-by-step how to change the message size limit in Exchange Online for all existing mailboxes and all new mailboxes.

Prerequisites

The Process

  • Connect to Exchange Online with PowerShell
  • Run the following PowerShell command to see what the current message size limit is Get-Mailbox -Resultsize Unlimited | Format-List displayname,MaxSendSize,MaxReceiveSize
Checking the current message size limit
  • Run the following PowerShell command to set all existing mailboxes to 150 MB Get-Mailbox -Resultsize Unlimited | Set-Mailbox -MaxReceiveSize 150MB -MaxSendSize 150MB
Increasing the message size limit

Aruba Access Point Firmware Upgrade

I’m a fan of doing as much as possible with CLI. It always feels more complete and can sometimes be automated. In this post, I will detail step-by-step how to upgrade the firmware image on an Aruba AP (Access Point) with CLI.

ArubaOS is also called Aruba Instant and has nothing to do with Aruba Instant On as that is another product line that is cloud-managed but not cloud-managed with Aruba Central. I’ll be using the term ArubaOS (AOS) in this post to try and keep things as clear as possible.

If you upgrade to AOS 10 you will need to manage the APs with Aruba Central. AOS 8 is the last and still currently developed version that does not require Aruba Central. You can confirm that AOS 8 is still being developed and maintained by checking the Aruba End of Life page for AOS 8.

The Process

  • Review the release notes for the version of AOS you want to upgrade to. Specifically the section Supported Hardware Platforms as that will help you determine your upgrade path.
  • SSH into the Virtual Controller

If you have more than on AP in your VC (Virtual Controller) you need to define one of them as the preferred conductor. When a preferred conductor is set that will always be the AP running the VC.

  • Run the command show ap-env to see if you have preferred conductor.

If the output doesn’t show iap_conductor:1 then you currently don’t have a preferred conductor. (If your firmware is really old it might show up as iap_master:1 as that was the old name for it.)

VC with no preferred conductor
  • Run the command iap-conductor to set the AP that is currently running the VC to be the preferred conductor. (If your firmware is really old the command won’t be recognized and you’ll need to run the command iap-master instead.)
Running the iap-conductor command

VMware Horizon GPO Templates

In this post, I will detail step-by-step how to install the VMware Horizon GPO templates.

Technically speaking you can fully use VMware Horizon without any of the GPO templates however there are a lot of useful settings in them that you can configure.

Before installing the Horizon GPO templates I recommend you create a Central Store. Here’s how to Create Active Directory Central Store.

I recommend making a note that you’ve added an extra GPO template to the Central Store.

The Process

  • Download the Horizon GPO Bundle from VMware.
Horizon GPO Bundle Download
  • Extract the contents of the VMware Horizon Extra Bundle zip file.
Extracting Horizon GPO Bundle

Base64

Base64 is a form of binary-to-text encoding that is very widely used, you can encode almost anything into Base64. Learning how to leverage Base64 has been a major eye-opener for me.

I’ve seen Base64 used in countless places such as SSL certificates. Ransomware loves to use it, as a lot of basic Antivirus don’t check to see what’s happening in a Base64 string and ignores it. You can encode an entire PowerShell command with Base64 and just run PowerShell with the -EncodedCommand option to run something that a basic Antivirus might not notice.

Base64 is also widely used in phishing emails, be it the URL or even the username or the entire phishing page being an HTML attachment in an email and everything is in Base64.

Even though there are malicious things that can be done when using Base64 to obfuscate or even double obfuscate things, there are genuine day-to-day use cases.

Let’s say you need to install a program but you need to use a transform file. The vendor might host the installer publicly but what do you do about the transform file? You could host it somewhere but maybe the transform file has specific information that shouldn’t be public like the SKEY and IKEY for a Duo install.

A solution could be to take the transform file and encode it with Base64 and put that in an install script. Now everything is self-contained. Yes if someone gets ahold of the install script they also have the transform file info. However, I feel like the risk for that is less than publicly publishing the transform file be it an obscure URL or not.

ONIE and Onyx (MLNX-OS) Install

Switches that support ONIE (Open Network Install Environment) are amazing switches because you can just change which NOS (Network Operating System) you are running relatively easily.

ONIE was created by Cumulus Networks in 2012. In 2020 Nvidia bought Cumulus just after purchasing Mellanox the year before.

I will detail step-by-step how to install ONIE and how to install the Onyx (MLNX-OS) NOS on the SN2410 switch. The process for other NOS and other switches should be similar.

Prerequisites

  • Compiled ONIE recovery image for your switch.

I need the one for Mellanox/Nvidia that file will have a name similar to this onie-recovery-x86_64-mlnx_x86-r0.iso

  • The NOS install file.

I’ll be installing Onyx, the Onyx install file will have a name similar to this one X86_64-3.9.3202-installer.bin if you google around you should be able to find it.

  • Console connection to the switch
  • USB drive
  • Network cable plugged into mgmt0 on a network with DHCP.
  • BIOS password if one is applied. Here’s how to reset the BIOS password for Onyx (MLNX-OS) switches. If the SSD in the switch has nothing on it then you can get by without the BIOS password.

Installing ONIE

  • Download the most recent version of Rufus.
  • Write the ONIE recovery image to the USB drive.

The default settings should be fine. This is what I used.

Rufus Settings

VMware Tech Showcase

Today at VMware Explore, VMware announced the Tech Showcase program created by the VMware xLabs team part of the VMware Office of the CTO (OCTO) team. Tech Showcase is a free program that will give you early access to products before they are fully released to the public.

It’s similar to VMware Flings, what sets it apart is that the feedback you provide will go directly to the teams working on the product, this allow for collaborations with you that will help shape the future of that product.

A good way to think of it is if you had access to VMware Tanzu before Tanzu existed and you could provide feedback to the teams building Tanzu to help shape what Tanzu is today.

The two Showcase Services that are being offered at launch are Project Keswick and Project Trinidad. VMware plans to add more in the future.

Project Keswick is like a Windows PE (Preinstallation Environment) but it runs ESXi and the PE is actually an optimized version of Kubernetes that you can use to deploy your edge workload. I’m very curious about how this will evolve. You can read more about Project Keswick in VMware’s documentation here or you can read the original announcement on the OCTO blog here.

Deploying Windows LAPS

I’ve been a fan of LAPS for a while and in 2023 Microsoft made LAPS even better by introducing a new version called Windows LAPS. Windows LAPS (Local Administrator Password Solution) is a great tool for managing your local admin passwords.

You might be thinking it’s ok I use one complicated password for my local admin accounts, it does not matter in fact it’s worse because if that local admin password hash is obtained then techniques such as pass-the-hash could be used or the password could be cracked and then all systems are compromised, it also sticks out on a penetration test.

Let’s be real, how often are you really changing those passwords even if they are all unique? Well, it doesn’t matter now because Microsoft has made managing all of it much simpler.

LAPS is not new, it has been around for years. In the past to use LAPS you needed to install a small client on the systems you wanted to manage with LAPS. You also needed to install the LAPS UI to retrieve the password or go digging in the AD attributes for the password.

After April 2023 all of that has changed as with the April 2023 security update systems running Windows 10 or newer and servers running Windows Server 2019 or newer now support Windows LAPS natively. No more extra programs are needed. There’s really no excuse for not using Windows LAPS.

The old way of doing Microsoft LAPS with the small client and LAPS UI is now called Legacy LAPS.

Here is step-by-step how to deploy Windows LAPS after the April 2023 update in on-premises Active Directory setup.

Prerequisites

  • All domain controllers and systems managed by LAPS must have the April 2023 update or newer.
  • An AD group for the users who can view LAPS passwords.
  • An AD group for the users who can reset the current LAPS password. (You can use the same group for both if you want.)
  • An Admin account that is a member of Schema Admins and Domain Admins.
  • Domain Functional Level of Windows Server 2016 or higher.

Initial Configuration

  • Login to a domain controller with an account that is a member of schema admins and domain admins
  • Open PowerShell as admin
  • Confirm you have the LAPS PowerShell module by running the following command get-command -module LAPS

FortiGate Policy Mode vs Profile Mode

By default all Fortinet FortiGates are in Profile-based NGFW mode. There is nothing wrong with the default mode. However, I personally prefer policy mode more.

Profile mode works like most firewalls like SonicWall, pfSense and UniFi for example. All your rules are based on ports.

Policy mode works like Palo Alto Networks firewalls. All your rules are only based on ports if you define them but where the real power comes in is application based rules.

To better show the differences here’s an example. I am using Central SNAT in profile mode to keep it as similar as possible to Policy mode.

The Setup

  • VLAN for the Guests network and the IoT network and they are on a tagged interface.
  • The Corp network is untagged on interface x1.
  • An object exists for the entire Guest LAN and the entire IoT LAN. I’ve colored them blue.
  • An object exists for the DHCP server on the Corp network. I’ve colored it green.
  • I will make a rule to allow the Guest and IoT network to talk to the DHCP server on the Corp network to get a DHCP address.

Profile Mode

In profile mode I will build the Firewall Policy rule like this.

  • Name: Allow DHCP
  • Incoming Interface: Guests and IoT
  • Outgoing Interface: Corp
  • Source: Object for the Guest LAN and IoT LAN
  • Destination: Object for the DHCP server on the Corp LAN
  • Service: DHCP and DHCP6

Here is what that rule looks like.