Recently, while working with a customer, there was the need to install a multi-factor authentication system for PCI-DSS compliance (8.3 in DSS 2.0 and 8.3a in DSS 3.0). The customer liked WiKID and had used it internally for a number of years. So after some grumbling from our service delivery team due to the complexity of the WiKID install, I researched other multi-factor solutions.
Besides security compliance, any use case where the disclosure of credentials could have a financial, operational, or even personal impact can be a good case for MFA. This could be protecting an online banking site (financial), API or account that provisions cloud resources (operational and financial), or your World of Warcraft account (personal). Companies have created methods for implementing two-factor authentication to address these risks, so we want to create a similar service that can be used for internal and federated services.
Enter OpenOTP from RCDevs. It offers a comprehensive one-time password solution that supports mobile devices, hardware tokens, software tokens, and alternate methods (SMS, YubiKeys, etc.). In other words, pretty damn comprehensive and free for up to 35 users. It’s also a great solution for testing different uses of MFA.
By default, the dig command, used for DNS lookups and troubleshooting, is not installed with the standard Cygwin installation. It is part of the bind-utils package though, and is easily added.
- First download the Cygwin installer for 32 or 64 bit, depending upon your local installation
- Run the installer and walk through the locations and mirrors to use
- At the Select Packages page, enter bind-utils in the search field
- Expand the selection and select the checkbox for “binary?”
- Select Next and allow it to install
At this point the bind-utils tools, including dig, will be installed. You can launch a command prompt or shell to verify, like below:
After that, have at it.
Helping out a relative to install Windows 8. Couldn’t for the life of me figure out the Phoenix SecureCore BIOS to get a USB flash drive to be detected. Had to upgrade the BIOS first, then disable the “Fast BIOS Mode”. At that point the Windows 8 media was viewable.
Kudos to this post for the details. Linux users always come through.
There is a lot of talk recently about cloud services and the data they keep. Personally, after starting to use Dropbox years ago over a home-grown Unison install, I’m a big proponent of cloud services. They provide the functionality I need without my need to keep systems and applications running.
Over the past few years I have migrated from a combination of colocation and a home network of my own services to using Google Apps for mail; Dropbox and SkyDrive for synced storage; Evernote for synced notes and data; Amazon AWS for DNS; Internap for CDN; and vCloud resources. The last because having access to server resources is always a good thing. Okay, you take services from the servers to the cloud, but you can’t keep the sysadmin from wanting servers.
To keep control over data, and in the event that one service is not available, I like to “spread the wealth” concerning where my data is stored. Although I pay for Google Apps, I would hate to not have access for a significant period of time while Google sorts out an issue. So, I wanted an archive of Gmail, “just in case.”
A client makes extensive use of the Cisco Network Access Control (NAC), a.k.a. Clean Access, solution for their wi-fi enabled laptops. These systems are Active Directory domain members and, prior to an AD upgrade, would boot and have a user logged in within 2-3 minutes.
After the domain controllers were upgraded to Windows 2008 R2, the bootup process went from 2-3 minutes to 10-20 minutes, with the delays showing up on the “applying computer settings” and “applying user settings” notices (Windows XP clients). Event logs would show errors indicating DNS resolution had failed and similar things.
SSL server certificates are mandatory for finance, e-commerce, and any site that wishes to protect data in transit. Tied to a fully qualified domain name, they also provide a level of non-repudiation. SSL in its more modern incarnation, transport layer security (TLS), is a very effective layer of security.
A quick Google search for “web server certificate” or “ssl certificate” returns companies that sell basic level certificates from USD$50 (GoDaddy) to USD$700 (rest of prices in the article are in USD) for a standard single domain and single server two year certificate. Granted, these are retail prices, but most systems engineers or security staff only deal with obtaining these certificates once every couple of years.
For a very low cost, it’s easy to use StartSSL (StartCom) certificates on the Citrix NetScaler product line. This includes the free NetScaler VPX Express edition. A lot of the problems I see with others configuring the NetScaler are related to either self-signed certificates or the use of intermediate (i.e., chained) certificates.
Using a StartCom certificate allows for a trusted CA (no certificate errors), and the NetScaler makes it easy to configure intermediate certificates. We’ll go through the entire process of creating a certificate usable on the NetScaler. The process is also the same for any chained certificate.
XenDesktop 4 has raised the bar for virtual desktop (VDI) solutions. It’s now easier to provide a virtual desktop to users on differing operating systems and platforms. And having Citrix on the iPhone / iPad is just amazing eye candy too.
By default, all the tutorials for installing XenDesktop use the defaults. This means that under Windows, using a browser to connect and launch a session from the web interface uses the online plug-in module. It works and provides multi-monitor capability, but has display artifacts and no nifty bar to manage USB connections and such. Besides this client, the Desktop Viewer can also be used as the default (if installed).
Recently I did a “few” upgrades to the home lab. Besides an upgrade to enhance shared storage for vSphere (my old NAS was at 502 days uptime), I took the opportunity to enable jumbo packets on my Dell PowerConnect 5324 and the new fire-and-forget Thecus N7700PRO NAS. As the basis for new lab infrastructure to test VMware, Hyper-V and Xen, it’s a good improvement.
Since the first use was to test some of the new features of vSphere / vCenter 4.1, I also took the opportunity to change over to ESXi from ESX. According to VMware, 4.1 is the last release of ESX, so time to get cracking with ESXi, vMA, and the differences in managing the hosts.
I wanted to take advantage of jumbo frames on my ESXi systems. However, I didn’t decide this until I’d already installed the hosts (and didn’t see an advanced option to set the management interface MTU).