
Microsoft: SysInternals Suite PsExec Command Usage

I was given a task to install an agent on computers and servers using the command line, and during my research I discovered a tool called PsExec from the SysInternals Suite.

You may ask, what is PsExec? According to Microsoft, it launches interactive command prompts on remote systems and remote-enables tools like IpConfig that otherwise cannot show information about remote systems. In other words, PsExec allows commands to be executed on a remote system as if they were typed at that system's own console.

There are a number of features that I love about the PsExec tool, which are as follows:

  1. It can run a command remotely as another user, interactively on the remote system's desktop session
  2. It can run the command on multiple computers taken from a list in a text file

I was given the task to install the SAP Single Sign-On add-in, and it was difficult because it required that it be run locally under a network user in interactive mode.

The PSExec tool gave me the power to overcome this difficulty.

Here is the syntax of the command and the parameters I used:

psexec.exe @[file-name.txt] -u [domain\username] -i -h [\\server\path\batch-file.bat]

Explaining each switch:

@   execute the command on each computer listed in the file; each computer must be on its own line

-u   user name to run the command as

-p   password for that user; it is left out above on purpose, because PsExec then prompts for the password instead of it being kept in the command history

-i   run the command in interactive mode (on the remote user's desktop session)

-h   run the command with the account's elevated token (UAC elevation)

This command executes the script on each computer in the list and returns each result as it completes.

Each target computer must be powered on and reachable; PsExec cannot run anything on a machine that is off.
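As an added example (not from the original post), the following PowerShell script prepares the list PsExec's @file switch reads by keeping only the hosts that answer a ping, so a run against many computers does not stall on machines that are off. The list file names, the UNC path to the batch file and the run-as account are placeholders.

```powershell
# Added example (not from the original post): build the computer list that
# PsExec's @file switch consumes, keeping only hosts that answer a ping so the
# run does not stall on powered-off machines. All paths and the account are
# placeholders.
param(
    [string]$CandidateList = '.\all-computers.txt',              # one hostname per line
    [string]$TargetList    = '.\online-computers.txt',           # written by this script
    [string]$Script        = '\\server\share\install-agent.bat', # placeholder UNC path
    [string]$RunAs         = 'DOMAIN\svc-install'                # placeholder account
)

$online  = [System.Collections.Generic.List[string]]::new()
$offline = [System.Collections.Generic.List[string]]::new()

foreach ($line in Get-Content $CandidateList) {
    $name = $line.Trim()
    if ($name -eq '') { continue }
    # -Quiet returns $true/$false instead of echo-reply objects; one ping is enough here.
    if (Test-Connection -ComputerName $name -Count 1 -Quiet) {
        $online.Add($name)
    } else {
        $offline.Add($name)
    }
}

# PsExec reads the file as one computer per line; ASCII avoids BOM surprises.
$online | Set-Content -Path $TargetList -Encoding ASCII

Write-Host "Online: $($online.Count)   Offline (skipped): $($offline.Count)"
$offline | ForEach-Object { Write-Host "  skipped: $_" }

if ($online.Count -gt 0) {
    # -p is deliberately omitted so PsExec prompts for the password rather than
    # leaving it in the shell history. -i runs on the interactive desktop session,
    # -h runs with the account's elevated token.
    & psexec.exe "@$TargetList" -u $RunAs -i -h $Script
    Write-Host "PsExec exit code: $LASTEXITCODE"
}
```

The offline hosts are printed rather than silently dropped, so the list can be re-run later against just those machines.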

Microsoft: Active Directory Domain Service Security Group

Security group scope

1. Universal

  • Forest users accessing its own Forest resources. (FF)
  • It can contain a combination of Global and Domain Local groups

E.g. Enterprise Admins, Schema Admins (in the Users container)

2. Global

  • Domain users accessing its own Forest resources. (DF)

E.g. Domain Users, Domain Admins (in the Users container)

3. Domain Local

  • Forest users accessing Domain resources. (FD)
  • This is the only group scope that can have members from an external forest

E.g. Administrators, Account Operators, Backup Operators, Print Operators (in the Builtin container)
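As an added example (not from the original post), this PowerShell snippet counts the domain's security groups by scope and lists the Domain Local groups that hold members from a trusted external forest, which show up as foreign security principals. It assumes the ActiveDirectory RSAT module and a domain-joined session. Note that Active Directory itself enforces the nesting rules: a Domain Local group cannot be added as a member of a Universal or Global group, and only Domain Local groups accept principals from another forest.

```powershell
# Added example (not from the original post): summarise security groups by scope
# and flag Domain Local groups holding members from another forest.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# GroupScope is returned by default; the member attribute must be requested.
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties member

# Count per scope: Universal, Global, DomainLocal
$groups | Group-Object GroupScope | Sort-Object Name |
    ForEach-Object { '{0,-12} {1,5}' -f $_.Name, $_.Count }

# Members from a trusted external forest are stored as foreign security
# principals (FSPs); only Domain Local groups may contain them.
$domainDN     = (Get-ADDomain).DistinguishedName
$fspContainer = "CN=ForeignSecurityPrincipals,$domainDN"

foreach ($g in $groups | Where-Object GroupScope -eq 'DomainLocal') {
    $external = @($g.member | Where-Object { $_ -like "*,$fspContainer" })
    if ($external.Count -eq 0) { continue }

    Write-Host "$($g.Name): $($external.Count) external-forest member(s)"
    foreach ($dn in $external) {
        # The FSP's CN is the member's SID; translate it to a name when the trust resolves it.
        $sid = ($dn -split ',')[0] -replace '^CN='
        try {
            $resolved = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
        } catch {
            $resolved = '(unresolved: trust unavailable or principal deleted)'
        }
        Write-Host "    $sid  $resolved"
    }
}
```

Unresolved SIDs in the output usually mean an orphaned FSP from a removed trust, which is worth cleaning out of the group.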

Group Policy Object Processing And Precedence

This article is about the order of processing and precedence of the Group Policy Object (GPO).

There is an acronym used to remember the order of processing:

LSDOU – Local, Site, Domain, OU.

Local GPO

Site linked GPO

Domain linked GPO

Organizational Unit linked GPO

The rule of thumb for precedence in the LSDOU order of processing is that the last GPO applied takes precedence, which will be the OU-linked GPO. There are additional rules to consider: when multiple GPOs are linked to the same object (e.g. the domain), they are processed according to their link order from top to bottom (1 to …), and the top GPO takes precedence.

Inheriting Parent GPO

In some cases there may be nested OUs, or parent and child domains, in which GPOs are inherited from the parent automatically. By default the inherited GPOs have the lowest precedence on the child node, which can be changed by rearranging the link order.

Enforcing GPO

The precedence of a GPO can also be changed by enforcing it, which moves it to the top (it becomes number 1).
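As an added example (not from the original post), this PowerShell script walks from the domain root down to a chosen OU and prints the linked GPOs in the order the engine processes them (domain first, then each nested OU), with the link order, Enabled and Enforced flags, and whether a container blocks inheritance. It then prints the engine's own resulting precedence for that OU. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the OU path is a placeholder. Local and site-linked GPOs (the L and S in LSDOU) are not walked here.

```powershell
# Added example (not from the original post): show GPO links in LSDOU processing
# order for one OU, then the effective precedence. Requires the GroupPolicy and
# ActiveDirectory RSAT modules. The OU distinguished name is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDN = 'OU=Workstations,DC=example,DC=com'   # placeholder target OU

function Get-GpoLinkRows {
    param([string]$Container, [string]$Level)
    # Get-GPInheritance lists this container's own links in link order (1 = top).
    $inh = Get-GPInheritance -Target $Container
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Level             = $Level
            LinkOrder         = $link.Order
            GPO               = $link.DisplayName
            Enabled           = $link.Enabled
            Enforced          = $link.Enforced
            BlocksInheritance = $inh.GpoInheritanceBlocked
        }
    }
}

# Build the chain domain -> parent OU -> ... -> target OU so output follows the D then OU order.
$domainDN  = (Get-ADDomain).DistinguishedName
$ancestors = @()
$current   = $ouDN
while ($current -ne $domainDN) {
    $ancestors = ,$current + $ancestors
    $current   = $current -replace '^OU=[^,]+,'   # strip the leftmost OU component
}

$rows = @(Get-GpoLinkRows -Container $domainDN -Level 'Domain')
foreach ($dn in $ancestors) { $rows += Get-GpoLinkRows -Container $dn -Level $dn }

# Processing order top to bottom: a later row overrides an earlier one on conflicting
# settings, except Enforced links, which always win and survive "Block Inheritance".
$rows | Format-Table Level, LinkOrder, GPO, Enabled, Enforced, BlocksInheritance -AutoSize

# The engine's resulting precedence at the OU, 1 = highest (wins conflicts).
(Get-GPInheritance -Target $ouDN).InheritedGpoLinks |
    Select-Object @{ n = 'Precedence'; e = { $_.Order } }, DisplayName, Enforced, Enabled |
    Format-Table -AutoSize
```

Comparing the two tables is the quickest way to see an enforced domain GPO jump above the OU links, or a disabled link that explains why a setting never arrives.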
Setting up a Cisco AP using the command line

This article documents the CLI commands used to configure an autonomous Cisco access point.

To configure the AP management IP address, use the following commands:

interface BVI1
 ip address [ip] [subnetmask]
 no shutdown

Next, define the SSID properties: name, key-management method and password.

This particular configuration uses WPA2 to authenticate the users.

dot11 ssid [SSIDName]
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii [password]

Next you bind this SSID to the 2.4 GHz radio, which is interface Dot11Radio0; if you want it available on the 5 GHz band as well, configure it on Dot11Radio1 in the same way. The radio uses the AES-CCM cipher, which must be set before the SSID is attached.

interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid [SSIDName]
 no shutdown

Once you are done, save the configuration and test your wireless device.

Common Switch Commands for the HP FlexNetwork

I have recently had to interact with HP FlexNetwork 5510 switches, and the command syntax was totally different from the HP-Aruba 2530. This article documents the common switch commands that I use on a daily basis.

  • Show (Display) the list of interfaces and their status

display interfaces brief

  • List the directly connected devices using LLDP

display lldp neighbor-information list

  • Enter system view (the equivalent of enable/privileged exec mode)

system-view

  • Save switch startup configuration

write

  • Show the running configuration

display current-configuration

  • Configure IP helper on an interface

interface [interface_type]

dhcp select relay

dhcp relay server-address [dhcp_ip_address]

  • Configure NTP Service

ntp-service enable
ntp-service unicast-server 10.71.152.229
ntp-service unicast-server 10.220.0.35

  • Configure SSH

ssh server enable

ssh client source interface [interface]

service-type ssh terminal

  • Configure the default gateway

ip route-static 0.0.0.0 [gateway_ipaddress]

  • Configure interface as layer 2

port link-mode bridge

  • Configure interface as layer 3

port link-mode route

  • Configure the interface as a trunk

port link-type trunk

port trunk permit vlan [vlan-id]

  • Configure the local user account to manage the switch

local-user [username] class manage
password simple [password]
service-type [options: ssh telnet terminal]
authorization-attribute user-role [role-name]

I will be adding more commands as time goes by and I get familiar with the CLI.

Cisco: Converting a Cisco AP 2600 from Lightweight to Autonomous mode

This article is about converting a Cisco AP model CAP2602E from lightweight to autonomous mode. (This can apply to other APs of similar models.)

The tools that you will need to do the job:

  1. A TFTP server application; I am using Pumpkin (link here)
  2. A Telnet/console tool; I am using PuTTY (link here)
  3. The autonomous image for the Cisco AP (note that the image file name will contain "k9w7")
  4. Console cable
  5. Network cable
  6. Power adapter for the AP. (If you have a PoE switch to power the AP, then you can skip the adapter)

Now let us begin the process:

  1. Install the TFTP server application and start it up.
  2. Install the PuTTY tool.
  3. Copy the image to the TFTP folder path set in the TFTP server application. The image required for my Cisco AP CAP2602E is "ap3g2-k9w7-tar.153-3.JAB.tar". Note that when you get the image, it will need to be renamed from the ".tar" extension to ".default"; in my case it becomes ap3g2-k9w7-tar.default. Please ensure you follow this same naming.
  4. Connect your AP directly to your computer.
  5. The static IP address of the computer on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
  6. Disconnect power from the access point.
  7. Press and hold MODE while you reconnect power to the access point.
  8. Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds), then release it.
  9. The AP will start to broadcast to the TFTP server for the image file. When the TFTP server gets a request from the AP, select Grant Access. (Note: if a different image is requested, make a note of the image name and try to get it.)
  10. Once the image is correct, the AP will start to pull it from the TFTP server; it takes about 10 minutes to load.
  11. Once the image has loaded, the AP will reboot.
  12. Then you can use PuTTY to connect to the console and configure the AP as desired by assigning an IP address to the BVI interface (default login Cisco/Cisco).
  13. Once the IP address is set, you can access it using the web GUI.

I hope this article was helpful.

Reference: https://community.cisco.com/t5/wireless-security-and-network/converting-the-air-lap1242ag-e-k9-from-lightweight-to-autonomous/td-p/632837

Configuring AWS CLI using Python and pip on Windows

This article was created to document the steps to configure and utilize the AWS CLI on a Windows machine.

There are multiple ways of installing the AWS CLI, but I chose the method of using Python with pip3 since I already have the tool installed on my Windows 10 machine.

  1. Install Python on your Windows system from python.org.
  2. Run the following command from the command prompt to ensure it is working:

python --version

  3. Then check that the Python package tool pip3 is installed using the following command:

pip3 --version

  4. Once the version is displayed without any errors, you can proceed to install the AWS CLI using pip3 with the command below:

pip3 install awscli

  5. After the installation is complete, proceed to test that the AWS CLI is working:

where aws

Once the folder path of the AWS CLI is shown, then you have successfully installed the CLI.

Now the next step is to configure it for use with your AWS service. This can be done by running the following aws command:

aws configure

It will prompt you for the AWS Access Key ID, Secret Access Key, default region and default output format. This allows you to connect to AWS without authenticating each time. I would recommend that you set up an IAM user account to authenticate with the AWS CLI and limit its access to only the features that will be used this way.

For further details, please consult the AWS CLI documentation here.
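As an added example (not from the original post), this PowerShell function verifies the pip-installed CLI the way a practitioner would after aws configure: it locates aws on the PATH, asks STS which identity the stored credentials resolve to (without ever printing the secret key), warns if those are root-account credentials rather than the limited IAM user recommended above, and checks that the plain-text credentials file is not readable by other local accounts. The aws commands used (--version, sts get-caller-identity) are standard CLI commands; the ACL allow-list is an assumption suited to a single-user workstation.

```powershell
# Added example (not from the original post): post-install checks for an AWS CLI
# configured with `aws configure` on Windows. Prints nothing secret.
function Test-AwsCliSetup {
    $aws = Get-Command aws -ErrorAction SilentlyContinue
    if (-not $aws) {
        Write-Warning 'aws not found on PATH (check the Python Scripts folder is on PATH)'
        return
    }
    Write-Host "aws found at $($aws.Source)"
    Write-Host (& aws --version 2>&1)   # v1 writes the version to stderr, hence 2>&1

    # Which identity do the stored credentials resolve to? STS call, no secrets shown.
    $identity = & aws sts get-caller-identity --output json 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "STS call failed (credentials or network): $identity"
        return
    }
    $id = ($identity | Out-String) | ConvertFrom-Json
    Write-Host "Account: $($id.Account)   Principal: $($id.Arn)"
    if ($id.Arn -match ':root$') {
        Write-Warning 'Root credentials are configured; use an IAM user or role with only the permissions this workstation needs.'
    }

    # `aws configure` stores the keys in plain text under %USERPROFILE%\.aws\credentials.
    $credFile = Join-Path $env:USERPROFILE '.aws\credentials'
    if (-not (Test-Path $credFile)) { return }

    # Assumed allow-list for a single-user workstation: the current user, SYSTEM, Administrators.
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $allowed = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $extra   = @((Get-Acl $credFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $allowed -notcontains $_.IdentityReference.Value
    })
    if ($extra.Count -gt 0) {
        Write-Warning ("Credentials file also grants access to: " +
                       (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
    } else {
        Write-Host 'Credentials file ACL is limited to the current user, SYSTEM and Administrators.'
    }
}

Test-AwsCliSetup
```

If the ACL warning fires, the usual cause is a credentials file copied from another profile or share; recreating it with aws configure under the intended user restores the default inherited permissions.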

Securing the Web management for the HP 2530 switch

Whenever you get an HP/Aruba 2530 switch out of the box, it comes by default with web management enabled over HTTP. You can simply go to the IP address of the switch to view the switch details. To secure the web portal of the switch, do the following:

  1. Log into the switch
  2. Go into configuration mode
  3. Create a self-signed certificate for secure HTTP access
    1. crypto pki enroll-self-signed certificate-name [SWITCHNAME] subject
    2. Enter each piece of information requested
  4. To enable secure HTTP, use the command
    1. web-management ssl
  5. To disable HTTP for web management, use the command
    1. no web-management plaintext
  6. To add a login for the web portal, use the command
    1. password manager user-name [loginname] plaintext [loginpassword]

I hope this was useful.

Microsoft: Enabling Recycle Bin feature in Windows Server 2016 Active Directory Domain Services

There is a new feature available in Active Directory Administrative Center (ADAC) in Windows Server 2016 that allows you to restore deleted AD objects from the Recycle Bin (although it could already be activated from Windows Server 2008 R2 using PowerShell). It allows you to enable it at the domain or forest level. The only caveat is that once it is enabled, it cannot be disabled. The default lifetime for a deleted object to remain in the AD Recycle Bin is 180 days.

To enable the feature using PowerShell:

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'domain.com' -Server DC1

To enable the feature in Active Directory Administrative Center:

Go to Server Manager –> Tools –> Active Directory Administrative Center


Highlight the domain or forest in the left pane and then, in the Tasks pane on the right under the domain, select Enable Recycle Bin.


You will get a warning that once it is enabled it cannot be disabled; select OK.
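As an added example (not from the original post), this PowerShell snippet covers what comes after enabling the feature: it checks whether the Recycle Bin is enabled in the forest, reads the deleted-object lifetime that governs the 180-day window mentioned above, lists recently deleted objects, and restores one by its original account name. It assumes the ActiveDirectory RSAT module and an account allowed to read the Deleted Objects container (Domain Admins by default); the account name and the 30-day window are placeholders.

```powershell
# Added example (not from the original post): Recycle Bin status, lifetime and a
# restore. Requires the ActiveDirectory module and rights to read deleted objects.
Import-Module ActiveDirectory

$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes -or $feature.EnabledScopes.Count -eq 0) {
    Write-Host 'Recycle Bin is NOT enabled: deletions become tombstones with most attributes stripped.'
} else {
    Write-Host "Recycle Bin enabled for: $($feature.EnabledScopes -join '; ')"
}

# msDS-DeletedObjectLifetime falls back to tombstoneLifetime when it is not set explicitly;
# both live on the Directory Service object in the configuration partition.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
            -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
$lifetime = if ($dsObj.'msDS-DeletedObjectLifetime') { $dsObj.'msDS-DeletedObjectLifetime' }
            else { $dsObj.tombstoneLifetime }
Write-Host "Deleted objects stay restorable for $lifetime days"

# List objects deleted in the last 30 days (placeholder window), skipping the container itself.
$since = (Get-Date).AddDays(-30)
Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -ge $since -and Name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Restore one object by its original sAMAccountName (placeholder). With the Recycle Bin
# enabled it returns to lastKnownParent with attributes and group memberships intact.
$sam = 'jdoe'   # placeholder account name
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $sam } -IncludeDeletedObjects
if ($deleted) {
    $deleted | Restore-ADObject
    Write-Host "Restored $sam to $($deleted.lastKnownParent)"
} else {
    Write-Host "No deleted object with sAMAccountName $sam"
}
```

Running the status check before a restore matters: Restore-ADObject also works on plain tombstones, but without the Recycle Bin the reanimated object comes back with most of its attributes and memberships gone.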

Fortinet: Publishing a Server access to the Internet via HTTP

This article provides instructions on how to publish a server/device to the Internet over HTTP. It goes through the basic configuration.

After logging into the Fortinet portal, go to Firewall Objects –> Virtual IP –> Virtual IP and select Create New.


There are a number of parameters:

Name: a short description of the service, e.g. DVR HTTP-80

External Interface: the port connected to the Internet link with the public IP address.

External IP Address/Range: only needed if you have more than one IP address configured on the port. If not, you can leave the default 0.0.0.0.

Mapped IP Address/Range: enter the internal IP address of the server or device, e.g. our DVR 192.168.0.12.

Port Forwarding: tick this option if you are using ports other than the defaults, e.g. external service port 5000 on the outside connecting to (mapped to) port 80 on the internal server.


Go to Policy –>Policy –> Create New


Set the Source Interface/Zone to the external port.

Set the Destination Address to the Virtual IP created earlier and set Service to HTTP, since we are using port 80. If the service is not listed, add it with the custom ports. Select Enable NAT to allow external IP addresses to reach the internal device through the Fortinet.


Once saved by clicking OK, the policy will be listed under the external port in the source port column of the Policy section.