Setting up Laravel on Dreamhost VPS.

     

I inevitably google these things in advance so here’s my chance to pay it forward. The good news is it’s incredibly easy. Set up PHP 7.1 as the command-line binary: Create a fully-hosted, choosing your VPS as the destination server. By default it’s going to set the web directory to /home/username/{domain} and you’ll want to append /public to the end of that. Use (or create) a user with shell access, the default is SFTP only.


The most important piece to getting hired isn't the certs or the degree. It's the interview.

     

It’s an unfortunate reality that you can be, and maybe already have been, rejected for a position you applied for. Certifications in the relevant fields in hand, a degree to your name…would you be gutted to know that “warm and fuzzies” carries equal weight to the other two? Improving your warmth and fuzziness is key not only to getting a foot in the door, but advancement in your career. This is one of a few things that go into the nebulous area of “soft skills,” and I have passed on a lot of candidates because the soft skills aren’t there, and it takes a long, long time to train.


Use nested traversal groups to allow access to ABE-enabled grandchild folders.

     

Say you have the following structure: \\DOMAIN\DFS\Folder1\ <– UserA can access this folder. \\DOMAIN\DFS\Folder1\Folder2 <– UserA has no privileges on this folder. \\DOMAIN\DFS\Folder1\Folder2\Folder3 <– UserA has modify access to this folder, subfolders and files. \\DOMAIN\DFS\Folder1\Folder2\Folder4 <– UserA has no privileges on this folder. With ABE, the UserA will not see Folder2 even though Folder3 is something they do have access to. So permissions are added for UserA, but because they were done incorrectly, they can now also enumerate Folder4 which they should not even have been aware of.


Use GPO to change the default behavior of potentially malicious file extensions.

     

If you’re like me and don’t have direct control of your own email filtering, or want to go a step beyond, you’re going to want a way to prevent non-PE viruses from running. Software Restriction Policies are good for this if you’re using them in a whitelist capacity, provided that you’ve also added the extension to the Designated File Types. From a blacklist standpoint it’s tougher. Another way to approach the problem is to change the default program to open a particular file extension, and if nothing else it’s another layer of security.


DangItBobby.ps1 – Remotely disable a NIC given only a username.

     

So I have a code offering today, which I’m calling DangItBobby.ps1. It lets you remotely disable the NIC of a computer given only the username that is logged in. In essence, when in the middle of a ransomware infection, and you see that the owner of all the files is changing to Bobby, you run the script and provide credentials of a local admin account. Then you tell it you’re looking for Bobby, it’ll check AD to make sure that’s a valid account, then check with WMI to see if there’s an explorer.


Quick Tips: Programmatically emptying the Temp folder for all user profiles in a terminal server.

     

I ended up needing to do this last week, we have a LOB application that people access via Terminal Services, and it doesn’t clean up after itself in the Temp folder, which causes the application to act up. Can’t get the developers to fix the problem so it’s on us. The existing fix was one batch file, tied to one scheduled task, for every user (50+) of the terminal server. Nightmare to keep maintained.


Quick Tips: Share Permissions do more than you think.

     

While rebuilding a piece of my lab for file server and DFS services, I had an odd set of symptoms. I had a user in a security group that was not set to be able to change permissions, and no ability to take ownership, in the NTFS permissions. Yet they were able to add permissions to give others elevated access, or even elevate their own access. It turns out I’d forgotten the share permission side, where this still had some debug settings; in particular, that “Authenticated Users” had full control.


Ransomware is the future.

     

When I first started fighting ransomware in late 2013, I had a premonition that this was something serious. While CryptoLocker was rather easily defeated in the enterprise and ultimately killed by killing the botnet, media outlets and tech sites ran with the story. It showed this small group making millions and millions of dollars. Guess what? More people started writing ransomware. Cut to now. Ransomware-as-a-service is a real thing you can buy, some variants have live chat support to receive payment, and we routinely see new versions with bugfixes and feature-adds.


Setting up secure Home Folders without touching AD.

     

In preparing for a new file server schema, I’ve been playing with home folders and quotas. I wanted to come up with a “home folder” solution that met a couple needs: Worked well with Windows 7 through 10 Did not involve the client support team having to set the home folder in each user’s AD profile Did not rely on folder redirection or roaming profiles Set-and-forget implementation and minimal headache to manage in the event of data going missing out of a directory Secure with no ability for users to see other users shares or even be aware of them, or to delegate permissions to other users Does not use a mapped drive, to mitigate against current ransomware trends Can be managed with File Server Resource Manager for quotas and file screening.


About Me

Aren’t you that guy from..? Maybe.


Recent blog posts