The Register

Thursday, December 3, 2015

Net | Brain

We’ve come a long way from hand-drawn network diagrams. Advancements in diagramming software have allowed engineers to spend less time documenting their network and more time performing important network management tasks. Unfortunately, too many networks are still documented with outdated techniques.

Three Generations of Diagramming Software

  • 1st: Static Diagrams with Visio. Neatly drawn but cumbersome to create and update.
  • 2nd: Static Diagrams with Auto-Discovery. Difficult to scale and overly complex to set up.
  • 3rd: Dynamic Diagrams. Highly scalable, built on-demand, and always up-to-date.

Dynamic Network Diagrams
Dynamic network diagram technology was designed to overcome the challenges of previous diagramming software. Dynamic diagrams are created on-demand, instantly. Because they are data-driven from the live network, they are always up-to-date. Through this approach, there’s no need to create and maintain a database of drawings.



http://www.netbraintech.com/

Thursday, November 19, 2015

Don't run around naked on the Internet. Use Signal and TOR.

We should be using software that we can rely on. This doesn’t need to be a big change. It doesn’t have to be disruptive. It should be invisible, it should be something that happens effortlessly. I like apps like Signal, because they don’t require you to change your method of communications. You can use it right now. I also like TOR for a browser.

  • The first step that anyone could take is to encrypt their phone calls and their text messages. You can do that through the smartphone app Signal, by Open Whisper Systems. It’s free, and you can just download it immediately. And anybody you’re talking to now, their communications, if it’s intercepted, can’t be read by adversaries. [Signal is available for iOS and Android, and, unlike a lot of security tools, is very easy to use.]
  • You should encrypt your hard disk, so that if your computer is stolen the information isn’t obtainable to an adversary — pictures, where you live, where you work, where your kids are, where you go to school. [Here is a guide to encrypting your disk on Windows, Mac, and Linux.]
  • Use a password manager. One of the main things that gets people’s private information exposed, not necessarily to the most powerful adversaries, but to the most common ones, are data dumps. Your credentials may be revealed because some service you stopped using in 2007 gets hacked, and your password that you were using for that one site also works for your Gmail account. A password manager allows you to create unique passwords for every site that are unbreakable, but you don’t have the burden of memorizing them. [The password manager KeePassX is free, open source, cross-platform, and never stores anything in the cloud.]
  • The other thing there is two-factor authentication. The value of this is if someone does steal your password, or it’s left or exposed somewhere … [two-factor authentication] allows the provider to send you a secondary means of authentication — a text message or something like that. [If you enable two-factor authentication, an attacker needs both your password as the first factor and a physical device, like your phone, as your second factor, to login to your account. Gmail, Facebook, Twitter, Dropbox, GitHub, Battle.net, and tons of other services all support two-factor authentication.]

Monday, November 9, 2015

Facebook faces a daily fine of $269,000 for cookies that track users.

BRUSSELS —  A Brussels court had ruled that Facebook must stop within 48 hours the collection of data on users’ Internet browsing when they are not logged in. If they didn’t stop, then Facebook would face a daily fine of $269,000.



Facebook has acknowledged that it collects data on users’ Internet browsing even when they aren’t logged in, through a cookie that it places within a user's Web browser if they have visited the Facebook website. That cookie reports back to Facebook whenever that browser accesses a Web page with an active social plug-in, such as a “like” button.

Facebook says the process is necessary for security purposes to protect people from spam, malware and other attacks. The firm says it uses the information from that cookie only to weed out browsers being piloted by a machine rather than a human, and discards the browsing data after 10 days. Machine-driven browsers are often used to hack into users’ Facebook pages, the company says.

Thursday, March 12, 2015

Installing Windows Server 2012 R2 in VirtualBox

I received a call from a client that had an old server running a mission-critical database application on Windows Server 2003 that has to be replaced. Microsoft has announced end of support for Windows Server 2003 and all updates. Windows Server 2003 is at its end-of-life. We discussed upgrading to Windows Server 2012 R2, and running the database application in a VM until we can migrate it to Windows Server 2012 R2. New hardware was purchased for this and I set about to kick Windows Server 2012 R2 around in a VM on VirtualBox. Here is a bit of what I found.

First, I downloaded the ISO file from Microsoft and created a new VM in Oracle VirtualBox. I added the ISO image as a second controller and let it boot from there. I selected Windows 2012 as the intended OS and left the defaults alone. It allocated 2 Gb of RAM, 2 CPUs, and a dynamic 25 Gb Virtual Disk. Video RAM was left at 128 Mb. VT-x/AMD-V was enabled by default as well.

Windows Server 2012 R2 provides new features and capabilities: server virtualization, software-defined networking, server management and automation, web and application platform, access and information protection, virtual desktop infrastructure, and more. Windows 2012 R2 is released as several different editions for different needs. Windows Server 2012 R2 supports enterprise-grade storage, identity, networking, virtualization, and more. Windows Server 2012 R2 provides 5x more logical processor support, 4x more physical memory and 16x more memory support per virtual machine than Windows Server 2008. Microsoft includes IP Address Management (IPAM) and Software Defined Networks (SDNs) to allow virtualization and network management teams to allocate network bandwidth as needed.






Windows 2012 R2 Server Essentials Edition is limited to 25 users, 50 devices, and a total of 2 VMs. Windows Server 2012 R2 Essentials Edition  (formerly Windows Small Business Server) is a server designed for small businesses. Windows Server 2012 Essentials is an ideal first server, and it can also be used as the primary server in a multi-server environment.









Microsoft adds System Center 2012 R2 with versions of Operations Manager, Virtual Machine Manager, and Configuration Manager to the standard edition of Server 2012 R2.

Microsoft has made it easy to join Windows 2012 R2 to Azure Clouds. Microsoft is supporting commonly used Linux distros as manageable guests within the Hyper-V virtualization and Azure cloud infrastructure. If organizations want a control panel, Microsoft attaches System Center Ops Manager, Virtual Machine Manager, and Configuration Manager that are deeply intertwined into the depths of Server 2012 R2 and Hyper-V. Hyper-V boots UEFI, rather than traditional BIOS. There is the capacity to move virtual machines from host to host using compression, and where hardware is available to support it, very fast transports -- 10GBE, Infiniband, and other connections. The high-speed connections are crucial to VM movements among hosts in hypervisor fabrics.






  • What's New in 802.1X Authenticated Wired Access
    This topic provides information about the new features for 802.1X Authenticated Wired Access in Windows Server 2012 R2 and Windows 8.1.
  • What's New in 802.1X Authenticated Wireless Access
    This topic provides information about the new features for 802.1X Authenticated Wireless Access in Windows Server 2012 R2 and Windows 8.1, including Miracast Wireless Display and faster Wi-Fi with 802.11ac.
  • What's New in Active Directory in Windows Server
    You can leverage new features in Active Directory to enable employees and partners to access protected corporate data from their personal devices and at the same time manage risk and govern the use of corporate resources.
  • What's New in Active Directory Domain Services (AD DS)
    Active Directory Domain Services (AD DS) in Windows Server 2012 includes new features that make it simpler and faster to deploy domain controllers (both on-premises and in the cloud), more flexible and easier to both audit and authorize access to files with Dynamic Access Control, and easier to perform administrative tasks at scale, either locally or remotely, through consistent graphical and scripted management experiences.
  • What's New in Active Directory Rights Management Services (AD RMS)
    Active Directory Rights Management Services (AD RMS) is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
  • What's New in BitLocker
    BitLocker now provides support for device encryption on x86-based and x64-based computers with a Trusted Platform Module that supports connected standby. This topic describes the new functionality. BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen.
  • What's New in BranchCache
    BranchCache in Windows Server 2012 and Windows 8 provides substantial performance, manageability, scalability, and availability improvements.
  • What's New in Certificate Services in Windows Server
    Active Directory Certificate Services in Windows Server 2012 R2 supports a policy module for the Network Device Enrollment Service, TPM key attestation, and new Windows PowerShell cmdlets for backup and restore. AD CS in Windows Server 2012 provides multiple new features and capabilities over previous versions, including new deployment, manageability, and capabilities added to AD CS in Windows Server 2012.
  • What's New in Data Deduplication in Windows Server
    Data Deduplication can now be installed on a scale-out file share and used to optimize live virtual hard disks (VHDs) for Virtual Desktop Infrastructure (VDI) workloads. This topic describes this and other new functionality.
  • What's New in DFS Replication and DFS Namespaces in Windows Server
    This topic describes the features that were added to DFS Replication (DFSR or DFS-R) in Windows Server 2012 R2. DFS Namespaces and DFS Replication in Windows Server 2012 provide new management functionality as well as interoperability with DirectAccess and Data Deduplication.
  • What's New in DHCP
    Dynamic Host Configuration Protocol (DHCP) in Windows Server 2012 R2 provides new features and capabilities over previous versions. This document describes new deployment, manageability, and capabilities added to the DHCP Server role in Windows Server 2012 R2. Dynamic Host Configuration Protocol (DHCP) is an Internet Engineering Task Force (IETF) standard designed to reduce the administration burden and complexity of configuring hosts on a TCP/IP-based network, such as a private intranet.
  • What's New in DNS Server
    This topic provides information about new and changed functionality in the DNS Server service in Windows Server 2012 R2. Domain Name System (DNS) services are used in TCP/IP networks for naming computers and network services. DNS naming locates computers and services through user-friendly names.
  • What's New in DNS Client
    This topic provides information about new and changed functionality in the DNS Client service in Windows 8.1 and Windows 8.
  • What's New in Failover Clustering in Windows Server
    This topic describes the Failover Clustering functionality that is new or changed in Windows Server 2012 R2. Failover clusters provide high availability and scalability to many server workloads. These include file share storage for server applications such as Hyper-V and Microsoft SQL Server, and server applications that run on physical servers or virtual machines.
  • New and Changed Functionality in File and Storage Services
    File and Storage Services provides a number of new management, scalability, and functionality improvements in Windows Server 2012 R2 and Windows Server 2012.
  • What's New in File Server Resource Manager in Windows Server
    This topic summarizes the File Server Resource Manager functionality in Windows Server 2012 R2 that is new or changed since Windows Server 2012. File Server Resource Manager provides a set of features that allow you to manage and classify data that is stored on file servers.
  • What's New in Group Policy in Windows Server
    This topic describes the new and changed functionality of the Group Policy feature in Windows Server 2012 R2 and Windows Server 2012. Group Policy is an infrastructure that enables you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
  • What’s New in Hyper-V for Windows Server 2012 R2
    This topic describes the new and changed functionality of the Hyper-V role in Windows Server 2012 R2. The Hyper-V role enables you to create and manage a virtualized computing environment by using virtualization technology that is built in to Windows Server 2012. Hyper-V virtualizes hardware to provide an environment in which you can run multiple operating systems at the same time on one physical computer, by running each operating system in its own virtual machine.
  • What's New in Hyper-V Network Virtualization
    This topic describes the new or changed features and functionality in Hyper-V Network Virtualization in Windows Server 2012 R2.
  • What's New in Hyper-V Virtual Switch in Windows Server 2012 R2
    This topic provides information about the new features in Hyper-V Virtual Switch in Windows Server 2012 R2.
  • What's New in IPAM
    IP Address Management (IPAM) is a feature that was first introduced in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network. IPAM in Windows Server 2012 R2 includes many enhancements.
  • What's New in iSCSI Target Server in Windows Server
    This topic describes the new and changed functionality of iSCSI Target Server in Windows Server 2012 R2.
  • What's New in Kerberos Authentication
    The Microsoft Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key and password-based authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI).
  • What's New for Managed Service Accounts
    Standalone Managed Service Accounts, which were introduced in Windows Server 2008 R2 and Windows 7, are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators.
  • What's New in Networking
    This topic describes the new and changed functionality of networking in Windows Server 2012 R2. Discover new networking technologies and new features for existing technologies in Windows Server 2012. Technologies covered include BranchCache, Data Center Bridging, NIC Teaming, and more.
  • What's New in Print and Document Services in Windows Server
    This topic describes the new and changed functionality of Print and Document Services in Windows Server 2012 R2.
  • What's New in Remote Access
    A number of new Remote Access server and client features are included in Windows Server 2012 R2 and Windows 8.1.
  • What's New in Remote Desktop Services in Windows Server
    This topic describes the Remote Desktop Services functionality that is new or changed in Windows Server 2012 R2 and Windows Server 2012. The Remote Desktop Services server role provides technologies that enable users to connect to virtual desktops, RemoteApp programs, and session-based desktops. With Remote Desktop Services, users can access remote connections from within a corporate network or from the Internet.
  • Security and Protection
    This topic describes the significant changes to security technologies in Windows Server 2012 R2 and Windows Server 2012 and how those changes impact Windows 8.1.
  • What’s new in Server Manager
    In this blog post, senior Server Manager program manager Wale Martins describes the innovations and value of the new Server Manager. Server Manager in Windows Server 2012 lets administrators manage multiple, remote servers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
  • What's New in Smart Cards
    Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources.
  • What's New in SMB in Windows Server
    This topic introduces the new features and functionality for Server Message Block (SMB) in Windows Server 2012 R2.
  • What's New in Storage Spaces in Windows Server
    This topic describes the features that were added to Storage Spaces in Windows Server 2012 R2, including storage tiers, write-back cache, and dual parity.
  • What's New in TLS/SSL (Schannel SSP)
    Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. The Security Support Provider Interface (SSPI) is an API used by Windows systems to perform security-related functions including authentication.
  • What's New in Windows Deployment Services in Windows Server
    A Windows Deployment Services (WDS) server running Windows Server 2012 R2 can be managed using the Windows PowerShell cmdlets for WDS. Using Windows PowerShell cmdlets, you can add driver packages, add client images, enable and disable boot and install images, and do many other common WDS tasks. For a full reference, see Windows PowerShell Support for Windows Server. Windows Deployment Services is a server role that enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation.
  • What’s New in Windows PowerShell
    Windows PowerShell includes several significant features that extend its use, improve its usability, and allow you to control and manage Windows-based environments more easily and comprehensively.
  • What's New in Windows Server 2012 R2 Essentials
    This topic describes what's new and changed in Windows Server 2012 R2 Essentials. 
  • Active Directory Certificate Services Overview
    This content provides an overview of Active Directory Certificate Services (AD CS) in Windows Server 2012. AD CS is the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.
  • Active Directory Domain Services Overview
    By using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft Exchange Server.
  • Active Directory Federation Services Overview
    This topic provides an overview of Active Directory Federation Services (AD FS) in Windows Server 2012.
  • Active Directory Lightweight Directory Services Overview
    Active Directory Lightweight Directory Services (AD LDS) is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies and domain-related restrictions of AD DS.
  • Active Directory Rights Management Services Overview
    This document provides an overview of Active Directory Rights Management Services (AD RMS) in Windows Server 2012. AD RMS is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.
  • Application Server Overview
    Application Server provides an integrated environment for deploying and running custom, server-based business applications.
  • Desktop Experience Overview
    This topic includes information about Graphical Management Tools and Infrastructure, Server Graphical Shell, Desktop Experience, and Media Foundation.
  • Failover Clustering Overview
    This topic describes the Failover Clustering feature and provides links to additional guidance about creating, configuring, and managing failover clusters on up to 4,000 virtual machines or up to 64 physical nodes.
  • File and Storage Services Overview
    This topic discusses the File and Storage Services server role in Windows Server 2012, including what’s new, a list of role services, and where to find evaluation and deployment information.
  • Group Policy Overview
    This topic describes the Group Policy feature in Windows Server 2012 and Windows 8. Use this topic to find the documentation resources and other technical information you need to accomplish key Group Policy tasks, new or updated functionality in this version compared to previous versions of Group Policy, and ways to automate common Group Policy tasks using Windows PowerShell.
  • Hyper-V Overview
    This topic describes the Hyper-V role in Windows Server 2012—practical uses for the role, the most significant new or updated functionality in this version compared to previous versions of Hyper-V, hardware requirements, and a list of operating systems (known as guest operating systems) supported for use in a Hyper-V virtual machine.
  • Networking Overview
    This section contains detailed information about networking products and features for the IT professional to design, deploy, and maintain Windows Server 2012.
  • Network Load Balancing Overview
    By managing two or more servers as a single virtual cluster, Network Load Balancing (NLB) enhances the availability and scalability of Internet server applications such as those used on web, FTP, firewall, proxy, virtual private network (VPN), and other mission-critical servers. This topic describes the NLB feature and provides links to additional guidance about creating, configuring, and managing NLB clusters.
  • Network Policy and Access Services Overview
    This topic provides an overview of Network Policy and Access Services in Windows Server 2012, including the specific role services of Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP). Use the Network Policy and Access Services server role to deploy and configure Network Access Protection (NAP), secure wired and wireless access points, and RADIUS servers and proxies.
  • Print and Document Services Overview
    This is an overview of Print and Document Services, including Print Server, Distributed Scan Server, and Fax Server in Windows Server 2012.
  • Remote Desktop Services Overview
    Remote Desktop Services accelerates and extends desktop and application deployments to any device, improving remote worker efficiency, while helping to keep critical intellectual property secure and simplify regulatory compliance. Remote Desktop Services enables both a virtual desktop infrastructure (VDI) and session-based desktops, allowing users to work anywhere.
  • Security and Protection
    The table on this page provides links to available information for the IT pro about security technologies and features for Windows Server 2012 and Windows 8.
  • Telemetry Overview
    Find out about Windows Feedback Forwarder—a service that enables you to automatically send feedback to Microsoft by deploying a Group Policy setting to one or more organizational units. Windows Feedback Forwarder is available on all editions of Windows Server 2012.
  • Volume Activation Overview
    This technical overview for the IT pro describes the volume activation technologies in Windows Server 2012 and how your organization can benefit from using these technologies to deploy and manage volume licenses for a medium to large number of computers.
  • Web Server (IIS) Overview
    This document introduces the Web Server (IIS) role of Windows Server 2012, describes new IIS 8 features, and links to additional Microsoft and community information about IIS.
  • Windows Deployment Services Overview
    Windows Deployment Services enables you to deploy Windows operating systems over the network, which means that you do not have to install each operating system directly from a CD or DVD.
  • Windows Server Backup Feature Overview
    This section provides an overview of the Windows Server Backup feature and lists the new features in Windows Server 2012.
  • Windows Server Essentials Experience Overview
    With the Windows Server Essentials Experience role, you can take advantage of Windows Server 2012 R2 Essentials features such as simplified management using the server dashboard, data protection, Remote Web Access, and integration with Microsoft online services—all without enforcement of the Windows Server 2012 R2 Essentials locks and limits.
  • Windows Server Update Services Overview
    Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. In Windows Server 2012, this feature is integrated with the operating system as a server role. This topic provides an overview of this server role and more information about how to deploy and maintain WSUS.
  • Windows System Resource Manager Overview
    With Windows System Resource Manager for the Windows Server 2012 operating system, you can manage server processor and memory usage with standard or custom resource policies. Managing your resources can help ensure that all the services provided by a single server are available on an equal basis or that your resources will always be available to high-priority applications, services, or users.

Friday, March 6, 2015

Don't freak out over FREAK attacks.



On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

FREAK was initially thought to be “only” a problem for Android, iOS and OS X users, and Windows systems were thought to be immune. On Thursday, Microsoft issued a security advisory acknowledging a vulnerability in all versions of Windows that could allow FREAK exploits. "The vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system. The vulnerability facilitates exploitation of the publicly disclosed FREAK technique."

With the addition of Windows, the list of phones, tablets and other devices vulnerable to FREAK now includes almost all of them. These sites can help web site sysops test whether they’re vulnerable.

Don't freak out over FREAK attacks. Chrome for Windows and all versions of Firefox are safe. Browsers are vulnerable to the FREAK attack because of a bug that allows an attacker to force them to use weak encryption. More browsers are vulnerable to the FREAK attack than was initially thought when the attack was announced, including:

  • Internet Explorer
  • Chrome on Mac OS (Patch available now)
  • Chrome on Android
  • Safari on Mac OS (Patch expected next week)
  • Safari on iOS (Patch expected next week)
  • Stock Android Browser
  • Blackberry Browser
  • Opera on Mac OS
  • Opera on Linux

You can test your browser here:
https://freakattack.com/clienttest.html

The designers of SSL created a negotiation mechanism that would identify the best cipher both parties could support, according to cryptographer Matthew Green.

Most modern clients, such as Web browsers, won't offer the export grade cipher suites, and it was believed that few servers offered those weak suites.

However, some modern TLS clients such as Apple's SecureTransport and OpenSSL have a bug that lets them accept RSA export-grade keys whether or not the client asks for them.

"The FREAK flaw allows for feasible decryption of SSL keys in hours using a man-in-the-middle proxy to trick a Web server to use weak encryption rather than the strongest available for the client browser." The attack "could be used to decrypt users' names and passwords as well as other sensitive data that users think is protected by SSL," according to Philip Lieberman of Lieberman Software.
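The client bug described above comes down to a missing consistency check on the handshake. The following is an added example, not code from the original post or from any TLS library: it shows the checks a client needs and a server-side audit for export suites. The `Handshake` record, the finding codes and the sample handshakes are constructed for illustration; the suite names are the standard IANA ones.

```python
"""Added illustration: handshake checks whose absence lets a TLS client
accept an export-grade RSA key it never asked for (the FREAK condition)."""
from dataclasses import dataclass
from typing import List, Optional


def is_rsa_export(suite: str) -> bool:
    """Export-grade RSA key exchange (IANA names start with TLS_RSA_EXPORT_)."""
    return suite.startswith("TLS_RSA_EXPORT_")


def is_plain_rsa(suite: str) -> bool:
    """Non-export RSA key exchange: the certificate key protects the premaster."""
    return suite.startswith("TLS_RSA_WITH_")


def export_suites_enabled(server_suites: List[str]) -> List[str]:
    """Server-side audit: every export-grade RSA suite still enabled."""
    return [s for s in server_suites if is_rsa_export(s)]


@dataclass
class Handshake:
    """What the client observed (hypothetical record type for this example)."""
    offered: List[str]            # suites the client sent in its ClientHello
    selected: str                 # suite named in the ServerHello
    temp_rsa_bits: Optional[int]  # temporary RSA key in ServerKeyExchange, or None


def check_handshake(hs: Handshake) -> List[str]:
    """Return finding codes; any finding means the client must abort."""
    findings = []
    # The server may only pick a suite the client actually offered.
    if hs.selected not in hs.offered:
        findings.append("SUITE_NOT_OFFERED")
    # Export suites are weak even when both sides agreed on them.
    if is_rsa_export(hs.selected):
        findings.append("EXPORT_SUITE")
    # A plain RSA handshake has no ServerKeyExchange at all, so a temporary
    # RSA key here is the export-grade key the buggy clients accepted.
    if is_plain_rsa(hs.selected) and hs.temp_rsa_bits is not None:
        findings.append("UNEXPECTED_TEMP_RSA")
    return findings


# Constructed sample data (not captured traffic).
MODERN = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]
EXPORT = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"

CLEAN = Handshake(MODERN, "TLS_RSA_WITH_AES_128_CBC_SHA", None)
DOWNGRADED = Handshake(MODERN, "TLS_RSA_WITH_AES_128_CBC_SHA", 512)
LEGACY = Handshake(MODERN + [EXPORT], EXPORT, 512)
NOT_OFFERED = Handshake(MODERN, EXPORT, 512)

if __name__ == "__main__":
    for name, hs in [("clean", CLEAN), ("downgraded", DOWNGRADED),
                     ("legacy", LEGACY), ("not offered", NOT_OFFERED)]:
        result = check_handshake(hs)
        print(f"{name:12s} -> {'abort: ' + ', '.join(result) if result else 'ok'}")
    print("server audit ->", export_suites_enabled(MODERN + [EXPORT]))
```

On the server side, an empty result from `export_suites_enabled` over the configured suite list is the goal; removing export suites takes away the weak key regardless of how clients behave.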


Mozilla.org has a configuration guide for TLS on web servers here:

Mozilla.org also has a SSL Configuration Generator here:

Thursday, February 19, 2015

GodMode in Windows

Here is a neat trick I found today for Windows 7 / 8. Create a folder anywhere and name it this:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

This folder will have all available options for configuring your Windoze. Kewl!
