Thursday, 22 October 2020

Hiding folders on a Windows share that users don't have access to (Access Based Enumeration)

A useful thing when it comes to Windows file shares is enabling Access Based Enumeration (ABE). When a user doesn't have NTFS permission to read a folder within a share, the folder is left out of the directory listing they see. Note that ABE is a visibility feature, not an access control: the NTFS permissions are still what decide who can open a folder, and a user who already knows a path can still try it directly. On very large shares it also adds some load, because the server has to evaluate the ACL of every entry before returning a listing.


To enable this on a share called Shares, run the following PowerShell command in an elevated session on the file server: Set-SmbShare -Name Shares -FolderEnumerationMode AccessBased 

You can achieve the same thing on an Amazon FSx for Windows File Server share by first opening a remote PowerShell session to the FSx administration endpoint with Enter-PSSession -ComputerName fsxPowershellEndpoint -ConfigurationName FsxRemoteAdmin and then running Set-FSxSmbShare -Name ShareName -FolderEnumerationMode AccessBased. 
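As an added example (not part of the original post), the following script enables ABE on every user share that still has it off and then reads the setting back, so the change can be confirmed rather than assumed. It uses only Get-SmbShare and Set-SmbShare; the built-in administrative shares (C$, ADMIN$, IPC$) are skipped because their enumeration mode is not meaningful. Run it in an elevated PowerShell on the file server.

```powershell
# Added example: bulk-enable Access Based Enumeration and verify the result.
# Not from the original post. Requires the SmbShare module (Windows Server 2012+).

# Find user shares whose listing is still unrestricted. 'Special' marks the
# built-in administrative shares, which we leave alone.
$targets = Get-SmbShare |
    Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' }

if (-not $targets) {
    Write-Host 'All user shares already have Access Based Enumeration enabled.'
}

foreach ($share in $targets) {
    Write-Host "Enabling ABE on \\$env:COMPUTERNAME\$($share.Name) ($($share.Path))"
    # -Force suppresses the confirmation prompt Set-SmbShare shows by default.
    Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
}

# Verify: every non-administrative share should now report AccessBased.
$after = Get-SmbShare | Where-Object { -not $_.Special }
$after | Select-Object Name, Path, FolderEnumerationMode | Format-Table -AutoSize

$stillOpen = $after | Where-Object { $_.FolderEnumerationMode -ne 'AccessBased' }
if ($stillOpen) {
    Write-Warning ("ABE is still off on: " + ($stillOpen.Name -join ', '))
}
```

Inside an FSx remote session (Enter-PSSession as above) the same loop works with the FSx proxy cmdlets Get-FSxSmbShare and Set-FSxSmbShare in place of Get-SmbShare and Set-SmbShare. Remember that a share reporting AccessBased only hides folders; check the NTFS ACLs with Get-Acl if the goal is to stop people opening them.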

Thursday, 10 September 2020

Setting up a trust between an on-premises domain and AWS Managed Microsoft AD

On-premises domain prerequisites:

You must configure your on-premises firewall so that the ports below are open from (and to) the CIDRs of all subnets used by the VPC that contains your AWS Managed Microsoft AD. The AWS trust prerequisites page lists further ports beyond these four (for example TCP 135 for RPC, TCP/UDP 464 for Kerberos password changes, TCP 636 for LDAPS, TCP 3268/3269 for the global catalog and TCP 49152-65535 for dynamic RPC), so check the current AWS documentation before finalising the rule set.

  • TCP/UDP 53 - DNS

  • TCP/UDP 88 - Kerberos authentication

  • TCP/UDP 389 - LDAP

  • TCP 445 - SMB
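Before creating the trust it is worth proving that the rules above actually pass traffic. The script below is an added example, not part of the original post: run from an on-premises domain controller, it tests the four TCP ports against each AWS Managed AD domain controller with Test-NetConnection and then checks UDP DNS separately, because Test-NetConnection only exercises TCP. The two DC addresses and the AWS-side domain name are assumptions; replace them with the DNS addresses shown for your directory in the Directory Service console and your directory's DNS name.

```powershell
# Added example: verify firewall connectivity to the AWS Managed AD DCs.
# Not from the original post. Addresses and domain below are placeholders.
$awsDcs    = @('10.0.0.10', '10.0.1.10')   # assumed: your AWS Managed AD DNS addresses
$awsDomain = 'corp.example.com'            # assumed: your AWS Managed AD DNS name

# The ports listed in the prerequisites. Test-NetConnection can only test TCP,
# so the UDP variants of 53/88/389 are not covered by this loop.
$ports = @(
    @{ Port = 53;  Name = 'DNS' },
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB' }
)

$results = foreach ($dc in $awsDcs) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $dc
            Port    = $p.Port
            Service = $p.Name
            TcpOpen = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning ("Blocked TCP ports: " + (($blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
}

# UDP 53 check: ask each AWS DC directly for the AWS domain's Kerberos SRV record.
# Resolve-DnsName uses UDP unless the answer is truncated, so an answer here
# shows that UDP DNS (which the trust also needs) is getting through.
foreach ($dc in $awsDcs) {
    try {
        $srv = Resolve-DnsName -Name "_kerberos._tcp.$awsDomain" -Type SRV -Server $dc -ErrorAction Stop
        "$dc answered over DNS: $(@($srv).Count) SRV record(s) for _kerberos._tcp.$awsDomain"
    } catch {
        Write-Warning "$dc did not answer DNS for $awsDomain : $($_.Exception.Message)"
    }
}
```

A clean run shows TcpOpen = True for every row and an SRV answer from each DC. A DNS answer that comes back from the on-premises resolver rather than the AWS DC means the conditional forwarder is being used instead of the direct path, so keep -Server pointed at the AWS addresses when testing the firewall rule.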

Wednesday, 9 September 2020

Raspberry Pi 4 Configuration for Web Page Display and VNC remote management

 Initial Pi Setup:

  1. Download the Raspberry Pi Imager for your OS from https://www.raspberrypi.org/downloads/
  2. Plug your SD card into your computer/card reader (not the Pi) 
  3. Run the installer. This will ask you to select the OS you want to install and the card you want to install it on 
  4. Once completed, insert the card into the Pi.
  5. Ensure your HDMI lead is plugged into the first HDMI port (the one closest to the power connector) and boot the Pi.
  6. Follow the startup wizard to set a password, sync time and update the Pi
  7. Setup a static IP
    1. Open the terminal from the icon on the top bar
    2. Run the command sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.bak to take a backup before making any changes to the file
    3. Run the command sudo nano /etc/dhcpcd.conf to edit the configuration
    4. Find the section # Example static IP configuration:
      #interface eth0
      #static ip_address=192.168.0.10/24
      #static ip6_address=fd51:42f8:caae:d92e::ff/64
      #static routers=192.168.0.1
      #static domain_name_servers=192.168.0.1 8.8.8.8 fd51:42f8:caae:d92e::1
    5. Delete the # before interface eth0
    6. Delete the # before static ip_address=192.168.0.10/24 and change the address to the one you want to give the Pi. The /24 is the subnet mask in prefix form (/16 for 255.255.0.0, /24 for 255.255.255.0)
    7. Delete the # before static routers and change the address to that of your router
    8. Delete the # before static domain_name_servers and everything after the =. After the =, enter your DNS server addresses (domain controllers or your router). You can enter more than one by separating them with a space
    9. Press ctrl+x to exit. Press Y to save the changes, then enter to confirm the file name
  8. Reboot the Pi by running the command sudo reboot

VNC Setup:

  1. From the GUI, click the Pi icon in the top left and go to Preferences > Raspberry Pi Configuration
  2. Go to the Interfaces tab and tick Enabled next to VNC. This enables the RealVNC server that comes as part of the recommended Raspberry Pi OS image
  3. Download the RealVNC Viewer client for your OS from https://www.realvnc.com/en/connect/download/viewer/
  4. In the VNC Viewer software, click File > New Connection and enter the IP address you configured in step 7.6 above. Click OK and it should connect and prompt you for the username and password of the Pi set during the initial setup wizard in step 6 above (the defaults are pi and raspberry). Because VNC is a remote management path onto the device, make sure that default password really was changed before the Pi goes on a shared network.

Disable sleep mode

  1. First, disable screen blanking by opening the terminal and running the command sudo raspi-config
  2. Go down to option 7 - Advanced Options and press enter
  3. Go down to option A6 - Screen Blanking and press enter
  4. When prompted with "Would you like to enable screen blanking?", highlight <No> and press enter
  5. You should now see the message "Screen blanking is disabled". Press enter, then tab twice to highlight <Finish>. When asked if you would like to reboot now, choose Yes and press enter

Auto load web page in full screen mode on boot

  1. Enable auto login by opening the terminal and running the command sudo raspi-config
  2. Go to option 3 - Boot Options
  3. Select option B1 Desktop / CLI
  4. Select option B4 Desktop Autologin
  5. Back in the terminal run the command sudo nano /etc/xdg/lxsession/LXDE-pi/autostart
  6. Arrow down to the end of the file and add this line - /usr/bin/chromium-browser --kiosk --disable-restore-session-state https://www.yourwebsitehere.com 
  7. Press ctrl+x to exit. Press Y to save the changes, then enter to confirm the file name
  8. Reboot the Pi by running the command sudo reboot and you should find the page loads in full screen when the desktop signs in automatically. 

Auto refreshing the page 

  1. There is a chromium extension that works well for this here - https://chrome.google.com/webstore/detail/easy-auto-refresh/aabcgdmkeabbnleenpncegpcngjpnjkc
  2. Install this and click the 'refresh' symbol it adds to the address bar. This lets you set a timer to refresh the page every X seconds. Like any extension, it runs with access to the pages the kiosk shows, so install it from the store link above rather than a repackaged copy

Monday, 7 September 2020

Giving full mailbox access with auto mapping in Exchange Online (Office 365)

 First, launch an Exchange Online PowerShell session and connect to your tenant using Connect-EXOPSSession


FULL ACCESS (with AutoMapping disabled): Add-MailboxPermission -Identity mailbox@domain.co.uk -User user@domain.co.uk -AccessRights FullAccess -InheritanceType All -AutoMapping $false

AutoMapping is on by default: leave out -AutoMapping $false (or pass $true) and Outlook will add the mailbox to the delegate's profile automatically via Autodiscover, usually within an hour and after an Outlook restart. Disable it when the delegate only needs occasional access or already has many mailboxes mapped.


SEND AS PERMISSION: Add-RecipientPermission -Identity mailbox@domain.co.uk -AccessRights SendAs -Trustee user@domain.co.uk

Add-RecipientPermission asks for confirmation before applying the change; in a script, add -Confirm:$false to suppress the prompt.


Where -Identity is the mailbox you want to give access to, and -User / -Trustee is the account that is being granted access to it. Full Access alone lets the delegate open the mailbox; Send As is a separate right and is needed if they should also send mail that appears to come from that mailbox.
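As an added example (not part of the original post), the function below wraps the two commands above so that automapping is on by default, Send As is optional, and the permissions are read back with Get-MailboxPermission and Get-RecipientPermission afterwards to confirm what Exchange actually recorded. It assumes an existing Exchange Online session (Connect-EXOPSSession as above, or Connect-ExchangeOnline from the Exchange Online PowerShell V2 module); the mailbox and delegate addresses in the usage line are placeholders.

```powershell
# Added example: grant Full Access (automapped by default) plus optional Send As,
# then verify. Not from the original post; addresses at the bottom are placeholders.
function Grant-MailboxDelegation {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,   # the mailbox being shared
        [Parameter(Mandatory)] [string] $Delegate,  # the user being given access
        [switch] $NoAutoMapping,                    # default: Outlook automaps the mailbox
        [switch] $SendAs                            # also allow sending as the mailbox
    )

    Add-MailboxPermission -Identity $Mailbox -User $Delegate -AccessRights FullAccess `
        -InheritanceType All -AutoMapping (-not $NoAutoMapping) | Out-Null

    if ($SendAs) {
        # Add-RecipientPermission prompts by default; -Confirm:$false makes it script-safe.
        Add-RecipientPermission -Identity $Mailbox -AccessRights SendAs -Trustee $Delegate -Confirm:$false | Out-Null
    }

    # Read back what was recorded rather than trusting the cmdlets' return values.
    $full = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.User.ToString() -eq $Delegate -and (($_.AccessRights -join ',') -match 'FullAccess') }
    $sendAsGrant = Get-RecipientPermission -Identity $Mailbox -Trustee $Delegate -ErrorAction SilentlyContinue |
        Where-Object { ($_.AccessRights -join ',') -match 'SendAs' }

    [pscustomobject]@{
        Mailbox     = $Mailbox
        Delegate    = $Delegate
        FullAccess  = [bool]$full
        AutoMapping = -not $NoAutoMapping
        SendAs      = [bool]$sendAsGrant
    }
}

# Usage (assumed addresses). FullAccess and SendAs should both come back True.
Grant-MailboxDelegation -Mailbox 'shared@domain.co.uk' -Delegate 'alice@domain.co.uk' -SendAs
```

Running Get-MailboxPermission on a mailbox with no filter also lists the delegates that already have Full Access, which is the quickest way to audit shared mailboxes whose delegate list has grown over time.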

Thursday, 16 January 2020

Configuring Cloudflare Access App Launch with ADFS Integration

  1. Download the federation metadata XML file from the ADFS server by browsing to https://myserver.domain.com/FederationMetadata/2007-06/FederationMetadata.xml 
  2. Launch Cloudflare Access
    1. Add a login method and select SAML
    2. Drag the XML from step 1 into the 'Drop or select IdP metadata file to upload' box at the top of the form
    3. Change the 'IdP Entity ID or Issuer URL' box to the callback address for the domain, for example https://yourdomain.cloudflareaccess.com/cdn-cgi/access/callback
    4. In the list of SAML attributes, the first one should be something like http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. Copy this into the Email attribute name field
    5. Save and close this
    6. Scroll down to Access App Launch and click 'Edit Access App Launch'. Configure the criteria for who should be allowed access, for example 'Emails Ending In' with the domain names you want to allow. This rule is the real access decision, so keep it as narrow as the users actually need
  3. Browse to https://yourdomain.cloudflareaccess.com/cdn-cgi/access/saml-metadata. The link will return a web page with your SAML SP data in XML format. Save the file as an XML document.
  4. Launch ADFS Management on the ADFS server
    1. Open Relying Party Trusts
    2. Add Relying Party Trust
    3. Select Claims Aware
    4. Select Import data about the relying party from a file and browse to the XML file from step 3 
    5. Give it a name
    6. Select 'Permit everyone'. This lets ADFS issue a token to any authenticated domain user; who can then reach an application is decided by the Access rules from step 2.6 
    7. Click next and finish
    8. Check 'Edit Claim Issuance Policy'. It should have 2 entries: Send Email and Create NameID. If these aren't there, follow step 2 from https://developers.cloudflare.com/access/configuring-identity-providers/adfs/
  5. Launch Powershell as an administrator on the ADFS server
    1. Run this command, using the display name you gave the trust in step 4.5 - Set-ADFSRelyingPartyTrust -TargetName "Name of RPT Display Name" -SamlResponseSignature "MessageAndAssertion"
  6. Now test by browsing to https://yourdomain.cloudflareaccess.com and selecting the SAML login method
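Steps 4 and 5 can also be done entirely from PowerShell on the ADFS server, which makes the trust reproducible and leaves the two claim rules in source control. The script below is an added example, not part of the original post or of Cloudflare's documentation: it creates the relying party trust from the SP metadata saved in step 3, adds the Send Email and Create NameID rules that step 4.8 checks for, sets the response signature from step 5, and then reads the trust back to verify. The metadata path and display name are assumptions.

```powershell
# Added example: create the Cloudflare Access relying party trust with its claim
# rules and signature setting, then verify. Not from the original post.
Import-Module ADFS

$rptName      = 'Cloudflare Access'                      # assumed display name
$metadataFile = 'C:\temp\cloudflare-saml-metadata.xml'   # assumed: file saved in step 3

# Rule 1 ("Send Email"): look up the user's mail attribute in AD and issue it as
# the emailaddress claim Cloudflare reads (step 2.4 above).
# Rule 2 ("Create NameID"): copy that claim into the SAML NameID, typed as an
# e-mail address, so the assertion carries a stable subject identifier.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Create NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

if (-not (Test-Path $metadataFile)) {
    throw "SP metadata file not found: $metadataFile (save it from /cdn-cgi/access/saml-metadata first)"
}

Add-AdfsRelyingPartyTrust -Name $rptName `
    -MetadataFile $metadataFile `
    -IssuanceTransformRules $rules `
    -AccessControlPolicyName 'Permit everyone' `
    -SamlResponseSignature MessageAndAssertion

# Verify what ADFS recorded: identifier from the metadata, signature mode, both rules.
$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
$rpt | Select-Object Name, Identifier, SamlResponseSignature, AccessControlPolicyName | Format-List

if ($rpt.SamlResponseSignature -ne 'MessageAndAssertion') {
    Write-Warning 'Response signature is not MessageAndAssertion; Cloudflare will reject the response.'
}
foreach ($ruleName in 'Send Email', 'Create NameID') {
    if ($rpt.IssuanceTransformRules -notmatch [regex]::Escape($ruleName)) {
        Write-Warning "Claim rule '$ruleName' is missing."
    }
}
```

The identifier shown by the verification step should match the entity ID inside the saved metadata, which is what ADFS uses to pick this trust when Cloudflare's SAML request arrives; a mismatch there is the usual cause of an "MSIS7007" style error on the ADFS sign-in page during the test in step 6.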