How to report all protected users in Active Directory

If you use ManageEngine ADManager Plus, some of your manual operations or automations can fail due to “Protect from accidental deletion”. In this case it’s very useful to determine who already has this attribute enabled:

Get-ADUser -Filter * -Properties ProtectedFromAccidentalDeletion | Select-Object Name, SamAccountName, Enabled, ProtectedFromAccidentalDeletion | Export-Csv -Path C:\temp\protection-status.csv -NoTypeInformation

If you need to disable this attribute, please see my other post.


How to configure a safe VPN easily and for free

The coronavirus has forced many people and companies to move to teleworking. Banks and large corporations surely have enough budget to buy enterprise VPN boxes and solutions. This post is only for small companies that need a free or cheap solution to access their own small office infrastructure from home and remote offices during the coronavirus pandemic, while avoiding opening RDP access directly from the internet (which is not safe at all, even with Duo 2FA and so on).

It’s assumed that the small company has at least:

  1. router which can port forward (even tplink and dlink can do it;  if you have

SNMP and PRTG

A common mistake is to configure snmpd for SNMPv3 and forget to disable SNMP v1/v2.

Open /etc/snmp/snmpd.conf and comment out the line with

“com2sec notConfigUser  default       public”

So the full net-snmp installation and configuration should look something like this:

  1. yum install -y net-snmp-utils net-snmp net-snmp-libs
  2. service snmpd status
  3. service snmpd stop
  4. net-snmp-create-v3-user -ro -A [password] -a MD5 -X snmpv3encPass -x DES snmpv3user
  5. comment out the line with “com2sec notConfigUser  default       public”
  6. service snmpd start
  7. configure PRTG or other monitoring tool
  8. chkconfig snmpd on
  9. snmptable -v 3 -u snmpv3user -l auth -a MD5 -A [password] localhost usmUserTable
  10. snmpwalk -u snmpv3user -A [password] -a MD5 -l authnoPriv
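
A check for the mistake described above, as an added example that is not part of the original post: it scans an snmpd.conf for community-based (v1/v2c) directives that are still active and confirms that an SNMPv3 user is granted access. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit snmpd.conf for leftovers that keep SNMP v1/v2c
# enabled after an SNMPv3 user has been created. Names are illustrative.

# Print "lineno:line" for each active community-based (v1/v2c) directive.
# com2sec* maps a community to a security name; rocommunity/rwcommunity are
# the shorthand forms. Matching the first field exactly skips commented lines.
find_community_lines() {
    awk '
        tolower($1) ~ /^(com2sec(6|unix)?|r[ow]community6?)$/ {
            printf "%d:%s\n", NR, $0
        }
    ' "$1"
}

# Print the names of SNMPv3 users granted access via rouser/rwuser.
find_v3_users() {
    awk 'tolower($1) ~ /^r[ow]user$/ { print $2 }' "$1"
}

# Return 0 only when no v1/v2c directive is active and a v3 user exists.
audit_snmpd_conf() {
    hits=$(find_community_lines "$1")
    users=$(find_v3_users "$1")
    [ -z "$hits" ] || { printf 'v1/v2c still active:\n%s\n' "$hits"; return 1; }
    [ -n "$users" ] || { printf 'no rouser/rwuser line found\n'; return 2; }
    printf 'v3 only, users: %s\n' "$users"
}

# Constructed sample: the config after step 4 but before step 5.
SAMPLE_BEFORE=$(mktemp)
SAMPLE_AFTER=$(mktemp)
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT
cat > "$SAMPLE_BEFORE" <<'EOF'
com2sec notConfigUser  default       public
group   notConfigGroup v1            notConfigUser
group   notConfigGroup v2c           notConfigUser
rouser snmpv3user
EOF

# Constructed sample: the same file once step 5 has been applied.
sed 's/^com2sec/#&/' "$SAMPLE_BEFORE" > "$SAMPLE_AFTER"

audit_snmpd_conf "$SAMPLE_BEFORE" || true
audit_snmpd_conf "$SAMPLE_AFTER"
```

On a real host, run `audit_snmpd_conf /etc/snmp/snmpd.conf` after step 5 and before pointing PRTG at the device.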

How to create a site-to-site VPN from pfSense to an OpenVPN server. Part 3

  1. How to create a site-to-site VPN for SMB with a low IT budget. Part 1
  2. How to set up an OpenVPN server on Debian? Part 2
  3. How to create a site-to-site VPN from pfSense to an OpenVPN server. Part 3

OK, we already have an OpenVPN server at the central office. Now our task is to configure the branch office pfSense instances (why pfSense) to connect to the central office OpenVPN server:

  1. Create a Hyper-V VM for pfSense at branch office 01:
    • mount the pfSense ISO to the pfSense VM
    • create a fixed-size virtual disk; 5 GB is enough. If you use a dynamic disk, the pfSense FreeBSD installer can fail
    • before pfsense installation

How to set up an OpenVPN server on Debian? Part 2

This continues the previous post about creating a site-to-site VPN between multiple branch offices and the company's central office.

  1. Install the latest Debian Linux (preferably from the network installer). During the installation choose:
    • SSH server
    • standard system utilities
  2. Configure the IP address for the server. For example, nano /etc/network/interfaces:
iface eth0 inet static
address 192.168.0.2 # it is considered that 192.168.0.1 is used as dgw in central 

How to create a site-to-site VPN for SMB with a low IT budget. Part 1

It’s commonplace to connect multiple company branches and the central office by VPN. My customers, for example, need to:

  1. implement Active Directory (for small companies with a single IT team: only one AD domain and multiple AD sites, with one AD DC at every site if possible)
  2. integrate all Time Attendance machines into one DB: one ZKTeco application for the accountant at the central office connects through the VPN

If you need temporary VPS hosting (for testing, for development and so on)

Sometimes temporary, and moreover free, VPS hosting for 1 year is a great and generous opportunity. Usually it’s very handy for testing (for example, to install Linux, configure LAMP, WordPress, 2FA, freeSSL, plugins and so on), web development, personal blogs, short-term projects like election events and so on.

Amazon Web Services offers it for a whole year. Just be VERY careful not to exceed the limits of the free tier (for example, AWS automatically made EBS snapshots during the import of my VMware OVA to an AWS AMI and later on to a free tier instance — although 09 cents were generously forgiven by AWS …

Free ComodoSSL, free “Let’s Encrypt” certificates

It is strange that the main national domain registrar (http://manage.datacom.mn) still doesn’t use SSL for its own management console. Mobinet, the national cloud provider, doesn’t even have DNS registration for its own services and asks users to create hosts file records for vps-mgnt.mobinet.mn. Mobinet, which resells Comodo SSL, doesn’t have a valid SSL certificate for https://vps-mgnt.mobinet.mn/ (and it looks like the self-signed certificate was created to conflict with the VMware cert namespace).

SSL providers offer DNS (email) validation for a certificate CSR, so a vulnerable web DNS manager (not protected by SSL) can compromise issued SSL certs and ultimately web sites with online banking, payment systems and so on. I suggest for
