How to configure safe vpn for free and easy

March 28, 2020 by Munkhtuvshin Baatar
No comments

Coronavirus forced many people, companies to move to teleworking. The banks and large corporations surely have enough budget to buy enterprise vpn boxes and solutions. My post is only for small companies which need free/cheap solution to access own small office infrastructure during coronavirus pandemia from home, remote offices and at the same time to avoid directly openning RDP access from the internet (which is not safe at all even with DUO 2fa and so on)

It’s assumed that the small company has at least

  1. router which can port forward (even tplink and dlink can do it;  if you have
Read the rest

again about wsus

December 2, 2017 by Munkhtuvshin Baatar
No comments

Everybody knows about free Windows System Update Service/WSUS. But i feel this service needs some extra explanations, recommendations for newbie sysadmins.

At first why do you need it? – briefly: for security and to fix software glitches. Proper and in time hotfixing/patching has paramount importance for security (maybe even more important than to have weak antivirus, IDS/IPS, firewall and other standard protection measures, which also should be regularly updated) If your health is bad or even if you are close to die then just screening from hackers will not help you. The weaker you are the more expensive protection, … Read the rest

How to enable for vPro/AMT computers mutual authentication using certificates.

November 19, 2017 by Munkhtuvshin Baatar
3 comments

In May 2017 Intel publicly confirmed the vulnerability in own firmware for vPro/AMT.

To download and patch such computers from Dell use links inside the PDF file from following link.

But as i mentioned in my linkedin post it’s possible to protect even noname computers (without updated BIOS) with compromised ME firmware — implementing SSL/TLS certificates for mutual authentication. In this post i will show how it can be done.

At first let’s consider that

  • you know that your computer supports vPro/AMT, ME version, you know AMT type (ISM or full AMT and so on)
  • you already use intel
Read the rest

How manually enable Let’s encrypt SSL for Windows IIS server.

November 16, 2017 by Munkhtuvshin Baatar
No comments

Let’s Encrypt free certificates are very useful for Microsoft web servers, MS Dynamics Nav web client access, Exchange and Lync/Skype for business external accesses and so on (better to use it with windows ACME clients for auto prolongation of certificate)

But if you have problems with publishing 80/443 port of your web server (conflict with router admin port, or maybe even server is not in public Internet access and so on, maybe you should configure manually Let’s encrypt SSL for your testing environment)

1. go to https://zerossl.com

2.

3.

Certbot/ACME clients use “HTTP verification”. We will in this post use … Read the rest

How to auto renew “Let’s encrypt” free certificate extending 90 days limit.

June 13, 2017 by Munkhtuvshin Baatar
One comment

In the previous post i recommended for non-critical web services to start using free certificates from “Let’s encrypt”.

Many people refuse to use this kind of certificates thinking that it’s not good enough and moreover it’s only for 3 months and that it would be annoying to prolong it manually each 3 months and not forget about it. As for “not good enough” – even if you don’t trust free SSL certificates for web server authentication it’s always better to have enabled SSL than to go without SSL – at least channel will be encrypted (unlike free self-signed certs which … Read the rest

WannaCry and XP

May 15, 2017 by Munkhtuvshin Baatar
No comments

Microsoft stopped the support for XP, but for WannaCry attack they made exclusion:

 

If you have too many XP as a pos stations you can use registry hack to enable again Windows Update for extra 5 years.

 

 … Read the rest

If you need temporary VPS hosting (for testing, for development and so on)

May 6, 2017 by Munkhtuvshin Baatar
No comments

Sometimes temporary, moreover free VPS hosing for 1 year is great and generous opportunity. Usually it’s very handy for testing (for example to install linux, configure lamp, wordpress, 2fa, freeSSL, plugins and so on ), web development, personal blogs, short-term projects like election events and so on.

Amazon Web service suggests it for whole 1 year. Just be VERY careful to not trespass limits of free tier (for example AWS automatically has done EBS snapshots during import of my vmware ova to AWS AMI and later on to free tier instance — although 09 cents were generously forgiven by AWS … Read the rest

Free ComodoSSL, free “Let’s encrypt” certificates

May 6, 2017 by Munkhtuvshin Baatar
One comment

Strange that the main national domain registrar (http://manage.datacom.mn) yet don’t use SSL for own management console. Mobinet, national cloud provider even don’t have DNS registration for own services asking to create hosts file records for vps-mgnt.mobinet.mn. Mobinet who resells Comodo SSL doesn’t have valid SSL for https://vps-mgnt.mobinet.mn/ (and looks like self-signed SSL is created to conflict with vmware cert namespace).

SSL providers suggest DNS (email) validation for certificate CSR, so vulnerable web DNS manager (not protected by SSL) can compromise issued SSL certs and finally web sites with online banking, payment systems and so on. I suggest for

Read the rest

Facts about Active Directory to help understand it and properly use.

March 6, 2017 by Munkhtuvshin Baatar
No comments
  1. AD is the basement/heart/glue for all Microsoft (and not only Microsoft) server products. Almost any Microsoft solution is based on AD as a prerequisite. Therefore it’s common misunderstanding and misuse that AD is considered only as side effect (or even as lesser unavoidable evil :)) of implementation of other Microsoft systems like MS Dynamics NAV, Exchange, Lync, Sharepoint. It means you cannot install Exchange without pre-installation and pre-configuration of AD. As a result of a such wrong approach to AD many companies don’t use Active Directory appropriately, some of them completely don’t understand what is the main role of AD
Read the rest