Archive for the ‘Security’ Category

1st Nov. I will be speaking on #NSX #micro-segmentation in practice at the Infosecurity Expo #vexpert

Thursday, October 26th, 2017

1st of November at 13:00 I will be speaking at the SecurityInfo / Data & Cloud Expo about our experiences with NSX micro-segmentation

In this 45-minute talk I will discuss the details of managing micro-segmentation with the VMware NSX Distributed Firewall.
Does it live up to the promise, what are the pitfalls and benefits, and what should you consider in your planning and process?

2017, in combination with Data & Cloud Expo 2017, will be held on 1 & 2 November in the Jaarbeurs in Utrecht (The Netherlands). In past years it proved to be the meeting place and exhibition for IT managers and IT professionals in the field of IT security. In 2017 it forms a new combination with the new event Data & Cloud Expo.



vCenter rights needed for Docker-Machine vSphere Driver

Sunday, April 30th, 2017

There are many ways to quickly provision Docker hosts on cloud infrastructures. Docker's own native way is docker-machine. Being a vSphere admin, I was of course interested in the VMware vSphere driver for docker-machine.

The starting resources for this are:

While I got this working, one of the issues I struggled with was vCenter rights. The driver wants to do a bit more than just create a new VM: it needs to upload an ISO to the datastore to build the VM, it needs to manage the VM in several ways, and it needs to remove it again.

I created a custom vCenter role for this purpose, but as the exact permissions were not listed anywhere, it was a process of trial and error.

The global debug switch -D (--debug) is very useful during a 'docker-machine create' to identify exactly which steps it goes through.

Replicating the steps in the vSphere Web Client (the Flex one) also helps, as that UI will usually give you a good indication of which rights you are missing, either via a warning text or a grayed-out option. (Remember to log out and back in after every permission change.)

The vpxd log on the vCenter server might help you see what is being tried, but I find it only partially helpful.

One issue that really killed me for a while is that the account used by the docker-machine driver requires not just the 'Browse datastore' and 'Allocate space' privileges, but also 'Low level file operations'.

This is needed in order to upload (and delete) the boot2docker.iso.

But it is not enough to apply these privileges to the datastore only; they must be applied at the entire vCenter scope, as per KB027743, which frankly is ridiculous. But that is an issue with the vCenter rights model, not with the driver per se.

This takes care of vCenter rights overall. At least it is better than giving full admin rights to the account you are using.

Down at the resource level, in my case a specific cluster of 2 ESX hosts, but it might also be a resource pool, I have applied full admin rights for the account. This may be overkill, but it is as far as I have gotten right now. I will update this post if I discover more nuance, or find some way to inventory exactly which rights it actually uses to manage the VMs it spawns.
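As an added example (not from the original post and not part of the docker-machine project), the two-level permission layout described above expressed as a PowerCLI script: a custom role with only the three datastore privileges, assigned at the vCenter root with propagation, plus the built-in Admin role on the cluster. The vCenter address, role name, account name and cluster name are assumptions; replace them with your own.

```powershell
# Added example: build the docker-machine vCenter role layout with PowerCLI.
# Assumed names (change to match your environment):
#   vCenter   vcenter.lab.local
#   role      docker-machine
#   account   LAB\svc-dockermachine
#   cluster   Cluster01
# Requires VMware PowerCLI and rights to manage roles and permissions.
param(
    [string]$VIServer  = 'vcenter.lab.local',
    [string]$RoleName  = 'docker-machine',
    [string]$Principal = 'LAB\svc-dockermachine',
    [string]$Cluster   = 'Cluster01'
)

Connect-VIServer -Server $VIServer | Out-Null

# Privilege IDs behind the UI labels the post names:
#   Datastore.Browse         -> "Browse datastore"
#   Datastore.AllocateSpace  -> "Allocate space"
#   Datastore.FileManagement -> "Low level file operations" (upload/delete boot2docker.iso)
$datastorePrivIds = 'Datastore.Browse', 'Datastore.AllocateSpace', 'Datastore.FileManagement'
$privs = $datastorePrivIds | ForEach-Object { Get-VIPrivilege -Id $_ }

# Create the custom role, or add the privileges if the role already exists.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privs
} else {
    $role = Set-VIRole -Role $role -AddPrivilege $privs
}

# 1. The datastore privileges must be granted at the vCenter root (propagated),
#    not only on the datastore object, for the ISO upload to succeed.
$root = Get-Folder -NoRecursion   # top-level folder of the connected vCenter
New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true | Out-Null

# 2. Full admin on the compute resource the driver deploys into (a cluster here,
#    but a resource pool works the same way).
$clusterObj = Get-Cluster -Name $Cluster
New-VIPermission -Entity $clusterObj -Principal $Principal -Role (Get-VIRole -Name 'Admin') -Propagate:$true | Out-Null

# 3. Show the resulting permissions for the account so the scopes can be reviewed.
Get-VIPermission -Principal $Principal | Select-Object Entity, Role, Propagate | Format-Table -AutoSize
```

The review at the end is the useful part when tightening things later: every entity the account has Admin on is a candidate for replacement with a narrower custom role once the exact VM privileges the driver needs are known.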

Slow boot time on Veracrypt

Thursday, September 22nd, 2016

Re-encrypting my work laptop hard drive.
VeraCrypt is the successor to TrueCrypt and its code has been community-vetted to ensure there are no 'back doors' in it (and its security can be independently verified).

The only downside is that by default it uses a much higher header key derivation iteration count than TrueCrypt, meaning that it can take several minutes to boot your laptop. This is a frequent complaint from new VeraCrypt users.

The workaround is simple. As long as you use a password longer than 20 characters, you are allowed to reduce the number of iterations substantially by using a lower multiplier value (the PIM, Personal Iterations Multiplier) that you type in at boot time after your password. The multiplier may be as low as 1, which will mount your boot partition more or less instantly. (With the default SHA-256 hash for system encryption the iteration count is PIM × 2048, so a PIM of 1 means 2,048 iterations instead of the default of a few hundred thousand.)

For the purpose of reducing theft risk from common criminals, this is probably more than enough protection. However, if you are seeking to thwart the NSA, which may try to brute-force your password on a server farm for 5 years, it may not be 😉

Scheduled reboot batch job, unexpected “access denied” and how to handle security

Friday, May 16th, 2008

So here is something silly I was running up against. In the end it's super simple, but it's not obvious, and not easy to google for.

I want to equip the new servers we are installing with a standard weekly reboot schedule.

I created a batch file that launches shutdown.exe with some fancy parameters, and set this up as a scheduled task on each server.
I created a special domain account called sa-scheduledreboot with normal user rights, rights to access the share, and of course the famous "Log on as a batch job" privilege, granted on each server via Group Policy.

But despite this rather textbook rights scenario, I was continuously getting "Could not Start".

However, if I ran the command using runas with the credentials of the sa-scheduledreboot account, it worked fine.

The Scheduled Task eventlog showed the following:

“Task Scheduler Service”
5.2.3790.3959 (srv03_sp2_rtm.070216-1710)
“Sheduled Reboot.job” (Reboot.cmd) 5/13/2008 5:43:54 PM ** ERROR **
Unable to start task.
The specific error is:
0x80070005: Access is denied.
Try using the Task page Browse button to locate the application.

I spent several hours trying to find out where the "access denied" came from. Eventually, I stumbled upon this:

as it turns out:

In Windows Server 2003, the Users group does not have Read and Execute permissions to the command processor (Cmd.exe). By default, the Cmd.exe program has the following permissions settings:
• The Interactive implicit group and the Service implicit group have Read and Execute permissions.

Note On a member server, the TelnetClients group also has Read and Execute permissions. On a domain controller, the Batch implicit group also has Read and Execute permissions.
• The Administrators group and the System implicit group have Full Control permissions.

One of those quirky things you just have to know.

The way I have solved this is that I have created a special Domain Local security group called RG_command_processor_execute (RG stands for Resource Group).

This group lets me control this specific privilege and assign it to accounts, usually service accounts, that require access to cmd.exe to run batch files.

I have added sa-scheduledreboot to this group.

I don't want to mess around on each individual server, so I have made it standard that -all- security settings, including changes to default ACLs, happen via Group Policy.

For this we use the File System section of the Security Settings part of a Group Policy Object.
We can add files and folders here and define how their ACL should look.

The tricky bit is that you have to remember that this Group Policy setting overrides and replaces the original ACL on the object.

That's a bit annoying, because it means I have to replicate its current ACLs, including any special permissions assigned to implicit security groups.

The KB article shows two ways to do this.
The first is to add the account or group directly to the cmd.exe ACL.
The second is to add the BATCH group to the cmd.exe ACL.

The second option is interesting, because the BATCH implicit group covers every process that logs on with a batch logon, which is what the Task Scheduler uses to run a scheduled task.

The way that would go would be:

sa-scheduledreboot –>member of–> RG_command_processor_execute –>member of–> %hostname%/BATCH –>applied to–> (ACL of) cmd.exe

This looked like a good option for a while, until I realized it was perhaps a bit broad. (All batch files, including those run by rogue processes?)

And since it only applies to batch logons, if I ever needed to grant that right to anything other than a batch file (say, a resident program or agent), I would have to assign the group directly anyway.

So I decided to add the group directly to the resource, which also makes it easier for anyone examining the GPO to see what the ACL change is for.

sa-scheduledreboot –>member of–> RG_command_processor_execute –>applied to–> (ACL of) cmd.exe
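As an added example (not from the original post), a PowerShell script to run on a server after the GPO has applied: it dumps the current ACL of cmd.exe (everything listed has to be replicated in the GPO's File System entry, because the GPO replaces rather than merges the ACL), then checks whether the resource group actually got Read & Execute, and notes whether the broader BATCH option is in place. The domain prefix LAB and the group name are assumptions; adjust them to your domain.

```powershell
# Added example: verify the cmd.exe ACL that Group Policy is supposed to deliver.
# Assumed group: LAB\RG_command_processor_execute (change to your own domain\group).
param(
    [string]$Group = 'LAB\RG_command_processor_execute',
    [string]$Path  = "$env:SystemRoot\System32\cmd.exe"
)

$rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl = Get-Acl -Path $Path

# 1. Dump the current ACL. Because the GPO File System setting replaces the ACL,
#    every entry here (including implicit groups such as INTERACTIVE and SERVICE)
#    must be re-created in the GPO or it will be lost when the policy applies.
Write-Host "Current ACL on $Path"
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Does the resource group get at least Read & Execute? Full Control also
#    contains the ReadAndExecute bits, so the bitwise test covers both cases.
$grant = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $rx) -eq $rx)
}

if ($grant) {
    Write-Host "OK: $Group has Read & Execute on cmd.exe"
} else {
    Write-Warning "$Group has no Read & Execute on cmd.exe; scheduled batch jobs run by its members will fail with 0x80070005"
}

# 3. Flag the broader alternative from the KB article: if NT AUTHORITY\BATCH is on
#    the ACL, every batch logon on this host can run cmd.exe, not just the group.
$batchOnAcl = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\BATCH' }
if ($batchOnAcl) {
    Write-Host "Note: NT AUTHORITY\BATCH is on the ACL; all batch logons can run cmd.exe"
}
```

Run it under an account that can read the file's security descriptor; the group check is on the ACL itself, so it confirms the GPO landed, not that the service account's token contains the group (which still requires the account to log off and on, or in the case of a scheduled task, simply the next run after the group membership change).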

The scheduled reboot command works fine now. And I am confident I did not assign any more rights than I absolutely needed to get it to work. (In contrast, the previous reboot account had Domain Admin rights.)

The only thing I need to do now is to remove many other rights from the sa-scheduledreboot service account.
It's currently a member of Domain Users, and that grants a load of rights this account certainly does not need. I will look more closely into that at a later time, as my solution will have to cover many service accounts, not just this one.

By giving out the exact rights needed in a very granular way for each service account, I can far more easily restrict ALL service accounts in other ways, all at once, making them useless for any other purpose than what they were intended for.

Documenting this is going to be a challenge.

I need to document exactly what I am doing in the GPO that assigns the rights to these servers, and why each option was chosen the way it was.

I need to document the exact rights of sa-scheduledreboot.

And if I develop a blanket method to restrict ALL service accounts in other, general ways, I need to document that too!

I better get to it!

Worms, Viruses and Botnet animated movie

Thursday, September 22nd, 2005

The Dutch site "" (Warningservice) (part of the Dutch Ministry of Economic Affairs) has made this animated movie in both Dutch and English. It shows, in an entertaining way, what the threat is from viruses, worms and bots, and how your PC can be turned into a zombie PC.

It's a great effort on their part to get the message across to ordinary people, and I highly recommend sending this to, for instance, your mother 😉