Hard Drive Encryption

I have an old desktop at home that my wife and I use. It’s going on 5 years and it does everything we need, from photo editing to gaming. But one of the things that bothered me is that my hard drive wasn’t encrypted. As a cyber security professional it bugged the hell out of me. Over the past few weeks I had to buy a TPM (Trusted Platform Module) chip that was compatible with my old motherboard. For the tech nerds: I know I don’t need one, but I wanted to use BitLocker encryption without using a USB stick and PIN every time I boot up my computer. Anyhow, I bought one on Amazon and spent 4 hours trying to get it to work, but it turned out to be incompatible even though the manufacturer stated it would work, so I ended up returning it. After some Googling I learned that I needed a TPM module with a specific firmware version that worked with my motherboard. So I scoured eBay and found a seller who had one in stock. After a week-long wait I got my TPM chip, and now my desktop hard drive is encrypted.

For those who aren’t familiar with hard drive encryption, I’ll try to break it down as simply as I can.

For people who have a desktop computer, it tends to be their primary computer, where they store everything from family photos to work documents. Most desktops don’t have encrypted hard drives, as most manufacturers don’t believe it’s a necessary feature. This means that if, for some unfortunate reason, someone stole your desktop, all the information on its hard drive is easily accessible, even if you have a 25-character password for your Windows login. The login password only controls Windows; a thief interested in the contents of your drive can pull the hard drive out and plug it into a different computer (or boot the same machine from a USB stick) and read every file stored on it. This is scary if you store sensitive information on it, such as your social security number, credit card numbers and other personal information.

Most modern laptops today have encrypted hard drives, as they’re more mobile and easier targets for theft than desktops. Thieves will have a very hard time getting at the information on your laptop because of that encryption. Unlike a plain desktop drive, the laptop’s drive is bound to its motherboard: the key that decrypts it is held in a special chip on the motherboard called a TPM (Trusted Platform Module), which only releases it when the machine boots normally. So if a thief pulls the drive and plugs it into another computer, all they get is ciphertext; they would need the key stored in the original motherboard’s TPM.

Again, I don’t want to get too far into the details, but having an encrypted hard drive is critical to keeping your information secure, even on a desktop. If you have a Windows computer and your C: drive shows a padlock icon like the one below, the drive is encrypted; if not, it isn’t. One caveat worth knowing: with TPM-only protection (what I set up above) the drive unlocks itself during boot, so your Windows password and a locked screen are what stand between a thief and your files. Adding a PIN (TPM + PIN) means the key is never released without it, at the cost of typing it every boot.

Go ahead and check on your Windows laptop or desktop. Is it encrypted?
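If you’d rather check from a prompt than hunt for the padlock, here is an added PowerShell report (my code, not part of the original post). It needs Windows 8 / Server 2012 or later for the Get-BitLockerVolume and Get-Tpm cmdlets (on Windows 7 run manage-bde -status instead) and flags the two things I’d want to know on any machine: whether the volume is TPM-only, and whether a recovery password exists so a TPM change like the one above doesn’t lock you out.

```powershell
# Added example, not from the original post. Needs Windows 8 / Server 2012 or later for the
# BitLocker and TrustedPlatformModule modules; on Windows 7 use "manage-bde -status" instead.
# Run from an elevated PowerShell prompt.
function Get-EncryptionReport {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtector lists the ways the volume key can be released: Tpm, TpmPin,
        # TpmStartupKey, TpmPinStartupKey, Password, RecoveryPassword, ExternalKey ...
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmOnly = ($types -contains 'Tpm') -and -not @($types -match '^Tpm(Pin|StartupKey|PinStartupKey)$')

        $note = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted')  { $note += "not fully encrypted ($($vol.VolumeStatus))" }
        if ($vol.ProtectionStatus -ne 'On')          { $note += 'protection is OFF (key is not sealed)' }
        if ($tpmOnly)                                { $note += 'TPM-only: unlocks itself at boot, your Windows login is the gate' }
        if ($types -notcontains 'RecoveryPassword')  { $note += 'no recovery password: a TPM change or board swap locks you out' }

        New-Object PSObject -Property @{
            Drive      = $vol.MountPoint
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Percent    = $vol.EncryptionPercentage
            Protectors = ($types -join ',')
            Note       = ($note -join '; ')
        }
    }
}

function Get-TpmSummary {
    try { $t = Get-Tpm } catch { return 'Get-Tpm unavailable (no TPM driver or older Windows)' }
    # ManufacturerVersion is the firmware version that has to match what the board expects.
    "TPM present: $($t.TpmPresent), ready: $($t.TpmReady), manufacturer version: $($t.ManufacturerVersion)"
}

Get-TpmSummary
Get-EncryptionReport | Format-Table Drive, Status, Protection, Percent, Protectors, Note -AutoSize -Wrap
```

A drive can show as fully encrypted while protection is off (BitLocker suspended, as it is during some firmware updates); that is why the report checks both.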

Tech Tip: AT&T Uverse Internet

I’m a current AT&T Uverse TV and Internet subscriber. Their TV service is fantastic, but their internet connection was always shoddy. My wireless connection was finicky, and even my wired connections, such as my desktop, suffered from low speeds and timeouts. For the past several months I blamed everything from my home network setup to AT&T themselves.

It turns out I wasn’t the only one having these problems. Uverse subscribers with multiple devices on their network were seeing the same thing. If you’re a Uverse TV and Internet subscriber and the only network devices you have are the Residential Gateway (RG, the AT&T-supplied modem/router) and your set-top boxes (STBs), you probably aren’t having any issues. But if you’re using additional switches, routers and access points, you probably understand what I’m going through.

Unlike traditional cable, which usually arrives over coax as radio frequency, or satellite broadcast, AT&T Uverse TV runs on an IPTV system: TV content is delivered over the Internet Protocol, the same mechanism you use to reach the internet. When an STB is turned on for viewing it asks the RG for the channel, and the RG delivers it as an IP multicast stream. So megabits per second of data stream from the RG to your STB while you watch TV, and more again in households with multiple STBs.

If, like me, the four ports on the RG don’t meet your network needs, you’re likely to add a switch, router or access point to expand your home network. The most common way is adding a switch, which can then connect additional devices such as an Xbox, Blu-ray player or NAS alongside the STB. This is where the problem starts. When the STB is turned on for viewing, an unmanaged switch has no idea which port asked for the multicast stream, so it floods those packets out of every port. Every other device on the switch is hit with the full stream, and that is what causes the connection issues. If you’re using a wireless router instead of a switch, you’re likely to have wifi problems as well, as the router is bombarded with the same multicast packets.
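Before re-cabling anything it is worth confirming that the stream really is landing on your desktop’s port. The following is an added PowerShell check (mine, not from the original post) that samples the per-adapter performance counters Windows exposes through WMI; it runs on Windows 7 / PowerShell 2 without extra modules. The 1000 packets/sec flood threshold is my own rule of thumb.

```powershell
# Added example, not from the original post. Samples the TCP/IP network interface perf
# counters through WMI; works on Windows 7 / PowerShell 2 and later. The FloodPps threshold
# is an assumption (an idle home LAN sees a handful of non-unicast packets per second).
function Measure-NonUnicastLoad {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2, [int]$FloodPps = 1000)
    for ($i = 0; $i -lt $Samples; $i++) {
        Get-WmiObject -Class Win32_PerfFormattedData_Tcpip_NetworkInterface |
            Where-Object { $_.PacketsReceivedPersec -ne $null } |
            ForEach-Object {
                # Non-unicast = multicast + broadcast. An IPTV channel being flooded to this port
                # shows up as thousands of packets/sec and several Mbit/s that nothing here asked for.
                $pps = [int]$_.PacketsReceivedNonUnicastPersec
                New-Object PSObject -Property @{
                    Time          = (Get-Date).ToString('HH:mm:ss')
                    Adapter       = $_.Name
                    NonUnicastPps = $pps
                    UnicastPps    = [int]$_.PacketsReceivedUnicastPersec
                    RxMbps        = [math]::Round($_.BytesReceivedPersec * 8 / 1000000, 2)
                    Flooded       = ($pps -ge $FloodPps)
                }
            }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Run once with every STB off and once while an STB is playing; the difference is the stream.
Measure-NonUnicastLoad | Format-Table Time, Adapter, NonUnicastPps, UnicastPps, RxMbps, Flooded -AutoSize
```

If the second run shows Flooded = True on the wired adapter, cross-check with netsh interface ipv4 show joins: that lists the multicast groups this PC actually joined, and if the TV group isn’t among them yet the packets arrive anyway, the switch is flooding rather than forwarding on request.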

So how can you expand your network without running into these issues?

Luckily, the AT&T RG is smart enough to know whether an active STB is attached to each of its ports and only streams to those ports. So one solution is to isolate your STBs on one RG port and the non-STB devices on another, using two switches or routers. If you’re network savvy you can buy a managed or smart switch and use separate VLANs to keep the devices apart.

FAQs:

Q: Can’t I just use a switch that supports IGMP snooping instead?
A: In theory a switch with IGMPv3 support should be able to keep those unnecessary multicast packets off the other ports, like the RG does, but from experience many of those switches work for about 10 seconds before your TV or internet stops or freezes. It seems that either AT&T uses some sort of proprietary stream that IGMP snooping can’t track, or the switches I used were too weak or dumb to handle the large amount of multicast data.

Q: I’m using my spare wireless router and I get internet access, but my TV won’t work.
A: You probably have your wireless router connected to the RG through its WAN port. Doing that segments your home network: the router puts everything connected to it on a different subnet behind NAT and acts as a firewall, which allows ordinary internet access but blocks the multicast stream from the RG. Set the router up as an access point instead: connect the RG to one of the router’s LAN ports (not the WAN port), turn off its DHCP server so the RG hands out the addresses, and give it a fixed LAN address on the RG’s subnet.

Q: What’s the current setup you’re using?
A: I have two VLANs. One connects a NAS, my desktop and an access point for wifi; the other connects the STBs in my house. I’m using a Netgear GS108e with 802.1Q VLANs. Port-based VLAN doesn’t seem to work.

Tech Tip: Smartphone contacts and calendar syncing

One of the more daunting tasks of getting a new cellphone is transferring all your contacts from the old one to the new one. Contact info can be stored and transferred in several ways: on a SIM card (for GSM phones), on your provider’s server, or backed up on a computer. For smartphone users there is a much easier and more efficient way of moving your contacts, and even your calendar entries, to a new phone. You only need one thing: a Google Gmail account.

If you already have one, you’re set. In your Gmail account you’ll need to have or add all your contacts. If you only have a few you can enter them manually, but if you’re like me, with over 300 contacts, I recommend exporting the contacts from your phone and importing them into your Gmail account. One way to export them is to sync your phone with Microsoft Outlook or any other email client it supports, then use that client to export the contacts to a CSV file. From there, import the CSV file into your Gmail account.
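The CSV step is where duplicates and odd column names bite with a few hundred contacts, so here is an added PowerShell converter (my code, not part of the original post). The column names are assumptions: the Outlook "Comma Separated Values" export uses First Name, Last Name, E-mail Address, Mobile Phone and Company, and Google’s importer understands Given Name, Family Name, E-mail 1 - Value and Phone 1 - Value; compare against your own export before trusting the mapping. The sample input at the bottom is constructed so the script runs offline.

```powershell
# Added example, not from the original post. Column names on both sides are assumptions
# (see the lead-in); the sample input below is constructed.
function Convert-OutlookContactsToGoogle {
    param(
        [Parameter(Mandatory=$true)][string]$InPath,
        [Parameter(Mandatory=$true)][string]$OutPath
    )
    $seen = @{}
    Import-Csv -Path $InPath | ForEach-Object {
        $email = ('' + $_.'E-mail Address').Trim().ToLower()
        $first = ('' + $_.'First Name').Trim()
        $last  = ('' + $_.'Last Name').Trim()
        # Dedupe on e-mail when present, otherwise on the name; the second copy is dropped with a warning.
        $key = if ($email) { $email } else { ("$first $last").ToLower() }
        if (-not $key.Trim())        { Write-Warning 'Skipping row with no name and no e-mail'; return }
        if ($seen.ContainsKey($key)) { Write-Warning "Duplicate skipped: $key"; return }
        $seen[$key] = $true
        # Select-Object keeps the column order, which Export-Csv uses for the header row.
        $_ | Select-Object @{n='Name';                  e={ ("$first $last").Trim() }},
                           @{n='Given Name';            e={ $first }},
                           @{n='Family Name';           e={ $last }},
                           @{n='E-mail 1 - Type';       e={ 'Home' }},
                           @{n='E-mail 1 - Value';      e={ $email }},
                           @{n='Phone 1 - Type';        e={ 'Mobile' }},
                           @{n='Phone 1 - Value';       e={ ('' + $_.'Mobile Phone').Trim() }},
                           @{n='Organization 1 - Name'; e={ ('' + $_.Company).Trim() }}
    } | Export-Csv -Path $OutPath -NoTypeInformation -Encoding UTF8
    "Wrote $($seen.Count) unique contacts to $OutPath"
}

# Constructed sample input: one exact duplicate (differs only in e-mail case) and one row without e-mail.
$sample = @'
"First Name","Last Name","E-mail Address","Mobile Phone","Company"
"Ada","Lovelace","ada@example.com","555-0100","Analytical Engines"
"Ada","Lovelace","ADA@example.com","555-0100","Analytical Engines"
"Charles","Babbage","","555-0101","Analytical Engines"
'@
$in  = Join-Path $env:TEMP 'outlook-contacts.csv'
$out = Join-Path $env:TEMP 'google-contacts.csv'
Set-Content -Path $in -Value $sample
Convert-OutlookContactsToGoogle -InPath $in -OutPath $out   # one duplicate warning, 2 contacts written
Get-Content $out
```

Point -InPath at the real Outlook export and -OutPath at the file you upload in Gmail’s Import dialog.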

Smartphones today, such as the iPhone, BlackBerry, Android and Nokia phones, can sync their contacts directly with Google. Some can also sync with other services such as Yahoo or Hotmail. Setting up Google Sync is as easy as downloading an app or changing a few settings on your phone.

Having your contacts synced with a service like Google is great because it’s free, and if you ever lose your phone or get a new one you can restore your information without tethering it to a computer. Keep in mind that the account then holds your entire address book and calendar, so give it a strong, unique password (and two-step verification if the service offers it).

Tech Tip: Wifi Roaming

Many homes nowadays have a wifi network. For smaller homes, apartments and condos a single wifi access point provides full coverage. But a home with multiple floors, a large house or a business needs multiple access points to cover the whole place. Some people with multiple access points give each one a separate SSID, and the more access points you add, the more SSIDs you have to manage.

There is an option to consolidate all your access points under a single SSID; this is called wifi roaming. All the access points in your home or business are given one SSID, and as you move around your device automatically connects to the closest one. A new device or computer only has to be given that one SSID and password to work throughout your coverage area. With multiple SSIDs your device has to remember all of the network names to work the same way, and any guest who needs wifi has to add every SSID too. So it comes down to preference: managing the network under different names or running it all on one SSID both work fine.

Setting up wifi roaming is simple; there are two things to do. First, log in to each of your wifi routers/access points and give them all the same SSID, the same security type and the same password. Second, set each one to a different wireless channel. On 2.4 GHz there are 11 channels in the US, but adjacent channels overlap; only 1, 6 and 11 are fully clear of each other, so use those for up to three access points. If you have different models of access points, check that each one really ended up on its own channel. That’s it. Once those steps are done you have a roaming wifi network.

Keep in mind that not all wifi access points work well together in this roaming setup. I’ve run into a couple of problems due to using different types of wifi routers and access points, but not many. For the most part it’ll just work, but if you run into connectivity issues it might be caused by having different models of access points.

Tech Tip: The IT Tool kit

Many users look to their IT guy to solve their computer problems, and some think we’re miracle workers of some sort. But the truth is that, just like professional tradesmen, we have a certain set of tools we use to get the job done. The tools are simple and fix the majority of the issues people face.

Here are some of the popular tools I use in my line of work:

A set of screwdrivers for electronics: I use these mainly on laptops that need servicing, such as replacing a keyboard or LCD screen, or adding memory or a new hard drive. The difference between these and the screwdrivers in your garage is that these are much smaller; they’re made to fit the tiny screws that hold your computer together.

Can of compressed air: A blast of compressed air really cleans the inside of a computer; the amount of dust that collects in there is ridiculous. The cleaner the inside, the easier the computer breathes (better airflow), which extends the life of components such as the CPU and case fans. Avoid vacuums: they build up static electricity that can shock you or a component.

Hard drive adapters: These are a life saver. They come in different varieties but do essentially the same thing: take a standard hard drive and let you connect it through a USB port. I use them when upgrading to a new drive or recovering files from a system that won’t boot.

USB flash drive: Also a must-have. I have a 32GB USB flash drive that I use to store applications, patches, updates and documents. Besides carrying software, it’s useful for transferring data from a networked computer to a non-networked one, so keeping a few GB free comes in handy. One caution: a drive that travels between machines is also the classic way malware gets onto a computer that is otherwise isolated, so scan it regularly and keep only software you trust on it.

Working spare parts: I want to emphasize the ‘working’ part. There have been a few times when I carried bad spare parts and didn’t know it until I tried to use them. Carrying spare parts is great for troubleshooting: it eliminates many of the variables that can cause an issue. A good example: I was working on a user’s computer that couldn’t boot; it kept restarting over and over. I went through all my usual troubleshooting steps but couldn’t figure out the cause. The hard drive was fine, the CPU worked, and the power supply and motherboard were functioning. The one thing I hadn’t checked was the RAM. Luckily I had a spare RAM stick in my car to test with, and sure enough that was the cause: a bad memory module. So when you get rid of an old computer, remember that its working parts can come in handy one day.

These are things an average user could probably have too, and I’m sure other IT guys have a ton of other stuff in their arsenal. But the one thing that can’t be bought or handed over as a tool is years of IT experience. Having these tools is a great start, but knowing when and how to use them is the key to solving computer issues. Ask any IT tech and they’ll tell you they learn something new every day on the job, and that’s what makes it exciting. If you ever run into a problem, the best thing to do is ask someone who knows computers, and if that doesn’t work, Google is your friend.

Tech Tip: Offline files as a Backup Solution

One of the most important things I tell my users is to always back up their data, because you never know. People forget to run the backup or to copy their files and folders to a backup drive. Most buy thumb drives or external hard drives and copy files over by hand; sometimes those drives come with cumbersome software that makes you schedule a task to run the backup. But there is a simple, relatively inexpensive solution that keeps your files backed up and does it automatically.

This solution requires a few things. In addition to your computer you will need a Network Attached Storage device (NAS), or a spare computer with enough space to hold your files. I’m also assuming you have a home network, wired or wireless.

1. If you’re using a NAS, create a mapped drive on your computer pointing to the NAS (or to a directory on it).

2. (If you use Windows Vista or 7, skip to step 4.) On your computer, enable Offline Files. On Windows XP you first have to disable Fast User Switching under User Accounts in the Control Panel; Offline Files can’t be enabled while it’s on.

3. Then go to Folder Options in the Control Panel, open the Offline Files tab and tick the Enable Offline Files check box.

4. Finally, right-click your mapped drive and choose Make Available Offline (Always Available Offline on Vista and 7). Then copy all the files you want backed up into that drive. That’s it; you’re all set.

If you’re using the spare computer, create a directory on it and share it, giving the shared folder read and write access. The rest of the process is exactly as described above.

Once the files are copied to that drive you actually have two copies: one on the network drive and one stored locally on your computer. Even when you’re disconnected from the network you still have access to your files. If you edit or add files while offline they sync to the network when you reconnect. You can force a sync at any time, or it will sync on its own on its default schedule of one-hour intervals, and it also runs when you log off or shut down. One caveat: this is a sync, not a versioned backup. A file you delete or overwrite on either side (or one that malware corrupts) is deleted or overwritten on the other side at the next sync, so keep periodic copies somewhere that isn’t synced as well.

Note: I recommend working directly off that mapped drive, or pointing your Documents folder at it.
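For anyone setting this up on more than one machine, here is an added PowerShell version of steps 1 to 4 for Vista/7 (my code, not from the original post). It drives the Win32_OfflineFilesCache WMI class; the share \\nas\backup and drive letter B: are hypothetical, and the Pin/Synchronize argument lists (Paths, Flags, Deep and Paths, Flags) are my reading of the class documentation, so the Get-Member line prints the real signatures for you to confirm before relying on it.

```powershell
# Added example, not from the original post. Scripts "map drive, enable Offline Files, make
# available offline, sync" on Windows Vista/7 through the Win32_OfflineFilesCache WMI class.
# \\nas\backup and B: are hypothetical; method argument lists are assumptions, verified by
# the Get-Member output. Run from an elevated prompt.
param(
    [string]$Share  = '\\nas\backup',
    [string]$Letter = 'B'
)

# 1. Map the share persistently (same as "Map network drive" in Explorer; net use works on PowerShell 2).
if (-not (Test-Path "${Letter}:\")) {
    net use "${Letter}:" $Share /persistent:yes | Out-Null
}

$cache = Get-WmiObject -Namespace root\cimv2 -Class Win32_OfflineFilesCache
$cache | Get-Member -MemberType Method -Name Enable, Pin, Synchronize |
    Format-Table Name, Definition -AutoSize -Wrap

# 2. Enable Offline Files if it is off; Enable() reports whether a reboot is needed first.
if (-not $cache.Enabled) {
    $r = $cache.Enable($true)
    if ($r.RequiresRestart) { Write-Warning 'Offline Files enabled; reboot and run this again.'; return }
}

# 3. "Make Available Offline": pin the share root, Deep = $true so the whole tree is cached.
$null = $cache.Pin(@($Share), 0, $true)

# 4. Sync now rather than waiting for the scheduled interval.
$null = $cache.Synchronize(@($Share), 0)

# 5. Verify: what the cache holds for this share and whether each item is pinned.
Get-WmiObject -Namespace root\cimv2 -Class Win32_OfflineFilesItem |
    Where-Object { $_.ItemPath -like "$Share*" } |
    Select-Object ItemPath, ItemType, @{n='Pinned'; e={ $_.PinInfo.Pinned }}
```

The verification list is the part worth keeping around: if a folder you expect shows Pinned = False, it is not being cached and will not be there when you are offline.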

Tech Tip: Sharing printers on Windows Server 2008

Sharing printers on Windows Server 2003 is easy. Windows Server 2008 has tighter security, and sharing printers may require an extra step. Computers and users in the same domain, or with a local user account on the server, have no problems reaching shared printers. It’s the computers and users that aren’t domain members and have no account on the server (non-members or guests) that sometimes can’t.

On Windows Server 2003 and earlier, if the user’s computer didn’t have the right drivers the server would push them to that computer so it could print. On Windows Server 2008 an explicit permission has to be granted before the server will hand those drivers out to such users.

To give non-member or guest users access to those drivers, open the folder C:\Windows\System32\spool\drivers and give the Guest account Read permission on it (Read only; nobody outside the administrators should be able to write to a folder of code the spooler loads). Bear in mind this only helps if the Guest account is enabled, and enabling Guest lets anyone on the network authenticate as it; a dedicated low-privilege account for those users is the safer option.
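The same change from an elevated PowerShell prompt, as an added example (mine, not from the original post), with an ACL backup taken first and a check that the Guest account is actually enabled:

```powershell
# Added example, not from the original post. Backs up the driver folder ACL, grants Guest
# read-only access as the post describes, then verifies. Run elevated on the print server.
$driverDir = Join-Path $env:windir 'System32\spool\drivers'
$backup    = Join-Path $env:TEMP ('spool-drivers-acl-{0:yyyyMMdd-HHmm}.txt' -f (Get-Date))

# Save the current DACLs of the whole tree so the change can be undone with icacls /restore.
icacls $driverDir /save $backup /T /C | Out-Null
"ACL backup: $backup"

# (OI)(CI) = inherit to files and subfolders; R = read/execute only, never write.
icacls $driverDir /grant 'Guest:(OI)(CI)R' | Out-Null

# Verify the grant, and that Guest is enabled at all (it is disabled by default).
icacls $driverDir | Select-String -Pattern 'Guest'
$guestEnabled = (net user guest) -match '^Account active\s+Yes'
if (-not $guestEnabled) {
    Write-Warning 'Guest account is disabled; non-domain users will still be refused until it is enabled.'
}
```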

Tech Tip: Wireless Configuration and Security

There have been countless times when I’ve scanned a neighborhood and seen a few unsecured wireless networks. Most people who buy wireless routers simply forget to change the security settings. Here are some things you can do to harden your wireless network and keep it from prying eyes.

  • Enable wireless security and use WPA2 Personal with AES (CCMP); fall back to WPA Personal only for a device that can’t do WPA2, and avoid WEP altogether, as it’s broken and can be cracked in minutes. If the router has WPS, turn that off too.
  • Change the SSID to something you recognize as your own but that doesn’t identify you or your address. Disabling the SSID broadcast hides the name from casual neighbors, but don’t count it as security: your own devices send the name every time they connect and any scanning tool sees it, and you’ll have to add the network manually on each new device.
  • Change the admin login (username and password) of the wireless device. This one is obvious, but people tend to forget it.
  • Place the wireless router somewhere in the middle of your home. This gives you maximum coverage and minimizes the range available outside your home.
  • If your wireless router manages your internet connection, make sure there are no unused entries in its Port Forwarding settings and that remote administration from the internet side is off. Most new routers ship with no ports forwarded, but it doesn’t hurt to double-check.
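Both this list and the roaming setup in the Wifi Roaming tip above come down to what your access points are actually advertising, which netsh can tell you. The following added PowerShell script (my code, not from the original post) parses the output of netsh wlan show networks mode=bssid (Windows 7 and later) and runs two checks over it: which networks are open, WEP or WPA1/TKIP, and whether access points that share an SSID sit on channels that don’t overlap. The sample scan text is constructed so it runs offline; swap in the live command to check your own airspace.

```powershell
# Added example, not from the original post. Parses "netsh wlan show networks mode=bssid"
# output; the sample text at the bottom is constructed.
function ConvertFrom-NetshNetworks {
    param([string[]]$Lines)
    $result = @(); $ssid = $auth = $enc = $null; $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^SSID \d+\s*:\s*(.*)$')            { $ssid = $Matches[1].Trim(); $cur = $null; continue }
        if ($line -match '^\s+Authentication\s*:\s*(.+)$')    { $auth = $Matches[1].Trim(); continue }
        if ($line -match '^\s+Encryption\s*:\s*(.+)$')        { $enc  = $Matches[1].Trim(); continue }
        if ($line -match '^\s+BSSID \d+\s*:\s*([0-9a-f:]+)') {
            $cur = New-Object PSObject -Property @{ SSID=$ssid; BSSID=$Matches[1]; Auth=$auth; Enc=$enc; Channel=0 }
            $result += $cur; continue
        }
        if ($cur -and $line -match '^\s+Channel\s*:\s*(\d+)') { $cur.Channel = [int]$Matches[1] }
    }
    $result
}

# Wireless security check: anything open, WEP or WPA1/TKIP is worth fixing.
function Test-WeakWifi {
    param($Networks)
    foreach ($n in $Networks) {
        $why = $null
        if     ($n.Auth -match '^Open')  { $why = 'no encryption at all' }
        elseif ($n.Enc  -eq 'WEP')       { $why = 'WEP is broken; crackable in minutes' }
        elseif ($n.Auth -match '^WPA-')  { $why = 'WPA1; use WPA2' }
        elseif ($n.Enc  -eq 'TKIP')      { $why = 'TKIP cipher; use AES/CCMP' }
        if ($why) { "$($n.SSID) [$($n.BSSID)]: $($n.Auth)/$($n.Enc) - $why" }
    }
}

# Roaming check: access points sharing an SSID must be on different channels, and on
# 2.4 GHz (channels 1-14) at least 5 apart (1, 6, 11 in the US) to avoid overlap.
function Test-RoamingChannels {
    param($Networks)
    foreach ($group in ($Networks | Group-Object SSID | Where-Object { $_.Count -gt 1 })) {
        $aps = @($group.Group | Sort-Object Channel)
        for ($i = 1; $i -lt $aps.Count; $i++) {
            $a = $aps[$i - 1]; $b = $aps[$i]
            if ($a.Channel -eq $b.Channel) {
                "$($group.Name): $($a.BSSID) and $($b.BSSID) share channel $($a.Channel); move one of them"
            } elseif ($a.Channel -le 14 -and $b.Channel -le 14 -and ($b.Channel - $a.Channel) -lt 5) {
                "$($group.Name): channels $($a.Channel) and $($b.Channel) overlap; use 1/6/11"
            }
        }
    }
}

# Constructed sample scan: a two-AP roaming network on overlapping channels, and an open network.
$sample = @'
SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 45%
         Radio type         : 802.11n
         Channel            : 8

SSID 2 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:aa:bb:cc:dd:ee
         Signal             : 30%
         Radio type         : 802.11g
         Channel            : 6
'@ -split "`r?`n"

# $sample = netsh wlan show networks mode=bssid   # live scan instead of the constructed text
$nets = ConvertFrom-NetshNetworks -Lines $sample
$nets | Format-Table SSID, BSSID, Channel, Auth, Enc -AutoSize
Test-WeakWifi -Networks $nets
Test-RoamingChannels -Networks $nets
```

With the sample input the roaming check reports HomeNet on channels 6 and 8 overlapping and the security check flags linksys as open; on a live scan, your own SSID should produce no lines from either.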

Tech Tip: Transferring the Schema Master Role

Transferring the schema master role to another domain controller is not something an administrator does on a regular basis. But when they do, the steps are easily forgotten.

The option to transfer the schema master role isn’t in the Administrative Tools list. You have to use the Microsoft Management Console (MMC), and before you open it you need the Schema snap-in, which is made available by registering an existing DLL.

First, log in to the DC you want to transfer the schema role to, using an account that is a member of the Schema Admins group. Then open a command prompt (run as administrator on Windows Server 2008) and type regsvr32 schmmgmt.dll

To open the MMC, type mmc in the Run box (or the Start search on Windows Server 2008 and up). Once the console is open, add the Active Directory Schema snap-in, right-click it and choose Change Active Directory Domain Controller to connect to the DC you are logged in to, then right-click it again, choose Operations Master and click Change.
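On Windows Server 2008 R2 and later the same transfer can be done from PowerShell with the ActiveDirectory module, which is the version I keep in my notes. Here it is as an added example (my code, not from the original post); the target DC name DC02 is hypothetical, and the script checks the Schema Admins membership the manual procedure also needs before it touches anything.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (Windows Server 2008 R2+ or RSAT) and Schema Admins membership. DC02 is hypothetical.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-SchemaMaster {
    param([Parameter(Mandatory=$true)][string]$TargetDC)

    # The transfer is refused without Schema Admins in the logon token; a freshly added
    # membership only shows up after logging off and on again.
    $me           = [Security.Principal.WindowsIdentity]::GetCurrent()
    $schemaAdmins = (Get-ADGroup 'Schema Admins').SID.Value
    if (($me.Groups | ForEach-Object { $_.Value }) -notcontains $schemaAdmins) {
        throw 'Current user is not a member of Schema Admins (log off and on after being added).'
    }

    $before = (Get-ADForest).SchemaMaster
    if ($before -ieq $TargetDC -or $before -ilike "$TargetDC.*") { "Already held by $before"; return }

    # Graceful transfer (both DCs online). Add -Force only to seize the role when the old
    # holder is gone for good; a seized role must never come back online.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole SchemaMaster -Confirm:$false

    $after = (Get-ADForest).SchemaMaster
    "Schema master: $before -> $after"
}

Get-FsmoHolders | Format-List
Move-SchemaMaster -TargetDC 'DC02'
Get-FsmoHolders | Format-List
```

netdom query fsmo gives the same before/after view from a plain command prompt if you want a second opinion from a different tool.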

Tech Tip: PHP on IIS 7

The following post is for anyone running Windows Server 2008 and wants to host dynamic webpages using PHP scripting.

A couple of years ago I wrote a step-by-step guide to installing PHP on IIS 6 on Windows Server 2003. I wrote it because many of the guides online were incorrect, had gaps or skipped steps that were crucial to getting PHP working. With Windows Server 2008, Microsoft also updated Internet Information Services to version 7. IIS 7 has lots of new features, and one of the nicest additions is how easily PHP can be installed compared with Windows Server 2003.

I wrote the following steps a year ago for documentation purposes. It should be the same process on Windows Server 2008 R2. I didn’t add screenshots because I’m assuming you’re familiar with the Windows Server 2008 GUI.

-Add the Web Server (IIS) role. Be sure the CGI role service is installed; it provides FastCGI, which is what PHP runs under.

-Download the PHP binary for Windows from http://windows.php.net/download/

-If your OS is 64-bit, download and install the Microsoft Visual C++ 2008 Redistributable (x86): the PHP Windows build is 32-bit and needs the 32-bit runtime.

In this tutorial we’ll use the zipped package rather than the installer.

-Unzip the contents to C:\php

-In the C:\php directory, rename one of the php.ini-xxxx templates to php.ini (php.ini-production on PHP 5.3, php.ini-recommended on 5.2).

-In php.ini, uncomment the following lines and set their values (to uncomment a line, delete the semicolon at the beginning of it):

upload_tmp_dir = C:\Inetpub\wwwroot\uploads (you need to create this ‘uploads’ folder manually; a folder outside the web root, such as C:\php\uploads, is the safer choice, because temporary uploads under wwwroot can be requested over HTTP)
date.timezone = America/Tijuana (pick your own time zone; the list is at http://us3.php.net/manual/en/timezones.php)

If you plan to use extensions, uncomment the extension= line for each one you need.

-Open IIS Manager

-Select the server node and double-click Handler Mappings

-Click Add Module Mapping

-Fill in the module mapping:

Request path:   *.php
Module:   FastCgiModule
Executable:   C:\php\php-cgi.exe
Name:   php fastcgi

When you click OK, IIS offers to create a FastCGI application for php-cgi.exe; accept. Then make sure the php fastcgi mapping shows as enabled.

To test PHP, open Notepad and type in <?php phpinfo(); ?> (no space between <? and php).
Save the file as info.php and place it in C:\inetpub\wwwroot\
Open your browser and point it at http://localhost/info.php (not the file path; opening C:\inetpub\wwwroot\info.php directly just shows the source).
If all went well you’ll see the PHP information page with its configuration for your server. Delete info.php once you’ve checked it: it tells anyone who can reach the server your exact PHP version, paths and settings.
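Because I end up repeating the php.ini and handler-mapping steps on every server, here is the whole thing scripted, as an added example (my code, not from the original post). It uses appcmd.exe, which ships with IIS 7, to register php-cgi.exe as a FastCGI application and map *.php to it, exactly what the Handler Mappings dialog does. It assumes PHP is unzipped to C:\php as above; the temp-upload folder C:\php\uploads outside the web root and the extra hardening lines (cgi.force_redirect, fastcgi.impersonate, expose_php) are my choices, not the original steps.

```powershell
# Added example, not from the original post. Scripts the php.ini edits and the IIS 7 FastCGI
# handler mapping with appcmd.exe on Windows Server 2008. Assumes PHP in C:\php as in the
# post; C:\php\uploads and the hardening settings below are my additions.
$php      = 'C:\php'
$ini      = Join-Path $php 'php.ini'
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$tmpDir   = Join-Path $php 'uploads'
$timezone = 'America/Tijuana'    # pick yours from http://us3.php.net/manual/en/timezones.php

# 1. php.ini from the production template, then set the values IIS/FastCGI needs.
if (-not (Test-Path $ini)) { Copy-Item (Join-Path $php 'php.ini-production') $ini }
New-Item -ItemType Directory -Path $tmpDir -Force | Out-Null

$settings = @{
    'upload_tmp_dir'      = $tmpDir
    'date.timezone'       = $timezone
    'cgi.force_redirect'  = '0'     # required when php-cgi runs under IIS
    'fastcgi.impersonate' = '1'     # run as the IIS authenticated user, as php.net recommends for IIS
    'cgi.fix_pathinfo'    = '1'
    'expose_php'          = 'Off'   # don't advertise the PHP version in response headers
}
$content = Get-Content $ini
foreach ($k in $settings.Keys) {
    # Matches the key whether it is live or commented out with a leading semicolon.
    $pattern = '^\s*;?\s*' + [regex]::Escape($k) + '\s*='
    $line    = "$k = $($settings[$k])"
    if ($content -match $pattern) {
        $content = $content | ForEach-Object { if ($_ -match $pattern) { $line } else { $_ } }
    } else {
        $content += $line
    }
}
Set-Content -Path $ini -Value $content

# 2. Register php-cgi.exe as a FastCGI application and map *.php to it (the Handler Mappings
#    dialog does the same). appcmd errors if an entry already exists; harmless on a re-run.
& $appcmd set config /section:system.webServer/fastCgi "/+[fullPath='$php\php-cgi.exe']"
& $appcmd set config /section:system.webServer/handlers "/+[name='PHP_via_FastCGI',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='$php\php-cgi.exe',resourceType='Either']"

# 3. Smoke test over HTTP (not the file path), then remove the probe: phpinfo() hands an
#    attacker the exact version, paths and loaded extensions.
$probe = 'C:\inetpub\wwwroot\info.php'
Set-Content -Path $probe -Value '<?php phpinfo(); ?>'
try {
    $html = (New-Object Net.WebClient).DownloadString('http://localhost/info.php')
    if ($html -match 'PHP Version') { 'PHP is running under IIS FastCGI' }
    else { 'Page served but PHP did not execute; check the handler mapping' }
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```

Run it from an elevated prompt after the IIS role and the C++ runtime are in place; the appcmd lines are idempotent apart from the duplicate-entry error, so it is safe to re-run after changing a setting.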