Archive for June, 2010

OFF TOPIC – Surprise tetris

June 29, 2010

I must share this surprising tetris game I saw here:

Domain Admin removal from Local Administrators

June 23, 2010

I was working on a lab, as I do daily in my new job training. We used the “You break it, I fix it” method, and for me it is the best way to go – when I fix something I remember it.

We worked on some access denied scenarios, and one of them involved the removal of the Domain Administrator account from the Local Administrators group on a 2003 Server. By removing the Domain Admin credentials from the Local Administrators group we expected our application to fail to access shares, as we had also removed the Everyone share permission.

The trick worked as planned, but the guy who broke my lab forgot one little detail – my RDP session used the same Domain Admin account and I lost the ability to get on that server. Luckily he did remember to get a local Administrator account ready to use, and though I failed to fix the lab (due to lack of access) we could log in and roll back the changes.

If you asked yourself why removing the Domain Admin account from the local Administrators group broke my RDP, you should dive into the default permissions (Windows 2003 Server in this case, but it applies all across the board). By default, the Domain Admins group is a member of the Administrators group on every computer that has joined the domain, including the DCs. Removing this group, either manually or via Group Policy, also removes the remote access permissions that come automatically with Administrators membership. Make sure you remember this chain reaction before you implement such a policy in your production environment 🙂


June 18, 2010

Squeezed between my new job and the World Cup, I hardly got on-line this week.

One cool thing I did see is a web site that offers a notepad platform where you can save your notes and even password protect them. This is a great way to share ideas with friends and co-workers and, even better, keep personal notes that are available anywhere, anytime.

Check out this example:

Last day – new beginning

June 11, 2010

Four weeks ago I wrote about the end of an era in my career. After eight years with my company I found a new job with a great start-up, leaving the financial industry.

So today, after a long four-week wait, my last day finally arrived and this whole thing became reality. After a small cake party (Chocolate Mousse Cake & Fraisier from my favorite Patisserie) I left the office for the last time, and it didn’t go as I expected. Leaving the office that I built from scratch a few years ago was weird, and I must admit it was overwhelming, more than I could have imagined.

Coming Monday I start my new job and I cannot be more excited. I’ll use the weekend to relax, watch as much soccer as possible and join the World Cup fever that even here in the US gets to a surprising level.

I want to thank my amazing wife for her support. I couldn’t get to this day without her!

ASA RADIUS authentication

RADIUS authentication is a good, easy way to integrate Cisco logins with AD credentials.

I had to configure a new RADIUS server today, and it is a great opportunity to go over the commands; in my case it is done on an ASA 5505.

This is all you have to configure on the Cisco side:

aaa-server vpn protocol radius
aaa-server vpn (inside) host
key password

Let’s break down the commands:
aaa-server vpn -> vpn is the server group name (it will be used later as a tunnel-group attribute)
protocol radius -> sets the authentication protocol for the group to RADIUS
aaa-server vpn (inside) -> names the interface through which the ASA reaches the RADIUS server; inside in this case is the firewall LAN
host -> the IP address of the RADIUS server
key password -> sets the shared key (password). The RADIUS key must match between the ASA and the RADIUS server.

Applying this to a tunnel group is also very simple:

tunnel-group Web_Users general-attributes
authentication-server-group vpn LOCAL

The RADIUS side is almost as easy as the Cisco side. I’m using Microsoft IAS on one of my management 2003 servers. I had to hide some of the parameters, but the idea is clearly presented:

And the properties of my ASA connection – this is where you use the password we typed on the router:
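To show what that shared key actually does on the wire, and why a mismatch between the ASA and IAS fails the way it does, here is an added Python example (not from the original post) that implements the RFC 2865 User-Password hiding and the Response Authenticator check. The key, user name and password in the test are constructed placeholders, not the parameters hidden in the screenshots.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts its own two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), seeded by the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same chain; with the wrong key this yields garbage, not an error."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def build_access_request(secret: bytes, ident: int, user: bytes, password: bytes, req_auth: bytes = None) -> bytes:
    """The Access-Request the ASA sends to IAS; User-Password is hidden with the configured key."""
    req_auth = req_auth or os.urandom(16)  # fresh random Request Authenticator per request
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, hide_password(secret, req_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + req_auth + attrs

def response_authenticator(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes = b"") -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) from RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def verify_response(secret: bytes, req_auth: bytes, response: bytes) -> bool:
    """Client-side check of a reply. A key mismatch fails here, and the client silently
    drops the reply, so from the ASA a wrong key looks like a server that never answers."""
    if len(response) < HEADER_LEN or struct.unpack("!H", response[2:4])[0] != len(response):
        return False  # truncated, or the Length field disagrees with the datagram
    expected = response_authenticator(secret, response[0], response[1], req_auth, response[HEADER_LEN:])
    return hmac.compare_digest(expected, response[4:HEADER_LEN])
```

The same key is used in both directions, which is why the RADIUS server must hold exactly the string typed after `key` on the ASA.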