A lot of organisations set up security policies so that users will be locked out if they enter the wrong password too many times. The idea is to prevent brute force attacks, where an attacker could sit there all day running through the dictionary until they guess the correct password. The downside is that this can lead to Denial of Service attacks, i.e. someone could deliberately enter the wrong password in order to stop other people from logging in. A better solution is to have a throttle, e.g. if you enter the wrong password then you have to wait 30 seconds until your next attempt. That would slow down an attacker without being a major inconvenience to legitimate users. Unfortunately, Windows domain controllers don’t support this natively, and I haven’t come across any third party software that does the same thing.
Leaving aside deliberate attacks, sometimes this can happen by accident. A common cause is that someone changes their password, but their mobile device still has the old password (to access email), and it automatically makes enough attempts to lock the account. There are some other common causes linked to a recent password change, e.g. if there is a scheduled task or a service running under a user’s account, or if they have mapped drives or cached credentials for websites.
A while back, I came across a case that was a bit more interesting. The root cause turned out to be a mismatch in authentication protocols, so the error messages were misleading: there was never actually an incorrect password! Read on for the technical details.
Continue reading “Active Directory lockouts”
I’ve recently had a few conversations with recruitment agencies, where they’ve asked me to rate my IT skills from 1-5. However, I’m reluctant to answer, because I think the concept is flawed.
Continue reading “Assessing ability”
I recently earned the ITIL Foundation Certificate in IT Service Management, after about a week of study. I’m currently job hunting, and I’ve noticed that a lot of adverts list this as essential. It won’t get you a job on its own, but not having the qualification might exclude you from certain jobs, if the employer treats this as a deal breaker.
My exam was based on version 3 of the syllabus (updated in 2011), but Axelos have announced that they will release version 4 next year. Quoting from that page:
“The first release of ITIL 4 will be the Foundation level, currently scheduled to be launched in Q1 2019, with the following levels due for release in H2 2019.
If a candidate has taken ITIL v3 Foundation, then the recommended approach is to take ITIL 4 Foundation in order to be able to transition to the new scheme. There is a large amount of new material in ITIL 4 Foundation therefore a new single exam is required to assess end-learner’s knowledge of the new ITIL 4 Foundation guidance.”
Based on that, if you haven’t started studying for ITIL yet then I recommend waiting a few months. However, circumstances forced my hand. Based on that, I looked for training that’s specifically focussed on this exam, rather than going into more depth.
Continue reading “ITIL Foundation (2011)”
When you set up a wired network using Ethernet cables (e.g. Cat5e or Cat6), there are 2 types: solid and stranded. The rule of thumb is that you use solid cables when they’re not going to move, e.g. between a wall socket and a patch panel. You use stranded cables when they will move, e.g. between a desktop PC and a wall socket. Solid cables are better over long distances, while stranded cables are a bit more flexible and they’ll probably survive being run over by an office chair.
However, what’s the actual difference between those types? In a way, they’re both solid, in the sense that they’re not liquid or gas. They also both contain thinner wires inside (twisted pairs). The difference applies to the copper wire once you remove all the plastic sheaths.
Continue reading “Ethernet cables: solid vs. stranded”
I recently came across an odd situation involving Windows Server 2016 and WSUS updates.
On the WSUS server, I typically see several new Definition Updates for Windows Defender (KB2267602) every day. E.g. on 2017-11-26, Microsoft released:
The update with the highest number will supersede the others, so I only approve that one. I then install this update on my other servers, and verify that they’re all up to date with patches (0 needed).
NB Windows Defender only runs on Windows Server 2016, not Windows Server 2012 R2 (or older). I’ve only tested this on core server, not the GUI edition.
Continue reading “Definition Update for Windows Defender – infinite loop”
I’ve recently been setting up a new FTP server, and I wanted it to support FTPS. However, I ran into a few problems when I tested it, which turned out to be partly due to the client software I was using. I’ve been using CuteFTP for several years: I registered for version 1.0 back in 2001, and I’ve been using version 8 since 2007. However, I’m now abandoning that in favour of FileZilla.
Continue reading “Windows FTP clients”
I recently upgraded an NME-CUE (Cisco Unity Express Enhanced Network Module) from version 3.2.1 to 8.6.7. This module was moving from a 3845 router (running CUCME 7.1) to a 3945 router (running CUCME 10.5), so these versions match the compatibility matrix. On the whole, this went fairly smoothly, but there are a couple of issues to be aware of.
In brief, there were 4 main steps:
- Backup the current configuration and data.
- Download and install the upgrade package.
- Migrate licences to CSL.
- Sort out the Message Waiting Indicator (MWI).
Continue reading “Upgrading Cisco Unity Express”
As I mentioned in a previous post, I installed dd-wrt (kernel 2.6, VOIP, build 14896) on my wireless router (Linksys WRT320N), which connected to a VDSL modem using PPPoE. After that, it worked fine for IPv4, so I had the same functionality as the original Linksys firmware. However, the purpose of the exercise was to get IPv6 support: this turned out to be easier said than done. I was eventually able to get it working, so if you only want the short answer and aren’t interested in all the troubleshooting steps that I went through, scroll down to the Conclusion section at the bottom of this post.
Please refer to my IPv6 router post to get an overview of what I’m trying to achieve here. Most of the documentation that I’ve found assumes that you’re using a tunnel: this is similar to a proxy server, where you have an IPv4 connection to a machine on the internet, then that machine connects to your real destination using IPv6. However, I have native IPv6 connectivity from my ISP.
Continue reading “Native IPv6 in dd-wrt”
As I’ve mentioned before, I switched my home ISP to A&A so that I could get IPv6 on my internet connection. That gave me 2 pieces of the puzzle (OS support and internet connection), but I still needed to sort out my network infrastructure, specifically my router. This post says what I’m trying to achieve, and it would apply to any router, regardless of the hardware/software involved. I’ll save the details of how I actually went about it for other posts, which are specific to the particular equipment.
On the client side, this should all be invisible. Someone should be able to turn up with a suitable device (e.g. an iPad or a laptop running Windows) and automatically get IPv6 internet access without having to do anything extra. They may have to type in the key for the wireless network, but that’s the same for IPv4 and IPv6. Similarly, they shouldn’t notice whether they’re accessing a particular site (e.g. Facebook) over IPv4 or IPv6; the only visible difference should be that IPv6-only sites (e.g. Loops of Zen) are now available, whereas they weren’t before. I’ve bought an iPad app to help me with my testing (IPv6 Toolkit) but that’s just a diagnostic tool and you don’t need it to actually use IPv6. In fact, as of IOS 9, it’s a requirement for all iPad apps to support IPv6.
On the router side, I want feature parity between IPv4 and IPv6 (where it makes sense). For instance, NAT (Network Address Translation) is a necessary evil in IPv4 and I’ll be glad to see the back of it, so I don’t want an IPv6 equivalent (NAT66). However, if a router says that it supports IPv6 and PPPoE then I expect it to support IPv6 over PPPoE. I also expect to be able to ping IPv6 addresses; I’d prefer to use the same command (ping) for both IPv4 and IPv6, but I don’t mind if I have to use separate commands (e.g. ping6 in Red Hat Enterprise Linux 5) as long as the functionality is built in.
I would like to have some kind of firewall built into the router (e.g. ip6tables), but that’s not essential; if necessary, I’m willing to use a separate device for that.
When I set up a router for an IPv4 xDSL (ADSL/VDSL) internet connection, I don’t have to type in the public IPv4 address: that comes from the ISP. In a similar way, I would like an IPv6 router to pick up the equivalent IPv6 address range automatically. However, if I have to type in the router’s IPv6 address manually then I can live with that; this is just a one-off job until I change my internet connection, rather than something I’d have to do on a daily basis.
Continue reading “IPv6 router”
Back in 2011, I had VDSL installed in my flat. As part of the installation, the BT engineer replaced the faceplate on my master phone socket and also supplied me with a new modem:
Earlier this year, the modem developed a fault and I couldn’t get online. Annoyingly, this happened on a Friday evening, so A&A’s tech support had closed for the weekend. I got in touch with them on Monday morning, then BT sent someone out on Tuesday morning and I was back online by 09:30. So, I didn’t have internet access for 3½ days, but if the same problem happened midweek then presumably it would be resolved more quickly.
Continue reading “VDSL modem”