A user whose laptop was joined to Azure AD was suddenly unable to connect to Teams due to error caa70004, and OneDrive was showing 0x8004de40. The web apps worked fine, and the password had not been reset.

Rejoining the PC to Azure AD did not resolve it, and that Windows profile could not join to any other Microsoft account. Signing into the PC with a local username and password, it could open and sign into Microsoft apps.

Our organization whitelists the 2FA prompt on trusted IPs, so we changed the machine to connect via a non-trusted IP (a 4G hotspot), which allowed the user to enter the 2FA code and re-sign the authentication token.


Fortigate Logging

Flow Trace

Now I will show a flow trace from my computer to 4.2.2.2.

diagnose debug reset 
diagnose debug flow filter saddr 10.22.22.122 
diagnose debug flow filter daddr 10.100.1.1 
diagnose debug flow show function-name enable
diagnose debug enable 
diagnose debug flow trace start 100  #display the next 100 packets, after that, disable the flow: 

When complete, you can disable manually with

diagnose debug disable


The output will show you which interface the connection came in on and, because of function-name enable, you will also see NAT, routing, IPS, offloading to NPU and SPU, etc.

Sessions

You can also see the sessions using the following commands

diagnose sys session filter clear
diagnose sys session filter dst 4.2.2.2
diagnose sys session filter dport 53
diagnose sys session list           #show the session table with the filter just set

Use whichever filter works for you, whether on source or destination as well as ports.


With this filter in place, you can clear the matching sessions by issuing diagnose sys session clear. NOTE: Without the filter in place, you will clear ALL sessions on the FortiGate. It is always a good habit to run diag sys session filter ? to list the filter you have configured.

Packet Capture

You can either use the GUI or the CLI to run packet captures.

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l 
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a 
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l 

The verbosity is controlled by the following:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

You can use the GUI by going to Network, then Packet Capture, then Create.



Speeds

Disable Low Data Rates

To turn off rates 1, 2, 5.5, and 11, go into the CLI on the FortiGate and use the following:

config wireless-controller vap
    edit <vap_name>
        set rates-11a 12-basic 18 24 36 48 54
        set rates-11bg 12-basic 18 24 36 48 54
    next
end

Channels

Avoid 80+ MHz wide channels in 5GHz and only use 20 MHz channels in 2.4GHz. There are use cases for wider channels, but there is not enough spectrum available today for proper channel reuse in an enterprise deployment or a multitenant environment. You will end up with CCI and ACI (co-channel and adjacent channel interference).

Use the Widest Channel Available

Check your country's DFS channels. These have special rules and have to coexist with things like weather radar and military functions. When an AP detects a "hit" on a DFS channel it has to change to a non-DFS channel for a specified time in order to free up that spectrum. In some places DFS is nearly unusable because of so many DFS hits; in many cases DFS is usable and frees up spectrum. This allows more channels, which also means the potential for using 40 MHz wide channels because you have less chance of CCI and ACI.

No 802.11b devices = SGI (Short Guard Interval) on; otherwise off. Use of 11b clients necessitates the use of low (non-OFDM) data rates, which forces the use and ripple of protection mechanisms (e.g. RTS/CTS and CTS-to-Self).

Reduce SSIDs and split networks using authentication methods (RADIUS -> Corporate, Guest -> Guest).


As Google is decommissioning their Google Play Music service, you have to transfer to YouTube Music.

Upon selecting the Transfer link I got:

YouTube channel you’re currently using isn’t supported for the Google Play Music transfer.

This is because my YouTube was a brand account.

You can move your Brand account to a Google account so that all your music history data is there: https://support.google.com/youtube/answer/3056283?hl=en

If you go to your advanced account settings: http://youtube.com/account_advanced

And choose

After this it will let you transfer.


Trying to deploy a MAM policy, the Teams app asked to sign into the Intune Portal app, which would not let the user in.

  1. Uninstall Intune app (Company Policy)
  2. Clear Android Settings | Accounts of all work accounts, including any reference to my personal MS account
  3. When opening Teams, rather than saying “switch accounts”, I just logged in using my personal account (the username for which was pre-filled)
  4. I added the Teams account to the Teams app – prompting the flow of:
    1. Installing the Intune app
    2. Granting device administrator privileges (including giving access to Contacts!)
    3. Getting the message that there is no administrator policy (or some such thing)
    4. Adding a PIN to Teams
  5. Getting back to Teams and signing out of my personal account

This seemed to have worked. I went on to test whether the security worked.

  1. Anything I downloaded to my device I couldn’t open (format incorrect)
  2. I could view stuff in Teams but I couldn’t open it on a native app.

 


Recently got a second-hand washing machine. Upon running through a test wash, the hot water ran but never shut off, which could have flooded the area.

A washing machine has two inlet valves, one for the hot water and one for the cold water. The water inlet on this one obviously fails to the closed position when shut off (or it would have started to fill up when I turned the tap on), but the electronics could not shut the valve off when it needed to let only a certain amount of water in.

You can swap inlet valves yourself with a screwdriver and pliers, and they cost around 20 USD delivered; you can find them on eBay for the right model. Make sure you get the right one, as hot and cold water inlets are different.


SSL 64-bit Block Size Cipher Suites Supported (3DES-CBC-SHA ciphers, RC4-MD5, RC4-SHA)

Legacy block ciphers having a block size of 64 bits are affected by a vulnerability known as SWEET32. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability via a "birthday" attack. By misusing the SWEET32 vulnerability, an attacker can send in a large volume of dummy data and get blocks of ciphertext that match that of the organisation.

Attack Process

1. The attacker sniffs all data sent to your customer (external user).
2. The attacker sends dummy data to your server until a key used for a customer matches the attacker's session key.
3. Once there's a match, sensitive data can be decrypted by determining how the key was chosen.

Fix

https://gallery.technet.microsoft.com/Solve-SWEET32-Birthday-d2df9cf1

And

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

Server Version Disclosure

Default or misconfigured web servers often disclose their version in multiple locations, such as HTTP response headers and error pages. Attackers can perform banner grabbing against the web server using netcat or telnet, which reveals the web server, its version, and the operating system.

On IIS 7

Using the registry:

Create a DWORD entry called DisableServerHeader in the following registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

On IIS 6 

1. Install URLScan (this is a free tool available from Microsoft).
2. Open the URLScan.ini file with a text editor. The file is usually located in the %WINDIR%\System32\Inetsrv\URLscan directory.
3. Search for the key RemoveServerHeader, which by default is set to 0. Set the value to 1 in order to remove the Server header.

SSLv3, TLS 1.0 protocols

If SSLv3 is enabled on any website, it is vulnerable to the POODLE attack. The remote service accepts connections encrypted using SSL 3.0. These versions of SSL reportedly suffer from several cryptographic flaws.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

Disable SSL v2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Webserver HTTP Header Internal IP Disclosure

A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further targeted attacks. Internal IP addresses are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. This may also affect other web servers, web applications, web proxies, load balancers, and a variety of misconfigurations related to redirection.

IIS 7.0

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"remote.server.domain.com" /commit:apphost

IIS 6.0

To prevent internal IP address disclosure, take the following steps.
1. Open a command prompt and change the current directory to c:\inetpub\adminscripts, or to wherever the adminscripts can be found.
2. Run the commands:

adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's hostname rather than its IP address.

If you run the above on IIS 7 you will get:

ErrNumber: -2147463162 (0x80005006)
Error Trying To SET the Property: UseHostName

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The modulus currently in use is a weak one and can be exploited by a determined attacker. Update to a 2048-bit DHE modulus.

Fix
1. Make sure that you have KB 3174644 installed on the affected server.
2. Run Regedit on the affected server.
3. Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms
4. Create a new subkey named Diffie-Hellman (if it does not already exist).
5. Inside that, create a new DWORD called "ServerMinKeyBitLength" with the value "00000800" (hex, i.e. 2048 bits).
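As an added example (not part of the original post), the PowerShell below audits and applies the registry settings listed in this post in one pass: the SWEET32 cipher keys, the IIS 7 DisableServerHeader value, the SSL 2.0/3.0 server keys, and the Diffie-Hellman ServerMinKeyBitLength. The key paths and values are the ones on this page; the function names are my own. It uses the .NET RegistryKey API rather than the HKLM: drive because cipher key names such as RC4 56/128 contain a slash, which the PowerShell path parser would otherwise treat as a separator and create nested keys.

```powershell
# Added example: audit, then apply, the Schannel/HTTP.sys registry values from this post.
# Run in an elevated session; Schannel reads these values at boot, so reboot afterwards.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkey (relative to HKLM) -> value name -> desired data. All entries come from the post.
$settings = @(
    @{ Key = "$schannel\Ciphers\DES 56/56";                    Name = 'Enabled';              Value = 0 }
    @{ Key = "$schannel\Ciphers\Triple DES 168";               Name = 'Enabled';              Value = 0 }
    @{ Key = "$schannel\Ciphers\RC4 56/128";                   Name = 'Enabled';              Value = 0 }
    @{ Key = "$schannel\Ciphers\RC4 40/128";                   Name = 'Enabled';              Value = 0 }
    @{ Key = "$schannel\Ciphers\RC4 128/128";                  Name = 'Enabled';              Value = 0 }
    @{ Key = "$schannel\Protocols\SSL 2.0\Server";             Name = 'Enabled';              Value = 0 }
    @{ Key = "$schannel\Protocols\SSL 3.0\Server";             Name = 'Enabled';              Value = 0 }
    @{ Key = "$schannel\KeyExchangeAlgorithms\Diffie-Hellman"; Name = 'ServerMinKeyBitLength'; Value = 0x800 }  # 2048 bits
    @{ Key = 'SYSTEM\CurrentControlSet\Services\HTTP\Parameters'; Name = 'DisableServerHeader'; Value = 1 }
)

function Get-HardeningState {
    # Read each value without creating anything; $null in Current means "not set" (Schannel default).
    param([hashtable[]]$Items)
    foreach ($item in $Items) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($item.Key)
        $current = if ($key) { $key.GetValue($item.Name, $null) } else { $null }
        if ($key) { $key.Close() }
        [pscustomobject]@{
            Key       = $item.Key
            Name      = $item.Name
            Current   = $current
            Desired   = $item.Value
            Compliant = ($null -ne $current -and [int]$current -eq $item.Value)
        }
    }
}

function Set-HardeningState {
    # CreateSubKey treats only backslash as a separator, so "RC4 56/128" stays one key.
    param([hashtable[]]$Items)
    foreach ($item in $Items) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($item.Key)
        $key.SetValue($item.Name, [int]$item.Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

# Audit first; only write when something is out of line, so repeat runs are idempotent.
$state = Get-HardeningState -Items $settings
$state | Format-Table Key, Name, Current, Desired, Compliant -AutoSize
if ($state | Where-Object { -not $_.Compliant }) {
    Set-HardeningState -Items $settings
    Write-Host 'Settings written; reboot for Schannel to reload them.'
}
```

Running it a second time after the reboot should show every row Compliant = True; a row that flips back to False points at a GPO or another tool rewriting the key.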


Problem Description:

  1. [FSM:FAILED]: Cap the power consumption of chassis 1(FSM:sam:dme:EquipmentChassisPowerCap). Remote-Invocation-Error: Error in setting power cap budget-MC Error(-5): Error Executing Command
  2. Warning: there are pending management I/O errors on one or more devices, failover may not complete.

UCS-FI-M-6324

UCSM:Package-Vers: 3.1(3a)A

Action Taken:

+ Tried changing the power cap policy from Chassis level to blade level and back to chassis level, fault did not clear.

 

Rebooted FI-IOM B, all faults are cleared.


Server 2008 and prior domain controllers create two Domain Admins ACEs on the GPOs. We could not see both in the GUI, but when we ran icacls {GPO UID} on the Server 2008 domain controller you could see both Domain Admins entries.

Server 2012 and newer domain controllers only create a single Domain Admin account with access.  In the 2018.6C (June 21 Rollup, links below) patch for 2016 and 2012R2, a new function was introduced to remove duplicate ACEs in order to reduce the NTFS Security Descriptor stream size. Machines with this patch will no longer write that duplicate ACE, thereby making them inconsistent with the unpatched ones.

To fix it, we logged into the Server 2008 domain controller and ran the following command against all the GPOs to remove both Domain Admins entries:

icacls "{GPO UID}" /remove:g "<localdomain>\Domain Admins"

Then the following command adds a single Domain Admins entry back to the GPO:

icacls "{GPO UID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)

We then forced replication again with these two commands:

repadmin /syncall

repadmin /syncall /AdePq

After that we re-ran Detect Now on the Server 2016 machine and all servers were green.

IMPORTANT NOTE:

If you create a new policy on Server 2008 it will get the second Domain Admins entry again. So, to prevent it from happening going forward, you should create the GPOs on Server 2016.
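To apply the two icacls commands above to every GPO at once, here is an added PowerShell example (not the post's own script). It assumes that the {GPO UID} in the post refers to the policy folder under SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\{GUID}) and that it runs on the Server 2008 domain controller as a member of Domain Admins; $PoliciesRoot and the group name are derived from environment variables as placeholders and should be checked before use. It dry-runs by default and only touches folders that actually carry more than one Domain Admins ACE.

```powershell
# Added example: find GPO folders with the duplicate "Domain Admins" ACE and repair them
# with the same two icacls commands from the post (remove every grant for the group,
# then grant a single (OI)(CI)(F) ACE). Assumption: {GPO UID} = the SYSVOL policy folder.
$Domain       = $env:USERDNSDOMAIN                    # placeholder, e.g. corp.example.com
$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"   # assumed location of the GPO folders
$Group        = "$env:USERDOMAIN\Domain Admins"       # NetBIOS form, as icacls shows it

function Get-GroupAceCount {
    # icacls prints one ACE per line; count the lines naming the group.
    param([string]$Path, [string]$Identity)
    $lines = & icacls.exe $Path 2>&1
    return @($lines | Where-Object { $_ -like "*${Identity}:*" }).Count
}

function Repair-GpoAdminAce {
    param([string]$Path, [string]$Identity, [switch]$Apply)
    $before = Get-GroupAceCount -Path $Path -Identity $Identity
    $after  = $before
    $action = 'none'
    if ($before -gt 1) {
        $action = if ($Apply) { 'repaired' } else { 'would repair (use -Apply)' }
        if ($Apply) {
            # Same commands as the post: strip all grants for the group, then add one back.
            & icacls.exe $Path /remove:g $Identity | Out-Null
            & icacls.exe $Path /grant "${Identity}:(OI)(CI)(F)" | Out-Null
            $after = Get-GroupAceCount -Path $Path -Identity $Identity
        }
    }
    [pscustomobject]@{
        Gpo        = Split-Path $Path -Leaf
        AcesBefore = $before
        AcesAfter  = $after
        Action     = $action
    }
}

# Dry run by default; set $apply = $true to change ACLs. Expect AcesAfter = 1 for repaired GPOs.
$apply = $false
Get-ChildItem -Path $PoliciesRoot -Directory -Filter '{*}' |
    ForEach-Object { Repair-GpoAdminAce -Path $_.FullName -Identity $Group -Apply:$apply } |
    Format-Table -AutoSize
```

Run it once in dry-run mode to get the list of affected GPOs, then with $apply = $true, and follow up with the two repadmin /syncall commands from the post so the corrected ACLs replicate before re-checking.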
