O365 with Duo MFA (Without a P1 License?)
Feb 16

KB ID 0001737 Problem Working for a cloud service provider (and a Duo partner), I get a lot of queries about Duo MFA for Office 365. Typically (I think) the best solution is to enable Azure Conditional Access and couple that with Trusted sites, so clients get challenged when out on the road, but not in the office. The drawback of this is that Azure Conditional Access requires a P1 License; at time of writing that’s about $6 a month...

Free Certificate for IIS with Let’s Encrypt
Feb 11

KB ID 0001736 Problem I’ve been aware of Let’s Encrypt for a while; they are a non-profit Certification Authority who will provide you with a free certificate, and you can use them for most things you want to secure with a digital certificate. The only reason I’ve never used them in the past is that their certificates have a short (3 month) lifespan, and I see enough things breaking when people forget to renew 12 month...

Outlook URL Shortening?
Feb 08

KB ID 0001735 Problem Outlook URL: I first noticed this a few weeks ago. When copying and pasting a URL into an email, it shortens the URL and gives it the page’s title. At first I thought my firm’s devs had changed the way our CRM works, but then I noticed it happening with SharePoint URLs as well, this is what I mean; I don’t have a problem with it, in fact I much prefer it! However I got an email this morning from someone...

FortiGate Securing Remote Administration
Feb 05

KB ID 0001734 Problem When considering securing FortiGate remote administration, I’ve written about changing the HTTPS management port to something other than TCP 443 before; I suppose that’s security by obfuscation (though even a script kiddie with one hour’s experience will be able to spot an HTML response). Typically with other vendors you limit remote administration access to specific IP addresses (or ranges). So...

FortiGate LDAPS Authentication Failure
Jan 29

KB ID 0001733 Problem Here’s a brief one that tripped me up a couple of weeks ago, I was deploying FortiGate LDAPS authentication for some FortiClient SSL VPN connections into a FortiGate firewall like so; Despite my best efforts I was getting authentication failures? If I tested the username and password in the GUI web management portal, that worked fine? Testing FortiGate LDAPS First step is to test authentication at command...

Windows File Server Migration (Maintain Share & NTFS Permissions)
Jan 27

KB ID 0001201 Problem When attempting a File Server Migration why isn’t this better publicised? Did you know Microsoft have a set of Migration tools, and one of them is for file servers? Now traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘User Profiles’ I would normally back them up, and restore them to the new server. This is because the file permissions on ‘correctly...

Domain Join SID Error
Jan 26

KB ID 0001732 Problem Thankfully I don’t see a SID error very often these days; The following error occurred when attempting to join the domain ‘{domain-name} The domain join cannot be completed because the SID of the domain you attempted to join was identical to the SID of this machine. This is a symptom of an improperly cloned operating system install. You should run Sysprep on this machine in order to generate a new...

Migrate From Server 2012 to Server 2019 Domain Controllers
Jan 25

Server 2012 DC to Server 2019 DC KB ID 0001731 Problem I get asked about this quite a lot. In the past most of the queries were about moving from Server 2008 to Server 2019; if that’s what you are after then simply go here. This article is purely for the introduction of, and migration to, Windows Server 2019 Domain Controllers. And it assumes your current domain controllers are Windows Server 2012 (or 2012 R2). Adding a Server...

FortiGate High Availability (Active / Passive)
Jan 22

KB ID 0001730 So my aim was to set up FortiGate High Availability failover in Active / Passive mode. I’m setting this up in EVE-NG and here’s what my lab looks like; Note: I’m using TWO connections for Heartbeat/Failover, you can simply use one if you prefer. FortiGate High Availability (Pre-Requisites) Obviously the firewalls need to be the same! For physical firewalls that’s straightforward, but be careful if you are...

FortiGate: SSL Inspection (HTTPS Inspection)
Jan 15

KB ID 0001729 Problem Do you inspect the traffic on your network? You have a firewall? Maybe an IDS appliance? That’s good news, do you inspect HTTPS traffic? In most cases the answer is no, because either you do not have the capability, or enabling SSL Inspection will degrade the firewall’s performance so much that you accept the risk. At time of writing (early 2021) it’s estimated that 85% of all web traffic is now...
