Don’t store service account passwords in Active Directory attributes

A predecessor of mine decided to store service account passwords in the description attribute of the account. I’m somewhat grateful that he at least documented them, but further investigation showed just how negligent this is—especially given that many service accounts have escalated privileges.

I’m not super familiar with the gory details of how AD implements LDAP, but suffice it to say: it appears that any domain account may bind to LDAP and query any other object’s properties—even totally unprivileged accounts within subdomains.


A slightly better way to filter wireless multicast on DD-WRT

Wi-Fi is a shared, half-duplex medium. Furthermore, every unicast frame must be acknowledged by the receiver. Combine these facts with a crowded spectrum in most areas, and we have every reason we need to keep unnecessary traffic off the airwaves.


Wi-Fi Security: Attack and Defense

Originally appeared in 2600 Magazine issue 30:4

This article seeks to examine the current state of Wi-Fi security, with a practical emphasis on attack and defense methodology. The proliferation of mobile devices, decreasing cost of deployment, increasing speed, and overall convenience, likely all play huge roles in the snowballing popularity of wireless networking. These benefits do not come without drawbacks, however; it seems convenience and security are inversely related. As we gain one, we lose the other. Wi-Fi security has matured significantly since its birth around the turn of the millennium, starting with open networks and WEP encryption. With insecure networks declining along with the ratification of WPA2 in 2004, it would seem we are moving toward a more secure wireless world. Experience, however, tells a different story.


Turning old computers into Chrome web kiosks with LTSP

Background

The school districts I support have tens of thousands of dollars invested in student workstations, many of which are well beyond their refresh cycle. Funding trickles in, but well behind the 1:1 student computing initiatives that administrators push for.

The aging machines still physically work, but most of them:

  • Run end-of-life Windows XP, and are not ready for Windows 8.1;
  • Cost more to maintain than the cost of replacement;
  • Don’t need to run local software the way they did in the mid-2000s.

Students these days, more often than not, just need a way to get online. Most curriculum and learning apps are web-based, and with Google Apps or Office 365, even productivity comes through a browser. The era of myriad local client software has ended, and those use cases which require specialized software have become the exception instead of the rule. This makes a simple way of turning these older computers into lean web kiosks very attractive. Enter LTSP.


Setting up AirPrint on Windows Server 2012 R2

The Problem

I recently replaced SBS 2003 with Server 2012 R2 for file and print services at a client site. One of the few hiccups was that the AirPrint service kept crashing after successfully spooling a single job.

The only traces in the event log were Event ID 1000 from source Application Error, and Event ID 7034 from Service Control Manager stating that the AirPrint service terminated unexpectedly.
