Category Archives: Security

Unified Extensible Firmware Interface (UEFI)

Posted on by
Reply

Unified Extensible Firmware Interface

For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. UEFI is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.

Introduction to UEFI

BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:

  • 16-bit code
  • 1 MB address space
  • Poor performance on ROM initialization
  • MBR maximum bootable disk size of 2.2 TB

As the replacement to BIOS, UEFI has many features that Windows can and will use.

With UEFI, you can benefit from:

  • Support for large disks. UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
  • Faster boot time. UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
  • Multicast deployment. UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
  • Compatibility with earlier BIOS. Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
  • CPU-independent architecture. Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
  • CPU-independent drivers. On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
  • Flexible pre-operating system environment. UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
  • Secure boot. Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.

Versions

UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.

Hardware support for UEFI

In regard to UEFI, hardware is divided into four device classes:

  • Class 0 devices. This is the UEFI definition for a BIOS, or non-UEFI, device.
  • Class 1 devices. These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
  • Class 2 devices. These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
  • Class 3 devices. These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.

Windows support for UEFI

Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.

With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.

How UEFI is changing operating system deployment

There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:

  • Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
  • When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
  • When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
  • UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).

Synology NAS Recovery password (telnet)

Posted on by
1

Synology’s “secret” telnet password….

If you ever had to recover a Synology nas box in recovery-mode, pre DiskStation installation or after a failed DiskStation install….. Then you would need the “secret” telnet password for admin (or in some cases root)

In case you don’t want to contact Synology here is how it’s generated

  • 1st character = month in hexadecimal, lower case (1=Jan, … , a=Oct, b=Nov, c=Dec)
  • 2-3 = month in decimal, zero padded and starting in 1 (01, 02, 03, …, 11, 12)
  • 4 = dash
  • 5-6 = day of the month in hex (01, 02 .., 0A, .., 1F)
  • 7-8 = greatest common divisor between month and day, zero padded. This is always a number between 01 and 12.

So, let’s say today is October 15, the password would be: a10-0f05 (a = month in hex, 10 = month in dec, 0f = day in hex, 05 = greatest divisor between 10 and 15).

In some cases the clock is also set to factory default… then try the password: 101-0101

Based on the original correct_password.c source,here is a short snippet to generate the daily password.

 

#include <stdlib.h> 
#include <time.h> 
#include <stdio.h> 

void main()
{
    struct timeval tvTime;
    struct tm tmOutput;

    gettimeofday(&tvTime, 0);
    localtime_r(&(tvTime.tv_sec), &tmOutput);

    tmOutput.tm_mon += 1;
    printf("password for today is: %x%02d-%02x%02d\n\n",
        tmOutput.tm_mon, tmOutput.tm_mon, tmOutput.tm_mday,
        gcd(tmOutput.tm_mon, tmOutput.tm_mday));
}

int gcd(int a, int b)
{
    return (b?gcd(b,a%b):a);
}

 

Access Director 3.0 Released

Posted on by
Reply

The future of Windows is coming on July 29

To make your next Windows experience even better – We have just released the next version of Access Director.                                                                                               Using Access Director you will be able to secure your desktop, simple and easy!

– Run your desktop in a non-elevated user context
– Elevate only needed applications with a single click
– Elevate in your current user-context without affecting other unsecured applications like IE or Office

What’s in Access Director 3.0 ?

– Updates to support the next Windows experience (10)
– Support for integration modules
– Minor bug fixes

Get it from the Download Center

Direct Download Link

Poweshell under the security context of another user (RunAs)

Posted on by
Reply

Recently i needed to run some powershell scripts under multiple security context’s – the main reason for this was my client’s strict delegation model.

We ended up with multiple service account with rights only to the needed systems (Its not such a bad thing!)

The result was this powershell script to change security context

$SPAccountName = “<username>”;
$AccountPassword = “<password>”;
$AccountPasswordAsSecureString = $AccountPassword | ConvertTo-SecureString -Force -AsPlainText
$credential = New-Object System.Management.Automation.PsCredential(“$env:userdomain\$SPAccountName”,$AccountPasswordAsSecureString)
$SvcAccSession = New-PSSession -Credential $credential;
Invoke-Command -Session $SvcAccSession -Script { Import-Module ActiveDirectory }
Invoke-Command -Session $SvcAccSession -Script { Get-AdGroupMember “Some-group”}

In the above example we just get the member of some application group – but really, you can do whatever you like.

If you need it to query a specific server you can use -Computername <servername> right after New-PSSession.

This method also came in rather handy when running service-side powershell execution invoked by a webservice.. but more on that later

 

Access Director 2.4.0.2 released!

Posted on by
Reply

It’s been some time since our last update, but here we go again

Access Director has been updated and released

This is a major upgrade, all previous versions should be uninstalled prior to installing the new versions

Short list of changes

  • Its now possbile to use localized balloon notification (or your own)
  • Language default is en-us
    • valid values are auto, or specific lananuge files e.g. de-de.lng (must reside in existing languages folder)
  • Localized menu options (remember du save lng files as unicode)
  • Registry modifications now resides in HKLMSoftwareNoLightPeopleAccess Director
  • as per request the MSI, and application itself is now signed
  • Removed the need for any registry keys needed for the service to start (will run with default values if no other is present
  • Updated Policy Prefences template included in zip file

Direct Download Link: http://tinyurl.com/mtc4pzo

let me know of bugs and feature requests 🙂 @MarcussenThomas

 

 

Admin Rights: The Root Of Many Vulnerabilities

Posted on by
Reply

A recent survey conducted by BeyondTrust (www.beyondtrust.com), a developer and marketer of least privilege management software, reveals that 92% of critical vulnerabilities reported by Microsoft could have been prevented simply by removing administrator rights from Windows users. Also, the survey points out, removing administrator rights helps companies protect themselves and their computers against 94% of Microsoft Office, 89% of Microsoft Internet Explorer, and 53% of Windows vulnerabilities. Given the prevalence of Microsoft software in today’s corporate environment, these numbers should give any administrator pause.

Get a head start removing Admin Rights – by using Access Director from Basic Bytes

Essentials – Access Director

Posted on by
Reply

Allowing a known user to elevate specific applications or tasks on demand

http://www.youtube.com/watch?v=-ZrL_rbqYlI

In the video we are logged on a workstation with the TestUser
TestUser is not member of the Local Administrators group
TestUser is member of the custom created local group Access Director

When requesting local administrators access using the tray icon, it will verify that we are a know user that is a member of the local group Access Director. If we are member of the local group we will be elevated for a predefined number of minutes (2 minutes in the example)

When elevated, we can click on any application and RunAs Administrator – we will as always be prompted for our logged on credentials, but this time the application is running with local administration privileges.

When the timer hits 2 minutes, our administration privileges are expired.

This will make it possible ONLY to elevated, when needed and not having to load the full profile with administrative privileges

The tray icon does not require additional rights to run
A local system service will handle all requests
All options are configurable through gpo and/or registry

Read more about latest additions at https://basic-bytes.com