BitLocker – AD setup for BitLocker Recovery Key Management

Like most other posts in this blog, this is pieced together to make sense to me.

Especially in older domains, verify that the AD schema already contains the BitLocker attributes (ms-FVE-RecoveryPassword, ms-FVE-RecoveryGuid, ms-FVE-VolumeGuid, ms-FVE-KeyPackage and the ms-FVE-RecoveryInformation class). From a PowerShell window running as administrator:

Get-ADObject -SearchBase ((GET-ADRootDSE).SchemaNamingContext) -Filter {name -like 'ms-FVE-*'}

An empty result means the schema still needs extending (the attributes arrived with the Windows Server 2008 schema). On a domain controller, install the BitLocker feature with its management tools; that pulls in the BitLocker Recovery Password Viewer, which is the Active Directory Users and Computers extension that adds the BitLocker Recovery tab. Note that -Restart reboots the DC if the install asks for it, so drop it if that is not acceptable right now:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

To see the BitLocker Recovery tab from an admin workstation instead, the RSAT "BitLocker Drive Encryption Administration Utilities" feature needs to be installed on that workstation.

GPO Settings

On a domain controller: Server Manager > Tools > Group Policy Management

Edit the following:

Computer Configuration>Policies>Administrative Templates>Windows Components>BitLocker Drive Encryption

"Store BitLocker recovery information in Active Directory Domain Services" (the policy marked "Windows Server 2008 and Windows Vista"; it only governs those older clients, the per-drive policies below are what Windows 10 and later honour, but there is no harm in setting both):
Select "Enabled"
Check "Require BitLocker backup to AD DS"
Select "Recovery passwords and key packages"


NOTE – The GPO "Help" text says the TPM owner information also needs to be backed up. That no longer applies from Windows 10 version 1607, which stopped retaining the TPM owner password, so there is nothing left to back up and the TPM backup policy can be ignored on current clients.

"Choose how users can recover BitLocker-protected drives":
    Select "Enabled"

Select "Operating System Drives"

"Choose how BitLocker-protected operating system drives can be recovered":
    Select "Enabled"

    Check "Save BitLocker recovery information to AD DS for operating system drives"
    Select "Backup recovery passwords and key packages"

    Check "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"

NOTE – With that last box checked the client refuses to turn BitLocker on unless it can reach a writable domain controller at that moment. That is the behaviour you want (no machine ends up encrypted with a recovery password that exists nowhere else), but it also means builds that are off the network fail to encrypt until they can talk to AD, and drives encrypted before the policy applied are not backed up retroactively.

Select "Fixed Data Drives"

"Choose how BitLocker-protected fixed data drives can be recovered":
    Select "Enabled"

    Check "Save BitLocker recovery information to AD DS for fixed data drives"
    Select "Backup recovery passwords and key packages"

    Check "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives"
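The checks I would run once the GPO is in place, as an added example (this is not the post's own script): confirm the policy reached a client, push the recovery passwords of already-encrypted drives into AD DS, then confirm from the AD side that the objects exist. It assumes an elevated PowerShell on a domain-joined, BitLocker-enabled client with the built-in BitLocker module and the RSAT ActiveDirectory module. The FVE registry value names are the ones the BitLocker ADMX uses for the OS-drive policy as I read it; check them against your ADMX if a name reports "<not set>" while the GPO clearly applied.

```powershell
# Added example for this post; not the post's own script. Run in an elevated
# PowerShell on a domain-joined, BitLocker-enabled client.
$Drive    = 'C:'
$Computer = $env:COMPUTERNAME

# 1. Confirm the GPO reached the client. Settings land under the FVE policy key; the
#    value names below are the OS-drive policy names from the BitLocker ADMX as I read
#    it (assumption: verify against your ADMX if something reports <not set>).
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$expected = [ordered]@{
    OSActiveDirectoryBackup        = 1   # Save BitLocker recovery information to AD DS
    OSActiveDirectoryInfoToStore   = 1   # 1 = passwords and key packages, 2 = passwords only
    OSRequireActiveDirectoryBackup = 1   # Do not enable BitLocker until stored to AD DS
}
foreach ($name in $expected.Keys) {
    $actual = if ($fve -and $null -ne $fve.$name) { $fve.$name } else { '<not set>' }
    '{0,-32} expected {1}  actual {2}' -f $name, $expected[$name], $actual
}

# 2. The policy only triggers a backup when a protector is created, so drives encrypted
#    before it applied need their recovery passwords pushed by hand. This is the
#    PowerShell equivalent of: manage-bde -protectors -adbackup C: -id {GUID}
$vol      = Get-BitLockerVolume -MountPoint $Drive
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "$Drive has no RecoveryPassword protector; add one with: Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector"
}
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Pushed protector $($p.KeyProtectorId) on $Drive to AD DS"
}

# 3. Confirm from the AD side. Every backup creates an msFVE-RecoveryInformation child
#    of the computer object whose name ends in the protector's GUID. The recovery
#    password attribute is deliberately not read: anyone who can read it can unlock
#    the disk, so scripts should only touch it during an actual recovery.
$dn     = (Get-ADComputer -Identity $Computer).DistinguishedName
$stored = Get-ADObject -SearchBase $dn -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties whenCreated |
          ForEach-Object {
              if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}$') {
                  [pscustomobject]@{ Guid = $Matches[1].ToLower(); Created = $_.whenCreated }
              }
          }
foreach ($p in $recovery) {
    $id  = ($p.KeyProtectorId -replace '[{}]', '').ToLower()
    $hit = $stored | Where-Object Guid -eq $id
    if ($hit) { "OK       $id stored in AD DS at $($hit.Created)" }
    else      { "MISSING  $id not found under $dn (writable DC reachable? GPO applied?)" }
}
```

Step 3 matches on the object name rather than on msFVE-RecoveryGuid so the comparison is plain text on both sides; a MISSING line after step 2 reported a push usually means the client talked to a DC that has not replicated yet, or the account running the script cannot read the child objects.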

IIS SSL/TLS Certificate Setup – External CA

Simplistic, works for me, in my given scenario.

Create Certificate Request:

From the IIS server needing the new certificate, open IIS Manager:

- In the left window pane, select the server.
- In the center window pane, select "Server Certificates".
- In the right window pane, select "Create Certificate Request".
- Enter the information in the pop up window.
- Cryptographic Service Provider:
	"Microsoft RSA SChannel Cryptographic Provider"
- Bit Length:
	2048 (the floor public CAs accept today; use 3072 or 4096 if your CA and clients allow it)
- Provide a path and a name for the request certificate:
	C:\Users\Me\Desktop\csr.txt

Then copy/paste the csr.txt text into the request form in the certificate authority's web interface, or submit the request file to the certificate authority. The IIS wizard puts no Subject Alternative Name into the request, and browsers validate the hostname against the SAN rather than the Common Name, so make sure the CA's form lets you list every name the site answers on.

Install the SSL Certificate:

Once the certificate authority has provided you with the new certificate, log back onto the IIS server that you created the request on and open IIS Manager:

- In the left window pane, select the server.
- In the center window pane, select "Server Certificates".
- In the right window pane, select "Complete Certificate Request…".
- In the pop up window:
	Select the new certificate.
	Add a friendly name to help ID it.
	Select the "Web Hosting" certificate store.

Bind the new certificate to the web site:

- In the left window pane, select the web site 
	Possibly "Default Web Site", or maybe not.
- In the right window pane, select "Bindings…".
- In the "Site Bindings:" pop up, choose add or edit.  I'm doing edit here.
- Select "HTTPS" and click the "Edit" button.
- Select the new certificate.
- In the right window pane, under "Manage Website", restart the site.

Use a web browser to check the site and the new certificate expiration date. Also check that the browser shows a complete chain: if the CA's intermediate certificate is not in the server's Intermediate Certification Authorities store, IIS cannot send it and some clients will reject the connection even though the leaf certificate is fine.
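The same procedure driven from PowerShell on the IIS server, as an added example rather than the post's own steps: certreq builds the request (and, unlike the wizard, can put SANs in it), -accept pairs the issued certificate with the private key, the WebAdministration module creates the HTTPS binding, and a final TLS handshake checks what clients will actually see. Hostnames, the site name, the work folder and the file names are placeholders; the certificate lands in the LocalMachine\My (Personal) store rather than the "Web Hosting" store the wizard uses.

```powershell
# Added example for this post; not the post's own steps. Placeholders: www.example.com,
# example.com, C:\Certs, signed.cer, and the site name.
$Fqdn     = 'www.example.com'
$Site     = 'Default Web Site'
$Friendly = "$Fqdn $(Get-Date -Format yyyy)"
$Work     = 'C:\Certs'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Create the request. certreq reads an INF file; the [Extensions] block adds the
#    Subject Alternative Names that browsers validate against (the wizard cannot).
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
KeyUsage = 0xA0
FriendlyName = "$Friendly"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=example.com"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII
certreq -new "$Work\request.inf" "$Work\csr.txt"
# Submit csr.txt to the external CA and save the issued certificate as $Work\signed.cer.

# 2. Install. -accept matches the issued certificate to the pending private key and
#    stores it in LocalMachine\My. Install the CA's intermediate certificate as well,
#    or the server cannot send a complete chain.
certreq -accept "$Work\signed.cer"
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$Fqdn" |
        Sort-Object NotAfter -Descending | Select-Object -First 1

# 3. Bind. SslFlags 1 enables SNI so several names can share port 443.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $Site -Protocol https -HostHeader $Fqdn)) {
    New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $Fqdn -SslFlags 1
}
(Get-WebBinding -Name $Site -Protocol https -HostHeader $Fqdn).AddSslCertificate($cert.Thumbprint, 'My')
Restart-WebItem "IIS:\Sites\$Site"

# 4. Verify as a client would. AuthenticateAsClient throws if the served chain does
#    not validate, which is exactly the missing-intermediate case a browser would flag.
$tcp = [System.Net.Sockets.TcpClient]::new($Fqdn, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Fqdn)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "Served: $($served.Subject)  issuer: $($served.Issuer)  expires: $($served.NotAfter)  protocol: $($ssl.SslProtocol)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Step 4 resolves $Fqdn through DNS, so run it after the public record points at this server, or add a hosts entry first; a thrown exception there, with the binding otherwise correct, almost always means the intermediate is missing.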

VNC Server Setup on Rocky Linux 8.4 (Red Hat 8.4 Variants)

These instructions worked for me on Rocky Linux 8.4. The configuration instructions for various Red Hat 8.X VNC server setups have varied substantially over the 8.X versions.

These instructions do not set up an authenticated, encrypted channel, and VNC password authentication is weak on its own (the password is capped at 8 characters). Only use this setup on a known secure local network, or better, bind the server to localhost and use an SSH tunnel between the client and server.

The graphical system needs to be running at bootup:

systemctl set-default graphical.target

Install the VNC server binaries:

dnf install tigervnc-server

Configure the firewall to accept connections to the port. If the server is bound to localhost and reached over SSH, skip this step entirely and open nothing:

Note: The following steps are done per user, changing the display and port number for each user: ':1' = port 5901, ':2' = port 5902, etc. Use the zone printed by the first command in place of "public" if it differs.

 firewall-cmd --get-default-zone
 firewall-cmd --permanent --zone=public --add-port=5901/tcp
 firewall-cmd --reload

Create the VNC user password. The tool is vncpasswd (not vncpassword), and it silently truncates the password to 8 characters:

 su - <username>
 vncpasswd
     Note: View Only = "n"

Create a port mapping per user:

 echo ':1=<username>' >> /etc/tigervnc/vncserver.users

Create a systemd unit file. On 8.3 and later this copy is not strictly required, since the shipped template can be instantiated directly as vncserver@:1.service, but it does no harm:

 cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service

Enable and start the VNC service:

 systemctl enable vncserver@:1.service
 systemctl start vncserver@:1.service 

Get server status:

 systemctl status vncserver@:1.service
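The per-user procedure above, scripted with the localhost-plus-SSH-tunnel hardening, as an added example that is not part of the original post. It assumes the TigerVNC package layout from Rocky/RHEL 8.3 or later (vncserver.users and vncserver-config-defaults under /etc/tigervnc, the vncserver@.service template) and that the user has already run vncpasswd; the USERS_FILE and DEFAULTS_FILE variables exist so the non-privileged functions can be exercised against temporary files, and the privileged part only runs when invoked as "apply".

```sh
#!/bin/sh
# Added example for this post, not part of it. Per-user TigerVNC setup on Rocky/RHEL 8.3+
# with Xvnc bound to localhost and reached through an SSH tunnel, so no VNC port is opened
# in the firewall and the 8-character VNC password never crosses the network in the clear.
# Usage (as root):  ./vnc-user.sh apply <user> <display-number>
set -eu

USERS_FILE="${USERS_FILE:-/etc/tigervnc/vncserver.users}"
DEFAULTS_FILE="${DEFAULTS_FILE:-/etc/tigervnc/vncserver-config-defaults}"

# Display :N listens on TCP 5900+N; only needed here to build the ssh -L argument.
display_to_port() { echo $((5900 + $1)); }

# Append ":N=user" to the users file unless that display or that user is already mapped.
# On a conflict nothing is written and 1 is returned, so re-running cannot add duplicates.
map_display() {
    display="$1"; user="$2"; f="$3"
    [ -e "$f" ] || : > "$f"
    if grep -q "^:${display}=" "$f"; then
        echo "display :$display is already mapped in $f" >&2; return 1
    fi
    if grep -q "=${user}\$" "$f"; then
        echo "user $user is already mapped in $f" >&2; return 1
    fi
    echo ":${display}=${user}" >> "$f"
}

# Global Xvnc defaults (same option names as the shipped file). 'localhost' makes Xvnc
# refuse any non-loopback connection; tlsvnc first so even the loopback hop gets
# (anonymous) TLS, vncauth as the fallback. Overwrites the file, so keep a copy.
write_defaults() {
    cat > "$1" <<'EOF'
session=gnome
localhost
securitytypes=tlsvnc,vncauth
alwaysshared
EOF
}

# Path of the user's VNC password file; the service cannot start without it.
passwd_file() { printf '%s/.vnc/passwd\n' "$(getent passwd "$1" | cut -d: -f6)"; }

# Privileged steps. Refuses to enable the service before vncpasswd has been run,
# which is the usual reason a fresh vncserver@:N.service ends up failed.
apply() {
    user="$1"; display="$2"
    id "$user" >/dev/null
    if [ ! -s "$(passwd_file "$user")" ]; then
        echo "run 'vncpasswd' as $user first (8 characters max; longer input is truncated)" >&2
        exit 1
    fi
    map_display "$display" "$user" "$USERS_FILE"
    write_defaults "$DEFAULTS_FILE"
    systemctl set-default graphical.target
    systemctl enable --now "vncserver@:${display}.service"
    port=$(display_to_port "$display")
    echo "client side: ssh -L ${port}:127.0.0.1:${port} ${user}@<server>   then   vncviewer localhost:${display}"
}

case "${1:-}" in
    apply) shift; apply "$@" ;;
esac
```

With the listener on localhost, the client connects its vncviewer to localhost:1 on its own machine and SSH carries the session; the firewall-cmd step above becomes unnecessary, and an attacker on the LAN sees only the SSH connection.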