Monday, August 6, 2012

BitLocker to the rescue?

I have a Lenovo T410s laptop with Windows 7 Enterprise installed. Since it was issued to me by my company its initial configurations were performed by others. To protect sensitive data in the event of physical loss my company enabled BitLocker and the on-board Trusted Platform Module (TPM). Not sure what a TPM does? From Microsoft's website:

"A Trusted Platform Module (TPM) is a microchip that is built into a computer. It is used to store cryptographic information, such as encryption keys. Information stored on the TPM can be more secure from external software attacks and physical theft."

"BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen."

Couple of things to keep in mind when a TPM is used with BitLocker. If you start changing BIOS settings like boot order, e.g., boot to CD first or add a hard drive via the option bay and move it up within the boot order, you could be faced with a scary black screen like the following:


Now what you say? Well, if you have printed out your BitLocker recovery key prior to seeing the BitLocker Recovery Key screen, then you can just type it in. If this is an Enterprise managed deployment, then your Recovery Key may be escrowed in Active Directory as well. I try and make a habit of never calling technical support so I escrowed my key using the method below.

If you want to print your BitLocker Recovery Key do the following:

Right click on the logical Drive Letter where the O/S is stored, usually the C:\ drive (should have a padlock with key icon next to it if BitLocker is enabled for the drive. From the resulting menu select "Manage BitLocker", then select "Save or Print Recovery Key Again". I printed mine and kept it with me, but separate from my laptop at all times, i.e., don't keep the printed version in your laptop bag.

There's another issue with BitLocker which might surface depending on the type of changes you performed to your system. If you just changed the boot order that should be an easy fix, just reinstate the original boot order after using the BitLocker Recovery key to boot Windows. If you performed another type of change, you might continue to see the BitLocker Recovery Key screen on every subsequent reboot. The following is what happened to me.

Symantec EndPoint Protection is installed on my laptop and it does a scan every Friday. Although usually uneventful, this time it found something suspect and recommended I install the Symantec Endpoint Protection Support Tool. I downloaded and installed the tool and because of my extreme paranoia, I selected the check box next to the Symantec Power Eraser, including the check box next to "Add bootlog rootkit analysis", just to be sure. It took sometime to complete and when I rebooted I was met with the BitLocker Recovery Key screen containing the following text:

"The boot configuration Data (BCD) settings for the following boot application have changed since Bitlocker was enabled
boot appplication: \windows\system32\winload.exe
change settings: 0x26000090

You must supply a bitlocker recovery key to start this system.

Confirm that the changes to the BCD settings are trusted.

If the changes are trusted then suspend and resume bitlocker. This will reset bitlocker to use the new BCD settings.

Otherwise restore the original BCD settings"


Well, that's not good. So I entered my BitLocker Recovery Key and Windows booted fine, but on every subsequent reboot it kept asking for the Recovery Key, not good.

After reading the message above more closely I began looking for a way to suspend and resume BitLocker. Most of the methods I found relied upon the BitLocker management app within the Control Panel, unfortunately my company's great technology support group used Group Policy Objects (GPOs) to remove it. So I searched for an alternative method. I found several articles which confused "Pausing" BitLocker with "Suspending" BitLocker. Pause is related to pausing an ongoing BitLocker encryption process, like when it's first enabled. What I needed to do was "Suspend" and then "Resume" Bitlocker.

Here's what worked for me:

Search for cmd.exe, right click on it and select "Run as Administrator". Next, run the following commands:

Manage-bde.exe –protectors –disable c:

Manage-bde.exe –protectors –enable c:


After the commands completed, I rebooted and no more BitLocker Recovery Key screen on subsequent reboots.

Monday, April 23, 2012

System Time Issue on Dual Boot Win7 and BT5R2

I've been running a dual boot setup of Window 7 and BT5R2 and noticed the system time on each kept changing. I'd boot into Windows from BT5R2 and the system time would be way off. Did a little research and found the fix.

Open the /etc/default/rcS file:

nano /etc/default/rcS (file name is case-sensitive as usual under Linux)

Make sure the line containing UTC is set to no:

UTC=no

Save the file and exit.

Now make sure to set the correct time zone/clock settings for you location and when you reboot each operating system should reflect the correct time.

Time zone can be changed with the following command:

dpkg-reconfigure tzdata

You'll need to use sudo -i or just sudo in order to execute the command.

Saturday, April 7, 2012

BACKTRACK 5 R2 or BT5R2 Blank Screen Issue

I've been working with BackTrack for a bit and needed to install the BT5R2 variant on a Lenovo T410s. What I found is that it boots fine, but once I tried to load the GUI or xwindows I was greeted with a blank or black screen and a blinking caps lock; strange. Here's what I did to get BT5R2 installed:

Boot normally and login as the root user.

DO NOT execute the startx command yet.

Execute the following command below exactly as listed:

modprobe i915 modeset=1

The modprobe command will load the Intel video drivers and allow xwindows to load.

Now you can use the startx command to load the GUI or xwindows, whatever you want to call it.

Once in the GUI you can run the Install BackTrack script to load BT5R2 on to the hard drive.

Once BT5R2 is installed you'll need to make the following modifications to GRUB so the Intel video drivers will load on each subsequent reboot.

Execute the following command:

nano /etc/default/grub

Once the file is open, search for the following line:

GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"

Change the above line to the following:

GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 i915.modeset=1"

Now save and close the grub config file. Should be Ctrl + O, then Ctrl + X

Now execute the following command:

update-grub

Reboot and startx should work fine.

The solutions above were discovered/developed by others, although, in some cases, the direct solution path was not always obvious. If anything, I organized a collection of solutions and they worked for me. I hope this helps someone out.

Tuesday, March 27, 2012

Cisco Zone-Based Firewall

Here's a Zone-Based Firewall configuration proof-of-concept I put together for one of my clients. They needed to segment their PCI environment from their non-PCI environment with existing Cisco 2821 routers. This configuration requires the router to have an IOS with the firewall feature set included.

!BEGIN CONFIG

access-list 100 permit icmp any any
access-list 100 permit tcp host 10.0.4.132 host 10.0.2.132 eq www
access-list 100 permit udp host 10.0.4.132 host 10.0.2.132 eq tftp
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq 139
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq 445
access-list 100 permit tcp host 10.0.4.132 host 10.0.5.132 eq ftp

access-list 101 permit icmp any any
access-list 101 permit tcp host 10.0.5.132 host 10.0.4.132 eq 139
access-list 101 permit tcp host 10.0.5.132 host 10.0.4.132 eq 445
access-list 101 permit tcp host 10.0.2.132 host 10.0.4.132 eq 139
access-list 101 permit tcp host 10.0.2.132 host 10.0.4.132 eq 445


zone security pci_zone
description pci_network

zone security non_pci_zone
description non_pci_network

int fa0/1
zone-member security pci_zone

int fa0/0
zone-member security non_pci_zone

int s0/0/0
zone-member security non_pci_zone

class-map type inspect match-any store-protocols-class
match protocol ftp
match protocol dns
match protocol http
match protocol tcp
match protocol udp
match protocol icmp

class-map type inspect match-all store-protocols-acl-outbound-class
match class-map store-protocols-class
match access-group 100

class-map type inspect match-all store-protocols-acl-inbound-class
match class-map store-protocols-class
match access-group 101

policy-map type inspect store-outbound-policy
class type inspect store-protocols-acl-outbound-class
inspect

policy-map type inspect store-inbound-policy
class type inspect store-protocols-acl-inbound-class
inspect

zone-pair security pci-non_pci source pci_zone destination non_pci_zone
service-policy type inspect store-outbound-policy

zone-pair security non_pci-pci source non_pci_zone destination pci_zone
service-policy type inspect store-inbound-policy

!END CONFIG

Hope this helps someone out when trying to segment their PCI environments.

Friday, November 4, 2011

Cisco Router IOS Upgrade

I know the process for upgrading a Cisco router is very well documented, so this is just so I can find it next time without having to search the Internet.

From the router type:

config t

copy tftp: flash:

Then, enter the tftp server's IP Address when requested [10.0.0.1] without brackets

Enter the IOS binary name when requested [c3640-ik9o3s-mz.124-25d.bin] without brackets

File will copy and will probably ask to erase flash. I say ok, with the knowledge the existing image will be deleted. I'm ok with that, so I confirm it.

The image is copied to the router's flash memory.

Now I want to verify the image's integrity so I type the following command:

verify flash:c3640-ik9o3s-mz.124-25d.bin

As long as the image is ok, then I set the router system boot:

boot system flash:c3640-ik9o3s-mz.124-25d.bin

Then I save the configuration:

wr mem

Finally, I reload the router:

reload

Finished.