Justin Ho

tightness is key

Securing TomatoUSB WAN HTTPS interface and standalone Windows RDP connections with real, trusted SSL certificates

by Justin

I recently had to replace my router and got fed up with the SSL certificate warnings (from the self-issued/self-signed certificates) I received when I visited the HTTPS interface while I was configuring it. I also got fed up with constantly dismissing the RDP security warning every time I connected to my Windows servers. I decided to secure my TomatoUSB router administration page with a properly issued/trusted SSL certificate, and secure my RDP connections as well.

(Note: If your workstation(s) are a member of the domain that the server(s) are on, the locally self-issued certificates should already be trusted. I have a few boxes that are not a member of an Active Directory domain, that I wanted to secure.)

Assuming you're Class 2 verified, you can generate a certificate on startssl.com for no additional fee. They will issue certificates for any domains you own, with as many SANs as you need.

You can generate your private key locally, or just use the in-browser generation. Ensure the SAN list includes every DNS name you plan to use to reach the server(s) (e.g. server.domain.com as well as domain.com); a name that is not in the certificate will still produce a warning.

  1. Save your.key file
  2. Save your.crt file
  3. Save intermediate CA cert/pem (Class 2, likely). You can find this in Control Panel, Startcom CA Certificates.
  4. Append the intermediate CA cert to yours, so the file holds your certificate first and the Class 2 intermediate after it (the order TLS clients expect)
    cat Class2CAcert.crt >> your.crt
    (i.e. this modifies your.crt in place; `>>` appends rather than overwrites)
  5. Store these. The private key is still encrypted with the password, but be careful with it, and back it up.

Install the certificate onto your TomatoUSB router to secure the remote administration interface [1]. Ensure HTTPS is already enabled and that it's saved in NVRAM. (If you ever click "regenerate" on the admin page and click save, you'll need to do this again.)

  1. SSH into the router
  2. Transfer your.key and your.crt, and strip the passphrase from your.key (the router's httpd cannot prompt for one).
    openssl rsa -in your.key -out your.key
    (your.key is now unencrypted -- destroy this file after use.)
  3. Replace the "/etc/cert.pem" and "/etc/key.pem" files with your own cert files (your.crt and your.key, respectively)
    mv your.crt /etc/cert.pem
    mv your.key /etc/key.pem
  4. Tar up the cert and key and commit them to NVRAM (this is what survives a reboot; /etc is repopulated from it)
    tar -C / -czf /tmp/cert.tgz etc/cert.pem etc/key.pem
    nvram setfb64 https_crt_file /tmp/cert.tgz
    nvram commit
  5. Restart the httpd service so the new keys are used
    service httpd restart
    (You may need to close your browser and reopen it; simply refreshing may cause it to use some cached, non-HTTPS resources, resulting in a security warning.)
  6. Restart the router and confirm things are working when you access the admin interface, and hopefully flush out the decrypted private key from memory =).

Import the private key to your Windows machine.

  1. You'll need openssl to convert the .pem files to a .pfx for Windows. Your tomato router may be a reasonable place to do this if you don't have a reasonably secure machine with openssl installed.
    openssl pkcs12 -export -out your.pfx -inkey your.key -in your.crt -certfile Class2CAcert.crt
  2. Secure the pfx with a strong password.
  3. Transfer the pfx to your Windows machine.
  4. Open mmc.exe, File, Add/Remove Snap-in, add Certificates, pick Computer Account, Local computer
  5. Go into the Personal store, right click, All Tasks, Import
  6. Feed it the pfx file, type in the password, and the certificate and private key will be imported. Ideally, DO NOT allow the private key to be exported.
  7. Delete the pfx file locally.

Now, get your Windows box to use this certificate to secure RDP communications [2]:

  1. Double-click the certificate we imported above via the pfx. Select the Details tab.
  2. Scroll down to the Thumbprint field and copy the space-delimited hex string, and remove all the spaces from the string.
  3. Double-check the first character of the string -- the dialog often includes a non-visible character (U+200E, LEFT-TO-RIGHT MARK) there. Trim it out; what remains should be exactly 40 hex digits.
  4. In a Command prompt, set the RDP listener to use the thumbprint/hash: (replace THUMBPRINT with the value you got from the certificate)
    wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

    You can also accomplish this via PowerShell, which I've never tried:
    $path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
    Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="THUMBPRINT"}
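As an added example (not from the original post), here is a PowerShell version of steps 2 to 4 that strips the spaces and the invisible character from a pasted thumbprint, refuses anything that is not 40 hex digits, checks that the certificate is in the Local Computer Personal store with a private key, binds it with the CIM cmdlets instead of wmic, and re-reads the listener to confirm the change. The function names are mine; the listener name RDP-Tcp and the Win32_TSGeneralSetting class are the same ones the wmic command above uses, and the thumbprint in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original post: bind a certificate already in the
# Local Computer Personal store to the RDP-Tcp listener, with input checks.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)
    # The Details tab copies "ab cd ef ..." and often prefixes an invisible
    # U+200E LEFT-TO-RIGHT MARK. Keep only hex digits, then demand exactly 40.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA-1 thumbprint, got $($clean.Length): '$Raw'"
    }
    return $clean
}

function Get-RdpListener {
    Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Set-RdpCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp = ConvertTo-CleanThumbprint -Raw $Thumbprint

    # The listener can only use a certificate from LocalMachine\My that has a
    # private key; fail here rather than leave RDP on the self-signed cert.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$tp" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $tp expired on $($cert.NotAfter)" }

    Set-CimInstance -InputObject (Get-RdpListener) -Property @{ SSLCertificateSHA1Hash = $tp }

    # Re-read the listener: WMI accepts the write even when nothing changed.
    $after = (Get-RdpListener).SSLCertificateSHA1Hash
    if ($after -ne $tp) { throw "Listener reports $after, not $tp" }
    return $after
}

# Usage: paste the thumbprint exactly as copied from the dialog, LRM and all.
# (Placeholder thumbprint, constructed for the example.)
# Set-RdpCertificate -Thumbprint "$([char]0x200E)ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01"
```

Run it from an elevated prompt. If clients still see the self-signed certificate afterwards, check that NETWORK SERVICE (the account the listener runs under) has read access to the private key; the binding succeeds without it, but the listener silently falls back.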

Securing your connections with a properly issued certificate is ideal, particularly if you access these resources on public connections (WiFi hotspots, etc.), as it lets your client verify it is talking to the device you intend to reach rather than to something on the path impersonating it.


(Additional) Resources, further reading, etc.:

[1] TomatoUSB - use SSL certificates for WAN admin
http://tomatousb.org/tut:use-ssl-certificate-for-wan-admin

[2] Serverfault - Configure custom SSL certificate for RDP on Windows Server 2012
http://serverfault.com/questions/444286/configure-custom-ssl-certificate-for-rdp-on-windows-server-2012-in-remote-admini

BitLocker and Inception

by Justin

Problem:
Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other ways to hack a machine that doesn’t pack encryption. Inception is also useful for incident response teams and digital forensics experts when faced with live machines.

Windows/Bitlocker Mitigation:

Deploy the following two policy settings in a GPO under Computer Configuration (applies to all machines, regardless of which user is logged in) > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions.

"Prevent installation of drivers matching these device setup classes"
The following is the Plug and Play device setup class GUID for an SBP-2 drive:
d48179be-ec20-11d1-b6b8-00c04fa372a7

Prevent installation of devices that match these device IDs (Windows 8/Server 2012 only)
The following is the Plug and Play compatible ID for a Thunderbolt controller:
PCI\CC_0C0A

via http://support.microsoft.com/kb/2516445
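For a machine that is not domain-joined (the kind of box this blog keeps coming back to), the same two settings can be written to the local policy registry keys directly. The following is an added example, not from the KB or the original post; it assumes that the keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions are the ones the Device Installation Restrictions template writes (DenyDeviceClasses/DenyDeviceIDs with numbered string values, plus the Retroactive flags), which is my understanding of the template rather than something the page states. It also adds a check of what is currently enforced and a listing of any SBP-2 devices already present, since a device that bound before the policy is a DMA path the new-installs block does not remove by itself.

```powershell
# Added example, not from KB2516445 or the original post: local-registry form of
# the two Device Installation Restrictions settings above, for a standalone
# (non-domain) machine, plus a check of what is currently enforced.
# Assumption: these are the keys the policy ADMX template writes; confirm with
# rsop.msc or gpresult on a domain-joined box before relying on them.

$Restrictions  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$Sbp2ClassGuid = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'   # SBP-2 (IEEE 1394) setup class, braced as stored in the registry
$ThunderboltId = 'PCI\CC_0C0A'                              # Thunderbolt controller compatible ID

function Set-DmaDeviceRestrictions {
    foreach ($sub in 'DenyDeviceClasses', 'DenyDeviceIDs') {
        New-Item -Path "$Restrictions\$sub" -Force | Out-Null
    }
    # "Prevent installation of drivers matching these device setup classes"
    Set-ItemProperty -Path $Restrictions -Name DenyDeviceClasses -Type DWord -Value 1
    # Retroactive: also apply to devices installed before the policy existed
    Set-ItemProperty -Path $Restrictions -Name DenyDeviceClassesRetroactive -Type DWord -Value 1
    Set-ItemProperty -Path "$Restrictions\DenyDeviceClasses" -Name '1' -Type String -Value $Sbp2ClassGuid

    # "Prevent installation of devices that match these device IDs" (Windows 8/Server 2012 per the KB)
    Set-ItemProperty -Path $Restrictions -Name DenyDeviceIDs -Type DWord -Value 1
    Set-ItemProperty -Path $Restrictions -Name DenyDeviceIDsRetroactive -Type DWord -Value 1
    Set-ItemProperty -Path "$Restrictions\DenyDeviceIDs" -Name '1' -Type String -Value $ThunderboltId
}

function Get-NumberedValues {
    param([string]$Key)
    # The policy stores its list entries as string values named 1, 2, 3, ...
    (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

function Test-DmaDeviceRestrictions {
    # True only when both denials are switched on and list the expected entries.
    if (-not (Test-Path $Restrictions)) { return $false }
    $top     = Get-ItemProperty -Path $Restrictions
    $classes = @(Get-NumberedValues "$Restrictions\DenyDeviceClasses")
    $ids     = @(Get-NumberedValues "$Restrictions\DenyDeviceIDs")
    return [bool]( ($top.DenyDeviceClasses -eq 1 -and $classes -contains $Sbp2ClassGuid) -and
                   ($top.DenyDeviceIDs -eq 1 -and $ids -contains $ThunderboltId) )
}

function Get-PresentSbp2Devices {
    # Anything already bound to the SBP-2 class is a DMA path the policy has
    # not removed yet; expect this to be empty after a reboot with Retroactive set.
    Get-CimInstance -ClassName Win32_PnPEntity -Filter "ClassGuid='$Sbp2ClassGuid'" |
        Select-Object Name, DeviceID, Status
}

# Usage (elevated):  Set-DmaDeviceRestrictions; Test-DmaDeviceRestrictions; Get-PresentSbp2Devices
```

On a domain-joined machine, set this through the GPO as the post describes instead; a domain policy that configures these settings will overwrite the local values at the next refresh.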


Caveats of Inception:
Inception may not work reliably against machines with more than 4 GiB RAM
You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM

Further reading:
http://www.breaknenter.org/projects/inception/?mwh=1
https://github.com/carmaa/inception



Building a Supermicro 5017C-MF Server

by Justin

I needed to refresh some server hardware, so I decided to get a (lower end) 1U server with enough storage to run VMs, and with enough NIC ports to run pfSense and TMG in Hyper-V. This allows me to shut down my IBM xSeries 226 (8648) and further reduce electricity consumption (the 2.8GHz Xeon Nocona is 103W TDP!). I can use any additional memory and CPU to run VMs via iSCSI.

I settled on:

  • Supermicro 5017C-MF LGA 1155 Intel C202 DDR3 1333/1066/800 (X9SCL-F board)
  • Intel Xeon Quad-Core Processor E3-1230V2 3.3GHz 5.0GT/s 8MB LGA1155 CPU (69w TDP)
  • 4x Samsung DDR3-1600 8GB/1Gx72 ECC Samsung Chip Server Memory - M391B1G73BH0-CK0
  • Intel G2 160GB SSD for host, WD Velociraptor 1TB WD1000DHTZ for some local VMs
  • Intel 2 port gigabit server adapter (E1G42ET)

Comments:

  • As before, I installed the IPMIView utility and performed the OS install over the network.
  • Fans are nice and quiet once it's started. Board only has SATA II ports, so I put in a G2 SSD.

vmms.exe failed to start worker process: Logon failure: the user has not been granted the requested logon type at this computer. (0x80070569)

by Justin

Problem:

 I have some domain policies (2008R2 Domain Controller) in place that grant specific domain accounts permission to logon as a service.

After joining my Server 2012 machine to the domain, I noticed that my Hyper-V machines were no longer starting:

“An error occurred while attempting to start the selected virtual machine(s)… failed to start worker process: Logon failure: the user has not been granted the requested logon type at this computer. (0x80070569).”

In Event Log, Event ID 4625 is logged against SYSTEM / NULL SID / NT VIRTUAL MACHINE, stating "The user has not been granted the requested logon type at this machine" for vmms.exe.

Workaround (2012-AUG-19):

No time to actually figure out what changed, so I opened up the policy where I add these domain accounts and added SYSTEM, LOCAL SERVICE, NETWORK SERVICE to the list, and ran a gpupdate /force so it would pick up the new values.

Better workaround (2012-NOV-15):

Install Group Policy Management (feature) on the Hyper-V host, log in as a domain admin, and add "NT Virtual Machine\Virtual Machines" to the policy where the "Log on as a service" values are defined. A user rights assignment set in Group Policy replaces the local list rather than merging with it, so the Virtual Machines group that Hyper-V worker processes run under lost the right as soon as the domain policy applied. See http://support.microsoft.com/kb/2779204


Note that on my Server 2008R2 Domain Controller, it seems to imply that these 3 accounts have a built-in right to log on as a service.
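To confirm that either workaround actually took effect on the host (rather than guessing from the next VM start), the following added example, not from the original post, exports the effective "Log on as a service" assignment with secedit and checks for the Virtual Machines group. secedit writes user rights as SIDs prefixed with '*'; NT VIRTUAL MACHINE\Virtual Machines is the well-known SID S-1-5-83-0. The function names are mine.

```powershell
# Added example, not from the original post: show the effective "Log on as a
# service" holders on a Hyper-V host and check for NT VIRTUAL MACHINE\Virtual Machines.

$VirtualMachinesSid = 'S-1-5-83-0'   # well-known SID of NT VIRTUAL MACHINE\Virtual Machines

function Get-ServiceLogonRight {
    # Returns the entries holding SeServiceLogonRight as currently applied,
    # i.e. after any domain GPO has been merged in, as '*SID' or plain names.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $inf | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }
        return @(($line -replace '^\s*SeServiceLogonRight\s*=\s*', '') -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    } finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Resolve-RightHolder {
    param([string]$Entry)
    # Translate '*S-1-5-83-0' style entries to account names; leave names as-is.
    if ($Entry.StartsWith('*')) {
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$Entry.TrimStart('*')
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Entry }
    }
    return $Entry
}

function Test-VmWorkerLogonRight {
    $holders = Get-ServiceLogonRight
    Write-Host 'SeServiceLogonRight is held by:'
    $holders | ForEach-Object { Write-Host ("  {0}" -f (Resolve-RightHolder $_)) }
    return [bool]($holders -contains "*$VirtualMachinesSid" -or
                  $holders -contains 'NT VIRTUAL MACHINE\Virtual Machines')
}

# Usage (elevated): Test-VmWorkerLogonRight   # $true once the fix has applied
```

If this returns $false after a gpupdate /force, the right is being set by a domain policy that does not list the group, which is exactly the case the better workaround above addresses; editing the local security policy alone will be overwritten at the next refresh.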

Deploying Server 2012 over IPMI/remote

by Justin

I only have 2 physical servers that run most of my internal infrastructure, so I didn't need to automate the installation process. Instead, I needed to do it remotely, since I'm not in the same city as my servers!

Things worked well.

  • Before: note MAC addresses of adapters connected to various networks on the physical host.
  • Before: Detach VHDs from VMs, export configuration. This eliminates the need to reactivate your KMS.
  • Updated IPMI firmware to latest via SuperMicro's site -- but Java still kept crashing when I attempted to mount the ISO from my other physical host.
  • I updated my Adaptec 5805 firmware, from 17899 to 18948. Took a look at http://ask.adaptec.com/app/answers/detail/a_id/16914 but it didn't apply to me.
  • With this done, I mounted the image over USB, rebooted the system, waited for Adaptec BIOS to POST, then entered SuperMicro BIOS and ensured the USB CD/DVD ROM device was set first in boot order.
  • It took about a minute for the installation dialog to appear -- just sat at the screen with a mouse cursor.
  • The 100MB bootloader partition is now 300MB. I had allocated 80.1GB before for my physical system -- if I were starting fresh, I'd do 80.4GB just to be safe.


Force Search Indexing to go faster

by Justin

After a fresh format, I usually restore my Outlook OST file to avoid syncing it again -- but it still takes an eternity for the search index to rebuild. I decided to disable the backoff behaviour that causes it not to index while there's user activity; Outlook was done indexing in about an hour.

This is the registry key/value you want:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager
     DisableBackoff = 1 (DWORD)



Two Finger Scroll on Windows 8 Release Preview

by Justin

Problem:

Two Finger Scroll doesn't work. I get error message Class not registered, ClassID: {9C042297-D1CD-4F0D-B1AB-9F48AD6A6DFF} even with the Lenovo Win8 Synaptics driver installed.

Solution:

From an elevated command window:

  • c:\windows\syswow64\regsvr32.exe c:\windows\system32\syncom.dll
  • c:\windows\syswow64\regsvr32.exe c:\windows\system32\synctrl.dll
Now I'm happily scrolling =).

Anecdotal disk performance of Adaptec 6805 hardware RAID containers with Windows Server 2012 Release Candidate

by Justin

Configuration

  • Adaptec 6805 v5.2.0.19076 (firmware, driver, etc.)
  • Windows Server 2012 Release Candidate
  • SuperMicro 846E26-R1200B (24 drive bay w/SAS expander) -- 1 single SFF-8087 connected to Adaptec for all 24 drives
  • Supermicro X9DRI-LN4F+-O w/Dynatron R8 heatsink under shroud, Xeon E5-2620, 2x16GB ECC/REG HMT42GR7MFR4C-PB

Anecdotal, unscientific ATTO performance numbers

  Configuration:
  • RAID5, 256kb stripe on all volumes
  • BBU installed, write/read cache enabled

4x7K3000


4xHD203UI


5x5K3000


Crucial m4 256GB SSD on ThinkPad X201

by Justin

I've been running an X201 (latest BIOS, etc.) on Windows 7 SP1 with a Crucial M4 256GB SSD.

These are only two random data points (hardly conclusive) but I won't be updating firmware on this drive for the next little while... 000F is apparently only relevant if you're attaching it to a SAS backplane.


  • December 20 2011 -- RMAed
    Latest BIOS - 1.37, Latest SATA drivers, X201
    2 identical systems -- moved this SSD to other system and causes the same problem
    HDD diag: Pass Controller diag
    Error code 0000: Read verification failed
    Firmware 0009
    P/N CT256M4SSD2
  • May 30 2012 -- RMAed again
    Flashed to firmware 000F, hit the same problem. Started getting BSOD in Windows, even after SSD power cycle