krypted.com

Tiny Deathstars of Foulness

I’m not sure this format is working for me, but I’m still doing my initial series of articles for Inc. The latest is tips on employee retention, available at http://www.inc.com/charles-edge/how-to-keep-your-best-employees-from-walking-out-the-door.html

February 4th, 2017

Posted In: Articles and Books


Well, I guess we interviewed Joel again. And then again! Have a listen!

Oh, and <3 Franton: https://www.youtube.com/watch?v=t8HTWZgd_UM

February 3rd, 2017

Posted In: MacAdmins Podcast


When you’re regression testing, you usually don’t want any delays in your scripts beyond the sleeps you put there on purpose. By default, Safari waits a short internal delay before the initial layout of a page, which I’d totally forgotten about. So if your GUI scripts (yes, I know, yuck) are taking too long to run, try this and see if it helps:

defaults write com.apple.Safari WebKitInitialTimedLayoutDelay 0

With a script I was recently working on, this made the thing take about an hour less. Might help for your stuff, might not.

If not, to undo:

defaults delete com.apple.Safari WebKitInitialTimedLayoutDelay

Enjoy.

February 1st, 2017

Posted In: Mac OS X Server, Mac Security


IIS Express is a lightweight, user-mode web server for Windows aimed at application developers. It is handy for things like webhooks, where something needs to accept an HTTP POST request and respond to it. Each IIS Express site is configured per user, because it is written as a development tool rather than a production server.

Many web applications talk to one another on a specific port. When you’re using IIS Express, you’ll need a binding for that port that accepts connections from other hosts, because by default IIS Express only listens for the developer’s own machine. To do so, open the IIS Express config file at %userprofile%\documents\iisexpress\config\applicationhost.config (it lives under the user profile because, again, the configuration is per user). By default, a binding restricts the host to localhost, as you can see below:

<binding protocol="http" bindingInformation="*:8443:localhost" />

Copy this line and paste it directly below the first instance, replacing localhost with * (keep the first line, or your dev tools can’t connect to the server):

<binding protocol="http" bindingInformation="*:8443:*" />

Again, make sure to leave the first binding in place. Then restart IIS Express and you’re good. Bear in mind that the wildcard exposes a development server, over plain http, to every host that can reach that port, so pair it with a firewall rule scoped as tightly as you can.
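The same edit done from a script, as an added example (this is not code from the original post or from IIS Express): it duplicates the localhost binding line for the named site with the wildcard host, keeps the localhost line, and does nothing on a second run. The site name WebhookSite, the port and the SAMPLE_CONFIG fragment are assumptions for illustration.

```python
"""Add an external binding beside IIS Express's localhost binding.

Added example, not from the original post. The edit is line-based on
purpose: rewriting applicationhost.config through ElementTree would drop the
comments and XML declaration in the real file. ElementTree is used only to
validate the XML and to report which hosts are bound.
"""
import os
import shutil
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of applicationhost.config (only the parts
# this script touches; a real file has far more). Assumption for illustration.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="WebhookSite" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:8443:localhost" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def _find_site(root, site_name):
    for site in root.iter("site"):
        if site.get("name") == site_name:
            return site
    raise ValueError(f"site {site_name!r} not found")


def binding_hosts(xml_text, site_name, port):
    """Hosts bound on `port` for the site, e.g. ['*', 'localhost']."""
    site = _find_site(ET.fromstring(xml_text), site_name)
    hosts = []
    for b in site.iter("binding"):
        _ip, bport, host = b.get("bindingInformation", "").split(":", 2)
        if bport == str(port):
            hosts.append(host)
    return sorted(hosts)


def add_external_binding(xml_text, site_name, port, host="*"):
    """Return (new_xml_text, changed).

    Inserts a copy of the localhost binding line with `host` right below it,
    exactly what the post does by hand. Refuses to run if the localhost
    binding is missing (so the site never ends up reachable only from
    outside) and is a no-op if the wildcard binding is already there.
    """
    hosts = binding_hosts(xml_text, site_name, port)  # also validates the XML
    if host in hosts:
        return xml_text, False
    if "localhost" not in hosts:
        raise ValueError(f"no localhost binding on port {port}; not exposing it")
    local = f'bindingInformation="*:{port}:localhost"'
    lines = xml_text.splitlines(keepends=True)
    inside = False
    for i, line in enumerate(lines):
        if f'<site name="{site_name}"' in line:
            inside = True
        if "</site>" in line:
            inside = False
        if inside and "<binding" in line and local in line:
            wildcard = line.replace(local, f'bindingInformation="*:{port}:{host}"')
            lines.insert(i + 1, wildcard)  # keeps the original's indentation
            return "".join(lines), True
    raise ValueError("localhost binding line not found in the site block")


def patch_config(site_name, port, path=None):
    """Edit the per-user config in place, keeping a .bak copy (Windows only)."""
    path = path or os.path.expandvars(
        r"%USERPROFILE%\Documents\IISExpress\config\applicationhost.config")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = add_external_binding(text, site_name, port)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    out, changed = add_external_binding(SAMPLE_CONFIG, "WebhookSite", 8443)
    print(changed, binding_hosts(out, "WebhookSite", 8443))
```

Run `patch_config("WebhookSite", 8443)` on the box, then restart IIS Express. A non-localhost binding also needs an http.sys URL reservation (`netsh http add urlacl url=http://*:8443/ user=Everyone`) or an elevated IIS Express, and a firewall rule for the port, which is what the next post covers.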

January 28th, 2017

Posted In: Windows Server


Here ya’ go!

netsh advfirewall firewall add rule name="KryptedWebhook" dir=in protocol=tcp localport=8443 profile=private remoteip=any action=allow

Wait, what’s that?!?! Let’s break down the options I used here:

  • advfirewall: the netsh context for Windows Firewall with Advanced Security (the newer firewall, as opposed to the old firewall context).
  • firewall: the sub-context for firewall rules.
  • add: I’m adding a new rule. I also could have used delete along with the rule name to remove one, show to display one, or set to change an existing one.
  • rule: It’s all about rules. Each rule matches traffic (by port, protocol, address, program and so on) and applies an action.
  • name: Every rule needs a name, and the name is how delete, set and show find the rule again, so keep names unique. If programmatically creating rules, I’ve found it undesirable to use a counter and instead moved to using GUIDs and a hash table.
  • dir: The direction traffic is flowing. in matches incoming traffic, out matches outgoing traffic.
  • protocol: Typically tcp or udp; for pings use icmpv4 or icmpv6 (a type and code can follow, e.g. icmpv4:8,any for echo requests).
  • localport: The local port to match (there’s also a remoteport option for matching the port on the far end of the connection).
  • profile: The network profile(s) the rule applies to: domain, private, public or any. I mostly use private.
  • remoteip: Set to any here, but it can be set to given addresses or subnets for increased security (yes, I know people can spoof these, so your version of the word “security” might be different).
  • action: I used allow, but it could have been block (which denies traffic) or bypass (which only applies to IPsec-authenticated traffic and requires the security option).

For further security, I might add the security option, which requires the matching connection to be authenticated (and optionally encrypted) with IPsec rather than trusting the remote address alone. You can

You might also need to allow traffic for a given app. To do so, let’s add a rule that does that; the only option not mentioned above is program, which is the path to the binary we’re allowing:

netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\kryptedscripts\kryptedcompiledwebapp.exe" enable=yes

To then see the rules and validate that your rules were indeed installed, use:

netsh advfirewall firewall show rule name=all

The reason I call this quick and dirty is that I’m really only covering a small subset of options. Additionally, it would be a bit more modern to do this via PowerShell using New-NetFirewallRule or one of the many, many other cmdlets, such as Copy-NetFirewallRule, Enable-NetFirewallRule, Disable-NetFirewallRule, Get-NetFirewallAddressFilter, Get-NetFirewallApplicationFilter, Get-NetFirewallInterfaceFilter, Get-NetFirewallInterfaceTypeFilter, Get-NetFirewallPortFilter, Get-NetFirewallRule, Get-NetFirewallSecurityFilter, New-NetFirewallRule, Open-NetGPO (because you can configure the firewall through a GPO), Remove-NetFirewallRule, Rename-NetFirewallRule, Save-NetGPO, Set-NetFirewallRule, Set-NetFirewallSetting, and Show-NetFirewallRule.
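Two of the points above (GUID-named rules for programmatic creation, and checking with show rule that the rules really landed) in code, as an added example that is not part of the original post: it builds the add rule command line with a uuid4-based name, parses the output of `netsh advfirewall firewall show rule name=all` into dicts, confirms a named rule allows the expected port, and flags inbound allows that are wider than they need to be. SAMPLE_SHOW_RULE is constructed in the shape of that output, not captured from a real host, and the rule and program names are the ones used in the post.

```python
"""Build and audit Windows Firewall rules from outside netsh.

Added example, not from the original post. Only `current_rules` and actually
running the argv need a Windows host; parsing and auditing run anywhere.
"""
import subprocess
import uuid

# Constructed sample in the shape of `show rule name=all` output (assumption:
# a real dump has a blank line between rules, which the parser tolerates).
SAMPLE_SHOW_RULE = """
Rule Name:                            KryptedWebhook
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            8443
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            My Application
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
Program:                              C:\\kryptedscripts\\kryptedcompiledwebapp.exe
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""


def add_rule_argv(port, profile="private", remoteip="any", program=None):
    """argv for `netsh advfirewall firewall add rule ...` with a uuid4-based
    name, so programmatic callers never collide on the rule name."""
    name = f"krypted-{uuid.uuid4()}"
    argv = ["netsh", "advfirewall", "firewall", "add", "rule", f"name={name}",
            "dir=in", "action=allow", "protocol=tcp", f"localport={port}",
            f"profile={profile}", f"remoteip={remoteip}", "enable=yes"]
    if program:
        argv.append(f"program={program}")
    return name, argv


def parse_show_rule(text):
    """One dict per rule ('Rule Name', 'Direction', 'LocalPort', ...).
    Splitting on the first colon only keeps values like C:\\path intact."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.partition(":")[2].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return rules


def rule_allows(rules, name, port, protocol="TCP"):
    """True if an enabled inbound allow rule called `name` covers port/protocol."""
    for r in rules:
        if r.get("Rule Name") == name:
            return (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                    and r.get("Action") == "Allow"
                    and r.get("Protocol", "").upper() in (protocol.upper(), "ANY")
                    and r.get("LocalPort") in (str(port), "Any"))
    return False


def risky_inbound(rules):
    """Enabled inbound allows open to any remote address that also apply on
    the Public profile or are not pinned to a port: review these first."""
    hits = []
    for r in rules:
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"
                and ("Public" in r.get("Profiles", "")
                     or r.get("LocalPort") == "Any")):
            hits.append(r["Rule Name"])
    return hits


def current_rules():
    """Live rules from the local host (Windows only)."""
    out = subprocess.run(["netsh", "advfirewall", "firewall", "show", "rule",
                          "name=all"], check=True, capture_output=True,
                         text=True).stdout
    return parse_show_rule(out)


if __name__ == "__main__":
    rules = parse_show_rule(SAMPLE_SHOW_RULE)
    print("webhook rule ok:", rule_allows(rules, "KryptedWebhook", 8443))
    print("review:", risky_inbound(rules))
    print(" ".join(add_rule_argv(8443)[1]))
```

On the sample, the port-scoped private-profile webhook rule passes and the program rule is flagged, because it is open to any remote address on the Public profile on every port; that is the kind of rule the remoteip and profile options exist to narrow.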

January 27th, 2017

Posted In: Windows Server, Windows XP


My latest Inc article is up. It’s some tips for people just moving into management. Hope you find it helpful in some way shape or form:

You’re a manager now. Congratulations!

Now what?

First-time managers often face a challenge in developing the unique skills needed to lead people. It’s a journey that can seem daunting at first and is filled with traps.

To read more, check out http://www.inc.com/charles-edge/youre-the-boss-now-here-are-10-things-you-should-do.html

January 26th, 2017

Posted In: Uncategorized

The “What’s New in macOS” page for Sierra (10.12) lays out a little known change that a colleague at Jamf was working on the other day (hat tip to Brock):

Starting in macOS 10.12, you can no longer provide external code or data alongside your code-signed app in a zip archive or unsigned disk image. An app distributed outside the Mac App Store runs from a randomized path when it is launched and so cannot access such external resources. To provide secure execution, code sign your disk image itself using the codesign tool, or distribute your app through the Mac App Store. For more information, see the updated revision to macOS Code Signing In Depth.

This is further explained in the equally misnamed “OS X Code Signing In Depth”:

If using a disk image to ship an app, users should drag the app from the image to its desired installation location (usually /Applications) before launching it. This also applies to apps installed via ZIP or other archive formats or apps downloaded to the Downloads directory: ask the user to drag the app to /Applications and launch it from there.

This practice avoids an attack where a validly signed app launched from a disk image, ZIP archive, or ISO (CD/DVD) image can load malicious code or content from untrusted locations on the same image or archive. Starting with macOS Sierra, running a newly-downloaded app from a disk image, archive, or the Downloads directory will cause Gatekeeper to isolate that app at an unspecified read-only location in the filesystem. This will prevent the app from accessing code or content using relative paths.

The gist is, if an app isn’t distributed through the Mac App Store, Gatekeeper now applies “Gatekeeper Path Randomization” (App Translocation) to a quarantined app launched straight from a disk image, archive, or the Downloads folder: the app runs from a randomized read-only location, so it can’t find files that sit next to it. Basically, treat an app on a mounted image as if it were coming from a Safari download. There are a few ways to distribute app bundles or binaries that don’t trip over this. One is to code sign the disk image itself with codesign (the guidance quoted above) and then verify that Gatekeeper accepts the image:

spctl -a -t open --context context:primary-signature -v /Volumes/MyApp/MyAppImage.dmg

If spctl runs properly, you should see the following:

/Volumes/MyApp/MyAppImage.dmg: accepted source=mydeveloperid

In the above spctl command, we use the following options:

  • -a assesses the file you indicate (required for this operation)
  • -t specifies the assessment type; open is the type used for documents and disk images (as opposed to execute or install)
  • --context context:primary-signature assesses the image’s own (primary) code signature rather than the contents it carries
  • -v run verbosely so I can build error handling into any scripts
  • --status while I don’t use it here, spctl --status reports whether Gatekeeper assessments are enabled at all, which a script should check before trusting an “accepted” verdict
  • --remove I also don’t use remove; spctl --add and --remove manage explicit rules in the assessment database, whereas -a only assesses, so there is nothing to undo after the command above

For more on managing Gatekeeper from the command line, see http://krypted.com/mac-security/manage-gatekeeper-from-the-command-line-in-mountain-lion/.

Another method is to remove the com.apple.quarantine attribute, which Launch Services applies automatically to downloaded files, using xattr as follows. Note that this doesn’t satisfy Gatekeeper so much as switch it off for that app, so only do it for software you have vetted, and if the image is mounted read-only (typical for distribution images) you’ll need to copy the app out first:

xattr -r -d com.apple.quarantine /Volumes/MyApp/MyAppImage.app

The options in the above use of the xattr command:

  • -r run recursively so we catch every file inside the app bundle, not just the bundle directory
  • -d delete the com.apple.quarantine attribute

xattr has a lot of different uses; you can programmatically manage Finder tags with it, http://krypted.com/mac-os-x/command-line-finder-tags/. To see the full xattr dump on a given file, use the -l option (it takes only the file, not an attribute name) as follows:

xattr -l MyAppImage.dmg

The output is as follows:

MyAppImage.dmg: com.apple.metadata:kMDItemDownloadedDate:
00000000 62 70 6C 69 73 74 30 30 A1 01 33 41 BE 31 0B A5 |bplist00..3A.1..|
00000010 70 D4 56 08 0A 00 00 00 00 00 00 01 01 00 00 00 |p.V.............|
00000020 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 13 |.....|
00000035
MyAppImage.dmg: com.apple.metadata:kMDItemWhereFroms:
00000000 62 70 6C 69 73 74 30 30 A1 01 5F 10 22 63 69 64 |bplist00.._."cid|
00000010 3A 69 6D 61 67 65 30 30 31 2E 70 6E 67 40 30 31 |:myappimage.dmg@01|
00000020 44 32 36 46 46 44 2E 35 37 31 30 37 30 46 30 08 |D26FFD.571070F0.|
00000030 0A 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 |................|
00000040 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 2F |/|
00000051

This could be helpful when troubleshooting and/or scripting (or it’s just way too much information!). Both values are binary plists (note the bplist00 header), which is why xattr shows them as hex dumps.

Finally, if you’re an application developer, check out the new App Translocation API in the 10.12 SDK (<Security/SecTranslocate.h>). I guess one way to think of this is… Apple doesn’t want you running software this way any more. And traditionally they lock things down further, not less, so probably best to find alternatives to running apps out of images, from a strategy standpoint.
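Decoding those attributes in a script, as an added example that is not part of the original post or of Apple’s tooling: the kMDItemDownloadedDate bytes are the ones from the dump above, while the com.apple.quarantine string and the kMDItemWhereFroms list are constructed samples. The layout of com.apple.quarantine (flags;hex epoch seconds;agent;event id) is the attribute’s known shape rather than something the post shows. This is the evidence you would want to look at before deciding to strip the attribute.

```python
"""Decode the extended attributes macOS stamps on downloaded files.

Added example, not from the original post. plistlib handles the binary
plists that xattr -l shows as hex; com.apple.quarantine is a plain string.
Only read_xattr/describe need a Mac; the decoders run anywhere.
"""
import plistlib
import subprocess
from datetime import datetime, timezone

# kMDItemDownloadedDate exactly as dumped above (53 bytes): a one-element
# array holding a date stored as seconds since 2001-01-01.
DOWNLOADED_DATE_BYTES = bytes.fromhex(
    "62 70 6C 69 73 74 30 30 A1 01 33 41 BE 31 0B A5 "
    "70 D4 56 08 0A 00 00 00 00 00 00 01 01 00 00 00 "
    "00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 13"
)
# Constructed samples (not from a real download).
SAMPLE_QUARANTINE = "0083;588ce1a0;Safari;8F2A4C62-3D55-4E3B-9D7A-0C7E2F1B5A90"
SAMPLE_WHERE_FROMS = plistlib.dumps(
    ["https://example.com/downloads/MyAppImage.dmg",
     "https://example.com/downloads/"],
    fmt=plistlib.FMT_BINARY)


def read_xattr(path, name):
    """Raw bytes of one attribute via `xattr -px` (hex output; macOS only).
    Raises CalledProcessError if the attribute is absent."""
    out = subprocess.run(["xattr", "-px", name, path], check=True,
                         capture_output=True, text=True).stdout
    return bytes.fromhex(out.replace("\n", " "))


def parse_quarantine(value):
    """'flags;seconds-since-epoch-in-hex;agent;event-uuid'. The uuid keys the
    entry in Launch Services' QuarantineEvents database."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(fields[0], 16),
        "timestamp": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2],
        "event_id": fields[3] if len(fields) > 3 else None,
    }


def decode_where_froms(raw):
    """kMDItemWhereFroms -> [download URL, referrer URL] (referrer may be absent)."""
    value = plistlib.loads(raw)
    if not isinstance(value, list):
        raise ValueError("kMDItemWhereFroms should be a plist array")
    return [str(v) for v in value]


def decode_downloaded_date(raw):
    """kMDItemDownloadedDate -> datetime (plistlib returns naive UTC)."""
    value = plistlib.loads(raw)
    return value[0] if isinstance(value, list) else value


def describe(path):
    """Quarantine state and download provenance of a real file (macOS only)."""
    info = {}
    try:
        info["quarantine"] = parse_quarantine(
            read_xattr(path, "com.apple.quarantine").decode())
    except subprocess.CalledProcessError:
        info["quarantine"] = None  # not quarantined: Gatekeeper won't assess it
    for key, fn in (("com.apple.metadata:kMDItemWhereFroms", decode_where_froms),
                    ("com.apple.metadata:kMDItemDownloadedDate",
                     decode_downloaded_date)):
        try:
            info[key.rsplit(":", 1)[1]] = fn(read_xattr(path, key))
        except subprocess.CalledProcessError:
            info[key.rsplit(":", 1)[1]] = None
    return info


if __name__ == "__main__":
    print(parse_quarantine(SAMPLE_QUARANTINE))
    print(decode_where_froms(SAMPLE_WHERE_FROMS))
    print(decode_downloaded_date(DOWNLOADED_DATE_BYTES))
```

A missing com.apple.quarantine attribute means Gatekeeper (and App Translocation) won’t touch the app at all, which is exactly why `xattr -d` works and why it should be reserved for software whose origin, as recorded in kMDItemWhereFroms, you actually trust.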

January 25th, 2017

Posted In: Mac OS X, Mac Security


The latest Huffington Post article starts out a little like this:

A great idea, hard work, good counsel, research, and inspiration from others are great ways to find success in business. But sometimes, try as we might, we just seem… blocked… Energy flows through a business, much as it flows through a body. And things like momentum need that energy to ignite into tornadoes of business.

To read the rest, check out http://www.huffingtonpost.com/entry/5886cdfee4b08f5134b62434

January 24th, 2017

Posted In: Articles and Books

January 23rd, 2017

Posted In: MacAdmins Podcast

Built a quick extension attribute for Jamf Pro environments to check if TouchID is enabled and report back a string in $result – this could easily be modified and so I commented a few pointers for environments that might need to modify it (e.g. to check for user-level as it’s currently system-level). To see/have the code, check https://github.com/krypted/TouchID_check.

January 18th, 2017

Posted In: JAMF, Mac Security

