Jared Heinrichs


Archives for September 2010

Sep 29, 2010 By Jared Heinrichs

Highway to Powershell

For all of you who understand why PowerShell is better than any of those other shells. 😉

PS – The new theme for jaredheinrichs.com should be up within the next two weeks.

Filed Under: Powershell

Sep 15, 2010 By Jared Heinrichs

Internet Explorer 9 Beta Download

I just wanted to send out a quick post on where one can download it!

Hope this helps!

http://windows.microsoft.com/en-US/internet-explorer/download/ie-9/worldwide

Filed Under: Internet Explorer 9 Tagged With: How To

Sep 13, 2010 By Jared Heinrichs

How to give a tune-up to your Active Directory Database

This post will go over tuning up your Active Directory Database. I will specifically be going over Active Directory in a Windows 2008 Server environment.

Why would you want to do this?

  1. Running regular maintenance on the Active Directory Database recaptures disk space, makes the database file more efficient (faster) and checks for any weirdness.
  2. When stuff gets deleted out of your active directory database, the file does not get any smaller.

*NOTE* – These items will be done using “NTDSUTIL” under the “Files” context. The three items this post will go over are “Compact”, “Integrity” and “Semantic Database Analysis”.

Getting ready to type the commands

Open a command prompt.

  1. Type “ntdsutil”.
  2. Type “Activate Instance NTDS”.

How to Defrag / Compact the Active Directory Database

* NOTE * You can’t compact the actual Active Directory Database in place! You have to compact it to another location, then manually copy the new file over the old version. This is the #1 conceptual issue I see people have. Most of the time they think that just by running the command the database is defragged. Unfortunately this is not the case.

  1. You need to “STOP” the “NTDS Service” before binding to the Active Directory database.
  2. Go to “Administrative Tools” and select “Services”.
  3. Right click “Active Directory Domain Services” and tell it to “Stop”. Windows will prompt you to tell you there are other services that will be stopped as well.
  4. Go back to the command prompt that you opened at the beginning of the how-to video. You might get an error about not being able to stop the service. This is because replication is going on. You will just have to try stopping it again in a few seconds until it stops.
  5. Type “Files”. If you didn’t stop the NTDS Service in step 3 you will be alerted here with an error.
  6. Type “compact to C:\” or wherever you want to create a copy of the compacted Active Directory Database.
  7. Verify that a copy of the Active Directory Database file has been created at “C:\ntds.dit”.
  8. Type “Quit” and “Quit”. This will get you back to the command prompt.
  9. Type: copy "C:\ntds.dit" "C:\Windows\NTDS\ntds.dit"
  10. Type: del "C:\Windows\NTDS\*.log"

How to Check the Active Directory Database Integrity

* NOTE * – After compacting the database you should always check the integrity of the database. If you don’t still have the command prompt window open, go back to the “Getting ready to type the commands” section.

  1. Type “Files”
  2. Type “Integrity”
  3. This will make sure there are no issues with the compacting of the Active Directory Database.
  4. Once this command completes there will be a message recommending that you run the “Semantic database consistency” check as well.

How to run the Semantic Database Consistency util

Still in NTDSUTIL, run:

  1. Type “quit” to go up one level in the NTDSUTIL instance structure.
  2. Type “semantic database analysis”
  3. Type “Verbose on”
  4. Type “Go Fixup”

Remember to restart “Active Directory Domain Services”. All those services that were also stopped during the process of stopping the service will also be started.
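
The whole tune-up (stop, compact, copy, integrity check, semantic analysis, restart) as one script. This is an added example, not from the original post: the two folder names are assumptions, it passes the NTDSUTIL commands from the steps above as arguments instead of typing them interactively, and it keeps a copy of the original database before overwriting it.

```powershell
# Added example, not from the original post. Run elevated on the domain controller.
$DbDir      = 'C:\Windows\NTDS'   # database folder used in the post
$CompactDir = 'C:\NTDSCompact'    # assumption: scratch folder with enough free space
$BackupDir  = 'C:\NTDSBackup'     # assumption: keeps the pre-compaction ntds.dit
# Both folders end up holding full copies of the directory database, password
# hashes included: restrict access to them and delete them once the DC is healthy.
New-Item -ItemType Directory -Path $CompactDir, $BackupDir -Force | Out-Null
$compacted = Join-Path $CompactDir 'ntds.dit'
Remove-Item $compacted -ErrorAction SilentlyContinue   # never trust a stale copy

# Record the dependent services that are running now so they can be restarted.
$dependents = @((Get-Service -Name NTDS).DependentServices |
    Where-Object { $_.Status -eq 'Running' })

try {
    # -Force also stops the dependent services; this fails while replication is busy.
    Stop-Service -Name NTDS -Force -ErrorAction Stop

    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactDir" 'quit' 'quit'
    if (-not (Test-Path $compacted)) { throw "Compaction did not produce $compacted" }

    # Keep the original database, then swap in the compacted file and clear old logs.
    Copy-Item (Join-Path $DbDir 'ntds.dit') $BackupDir -Force
    Copy-Item $compacted (Join-Path $DbDir 'ntds.dit') -Force
    Remove-Item (Join-Path $DbDir '*.log')

    # Integrity check, then the semantic database analysis with fixup.
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    & ntdsutil.exe 'activate instance ntds' 'semantic database analysis' 'verbose on' 'go fixup' 'quit' 'quit'
}
finally {
    # Always bring the directory service and its dependents back up.
    Start-Service -Name NTDS
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
}
```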

Filed Under: Active Directory (2003) Tagged With: How To

Sep 13, 2010 By Jared Heinrichs

How to setup Active Directory auditing

There are many reasons to set up Active Directory auditing. The most common reason is to track changes to user/computer accounts in Active Directory. There are two things you have to do in order to set up Active Directory auditing.

  1. You have to enable the Audit Policy (specifically “Audit Directory Service Access”) on either the Domain Controller Policy or the Default Domain Policy. I recommend the Domain Controller Policy.
  2. You have to turn on the auditing component on the object(s) you want to audit.

How to setup/Enable Audit Directory Service

Here are the steps to Enable the Audit Directory Service.

  1. Right click the Domain Controller Policy. Select “Edit…”
  2. Go to “Computer Configuration” – “Windows Settings” – “Security Settings” – “Local Policies” – “Audit Policy”
  3. Double click “Audit Directory Service Access”
  4. All the boxes should be selected, i.e. “Define these policy settings” and, under “Audit these attempts”, both “Success” and “Failure”.

How to turn on Auditing on specific Active Directory Objects

Here are the steps to turn on auditing on AD objects:

  1. Open Active Directory Users and Computers.
  2. Go to View and make sure “Advanced Features” is enabled.
  3. Right click the “Base OU” where you want to audit and hit Properties.
  4. Click on the “Security” tab. (If you don’t see this go back to step #2)
  5. Click the “Advanced” button near the bottom of the window.
  6. Click on the “Auditing” tab in the new window.
  7. Click on the “Add..” button.
  8. Select the “Authenticated Users” group.
  9. Check off “Successful” and “Failed” for “Write all properties”. Make sure that “This object and all descendant objects” is selected.
  10. Click “Ok”
  11. Click “Ok”

How to View Active Directory Auditing Logs

Now that you’ve set this up you might be wondering, “Where do I go to see all this auditing now?” If you did, you asked a really good question.

To view the Active Directory Auditing logs you need to open “Server Manager” – “Diagnostics” – “Windows Logs” – “Security”

  • 4726 Message – This code is for deleting a user account. The user who did it will also be logged.
  • 4720 Message – This code is for creating a user account. The user who did it will also be logged.

You might want to try and filter the events based on these messages.
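
One way to do that filtering from PowerShell instead of the Event Viewer, as an added example that is not part of the original post. The function name and the sample event (with invented account names) are assumptions made for illustration; the field names are the ones Windows records in 4720 and 4726 events.

```powershell
# Added example, not from the original post: report who created or deleted accounts.
$ActionById = @{ 4720 = 'User account created'; 4726 = 'User account deleted' }

function ConvertFrom-AccountEventXml {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $e = ([xml]$EventXml).Event
    # EventData is a list of <Data Name="...">value</Data>; index it by field name.
    $data = @{}
    foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $id = [int]$e.System['EventID'].InnerText
    New-Object psobject -Property @{
        Time    = $e.System.TimeCreated.SystemTime   # UTC, as logged
        EventId = $id
        Action  = $ActionById[$id]
        Target  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        Actor   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
    }
}

# Constructed sample in the shape that an event's ToXml() returns (values invented).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4726</EventID><TimeCreated SystemTime="2010-09-13T15:04:05Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">admin1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertFrom-AccountEventXml -EventXml $sample

# On a domain controller, elevated. 4720/4726 are written when the
# "User Account Management" audit subcategory is enabled, so check it first.
auditpol.exe /get /subcategory:"User Account Management"

# Account creations and deletions from the last 7 days, oldest first.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726
                                 StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-AccountEventXml -EventXml $_.ToXml() } |
    Sort-Object Time | Format-Table Time, Action, Target, Actor -AutoSize
```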

Filed Under: Active Directory (2003) Tagged With: How To

Sep 11, 2010 By Jared Heinrichs

Ford first with Assembly line Wi-Fi capability for delivery of software to vehicles via sync

After hearing about this news I was really excited and worried about the technology. I knew that if they didn’t do it correctly there would be all sorts of issues. I was able to ask several interview type questions and post them here on my blog. I’ve included some links for more information at the bottom of the page.

What steps has Ford taken to prevent drive-by hackers from uploading further software on the road?

There are multiple measures in place to prevent any type of hacking:

  1. Only Ford approved (signed through encryption) software can be installed at any point using this process.
  2. This functionality is disabled once the vehicle leaves the factory.
  3. A physical controller area network (CAN) connection or user initiated button press starts the process in the factory. It cannot be initiated remotely and no WiFi connection is formed until the process is started locally.
  4. Standard Wireless security mechanisms are in use (e.g. WPA2) even in the factory.
  5. A network firewall is in place to prevent outside connections.

Here are the protections when the vehicle is out on the road:

  1. There are two firewalls present on SYNC.
  2. A network firewall similar to your home WiFi router that limits inbound network connection attempts from public networks.
  3. A separate vehicle CPU that prevents unauthorized messages from being sent to other modules within the vehicle.
  4. All software on SYNC requires a Ford digital signature to be installed.

Specific controls around the WiFi "Hot Spot" Feature (where we share out a USB Broadband or other connection)

  • WPA2 WiFi security mode
  • a unique SSID
  • secure passphrase of 10-15 characters
  • Consumer can override and degrade these settings, but can never completely disable security.
  • Uses the network firewall mentioned above to limit connections inbound

How does Ford install the SYNC software for the vehicles? Is it through PXE?

  • We have a basic http download of signed installation components. The components are very similar to what the consumer or dealer would install via USB today. We don’t use PXE.

If they used a technology like PXE to install software and Ford were to disable PXE before the car gets sold to the consumer, could a mechanic turn it on without a driver’s knowledge? If so, is there something a person could do to check to see if they are susceptible to this kind of attack? If not, are there any plans to allow security conscious consumers to check for this kind of thing?

  • See answer above. The ability to modify the car’s software is disabled once it leaves the factory. But, just as we have on the current generation of SYNC, we have the ability to add new features through USB download.

Are there any plans for making SYNC a SaaS (Software as a Service) type model? For example, if SYNC gets updates would it be possible to upgrade older vehicles to the newest version of the software because they have been paying the service fee?

  • No. The software between SYNC generation 1 and generation 2 (MyFord Touch) are not compatible.

Does each car have a static IP address? Could this ever be traced by a rogue Ford employee? For example, if each car has a static IP address, could that IP address be tied to a car/person and then tied to their personal information?

  • No,

Any plans for SYNC to have a wireless capability to have an onboard internet connection or to use a tethered cell phone to get a data line?

  • Connectivity, MyFord Touch provides in-vehicle Internet access through wireless data providers, using broadband modem via the media hub, which turns the vehicle into a mobile hot spot for passengers while the vehicle is in motion.

If they used a technology like PXE to install software and Ford were to disable PXE before the car gets sold to the consumer, could a mechanic turn it on without a driver’s knowledge? If so, is there something a person could do to check to see if they are susceptible to this kind of attack? If not, are there any plans to allow security conscious consumers to check for this kind of thing?

  • The dealer does not have access to re-enter the factory provisioning mode once it has been exited.
  • While in this factory mode, the normal 4-corners screen is not shown and a simplified GUI is shown (that makes it pretty obvious that it is in a special mode).

Does SYNC update itself? Is there any way of updating SYNC wirelessly after a person buys car to enable more features?

  • No, SYNC does not update automatically. Yes, it is possible due to the factory-installed WiFi capability, but we’ve not implemented the infrastructure or process to do so yet.

Does SYNC ever “call home”?

  • Today the Vehicle Health Report feature does call home, but only when requested by the user. (In the US only; we don’t have this feature available in Canada.)
  • In general Ford is committed to protecting consumer privacy and generally would inform consumers if any data is transferred from Sync back to Ford.
  • We also work to protect private information via the Master Reset feature which will purge all consumer-level data.

Are there any plans for making SYNC a SaaS (Software as a Service) type model? For example, if SYNC gets updates would it be possible to upgrade older vehicles to the newest version of the software because they have been paying the service fee?

  • That is not currently supported, but we wouldn’t rule anything out on the consumer side.

I noticed the IP address on the screen in the car is blurred. While I am assuming Ford just doesn’t want people to know their internal IP address scheme, I was wondering if the IP addresses given to the cars are static or dynamic.

  • The IP addresses are dynamically assigned (via DHCP within the plant).

What kind of steps has Ford taken to ensure a person’s identity remains their own? When I say identity, I mean personal information like home address, phone number, etc. SYNC has the ability to get information on the driver like cell phones for hands free calling.

  • Ford takes security issues very seriously as we add and improve connectivity features. As customers expect to be connected, but secure, when home or in the office, there should be no difference when in the car. SYNC does not require access to personal information for functionality. There are several precautions that we take to protect information, as well as advise owners on several steps to take of their own. Please see the press release for more information: http://media.ford.com/article_display.cfm?article_id=32181

Any plans for SYNC to have a wireless capability to have an onboard internet connection or to use a tethered cell phone to get a data line?

  • Our strategy from the beginning with SYNC has been about “bringing your own device” and making it work seamlessly in the car, thus extending the capability of those devices when inside the car. With MyFord Touch, with the factory WiFi chip, you can create a mobile hotspot using an owner-supplied USB broadband modem, turning a single access point into a broadcast that up to 5 people can access. Tethering a phone is possible with MyFord Touch, but will be a future capability.

If so, the next most logical question to me would be: are there any thoughts of being able to tie SYNC to, say, Microsoft Live services?

  • It’s possible, but not in the plans currently.

Since Microsoft allows you to save files like MP3s to the cloud, any word/thought on whether we’ll be able to stream MP3s, so that we don’t even need to plug an MP3 device into our cars?

  • Sure, that’s another possibility. We already have Bluetooth streaming capability, so internet radio can be played in the car, such as Pandora

Well, there you have it. As promised, I am going to include some other really good info relating to these subjects:

  • WJS Article
  • http://media.ford.com/article_display.cfm?article_id=31640
Ford’s Wifi Software delivery process.

Filed Under: Review Tagged With: Ford
