A Technology Journey
I use a YubiKey 5Ci (by Yubico) in my lab. This allows me to log in with a smart card interface. If you are looking for information on how to configure smart card access in your lab, please reference the following post: MyLab: Smart Card Authentication
Continue reading “Configuring Smart Card | Common Access Card (CAC) | Personal Identity Verification (PIV) in VMware vSphere and VMware Horizon”I use a YubiKey 5 Series security key (from Yubico) in my lab. This allows me to use strong authentication and test out security scenarios that I usually find myself in while on the job. I did use the reference material from Yubico to get this working, but am going to transcribe and document this for future use for myself.
Continue reading “MyLab: Smart Card Authentication”Alert Symptoms and Definitions can be set up in Aria Operations, but they will not truly monitor the the virtual machine accurately unless the virtual machines have already been secured!
A lot of the settings in the STIG do not exist by default and therefore cannot be monitored with confidence. It is very important to use a hardened template to save a lot of work. If virtual machines already exist, but have not been secured, you can use the following script (PowerCLI: Multiple Virtual Machines Script) to cut down on the level of effort by tackling more than one virtual machine at a time.
VMware Aria Operations (formerly vRealize Operations) can be used to monitor and alert on VMware vSphere 7.0 STIG compliance. This is helpful for when the environment has already been secured, but during troubleshooting, or other maintenance, the security standards were relaxed and never re-applied. Compliance drifts from the baseline are common and hard to detect without some sort of monitoring system. VMware Aria Operations can alert staff and remind them to button up the security compliance.
Continue reading “VMware Aria Operations to Monitor VMware vSphere 7.0 STIG”I am a strong proponent to securing an infrastructure with customer-signed Transport Layer Security (TLS) certificates internally and only using third party certificates where absolutely necessary for external services.
For this service, I am going to build a two-tier Microsoft certificate authority (CA) using Windows Server 2022. One virtual machine will be a root authority and the other will be an intermediate CA where the certificates will actually be provisioned from. It is recommended to shut down and remove the Root CA, but I am only going to shut down (and not remove) the Root CA virtual machine in my lab.
Continue reading “MyLab: The Certificates”I am going to install VMware Horizon Connection Server 2303 (current at the time of writing) on Windows Server 2022. The only modification to the hardware is to increase the Memory to 12 GB. This will provide the connection server with ample memory for the operating system as well as the VMware Horizon Connection Server application.
Continue reading “MyLab: VMware Horizon Connection Server”Copy the file(s) to a system that has OpenSSL. If you are on a Windows machine, the easiest way to do this is to use Git for Windows (https://git-scm.com/download/win). Once installed, you can run Git Bash and will have access to OpenSSL. Linux and macOS will likely already have OpenSSL support in Terminal. If you are in a VMware environment, the ESXi hosts also have OpenSSL support.
It is highly likely the .pfx file will contain a password to protect the file. This password is required for the conversion process.
PEM files may have either a cer, crt, or pem file extension. These should be interchangeable, but some vendors are very particular about the file extension. Like anything, check the applicable documentation for recommendations.
Most vendors will require three files. Commonly I see the folllowing:
To get the machine certificate and signing certificates, run the following command:
openssl pkcs12 -in certificate-name.pfx -out machine.pem -nodes -nokeys
To get the encrypted private key, run the following command:
openssl pkcs12 -in certificate-name.pfx -out machine.key -nocerts
If you view the file, you will see that it is encrypted. Most systems will not take an encrypted key and will require an RSA Private Key.
openssl rsa -in machine.key -out machine-rsa.key
Now if you view the new file, you will see it is an RSA Private Key.
This is my attempt to keep track of various ports, protocols, and services for successful deployments of solutions.
| Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use |
|---|---|---|---|---|
| 135 | TCP | epmap | DCE endpoint resolution | RPC Endpoint Mapper |
| 389 | TCP/UDP | ldap | Lightweight Directory Access Protocol | LDAP |
| 636 | TCP | ldaps | ldap protocol over TLS/SSL (was sldap) | LDAP SSL |
| 3268 | TCP | msft-gc | Microsoft Global Catalog | LDAP GC |
| 3269 | TCP | msft-gc-ssl | Microsoft Global Catalog with LDAP/SSL | LDAP GC SSL |
| 53 | TCP/UDP | domain | Domain Name Server | DNS |
| 88 | TCP/UDP | kerberos | Kerberos | Kerberos |
| 445 | TCP | microsoft-ds | Microsoft-DS | SMB |
| 464 | TCP/UDP | kpasswd | kpasswd | Kerberos Password V5 |
| Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use |
|---|---|---|---|---|
| 67 | UDP | bootps | Bootstrap Protocol Server | DHCP (Server) |
| 68 | UDP | bootpc | Bootstrap Protocol Client | DHCP (Client) |
TCP/UDP: 53 domain Domain Name Server DNS
| Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use |
|---|---|---|---|---|
| 53 | TCP/UDP | domain | Domain Name Server | DNS |
| Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use |
|---|---|---|---|---|
| 123 | TCP/UDP | ntp | Network Time Protocol | NTP |
| Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use |
|---|---|---|---|---|
| 139 | TCP | netbios-ssn | NETBIOS Session Service | SMB |
| 445 | TCP | microsoft-ds | Microsoft-DS | SMB |
| Port Number | TCP/UDP | IANA Service Name | IANA Decription | Common Use |
|---|---|---|---|---|
| 1433 | TCP | ms-sql-s | Microsoft-SQL-Server | Microsoft SQL |
| Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use |
|---|---|---|---|---|
| 443 | TCP | https | http protocol over TLS/SSL | HTTP/S |
| 22 | TCP | ssh | The Secure Shell (SSH) Protocol | SSH |
| 5480 | TCP | – | – | VMware Appliance Management Interface (VAMI) |
| 9543 | TCP | – | – | |
| 902 | TCP | – | – | |
| 514 | TCP | shell | – | Syslog |
| Port Number | TCP/UDP | IANA Service Name | IANA Description | Common Use |
|---|---|---|---|---|
| 8443 | TCP | pcsync-https | PCsync HTTPS | Blast Extreme traffic |
| 443 | TCP | https | http protocol over TLS/SSL | Authentication |
| 22443 | TCP/UDP | – | – | Blast Extreme traffic |
| 3389 | TCP | ms-wbt-server | MS WBT Server | Remote Desktop Protocol (RDP) |