Security – 10 tips for secure passwords

  1. Your mail account needs the most secure password of all, because every other service can be reset from there.
  2. Use "meaningless" character sequences (attackers like to use existing words in their attacks).
  3. Passwords longer than 16 characters increase security enormously.
  4. Do not use logical sequences such as 1234567890 or dates of birth.
  5. Special characters increase security, e.g. 03'10#19?90, a date with special characters that is easy to remember.
  6. Basically, a password is only secure until you tell it to someone.
  7. Do not assume that your accounts are of no interest to other people.
  8. Use EVERY PASSWORD only once, for a single SERVICE.
  9. Do not use words from your immediate surroundings, or better, no words at all.
  10. Use password safes and the cryptic passwords they suggest.

Mac OS – Repair volume and disks via command line (terminal app)

To repair volumes and disks from the command line there are a few easy-to-use commands.
Open the Terminal app.

  1. Volumes
    1. Verify volumes
      1. check all volumes: diskutil verifyvolume /
      2. check a specific volume: diskutil verifyvolume /volumes/[volume name]   example: diskutil verifyvolume /volumes/macos
    2. Repair volumes
      1. repair all volumes: diskutil repairvolume /
      2. repair a specific volume: diskutil repairvolume /volumes/[volume name]   example: diskutil repairvolume /volumes/macos
  2. Disks
    1. Verify disks
      1. check all disks: diskutil verifydisk /
      2. check a specific disk: diskutil verifydisk /dev/[disk number]   example: diskutil verifydisk /dev/disk0
    2. Repair disks
      1. repair all disks: diskutil repairdisk /
      2. repair a specific disk: diskutil repairdisk /dev/[disk number]   example: diskutil repairdisk /dev/disk0

With these simple commands you can check the health of your volumes and disks and repair them if needed.
These commands also work in Recovery Mode,
but you have to put sudo in front of them to get access to the disks or volumes.

Windows – Support script for the IT information we need

For my job it is important to get information from users quickly.
Most of the questions are always the same:
what is your current IP address, what is your hostname, do you have local admin rights, which network printers are connected, and so on.
To get this information fast, and without explaining to the user every time how to find it, I built a script for it.
The script is added to every user's start menu via GPO.
It should work on all clients with PowerShell 3 installed.
This is what I built with PowerShell.
First I added a variable for the current date:
$vdate = Get-Date -Format d
After that I added a variable for the path of the log file and a check that deletes the file if it already exists:
$FileName = "C:\Users\" + [Environment]::UserName + "\Desktop\" + [Environment]::UserName + "_" + $vdate + ".txt"
if (Test-Path $FileName) {
    Remove-Item $FileName
}

If you use DELL devices in your company, it's important to have the serial number (Service Tag) and the Express Service Code.
The Express Service Code is calculated from the Service Tag value, so I added a function to my script:
Function Get-ExpressServiceCode {
    Param (
        $ServiceTag = (Get-WMIObject -Class Win32_Bios).SerialNumber
    )
    # A Service Tag is a base-36 number; the Express Service Code is its decimal value
    $Base = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    $ServiceTag = $ServiceTag.ToUpper()
    $Length = $ServiceTag.Length
    $Out = [int64]0
    # Walk from the most significant character (position 0) to the last one
    For ($CurrentChar = $Length; $CurrentChar -gt 0; $CurrentChar--) {
        $Out += [int64]([Math]::Pow(36, ($CurrentChar - 1))) * $Base.IndexOf($ServiceTag[($Length - $CurrentChar)])
    }
    $Out
}

Now I added the PowerShell command to get the hostname and write it to the log file:
$CN = "01. Hostname: "
$CN += get-content env:computername
$CN >> $FileName

Next, I added a script that collects the active local IPv4 addresses and checks whether one of them is in our VPN range (change xxx.xxx to your IP range):
$ip = Get-WmiObject Win32_NetworkAdapterConfiguration | Where {$_.IPAddress.Length -gt 1}
$d = $ip.IPAddress[0]
# Prefer the VPN address when one of the adapters has one
$ip | foreach {
    $_.IPAddress | foreach {
        if ($_ -like "xxx.xxx*") { $d = $_ }
    }
}
$ip = "02. IP-Address: "
$ip += $d
$ip >> $FileName

Now I added a script that checks whether the logged-on user has local admin rights and writes the result to the log file:
$LA = "03. Local Adminrights: no"
if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    $LA = "03. Local Adminrights: yes"
}
$LA >> $FileName

The next step is to check the vendor, model, Service Tag and Express Service Code of the client:
$vendor = "04. Vendor: "
$vendor += (Get-WMIObject -Class Win32_Bios).Manufacturer
$vendor >> $FileName
$vModel = "05. Model: "
$vModel += (Get-WmiObject -Class:Win32_ComputerSystem).Model
$vModel >> $FileName
$Service = "06. Service tag: "
$Service += (Get-WMIObject -Class Win32_Bios).serialnumber
$Service >> $FileName
$vESCode = "07. Express Service Code: "
$vESCode += (Get-ExpressServiceCode)
$vESCode >> $FileName

After that we add some code to get the current BIOS version:
$Bios = "08. Bios Version: "
$Bios += (Get-WMIObject -Class Win32_Bios).SMBIOSBIOSVersion
$Bios >> $FileName

The next script lists the connected printers, including the server name and the UNC path of each printer:
"09. connected network printers" >> $FileName
$Printer = Get-WMIObject -Class Win32_Printer| where {$_.Location.length -gt 1}
$Printer |foreach {
$prnName = "Name: "
$prnName += $_.ShareName
$prnName >> $FileName
$prnServer = "Printserver: "
$prnServer += $_.SystemName
$prnServer >> $FileName
$linkprn = "Link: "
$linkprn += $_.SystemName + "\" + $_.ShareName
$linkprn >> $FileName
" " >> $FileName
}

Now we have to check the connected network shares:
"10. connected networkshares" >> $FileName
$vitns = Get-WmiObject -class "Win32_MappedLogicalDisk"
$vitns | foreach {
$vitnsnp = $_.Name + " " + $_.ProviderName
$vitnsnp >> $FileName
}
" " >> $FileName

The last script we add is a list of the users and groups that are members of the local Administrators group.
I added this one because I also want to see all members, in addition to the separate entry for the local user.
"11. members of local administrators group" >> $FileName
net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4 >> $FileName
# On German clients the status line is localized, so remove it from the file as well
$Delete = Get-Content $FileName
$del = "Der Befehl wurde erfolgreich ausgeführt."
$Delete = $Delete | Where {$_ -ne $del}
$Delete | Out-File $FileName -Force
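A locale-independent way to produce the same list, as an added example that is not part of the original script: the group is resolved by its well-known SID S-1-5-32-544 instead of by name, and its members are read through ADSI, so there is no localized status line to filter out and no dependency on the group's display name. It assumes the $FileName variable from the script above; everything else is standard .NET and ADSI that is available on PowerShell 3.

```powershell
# Added example, not part of the original support script.
# Resolve the local Administrators group by its well-known SID (S-1-5-32-544),
# so the lookup works whatever the group is called on this Windows installation.
function Get-LocalAdminMembers {
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    # Translate() yields e.g. "BUILTIN\Administrators"; keep only the group name
    $ntName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $groupName = $ntName.Split('\')[-1]
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; its ADsPath looks like WinNT://DOMAIN/Name
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # Normalise to DOMAIN\Name (or COMPUTER\Name for local accounts)
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Write the result in the same format as the rest of the log file
"11. members of local administrators group" >> $FileName
Get-LocalAdminMembers >> $FileName
```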

To open the file, we just add the Invoke-Item command to the script:
Invoke-Item $FileName
You're done.
The result of this is good for our support.
Maybe you can use some of these scripts for yours 🙂

01. Hostname: NB0815
02. IP-Address: 10.xxx.xxx.xxx
03. Local Adminrights: yes
04. Vendor: Dell Inc.
05. Model: Latitude E7440
06. Service tag: xxxx
07. Express Service Code: 123456789
08. Bios Version: A10
09. connected network printers
Name: PRN1234
Printserver: \\SRV0001
Link: \\SRV0001\PRN1234
Name: PRN456
Printserver: \\SRV0001
Link: \\SRV0001\PRN456
10. connected networkshares
H: \\Domain.local\dfs$\Data
U: \\Domain.local\dfs$\home\username
11. members of local administrators group
Administrator
domain.local\Domain Admins
domain.local\SysAdmins

I think I will add some more options for this in the future.
Have fun with it…

OSX – Force shutdown of a MacBook Air or Retina

To force a MacBook to shut down without the Eject key, you can use the following keys:
Command + Control + Option + Power button
After a few seconds your MacBook will shut down, and you can restart it by pressing the power button.
A forced shutdown can be helpful if your MacBook won't work after going into sleep mode.
Before you do this, you should try to force quit applications by pressing these keys:
Command + Option + Esc

Windows – Permission commands

Here are a few useful commands to set up Windows file permissions.
Take ownership of a folder (including files and subfolders)
takeown /f foldername /r /d y
Reset the permissions of a folder (including all files and subfolders) to inherited
icacls Folder /reset /T
Disable inheritance for a folder
icacls Folder /inheritance:d
Set read permission for an AD group on the folder and its subfolders
icacls Folder /grant domain\Groupname:(OI)(CI)RX /T
Set modify permission for an AD group on the folder and its subfolders
icacls Folder /grant domain\Groupname:(OI)(CI)M /T
Set list permission for an AD group on this folder only
icacls Folder /grant domain\group:(X,RD)
Remove the permissions of a group from the folder and its subfolders
icacls Folder /remove domain\group /T
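The same sequence wrapped in a small function, as an added example that is not from the original post: it runs the take-ownership, reset, disable-inheritance and grant steps above in order and then reads the ACL back with Get-Acl so you can confirm that the group's entry carries the expected rights and the (OI)(CI) inheritance flags. The folder and group names in the example call are placeholders.

```powershell
# Added example, not from the original post. Applies the icacls pattern above
# and returns the resulting ACE(s) for the group so the result can be verified.
function Set-GroupFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$Group,          # e.g. 'DOMAIN\Groupname'
        [ValidateSet('RX', 'M')][string]$Right = 'RX'  # RX = read/execute, M = modify
    )
    takeown /f $Folder /r /d y | Out-Null        # take ownership recursively
    icacls $Folder /reset /T | Out-Null          # back to inherited permissions everywhere
    icacls $Folder /inheritance:d | Out-Null     # copy inherited ACEs, then stop inheriting
    # (OI)(CI) makes the ACE apply to files and subfolders; /T pushes it down the tree
    icacls $Folder /grant "${Group}:(OI)(CI)$Right" /T | Out-Null

    # Read the ACL back and return only the entries that belong to the group
    (Get-Acl -Path $Folder).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

# Placeholder folder and group names; replace with your own
Set-GroupFolderAccess -Folder 'D:\Shares\Projects' -Group 'DOMAIN\Project-Readers' -Right 'RX'
```

If the returned entry shows anything other than ReadAndExecute for an 'RX' call, or lacks ContainerInherit and ObjectInherit, an earlier step failed (typically a permission error during takeown or the reset).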

OSX – OSX Installation on USB Device

If your OSX installation won't start, it can be important to have a USB stick with a full installation of OSX.
It's easy to create one.
You will need a USB device with more than 16 GB of storage and an Intel Mac with OSX 10.7 or newer.
Once you meet all requirements, follow these steps.
First you have to format your USB device.
Insert the USB flash drive into your Mac.
Launch Disk Utility, located in /Applications/Utilities/.
Select the USB flash drive device.
Click the Partition tab.
Select 1 Partition from the Volume drop-down list.
Enter a name for your USB device.
Select Mac OS X Extended (Journaled) from the drop-down menu.
Click Options.
Choose GUID Partition Table from the list of available partition types and click OK.

If you are sure you want to delete all data, click Apply.
A message box opens asking you to confirm that all data on the device will be erased.
After that, click Partition.
Quit Disk Utility.
Now you have to enable ownership on your USB device.
To do this, open the Finder and select the USB device on the left side.
Now open the Info window of the device by selecting it and pressing CMD + I.

Now click the icon in the bottom right corner of the Sharing & Permissions section and enter your admin password.
Now remove the check mark from "Ignore ownership on this volume".
Close the Info window.
Now the USB device will be listed as a volume in the installation window.
Reboot your Mac, press the Option key after you hear the startup sound and choose your Recovery partition to install OSX on your USB device.

Synology – PXE Boot

To use the PXE option of a Synology NAS, carry out the following steps.
Log in to the Synology and follow these instructions.
1. Create a new shared folder.
Open the Synology Control Panel and click Shared Folder.
Then click Create.
2. Now give the folder a name (here PXEBoot).
3. Next, set the permissions of the folder.
Give admin Full Control and guest Read Only so that the PXE client can access it.
4. Now set the NFS permissions of the newly created folder.
Select the folder you just created, click Permissions and then NFS Permissions.
In the window that opens, click Create.
Set the following options for the NFS rule:
Hostname or IP: the IP range and network (192.168.178.0/24)
Privilege: Read only
Root Squash: No mapping
Security: sys
Then enable the checkboxes of the following functions:
Enable asynchronous
Allow connections from non-privileged ports (ports higher than 1024)
5. Now download the following file and extract its contents into the newly created shared folder.
The PXEBoot folder (if you named it that) should now contain the following files and directories:
chain.c32
images
initrd.lz
mboot.c32
memdisk
menu.c32
pxelinux.0
pxelinux.cfg
    default
    graphics.conf
README.md
vmlinuz
6. Now switch back to the Synology Control Panel and select FTP.
There, switch to the TFTP / PXE tab.
In this tab, enable the checkbox "Enable TFTP service", choose the TFTP root folder (the shared folder you just created), enable the checkbox "Set up DHCP service on this server for PXE", select the boot loader via Select (pxelinux.0 from the files you just extracted into the TFTP root) and configure the DHCP settings with DNS server, start and end IP, network mask and gateway.
Then click Advanced Settings.
There, choose the following options:
TFTP client permission: Read only
Allowed clients: Allow only the following IP address range (enter the range of the DHCP server here)

OSX 10.9 – Character Viewer

With OSX Mavericks, Apple completely redesigned the Character Viewer.
You can now open it in every app with the keyboard shortcut CMD + Control + Space.