Wednesday, May 26, 2010

LastPass Enterprise

The Environment


I work in an industry that deals with Protected Health Information (PHI). According to the Health Insurance Portability and Accountability Act (HIPAA) we need to apply certain measures to protect this information, and continue to improve those measures.

Over time our company has increasingly found itself turning to the Internet to retrieve information regarding patient visits, explanations of benefits, remittance advice, bank statements, etc. The list grows daily.

The Problem

As this list grows, so do the accounts (username & password, and sometimes a challenge question). Keeping track of these is becoming a daunting task, and an even greater one is maintaining standards on password strength.

In the IT support world, it is common to find weak passwords and poor account management practices.

The Solution

Let's face it. Most of us are lazy when it comes to security and creating meaningful passwords. In defence of "us" I'll be the first to say it is a PITA to remember a litany of passwords, let alone having to mentally dig up or create one that is actually complex.

LastPass is a giant step forward to solving this part of "The Problem". It is quite literally one of the slickest ideas I've come across to solve this issue for our environment.

It's got many things going for it:

It's CHEAP. Free for the web and browser-plugin version; $12 per year adds the Mobile version for your phone; $24 per year per person for the Enterprise version.

Customer Service is superb.

Features for the free version:

  • ONE MASTER PASSWORD. Of course, you will want this password to be VERY STRONG.
  • Automatic Form Filling.
  • One Click Login.
  • Synchronize across browsers.
  • Secure ANY type of text data.
  • Share your passwords with friends.
  • Export/Import from many different password repositories (Firefox, IE, KeePass, etc.)
  • Generate more secure passwords.
  • Backup your passwords.
  • Identities separate personal from others (like work).
  • On-screen keyboard to further protect your master password from keyloggers.

If you purchase LastPass, you also get LastPass Sesame, which turns a thumb drive into a multifactor device, along with the Mobile version.

Enterprise Implementation

I have a rather ordinary Windows Domain, with a Terminal Server and a number of XP workstations. I wanted to enable the automated login process noted on their Enterprise pages.

I added the following line to a batch script and assigned that script as a startup script in a Group Policy Object linked to the target computers, specifically under Computer Configuration -> Windows Settings -> Scripts -> Startup:

lastpassfull.exe --userinstallie --userinstallff --userinstallchrome  --installforallusers -j "%PROGRAMFILES%\LastPass"

The next step was to log the user into LastPass automatically without ever giving them the master password. The point is to keep them out of these accounts when they are not on site, which is the best protection we can give the PHI. Note what this implies: the Windows session becomes the gate, so anyone who can log on to a domain workstation as that user gets the vault, and the domain account and workstation controls have to carry that weight. The following line in the user's login script, which runs under their security context, does the automatic login:

"%PROGRAMFILES%\LastPass\lastpass.exe" -dl=ihbsonline.com -cid=12345678

For those in management who needed access outside the building, I simply left this line out, which forces them to log in manually.
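As an added example (not code from the original post or from LastPass), here is one way to fold both commands into a single script that the startup GPO calls with `install` and the login script calls with `login`. It keeps the installer flags exactly as shown above and guards against two things the bare lines do not: a startup script runs at every boot, so the installer should only run when the binary is missing, and a login script can run before the first startup script has finished, so the login branch checks that the executable exists. The share path `\\server\netlogon`, the log path, and the script name are hypothetical; the domain and company id are the values from the post and must be replaced with your own.

```batch
@ECHO OFF
:: lastpass-gpo.cmd -- added example, not part of the original post.
:: Usage:  lastpass-gpo.cmd install   (Computer Configuration startup script)
::         lastpass-gpo.cmd login     (user login script, runs as the user)
:: Assumptions (hypothetical values, replace with your own):
::   installer staged on a read-only share at \\server\netlogon\lastpassfull.exe
::   domain and company id as shown in the post
SETLOCAL
SET _INSTALLER=\\server\netlogon\lastpassfull.exe
SET _TARGET=%PROGRAMFILES%\LastPass
SET _LOG=%SystemRoot%\Temp\lastpass-gpo.log
SET _DOMAIN=ihbsonline.com
SET _CID=12345678

IF /I "%1"=="install" GOTO INSTALL
IF /I "%1"=="login"   GOTO LOGIN
ECHO Usage: %~nx0 install ^| login
GOTO :EOF

:INSTALL
:: Startup scripts run as LocalSystem at every boot; only run the installer
:: when the binary is missing so a reboot does not reinstall over a working copy.
IF EXIST "%_TARGET%\lastpass.exe" (
    ECHO %DATE% %TIME% install: already present, skipping >> "%_LOG%"
    GOTO :EOF
)
IF NOT EXIST "%_INSTALLER%" (
    ECHO %DATE% %TIME% install: %_INSTALLER% not found >> "%_LOG%"
    GOTO :EOF
)
ECHO %DATE% %TIME% install: running installer >> "%_LOG%"
"%_INSTALLER%" --userinstallie --userinstallff --userinstallchrome --installforallusers -j "%_TARGET%"
ECHO %DATE% %TIME% install: installer exit code %ERRORLEVEL% >> "%_LOG%"
GOTO :EOF

:LOGIN
:: Runs in the user's security context (no write access to the log assumed).
:: If the startup script has not completed yet, say so instead of failing
:: silently and let the user log in manually this once.
IF NOT EXIST "%_TARGET%\lastpass.exe" (
    ECHO LastPass is not installed on this computer yet; log in manually.
    GOTO :EOF
)
"%_TARGET%\lastpass.exe" -dl=%_DOMAIN% -cid=%_CID%
GOTO :EOF
```

Management users who need off-site access get a login script that simply does not call `lastpass-gpo.cmd login`, exactly as the post describes; everyone else never sees the master password and only has the vault while they hold a domain session on a managed workstation.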


Monday, May 10, 2010

freeFTPD


I've been using FileZilla FTP Server for some time now and have been happy with its performance.

Recently, we needed the ability to expose the FTP service to another client, and the documents we'd be receiving would be arriving in unencrypted form, unlike those from our other clients.

I decided I could simply enable FTPS, the SSL-enabled FTP protocol, open port 990 on my ASA 5525 Security Appliance and NAT the traffic to our server. Unfortunately I quickly found out that a passive FTPS server behind my firewall won't work without some specific configuration changes, as discussed in this article.

With all that fussing around, I decided to check out freeFTPd, a single daemon that offers both FTP and SFTP. SFTP is not to be confused with FTPS: it is the SSH File Transfer Protocol, which runs inside an SSH (secure shell) session, so credentials and file contents are encrypted in transit and there is no separate data connection for the firewall to track. Plain FTP on port 21 still sends both credentials and data in the clear, so only the SFTP listener should be reachable from the Internet.

It's fairly straightforward, but it is a bit quirky and the documentation is non-existent. Follow the tips below to ensure a working server, with freeFTPd starting reliably as a service.

GUI vs Service

  • The SERVER is the state used when starting FTP and SFTP via the GUI.
  • The SERVICE is when FTP and SFTP is started as a Windows Service.

The GUI does not reflect the current state of the service. It only reports the state of the server correctly if you used the GUI to start it. Your best bet is to open cmd and run netstat -an to check whether ports 21 and 22 are actually in the LISTENING state.

Apply Configuration Changes Often

The best tip is, while you are using the GUI to configure the service, click Apply often, and ESPECIALLY after you start the service.

Evidently the service restores the server to whatever state it was in when you last clicked Apply. So if you had the FTP server stopped, configured home directories for users and so on, clicked Apply and THEN started the server, do not expect the FTP server to be running for you after the machine reboots.

Don't Rely on Windows Service

For some reason unknown to me or others, the freeFTPd service doesn't start reliably on Windows restart for some of us.

Instead, set the service to start Manually rather than Automatically, and use something like the following batch file to start it a little later in the boot sequence and to notify you if it fails. The notification relies on the IIS SMTP service being installed on the same server, because the script drops the message into its local pickup directory.

@ECHO OFF

:: //////////////////////////////////////////////
::
:: Set the log file location. The quotes are part of the value, so the
:: space in "Program Files" is safe in every redirection below.
SET _LOG="C:\Program Files\freeFTPd\ftpstartup.log"

ECHO ------------------------------------------------ >> %_LOG%
ECHO -- START %DATE% - %TIME% -- >> %_LOG%
ECHO ------------------------------------------------ >> %_LOG%

:: //////////////////////////////////////////////
::
:: Write the sleep operation to the log and sleep.
:: SLEEP comes from the Windows Resource Kit; if it is not installed,
:: PING -n 31 127.0.0.1 >NUL waits roughly 30 seconds instead.
ECHO Sleeping 30 seconds >> %_LOG%
SLEEP 30

:: //////////////////////////////////////////////
::
:: Start the service and log it
ECHO Starting service >> %_LOG%
NET START freeFTPDService >> %_LOG%

:: //////////////////////////////////////////////
::
:: Look for the listeners on our ports. 10.0.0.12 is this server's address;
:: change it to match yours (if freeFTPd binds to all interfaces, netstat
:: shows 0.0.0.0:21 instead). The dots are escaped and the port is followed
:: by a space so that ":21" does not also match ":2121", and LISTENING is
:: required so an established client connection does not count as the server.
ECHO Looking for FTP Listener... >> %_LOG%

netstat -anp TCP | findstr /R /C:"TCP *10\.0\.0\.12:21 .*LISTENING"
IF %ERRORLEVEL% NEQ 0 (SET _MSG=FTP SERVICE NOT LISTENING ON PORT 21.& GOTO FAILED) ELSE (ECHO FTP Operational. >> %_LOG%)

ECHO Looking for SFTP Listener... >> %_LOG%

netstat -anp TCP | findstr /R /C:"TCP *10\.0\.0\.12:22 .*LISTENING"
IF %ERRORLEVEL% NEQ 0 (SET _MSG=SFTP SERVICE NOT LISTENING ON PORT 22.& GOTO FAILED) ELSE (ECHO SFTP Operational. >> %_LOG%)
GOTO END

:: //////////////////////////////////////////////
::
:: If a check fails, log it and send a notification through the local
:: IIS SMTP pickup directory
:FAILED
ECHO #### %_MSG% >> %_LOG%

:: Set the temp file location
SET _TEMPMAIL=%TEMP%\TEMPMAIL.%RANDOM%.TXT

:: Echo the basic headers to the temp file
ECHO TO: "Croson, John" ^<mine@DOMAIN.COM^> > %_TEMPMAIL%
ECHO CC: "Demarais, David" ^<his@DOMAIN.COM^>,"Hayssen, Jill" ^<hers@DOMAIN.COM^> >> %_TEMPMAIL%
ECHO FROM: "IHBS Administrator" ^<ADMIN@DOMAIN.TLD^> >> %_TEMPMAIL%
ECHO SUBJECT: SERVICE FAILURE >> %_TEMPMAIL%

:: Echo the blank line that separates the headers from the body text
ECHO.>>%_TEMPMAIL%

:: Echo the body text to the temp file
ECHO %_MSG% >> %_TEMPMAIL%
ECHO Check %_LOG% for details.>> %_TEMPMAIL%

:: Move the temp file to the mail pickup directory; the IIS SMTP service
:: picks it up and delivers it
MOVE %_TEMPMAIL% C:\INETPUB\MAILROOT\PICKUP
EXIT

:END

From Start -> Run, open mmc, choose Add/Remove Snap-in, and add the Group Policy Object Editor for the local computer. Go to Local Computer Policy -> Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown). Open Startup and add the file you saved above, then apply the setting. Startup scripts run under the LocalSystem account, which is why the script can write under Program Files and into the IIS pickup directory without any extra permissions.

Keep an eye on this log to make sure your service starts. You may have to tweak the sleep time to get this to work. It works well for me on Windows 2000 Server SP4.

Mapped Drives

I've configured two users. One I can get to use a mapped drive on the server (H), and the other I cannot (Z). It might be the letter, but I was able to work around it by using a UNC path (\\server\folder). Your mileage WILL vary.

Hope this helps someone else scratching their head as hard as I was!
