The “Strict-Transport-Security” HTTP header is not set to at least “15552000”

The “Strict-Transport-Security” HTTP header is not set to at least “15552000” seconds. For enhanced security, it is recommended to enable HSTS.

Edit your Apache vHost file configuration for NextCloud. If you have two (one for port 80, the other for port 443), then edit both

Right under the first block that contains the ServerAdmin, DocumentRoot, ServerName, and ServerAlias details, add another line with the below:

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

Save and close the configuration files

Restart the Apache web server

sudo systemctl restart apache2

Refresh the settings page in NextCloud and that alert message should now be removed.
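To confirm the change actually took effect, the following POSIX shell functions (an added example, not part of the original post) parse a Strict-Transport-Security value and test it against the 15552000-second minimum the Nextcloud warning refers to; hsts_check_host needs network access and takes a host name you supply, while the other functions work on a header string alone.

```shell
#!/bin/sh
# Added example: check an HSTS header value against the Nextcloud minimum
# (15552000 s = 180 days). No real host is assumed; pass your own to
# hsts_check_host.

# Print the numeric max-age from an HSTS header value, or nothing if absent.
# Directive names are case-insensitive and the value may be quoted.
hsts_max_age() {
    printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | tr ';' '\n' \
        | sed -n 's/^[[:space:]]*max-age="\{0,1\}\([0-9][0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' \
        | head -n 1
}

# Return 0 if the header value carries the includeSubDomains directive.
hsts_has_subdomains() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' \
        | grep -q '^[[:space:]]*includesubdomains[[:space:]]*$'
}

# Return 0 when max-age is present and at least $2 seconds (default 15552000).
hsts_ok() {
    min_age=${2:-15552000}
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$min_age" ]
}

# Fetch the header from a live host over HTTPS and report on it.
# This is the only function here that touches the network.
hsts_check_host() {
    value=$(curl -sS -I "https://$1/" \
        | tr -d '\r' \
        | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity:[[:space:]]*//p' \
        | head -n 1)
    if [ -z "$value" ]; then
        echo "$1: no Strict-Transport-Security header (HSTS is off)"
        return 1
    fi
    if hsts_ok "$value"; then
        echo "$1: HSTS ok ($value)"
    else
        echo "$1: max-age missing or below minimum ($value)"
        return 1
    fi
    hsts_has_subdomains "$value" || echo "$1: note: includeSubDomains not set"
}
```

Run it as `hsts_check_host cloud.example.com` after restarting Apache; note that includeSubDomains commits every subdomain of that name to HTTPS, so make sure none of them is served over plain HTTP.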

3CX v16 Not Updating

This document applies to 3CX v16 instances hosted in AWS or running on Debian 9 (Stretch) that are stuck on older versions of 3CX v16 and seemingly just will not update.

SSH or web-console into the Debian instance

Edit the file /etc/apt/sources.list.d/saltstack.list

sudo nano /etc/apt/sources.list.d/saltstack.list

If the one line in this file reads:

deb http://repo.saltstack.com/apt/debian/9/amd64/archive/2019.2.0/ stretch main

then add # in front of it and add an extra line below that reads:

deb http://repo.saltstack.com/apt/debian/9/amd64/latest stretch main

Your file should now read:

#deb http://repo.saltstack.com/apt/debian/9/amd64/archive/2019.2.0/ stretch main
deb http://repo.saltstack.com/apt/debian/9/amd64/latest stretch main

Save and close the file
CTRL+O
CTRL+X

Now manually update and upgrade the packages:

sudo apt-get update
sudo apt-get upgrade

Answer Y when prompted to proceed
If prompted about updating the configuration of the Minion package, say Y and press enter

Once the upgrades are completed, you can now go through the 3CX web console and start installing all the pending updates – note, there will be quite a few.

Note: Changes as of December 2021:

I had to update a 3CX instance tonight that refused to update using the 3CX console or the above.

In the end, I had to edit the file:

/etc/apt/sources.list.d/saltstack.list

and enter in the line:

deb https://repo.saltproject.io/py3/debian/9/amd64/latest/ stretch main

Next, you’ll need to install APT’s secure transport module using:

sudo apt-get install apt-transport-https

Now do the update:

sudo apt-get update
sudo apt-get upgrade

Now head back to the 3CX Admin Console and continue the upgrades from there…

Enable External Boot Media on T2 Security Chip-Enabled Macs

This guide covers the process of enabling a T2 security chip-enabled Mac to boot from external media such as USB drives for the purposes of reinstall, data recovery, or diagnostics.

Applies to:

T2 security chip-enabled Macs include the Macs below and newer versions thereof:

  • iMac (Retina 5K, 27-inch, 2020)
  • iMac Pro
  • Mac Pro (2019)
  • Mac Pro (Rack, 2019)
  • Mac mini (2018)
  • MacBook Air (Retina, 13-inch, 2020)
  • MacBook Air (Retina, 13-inch, 2019)
  • MacBook Air (Retina, 13-inch, 2018)
  • MacBook Pro (13-inch, 2020, Two Thunderbolt 3 ports)
  • MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)
  • MacBook Pro (16-inch, 2019)
  • MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2019)
  • MacBook Pro (13-inch, 2019, Four Thunderbolt 3 ports)
  • MacBook Pro (15-inch, 2018)
  • MacBook Pro (13-inch, 2018, Four Thunderbolt 3 ports)

How to confirm if the Mac you’re working on is T2-enabled:

Click the Apple logo top-left > About This Mac > System Information / System Report…

What does T2 actually do?

In short, it provides additional security at a hardware level for the Mac. It handles the encryption of the OS disk in hardware, reducing the CPU resources required for the same tasks, helps to prevent malicious code from being injected into the OS core, enhances secure boot, and verifies the OS at boot time.

Preparation:

Time required to perform steps outlined: 10-30 mins depending on the Mac and internet speed.

If the Mac already has a firmware password enabled, you will need to know what this is in order to boot into recovery mode & access system utilities.

You will also need to know the password to at least one admin level user account on the system

Steps to complete:

Shutdown the Mac

Power on the Mac holding down the left Alt/Option key

If successful and no firmware password present, you should see a screen similar to the boot screen below:

[Image: Apple boot menu]

If prompted for a password first, then this will be the firmware password.

At the boot selector screen, hold down the Command key and press R

This will start to boot into recovery mode. If the recovery mode OS is on the local disk, it will verify & boot from here, if not, it will download a copy from the Internet.

Once you reach the recovery environment, select the language, and then you should reach the recovery mode screen

[Image: Apple recovery mode screen]

From the Utilities menu at the top of the screen, select Startup Security (or similar, depending on OS / recovery mode version).

You should reach the below screen:

[Image: Startup Security Utility on Mac with Apple T2 Security Chip]

Under External Boot, select the radio option for Allow booting from external media

Use Command+Q to quit back to the main screen

Use Command+Q to quit recovery mode, select reboot

Now when you boot up the Mac holding down the Alt/Option key to access the boot menu, any external bootable media you insert will show up in the boot menu, and the Mac can be booted from it.

Additional info:

If these steps still prevent booting from external media, you may need to go back into Startup Security and change the Secure Boot from: Full Security to: Medium Security – especially if the OS wasn’t recently signed by Apple on this Mac.

Configure Firmware Password to better protect Mac

The Firmware password for a Mac is primarily used to protect a Mac from being booted into recovery mode or from external boot media should the Mac fall into the wrong hands.

Think of it like a PC BIOS password that prevents anyone from accessing the BIOS settings or boot menu.

Short of flashing the firmware using a hardware firmware flash tool, it provides excellent protection for portables against resale should they be stolen.

Prerequisites:

If the Mac already has a firmware password enabled, and you need to remove or change it, you will need to know the current firmware password.

Forgotten firmware passwords require a support ticket with Apple along with proof of purchase.

Steps:

Shutdown the Mac

Power on the Mac – holding down the left Alt/Option key until the boot menu is displayed

[Image: Apple boot menu]

Once here, hold down the Command key and press R

The Mac will now boot into recovery mode

Once booted into recovery mode, select the language and you will then be at the recovery mode home screen

[Image: Apple recovery mode screen]

In the Utilities menu at the top, select Startup Security (for T2-enabled Macs) or Firmware Password Utility (for older Macs)

If no password is currently set, you should have the option to Set Firmware Password…

[Image: Startup Security Utility on Mac with Apple T2 Security Chip]

Once you have set the password, use Command+Q to exit back to the recovery mode home screen, use Command+Q to quit – selecting Reboot or Restart Mac.

Now whenever you boot the Mac holding down the Alt/Option key or any other startup interactive modes, you will be prompted for the firmware password you have set.

To remove the password, you will need to boot back into recovery mode and turn off the firmware password.

Notes:

As previously stated, it is highly recommended this is configured for all portable Macs where possible. Ideally, the client / user should know & document their firmware password, and it should also be documented in both the Autotask configuration item and the ticket as an internal note.

The ticket should have “Firmware Password” in the description area or title for ease of search if it's not being done in the initial setup ticket.

Failure to document & recall the password when required will require a password removal via Apple support, which will require the Mac, proof of purchase and the Mac will be out for service for a period of time while Apple technicians re-flash the firmware.

Hyper-V 2019 only using every second CPU Core or Thread

Issue: Hyper-V on Windows Server 2019 only uses half the available CPU threads, and VMs with larger CPU core counts often perform very poorly

[Image: Task Manager screenshot before the change]

In Windows Server 2019, Hyper-V now defaults to the more secure “core scheduler”, where previous versions used the “classic scheduler” for CPU scheduling and isolation. What this means is that when you migrate a VM over to Hyper-V on WS2019, you need to update the VM configuration and change some settings, or it will only use a single hardware thread per core, exhibiting the behavior you see above.

In Hyper-V on WS2016, the default setting for number of Hardware Threads per Core is “1”. What we want is to set this to “0” which will inherit the Host’s default configuration for this.

The below PowerShell commands will list all VMs on the host, list their configuration versions, list the thread count per core, then set the new default to inherit the setting from the Hyper-V host

Note: For the last command to work (setting the new default), the affected VMs need to be powered off.

#Get your Host supported VM guest configuration versions
Get-VMHostSupportedVersion
#Get your VM guest configuration versions
Get-VM | FT Name, Version
#Update all VMs configuration versions
Get-VM | Update-VMVersion
#Get the VM thread count per core setting
Get-VM | Get-VMProcessor | FT VMName,HwThreadCountPerCore
#Set the VM thread count per core setting
Get-VM | Set-VMProcessor -HwThreadCountPerCore 0

Now that the changes have been applied, here’s the task manager screen shot:

[Image: Task Manager screenshot after the change]

Note: this only impacts migrated VMs. When a VM is created on Windows Server 2019 Hyper-V, this is not an issue, as the VM inherits the default setting of the host.

Join Mac to Active Directory – the Right way!

This guide will assist you in joining a Mac to AD. There are plenty of guides online, but many of them leave out certain key aspects that lead to issues when not performed properly.

First step, check AD for the next available computer name and create the computer AD entity in the correct OU.

Document the AD computer description field with useful information such as ticket number, model, user, serial number, etc

Identify & note down any users / groups that should have local administrative rights on the Mac

Setting the local workstation host name:

Apple Menu > System Preferences > Sharing > Computer Name

Now let's get domain joined:

System Preferences > Users & Groups > Login Options

Click the lock icon to gain admin access using the local administrator account

Change Display login window as: Name and password

Change Show fast user switching menu as: Full Name

Click the Join… button

Click Open Directory Utility…

Click the lock icon and authenticate to unlock

Highlight Active Directory

Click the pencil button to edit

Populate the Active Directory Domain field with the AD name

Click the disclosure triangle to expand the options

Place a tick next to Create mobile account at login – this tells the Mac to create a local user profile for the AD account so a) the user has somewhere to store data, and b) the user can login when away from the AD network.

Click the Administrative Button

Place a tick next to: Allow administration by:

By default, it will have domain admins and enterprise admins pre-populated.

Use the + button to add in the additional resource users & groups noted earlier that will require local admin rights

Click Bind…

This will first prompt for the local admin password

Then it will prompt for the domain administrator username & password.

If all details are correct and DNS is working, the Mac will be joined to the directory.

If you followed the earlier instructions to pre-create the computer in AD, it will advise you that the computer account exists, and ask you if you want to use the existing computer account – say Yes.

Domain Join over a VPN:

If you need to join over a VPN connection, but the VPN connection is disconnected when switching user accounts, you can cache an AD account from the local admin account when still connected to the VPN post domain join using the below terminal commands:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n [AD_username]

Once this passes, you will need to cache the login credentials

login

When prompted, login using the user’s username and password.

Note: the password entering will not provide any feedback on-screen.

Ideally, if the Mac is being domain joined over the VPN, you would also cache the domain admin account using this method also.

A Mac already directory bound that isn’t configured to create mobile account at login:

Using terminal, issue the below commands:

sudo dsconfigad -mobile enable

sudo dsconfigad -mobileconfirm disable

The first command forces the system to create mobile (cached) accounts when the user logs in, the second command suppresses the confirmation prompt when creating the account.

A little Terminal bonus:

You can do a quick & dirty AD join from the terminal using the below command:

dsconfigad -prefered yourserver.YOURDOMAIN.SOMETHING -a nameOfYourDevice -domain YOURDOMAIN.SOMETHING -u DomainAdministratorAccount -p 'DomainAdministratorPassword'

Of course, doing this will not set the Mac to create a mobile account at login, and won't configure local admin users…

Sophos SG UTM – Enable & Configure Let’s Encrypt for SSL Certificate services

This post briefly describes the process to enable & configure the Let’s Encrypt SSL Certificate certbot functionality built into the Sophos SG / UTM firewall.


Country Blocking:

If you have Country Blocking enabled & configured in the firewall, you will need to add some exclusions for Let’s Encrypt services to pass through

There will need to be three exclusions added for Let’s Encrypt services:

First exclusion will be setup with:

  • No countries selected
  • For all requests going to (any WAN interfaces that will be used for Let’s Encrypt and / or will have SSL protected services behind them)
  • Using services: HTTP


The next exclusion:

  • No countries selected
  • For all requests coming from:
    • Create a new Network Group and add in the following DNS Hosts:
      • acme-staging-v02.api.letsencrypt.org
      • acme-staging.api.letsencrypt.org
      • acme-v01.api.letsencrypt.org
      • acme-v02.api.letsencrypt.org
      • outbound1.letsencrypt.org
      • outbound2.letsencrypt.org
  • Using these services: Any


The final country blocking exception:

  • No countries selected
  • For all requests coming from: use the same Network Group you created in the previous rule
  • Using these services: Any


Finally, ensure all three new rules are switched on.


Certbot:

Now we need to configure & enable the Let’s Encrypt certbot built into Sophos UTM.

Head to Webserver Protection > Certificate Management

Click on the Advanced tab

Ensure the four fields in the Regenerate Signing CA box are filled in and click Apply

Click to place a check in the Allow Let’s Encrypt certificates checkbox and click Apply

This process will take a minute or two as the account is setup with Let’s Encrypt…

Click the Advanced tab a couple of times until the status changes from:

[Image: Let's Encrypt status before registration]

to:

[Image: Let's Encrypt status after registration]


Generate New Certificates:

Now for each certificate you want to create with Let’s Encrypt, you will need to ensure that the FQDN is pointing to the public IP address of the Sophos WAN connection, as this is how the certificates are validated & authorised by LE’s servers and the Sophos certbot.

Once this is done, click on the Certificates tab

Click on the New Certificate button

Change the method from Generate to Let’s Encrypt

  • Set the Name to match the FQDN (this makes it easier to identify later on)
  • Set the Interface to the WAN interface that the required FQDN resolves to
  • Add the FQDN to the domains list
  • Click save

This process can take 2-5 mins. Click the Certificates tab to refresh to get the status of the certificate.

Once the certificate is green and has a valid expiry date, that certificate can now be used for services as required (such as WebAdmin, User Portal, or services in the Webserver Protection).


Troubleshooting:

If you get an error regarding Let’s Encrypt failed to retrieve the current terms of service link, then there are a couple of possibilities:

Ensure you’re running the latest or very recent build of the UTM – update if not

Check the Certificate Authorities tab for anything expired, invalid, etc. and remove them.

Delete the ISRG Root X1 CA (so that only the current R3 certificate is present).

Temporarily turn off country blocking

Ensure DNS resolution on the Sophos is working

Ensure that port 80 isn’t blocked by something else – especially in a double NAT scenario

Enable the SSH access, and execute:

/var/mdw/scripts/httpproxy restart


Active Directory – Missing Attribute Editor in User editor

Issue:

Can’t access the Attribute Editor tab in users and groups


Scope:

Active Directory in Windows Server versions: 2008 R2, 2012, 2012 R2, 2016, 2019, and 2022.


Solutions:

First and foremost, ensure in AD Users and Computers, you have enabled the Advanced Features in the View menu:

For 99% of the issue occurrences, this will fix the issue. You may need to close and re-launch the ADUC console.

If the above has been done and you still don’t see the Attribute Editor tab after enabling Advanced Features, first off, log out of the DC or management system from the account you are logged in with. Log back in and try again.

If after logging out and back in the issue persists, then there are some changes that may need to be made by performing the following steps:

Open ADSIedit.msc

Right-click the upper left most item in the left tree pane and click Connect to

Click the radio button in the Connection point for Select a well known Naming Context, and select Configuration from the drop down list

Now drill down through: CN=Configuration > CN=DisplaySpecifiers > CN=409 (409 is for US English, pick the language appropriate to your profile)

Double-click on CN=user-Display

Double-click on adminPropertyPages

Add in the missing value:

11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}


Once done, OK twice out and re-launch ADUC.

Now the Attribute Editor tab should be available.


Extra Notes:

This is a common occurrence for AD domains that were previously migrated from Windows Server 2003 (or older) into newer Windows Server versions and had their functional levels raised. Unfortunately, raising the domain functional level doesn't seem to add in these missing values.

If this is the case for your environment, you may also need to add in other missing values such as:

In the CN=computer-Display > adminPropertyPages

12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

In the CN=default-Display > adminPropertyPages

4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}


Installing & Configuring IP Networked Printers in Windows

Update History:

  • 2017-Feb-09: Initial publication
  • 2019-Mar-12: Include mentions for coverage of Windows Server 2019 and ARM64 architectures
  • 2022-Feb-09: Include mentions for coverage of Windows Server 2022 and Windows 11

This guide applies to:

  • Windows Desktop / Workstation Editions 7, 8, 8.1, 10, and 11
  • Windows Server Editions 2008 R2, 2012, 2012 R2, 2016, 2019, and 2022

It is intended for environments where the printer is connected to the network, has either a fixed LAN IP address or a DHCP reservation, and is accessible by the target Windows systems. It is assumed that the printer has been freshly setup on the network but not yet installed or configured on any target workstation or servers.

Download and install drivers:

Identify and download the correct drivers for your make & model of printer. Ideally, you want to download the basic / standard drivers and not the full driver package installers. The ideal drivers may be identified as PCL, PS (PostScript), or WHQL drivers.

Typically, there will be multiple drivers – a listed set of drivers for multiple versions of Windows. Typically, most manufacturers will have the exact same driver files that cover many generations of Windows – eg: a driver written for Windows 7 will almost always work on Windows 10, or Server 2019, and Server 2008 R2.

Typically, the only differences in the drivers are:

  • Architecture (as in Windows 32-bit, Windows 64-bit, Windows Itanium, and more recently, ARM64)
  • The driver's communication protocol when talking to the printer – this is how the computer talks to the printer, so PCL, PS, KX, etc…

You need to be aware of what communication protocol is supported by the printer. By default, FujiXerox DocuCentre machines don’t support PostScript (PS) out of the box, and require installation of additional optional hardware. If you’re looking to set one of these machines up on any Macs, get the PostScript card when ordering (cheaper at time of order than it is after the fact). Most printers will happily work using standard PCL drivers. Note: If you’re deploying Kyocera ECOSYS machines, aim for their KX drivers.

When downloading the drivers for deployment on a Windows server for sharing out to the networked Windows clients, opt to download both the 64bit and 32bit drivers of the same version number or release date, and if available, also the ARM64 drivers. When they are installed and made available to client systems using these different architectures, the user won’t have to go hunting to find drivers, as Windows will supply them to the connecting client during the printer installation.

Note here, we are downloading both the Windows 7 64 bit and Windows 7 (aka 32 bit) drivers for deployment:

Windows 7 (32 bit):

Once the drivers have been downloaded, extract them into their own sub folders. They may come as a ZIP file or as a self-extracting application. If the latter, when prompted to commence installation, cancel these operations – you just want the extracted driver files. Take note of where you have extracted them to. Pro-tip: place them in a ClientApps share so they can be accessed over the network at a later date if required.

Open the Control Panel (not Settings) and change the view mode from Category to Small Icons (or Large Icons if your eyes don’t work).

Click on Devices and Printers

Click on Add Printer in the toolbar

When Windows is scanning for printers, click on “The printer that I want isn't listed”

When prompted, select the option to Add a local or network printer with manual settings:

When choosing a printer port, select Create a new port and change the drop down list to Standard TCP/IP Port, click Next

Enter in the fixed or reserved IP address of the printer, and un-tick the Query the printer for automatic installation

Windows will now check to see if it can communicate with the printer’s network stack and determine the available network protocols (SNMP, HP Discovery, etc).

Now we need to install the actual drivers, click Have Disk

Click Browse and locate the folder where the 64 bit drivers were extracted to

You may need to drill down into a fairly deep folder structure, like in this example to locate the valid driver information (INF) file. Click Open

You will return here, where you can see the file path. Click OK

Typically, manufacturers will bundle drivers & support for multiple models of their printer for ease of production, so you will need to select the correct model & revision from the list to ensure you get all the correct features & settings available to your printer. Once selected, click Next

Give the printer a valid & meaningful name. If prompted to Share the printer to the network, un-tick this option as we’re not yet ready for this

Windows will now install the drivers and add the new printer

From here, click to Print a test page if there’s not many options on the printer, otherwise, click Finish.


Returning to the Control Panel > Devices and Printers, you will now see the newly installed printer.


Now we want to install support for 32 bit Windows (and ARM64 if applicable / available). This is to ensure Windows 32 bit systems connecting to our server to access the printer will also receive automatic driver installation. Although 32 bit Windows is becoming far less common these days, doing this ensures in the long term, there’s little or no poor user experience or frustration when adding shared printers to their systems. It also helps when deploying printers via Group Policy that 32 bit Windows users don’t get prompted to install drivers on every logon until installed.

Right-click on the newly installed printer

Select Printer Properties from the contextual menu.

Many networked printers offer automatic device configuration in the form of two-way communication between the printer driver and the printer’s network stack. If this is an option, enable it and click the button appropriate to update the printer options.

In our FujiXerox example, this is called Bi-Directional setup – which is off by default, so turn this on, then click Get Information from Printer.

What this does: it tells the driver to communicate with the printer, requesting information such as how many trays there are, what paper is in each tray, and whether there are side-car options or ‘finishers’, staplers, binders, folders, etc. The printer will respond to the driver and tell it what options are installed & available, and also consumable information such as paper & toner levels. Once done, click Apply to save the changes and update the configuration.

You can verify this worked by clicking Advanced, and Printing Defaults

You’ll see tray options, paper sizes, color options, output options, etc.

Now, head to the Sharing tab, click Additional Drivers.

Place a tick next to the additional drivers that you have downloaded (such as 32 bit) and click OK

This will prompt you to install them, like at the beginning, click browse to locate and install the appropriate drivers

Once located and selected, click OK

Finally, now you can share out the printer. If the Windows PC or server sharing the printer is a member of Active Directory (or is the domain controller), tick the option to List in the directory – this will make it easier to deploy later via Group Policy.

Windows PCs on the network (either AD authenticated, or pre-authenticated locally) can now browse the network share of this Windows Server and install the shared printer by simply double-clicking on it.


Windows 10 Start Menu Not Working

Foreword:

Initial releases of Windows 10 seem to be plagued with an issue where the Start menu and / or the search box fail to function. Users cannot click on the Start menu, and the search box disappears or becomes unusable. A couple of later build releases seem to have re-introduced this issue for many users.

Fix the issues using PowerShell:

Ensure the Windows Firewall Service is running – there are numerous instances where the Firewall service being stopped or disabled has prevented the Start menu from working. Use the services.msc admin tool to achieve this.

Right-click on the Start menu and select Powershell (admin) – if this isn’t present, choose Command Prompt (admin), then in the CMD window, enter in powershell – which will bring up an admin level Powershell window.

In the admin Powershell window, enter in the command:

Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Wait until the processing has completed. Now try to access the Start menu. If it still isn't working, you may have to reboot. Also, if the search box is still missing but the Start menu is working, right-click on an empty part of the task bar and, in the context menu, select Search and add it to the task bar.

In some instances, a reboot was necessary after this was completed.