DGhost's Blog

A sysadmin's thoughts about the Internet and technologies…

April 26, 2024
by DGhost
0 comments

Securing Active Directory

This is a short guide on how to create and configure some essential GPOs (and other stuff) to secure an Active Directory domain from the inside. This has become one of my basic setups when I start working on an AD domain. Most of the time, none of these GPOs will disrupt anything, but it's always important to understand the environment and what the AD domain is hosting for the organization, with all the software, to make sure that those security settings won't break any old legacy applications. As always, do your homework before making any changes in a production env.

This is not a complete guide by itself. It's a quick and dirty patched-up documentation for setting up basic security for an Active Directory domain. If you are into this kind of subject, look into Ping Castle or Purple Knight as a start; these are very useful tools to help you make your AD more secure. There is so much more available for free!


April 14, 2024
by DGhost
0 comments

My Journey in Search of Windows Hello (for Business) – Part 2/3

Alright, part 2 is now available for my journey in search of Windows Hello (for Business). Read part 1 here if you haven't already done so. The second part of this journey will be much shorter compared to the first one, but it's still an important step before proceeding further on our quest. In this scenario, we are going with the setup of “Hybrid Key Trust Deployment”.


April 13, 2024
by DGhost
0 comments

My Journey in Search of Windows Hello (for Business) – Part 1/3

A couple of months ago I had to set up and enable MFA in a hybrid environment of Active Directory on-prem with MS365 and Entra ID (formerly named Azure AD). This is my personal experience of how I was able to accomplish all of this. It was quite a journey because of the complexity and the upgrade path I had to take in order to make all of this work seamlessly.


February 27, 2017
by DGhost
0 comments

The signs of a quality router

Several months ago, my main router, a Ubiquiti Edgepro Lite (3 ports), died. It happened during a power outage; of course, my telecom equipment is plugged into a UPS, but it doesn't send the signal to perform a clean shutdown the way I do for my servers. Anyway, when the power came back, my router booted but no longer worked. The lights came on, but nothing was routing and I wasn't even able to communicate with it, whether through the web interface or a simple ping. Time being too precious a commodity for me, instead of checking what the problem was, I simply decided to use my other old router, a Cisco RV042G, which works very well and, above all, still holds in memory my big set of firewall rules, which takes a long time to reconfigure…


October 20, 2015
by DGhost
1 Comment

Active Directory: Having problems raising the forest functional level?

I gotta say I'm having a hard time giving a good title to this post. This article is mostly a small reminder for myself after encountering small problems when I wanted to add a new Windows Server 2012 DC to an existing Active Directory domain infrastructure. I have a domain with two Windows Server 2008 machines acting as the domain controllers, and my main objective was to add a new DC running on Windows Server 2012 to replace one of the old Windows 2008 servers before it dies.

September 13, 2015
by DGhost
33 Comments

Banning an entire country with IPTables/IPSet

A couple of years ago I would have been shocked by this simple idea: to ban an entire country from ever using the services of one of my publicly hosted servers. I would never have proposed or even agreed to an idea like this. That was a long time ago, and now the landscape of the Internet has changed so much that I've resolved to use this simple, yet so effective, solution. I mean, this goes against the basic nature of the existence of the Internet; information wants to be free and it should be available to anyone who wants to access it, anywhere in this world. And yet, here I am today, banning whole countries from ever reaching the web and email services on some of the servers that I manage. Why? Because I'm tired of some organizations abusing servers. I am tired of constantly checking the status of the networks I must look after. I am tired of seeing that almost 99% of the time, the attacks are always coming from the same countries. So after many years of consideration, in the autumn of 2013, I finally gave in and started banning entire countries with iptables. After many months of using it, the only conclusion that I have is: why haven't I done that before?


August 6, 2014
by DGhost
2 Comments

Centralizing and simplifying your SVN administration

As a follow-up to my popular post on how to set up Subversion with SASL authentication against an Active Directory Windows Server, I've decided to push this further and share how I manage a high number of repositories with SVN on Linux. There are many different solutions for achieving that; everyone has their own custom solution for doing so. Mine was developed after trying some different tools and choosing the ones that did exactly what I wanted. I also had to speak with the development management to get their approval for putting in place a standardized way for the leader of each development team to manage the repositories. So that solution had some technical setup to do, but it was mostly a political challenge because I was now sharing the administration of the repositories with different people. I empowered them with the tools and the rights to create and manage their own repositories. The final result of this was, of course, more security and more options for managing all the different projects under Subversion, and less work for me. Hooray!

July 15, 2014
by DGhost
0 comments

Why should I switch to MariaDB?

Why indeed? That is the question I've been asking myself for the past weeks. I recently had to update some MySQL servers running on Linux; these installations were an old version and I had to bring them up to one of the latest stable versions with PHP for some custom web applications. While doing this operation some weeks ago, I remembered that there was this hot new thing (released in 2009, already) called MariaDB that was created by the original author of MySQL – Michael “Monty” Widenius – who abandoned ship when MySQL was bought by Oracle (inserting the obligatory Star Wars theme, the Imperial March, here). The acquisition of MySQL by Oracle is a little bit more complicated than this summary. So while doing the upgrade, I remembered that I had on my – never-ending – to-do list: try this thing called MariaDB. Not on a production system, but on a less mission-critical server as a starting point to see what the big fuss was about this… thing…