LedHed's Wiki - New pages [en]

ADCS HTTP CDP

2025-09-25T03:57:17Z

Ledhed:

== Overview ==
CRL Distribution Point (CDP) must be published in a certificate to that the client can verify whether a certificate has been revoked. By default Active Directory Certificate Services (ADCS) publishes these in LDAP and adds them to the CDP/AIA settings of the certificate template. This is less than ideal because not all devices on the network have access to query LDAP (at least they shouldn't if you have your LDAP to require authentication). The solution to this is to publish CDP/AIA information on a web/http server that all devices on the network can access.

== Quick -n- Dirty ==
* Create DNS entries (pki.yourdomain.tld or crl.yourdomain.tld, etc...)
* Install IIS (not on the server hosting ADCS)
* Create a directory named (CRL, CDP, PKI, etc...)
* Share that directory (hide it with a trailing $, PKI$), granting the 'CertPublishers' AD group read/write access (this should grant the ADCS Root CA access to publish the CRL file)
* Create virtual directory pointing to the directory you just created (PKI)
* Add the following entries to the Certificate Template's CDP settings under the Extensions tab
<pre>
file:\\pki.yourdomain.tld\CDP$\<CaName><CRLNameSuffix>.crl
http://pki.yourdomain.tld/<CaName><CRLNameSuffix>.crl
</pre>
* The file:// entry will cause the CA to publish the CRL to this path any time a new CRL is generated
* The http:// entry will tell the client where to find the CRL via the http protocol
* Add the following entry to the Certificate Template's AIA settings under the Extensions tab
<pre>
http://pki.yourdomain.tld/<CaName><CRLNameSuffix>.crl
</pre>

== Reference ==
https://security.stackexchange.com/questions/206243/how-to-automate-publication-of-crl-and-crt-files-to-cdp-and-aia-location 
https://www.youtube.com/watch?v=U9gDL4GsJxs

[[Category:Windows]]
[[Category:Active Directory]]
[[Category:PKI]]

MacOS Create Bootable USB

2025-01-07T09:06:16Z

Ledhed: Created page with "== Overview == This article will provide steps on how to create a bootable USB stick for bare metal installations of MacOS. == Download OS == === Browser/App Store === From..."

== Overview ==
This article will provide steps on how to create a bootable USB stick for bare metal installations of MacOS.

== Download OS ==
=== Browser/App Store ===
From a Mac, open Safari and browse to
https://support.apple.com/en-us/102662#appstore
Click the link for the OS version supported by your hardware.
This will likely open the App Store, click [Get] and you'll be presented with an option to download (or possibly upgrade).

=== Terminal ===
Open a terminal and navigate to your Downloads folder.
Show available installers for your hardware:
softwareupdate --list-full-installer
You'll see a list of installers, make note of the version number you'd like to download.
Finding available software
Software Update found the following full installers:
* Title: macOS Monterey, Version: 12.7.4, Size: 12117810KiB, Build: 21H1123
* Title: macOS Big Sur, Version: 11.7.10, Size: 12125478KiB, Build: 20G1427
* Title: macOS Catalina, Version: 10.15.7, Size: 8055650KiB, Build: 19H15

Grab the version number and run this command:
softwareupdate --fetch-full-installer --full-installer-version 12.7.4

== Create Media ==

== Command Line Tools ==
softwareupdate --list-full-installer

softwareupdate --fetch-full-installer

== Reference ==
https://geekschalk.com/how-to-download-macos-installers-for-new-old-versions/

https://support.apple.com/en-us/102662

https://support.apple.com/en-us/101578

[[Category:MacOS]]

Windows Service Permissions

2024-04-04T07:06:31Z

Ledhed:

== Overview ==
Sometimes you need to grant a non-administrative user or group access to manage the state of a Windows service.

== DISCLAIMER ==

This article uses some advanced administration steps. Any mistakes could put your service or system in an inoperable state. 
Sanity check the steps below, I tend to paraphrase so use your best judgment. If you're unsure of what this article is doing, DON'T DO IT! 
'' '''I AM NOT RESPONSIBLE FOR ANY DAMAGE YOU MAY CAUSE BY FOLLOWING THIS ARTICLE!''' ''


== Security Templates Snap-In ==
* Open MMC.exe as administrator
* Add Snap-In 'Security Templates'
* Right click -> 'New Template'
* Expand the tree and click 'System Services'

Find the service(s) you want to modify permissions on edit. Check [X] Define this policy in the template. Then click the 'Edit Security' button. Add permissions to your liking, click ok when finished.
Right click the Template and click 'Save'

'''''CAUTION: Make sure your permissions at minimum have one account that has 'Full Control', otherwise you'll make it difficult to regain access to the service.'''''

== Security Configuration and Analysis Snap-In ==
While in the elevated MMC.
* Add Snap-In 'Security Configuration and Analysis'
* Right click -> 'Open Database'
* In the file dialog, navigate to the path you'd like to save your new security database, enter a name in the 'File name:' field and click 'Open'
* You should be prompted to select a Security Template to associate to the new DB, select the .inf file from the previous step.
* Right click -> 'Analyze Computer Now...'
* Expand the tree and click 'System Services', you should see a list of services with a red circle in the icon, this indicates deviations form the security template.
* Right click -> 'Configure Computer Now...'
At this point your service permissions should be set. Have the non-admin user test out their new access. If there are any errors, check the Security Configuration logs (probably saved in a log folder in the parent folder of where you saved the Template)

'''''NOTE: When I checked the 'System Services' I got an error saying something to the effect that it couldn't read the template. Fortunately, I did this on a test server so I ignored the error and the service permissions applied just fine. It also pays to have a current backup/snapshot.'''''

== Suggestions ==
* I highly advise using a group for permissions, especially in this scenario. It may be that you only need to grant one user access to restart a service, but if you have to add another (say because the previous user got hit by a bus), you just need to add the new user to the group rather than jump through all the MMC/Security Template nonsense all over again. Spend the extra 30 seconds and do your future self a huge favor.
* Managing permissions on Windows Services are a major pain. I don't know why MS didn't add a security tab to the Services MMC. That said, you should absolutely take a backup/snapshot of the system before making changes to services. If you lock yourself out of a service, reverting a snapshot is way faster than trying to figure out how to re-apply default permissions to a service.

== Reference ==
https://www.scriptinghouse.com/2017/04/set-windows-service-permission-to-non-administrator-accounts.html

[[category:Windows]]

Kerberos and CNAMEs

2023-06-30T04:57:58Z

Ledhed:

== Overview ==
By default Kerberos authentication will fail when accessing a server using a DNS Alias / CNAME.

== Solution ==
Create an alias for the host in Active Directory using the 'netdom' command:
netdom computername <FQDN> /Add:<ALIAS>

Example: 
Server's FQDN = FileServer-01.domain.tld 
CNAME/Alias = FS1.domain.tld 
netdom computername FileServer-01.domain.tld /Add:FS1.domain.tld

The netdom command registers a SPN for the server using the provided alias.

== References ==
https://serverfault.com/questions/481289/will-kerberos-work-with-cnames-if-i-have-the-spn-created-for-the-a-record-as-wel

[[Category:Active Directory]]

Ubuntu Resize Disk

2023-02-14T09:11:11Z

Ledhed: Created page with "== Overview == Sometimes you have to resize a VMs disk. This is a fairly trivial process, open the VMs settings, increase the disks size. Go to guest and resize the partition..."

== Overview ==
Sometimes you have to resize a VMs disk. This is a fairly trivial process, open the VMs settings, increase the disks size. Go to guest and resize the partition and filesystem, done! 
What happens if your VM doesn't see the increase in disk size?

== Ubuntu (and probably other flavors of Linux) ==
As root run the following command to initiate a rescan of the disk.
echo 1 >/sys/class/block/sdb/device/rescan

You can verify the size changes by running:
fdisk -l /dev/sdb

You can also grow the partition by running:
growpart /dev/sdb 1
This will grow the first partition to fill the disk

You can also resize the filesystem by running:
resize2fs /dev/sdb1

== Reference ==
https://kerneltalks.com/disk-management/how-to-rescan-disk-in-linux-after-extending-vmware-disk/

[[category:Ubuntu]][[category:Linux]][[category:ESXi]]

Ubuntu 22.04 Autoinstall

2022-08-24T15:01:53Z

Ledhed: Created page with "== Overview == This article will explain how to create a custom USB Boot disk for automatic installation of Ubuntu 22.04 including an answer file. == Quick-n-Dirty == === In..."

== Overview ==
This article will explain how to create a custom USB Boot disk for automatic installation of Ubuntu 22.04 including an answer file.

== Quick-n-Dirty ==
=== Installation Media ===
Partition USB stick into 2 pieces 
Partition 1 = 16M, EFI, Format FAT32 
Partition 2 = 4G, MS Dos, Format FAT32 

'''Mount Partition 2''' (make sure to use the right device, you can check with lsblk)
mount /dev/sdb2 /mnt

'''Extract ISO to Partition 2'''
7z -y x ubuntu-22.04.1-live-server-amd64.iso -o/mnt

'''Edit /mnt/boot/grub/grub.cfg'''
Add these lines after the end of the first 'menuentry'
menuentry "Auto Install Ubuntu Server" {
set gfxpayload=keep
linux /casper/vmlinuz autoinstall quiet ---
initrd /casper/initrd
}

'''Update /mnt/md5sum.txt'''
cd /mnt
md5sum ./boot/grub/grub.cfg >> /mnt/md5sum.txt
Remember to delete the old grub.cfg line.

'''Create an efi directory under /mnt/boot/''':
mkdir /mnt/boot/efi

'''Mount Partition 1'''
mount /dev/sdb1 /mnt/boot/efi

'''Install grub on Partition 2''' (this assumes the system is x64 UEFI):
grub-install --boot-directory=/mnt/boot /dev/sdb2

'''Unmount Partition 1, then Partition 2'''
umount /mnt/boot/efi
umount /mnt

=== Answer File Media ===
'''Generate a user-data file''', this is most easily done by copying one from a manual installation. This file can be found at:
/var/log/install/autoinstall-user-data

'''Generate a meta-data file''', this file is typically empty.
touch meta-data

'''Create the answer-file.iso'''
cloud-localds ./answer_file.iso user-data meta-data

'''Burn answer-file.iso to a USB stick.'''

''' Unmount the Answer File USB stick'''

=== Boot it! ===
Insert the newly created Installation USB stick and invoke your system's boot menu (F11 perhaps).
* Highlight Partition 2
* Insert the Answer File Media
* Press [Enter]
The system should install unattended including the network settings, user credentials, and packages you selected when generating the user-data file on the manual installation.

== Reference ==
https://ubuntu.com/server/docs/install/autoinstall
 
https://cloudinit.readthedocs.io/en/latest/topics/datasources/nocloud.html
 
https://github.com/covertsh/ubuntu-autoinstall-generator/blob/main/ubuntu-autoinstall-generator.sh#L249
 
https://linuxconfig.org/ubuntu-autoinstall-example
 
https://gist.github.com/jamiekurtz/26c46b3e594f8cdd453a

[[Category:Ubuntu]]

Regex Examples

2022-07-14T11:21:30Z

Ledhed: Created page with "== Overview == Here are some common examples of Regex used for form validation. == Phone Numbers == == Email Addresses == == IP Address Validation == === IPv4 Address ===..."

== Overview ==
Here are some common examples of Regex used for form validation.

== Phone Numbers ==

== Email Addresses ==

== IP Address Validation ==
=== IPv4 Address ===
^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$

=== IPv4 Subnet in CIDR Notation ===
^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)($|/([0-9]|[12][0-9]|3[0-2]))$

== References ==
https://www.regextester.com/

https://www.regextutorial.org/regex-for-ip-address-match.php

https://stackoverflow.com/questions/12141206/ipaddress-or-cidr-block-matching-regex

[[Category:Regular_Expression]]