
November 8, 2013

Removing PGP WDE from the command line in OS X or Linux.

Removing PGP Whole Disk Encryption from the command line in OS X or Linux.
These steps were performed on OS X 10.7 and 10.8 but should work on other versions also.


First verify that the drive is encrypted and get the disk number
1. Go to the command line and type "sudo pgpwde --status"
2. You should see a response saying either "Encryption Process is running in the background." or something stating the drive is fully encrypted.


Steps to decrypt
1. Open the command line and type "sudo pgpwde --decrypt --disk # --passphrase ''"
2. Type "sudo pgpwde --status" and you should see "Encryption removal process is running in the background"
3. Continue to monitor the "sudo pgpwde --status" command until the decryption is complete.



If you reboot and notice that the PGP BootGuard is still showing even after decrypting, run the following command.
1. Go to the command line and type "sudo pgpwde --uninstrument --disk 0"



Removing PGP from command line in Windows

First verify that the drive is encrypted and get the disk number
1. Go to the command line and type "pgpwde --status"
2. You should see a response saying either "Disk 0 is Encrypted" or "Encryption Process is running in the background."
3. Make a note of the disk number

Steps to decrypt
1. Open the command line and navigate to the PGP folder inside Program Files (x86)
2. Type the following command: pgpwde --decrypt --disk # --passphrase "universalpassword"
3. Type "pgpwde --status" and you should see "Encryption removal process is running in the background"
4. Continue to monitor the "pgpwde --status" command until the decryption is complete.

October 25, 2013

Embedding Encrypted Passwords in Powershell Scripts



Description: Use the following steps to convert a password into an encrypted string that can be embedded in a PowerShell script.

1. Use the following commands to create the encrypted string. Note: the encrypted string is protected with Windows DPAPI under the user that is logged in, so if a service account is going to run your script, you have to run these commands as that service account.
  • $password = ""
  • $secure = ConvertTo-SecureString $password -force -asPlainText
  • $encrypted = ConvertFrom-SecureString $secure
  • write-host $encrypted

2. Copy the encrypted string above into your powershell script. 
  • $encrypted = "01000000d08c9ddf0115d1118c7a00c04fc2......................................"

3. Now convert that string to a secure string in your powershell script
  • $password = ConvertTo-SecureString -String $encrypted

4. Create a new credential object
  • $cred = New-Object System.Management.Automation.PSCredential $username, $password

5. Now you can use the new credential object in your script.
example:  Invoke-Command -credential $cred -computername "" -scriptblock {get-host}

July 31, 2013

Enabling LDAP over SSL with AD LDS


  1. Create a new server authentication/Web server certificate.
  2. Import the certificate into the Certificates store for the local service of the instance.
  3. Grant Read permission on the server authentication certificate to the account that the LDS service runs as, typically the "Network Service" account.
  4. Open the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and verify that "Network Service", "Administrators" & "System" have read access to all of the certs.
  5. Verify SSL is required on the LDS instance:
    • Open ADSI Edit and connect to the configuration partition of the LDS instance
    • Navigate to CN=Directory Service,CN=Windows NT, CN=Services
    • Right click on CN=Directory Service and select properties
    • Click the msDS-Other-Settings attribute and select edit
    • Verify that RequireSecureProxyBind is set to 1
  6. Restart the LDS instance.
  7. Use LDP.exe to test SSL
    • Open ldp.exe
    • Click connection -> Connect
    • Enter the FQDN of the server
    • Change the port. (Default is 636)
    • Check the box for SSL
    • Click ok to connect.


July 17, 2013

Configuring AD LDS to sync with Multiple AD Domains





Problem


- You have user accounts in two domains that you would like to be able to authenticate from an application that can only look at one LDAP server at a time.

Prerequisites
- Windows 2008 R2
- 2 Active Directory Domains with a trust between the two

Solution:

June 24, 2013

Installing OS X Applications from the command line

1. SSH to the workstation
2. Mount the disk image (.dmg) file using hdiutil
     "hdiutil mount application.dmg"
3. Navigate to the folder that was mounted in the previous command. (Should be inside /Volumes)
     "cd /Volumes/application/"
4. Use the installer application to install the package
     "sudo installer -pkg application.pkg -target LocalSystem"
5. Unmount the disk image
     "hdiutil unmount /Volumes/application/"

June 3, 2013

Advanced Google Search Tips


Google is an indispensable tool for IT professionals looking for assistance troubleshooting tech issues. Below are a few handy Google search techniques I use on a regular basis to help find relevant search results quickly.


1. Search for keywords within a specific site.
Google: dog site:www.animals.com

2. Search based on File Type
Google: linux introduction filetype:ppt

3. Exclude a word from searches by adding a dash (-) before a word
Google: jaguar speed -car

4. Include similar words by adding a tilde sign (~)
Google: ~food facts

5. Search for website title
Google: intitle:jaguar

6. Access Blocked or Unavailable websites using Google Cache
Google: cache:www.tmz.com

7. Search within a range of numbers
Google: cars 30..50 mpg

May 27, 2013

Connecting to a wireless network from OS X command line.


The 'networksetup' utility is very powerful for making network changes to an OS X workstation. Below is the syntax for connecting a machine to a wireless network from the command line.

$ networksetup -setairportnetwork Airport [router SSID] [password]



Additional Resources:
https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/networksetup.8.html

May 20, 2013

Take photos with FaceTime Camera from command line in OS X



Have you ever wanted to snap a photo with your FaceTime camera from the command line in OS X? Now with the help of a small program called ImageSnap you can.

  1. Download ImageSnap
  2. Extract the archive using tar -xvf imagesnap.tar
  3. Run imagesnap
  4. It will create a file called snapshot.jpg


May 13, 2013

Hide or UnHide files or folders from OS X Finder



You can use the chflags command to make a file or folder invisible to the OS X GUI


To hide a file:
$ chflags hidden file.txt


To unhide a file:
$ chflags nohidden file.txt

May 8, 2013

Use caffeinate to prevent OS X from sleeping


OS X Mountain Lion includes a new tool called caffeinate that lets you prevent a machine from going to sleep.

To temporarily disable sleep:
$ caffeinate

To prevent the machine from sleeping for 4 hours:
$ caffeinate -t 14400


Additional Resources:
https://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man8/caffeinate.8.html



May 6, 2013

Installing PGP Whole Disk Encryption on Linux Workstations


Note: This installation was tested on Ubuntu 10.04 64-bit with PGP WDE Version 10.2.0 Build 2233.

Installation
1. Open the terminal and issue the following command:
                - "chmod +x pgp_desktop_10.2.0.2233_linux_ub10.04_x86_64.bsx"
2. Open the terminal and issue the following command:
                - "sudo ./pgp_desktop_10.2.0.2233_linux_ub10.04_x86_64.bsx"
3. Press enter to read the license
4. Type "y" to agree to the terms of the license.
5. Reboot the workstation


Configuring Whole Disk Encryption
1. Make sure the username of the logged in linux user is the exact same as the domain username.
2. Open a terminal
3. Issue the following command to configure PGP to point to your PGP Universal Server
            - sudo pgpconfigure "ovid=&mail=*&admin=1"
4. Reboot the workstation
5. Login as the user that needs to enroll and issue the following command.
           - pgpenroll --enroll (Note: Do not use sudo)
6. When prompted for a username, type your domain credentials
7. And you should see output similar to the screen below.



8. Now reboot the workstation and you should be presented with the grey bootguard.
9. Type your password and hit enter.
10. Once you load the desktop open the terminal
11. To verify whole disk encryption is enabled run the following commands.
                "pgpwde --status"

12. The output should confirm that the disk is either encrypted or in process of encrypting.





April 22, 2013

Modifying Login Screen Options on Ubuntu 12


Below are tips for modifying the login screen on Ubuntu.


Tip 1: Enable the "other" user option on login screen
1. Open /etc/lightdm/lightdm.conf
2. Add the following line to the file
     "greeter-show-manual-login=true"
3. Restart the lightdm service or reboot the machine
     "sudo service lightdm restart"


Tip 2: Hide all user accounts on login screen
1. Open /etc/lightdm/lightdm.conf
2. Add the following line to the file
     greeter-hide-users=true
3. Restart the lightdm service or reboot the machine
     "sudo service lightdm restart"

Tip 3: Disable Guest login
1. Open /etc/lightdm/lightdm.conf
2. Add the following line to the file
     allow-guest=false
3. Restart the lightdm service or reboot the machine
     "sudo service lightdm restart"


Tip 4: You can script changes to this config file by using the following command
     /usr/lib/lightdm/lightdm-set-defaults
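
Tips 1 to 3 applied in one idempotent pass, as an added example that is not part of the original post: hiding the user list, forcing manual username entry and disabling the guest session together stop the greeter from disclosing account names or offering an unauthenticated session. The function names are made up for the example, and it assumes the options belong in the [SeatDefaults] section, as in a stock Ubuntu 12.04 lightdm.conf.

```sh
#!/bin/sh
# Added example: set_lightdm_option and harden_greeter are illustrative names.
# Assumption: options live in the [SeatDefaults] section, written as key=value.

# Set KEY=VALUE inside [SeatDefaults] of FILE: replace an existing entry,
# append to the section if the key is absent, create the section if missing.
set_lightdm_option() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || touch "$file" || return 1
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        # Emit the setting once, only while we are still inside [SeatDefaults]
        function emit() { if (insec && !wrote) { print k "=" v; wrote = 1 } }
        /^\[/ { emit(); insec = ($0 == "[SeatDefaults]"); if (insec) seen = 1 }
        insec && index($0, k "=") == 1 { emit(); next }   # replace, drop duplicates
        { print }
        END { emit(); if (!seen) { print "[SeatDefaults]"; print k "=" v } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file owner and mode
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Apply the three settings from Tips 1-3 to FILE (default: the system config).
harden_greeter() {
    f=${1:-/etc/lightdm/lightdm.conf}
    set_lightdm_option "$f" greeter-show-manual-login true &&
    set_lightdm_option "$f" greeter-hide-users true &&
    set_lightdm_option "$f" allow-guest false
}

# Usage as root: sh lightdm_harden.sh apply && service lightdm restart
if [ "${1:-}" = "apply" ]; then harden_greeter; fi
```

Running it a second time leaves the file unchanged, so it is safe to push from a configuration-management job.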

January 28, 2013

Securing Linux Workstations from Data Leakage


If you have Linux workstations in your corporate environment you should be addressing the issues regarding data leakage. Below are the steps I have taken to block writing to USB storage devices.


Disabling USB storage devices

Linux uses a module called "usb_storage" to mount external usb storage devices. If you are interested in stopping a user from mounting external usb storage follow the steps below.


  1. Create a file called "usb_storage.conf" in the /etc/modprobe.d/ directory.
  2. Open the file, enter "blacklist usb_storage", then save and close the file.
  3. Reboot the workstation
  4. Plug in a USB storage device and you should see that the device does not get auto mounted





Additional Tips

lsmod - shows what modules are currently loaded
modinfo - shows information about module


modprobe -r usb_storage - Can be used to unload the usb_storage module
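
An added example, not part of the original post: POSIX shell functions that write the modprobe.d file from the steps above and audit the result against the loaded-module list. It goes one step further than the post by also writing an `install usb_storage /bin/false` line, because `blacklist` only stops automatic loading and an explicit `modprobe usb_storage` would otherwise still succeed; the function names and the directory arguments are assumptions made for the example.

```sh
#!/bin/sh
# Added example: function names are illustrative, not from the original post.

# Write DIR/usb_storage.conf (DIR is /etc/modprobe.d on a real system; needs root).
write_usb_block() {
    conf="$1/usb_storage.conf"
    ( umask 022; cat > "$conf" <<'EOF'
# Stop alias/udev-triggered automatic loading of the driver
blacklist usb_storage
# Make an explicit "modprobe usb_storage" fail as well
install usb_storage /bin/false
EOF
    ) || return 1
    printf '%s\n' "$conf"
}

# Succeed if module NAME appears in a /proc/modules-format file.
module_loaded() {
    name=$1 file=${2:-/proc/modules}
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$file"
}

# Check that both directives are present and that the driver is not loaded now.
audit_usb_block() {
    conf="$1/usb_storage.conf" modules=${2:-/proc/modules} rc=0
    grep -Eq '^blacklist[[:space:]]+usb[-_]storage$' "$conf" 2>/dev/null ||
        { echo "FAIL: no valid 'blacklist usb_storage' line in $conf"; rc=1; }
    grep -Eq '^install[[:space:]]+usb[-_]storage[[:space:]]+/bin/false$' "$conf" 2>/dev/null ||
        { echo "FAIL: explicit 'modprobe usb_storage' is not blocked"; rc=1; }
    if module_loaded usb_storage "$modules"; then
        echo "FAIL: usb_storage is loaded; reboot or run 'modprobe -r usb_storage'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: usb_storage is blocked and not loaded"
    return "$rc"
}

# Usage as root: sh usb_block.sh apply   or   sh usb_block.sh audit
case "${1:-}" in
    apply) write_usb_block /etc/modprobe.d ;;
    audit) audit_usb_block /etc/modprobe.d ;;
esac
```

The audit rejects a line that names the file instead of the module (for example `blacklist usb_storage.conf`), which modprobe would silently ignore.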