|
Thanks, I will give it a try.
Opacity, the new Transparency.
|
|
|
|
|
hi,
I got a problem with browser credential forwarder. In my network I have ISA server 2004 which configure to control internet access of client machine. The rule that I configure is allow all user to access internet. the only setting that I set is allow user must be authenticate. All of my user are logon using domain credential.
The problem occur because sometime user A could access to website but sometime could not. As I check with the ISA log, I found that the browser did not forward user credential by default. that is why my firewall ISA do not allow the traffic.
so, how could i changed any setting to allow the browser always send credential forwarder to my ISA server to avoid any problem of accessing the internet?
thank,
|
|
|
|
|
Make sure they have "Automatic logon with current username and password" is enabled. To find this open Internet Options, Security, Custom Level, Scroll down to the bottom, and there it shall be.
Another spot to check would be to change "automatically detect settings" in LAN connections in Internet Options. This has caused me grief in the past.
Something worth reading, albeit it's invincible!
|
|
|
|
|
So, I've got a system equipped with a card reader (that I can boot from), a solid-state drive, and 2 conventional hard drives. I want to install Ubuntu on it and have all of it (except the boot partition because it can't) be fully encrypted.
Just so there's no confusion here:
- Full disk encryption: the use of disk encryption software or hardware to ensure that every (or almost every) bit persisted in storage is encrypted and unreadable to unauthorized users. That means anything on the disk that can be covered by encryption will be covered by encryption.
- Linux newbie: Yes. That's me.
- The setup I'm trying to achieve: (Click to see the diagram. [^])
I've already done this successfully using Windows BitLocker on the same system (though I had to apply some blunt-force trauma to get it to do what I want, and it boots without prompting for a password). The same seems to take a bit more work under Ubuntu since the official installers won't perform full-disk encryption without forcing me to type the same passphrase for every partition that needs to be decrypted.
From what I've read elsewhere, I've got a general idea what I have to do (install normally, move directories, change mount points, modify fstab and cryptab), but nothing concrete.
My GUID: ca2262a7-0026-4830-a0b3-fe5d66c4eb1d 
Now I can Google this value and find all my Code Project posts!
|
|
|
|
|
|
I've read the first two before posting, but the third one pretty much describes the same thing. The problem I have with the official installer's behavior is that it requires typing in a password for every single encrypted device even and doesn't give the option to use a single password to decrypt all of them—hence my desire to introduce a "key partition" in a removable medium to handle automatically decrypting them; I would only have to type in the password for the key partition achieving a convenient 2-factor authentication setup.
My GUID: ca2262a7-0026-4830-a0b3-fe5d66c4eb1d
Now I can Google this value and find all my Code Project posts!
|
|
|
|
|
There are systems (like MobileArmor/DataArmor, which I used previously) that encrypt under the OS. My company uses one by McAffee that is smart enough to log me into Win7 without a 2 password requirement, though Win7 handles login from locked system.
I'd google FIPS 140-2 and linux.
Here is an open source system that rides under linux[^]
I suspect there are others. FIPS 140-2 is one of the NIST certifications for encryption sw. It was the standard a DoD project I worked on used. Good luck.
Opacity, the new Transparency.
|
|
|
|
|
Lee, Gun-Woon,
Just to pitch in my two cents... You may not be able to achieve what you want with a solution other than TrueCrypt. The only reason I say that is because you made it very clear that you want...
Lee, Gun-Woon wrote: "...every (or almost every) bit persisted in storage is encrypted and unreadable to unauthorized users."
However, you very likely already know that there are elements on the disk that cannot be encrypted (ie: boot partition). There is one additional element that cannot be encrypted using any FDE software that boots from the same disk (or any that I am aware of) - the partition definitions (ie: start and stop LBAs).
The reason TrueCrypt is excellent in a situation like this is because it can create an altogether hidden operating system[^]. Their methods are rather tactful and if your situation requires security that can thwart others' attempts at getting to your data *even after you give them the pre-boot authentication password*, than this is what you want.
Now, about your BitLocker setup. The reason BitLocker isn't requesting a password for it's pre-boot authentication is because your motherboard has something called a Trusted Platform Module (TPM) installed on it. You probably already know that since you likely had to activate the thing before the encryption process could start. Anyway, the TPM holds the en/decryption keys to your encrypted partition. When the system boots, the system partition (Windows' 100MB boot partition) authenticates with the TPM, exchanges keys, and boots the encrypted partition by decrypting it on-the-fly. When the TPM is locked or the disk configuration changed, or the disk is booted on a different system, or any number of things - this will cause Windows to start the BitLocker bootloader in a recovery mode. You will be prompted for a password if and when this occurs.
I'm also new to Linux myself (I've been aspiring to the genius required to understand Unix's simplicity[<ahref="http: en.wikipedia.org="" wiki="" unix_philosophy"="" target="_blank" title="New Window">^] for some time now...). Anyway, I think you'll be hard pressed to find an Open Source Software (OSS) implementation of a FDE package that supports hardware en/decryption components. The only one I've seen that can use a TPM is TpmCrypt[^] (which, ironically, seems to have an invalid certificate for their website!).
Moving along to your specific desired setup - the partitioning scheme you have illustrated is possible with TrueCrypt. Now, there is the normal way of doing things - then there is tuning the system for every last drop of performance possible. Here's a quick exit - if you'll be installing the entire system to the SSD, don't bother with tuning the partitions. It won't gain you anything.
If you'll be using any portion of the ATA/SATA disks, then you'd do well to put the swap partition on the SSD. This is important with any non-hardware en/decryption solution because all of the data must be en/decrypted either in RAM or in swap space (even if the encryption software pushes all of the normal memory functions to swap and reserves the physical RAM for itself, you'll still want to make sure that your swap disk is fast enough to keep up). Anyway, I'll let you figure out the rest of the partitioning.
Let me know what you end up doing, I'm interested to find out what route you take!! I just recently made the switch to Linux on my personal computer and am currently trying to get my way through some of the rough spots associated with the switch. Three main areas that are giving me nightmares are GRUB, RAID, and FDE.
|
|
|
|
|
I actually have TrueCrypt working on my other Ubuntu installations, but they just protect the files and not the entire system[^]. It's one reason TrueCrypt isn't an option.
For my Windows BitLocker setup, I built the entire system myself. I couldn't find any motherboard with a TPM, so I had to make a few group policy changes as an administrator to force BitLocker to work without it. Using the command line tools for managing BitLocker, I made it deposit the boot key in the 100MiB system partition; since the system partition resides on a removable medium there's nothing an attacker can tamper with on the hard drives but pure "random" bits.
As for the setup I'm trying to achieve, Linux's dm-crypt is pretty much the only free and flexible solution that I know of that allows for it. In fact, I've gotten as far as make it work like in the diagram[^] (2-factor authentication and all) except it asks for the password 4 times (once for each partition). It's quite annoying and an issue that I'm willing to investigate how to eliminate in an otherwise perfect setup.
My GUID: ca2262a7-0026-4830-a0b3-fe5d66c4eb1d
Now I can Google this value and find all my Code Project posts!
|
|
|
|
|
|
Why must you "do away" with "My Documents?"
Why don't you simply not store anything there?
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
I'd use "Map Network Drive" rather than UNC; and set sharing options.
|
|
|
|
|
As I recall in XP you can right click on 'My documents', go to properties and move where it lives.
I'm not sure if that's what you need but that might help you.
I don't know if the others have the same method.
Why are you running any windows before xp? And why Vista at all?
I'm curious, I can imagine a few reasons but they have to do with specialized hardware/software.
_____________________________
Give a man a mug, he drinks for a day. Teach a man to mug...
The difference between an ostrich and the average voter is where they stick their heads.
|
|
|
|
|
Hi, Thanks
A Very Helpfull Hint. I will work on that to start cleaning up my own shop.
smcnulty2000 wrote: Why are you running any windows before xp? And why Vista at all?
I'm
curious, I can imagine a few reasons but they have to do with specialized
hardware/software.
Well, I developed a package to run Laundrettes and Drycleaners. The Latest Upgrade will run on Win98. It runs more reliable on Win XP. However, that's no longer for sale. We offer Win XP Computers for sale, but they are recycled. The day of having those available will run to an end Some Day.
In the near future, we will have to start recycling Vista Computers.
There are only a few of our customers that have more than One terminal. The main support concern has actually nothing to do with us, but, they are still our customers, and we try to help.
Everybody on Every Terminal is signed on as Administrator. (Do not lecture me on how bad an Idea that is, I've written several GigaByte of messages on this forum about why this is required, and Very Safe in the Environment used.)
It works all very fine for our own software, but, when a User saves say a Letter from MSWord under My Documents\Letters\Company, it is Everybody's guess where it is being Stored.
The bottom line is, we need a Single 'My Documents' Folder, which always points to a Single Folder on One Single Computer.
Regards,
Bram van Kampen
|
|
|
|
|
I believe they call that a network share...
As someone stated above, map a drive on each PC...you can edit the default location of the My Documents in Regedit as well.
Something worth reading, albeit it's invincible!
|
|
|
|
|
Not sure if this is the correct forum but didn't know where else to put it.
I have a few (actually a lot) of clients still on XP SP3 using various versions of Internet Explorer. They download files from a particular Web site where the files have non-standard file extensions like .2345 or .522AB. On a couple of systems the Save Type As defaults to Text and then appends a .TXT extension to the file. I need the files to have the original extensions.
I've tried adding the extensions to Registered File Types and I've looked everywhere for a default download file type, but can't find anything. Also searched the Web (honest) but am stumped and it's driving me crazy.
It’s not because things are difficult that we do not dare, it’s because we do not dare that things are difficult. ~Seneca
|
|
|
|
|
[Probably lives in web dev forum, but I'll answer here.]
If you have control/influence over the server, check and adjust the Content-type and Content-Disposition HTML meta headers. If the browser they use has a single brain cell left, you should be able to tell it (a) that the file is plain text and (b) [edit] where (i.e. the filename) [/edit] to save it by default.
hth
Peter
[edit] clarified use of disposition as marked. [/edit]
Software rusts. Simon Stephenson, ca 1994.
modified 15-Dec-11 19:06pm.
|
|
|
|
|
Thanks for the reponse but this isn't a programming question. What I can't figure out is how IE should be configured so that there is no default file type when downloading files for extensions it doesn't recognize.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
|
|
|
|
|
|
AnnieMacD,
It sounds to me as if the Systems Administrator may have enabled MIME Sniffing Safety which essentially causes Internet Explorer to inspect the first N-Bytes of the file and attempt to automatically determine the MIME type and disregard the file extension. This is generally desirable on a high-security network... where EvilHackerX wants you to download EvilPayload.txt but it is actually an executable... the MIME Sniffing Safety feature would read the first few bytes and see that it is actually an executable and correctly rename it to EvilPayload.txt.exe
Check those workstations by going into the group policy editor (gpedit.exe) and navigate to:
\\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Feature
Check to see if disabling this feature fixes the issue you are describing.
Best Wishes,
-David Delaune
|
|
|
|
|
Thanks, I think this is what I was looking for. I'll try it out at the beginning of the week - hopefully that will do it.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
|
|
|
|
|
AnnieMacD wrote: Thanks, I think this is what I was looking for.
Well let me know how it turns out. Keep in mind that even if the domain/workgroup policy is 'Not Configured' that the user may have enabled this feature in the browser itself. You can view this by opening Internet Explorer 'Internet Options' and navigating to the 'Security' tab and pressing the 'Custom Level' button... scroll through the settings until you find 'Enable MIME Sniffing'. It it possible that the users have enabled it here.
You could force the policy of 'Disabled' upon your subordinates through the group policy editor.
Btw... I am serious about letting me know if this was the cause of the problem. I am somewhat making an educated guess at what causes the issue you describe.
Best Wishes,
-David Delaune
|
|
|
|
|
David, I really appreciate your help/advice. I can't check my clients' machine until Monday but I still have one computer here with XP SP3 and IE7. It would appear that the option in IE7 is "Open files based on content, not file extension". I have mine set to 'enabled' and I don't have the problem. But I will set theirs to 'disable'.
BTW I assume you are working on Windows 7. Under XP (at least on my local machine), the Group Policy Editor does not have an Internet Explorer option under \\Administrative Templates\Windows Components.
Even if this doesn't work you have helped me a lot in that I wasn't aware of the MIME Sniffing Safety feature. Funny thing is my app does a similar thing with these crazy-named files that the users download - it opens them up and then acts on them depending on the first few characters. Trouble is, I have no interest in .TXT files!
I will most definitely let you know how it gets resolved.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
|
|
|
|
|
AnnieMacD wrote: It would appear that the option in IE7 is "Open files based on content, not file extension".
I just checked and you are correct... on Windows XP this IE8 security feature is called 'Open Files based on content, not file extension'.
AnnieMacD wrote: BTW I assume you are working on Windows 7.
Yep, your psychic abilities are working very well.
AnnieMacD wrote: Under XP (at least on my local machine), the Group Policy Editor does not have an Internet Explorer option under \\Administrative Templates\Windows Components.
Interesting... all 13 XP-Sp3 workstations here in my lab have \\Administrative Templates\Windows Components\Internet Explorer in the group policy editor. I guess the IE8 and IE9 installers adds this. I would suggest that you install:
Administrative Templates for Internet Explorer 7 for Windows[^]
I highly recommend that you upgrade all workstations under your control to IE8 or IE9.
Best Wishes,
-David Delaune
|
|
|
|
|
Thanks again, David, for your help. The Administrative Templates are for XP SP2 but I downloaded them anyway but made no difference - still not there.
I'm afraid I'm in the unfortunate situation of not having much influence on what my clients have on their machines. It took me a long time to convince the non-Win7 ones to upgrade to SP3 of XP - I'm developing in .NET 4 and the Client will not install on SP2. I only keep XP and IE7 for support purposes but can't have every combination!
Monday I'll change the "Open files based on content, not file extension" option and that may fix it, and I'll let you know if it works.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
