How to Secure a Windows VPN with PEAP

Authentication Methods page in the RRAS Remote Access Policy Wizard
Setting up PEAP

In light of last month’s announcement by Moxie Marlinspike and David Hulton that they developed a method for decrypting Windows VPN traffic in under 24 hours, it is now important to stop using MS-CHAPv2 as a means of authenticating VPN passwords.

There is a relatively simple fix for this.  Microsoft VPN servers have the ability to authenticate passwords using another protocol called PEAP, also known as PEAP-EAP-MSCHAPv2.  The only reason one might avoid using PEAP in the first place is that the Microsoft documentation is confusing and describes a requirement for Public Key Infrastructure (PKI) deployment.  The PKI as described in Deploying Remote Access VPNs requires anywhere from one to three servers just to issue certificates.  However, it only specifies the PKI requirement for a slightly different protocol called EAP-TLS.

To be clear, PEAP does not require a full-blown PKI or even an internal Certificate Authority.  You can, in fact, use the same certificate that has been, or would be, issued to a web server for SSL encryption.  There is no reason to add a second certificate just for a VPN server.  This also means there is no investment required in PKI if a free certificate issuer is used, such as startssl.com.

Below is a brief tutorial for configuring an existing RRAS installation with PEAP-MS-CHAPv2.

Continue reading How to Secure a Windows VPN with PEAP

White Templates for GoodNotes

Screen shot of the template import screen in GoodNotes.
Template Import

I’m playing with a note-taking application for iPad called GoodNotes. It has a lot of potential to help replace notebooks for homework. It requires some customization because the default templates have a beige background. Beige is easier to look at on a bright computer screen, but it is impractical when printing. The built-in solution seems to be to export “notes only”. However, I have mixed feelings about printing handwritten notes from lined paper that has no lines.

Here are my customized templates, based on the built-in options, with the background color removed for better printing.

iPad-Size Templates

Portrait (PDF):
  Ruled (lined paper)
  Squared (graph paper)
  Music (staff paper)
  Blank
  Wide Ruled
  Double Ruled

Landscape (PDF):
  Landscape Ruled
  Landscape Squared
  Landscape Music
  Landscape Blank
  Manuscript Ruled

Continue reading White Templates for GoodNotes

XMB Forum Offline

XMB Logo
XMB

The open source community website for eXtreme Message Board forum software went down Friday afternoon.  It is now going on two days of down time, and has been replaced by an “Apache 2 Test Page.”

I wanted to share the news and offer a place for comments.  I am one of the more active members of the community and already received some inquiries about this.

My position as a volunteer developer actually does not include administration of the xmbforum.com server computer.  I was informed yesterday that the server was no longer running and would be restored from a backup copy.  However, there is no current estimate for when the restoration will be done.

Update: A new server has been established at www.xmbforum2.com

Photo Privacy Broken on Facebook Timeline

Have you ever added one of your photos to a Facebook group?  If yes, you might want to delete your photo albums right now.  I discovered today that the Facebook privacy settings for photos do not work.

Inspired by a discussion about social media I heard on NPR, I went into Facebook to do a thorough check and re-check of all of my privacy settings.  Guess what?

Dozens of photos I have on my Timeline are now publicly available.  >:{  Every one of those photos is set to “Friends” only privacy.  When I click the “View As…” option and then “Public”, all of those photos are now appearing on my public Timeline profile.

To confirm this, I registered a fake account that has no friends.  I viewed my own profile using that new account and a different web browser.  When I scrolled down far enough on the Timeline, my old photos started showing up to this newly registered user!

The fake user gets nothing by clicking on the “Photos” section near the top, suggesting this bug is specific to the new Timeline profile feature.

In an unsuccessful attempt to hide the photos, I used my real account to reset the album privacy to “Only Me”.  At this point, the photos were still appearing in the public preview as well as the fake account viewing my real profile.

Continue reading Photo Privacy Broken on Facebook Timeline

Server Monitoring Through DD-WRT

DD-WRT Commands screen with a server monitoring script.
Powerful Little Script

Happy New Year!  I’m kicking off my 2012 blog entries with a fun little hack for Linksys routers.

There are plenty of articles on the web about using DD-WRT to enable router monitoring.  I decided to turn this idea on its head and use my router for server monitoring!  When I realized DD-WRT comes with a sendmail command, I knew this was going to be quick and easy to set up.

This is great for anyone who would like their celly to light up as soon as something goes wrong with an important computer or website.  All of the needed software is already built in to compatible routers, so there is no need to purchase or install a dedicated monitoring system on a separate computer.

By following these easy steps, you can create your own reliable monitoring service.

Continue reading Server Monitoring Through DD-WRT

PERT Chart With Nodes

PERT chart with nodes and a single task
PERT Chart

Visio 2010 is a great tool for designing PERT charts.  Since it lacks some of the shapes needed to easily add and connect nodes with other PERT items, I came up with a few tools to make it easier.

My step-by-step tutorial explains how to create nodes and connections that work seamlessly.  After completing these steps, you will have three new shapes to work with:

PERT Node, PERT Connector, and PERT Task.

Continue reading PERT Chart With Nodes

Windows VPN Keep Alive

Batch file properties window.
Batch Shortcut

I enjoy the one-click facility for connecting to my VPN in Windows XP.  It gets the job done, but I sometimes struggle with the famous dead connection bug.  This is a very common problem in Windows that causes the VPN to become unresponsive after two to five minutes of inactivity, even though the status still says “Connected.”

I created a one-click solution for both connecting and maintaining a VPN.  Setting it up is simple.  It involves just these steps, which I will explain below:

  1. Set the VPN “idle time before hanging up” period to “5 minutes” instead of “never.”  This forces Windows to properly reflect any disconnection.
  2. Create a new batch file, which I have provided below.
  3. Edit the batch file to match the name and address of your connection.
  4. Create a desktop shortcut to the batch file.
  5. Edit the shortcut properties so that the batch automatically runs minimized with a nice icon.
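As an added example of the kind of file step 2 calls for (this is not the author’s batch file, which is in the full post), a minimal connect-and-keep-alive loop built on the standard rasdial command; the connection name and the host to ping are placeholders:

```batch
@echo off
REM Added example of a VPN keep-alive batch file (not the author's file).
REM Placeholders: VPN_NAME is the connection entry name shown in Network
REM Connections; KEEPALIVE_HOST is an address reachable only through the VPN.
setlocal
set "VPN_NAME=My VPN"
set "KEEPALIVE_HOST=10.0.0.1"

:loop
REM rasdial with no arguments lists the entries that are currently connected.
rasdial | find /i "%VPN_NAME%" >nul
if errorlevel 1 (
    echo %date% %time% Connecting to "%VPN_NAME%"...
    REM Dials using the user name and password saved with the connection entry.
    rasdial "%VPN_NAME%"
)
REM Send a little traffic so the tunnel never sits idle long enough to
REM reach the "idle time before hanging up" limit chosen in step 1.
ping -n 1 %KEEPALIVE_HOST% >nul
REM Windows XP has no TIMEOUT command; 61 pings to localhost sleep about 60 s.
ping -n 61 127.0.0.1 >nul
goto loop
```

Because step 1 makes Windows hang up a stalled tunnel after five minutes, rasdial stops listing the entry and the next pass of the loop redials it instead of leaving a dead “Connected” status in place.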

Continue reading Windows VPN Keep Alive

Visio Shapes and Dashed Lines

Navigating the options: More Shapes > Visio Extras > Callouts
Shapes Menus

My Flight Operations professor would like his students to create procedural flow diagrams in Visio 2010 using comment boxes with both solid lines and dashed connectors.  This turns out to be easier said than done because the latest version of Visio has line style “effects” that globally override any dashed connectors.  We can create the comment boxes easily, but how do we get them to automatically show up with specific connector formats?

The answer is to create a custom shape using a connector that is not styled.

My step-by-step instructions will guide you through a procedure to achieve that outcome.  I am providing screen shots as a visual aid, though a corresponding flow chart can be provided as needed.

Continue reading Visio Shapes and Dashed Lines

Windows VPN Requires NTLMv1

LAN Manager authentication level set to Send NTLMv2 response only\refuse LM
Solution Screenshot

I’ve stumbled upon a seemingly undocumented authentication error in the Windows VPN system.

Error 691: Access was denied because the username and/or password was invalid on the domain.

This can be caused simply by elevating the VPN server’s LM authentication level to 5, which refuses the NTLM protocol.  According to KB823659, requiring NTLMv2 should not break Windows XP connections unless older systems are involved.  However, this configuration does cause client and server authentication errors.

Continue reading Windows VPN Requires NTLMv1

Installing APCUPSD for Windows

Apcupsd Setup wizard, Choose Components dialog
The Setup Wizard

What’s big and slow and rarely ever useful?  For one thing, the software that comes with every desktop-grade Uninterruptible Power Supply (UPS) made by APC.  This isn’t news.  I know APC would like nothing more than to have me buy a more expensive piece of hardware that I don’t need, just to get the useful software that I do need.

Enter APCUPSD with USB support for Windows.  It’s free.  It’s open source.  It’s probably not supported by APC, but if you’ve ever tried to get tech support for a desktop-grade APC unit that was connected to a server, you already know APC isn’t going to help you with computer problems.  This free piece of software makes my UPS more useful than just a battery with a power switch.  Now I can have my server send a text message to my mobile phone whenever a blackout strikes my area.  I can see live power management statistics from any web browser in the world, including the one on my phone.  I have fewer things to monitor with regard to uptime, and I love it.

Continue reading Installing APCUPSD for Windows