VMware View Single Sign On Timeout -1

Note:  Please do not confuse VMware View SSO with VCenter SS0, they are not the same.

VMware View single sign on (SSo) is enabled by default which is excellent.  The bad thing is that the default timeout setting is set to infinite which is very insecure.  Not having a timeout setting by default means a bad guy could go behind you while you’re taking a bathroom break and back out to “Desktop Library” and choose a different vm that you are entitled and SSO will take the bad guy in without prompting for credential.

The fix is documented since 4.6 release http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.administration.doc/GUID-DB5C245D-AD48-4598-A7C6-C8FC75FC3339.html

Multiple site shows you how to use Windows built in tools ADSI EDIT but I could see why few folks still gets lost using the instruction.  If you follow this instruction, I can guarantee success.

1. Open ADSI EDIT from one of the clustered View Connection Server.    Tip: c:\windows\system32\adsiedit.msc

Without any spaces type “cn:common,ou=global, ou=properties,dc=vdi,dc=vmware,dc=int” to connect to “localhost”

adsiedit 1

2.  Right click the “Common” folder and change the value of “pae-SSOCredentialCacheTimeout” from “-1” to whatever value you want in minutes (mine is 5 minutes).  Hit apply.

adsiedit 2

This will replicate to all the View Connection Server replicas.  I hope you take the time to close this neglected security hole.  I wish VMware have chosen a more secure default value or include this  on the Web Interface but no big deal.  

Cisco Archive command vise AAA accounting for configuration and change management

I have spent my time  for the past few weeks configuring Cisco Secure ACS  Tacacs+ for  Active Directory authentication and authorization.  The AAA accounting for change management however prove to be difficult.   I have used and setup the “Archive” feature for years now, however I did not know that I can send this to a syslog using “notify syslog”.  I actually prefer the “Archive” than the AAA accounting, it is so much simple to setup.

Switch#config term
Switch(config-archive)#log config
Switch(config-archive-log-cfg)#logging enable
Switch(config-archive-log-cfg)#logging size 500
Switch(config-archive-log-cfg)#notify syslog


Switch#sh archive log config all

The configuration I have above will track the user and all the command he/she issues  and store in on the local switch as well as send it to syslog.  May be next article I can do Cisco Secure ACS, but there’s really nothing special there, although I am using the vm version of ACS v5.3 which is probably worth mentioning.

Powershell DOD CRLAutoCache

Certificate Revocation List (CRL) are important for smartcard authentication architecture.  I have mine configured just in case our web connection goes down, user’s will still be able to login using smartcard.  This is ever more important for DoD networks since it is mandated to use smartcard for Windows authentication.  The other alternative for CRL is OCSP, which is the preferred protocol since it uses so much less network resource but does not offer protection when internet connection goes down.  I’m not going to do an in depth explanation of the two since that is not my intention for this blog.

DOD has a nifty tool called CRLAutoCache for automated downloading of CRL.  Unfortunately there is no place to specify a web proxy.  Modern networks utilize webproxy for security purpose so I created a powershell that will download the ALLCRLZIP.ZIP and unzip it to an IIS server.  FYI, this IIS server is also my WSUS so I did not introduce another IIS instance.   You can just copy and paste the code and give it a .ps1 extension (mine is CRL_DOWNLOAD.ps1)

Here it is:

#Create by Totie Bash
#This part will download the zip
$wc = new-object System.Net.WebClient
$webproxy = new-object System.Net.Webproxy(“http://proxy:80”,$true)
$source = “http://crl.disa.mil/getcrlzip?ALL+CRL+ZIP”
$destination = “C:\inetpub\wwwroot\CRL\ALLCRLZIP.ZIP”
$wc.Proxy = $WebProxy
$wc.DownloadFile($source, $destination)

#This part unzips all
$shell = new-object -com shell.application
$zip = $shell.NameSpace(“C:\inetpub\wwwroot\CRL\ALLCRLZIP.ZIP”)
$destination = $shell.namespace(“C:\inetpub\wwwroot\CRL”)
$destination.copyhere($zip.items(), 0x14)

Note:  Sorry about this:

Line 4- proxy:80&#8243  should read just “proxy:80” take off “&#8243
Line 5 – crl.disa.mil/getcrlzip?ALL+CRL+ZIP&#8221 should just read “crl.disa.mil/getcrlzip?ALL+CRL+ZIP” take off “&#8221

– I then created a scheduled task to run every every 4 in the morning to execurte the CRL_DOWNLOAD.ps1 powershell.  Note: I had to change the user that runs this process to “System” and checked “Run with highest privileges”

POWERSHELL -executionpolicy bypass “C:\WINDOWS\CRL_DOWNLOAD.ps1”

– After that I then point my Tumbleweed Desktop Validator (or any DV software) to the interal CRL address as my primary validation and push the config through GPO.