Tagged with 'security'
Removing Staples: Moving Away From Let's Encrypt OCSP Stapling
- February 03, 2025
- 5 minutes
- certbot, inspiration, security, tech, website
Last summer, Let's Encrypt announced their intent to end their OCSP service, and this was formalized in December with key dates related to the change. Near the end of January, I also received a direct email from Let's Encrypt detailing certificates of mine that had been configured with the "Must Staple" property.
Exporting Full MySQL Database Tables on Ubuntu
- August 19, 2024
- 5 minutes
- inspiration, mistakes, security, tech
...or, How I Suffered Through an 'If it Can Go Wrong, it Will Go Wrong' Scenario for a One-Off Export of Database Tables
This is one of those posts I'm writing up because in the moment I was so incredibly frustrated about how unnecessarily complex this action was, and I still have the various browser tabs that ultimately provided me the necessary bits open. I write this mostly for Future Me should I need to do something like this again.
Setting Up SSH Key Authentication: 2024 Edition
- June 10, 2024
- 3 minutes
- automation, inspiration, security, tech
A recent project I worked on required setting up more SSH key authentication, and seeing as how I'd not written about it for two years since the last iteration, it seems fitting to do another quick primer on setting that up for SSH...the 2024 edition.
Addressing Firmware Updates for Dell Latitude 54X0 in a Task Sequence
- April 24, 2023
- 8 minutes
- automation, inspiration, mistakes, powershell, security, tech
For about two years we fought with getting firmware (BIOS) updates to install on our Dell Latitude 54X0 models during their build/rebuild using a MEMCM task sequence. No matter what random trick I tried or thing I read, I just couldn't get the update executable to successfully apply the update in our primary build/refresh task sequence. Our techs (self included) would have to apply the update manually after devices were [re]built.
Semi-Automatically Offering Dell BIOS/Firmware Updates
- April 10, 2023
- 9 minutes
- automation, inspiration, powershell, security, tech
Several years ago I implemented a mechanism in our primary [re]build [Configuration Manager/MEMCM/SCCM] task sequence to address upgrades of our fleet's firmware (BIOS). On the whole, the process has worked very well and definitely helped keep things updated. However, this process only upgraded device firmware during a [re]build cycle which works great for our multi-user devices receiving an annual refresh; for high-affinity devices a rebuild happens once every 3-5 years and is usually associated with some form of attrition or replacement.
Upgrading All The Things to Ubuntu 22.04
- February 13, 2023
- 5 minutes
- inspiration, mistakes, php, security, tech
One of my "winter break" projects this year was to get all of my disparate Ubuntu server instances upgraded and into parity. Last year I wrote about my adventure moving WSL Ubuntu from 18.04 to 20.04, which happened before 22.04 was officially released. In that process I noted the longer-term target of moving to 22.04 which brings us to the here and now!
DMARC: Moving to a Monitor-As-Necessary State
- June 27, 2022
- 3 minutes
- inspiration, security, tech
After a year-and-a-half of implementation (mostly monitoring), it is time to switch to a 'steady' or 'monitor-as-necessary state' for all of my things DMARC. I've written about this journey before, with the last major summary in November, 2021.
Upgrading an Old Application to 21st Century Passwords
- June 13, 2022
- 7 minutes
- automation, inspiration, mistakes, php, security, tech
I have a confession to make: I've ignored a Really Bad Password Form on an inherited web application for about at least a decade too long.
I'm not proud, but every time I considered changing the password mechanism to something more modern (and more secure), decision paralysis would set in...in great part due to the design challenges I anticipated in quietly upgrading this for users of the app in question.
In-Place Upgrade of WSL Ubuntu 18.04 to 20.04
- April 25, 2022
- 5 minutes
- inspiration, mistakes, php, security, tech
About two months back (early March to be exact), I had the opportunity to finally deprecate some old versions of applications and packages due to planned retirements and upgrades. Most specifically a full-on move to PHP 7.4 was in sight, though there were other bits. I run and have access to a bunch of different environments so it felt right to get environments back to a standard (or at least closer) base configuration.
Improving DMARC Compliance: Authenticated SMTP Relay
- April 11, 2022
- 4 minutes
- automation, inspiration, php, security, tech, website
I've done a lot of server migrations for very unrelated reasons over the last six months or so. Many of these host applications that send emails, and I've implemented the basics to get them sending DMARC-compliant messages. This has generally been limited to DNS SPF records for each host configuration. Generally speaking, having SPF or DKIM compliance is 'enough' to get your messages not flagged as spam, though it can depend on the DMARC policy configuration.
Certbot on Windows: Automation Is Possible
- March 14, 2022
- 6 minutes
- automation, certbot, inspiration, security, tech, website
A recent project gave me an opportunity to try out Certbot on Windows. As I've written about before, I've had an extensive journey with Certbot, at times in fairly 'non-standard' configurations, and Certbot on Windows is no different.
Revisiting Key Authentication Setups
- February 28, 2022
- 6 minutes
- automation, inspiration, security, tech
Nearly 18 months ago I wrote about setting up and using key authentication to connect between hosts. I use it all the time and it's a major timesaver on all sorts of levels.
Moving a Legacy Drupal Stack to a New Server Host
One of my "end of 2021 break" projects was a planned "lift and shift" of my primary Drupal instance to a fresh, sparkly new web host stack. The stack on which it resided was reaching end of life and for a few other reasons it was time to make the change. In preparation, over the last year or so I've been de-coupling and untangling some of the baggage that had accumulated on the old server and its structure over time. Relatively simple things like straightening out, consolidating, or consistently applying vhost configurations.
DMARC: Time to Evaluate Reports
- November 22, 2021
- 6 minutes
- inspiration, security, tech
Almost exactly a year ago, I wrote about my first foray into implementing DMARC controls. Specific to domains through which email was not intended to be sent, it was the beginning of my DMARC adventure and expansion into some 35-ish domains.
This became its own series of posts with time:
Implementing Certificate Authority Authorization
- October 25, 2021
- 4 minutes
- automation, certbot, inspiration, security, tech
During the foray into fixing up the Let's Encrypt root certificate expiration bits for my affected bot host, while using the helpful SSL Server Test tool, I discovered the "new" (not really new) Certificate Authority Authorization (CAA) DNS record.
Breaking the Chain: An Edge Case of Let's Encrypt Root Certificate Expiration
- September 27, 2021
- 6 minutes
- automation, inspiration, mistakes, security, tech
It's been written about and announced for some time—the forthcoming expiration of the DST Root CA X3 certificate. The good news for most folks is that it's not a big deal. And that, I thought, also included me. For the most part, this has panned out to be true.
A DMARC Follow-Up: Nine Months In
- September 13, 2021
- 3 minutes
- inspiration, security, tech
It's been a full nine months since I first wrote about implementing DMARC controls, and over six months since I last wrote about fiddling with DMARC settings, so it's time to provide another quick update.
Reinstalling reCAPTCHA
In the last post I wrote about finally cutting off the comments feature due to an abundance of spam.
For about two days, this was successful...
Cleaning Up Old Mistakes Part Deux: Leveraging Includes
- May 10, 2021
- 4 minutes
- inspiration, mistakes, security, tech
This post is the second of a two-part miniseries identifying and correcting old mistakes. Part one discusses cleaning up Git repos based on permissions faux pas.
Today's atonement for old mistakes: Using centralized/standard "includes" for path variables and eliminating passwords from committed code.
Implementing DMARC: Adjusting SPF Records
- February 15, 2021
- 5 minutes
- inspiration, security, tech
It's been a couple of months since I last wrote about implementing DMARC and what comes next (review and adjustment). So I figured this would be a good time to document a few changes I've made based on the reporting data received so far.
My Incremental Certbot Panacea
- January 04, 2021
- 5 minutes
- automation, certbot, inspiration, security, tech, website
I've written about Certbot more than any other topic in the last 24 months or so, in part because it's been an interesting adventure for me both in helping to demystify SSL certificates, but also because it's been an evolving and incremental process to Make It Better. The first post I'd written in February of 2019 talked about using a web service to generate a Let's Encrypt certificate...good for 90 days...for free.
Implementing DMARC for Active Domains: Policy & Review
- December 21, 2020
- 6 minutes
- inspiration, security, tech
This is the second post in a two-part series to implement DMARC controls for actively-used domains, where this post focuses on creating and reviewing/adjusting your DMARC policy and controls. Part one reviewed proper DMARC prerequisites and contains information you will need to have in place before creating your DMARC policy.
Implementing DMARC for Active Domains: Configuring Prerequisites
- December 14, 2020
- 3 minutes
- inspiration, security, tech
As a follow-up from my previous post about implementing DMARC controls for unused/alias domains (those not used for actively sending messages), I wanted to write a bit about how to implement basic DMARC controls for those domains actively used to send emails.
Implementing DMARC on Alias Domains
- November 30, 2020
- 6 minutes
- inspiration, security, tech
A few weeks ago I crossed a tweet with some simple instructions for securing your "unused" email domains, specifically the few bits required to implement DMARC controls to prevent Bad Folks from using your domains to send spam emails. The short thread led to an awesome reference by the UK Government on the same process.
Automating Certbot: A Recap of My Journey
- November 16, 2020
- 3 minutes
- automation, certbot, inspiration, security, tech, website
Over the last two months, I've shared what amounts to a four-part "series" of posts walking through my journey of using Certbot for SSL certificate management, with the primary challenge being not having the traditional root-level access on the web server. Those posts are, in order:
Certbot in Manual Mode with Script Hooks
- November 02, 2020
- 4 minutes
- automation, certbot, inspiration, security, tech, website
If you've been following along in the mini series, I've gone over the details of using Certbot in manual mode, then bolting some simple scripts together to improve the process of generating and managing certs, all done with a bit of magic thanks to our old friend key authenti
Improving Manual Certbot Domain Validation
- October 19, 2020
- 6 minutes
- automation, certbot, inspiration, security, tech, website
In my second post about using Certbot in manual mode, I address some of the 'pain points' from the first post: namely the process of scripting together some of the bits to create/renew a certificate and otherwise requiring fewer individual commands be entered (or remembered).
Moving to Certbot with Let's Encrypt
- October 05, 2020
- 6 minutes
- automation, certbot, inspiration, security, tech, website
This is the first post in a short series of posts about automating what one can in an environment that might not support full-automation with Certbot and Let's Encrypt. Technically it's the second post as the first was geared toward setting up key authentication between systems, something that's leveraged significantly in this series.
Setting Up Key Authentication
- July 06, 2020
- 4 minutes
- automation, inspiration, security, tech
While I was preparing to write an upcoming post about moving directly to certbot from SSLForFree now that they've merged with ZeroSSL, I realized that I'd not actually ever written a post about one of the components I use all the time, including for my new certbot process: public key authentication.
Let's Expand Encryption!
This weekend I performed the quarterly actions to update my various letsencrypt certificates, which I've not written about since early May when I'd performed the first set of renewals. Let's Encrypt and SSL For Free are still outstanding services, and I'm super happy with them!
MMS: Drinking From the Fire Hose
- May 13, 2019
- 7 minutes
- tech, automation, inspiration, security, powershell
I spent last week at MMSMOA, a conference I cannot recommend enough for anyone working in the Microsoft/Windows/Systems Management space. The main event, held at the Radisson Blu Mall of America, is a solid four-and-a-half days of deep technical material, networking, sharing, and more!
Hey, Let's Re-Encrypt!
The time has come...to renew some Let's Encrypt SSL certificates! Doesn't seem like 90 days has passed since I originally wrote about trying out Let's Encrypt as a service to generate free, trusted SSL certificates with a limited lifespan (90 days versus the more commercially-focused 1-3 years).
Hey, Let's Encrypt!
As I'd mentioned in the past, one of the key reasons for changing up my personal hosting plan was to support Let's Encrypt, the free and open Certificate Authority. In 2019, there is absolutely no need for a regular old website or service to pay some exorbitant rate for an SSL certificate. The premium options (extended validation and such) are an entirely different arena--think banking and other services--but those are out of scope for everyday Joe.