Thursday, 27 February 2020

What is ADV190023 and how does it affect NetApp CIFS Configuration?

ADV190023 essentially relates to two security settings changing via a March (?) 2020 Windows update.

As per this post:


If we don’t want to wait for the March 2020 update:

1) Enable LdapEnforceChannelBinding = 1 (requires the CVE-2017-8563 update to be installed)
2) Enable LDAP Server Signing
DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing
Servers/Clients = policy "Network security: LDAP client signing requirements" = Require Signing


Question: How does this affect the standard NetApp CIFS configuration?

The answer is not much.

1) What LdapEnforceChannelBinding = 1 means is best described by this post:


- DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
- DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
- DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.


ONTAP currently does not support LDAP Channel Binding - see:
- so, nothing to do here: as above, "DWORD value: 1 indicates enabled, when supported", and a client that never sends channel binding tokens is still accepted at that setting.

2) Enable LDAP Server Signing: DCs = policy "Domain controller: LDAP server signing requirements" = Require Signing
All that’s required is:


cifs security modify -vserver SVMNAME -session-security-for-ad-ldap sign


LDAP connectivity will now utilize LDAP signing, no other changes are required.

Image: Enabling Client Session Security

Further Reading

Questions about NetApp impact related to released LDAP signing and channel binding security advisories published Microsoft:

NetApp customer facing KB:

Related Microsoft URLs:

Also see:
“What about ONTAP and LDAPS?
How do we do (configure) it?
- Change the port in the ldap config to port 636.
- Make sure -use-start-tls is turned to false
- And the enterprise root cert is installed into ONTAP.”

NetApp CIFS Server and LDAPS for Active Directory with port 636

When you set -use-ldaps-for-ad-ldap true - for example:


cluster1::> cifs security modify -vserver SVM1 -use-ldaps-for-ad-ldap true


- it is setting the communication to use port 636 as per the man page description:


[-use-ldaps-for-ad-ldap {true|false}] - Use LDAPS for Secure Active Directory LDAP Connections
This parameter specifies whether to use LDAPS over AD LDAP connections. When enabled, the communication between the Data ONTAP LDAP Client and the LDAP Server will be encrypted using LDAPS and port 636 will be used. LDAPS is a mechanism to provide secure communication by using the TLS/SSL protocols and port 636. If you do not specify this parameter, the default is false.
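
As an added example (not from the original post or from NetApp), the following Python model encodes the acceptance logic described in this post and in the LDAPS section above: which combinations of DC policy and ONTAP -session-security-for-ad-ldap / -use-ldaps-for-ad-ldap settings still bind once signing is required and LdapEnforceChannelBinding is 1 or 2. The class and function names are assumptions made for illustration.

```python
"""Added model of which ONTAP AD-LDAP client settings a domain controller still
accepts once the ADV190023 hardening above is applied (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, replace

# Registry values behind the two policies, under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on each DC:
#   LDAPServerIntegrity        1 = None, 2 = Require signing
#   LdapEnforceChannelBinding  0 = disabled, 1 = when supported, 2 = always


@dataclass(frozen=True)
class DomainController:
    ldap_server_integrity: int = 1
    ldap_enforce_channel_binding: int = 0


@dataclass(frozen=True)
class OntapLdapClient:
    # cifs security -session-security-for-ad-ldap {none|sign|seal}; the ONTAP default is none
    session_security: str = "none"
    # cifs security -use-ldaps-for-ad-ldap true -> TLS on port 636
    use_ldaps: bool = False
    # the post states ONTAP does not send channel binding tokens (CBT)
    supports_cbt: bool = False


# The two settings the post says the Windows update turns on
ADV190023_DC = DomainController(ldap_server_integrity=2, ldap_enforce_channel_binding=1)


def evaluate_bind(dc: DomainController, client: OntapLdapClient) -> tuple[bool, str]:
    """Decide whether the DC accepts a bind from this client, with the reason."""
    # Channel binding is only validated on TLS-protected binds (LDAPS/StartTLS):
    # value 1 tolerates clients that never send a CBT, value 2 rejects them.
    if client.use_ldaps and dc.ldap_enforce_channel_binding == 2 and not client.supports_cbt:
        return False, "channel binding required (value 2) but the client sends no CBT"
    if dc.ldap_server_integrity == 2:
        if client.use_ldaps:
            return True, "TLS (LDAPS) satisfies the signing requirement"
        if client.session_security in ("sign", "seal"):
            return True, f"SASL integrity negotiated ({client.session_security})"
        return False, "LDAP signing required but the bind is unsigned"
    return True, "DC does not require signing"


def remediate(client: OntapLdapClient) -> OntapLdapClient:
    """The fix from the post: cifs security modify -session-security-for-ad-ldap sign."""
    return replace(client, session_security="sign")


if __name__ == "__main__":
    cases = [("default", OntapLdapClient()),
             ("signed", remediate(OntapLdapClient())),
             ("ldaps", OntapLdapClient(use_ldaps=True))]
    for label, c in cases:
        ok, why = evaluate_bind(ADV190023_DC, c)
        print(f"{label:8} {'accepted' if ok else 'REJECTED':8} {why}")
```

The value-2 case is the one to watch: a DC set to "always" rejects an LDAPS bind from a client without CBT support, while an unsigned-transport bind with -session-security-for-ad-ldap sign is unaffected by channel binding.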


Wednesday, 26 February 2020

Do you need a TPM License Key to Enable NVE?

Question: Do you need a Trusted Platform Module (TPM) license key to enable NetApp Volume Encryption?
Answer: No. TPM is not required for NVE.

It’s easy to prove this. I have an ONTAP 9.5 system which only has the VE (Volume Encryption Key).


cluster1::> license show -package TPM,VE

Owner: cluster1-01
Package Type     Description
------- -------- ---------------------
VE      license  Volume Encryption License

Owner: cluster1-02
Package Type     Description
------- -------- ---------------------
VE      license  Volume Encryption License


And I created an NVE enabled volume without issue:


cluster1::> volume create -vserver SVM1 -aggregate cluster1_01_SSD_1 -volume NVE_TESTVOL -size 10G -encrypt true
[Job 183] Job succeeded: Successful


And view the encryption status and key:


cluster1::> volume show -encrypt true -fields encrypt,encryption-state,key-id
vserver volume   encrypt encryption-state key-id
------- -------- ------- ---------------- --------------------------------------------------------------------------------
SVM1    NVE_TESTVOL true    full             0000000000000000020000000000050072c1f19f51ae07aacfb40ee8ca9a2f2e0000000000000000


Image: Proving NVE without TPM

Further Information

NetApp Volume Encryption, The Nitty Gritty

TRUSTED PLATFORM MODULE (TPM) SUPPORTED PLATFORMS
Only these and newer ONTAP platforms have TPM modules integrated:
AFF A200, AFF A300, AFF A700, AFF A700s, FAS2620, FAS2650, FAS8200, FAS9000

In hwu.netapp.com you’ll see some of the older platforms without the TPM module do support NVE. Also, check out the KB below:


Tuesday, 25 February 2020

Proving UNIX-WIN (Default) Name Mapping Works

Continuing from the previous post - Proving WIN-UNIX (Default) Name Mapping Works - here we prove UNIX-WIN name mapping works.

I have a UNIX user called user2, and I want it to map to the windows user DEMO\user2. Without doing anything more than we’ve done in the previous post, this is how it maps.


cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction unix-win -name user2

'user2' maps to 'DEMO\user2'

cluster1::*> unix-user show -vserver SVM1
               User            User   Group  Full
Vserver        Name            ID     ID     Name
-------------- --------------- ------ ------ --------------------------------
SVM1           nobody          65535  65535
SVM1           pcuser          65534  65534
SVM1           root            0      1
SVM1           user1           1001   1001
4 entries were displayed.


We did nothing and the default mapping works out-of-the box!

Image: Proof of successful user2 to DEMO\user2 mapping

If you wanted something other than default name-mapping, you’d need to specify the name-mapping.

BONUS Information

What happens if we try to map the UNIX user user22 to DEMO\user22, when DEMO\user22 does not exist?


cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction unix-win -name user22

Vserver: SVM1 (internal ID: 4)

Error: RPC map name request procedure failed
  [0ms] Trying to map 'user22' to Windows user 'user22' using implicit mapping
  [  2] Successfully connected to ip 192.168.0.253, port 445 using TCP
  [  5] Unknown error: 12
  [  5] Failed to initiate Kerberos authentication. Trying NTLM.
  [  5] Encountered NT error (NT_STATUS_MORE_PROCESSING_REQUIRED)
        for SMB command SessionSetup
  [  7] Successfully authenticated with DC dc1.demo.corp.com
  [ 12] Could not find Windows name 'user22'
  [ 12] Unable to map 'user22'. No default Windows user defined.
**[ 12] FAILURE: Name mapping for UNIX user 'user22' failed. No mapping found

Error: command failed: Failed to find mapping for the user. Reason: "SecD Error: Name mapping does not exist".

To be expected, the name-mapping fails.

Proving WIN-UNIX (Default) Name Mapping Works

In this following post, I prove WIN-UNIX Name Mapping works via a simple illustration that initially shows it not working. The ONTAP version here is 9.5.

We start off by creating a data SVM, with data LIFs, DNS, cifs server, and NFS server.


vserver create -vserver SVM1 -aggregate cluster1_01_SSD_1 -rootvolume SVM1_root -rootvolume-security-style UNIX

net int create -vserver SVM1 -data-protocol nfs,cifs -lif SVM1_CIFS1 -role data -address 192.168.0.11 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0c
net int create -vserver SVM1 -data-protocol nfs,cifs -lif SVM1_CIFS2 -role data -address 192.168.0.12 -netmask 255.255.255.0 -home-node cluster1-02 -home-port e0c

dns create -vserver SVM1 -domains demo.corp.com -name-servers 192.168.0.253

cifs server create -cifs-server SVM1 -vserver SVM1 -domain demo.corp.com
nfs server create -vserver SVM1


I have a user in my domain DEMO\user1 and I want it to map to the UNIX user user1. Without doing any more than the above, let's see what it maps to.


cluster1::> set d
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user1

'DEMO\user1' maps to 'pcuser'


DEMO\user1 maps to pcuser, which is to be expected so far: it comes from the default-unix-user setting.


cluster1::*> cifs options show -vserver SVM1 -fields default-unix-user
vserver default-unix-user
------- -----------------
SVM1    pcuser


If I create a unix-user called user1, does it map automatically?

cluster1::*> unix-user create -vserver SVM1 -user user1 -id 1001 -primary-gid 1001
cluster1::*> secd cache clear -node cluster1-01 -vserver SVM1 -cache-name name-mapping-windows-to-unix
cluster1::*> secd cache clear -node cluster1-02 -vserver SVM1 -cache-name name-mapping-windows-to-unix
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user1

'DEMO\user1' maps to 'user1'


Yes it does map!

Image: Proof of successful DEMO\user1 to user1 mapping

You don’t need to create the default name-mapping rules explicitly (they are shown below); all we did was create a UNIX user:


vserver name-mapping create -vserver SVM1 -direction win-unix -position 1 -pattern DEMO\\(.+) -replacement \1
vserver name-mapping create -vserver SVM1 -direction unix-win -position 1 -pattern (.+) -replacement DEMO\\\1


Of course, in an enterprise environment you’re unlikely to want to have to create a UNIX user for every user you want mapped. Instead of using files, LDAP is going to be the solution. See the following NetApp KB: KB1030851: How to set up Windows to UNIX user mapping over LDAP

In this lab we were using files:

cluster1::*> ns-switch show -vserver SVM1
                               Source
Vserver         Database       Order
--------------- ------------   ---------
SVM1            hosts          files,
                               dns
SVM1            group          files
SVM1            passwd         files
SVM1            netgroup       files
SVM1            namemap        files
5 entries were displayed.


BONUS Information

You might be thinking, what happens if the default-unix-user is not pcuser? Say we set it to "-". Here’s what happens:


cluster1::*> cifs options modify -vserver SVM1 -default-unix-user "-"
cluster1::*> secd name-mapping show -node cluster1-01 -vserver SVM1 -direction win-unix -name DEMO\user3

ATTENTION: Mapping of Data ONTAP "admin" users to UNIX user "root" is enabled, but the following information does not reflect this mapping.

Vserver: SVM1 (internal ID: 4)

Error: RPC map name request procedure failed
  [0ms] Trying to map 'DEMO\user3' to UNIX user 'user3' using implicit mapping
  [  2] Entry for user-name: user3 not found in the current source: FILES
        Entry for user-name: user3 not found in any of the available sources
  [  3] Trying to map user to the default UNIX name '-'
  [  5] Entry for user-name: - not found in the current source: FILES
        Entry for user-name: - not found in any of the available sources
**[  6] FAILURE: Name mapping for Windows user 'DEMO\user3' failed. Mapped UNIX user '-' does not exist

Error: command failed: Failed to find mapping for the user. Reason: "SecD Error: The mapped user does not exist".


Also see the following post:

Sunday, 23 February 2020

Tech Roundup - 23rd February 2020

Some stuff collated/new/learnt since Tech Roundup - 31st December 2019 with headings:
AWS, Certificates (SSL), Cisco, FlexPod, Google Cloud, HP, IT Industry News/Commentary, Kubernetes, Microsoft, NetApp, pfSense, RedHat, Security, Tech Field Day, Veeam, Zone to Win

AWS

AWS Build a Winning Pitch Deck Workshop ... | Mar.10.2020 | London, England
... is designed to help pre-seed startups develop a fundraising narrative and build a pitch deck that serves as their tool to getting funded.

AWS Summit London | ExCel London | April 29, 2020

AWS Powers Guinness Six Nations Rugby Stats

Guinness Six Nations Matchstats

Certificates (SSL)

Microsoft Teams goes down after Microsoft forgot to renew a certificate

Summary of Windows Azure Service Disruption on Feb 29th, 2012

Let’s Encrypt: Why ninety-day lifetimes for certificates?

Certbot
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

Cisco

“The gateway in a Cisco ACI stretched layer 2 network can only reside on one site and has no capability to fail over to another site in case of a site loss.”

UCS Platform Emulator Downloads: UCSPE 4.0(4ePE1) / UCSPE 3.2(3ePE1)

Armis has discovered five critical, zero-day vulnerabilities in various implementations of the Cisco Discovery Protocol (CDP) that can allow remote attackers to completely take over devices without any user interaction.

FlexPod

FlexPod Datacenter for AI/ML with Cisco UCS 480 ML for Deep Learning - Design Guide

FlexPod Datacenter for AI/ML with Cisco UCS 480 ML for Deep Learning - Deployment

Google Cloud

File storage made easier with NetApp Cloud Volumes, now GA

NetApp Cloud Volumes Service for Google Cloud

HP

“Cartridge cannot be used until printer is enrolled in HP Instant Ink”

HP Instant Ink
Save up to 50% on ink!
Monthly printing plans based on the number of pages you print not the amount of ink you use!

“By the way, did you know that printer ink is actually the most expensive liquid on this planet?”
HP explains why printer ink is so expensive

IT Industry News/Commentary

Jan 3, 2020: Blockchain 2020 – thoughts, comments and the future

Kubernetes

Container, Kubernetes & Microservices – how NetApp can help

“You will find this presentation a valuable trove of useful tricks. Enjoy.”

Microsoft


How to revert to an earlier version of Office
Applies to: Office 2019, Office 2016, Office 2013
Note: This article doesn’t apply to MSI versions of Office.
And if that doesn’t work...
1. Start the elevated command prompt (START > CMD > right-click and select "Run as administrator")
2. Paste and run "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user updatetoversion=16.0.11328.20512
3. Once the older version is installed, open any Office app, go to File > Office Account and select Disable updates (under Product Information)

Links for:
Event Properties - Event 2020, MSMQ: “The Message Queuing service cannot start”
Tip: If you want the Message Queuing service to start automatically, having it on a VMDK works, but in-guest iSCSI does not (since the iSCSI storage isn’t immediately available to the O/S when it boots.)

NetApp

IDC PERSPECTIVE: A New NetApp Is on the Rise

On-Demand Webinars:


NetApp Blog (blog.netapp.com):


NetApp Cloud (cloud.netapp.com):



Image: Windows Virtual Desktop (and Citrix) on Azure - Optimize End User Experience with Azure NetApp Files (ANF)

NetApp Cloud Manager and Cloud Compliance:

Cloud Manager
FlexCache with Cloud Volumes ONTAP: https://youtu.be/PBNPVRUeT1o

Cloud Compliance

NetApp HCI:

How a Disaggregated Architecture Can Lower HCI Total Cost of Ownership:

[Impact: High] NetApp H-Series BIOS update to reduce memory and machine check errors
Recommend updating the BIOS as part of the HCI Installation.

HOW TO: Reduce the wear on the boot drive of a NetApp HCI compute node
Recommend doing this as part of the HCI Installation.

Where vCenter was deployed using IP address, not FQDN...
...to rename to FQDN, it can only be done from vCenter 6.7U3 as per this article:

H410 Protection Domains
Extending storage availability across chassis.
- Node/chassis location awareness data layout
- Automatically detects H410 chassis and node configuration
- Double-helix data layout ensures that primary and secondary data blocks span domains
- Domain level capacity monitoring
- Minimum of three chassis required for domain level resiliency

Image: H410 Protection Domains

NetApp HCI Return to Factory Image (RTFI)
By Allen Johnson | January 25, 2020

NetApp Miscellaneous:



NetApp.io (NetApp DevOps Community):


NetApp TechONTAP Podcast:


NetApp NVAs:

NVA-1143: NetApp HCI - NIST Security Controls for FISMA with HyTrust for Multitenant Infrastructure
NVA Design and Deployment

NetApp TRs:


NetApp-ONTAP Python SDK:

... authoring some Python code using the newly released netapp-ontap Python SDK?
To find help for export policies:
Module netapp_ontap.resources.export_policy

NetApp ONTAP LUN rename:

Easy to do and non-disruptive, just needs:
lun move-in-volume -vserver SVM_NAME -path CURRENT_PATH -new-path NEW_PATH

Questions about NetApp impact related to released LDAP signing and channel binding security advisories published Microsoft:

NetApp customer facing KB:

Also see:
“What about ONTAP and LDAPS?
How do we do (configure) it?
- Change the port in the ldap config to port 636.
- Make sure -use-start-tls is turned to false
- And the enterprise root cert is installed into ONTAP.”

Related Microsoft URLs:

pfSense

Netgate pfSense Security Gateway Appliances for the public cloud (Amazon AWS and Microsoft Azure), and private cloud (hardware appliances):

Download the Community Edition appliance for VMware vSphere, Microsoft Hyper-V and Proxmox:

RedHat

Disaster Recovery Strategies for Applications Running on OpenShift

Image: OpenShift deployment topologies

Security

NetApp is on the DoDIN (Department of Defense Information Network) Approved Products List.
Search for:
Device Type = “Data Storage Controller”
Vendor = “NetApp, Inc.”
For ONTAP 9.6 and 9.7, all these controllers are certified:
FAS8040, FAS2520, FAS2552, FAS2554, FAS2620, FAS2650, FAS2720, FAS2750, FAS8020, FAS8060, FAS8080EX, FAS8200, FAS9000, AFF A200, AFF A220, AFF A300, AFF A700, AFF A700s, AFF A800, AFF8020, AFF8040, AFF8060, AFF8080EX, FAS8300, FAS8700, AFF A400

Tech Field Day [Videos]

NetApp Introduction to Active IQ

NetApp Active IQ Platform Architecture

NetApp AIOps

NetApp The New Active IQ Experience Demo

NetApp StorageGRID - Object Storage for What's Next

Veeam


NetApp primary storage users:
New versions of Universal Storage API plug-ins for:
NetApp Element Plug-in 1.0.10 (with a couple of enhancements around our SolidFire integration)
Also, an important note regarding NetApp ONTAP 9.7 support: this was found to be a "breaking" release due to an API change, so it will require v10. The RTM build does NOT support ONTAP 9.7 yet, as we finished testing after it was already shipped. However, we managed to include the required change into the GA build.

Veeam Snapshot Hunter is awesome!

Veeam: V10: Better Backup: Faster. Stronger. Smarter.
Watch the recording of the Feb. 18 launch event and find out what’s new in Veeam Availability Suite.

Veeam Availability Suite 10 unattended installation [with Ansible]

Veeam Backup & Replication Chocolatey packages

Veeam NAS and File Share Backups
From Gostev’s Veeam Community Forums Digest:

January 27 - February 2, 2020
“... it appears Microsoft Azure had a critical vulnerability (CVSS score of 10.0) last year, which allowed the attacker to escape the Sandbox of a cloud VM, overtaking the host and so other VMs running on it. I always thought of public cloud as of subway in that sense – if you take one, you have to watch your pockets, and have a copy of your documents at home (or in the hotel). But, do you keep a copy of your cloud VMs backups at ‘home’ (your on-prem datacenter in this case) though? Because we'll for sure keep seeing such vulnerabilities in future with all hyperscalers, and their primary "use case" will be to delete VM snapshots and deploy ransomware” > Perfect 10.0: This Is a Cloud Security Nightmare

January 27 - February 2, 2020
“... one of the participants performed a live demo of BitLocker encryption bypass via TPM module sniffing. The key take away here is that the "default" BitLocker setups without pre-boot authentication can be more or less easily bypassed! So I'm now wondering how many BitLocker-enabled laptops carrying sensitive data were lost with IT thinking the data is safe, when it was not.”

February 10 - February 16, 2020
“How you prevent BitLocker encryption bypass attack via TPM module sniffing with pre-boot authentication. It assumes you have BitLocker already enabled, otherwise there's nothing to bypass!
1. Logon to Windows with an administrator account.
2. Open the Group Policy Editor (click Start, type "gpedit.msc").
3. Select Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives folder, and double-click the "Require Additional Authentication at Startup" option.
4. In the dialog that opens, select "Enabled" radio button at the top left.
5. In the "Configure TPM Startup PIN" drop-down list below, select "Require Startup PIN With TPM" option, and click OK to save changes.
6. Launch elevated command prompt (click Start, type "cmd", right-click and select "Run as administrator").
7. Run "manage-bde -protectors -add c: -TPMAndPIN" and set PIN (minimum length is 6 digits).
You're done! Other useful commands include "manage-bde -status" to check your protection status, and "manage-bde -changepin c:" to change PIN. Also, keep in mind that BIOS and TPM firmware updates require suspending BitLocker using the Manage BitLocker snap-in.”

Zone to Win

[Video] Zone to Win - Organizing to Compete in an Age of Disruption, by Geoffrey Moore