Tuesday, September 28, 2021

Changing email setting for users in google group workspaces

When logged into Google Workspace, you can control how you get emails from specific Google Groups; however, sometimes users may or may not get emails from groups. Here is how to fix it.

1. Go to groups.google.com. It should automatically take you to "My Groups"; if not, select "My Groups".




2. Go to People -> Members

You can change subscription and posting settings here.







Under Subscription, change the setting to Each Email if you want to receive every email sent to the group.



This will change or reset the email settings for the user on the Google Group.

Monday, September 27, 2021

"LbShrMem.FindName: invalid 'shared memory' pointer" Error when Launching Reports in Horizon on Windows 10

There is a bug in the ILS system for Horizon by SirsiDynix where, for whatever reason, reports are not accessible and you get the following errors.





You will need a SirsiDynix account to view the KB at https://support.sirsidynix.com/kb/164380, but essentially, when you go to run reports, the ILS system errors out with an LbShrMem pointer error. In the past (by that I mean going back to Windows Vista), adding a global system variable for the ILS application resolved the error.

Variable name: HzShrMemBase
Variable value: 1912602624

However, under Windows 10 this prevents access to the ILS application. Adding and then removing the variable fixes it, as does running the app in legacy mode for Windows XP SP2, but this is temporary. After a reboot the issue remains persistent. Doing file system scans (SFC) and check disk also occasionally resolves the issue, but the issue remains persistent and comes back after a couple of shutdowns and restarts.

After doing some intense investigation into this matter, it appears to be related to security and application permissions. Unfortunately, thus far the only resolution I could find had to do with running the ILS application as an administrator and, for staff convenience, disabling UAC.

Step 1.  - Make the user using the application a local admin as shown below.

Make user a local admin



Step 2. - Set the app to run as administrator



Step 3. - Change UAC (Reason for this is to prevent the popup prompt)



After running the ILS application like this for 3 weeks I am confident that the issue has been mitigated. Do I recommend running an application like this? No. However, it was consuming IT resources having to go back and do disk scans and add/remove system variables to get the report to run. There are extra security precautions put on the system for monitoring and firewall blocking. For now that is all that can be done until an application update.

Tuesday, September 14, 2021

Allowing iframes from a shared hosting server

Shared Hosting Providers

Website security is a very important thing these days. There are lots of reasons to refuse to let other sites embed your site via an iframe or embed tag. However, if you have or are purchasing a paid-for service like an intranet, and you don't want to rewrite everything to work with that service's JavaScript library and security policy, an embed or iframe may be just what you need.

By default, most of the shared web hosts I've used allow configuration with a .htaccess file. I do recommend going through and assessing what you need to set up for your site security-wise; but in this case I need to allow iframes from an Igloo intranet site.

Typically, if you have experience setting up something like Apache, you would use the X-Frame-Options header to do this. However, this has changed for modern browsers, and while you may still need to add X-Frame-Options for some legacy browsers, I'm going to be focusing on Edge, Chrome and Firefox.

On Igloo I have an embed tag, with the source pointing to a website which I have on a shared host. A sample can be seen below. By default, the shared hosting provider refuses the iframe connection.

<embed type="text/html" src="https://websiteIcontrol.ca" width="500" height="200">

On your host, edit your .htaccess file and find the mod_headers.c block. By default it should be something like this:

## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

We want to add the Content-Security-Policy line shown below.

## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
## frame-ancestors lists the origins that are allowed to embed this site
Header set Content-Security-Policy "frame-ancestors 'self' https://websiteIcontrol.ca"
</IfModule>

Once you add that and save the .htaccess file, refresh your page on Igloo and your iframe/embed will show up.

Please refer to the links below for more information about .htaccess, X-Frame-Options and Content-Security-Policy.
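To check which sites a given set of response headers lets embed the page, the following added example (not code from the original post) evaluates frame-ancestors and X-Frame-Options for one embedding origin the way current browsers do. The origin https://intranet.example is a constructed placeholder for the intranet site, and the source matching is simplified as noted in the comments.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT.get(u.scheme))

def source_matches(source, parent, page):
    """Match one frame-ancestors source against the embedding (parent) origin.
    Simplified: paths and port wildcards in sources are not handled."""
    p_scheme, p_host, p_port = parent
    if source == "'self'":
        return parent == page
    if source == "*":
        return p_scheme in DEFAULT_PORT
    if source.endswith(":") and "/" not in source:   # scheme-source such as https:
        return p_scheme == source[:-1].lower()
    if "://" not in source:                          # bare host: assume the page's scheme
        source = f"{page[0]}://{source}"
    s = urlsplit(source)
    # An http source also matches an https parent; nothing else crosses schemes.
    if s.scheme != p_scheme and not (s.scheme == "http" and p_scheme == "https"):
        return False
    if (s.port or DEFAULT_PORT.get(p_scheme)) != p_port:
        return False
    host = (s.hostname or "").lower()
    if host.startswith("*."):                        # wildcard covers subdomains only
        return p_host.endswith(host[1:])
    return host == p_host

def framing_allowed(headers, page_url, parent_url):
    """True if a browser would let parent_url frame page_url (direct parent only)."""
    h = {k.lower(): v for k, v in headers.items()}
    page, parent = origin(page_url), origin(parent_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present, X-Frame-Options is ignored.
            return any(source_matches(s, parent, page) for s in parts[1:] if s != "'none'")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == page
    return True  # no header, or an obsolete value such as ALLOW-FROM

PAGE = "https://websiteIcontrol.ca"      # embedded site, from the post
INTRANET = "https://intranet.example"    # constructed placeholder for the embedding site
```

Feed it the headers your host actually returns (for example from `curl -I`) to confirm that the embedding origin is listed and that nothing broader than intended is allowed.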

https://htaccessbook.com/

https://htaccessbook.com/important-security-headers/#xframe


Friday, September 10, 2021

How to deploy a printer with zero (no) touch through Active Directory


What is zero touch or no touch deployment? It is the process of configuring devices and pushing updates out to the network from a central location. As the term implies, zero-touch configuration enables IT teams to configure, or modify, hundreds or even thousands of devices remotely. In this case it is a zero touch deployment of a printer to a half dozen workstations. I understand there are many different ways of doing it; Microsoft has allowed this pretty far back, and it was mostly done with bat files and scripts. In an effort to modernize things, here is how you can do it using just your Active Directory. I do have some caveats that will need to be in place first. Also be aware that this is what PrintNightmare exploits. I will go through some mitigations that can be done; however, as always, you have convenience vs security.

Here are some mitigation links you can read about for the PrintNightmare exploits.


  1. You will need a print server, and it will have to be connected to your AD.
  2. You will need properly set up security groups in your AD.
  3. You will need your print servers set up with drivers installed and drivers set up for deployment.

On the print server I have everything patched as much as I can, and I have employed all the PrintNightmare mitigations, besides disabling the print spooler for obvious reasons. So on your print server you should have your printer shared with proper permissions. Here is where you set all your printer defaults for your clients, like the default paper tray, duplex, etc.



So in this case I have the administrators group for the domain, the local admin, and the organizational group that needs to print to the printer.


As you can see, if it is deployed with group policy, it shows up in the "Deploy with group policy" menu item.


Then in deployed printers it will show how you have the printer deployed.


Now, on your Active Directory controller, go to the group policy object you deployed the printer to, in this case "Group That needs printer".


Edit the group policy "Group that needs printer", which we deployed our printers on from the print server. In the Policies settings we should see the deployed printers for both users and computers, because that is where we deployed them.


Now it's up to you how you want to install the printer. You can deploy it by user or by computer. In this case I am deploying it by user. If you want things to be a bit more restrictive, deploying by location-based computer would definitely be the way to go, as with a per-user deployment the user will still have the printer if they use, say, a remote desktop server to connect occasionally. In this case I do want that functionality, as it was requested and approved. In group policy go to User Configuration or Computer Configuration -> Preferences -> Control Panel Settings -> Printers


To add a printer, right click in Printers -> select Shared Printer (which is what I want in my case; you can also select an IP printer or a local printer).


Select your share path and fill out any options you need, such as the action (update, create, remove, etc.). In this case I used create, and set it as the default printer.



The printer should automatically deploy through group policy. In this case, users who were already logged in got the printer with the defaults. Tray 2's uptake was not working, so I disabled it in the driver and set up tray 3 to be the default. The deployment went quickly and easily. Granted, PrintNightmare is still a problem, but we still need to use these printers, and we have all the PrintNightmare fixes in that we can have, so users can still use their printers.

How to migrate PFSense Over to KEA DHCP Server from ISC DHCP Server

I am a PFSENSE User and I manage PFSENSE for some other organizations and the time has come to make the switch for the DHCP Server over to K...