Monthly Archives: October 2014

Dreaming about QR Codes

Fun fact: QR Codes have been around more than 17 years.

I knew of its existence but lately they seem to be popping up all over the place! I started thinking about the possibilities of using QR Codes.

I like the idea of having a QR Code specifically tailored for my eyes only. Smartphones are mainstream so let’s take from there shall we? Here’s a list of a few ideas I came up with…

Central at all these ideas is tailoring QR Codes just for you! At the heart of it all is your smartphone. So what makes your smartphone unique? Mobile nr, IMEI nr and GEOLocation information at any given time! So here are some ideas that came to me, maybe they’re out there already, maybe not! 😉

QR Code as two step authentication

What if you could use a QR Code at the ATM as added security? Yes, you’d still logon at the terminal. The ATM knows who you are. The next step would be to generate a QR Code that only you can decrypt! The advantage? Well if you card and code falls into the wrong hands, they’d also need access to your smartphone.  And if you add the GEOLocation and a time window to the equation, I’d say that’s a tough nut to crack!!!

QR Codes as BGInfo

Any sysadmin worth his salt has used BGInfo. What if you could generate QR Codes dynamically of the system that only you (and your fellow sysadmins) could read. Imagine reading your QR Codes using Google goggles. Finally a valid reason for using Google goggles!!! Actually that is possible here’s the link to prove it.

QR Codes in Data Centers

With Multi-tenant DataCenters there’s always the need of keeping tenants server racks private. Having QR Codes that can only be decrypted by the intended person is a plus. Also see BGInfo idea… 😉

QR Codes for receiving UPS packages

Say you’re expecting a package from UPS. You want to make sure that you and only you can take the package in acceptance. You tell UPS where you want the package delivered (For GEOLocation purposes) add some personal info for verification and you’re good to go! When delivering the package, only if you can decrypt the QR Code (Based on GEOLocation and SmartPhone info) will the UPS guy hand you the package.

So there’s a whole QR Codes world out there to discover! Is there a reason NOT to use QR Codes? I came across a book by Scott Stratten – QR Codes Kill Kittens: How to Alienate Customers, Dishearten Employees, and Drive Your Business into the Ground Scott isn’t against QR Codes, he’s just seen many wrong implementations. If you’re using QR Codes just to come over Tech savvy, then you’re swinging a miss!!!  The title “QR Codes kills Kittens” made me giggle just a bit… “Every time someone uses Write-Host a puppy dies…” I still got a PowerShell reference in… 😉

I guess like everything, QR Codes can add value, only if used correctly. By all means look into it…

Ttyl,

Urv

 

Advertisements

It dawned on me that my previous blog was all about QR Code encryption. Yes it is possible to create QR codes encrypted. But can you create QR Codes in PowerShell?

As always Google is your friend. Let’s just Google “qr codes generate PowerShell”. Turns out there is a PowerShell script created by Matthew Painter.  Believe it or not the script is 3 years old! It worked like a charm!

Matthew uses Google apis to generate QR Codes (free of charge 😉 ) Best part, you can also do batch processing. Nice!

Here’s the tinyurl to Matthew’s code : http://tinyurl.com/kplw7rm

NEW-QR-psh

And in QR Code… 😉

Matthew sums it up nicely in his Description. There’s just something magical about QR Codes. Kinda like using a metal detector, only you’re hunting for QR Codes.

Have a look at Google apis for more information on QR Code:

Google-API

I think QR Codes could be interesting when it comes to two step verification. And if you could encrypt your QR code… Imagine the possibilities…

Oh I almost forgot, here’s the PowerShell code you can use to generate tinyurls: http://tinyurl.com/khbptb9

Courtesy of PowerShell.com PowerTips.

QR-PowerShellTips-TinyUrl 

Couldn’t help myself…

 Ttyl,

 Urv

 

 

 

 

Back on the password wagon again. Having the password there in plain sight, is kinda annoying to say the least. Sure the user login ID wasn’t printed (that would have been something right?) still it’s just there in plain sight!!!

In this day and era with all the smartphones around, do we really need to print passwords and hand them out? Then it hit me… “Hey what about QR Codes?” QR (Quick Response) Codes are those squares that have been popping up all over the place, I’m sure you’ve seen them around… Go on… give it a try… You know you wanna… 😉

qrcode.LinkedInURL

Here’s the idea, instead of printing passwords why not use QR code to keep the password from plain view?

“Well that’s all good and well Urv, but anyone with a QR code scanner could still read it…”

True true… Hmmm… Say… wouldn’t it be great if you could somehow encrypt the QR Code in such a way that only the specified smartphone could read it? Go on… I’m listening…

Now QR Codes are public by nature. Still I could imagine there would be times that you only want to give access to few. Imagine having a QR Code in plain view that only you could decrypt!

So I googled ‘encrypted QR Code’ and sure enough a hit! So encrypted QR Code exist? Why isn’t this mainstream???

“Say Urv what does any of this have to do with PowerShell or Passwords?”

I’m getting there… Now ideally I’d like to have the possibility to encrypt / decrypt anything specifically for a smart device. Turns out most apps aren’t that sophisticated… yet or maybe at a price… Somebody makes this happen!

I’ve found some cool QR Code stuff at qrstuff.com. Password QR Code encryption is only for subscribers, but hey it is a possibility!!!

Ok now for the PowerShell part.

Here’s the idea, Now I’ve talked about generating random complex passwords. I can also Validate the credentials. Now all I need is some logistics in place to get the password to the user, ideally encrypted, at the very least obfuscated.

Ok back to the smartphone. What if I generated a random four digit code used to generate a four digit decrypting code from the user’s mobile nr? The logic? The random code is the position of the decrypted code from the mobile nr.

Something like this:

Decode rule

Say the random nr is 6132. The user’s mobile nr is (keep in mind that here in the Netherlands all nr’s start with 06 and are 10 digit in total) 0612345678. The code to decrypt the message would be 5621.

Full disclosure: Why start counting at zero? Just happens I got lucky with the fact that mobile nr start with zero here. The random code is four digits derived from a subset ranging from 1..9. It fits nicely so I’m sticking with it! If anybody asks it was by design.. 😉

So I’d give the user a QR Code with the random code. The user knows his mobile nr. All the user has to do now is decrypt using our “secret rule”. Kinda reminds me of the secret decoder ring toy… Never loose your inner child 🙂

So here’s the PowerShell code

$csvUserInfo = @'
samACCountName,MobileNr
user1,0612345678
user2,0613246587
user3,0618723145
user4,0687654321
'@ | ConvertFrom-Csv -Delimiter ','

$arrUserCodes = @()

$hshASCIIINTValue = @{
    49 = 1
    50 = 2
    51 = 3
    52 = 4
    53 = 5
    54 = 6
    55 = 7
    56 = 8
    57 = 9
}

Function random-passcode {
    param(
        $length = 4
    )
    $digits = 49..57

    $passcode = get-random -count ($length) `
        -input ($digits) |
        % -begin { $aa = $null } `
        -process {$aa += [char]$_} `
        -end {$aa}

    return $passcode
}

$hshUserCode = @{
    SamAccountName = ''
    MobileNr = ''
    PassCode = ''
    DecryptCode = ''
    Shortlink= 'http://<link to QR code>'
}

foreach ($user in $csvUserInfo) {
    $hshUserCode.SamAccountName = $user.samACCountName
    $hshUserCode.MobileNr = $($user.MobileNr).ToString()
    $hshUserCode.PassCode = random-passcode
    $DecryptCode = ''

    #Convert Passcode to charArray get the INT value for the hashtable and get the index on MobileNr
    foreach($char in $hshUserCode.PassCode.ToString().ToCharArray()) {
        $index = [INT]$char
        $DecryptCode += $($hshUserCode.MobileNr[$hshASCIIINTValue[$index]]).ToString()
    }

    $hshUserCode.DecryptCode = $DecryptCode
    $arrUserCodes += New-Object PSObject -Property $hshUserCode
}

$arrUserCodes | select SamAccountName,MobileNr, PassCode, DecryptCode,ShortLink |  Out-GridView -Title "QR code encryption - $(Get-Date)"

Now you can give the user the four digit random code and a shortlink to the QR Code. Use the DecryptCode to encrypt the QR Code. Only someone with knowledge of the ‘secret rule’ AND the mobile nr will be able to decrypt the QR Code.

At first I thought shortlinks were the way to go just incase the user doesn’t have a smartphone with barcode scanner… Or just do both.

  • http://”ShortLink to QR Code”
  • “Image of Encrypted QR Code”
  • Four digit code to decrypt QR Code

No barcode scanner? Use the shortlink, otherwise just scan and decrypt. Just remember encrypted QR codes aren’t mainstream yet (But it is possible at a price), so maybe just having a QR Code instead of plain text in sight is a better option for now.

Ok that’s it for now… Hope this inspires you to think about some more uses for QR Codes…

Ttyl,

Urv

DSC vs GPO, can they play nicely together?

I have no doubt in my mind that DSC is going to be a private/public cloud infrastructure designer’s best friend.

What makes DSC a necessity? Haven’t we been doing well so far? Steven Murawski does a far better job of explaining this (just gonna paraphrase here for a minute…)

“The reason DSC is important is because the more steps involving human interaction, allows for more potential failure points.”

So minimizing human interaction is essential to minimizing failure points. That’s always a good thing. The lesser the failure points the better the process. Makes sense.

Now Group Policy has been around for quite some time. When it comes to troubleshooting and editing, gpmc.msc is your go-to tool. With Group Policies its all about managing Domains. If you’re not part of a domain, well then you’re out of luck… that is until DSC.

Ok, I’m new to blogging game so I need to be careful posting information from other sources. The DSC Resource book at powershell.org explains the DSC vs GPO quite well. Have at it 🙂

My first thought on DSC in an environment using GPO’s is… Will they get in each others way? and if so who has the last say in the matter? Troubleshooting just got a whole lot complicated! All of a sudden, I’m starting to think about refresh intervals of both GPO & DSC and how or if I should think about manipulating them… What happens if my GPO settings resets my DSC settings? Or vice versa? This is madness!!! Ok Urv, take a deep breath… Whooozaaa…

I guess DSC isn’t going to replace GPO any time soon. I found a link from Darren Mar-Elia on the subject. He made some very valid points concerning the strength and weakness of both products. DSC is excellent as a configuration management platform for Windows Servers. DSC will also work for Workstation, but Servers are the obvious target here.

So let’s not abandon the old for the shiny just yet shall we? Remember “use the right tool for the right job”

I will say this in DSC’s defense, it got me thinking about the life cycle of resources. It’s one thing to have a resource in a desired state, disposing of them also needs to be handled properly.

I guess time will tell if DSC will be the ultimate configuration tool… Learning DSC will be a good investment, Microsoft is betting everything on it…

Ttyl,

Urv

I had the privilege of attending the first European PowerShell Summit!!!

When I first heard that Don Jones & Richard Siddaway would be here in Amsterdam I just knew I had to be there! I’m still riding that high!!!

I tried explaining to friends on Facebook who these guys are. They couldn’t understand my enthusiasm. Imagine hanging out with Michael Jackson, Prince, Miles Davis & Rick James all at the same time!!!

Just plain awesome!!!

Jeffrey Snover!!! How cool is that???

Jeffrey Snover!!! The mastermind behind PowerShell!!! How cool is that???

Dan Harman! Know evrything there is to know about OneGet & PowerShellGet

Dan Harman! Knows everything there is to know about OneGet & PowerShellGet

Tobias Weltner (in the middle). This guy is a genius!!! He stole the show with ISESteroids 2.0

Tobias Weltner (in the middle). This guy is a genius!!! He stole the show with ISESteroids 2.0

Jim Truher If you don't test your code he will lookfor  you, he will find you and make you create Test cases!!!

Jim Truher!!! If you don’t test your code, he will look for you, he will find you and make you create Test cases!!!

Lee Holmes!!! Windows PowerShell Cookbook anybody???

Lee Holmes!!! Windows PowerShell Cookbook anybody???

Don Jones & Richard Siddaway - Legends!!!

Don Jones & Richard Siddaway – Legends!!!

I didn’t get Mike Pfeiffer, Bartosz Bielawski & Steve Murawaski on pic, they left early…

So now I know what it feels like to meet my PowerShell heroes!!!

Ttyl,

Urv

Validating a user’s password

I blogged about Random Complex passwords in the past, here’s a follow up.

The first time around I only needed to generate a random password. Now I was also in charge of setting the password as well. Let’s just say I was in for a little surprise… 🙂 Generating the passwords wasn’t the issue. I noticed that when applying the password, I got errors about the complexity. Here’s where color coding can be your friend.

Just a quick refresh:

Complexity Password Dictates that it must:

Contain characters from three of the following four categories:
1: English uppercase characters (A through Z)
2: English lowercase characters (a through z)
3: Base 10 digits (0 through 9)
4: Non-alphabetic characters (for example, !, $, #, %)

Did you see it? No? In the Non-alphabetic  category, characters $ and # are valid Password characters but in PowerShell they’re reserved.

So a random password like JikLO$02 is valid, however $02 could be misinterpreted depending on how it’s called. Same goes for MnqTy#98.

I generated random plaintext (Yeah I know right? Shame on me… But that’s another discussion) saved the UserName and Password in a csv file for later use.

Now all I need to do is loop through my csv file do a

get-user -id $username | Set-ADAccountPassword -reset -NewPassword (ConvertTo-SecureString -AsPlainText $Password -force)

and I’m good to go right? Well if your password has a # or $ it will generate an error.

So at this point I had a few options:

Option 1
Get rid of $ and #, so no Non-alphabetical category . To be a valid Complex password I only need three out of the four categories. It will still be random but as a scripter my  honor is at stake here… 🙂

Option 2
Make the string literal! Until recently I’d never given it much thought when it comes to single or double quotation strings. At the time I was under pressure, so I went with Excel and did a concatenate to get the single quote around the $Password value.

"`'$Password`'"

I know…

So that was how I ended up solving that issue. It worked. I had a few users that locked out because they didn’t know if it was a zero or the letter O (Yes I told them that could be an issue) Mission accomplished! Still, I had my reservations, I need to be certain in the future that the username-password pair is accurate & valid.

Now the easiest way to verify this is by logging on. As a test, not a problem for one account. All accounts isn’t an option. Besides we also flagged the accounts to change the password at logon, so there’s that as well.

I found some nifty stuff in the DSC Resoucekit wave 6 MSFT_xADUser.psm1 script.

It turns out you can validate credentials without having to logon! Say what now? Yup!
So no more wondering if the username-password pair matches? Yes indeed!!!

So here’s the code to verify for just one but you get the idea…

$DomainNETBIOSName = '<YourNETBIOSDOMAINNAME>'
$Password = '<VALIDPASSWORD_OR_NOT>' | ConvertTo-SecureString -AsPlainText -Force
$UserName = "$DomainNETBIOSName\<VALIDUSERACCOUNT>"

#It's possible to change your AD Context

$DomainAdministratorCredential = Get-Credential

Add-Type -AssemblyName 'System.DirectoryServices.AccountManagement'

$credential = New-Object System.Management.Automation.PSCredential($UserName,$password)

$prnContext = new-object System.DirectoryServices.AccountManagement.PrincipalContext(
'Domain', $DomainNETBIOSName, $DomainAdministratorCredential.UserName, `
$DomainAdministratorCredential.GetNetworkCredential().Password)

#Validate user password. this will return a $true if valid or $false if not

$prnContext.ValidateCredentials($UserName,$credential.GetNetworkCredential().Password)

Bonus: It doesn’t change the “User must set password at next logon” flag

So there you have it. Setting Complex Random passwords and confirming it!!!

Gotta love PowerShell… So much to explore…

Ttyl,

Urv

DSC, the right tool for…

So I just got back from the very first European PowerShell Summit, Just one word to describe it… AWESOME!!!

We had a DSC (Desired State Configuration) hackathon Monday evening of the  Summit. It was just really cool interacting with Lee Holmes ,Steve Murawski, Don Jones & Richard Siddaway.

The main take away from the Summit is that DSC is going to change how we design, deploy and administer Infrastructures, in the cloud or private. DSC was THE recurring theme every day of the Summit.

Now as a PowerShell enthusiast you could easily get carried away with DSC. While I do understand and appreciate the added value DSC will give us, it’s not a wildcard for every problem/issue in your Infrastructure… Yet! :-).

“if all you have is a hammer, everything looks like a nail”

So I asked Richard Siddaway what his take on DSC is. Richard’s advice is simple: “Make sure you understand and use the right tool for the right job”. I couldn’t agree more!

DSC is the next step in the evolution of IT Administration. DSC is also going to thin out the IT admin crowd considerably. The “click generation” admins is coming to an end.

When you think DSC, think of Infrastructure components that need to stay the same indefinitely. Routers & Switches? Definitely!!! Web Server / Citrix / Hyper-V farms ? Oh yeah!!!
Now I’m all excited, what’s next (I got my hammer ready!!!)?

Basically anything you can or want to configure on a system/component/node, you can do so with DSC, but should you?

Let’s consider something as trivial as getting an IP address. With DSC you could deploy NIC configurations right? No more dynamic IP Addresses, it’s static all the way!!! Sure you could do that, but would you want to? Of course not. Having said that, DSC is really interesting when it comes to DHCP Server Options, Scopes & Reservations. How often do you redesign your network? Not very often I hope… Here’s where DSC will shine.

When it comes to configuring anything ask yourself: “will this state stay so indefinitely?” If the answer is yes then you should be thinking of DSC.

It’s good to embrace new technology as DSC, just don’t throw the old out yet. Every new version of PowerShell is an improvement on the former and one day it will be the only tool you’ll ever need. But until that time “Make sure use the right tool for the right job…”

HTH

Ttyl,

Urv

PS. Be sure to get a copy of the DSC Resource Book at powershell.org. It’ll give you a better understanding about DSC and how to get started… It’s something you need to learn!