Two-Factor Authentication Comes of Age

by Ed Sparks

Two-factor authentication - "something you know, and something you have" - is the number one thing you can do to protect yourself online. While this used to be a complex and difficult process to set up and use, it has now become a relatively common and simple affair thanks to the ubiquity of smartphones and "authenticator apps".

Lifehacker has just updated their excellent article titled "Here's Everywhere You Should Enable Two-Factor Authentication Right Now".

Check it out, then immediately go and turn on two-factor everywhere you can!  You'll be thankful when the next huge security breach of a major website happens.

Changing your Windows Password over RDP

by Ed Sparks

Windows Server 2003/2008:
Click Start  - Windows Security - Change Password.  Update password.  
Continue on with your day, safe and secure.

Windows Server 2012:
Click Star...oh wait, there's no start menu.
Hmm, attempt to hit the edge of the screen to find the 'charms' and click Settings, then Change PC Setti.  Oh wait, that doesn't exist on 2012, even though it's on Windows 8.
Go to the vast empty void that is the 2012 Start Screen and click, umm,  hmm.
Back to the Desktop, Right Click on the "empty spot that should be the start menu" for the secret "Power Users" menu.  Nope.  Apparently Power Users don't change their passwords.
Bang head against wall.
Google "remote desktop keyboard shortcuts"
Press CTRL-ALT-END, then Change Password. Update password.
Continue on with your day frustrated and annoyed that Microsoft glued this ridiculous interface onto Windows Server.  Really guys, do you actually USE this thing?

 </rant>

Compelling!


Blackberry 10 and Windows Phone 8 Password Prompts

by Ed Sparks

Now that more BB10 and WP8 devices are out in the wild, a few issues are coming to light with their connections to Exchange ActiveSync.

The most common is that users are periodically prompted for their password after having successfully synced with the server for some time. In many cases (particularly BB 10) this results in an account lockout if the user simply cancels the prompt, or doesn't enter the password successfully.

The same issues do not seem to appear when using any iOS, Android or Windows Phone 7.x device against the same servers. It's not yet clear why the implementation is different on these other platforms.

The solution - adjust the timeout settings on your Exchange server, or ISA/TMG or ASA gateways, so that the connections are held open for longer than the heartbeat interval of the ActiveSync device.

Exchange
Follow the steps in this article to ensure the correct configuration is in place for both Exchange (2003/2007/2010) and your ISA/TMG.

ISA/TMG
Under the Web Listener for the EAS/OWA Rule - uncheck the "Apply session timeout to non-browser clients" setting as per this article.

Cisco ASA
Ensure any NAT rules that pass traffic to Exchange on HTTP/HTTPS have no timeouts, or very long timeout values.

Curious how all this fits together? Here's a great backgrounder on how EAS Direct Push works, heartbeat intervals, firewalls and more.  
http://technet.microsoft.com/en-us/library/cc182270.aspx
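
To check whether a gateway is still cutting Direct Push connections short after these changes, you can look at how long the server held each ActiveSync Ping request open. The following is an added example, not part of the original post: the function name, the W3C field layout, the sample log lines and the tolerance value are all constructed for illustration, and it assumes an `sc-win32-status` of 64 means the connection went away before the response was sent.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample in IIS W3C format; time-taken is in milliseconds.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status sc-win32-status time-taken
2013-05-01 10:02:00 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=alice&DeviceId=BB10A&DeviceType=BlackBerry alice 200 64 120031
2013-05-01 10:04:05 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=alice&DeviceId=BB10A&DeviceType=BlackBerry alice 200 64 119987
2013-05-01 10:04:10 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=BB10A&DeviceType=BlackBerry alice 200 0 412
2013-05-01 10:15:03 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=bob&DeviceId=IOS01&DeviceType=iPhone bob 200 0 900210
2013-05-01 10:15:50 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=bob&DeviceId=IOS01&DeviceType=iPhone bob 200 0 45012
2013-05-01 10:16:30 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=carol&DeviceId=WP8C&DeviceType=WP8 carol 200 64 30400
"""

def cut_short_pings(log_text, gateway_idle_s, tolerance_s=5):
    """Count, per DeviceId, Ping requests that stayed open at least as long as
    the gateway idle timeout and then ended with a dropped connection."""
    fields, hits = [], defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue
        query = parse_qs(row.get("cs-uri-query", ""))
        if query.get("Cmd", [""])[0].lower() != "ping":
            continue                           # only the long-lived heartbeat requests
        if not row.get("time-taken", "").isdigit():
            continue
        held_s = int(row["time-taken"]) / 1000
        dropped = row.get("sc-win32-status") == "64"   # assumption: connection lost
        # Drops well before the idle timeout (e.g. lost coverage) are not the gateway's doing.
        if dropped and held_s >= gateway_idle_s - tolerance_s:
            hits[query.get("DeviceId", ["unknown"])[0]] += 1
    return dict(hits)

if __name__ == "__main__":
    print(cut_short_pings(SAMPLE_LOG, gateway_idle_s=120))
```

A device that keeps appearing in the result is one whose heartbeat outlasts the gateway timeout you passed in, so either the gateway change has not taken effect or another device in the path has a shorter timeout.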