Operating Systems

Dual Boot pfSense for Testing New Versions

Recently pfSense 2.0 was released into beta, and as an avid 1.2.x line user, I was eager to check it out. I still wanted the ability to roll back to a previous version if things were too unstable, so I configured dual booting of the stable 1.2.x line with the experimental 2.0 build. This should also work for any other versions in the future; these two are just used as an example.

  • Back up the current configuration of the stable system. Make sure you have the config.xml file handy to upload, since you will need to re-install the system if you do not already have correctly sized slices.
  • Boot the stable pfSense media. It does not matter which version is installed first, but for the sake of example stable comes first.
  • Select (i) to install to the local hard disk.
  • Select < Custom Install > after configuring keyboard and display.

  • Next, select the hard disk on which you would like to install the system. You may install over several drives if you wish using the same general idea; the only difference is where you place partitions. I am using a single drive setup here for simplicity and commonality.

Restrict AD users from Certain Domain Machines in Server 2003

This guide is mainly helpful when you need to lock down a computer using GPOs and Active Directory. The situation here is a group of users who need to be locked down to the bare minimum of usability features. In addition, the computers these users sign on to are in highly sensitive areas, so only certain users should be able to log in. For example: you have 10 computers in an area where you want only certain locked down accounts to be able to log in. If an account with greater privileges, such as a more powerful user, is compromised, it will not be able to log into the restricted machines.

  • Create an Organizational Unit which holds all of the machines that need to be restricted. Mine is named ‘Lockdown Computers’
  • Create a GPO and link it to the ‘Lockdown Computers’ OU. This can be done by right clicking the OU in Group Policy Management and selecting “Create and Link a GPO Here…”
  • Right click on the newly created GPO and select “Edit…”
  • Under Computer Configuration, navigate to Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment
  • In the right pane, find the policies named “Allow Log on Locally” and “Allow Log on Through Terminal Services”
  • In each policy, under the “Security Policy Setting” tab, click on Add User or Group.
  • The easiest method is to create a user group in Active Directory which contains the users you want to be able to log into the given machine. It is usually best to select only the accounts which will be working on the computer in the future, as well as the limited user login. In addition, for both policies, the Administrators group for the Domain Controller must be selected. Be careful which users you select; you do not want to lock yourself out of a machine completely.
  • Close out the Group Policy Editor, and navigate to the GPO which was just edited.
  • Right click the GPO, and select “Enable”
  • Next, open a command prompt on the server and enter “gpupdate /force”
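One way to confirm the result on a restricted machine, as an added example that is not part of the original post: export the applied user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check the two logon rights against the intended group. The sample export, the domain SID and the group RID below are constructed, and treating S-1-5-32-544 as the Administrators entry is an assumption.

```python
# Added example: audit a secedit user-rights export for the two logon rights
# set in the GPO. Real exports are normally UTF-16 text; decode before parsing.
# Constructed sample: the domain SID and the group RID (1105) are made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group


def parse_privilege_rights(text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            }
    return rights


def audit_logon_rights(text, allowed):
    """Return findings; an empty list means both rights match the intended set."""
    rights = parse_privilege_rights(text)
    findings = []
    for right, label in LOGON_RIGHTS.items():
        holders = rights.get(right)
        if holders is None:
            findings.append(f"{label}: not defined in export")
            continue
        if ADMINISTRATORS not in holders:
            findings.append(f"{label}: Administrators missing (lockout risk)")
        for extra in sorted(holders - allowed - {ADMINISTRATORS}):
            findings.append(f"{label}: unexpected principal {extra}")
    return findings
```

On the constructed sample, the only finding is the extra S-1-5-32-545 (built-in Users) entry on the Terminal Services right.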
