Ubuntu Chrome Remote Desktop configuration

by on September 18, 2020 at 15:58
Posted In: IT Blog

The Setup

Host: Ubuntu 18.04 “Bionic Beaver” release
Software: Google Chrome

I thought this was weird: I couldn’t actually download the Chrome browser. Couldn’t do it from firefox (the Ubuntu default), or chromium (the open-source O.G Chrome package). I thought that was sort of weird. Like Ubuntu linux didn’t support it or something. This means it’s simply not available in the Ubuntu software repository.

There are lots of guides of “how to install chrome” onto Ubuntu. I’ve compiled that here, as well as how to install and configure Chrome Remote Desktop.

  1. Install Google Chrome From SSH shell: 
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
  1. Once installed, own the CHROME browser directly to https://remotedesktop.google.com. This will add the Chrome Remote Desktop Extension directly to Chrome for you.
  2. Install the Extension
  3. When asked, choose a PIN for your desktop

This is the part of the blog where you think everything works. Not in this case. I kept getting this error:

I thought, maybe it’s because I didn’t add myself to the chrome remote desktop users group.

$ sudo usermod -a -G chrome-remote-desktop my_user_name

At this point, I decided to reboot for good measure.

After reboot, the Chrome Remote desktop was now in the applications

Although I still couldn’t connect from another host, still times out. Kept giving me errors that the startdaemon wasn’t starting properly.

With some help from monkey patching, I eventually got it working. Here’s the steps broken down:

  1. Stop Chrome Remote Desktop 
$ /opt/google/chrome-remote-desktop/chrome-remote-desktop --stop
  1. Backup the original configuration 
$ sudo cp /opt/google/chrome-remote-desktop/chrome-remote-desktop /opt/google/chrome-remote-desktop/chrome-remote-desktop.orig
  1. Edit the config file with nano (or whatever editor you prefer) 
$ nano /opt/google/chrome-remote-desktop/chrome-remote-desktop
  1. Find DEFAULT_SIZES and amend to the remote desktop resolution. For Example: 
DEFAULT_SIZES = "1920x1080"

In my case, I set it to “1920×1200,3840×2400” since the desktop had dual-monitors.

Set the X display number to the current display number (obtain it with echo $DISPLAY from any terminal). On Ubuntu 17.10 and lower, this is usually 0, and on Ubuntu 18.04, this is usually 1:

FIRST_X_DISPLAY_NUMBER = 1

Change it to “20”.

FIRST_X_DISPLAY_NUMBER = 20.

In my case, it happened to be 1.

Comment out sections that look for additional displays:

#while os.path.exists(X_LOCK_FILE_TEMPLATE % display):
<p><code># display += 1

Reuse the existing X session instead of launching a new one. Alter launch_session() by commenting out launch_x_server() and launch_x_session() and instead setting the display environment variable, so that the function definition ultimately looks like the following:

def launch_session(self, x_args):
self._init_child_env()
self._setup_pulseaudio()
self._setup_gnubby()
#self._launch_x_server(x_args)
#self._launch_x_session()
display = self.get_unused_display_number()
self.child_env[“DISPLAY”] = “:%d” % display

Save and exit the editor. Start Chrome Remote Desktop:

Sudo /opt/google/chrome-remote-desktop/chrome-remote-desktop --start

On a VM, this seems to fail. BUT on a physical box, i’m connected to it even as I write this without any issues.

Just have to get used to picking what session you want, Xsession, and I think the other was was regular ‘ubuntu’ session or something. Has to do with the different environments, one environment is strictly for when you’re sitting physically in front of the computer, the other is the remote session stuff over things like VNC.

Remoting in from external shows this on first boot up:

Once you select the session, that’s the same session you connect in with every time.

I’ve been using the 2nd option – “Ubuntu”

Breakdown of each option:

(default) – launch the default Xsession. This looks the same as “ubuntu” session. All the windows look the same, and the same settings seem to apply.

Ubuntu – I use this most often, looks like VNC ties to this instance too. Actually, I think the above selection (default) is just whatever you pick between ‘ubuntu’ session and ‘unity’ session.

Unity – looks like a completely different OS. The icons are different, the experience, everything. This appears to be a graphical interface of sorts, sort of like the flavors of KDE or GNOME.

There you have it, you now have a functioning Chrome Remote Desktop to your Ubuntu Box.


└ Tags: , , ,
 Comment 

Oracle VirtualBox – Configure Guest-VM network to communicate with Host network

by on September 18, 2020 at 11:59
Posted In: IT Blog

This is going to focus on configuring an Oracle Virtualbox VM to do a few things:
-make it so the host, and local host network can see, ping, remote and use fileshares to the Oracle Box guest VM
-Enable the Oracle box VM to still use it’s own built in DHCP (in case you have your own domain)

*I take no liabilities in configuring any of this, I had to figure this all out with trial and error!

The Setup

Host: Ubuntu 18.04 “Bionic Beaver” release
Software: Oracle VirtualBox (version 5.2.42-dfsg-0-ubuntu 1.18.04.1)
VM: Microsoft Server 2016 Domain Controller

For the purpose of this entry, I’m skipping over the creation of a VM, domain configuration and DHCP. All that’s configured within the Guest-VM Operating System. I won’t go into that, but what I will provide is a problem, and solution.

Problem
How can we get a already existing VM running MS domain services, to use it’s already pre-configured DHCP Scope, and yet allow it to talk with the rest of the host network?

Solution (short explanation):
Create a second network adapter in ‘bridged mode’, keep the primary network adapter in ‘NAT’ mode. Configure firewall rules on the Guest-OS to allow access.

Solution (long, and drawn out):
To preface this problem, I had a pre-existing domain controller with it’s own DHCP server. DHCP itself was handing out a 10.0.150.1/24 series of IP’s.

My VM Host however is on my home network, we’ll say that’s a 10.0.0.1/24 network. So how do we configure our VM to have access to our home resources?

First, turn off your VM.

1.Create a second Network adapter! From VirtualBox Manager goto Settings…

Orade VM Virtu•IBox M •na%r New Settings DC01 Running Show >ettings...<br /> Clone.<br /> denove„<br /> Show<br /> Eause<br /> Machine Tools<br /> Global Tools<br /> Ctrl•S<br /> ctrl-o<br /> lists all virtual machines and virtual<br /> mputer.<br /> represents a set Of tools Which<br /> n be opened) for the currently<br /> Of currently available tools check the<br /> right side Of the main tool bar<br /> indow. This list Will be extended With

2.Goto Network.

For this VM, I put in a NAT network. There’s dozens of different ways to do this, but for this example, I created a NAT with a specific scope to isolate my domain for testing purposes. Here’s the Oracle VirtualBox documentation.

DOI settings Network Adapter 1 Adapter 2 @ gnable Network (2 General System Dtsplay Storage Audio Network Serial Ports Shared Folders user Interface Attached to: Name: v Advanced Promiscuous Mode: MAC Address: NAT Network VNATOI 100150.0/24 Deny @ Cable Connected Port rorwaldirg

3.Create a New Network Adapter. Configure as ‘Bridged Adapter‘. In layman’s terms, a Bridged Adapter just means it’s using the physical connection from your host, and the VM is filtering data from the host.

General System Dtsplay Storage Audio Netvvork Serial Ports (2 Shared Folders user Interface DOI settings Network Adapter 1 Adapter @ gnable Network Attached to: Name: v Advanced Promiscuous Mode: Address. Bridged Adapter enp0s25 MT Oes«oø Deny @ Cable Connected Port rorwaldirg

4.From the Guest-VM, configure the networking to the same as the Host. You will need a static address from your DHCP – likely your home router or otherwise.

Internet Protocol Version 4 (TCP/IPv4) Properties Guest VM properties You can get [P settngs assigned automatcally if pur neb,Nork supguyrts this capability. Otherwise, you need to ask your neb,Nork administrator for the appropriate [P settngs. C) Obtain an [P address automabcally Example IP config • use the following [P address: [P addr ass: Subnet mask: Default gateway: 101 255 255 255 Obtain DNS server address automatcally • use the following DNS server addresses: Preferred DNS server: Alternate DNS server: [3 Validate settings upon exit

5.Configure the Guest-VM firewall rules to allow traffic from that specific subnet.

  • Goto Firewall settings (depending on your flavor of VM, this is a Windows VM so your mileage may differ), advanced settings -> Inbound rules.
  • Scope (local IP addresses): the IP of your Guest-VM
  • Scope (remote IP addresses): the IP, or range of your management workstations on your Host subnet

allow all 10.0.0.1/24 traffic Properties Programs and Services Remote Computers Protocols and Ports Scope Advanced local Principals Remote users Local IP address C) Any IP address VM-Guest Sample Rules @ These I P addresses 1000101 Ram ove Remote IP address @ Any IP address O These IP addresses

  • Protocols and Ports: I set mine to ANY. It’s up to you what you want to expose from your Guest-VM to your Host.

allow all 10.0.0.1/24 traffic Properties Programs and Services Remote Computers Protocols and Ports Scope Advanced local Principals Remote Protocols and ports Protocol type Protocol number local port Remote port VM-Guest Sample Rules Example 80. 443. Example 80. 443. 5000-5010 Intemet Control Message Protocol (ICM P) settings Customize ..

Programs and Services: ALL. Again, it’s up to you what you want to expose.

allow all 10.0.0.1/24 traffic Properties Protocols and Ports Scope Advanced local Principals Remote Ll sem Programs and Services Remote Computers Guest-VM Sample Rules @ All meet the specified conditions C) This program Application P ackages Specify tha application packages to which this rule applies Specify the services to which this rule applies

6.Now Test the configuration from your Host or a management computer on the same Host subnet:

test-netconnection -ComputerName 10.0.0.101 -Port 3389 -InformationLevel Detailed

 

(you can use ping test too, but I like to see the specific port)

ComputerName . 10.0.0.101 RemoteAddress . 10.0.0.101 Remoteport . 3389 . 10.0.0.101 Matchi I es Networklsol ationcontext : Internet IsAdmi n False InterfaceAI as Sour ceAddress . 10.0.0.36 NetRoute (NextHop) . o.o.o.o TcpTestSucceeded . True

Success! Connection to the RDP port 3389 works!

Now you can remote desktop to your VirtualBox Guest-VM from within your network. Also means you can continue deploying VM’s to that Virtual Domain Controller’s DHCP. Hope this helps the next person.

└ Tags: , , , , ,
 Comment 

GPO enable VSS in Win 7

by on June 5, 2014 at 12:38
Posted In: IT Blog

GPO VSS 1

Volume Shadow copy has saved my butt on file, exchange, and SQL servers.  Typically, IT departments discourage previous versions on desktops mainly because it opens up issues with disk space and if it’s really worth saving or rescuing an MP3 or AVI.

Of course, if you have the space on your client machines to do it, you can enable VSS and grant users the chance to recover files right from their own desktop machines.

First, create a new GPO and give a give it an appropriate name.
1. Enable the Volume Shadow Copy Service (VSS):

Computer Configuration->Windows Settings->Security Settings->System Services->Volume Shadow Copy and set to Automatic.

GPO VSS 3

2. Now give your users the ability to restore the files on their local PC’s:
User Configuration->Policies->Administrative Templates->Windows Components->Windows Explorer->Previous Versions->

Prevent restoring previous versions from backups  – disabled
Prevent restoring local previous versions – disabled

See the Previous Versions setting

See the Previous Versions setting

└ Tags: , , , ,

GPO add corporate picture to your AD logon account

by on June 4, 2014 at 12:09
Posted In: IT Blog

Win 7 default picture

The default windows logon picture, while very stock is a bit boring. If you’re in the corporate environment where a more suitable logon picture is preferred, here are your steps to adding a default picture to all user’s profiles.

First, pick a picture and make your edits to make it EXACTLY 128 x 128 pixels (you can use the picture in this post as a guide). Make your edits accordingly and make sure to save it with a .BMP extension.

Create a new GPO, name it ‘Default Win7 logon picture’. Goto
User Configuration -> Preferences -> Windows Settings -> Files and create a new file

Preferences->Windows Settings->Files->New” width=”280″ height=”390″> Create a new file in User Configuration->Preferences->Windows Settings->Files->New

Set Action to Replace
For Source file, place your newly created .BMP in the GPO unique ID path: (you can find it by going to the details tab of the newly created group policy)

note your unique ID here

The resulting path in the source file should look like:
\\domain\SYSVOL\domain\Policies\{really-long-unique-gpo-identifier}\User\Preferences\Files\User.BMP

For Destination File, enter:
C:\ProgramData\Microsoft\User Account Pictures\user.bmp
(to change the local windows 7 .BMP picture)

It should look like the above, be sure to be wary of the direction of your slashes "\"

It should look like the above, be sure to be wary of the direction of your slashes “\”

Lastly, apply the GPO to the proper User OU and make sure to do a Gpupdate /force.

*Alternatively, you can place your .BMP in a separate share on your network, ideally a DFS model will do as a general share requires full permissions.  The size of this particular .BMP was only 100KB, so Active Directory replication will be minimal.

└ Tags: , , ,

Disable .exe’s from running inside any user %appdata% directory – GPO

by on June 1, 2014 at 22:00
Posted In: IT Blog

The Cryptolocker virus out there in the wild and I’ve seen it happen on a few computers and it’s certainly not pretty. The details are sorrid, but in a nutshell what happens is a crytolocker virus gets onto your computer, locks all your pertinent files and demands a ransom amount so you can get your files back. Those who pay the ones delivering the virus will become more bold and will start demanding more money.

What can you do to protect your company?
Create some Group Policies to lock down likely places for Malware / Spyware / Grayware / Cryptodefense and other likely .exe programs from running:

– Open up Group Policy and create new GPO
– Title this policy Disable .exe from %appdata% and click OK
– Right click on this policy and select Edit
– Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
– Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
– Right click on Additional Rules and click on ‘New Path rule’ and then enter the following
information and then click OK

Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData (Win 7)

Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData subfolders (Win 7)

Path: %localAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Prevent unarchived executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Prevent 7zipped executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Prevent Rar executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Prevent Winzip executables in email attachments from running in the user space (Win 7)

The following paths are for Windows XP machines (if you still have them; I put these in just in case with the same disallow security settings)
%AppData%\*.exe
%AppData%*\*\*.exe

Create your new path rules as seen above

Create your new path rules as seen above

GPO Selections

Your final selections should look like the above. Make sure to apply the GPO to the proper OU once done.

 

 

*Update Feb 02, 2016*

I spent some time on a conference call with some Malwarebytes reps, I’ve been test driving a beta version that’s now available to the public.

Introducing Malwarebytes Anti-Ransomware

As I understand, the good folks at MalwareBytes will be conglomerating all their products: Anti-Malware, Anti-Ransomware, Anti-Malware, and Anti-Exploit into one nice big runtime. (date not yet announced).

 

└ Tags: , , , , ,