How to create .rdp file on Mac OS that allows auto-login - macos

I'm working on a tool that generates .rdp files and then invokes them using the Microsoft RDP client. This tool is running on Mac OS.
Everything works well; the only problem is that I can't figure out how to generate the 'password 51:b' field properly. On Windows this can be done easily using the CryptProtectData method from the Crypt32.dll library. How can I do the same on Mac?
Another option could be to use the "rdp://" URL scheme, but it doesn't seem to allow passing the password this way.
So the question is: how can I implement auto-login on Mac if I use a third-party RDP client?

As far as I know, you can't. You can, however, create a "User Account" and a server configuration and add both to the client. The connection will then be visible on the main window and you just need to double-click it.
To do so, you need to add the password to the Keychain; use /usr/bin/security to do so from a script. It needs to be a generic password and saved in com.microsoft.rdc.macos. Also be sure to generate an ID according to the RDP client's scheme, like BFF77777-7777-7777-7777-777777777777.
You may also set the permissions to read that key using /usr/bin/security set-generic-password-partition-list, specifying the right team ID (UBF8T346G9) and again com.microsoft.rdc.macos. You need the admin password for this step.
Then you can alter the RDP client's config file, which is an SQLite file located at /Users/$(whoami)/Library/Containers/com.microsoft.rdc.macos/Data/Library/Application Support/com.microsoft.rdc.macos/com.microsoft.rdc.application-data.sqlite. Add the user configuration to the ZCREDENTIALENTITY table and make sure the ZID matches the one added to the keychain.
To add a server configuration you need to alter the ZBOOKMARKENTITY table. Just add a configuration by hand using the UI and look at the table to get a feeling for how it needs to be set up. Basically, you link your user configuration with the server configuration by making sure that ZCREDENTIAL in ZBOOKMARKENTITY matches Z_PK in ZCREDENTIALENTITY of your user configuration.
I know the answer is a bit late, but it may give you a starting point. This will, however, not fully automate the process; you will still need to go to the UI and double-click the connection you want to use.
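The sequence the answer describes, scripted end to end, as an added example (this is not code from the answer or from Microsoft). Assumptions, labelled in the code: the keychain item stores the generated ID in its account field, the ID is an upper-case UUID in the shape of the answer's BFF77777-... example, and the credential and bookmark rows already exist (created once through the UI), because the Core Data tables carry more NOT NULL columns than the answer names, so the script updates rows rather than inserting them. Quit the RDP client before touching the SQLite file.

```python
# Added example: keychain item via /usr/bin/security, then the two table updates.
# Assumed: account field = generated ID; ID format = upper-case UUID; rows pre-exist.
import re
import sqlite3
import subprocess
import uuid
from pathlib import Path

SERVICE = "com.microsoft.rdc.macos"
TEAM_ID = "UBF8T346G9"
DB_PATH = (Path.home() / "Library/Containers/com.microsoft.rdc.macos/Data/Library"
           / "Application Support/com.microsoft.rdc.macos"
           / "com.microsoft.rdc.application-data.sqlite")
ID_RE = re.compile(r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}")


def new_credential_id() -> str:
    """Upper-case UUID, the shape of the answer's example ID (assumed format)."""
    return str(uuid.uuid4()).upper()


def is_credential_id(value: str) -> bool:
    return bool(ID_RE.fullmatch(value))


def keychain_add(cred_id: str, username: str, password: str) -> None:
    """Create or replace (-U) the generic password the client looks up by ID.
    -w puts the secret on the command line, visible in ps while the call runs;
    on a shared host omit -w and let security prompt for it instead."""
    subprocess.run(["/usr/bin/security", "add-generic-password", "-U",
                    "-s", SERVICE, "-a", cred_id, "-l", username, "-w", password],
                   check=True)


def keychain_allow_client(cred_id: str) -> None:
    """Let apps signed with Microsoft's team ID read the item without a prompt.
    security asks for the login keychain password interactively here."""
    subprocess.run(["/usr/bin/security", "set-generic-password-partition-list",
                    "-S", f"teamid:{TEAM_ID}", "-s", SERVICE, "-a", cred_id],
                   check=True)


def link_credential(conn: sqlite3.Connection, cred_pk: int, cred_id: str,
                    bookmark_pk: int) -> None:
    """Set ZID on credential row cred_pk and point bookmark row bookmark_pk at it
    (ZBOOKMARKENTITY.ZCREDENTIAL must equal ZCREDENTIALENTITY.Z_PK)."""
    if not is_credential_id(cred_id):
        raise ValueError(f"not a credential ID: {cred_id!r}")
    try:
        cur = conn.execute("UPDATE ZCREDENTIALENTITY SET ZID = ? WHERE Z_PK = ?",
                           (cred_id, cred_pk))
        if cur.rowcount != 1:
            raise LookupError(f"no ZCREDENTIALENTITY row with Z_PK={cred_pk}")
        cur = conn.execute("UPDATE ZBOOKMARKENTITY SET ZCREDENTIAL = ? WHERE Z_PK = ?",
                           (cred_pk, bookmark_pk))
        if cur.rowcount != 1:
            raise LookupError(f"no ZBOOKMARKENTITY row with Z_PK={bookmark_pk}")
        conn.commit()
    except Exception:
        conn.rollback()      # leave the store untouched on any failure
        raise


def linked_credential_id(conn: sqlite3.Connection, bookmark_pk: int):
    """ZID the bookmark resolves to (None if unlinked): check that the DB and the
    keychain agree before opening the client."""
    row = conn.execute(
        "SELECT c.ZID FROM ZBOOKMARKENTITY b "
        "JOIN ZCREDENTIALENTITY c ON c.Z_PK = b.ZCREDENTIAL WHERE b.Z_PK = ?",
        (bookmark_pk,)).fetchone()
    return row[0] if row else None


def constructed_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in with only the columns the answer names,
    for dry runs; the real file has many more columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE ZCREDENTIALENTITY (Z_PK INTEGER PRIMARY KEY, ZID TEXT);"
        "CREATE TABLE ZBOOKMARKENTITY (Z_PK INTEGER PRIMARY KEY, ZCREDENTIAL INTEGER);"
        "INSERT INTO ZCREDENTIALENTITY VALUES (1, 'PLACEHOLDER');"
        "INSERT INTO ZBOOKMARKENTITY VALUES (7, NULL);")
    return conn


def provision(username: str, password: str, cred_pk: int, bookmark_pk: int,
              db_path: Path = DB_PATH) -> str:
    """Keychain first, then the store. Run with the RDP client closed."""
    cred_id = new_credential_id()
    keychain_add(cred_id, username, password)
    keychain_allow_client(cred_id)
    with sqlite3.connect(db_path) as conn:
        link_credential(conn, cred_pk, cred_id, bookmark_pk)
    return cred_id
```

Find cred_pk and bookmark_pk by opening the store read-only and selecting Z_PK from the two tables after creating the entries in the UI; linked_credential_id() then confirms the link before you launch the client.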

Related

How to set up Wireguard client in macos via scripting?

We have a standard config (tunnel.conf) for WireGuard that we want to push to clients (via JAMF Pro).
We do not want the end user to have to open the WireGuard UI to import the config; we want to do this via scripting.
Given that I can place the tunnel.conf file anywhere on the end user's system, where do I have to place it, and what command do I need to run to import it?
And conversely, how can I delete a tunnel config from WireGuard via scripting?
So, as it turns out, WireGuard has a unique key pair per tunnel, which means each user has their own keys.
Managing that via JAMF sounds like a nightmare, and it'll be easier to point users at their accounts in the VPN to pull down their config than to manage it for them. Documentation and handholding time!
But it seems to be possible to manage applying a profile via automation. The kind support people at my VPN provider pointed me to this article on the JAMF community board:
https://community.jamf.com/t5/jamf-pro/wireguard-configuration-file-distribution/m-p/264747
There's a related page on the wireguard-apple repository:
https://github.com/WireGuard/wireguard-apple/blob/master/MOBILECONFIG.md
If we do end up trying to manage the users configs, I'll update here.
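As an added example (not code from the thread, from JAMF or from the WireGuard project), this turns a wg-quick tunnel.conf into a .mobileconfig profile of the kind the linked MOBILECONFIG.md describes, validating the config first. Assumptions, labelled in the code: the VPN payload keys (VPNSubType com.wireguard.macos, VendorConfig/WgQuickConfig, VPN/RemoteAddress) are as the author of this example recalls them from MOBILECONFIG.md and should be checked against that document before deployment; the sample config and key bytes are constructed. The point the thread makes about per-user keys applies here too: the profile embeds the private key, so it is a per-user secret, not a shared file.

```python
# Added example: wg-quick conf -> validated -> Apple configuration profile (plist).
# Payload key names marked "verify" are assumptions to check against MOBILECONFIG.md.
import base64
import ipaddress
import plistlib
import uuid

SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed; not a real key
SAMPLE_CONF = f"""[Interface]
PrivateKey = {SAMPLE_KEY}
Address = 10.9.0.7/32

[Peer]  # constructed peer
PublicKey = {SAMPLE_KEY}
AllowedIPs = 10.9.0.0/24, 192.168.50.0/24
Endpoint = vpn.example.com:51820
"""


def parse_wg_conf(text: str):
    """Minimal wg-quick parser: one [Interface], any number of [Peer] sections
    (configparser would merge repeated [Peer] sections, losing peers)."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return interface, peers


def _check_key(value: str, what: str) -> None:
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:
        raise ValueError(f"{what} is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"{what} must decode to 32 bytes, got {len(raw)}")


def validate_wg_conf(text: str) -> str:
    """Reject what the app would choke on; return the first peer's endpoint host."""
    interface, peers = parse_wg_conf(text)
    _check_key(interface.get("PrivateKey", ""), "Interface.PrivateKey")
    if not peers:
        raise ValueError("no [Peer] section")
    host = ""
    for i, peer in enumerate(peers):
        _check_key(peer.get("PublicKey", ""), f"Peer[{i}].PublicKey")
        if "AllowedIPs" not in peer:
            raise ValueError(f"Peer[{i}] has no AllowedIPs")
        for cidr in peer["AllowedIPs"].split(","):
            ipaddress.ip_network(cidr.strip(), strict=False)   # raises on junk
        if "Endpoint" in peer:
            h, _, port = peer["Endpoint"].rpartition(":")
            if not h or not port.isdigit() or not 1 <= int(port) <= 65535:
                raise ValueError(f"Peer[{i}].Endpoint is malformed")
            host = host or h
    return host


def build_profile(conf_text: str, name: str, org_id: str = "com.example") -> dict:
    """Profile with one managed VPN payload carrying the wg-quick text verbatim.
    It embeds the private key: generate and deliver one per user, never share it."""
    host = validate_wg_conf(conf_text)
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wireguard.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"WireGuard {name}",
        "UserDefinedName": name,
        "VPNType": "VPN",
        "VPNSubType": "com.wireguard.macos",            # per MOBILECONFIG.md (verify)
        "VendorConfig": {"WgQuickConfig": conf_text},    # per MOBILECONFIG.md (verify)
        "VPN": {"RemoteAddress": host, "AuthenticationMethod": "Password"},  # (verify)
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wireguard.{name}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"WireGuard {name}",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile)   # write to <name>.mobileconfig and push via JAMF
```

Removing the tunnel is then a matter of removing the profile through the MDM rather than deleting a file, which is the other half of the original question.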

Windows RDP with AWS EC2 - used to include password, now doesn't

I haven't logged on to my EC2 instance in a few months. Last time I did, it seems like the RDP file that I downloaded had the password in it. That laptop died.
Today, it seems like AWS/EC2 has changed how things work. I'm able to download the RDP file, but it is prompting for a password. When I try to decrypt the password, it wants me to paste or browse to a file on my disk, which I don't have.
Is there a way to re-download my key info? On security then "Key Pairs", I see the key for this server. Can I download that to my disk, or open it somehow?
I see these steps, but they look overwhelming, i.e. I don't have time for that now; I have real work to do:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ResettingAdminPassword_EC2Config.html
I was able to create a new key pair, but not sure if I can associate it with the instance.
When I click "Get Password" this screen appears:
UPDATE 1: I did find my .pem file, so I was able to use that to logon.
Had I not found it, what would I do?
Not much really! This is by design. AWS doesn't store your encryption key, and this prevents AWS personnel to access your instance. That's why you get such an ominous warning when pem file is generated: this is your one and only opportunity to see it - don't lose it.
That said, there are several "howevers".
If you changed your Windows password in Windows, or created a new AMI and launched a new instance from it, the pem file won't really help. You can probably create two administrator accounts, so if one forgets their password, you can reset it with the other one.
Second, if your EBS volume is not encrypted, you can detach it, launch another instance, and attach the EBS volume to the new instance. You won't get your instance back, but you will get the data from that drive.
Finally, the "overwhelming" steps from the link that you posted. Follow good security posture and you won't need them. But if you get sloppy, it may become your real work... better than polishing a resume...
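What the .pem actually does in the "Get Password" step, as an added example that is not code from the thread or from AWS: EC2 encrypts the initial Administrator password with the public half of the RSA key pair chosen at launch (PKCS#1 v1.5) and hands back the ciphertext as base64 PasswordData, so only the matching private key decrypts it and nothing here recovers a lost key. The code shells out to the openssl CLI (assumed on PATH); instance IDs and file names are placeholders, and the round-trip demo generates a throwaway key pair so it runs offline.

```python
# Added example: decrypt EC2 PasswordData with the launch key pair's private key.
# Requires the openssl CLI; fetch_windows_password() additionally needs the AWS CLI.
import base64
import subprocess
import tempfile
from pathlib import Path


def decrypt_password_data(password_data: str, key_pem: str) -> str:
    data = "".join(password_data.split())          # the CLI may wrap the base64
    if not data:
        raise ValueError("PasswordData is empty: first boot not finished, or the "
                         "password was changed / the AMI was re-used, so EC2 holds no copy")
    blob = base64.b64decode(data, validate=True)
    # pkeyutl defaults to PKCS#1 v1.5 padding for RSA, which is what EC2 uses
    proc = subprocess.run(["openssl", "pkeyutl", "-decrypt", "-inkey", key_pem],
                          input=blob, capture_output=True)
    if proc.returncode != 0:
        raise RuntimeError("decryption failed (not the key pair this instance was "
                           "launched with?): " + proc.stderr.decode(errors="replace").strip())
    return proc.stdout.decode()


def fetch_windows_password(instance_id: str, key_pem: str) -> str:
    """End to end via the AWS CLI (needs configured credentials)."""
    out = subprocess.run(["aws", "ec2", "get-password-data", "--instance-id", instance_id,
                          "--query", "PasswordData", "--output", "text"],
                         check=True, capture_output=True, text=True).stdout
    return decrypt_password_data(out, key_pem)


def roundtrip_demo(secret: str = "Constructed-Pa55w0rd!") -> str:
    """Offline dry run: throwaway RSA key pair, encrypt `secret` the way EC2 does,
    decrypt it back. Returns the recovered text."""
    with tempfile.TemporaryDirectory() as tmp:
        key, pub = Path(tmp, "key.pem"), Path(tmp, "pub.pem")
        subprocess.run(["openssl", "genpkey", "-algorithm", "RSA",
                        "-pkeyopt", "rsa_keygen_bits:2048", "-out", str(key)],
                       check=True, capture_output=True)
        subprocess.run(["openssl", "pkey", "-in", str(key), "-pubout", "-out", str(pub)],
                       check=True, capture_output=True)
        enc = subprocess.run(["openssl", "pkeyutl", "-encrypt", "-pubin", "-inkey", str(pub)],
                             input=secret.encode(), check=True, capture_output=True).stdout
        return decrypt_password_data(base64.b64encode(enc).decode(), str(key))


if __name__ == "__main__":
    print(roundtrip_demo())
```

The AWS CLI can do the decryption itself with `aws ec2 get-password-data --priv-launch-key key.pem`; the manual form above is useful when the .pem lives somewhere the CLI cannot read, and it makes the failure modes explicit: an empty PasswordData means there is no encrypted copy to recover, and a decryption error means the wrong key pair.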

How to Secure SQLite database?

We have a Windows application written with Electron, with SQLite as the database. The problem is that we want our application to secure the database file after its first authentication with the database, so that only the application itself can modify the file, while preventing a Windows standard user from modifying or deleting the file manually. What are the options here?
You can use third-party applications like https://robotronic.de/runasspcen.html
Run an application as another user, or start a program as administrator from a limited account, like the runas command, but without having to enter login information on each start.
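Running the application as another user only achieves what the question asks if the database file and its folder are readable and writable by that account alone; otherwise the interactive standard user can still open or delete the file directly. As an added example (not from the thread), the NTFS side of that setup built as icacls commands, plus a check that parses icacls output for leftover grants. The account name, path and the sample icacls output are constructed placeholders.

```python
# Added example: lock a SQLite file and its folder to a dedicated account via icacls,
# and detect leftover principals in `icacls <path>` output. Names/paths are placeholders.
import subprocess
from pathlib import PureWindowsPath

ADMINS = "BUILTIN\\Administrators"
SYSTEM = "NT AUTHORITY\\SYSTEM"


def acl_commands(db_path: str, service_account: str) -> list:
    """icacls invocations: drop inherited ACEs, then grant only the service account
    (Modify), Administrators and SYSTEM. The folder needs the same treatment:
    SQLite creates -journal/-wal files beside the database, and a user holding
    FILE_DELETE_CHILD on the folder can delete the file whatever its own ACL says."""
    db = PureWindowsPath(db_path)
    return [
        ["icacls", str(db.parent), "/inheritance:r",
         "/grant:r", f"{service_account}:(OI)(CI)(M)",
         "/grant:r", f"{ADMINS}:(OI)(CI)(F)",
         "/grant:r", f"{SYSTEM}:(OI)(CI)(F)"],
        ["icacls", str(db), "/inheritance:r",
         "/grant:r", f"{service_account}:(M)",
         "/grant:r", f"{ADMINS}:(F)",
         "/grant:r", f"{SYSTEM}:(F)"],
    ]


def protect_database(db_path: str, service_account: str) -> None:
    for cmd in acl_commands(db_path, service_account):
        subprocess.run(cmd, check=True)


def unexpected_principals(icacls_output: str, path: str, allowed) -> list:
    """Parse `icacls <path>` output; return principals holding any access that are
    not in `allowed` (for example BUILTIN\\Users left over from inheritance)."""
    allowed = {a.upper() for a in allowed}
    found = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):               # first line: "<path> <principal>:(perms)"
            line = line[len(path):].strip()
        if ":(" not in line:
            continue                             # blank and summary lines
        principal = line.rsplit(":", 1)[0]
        if principal.upper() not in allowed and principal not in found:
            found.append(principal)
    return found


def check_database(db_path: str, service_account: str) -> list:
    out = subprocess.run(["icacls", db_path], check=True,
                         capture_output=True, text=True).stdout
    return unexpected_principals(out, db_path, [service_account, ADMINS, SYSTEM])


# constructed icacls output, as seen before hardening (inherited Users entry present)
SAMPLE_ICACLS = r"""C:\ProgramData\MyApp\app.sqlite NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
```

Two caveats go with this: keep the file outside the user's profile directory (where the user is the owner and can reset the ACL), and remember that whatever launches the app under the service account holds that account's credentials, so a user who can read the launcher's stored secret has the same access as the app.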

What user profile the system uses when runs a service in windows

All,
I have no idea how Windows services work; just curious: when we register a Windows service (such as auto-running a server after reboot), if it requires a user profile to load info (such as pulling data from somewhere else), what user profile does it load?
Thanks,
You can select which user runs each registered service, and the system comes with users assigned per service. The one most used by the system is SYSTEM.
To check this you have to:
Go to services.
Right click on the desired service and properties.
Go to the Log on tab and check.
If the Local System account is selected, the username is SYSTEM, which has special permissions on almost all folders and Windows sections, including users' profile data.
On the other hand, if you would like to do something special with a specific account, you can tell the system that the service will start with the specified account. Just make sure to update the password information every time the user changes it.
Regards,
Luis
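The Log On tab reads from the registry: each service key under HKLM\SYSTEM\CurrentControlSet\Services has an ObjectName value holding the logon account (LocalSystem for the Local System account). As an added example (not from the thread), this lists every Win32 service with the kind of account it runs as and picks out the ones bound to a named user account, which are exactly the ones whose stored password goes stale when the user changes it. Assumptions, labelled in the code: the "$"-suffix rule for managed accounts is a heuristic, and winreg exists only on Windows, so the classification is kept pure.

```python
# Added example: inventory service logon accounts from the registry and flag the
# ones that depend on a stored user password. winreg is Windows-only.
try:
    import winreg
except ImportError:          # not on Windows: list_service_logons() is unavailable
    winreg = None

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
SERVICE_WIN32 = 0x30         # SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS


def classify_logon(object_name) -> str:
    """Map a service's ObjectName value to an account class."""
    name = (object_name or "").strip()
    upper = name.upper()
    if not name or upper == "LOCALSYSTEM":
        return "LocalSystem"          # shown as SYSTEM in the Log On tab; broad access
    if upper in ("NT AUTHORITY\\LOCALSERVICE", "NT AUTHORITY\\NETWORKSERVICE"):
        return "built-in"             # no password to maintain
    if upper.startswith("NT SERVICE\\"):
        return "virtual"              # per-service virtual account, no password
    if name.endswith("$"):
        return "managed"              # gMSA/computer account (assumed from the "$" suffix)
    return "user"                     # named account: stored password must track changes


def list_service_logons() -> list:
    """[(service, ObjectName, class)] for Win32 services; drivers are skipped."""
    if winreg is None:
        raise OSError("Windows registry not available on this platform")
    result = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            svc = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, svc) as key:
                    if not winreg.QueryValueEx(key, "Type")[0] & SERVICE_WIN32:
                        continue
                    object_name = winreg.QueryValueEx(key, "ObjectName")[0]
            except OSError:           # value missing or access denied
                continue
            result.append((svc, object_name, classify_logon(object_name)))
    return result


def password_dependent(entries) -> list:
    """The services the answer's last sentence is about."""
    return [entry for entry in entries if entry[2] == "user"]


if __name__ == "__main__":
    for svc, account, kind in password_dependent(list_service_logons()):
        print(f"{svc}: runs as {account} ({kind}); update its stored password on change")
```

Where a service must not run as SYSTEM but also should not carry a stored password, the virtual (NT SERVICE\name) and managed service account classes above are the alternatives to a named user account.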

Create own URL Protocol with QT4

I have already found out how to create my own protocol for Windows (LINK).
Now I have tried to create such an entry with my Qt application, but I have some problems:
I'm not able to write to HKEY_CLASSES_ROOT. I think I need administrator privileges, but how do I achieve that? I don't want my app to always run in admin mode.
I don't know how to write the "(Standard)" entries. If I create these entries manually and export them as a .reg file, the "(Standard)" entries look like
[HKEY_CLASSES_ROOT\myprotocol]
#="URL:SomeDescription"
Is there any possibility to create these entries with Qt's QSettings?
For the QSettings, try this.
For the admin rights: no, admin rights are needed to create the registry entries.
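The entries themselves, as an added example (not from the thread and not Qt code): the "(Standard)" entry, "(Default)" on an English Windows, is the value with the empty name, which a .reg export shows as "@=". The example writes under HKEY_CURRENT_USER\Software\Classes, which Windows merges into the HKEY_CLASSES_ROOT view for that user and which does not need elevation; the machine-wide location, HKEY_LOCAL_MACHINE\Software\Classes, is the one that does. Scheme, description and executable path are placeholders, and winreg exists only on Windows, so the entry list is built by a pure function.

```python
# Added example: registry entries for a custom URL scheme, per-user (no elevation)
# or machine-wide. Placeholders: scheme name, description, executable path.
try:
    import winreg
except ImportError:          # not on Windows: register_protocol() is unavailable
    winreg = None


def protocol_entries(scheme: str, exe_path: str, description: str) -> list:
    """(subkey, value_name, data) triples; "" as the name is the (Default) value.
    The handler gets the whole URL as an argument: quote %1 and the executable so
    a URL containing spaces or quotes cannot split into extra arguments, and
    treat the URL as untrusted input inside the application."""
    if not scheme.isalnum() or not scheme.islower():
        raise ValueError("scheme must be lower-case alphanumeric")
    base = rf"Software\Classes\{scheme}"
    return [
        (base, "", f"URL:{description}"),                       # "@=" in a .reg file
        (base, "URL Protocol", ""),                             # marks the key as a scheme
        (rf"{base}\DefaultIcon", "", f'"{exe_path}",0'),
        (rf"{base}\shell\open\command", "", f'"{exe_path}" "%1"'),
    ]


def register_protocol(scheme: str, exe_path: str, description: str,
                      machine_wide: bool = False) -> None:
    """Per-user by default; machine_wide=True targets HKLM and needs elevation."""
    if winreg is None:
        raise OSError("Windows registry not available on this platform")
    hive = winreg.HKEY_LOCAL_MACHINE if machine_wide else winreg.HKEY_CURRENT_USER
    for subkey, name, data in protocol_entries(scheme, exe_path, description):
        with winreg.CreateKey(hive, subkey) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_SZ, data)


def unregister_protocol(scheme: str, machine_wide: bool = False) -> None:
    """Delete the keys deepest-first; DeleteKey refuses keys with subkeys."""
    if winreg is None:
        raise OSError("Windows registry not available on this platform")
    hive = winreg.HKEY_LOCAL_MACHINE if machine_wide else winreg.HKEY_CURRENT_USER
    base = rf"Software\Classes\{scheme}"
    for subkey in (rf"{base}\shell\open\command", rf"{base}\shell\open",
                   rf"{base}\shell", rf"{base}\DefaultIcon", base):
        try:
            winreg.DeleteKey(hive, subkey)
        except FileNotFoundError:
            pass
```

The same values map onto QSettings in native format: open QSettings on "HKEY_CURRENT_USER\\Software\\Classes\\myprotocol" and write the default value through the key name "Default" (or "."), which is how QSettings addresses a Windows key's (Default) entry.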
