Anduin Xue

Manually Enable Windows RE in an independent partition

This blog post provides a comprehensive guide on how to manually enable Windows RE (Recovery Environment) in an independent partition. It starts by highlighting the importance of having Windows RE enabled, which includes fixing boot-related issues, providing access to the command prompt for troubleshooting, facilitating a clean install of Windows, and reducing the risk of data loss or corruption. The blog then outlines the steps to automatically and manually enable Windows RE, including dealing with potential error messages related to BitLocker Drive Encryption. It also provides a guide on debugging RE and a checklist of other security measures to ensure the reliability of Windows. These include enabling virtualization technology, secure boot, TPM chip, BitLocker, firewall, and UAC. The blog also discusses the optional use of the Unified Write Filter. Will you be able to enable Windows RE manually after reading this? What other measures do you take to ensure the security and reliabilit...--GPT 4

Windows 10 PowerShell Security Windows 11 Bcdedit Windows RE Recovery reagentc Diskpart

Automatically Unlocking LUKS2 Encrypted System Partition Using Clevis and TPM2

This blog post delves into the process of automatically unlocking a LUKS2 encrypted system partition using Clevis and TPM2. To start with, you need to ensure that Secure Boot and TPM are enabled in your BIOS settings. For Secure Boot, you may need to configure your system to trust third-party certificates, which could involve generating a new key pair and certificate for your system, signing your boot loader and kernel with the new key, and enrolling the key in your system's Secure Boot database. The blog proceeds to guide you through the installation of the necessary packages for Clevis, using the command `sudo dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd`. Once installed, the TPM2 key has to be bound to Clevis, which creates a key on the TPM2 chip and binds it to the LUKS2 encrypted system partition. You will be prompted to enter your passkey. The final step involves updating the system files to use Clevis to automatically unlock the system partition...--GPT 4

bash Linux Security LUKS2 Clevis TPM2 TPM

Best practice after installing Windows Server | Why you should NEVER use the 'Administrator' user

This blog post introduces some best practices to follow after installing Windows Server, with particular emphasis on why the default "Administrator" user should not be used. First, name the server and join it to an Active Directory domain (if one exists). Next, create a new user, add it to the Administrators group, and then log in with that new user. To improve security, disable the default "Administrator" user and change the default RDP port to prevent brute-force attacks. After completing the above settings, you can install additional software as needed. The blog recommends a series of practical tools, such as IIS Crypto, CPUZ, WinDirStat, NSSM, FRP, 7zip, FastCopy, Win-ACME, Visual Studio Code, AdoptOpenJDK, the .NET Windows Server hosting bundle, Git/Git-Bash, Aria2, Winget and Windows Terminal. These tools can help you manage your server better and improve both efficiency and security. After reading the full post, will you have a deeper understanding of Windows Server security and management? Will these best practices have a positive impact on how you manage your servers? How do you choose the right tools for your own needs? Read the full text for more details and step-by-step guidance.--GPT 4

Security Windows Server Cloud Configuration

Use Azure Key Vault to store connection strings for App Service.

This blog post discusses the use of Azure Key Vault to store connection strings for App Service, providing a secure way to manage sensitive information without compromising access control. Azure Key Vault is a tool designed to safeguard cryptographic keys and other secrets used by cloud apps and services. The article guides you through the process of creating a new Azure Key Vault, adding yourself as an administrator, and storing the production connection string. Once the secret is created, the reference URL is copied and wrapped using the @Microsoft.KeyVault() function. This wrapped URL is then pasted into the app service, replacing the real password. After saving the new value and restarting the app service, an identity is added to allow the app service to access the key vault. By using Azure Key Vault, you can manage your app service without touching confidential values and invite others to help manage it without revealing sensitive information, such as database passwords. This se...--GPT 4

Azure App Service Azure Security Key vault


In this blog post, the author explores whether hashing passwords on the front end is a good solution. The article first points out that passwords are hashed before being stored in the database to prevent operations staff from reading them directly; but if the hashing is done on the front end, then from the server's point of view it is merely performing a plaintext comparison, so operations staff can still call the login API directly to obtain the account's privileges. The article then recounts that Tencent's QQ, more than a decade ago, used a two-pass hashing scheme to address plaintext password transmission and the operations-staff login problem. However, this approach does not actually help against man-in-the-middle attacks, because any packet that can be captured is a packet that can be forged. The author looks back at the era when network security was poor, when techniques such as ARP spoofing and man-in-the-middle attacks were easy to carry out. However, once the RSA algorithm became widespread, man-in-the-middle attacks became almost impossible to pull off. Today, developing a web application only requires TLS, and sending the raw password directly to the server is already quite secure. Nevertheless, we still cannot fully trust HTTPS, because beyond eavesdropping at the communication layer there are many other attack techniques, for example browser extensions that can read web page forms directly, and fake web pages that trick users into entering their passwords. The article concludes that truly solving these problems requires far more than security measures and algorithms; it also requires raising ordinary users' vigilance and judgment, and their basic knowledge of security. Against this background, we cannot help but ask: is front-end password hashing really a good solution? How can we ensure network security while protecting user privacy? These questions deserve deeper exploration.--GPT 4

Security Password Hash