Security | Tom's Notes

Fixing permissions for EC2 private key file

By Tomica Kaniski in Other 10/06/2022 0 Comment

This time, I was playing around with AWS and created some EC2 instances.

When you are creating and working with your instances, you will need to take care of the authentication – you would usually import or create new key pair and use private key on your machine to connect via SSH to the EC2 instance in AWS. The whole process of creating a key pair and downloading the private key is pretty simple – on the page below, you select name, type and format of your key pair and, when created, private key begins automatic download to your PC:

Now you can create your instance and select the created key pair for authentication:

If you have your private key ready and the instance is up and accessible to you, you can use (for example) SSH to connect to it:

So… we have a challenge! Looks like our private key is not secured enough and others may have access to it!

If we look at the permissions, we can see that all of them are actually inherited… so, we’ll need to remove the inheritance/inherited permissions and give them only to the account that needs it:

And after some “tweaking”:

If we retry the connection, this happens:

Excellent!

And if you’re not a fan of clicking through the permissions dialog, here are scripts that can help you with this – they basically remove the inheritance and add full access permissions to the owner of the file (needs path to your private key file as a parameter!):

the “PowerShell” flavour:

# script fixes permissions for a private key (PEM) file used to connect to EC2 instance
param (
    [Parameter(Mandatory)]
    [String] $file
)

$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $false) # disable inheritance, don't preserve existing rules
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($acl.Owner, "FullControl", "None", "None", "Allow") # allow only Full access for the file owner
$acl.SetAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# script fixes permissions for a private key (PEM) file used to connect to EC2 instance

param (

[Parameter(Mandatory)]

[String] $file

)

$acl = Get-Acl -Path $file

$acl.SetAccessRuleProtection($true, $false) # disable inheritance, don't preserve existing rules

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($acl.Owner, "FullControl", "None", "None", "Allow") # allow only Full access for the file owner

$acl.SetAccessRule($rule)

Set-Acl -Path $file -AclObject $acl

the “CMD” flavour:

@ECHO OFF
REM Script fixes permissions for a private key (PEM) file used to connect to EC2 instance
icacls.exe %1 /grant:r *S-1-3-0:(F) /inheritance:r

@ECHO OFF

REM Script fixes permissions for a private key (PEM) file used to connect to EC2 instance

icacls.exe %1 /grant:r *S-1-3-0:(F) /inheritance:r

Hope it helps!

Cheers!

P.S. Scripts are also available at my GitHub (https://github.com/TomicaKaniski/toms-notes-code/).

P.P.S. There’s also a script that restores inheritance and inherited permissions… in case you… mess something up. ?

Microsoft AZ-500 down, more to go

By Tomica Kaniski in Other 01/08/2019 0 Comment

Another month, another Azure cert! 🙂

So, for the last couple of weeks, I was reading about, learning and playing around with Azure security technologies, mainly as a preparation for AZ-500 (Microsoft Azure Security Technologies) exam.

And then… today I took the exam and… PASSED!

I must say, with a few certificates under my sleeve, this exam was not the easiest I took. I was feeling prepared and still – passing it demanded concentration on the details and a bit of thinking! Nonetheless, it’s over now – one down, more to go!

Note that… by passing this exam, I’m not automatically an Azure security guru (!) – it just means that I know a thing or two about what Azure offers in terms of security and how it works. 🙂

What did I use to prepare?

There is a great book about Azure governance called Pro Azure Governance and Security, written by my MVP colleagues Peter De Tender, David Rendon and Samuel Erskine. It’s purpose is not to be an exam prep guide, but to tackle into the world of governance and security features available within Microsoft Azure (which are part of the exam, who would know).

There is also a great post, containing a bunch of helpful AZ-500 material from Stanislas Quastana, located here, and Thomas provided some useful links in his post here and even did a webinar on Azure Security Center (hosted by Altaro) the other day – you can find the recording here.

Of course, there is also the official exam page with skills measured and docs.com.

And… don’t forget to try things out yourself! There is also a free Azure subscription, you know?! 🙂

If you’ll be taking this exam – good luck, hope this resources help you!

Cheers!

Windows Firewall blocking pings

By Tomica Kaniski in Other 01/11/2014 0 Comment

A short one this time… Smile

Have you ever had an issue with Windows Firewall blocking your pings on a network using Public profile, although the “File and Printer Sharing” exception is enabled for this profile?
(oh, yes, and don’t you dare to say that Windows Firewall should be disabled by default! Smile )

So, this is what I’m talking about:

As you see in the previous picture, the exception is enabled for both profiles (this PC is not domain-joined, but it would be the same with domain-joined PC on a network which is using the Public profile). When I try to ping it, I’m getting the standard “Request timed out.” message. Why is that? Is this a feature or bug?

Well, I’ve deliberately left-out two things:

if I try to ping my machine from the same subnet, the ping is passing through
if I try to ping my machine from the different subnet (routing is all set and working OK, in case you’re wondering), the ping is not passing through

The security feature that enables this kind of behavior is set in Windows Firewall by default – by default, Windows Firewall allows ping (and other traffic) only from the Local subnet, for all networks that use the Public profile. Of course, you may want to change this in certain scenarios (and you can… easily).

This is yet another thing that should be kept in mind during troubleshooting, right? (hope it helps) Smile

Have a great weekend!

Microsoft Security Essentials

By Tomica Kaniski in Other 29/09/2009 0 Comment

Novi BESPLATNI Microsoftov antivirus je konačno dostigao RTW (release to Web)!

Dorađeni nasljednik Windows Live OneCare sigurnosnog rješenja koji je već nekoliko mjeseci u beti, možete preuzeti na službenim stranicama.

S obzirom da ga koristim na svim svojim računalima otkako sam čuo za njega (odnosno, uključio se u testiranje), preporučio bih ga svima koji trebaju zaštitu od virusa/spywarea.

Kako do sada imam samo dobra iskustva sa ovim programom (a i njegovim prethodnikom), mislim da se isplati isprobati i vidjeti da li zadovoljava i vaše želje i potrebe…

Slobodno pogledajte i First look na Ars Technica stranicama.