hyp5r.io The personal blog of William Quinn

Disabling Yammer, StaffHub, and Delve from Your Office 365 Tenant

Earlier today, I had a request to look into Microsoft’s Delve to see what it could do for my place of work… well, kind of. Delve seems like a nice product to see what everyone may be working on, but unfortunately, it’s a little misleading and it looks like files can be accessed by anyone on there. While the above statement isn’t actually true, certain aspects when browsing Delve really make you think that some of these documents shouldn’t be listed “publicly,” even though odds are that you were emailed the document and Delve just happened to place it there since it found it.

Admittedly, seeing this at the bottom of Delve doesn’t help matters too much, but it does lead to knowing how Delve actually works.

Now, this doesn’t mean that Delve is bad. It’s actually a pretty useful tool to see what documents are actively being worked on, and it’s a great tool to see items such as organizational charts, contact info, and more. However, there’s many other tools that do just that without the perceived risk of losing control of your data. Note that I said perceived risk – your data is not at risk, as Delve does not change file permissions nor actually store files, it just finds them in various areas like OneDrive, Outlook, Skype, Teams, etc.

This got me to looking around and see what else we don’t use, so I’ve looked and noticed we don’t use Yammer or StaffHub as well, so let’s disable these apps.

Disabling Delve

Disabling Delve isn’t really disabling Delve, but this disables Office Graph. Disabling Office Graph prevents Delve from showing any working files, but keeps access to other features such as the profile page with contact info, org. chart, etc.

You’ll need to log into your Office 365 Admin Center, then navigate to the SharePoint Admin Center. From there, click on Settings and look for the Office Graph setting. Set that to Don’t allow access to the Office Graph and you’re good to go.

Disabling StaffHub

Disabling StaffHub is probably the easiest of all of these as it’s just a toggle. To disable, head to https://staffhub.office.com/admin and login with an account that has administrative capabilities. From there, switch that toggle on Enable Microsoft StaffHub to Off, and you’re golden.

If you want to revoke the license from the accounts as well, you can run the following PowerShell code to quickly remove it from all users in your organization:

Connect-MsolService
$LO = New-MsolLicenseOptions -AccountSkuId <AccountSkuId> -DisabledPlans "<UndesirableService>"
$acctSKU="<AccountSkuId>"
$AllLicensed = Get-MsolUser -All | Where {$_.isLicensed -eq $true -and $_.licenses[0].AccountSku.SkuPartNumber -eq ($acctSKU).Substring($acctSKU.IndexOf(":")+1, $acctSKU.Length-$acctSKU.IndexOf(":")-1)}
$AllLicensed | ForEach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -LicenseOptions $LO}
  • <AccountSkuId> will be the license assigned to the users. For example, one of my AccountSkuIds is org:STANDARDWOFFPACK_IW_FACULTY.
  • <UndesirableService> is the service that you want disabled. For StaffHub, this would be Deskless.

Disabling Yammer

Alright, get ready to be annoyed. There is no easy toggle for Yammer unless you’re a small organization. To disable it, you need to revoke the Yammer license from every licensed user in your tenant. If you’re like me, you’re going to want to PowerShell this. You’ll want to use the same code as above for disabling StaffHub, but with one notable change.

Connect-MsolService
$LO = New-MsolLicenseOptions -AccountSkuId <AccountSkuId> -DisabledPlans "<UndesirableService>"
$acctSKU="<AccountSkuId>"
$AllLicensed = Get-MsolUser -All | Where {$_.isLicensed -eq $true -and $_.licenses[0].AccountSku.SkuPartNumber -eq ($acctSKU).Substring($acctSKU.IndexOf(":")+1, $acctSKU.Length-$acctSKU.IndexOf(":")-1)}
$AllLicensed | ForEach {Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -LicenseOptions $LO}
  • <AccountSkuId> will be the license assigned to the users. For example, one of my AccountSkuIds is org:STANDARDWOFFPACK_IW_FACULTY.
  • <UndesirableService> is the service that you want disabled. For Yammer, this can be YAMMER_EDU or YAMMER_ENTERPRISE, depending on your licenses.

Thoughts?

Here’s hoping this helps some Office 365 administrators on disabling services that they may not be using and do not want to use in the organization.

Locking Down a Linux Server - The Entryways

So my main goal for this week was to lock down my Linux servers at home. For the moment, I run two: A Raspberry Pi 3 running Raspbian, and my Synology DS418play which runs DSM. I’ll try to go over security basics that can apply to a wide range of Linux servers, but the bulk of my experience is with Debian-based distros, so if you’re not running Ubuntu, Debian, Linux Mint, or any other Debian derivative, your mileage may vary. These can also apply to other operating systems like Windows and Mac, it just depends on what you do with them.

Depending on what all you run on your servers, you may have various entryways to get in, including a web-based authentication (common on NAS appliances), GUI (whether it be GNOME, KDE, Cinnamon, etc.), SSH, Telnet (please don’t use Telnet), and other items you may not be thinking. It’s wise to think of all the possible ways to access data and secure them.

Telnet

So I’ll start with Telnet, and this one’s simple: Do not use Telnet. Seriously, if you still rely on Telnet in 2019, something’s wrong. You should never use Telnet if at all possible. By default everything under it is plaintext, including authentication. Disable it when possible.

SSH

SSH is the preferred CLI method, so here’s a couple of pointers for securing your SSH environment.

  • Disable password-based authentication and switch to a key-based authentication. Is it annoying as hell sometimes? Yes. Does it really increase your security? Yes. If you’re securing systems that include a lot of data, this should be a standard.
    • To accomplish this, edit the /etc/ssh/sshd_config file on your installation and set PasswordAuthentication no. You’ll also need to add your public key to ~/.ssh/authorized_keys, otherwise you’ll lock yourself out of SSH! Once all of that is set, a restart of your machine or a restart of the ssh daemon is needed (systemctl restart sshd).
  • Disable the root account and do not use it. It’s another one of those annoying things, but it’s much safer to add your account as a sudoer and sudo your commands. This also prevents you from being an idiot and accidentally running rm -rf / on your machine. At least then you’ll have to actually type in sudo rm -rf / for that to work. Also, don’t do that.
    • A quick-and-easy command to disable the root account would be passwd -l root. This will prevent the root account from being able to log in.
  • Change the default port of SSH. Yes, this is more of security-through-obscurity than anything else, but you’d be surprised how many common port scanners will check that port 22 to see if anything happens to run on it. Why not run your SSH on port 23, or port 21, or any other port? You do have 65535 options to choose from, might as well choose your favorite number… unless it’s 22.
    • To change this, you’ll be back in the /etc/ssh/sshd_config file on your system. Find the line that states # Port 22, remove the #, and change the number to what you’d like it to be. Restart your ssh daemon and you’ll be good to go.

GUI

So GUI methods sound a little weird, but this includes any way you see a system with more than just text. This can include accessing it through your favorite X server, through a web interface, and other means. Here’s some things to take a look at to help secure this side of your systems.

  • Enable two-factor authentication. This is by far the most common thing you can do to help secure these areas. Whether you use an app on your phone that supports TOTP codes, a hardware token like a Yubikey, or you print out a giant list of one-time-use codes (don’t do that), these methods add the extra step of “what you have” to your “what you know”.
    • Need some recommended apps to hold those TOTP keys? I personally use Authy as it syncs with my phone number. Want something that doesn’t sync and always stays local? Take your pick of Google Authenticator, Microsoft Authenticator, or go the open source route with FreeOTP.
  • Change the default port of your administration console. It’s another one of those security-through-obscurity things, but if you run a web interface admin console, it’d be a good idea to change the port from the default setting, as the default settings are likely a quick search away from being found.
    • A good example of this is setting up my Synology server, default ports for admin are 5000 and 5001 (HTTP and HTTPS, respectively). Did I change those? You’re damn right I did.

Other Quick Things to Note

So these are just a few things to think about when securing the so-called entryways to your systems, but here’s a couple of other general items to keep in mind.

  • Never expose your SSH port to the Internet. Seriously. If you want to see what it’s like to be port-scanned and potentially DDoS’d, then by all means, but this is a practice that is never recommended.
  • Never expose your admin console to the Internet. This is deja vu, really. Insert what I said above here.

Conclusion

So this is just a first port in securing your Linux systems. Later on I may decide to publish more advanced things to think about when securing these systems, as there are many things to think of when making sure your data stays where you want it.

Linux Gaming - Viscera Cleanup Detail

Thanks to Steam’s Proton and lucifertdark on the VCD Steam Community, there seems to be a pretty solid way to run Viscera Cleanup Detail on Linux!

Prerequisites

  • A Steam copy of Viscera Cleanup Detail
  • Protontricks (https://github.com/Sirmentio/protontricks)
  • Visual C++ Redistributable for Visual Studio 2012 Update 4 (https://download.microsoft.com/download/1/6/B/16B06F60-3B20-4FF2-B699-5E9B7962F9AE/VSU_4/vcredist_x64.exe)

Downloading the Game

On your machine, make sure you have enabled Steam Play for all titles. You can find this setting by going to Steam > Settings > Steam Play.

Once that option is enabled, download Viscera Cleanup Detail as you would any other game. Once it’s completed downloading, head to the next section.

Removing the Redistributables

Navigate to the install directory for the game. Now, delete the following files and folders from the directory:

  • The entire _CommonRedist folder.
  • The dotNetFx40_Full_setup.exe file located in Binaries/Redist.

Once those are removed, run the game once in 32-bit mode (the first option Steam asks). You’ll see a few items launch, go through those items and install if necessary. The game may crash or you can close out of all of the programs whenever necessary, but once the game is no longer running, head to the next step.

Protontricks

Open a terminal and type in the following command:

protontricks 246900 dotnet452

Follow all prompts that show on screen to install .NET Framework for the game. If anything asks to restart your computer, always click on Restart Later!

Once all of .NET Framework has been installed, run the following command:

protontricks 24690

Select the Select the default wineprefix option, then click OK. On the second screen, select the Run taskmgr option and click OK.

When Task Manager opens, you’ll want to go to File > New Task (Run…) and navigate to the Visual C++ Redistributable you downloaded in your prerequisites.

Let Task Manager sit for about 30 seconds, then close out of both Task Manager and Protontricks (Winetricks).

Time to Launch

At this point, all of the setup should be complete, so head back to Steam and launch Viscera Cleanup Detail. This time (and every other time), you’ll want to select the 64-bit option as it tends to be more stable.

In my experience, this launched the game in windowed mode at 720p resolution, so some in-game tweaks and I was running full-screen 1080p easily.

Issues

The only issue I’ve come across in this game so far is that my mouse sensitivity was exceptionally high. Luckily, there’s an in-game option to lower that, so not a big issue.

Conclusion

Getting this game to run isn’t that hard, it just takes a bit of time. If it wasn’t for the effort of Steam user lucifertdark, this may not have happened, so all credit should go to this person!

How do I install Halo Online? (ElDewrito)

This install guide is current as of ElDewrito 0.6.0.0. Keep in mind that all of this can be found by going to the official source located on /r/HaloOnline. This was written to explain the install process a little easier as well as address any extras that may make your gameplay experience the way you’d like.

Obtain a copy of ms23

As ElDewrito is a modification of Halo Online, the Halo Online files are required in order to play. Download the ms23 archive from one of the three places:

These links have been removed due to the DMCA takedown requests being issued from Microsoft. It’s best to search for ms23 downloads on your own. The files you’re looking for are called Halo Online 1.106708 cert_ms23 with the verified MD5 hash of 5ae9e3d0a4952686cedb7d7261ad6c11.

Once downloaded, extract the file using 7-Zip or your favorite archival tool that supports the .7z format.

Download ElDewrito Updater

You can download the official ElDewrito updater by clicking here. Once downloaded, extract the contents into the ms23 directory. You know you’re in the right directory if you see the eldorado.exe file.

Run ElDewrito Updater

Run the updater.exe file and press Update to download the ElDewrito files. Once this is done, you can run Halo Online by running the eldorado.exe file. Have fun!

Extras

How can I make Halo Online look like Halo 3?

Halo Online is practically the Halo 3 engine ported to PC, though those who are used to playing Halo 3 may have to adjust to how Halo Online’s default settings are. There are a lot of different things between Halo 3 and Halo Online, such as:

  • Halo 4 weapon skins such as the Battle Rifle, Assault Rifle, etc.
  • The weapons seem to stick out too far from your body (in comparison to Halo 3).
  • HUD differences

None of these are game-breaking, but for nostalgia sake, here’s how you can make the game feel a lot more like Halo 3.

Foundation Mod Manager (FMM)

Unfortunately, this section is now invalid as the Foundation Mod Manager no longer includes these selections. This section has been kept for historical purposes.

You first need to download the Foundation Mod Manager by clicking here and clicking on FMM.exe. Once downloaded, place FMM.exe in the same directory as eldorado.exe, then run FMM.exe.

Once Foundation Mod Manager is running, head to the Downloadable Mods tab and check the following mods:

  • Halo 3 Sniper Rifle
  • Halo 3 Battle Rifle
  • Halo 3 Assault Rifle
  • Halo 3 Beam Rifle
  • Halo 3 Fuel Rod
  • Halo 3 Rocket Launcher
  • Halo 3 Magnum
  • Halo 3 Shotgun
  • Halo 3 SMG
  • Halo 3 Spartan Laser

Once those mods are checked, click on the Download Checked Mods button in the bottom-right. You’ll get a log that shows what’s going on, and once everything is downloaded you’ll get a notification. Close the log by clicking the button in the bottom-right corner and go to the My Mods tab.

In this tab, check every mod again and then click on the Apply Checked Mods button in the bottom-right. Let FMM complete the tasks as it may take a little bit and you will see random command-line windows pop up and disappear. Once it’s done, you’ll get a notification. Close the log and you’re done with FMM!

Halo Online Settings

If you’d like to go the extra step and have the weapon views like Halo 3, you’ll need to run Halo Online and head to the Settings area by pressing [HOME].

These are the options I select in order to have a more Halo 3-esque feel.

  • VIEWMODEL CONFIG: H390FOV
    • For this setting, if you’re playing with an FOV higher than 90, you’ll want to change this to HALO3VIEWMODELS or edit a view model to your liking.
  • HUD SHAKE: ENABLED
  • PLAYER MARKER COLORS: ALLY BLUE

That’s it! Your Halo Online experience should bring you back to the Halo 3 days. Make sure you have a good amount of Game Fuel.