Akzium_Blog - Akzium

CISA SCuBA Goggles and SCuBA Gear

4/24/2026

In 2023 the Cybersecurity and Infrastructure Security Agency (CISA[.]gov) introduced their Secure Cloud Business Applications (SCuBA) project with two sub-projects: SCuBA Gear for M365 and SCuBA Goggles for Google Workspace.

These secure configuration baselines (SCBs) for Microsoft 365 (M365) and Google Workspace (GWS) provide easily adoptable recommendations that complement an organization’s unique requirements and risk tolerance levels. The baselines include automation features to help federal agencies, businesses and organizations rapidly assess their M365 and GWS services.

ScubaGear is a no-cost assessment tool that verifies M365 tenant configuration alignment to the policies described in SCuBA’s secure configuration baselines. CISA has made this tool and the baselines available to all agencies and private sector organizations seeking security improvements. Visit CISA’s GitHub and PowerShell Gallery to view the M365 baselines and download the ScubaGear assessment tool.

ScubaGoggles is a no-cost assessment tool that verifies a GWS organization’s configuration conforms to the policies in SCuBA’s secure configuration baselines. ScubaGoggles provides a breakdown of security vulnerabilities in GWS, allowing organizations to see where changes should be made to their configuration. CISA has made this tool and the baselines available to all agencies and private sector organizations seeking security improvements. Visit CISA’s GitHub or Python Package Index page to view the GWS baselines and download the ScubaGoggles assessment tool.

Source: CISA[.]gov: https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project

Deploying IBM Virtual HMC (vHMC) 11 on Proxmox

4/11/2026

IBM Virtual Hardware Management Console 11 (vHMC-11) Dashboard Example

IBM only provides instructions for deploying the Virtual Hardware Management Console on KVM running on Red Hat or Ubuntu, neither of which will probably be running in most datacenters that have an IBM Power system.

So, we undertook the task of figuring out how to deploy the new vHMC version 11 on Proxmox and the IBM instructions for KVM deployment are of no help for this endeavor. After downloading the ~6.8GB IBM vHMC tar.gz file, you'll need to unzip to a folder, resulting in a nearly 13GB .tar file. Don't try to expand this file unless you have about 510GB (yes, gigabytes) of extra disk space on your PC. If you DO have that extra space, the .tar file expands into a 500GB disk1.img file and four other files (see image below)

Files in the IBM vHMC 11 for KVM tar archive

If you have the extra disk space on the PC to expand the .tar file you can then use WinSCP to secure copy the file over to the Proxmox server, again taking care to make sure you have enough disk space (510GB EXTRA Gigabytes) to /tmp or /var/tmp.

In our case, we needed a "bridge" to park the expanded tar archive so we elected to use a NAS storage device that supported both SMB/CIFS as well as NFS 4.x.

Then, on the Proxmox server we mounted the shared folder as an NFS mount on the Proxmox server (see image below) which created three subfolders: images, import, and template . After mounting the shared folder on the NAS to the PC and using an archive extraction tool we unzipped the files to the shared folder's subfolder named IMPORT.

Proxmox - mount NFS storage

Next, you need to create a virtual machine definition on the Proxmox server, but on the tab for Disk you remove the default disk, creating a VM definition with CPU, RAM and networking but no pre-provisioned disk space. Now that the VM is created, notate the VM ID number, in our example here the ID is 101.

Now, we will use the QM IMPORTDISK command to convert the disk1.img file into a Proxmox QEMU disk image file.

Select the Proxmox server node you want to use for the import, click on >SHELL to get a command line, and navigate to the mounted NFS share:

cd /mnt/pve/vz/INSERT_NFS_NAME_HERE/import

If you do a ls -la command you will see the files extracted from the .tar file

List of files from vHMC .tar archive

The syntax for the import command is as follows:

qm importdisk VMID /LOCATION_OF_img_FILE/disk1.img TargetStorageName

In our example the command is as follows, which places the converted .img file onto our internal ZFS storage array:

qm importdisk 101 /mnt/pve/synnas01/import/disk1.img pxmxsvr1ZFS

***(remember, do NOT leave the SHELL environment until the import is COMPLETE or it will abort the command)***

qm import disk command example to import .img file

Once the disk1.img file has been imported you can go back to the Proxmox manager and select your VM and go to the Hardware tab. You will see a device name Unused Disk 0.

Click on the Unused Disk 0 and select EDIT from the top menu, which will initiate the Add Unused Disk wizard. Click on ADD and the imported disk will now be added to the new vHMC virtual machine.

Once this process is complete, you can edit any other VM hardware items as needed. The base vHMC image configures four (4) network adapters within the virtual machine. Eth0 is intended to be the management interface and Eth1 is the primary interface for the HMC port vLAN. In smaller environments your vHMC and the Power System HMC port may be configured on the same VLAN. Adjust the quantity of network adapters as needed. IBM's default recommendation is for (4) virtual CPUs and 16GB of RAM.

Once these items are modified as necessary, there is one more order of business to tend to: adjusting the BOOT ORDER of the devices so that the VM will boot when you start it.

Navigate to Options -> Boot Order, and check the box for Enabled next to the scsi0 disk, then grab the hamburger menu next to the #3 and drag the scsi0 device to the top of the boot order list. Then click OK.

Change VM virtual disk boot order

Click on START to power on your new vHMC virtual machine and then >Console to watch the boot process. Once the boot cycle completes (yes, it takes FOREVER to boot) then you can log into the management GUI (hscroot / abc123) and begin the configuration process for setting up the network(s) devices.

Your mouse will NOT work on the two initial setup questions that pop up, you will need to use the keyboard arrow keys and the TAB key.

*note: network changes will not take effect until the vHMC is rebooted.

IBM vHMC 11 login screen

IBM vHMC 11 Main Dashboard

Multiple DHCP Scopes in Windows Server DHCP

2/5/2026

If you're using a Windows server as a DHCP server, you can configure multiple DCHP scopes for different VLANs.

There are two main concepts to understand for this setup:

1) Each scope needs a route to reach the intended VLAN via the route setting in the scope;

2) Your core switch that controls your VLAN settings needs to have a "helper IP" set to know where to route DHCP requests on each VLAN. In addition to these settings, the DCHP server's assigned VLAN and static IP address must have the ability to reach each VLAN segment that it is serving via inter-VLAN routing if the DCHP server only has a single network interface.

So, don't put your DCHP server on a VLAN with other servers or devices that should not be reachable by endpoint devices that it is servicing for DCHP requests. For example, don't put your DCHP server on your servers VLAN and have it serve up DCHP requests for your Guest Wifi VLAN.

Also, just a quick note about the Filters setting. Filters are applied to the entire DHCP server instance, not on a per-scope basis. If you enable ALLOW filtering, only those MAC addresses listed in the Allow filter list will get an IP address via DCHP. All other DHCP requests will be denied. If you enable DENY filtering, any MAC address in the Deny filter list will be denied an IP address while all other devices will be assigned an IP.

Installing Uptime Kuma on Ubuntu 24.04

5/5/2025

These instructions assume the installation of Ubuntu 24.04 has already been done. The example USERID for the Ubuntu login will be UbuntuUser. The example USERID for the Uptime Kuma admin screen will be KumaAdmin. Adjust instructions accordingly.

Log in to the Ubuntu instance and launch a terminal window.
In our example, this will put us in the /home/UbuntuUser folder.
Verify your folder ID by typing pwd at the terminal command promt

sudo apt-get update -y

sudo apt-get upgrade -y

sudo apt-get install nodejs -y

sudo node -v to check the nodejs installed version

sudo apt-get install git -y

sudo git clone https://github.com/louislam/uptime-kuma.git

You can verify the git clone process by typing ls -l at the prompt which should now show an uptime-kuma folder

sudo apt-get install npm --no-install-recommends

at the /home/InsertUserIDHere prompt type: cd uptime-kuma

sudo npm run setup
*this will install uptime-kuma

sudo npm install pm2 -g

**PM2 is a production process manager for Node.js applications with a built-in load balancer. It allows you to keep applications alive forever, to reload them without downtime, and to facilitate common system admin tasks.

sudo pm2 install pm2-logrotate

*You should see output similar to the image below:

Verify your location is still /home/InsertUserIDhere

cd uptime-kuma
*type pwd to verify location is /home/InsertUserIDHere/uptime-kuma

sudo pm2 start server/server.js --name uptime-kuma

*You should see output similar to the image below:

If you do not see this output, then type:

sudo pm2 status

Now, type:

sudo pm2 startup

sudo pm2 save

cd /etc/systemd/system

sudo nano pm2-root.service

find the line labeled Environment=PATH=....

go to the end of the line

add the following: :/home/InsertUserIDHere/uptime-kuma/server
*note: be sure to include the : and do not put a space after the end of the previous entry on the line

Ctrl+O to write file edits to disk. Ctrl+X to exit nano editor

Now, we'll install the Nginx web server:

sudo apt-get install nginx -y

sudo nano /etc/nginx/conf.d/kuma.conf

Add the following lines:

server {
listen 80;
servername kuma.example.com;
location / {
proxy_pass http://localhost:3001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}

Ctrl+O to write file to disk. Ctrl+X to exit nano editor.

Now, copy the kuma.conf file to /etc/nginx/sites-available folder by typing:

sudo cp /etc/nginx/conf.d/kuma.conf /etc/nginx/sites-available/kuma
*note: leave the .conf off of the target filename

Now, create a symbolic link in the /etc/nginx/sites-enabled folder to the kuma file in the /etc/nginx/sites-available folder

sudo ln -s /etc/nginx/sites-available/kuma /etc/sites-enabled/kuma

Verify the link by:
cd /etc/nginx/sites-enabled
sudo ls -la
There should be a kuma symbolic link file in the /etc/nginx/sites-enabled folder

Remove the Nginx default website link
cd /etc/nginx/sites-enabled
sudo rm /etc/nginx/sites-enabled/default
sudo ls -la

Reboot the host:
sudo reboot

Now, you should be able to navigate within the Kuma host linux system using a browser to:
http://localhost:3001

This will bring up the initial setup Kuma administrator login screen.

**NOTE: Be careful in choosing your admin USERID here as there is not a simple process for changing this ID once it is created and written into the SQLlite database.

Remove Ghost Network Adapters in Windows

4/19/2025

Ghost adapters left behind by physical-to-virtual conversions have been an issue since the early days of virtualization. The Great VMWare Exodus has brought this issue back into the limelight as Broadcom customers begin to abandon VMware in favor of more customer-friendly Type 1 Hypervisor companies.

If you're preparing to migrate a VMware virtual machine over to, let's say a KVM-based Type-1 Hypervisor environment, there are several preparation steps that should be undertaken, the first of which will be to change the network adapter from a static IP addresss to a DHCP address, and to remove the VMware Tools. If you forget to remove VMware tools prior to conversion, the converted VM may not boot. If you forget to manipulate the network LAN adapter settings, you could end up with a "ghost" adapter, one that has entries in the Windows registry, but that does not show up in device manager. If you also forgot to change the static IP address to a DHCP address, the static IP could be "trapped" by the ghosted adapter and Windows will give you error messages saying another adapter already has that IP address.

Here's how to "reveal" those ghosted adapters so you can clean up the mess left behind by a hypervisor platform migration.

1. Launch a command prompt as administrator in the VM.
2. Run: set devmgr_show_nonpresent_devices=1 (press enter)
3. Launch Device Manager (devmgr.msc)
4. In Device Manager -> View select "Show Hidden Devices"
5. Scroll down to Network Devices and expand
6. Ghost adapters will be greyed out - right click and Uninstall
7. Select Action -> Scan for Hardware Changes to refresh device list
8. Repeat as necessary until all ghost adapters are removed

Windows OS Hub has a write-up on this process here: https://woshub.com/remove-hidden-ghost-network-adapter-windows/

Interworks has a blog post about the topic here:
https://interworks.com/blog/ijahanshahi/2014/08/21/removing-hidden-device-device-manager/

The official VMware-to-Proxmox conversion instructions are here:
https://pve.proxmox.com/wiki/Migrate_to_Proxmox_VE

Scale Computing has their own SC//Migrate toolkit to make VMware to Scale migrations easy:
https://www.scalecomputing.com/resources/sc-migrate-data-sheet

Windows Server Change Time Commandline

4/15/2025

Ever join a server to the domain and forgot to change the time zone beforehand, then the Time Zone GUI change options are greyed out? There's a way around that using either a command line option or via PowerShell.

Option1: Invoke CMD as administrator
tzutil /g (displays current time zone)
tzutil /l (displays all time zone options)
tzutil /s "Central Standard Time" (sets time zone)
tzutil /g (to verify change)

Option2: Invoke Powershell as administrator
Get-TimeZone
Get-Timezone -ListAvailable
Set-Timezone -Id "Central Standard Time"
Get-TimeZone

Add email aliases to personal Gmail accounts

4/14/2025

Creating email aliases for work emails is common, but did you know you can also create emails aliases for your (at)gmail(.)com email address using Gmail+ email aliases? Example: if your email is bobsmith(at)gmail you can create an alias email such as bobsmith+myamazonorders(at)gmail, use that alias for receiving emails and they will come to the inbox for your primary email account.

Here are the steps:
1. Log in to your personal gmail account in a browser
2. Go to the Settings gear icon at the top right
3. See all settings
4. Go to the Accounts and Import tab
5. Navigate down to Send Email As section
6. Click on Add another email address
7. The the email address box type your email addres and a + sign and whatever you want to add to it (ex: bobsmith+myamazonorders(at)gmail, but use the actual at sign. LinkedIn keeps trying to link when I attempt to use it in a post.
8. Make sure the "Treat as an alias" box is checked

Now you can use this alias email as a filter or in some cases to sign into a website that is having problems directing you do different sign-in functions using the same email address.

MailMeteor has a good write-up outlining the steps here: https://mailmeteor.com/blog/gmail-alias

Streak has a blog post about the process here: https://www.streak.com/post/gmail-plus-addressing-trick

*kudos to Streak for the cool graphic below this post.

Easy File Server Migrations

4/7/2025

The registry key that contains all of the shares and share permissions on a Windows file server is located: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
and the Security subkey. You can export this key set from your current file server, mount the shares data drive to a new server with an updated OS and import this registry key to restore all of the shares and their associated permissions. Since you've moved the data drive to the new server, all files retained their NTFS permissions. Also, this detach/re-attach process assumes you're not using DFS.

So, step by step (assuming you're doing this in a virtual environment):
1) Create new VM with virtual HDD for OS
2) Install new OS, patch, update, etc. (Do not join to domain yet)
3) Export registry key from old file server
4) Copy registry key file to new file server
4) Unjoin old file server from domain
5) Change server name and IP address of old file server and shut down
6) Detach data volume virtual disk from old file server
7) Change server name and IP address of new file server to match old server and reboot sever
8) Join new file server to domain
9) Attach data drive virtual disk to new file server and mount with same drive letter as it had on the old file server
10) Import registry key from old file server
11) Reboot new file server

Instructions for Exporting Registry Key from old server:
Navigate to:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Right click on Shares in the left-side view window
Select Export
Name file. Example: filesharesexport.reg
copy this file to the new server

Instructions for Importing Registry Key to New Server:
Open Registry Editor on the new server.
Go to File > Import
Navigate to the location where you copied the .reg file.
Double-click the .reg file to start the import process.
You may be prompted to confirm the import, click "Yes" to proceed.
The registry key will be added to the registry on the new server.

At this point your new file server has the data volume mounted from the old file server and the shares permissions have been imported. I'll make a separate post on some ways to consolidate the new VM data files with the old server data virtual disk into a single folder.

*edit: One problem we have become aware of in using this process is the shared folder OWNER permissions. If the shared folder on the source system is OWNED by a LOCAL administrator user, the NTFS and share permissions of the sub-folders WILL NOT be applied on the target system. Local user \\Server1\Administrator is NOT the same as local user \\Server2\Administrator, even though the names are the same. To "fix" the issue, we changed the OWNER of the root folders on the source system to a DOMAIN admin user with local admin rights on the source and target servers. After that change, the sub-folder permissions were applied properly on the target system after the .reg key import. This is also a problem if sub-folder permissions were granted using local users instead of domain users on the source host.

If you are migrating a physical file server to a virtual machine, or possibly migrating a VM-based file server to an new VM on a different platform, you can create a root shared folder on the target system, map a drive to the shared folder from the existing file server, and use a robocopy job to copy the data to the new server.

Example1: robocopy e:\rootshare r:\remoteshare /e /copy:datso /z /MT:128

Example 2: robocoy e:\rootshare r:\remoteshare /mir /z /MT:128 /LOG+:logfilename.log

After the copy job finishes and is validated, export the registry key that stores the share permissions data from the existing file server and then import the exported .reg file into the new file server's registry.

I recently had a customer's file server boot drive MBR record get irreparably corrupted. We mounted the boot volume to the new file server as a data disk, used the remote registry mount utility to mount the \Windows\System32\Config\SYSTEM registry file and export the shares registry key. When you use the remote mount utility you have to give it a temporary name. Thus, when you export the key the registry file header data has the temporary name in the (2) header paths instead of the correct header path names. We had to correct those using notepad to edit the .reg file two header data paths as follows before attempting to import the shares key into the new file server.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security]

Don't forget to change the notepad save settings to *.* to preserve the .reg file extension.

Link to all Robocopy Commands: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy

Windows 11 24H2 Bypass Microsoft Account Requirement

4/1/2025

Microsoft is removing the OOBE\BYPASSNRO.cmd command from the Windows 11 installer in yet another attempt at forcing every Windows 11 PC to have a Microsoft online account. The good news is that NeoWin is reporting that there's another workaround available.

1. Start Windows 11 Setup
Begin the Windows 11 Setup Process.
Select your region and keyboard layout.

2. Stop at the Secondary Keyboard Layout Screen
When you reach the Secondary Keyboard Layout screen, DO NOT click Skip.

3. Open the Developer Console
Press Ctrl + Shift + J to open the Developer Console.
Your screen will go dark and will appear with a prompt (indicated by a > symbol) at the top left of the screen.

4. Enter the Restart Command
Type the following command exactly as shown:
WinJS.Application.restart("ms-cxh://LOCALONLY")
Note: This command is case-sensitive. You can use Tab-completion to help:
After typing WinJS.A, press Tab to auto-complete Application.
After typing res, press Tab to auto-complete restart.

5. Exit the Developer Console
After entering the command, press Enter to execute it.
Press Escape to exit the Developer Console and return to the OOBE interface.
Note: If the Escape key doesn't close the Console, click anywhere on the screen to ensure the console is focused and then press the key again.

6. Local Account Setup
The Secondary Keyboard Layout screen will refresh, and a Windows 10-style local account setup screen will appear.
Enter your desired username, password, and security questions and click Next.

7. Complete the Setup
The Setup will go black and will then log you in to your newly created account. Allow Windows 11 a few moments to configure the user.
Continue with the remaining privacy setting prompts.
Once finished, you will have successfully created a local account in Windows 11.

Here's a link to the write-up on NeoWin: https://www.neowin.net/news/forget-bypassnro-a-new-internetaccount-bypass-during-windows-11-installs-already-exists/

Here's a fiery Reddit thread discussing the disappearance of the BypassNRO command from the Windows 11 installer ISO: https://www.reddit.com/r/pcmasterrace/comments/1jmgia4/microsoft_is_removing_the_bypassnro_command_which/

Use AWS EC2 VM and IIS to Share Files

3/27/2025

If you need to share large files over an internet connection, one easy way to do that is to spin up an Amazon AWS EC2 virtual server running Windows and the IIS Role and use the virtual directory feature in Microsoft IIS. The real key to ensuring that the files in the shared folder linked to the virtual directory default to "file -> download" when clicked on is to edit the MIME Types function. For each type of file in the virtual directory shared folder (e.g.: .ISO, .EXE, .MSI, .DOC, .PDF, .ZIP, .TGZ, etc.) change the MIME Type flag to file/download. Once you do this, when the user clicks on the file in the browser it will open the file download window. If you don't edit the MIME Type for each file extension that will be in your shared folder, when you click on the file you will get a 404 Error.

One note here is that if using Chrome or Edge and you do NOT install an SSL certificate on the IIS server, it will flag the download as unsecure. If the "Keep" option isn't working properly, you can click on the download icon in the browser toolbar to close the download window and then click it again to re-open the download option window, click on the > to expand the download item prompt, which should give you the option to "Download Insecure File".

One way to restrict access to this publicly-facing IIS file hosting server is to use the AWS EC2 Security Groups - Inbound Rules to only allow HTTP access to the EC2 VM from specific public IP addresses. Once in place, only those public IPs on the Inbound - Allow rules list will have HTTP (port 80) access to the EC2 VM. **NOTE: Be sure to give YOUR public IP address HTTP Allow access for testing. The default rule allows RDP access, which should be edited to restrict access from only YOUR public IP address.**

**EDIT**: I took this "easy" file sharing up a notch by creating a self-signed SSL certificate using Git Bash, importing the certificate into IIS and also into my personal certificates store on my local PC, and binding SSL in IIS using the new self-signed certificate. Now I can access the site using HTTPS and the browser doesn't prompt the download as "insecure".
Launch Git Bash for Windows
$ winpty openssl genrsa -out awsserver.key 4096
$ winpty openssl req -key awsserver.key -out awsserver.csr
*answer prompts*
$ winpty openssl x509 -req -days 3650 -in awsserver.csr -signkey awsserver.key -out awsserver.crt
$ winpty openssl x509 -in awsserver.crt -text -noout (*this verifies certificate)
$ winpty openssl pkcs12 -export -out awsserver.pfx -inkey awsserver.key -in awsserver.crt
*this creates PFX file to import into IIS
** Don't forget to add a DNS entry, either into your local DNS server or your PC's hosts file (Windows/system32/drivers/etc)