Boston Marathon Spam

April 17th, 2013 No comments

It didn’t take long for spammers to start abusing the Boston Marathon bombing, sending emails with links to various YouTube videos of the explosions at the Boston Marathon, an automatic download of a malicious binary named “boston.avi_______.exe”, embedded malicious Java code and other iframed pages with malicious content.

Figure: sample spam email

Figure: sample landing page with videos and Java

 

Microsoft TechDays 2013 Presentations (Belgium & Netherlands)

March 25th, 2013 No comments

The presentations from our pre-con/workshop sessions “Defending your Microsoft infrastructure from cyber threats” at TechDays 2013 in Belgium and the Netherlands are now available for download:

  TechDays 2013 Presentations download:(4.7 MiB, 161)

If you have any follow up questions about the sessions or any related topics please contact Hasain Alshakarti or Marcus Murray :)

 


The final Kerberos guide for SharePoint technicians

September 27th, 2012 No comments

Kerberos authentication has always been a challenge, especially when deploying complex environments with many different components and authentication requirements. There are some good guides about how to deploy Kerberos authentication and constrained delegation in general, but as my colleague and SharePoint expert Thomas Balkeståhl already realized, there are very few that focus on specific products. In a recent blog post about bringing together Kerberos and SharePoint, Thomas has done a wonderful job of bringing real-life experience into one of the best guides I have found about Kerberos and SharePoint.

Enjoy reading the complete “The final Kerberos guide for SharePoint technicians”

 

PowerShell Scripting Week by Niklas Goude

July 2nd, 2012 No comments

The Hey, Scripting Guy! Blog is one of those blogs I would normally recommend to anybody interested in scripting Windows. But I have a very good reason to bump that recommendation this week, just to make sure everybody following my blog does not miss that my colleague and fellow MVP Niklas Goude will be writing a couple of guest posts on The Scripting Guys blog regarding security from the 2nd to the 6th of July.

The specific subjects will be:

Monday: Scanning

Tuesday: Brute Force

Wednesday: Shares and Metadata

Thursday: Give yourself System Permission without psexec

Friday: LSA Secrets

Enjoy PowerShell!

 

Windows 8 Enhanced Security Features

June 16th, 2012 No comments

Microsoft has published the Windows 8 Release Preview Product Guide for Business. The guide describes how Windows 8 changes work environments and how Windows has been reimagined to support people’s unique working styles.

Windows 8 provides enterprise-class security capabilities that keep clients more secure from power-on to power-off.

Windows 8 provides the following enhanced security features:

Trusted boot process

On devices equipped with UEFI 2.3.1, the UEFI Secure Boot feature helps to ensure that malware is not able to start before Windows 8. The Windows 8 Trusted Boot feature protects the integrity of the remainder of the boot process, including the kernel, system files, boot-critical drivers, and even the antimalware software itself. The system’s antimalware software is the first third-party application or driver to start. Moving antimalware into the Trusted Boot process prevents it from being tampered with. In the event that malware is able to successfully tamper with the boot process, Windows can automatically detect and repair the system.

Measured boot process

On Trusted Platform Module (TPM)-based systems, Windows 8 can perform a comprehensive chain of measurements during the boot process that can be used to further validate the boot process beyond Trusted Boot. Measured boot process enables all aspects of the boot process to be measured, signed, and stored in a Trusted Platform Module (TPM) chip. This information can be evaluated by a remote service to further validate a computer’s integrity before granting it access to resources. This process is called Remote Attestation.

BitLocker Drive Encryption

BitLocker now supports encrypted drives, which are hard drives that come pre-encrypted from the manufacturer. BitLocker offloads the cryptographic operations to hardware, increasing overall encryption performance and decreasing CPU and power consumption. On devices without hardware encryption, BitLocker allows you to choose to encrypt the used space on a disk instead of the entire disk. As free space is used, it will be encrypted. This results in a faster, less disruptive encryption of a hard drive. In addition, the user experience is improved by allowing a standard user, one without administrative privileges, to reset the BitLocker PIN.

AppLocker

AppLocker enables IT administrators to create security policies through Group Policy to prevent potentially harmful or other non-approved apps from running. With AppLocker, IT administrators can set rules based on a number of properties, including the signature of the application’s package or the app’s package installer and can more effectively control apps with less management.

Windows SmartScreen app reputation service

Windows SmartScreen app reputation is a safety feature in Windows 8. This service provides application reputation-based technologies to help protect users from malicious software that they may encounter on the Internet. This technology checks the reputation of any new application, helping to keep users safe no matter which browser they use on Windows 8. This helps to prevent malware and other viruses from infiltrating your organization. The Windows SmartScreen app reputation feature works with Internet Explorer’s SmartScreen feature, which also protects users from websites seeking to acquire personal information such as user names, passwords, and billing data.

Claim-based access control

With Windows 8, IT administrators can dynamically allow users access to the data they need based on the user’s role in the company. Unlike previous statically-controlled security groups, Claim-based access control allows IT admins to dynamically control access to corporate resources based on the user and device properties that are stored in Active Directory. For example, a policy can be created that enables individuals in the finance group to have access to specific budget and forecast data, and the human resources group to have access to personnel files.

 

802.1X Authenticated Wireless Access

June 14th, 2012 No comments

Windows Server provides features that you can use to deploy IEEE 802.1X authenticated wireless service for wireless network clients. In combination with 802.1X-capable wireless access points (APs) and other Windows Server services that you deploy on your network, you can use these Windows Server features to control who can access your network.

You can also use features in Windows Server to define the wireless network adapter connectivity and security settings that your wireless clients use for connection attempts. For example, Network Policy Server (NPS) allows you to create and enforce network access policies for authentication, authorization, and client health. The Wireless Network (IEEE 802.11) Policies in Windows Server Group Policy objects (GPOs) enable you to configure your network client computers with the security and connectivity settings that they must use to connect to your network.

This checklist provides the tasks required to deploy 802.1X wireless access points with Network Policy Server (NPS).

Tasks and references:

  1. Install and configure 802.1X wireless access points on your network.
     Reference: RADIUS Server for 802.1X Wireless or Wired Connections, and your hardware documentation
  2. Determine the authentication method you want to use.
     Reference: RADIUS Server for 802.1X Wireless or Wired Connections; Certificate Requirements for PEAP and EAP; EAP Overview; PEAP Overview; and your hardware documentation
  3. Autoenroll a server certificate to servers running NPS, or purchase a server certificate.
     Reference: Deploy a CA and NPS Server Certificate, and Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=33675
  4. If you are using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) without smart cards, autoenroll client or computer certificates to domain member client computers.
     Reference: Deploy Client Computer Certificates, and Deploy User Certificates
  5. Configure 802.1X wireless access clients by using the Group Policy Management extension, Wireless Network (IEEE 802.11) Policies.
     Reference: Configure 802.1X Wireless Access Clients by using Group Policy Management
  6. Configure 802.1X wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients in NPS.
     Reference: Add a New RADIUS Client, and RADIUS Client
  7. Create a user group in Active Directory Domain Services (AD DS) that contains the users who are allowed to access the network through the wireless access points.
     Reference: Create a Group for a Network Policy
  8. In NPS, configure one or more network policies for 802.1X wireless access.
     Reference: Add a Network Policy; Create policies for 802.1X Wired or Wireless with a Wizard; and Network Policies


TechDays Sweden 2012 – Security Features in Windows 8 & Server 2012

June 8th, 2012 No comments

The recording from TechDays Sweden 2012 is now available for download here:

  TechDays Sweden 2012 download:(219.3 MiB, 617)

or can be played directly on this page.

Thanks to DXter PowerAdmin for contributing the ADFS demo :)

/Hasain

MEET@TechDays 2012 in Örebro

April 23rd, 2012 No comments

Microsoft Extended Expert Team (MEET) is a network of experts who love to share the passion and knowledge they have about Microsoft-based systems and products. All members are acknowledged experts within one or more focus areas, spanning widely across different technologies, products, technical disciplines and categories. Many of the MEET members are established speakers and MVPs and are often seen at Microsoft’s events around the world, like TechEd, TechDays and MMS.

Having access to the MEET network helps me get many questions that I cannot answer myself solved easily, thanks to the wide range of the network’s expertise. The list below is a sample of some of the MEET members’ online presence and the expertise they represent:

Do not hesitate to send any of us your questions and I promise that we will do our best to get you an answer both online and one-to-one during events and conferences like TechDays Sweden 2012 in Örebro this week.
See you in a Microsoft Event near you :)



Windows Server “8” is now officially Windows Server 2012

April 17th, 2012 No comments

LAS VEGAS — April 17, 2012 — Today at the sold-out Microsoft Management Summit, Corporate Vice President Brad Anderson spoke to nearly 5,000 IT professionals about their opportunity to deliver fast, reliable services with cloud computing. His keynote speech highlighted how customers around the world are already using Microsoft System Center 2012, available today for evaluation and purchase, to create private clouds. Anderson also discussed how IT professionals can evolve their roles with cloud computing to help their businesses be more competitive.

Anderson provided a preview of how Microsoft’s private cloud will become even more powerful with Windows Server “8” and announced that the operating system will officially be named Windows Server 2012. The new “cloud-optimized OS” is due out later this year.

Read the complete press release: http://www.microsoft.com/en-us/news/Press/2012/Apr12/04-17MMSDay1PR.aspx

 

The certificates in DirectAccess have expired – now what

March 17th, 2012 No comments

Yet another day of troubleshooting DirectAccess, this time it was my colleague and friend Mikael Nystrom asking about expired IPHTTPS and NLS certificates. He already knew about my other post about changing the IPHTTPS certificate.

So he deleted the old binding using the [netsh http del sslcert] command for both external addresses, and replaced the binding using [netsh http add sslcert] and/or the IIS management console.

The DirectAccess server was now restored to a functional state, but Mikael noticed another error: the DirectAccess Management Console started showing an error about not being able to read the XML config file due to errors in the certificate hashes for IpHttpsCertHash and NidCertHash.

My advice was to manually edit the %WINDIR%\DirectAccess\DirectAccessConfig.xml file and replace the certificate thumbprints in the file with the new ones from the renewed certificates. But the console was still complaining about the hashes! After some thinking, and after comparing the old and the new config files, we realized that the console needs the certificate hash values in CAPITAL letters!

Yes, the certificate hash/thumbprint is a hex representation, and according to W3C XML Schema Part 2: Datatypes Second Edition http://www.w3.org/TR/xmlschema-2/#hexBinary:

hexBinary has a lexical representation where each binary octet is encoded as a character tuple, consisting of two hexadecimal digits ([0-9a-fA-F]) representing the octet code. For example, “0FB7” is a hex encoding for the 16-bit integer 4023 (whose binary representation is 111110110111).

Reading the above carefully, any developer can see that the expression “digits ([0-9a-fA-F])” means the value is not case sensitive, but this apparently does not apply to whoever developed the DirectAccess Management Console in Windows Server 2008 R2.

To change any of the IPHTTPS or NLS (if NLS is running on the DA server) certificate and keep the DA Management Console happy:

  • Redo the certificate bindings either using the netsh http del/add sslcert command or the IIS console
  • Change the IpHttpsCertHash and NidCertHash in the DirectAccessConfig.xml file and make sure the hash value is in CAPITAL letters

If you happen to know the person responsible for this at Microsoft, please give him/her the link to W3C ;)
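An added PowerShell example (not from the original post) that applies the second step above: it locates the IpHttpsCertHash and NidCertHash elements in DirectAccessConfig.xml, validates each thumbprint as hexBinary of SHA-1 length, and writes it back in capital letters. The element names come from the post; that they carry the thumbprint as their text content, and the script's parameter names, are assumptions.

```powershell
# Added example, not code from the original post.
# Assumption: DirectAccessConfig.xml contains elements named IpHttpsCertHash and
# NidCertHash (names taken from the post) whose text content is the thumbprint.
param(
    [string]$ConfigPath = "$env:WINDIR\DirectAccess\DirectAccessConfig.xml",
    [string]$IpHttpsThumbprint,   # thumbprint of the renewed IP-HTTPS certificate (optional)
    [string]$NlsThumbprint        # thumbprint of the renewed NLS certificate (optional)
)

function ConvertTo-CanonicalThumbprint {
    # Removes the spaces and colons that copying from the certificate UI leaves
    # behind, checks that the value is hexBinary of SHA-1 length (40 hex digits)
    # and returns it in CAPITAL letters, which is what the DA console accepts.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $clean = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Not a valid SHA-1 thumbprint (expected 40 hex digits): '$Thumbprint'"
    }
    return $clean
}

# Keep a copy before editing the console's configuration.
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

# Element name -> new thumbprint (empty means: keep the existing value, just re-case it).
$updates = @{
    IpHttpsCertHash = $IpHttpsThumbprint
    NidCertHash     = $NlsThumbprint
}

foreach ($name in $updates.Keys) {
    # GetElementsByTagName matches the element name regardless of any default
    # namespace the file may declare, so no namespace manager is needed.
    $nodes = $config.GetElementsByTagName($name)
    if ($nodes.Count -eq 0) { throw "Element <$name> not found in $ConfigPath" }
    $node = $nodes.Item(0)

    $source = if ($updates[$name]) { $updates[$name] } else { $node.InnerText }
    if (-not $source) { Write-Host "$name is empty, skipping"; continue }

    $new = ConvertTo-CanonicalThumbprint -Thumbprint $source
    Write-Host ("{0}: {1} -> {2}" -f $name, $node.InnerText, $new)
    $node.InnerText = $new
}

$config.Save($ConfigPath)
```

Run it without thumbprint parameters to only upper-case the values already in the file, or pass the renewed thumbprints to replace and upper-case them in one go.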

 

2W – Pentest & Security – with a touch of PowerShell

March 15th, 2012 No comments

In many contexts, penetration testing is associated with third-party tools and Linux distributions. For example, a number of different products and techniques are usually required to gather the information needed to determine whether your company is operating in a secure environment.

In this presentation we will focus on what you can do in terms of penetration testing from a standard Windows client installation.

We will also go through various methods you can use to harden your environment.

Hasain, MVP in Security, and Goude, MVP in PowerShell, will both give an exciting presentation as well as an exciting discussion about pentesting, security and PowerShell.

Download the presentation here: 2W-Pentest-Powershell

 

ITProffs Live Meeting Series – PKI/ADCS

February 23rd, 2012 No comments

Restricting Enrollment Agents

February 10th, 2012 No comments

Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization, including all domain admins. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies for these certificates.

Permitting an enrollment agent to enroll only a certain type of certificate to a certain group of users was not possible before Windows 2008. In Windows Server 2003 Enterprise Edition the enterprise CA does not provide any configurable means to control enrollment agents except by enforcing the application policy extension of the enrollment agent certificate, which verifies that the credentials grant the ability to enroll on behalf of other users, including the domain admins.

In Windows Server 2008, the PKI architecture of an enterprise has the possibility to restrict enrollment agents so that enrollment is only possible for a certain certificate template and a certain group of users. By providing a technical possibility to limit the scope of enrollment agents, an enterprise is given a better tool to control the delegation of trust and the risk associated with granting that trust.

On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of.

Note: The feature cannot constrain an enrollment agent based on a certain Active Directory organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.

By using the Certificate Services snap-in, you can create a permissions list for each enrollment agent to configure which users or security groups an enrollment agent can enroll on behalf of for each certificate template.

 

Enroll for a smart card certificate on behalf of other users

February 7th, 2012 No comments

To enroll for a smart card certificate on behalf of someone, the user must have an enrollment agent certificate. The smart card enrollment agent can create smart cards on behalf of any user, including an enterprise administrator.

Follow the steps below to create an enrollment agent trusted to enroll for a smart card certificate on behalf of other users:

Create an Enrollment Agent enabled Smart Card Certificate Template:

  1. Open the Certificate Template Management console
  2. Right click the Smartcard User or Smartcard Logon template and choose Duplicate Template
    Note: If you are using a Windows 2008 CA or above you will be prompted to select the minimum CA for your new template. Select the 2003 Enterprise option.
  3. Provide a name for the smart card template and set the validity period that you desire for the environment
  4. On Request Handling tab, do the following
    • Select Signature and smartcard logon under Purpose
    • Under CSPs, select the CSP that should be used for your smart cards
  5. On Issuance Requirements tab, do the following
    • Select The number of authorized signatures: and set it to 1
    • Under Policy type required in signature, select Application Policy
    • Under Application Policy select Certificate request Agent
  6. On the Security tab, make sure the user or group that is designated as enrollment agent has Read and Enroll permissions on the template
  7. Click Apply and then OK.
  8. Close Certificate Templates console
  9. In the Certificate Authority snap-in, right click Certificate Templates folder and select New
  10. Select “Certificate Template to Issue”
  11. Select the new template and click Ok

Specify/adjust the permissions of the Enrollment Agents and publish the Enrollment Agent certificate template:

  1. Open the Certificate Template Management console
  2. Right-click the EnrollmentAgent template, and then click Properties
  3. On the Security tab, make sure the user or group designated as an enrollment agent has Read and Enroll permissions on the template, and then click OK
  4. In the Certificate Authority snap-in, right click Certificate Templates folder and select New
  5. Select “Certificate Template to Issue”
  6. Select the Enrollment Agent template and click Ok

Enroll the smart card enrollment agent certificate:

Note: It is recommended to store the enrollment agent certificate on a smart card to provide proper protection

  1. Log on to the domain with the Enrollment Agent account
  2. Open certmgr.msc to manage the current user’s certificates
  3. Open the Personal folder, right-click in the right-hand pane, and then click All Tasks.
  4. Click Request New Certificate
  5. Complete the Certificate Request Wizard and request an Enrollment Agent certificate

Create a smart card certificate for a user using the new smart card template and the enrollment agent:

  1. Log on to a system that has a smart card reader with a user that has an Enrollment Agent certificate
  2. Open certmgr.msc
  3. Expand Personal, and then right-click on the Certificates folder
  4. Select All Tasks > Advanced Operations > Enroll on behalf of from the context menu
  5. Click Next
  6. When prompted, browse to the signing certificate for the enrollment agent. Click Next
  7. Select the certificate template you created, and click Next
  8. Browse to and select the user name (this will be the subject of the smart card certificate), then click Enroll

 

EAP-TTLS by Microsoft noticed on Windows 8

December 16th, 2011 No comments

It seems that EAP-TTLS will be supported by Microsoft in the next version of Windows. Using the 802.1X Policies in the Developer Preview version of Windows 8 Build 8102, you can configure EAP-TTLS as an authentication method for both Wired (IEEE 802.3) and Wireless (IEEE 802.11) Policies.

 

Certificate Selection & Certificate Friendly Name Tool

November 4th, 2011 No comments

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers not aware of the functionality…) or use filters that do not efficiently reduce the number of certificates presented to the user, making it almost impossible for a user to know which certificate to choose without opening each certificate and looking at details such as the template name, EKU, etc.

This is particularly true when all certificates have been automatically enrolled using the same user DN/CN attribute based on the user’s Active Directory user object attributes. In addition to that, autoenrollment does not support variations in certificate subject name unless some third-party policy module is installed on Active Directory Certificate Services.

Since the certificate selection UI supports certificate friendly names, setting the friendly name to include information about the certificate template can simplify the user’s task of selecting the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the Certificates MMC snap-in. Alternatively, certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}My Friendly Name"

Save the file as friendlyname.inf

Determine the serialnumber of the certificate where the friendly name should be changed.

Run the following command at a command-line:
certutil -repairstore -user my {SerialNumber} FriendlyName.inf

Automating the friendly name can be achieved either by scripting the steps above or by creating a tool that enumerates all certificates in the personal store and assigns the friendly name.

A proof-of-concept CertFN.exe tool was created to automate the above. The tool receives a parameter for the template name to use when filtering the user store; it then sets the friendly name based on the pattern “Template Name – Certificate Subject Name”.

  CertFN - Certificate Friendly Name Tool download:(39.3 KiB, 679)

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download:(1.1 KiB, 1,946)
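One way to script the friendly-name assignment described above, as an added PowerShell example (not the CertFN tool's own code): it reads the template name from the certificate template extensions (an assumption about how the template is identified; the OIDs are the standard Microsoft ones), filters the current user's Personal store on it and writes "Template Name - Subject Name" as the friendly name. The parameter and function names are assumptions.

```powershell
# Added example, not the CertFN tool from the post. Sets the friendly name of
# every certificate in the current user's Personal store issued from the given
# template to "Template Name - Certificate Subject Name".
# Assumption: the template is read from the certificate template extensions
# (OID 1.3.6.1.4.1.311.20.2 for v1 templates, 1.3.6.1.4.1.311.21.7 for v2+
# templates) and compared with the template name as the CA displays it.
param(
    [Parameter(Mandatory)][string]$TemplateName,
    [switch]$DryRun     # report what would change without writing to the store
)

function Get-CertificateTemplateName {
    # Returns the template name recorded in the certificate, or $null when the
    # certificate has no template extension (for example a non-AD CS certificate).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    foreach ($ext in $Certificate.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.20.2' {
                # v1 template: the formatted extension value is the template name itself.
                return $ext.Format($false).Trim()
            }
            '1.3.6.1.4.1.311.21.7' {
                # v2 template: Format() renders "Template=<name>(<oid>), Major Version ...";
                # capture the part before the first "(" or ",".
                if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            }
        }
    }
    return $null
}

function Set-TemplateFriendlyName {
    # Applies the naming pattern to matching certificates and returns how many
    # certificates in the store were issued from the template.
    param([Parameter(Mandatory)][string]$Template, [switch]$Preview)
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $matched = 0
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        if ((Get-CertificateTemplateName -Certificate $cert) -ne $Template) { continue }
        $matched++
        # SimpleName yields the subject CN, the part autoenrollment makes identical
        # across templates; use $cert.Subject instead if the full DN is wanted.
        $subject  = $cert.GetNameInfo($nameType, $false)
        $friendly = "$Template - $subject"
        if ($cert.FriendlyName -eq $friendly) { continue }   # already set, stay idempotent
        if ($Preview) {
            Write-Host "Would rename $($cert.Thumbprint) to '$friendly'"
        } else {
            # FriendlyName is a store property: assigning it on a certificate obtained
            # from the Cert: provider persists the change in the user's store.
            $cert.FriendlyName = $friendly
            Write-Host "Renamed $($cert.Thumbprint) to '$friendly'"
        }
    }
    return $matched
}

$count = Set-TemplateFriendlyName -Template $TemplateName -Preview:$DryRun
Write-Host "$count certificate(s) found for template '$TemplateName'"
```

Run it with -DryRun first to see which certificates would be renamed before changing the store.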


The Active Directory Certificate Services Ultimate Guide – Part 1

October 14th, 2011 No comments

The Basics of PKI

Public Key Infrastructure (PKI) refers to the set of hardware, software, people, policies, and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography. The characteristic operation of PKI is known as certification (the issuance of certificates). PKI certification provides a framework for the security feature known as authentication (proof of identification).

Understanding the role of PKI in identity management involves the following basic terms:

  • The Public/Private Key Pair - The mathematics of public/private key pairs is beyond the scope of this guide, but it is important to note the functional relationship between a public and a private key. PKI cryptographic algorithms use the public key of the receiver of an encrypted message to encrypt data, and the related private key and only the related private key to decrypt the encrypted message.
  • Digital Signature - A digital signature of a message is created with the signer’s private key. The corresponding public key, which is available to everyone, is then used to verify this signature. The secrecy of the private key must be maintained because the framework falls apart after the private key is compromised.
  • Certification Authority (CA) - An authority that is trusted to create and issue certificates containing public keys, acting as a trust anchor in a public key infrastructure and providing services that authenticate the identity of individuals, computers, and other entities in a network.
  • Certificate - A data structure containing an entity’s public key and related identification information, which is digitally signed with the private key of the CA that issued it. The certificate securely binds together the information that it contains; any attempt to tamper with it will be detected at the time of use.
  • Self-signed - In a self-signed certificate, the public key in the certificate and the key used to verify the certificate are the same. Some self-signed certificates are designated as Root CAs.
  • Root CA - A root CA is a special class of CA, which is trusted unconditionally by a client and is at the top of a certification hierarchy. All certificate chains terminate at a root CA. The root authority must sign its own certificate because there is no higher certifying authority in the certification hierarchy.
  • Subordinate CA / Intermediate CA / Cross CA / Bridge CA - A CA that has been certified by another CA. Subordination creates a managed trust between separate certification authorities resulting in CA hierarchies.
  • Certificate policy and practice statements - The two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
  • Public key standards - Standards are developed to describe the syntax for digital signing and encrypting of messages and to ensure that a user has an appropriate private key. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, as specified in RFC5280 is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet.
  • Revocation and Expiration – Certificates are issued with a planned lifetime, which is defined through a validity start time and an explicit expiration date. Once issued, a certificate becomes valid when its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA, and compromise or suspected compromise of the corresponding private key. Under such circumstances, the issuing CA needs to revoke the certificate.
  • Registration Authority (RA) – A Registration Authority vouches to a CA for the binding between public keys and the identity and attributes of a prospective certificate holder. Essentially, using the RA is a form of administrative delegation—the CA delegates to the RA the task of verifying the binding of a public key to an entity.
  • Certificate Chains – A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate CAs, and the certificate of a root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA one level above it in the trust hierarchy.


Windows 8 – Network Isolation for Metro style Apps

October 8th, 2011 No comments

When developing Metro style apps, Network Isolation helps your product to take advantage of the isolation mechanisms that will keep the app and system secure.

The new Windows Runtime APIs enable a developer to control the security profile of an app under development. Network access is part of this application security model. Not all apps will require access to the network. However for those that do, Windows provides the appropriate level of granularity for apps to access the network securely.

With network isolation, developers can define the scope of the network access required for each process, which prevents a process without the appropriate scope from accessing the specified type of network or connection. The ability to set and enforce these boundaries ensures that compromised apps have access only to networks they have explicitly been granted access to, significantly reducing the scope of their impact in other apps or the system itself.

Download and Read more about Network Isolation for Metro style Apps http://www.microsoft.com/download/en/details.aspx?id=27534. This paper provides information about network isolation for Windows operating systems. It provides guidelines for developers to determine the network boundary that a Metro style app will operate in, and what capabilities will be necessary to access required resources.

 

Public Key Infrastructure at Microsoft – 2008 R2 Edition

October 3rd, 2011 No comments

Microsoft IT has released an updated version of the “Public Key Infrastructure at Microsoft” whitepaper found at http://www.microsoft.com/download/en/details.aspx?id=27581 or here Public Key Infrastructure at Microsoft 1750_PKI_TWP

The update deals with changes to the Microsoft internal PKI structure as part of the Windows Server 2008 R2 migration. There are many good “lessons learned and best practices” outlined by Microsoft IT as a result of the migration/upgrade process that was performed.

Some of my favorites are the way they use CRL overlap to provide higher availability of CRLs, the simplified two-tier structure together with cross-forest enrollment, and the discussion about virtualisation of CAs.

Some of the highlighted features in the document are:

Windows Server 2008:

  • Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis
  • Enhanced performance monitoring with the addition of new performance counters
  • Scalable, high-speed revocation status response services that combine CRLs and integrated Online Responder services
  • Support for Cryptography Next Generation (CNG) to enable the use of Suite B algorithms
  • Enhanced service monitoring with the introduction of the Windows Server 2008 AD CS Management Pack for Microsoft Operations Manager 2005
  • More detailed server administration with restricted certificate managers
  • Failover cluster support

Windows Server 2008 R2:

  • Cross-forest enrollment capability that allows for consolidation of existing hardware
  • Databaseless CA feature to avoid storing unnecessary certificate records
  • Best Practice Analyzer for improved configuration practices
  • Web-based certificate enrollment protocol to allow enrollment over the Internet

 

IPSec StrongCRLCheck does not work on Windows Server 2008 R2-based RRAS

September 15th, 2011 No comments

SYMPTOMS:

  • You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
  • You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
  • You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
  • You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
  • You establish an L2TP/IPsec connection from the client computer to the server.
  • The connection to the RRAS server is successful. However, you expect that the client computer cannot connect to the server.

The issue occurs because the Remote Access Service (RAS) ignores the StrongCRLCheck setting!
To correct this you need a hotfix and a new registry key, as instructed by KB2351254: http://support.microsoft.com/kb/2351254