Archive for September, 2011

IPSec StrongCRLCheck does not work on Windows Server 2008 R2-based RRAS

September 15th, 2011

SYMPTOMS:

  • You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
  • You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
  • You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
  • You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
  • You establish an L2TP/IPsec connection from the client computer to the server.
  • The connection to the RRAS server succeeds, although you expect the client computer to be refused because its certificate has been revoked.

The issue occurs because the Remote Access Service (RAS) ignores the StrongCRLCheck setting!
To correct this you need a hotfix and a new registry key, as described in KB2351254: http://support.microsoft.com/kb/2351254
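The following PowerShell script is an added example, not part of the original post or of the Microsoft KB article. It checks, on the RRAS server, the two things the post says must both be present: the StrongCRLCheck value set with the netsh command quoted above, and the KB2351254 hotfix. The function names are this example's own, and the exact text that "netsh ipsec dynamic show config" prints for the CRL setting varies by build, so it is parsed loosely; the registry key that KB2351254 also requires is not named on this page and is therefore not checked here.

```powershell
# Added example (not from the post or KB2351254). Run in an elevated
# PowerShell on the Windows Server 2008 R2 RRAS server. Written for
# PowerShell 2.0 syntax, which is what that OS ships with.

function Get-IpsecStrongCrlCheck {
    # "netsh ipsec dynamic show config" lists the dynamic IPsec settings,
    # one "Name : Value" line each. Pick out the Strong CRL check line.
    $output = netsh ipsec dynamic show config
    $line = @($output | Where-Object { $_ -match 'Strong\s*CRL' })
    if ($line.Count -eq 0) { return $null }

    # Assumption: the value follows a colon; it may be printed as a number
    # (0, 1 or 2) or as a word, so return the raw value text and let the
    # caller decide. The post sets value 2 (fail on any CRL problem).
    $value = ($line[0] -split ':', 2)[1]
    if ($value -eq $null) { return $line[0].Trim() }
    return $value.Trim()
}

function Test-HotfixInstalled {
    param([string]$KbId)
    # Get-HotFix reads Win32_QuickFixEngineering; a missing hotfix raises an
    # error, which is swallowed so the function simply returns $false.
    $hf = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Test-RrasStrongCrlCheck {
    $crl    = Get-IpsecStrongCrlCheck
    $hotfix = Test-HotfixInstalled -KbId 'KB2351254'

    # Both conditions are needed: without the hotfix RAS ignores the setting,
    # and without value 2 a revoked client certificate is still accepted.
    $crlOk = ($crl -ne $null) -and ($crl -match '2')

    New-Object PSObject -Property @{
        StrongCRLCheck        = $crl
        StrongCRLCheckIsTwo   = $crlOk
        KB2351254Installed    = $hotfix
        RevokedCertsRejected  = ($crlOk -and $hotfix)
    }
}

# Usage: prints one object; RevokedCertsRejected should be True once the
# netsh setting, the hotfix and the KB's registry key are all in place.
Test-RrasStrongCrlCheck | Format-List
```

If RevokedCertsRejected is False, the StrongCRLCheck field shows which half is missing: re-run the netsh command from the post for the setting, or install the hotfix and add the registry key from KB2351254. Because RAS ignores the setting until the hotfix is applied, a True here is still only a configuration check; confirm behaviour by attempting a connection with a revoked client certificate in a test environment.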

Interesting notes from the DigiNotar report

September 6th, 2011

The notes below are extracted from the “DigiNotar public report version 1” published at http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

“The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.

The software installed on the public web servers was outdated and not patched.

No antivirus protection was present on the investigated servers.

An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place.”

Out of band update KB2607712 – Fraudulent DigiNotar certificates could allow spoofing

September 6th, 2011

Microsoft has published an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie – G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven

http://support.microsoft.com/kb/2607712
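The following PowerShell script is an added example, not part of the original post or of the Microsoft update. It checks whether the five DigiNotar roots listed above are present in the machine's Untrusted Certificates store, which PowerShell exposes as Cert:\LocalMachine\Disallowed, and whether any of them is still in the Trusted Root store. The function name and the assumption that each certificate's subject CN equals the name shown in the post (with a plain hyphen in "Organisatie - G2") are this example's own.

```powershell
# Added example (not from the post or KB2607712). Verifies that the update's
# effect, the DigiNotar roots being placed in the Untrusted store, is present
# on this machine. Written for PowerShell 2.0 syntax.

# Names as listed in the post; assumed to match the certificate subject CNs.
$DigiNotarRoots = @(
    'DigiNotar Root CA',
    'DigiNotar Root CA G2',
    'DigiNotar PKIoverheid CA Overheid',
    'DigiNotar PKIoverheid CA Organisatie - G2',
    'DigiNotar PKIoverheid CA Overheid en Bedrijven'
)

function Get-DigiNotarTrustStatus {
    # Disallowed = "Untrusted Certificates" in the MMC snap-in;
    # Root = "Trusted Root Certification Authorities".
    $disallowed = @(Get-ChildItem Cert:\LocalMachine\Disallowed)
    $trusted    = @(Get-ChildItem Cert:\LocalMachine\Root)

    foreach ($name in $DigiNotarRoots) {
        # Anchor on "CN=<name>" followed by a comma or end of string so that
        # "DigiNotar Root CA" does not also match "DigiNotar Root CA G2".
        $pattern = 'CN=' + [regex]::Escape($name) + '(,|$)'

        $inDisallowed = @($disallowed | Where-Object { $_.Subject -match $pattern }).Count -gt 0
        $inTrusted    = @($trusted    | Where-Object { $_.Subject -match $pattern }).Count -gt 0

        New-Object PSObject -Property @{
            Name         = $name
            InUntrusted  = $inDisallowed
            StillTrusted = $inTrusted
            # Only the combination "in Untrusted, not in Trusted Root" means
            # certificates chaining to this root will be rejected.
            Revoked      = ($inDisallowed -and -not $inTrusted)
        }
    }
}

# Usage: one row per root; every row should show Revoked = True after the
# KB2607712 update has been applied.
Get-DigiNotarTrustStatus | Format-Table Name, InUntrusted, StillTrusted, Revoked -AutoSize
```

A root that shows InUntrusted = False on a machine that should have received the update is a sign that Windows Update has not run or that the update was blocked; a root that shows StillTrusted = True alongside InUntrusted = True is still rejected, because the Untrusted store takes precedence during chain building, but it indicates a manually imported copy worth removing.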