Hasain Alshakarti

Six months ago I had a talk with Fabio Viggiani  about the development of ransomware and we made an educated guess about the next big type of ransomware attack to be CRYPTOWORMS!

The last few days many of us witnessed how a major ransomware attack affected many organizations across the world. Telefonica in Spain, theNational Health Service in the UK, and FedEx in the US are some tom mentions among many many more. The responsible for this attack was reported to be a ransomware variant known as ‘WannaCry’.

The malware has the ability to spread to other system by scanning a attacking the Server Message Block/SMB protocol resulting in a worm behavior. Once the malware has a foothold on a system it used different techniques to persist on that host.  The WannaCry malware appeared to primarily use the ETERNALBLUE modules for the initial exploitation of the SMB vulnerability addressed as part of Microsoft Security Bulletin MS17-010. If successful it then used the DOUBLEPULSAR backdoor to install the ransomware.

The domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – a “randomly” human-typed address primarily consists of keys in the top row of the keyboard, was observed in the malware code as a kill switch. If the malware could establish communication with the mentioned domain, it would stop but because the domain wasn’t registered, it continued to execute. A researcher worked out what was going on and simply registered the domain name and activated the kill switch!

In this particular case, the foremost reason for the success of “WannaCry” was because many didn’t upgrade or patch things. Reports started talking about the malware hitting machines as old as Windows XP and Windows 2003! Once infected other problems started to appear. Many affected individuals and organisations had no proper backups to recover from the ransomware.

At this point many affected entities are in the clean-up phase of the “WannaCry” story. Vendors and security professionals are helping out with patches, signatures, detection tools, removal tools, damage assessment and recommendations. The bigger lesson remains that we need to reinforce proper security focus and measures such as:

• Keep systems current and supported
• Apply and verify patches early
• Establish robust backups and recovery procedures
• Lock down and harden machines
• Conduct least privilege and protect administrative provileges
• Don’t open suspicious emails or attachments
• Restrict access to network resources
• Block unnecessary ports and implement host-based firewalls
• Enhance you ability to detect attacks
• Ensure you have the tools to perform incident response
• Establish strategies to inform users

These recommendations and many more discussions and security features and strategies are discussed as part of my Windows Cyber Security Road Trip. The class offers a detailed description and demonstrations of current risks and how to mitigate these risks using modern tools, features and strategies in the most current versions of Windows 10 and Windows Server 2016.

To summarize some of the most important steps needed during an attack we made this poster

Play safe and make sure to get well prepared before the next time! 

Microsoft has released the security baseline settings for Windows 10 along with an updated baseline settings for Internet Explorer 11. With this release Microsoft reevaluated older settings to determine whether they address contemporary threats, and have so far removed 44 that don’t.

The new baseline is to be combined with the newly released Local Administrator Password Solution (LAPS), Enhanced Mitigation Experience Toolkit EMET 5.5 beta and new security features in Windows 10 such as Credential Guard.

The draft baseline is available through the Microsoft Security Guidance blog http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

Deploying the Network Device Enrollment Service NDES component, part of the Active Directory Certificate Services ADCS, is a fairly easy task.

Once the installation is completed we need to test and verify the system is working properly but there are no tools available to perform such test. The only option for many administrators is to perform a real deployment using a device that supports SCEP and wait for the results.

After doing some research I found many tools that could perform SCEP operations but almost none of the tools was designated to perform a complete SCEP operation in Windows.

I managed to build a toolbox that works in Windows to test and verify NDES/SCEP deployment. The toolbox is a combination of Openssl and sscep from the The CertNanny Project.

  SCEP Toolbox download:(1.2 MiB, 18,344)

Once you downloaded the toolbox and extracted the files, you need to follow the steps below to verify your NDES/SCEP deployment

1. Get a new SCEP Challenge Password from your SCEP/NDES server

   Direct your browser to http://172.16.1.20/certsrv/mscep_admin/

2. Generate a certificate request providing a Common Name and the Challenge Password when prompted by openssl

   openssl.exe req -config scep.cnf -new -key priv.key -out test.csr

3. Retrieve the CA and RA certificates from your SECP/NDES

   sscep.exe getca -u http://172.16.1.20/certsrv/mscep/ -c ca.crt

   Note: The getca operation will download the RA and CA certificates and save each cert in a file prefixed with a number: ca.crt-0, ca.crt-1, ca.crt-2

4. Enroll a new certificate and make sure to specify the correct RA (-c flag) & CA (-e flag) certificates

   sscep.exe enroll -u http://172.16.1.20/certsrv/mscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0 -e ca.crt-1

   Note: The requested certificate is stored in the test.crt file

Having a Windows Server 2012 with the certification authority role (ADCS) installed where the CA name contains space characters. When a certificate is issued from this CA, the ADCS service does not replace the space characters with “%20” in the URL paths for certificate revocation list (CRL) distribution points and authority information access extensions. This results in errors when clients accesses the URL’s.

A supported hotfix is available from Microsoft that is intended to correct the problem described above. To download the hotfix, read KB2827759 http://support.microsoft.com/kb/2827759.

/Hasain

Det är dessutom väldigt väldigt roligt och smickrande att man blir uppmärksammad som “en av landets främsta experter inom it-säkerhet” 🙂

Att bli porträtterad på TechWorld som “MÅNADENS IT-HJÄLTE” ger en ordentlig klapp på axeln och en energi boost utan dess like, men jag vill verkligen hoppas att artikeln ger lika mycket inspiration och positiv energi till alla de som söker en framtid inom it-säkerhet som intresse eller yrke.

Att anta utmaningen, att inte släppa bollen, att inte ge upp hoppet, att se det möjliga i de omöjliga, att bestämma att det går om man anstränger sig mera, att tro på sina medmänniskor, att finnas till när andra behöver hjälp, det är några verktyg jag har haft mycket stor nytta utav i mitt liv och inte minst i min karriär så se till att skaffa en egen verktygslåda och använda den väl!

Läs hela artikeln på TechWorld så syns vi och hörs någonstans i it-Sverige, och glöm inte att höra av dig om du har en knepig utmaning till mig 😉

/Hasain

Microsoft Message Analyzer

As the official release of the Microsoft Message Analyzer is here, a new era for troubleshooting and analysis has been defined. The Microsoft Message Analyzer brings a new set of ideas and techniques to make analysis of protocols, log files, and system events allowing  you to virtually explore and correlate any kind of structured message data and traces.

The Microsoft Message Analyzer brings together Event Tracing for Windows, NDIS, Firewall and HTTP Proxy providers to mix and match using Grouping, Quick Filtering or an alternate viewer to see what you want and how it’s connected. You can then save your trace scenario and share it with your colleagues.

You can download the official release of Microsoft Message Analyzer from the Microsoft Download Center her: http://www.microsoft.com/en-us/download/details.aspx?id=40308

You can access the Message Analyzer Team Blog here: http://blogs.technet.com/b/messageanalyzer/

Or access the official Microsoft Message Analyzer Operating Guide here: http://technet.microsoft.com/en-us/library/jj649776.aspx

Analyze Now 🙂

I en bunker långt under Normalms gator finns “The Nerd Herd” studion, där produceras det varje vecka tunga teknikprogram med erkända experter!

Tillsammans med Johan Persson, Michael Anderberg och Fredrik ”DXter” Jonsson försöker vi under detta avsnitt ge våra synpunkter och tankar om och kring PKI i och PKI relaterade frågor och funderingar…

Avsnittet kan laddas ner här… (Du kan även prenumerera på showen i iTunes och gPodder – ge gärna en positiv review också, så att fler kan hitta showen, tack!)

Du kan givetvis följa The Nerd Herd på http://thenerdherdse.wordpress.com, DXter på hans blogg http://poweradmin.se

/Hasain

It didn’t take long time for spammers to start abusing the Boston Marathon bombing sending  emails with links to various Youtube videos of the explosions at the Boston Marathon, an automatic download of a malicious binary named “boston.avi_______.exe”, embedded malicious java code and other iframed pages with malicious content.

Sample email

Sample landing page with videos and Java 

The presenations from our pre-con/workshop sessions “Defending your Microsoft infrastructure from cyber threats” at TechDays 2013 in Belgium and the Netherlands are now available for download:

  TechDays 2013 Presentations download:(4.7 MiB, 4,592)

If you have any follow up questions about the sessions or any related topics please contact Hasain Alshakarti or Marcus Murray 🙂

Kerberos authentication has always been a challenge specially when deploying complex environments with many different components and authentication requirements. There are some good guides about how to deploy kerberos authentication and delegate constrained authentications in general but as my colleague and Sharepoint expert Thomas Balkeståhl already realized there are very few ones focusing specific products. Thomas has in a recent blog post about how to bring together kerberos and Sharepoint done some wonderful job in bringing real life experience into one of the best guides I found about kerberos and Sharepoint.

Enjoy reading the complete “The final Kerberos guide for SharePoint technicians”

The Hey, Scripting Guy! Blog is one of those blogs I would normally recommend to any body interested in scripting Windows. But I do have a very good reason to bump that recommendation this week just to make sure everybody following my blog do not miss that my colleague and fellow MVP Niclas Goude will be writing a couple of guest posts on The Scripting Guys blog regarding security from the 2:ndto the 6:th of July.

The specific subjects will be:

Monday: Scanning

Tuesday: Brute Force

Wednesday: Shares and Metadata

Thursday: Give yourself System Permission without psexec

Friday: LSA Secrets

Enjoy Powershell!

Microsoft has published the Windows 8 Release Preview Product Guide for Business, the guide describes how Windows 8 changes the work environments and how Windows is reimagined to support people’s unique working styles.

Windows 8 provides enterprise-class security capabilities that keep clients more secure from power-on to power-off.

Windows 8 provides the following enhanced security features:

Trusted boot process

With UEFI 2.3.1 equipped devices, the UEFI Secure Boot feature helps to ensure that malware is not able to start before Windows 8. The Windows 8 Trusted boot feature protects the integrity of the remainder of the boot process, including the kernel, system files, boot critical drivers, and even the antimalware software itself. The system’s antimalware software is the first 3rd party application or driver to start. Moving antimalware into the Trusted Boot process prevents it from being tampered with. In the event that malware is able to successfully tamper with the boot process Windows can automatically detect and repair the system.

Measured boot process

On Trusted Platform Module (TPM)-based systems, Windows 8 can perform a comprehensive chain of measurements during the boot process that can be used to further validate the boot process beyond Trusted Boot. Measured boot process enables all aspects of the boot process to be measured, signed, and stored in a Trusted Platform Module (TPM) chip. This information can be evaluated by a remote service to further validate a computer’s integrity before granting it access to resources. This process is called Remote Attestation.

BitLocker Drive Encryption

BitLocker now supports encrypted drives, which are hard drives that come pre-encrypted from the manufacturer. BitLocker offloads the cryptographic operations to hardware, increasing overall encryption performance and decreasing CPU and power consumption. On devices without hardware encryption, BitLocker allows you to choose to encrypt the used space on a disk instead of the entire disk. As free space is used, it will be encrypted. This results in a faster, less disruptive encryption of a hard drive. In addition, the user experience is improved by allowing a standard user, one without administrative privileges, to reset the BitLocker PIN.

AppLocker

AppLocker enables IT administrators to create security policies through Group Policy to prevent potentially harmful or other non-approved apps from running. With AppLocker, IT administrators can set rules based on a number of properties, including the signature of the application’s package or the app’s package installer and can more effectively control apps with less management.

Windows SmartScreen app reputation service

Windows SmartScreen app reputation is a safety feature in Windows 8. This service provides application reputation-based technologies to help protect users from malicious software that they may encounter on the Internet. This technology checks reputation on any new application, helping to keep users safe no matter what browser they use Windows 8. This helps to prevent malware and other viruses from infiltrating your organization. The Windows SmartScreen app reputation feature works with Internet Explorer’s SmartScreen feature, which also protects users from websites seeking to acquire personal information such as user names, passwords, and billing data.

Claim-based access control

With Windows 8, IT administrators can dynamically allow users access to the data they need based on the user’s role in the company. Unlike previous statically-controlled security groups, Claim-based access control allows IT admins to dynamically control access to corporate resources based on the user and device properties that are stored in Active Directory. For example, a policy can be created that enables individuals in the finance group to have access to specific budget and forecast data, and the human resources group to have access to personnel files.

Windows Server provides features that you can use to deploy IEEE 802.1X authenticated wireless service for wireless network clients. In combination with the 802.1X-capable wireless access points APs and other Windows Server services that you deploy on your network, you can use these Windows Server features to control who can access your network.

You can also use features in Windows Server to define the wireless network adapter connectivity and security settings that your wireless clients use for connection attempts. For example, Network Policy Server NPS allows you to create and enforce network access policies for authentication, authorization, and client health. The Wireless Network (IEEE 802.11) Policies in Windows Server Group Policy GPO enable you to configure your network client computers with the security and connectivity settings that they must use to connect to your network.

Inspelningen från TechDays Sweden 2012 finns nu att ladda ner här 

  TechDays Sweden 2012 download:(219.3 MiB, 4,746)

Tack till DXter på PowerAdmin för medverkande med ADFS demo 🙂

/Hasain

Microsoft Extended Expert Team MEET is a network of experts who loves to share the passion and knowledge they have about Microsoft based systems and products. All members are acknowledged experts within one ore more focus area spanning widely between different technologies, products, technical disciplines and categories. Many of the MEET members are established speakers and MVPs and are often seen on Microsoft’s  events arround the world like TechEd, TechDays and MMS.

Having access to the MEET network helps me getting many questions that I can not answer myself solved easily because of the wide range of the networks expertise. The list below is a sample of some of the MEET members online presence and the expertise they represent:

• Alan Smith (Azure)
• Andreas Stenhall (Windows) – Killer features in Windows 8 – Dare to miss them on TechDays?
• Björn Axell (System Center)
• Cecilia Wiren (.NET) – Möt MEET på TechDays 2012
• Chris Klug (.NET)
• Daniel Bugday (Sharepoint) – See you on TechDays 2012 Örebro #MSDN #TD2012
• Henrik Nilsson (FIM, ADFS, Security) – Microsoft Extended Experts Team – MEET
• Johan Arwidmark (System Center) –  Networking at TechDays 2012 in Sweden – The Microsoft Extended Experts Team (MEET)
• Johan Åhlén (SQL Server) – SQL Server sessions at TechDays Sweden 2012
• Magnus Björk (Exchange) – #td2012 here I come
• Magnus Mårtensson (Azure) – TechDays.se 2012 – About Windows Azure
• Patrik Löwendahl (.NET)
• Mathias Olausson (ALM) –  Come see Visual Studio ALM 11 and TFS 11 in action!
• Jörgen Nilsson (System Center) – Microsoft Extended Experts Team – MEET
• Ola Skoog (IT Pro Evanglist) – MEET@TechDays
• Anders Olsson (Forefront) – Få mer ut av TechDays
• Joakim Nässlander (Windows Server, Cluster) – TechDays 2012 – The preparation!
• Martin Lidholm (Unified Communication, Lync)
• Kent Nordström (FIM) – TechDays in Sweden
• Sergio Molero – Techdays 2012

LAS VEGAS — April 17, 2012 — Today at the sold-out Microsoft Management Summit, Corporate Vice President Brad Anderson spoke to nearly 5,000 IT professionals about their opportunity to deliver fast, reliable services with cloud computing. His keynote speech highlighted how customers around the world are already using Microsoft System Center 2012, available today for evaluation and purchase, to create private clouds. Anderson also discussed how IT professionals can evolve their roles with cloud computing to help their businesses be more competitive.

Anderson provided a preview of how Microsoft’s private cloud will become even more powerful with Windows Server “8” and announced that the operating system will officially be named Windows Server 2012. The new “cloud-optimized OS” is due out later this year.

Read the complete press release: http://www.microsoft.com/en-us/news/Press/2012/Apr12/04-17MMSDay1PR.aspx

Yet another day of troubleshooting DirectAccess, this time it was my colleague and friend Mikael Nystrom asking about expired IPHTTPS and NLS certificates. He already knew about my other post about changing the IPHTTPS certificate.

So he did delete the old binding by using the [netsh http del sslcert] command for both external addresses, and did replace the binding by using the [netsh http add sslcert] and/or the IIS management console.

Now the DirectAccess server is restored in functional state again but Mikael realized another error, the DirectAccess Management Console started showing an error about not being able to read the XML config file due to errors in certificate hashes for the IpHttpsCertHash and NidCertHash?

Now my advice was to manually edit the %WINDIR%\DirectAccess\DirectAccessConfig.xml file and replace the certificate thumbprints in the file with the new ones from the renewed certificates. But the console was still complaining about the hashes! After some thinking and when comparing the old and the new config files we realized that the console needed the certificate hash values in CAPITAL letters!!!!

Yes, the certificate hash/thumbprint is a hex representation, and according to W3C XML Schema Part 2: Datatypes Second Edition http://www.w3.org/TR/xmlschema-2/#hexBinary:

hexBinary has a lexical representation where each binary octet is encoded as a character tuple, consisting of two hexadecimal digits ([0-9a-fA-F]) representing the octet code. For example, “0FB7” is a hex encoding for the 16-bit integer 4023 (whose binary representation is 111110110111).

Reading the above carefully, any developer can simply realize that the expression “digits ([0-9a-fA-F])” means not case sensitive, but this does apparently not apply to whom ever developed the DirectAccess Management Console in Windows Server 2008 R2

To change any of the IPHTTPS or NLS (if NLS is running on the DA server) certificate and keep the DA Management Console happy:

• Redo the certificate bindings either using the netsh http del/add sslcert command or the IIS console
• Change the IpHttpsCertHash and NidCertHash in the DirectAccessConfig.xml file and make sure the hash value is in CAPITAL letters

If you happen to know the person responsible for this at Micrososft, please give him/her the link to W3C 😉

I många sammanhang brukar penetrationstester förknippas med 3:e parts verktyg och linux-distributioner. Det brukar exempelvis krävas ett antal olika produkter och tekniker för att samla in den information som krävs för att avgöra om ditt företag sitter i en säker miljö.

I den här presentationen kommer vi att fokusera på vad du kan utföra i form av penetrationstestning utifrån en standardinstallerad Windowsklient.

Vi kommer även att gå igenom olika metoder du kan använda för att säkra upp din miljö.

Hasain, MVP på Security och Goude,MVP på Powershell kommer både att ge en spännande presentation som en spännande diskussion om pentest, säkerhet och PowerShell.

Ladda ner presentationen här: 2W-Pentest-Powershell

Anteckningarna och inspelningen från “ITProffs Live Meeting Series – PKI/ADCS” mötet den 23 feb 2012 finns at hämta här: WinSec.IT-Proffs.LiveMeeting.2012-02-23.pdf & WinSec.IT-Proffs.LiveMeeting.2012-02-23.wmv

Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization, including all domain admins. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies for these certificates.

Permitting an enrollment agent to enroll only a certain type of certificate to a certain group of users was not possible before Windows 2008. In Windows Server 2003 Enterprise Edition the enterprise CA does not provide any configurable means to control enrollment agents except by enforcing the application policy extension of the enrollment agent certificate, which verifies that the credentials grant the ability to enroll on behalf of other users, including the domain admins.

In Windows Server 2008 the PKI architecture of an enterprise has the possibility to restrict enrollment agents so that enrollment is only possible for a certain certificate template and a certain group of users. By providing a technical possibility to limit the scope of enrollment agents, an enterprise can is given a better tool to control the delegation of trust and the risk associated with granting that trust.

On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of.

Note: The feature cannot constrain an enrollment agent based on a certain Active Directory organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows Server® 2008 Standard-based CA.

By using the Certificate Services snap-in, you can create a permissions list for each enrollment agent to configure which users or security groups an enrollment agent can enroll on behalf of for each certificate template.