Author Archive

FIM CM 2010 – Sommarkollo 2011 @ MS Sweden

June 30th, 2011 Comments off

Thanks for a good discussion at Microsoft in Kista during the FIM CM Sommarkollo 2011.

The recording of part 1:

Download the ADCS PowerShell script adcs_install.ps1

Download the presentation for FIM CM Sommarkollo

TechNet videos: Security Compliance Manager 2 teaser

June 30th, 2011 Comments off

Want to take an early look at the next version of the Security Compliance Manager (SCM) 2 tool? In this three-part screencast series, Sr. IT Pro Evangelist Matt Hester takes you on a quick tour of the tool's features and benefits, including new features in SCM 2 like GPO import, baseline setting customization, local GPO functionality, an enhanced user interface, and an improved installation experience. Check out these new screencasts!

Use SCM 2 to harden your machines to meet industry standards

June 29th, 2011 Comments off
Microsoft Security Compliance Manager (SCM) 2 enables organizations to take better advantage of their existing knowledge and investments, and customize security and compliance settings with ease. Customers can harden their machines to industry standards, monitor for configuration drift and address the configuration requirements of hundreds of regulations like SOX, PCI and HIPAA. Learn more.

New SCM 2 features include:

  • GPO import: SCM 2 can now import Group Policy Object (GPO) Backup files to allow organizations to import and compare their existing knowledge against Microsoft baseline recommendations. This long-awaited feature effectively helps you to customize and manage your organization’s existing knowledge stored in Active Directory.
  • Baseline setting customization: Modifying baselines just got easier. Adding, extending, or deleting settings from a baseline is an effortless process in this new version of the tool.
  • Local GPO functionality: Apply security baselines directly to client and server computers using the LocalGPO command-line tool, which enables you to secure stand-alone computers and test different baselines without using Active Directory to deploy them. Use this tool to create local policy snapshots that you can import into SCM 2 using the new GPO import capabilities, which you can then compare, customize, and export as needed.
  • Additional features: These include a new and enhanced UI that provides simpler navigation in the tool, and improved installation with SQL Server 2005 and later releases of SQL Server.

Version 2 of the SCM tool will release with a full complement of Microsoft product baselines, including these new and/or updated baselines:

  • Windows Internet Explorer 9
  • Windows Server 2008 R2 Service Pack 1 (SP1)
  • Windows Server 2008 SP2
  • Windows Server 2003 SP2

————————————————————————————————————-

In more detail

Microsoft Security Compliance Manager (SCM) 2 provides security and compliance configuration recommendations from Microsoft, centralized baseline management features, a baseline portfolio, customization capabilities, and security and compliance baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft products and technologies. The formerly stand-alone product-specific security guides are now included in the SCM tool.

Version 2 of the SCM tool releases with a full complement of Microsoft security and compliance baselines, including a new Windows Internet Explorer 9 Security Baseline, and updated baseline versions for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2.

These new beta baselines provide:

  • Setting severity ratings, allowing you to quickly sort, prioritize, and apply Microsoft security and compliance recommendations.
  • Consolidated product baselines that eliminate EC and SSLF baseline components, and make viewing, customizing, and implementing your security baselines easier than ever!
  • New compliance-based settings groups allow quicker and easier compliance reporting and audit preparation, when used with the GRC management solution within System Center.

Additional product baselines are currently in development, including baselines for: Windows 7 SP1, Microsoft Exchange Server 2007, Exchange Server 2010, SQL Server 2008 and SQL Server 2008 R2 (multiple roles), Office 2010, Windows Vista SP2, Windows XP SP3, and Windows Internet Explorer 8.

To learn more about the Security Compliance Manager tool, visit the TechNet Library.

UAG SSL Client Certificate Authentication Problems…

June 17th, 2011 4 comments

It is pretty straightforward to configure SSL Client Certificate Authentication in UAG: just follow the steps in the online guide at http://technet.microsoft.com/en-us/library/ee861163.aspx and you should be up and running in almost no time, except for an issue that occurs whenever your logon name and common name do not match!

An authentication error will occur, with the error message in UAG saying that the user account does not have the expected cn, upn or email value that was extracted from the user's SSL authentication certificate at the time of logon. Looking at the certificate, all values of cn, upn and email show a 100% match with the same values on the user account!

Looking at the cert auth scripts in UAG we can see that UAG is using the value of the common name of the certificate subject as the user_name. The user_name is then used to obtain information from Active Directory regarding that user account. And this is where the error occurs: the matching for the username is simply wrong.

To correct this you can obtain the UPN value from the client certificate in the certificate validation script and use that value to obtain the user logon name by simply splitting at the @ sign.

Download the UAG customupdate-cert scripts and make sure to change the authserver01 keyword to the name of your authentication repository.

/Hasain

secadmins.com is IPv6 enabled :)

June 7th, 2011 Comments off
Categories: IPv6 Tags:

HTTP Strict Transport Security (HSTS)

May 24th, 2011 Comments off

The issue that HSTS addresses is that users tend to type http:// at best, and omit the scheme entirely most of the time. In the latter case, browsers will insert http:// for them.

An attacker can grab that connection and manipulate it, and only the most eagle-eyed users might notice that it redirected to https://www.bank0famerica.com or some such. From then on, the user is under the control of the attacker, who can intercept passwords etc. at will.

An HSTS enabled server can include the following header in an HTTPS reply:

Strict-Transport-Security: max-age=16070400; includeSubDomains

When the browser sees this, it will remember, for the given number of seconds, that the current domain should only be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the default. In fact, all requests for URLs in the current domain will be redirected to HTTPS (so you have to make sure that you can serve them all!).

For more details, see the specification at http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
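The browser-side behaviour described above can be modelled in a few lines. This is an added example, not code from the post or from any browser: `HstsStore` and its method names are hypothetical, and `example.test` is a constructed host name.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Return (max_age_seconds, include_subdomains) from a header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security without max-age")
    return max_age, include_sub


class HstsStore:
    """Toy model of the per-browser list of hosts that demanded HTTPS."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def note_response(self, url, header_value):
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # only a header seen in an HTTPS reply is remembered
        max_age, include_sub = parse_hsts(header_value)
        self.hosts[parts.hostname] = (self.clock() + max_age, include_sub)

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            # A parent domain's entry only counts if it set includeSubDomains.
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, typed):
        """URL actually requested for what the user typed."""
        if "://" not in typed:
            typed = "http://" + typed  # scheme omitted: browser inserts http://
        parts = urlsplit(typed)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            # Port 80 (explicit or implied) becomes the HTTPS default port.
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            parts = parts._replace(scheme="https", netloc=netloc)
        return urlunsplit(parts)


if __name__ == "__main__":
    store = HstsStore()
    print(store.rewrite("www.example.test/login"))   # first visit
    # Constructed HTTPS reply carrying the header value from the post.
    store.note_response("https://example.test/",
                        "max-age=16070400; includeSubDomains")
    print(store.rewrite("www.example.test/login"))
```

The very first request to a host still goes out over plain HTTP, which is the window the model makes visible.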

HSTS is supported in Google Chrome, Firefox 4, and the popular NoScript Firefox extension.

Go to chrome://net-internals/#hsts to check your HSTS settings in Google Chrome.

For a more secure web experience…

Categories: HSTS

Modify your existing code base from IPv4 to IPv4- and IPv6-interoperability

May 4th, 2011 1 comment

The practice of hard-coding IPv4 addresses creates problems when modifying an existing application to support IPv6 or creating new IP version-independent applications.
The Checkv4.exe utility is designed to provide you with a code porting partner; a utility that steps through your code base with you, identifies potential problems or highlights code that could benefit from IPv6-capable functions or structures, and makes recommendations. With the Checkv4.exe utility, the task of modifying an existing IPv4 application to support IPv6 becomes much easier.
 

Recommendations for Running Checkv4.exe:

  1. Acquire the Checkv4.exe utility. The Checkv4.exe utility is installed as part of the Microsoft Windows Software Development Kit (SDK) released for Windows Vista and later. The Windows SDK is available through an MSDN subscription and can also be downloaded from the Microsoft website (http://msdn.microsoft.com).
  2. Run the Checkv4.exe utility against your code. Learn about how to run the Checkv4.exe utility against your files in the section on Using the Checkv4.exe Utility.
  3. The Checkv4.exe utility alerts you to the presence of common defines for IPv4 addresses, such as INADDR_LOOPBACK. Replace any code that uses literal strings with code that is protocol-version agnostic.
  4. Search your code base for other potential literal strings, as appropriate.

 

The Checkv4.exe utility can help you find common literal strings, but there may be others that are specific to your application. You should perform thorough searching and testing to ensure your code base has eradicated potential problems associated with literal strings.
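For the manual search in step 4, a small scanner can list dotted-quad literals and IPv4-only identifiers line by line. This is an added example and not Checkv4.exe's own logic; apart from INADDR_LOOPBACK, the identifier list and the sample source are assumptions constructed here.

```python
import re

# IPv4-only names from the sockets API. INADDR_LOOPBACK is the one the post
# mentions; the others are added here as further well-known examples.
IPV4_ONLY_NAMES = ("INADDR_LOOPBACK", "INADDR_ANY", "AF_INET",
                   "sockaddr_in", "inet_addr", "gethostbyname")
NAME_RE = re.compile(r"\b(" + "|".join(IPV4_ONLY_NAMES) + r")\b")
# Four dot-separated decimal groups not glued to further digits or dots.
QUAD_RE = re.compile(
    r"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")


def scan(source):
    """Return (line number, kind, text) for each IPv4-specific construct."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in NAME_RE.finditer(line):
            findings.append((number, "ipv4-only name", match.group(1)))
        for match in QUAD_RE.finditer(line):
            # Groups above 255 cannot be an address (e.g. a build number).
            if all(int(octet) <= 255 for octet in match.groups()):
                findings.append((number, "ipv4 literal", match.group(0)))
    return findings


# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
struct sockaddr_in sa;
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
connect_to("10.1.2.3", 8080);
struct sockaddr_in6 sa6;              /* already IPv6-aware */
const char *build = "999.1.2.3";      /* not a valid address */
'''

if __name__ == "__main__":
    for number, kind, text in scan(SAMPLE):
        print(f"line {number}: {kind}: {text}")
```

Four-part version strings with small numbers will still be reported as literals, so every hit needs a manual look.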

/Hasain

 

Categories: Checkv4.exe, IPv6

DirectAccess – The adapter configured as external-facing is connected to a domain!

May 4th, 2011 Comments off

Server-side DirectAccess requires one network adapter to be configured as external with the Public or Private profile for the Connection Security rules to apply. With the security connection rules in place the DirectAccess server will be able to offer IPsec authentication and tunneling to the clients.

Recently I was involved in a customer case where the DirectAccess server decided to change the external-facing interface to the domain profile; this caused the server to deactivate all security connection rules and the whole DirectAccess solution to stop working.

Now the decision about the profile type for a network interface in Windows is handled by the Network Location Awareness (NLA) service. NLA probes for the possibility to reach the server's domain, and if a connection is successful the profile will change to domain and the interface will be categorised as "Intranet Authenticated" according to NLA.

The solution, or rather the reason for the sudden change in the specific customer case, was firewall related. The firewall was configured to allow traffic from the DMZ, where the DirectAccess server external interface was connected, to the internal domain network; this caused NLA to "see" the domain over the external interface and…. So the solution was simply to configure a deny rule prohibiting the DirectAccess server external IP from accessing internal resources, and all was back to normal again!

The following registry location is a good help when troubleshooting NLA-related problems:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

 

/Hasain

Categories: DirectAccess, NLA Tags:

TSINK – the PowerPoint add-on

April 2nd, 2011 Comments off
Categories: PowerPoint, TSINK Tags:

IPv6 Survival Guide – the presentation

April 2nd, 2011 Comments off
Categories: IPv6, TechDays 2011 Tags:

IE CRL check FAIL…

March 2nd, 2011 2 comments

Just follow the steps below:

 

1. IE setting for CRL checking of the server certificate is enabled

2. Set the hostnames of the servers hosting the CRL and/or OCSP to 127.0.0.1 in your hosts file

3. Execute [certutil.exe -urlcache * delete] to remove all cached CRLs

4. Start your browser and tell it to go to the site over HTTPS://

5. It will take some time trying to check the CRL/OCSP from the non-existing server

6. After that you are on the site without any warnings! Not really what I expected?!

 

Firefox gives the same results and only Google Chrome gives us a warning…

What if the same happens with Code Signing? Interesting case we have!

/Hasain

I have just received a postcard from Google…

March 2nd, 2011 Comments off

with my login id and code included and fully readable for everyone.

It is a folded paper with a tiny piece of tape holding the middle of the long edge

 

If you apply some pressure on the paper then the content is fully readable, with the login ID and PIN code.

Google's security philosophy:

As a provider of software and services for many users, advertisers and publishers on the Internet, we recognize how important it is to help protect your privacy and security…..

Speaking DirectAccess @ Second Wednesday

November 23rd, 2010 Comments off

Hi,

The last Second Wednesday this year is going to be about DirectAccess. Why, who, how, when and what is it all about? Take the opportunity to discuss all of that and much mor…

Read more and reserve your free seat at:

http://www.labcenter.se/2w.aspx

or

http://www.facebook.com/event.php?eid=104672269605105&num_event_invites=0

See you on the 8th of December at LabCenter in Stockholm.

BR
Hasain

Tech·Ed Europe 2010

November 8th, 2010 Comments off

I am not going to deliver any session at Tech·Ed Europe 2010, but you can still find me at the TLC (Technical Learning Center) | Server & Cloud Platform | Management & Security Station on Wednesday, November 10, 2010 14:45-17:30 to answer your questions about security and ADCS.

You can also connect with me after the Breakout sessions with Marcus Murray on:

  • Tuesday, November 9 | 12:00 PM – 1:00 PM | Hall 7.2c Dublin
  • Thursday, November 11 | 2:30 PM – 3:30 PM | Hall 7.2c Dublin

/Hasain

 

 

Categories: Server & Cloud Platform, TechEd, TLC Tags:

Changing the IPHTTPS tunnel certificate in DirectAccess

September 15th, 2010 Comments off

Yet another day of troubleshooting DirectAccess; this time it was about a broken IPHTTPS tunnel. During the troubleshooting we recognized that the client was not able to establish a connection to the IPHTTPS URL https://da.domain.com/IPHTTPS; using a network sniffer we could very clearly see the server sending a reset packet after the Client Hello message. This indicates that the SSL server is not able to continue communicating using SSL. Knowing that there was a certificate change just a few days before this error occurred, we found that the old certificate was still used for the SSL binding at the DA server even though the configuration was reapplied using the DA management console after the certificate change.

When changing the certificate used for the IPHTTPS tunnel it is very important to clear the old SSL certificate binding before adding the new one.

If you configured your DirectAccess using the DA management console, follow the steps below to change the IPHTTPS certificate:

  • Run the command: netsh http show sslcert
    This will show the current sslcert binding with details about IP, port and the certificate.
  • Delete the old binding using the command: netsh http del sslcert
  • Using the DA management console, select the new IPHTTPS certificate, then save and apply the new configuration.

If you configured your DirectAccess using scripts or netsh commands to define all settings, follow the steps below to change the IPHTTPS certificate:

  • Run the command: netsh http show sslcert
    This will show the current sslcert binding with details about IP, port and the certificate.
  • Delete the old binding using the command: netsh http del sslcert
  • Add the new sslcert binding using the command: netsh http add sslcert

 

/Hasain

Migrating to Windows 7, Windows Server 2008 R2 and Hyper-V R2?

September 7th, 2010 Comments off

There are lots of different ways to implement and migrate to Windows 7, Windows Server 2008 R2 and Hyper-V R2: some outright harmful, others perfectly fine with various pros and cons, and of course some that are really good and well thought out.

Challenges such as coexisting with XP for a period, upgrading roles such as AD, DNS, DHCP and Clustering, changing communication protocols and introducing new features such as Direct Access, etc., demand a great deal from those of us who work in IT.

At the Summit you get the unvarnished truth and the tips you won't find in the manuals on how to best introduce the latest technology in your IT environment.

More information and the agenda are available at http://infrastructuresummit.se/

See you on the 7th of October

/Hasain

IPv6 addressing

September 1st, 2010 Comments off

Just some important IPv6 prefixes to remember whenever dealing with DirectAccess or IPv6 as such; have fun and remember to think in HEX :)

Global-Unicast – 2000::/3
6to4 – 2002::/16
Teredo – 2001:0000::/32
Link Local Unicast – FE80::/10
Unique Local Unicast – FC00::/7
Multicast – FF00::/8

DirectAccess IPv6 addressing:
2002:WWXX:YYZZ:8000::/49 as the organizational prefix
2002:WWXX:YYZZ:8000::/64 as the ISATAP prefix
2002:WWXX:YYZZ:8001::/96 as the NAT64/DNS64 prefix
2002:WWXX:YYZZ:8100::/56 as the IP-HTTPS prefix
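The two lists above can be worked through with Python's `ipaddress` module. This is an added example, not part of the original post; it assumes WWXX:YYZZ is the server's public IPv4 address written as hex (as in 6to4), the function names are hypothetical, and 192.0.2.1 is a documentation address used as sample input.

```python
import ipaddress

# Prefixes from the list above, most specific first so that 6to4 and Teredo
# are reported instead of the Global-Unicast block that contains them.
KNOWN_PREFIXES = [
    ("Teredo", ipaddress.ip_network("2001:0000::/32")),
    ("6to4", ipaddress.ip_network("2002::/16")),
    ("Global-Unicast", ipaddress.ip_network("2000::/3")),
    ("Link Local Unicast", ipaddress.ip_network("fe80::/10")),
    ("Unique Local Unicast", ipaddress.ip_network("fc00::/7")),
    ("Multicast", ipaddress.ip_network("ff00::/8")),
]

# Fourth 16-bit group and prefix length of each DirectAccess prefix above.
DA_LAYOUT = {
    "organizational": (0x8000, 49),
    "ISATAP": (0x8000, 64),
    "NAT64/DNS64": (0x8001, 96),
    "IP-HTTPS": (0x8100, 56),
}


def classify(address):
    """Name the listed prefix an IPv6 address falls in, or 'other'."""
    addr = ipaddress.IPv6Address(address)
    for name, net in KNOWN_PREFIXES:
        if addr in net:
            return name
    return "other"


def directaccess_prefixes(public_ipv4):
    """Fill in 2002:WWXX:YYZZ:... for one public IPv4 address (assumption:
    WWXX:YYZZ is that address written as 32 bits of hex, as in 6to4)."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    base = (0x2002 << 112) | (v4 << 80)
    return {
        role: ipaddress.IPv6Network((base | (group << 64), length))
        for role, (group, length) in DA_LAYOUT.items()
    }


def directaccess_role(address, public_ipv4):
    """Longest-prefix match of an address against the DirectAccess prefixes."""
    addr = ipaddress.IPv6Address(address)
    matches = [
        (net.prefixlen, role)
        for role, net in directaccess_prefixes(public_ipv4).items()
        if addr in net
    ]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address used as a constructed sample.
    for role, net in directaccess_prefixes("192.0.2.1").items():
        print(f"{role:15} {net}")
    print(classify("2002:c000:201:8100::1"))
```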

/Hasain

Don't miss Sweden's most comprehensive DirectAccess lab & training

September 1st, 2010 Comments off

DirectAccess is more than just an alternative to VPN and a way to connect to internal resources over the Internet. DirectAccess will change our view of network design and, together with IPv6, create undreamt-of possibilities for a more open and more secure infrastructure regardless of where our clients are located.

Over two days you will come to understand the principle behind DirectAccess and which components and systems it depends on. You will also understand and be able to handle the different options in both pure IPv6 environments and mixed environments with both IPv4 and IPv6 to varying degrees.

During the lab we will also build an understanding of and lay the foundation for IPv6, and create an understanding of the requirements and of how we can handle the coming generational shift in our networks and, above all, how coexistence can be handled.

By testing the different options for building DirectAccess you will be able to choose the right strategy for your particular DirectAccess implementation in your IT environment.

See you on the 25th of October at LabCenter in Stockholm. The lab can be booked at http://labcenter.se/Lab/2068

/Hasain

Categories: DirectAccess, Hands-on, IPv6, UAG2010 Tags:

Automated install of your Smart Card Minidriver

March 9th, 2010 Comments off

Using Microsoft Base Smart Card Crypto Provider, smart cards can use a card module to enable the smart card in Windows. Windows 7 features enhanced support for smart card–related Plug and Play making Windows able to use smart cards from vendors who have published their drivers through Windows Update without needing special middleware to be preinstalled.

If the smart card used does not have drivers/card module available through Windows Update, or if you want to preinstall the driver during operating system deployment, you then need to perform the following steps:

With the card module installation files available on the destination computer, run the command

RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 .\crdmxxx.inf

where crdmxxx.inf is the name of the inf file included in the card module package you are installing.

Categories: Install, Minidriver, Smart Card Tags:

Is it difficult, expensive or pure carelessness?

March 1st, 2010 Comments off

I couldn't help noticing the text below on an information sheet describing how to connect to a wireless Wi-Fi network. What particularly caught my eye was the note on the sheet that can be seen in the picture below.

I really start to wonder when I see descriptions like this where we teach our users incorrect behaviour. What do we think will happen if the same user gets a similar error when he or she browses to their internet bank or the company's webmail, etc.?

/Hasain