Archive for the ‘säkerhet’ Category

It's the most fun when the requirements are nearly impossible…

October 10th, 2013

It is also very, very fun and flattering to be recognized as “one of the country's foremost experts in IT security” 🙂

Being portrayed on TechWorld as “IT HERO OF THE MONTH” gives a real pat on the back and an energy boost like no other, but I truly hope that the article gives just as much inspiration and positive energy to everyone who is seeking a future in IT security as an interest or a profession.

To accept the challenge, to not drop the ball, to not give up hope, to see the possible in the impossible, to decide that it can be done if you try harder, to believe in your fellow human beings, to be there when others need help: these are some of the tools I have had great use of in my life and not least in my career, so make sure you get a toolbox of your own and use it well!

Read the whole article on TechWorld, and we will see and hear each other somewhere in IT Sweden, and don't forget to get in touch if you have a tricky challenge for me 😉

/Hasain

 

PowerShell Scripting Week by Niklas Goude

July 2nd, 2012

The Hey, Scripting Guy! Blog is one of those blogs I would normally recommend to anybody interested in scripting Windows. But I have a very good reason to bump that recommendation this week, to make sure that nobody following my blog misses that my colleague and fellow MVP Niklas Goude will be writing a couple of guest posts on The Scripting Guys blog regarding security from the 2nd to the 6th of July.

The specific subjects will be:

Monday: Scanning

Tuesday: Brute Force

Wednesday: Shares and Metadata

Thursday: Give yourself System Permission without psexec

Friday: LSA Secrets

Enjoy PowerShell!

 

2W – Pentest & Security – with a touch of PowerShell

March 15th, 2012

In many contexts, penetration tests tend to be associated with third-party tools and Linux distributions. For example, a number of different products and techniques are usually required to gather the information needed to determine whether your company is in a secure environment.

In this presentation we will focus on what you can do in terms of penetration testing from a default-installed Windows client.

We will also go through different methods you can use to secure your environment.

Hasain, MVP in Security, and Goude, MVP in PowerShell, will deliver both an exciting presentation and an exciting discussion about pentesting, security and PowerShell.

Download the presentation here: 2W-Pentest-Powershell

 

Certificate Selection & Certificate Friendly Name Tool

November 4th, 2011

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers are not aware of the functionality…), or use filters that do not efficiently reduce the number of certificates presented to the user, making it almost impossible for a user to know which certificate to choose without opening each certificate and looking at details such as template name, EKU, etc.

This is particularly true when all certificates have been automatically enrolled using the same user DN/CN attribute based on the user's Active Directory user object attributes. In addition, autoenrollment does not support variations in the certificate subject name unless a third-party policy module is installed on Active Directory Certificate Services.

The certificate selection UI supports certificate friendly names, so setting the certificate friendly name to include information about the certificate template can simplify the user's task of selecting the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the Certificates MMC snap-in. Alternatively, certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}My Friendly Name"

Save the file as friendlyname.inf

Determine the serial number of the certificate whose friendly name should be changed.

Run the following command at a command line:
certutil -repairstore -user my {SerialNumber} FriendlyName.inf

Setting the friendly name can be automated either by scripting the steps above or by creating a tool that enumerates all certificates in the personal store and assigns the friendly name.

A proof-of-concept tool, CertFN.exe, was created to automate the above. The tool takes a parameter for the template name to use when filtering the user store, and then sets the friendly name based on the schema “Template Name – Certificate Subject Name”.
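
The enumeration approach described above, sketched in PowerShell as an added example; it is not the CertFN tool or its PowerShell edition. The function name Set-TemplateFriendlyName and its -TemplateName parameter are hypothetical, the template is matched as a substring of the decoded template extension text, and a plain hyphen is used as the separator.

```powershell
# Added example (not the CertFN tool): label certificates in the current user's
# personal store as "<Template Name> - <Subject Name>".
# Set-TemplateFriendlyName and -TemplateName are hypothetical names.
function Set-TemplateFriendlyName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Template name to filter on; matched as a substring of the decoded extension
        [Parameter(Mandatory = $true)]
        [string]$TemplateName
    )

    # v1 "Certificate Template Name" and v2 "Certificate Template Information" extensions
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # Decode the template extension(s) to display text
        $templateText = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }

        # Skip certificates with no template extension or from another template
        if (-not ($templateText -match [regex]::Escape($TemplateName))) { continue }

        # Prefer the subject CN; fall back to the full subject DN
        $subject = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if (-not $subject) { $subject = $cert.Subject }

        $newName = "$TemplateName - $subject"
        if ($cert.FriendlyName -eq $newName) { continue }   # already labelled

        if ($PSCmdlet.ShouldProcess($cert.Thumbprint, "Set friendly name '$newName'")) {
            # FriendlyName is a store property; the signed certificate is unchanged
            $cert.FriendlyName = $newName
            [pscustomobject]@{
                SerialNumber = $cert.SerialNumber
                Thumbprint   = $cert.Thumbprint
                FriendlyName = $newName
            }
        }
    }
}

# Preview first; rerun without -WhatIf to apply ('User' is a sample template name)
Set-TemplateFriendlyName -TemplateName 'User' -WhatIf
```

Because the match is a substring test, a short template name can also match longer template names that contain it, so review the -WhatIf output before applying.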

  CertFN - Certificate Friendly Name Tool download

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download

Windows 8 – Network Isolation for Metro style Apps

October 8th, 2011

When developing Metro style apps, Network Isolation helps your product to take advantage of the isolation mechanisms that will keep the app and system secure.

The new Windows Runtime APIs enable a developer to control the security profile of an app under development. Network access is part of this application security model. Not all apps will require access to the network. However for those that do, Windows provides the appropriate level of granularity for apps to access the network securely.

With network isolation, developers can define the scope of the network access required for each process, which prevents a process without the appropriate scope from accessing the specified type of network or connection. The ability to set and enforce these boundaries ensures that compromised apps have access only to networks they have explicitly been granted access to, significantly reducing the scope of their impact in other apps or the system itself.

Download and read more about Network Isolation for Metro style Apps at http://www.microsoft.com/download/en/details.aspx?id=27534. This paper provides information about network isolation for Windows operating systems. It provides guidelines for developers to determine the network boundary that a Metro style app will operate in, and what capabilities will be necessary to access required resources.

 

IPSec StrongCRLCheck does not work on Windows Server 2008 R2-based RRAS

September 15th, 2011

SYMPTOMS:

  • You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
  • You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
  • You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
  • You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
  • You establish an L2TP/IPsec connection from the client computer to the server.
  • The connection to the RRAS server is successful. However, you expect that the client computer cannot connect to the server.
The issue occurs because the Remote Access Service (RAS) ignores the StrongCRLCheck setting!

To correct this, you need a hotfix and a new registry key, as instructed in KB2351254 http://support.microsoft.com/kb/2351254

Out of band update KB2607712 – Fraudulent DigiNotar certificates could allow spoofing

September 6th, 2011

Microsoft has published an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie – G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven

http://support.microsoft.com/kb/2607712

 

Problem in certreq.exe sign operation

August 13th, 2011

CMC certificate requests are normally used in combination with EOBO (Enroll On Behalf Of) enrollment scenarios, where additional enrollment agent signatures are required by the certification authority to accept and process the certificate request.

Generating and signing the CMC certificate request can either be done using the certmgr.msc MMC snap-in or scripted using the certreq.exe tool provided in the Windows platform. The procedure using certreq to generate and sign the CMC certificate request is defined by the following steps:

1. Create a certificate request inf file describing the request. Below is a sample inf file for an EOBO request:

[Version]
Signature = "$Windows NT$"

[NewRequest]
RequesterName = Crisco0\Administrator
RequestType = CMC

[RequestAttributes]
CertificateTemplate = EOBO_Template

 

2. Generate the initial self-signed CMC certificate request using the command:

certreq.exe -new certificate_request.inf certificate_request.req

3. Sign the initial self-signed CMC certificate request with the enrollment agent certificate using the command:

certreq.exe -sign certificate_request.req signed_certificate.req

4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:

certreq.exe -submit signed_certificate.req new_certificate.cer

The procedure described above works as expected until you try it on Windows 2008 R2 SP1 (I have not had the chance to test other versions yet), where you will get an error message at step 3, failing the agent signing.

What happens in step 3 is that the certreq tool tries to read the referenced certificate template from Active Directory to figure out the signing requirements, and it simply fails with the error message:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

After struggling with my request inf file and certificate template with the same error, I decided to perform the agent signing using other tools. After some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice, with samples provided, but I wanted something simpler, so I ended up at this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about “Create Enroll on Behalf of Another User Request”. Using the code from the “Create Enroll on Behalf of Another User Request” article, I created the cmcSigner tool, and the CMC request could be signed and the certificate issued without errors.

What if this version of certreq.exe has some issue? To figure that out, I decided to test the certreq -sign operation with an older version of certreq.exe, so I grabbed the Windows 2003 Admin Tool Pack, extracted certreq.exe, and tested the signing step with no errors!

Conclusion: certreq.exe in some later versions has a problem performing a certificate signing operation.

Solution: use another version of certreq.exe or another tool like the cmcSigner tool

  cmcSigner Tool download

IT Pro at Home Demonstration: Wireless Networking

August 6th, 2011

Learn how, in Windows 7, you can connect to a wireless access point in just three clicks. With this screencast from the Springboard Series IT Pro at Home: Tips and Tricks series, you’ll see how, whether you’re sitting in a coffee shop or at the airport, connecting to a wireless network is simple and easy when you’re using Windows 7. This demonstration will also go over moving between wireless networks and provide tips to help you go from home to the office using each network seamlessly.

Download the Wireless Networking screencast here or from Microsoft at http://www.microsoft.com/download/en/details.aspx?id=1271

 

 

Maintain SDL requirement in code

August 5th, 2011

Microsoft has released an updated version of the banned.h header file, a sanitizing resource that helps developers meet the SDL requirement to remove banned functions from code. The header file simply lists all banned APIs and allows any developer to locate them in code and remove them or adjust the code to align with the SDL requirements.

The updated banned.h can be downloaded from Microsoft Download Center http://www.microsoft.com/download/en/details.aspx?id=24817

FIM CM 2010 links from Microsoft Downloads

July 13th, 2011

Best of MMS Sverige 2011

July 10th, 2011

How do you and your company manage your IT environment in the best way?

Best of MMS is the event you should not miss. Here you will learn everything about the most current products and technologies from Microsoft when it comes to IT management. During the coming year, for example, several product launches are expected within the System Center family.

The foremost Swedish IT experts will be on site. There will be two days filled with technology-packed talks on topics such as Opalis, System Center Configuration Manager 2012, IPv6, System Center Virtual Machine Manager 2012 and System Center Service Manager R2, Hyper-V Cloud and more.

Are you curious about IPv6 and how the new protocol will affect both the management of Windows Server and the security of your systems?

Read more and book your seat today at http://www.microsoft.com/sverige/bestofmms2011/default.html

 

Battling the Rustock Threat

July 10th, 2011

Microsoft has published a document http://www.microsoft.com/download/en/details.aspx?id=26673 that provides an overview of the Win32/Rustock family of rootkit-enabled backdoor trojans.

The document examines the background of Win32/Rustock, its functionality, how it works, and provides threat telemetry data and analysis from calendar year 2010 through May 2011.

In addition, the document details the legal and technical action used to take down the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.

 

Announcing: Swedish Windows Security User Group

November 2nd, 2009

I have the pleasure of presenting the Swedish Windows Security User Group, which focuses on offering all members the opportunity to network with other experts and knowledgeable people in the field, with the goal of spreading information and knowledge about security issues.

The group will use a forum on itproffs.se as its public information site, where we will, among other things, announce our activities and receive requests for membership and participation in the group. All members who are also active itproffs members are encouraged to continue their engagement in other forums that focus on security and not to move their activities to the group's private areas at http://winsec.groups.live.com.

The group will use http://winsec.groups.live.com for a period until we have better conditions within itproffs, so that we can use the new platform for the group's private needs.

Our goal is to arrange recurring gatherings and meetings to discuss interesting news and topics, and to expand the group's ability to spread and share knowledge about security in the Windows platform.

Best regards

Hasain