Certificate Selection & Certificate Friendly Name Tool

November 4th, 2011

The certificate selection user interface in Windows supports filtering logic that simplifies the user experience when an application has multiple certificates to choose from. But some applications are not designed to use the filtering logic (the developers were not aware of the functionality…), or they use filters that do not reduce the number of presented certificates efficiently, making it almost impossible for the user to know which certificate to choose without opening each certificate and looking at details such as template name, EKU, etc.

This is particularly true when all certificates have been automatically enrolled with the same subject DN/CN built from the user's Active Directory user object attributes. In addition, autoenrollment does not support variations in the certificate subject name unless a third-party policy module is installed on the Active Directory Certificate Services CA.

Since the certificate selection UI displays certificate friendly names, setting the friendly name to include information about the certificate template can simplify the user's task of selecting the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the Certificates MMC snap-in. Alternatively, certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}My Friendly Name"

Save the file as friendlyname.inf

Determine the serial number of the certificate whose friendly name should be changed.

Run the following command at a command line:
certutil -repairstore -user my {SerialNumber} FriendlyName.inf

Setting friendly names can be automated either by scripting the steps above or by creating a tool that enumerates all certificates in the personal store and assigns the friendly name.

A proof-of-concept tool, CertFN.exe, was created to automate the above. The tool takes the template name to filter the user store on as a parameter, and then sets the friendly name according to the scheme “Template Name – Certificate Subject Name”.

CertFN - Certificate Friendly Name Tool (download, 39.3 KiB)

CertFN - Certificate Friendly Name Tool - The PowerShell Edition (download, 1.1 KiB)
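As an added illustration of the enumerate-and-rename approach (this is example code written for this page, not the CertFN tool or its PowerShell edition), the function below walks the personal store, reads the template name from the certificate template extension and sets the friendly name to "Template Name - Subject Name". It assumes Windows PowerShell on a domain-joined machine, where v2/v3 template OIDs decode to template names; the template name 'User' in the usage lines is only a sample value.

```powershell
function Set-CertificateFriendlyNameByTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]$TemplateName,   # template to filter on, as with CertFN
        [string]$StorePath = 'Cert:\CurrentUser\My',     # the user's personal store
        [switch]$Force                                   # also rename certs that already have a friendly name
    )

    # Extension OIDs that carry the template:
    #  - v1 templates store the template name directly (1.3.6.1.4.1.311.20.2)
    #  - v2/v3 templates (1.3.6.1.4.1.311.21.7) decode to "Template=<name>(<oid>), Major Version Number=..."
    #    on a domain-joined machine, or to "Template=<oid>, ..." when the OID cannot be resolved via AD
    $templateNameOid = '1.3.6.1.4.1.311.20.2'
    $templateInfoOid = '1.3.6.1.4.1.311.21.7'

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $template = $null
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq $templateNameOid) {
                $template = $ext.Format($false).Trim()
            } elseif ($ext.Oid.Value -eq $templateInfoOid -and $ext.Format($false) -match 'Template=([^(,]+)') {
                $template = $Matches[1].Trim()
            }
        }

        # Skip certificates from other templates, and those without a template (e.g. self-signed ones);
        # $template is $null in the latter case, which never equals the requested name
        if ($template -ne $TemplateName) { continue }

        # Leave hand-set friendly names alone unless -Force is given
        if ($cert.FriendlyName -and -not $Force) { continue }

        $subject = $cert.GetNameInfo('SimpleName', $false)   # the subject CN
        $newName = "$TemplateName - $subject"

        if ($PSCmdlet.ShouldProcess("$($cert.Thumbprint) ($subject)", "Set FriendlyName to '$newName'")) {
            # Assigning FriendlyName on a store-backed certificate writes the property back to the store;
            # it is the same property that certutil -repairstore sets from the "[Properties] 11 =" line
            $cert.FriendlyName = $newName
            [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $subject; FriendlyName = $newName }
        }
    }
}

# Preview the changes first (-WhatIf comes from SupportsShouldProcess), then apply them:
Set-CertificateFriendlyNameByTemplate -TemplateName 'User' -WhatIf
Set-CertificateFriendlyNameByTemplate -TemplateName 'User'
```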


The Active Directory Certificate Services Ultimate Guide – Part 1

October 14th, 2011

The Basics of PKI

Public Key Infrastructure (PKI) refers to the set of hardware, software, people, policies, and procedures necessary to create, manage, store, distribute, and revoke certificates based on public key cryptography. The characteristic operation of PKI is known as certification (the issuance of certificates). PKI certification provides a framework for the security feature known as authentication (proof of identification).

Understanding the role of PKI in identity management involves the following basic terms:

  • The Public/Private Key Pair - The mathematics of public/private key pairs is beyond the scope of this guide, but it is important to note the functional relationship between a public and a private key. PKI cryptographic algorithms use the public key of the receiver of an encrypted message to encrypt data, and the related private key and only the related private key to decrypt the encrypted message.
  • Digital Signature - A digital signature of a message is created with the signer’s private key. The corresponding public key, which is available to everyone, is then used to verify this signature. The secrecy of the private key must be maintained because the framework falls apart after the private key is compromised.
  • Certification Authority (CA) - An authority that is trusted to create and issue certificates that contain public keys, acting as a trusted party in a public key infrastructure and providing services that authenticate the identity of individuals, computers, and other entities in a network.
  • Certificate - A data structure containing an entity's public key and related identification information, which is digitally signed with the private key of the CA that issued it. The certificate securely binds together the information that it contains; any attempt to tamper with it will be detected at the time of use.
  • Self-signed - In a self-signed certificate, the public key in the certificate and the key used to verify the certificate are the same. Some self-signed certificates are designated as Root CAs.
  • Root CA - A root CA is a special class of CA, which is trusted unconditionally by a client and is at the top of a certification hierarchy. All certificate chains terminate at a root CA. The root authority must sign its own certificate because there is no higher certifying authority in the certification hierarchy.
  • Subordinate CA / Intermediate CA / Cross CA / Bridge CA - A CA that has been certified by another CA. Subordination creates a managed trust between separate certification authorities resulting in CA hierarchies.
  • Certificate policy and practice statements - The two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
  • Public key standards - Standards are developed to describe the syntax for digital signing and encrypting of messages and to ensure that a user has an appropriate private key. The Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, as specified in RFC 5280, is one part of a family of standards for the X.509 Public Key Infrastructure (PKI) for the Internet.
  • Revocation and Expiration – Certificates are issued with a planned lifetime, which is defined through a validity start time and an explicit expiration date. Once issued, a certificate becomes valid when its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA, and compromise or suspected compromise of the corresponding private key. Under such circumstances, the issuing CA needs to revoke the certificate.
  • Registration Authority (RA) – A Registration Authority vouches to a CA for the binding between public keys and the identity and attributes of a prospective certificate holder. Essentially, using the RA is a form of administrative delegation—the CA delegates to the RA the task of verifying the binding of a public key to an entity.
  • Certificate Chains – A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. In practice this includes the end certificate, the certificates of intermediate CAs, and the certificate of a root CA trusted by all parties in the chain. Every intermediate CA in the chain holds a certificate issued by the CA one level above it in the trust hierarchy.


Windows 8 – Network Isolation for Metro style Apps

October 8th, 2011

When developing Metro style apps, Network Isolation helps your product to take advantage of the isolation mechanisms that will keep the app and system secure.

The new Windows Runtime APIs enable a developer to control the security profile of an app under development. Network access is part of this application security model. Not all apps will require access to the network. However, for those that do, Windows provides the appropriate level of granularity for apps to access the network securely.

With network isolation, developers can define the scope of the network access required for each process, which prevents a process without the appropriate scope from accessing the specified type of network or connection. The ability to set and enforce these boundaries ensures that compromised apps have access only to networks they have explicitly been granted access to, significantly reducing the scope of their impact in other apps or the system itself.

Download and read more about Network Isolation for Metro style Apps at http://www.microsoft.com/download/en/details.aspx?id=27534. This paper provides information about network isolation for Windows operating systems. It provides guidelines for developers to determine the network boundary that a Metro style app will operate in, and what capabilities will be necessary to access required resources.


Public Key Infrastructure at Microsoft – 2008 R2 Edition

October 3rd, 2011

Microsoft IT has released an updated version of the “Public Key Infrastructure at Microsoft” whitepaper, found at http://www.microsoft.com/download/en/details.aspx?id=27581 (local copy: Public Key Infrastructure at Microsoft 1750_PKI_TWP).

The update covers the changes to Microsoft's internal PKI structure as part of the Windows Server 2008 R2 migration. There are many good “lessons learned and best practices” outlined by Microsoft IT as a result of the migration/upgrade process that was performed.

Some of my favorites are the way they use CRL overlap to provide higher availability of CRLs, the simplified two-tier structure together with Cross Forest Enrollment, and the discussion about virtualisation of CAs.

Some of the highlighted features in the document are:

Windows Server 2008:

  • Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis
  • Enhanced performance monitoring with the addition of new performance counters
  • Scalable, high-speed revocation status response services that combine CRLs and integrated Online Responder services
  • Support for Cryptography Next Generation (CNG) to enable the use of Suite B algorithms
  • Enhanced service monitoring with the introduction of the Windows Server 2008 AD CS Management Pack for Microsoft Operations Manager 2005
  • More detailed server administration with restricted certificate managers
  • Failover cluster support

Windows Server 2008 R2:

  • Cross-forest enrollment capability that allows for consolidation of existing hardware
  • Databaseless CA feature to avoid storing unnecessary certificate records
  • Best Practice Analyzer for improved configuration practices
  • Web-based certificate enrollment protocol to allow enrollment over the Internet


IPSec StrongCRLCheck does not work on Windows Server 2008 R2-based RRAS

September 15th, 2011

SYMPTOMS:

  • You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
  • You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
  • You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
  • You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
  • You establish an L2TP/IPsec connection from the client computer to the server.
  • The connection to the RRAS server is successful. However, you expect that the client computer cannot connect to the server.
The issue occurs because the Remote Access Service (RAS) ignores the StrongCRLCheck setting!

To correct this you need a hotfix and a new registry key, as described in KB2351254 http://support.microsoft.com/kb/2351254


Interesting notes from the DigiNotar report

September 6th, 2011

The notes below are extracted from the “DigiNotar public report version 1” published at http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

“The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.

The software installed on the public web servers was outdated and not patched.

No antivirus protection was present on the investigated servers.

An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place.”


Out of band update KB2607712 – Fraudulent DigiNotar certificates could allow spoofing

September 6th, 2011

Microsoft has published an update for all supported releases of Microsoft Windows that revokes the trust of the following DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store:

• DigiNotar Root CA
• DigiNotar Root CA G2
• DigiNotar PKIoverheid CA Overheid
• DigiNotar PKIoverheid CA Organisatie – G2
• DigiNotar PKIoverheid CA Overheid en Bedrijven

http://support.microsoft.com/kb/2607712


How do I enable Single Sign-on for RD Gateway Server?

August 24th, 2011

  1. Create, edit or change a group policy object for your clients
  2. Navigate to “User Configuration”, “Administrative Templates”, “Windows Components”, “Remote Desktop Services”, “RD Gateway” and select the “Set RD Gateway server authentication method” setting.
  3. Select the “Enabled” radio button.
  4. Under “Set RD Gateway server authentication method”, click on the combo-box and select “Use locally logged-on credentials”.
  5. If you want the users to be able to override this authentication method then select “Allow users to change this setting” checkbox.
  6. Confirm the changes by clicking on the “OK” button until you return back to the main Group Policy Object Editor dialog.
  7. Apply the policy and make sure it has been enforced on the client by running “gpupdate” to force the policy to be refreshed immediately on the local machine.
  8. Start up the RD client and navigate to “Options”, “Advanced”, click on “Settings” under “connect from anywhere”. You should see the status text indicate the following: “Your Windows logon credentials will be used to connect to this RD Gateway server”.
  9. The client will now be able to connect to the gateway server using the locally logged-on credentials.


Speaking IPv6 @ Best of MMS Sweden 2011

August 23rd, 2011

Yes, you can get by without it, but probably not for long. Adopting the new IPv6 protocols will be a challenge, and there are ways to work around the shortage of IPv4 addresses. So why bother to make the move? Because any workarounds will eventually get in the way of new services and devices, and the rest of the world will pass by those who do not adapt. What are the requirements, what management options are available, and how should we implement the new protocol and the required management?

Welcome to my session “IPv6::Why:Should:I:Care?” at Best of MMS Sweden 2011 http://www.microsoft.com/sverige/bestofmms2011/default.html



Single-Label-Domains (SLD) in Active Directory Domain Services (AD DS)

August 19th, 2011

An Active Directory domain name that contains two or more labels separated by dots is referred to as a fully qualified domain name (FQDN). In contrast, a single-label domain (SLD) is an Active Directory domain name with only one label. SLD is not a commonly deployed configuration today.

Because Microsoft recommends FQDN Active Directory deployments, not that many Microsoft and third-party applications have been tested under an SLD configuration, and companies that have deployed an SLD should transition to an FQDN Active Directory deployment. This will ensure that they get the most value out of their deployed applications.

For companies that will be evaluating a transition from SLD to FQDN configurations, Microsoft has finally released a whitepaper describing the options and considerations they will need to take into account. In particular it describes Domain Migration and Domain Rename operations and explains the different considerations for these two options, so that companies can build a transition plan that makes sense to them.

The complete whitepaper “Single-Label-Domains in Active Directory Domain Services (AD DS) - Considerations, Migration, and Co-existence” can be downloaded from http://www.microsoft.com/download/en/details.aspx?id=27143


Problem in certreq.exe sign operation

August 13th, 2011

CMC certificate requests are normally used in combination with EOBO enrollment (Enroll On Behalf Of) scenarios where additional enrollment agent signatures are required by the certification authority to accept and process the certificate request.

Generating and signing the CMC certificate request can either be done using the certmgr.msc MMC snap-in or scripted using the certreq.exe tool provided in the Windows platform. The procedure for generating and signing the CMC certificate request with certreq consists of the following steps:

1. Create a certificate request inf file describing the request; below you find a sample inf file for an EOBO request:

[Version]
Signature = "$Windows NT$"

[NewRequest]
RequesterName = Crisco0\Administrator
RequestType = CMC

[RequestAttributes]
CertificateTemplate = EOBO_Template


2. Generate the initial self-signed CMC certificate request using the command:

certreq.exe -new certificate_request.inf certificate_request.req

3. Sign the initial self-signed CMC certificate request with the enrollment agent certificate using the command:

certreq.exe -sign certificate_request.req signed_certificate.req

4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:

certreq.exe -submit signed_certificate.req new_certificate.cer
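The four steps above, scripted end to end so that the failing step is reported together with certreq's own output (example code added for this page, not the author's tooling). It assumes certreq.exe is on the PATH, that the running user holds the enrollment agent certificate, and that the CA can be located through Active Directory unless -CAConfig is given; the requester and template names are parameters, not values from the post.

```powershell
function Invoke-EoboCmcRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$RequesterName,   # DOMAIN\user the certificate is requested for
        [Parameter(Mandatory)] [string]$TemplateName,    # template requiring agent signature(s)
        [string]$WorkDir  = (Join-Path $env:TEMP 'eobo'), # where inf/req/cer files are written
        [string]$CAConfig                                 # optional "CAHost\CAName" for -submit
    )

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf    = Join-Path $WorkDir 'certificate_request.inf'
    $req    = Join-Path $WorkDir 'certificate_request.req'
    $signed = Join-Path $WorkDir 'signed_certificate.req'
    $cer    = Join-Path $WorkDir 'new_certificate.cer'

    # Step 1: the same inf layout as in the post; `$ keeps "$Windows NT$" literal in the here-string
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
RequesterName = $RequesterName
RequestType = CMC

[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path $inf -Encoding Ascii

    # Steps 2-4 as certreq verbs; -q suppresses prompts, -f overwrites existing output files
    $submitArgs = @('-submit', '-q', '-f')
    if ($CAConfig) { $submitArgs += @('-config', $CAConfig) }
    $submitArgs += @($signed, $cer)

    $steps = @(
        @{ Name = 'new';    Args = @('-new',  '-q', '-f', $inf, $req) },
        @{ Name = 'sign';   Args = @('-sign', '-q', '-f', $req, $signed) },
        @{ Name = 'submit'; Args = $submitArgs }
    )

    foreach ($step in $steps) {
        $a = $step.Args
        Write-Verbose "certreq $($a -join ' ')"
        $output = & certreq.exe @a 2>&1 | Out-String
        if ($LASTEXITCODE -ne 0) {
            # On the affected certreq version the 'sign' step stops here with the
            # 0x800704df (WIN32: 1247) message quoted in the post
            throw "certreq -$($step.Name) failed with exit code $LASTEXITCODE`n$output"
        }
    }

    # The issued certificate, ready to be installed with certreq -accept or handed to the user
    Get-Item -Path $cer
}

# Sample invocation (names are placeholders):
# Invoke-EoboCmcRequest -RequesterName 'CONTOSO\jdoe' -TemplateName 'EOBO_Template' -Verbose
```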

The procedure described above works as expected until you try it on Windows 2008 R2 SP1 (I have not had the chance to test other versions yet), where step 3, the agent signing, fails with an error message.

What happens in step 3 is that the certreq tool tries to read the referenced certificate template from Active Directory to figure out the signing requirements, and it simply fails with the error message:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

After struggling with my request inf file and certificate template and getting the same error, I decided to perform the agent signing using other tools. After some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice with its provided samples, but I wanted something simpler, so I ended up at this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about “Create Enroll on Behalf of Another User Request”. Using the code from the “Create Enroll on Behalf of Another User Request” article I created the cmcSigner tool, and the CMC request could be signed and the certificate issued without errors.

What if this version of certreq.exe has some issue? To find out, I decided to test the certreq -sign operation with an older version of certreq.exe, so I grabbed the Windows 2003 Admin Tool Pack, extracted certreq.exe and tested the signing step with no errors!

Conclusion: certreq.exe in some later versions has a problem performing the certificate signing operation.

Solution: use another version of certreq.exe or another tool like the cmcSigner tool.

cmcSigner Tool (download, 258.8 KiB)


IT Pro at Home Demonstration: Wireless Networking

August 6th, 2011

Learn how, in Windows 7, you can connect to a wireless access point in just three clicks. With this screencast from the Springboard Series IT Pro at Home: Tips and Tricks series, you’ll see how, whether you’re sitting in a coffee shop or at the airport, connecting to a wireless network is simple and easy when you’re using Windows 7. This demonstration will also go over moving between wireless networks and provide tips to help you go from home to the office using each network seamlessly.

Download the Wireless Networking screencast from Microsoft at http://www.microsoft.com/download/en/details.aspx?id=1271


Maintain SDL requirement in code

August 5th, 2011

Microsoft has released an updated version of the banned.h header file, which supports the SDL requirement to remove banned functions from code. The header file simply lists all banned APIs and allows any developer to locate them in code and remove or adjust the code to align with the SDL requirements.

The updated banned.h can be downloaded from Microsoft Download Center http://www.microsoft.com/download/en/details.aspx?id=24817

Infrastructure Planning and Design (IPD) guides for Microsoft technologies

July 13th, 2011

Infrastructure Planning and Design guides share a common structure, including:

  • Definition of the technical decision flow through the planning process.
  • Listing of decisions to be made and the commonly available options and considerations.
  • Relating the decisions and options to the business in terms of cost, complexity, and other characteristics.
  • Framing decisions in terms of additional questions to the business to ensure a comprehensive alignment with the appropriate business landscape.

These guides complement product documentation by focusing on infrastructure design options.

Each guide leads the reader through critical infrastructure design decisions, in the appropriate order, evaluating the available options for each decision against its impact on critical characteristics of the infrastructure. The IPD Series highlights when service and infrastructure goals should be validated with the organization and provides additional questions that should be asked of service stakeholders and decision makers.

IPD consists of the following downloadable packages:

  • Exchange Server
  • Active Directory Certificate Services
  • Active Directory Domain Services
  • DirectAccess
  • Dynamic Datacenter
  • Exchange Online—Evaluating Software-plus-Services
  • File Services
  • Forefront Identity Manager 2010
  • Forefront Unified Access Gateway
  • Internet Information Services
  • IPD Series Introduction
  • Malware Response
  • Microsoft Application Virtualization 4.6
  • Microsoft Enterprise Desktop Virtualization (MED-V)
  • Print Services
  • Remote Desktop Services
  • Selecting the Right NAP Architecture
  • Selecting the Right Virtualization Technology
  • SharePoint Online—Evaluating Software-plus-Services
  • SQL Server
  • System Center Configuration Manager 2007 SP1 with R2
  • System Center Data Protection Manager 2007 with SP1
  • System Center Operations Manager 2007
  • System Center Service Manager
  • System Center Virtual Machine Manager 2008
  • Terminal Services
  • Windows Deployment Services
  • Windows Optimized Desktop Scenarios
  • Windows Server Virtualization
  • Windows User State Virtualization

The guides are available as individual downloads or as a single all-in-one package from http://www.microsoft.com/download/en/details.aspx?id=732



FIM CM 2010 links from Microsoft Downloads

July 13th, 2011

Best of MMS Sverige 2011

July 10th, 2011

How do you and your company manage your IT environment in the best way?

Best of MMS is the event you must not miss. Here you will learn everything about the most current products and technologies from Microsoft in the area of IT management. During the coming year, for example, several product launches are expected in the System Center family.

The foremost Swedish IT experts will be on site. It will be two days filled with technology-packed talks, on topics such as Opalis, System Center Configuration Manager 2012, IPv6, System Center Virtual Machine Manager 2012 and System Center Service Manager R2, Hyper-V Cloud and more.

Are you curious about IPv6 and how the new protocol will affect both the management of Windows Server and the security of your systems?

Read more and book your seat today at http://www.microsoft.com/sverige/bestofmms2011/default.html


Battling the Rustock Threat

July 10th, 2011

Microsoft has published a document http://www.microsoft.com/download/en/details.aspx?id=26673 that provides an overview of the Win32/Rustock family of rootkit-enabled backdoor trojans.

The document examines the background of Win32/Rustock, its functionality, how it works, and provides threat telemetry data and analysis from calendar year 2010 through May 2011.

In addition, the document details the legal and technical action used to take down the Rustock botnet and how to detect and remove the threat using Microsoft antimalware products.


IE – Enable Certificate Revocation Failure Notification

July 5th, 2011

Applies to Internet Explorer 7 and later. In order to confirm the identity of organizations that host secure webpages, certifying authorities issue security certificates. These certificates are validated when you request a secure webpage.

By default, Internet Explorer performs a number of steps in order to validate the security certificate for a secure website. If a certificate is invalid, is out-of-date, or improperly identifies the website in question, Internet Explorer displays a notification to the user.

As an additional verification step, many certifying authorities also provide a service that identifies certificates that have been recently revoked. Earlier versions of Internet Explorer displayed notifications when this service could not be reached.

Because the inability to reach these services does not necessarily indicate that a certificate has been revoked, many users complained that such notifications were “false positives.” After considerable negative feedback, these notifications were disabled by default in Internet Explorer 7 and later.

When enabled, the FEATURE_WARN_ON_SEC_CERT_REV_FAILED feature displays notifications when Internet Explorer cannot reach the certificate revocation service published by a certifying authority. By default, this feature is disabled for Internet Explorer. This feature is not supported for applications hosting the WebBrowser Control.

To enable this feature using the registry, add the name of the Internet Explorer executable file to the following setting.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED]
"iexplore.exe"=dword:00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.
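The distinction this post turns on, and that the Revocation and Certificate Chains items in the PKI basics post above describe, is visible in the chain engine's status flags: a certificate that is actually revoked yields the Revoked flag, while an unreachable CRL or OCSP responder yields RevocationStatusUnknown/OfflineRevocation, which is the condition the FEATURE_WARN_ON_SEC_CERT_REV_FAILED notification reports. The function below (example code added for this page, not from the original post or Microsoft documentation) builds a certificate's chain with online revocation checking and separates the two cases; it assumes PowerShell 5 or later on Windows and takes certificates from the Cert: drive.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-CertificateChainStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [X509Certificate2]$Certificate,
        [X509RevocationMode]$RevocationMode = 'Online'   # 'NoCheck' reproduces a "no revocation check" client
    )
    process {
        $chain = [X509Chain]::new()
        try {
            $chain.ChainPolicy.RevocationMode      = $RevocationMode
            # The root is self-signed and trusted unconditionally, so it is never checked for revocation
            $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::ExcludeRoot
            $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

            $valid = $chain.Build($Certificate)

            # Collapse the per-element status entries into one set of flags
            $flags = [X509ChainStatusFlags]::NoError
            foreach ($s in $chain.ChainStatus) { $flags = $flags -bor $s.Status }

            $revoked = ($flags -band [X509ChainStatusFlags]::Revoked) -ne 0
            $unknown = ($flags -band ([X509ChainStatusFlags]::RevocationStatusUnknown -bor
                                      [X509ChainStatusFlags]::OfflineRevocation)) -ne 0

            # Revoked is a definite answer; RevocationUnknown only means the CRL/OCSP service
            # could not be reached, which is what IE's optional notification surfaces
            $verdict = if ($revoked)     { 'Revoked' }
                       elseif ($unknown) { 'RevocationUnknown' }
                       elseif ($valid)   { 'Valid' }
                       else              { 'Invalid' }

            [pscustomobject]@{
                Subject = $Certificate.GetNameInfo('SimpleName', $false)
                Verdict = $verdict
                Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                # End certificate first, intermediate CAs next, root CA last
                Chain   = ($chain.ChainElements | ForEach-Object {
                               $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' -> '
            }
        } finally {
            $chain.Reset()
        }
    }
}

# Check every certificate in the user's personal store
Get-ChildItem -Path Cert:\CurrentUser\My | Test-CertificateChainStatus | Format-Table -AutoSize
```

Running the same store with -RevocationMode NoCheck shows which verdicts depend only on chain building and which on revocation data being reachable.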

FIM CM 2010 – Sommarkollo 2011 @ MS Sweden

June 30th, 2011

Thanks for a good discussion at Microsoft in Kista during the FIM CM Sommarkollo 2011.

Recording of part 1:

Download the ADCS PowerShell script adcs_install.ps1

Download the presentation for the FIM CM Sommarkollo

TechNet videos: Security Compliance Manager 2 teaser

June 30th, 2011

Want to take an early look at the next version of the Security Compliance Manager (SCM) 2 tool? In this three-part screencast series with Sr. IT Pro Evangelist Matt Hester, he takes you on a quick tour of the tool’s features and benefits, including new features in SCM 2 like GPO import, baseline setting customization, local GPO functionality, an enhanced user interface, and an improved installation experience. Check out these new screencasts!