Tack för en bra diskussion hos Microsoft i Kista under FIM CM sommarkollo 2011
Inspelningen av del 1 :
Ladda ner ADCS powershell skriptet adcs_install.ps1
Ladda ner presenationen för FIM CM Sommarkollo
Want to take an early look at the next version of the Security Compliance Manager (SCM) 2 tool? In this three-part screencast series with Sr. IT pro Evangelist Matt Hester, he takes you on a quick tour of the tool’s features and benefits, including new features in SCM 2 like GPO import, baseline setting customization, local GPO functionality, an enhanced user interface, and an improved installation experience.Check out these new screencasts!
New SCM 2 features include:
Version 2 of the SCM tool will release with a full complement of Microsoft product baselines, including these new and/or updated baselines:
————————————————————————————————————-
In more detail
Microsoft Security Compliance Manager (SCM) 2 provides security and compliance configuration recommendations from Microsoft, centralized baseline management features, a baseline portfolio, customization capabilities, and security and compliance baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft products and technologies. The formerly stand-alone product-specific security guides are now included in the SCM tool.
Version 2 of the SCM tool releases with a full complement of Microsoft security and compliance baselines, including a new Windows Internet Explorer 9 Security Baseline, and updated baseline versions for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2.
These new beta baselines provide:
Additional product baselines are currently in development, including baselines for: Windows 7 SP1, Microsoft Exchange Server 2007, Exchange Server 2010, SQL Server 2008 and SQL Server 2008 R2 (multiple roles), Office 2010, Windows Vista SP2, Windows XP SP3, and Windows Internet Explorer 8.
To learn more about the Security Compliance Manager tool, visit the TechNet Library.
It is pretty straight forward to configure SSL Client Certificate Authentication in UAG, just follow the steps in the online guide at http://technet.microsoft.com/en-us/library/ee861163.aspx and you should be able to run in almost no time except for an issue that occurs whenever your logon name and common name does not match!
An authentication error will occur with the error message in UAG telling that the user account does not have the expected cn, upn or email value that has been extracted from the users SSL authentication certificate at the time of logon. Looking at the certificate all values of cn, upn and email shows a 100% match of the same values on the user account!
Looking at the cert auth scripts in UAG we can see that UAG is using the value of the common name of the certificate subject as the user_name. The user_name is then used to obtain information from Active Directory regarding that user account. And this is where the error occurs, the matching for the username is simply wrong.
To correct this you can obtain the UPN value from the client certificate in the certificate validation script and use that value to obtain the user logon name by simply splitting at the @ sign.
Download the UAG customupdate-cert scripts and make sure to change the authserver01 key word to the name of your authentication repository.
/Hasain
The issue that HSTS addresses is that users tend to type http:// at best, and omit the scheme entirely most of the time. In the latter case, browsers will insert http:// for them.
An attacker can grab that connection, manipulate it and only the most eagle eyed users might notice that it redirected to https://www.bank0famerica.com or some such. From then on, the user is under the control of the attacker, who can intercept passwords etc at will.
An HSTS enabled server can include the following header in an HTTPS reply:
Strict-Transport-Security: max-age=16070400; includeSubDomains
When the browser sees this, it will remember, for the given number of seconds, that the current domain should only be contacted over HTTPS. In the future, if the user types http:// or omits the scheme, HTTPS is the default. In fact, all requests for URLs in the current domain will be redirected to HTTPS. (So you have to make sure that you can serve them all!).
For more details, see the specification at http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
HSTS is supported in Google Chrome, Firefox 4, and the popular NoScript Firefox extension
Go to chrome://net-internals/#hsts to check your HSTS settings in Google Chrome.
For a more secure web experience…
Recommendations for Running Checkv4.exe:
The Checkv4.exe utility can help you find common literal strings, but there may be others that are specific to your application. You should perform thorough searching and testing to ensure your code base has eradicated potential problems associated with literal strings.
/Hasain
Server side DirectAccess requires one network adapter to be configures as external with the Public or Private profile to apply the Connection Security rules. With the security connection rules in place the DirectAccess server will be able to offer IPSec authentication and tunneling to the clients.
Recently I was involved in a customer case where the DirectAccess server decided to change the external-facing interface to the domain profile, this caused the server to deactivate all security connection rules and the whole DirectAccess solution to stop working.
Now the decision about the profile type for a network interface in Windows is handled by the Network Location Awareness NLA service. The NLA probes for the possibility to reach the servers domain and if a connection is successful the profile will change to domain and the interface will be categorised as "Intranet Authenticated" according to NLA.
The solution or rather said the reason for the sudden change in the specific customer case was firewall related. The firewall was configured to allow traffic from DMZ, where the DirectAccess server external interface was connected, to the internal domain network, this caused NLA to "see" the domain over the external interface and…. So the solution was simply to configure a deny rule prohibiting the DirectAccess server external IP from accessing internal resources and all was back to normal again!
The following registry location is good help when troubleshooting NLA related problems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
/Hasain
Ladda ner TSINK PowerPoint tillägget och skapa roligare PowerPoint presentationer
Du använder detta verktyg på eget ansvar 😉
/Hasain
Tack alla som var med och diskuterade IPv6 med mig på Microsoft TechDays 2011
Bifogar min presentation för nedladdning
/Hasain
Just follow the steps below:
1. IE setting for CRL checking of the server certificate is enabled
2. Set the hostnames of servers hosting the CRL and /or OCSP to 127.0.0.1 in your hosts file
3. Execute [certutil.exe -urlcache * delete] to remove all cached CRLs
4. Start your browser and tell it to HTTPS:// to the site
5. It will take some time trying to check the CRL/OCSP from the non-existing server
6. After that you are on the site without any warnings! Not really what I expected?!
Firefox gives the same results and only Google Chrome gives us a warning…
What if the same happens with Code Signing? Interesting case we have!
/Hasain
with my login id and code included and fully readable for everyone.
It is a folded paper with a tiny piece of tape holding the middle of the long edge
If you apply some pressure on the paper then tne content is fully readable with the login ID and Pin Code
Google‘s security philosophy:
As a provider of software and services for many users, advertisers and publishers on the Internet, we recognize how important it is to help protect your privacy and security…..
Hi,
The last Second Wednesday this year is going to be about DirectAccess. Why, who, how, when and what is it all about? Take the opportunity to discuss all of that and much mor…
Read more and reserve your free seat at:
http://www.labcenter.se/2w.aspx
or
http://www.facebook.com/event.php?eid=104672269605105&num_event_invites=0
See you the 8:th of December at LabCenter in Stockholm.
BR
Hasain
I am not going to deliver any session at Tech·Ed Europe 2010 but you can still find me at the TLC (Technical Learning Center) | Server & Cloud Platform | Management & Security Station on Wednesday, November 10, 2010 14:45-17:30 to answer your questions about security and ADCS
You can as well connect with me after the Breakout sessions with Marcus Murray on:
/Hasain
Yet another day of troubleshooting DirectAccess, this time it was about a broken IPHTTPS tunnel. During the troubleshooting we recognized that the client is not able to establish a connection the the IPHTTPS url https://da.domain.com/IPHTTPS, using a network sniffer we could very clear see the server sending a reset packet after the Client Hello message. This indicates that the SSL server is not able to continue communicating using SSL. Knowing that there was a certificate change just a few days before this error occurred we found that the old certificate was still used for the SSL binding at the DA server even though the configuration was reapplied using the DA management console after the certificate change.
When changing the certificate used for the IPHTTPS tunnel it is very important to clear the old SSL certificate binding before adding the new one.
If you configured your DirectAccess using the DA management console follow the steps below to change the IPHTTPS certificate:
· Run the command: netsh http show sslcert
This will show the current sslcert binding with details about ip, port and the certificate
· Delete the old bindning using the command: netsh http del sslcert
· Using the DA management console, select the new IPHTTPS certificate, save an apply the new configuration
If you configured your DirectAccess using scripts or netsh commands to define all setting follow the steps below to change the IPHTTPS certificate:
· Run the command: netsh http show sslcert
This will show the current sslcert binding with details about ip, port and the certificate
· Delete the old bindning using the command: netsh http del sslcert
· Add the new sslcert binding using the command: netsh http add sslcert
/Hasain
Det går att implementera och migrera till Windows 7, Windows Server 2008 R2 och Hyper-V R2 på massor av olika sätt, några direkt skadliga, andra helt ok med diverse för- och nackdelar och självklart vissa riktigt bra och genomtänkta.
Utmaningar som att samexistera med XP under en period, uppgradera roller som
AD, DNS, DHCP, Clustering, att ändra kommunikationsprotokoll och införa
nya funktioner som Direct Access m.m. kräver en hel del av oss som jobbar med IT.
På Summiten får du den osminkade sanningen och tipsen som du inte finner
i manualerna om hur du inför den senaste tekniken på bästa sätt i din IT-miljö.
Mer information och agenda finns på http://infrastructuresummit.se/
Vi ses den 7:e oktober
/Hasain
Just some important IPv6 prefixes to remember whenever dealing with DirectAccess or IPv6 as such, have fun and remember to think in HEX J
Global-Unicast – 2000::/3
6to4 – 2002::/16
Teredo – 2001:0000::/32
Link Local Unicast — FE80::/10
Unique Local Unicast – FC00::/7
Multicast – FF00::/8
DirectAccess IPv6 addressing:
2002:WWXX:YYZZ:8000::/49 as the organizational prefix
2002:WWXX:YYZZ:8000::/64 as the ISATAP prefix
2002:WWXX:YYZZ:8001::/96 as the NAT64/DNS64 prefix
2002:WWXX:YYZZ:8100::/56 as the IP-HTTPS prefix
/Hasain
DirectAccess är mer än bara ett alternativ till VPN och för att kunna ansluta till interna resurser via Internet. DirectAccess kommer att förändra vår syn på nätverksdesign och tillsammans med IPv6 skapa oanade möjligheter till öppnare och säkrare infrastruktur oavsett var våra klienter befinner sig.
Under två dagar kommer du att förstå principen bakom DirectAccess och vilka komponenter och system den är beroende av. Du kommer även att förstå och kunna hantera de olika alternativen i båda renodlade IPv6-miljöer och blandmiljöer med båda IPv4 och IPv6 i olika grad.
Under labben kommer vi dessutom att skapa en förståelse och lägga grunden för IPv6 och skapa förståelse för kravet och hur vi kan hantera det kommande generationsskiftet i våra nät och framför allt hur samexistensen kan hanteras.
Genom att testa de olika alternativen för hur man bygger DirectAccess kommer du att kunna välja rätt strategi för just din DirectAccesss implementation till din it-miljö.
Vi ses den 25:e oktober på LabCenter i Stockholm. Labben bokas på http://labcenter.se/Lab/2068
/Hasain
Using Microsoft Base Smart Card Crypto Provider, smart cards can use a card module to enable the smart card in Windows. Windows 7 features enhanced support for smart card–related Plug and Play making Windows able to use smart cards from vendors who have published their drivers through Windows Update without needing special middleware to be preinstalled.
If the smart card used does not have drivers/card module available through Windows Update or if you want to preinstall the driver during operating system deployment you need then to perform the following steps:
Having the card module installation files aailable in the desitnation computer run the command
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 .\crdmxxx.inf
The crdmxxx.inf is the name of the inf file included in the card module package you are installing
Kunde inte låta bli att notera texten nedan på ett informationsblad som beskriver hur man gjorde för att ansluta till ett trådlöst WIFI nät. Det som drog min blick extra mycket var notisen på bladet som syns på bilden nedan.
Jag blir riktigt fundersam när jag ser sådana beskrivningar där vi lär våra användare ett felaktigt beteende. Vad tror vi kommer att hända om samma användare får ett liknande fel när han eller hon surfar till sin internetbank eller företagets webbmail mm.
/Hasain
Hasain @TechNet Forum
