Tuesday, December 17, 2013

Network Discovery for Dummies

As a consultant I work several client projects over the year and sometimes I do not get a good/meaningful documentation before I start. Some environments are even so restricted that I cannot install tools or that I have to survive with a regular user account until I get clearance for a domain admin account.
So I checked out what built-in tools I could use on a Windows machine to do a basic discovery of the IT eco system.

1. Either I can connect my laptop or I get a machine fro the client and so I can run a command prompt and see the IP configuration with ipconfig.

2. Run ipconfig again with the /all parameter and find out the primary DNS suffix (what is most likely the DNS name of AD), here in this example it is frontoso.co

nslookup -querytype=SRV _ldap._tcp.dc._msdcs.frontoso.com

Nslookup should give you a list of all domaincontrollers of frontoso.com

3. Now I want see what other machines areound me in the same subnet.

The FOR /L command will fire up a ping command for each IP address in the range (10.0.1.1 - 10.0.1.250). Depending on the subnet this can be adjusted. We use it only to get the mac addresses in from the arp cache and if you scan more then the subnet range you will not get more hits from the arp cache.

 so run FOR /L %v IN (1,1,250) DO start ping -n 1 10.0.1.%v from the command line

and then arp -a to see all entries from the arp cache

Example
Interface: 172.16.32.15 --- 0xa
  Internet Address      Physical Address      Type
  172.16.32.1           54-75-d0-e2-c5-42     dynamic
  172.16.32.8           00-15-5d-20-08-35     dynamic
  172.16.32.9           00-14-5e-45-6e-25     dynamic
  172.16.32.10          68-ef-bd-93-82-04     dynamic
  172.16.32.11          00-15-5d-20-0e-32     dynamic
.....


So event ping was not working because ICMP is disabled on the target machine the arp cache entry exist.
The mac address tells you also the vendor of the network card, so sometime this helps, e.g. in the example above all 00-15-... machines are virtual machines on Microsoft Hyper-V.

4. If you want the server names use ping -a to ask DNS for a reverse DNS resolution. Server names can tell a lot, e.g about location and purpose depending on the naming convention.

FOR /L %v IN (1,1,250) DO ping -a -n 1 10.0.1.%v > pinga.txt

5.  If you just want check that you can access a SMB share through a firewall you can use

net use \\IPorServername\ipc$

even you do not have permissions to access the share, then you get an access denied message. But this tells you also that the firewall is mot likely not preventing SMB traffice to that machine.

Hope that helps,
Lutz




Sunday, November 10, 2013

Creating a IPSEC tunnel with the Windows Firewall with Advanced Security

Windows provides a very simple way to establish a secure communication (IPSEC) between two machines on the machine level: Connection Security Rules.
Connection Securiy Rules allow the configuration of a encrypted communication even a user is not logged on. The IPSEC rule can use a preshared key (for testing, single server or you do not have a PKI) or digital certificates for authentication in an enterprise environment Using certificates is the best way for authentication and my recommendation.
The computer and the users have still to authenticate before they can use any service on a IPSEC protected host, so see IPSEC as an pre-authentication.

Use scenarios:
- You want allow only access from corporate laptop computers to Exchange Outlook Anywhere or other internal services directly, or over TMG or UAG
- You have a server externally hosted and you want have a more secure way to RDP in
- You want allow access to a file share for remote workers in a way they do not have to VPN-in all the time
- You want make sure that computers for remote worker can use the corporate WSUS server for patching even the machines are not connected back via VPN to corporate network
- ...

Requirement:
- Windows Firewall service must be running
- Windows Firewall profiles must be active the network profile(s)
- Firewall rules must allow IPSEC traffic ESP and UDP500(ISAKMP). UDP4500(IPSEC NAT-T) is required if the server is behind a NAT firewall (as it is in this example)


Note: You can require IPSEC also only for certain TCP ports, e.g. you have an externally hosted web server. Require IPSEC only for 3389(RDP) for web server administration but port 80 is open because you clients want surf your companies public web site.And make all other ports not available from outside of that server at all.

Client Configuration Steps


The client configuration can be done using the Advanced Windows Firewall management console (wf.msc) or via group policy. In this post i use the group policy.

1.       Open Group Policy Management

2.       Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/ Windows Firewall with Advanced Security/Connection Security Rules

Note: as alternative and for testing you can also start the Windows Firewall management console by starting wf.msc from the Run dialog.

3.       Make a right mouse click on Connection Security Rules and click on New Rule…

4. Select Server-to-server as rule type and click Next.

5.   Add the public IP address of the edge server to the list of IP addresses under “Which computers are in Endpoint 2?” Then select Next to continue.

6.       Select and then click Next.

7. Click Browse and select the appropriate CA name. Then click Next.

8. Select all firewall profiles and click Next.

9. Enter name and description of the rule. Then click Finish to end the configuration wizard.



Server Side Configuration Steps


The server must have a second network card for external facing connections. The configuration of the IPSEC rules should be for this interface, otherwise you might lose the network connection to the server.

1. Start the Windows Firewall Advanced Configuration management console from the Run menu by running wf.msc.



2. Click on Connection Security Rules and then New Rule …

3. Select Server-to-server and click Next.

4. Add the server IP address to the list of IP address under “Which computers are in Endpoint 2?” and click Next to continue.

5. Select Require authentication for inbound and outbound connections and then click on Next.

6. Click Browse and select the appropriate CA name. Then click Next.

7. Select all firewall profiles and click Next.


Monday, October 28, 2013

UAG 2010 Migration from NLB to Hardware Load Balancer

As many other companies we got some pressure to migrate from TMG to UAG because of Microsoft's decision to discontinue TMG. We use the system solely for application publishing.
We brought up a UAG array with 2 nodes with NLB, both running on Vmware vSphere. From the beginning those servers had some issues seeing or not seeing each other so we opened a ticket with Microsoft. They insisted/highly recommended to run the NLB in uni-cast mode and to make settings in Vmware according to this article http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1556.

Vmware is saying to support uni-cast you have to run both machines on the same virtual network switch on the same host.
WOW, so what is then the purpose of having the array if on physical node fails, all will fail?

Okay so we have a hardware load balancer as well, so lets move from NLB to HW LB. I did some research how to do that and basically found nothing. Nothing else then saying a migration will not work. Bummer.
So one disadvantage of not using NLB is that you need more IP addresses, because then each UAG trunk node needs two (if you have 2 servers) IP addresses.
Trying to remove the NLB cluster was not working because the IP addresses were still in use from UAG. And you cannot add new IP addresses to the interface used from NLB.
To work around those issues I added to each internal interface private IP addresses for the time of migration, then I changed the trunk configurations to use the temporary addresses (caused a service unavailability of course) and then I removed NLB using the UAG management console..
The rest was easy. Adding old plus the new external IP addressed to the UAG array members and reconfigure the UAG trunks to use these. Then change the DNS name from the NLB cluster IPs to the hardware load balancer IPs.
Now I have only to make sure that the UAG array nodes are not running on the same hardware. :-)

P.S. And yes, the hardware load balancer is high available as well.









Saturday, August 31, 2013

Perfect Forward Secrecy (PFS) for IIS, TMG and UAG (and other services)

Traditionally during a client and a server establishes a SSL/TLS session they exchange a secret to protect this session. This secret is the same for all sessions established using the same certificate private key.

SSL web browser - server handshake (simplified):
1. Browser opens a connection to https://www.mywebsite.com
2. Server sends its public certificate
3. Web browser runs certificate verification and sends a message encrypted with the servers public key back
4. Web browser creates a secret session password
5. Server acknowledges the secret session password

If a attacker gets access to the web server's private key he can reveal the password and decrypt a previously recorded session.
That is where PFS is stepping in using Diffie-Hellman. Diffie-Hellman is a "magic" algorithm where 2 communication parties can create a secret without ever sending the secret over the wire. So even the attacker has the private key he cannot re-create the session password.

Quick facts:

- Perfect Forward Secrecy helps to mitigate attacks, when the attacker has access to the web server's private key and has a recording of previous sessions.
- PFS is not supported on all platforms and devices, but it seems we have reached a large enough volume and for legacy clients you should keep accepting at least one of the non-PFS ciphers.
- PFS has a performance overhead of 15 percent (in best case) depending on the exact cipher, depending on the overall traffic on your website this is a small or big number


Windows settings e.g. for IIS as reg file (update 11/15/2013):


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
"DisableRenegoOnClient"=dword:00000001
"DisableRenegoOnServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"



To test you web server I recommend:

Qualys SSL Labs - https://www.ssllabs.com/ssltest/

For further reading:

Vincent Bernat about PFS including performance benchmarks - http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html

Wikipedia article about PFS - http://en.wikipedia.org/wiki/Perfect_forward_secrecy

GUI for changing Windows SSL settings - https://www.nartac.com/Products/IISCrypto/Default.aspx

Diffie- Hellman - http://en.wikipedia.org/wiki/Diffie-Hellman

Friday, August 30, 2013

Bitlocker Data Recovery Agent Certificate

Microsoft BitLocker supports Data Recovery Agents in Windows 7 and above.
That is a great way for large organizations to ensure that the corporate IT or Information Security has access to data for if the individual pass-phrase recovery is not working and for forensics.

To setup a Data Recovery Agent you can follow Microsofts blog post http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx

If you do not see the BitLocker Drive Encryptin and BitLocker Data Recovery Agent extended key usage (EKU) listed in the GUI install the BitLocker feature on your management machine. Even feature installation does not require a reboot, you will not see the EKU showing up in the last until you do so.

If you Certification Authority is running on Windows 2003 you have to add the EKUs manually. For this you need the OIDs, here you go.

Bitlocker Drive Encryption - 1.3.6.1.4.1.311.67.1.1
Bitlocker Data Recovery Agent - 1.3.6.1.4.1.311.67.1.2


Sunday, August 18, 2013

Microsoft DNS server migration or IP address change

The IP address of a DNS server is almost a in stone written number. That is because the client DNS settings contain the IP address of the DNS server. Some clients are configured via DHCP, others manually, other clients are not known for using this DNS server. But you want catch them all.
So if you come into the situation to relocate your DNS server on the network, build a new machine but you cannot take the IP with you or if you are in the middle of a Active Directory migration project and you have already changed the DHCP settings and you need to find all manually configured machines, especially the unknowns; you can turn on debugging in the Microsoft DNS.

First of all enable the DNS debug logging. Open the DNS management console and click on properties of DNS server. Go to the Debug Logging tab.



Enable Log packets for debugging but disable Outgoing  under Packet direction.


Here the PowerShell script to process the debug files.


New-Variable -Name RegexIP -Force -Description "A regular expression object which matches and validates IP addresses." -Value ([regex]'(?<First>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Second>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Third>2[0-4]\d|25[0-5]|[01]?\d\d?)\.(?<Fourth>2[0-4]\d|25[0-5]|[01]?\d\d?)')
$Files = Get-Content "c:\system\DNS\log1.dns.txt" 

$RegexIP.Matches($Files)|Group value | foreach { 

$chkip=$_."Name"

try { [System.Net.Dns]::GetHostbyAddress($chkip).Hostname }

catch { write-host $chkip  }
#write-host $_.Exception.Message
}

The script does two things. First it reads all IP addresses from the log file and group them, and in a second step it tries to get from DNS the hostnames. If it cannot find a hostname for a an IP address it will just list the IP address in the output list.

output example:

PS C:\system> .\ipstat.ps1
win5010.frontoso.com
win5014.frontoso.com
win5052.frontoso.com
win5510.group.frontoso.com
10.0.1.11
10.0.1.10
win5012.frontoso.com


Now you have a list you start from the top, to change the DNS settings of those machines.
Because not every machine is connected every day you may want run the debug more often or for a longer period of time.
If you have multiple DNS servers you can process them all at once. Just append the debug log file name to $Files, seperated all files names by comma

This article targets DNS but if you get a logfile from any other service you could use the same method to identify who is accessing your server/service. e.g. with IIS log files.



Saturday, July 27, 2013

Error opening SSL protected web sites running on IIS from a Windows XP computer

Recently I have experienced an error accessing a HTTPS web site using Internet Explorer 8. Even this is not the most current setup I thought I should share what happened.

1. A SSL certificate is installed on the Windows Server and is configured in IIS on the default web site or any other web site you have.

2. The client is a Windows XP machine and you use Internet Explorer to access the web site. (The problem does not occur if you use Chrome or Firefox.)

3. The problem: IE reports a "Internet Explorer cannot display the webpage" immediately when you try to access the web site. This is the same message you see if the web site or server does not exist or the DNS name cannot be resolved.

4. Accessing the same web site from Windows 7 using Internet Explorer works with no issues.

So what is wrong?

To investigate the problem I used Fiddler and the information from the server's event log that the browser and the web server could not found a common encryption cipher.
Because the server was just using the default settings I thought it would be good to verify the local machine's certificate store.
So I run a certutil.exe -store my on the server and I found out that the SSL certificate was installed using the Microsoft Strong Cryptographic provider. So I exported it and I have imported it using the certutil.exe -importpfx command to the Microsoft RSA SChannel Cryptographic Provider CSP. After that the access from the XP machines worked again.

btw: Qualys runs a free service with a excellent test drive for SSL web sites (including explanations what and why to configure) at https://www.ssllabs.com/ssltest/

Sunday, June 30, 2013

How to transfer binary files through a RDP session

This post can a) help you to transfer binary files to a server over the RDP session or b) it can help you to close a gap in your server hardening procedures.


a)
Transferring a simple text file is just open the file on your local machine and copy&paste to the file on the server. But what if you have a binary file or you need to transfer multiple files which you have packed into a zip container?
All Windows PKI users should know the certutil.exe command line utility. Besides many other functions, it can also encode and decode files from and to base64. Originally this was planned to convert certificates between the base64 format and the binary format. You can also write a powershell script an use the ToBase64String and FromBase64String method. If you are not familiar with powershell you want use certutil.exe what is pre-installed on Windows 7, 2008 R2, Windows 8, Windows 2012.

1. to get your file prepared for the transfer run:

certutil.exe -encode file.zip filezip.txt

2. next, open the filezip.txt with Notepad and mark all and copy it to the clipboard

3. Open Notepad on the server with the same file name

notepad.exe filezip.txt

and paste the content from the clipboard. Save the file.

4. Last step is to convert the file back to binary using certutil again:

certutil.exe -decode filezip.txt file.zip

Now you can extract your files from the file.zip on the server.

According to comments made to this article http://blogs.msdn.com/b/rds/archive/2006/11/20/why-does-my-shared-clipboard-not-work-part-2.aspx
you cannot transfer any size of data through the RDP session. But you can transfer files in slices you have only to split the text file. And don't worry about the ---- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE ----- line in the text file.



b)
To prevent these transfers you must disable the RDP clipboard in the RDP server settings directly or over Group Policy settings. It seems that this is a server-wide setting and cannot be set on a user-base. Well, you lose a lot of convenience in working with the server console but it is more secure.

Friday, May 31, 2013

PowerShell script to enhance the Windows CA SMTP exit module

Windows CA SMTP exit module

the Windows Certification Authority has a built in feature (Windows Enterprise SKU) to send out emails to inform the PKI administrators if a new pending certificate request waiting for approval or if a new certificate has been issued. Just 2 examples.

The configuration must be done in the registry: See here for an example
http://social.technet.microsoft.com/wiki/contents/articles/2004.active-directory-certificate-services-smtp-exit-module-for-windows-server-2008-r2-example.aspx

Unfortunately you cannot configure it to send the issued certificate to the certificate requestor. For that I wrote a PowerShell script what is also working with the Windows Server 2008 R2 Standard Server.

Config file - sendcert_inc.ps1:

$sendcertpath=".\sendcert"
$msgFrom='noreply@frontoso.com'
$smtphost='127.0.0.1'
$certtmpl="1.3.6.1.4.1.311.21.8.5245527.10310595.8014498.11013764.15833798.137.13192380.4508386" #CorpWebServer
$certfileExt="txt" # fyi: extensions cer and der are blocked by Outlook
$mailbody="mailbody.txt"
$dbscanperiod="03:00" # 01:00 = 1 day, 1:15 = 1 day 15 hours; $dbscanperiod is the max time (now - $dbscanperiod) sendcert goes back in the certificate database, e.g. useful if you have already issued certs for years and you going to enable sendcert now


Mailbody.txt

Hello, attached is the requested certificate.

Please download the certificate and proceed with the SSL/TLS setup of your application.

For your convenience the certificate can be found as attachment and in the mail body.


Thank you,


----------------------------------------------------------------------------
Do not reply to this message. It was sent from an unmonitored email account.




sendcert.ps1

#
# Author: lutz.mueller-hipper@tribaldi.net
# Updates: lutz.mueller-hipper@insight.com
# Date: May 23, 2013 - v3.1
#
clear

import-module ActiveDirectory
# if not yet installed please install the ActiveDirectory PowerShell module
#dism /online /enable-feature /featurename:ActiveDirectory-PowerShell

if (-not (Test-Path .\sendcert_inc.ps1))
{
  write-host "Error: sendcert_inc.ps1 configuration file not found." >>sendcert.log
  exit;
} else {
  . .\sendcert_inc.ps1
}

if (-not (Test-Path $sendcertpath)) { mkdir $sendcertpath >$null}

$Arr_SendCert = @()

write-host "=========================="
write-host Start Send certificate via email to certificate requestor
write-host "=========================="
write-host

#Disposition Description
#20 certificate was issued
#21 certificate is revoked
#30 certificate request failed
#31 certificate request is denied

$reqid_db = @()
$reqid_db = get-content $sendcertpath\reqid_do_not_remove.txt

$reqid_db2 = @()

foreach ( $line in $reqid_db) {
 write-host "Line: "$line
 $reqid_db2 = $reqid_db2 + $line
}

certutil.exe -view -out "Request.requestid,Request.requestid" -restrict "CertificateTemplate=$certtmpl,Disposition=20,NotBefore>now-$dbscanperiod" csv > $sendcertpath\sendcert_scope.csv
$collection = @(Import-CSV $sendcertpath\sendcert_scope.csv)
write-host Issued certs during period: $collection.count

if ($collection.count -gt 0) {
  foreach($CADBentry in $collection)
  {

    $reqid = $CADBentry."request id"

    if ($reqid_db2 -notcontains $reqid) {  
    write-host 'Preparing email for request: ' $reqid

    $certview = certutil.exe -view -out "rawcertificate" -restrict "Request.requestid=$reqid"

    $certemail = @()
    $certattach = @()
    foreach($line in $certview)
     {
     #write-host "Line: " $line

     if ( $line -eq "-----BEGIN CERTIFICATE-----" ) { $certbegin="1" }
     if ( $certbegin -eq "1") {
       #write-host "next person in line pls"
       $certemail = $certemail + $line.trim() + "`n" #+ "`r`n"
       $certattach = $certattach + $line.trim() # + "`n" #+ "`r`n"
     
     }
     if ( $line -eq "-----END CERTIFICATE-----" ) { $certbegin="0" }

    }
    $cadb_requser= certutil.exe -view -out "Requester Name" -restrict "Request.requestid=$reqid" csv
    $requser = $cadb_requser[1]
    $requser = $requser.split("\")
    $user = $requser[1]
    $requser = $user.split("`"")
    $user = $requser[0]

$aduser=""

try {
 $aduser = get-aduser $user -Properties mail
  #$aduser.mail
}

catch [Exception] {
   write-host $_.Exception.Message
}

if ($aduser.mail.length -lt 1) {
  write-host "no email address found"
} else {

    $certattach > $sendcertpath\$reqid"."$certfileExt

$msg=new-object System.Net.Mail.MailMessage
$msg.From=$msgFrom
$msg.to.Add($aduser.mail)
$msg.Subject=$env:computername + ": SSL certificate " + $reqid
$msg.IsBodyHtml=$false
$mailbody = @()
$getmailbody = Get-Content mailbody.txt
foreach ($line in $getmailbody) {
  $mailbody = $mailbody + $line + "`n"
}
$msg.Body=@"

$mailbody

$certemail

-
Ref $reqid_$env:computername

"@

$att = new-object Net.Mail.Attachment($sendcertpath + "\" + $reqid + "." + $certfileExt)
$msg.Attachments.Add($att)


$smtp=new-object System.Net.Mail.SmtpClient
$smtp.host=$smtphost

try {
  $smtp.Send($msg)
  $reqid >> $sendcertpath\reqid_do_not_remove.txt
}
catch {
 write-host $_.Exception.Message
}
finally {
  $smtp.dispose
  $att.dispose()
    }
   }
  }
 }
}


Friday, March 29, 2013

Cannot request a certificate and Error 1722: The RPC server is unavailable

RPC errors can be ugly and are often not that easy to identify. In the last months I had two Windows PKI Installations where I ran into the error 1722 RPC server not available. In both cases the Windows CA was up and running but I could not enroll or autoenroll certificates. So I check the firewall rules, the CA server time and date and I used certutil.exe -ping CAhostname to verify RPC network communication.

I ran certutil -ping one time with the netbios name of the CA and all worked. That's why no one had an issued with the machine before for file transfer or a ping with the netbios name.


C:\system\>certutil -ping win5011
Connecting to win5011 ...
Server "AAA Frontoso R3" ICertRequest2 interface is alive
CertUtil: -ping command completed successfully.


But the certutil -ping for the full qualified hostname failed.


C:\system\adhc>certutil -ping win5011.frontoso.com
Connecting to win5011.frontoso.com ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.


So it turned out that in both cases the client used a non-MS DNS server for the Active Directory environment and the FQDN name of the CA server was incorrectly configured there. After adjusting the IP address in DNS certutil -ping with the FQDN name worked and the certificate enrollment as well.

Ease Your Life when using Openssl s_client

I am really a big fan of openssl for certificate and network communication troubleshooting. And I am using it most of time from a Windows system.
I use the openssl s_client command very often to verify the network connectivity to a web or application server and to troubleshoot certificate errors in applications.

Openssl s_client gives out a lot of valuable information, but for inspecting the certificate you have first to transfer it into the correct file format. That should be easier to do. :-)

Example: openssl s_client -connect www.google.com:443



Loading 'screen' into random state - done
CONNECTED(00000128)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDgDCCAumgAwIBAgIKO6d8eAAAAACBeTANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzAzMTMxMzUyNDJaFw0xMzA2MDcxOTQzMjda
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw53d3cu
Z29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAzhYmBbH1F/Es
0HQevxU1WnQ+08bGZS615oiYVxxl2D74Nf4WbQRuXs6iju+RLOFrNAKgOPtQ8DLw
zo/ln9yzzm1iXGQJa8lOScTMdTg/4UQAQjJ5F8fYZr8zAdQbur/BQ5YSiyVqLO0t
N3IeezSvYC9r5SwSMLmnEqXCIa5B8sECAwEAAaOCAVEwggFNMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUdfF5NV20rqEcyl3mVAxqB7bE
2JkwHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNrEiQwWwYDVR0fBFQwUjBQ
oE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhv
cml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmwwZgYIKwYBBQUHAQEEWjBY
MFYGCCsGAQUFBzAChkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVy
bmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNydDAMBgNVHRMB
Af8EAjAAMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBBQUA
A4GBAKD8fqndlHcfvIHSXo5R/ehNsRXkyinvxwG4r1oMuO60c1KRV0DB22Mvqjp5
vn4nnkYfiVoQv/LlsIBy48is9jKB5AYyPq5R3LSrn7iheYlGY1omSZkdmHDBLtcl
+TtjTtz444O+7dYZAM0GyUdf/3HUoebs949KIu2Cg5QS8INZ
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2103 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
[cut]

Information about the validity (start,end), the server certificate thumbprint are not displayed. In the past I copied the lines from BEGIN CERTIFICATE to END CERTIFICATE into a text file using Notepad and I saved the file as cert1.cer. Then I could double-click the file in Windows Explorer and I had a nice interface to search through all attributes. Last week I figured out a more convenient way to do that. You can redirect the entire openssl s_client output into a cert1.cer file and the Windows Certificate Wizard is smart enough to read just the certificate from all the result data.

openssl s_client -connect www.google.com:443 > cert1.cer

Now you have a nice looking graphical interface to go through all the certificate information.



Wednesday, January 9, 2013

Manipulating the Microsoft Deployment Toolkit (MDT) database using PowerShell

I am helping at the school of our children to run the Windows server and workstations. For this and also in my lab I setup MDT to deploy new physical or virtual machines.
At school we buy used/re-furbished desktop or laptop computers a lot and all of them come with a unique Windows license. And we just cannot afford to buy a additional Enterprise license for each.
So MDT helps us also to keep track of all Windows product keys and we put them one time in a spreadsheet (we get some help from students here). So end of 2012 we got 35 new machines and I thought it would be nice to import the spreadsheet into the MDT database and assign the role to install Windows 7 32bit to them as well.

So I found this post http://blogs.technet.com/b/mniehaus/archive/2009/05/15/manipulating-the-microsoft-deployment-toolkit-database-using-powershell.aspx from Michael Niehaus and I downloaded the PowerShell command lets he provided as well.

Our spreadsheet has the format:
- 1. line includes the data headers: computername, Windows product code, machine's serial number
- the other lines have the data
The spreadsheet is delimited by tabs.

And her is the PowerShell I created:

##########


# Import the CSV file into a PowerShell array
$collection = @(Import-CSV .\HPlabcomputers20121231.csv -Delimiter "`t")

# Connect to the SQL database
connect-mdtdatabase -sqlserver . -database MDTDB

# Create for each computer an entry in the MDT database
foreach($computer in $collection)
{
$PCNAME=$computer.ComputerName
$SerialNum=$computer.SerialNum
$ProdKey=$computer.WinProductKey
write-host Importing $PCNAME
new-mdtcomputer -assetTag $computer.ComputerName -serialNumber $SerialNum -settings @{OSInstall='YES'; OSDComputerName=$PCNAME; ProductKey=$ProdKey}
}

# Assign for each computer the role to install Win7 Pro 32 bit
foreach($computer in $collection)
{
$PCNAME=$computer.ComputerName
write-host Updating $PCNAME
# Search for the computername and set the computer role
get-mdtcomputer -assetTag $PCNAME | Set-MDTComputerRole -roles @('Win7_lab_computers')
}


##########

So obviously the user account you use must have SQL permissions on the MDT database to update the database.
Also note that the MDT MMC (aka Deployment Workbench) does not show the new computers if you just click refresh on the Computers view under MDT Deployment Share/Advanced Configuration/Database. Click instead on Database and hit refresh, and go back to the Computers view.