Friday, October 31, 2014

Disable SSL3 on a Windows Server

As an update to a former post I want to provide an updated registry file which turns off SSL3. You can do the same thing using the Nartac tool or group policy settings.

Just a reminder: this will disable SSL3 for all services using the Microsoft Crypto API on that server. For other services, e.g. Apache, you have to find out yourself what to do. See also the bettercrypto project at https://bettercrypto.org/


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
"DisableRenegoOnClient"=dword:00000001
"DisableRenegoOnServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"

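After importing a file like the one above it is worth reading the keys back and checking what Schannel will actually do, because the two values have different meanings: "Enabled"=0 disables a protocol or cipher outright, while "DisabledByDefault"=1 only removes a protocol from the default set, so an application that explicitly asks for it can still use it (the SSL 3.0\Server key above uses the latter). The script below is an added example and not part of the original post; it only reads the registry and prints the effective state of every protocol, cipher, hash and key exchange key, using the .NET registry API because cipher key names such as "AES 128/128" contain a slash that the PowerShell registry provider treats as a path separator.

```powershell
# Added example (not from the original post): report the Schannel configuration state.
# Read-only; run on the server after importing the .reg file.
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    # Returns a one-line description of a key below HKLM, based on its
    # "Enabled" and "DisabledByDefault" values.
    param([Parameter(Mandatory)] [string] $SubKey)
    $key = $hklm.OpenSubKey($SubKey)
    if ($null -eq $key) { return 'not configured (OS default)' }
    try {
        $enabled = $key.GetValue('Enabled')            # dword ffffffff reads back as -1
        $dbd     = $key.GetValue('DisabledByDefault')
        if ($null -eq $enabled -and $null -eq $dbd) { return 'key present, no values (OS default)' }
        if ($enabled -eq 0) { return 'DISABLED (Enabled=0)' }
        if ($dbd -eq 1)     { return 'off by default (DisabledByDefault=1; used only if an application asks for it)' }
        return 'enabled'
    } finally {
        $key.Close()
    }
}

# Protocols have separate Client and Server subkeys.
foreach ($proto in 'Multi-Protocol Unified Hello','PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
    foreach ($side in 'Client','Server') {
        '{0,-30} {1,-7} {2}' -f $proto, $side, (Get-SchannelState "$schannel\Protocols\$proto\$side")
    }
}

# Ciphers, hashes and key exchange algorithms only carry "Enabled".
foreach ($group in 'Ciphers','Hashes','KeyExchangeAlgorithms') {
    $parent = $hklm.OpenSubKey("$schannel\$group")
    if ($null -eq $parent) { continue }
    foreach ($name in $parent.GetSubKeyNames()) {
        '{0,-30} {1,-7} {2}' -f "$group\$name", '', (Get-SchannelState "$schannel\$group\$name")
    }
    $parent.Close()
}
```

Lines reporting "not configured (OS default)" mean Schannel falls back to the built-in default of that Windows version, which differs between releases; if the intention is to disable a protocol regardless of what an application requests, the state to look for is "DISABLED (Enabled=0)".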
Thursday, July 31, 2014

PowerShell arrays with just one entry are not real arrays

Earlier this year I wrote about ADfind and PowerShell.

http://secattic.blogspot.com/2014/05/combine-adfind-and-powershell.html

What I found is that when the LDAP result contains only one entry, PowerShell does not create an array but something more like a single string. I am not sure how to explain that better. But what happens is, if you run e.g.

$content.length or $content.count, it does not return any value at all.

or

if you have code where you want to process all entries in an array, e.g. with foreach, and you access the array like this:

$content[$i].uid

it does not work and you see an error "Unable to index into an object..."

So the solution is to surround the array variable with @(), e.g. @($content).count

or

$dn=@($content)[$i].dn



Thursday, July 10, 2014

Sync between LDAP directories with LSC

Currently I am working on a Forefront Identity Manager IdM project. The client has a test environment which is a mirror of the production environment up to a certain point. This includes AD LDS and multiple Active Directories. Because of bindproxy objects we cannot just export and import user objects, because those rely on the objectSID in their environment, and after the account creation we can only update entries unless we have a lot of time to wait for tens of thousands of accounts to be recreated. So when we ran management agents in the test environment we changed a lot of data in AD LDS. I was looking for a way to roll back changes, to get fresh data from production, and also to get data from production that we do not handle with our management agents in test. For example street address, location and zip code of users, just to keep it simple for this post.
While exporting data from the production system into CSV and then re-importing it was my first approach, I really had a hard time finding tools for the import. Some great tools only work for AD user objects, so no luck with my objects in AD LDS (http://www.wisesoft.co.uk/software/bulkadusers/default.aspx). For others I first had to find out whether I wanted to add a new attribute or change an existing attribute value; I considered that too much effort to implement (ADfind/ADmod). I also spent some time with PowerShell, but I was not really successful either. So finally I asked around in our team and got a recommendation for LSC (http://tools.lsc-project.org/news/49). I installed it on Windows 2008 R2, and even though all the documentation points to Linux, it works well on Windows because it is Java. The developer website has an article describing how to run it on Windows, but I guess it is outdated: I did not need Maven or Ant to get version 2.10 running.
Just in case I need it again, I post here the configuration file I use to sync from prod to test (AD LDS to AD LDS). In my example I sync only accounts for users with the last name Mueller. You can change that of course. ;-)

Many thanks to the LSC team! And thanks to Kevin for pointing me in the right direction!

Install steps:

- Install Java
- Set JAVA_HOME
- Create a new folder and copy the logback.xml from the examples there
- Create the lsc.xml (feel free to be a copy cat)
- Run from the bin directory: lsc.bat -f <folder where lsc.xml is> -s all -c all -n

(with -n it will do a dry run)


lsc.xml

<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
  <connections>
    <ldapConnection>
      <name>LDAPsource</name>
      <url>ldap://source.mydomain.com:389/o=mydomain.com</url>
      <username>username@mydomain.com</username>
      <password>password</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
    <ldapConnection>
      <name>LDAPdestination</name>
      <url>ldap://destination.mydomain.com:389/o=mydomain.com</url>
      <username>uid=svc_acct,OU=admins,O=mydomain.com</username>
      <password>password</password>
      <authentication>SIMPLE</authentication>
      <referral>IGNORE</referral>
      <derefAliases>NEVER</derefAliases>
      <version>VERSION_3</version>
      <pageSize>1000</pageSize>
      <factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
      <tlsActivated>false</tlsActivated>
    </ldapConnection>
  </connections>
  <tasks>
    <task>
      <name>People</name>
      <bean>org.lsc.beans.SimpleBean</bean>
      <ldapSourceService>
        <name>LDAPsource-service</name>
        <connection reference="LDAPsource" />
        <baseDn>ou=users,o=mydomain.com</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>uid</string>
          <string>street</string>
          <string>l</string>
          <string>postalCode</string>
          <string>C</string>
          <string>mobile</string>
          <string>userCertificate</string>
        </fetchedAttributes>
        <getAllFilter>(sn=mueller)</getAllFilter>
        <getOneFilter>(&amp;(objectClass=person)(uid={uid}))</getOneFilter>
        <cleanFilter>(&amp;(objectClass=person)(uid={uid}))</cleanFilter>
      </ldapSourceService>
      <ldapDestinationService>
        <name>LDAPdestination-service</name>
        <connection reference="LDAPdestination" />
        <baseDn>ou=users,o=mydomain.com</baseDn>
        <pivotAttributes>
          <string>uid</string>
        </pivotAttributes>
        <fetchedAttributes>
          <string>uid</string>
          <string>street</string>
          <string>l</string>
          <string>postalCode</string>
          <string>c</string>
          <string>mobile</string>
          <string>userCertificate</string>
        </fetchedAttributes>
        <getAllFilter><![CDATA[(objectClass=person)]]></getAllFilter>
        <getOneFilter><![CDATA[(&(objectClass=person)(uid={uid}))]]></getOneFilter>
      </ldapDestinationService>
      <propertiesBasedSyncOptions>
        <mainIdentifier>"uid="+srcBean.getDatasetFirstValueById("uid") + ",ou=users,o=mydomain.com"</mainIdentifier>
        <defaultDelimiter>;</defaultDelimiter>
        <defaultPolicy>FORCE</defaultPolicy>
        <conditions>
          <create>false</create>
          <update>true</update>
          <delete>false</delete>
          <changeId>false</changeId>
        </conditions>
        <dataset>
          <name>uid</name>
          <policy>KEEP</policy>
          <createValues>
            <string>srcBean.getDatasetFirstValueById("uid")</string>
          </createValues>
        </dataset>
      </propertiesBasedSyncOptions>
    </task>
  </tasks>
</lsc>







Tuesday, May 6, 2014

Combine ADfind and PowerShell


I really love adfind.exe (http://www.joeware.net/freetools/tools/adfind/index.htm) for searching in AD and AD LDS, even if these machines are not part of the AD or belong to a different AD. Especially the CSV export is really powerful, so I was wondering how I can feed the adfind CSV output directly into a PowerShell array for further processing.


PS C:\System> $content= (tools\adfind -h dir.server.com:389 -b "o=mycompany" -u "username" -up "userpass" -maxe 25 -csv -csvdelim "|" -f "(objectclass=*)" cn | ConvertFrom-Csv -delimiter "|" )

So the command line above will run adfind to search for all entries on dir.server.com regardless of the object class, but it will only return the first 25 entries. You can adjust the maxe option. I mostly work on larger projects, so I found the 25-entry limit convenient and time-saving.
Then all results will be available in the $content array for further processing with PowerShell, e.g. counting, sorting, checking for duplicates on specific attributes, ... you name it.
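The pipeline above, and the one-entry problem described in the July post ("PowerShell arrays with just one entry are not real arrays"), can both be handled in one small wrapper. The code below is an added example, not from the original posts: it takes delimiter-separated lines such as adfind's -csv output, parses them with ConvertFrom-Csv and always returns a real array, so .Count and [index] behave the same whether the search matched one entry or many. The sample lines are constructed to look like adfind output and are not real directory data; the function name ConvertTo-EntryArray and the commented live call with its host and credentials are placeholders.

```powershell
# Added example (not from the original post): adfind CSV output -> PowerShell array that is
# safe to count and index even when only one entry came back.
function ConvertTo-EntryArray {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,   # header line first, then one line per entry
        [string] $Delimiter = '|'
    )
    # @() forces an array (a single parsed row would otherwise come back as one object),
    # and the leading comma stops PowerShell from unrolling that array on return.
    return ,@($CsvLines | ConvertFrom-Csv -Delimiter $Delimiter)
}

# Constructed sample output: the first search matched three entries, the second only one.
$many = ConvertTo-EntryArray -CsvLines @(
    'dn|cn|uid',
    'uid=amueller,ou=users,o=mycompany|Anna Mueller|amueller',
    'uid=bmueller,ou=users,o=mycompany|Ben Mueller|bmueller',
    'uid=cmueller,ou=users,o=mycompany|Cara Mueller|cmueller'
)
$single = ConvertTo-EntryArray -CsvLines @(
    'dn|cn|uid',
    'uid=amueller,ou=users,o=mycompany|Anna Mueller|amueller'
)

# Both .Count and [0] work regardless of how many rows were returned.
'many:   {0} entries, first uid = {1}' -f $many.Count,   $many[0].uid
'single: {0} entries, first uid = {1}' -f $single.Count, $single[0].uid

# The kind of follow-up processing the post mentions: spot duplicate uids across result sets.
($many + $single) | Group-Object uid | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { 'duplicate uid: {0} ({1}x)' -f $_.Name, $_.Count }

# Live use (requires adfind.exe; host name, base DN and credentials are placeholders):
# $content = ConvertTo-EntryArray -CsvLines (& .\adfind.exe -h dir.server.com:389 -b "o=mycompany" `
#                -u "username" -up "userpass" -maxe 25 -csv -csvdelim "|" -f "(objectclass=*)" cn)
```

The wrapper is deliberately used at the point where the result is captured, so every later loop, count or sort in the script can assume an array and never needs its own @() guard.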




Saturday, April 26, 2014

Welcome MIM

Welcome Microsoft Identity Manager!

After MMS, MIIS, CLM, ILM and FIM we got a new acronym: MIM - Microsoft Identity Manager.

http://blogs.technet.com/b/server-cloud/archive/2014/04/23/forefront-identity-manager-vnext-roadmap-now-microsoft-identity-manager.aspx

Perhaps because I never understood why it was called Forefront, Microsoft thought simpler is better.
So then the only question is why FIM became MIM and not CIM - Cloud Identity Manager. Perhaps one day we will all have just one ID in the cloud and there is no need for identity management anymore. Nice dream.


Tuesday, December 17, 2013

Network Discovery for Dummies

As a consultant I work on several client projects over the year, and sometimes I do not get good/meaningful documentation before I start. Some environments are even so restricted that I cannot install tools, or that I have to survive with a regular user account until I get clearance for a domain admin account.
So I checked out which built-in tools I could use on a Windows machine to do a basic discovery of the IT ecosystem.

1. Either I can connect my laptop or I get a machine from the client, so I can open a command prompt and see the IP configuration with ipconfig.

2. Run ipconfig again with the /all parameter and find out the primary DNS suffix (which is most likely the DNS name of the AD); here in this example it is frontoso.com

nslookup -querytype=SRV _ldap._tcp.dc._msdcs.frontoso.com

Nslookup should give you a list of all domain controllers of frontoso.com

3. Now I want to see what other machines are around me in the same subnet.

The FOR /L command will fire up a ping command for each IP address in the range (10.0.1.1 - 10.0.1.250). Depending on the subnet this can be adjusted. We use it only to get the MAC addresses from the ARP cache, and if you scan more than the subnet range you will not get more hits from the ARP cache.

So run FOR /L %v IN (1,1,250) DO start ping -n 1 10.0.1.%v from the command line

and then arp -a to see all entries from the ARP cache

Example:
Interface: 172.16.32.15 --- 0xa
  Internet Address      Physical Address      Type
  172.16.32.1           54-75-d0-e2-c5-42     dynamic
  172.16.32.8           00-15-5d-20-08-35     dynamic
  172.16.32.9           00-14-5e-45-6e-25     dynamic
  172.16.32.10          68-ef-bd-93-82-04     dynamic
  172.16.32.11          00-15-5d-20-0e-32     dynamic
.....


So even if ping did not work because ICMP is disabled on the target machine, the ARP cache entry exists.
The MAC address also tells you the vendor of the network card, so sometimes this helps, e.g. in the example above all 00-15-... machines are virtual machines on Microsoft Hyper-V.

4. If you want the server names, use ping -a to ask DNS for a reverse DNS resolution. Server names can tell a lot, e.g. about location and purpose, depending on the naming convention. (Note the >> in the command: it appends each result to pinga.txt instead of overwriting the file on every iteration.)

FOR /L %v IN (1,1,250) DO ping -a -n 1 10.0.1.%v >> pinga.txt

5. If you just want to check that you can access an SMB share through a firewall you can use

net use \\IPorServername\ipc$

even if you do not have permissions to access the share; then you get an access denied message. But this tells you also that the firewall is most likely not preventing SMB traffic to that machine.
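The arp -a output from step 3 is plain text, which is awkward to sort, count or compare against an asset list. The function below is an added example and not part of the original post: it parses that output into objects and groups the neighbours by the first three octets of the MAC address (the OUI that identifies the card vendor, as the post notes for the 00-15-5d Hyper-V prefix). The sample lines are constructed to match the layout of the example above and are not a real capture; the function name ConvertFrom-ArpTable is an assumption.

```powershell
# Added example (not from the original post): turn "arp -a" output into objects.
function ConvertFrom-ArpTable {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $interface = $null
    foreach ($line in $Lines) {
        # "Interface: 172.16.32.15 --- 0xa" starts a new block; remember which NIC it belongs to
        if ($line -match '^Interface:\s+(\S+)') { $interface = $Matches[1]; continue }
        # Entry lines: IP address, MAC with dashes, and type; header lines do not match
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            [pscustomobject]@{
                Interface  = $interface
                IPAddress  = $Matches[1]
                MacAddress = $Matches[2]
                Oui        = ($Matches[2] -split '-')[0..2] -join '-'   # vendor prefix
                Type       = $Matches[3]
            }
        }
    }
}

# Constructed sample in the format shown above (not a real capture).
$sample = @(
    'Interface: 172.16.32.15 --- 0xa',
    '  Internet Address      Physical Address      Type',
    '  172.16.32.1           54-75-d0-e2-c5-42     dynamic',
    '  172.16.32.8           00-15-5d-20-08-35     dynamic',
    '  172.16.32.11          00-15-5d-20-0e-32     dynamic',
    '  172.16.32.255         ff-ff-ff-ff-ff-ff     static'
)

# Keep only learned (dynamic) entries; static ones are broadcast/multicast placeholders.
$neighbours = @(ConvertFrom-ArpTable -Lines $sample | Where-Object { $_.Type -eq 'dynamic' })

# How many hosts per vendor prefix; 00-15-5d is the Hyper-V prefix mentioned in the post.
$neighbours | Group-Object Oui | Sort-Object Count -Descending |
    ForEach-Object { '{0}  {1} host(s)' -f $_.Name, $_.Count }

# Live use on the machine itself:  ConvertFrom-ArpTable -Lines (arp -a)
```

Because the result is an array of objects, it can be exported with Export-Csv and diffed against the client's inventory later, which is usually the point of collecting it in the first place.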

Hope that helps,
Lutz




Sunday, November 10, 2013

Creating a IPSEC tunnel with the Windows Firewall with Advanced Security

Windows provides a very simple way to establish secure communication (IPSEC) between two machines at the machine level: Connection Security Rules.
Connection Security Rules allow the configuration of encrypted communication even when no user is logged on. The IPSEC rule can use a preshared key (for testing, a single server, or when you do not have a PKI) or digital certificates for authentication in an enterprise environment. Using certificates is the best way for authentication and my recommendation.
The computer and the users still have to authenticate before they can use any service on an IPSEC-protected host, so see IPSEC as a pre-authentication.

Use scenarios:
- You want to allow access to Exchange Outlook Anywhere or other internal services only from corporate laptop computers, directly or over TMG or UAG
- You have a server hosted externally and you want a more secure way to RDP in
- You want to allow access to a file share for remote workers in a way that they do not have to VPN in all the time
- You want to make sure that computers of remote workers can use the corporate WSUS server for patching even when the machines are not connected back via VPN to the corporate network
- ...

Requirements:
- The Windows Firewall service must be running
- Windows Firewall profiles must be active for the network profile(s)
- Firewall rules must allow the IPSEC traffic: ESP and UDP 500 (ISAKMP). UDP 4500 (IPSEC NAT-T) is required if the server is behind a NAT firewall (as it is in this example)


Note: You can also require IPSEC only for certain TCP ports, e.g. if you have an externally hosted web server: require IPSEC only for 3389 (RDP) for web server administration, while port 80 stays open because your clients want to surf your company's public web site. And make all other ports of that server not available from outside at all.

Client Configuration Steps


The client configuration can be done using the Windows Firewall with Advanced Security management console (wf.msc) or via group policy. In this post I use group policy.

1. Open Group Policy Management

2. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Windows Firewall with Advanced Security/Connection Security Rules

Note: as an alternative and for testing you can also start the Windows Firewall management console by starting wf.msc from the Run dialog.

3. Right-click on Connection Security Rules and click on New Rule…

4. Select Server-to-server as rule type and click Next.

5. Add the public IP address of the edge server to the list of IP addresses under “Which computers are in Endpoint 2?” Then select Next to continue.

6. Select and then click Next.

7. Click Browse and select the appropriate CA name. Then click Next.

8. Select all firewall profiles and click Next.

9. Enter name and description of the rule. Then click Finish to end the configuration wizard.



Server Side Configuration Steps


The server must have a second network card for external-facing connections. The IPSEC rules should be configured for this interface only, otherwise you might lose the network connection to the server.

1. Start the Windows Firewall with Advanced Security management console from the Run menu by running wf.msc.

2. Click on Connection Security Rules and then New Rule…

3. Select Server-to-server and click Next.

4. Add the server IP address to the list of IP address under “Which computers are in Endpoint 2?” and click Next to continue.

5. Select Require authentication for inbound and outbound connections and then click on Next.

6. Click Browse and select the appropriate CA name. Then click Next.

7. Select all firewall profiles and click Next.
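The server-side steps above are done in the wf.msc wizard. As an added example, not part of the original post, the same configuration expressed with the NetSecurity PowerShell cmdlets, which exist on Windows 8 / Windows Server 2012 and later (an assumption about the server version; the post uses the console and does not mention them). It covers the requirement list (firewall rules for ESP, UDP 500 and UDP 4500), the certificate-based authentication set chosen in the "Browse" step, and a rule that requires authentication inbound and outbound for all profiles, scoped to the external interface so the management connection on the other NIC is not affected. The interface name, peer address and CA distinguished name are placeholders.

```powershell
# Added example (not from the original post): server-side IPsec configuration with the
# NetSecurity cmdlets. Run in an elevated prompt; replace the placeholders first.
$externalIf  = 'Ethernet 2'           # placeholder: the second, external-facing NIC
$peerAddress = '203.0.113.10'         # placeholder: public IP of the other endpoint
$rootCaDn    = 'CN=Contoso Root CA'   # placeholder: DN of the CA that issued the machine certificates

# Requirement from the post: the firewall must let the IPsec traffic itself through.
# ESP is IP protocol 50, ISAKMP is UDP 500, NAT-T is UDP 4500 (needed behind NAT).
New-NetFirewallRule -DisplayName 'IPsec ESP in'   -Direction Inbound -Protocol 50  -Action Allow -InterfaceAlias $externalIf
New-NetFirewallRule -DisplayName 'IPsec IKE in'   -Direction Inbound -Protocol UDP -LocalPort 500  -Action Allow -InterfaceAlias $externalIf
New-NetFirewallRule -DisplayName 'IPsec NAT-T in' -Direction Inbound -Protocol UDP -LocalPort 4500 -Action Allow -InterfaceAlias $externalIf

# Authentication: machine certificate chained to the CA picked in the "Browse" step.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $rootCaDn -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Machine certificate authentication' -Proposal $proposal

# The connection security rule: require authentication for inbound and outbound connections,
# all profiles, limited to the peer address and the external interface.
New-NetIPsecRule -DisplayName 'Require IPsec from peer' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -RemoteAddress $peerAddress `
    -Profile Any `
    -InterfaceAlias $externalIf

# Verification once the peer connects: a main-mode and a quick-mode SA should exist for it.
Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $peerAddress } | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $peerAddress } | Select-Object LocalEndpoint, RemoteEndpoint
```

Scoping the rule with -InterfaceAlias is the scripted equivalent of the warning above about the second network card: a rule that applies to every interface would also require IPsec on the management connection and can lock you out of the server.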