Archive

Archive for April, 2010

The Get On The Bus tour is coming and we’re bringing some free SWAG!

April 27th, 2010 No comments



We are giving away 50 copies of Windows 7 Ultimate for the first 50 Get On the Bus event attendees through the door at EVERY STOP! Don’t miss your chance to win a copy of Microsoft’s newest software offering plus some chances at some other great swag so hurry and register today at www.thebustour.com.


What is the “Get On The Bus Tour”? Well, it’s where Microsoft comes to you. We are coming to the East Coast May 21-June 4! Come spend some time with us as we travel the East Coast for a deep dive into Windows 7 and Office 2010, along with a specific path on how to get certified. Learn why Windows 7 has received rave reviews from IT organizations and why so many IT Pros are excited about Office 2010. We will show you best practices for deploying Windows 7 and how to keep it running efficiently after deployment. We will also take a tour through all of the Office 2010 features from an IT Professional’s point of view. Registration is free but limited at http://thebustour.com.


For the latest updates follow us on Twitter @thebustour


Disclaimer:


To receive your free copy of Windows 7 Ultimate, be one of the first 50 people who are US residents (includes D of C) or Canada 18+ to arrive at a Microsoft Get On the Bus Tour afternoon event.  50 copies of the software title are available. Limit one gift per person.  This offer is non-transferable and cannot be combined with any other offer.  This offer ends on June 4, 2010 while supplies last, and is not redeemable for cash.  Taxes, if any, are the sole responsibility of the recipient.  There is no shipment of your gift – all gifts will be distributed onsite.

How to Request a Certificate With a Custom Subject Alternative Name

April 22nd, 2010 Comments off
Categories: Uncategorized Tags:

Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

April 20th, 2010 Comments off

Introduction:

When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can recover in a timely manner with little effect on your organization.

Common Reasons that Make a Disaster Recovery Plan Necessary Include: 

Failed services. If Certificate Services fails to start on the certification authority (CA) computer, no certificates can be issued and certificate revocation lists (CRLs) cannot be published. Your disaster recovery plan should include performing either System State or manual CA backups and testing recovery (on a different system) on a regular basis.

Hardware failure. Disaster plan options for recovering after hardware failure include: 

·         Maintaining duplicate hardware (such as spare motherboards or spare computers);

·         Implementing fault-tolerant RAID 1 or RAID 5 volumes to prevent CA failure due to a single disk failure.

Network infrastructure failure. Disaster recovery plans must account for network infrastructure failures. If an application implements CRL checking and a network infrastructure failure prevents it from accessing the most recent version of the CRL, the application will not validate the certificates presented to it. Your disaster recovery plan should include methods of diagnosing network infrastructure failures and redundant methods of publishing CRL information to protect against network failure.

Developing Required Documentation

One of the most important tasks during the design and deployment of a PKI is to ensure that your network and configuration documentation is updated continually. When you undergo disaster recovery, this documentation is the most important source of information regarding the previous Certificate Services configuration.

You should maintain the following documentation to ensure that you can apply all required configuration of Certificate Services successfully. The backup and recovery procedure for each of these items is explained later in this document. 

 All certificate template definitions. In the worst case, you might have to rebuild Active Directory, which requires the redefinition of all certificate templates. By documenting the individual settings for each certificate template on a tab-by-tab basis, you can easily re-create each certificate template.

All certificate templates published at the CA. You can create a custom script file that runs certutil -SetCATemplates +<TemplateName> to publish certificate templates and certutil -SetCATemplates -<TemplateName> to remove certificate templates from the CA.

All permissions and user rights assignments. CA permissions define which users or groups hold the CA administrator and certificate manager Common Criteria roles, which groups or users can read the CA configuration, and which groups or users can request certificates from the CA. In addition, the Local Security Policy or domain-based Group Policy objects (GPOs) applied to the CA’s computer account define the user rights assigned to the computer account, including the Common Criteria backup operator and auditor role holders.

 All names used for the CA. Includes the CA’s logical name, the NetBIOS name of the computer hosting Certificate Services, and the domain or workgroup membership. The certificate information is based on the CA’s specific names and must be restored exactly.

 All specific settings in the properties of the CA in the Certification Authority console. Be sure to identify which certificates are designated for key recovery, if implemented, as well as certificate manager restrictions.

 Any post- or preinstallation script files used to configure the CA. For example, if you run a batch file consisting of certutil commands that define the CA’s registry settings, you should store a copy of the batch file for documentation and recovery purposes. Likewise, you should keep a copy of a batch file that publishes the CA’s CRL on an externally accessible Web server.

The CA data paths. When you restore the CA, the previous file locations for the CA database, CA log files, and CA configuration information must be maintained to match the restored registry values.

The CRL and Authority Information Access (AIA) publication points. Once the CA is restored, you must publish an updated CRL and, possibly, an updated CA certificate to the designated publication points. Ensure that no previous publication points are omitted.

The cryptographic service provider (CSP) used to protect the CA’s private key. The same CSP must be used to restore the previous key pair for the CA. The CSP might require additional software.

 The key length of the CA’s certificate. If you are reinstalling the CA or renewing the CA certificate, you should maintain the same key length as originally deployed.

 The logical disk-partitioning scheme for the CA computer. When you restore Certificate Services configuration, the disk volumes must implement the same drive letters. Disk volumes can be different sizes or implement different RAID levels, but the drive letters and locations must remain the same for the CA database, CA logs, CA configuration folder (if implemented), and operating system.

 A copy of the CAPolicy.inf file deployed in the %windir% of the CA computer. The CAPolicy.inf must be in place when renewing the CA’s certificate.

Disaster Recovery Procedures: 

There are two methods to back up and restore the Certification Authority:

1-      System State Backup

2-      The certutil command line combined with a registry export

Update: It just came to my attention that System State Backup in Windows 2008 and 2008 R2 will not back up the private key of the CA. The private key is stored in the hidden folder structure %systemdrive%\ProgramData\Microsoft\Crypto\Keys, which is linked and accessible via %systemdrive%\Users\All Users\Microsoft\Crypto\Keys. %systemdrive%\ProgramData\Microsoft\Crypto\Keys is not included in the System State backup because it is not in the system writer’s metadata, so it will be empty after a System State restore.

If you prefer to have System State Backup, then you should consider backing up the private key separately using certutil -backup.

Advantages and Disadvantages of Each Procedure: 

Each method has advantages and disadvantages. The main advantage of System State backup is simplicity: the administrator has to join an identical piece of hardware to the domain where the CA existed and restore the System State Backup. The main disadvantage of System State is its dependence on identical hardware.

The Certutil command in combination with the registry export allows the administrator to restore the Certification Authority to any server – hardware agnostic. The main disadvantage of the Certutil command is the amount of steps required to perform the restore.

The document hereafter will only discuss the backup and restore methods using the Certutil command. In addition the document assumes Web Enrollment Pages are installed at the Certification Authority.


Back Up the Certification Authority: 

Any proper backup of a CA should include the CSP (cryptographic service provider) settings, the templates published at the CA, the private key, the certificate database and logs, and the configuration of the CA stored in HKLM\System\CurrentControlSet\Services\CertSvc\Configuration. The script below combines all of these steps.

1-      Log on as user who has CA administrator rights.

2-      Create a folder under %Homedrive% called Backup.

3-      Create a new text document under C:\scripts

4-      Paste the following text: 

@echo off
echo Backup Certification Authority, Certificates, Templates and CSP
REM Work from the scripts folder on the system drive
c:
cd \scripts
REM certutil -backup refuses to write into a non-empty folder, so clear the previous backup first
echo Y| del C:\backup\database
rd C:\backup\database
echo Y| del C:\backup
echo Backing up the Certification Authority and Certificates
REM Writes the CA database to C:\backup\database and the CA certificate plus private key to a password-protected PKCS #12 file
certutil -backup -p Password C:\backup
echo Backing up the registry keys
reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration C:\backup\regkey.reg
REM Record which cryptographic service provider protects the CA key; the same CSP is needed at restore time
certutil -getreg CA\CSP > C:\backup\CSP.txt
echo Documenting all certificate templates published at the CA
certutil -catemplates > C:\backup\CATemplates.txt

*Note* You need to enter a valid password in the script where noted (the value after -p). The line immediately following the Certification Authority backup backs up the registry.

5-      Save the file as “BackupCertificates.cmd”

6-      Schedule a task to run every day using an administrative account.

7-      Schedule your regular backup software job to backup the System State and the C:\Backup folder every day or copy the folder to a safe location.

Steps to Restore the Certification Authority:

Restoring the CA will require using the backup files taken from the Certification Authority, in addition to rebuilding a new server. The steps required are:

1-      Extend the life of the CRL file

2-      Decommission the Old Certification Authority

3-      Install Active Directory Certificate Services (ADCS) at the new server

4-      Restore the Certification Authority Configuration

5-      Restore the Database and Templates to the Certification Authority 

Extending the Life of the CRL file: 

This step is necessary to ensure that clients can still process revocation information in a timely manner while the CA is unavailable.

1-      Log on to any machine in your domain as an administrator

2-      Obtain a CRL or certificate issued by the CA being restored. If you are restoring multiple keys, the CRL or certificate must correspond to the specific CA key and certificate being restored.

3-      Extend the life of the CRL by running Certutil -sign <CRLFileName.crl> ++dd and, when prompted, select the CA certificate (imported in the previous procedure) as the signing certificate.

Example:

                Certutil -sign Contoso-Issuing-CA.crl ++03

This command extends the life of the CRL by 3 days. The same command can also re-sign a certificate file, writing the result to a new file:

                  Certutil -sign CertFileName.cer NewCertFile.cer

 4-      Publish the CRL file to all distribution points as follows:

a.       Copy the CRL file to the http distribution points

b.      Log on to any machine in the domain as an enterprise admin and run certutil -f -dspublish <CRLFileName.crl>

You must now clean the keys from the test system (the machine on which the CA certificate and private key were imported to sign the CRL). To clean the keys from the system:

1.       Log on as a member of local Administrators and delete the user profile of the administrator account using Advanced Properties in My Computer.

2.       Delete the administrator account.

3.       Securely erase the unallocated areas of the disk to permanently remove traces of the keys by running the following command:

                 Cipher /W:%AllUsersProfile%

Note:  Specifying %allusersprofile% as the path ensures that the cipher.exe command operates on the drive holding the user profiles. It clears the whole drive, not just the indicated path, hence making the machine unusable.

Decommission the Old Certification Authority:

This procedure is explained in detail in a support article. Refer to http://support.microsoft.com/kb/889250 for the steps required to decommission the old Certification Authority.

Install Active Directory Certificate Services at the New Server:

The new server must have the same computer name as the old server. Furthermore, it should run the same operating system as the failed server.

1-      Partition the server with the same volume names

2-      Copy or restore the files from the Backup folder to the new server. You should have the database, the PKCS #12 (*.p12) file, the registry export (regkey.reg), CATemplates.txt and CSP.txt.

3-      In Server Manager, click Add Roles.

4-      In the Select Role Services window, select Certification Authority and Certification Authority Web Enrollment – if installed previously , and then click Next

5-      In the Specify CA Type dialog box, click the appropriate CA type based on the failed server CA type.

6-      Click Use custom settings to generate the key pair and CA certificate, and then click Next.

7-      In the Set Up Private Key window, select Use existing private key, then select the option Select a certificate and use its associated private key. Click Next.

8-      In the Select Existing Certificate, choose the Import option and browse to the PKCS12 file in the backup folder, type the password you used during the backup, and click OK, then click Install

9-      Follow the setup screens until the CA is restored

Restore the Certification Authority Configuration:

1-      Stop the Certificate Services service.

2-      Locate the registry file that you restored, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly. By default, the new path is C:\Windows in Windows Server 2003.

Restore the Database and Templates to the Certification Authority:

Use the Certification Authority snap-in to restore the CA database. To do this, follow these steps:

1-      In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA. The Certification Authority Restore Wizard starts.

2-      Click Next

3-      Click Certificate database and certificate database log.

4-      Type the backup folder location, and then click Next.

5-      Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.

6-      Click Finish, and then click Yes to restart Certificate Services when the CA database is restored.

7-      In the Certification Authority snap-in, manually add or remove certificate templates so that the set published at the CA matches the list recorded in the CATemplates.txt file from the backup.
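Step 7 above, and the earlier note that a script of certutil -SetCATemplates commands can republish templates, both rely on the CATemplates.txt recorded by the backup script. The following Python script is an added example and is not part of the original post or of certutil: it parses two constructed samples of certutil -catemplates output (the line format "TemplateName: Display Name -- flags" followed by a trailing "CertUtil:" status line is an assumption), compares the template names recorded at backup time with those on the freshly installed CA, and emits the certutil -SetCATemplates commands needed to make the two lists match.

```python
"""Reconcile published certificate templates on a restored CA with the
CATemplates.txt taken by the backup script (added example, not the post's code)."""
import re

# Constructed sample of C:\backup\CATemplates.txt from the failed CA.
# The "Name: Display Name -- flags" line format is an assumption.
BACKUP_CATEMPLATES = """\
Administrator: Administrator -- Auto-Enroll
DomainController: Domain Controller -- Auto-Enroll
WebServer: Web Server
Contoso-SmartcardLogon: Contoso Smartcard Logon -- Auto-Enroll
CertUtil: -CATemplates command completed successfully.
"""

# Constructed sample of the same command run on the newly installed CA,
# which still carries the default template set instead of the custom one.
CURRENT_CATEMPLATES = """\
Administrator: Administrator -- Auto-Enroll
DomainController: Domain Controller -- Auto-Enroll
WebServer: Web Server
SubCA: Subordinate Certification Authority
CertUtil: -CATemplates command completed successfully.
"""

# Template common name: everything up to the first ": ".
_TEMPLATE_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+):\s")


def parse_catemplates(text: str) -> list[str]:
    """Return the template names listed in certutil -catemplates output, in
    file order, skipping blank lines and the trailing CertUtil status line."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("CertUtil:"):
            continue
        match = _TEMPLATE_LINE.match(line)
        if match:
            names.append(match.group("name"))
    return names


def reconcile(backup_text: str, current_text: str) -> list[str]:
    """Return the certutil commands that make the restored CA publish exactly
    the templates the backup recorded: +Name publishes, -Name removes."""
    wanted = parse_catemplates(backup_text)
    present = parse_catemplates(current_text)
    commands = [f"certutil -SetCATemplates +{n}" for n in wanted if n not in present]
    commands += [f"certutil -SetCATemplates -{n}" for n in present if n not in wanted]
    return commands


if __name__ == "__main__":
    # On a real restore, paste the output into a .cmd file and run it on the CA.
    for command in reconcile(BACKUP_CATEMPLATES, CURRENT_CATEMPLATES):
        print(command)
```

Only template names are compared, not the Auto-Enroll flags: autoenrollment is controlled by permissions on the template object in Active Directory, which the CA restore does not touch. Review the generated -Name lines before running them, since removing a template stops the restored CA from issuing that certificate type.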

Categories: Uncategorized Tags:

Data recovery out of “lost” or corrupted Transaction Logfiles ?

Many customers ask for data recovery out of corrupt transaction log files, or out of “lost” transaction log files that show up as a gap when running eseutil /ml e0X.

(For example, a restore from backup where hard recovery is interrupted by a corrupted transaction log file.)


In other words – can we extract data out of Transaction log files?


The answer is NO. The content is binary.


If we open transaction log files in Notepad we see only a little data in clear text, such as:

————


From:
To:
Subject:


————
Here is a sample showing how to work out which senders and recipients should be informed about potential data loss when not all log files can be recovered in a restore scenario.

A good explanation of using strings.exe to filter information out of transaction logs is available in Scott Oseychik’s blog:


 “Rough and Tough” guide to identifying patterns in transaction logs


http://blogs.msdn.com/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx


###########


1.  Download the “Unix for Win32” utilities from http://downloads.sourceforge.net/unxutils/UnxUtils.zip?modtime=1172730504&big_mirror=0

2.    Extract all files from the UnxUtils\usr\local\wbin subdirectory to C:\UNIX

3.    Download strings.exe from http://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx, and place strings.exe into C:\UNIX

4.    Make a C:\TMP directory (Unix tools need a Win32 equivalent of /tmp)

5.    Make a directory for all your transaction log files (i.e. D:\customers\test), and place all the logs in this dir

6.    From a cmd prompt, navigate to your C:\UNIX dir

7.    Run the following command:
strings -q -n 16 D:\customers\test\*.log | cut -f3 -d: | sort | uniq -c | sort | tee c:\log-output.wri

What this is doing:
·         Identifies all strings in the logs greater than 16 chars


·         Removes the D:\customers\test\E00xxxx.log: from the output


·         Sorts the output


·         Finds all duplicate records, and retains a count


·         Sorts the final output (ending with the largest # of occurrences)


·         Writes all the output to c:\log-output.wri (use WordPad / write.exe to open; notepad.exe mangles the output)


############

Strings.exe command to filter the following information out of transaction logs

==========================================================
————


From:
To:
Subject:


————

1. Create a text file called search.txt with exactly the following content:

From:
To:
Subject:
2. Run the following command, adjusting the folder path as appropriate:

strings.exe -q -n 8 C:\UNIX\Trans_Logfilesfolder\*.log | findstr /i /G:c:\UNIX\search.txt >> C:\UNIX\output.txt

(Prerequisites are steps 1 to 6 from the blog above)
It does the following:

===============

- Looks for strings with a minimum length of 8 characters

- Hands them over to findstr

- Filters for the criteria in search.txt (case-insensitive)

- Appends the result to output.txt

Example for OUTPUT.txt (info crossed out to hide customer data):

===================

C:\UNIX\Logfiles_HA_RE\E033A952.log: From: XXXXXXX <XXXX@DOMAIN_A.de>


C:\UNIX\Logfiles_HA_RE\E033A952.log: Reply-To: XXXXXXX <XXXX@DOMAIN_B.de


C:\UNIX\Logfiles_HA_RE\E033A952.log: Subject: Re: Testmail Analyzer


C:\UNIX\Logfiles_HA_RE\E033A952.log: To: XXXXXXX <XXXX@DOMAIN_C.de


C:\UNIX\Logfiles_HA_RE\E033A952.log: Subject: Testmail Analyzer


C:\UNIX\Logfiles_HA_RE\E033A952.log: from: < XXXXXXX <XXXX@DOMAIN_D.de >


C:\UNIX\Logfiles_HA_RE\E033A952.log: To: < XXXXXXX <XXXX@DOMAIN_E.de >


C:\UNIX\Logfiles_HA_RE\E033A952.log: X-TBoneOriginalfrom: < XXXXXXX <XXXX@DOMAIN_Fde >


C:\UNIX\Logfiles_HA_RE\E033A952.log: X-TBoneOriginalTo: < XXXXXXX <XXXX@DOMAIN_G.de >

If there are many log files to analyze, filter OUTPUT.txt as appropriate in Excel or with a script.
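Both pipelines above (strings | cut | sort | uniq -c | sort, and strings | findstr /G:search.txt) appear in the post only as commands. The following Python script is an added example, not part of the post and not code from the Sysinternals or UnxUtils tools: it reimplements the three stages (printable-string extraction with a minimum length, case-insensitive filtering on the same From:/To:/Subject: terms as search.txt, and duplicate counting ordered by frequency) over a constructed in-memory byte string that stands in for a transaction log. The log format is treated as opaque binary, which is all the post relies on.

```python
"""Recover clear-text mail headers from transaction log bytes the way the
strings/findstr/uniq pipelines do (added example, not the post's commands)."""
import re
from collections import Counter

# Constructed stand-in for a transaction log: binary noise with a few header
# fragments embedded, as the post describes. Not real log data.
SAMPLE_LOG = (
    b"\x00\x01\xfe\xed" * 8
    + b"From: Alice Example <alice@domain-a.example>\x00\x00"
    + b"\x7f\xab\x10" * 5
    + b"To: Bob Example <bob@domain-b.example>\x00"
    + b"Subject: Testmail Analyzer\x00\x00\x00\x01"
    + b"\x99" * 12
    + b"From: Alice Example <alice@domain-a.example>\x00"
    + b"Reply-To: Alice Example <alice@domain-a.example>\x00"
    + b"short\x00"  # below the minimum length, dropped just as strings -n drops it
    + b"\x00\x02\x03"
)

# The same three criteria the post writes into search.txt.
SEARCH_TERMS = ["From:", "To:", "Subject:"]


def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Equivalent of `strings -n <min_len>`: every run of printable ASCII
    (0x20-0x7e) at least min_len bytes long, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def filter_headers(strings: list[str], terms=SEARCH_TERMS) -> list[str]:
    """Equivalent of `findstr /i /G:search.txt`: keep strings containing any
    term, case-insensitively; "To:" therefore also matches "Reply-To:"."""
    lowered = [t.lower() for t in terms]
    return [s for s in strings if any(t in s.lower() for t in lowered)]


def count_occurrences(strings: list[str]) -> list[tuple[str, int]]:
    """Equivalent of `sort | uniq -c | sort`: (string, count) pairs ordered so
    the most frequent string comes last."""
    counts = Counter(strings)
    return sorted(counts.items(), key=lambda item: (item[1], item[0]))


def analyze(data: bytes, min_len: int = 8) -> list[tuple[str, int]]:
    """Run the whole pipeline over one log's bytes."""
    return count_occurrences(filter_headers(extract_strings(data, min_len)))


if __name__ == "__main__":
    # Same layout as uniq -c: count, then the recovered header line.
    for text, n in analyze(SAMPLE_LOG):
        print(f"{n:7d} {text}")
```

Because the search terms are substring matches, Reply-To: lines are kept along with To: lines, which is why the OUTPUT.txt sample above contains Reply-To: entries. Raising min_len cuts noise but also drops short header values, so compare the results of a couple of lengths before deciding whom to notify about possible data loss.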
Categories: Transaction Logs Tags:

Asset Inventory Service (AIS) 2.0 Open Beta

April 15th, 2010 No comments

In November 2009 we ran a small scale beta of the 2.0 version of the Asset Inventory Service (AIS) and got a lot of feedback on the product which has helped us get to feature complete.  We are interested in getting even more input from the community, so today we are announcing an open beta for anyone (current MDOP customer or not) who is interested in trying out the service.


Some of the key changes in AIS 2.0:


·         Improved user interface


·         Title normalization and version aggregation in software reporting


·         Virtual machine and App-V package support in software reporting


·         Improved Microsoft licensing reports


·         Better hardware reporting and the ability to view the hardware properties of a computer

This open beta is feature complete and localized in English only (additional languages will be made available in future beta tests).  We ask participants to please submit their feedback to us on their experiences with the service, and we will consider this input for the RTW version.  Please be aware that all inventory data that you upload will be deleted once the beta is completed at the end of June 2010.

To sign up for the beta, please go to https://connect.microsoft.com/site310/SelfNomination.aspx?ProgramID=3615&pageType=1

You will need to have a Microsoft Live ID to join.  Once you have signed up and accepted the AIS pre-release online services agreement, we will begin the process of provisioning your AIS account and send you an email within seven days with the account details.

Categories: AIS Tags:

The future of security baseline management has arrived: Download the Security Compliance Manager!

April 13th, 2010 No comments

The Security Compliance Manager is now available for download! Windows 7 security just got easier. The tool includes support for this and other Microsoft operating systems and applications.
Many thanks to those of you who participated in the beta review…(read more)


Microsoft Security Advisory (977544): Vulnerability in SMB Could Allow Denial of Service – Version: 2.0

Revision Note: V2.0 (April 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-020 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-020. The vulnerability addressed is the SMB Client Incomplete Response Vulnerability – CVE-2009-3676.

Categories: Uncategorized Tags:

Microsoft Security Advisory (981169): Vulnerability in VBScript Could Allow Remote Code Execution

Revision Note: V2.0 (April 13, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-022 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-022. The vulnerability addressed is the VBScript Help Keypress Vulnerability – CVE-2010-0483.

Categories: Uncategorized Tags:


MDOP 2010, Windows 7, and Office 2010 – Coming to a City Near You!

April 12th, 2010 No comments

“Get On the Bus” is back in North America!

Montreal, May 21 | Boston, May 24 | New York, May 25 | Philadelphia, May 26 | Washington DC, May 27 & 28 | Richmond, June 1 | Raleigh, June 2 | Charlotte, June 3 | Atlanta, June 4 | New Orleans, June 5

www.thebustour.com

The Get On the Bus Tour is back home and we’re kicking off our new tour with a visit to Canada! Montreal marks our first location on a 10-city North American road show en route to TechEd in New Orleans, June 7. Come spend some time with us as we tour the East Coast for a deep dive into MDOP 2010, Windows 7 and Office 2010, along with a specific path on how to get certified. Learn why Windows 7 has received rave reviews from IT organizations and is setting records as the fastest selling operating system in history.  Find out why so many IT Pros are eagerly awaiting the release of Office 2010. We will show you both the best practices for deploying Windows 7 and MDOP 2010 and how to keep it running efficiently after deployment.  We will also take a tour through all of the features of Office 2010 from an IT Professional’s point of view. It’s time to join us at a stop nearest you for technical training, professional networking, hands-on experiences, and real world guidance from industry experts sent to you from Redmond. Don’t miss your chance to “Get On the Bus!”

REGISTER for your local event today!

Get your Bus Tour updates first! Follow us on Twitter @thebustour