Archive

Archive for June, 2010

CAT.NET v2.0 Update

June 29th, 2010 No comments

Frank Brisse here… I wanted to provide an update on CAT.NET v2.0. We were looking to release CAT.NET v2.0 in June but ran into a design issue at the last moment causing us to delay the release. At this point we are working with internal teams to determine how to best fix this concern. Once we have a solution and a definitive timeframe we’ll announce the new release date.

While we’re looking to resolve this issue we still want to hear your feedback about features needed in future releases.  Shortly we’ll release a list of features that will be included in CAT.NET v2.0 and items on the product backlog for future releases.

Categories: Uncategorized Tags:

Are you ready to realize the value of App-V in your enterprise? Forrester’s App-V TEI will show you how.

June 28th, 2010 No comments

Firewall Rules for Active Directory Certificate Services

June 25th, 2010 Comments off

Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment.

The information was developed by Microsoft Consultant Services during one of our customer engagements.

| Protocol | Port | From | To | Action | Comments |
| --- | --- | --- | --- | --- | --- |
| Kerberos | 464 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: Kerberos (network port tcp/464) |
| LDAP | 389 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/389) |
| LDAP | 636 | Certificate Enrollment Web Services | Domain Controllers (DC) | Allow | Source: Certificate Enrollment Web Services; Destination: DC; Service: LDAP (network port tcp/636) |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs | CA | Allow | See http://support.microsoft.com/kb/154596/en-us for details on RPC/DCOM configuration |
| HTTPS | 443 | All clients requesting certs | Certificate Enrollment Web Services | Allow | Source: Windows 7 client; Destination: Certificate Enrollment Web Services; Service: https (network port tcp/443) |
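The rows of the table expressed as scoped inbound Windows Firewall rules, as an added example that is not part of the original post. The address lists, the rule names and the Add-AdcsRule helper are assumptions; the script is run once per role on the DC, CES or CA host, and it uses netsh advfirewall so it works on Windows Server 2008 and 2008 R2.

```powershell
# Added example: turn the port table above into inbound rules for one server role.
param([Parameter(Mandatory=$true)][ValidateSet('DC','CES','CA')][string]$Role)

# Constructed address lists; replace with the real hosts in your environment.
$Ces       = '10.0.0.21,10.0.0.22'        # Certificate Enrollment Web Services servers
$Clients   = '10.10.0.0/16,10.20.0.0/16'  # client subnets that request certificates
$XpClients = '10.10.5.0/24'               # XP clients still enrolling over DCOM

function Add-AdcsRule([string]$Name, [string]$LocalPort, [string]$RemoteIp) {
    # Recreate the rule so the script can be re-run; restrict it to the domain profile
    # and to the listed remote addresses only, never "any".
    netsh advfirewall firewall delete rule name=$Name | Out-Null
    netsh advfirewall firewall add rule name=$Name dir=in action=allow `
        protocol=TCP localport=$LocalPort remoteip=$RemoteIp profile=domain
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule $Name" }
}

switch ($Role) {
    'DC' {
        # CES -> DC: the Kerberos, LDAP and LDAPS rows
        Add-AdcsRule 'ADCS-CES-Kerberos-464' 464 $Ces
        Add-AdcsRule 'ADCS-CES-LDAP-389'     389 $Ces
        Add-AdcsRule 'ADCS-CES-LDAPS-636'    636 $Ces
    }
    'CES' {
        # clients -> CES: the HTTPS row
        Add-AdcsRule 'ADCS-Clients-HTTPS-443' 443 $Clients
    }
    'CA' {
        # CES and XP clients -> CA: the DCOM/RPC row. DCOM first contacts the
        # endpoint mapper (tcp/135) and is then redirected to a dynamic port above
        # 1023; the RPC keyword covers that range. If you pinned a fixed range as
        # described in KB 154596, put that range here instead of RPC.
        Add-AdcsRule 'ADCS-CA-RPC-EPMap'   'RPC-EPMap' "$Ces,$XpClients"
        Add-AdcsRule 'ADCS-CA-RPC-Dynamic' 'RPC'       "$Ces,$XpClients"
    }
}

# Show the rules that now exist on this host.
netsh advfirewall firewall show rule name=all | Select-String 'ADCS-'
```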

Categories: Uncategorized Tags:

Great MDOP Resources

June 23rd, 2010 No comments

In my last several blog posts, I’ve used a lot of words to tell you why I think the Microsoft Desktop Optimization Pack (MDOP) is a great way to optimize Windows 7 deployment. I’ve provided links along the way, of course, but I really haven’t…(read more)

Categories: Uncategorized Tags:

Easing the Move to Windows 7 with MDOP

June 23rd, 2010 No comments

This blog post wraps up my series of entries on how the Microsoft Desktop Optimization Pack (MDOP) can help make the move to Windows 7 a bit easier. Just to recap, I described the MDOP products that you can use during the Planning, Deployment, and Operating…(read more)

Categories: Uncategorized Tags:

Design Considerations before Building a Two Tier PKI Infrastructure

June 19th, 2010 Comments off

Environmental Dependencies:

1- Determine if the Active Directory Forest has Windows 2000 Domain Controllers. This is important because of modifications to the Cert Publishers group scope, and permissions related to the AdminSDHolder role. These permissions can be added by using the Dsacls command.

2- Determine if the Active Directory Schema was upgraded to at least Windows 2003 (version 30) or Windows 2003 R2 (version 31). This item needs to be checked at the Forest Root and in the child domains if they exist. Active Directory Certificate Services require the Windows 2003 schema updates; Windows 2008 or Windows 2008 R2 schema updates work too. The Schema should already have been extended if there is at least one Windows 2008/R2 domain controller installed in the environment.

3- Determine if there are any Exchange mangled attributes and fix them before the implementation. In some cases, when the Active Directory Schema is extended, it can cause mangled attributes. Incorrect modification of the LDAP display names occurs in the following scenarios:

a. When you install Exchange Server 2000 or Exchange Server 2003 before you install Windows Server 2003 schema updates.

b. When you install Exchange Server 2000 or Exchange Server 2003 before you apply the inetOrgPerson kit.

c. When you install Windows Server 2003 schema updates before replication of the modifications to the LDAP display names is complete.

The following table describes the attributes:

| Attribute | Original LDAP Display Name | Modified LDAP Display Name |
| --- | --- | --- |
| Ms-Exch-Assistant-Name | Secretary | msExchAssistantName |
| Ms-Exch-LabeledURI | labeledURI | msExchLabeledURI |
| Ms-Exch-House-Identifier | houseIdentifier | msExchHouseIdentifier |

If these attributes were mangled, they will change to something like DUP-secretaryc5a1240d-70c0-455c-9906-a4070602f85f. This can be fixed by following the steps outlined in KB 314649 (http://support.microsoft.com/kb/314649/en-us).

 4- An Enterprise Admin account is required for the install. An Online CA can’t be installed without it. The other option would be delegating permissions at the CA containers in the Active Directory Configuration partition, which can be complicated in some environments.

5- The following OS versions are required before the install:

a. Root CA: Windows 2003/2003 R2/2008/2008 R2 Server Standard/Enterprise Edition, member of a workgroup.

b. All Issuing CAs: Windows 2003 Server Enterprise Edition or Windows 2008 R2 Standard edition to allow V2 templates, and should be a member of the domain, preferably the child domain to follow the security model.

c. If V3 templates are required, then all Issuing CAs should be installed on Windows 2008 or 2008 R2 Enterprise or Standard Editions.

d. If Key Archival is required, then all Issuing CAs should be installed on the Enterprise Edition of the OS.

e. If you are not sure about the requirements, then it is preferred to install the Issuing CAs on the Windows 2008 or Windows 2008 R2 Enterprise Edition.

6- If there are any HSM device(s), then they should be present and functional before the install.

a. Review the documents provided by the vendor for their install recommendations. In most cases, this will require installing the HSM software and management tools on each CA server communicating with the HSM.

b. Determine if all CAs are going to share the same Security World, or whether each installed CA gets a separate Security World (more secure).

 7- <Optional> Determine if the PKI infrastructure is installed on physical servers or virtual servers. Virtual servers should be secured in the same manner as physical servers due to the criticality of the infrastructure.

8- Make sure to have a thorough understanding of Microsoft’s support boundaries regarding VMs as described in Microsoft Virtual Server and Support Policy for Non-Microsoft Hardware Virtualization.

Certification Authority Planning:

1- Understand the CRL and AIA locations fully, and determine the following before proceeding with the install:

a. Root CA: Should be a member of a workgroup, and offline when the setup is completed. It is needed any time a new sub CA is created, and any time a new Root Base CRL is needed.

b. Root CA: Determine the appropriate Key Length of the CA (1024, 2048, 4096, etc.). This has to be determined based on the applications using the CA; if in doubt, the vendor of the application should be contacted. As an example, if the organization is planning to use SAP Portal access certs, the key length has to be determined beforehand so the certs can chain up to the Root CA.

c. Root CA: The root should only have a base CRL, because it is offline. Ensure the following is also planned:

i. Frequency of Base CRL generation: 3 months, 6 months, a year, etc.

ii. Remember to bring the CA online before the expiration of the Base CRL and issue the certutil -CRL command. Copy the new CRL file to the CDP, and publish it to Active Directory depending on the locations of the AIA and CDP (mentioned below).

iii. Patch and backup the offline Root every time before and after the processes mentioned above. Patching should only be for major releases.

iv. For the tasks mentioned above, add a team calendar reminder to ensure operations are not disrupted.

d. Root CA: Determine if the CRL and AIA are published in Active Directory or on a web site that can be accessed internally and externally. It can be either option, or both, but each has caveats such as:

i. Active Directory Only: This type of setup is only recommended if certificates are used internally. Any certificate used outside of the internal network might fail, such as with SCCM Internet Based Client Management Pack or Direct Access. The CRL needs to be published to AD at regular intervals depending on the time set for the CA to issue a Base CRL.

ii. Web Site: This option has to take into consideration that the web site must be accessible internally and externally, especially if certificates are used outside the internal network. Like Active Directory, the web server distribution point should be updated with CRL files based on their generation frequency.

iii. Active Directory and Web Server: Combination of both notes above.

e. Issuing CA: Should be a member of any domain in the forest. ADCS is a forest wide resource and can publish certificates to any member client in any domain.

f. Issuing CA: If there is only one Issuing CA for a multi domain forest, then the Issuing CA's computer account needs to be added to the Cert Publishers group of each domain.

g. Issuing CA: Determine how many issuing CAs are needed. The design can be set such as having a CA per geography, per function (user, or computer certs).

i. Certification Authorities are not Active Directory site aware, and will not abide by site boundaries. The control of certificate enrollment is done by the permissions set at the Certificate templates, with the right to enroll, autoenroll and read.

ii. Determine if the Issuing CA needs to issue user certs and computer certs, or having a designated CA for each type of cert.

iii. If CA high availability is required, then the CA can be clustered in Windows 2008 and 2008 R2 Enterprise Editions of the OS. Refer to Configuring and Troubleshooting Certification Authority Clustering in Windows Server 2008 for more information.

h. Determine the generation frequency of the Base and Delta CRL files for each CA. This step is critical to ensure appropriate revocation is taking place. Any organization should evaluate the process of terminating users, and adjust the frequency accordingly.

i. There should be a process in place to revoke user and computer certificates before hand, and train the helpdesk or the person(s) handling termination how to revoke certificates.

ii. If real-time revocation checking is required, then you should consider implementing an Online Responder. Refer to Online Responder Installation, Configuration, and Troubleshooting Guide for more information.

i. Determine the AIA and CDP distribution points for each CA. This step is critical because these locations are hard coded in each certificate issued by the CA, and will not get updated unless the certificate is renewed. The locations can be:

i. AD, internal CA web server and file: This condition is good when using certs internally only. The AD, internal CA web server and file locations will have the CRL and CRT files published automatically. The file location is used by the CA to generate the CRL files and also has the CRT file. This location is typically under %windir%\system32\Certsrv\Certenroll.

ii. AD, Web server accessed internally and externally, and file: This condition is ideal for most implementations, and can be used with certificates used externally. A process needs to be in place to copy the Base and Delta CRL files to the Web server, which is accessible internally only, or internally and externally. The AD location will be updated automatically. The file location is similar to the point above.

iii. Web Server and file: Same as above, but this configuration allows you to use external certificates or in environments where certificates will be used by applications or operating systems which are not Active Directory aware. A process needs to be in place to copy the Base and Delta CRL files to the Web server, which is accessible internally only, or internally and externally. The file location is similar to the points above.

j. Issuing CA: Determine the appropriate Key Length of the CA (1024, 2048, 4096, etc.). This has to be determined based on the applications using the CA. If in doubt, the vendor of the application should be contacted.

k. Ensure there is a process to backup the CA on a daily basis, or at least backup the System State. Root CA backups should be carried out any time the CA is brought online. Refer to Disaster Recovery Procedures for Active Directory Certificate Services for more information.

Certificate Templates:

1- Determine the type of Certificate Templates used from the moment of standing up the issuing CA, and remove any unneeded templates.

2- Discuss the certificate template design with application vendors and subject matter experts

3- Design and document each template created, including the issuance requirements, and which Active Directory groups are allowed to enroll for that template

a. Determine which CAs issue the templates designed, as an example, a CA in Europe may issue templates that don’t exist in the US, and vice versa. This can be controlled by using certificate template permissions, and issuing the templates at the CA issuing the cert.

4- Determine the scope of users, and computers auto enrolling for certificates

a. Auto enrollment can only occur for user certificates for users running on Windows XP or higher

b. Autoenrollment can only occur for computer certificates running on Windows XP or higher

c. Automatic Computer Request Services can be used for computers running Windows 2000 and above. This applies only to computer certificates, using V1 templates.

d. Version 3 templates can only be used with Windows Vista and above. These new templates utilize Cryptography Next Generation (CNG) algorithms. You should contact the application vendor to make sure the certificate generated by these templates, specifically the algorithm used, is compatible with the application.

Security Concerns: 

1- Consider using Role Separation for the day to day administration tasks of the CA. Review http://technet2.microsoft.com/WindowsServer/en/library/3ef594f5-758f-43d1-81c4-108a82017fa11033.mspx?mfr=true for more information.

2- Enable Object Access Auditing for Success and Failure in the local security policy of each CA server, or through a group policy. Once that is set, run Certutil -setreg CA\Auditfilter 127 at the command line and restart Certificate Services.
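Items 1.d, 1.h and 1.i of the planning section together with item 2 of the security concerns, carried out on an enterprise issuing CA as an added example (not the author's script). It assumes the "AD, web server and file" CDP/AIA layout, a web host named pki.contoso.com and a weekly base / daily delta CRL schedule; those values are assumptions, not from the post.

```powershell
# Added example: post-install CA configuration for the CDP/AIA layout, the CRL
# schedule and the audit filter discussed above. Run in an elevated prompt on the CA.
$WebHost = 'pki.contoso.com'   # assumed HTTP distribution point, reachable inside and outside

# CDP locations. Flag meanings: 1 = publish CRLs here, 2 = put the URL in issued
# certs' CDP extension, 4/8 = include in Freshest CRL, 64 = publish delta CRLs here.
# 65 = file (1+64), 6 = HTTP (2+4), 79 = AD (1+2+4+8+64).
$Cdp = "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl" +
       "\n6:http://$WebHost/CertEnroll/%3%8%9.crl" +
       '\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
# AIA locations: 1 = write the CA certificate here, 2 = put the URL in issued certs,
# 3 = publish to AD and include the LDAP URL (1+2).
$Aia = "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       "\n2:http://$WebHost/CertEnroll/%1_%3%4.crt" +
       '\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'

certutil -setreg CA\CRLPublicationURLs $Cdp        # \n separates REG_MULTI_SZ entries
certutil -setreg CA\CACertPublicationURLs $Aia

# CRL schedule: weekly base CRL, daily delta, 12-hour overlap so a CRL that is copied
# to the web server late does not leave a window with no valid CRL.
# (For an offline root, set CRLDeltaPeriodUnits to 0 so only a base CRL is issued.)
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod 'Hours'

# Security Concerns item 2: log every CA operation (127 = all audit flags) and make
# sure the Certification Services subcategory is actually being audited.
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:'Certification Services' /success:enable /failure:enable

Restart-Service CertSvc
certutil -CRL   # publish a fresh base and delta CRL to the AD and file locations now

# Verify what the CA will stamp into certificates from here on; the new CRL files in
# CertEnroll still have to be copied to the web server by your publication process.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
```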


Amer Kamal

Senior Premier Field Engineer

Categories: Uncategorized Tags:

Microsoft Security Advisory (980088): Vulnerability in Internet Explorer Could Allow Information Disclosure

Revision Note: V1.2 (June 9, 2010): Added information about MS10-035 and clarified a FAQ entry about the caching vector.
Summary: Microsoft is investigating new public reports of a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Categories: Uncategorized Tags:

Microsoft Security Advisory (980088): Vulnerability in Internet Explorer Could Allow Information Disclosure – 6/9/2010

June 9th, 2010 Comments off

Revision Note: V1.2 (June 9, 2010): Added information about MS10-035 and clarified a FAQ entry about the caching vector. Advisory Summary: Microsoft is investigating new public reports of a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Categories: Uncategorized Tags:

Microsoft Security Advisory (983438): Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege – Version: 2.0

Revision Note: V2.0 (June 8, 2010): Advisory updated to reflect publication of security bulletin.
Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-039 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-039. The vulnerability addressed is the Help.aspx XSS Vulnerability – CVE-2010-0817.

Categories: Uncategorized Tags:

Microsoft Security Advisory (983438): Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege – 6/8/2010

June 8th, 2010 Comments off

Revision Note: V2.0 (June 8, 2010): Advisory updated to reflect publication of security bulletin. Advisory Summary: Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS10-039 to address this issue. For more information about this issue, including download links for an available security update, please review MS10-039. The vulnerability addressed is the Help.aspx XSS Vulnerability – CVE-2010-0817.

Categories: Uncategorized Tags:

Accelerate Windows 7 using MDOP’s Desktop Virtualization: App-V and MED-V

June 7th, 2010 No comments