Archive

Archive for February, 2012

Update Rollup 1 for Exchange 2010 Service Pack 2

February 29th, 2012 No comments

On the Exchange Team blog they recently released an announcement, Released: Update Rollup 1 for Exchange 2010 Service Pack 2, regarding Update Rollup 1 for Exchange 2010 SP2. I wanted to call out the included note for Forefront Protection for Exchange customers who will be applying the rollup to their Exchange servers:

Note for Forefront Protection for Exchange users: For those of you running Forefront Protection for Exchange, be sure you perform these important steps from the command line in the Forefront directory before and after this rollup’s installation process. Without these steps, Exchange services for Information Store and Transport will not start after you apply this update. Before installing the update, disable ForeFront by using this command: fscutility /disable. After installing the update, re-enable ForeFront by running fscutility /enable.

Categories: Exchange, FPE 2010 Tags:

Security, privacy, and reliability in a connected world

February 28th, 2012 No comments

Microsoft’s Trustworthy Computing Corporate Vice President Scott Charney shared his security vision for the next decade in his keynote address at the RSA conference today. Charney’s keynote highlighted new and persistent security risks in light of society’s increased dependence on information systems and identified key drivers of change in today’s interconnected world.

Learn more about security, cybersecurity and technology trends, news and guidance at the Official Microsoft Security blog or follow Microsoft Security on Twitter.

In Memoriam – Tareq Saade

February 28th, 2012 No comments

January 26 1983 – February 19 2012

Tareq was part of the MMPC for several years, in which the social media properties (including this blog) were part of his responsibilities. He was one of those people who make an impact on you from the moment you meet them. He was well-loved and well-respected, much admired and very much missed. We at the MMPC feel his loss tremendously, and our thoughts are with his family and loved ones at this difficult time.

Categories: Uncategorized Tags:

Update: Microsoft, Hadoop and Big Data

February 28th, 2012 No comments

I’m really excited to be able to give you an update on our strategy and product roadmap for Big Data, especially around our embrace of Apache Hadoop as part of our data platform.

As you may remember, at the PASS Summit last October we laid out our roadmap for Big Data, with Microsoft Corporate Vice President Ted Kummert announcing plans to deliver enterprise class Apache Hadoop based distributions on both Windows Server and Windows Azure.

Even more importantly, he announced that Microsoft will be working with the community to offer contributions for inclusion into the Apache Hadoop project and its ecosystem of tools and technologies.

Now, this week at the O’Reilly Strata Conference, Dave Campbell, a Microsoft Technical Fellow, will give a keynote address on Wednesday morning where he will talk about how we are demonstrating our progress on this front as we strive to help organizations derive new insights from Big Data.

In a blog post today, Campbell notes that Microsoft has been working hard to bring the simplicity and manageability of Windows to Hadoop based solutions, and we are expanding the reach with a Hadoop based service on Windows Azure.

“Hadoop is a great tool but, to fully realize the vision of the modern data platform, we also need a marketplace to search, share and use 1st and 3rd party data and services. And, to bring the power to everyone in the business, we need to connect the new big data ecosystem to business intelligence tools like PowerPivot and Power View,” he says.

Microsoft is working closely with the community and ecosystem – including partners such as Karmasphere, Datameer and HStreaming – to deliver an open and flexible platform that is compatible with Hadoop and works well with leading 3rd party tools and technologies.

“We have recently reached a significant milestone in this journey, with our first series of contributions to the Apache Hadoop projects. Working with Hortonworks, we have submitted a proposal to the Apache Software Foundation for enhancements to Hadoop to run on Windows Server and are also in the process of submitting further proposals for a JavaScript framework and a Hive ODBC Driver,” Campbell says.

As Gianugo Rabellino, Microsoft’s Senior Director for Open Source Communities, said last October, these moves benefit not only the broader Open Source community, by enabling them to take their existing skill sets and assets and use them on Windows Azure and Windows Server, but also developers, our customers and partners.

“It is also another example of our ongoing commitment to providing Interoperability, compatibility and flexibility,” he said at that time.

You can read Campbell’s blog here and learn more about what we are doing for Big Data here.

Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

February 27th, 2012 No comments

Important notice: Microsoft does not support any Apple products. If you need to troubleshoot a problem related to Apple products, please refer to http://www.apple.com/support

Warning: SCEP was designed to be used in a closed network where all end-points are trusted. The warnings from CERT in the article “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests” should be considered when implementing the NDES service. If an application utilizes SCEP, it should provide its own strong authentication.

 

I am often asked by customers how to deploy certificates to iPads using NDES, and I refer them to Rob Greene’s blog for the steps required to configure NDES and enroll these devices for certificates. Lately, I was presented with a challenge where a customer wanted to enroll these devices for certificates and authenticate them to an 802.1x infrastructure using Network Policy Server (NPS).

Let’s review how a non-domain joined machine authenticates to an 802.1x network before delving into the required steps for iPads to connect to the same network. Historically, the following steps were followed:

1. Create a placeholder computer account in Active Directory Domain Services (AD DS)

2. Configure a Service Principal Name (SPN) for the new computer object.

3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)

4. Export the certificate created for the non-domain joined machine and install it.

5. Associate the newly created certificate with the manually created placeholder AD DS computer account through Name Mappings:

a. Select Advanced View in Active Directory Users and Computers.

b. Right-click the placeholder computer object and then select Name Mappings.

Note: Windows 7 and Windows Server 2008 R2 allow you to skip steps 3 and 4 by using Certificate Enrollment Web Services (CES) and Certificate Enrollment Web Policy (CEP) to enroll non-domain-joined computers for certificates.

The method described earlier applies to computers where the computer certificate enrolled is based on a computer template. The computer will present the certificate (Subject Name) to the Network Policy Server (NPS), which in turn will check if the computer account is enabled in AD DS.

Devices such as iPads behave differently: they treat every installed certificate as a user certificate, so when the subject name is passed to the NPS server, NPS looks for a user object in AD DS rather than a computer object, and the authentication request fails with the following event:

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          2/15/2012 8:55:49 PM

Event ID:      6273

Task Category: Network Policy Server

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      DC1.contoso.com

Description:

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 

User:

       Security ID:               NULL SID

       Account Name:              ipad.contoso.com

       Account Domain:                   CONTOSO

       Fully Qualified Account Name:     CONTOSO\ipad.contoso.com

 

Client Machine:

       Security ID:               NULL SID

       Account Name:              –

       Fully Qualified Account Name:     –

       OS-Version:                –

       Called Station Identifier:        021c1049ef6a

       Calling Station Identifier:       b8ff6154d066

 

NAS:

       NAS IPv4 Address:          192.168.25.254

       NAS IPv6 Address:          –

       NAS Identifier:                   021c1049ef6a

       NAS Port-Type:                    Wireless – IEEE 802.11

       NAS Port:                  34

 

RADIUS Client:

       Client Friendly Name:             wrt350n

       Client IP Address:                192.168.25.254

 

Authentication Details:

       Connection Request Policy Name:   Secure Wireless Connections

       Network Policy Name:       –

       Authentication Provider:          Windows

       Authentication Server:            DC1.contoso.com

       Authentication Type:       EAP

       EAP Type:                  –

       Account Session Identifier:       –

       Logging Results:                  Accounting information was written to the local log file.

       Reason Code:               8

       Reason:                    The specified user account does not exist.

 

 

The certificates installed on iPads are enrolled through Network Device Enrollment Service (NDES), which uses the Simple Certificate Enrollment Protocol (SCEP) to enroll device certificates. This is the default and can’t be changed. These device certificates are computer certificates, not user certificates, as the attributes of the default template show:

 

certutil -v -adtemplate ipsecintermediateoffline

 

IPSECIntermediateOffline: IPSec (Offline request) — Auto-Enroll: Access is denied.

  msPKI-Enrollment-Flag = 0

  msPKI-Certificate-Name-Flag = 1

    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT — 1

  msPKI-Private-Key-Flag = 0

  flags = 10241 (66113)

    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT — 1

    CT_FLAG_MACHINE_TYPE — 40 (64)

    CT_FLAG_ADD_TEMPLATE_NAME — 200 (512)

    CT_FLAG_IS_DEFAULT — 10000 (65536)

  cn = IPSECIntermediateOffline

  distinguishedName = IPSECIntermediateOffline

  displayName = IPSec (Offline request)

  templateDescription = Computer

  pKIExtendedKeyUsage = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

  pKIDefaultCSPs = Microsoft RSA SChannel Cryptographic Provider

  pKICriticalExtensions = 2.5.29.15 Key Usage

  revision = 7

  msPKI-Template-Schema-Version = 1

  msPKI-Template-Minor-Revision = 1

  msPKI-RA-Signature = 0

  msPKI-Minimal-Key-Size = 400 (1024)

  msPKI-Cert-Template-OID = 1.3.6.1.4.1.311.21.8.800281.5632585.475790.4272720.15075391.217.1.20

  msPKI-Supersede-Templates =

  msPKI-RA-Policies =

  msPKI-RA-Application-Policies =

  msPKI-Certificate-Policy =

  msPKI-Certificate-Application-Policy =

  dwKeySpec = AT_KEYEXCHANGE

  pKIExpirationPeriod =  2 Years

  pKIOverlapPeriod =  6 Weeks

 

Template Extensions: 3

    1.3.6.1.4.1.311.20.2: Flags = 0, Length = 32

    Certificate Template Name (Certificate Type)

        IPSECIntermediateOffline

 

    2.5.29.37: Flags = 0, Length = c

    Enhanced Key Usage

        IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

 

    2.5.29.15: Flags = 1(Critical), Length = 4

    Key Usage

        Digital Signature, Key Encipherment (a0)

 

As a result, the Network Policy Server (NPS) will deny access to the iPad device, because it is mapping the wrong certificate type, and will log the following security event.

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          2/19/2012 12:38:38 PM

Event ID:      6273

Task Category: Network Policy Server

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      DC1.contoso.com

Description:

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 

User:

       Security ID:               CONTOSO\ipad

       Account Name:              ipad

       Account Domain:                   CONTOSO

       Fully Qualified Account Name:     CONTOSO\ipad

 

Client Machine:

       Security ID:               NULL SID

       Account Name:              –

       Fully Qualified Account Name:     –

       OS-Version:                –

       Called Station Identifier:        021c1049ef6a

       Calling Station Identifier:       b8ff6154d066

 

NAS:

       NAS IPv4 Address:          192.168.25.254

       NAS IPv6 Address:          –

       NAS Identifier:                   021c1049ef6a

       NAS Port-Type:                    Wireless – IEEE 802.11

       NAS Port:                  34

 

RADIUS Client:

       Client Friendly Name:             wrt350n

       Client IP Address:                192.168.25.254

 

Authentication Details:

       Connection Request Policy Name:   Secure Wireless Connections

       Network Policy Name:       Secure Wireless Connections

       Authentication Provider:          Windows

       Authentication Server:            DC1.contoso.com

       Authentication Type:       EAP

       EAP Type:                  Microsoft: Smart Card or other certificate

       Account Session Identifier:       –

       Logging Results:                  Accounting information was written to the local log file.

       Reason Code:               293

           Reason:       The certificate is not valid for the requested usage.

 

The only way to make this work is to map the computer-enrolled certificate to a user account, which is described in the remainder of this blog.

Extreme Caution: The steps mentioned in this blog were tested in an isolated network and have not been verified to work fully in an enterprise network. This solution is provided as is, without any Microsoft support.

But, wait! What if we issue a certificate with subject type Computer (e.g. IPSec Offline Request) and associate it with the user account?

Important: The steps to enroll certificates for iPads and iPhones were described in iPad/iPhone Certificate Issuance. The solution provided in this blog assumes you have read it first.

The X.500 notation for CN (common name) or O (organization) in the iPhone Configuration Utility has to be in upper-case letters, for example CN=IPAD1. Failure to use the correct syntax generates the following error on the Network Device Enrollment Service (NDES) during certificate enrollment:

Log Name:      Application

Source:        Microsoft-Windows-NetworkDeviceEnrollmentService

Date:          2/16/2012 4:40:58 AM

Event ID:      31

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      NDES.contoso.com

Description:

The Network Device Enrollment Service cannot submit the certificate request (The request subject name is invalid or too long.).  0x80004005

 

Basic lab topology

 

High Level Operational Steps

 

  1. The device connects to a deployment (isolated) wireless network while connected via USB to the Mobile Device Management (MDM) software. In this example, the iPad is connected to the iPhone Configuration Utility.
  2. The device administrator connects to the Network Device Enrollment Service (NDES) to obtain a temporary password, which is entered into the device’s profile in the Mobile Device Management (MDM) software.
  3. The Mobile Device Management (MDM) software pushes the profile configuration to the device.
  4. The device creates the private/public key pair and sends a request to the Network Device Enrollment Service (NDES) to request a certificate.
  5. The Network Device Enrollment Service (NDES) sends an RA request to the Certification Authority (CA).
  6. The Certification Authority (CA) sends the certificate to the Network Device Enrollment Service (NDES).
  7. The Network Device Enrollment Service (NDES) sends the certificate to the device, which in turn installs it.
  8. The device connects to the corporate network using 802.1X.

 

Configuration steps

 

1. Create a user account in AD DS for each device you want to enroll, with the following specifications:

a. Set a long, complex password (at least 15 characters).

b. Set the password to not expire by selecting Password never expires.

c. In the user properties Account tab, select Smart card is required for interactive logon.

d. In the user properties Account tab, select Account is sensitive and cannot be delegated.

e. Click the “Log On To” button, select “The following computers” and enter a placeholder computer name (the iPad’s IMEI, for example). The placeholder computer account doesn’t need to exist in AD DS.

 

Note: Disabling the user account will not work: the Network Policy Server (NPS) detects that the account is disabled and denies access to the iPad. NPS will log the following event if the user account is disabled:

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          2/16/2012 4:52:50 PM

Event ID:      6273

Task Category: Network Policy Server

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      DC1.contoso.com

Description:

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 User:

   Security ID:               CONTOSO\ipad

   Account Name:              ipad

   Account Domain:                   CONTOSO

   Fully Qualified Account Name:     CONTOSO\ipad

 

Client Machine:

   Security ID:               NULL SID

   Account Name:              –

   Fully Qualified Account Name:     –

   OS-Version:                –

   Called Station Identifier:        021c1049ef6a

   Calling Station Identifier:       b8ff6154d066

 

NAS:

   NAS IPv4 Address:          192.168.25.254

   NAS IPv6 Address:          –

   NAS Identifier:                   021c1049ef6a

   NAS Port-Type:                    Wireless – IEEE 802.11

   NAS Port:                  34

 

RADIUS Client:

   Client Friendly Name:             wrt350n

   Client IP Address:                192.168.25.254

 

Authentication Details:

   Connection Request Policy Name:   Secure Wireless Connections

   Network Policy Name:       –

   Authentication Provider:          Windows

   Authentication Server:            DC1.contoso.com

   Authentication Type:       EAP

   EAP Type:                  –

   Account Session Identifier:       –

   Logging Results:                  Accounting information was written to the local log file.

   Reason Code:               34

   Reason:       The user or computer account that is specified in the RADIUS Access-Request message is disabled.
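The three 6273 denials quoted in this post (reason codes 8, 293 and 34) differ in only a handful of fields, and telling them apart quickly is what gets an NDES/NPS rollout unstuck. The following Python script is an added example, not part of the original post: it parses the event text into its sections, pulls out the mapped account, the client MAC (Calling Station Identifier), the EAP type and the reason code, and attaches the diagnosis this post gives for each code. The three embedded events are constructed, trimmed copies of the ones shown above, and the diagnosis strings are this example's summary of the post's explanations, not NPS output.

```python
import re

# Diagnosis for each reason code seen in this post's 6273 events (the text
# is this example's summary of the post's explanation, not NPS output).
REASON_DIAGNOSIS = {
    8: "No AD DS user object matches the certificate subject; the device "
       "certificate was resolved as a user (create the per-device user, step 1).",
    293: "A computer-template certificate (e.g. IPSec Offline Request) was mapped "
         "to a user account (use the UserV2 template with Client Authentication).",
    34: "The mapped account is disabled; NPS checks account state first, so keep "
        "the placeholder user enabled and restrict it via 'Log On To' instead.",
}

# "Key:   value" lines; a key with an empty value opens a new section.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Map (section, key) -> value for an NPS event 6273 rendered as text."""
    fields, section = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # free-text lines such as the description sentence
        key, value = m.groups()
        if value == "":
            section = key  # "User:", "Client Machine:", "Authentication Details:"
        else:
            fields[(section, key)] = value
    return fields


def normalize_mac(raw):
    """NPS logs the station id as 12 bare hex digits; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return raw
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def triage(text):
    """Pull out the fields a responder needs and attach the post's diagnosis."""
    f = parse_event(text)
    code = int(f[("Authentication Details", "Reason Code")])
    return {
        "account": f.get(("User", "Account Name"), "-"),
        "client_mac": normalize_mac(f.get(("Client Machine", "Calling Station Identifier"), "")),
        "eap_type": f.get(("Authentication Details", "EAP Type"), "-"),
        "reason_code": code,
        "reason": f.get(("Authentication Details", "Reason"), ""),
        "diagnosis": REASON_DIAGNOSIS.get(code, "Reason code not covered by this post."),
    }


# Constructed samples: trimmed copies of the three events quoted in the post.
EVENT_NO_SUCH_USER = """Event ID:      6273
Description:
Network Policy Server denied access to a user.
User:
       Security ID:               NULL SID
       Account Name:              ipad.contoso.com
Client Machine:
       Calling Station Identifier:       b8ff6154d066
Authentication Details:
       EAP Type:                  -
       Reason Code:               8
       Reason:                    The specified user account does not exist.
"""
EVENT_WRONG_USAGE = """Event ID:      6273
User:
       Security ID:               CONTOSO\\ipad
       Account Name:              ipad
Client Machine:
       Calling Station Identifier:       b8ff6154d066
Authentication Details:
       EAP Type:                  Microsoft: Smart Card or other certificate
       Reason Code:               293
       Reason:                    The certificate is not valid for the requested usage.
"""
EVENT_DISABLED = """Event ID:      6273
User:
       Account Name:              ipad
Client Machine:
       Calling Station Identifier:       b8ff6154d066
Authentication Details:
       Reason Code:               34
       Reason:                    The user or computer account that is specified in the RADIUS Access-Request message is disabled.
"""

if __name__ == "__main__":
    for sample in (EVENT_NO_SUCH_USER, EVENT_WRONG_USAGE, EVENT_DISABLED):
        r = triage(sample)
        print(f"{r['account']:<18} {r['client_mac']}  code {r['reason_code']}: {r['diagnosis']}")
```

The parser keys every value by its section, because "Security ID" and "Account Name" appear under both User and Client Machine; the normalized MAC lets you correlate a denial with the device inventory in the MDM software.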

 

2. Duplicate the User template with the following configuration (name it “UserV2”, for example):

a. Request Handling tab:

   i. Purpose: Signature and encryption
   ii. No other checkbox selected
   iii. CSP: Microsoft RSA SChannel Cryptographic Provider

b. Subject Name tab:

   i. Select “Supply in the request”

c. Issuance Requirements tab:

   i. Nothing selected or configured

d. Extensions tab:

   i. Application Policies:
      • IP Security IKE Intermediate
      • Server Authentication
      • Client Authentication
   ii. Basic Constraints:
      • Leave as default
   iii. Certificate Template Information:
      • This configuration comes from the AD template object; you need to modify the subject type from User to Computer, which allows NDES to enroll for user certificates (described in step 4).
   iv. Issuance Policy:
      • Leave as default
   v. Key Usage:
      • Signature requirements:
        • Digital Signature
        • Allow key exchange only with key encryption
        • Critical extension

e. Security tab:

   i. Configure in the same way as described in iPad/iPhone Certificate Issuance.

 

3. Check the attributes of the certificate template you created in step 2 using certutil -v -adtemplate userv2 and note the templateDescription attribute. This attribute will be changed later on.

 

Userv2: User v2 — Auto-Enroll: .

  msPKI-Enrollment-Flag = 0

  msPKI-Certificate-Name-Flag = 1

    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT — 1

  msPKI-Private-Key-Flag = 0

  flags = 2023a (131642)

    CT_FLAG_ADD_EMAIL — 2

    CT_FLAG_PUBLISH_TO_DS — 8

    CT_FLAG_EXPORTABLE_KEY — 10 (16)

    CT_FLAG_AUTO_ENROLLMENT — 20 (32)

    CT_FLAG_ADD_TEMPLATE_NAME — 200 (512)

    CT_FLAG_IS_MODIFIED — 20000 (131072)

  cn = Userv2

  distinguishedName = Userv2

  displayName = User v2

  templateDescription = User

  pKIExtendedKeyUsage =

    0: 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

    1: 1.3.6.1.5.5.7.3.1 Server Authentication

    2: 1.3.6.1.5.5.7.3.2 Client Authentication

  pKIDefaultCSPs = Microsoft RSA SChannel Cryptographic Provider

  pKICriticalExtensions =

    0: 2.5.29.7 Subject Alternative Name

    1: 2.5.29.15 Key Usage

  revision = 64 (100)

  msPKI-Template-Schema-Version = 2

  msPKI-Template-Minor-Revision = 8

  msPKI-RA-Signature = 0

  msPKI-Minimal-Key-Size = 800 (2048)

  msPKI-Cert-Template-OID = 1.3.6.1.4.1.311.21.8.800281.5632585.475790.4272720.15075391.217.15856343.7753402 User v2

  msPKI-Supersede-Templates =

  msPKI-RA-Policies =

  msPKI-RA-Application-Policies =

  msPKI-Certificate-Policy =

  msPKI-Certificate-Application-Policy =

    0: 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

    1: 1.3.6.1.5.5.7.3.1 Server Authentication

    2: 1.3.6.1.5.5.7.3.2 Client Authentication

  dwKeySpec = AT_KEYEXCHANGE

  pKIExpirationPeriod =  1 Years

  pKIOverlapPeriod =  6 Weeks

 

Template Extensions: 4

    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2f

    Certificate Template Information

        Template=User v2(1.3.6.1.4.1.311.21.8.800281.5632585.475790.4272720.15075391.217.15856343.7753402)

        Major Version Number=100

        Minor Version Number=8

 

    2.5.29.37: Flags = 0, Length = 20

    Enhanced Key Usage

        IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

        Server Authentication (1.3.6.1.5.5.7.3.1)

        Client Authentication (1.3.6.1.5.5.7.3.2)

 

    2.5.29.15: Flags = 1(Critical), Length = 4

    Key Usage

        Digital Signature, Key Encipherment (a0)

 

    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26

    Application Policies

        [1]Application Certificate Policy:

             Policy Identifier=IP security IKE intermediate

        [2]Application Certificate Policy:

             Policy Identifier=Server Authentication

        [3]Application Certificate Policy:

             Policy Identifier=Client Authentication

 

4. Network Device Enrollment Service (NDES) does not support user templates; as a result, the user template created in step 2 has to be changed to a computer template. To do so:

a. Open Active Directory Sites and Services.

b. On the View menu, select Show Services Node.

c. Expand Services, then Public Key Services, and click Certificate Templates.

d. Open the duplicated certificate template created in step 2 (UserV2 in this example).

e. Edit the flags attribute and change its value from 131642 to 131706.

Extreme Warning: This method is supplied as is and should be thoroughly tested in your environment. Deploy this solution at your own risk.

If you run the certutil -v -adtemplate userv2 command again, you can see that the templateDescription attribute was changed from User to Computer.
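Step 4 edits the raw flags attribute from 131642 to 131706 without saying which bit that flips. The following Python script is an added example, not from the original post: it decodes a flags value into the CT_FLAG_* names that the certutil output above prints, shows that the edit sets exactly CT_FLAG_MACHINE_TYPE (0x40), the bit behind templateDescription = Computer, and runs a small hardening check over the UserV2 attributes shown in step 3. All constants come from the certutil output on this page; audit_template is this example's own helper, not a certutil feature.

```python
# Bit names for the certificate template "flags" attribute, as the
# certutil -v -adtemplate output in this post prints them (value -> name).
TEMPLATE_FLAGS = {
    0x00001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00002: "CT_FLAG_ADD_EMAIL",
    0x00008: "CT_FLAG_PUBLISH_TO_DS",
    0x00010: "CT_FLAG_EXPORTABLE_KEY",
    0x00020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00040: "CT_FLAG_MACHINE_TYPE",
    0x00200: "CT_FLAG_ADD_TEMPLATE_NAME",
    0x10000: "CT_FLAG_IS_DEFAULT",
    0x20000: "CT_FLAG_IS_MODIFIED",
}
CT_FLAG_MACHINE_TYPE = 0x40
CT_FLAG_EXPORTABLE_KEY = 0x10
ENROLLEE_SUPPLIES_SUBJECT = 0x1        # bit in msPKI-Certificate-Name-Flag
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # Client Authentication, as in the UserV2 output


def decode_flags(value):
    """Names of the bits set in a flags value, lowest bit first.

    Bits this post does not list are returned as UNKNOWN_0x<bit>."""
    names, bit = [], 1
    while bit <= value:
        if value & bit:
            names.append(TEMPLATE_FLAGS.get(bit, f"UNKNOWN_0x{bit:x}"))
        bit <<= 1
    return names


def diff_flags(old, new):
    """(added, removed) bit names when the attribute is edited from old to new."""
    return set(decode_flags(new & ~old)), set(decode_flags(old & ~new))


def subject_type(flags):
    """The templateDescription value certutil shows for this flags value."""
    return "Computer" if flags & CT_FLAG_MACHINE_TYPE else "User"


def audit_template(flags, name_flag, ekus, ra_signatures):
    """Hardening findings for a template (this example's own helper, not certutil).

    Arguments are the values certutil -v -adtemplate prints: flags,
    msPKI-Certificate-Name-Flag, the pKIExtendedKeyUsage OIDs and
    msPKI-RA-Signature."""
    findings = []
    if name_flag & ENROLLEE_SUPPLIES_SUBJECT and CLIENT_AUTH_EKU in ekus and ra_signatures == 0:
        findings.append(
            "Subject is supplied in the request, the EKU includes Client Authentication "
            "and no RA signature is required, so the subject of a logon certificate is "
            "chosen by whoever can enroll: grant Enroll on the Security tab to the NDES "
            "service account only.")
    if flags & CT_FLAG_EXPORTABLE_KEY:
        findings.append(
            "CT_FLAG_EXPORTABLE_KEY is set; an 802.1x device certificate does not need "
            "an exportable private key.")
    return findings


if __name__ == "__main__":
    OLD, NEW = 131642, 131706  # the two values step 4 edits between
    print("before:", subject_type(OLD), decode_flags(OLD))
    print("after: ", subject_type(NEW), decode_flags(NEW))
    added, removed = diff_flags(OLD, NEW)
    print("added:", sorted(added), "removed:", sorted(removed))
    # UserV2 attributes from the step 3 output: name flag 1, three EKUs, RA signature 0
    userv2_ekus = ["1.3.6.1.5.5.8.2.2", "1.3.6.1.5.5.7.3.1", CLIENT_AUTH_EKU]
    for finding in audit_template(NEW, 1, userv2_ekus, 0):
        print("FINDING:", finding)
```

Running the same decoder over the IPSec (Offline request) value 66113 from earlier in the post gives CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_MACHINE_TYPE, CT_FLAG_ADD_TEMPLATE_NAME and CT_FLAG_IS_DEFAULT, which is why certutil already reports that template as Computer.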

       

5. Publish the certificate template created in step 2 to the Certification Authority (CA).

 

Note: If you don’t perform these changes to the certificate template and configure NDES to deploy this template, you will receive the following error when requesting the challenge password from the Network Device Enrollment Service (NDES):

 

Network Device Enrollment Service

Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP).

You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.

For more information see Using Network Device Enrollment Service.

6. Configure the Network Device Enrollment Service (NDES) to issue certificates based on the certificate template created in step 2 by editing the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP]

"SignatureTemplate"="Userv2"

"EncryptionTemplate"="Userv2"

"GeneralPurposeTemplate"="Userv2"

7. Restart Internet Information Services (IIS) on the Network Device Enrollment Service (NDES) server.

8. Install the Root CA’s certificate on the computer where you will run the iPhone Configuration Utility.

9. Open the iPhone Configuration Utility and create a configuration profile.

10. Make sure the NDES and SCEP settings are configured in the iPhone Configuration Utility using the steps in the iPad/iPhone Certificate Issuance blog.

11. Select Wi-Fi and enter the SSID of the 802.1x wireless network.

12. Select Auto-Join.

13. On Security type, select WPA/WPA2 Enterprise.

14. Select Protocols and then choose TLS.

15. Next, select Authentication and choose the SCEP identity certificate that was previously configured as outlined in the iPad/iPhone Certificate Issuance blog.

16. Select “Trust” and choose your Root CA certificate as a trusted certificate.

 

17. After the CA issues the new certificate, you must export it from the CA and associate this certificate with the user account that was created in step 1:

a. Open Active Directory Users and Computers.

b. On the View menu, select Advanced Features.

c. Find the user account that represents the iPad.

d. Right-click the user account and choose Name Mappings.

e. Click Add, then select the certificate to import.

 

18. Deploy the profile to your iPad.

 

NPS Basic Settings

 

The Network Policy Server (NPS) settings that were configured during this solution were:

1. Make your Network Policy Server (NPS) a member of the “RAS and IAS Servers” group.

2. Publish the “RAS and IAS Server” certificate template to your CA.

3. Enroll your Network Policy Server (NPS) for a “RAS and IAS Server” certificate.

4. In Policies, select Connection Request Policies:

a. Create a policy named “Secure Wireless Connections” with the condition:

    • NAS Port Type = “Wireless – Other or Wireless – IEEE 802.11”

b. Disable the default policy called “Use Windows authentication for all users”.

5. In Policies, select Network Policies:

a. Create a policy named “Secure Wireless Connections” with the following settings:

    • Overview tab
      • Select “Grant Access. Grant access if the connection request matches this policy.”
      • Select “Ignore user account dial-in properties”
    • Conditions tab
      • NAS Port Type = “Wireless – Other or Wireless – IEEE 802.11”
      • Windows Groups = “Contoso\Domain users” (this could be any group; just make sure the user account is a member of it)
    • Constraints tab
      • Authentication Methods
        • Microsoft: Smart Card or other certificate (choose the enrolled RAS and IAS Server certificate)

Thanks to Paulo Marques da Costa for writing this informative blog.

 

Categories: Uncategorized Tags:

Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

February 27th, 2012 No comments

Important notice: Microsoft does not support any apple products, if you need to troubleshoot any problem related to apple products, please refer to http://www.apple.com/support

   Warning
SCEP was designed to be used in a closed network where all end-points are trusted. The warnings from CERT in the article “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests ” should be considered when implementing the NDES service. If an application utilizes SCEP, it should provide its own strong authentication.

 

I am often asked by customers how to deploy certificates to iPads using NDES, where I refer them to Rob Greene’s blog for the steps required configuring NDES and enrolling these devices for certificates. Lately, I was presented with a challenge where a customer wanted to enroll these devices for certificates and authenticate them to an 802.1x infrastructure using Network Policy Server (NPS)

Let’s review how a non-domain-joined machine authenticates to an 802.1x network before delving into the steps required for iPads to connect to the same network. Historically, the following steps were followed:

1. Create a placeholder computer account in Active Directory Domain Services (AD DS)

2. Configure a Service Principal Name (SPN) for the new computer object.

3. Enroll a computer certificate, passing the FQDN of the placeholder computer object as the Subject Name, using the Web Enrollment pages or the Certificates MMC snap-in directly from the computer (skip step 4 if you are using the Certificates MMC snap-in).

4. Export the certificate created for the non-domain-joined machine and install it.

5. Associate the newly created certificate with the manually created placeholder AD DS computer account through Name Mappings:

a. In Active Directory Users and Computers, select View and then Advanced Features.

b. Right-click the placeholder computer object and then select Name Mappings.

Note: Windows 7 and Windows Server 2008 R2 allow you to skip steps 3 and 4 by using the Certificate Enrollment Web Service (CES) and the Certificate Enrollment Policy Web Service (CEP) to enroll non-domain-joined computers for certificates.

The method described above applies to computers whose certificate was enrolled from a computer template. The computer presents the certificate (its Subject Name) to the Network Policy Server (NPS), which in turn checks whether the computer account is enabled in AD DS.

Devices such as iPads behave differently: they treat every installed certificate as a user certificate. When the subject name is passed to the NPS server, NPS therefore looks for a user object in AD DS rather than a computer object, and the authentication request fails with the following event:

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          2/15/2012 8:55:49 PM

Event ID:      6273

Task Category: Network Policy Server

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      DC1.contoso.com

Description:

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 

User:

       Security ID:               NULL SID

       Account Name:              ipad.contoso.com

       Account Domain:                   CONTOSO

       Fully Qualified Account Name:     CONTOSO\ipad.contoso.com

 

Client Machine:

       Security ID:               NULL SID

       Account Name:              –

       Fully Qualified Account Name:     –

       OS-Version:                –

       Called Station Identifier:        021c1049ef6a

       Calling Station Identifier:       b8ff6154d066

 

NAS:

       NAS IPv4 Address:          192.168.25.254

       NAS IPv6 Address:          –

       NAS Identifier:                   021c1049ef6a

       NAS Port-Type:                    Wireless – IEEE 802.11

       NAS Port:                  34

 

RADIUS Client:

       Client Friendly Name:             wrt350n

       Client IP Address:                192.168.25.254

 

Authentication Details:

       Connection Request Policy Name:   Secure Wireless Connections

       Network Policy Name:       –

       Authentication Provider:          Windows

       Authentication Server:            DC1.contoso.com

       Authentication Type:       EAP

       EAP Type:                  –

       Account Session Identifier:       –

       Logging Results:                  Accounting information was written to the local log file.

       Reason Code:               8

       Reason:                    The specified user account does not exist.

 

 

Certificates installed on iPads are enrolled through the Network Device Enrollment Service (NDES), which uses the Simple Certificate Enrollment Protocol (SCEP) to enroll device certificates. This is the default and cannot be changed, and these device certificates are computer certificates, not user certificates:

 

certutil -v -adtemplate ipsecintermediateoffline

 

IPSECIntermediateOffline: IPSec (Offline request) — Auto-Enroll: Access is denied.

  msPKI-Enrollment-Flag = 0

  msPKI-Certificate-Name-Flag = 1

    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT — 1

  msPKI-Private-Key-Flag = 0

  flags = 10241 (66113)

    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT — 1

    CT_FLAG_MACHINE_TYPE — 40 (64)

    CT_FLAG_ADD_TEMPLATE_NAME — 200 (512)

    CT_FLAG_IS_DEFAULT — 10000 (65536)

  cn = IPSECIntermediateOffline

  distinguishedName = IPSECIntermediateOffline

  displayName = IPSec (Offline request)

  templateDescription = Computer

  pKIExtendedKeyUsage = 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

  pKIDefaultCSPs = Microsoft RSA SChannel Cryptographic Provider

  pKICriticalExtensions = 2.5.29.15 Key Usage

  revision = 7

  msPKI-Template-Schema-Version = 1

  msPKI-Template-Minor-Revision = 1

  msPKI-RA-Signature = 0

  msPKI-Minimal-Key-Size = 400 (1024)

  msPKI-Cert-Template-OID = 1.3.6.1.4.1.311.21.8.800281.5632585.475790.4272720.15075391.217.1.20

  msPKI-Supersede-Templates =

  msPKI-RA-Policies =

  msPKI-RA-Application-Policies =

  msPKI-Certificate-Policy =

  msPKI-Certificate-Application-Policy =

  dwKeySpec = AT_KEYEXCHANGE

  pKIExpirationPeriod =  2 Years

  pKIOverlapPeriod =  6 Weeks

 

Template Extensions: 3

    1.3.6.1.4.1.311.20.2: Flags = 0, Length = 32

    Certificate Template Name (Certificate Type)

        IPSECIntermediateOffline

 

    2.5.29.37: Flags = 0, Length = c

    Enhanced Key Usage

        IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

 

    2.5.29.15: Flags = 1(Critical), Length = 4

    Key Usage

        Digital Signature, Key Encipherment (a0)

 

As a result, the Network Policy Server (NPS) denies access to the iPad because it is mapping the wrong certificate type, and logs the following security event:

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          2/19/2012 12:38:38 PM

Event ID:      6273

Task Category: Network Policy Server

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      DC1.contoso.com

Description:

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 

User:

       Security ID:               CONTOSO\ipad

       Account Name:              ipad

       Account Domain:                   CONTOSO

       Fully Qualified Account Name:     CONTOSO\ipad

 

Client Machine:

       Security ID:               NULL SID

       Account Name:              –

       Fully Qualified Account Name:     –

       OS-Version:                –

       Called Station Identifier:        021c1049ef6a

       Calling Station Identifier:       b8ff6154d066

 

NAS:

       NAS IPv4 Address:          192.168.25.254

       NAS IPv6 Address:          –

       NAS Identifier:                   021c1049ef6a

       NAS Port-Type:                    Wireless – IEEE 802.11

       NAS Port:                  34

 

RADIUS Client:

       Client Friendly Name:             wrt350n

       Client IP Address:                192.168.25.254

 

Authentication Details:

       Connection Request Policy Name:   Secure Wireless Connections

       Network Policy Name:       Secure Wireless Connections

       Authentication Provider:          Windows

       Authentication Server:            DC1.contoso.com

       Authentication Type:       EAP

       EAP Type:                  Microsoft: Smart Card or other certificate

       Account Session Identifier:       –

       Logging Results:                  Accounting information was written to the local log file.

       Reason Code:               293

           Reason:       The certificate is not valid for the requested usage.

 

The only way to make this work is to map the computer-enrolled certificate to a user account, which is described in the remainder of this blog.

Extreme Caution: The steps mentioned in this blog were tested in an isolated network and have not been verified to work fully in an enterprise network. This solution is provided as is, without any Microsoft support.

But wait! What if we issue a certificate with subject type Computer (e.g. the IPSec (Offline request) template) and associate it with the user account?

Important:

The steps to enroll certificates for iPads and iPhones were described in iPad/iPhone Certificate Issuance. The solution provided in this blog assumes you have read it first.

The X.500 notation entered in the iPhone Configuration Utility for CN (common name) or O (organization) has to be in upper case letters, for example CN=IPAD1. Failure to type the correct syntax will generate the following error on the Network Device Enrollment Service (NDES) during certificate enrollment:

Log Name:      Application

Source:        Microsoft-Windows-NetworkDeviceEnrollmentService

Date:          2/16/2012 4:40:58 AM

Event ID:      31

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      NDES.contoso.com

Description:

The Network Device Enrollment Service cannot submit the certificate request (The request subject name is invalid or too long.).  0x80004005

 

Basic lab topology

 

High Level Operational Steps

 

  1. The device connects to an isolated deployment wireless network while connected via USB to the Mobile Device Management (MDM) software. In this example, the iPad is connected to the iPhone Configuration Utility.
  2. The device administrator connects to the Network Device Enrollment Service (NDES) to obtain a temporary (challenge) password, which is entered in the MDM as part of the device’s profile.
  3. The MDM software pushes the profile configuration to the device.
  4. The device creates its public/private key pair and sends a request to the Network Device Enrollment Service (NDES) to request a certificate.
  5. The Network Device Enrollment Service (NDES) sends an RA request to the Certification Authority (CA).
  6. The Certification Authority (CA) sends the certificate to the Network Device Enrollment Service (NDES).
  7. The Network Device Enrollment Service (NDES) sends the certificate to the device, which in turn installs it.
  8. The device connects to the corporate network using 802.1X.

 

Configuration steps

 

1. Create a user account in AD DS for each device you want to enroll, with the following specifications:

a. Set a long, complex password (at least 15 characters).

b. Set the password to not expire by selecting Password never expires.

c. In the user properties Account tab, select Smart card is required for interactive logon.

d. In the same Account tab, select Account is sensitive and cannot be delegated.

e. Click the Log On To button, select The following computers, and enter a placeholder computer name (the iPad’s IMEI, for example). The placeholder computer account doesn’t need to exist in AD DS.

 

Note: Disabling the user account will not work: the Network Policy Server (NPS) will detect that the account is disabled and deny access to the iPad. NPS logs the following event if the user account is disabled:

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          2/16/2012 4:52:50 PM

Event ID:      6273

Task Category: Network Policy Server

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      DC1.contoso.com

Description:

Network Policy Server denied access to a user.

 

Contact the Network Policy Server administrator for more information.

 User:

   Security ID:               CONTOSO\ipad

   Account Name:              ipad

   Account Domain:                   CONTOSO

   Fully Qualified Account Name:     CONTOSO\ipad

 

Client Machine:

   Security ID:               NULL SID

   Account Name:              –

   Fully Qualified Account Name:     –

   OS-Version:                –

   Called Station Identifier:        021c1049ef6a

   Calling Station Identifier:       b8ff6154d066

 

NAS:

   NAS IPv4 Address:          192.168.25.254

   NAS IPv6 Address:          –

   NAS Identifier:                   021c1049ef6a

   NAS Port-Type:                    Wireless – IEEE 802.11

   NAS Port:                  34

 

RADIUS Client:

   Client Friendly Name:             wrt350n

   Client IP Address:                192.168.25.254

 

Authentication Details:

   Connection Request Policy Name:   Secure Wireless Connections

   Network Policy Name:       –

   Authentication Provider:          Windows

   Authentication Server:            DC1.contoso.com

   Authentication Type:       EAP

   EAP Type:                  –

   Account Session Identifier:       –

   Logging Results:                  Accounting information was written to the local log file.

   Reason Code:               34

   Reason:       The user or computer account that is specified in the RADIUS Access-Request message is disabled.
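The three event 6273 denials in this post differ only in their reason code (8, 293 and 34), so a small parser that pulls the reason code and the mapped account out of the event body makes triage of the next failing iPad quick. The following Python is an added example, not code from the original post: the sample events are constructed from the values shown above, trimmed to the fields the script reads, and the explanation attached to each code is the one this post gives.

```python
import re

# Constructed sample events: the three NPS 6273 denials shown in this post,
# trimmed to the fields this script reads. Values are the ones the post prints.
EVENT_NO_USER = """
Event ID:      6273
Computer:      DC1.contoso.com
User:
       Security ID:               NULL SID
       Fully Qualified Account Name:     CONTOSO\\ipad.contoso.com
Client Machine:
       Calling Station Identifier:       b8ff6154d066
Authentication Details:
       Network Policy Name:       -
       EAP Type:                  -
       Reason Code:               8
       Reason:                    The specified user account does not exist.
"""

EVENT_BAD_USAGE = """
Event ID:      6273
Computer:      DC1.contoso.com
User:
       Security ID:               CONTOSO\\ipad
       Fully Qualified Account Name:     CONTOSO\\ipad
Client Machine:
       Calling Station Identifier:       b8ff6154d066
Authentication Details:
       Network Policy Name:       Secure Wireless Connections
       EAP Type:                  Microsoft: Smart Card or other certificate
       Reason Code:               293
       Reason:                    The certificate is not valid for the requested usage.
"""

EVENT_DISABLED = """
Event ID:      6273
Computer:      DC1.contoso.com
User:
       Fully Qualified Account Name:     CONTOSO\\ipad
Authentication Details:
       Network Policy Name:       -
       EAP Type:                  -
       Reason Code:               34
       Reason:                    The user or computer account that is specified in the RADIUS Access-Request message is disabled.
"""

# Reason codes this post explains, with the cause and remedy the post gives.
KNOWN_REASONS = {
    "8": ("user-object-not-found",
          "NPS looked up the certificate subject as a user object in AD DS and found none: "
          "map the device certificate to a user account through Name Mappings."),
    "293": ("certificate-usage-mismatch",
            "The presented certificate is the wrong type for the mapping (for example an "
            "IPSec (Offline request) certificate whose only EKU is IP security IKE intermediate)."),
    "34": ("account-disabled",
           "The mapped user account is disabled and NPS denies disabled accounts: keep the "
           "placeholder account enabled and restrict it with Log On To and smart card settings."),
}


def parse_nps_event(text: str) -> dict:
    """Turn the event body into {section: {field: value}}. Lines that end in a
    bare colon ('User:', 'NAS:') open a section; header fields go under 'Header'."""
    sections, current = {"Header": {}}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([^:]+):\s*(.*)", line) if line else None
        if not m:
            continue                  # blank line or free text such as the description sentence
        key, value = m.group(1).strip(), m.group(2).strip()
        if value:
            sections[current][key] = value
        else:
            current = key
            sections.setdefault(current, {})
    return sections


def triage_event(text: str) -> dict:
    """Classify one 6273 body by reason code and pull out the fields worth having."""
    ev = parse_nps_event(text)
    if ev["Header"].get("Event ID") != "6273":
        raise ValueError("not an NPS 6273 (access denied) event")
    auth = ev.get("Authentication Details", {})
    code = auth.get("Reason Code", "")
    category, advice = KNOWN_REASONS.get(
        code, ("unclassified", "Reason code not covered here; read the Reason text."))
    return {
        "reason_code": code,
        "category": category,
        "advice": advice,
        "account": ev.get("User", {}).get("Fully Qualified Account Name", ""),
        "client_mac": ev.get("Client Machine", {}).get("Calling Station Identifier", ""),
        "eap_type": auth.get("EAP Type", ""),
        "network_policy": auth.get("Network Policy Name", ""),
    }


if __name__ == "__main__":
    for sample in (EVENT_NO_USER, EVENT_BAD_USAGE, EVENT_DISABLED):
        t = triage_event(sample)
        print(f"{t['account']:28} code {t['reason_code']:>3} {t['category']}: {t['advice']}")
```

Feed it the text of each 6273 event copied from the Security log; the Network Policy Name field also tells you whether the request got as far as the network policy (it is “-” for codes 8 and 34, which fail before policy evaluation, and “Secure Wireless Connections” for code 293).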

 

2. Duplicate the User template with the following configuration (name it “UserV2”, for example):

a. Request Handling tab:
    i. Purpose: Signature and encryption
    ii. No other checkbox selected
    iii. CSP: Microsoft RSA SChannel Cryptographic Provider

b. Subject Name tab:
    i. Select “Supply in the request”

c. Issuance Requirements tab:
    i. Nothing selected or configured

d. Extensions tab:
    i. Application Policies:
        • IP security IKE intermediate
        • Server Authentication
        • Client Authentication
    ii. Basic Constraints:
        • Leave as default
    iii. Certificate Template Information:
        • This configuration comes from the AD template object; you need to modify the subject type from User to Computer, which allows NDES to enroll for these user certificates (described in step 4).
    iv. Issuance Policy:
        • Leave as default
    v. Key Usage:
        • Signature requirements:
          • Digital Signature
          • Allow key exchange only with key encryption
          • Critical extension

e. Security tab:
    i. Configure in the same way as described in iPad/iPhone Certificate Issuance.

 

3. Check the attributes of the certificate template you created in step 2 using certutil -v -adtemplate userv2 and note the templateDescription attribute. This attribute will be changed later on.

 

Userv2: User v2 — Auto-Enroll: .

  msPKI-Enrollment-Flag = 0

  msPKI-Certificate-Name-Flag = 1

    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT — 1

  msPKI-Private-Key-Flag = 0

  flags = 2023a (131642)

    CT_FLAG_ADD_EMAIL — 2

    CT_FLAG_PUBLISH_TO_DS — 8

    CT_FLAG_EXPORTABLE_KEY — 10 (16)

    CT_FLAG_AUTO_ENROLLMENT — 20 (32)

    CT_FLAG_ADD_TEMPLATE_NAME — 200 (512)

    CT_FLAG_IS_MODIFIED — 20000 (131072)

  cn = Userv2

  distinguishedName = Userv2

  displayName = User v2

  templateDescription = User

  pKIExtendedKeyUsage =

    0: 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

    1: 1.3.6.1.5.5.7.3.1 Server Authentication

    2: 1.3.6.1.5.5.7.3.2 Client Authentication

  pKIDefaultCSPs = Microsoft RSA SChannel Cryptographic Provider

  pKICriticalExtensions =

    0: 2.5.29.7 Subject Alternative Name

    1: 2.5.29.15 Key Usage

  revision = 64 (100)

  msPKI-Template-Schema-Version = 2

  msPKI-Template-Minor-Revision = 8

  msPKI-RA-Signature = 0

  msPKI-Minimal-Key-Size = 800 (2048)

  msPKI-Cert-Template-OID = 1.3.6.1.4.1.311.21.8.800281.5632585.475790.4272720.15075391.217.15856343.7753402 User v2

  msPKI-Supersede-Templates =

  msPKI-RA-Policies =

  msPKI-RA-Application-Policies =

  msPKI-Certificate-Policy =

  msPKI-Certificate-Application-Policy =

    0: 1.3.6.1.5.5.8.2.2 IP security IKE intermediate

    1: 1.3.6.1.5.5.7.3.1 Server Authentication

    2: 1.3.6.1.5.5.7.3.2 Client Authentication

  dwKeySpec = AT_KEYEXCHANGE

  pKIExpirationPeriod =  1 Years

  pKIOverlapPeriod =  6 Weeks

 

Template Extensions: 4

    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2f

    Certificate Template Information

        Template=User v2(1.3.6.1.4.1.311.21.8.800281.5632585.475790.4272720.15075391.217.15856343.7753402)

        Major Version Number=100

        Minor Version Number=8

 

    2.5.29.37: Flags = 0, Length = 20

    Enhanced Key Usage

        IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

        Server Authentication (1.3.6.1.5.5.7.3.1)

        Client Authentication (1.3.6.1.5.5.7.3.2)

 

    2.5.29.15: Flags = 1(Critical), Length = 4

    Key Usage

        Digital Signature, Key Encipherment (a0)

 

    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26

    Application Policies

        [1]Application Certificate Policy:

             Policy Identifier=IP security IKE intermediate

        [2]Application Certificate Policy:

             Policy Identifier=Server Authentication

        [3]Application Certificate Policy:

             Policy Identifier=Client Authentication

 

4. The Network Device Enrollment Service (NDES) does not support user templates; as a result, the user template created in step 2 has to be changed to a computer template. To do so:

a. Open Active Directory Sites and Services.

b. On the View menu, select Show Services Node.

c. Expand Services, then Public Key Services, and click Certificate Templates.

d. Open the duplicated certificate template created in step 2 (UserV2 in this example).

e. Edit the flags attribute and change its value from 131642 to 131706.

Extreme Warning: This method is supplied as is and should be thoroughly tested in your environment. Deploy this solution at your own risk.

If you run the certutil -v -adtemplate userv2 command again, you can see that the templateDescription attribute has changed from User to Computer.
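Because step 4 edits a raw attribute, it helps to see what the two numbers mean. 131642 is the 2023a that certutil printed in step 3, and 131706 differs from it in exactly one bit, 0x40, which is the CT_FLAG_MACHINE_TYPE bit the IPSec (Offline request) output earlier in this post shows for a computer template. The following Python decoder is an added example, not part of the original post or of certutil; it knows only the flag bits that appear in the certutil output on this page and reports any other bit as unknown rather than guessing at it.

```python
import re

# Bit values of the certificate template "flags" attribute, exactly as
# certutil -v -adtemplate names them in the output quoted in this post.
# Any other bit is reported as unknown rather than guessed at.
TEMPLATE_FLAGS = {
    0x1: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x2: "CT_FLAG_ADD_EMAIL",
    0x8: "CT_FLAG_PUBLISH_TO_DS",
    0x10: "CT_FLAG_EXPORTABLE_KEY",
    0x20: "CT_FLAG_AUTO_ENROLLMENT",
    0x40: "CT_FLAG_MACHINE_TYPE",      # set on computer templates (templateDescription = Computer)
    0x200: "CT_FLAG_ADD_TEMPLATE_NAME",
    0x10000: "CT_FLAG_IS_DEFAULT",
    0x20000: "CT_FLAG_IS_MODIFIED",
}
KNOWN_MASK = sum(TEMPLATE_FLAGS)


def parse_certutil_flags(text: str) -> int:
    """Accept a flags line as certutil prints it: hex, optionally followed by the
    decimal value in parentheses, e.g. 'flags = 2023a (131642)' or 'flags = 0'."""
    m = re.search(r"([0-9a-fA-F]+)(?:\s*\((\d+)\))?\s*$", text.strip())
    if not m:
        raise ValueError(f"cannot parse flags value: {text!r}")
    value = int(m.group(1), 16)
    if m.group(2) is not None and int(m.group(2)) != value:
        raise ValueError(f"hex and decimal disagree in {text!r}")
    return value


def decode_flags(value: int) -> list:
    """Return the names of the set bits, lowest bit first."""
    names = [name for bit, name in sorted(TEMPLATE_FLAGS.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def diff_flags(old: int, new: int) -> tuple:
    """(added, removed) flag names between two attribute values."""
    return decode_flags(new & ~old), decode_flags(old & ~new)


def is_computer_template(value: int) -> bool:
    return bool(value & 0x40)


def set_machine_type(value: int) -> int:
    """The change step 4 makes by hand: turn the user template into a computer
    template by setting CT_FLAG_MACHINE_TYPE and leaving every other bit alone."""
    return value | 0x40


if __name__ == "__main__":
    before = parse_certutil_flags("flags = 2023a (131642)")   # Userv2 as shown in step 3
    after = set_machine_type(before)
    print(f"{before} -> {after}: added {diff_flags(before, after)[0]}")
    print("UserV2 is now a computer template:", is_computer_template(after))
```

Running diff_flags on the before and after values is a cheap sanity check before touching the attribute in ADSI Edit: if anything other than CT_FLAG_MACHINE_TYPE shows up as added or removed, the number was mistyped.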

       

5. Publish the certificate created in step 2 to the  Certification Authority (CA).

 

Note: If you do not make these changes to the certificate template and configure NDES to deploy this template, you will receive the following error when requesting the challenge password from the Network Device Enrollment Service (NDES):

 

Network Device Enrollment Service

Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP).

 You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.

 For more information see Using Network Device Enrollment Service.

6. Configure the Network Device Enrollment Service (NDES) to issue certificates based on the certificate template created in step 2 by editing the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP]
"SignatureTemplate"="Userv2"
"EncryptionTemplate"="Userv2"
"GeneralPurposeTemplate"="Userv2"

7. Restart Internet Information Services (IIS) on the Network Device Enrollment Service (NDES).

8.  Install the Root CA’s certificate on the computer where you will run the iPhone Configuration Utility.

9. Open the iPhone Configuration Utility and create a configuration profile.

10. Make sure the NDES and SCEP settings are configured in the iPhone Configuration Utility using the steps in the iPad/iPhone Certificate Issuance blog.

11. Select Wi-Fi and enter the SSID of the 802.1x wireless network.

12. Select Auto-Join.

13. For Security Type, select WPA/WPA2 Enterprise.

14. Select Protocols and then choose TLS.

15. Next, select Authentication and choose the SCEP identity certificate that was previously configured, as outlined in the iPad/iPhone Certificate Issuance blog.

16. Select Trust and choose your Root CA certificate as a trusted certificate.

17. After the CA issues the new certificate, you must export it from the CA and associate it with the user account that was created in step 1:

a. Open Active Directory Users and Computers.

b. On the View menu, select Advanced Features.

c. Find the user account that represents the iPad.

d. Right-click the user account and choose Name Mappings.

e. Click Add, then select the certificate to import.

18. Deploy the profile to your iPad.

 

NPS Basic Settings

 

The Network Policy Server (NPS) settings that were configured for this solution were:

1. Make your Network Policy Server (NPS) a member of the “RAS and IAS Servers” group.

2. Publish the “RAS and IAS Server” certificate template to your CA.

3. Enroll your Network Policy Server (NPS) for the “RAS and IAS Server” certificate.

4. In Policies, select Connection request policies:

a. Create a Policy named “Secure Wireless Connections” with a condition:

    • NAS Port Type = “Wireless – Other or Wireless – IEEE 802.11”

b. Disable the default policy called “Use Windows authentication for all users”

5. In Policies, select Network Policies:

a. Create a policy named “Secure Wireless Connections” with following settings:

    • Overview Tab
      • Select “Grant Access. Grant access if the connection request matches this policy.”
      • Select “Ignore user account dial-in properties”
    • Conditions Tab
      • NAS Port Type = “Wireless – Other or Wireless – IEEE 802.11”
      • Windows Groups = “Contoso\Domain users” (this could be any group, just make sure to make the user account member of it)
    • Constraints Tab
      • Authentication Methods
        •  Microsoft: Smart Card or other certificate (choose the enrolled RAS and IAS Server certificate)

 Thanks to Paulo Marques da Costa for writing this informative Blog

 

Categories: Uncategorized Tags:

Can we believe our eyes? Another story…

February 24th, 2012 No comments

In Windows, the “hosts” file (located by default in the “%SystemRoot%\System32\drivers\etc” directory) is often used by malware authors when hijacking websites. The local hosts file overrides the DNS resolution of a website name to a particular IP address. Malware authors change affected users’ hosts files to redirect specified names to IP addresses of the author’s choice. In August last year, I blogged about malware authors using Unicode characters in the hosts file name in order to trick users and hide the real hosts file. However, it seems that malware writers never stop doing their malicious work. This time, they’re using another trick to mislead people.

Several days ago, one of my friends wanted to buy something from Taobao, which is one of the most popular online trading platforms in China. When he opened the website by typing its URL “http://www.taobao.com” in the address bar of the web browser, he found that the URL changed automatically to “http://www.taobao.com.cn”, with some strings embedded in the URL that looked like an identifier, as in the following example.

He has some rough security knowledge and thought this might be an attempted website hijacking, so he opened the hosts file using Notepad. But to his surprise, the file seemed to be filled with garbage, as you can see below.

He couldn’t understand this, because he thought that the hosts file was just a text file and that he could easily remove the website hijacking by deleting the corresponding entries in the hosts file. So he asked me.
At first, I just wanted to see what the real content of this hosts file was, so I opened it with a hex editor.

When I saw the BOM character (0xFEFF) at the beginning of the file and the ASCII text following it, I realized what it was. This hosts file is just an ASCII text file, but with a Unicode file marker at the beginning of the file, which misleads a Unicode aware text editor, such as notepad, into treating it as a Unicode text file. In the middle of this big hosts file, we can see the entry hijacking www.taobao.com.

But now the question is, how is this malicious hosts file being interpreted? To figure this out, I used Process Monitor with the following filters to identify which process in the system reads and uses the hosts file.

I made some minor modifications to the hosts file, saved it using notepad, and captured the whole process. After that, using Process Monitor’s stack function, I discovered that the hosts file is interpreted by the “DNS Client” service.

From the picture above, we can see that the “DNS Client” service (dnsrslvr.dll) calls the HostsFile_ReadLine function of dnsapi.dll to get the line from the hosts file, which in turn calls the fgets function of msvcrt.dll to do the real work of getting a line from the hosts file. The function fgets in the CRT library only supports ASCII files. Using this function to read the file means the system only supports hosts files in ASCII format, not Unicode format. The following is a part of a flowchart showing the HostsFile_ReadLine function.

We can easily get the logical process for the hosts file from this picture. The system accepts the hosts file as an ASCII file and tries to get records from it. If any invalid record is found, it just drops the record, and continues to process the next record.

Now we can start to understand the whole trick being used by this hosts file. The first line of this file (the characters before the first CRLF) is useless for the system, and will be dropped when building the hosts file records. The rest of this file will be interpreted correctly by the system, as these records are valid, and these websites will be hijacked/diverted from the affected computer. But the first line will mislead Unicode aware editors, such as notepad, and render the text in an incorrect manner, which in turn prevents users from seeing what’s really going on.
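To make the mechanism concrete, the following Python is an added example, not code from the original post: it reads a hosts file the way the post says the DNS Client does (byte lines, ASCII records, invalid lines dropped) and, for comparison, the way a BOM-aware editor would decode it, then reports whether a BOM is present and which names the resolver would actually redirect. The sample hosts file is constructed; it assumes the UTF-16 LE byte order mark (bytes FF FE, the 0xFEFF BOM the post mentions) precedes plain ASCII records, and the record grammar it accepts (an address followed by one or more names, # comments ignored) is the usual hosts syntax rather than a transcription of HostsFile_ReadLine.

```python
import ipaddress

# Constructed sample hosts file: a UTF-16 LE byte order mark (bytes FF FE,
# i.e. the 0xFEFF BOM the post describes) followed by plain ASCII records.
SAMPLE_HOSTS = (
    b"\xff\xfe# first line: the BOM makes it an invalid record, so it is dropped\r\n"
    b"127.0.0.1       localhost\r\n"
    b"203.0.113.10    www.example.test  example.test\r\n"
    b"not-an-address  junk.test\r\n"
)


def editor_view(data: bytes) -> str:
    """What a BOM-aware editor such as Notepad shows: the BOM selects UTF-16
    decoding, so pairs of ASCII bytes become unrelated non-ASCII characters."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be", errors="replace")
    return data.decode("ascii", errors="replace")


def parse_hosts(data: bytes):
    """Mimic the resolver's line-by-line fgets loop: take the file as byte lines,
    keep records that parse as ASCII '<ip> <name> [alias ...]', and silently
    drop anything else. Returns (records, dropped_line_count)."""
    records, dropped = [], 0
    for raw in data.split(b"\n"):
        line = raw.split(b"#", 1)[0].strip()    # comment and CR/whitespace stripped
        if not line:
            continue
        try:
            fields = line.decode("ascii").split()
            ip = ipaddress.ip_address(fields[0])
        except (UnicodeDecodeError, ValueError, IndexError):
            dropped += 1                         # invalid record: skipped, parsing goes on
            continue
        records.extend((str(ip), name.lower()) for name in fields[1:])
    return records, dropped


def resolver_view(data: bytes) -> list:
    """The records the system would actually honour."""
    return parse_hosts(data)[0]


def audit_hosts(data: bytes) -> dict:
    """Defender's check: flag a BOM (which hides the body from editors but not
    from the resolver), count dropped lines, and list non-loopback redirects."""
    records, dropped = parse_hosts(data)
    return {
        "bom": data.startswith((b"\xff\xfe", b"\xfe\xff", b"\xef\xbb\xbf")),
        "dropped_lines": dropped,
        "records": records,
        "redirects": [(ip, name) for ip, name in records
                      if not ipaddress.ip_address(ip).is_loopback],
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("editor shows:", repr(editor_view(SAMPLE_HOSTS)[:20]))
    print("resolver honours:", report["records"])
    print("BOM present:", report["bom"], "| dropped lines:", report["dropped_lines"])
    print("redirected names:", report["redirects"])
```

Point audit_hosts at the bytes of a real %SystemRoot%\System32\drivers\etc\hosts (open it in binary mode) and the two signals to act on are a BOM at offset 0 and any entry in “redirects” you did not put there yourself; the “editor shows” line is only there to reproduce the garbage the post’s screenshot shows.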

In this sample, the malicious server redirects hijacked websites to a Taobao advertisement website. The website itself is legal, and is similar to Google AdWords. Presumably the author will get illegitimate income when people search using the website. This is a very popular way for malware authors in China to get gray income (and may not be viewed quite as severely as other types of more obviously illegal activity).

It’s a fairly straightforward procedure to create a clean hosts file if you think yours has been corrupted in this way. Have a look at this KB article for full instructions.

When we “see” a file is filled with garbage, is it really useless? Can we believe our eyes? The answer is… not always.

Zhitao Zhou
Microsoft Malware Protection Center

Categories: AdWords, ASCII, obfuscation, Taobao Tags:

Research firm rates spam filters

February 23rd, 2012 No comments

Spam filters for email programs are a little like the roof on a house. You wouldn’t want to live without one, but some are better than others.

Recent research from Cascade Insights showed that no email program they tested did better than Hotmail at filtering spam.

Get tricks for getting rid of spam, even if you don’t use Hotmail, and learn how to avoid other email and web scams.

You can also get more detailed information about SmartScreen, Microsoft’s spam-fighting technology, and go beyond the metrics in a detailed blog post by Dick Craddock, Hotmail Group Program Manager. 

MS12-014 – Important : Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 22, 2012): Added a link to Microsoft Knowledge Base Article 2661637 under Known Issues in the Executive Summary.
Summary: This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .avi file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

MS12-001 – Important : Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (February 22, 2012): Added a link to Microsoft Knowledge Base Article 2644615 under Known Issues in the Executive Summary.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.

Categories: Uncategorized Tags:

MS11-089 – Important : Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602) – Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (February 22, 2012): Revised the bulletin to identify the update package KB numbers for the following non-affected software that this update applies to: Microsoft Visio (KB2553374), Microsoft Visio Viewer (KB2553353), Microsoft Office Web Application Companions (WAC) (KB2553153), and Microsoft SharePoint Server 2010 (KB2553132). See the update FAQ for details.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Categories: Uncategorized Tags:

MS11-088 – Important : Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016) – Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (February 22, 2012): Clarified product support status for Microsoft Office Pinyin SimpleFast Style 2010 and Microsoft Office Pinyin New Experience Style 2010. These versions of Microsoft Office Pinyin are no longer supported. Microsoft recommends that all customers of these versions upgrade to the latest version of Microsoft Pinyin IME 2010 available through Microsoft Office 2010. See update FAQ for details.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on user performed specific actions on a system where an affected version of the Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese is installed. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.

Categories: Uncategorized Tags:

Summary for December 2011 – Version: 2.1

Revision Note: V2.1 (February 22, 2012): For MS11-088, clarified product support status for Microsoft Office Pinyin SimpleFast Style 2010 and Microsoft Office Pinyin New Experience Style 2010. These versions of Microsoft Office Pinyin are no longer supported. See bulletin for details.
Summary: This bulletin summary lists security bulletins released for December 2011.

Categories: Uncategorized Tags:

Pramro and Sality – two PEs in a pod

February 21st, 2012 No comments

The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008.

There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramro. For example, let’s examine one of the encrypted files which is currently downloaded by a variant of Worm:Win32/Sality.AU from the host ‘baulaung.org’. If we apply the key ‘GdiPlus.dll’ and a modified RC4 algorithm, the resultant output is a PE file. This file is detected as TrojanProxy:Win32/Pramro.F.

Image 1 – View of Pramro using a file viewer utility


Examining this particular Win32/Pramro variant, we can see that it employs the same key and decryption algorithm as this Win32/Sality variant.

Pramro decryption algorithm

Looking closely at some detection statistics from MSRT, we observe that variants of Win32/Pramro have been reported on 104,120 unique machines during the first week of release. The majority of the affected machines were running Windows XP (81.8%), followed by Windows 7 (12.9%). For the machines which reported a variant of Win32/Pramro, the prevalence distribution of all detections reported by MSRT is listed in the following table. As expected, the connection to Win32/Sality is supported by our data.

Table 1 – MSRT detection statistics


The geographical breakdown of machines which reported a Win32/Pramro variant appears as:

Table 2 – Geographic distribution of Pramro

Interestingly, the top reported file MD5: 543b96731b80fc30a7583bd22cd0d567 / SHA1: 1B9E07EAAF512DA72850612AC6D41207D4340E3C was reported on 76,690 unique machines. This appears to be the most current variant of Win32/Pramro. It was first reported in the wild from our customers in the first week of January 2012 and the encrypted copy is still available at location(s) used by Win32/Sality. This suggests that MSRT was cleaning computers with an active Win32/Pramro infection.

Scott Molenkamp
MMPC, Melbourne

Categories: MSRT, Win32/Pramro, Win32/Sality Tags:

Report scams in Hotmail, Xbox, and more

February 21st, 2012 No comments

If you think you’re a target of a phishing scam or other fraud in an email, Xbox instant message, or on a website, you can report it. Most Microsoft products have built-in tools that make this easier.

Hotmail. If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Hotmail inbox. Click Mark as and then point to Phishing scam.

Xbox 360. If someone is trying to phish you in Xbox 360, bring up the player profile, select File Complaint, select File Complaint again, select Text and Voice Communication and then select Text message to file a complaint, where it will be reviewed by our Enforcement Team.

Internet Explorer. While you are on a suspicious site, click the gear icon and then point to Safety. Then click Report Unsafe Website and use the web page that is displayed to report the website.

Microsoft Office Outlook. Attach the suspicious email message to a new email message and forward it to reportphishing@antiphishing.org. To learn how to attach an email message to an email message, see Attach a file or other item to an email message.

Get more information about how to report and avoid fraud.

BRANCHCACHE for Exchange 2010 OAB Download How-To:

Requirements for BranchCache

Following is a list of operating systems that support BranchCache content server or BranchCache client computer functionality. To successfully deploy BranchCache in a test lab environment, you must use operating systems that support BranchCache.


General Requirements to Server and Client

Server and clients must be able to communicate with each other. Clients must be in the same subnet (otherwise discovery of cached content will not work). All machines must be resolvable in DNS or WINS.


Operating systems for BranchCache client computer functionality

To perform the steps in this guide, you must have three physical or virtual client computers that are running one of the following operating systems:

  • Windows® 7 Enterprise
  • Windows® 7 Ultimate

Operating systems for BranchCache content server functionality

To perform the steps in this guide, you must have one physical or virtual server computer to be used as a BranchCache content Web server that is running one of the Windows Server® 2008 R2 family of operating systems, with the following exceptions:

  • In Windows Server® 2008 R2 Enterprise Core Install with Hyper-V, BranchCache is not supported.
  • In Windows Server® 2008 R2 Datacenter Core Install with Hyper-V, BranchCache is not supported.

Necessary Installation and Configuration Steps for Content-Server:

In our Lab Environment the Content Server should deliver the Exchange OAB. In this case the existing CAS-Server is responsible for the Content we want to get, so the CAS-Server will be our Content-server. As a prerequisite for CAS the IIS-Server is already in place, so we don’t need to change anything at this point.

The first necessary step is to install the BranchCache feature from Roles and Features.

After this is done install the B.I.T.S. feature with IIS Extension Subfeature.

On the server, these should be all the configuration steps needed.

Additionally, to verify the functionality you can use Perfmon to monitor the BranchCache related traffic information.

Configure BranchCache performance counters on the content server

  1. On CAS with Branchcache installed, click Start, click Search programs and files, and type perfmon. In Search results, in Programs, click perfmon.exe. Windows Performance Monitor opens.
  2. In Monitoring Tools click Performance Monitor to view the Performance Monitor graph. To change the performance monitor graph to report view, click the graph toolbar icon that displays an arrow to reveal the drop-down list, and then click Report.
  3. To add BranchCache counters, click the graph toolbar icon that is a green plus sign (+). The Add Counters dialog box opens. In the left pane, scroll to BranchCache Kernel Mode, and click to expand the list of BranchCache Kernel Mode counters. Click Client Cache Miss Bytes, hold down the Ctrl key, and then click Server Cache Miss Bytes, Hash Bytes, and Projected Server Bytes Without Caching.
  4. Click Add, and then click OK.

Perfmon Content-Server with working Branchcache

To reset the BranchCache functionality and the performance counters on the content server use:

        netsh branchcache reset

After the BranchCache reset the Perfmon counters are reset as well.

Client computer configuration:
Necessary Installation and Configuration Steps for Client Computers to enable BranchCache distributed cache mode using network shell commands

1.   On the BranchCache client computer that you want to configure, click Start, click Search programs and files, and then type command. In search results, under Programs, right-click Command Prompt, and then click Run as Administrator. The command prompt opens with the elevated privileges that are required to run netsh commands.

2.   Run the following command: netsh branchcache set service mode=DISTRIBUTED

Suggestion:

Running the netsh branchcache set service command both configures the client computer for distributed cache mode and automatically configures the client computer firewall with the following inbound exceptions for distributed cache mode: TCP port 80 and UDP port 3702.

3.   To verify that BranchCache distributed cache mode is correctly configured on the client computer, run the following command: netsh branchcache show status. The BranchCache Service Status is displayed in the command prompt window with the following values: Service Mode: Distributed Caching; Serve peers on battery power: Disabled; and Current Status: Running.

To configure BranchCache performance counters on the Client Computers

4.   On Client with Branchcache installed, click Start, click Search programs and files, and type perfmon. In Search results, in Programs, click perfmon.exe. Windows Performance Monitor opens.

5.   In Monitoring Tools click Performance Monitor to view the Performance Monitor graph. To change the performance monitor graph to report view, click the graph toolbar icon that displays an arrow to reveal the drop-down list, and then click Report.

6.   To add BranchCache counters, click the graph toolbar icon that is a green plus sign (+). The Add Counters dialog box opens. In the left pane, scroll to BranchCache, and select all underlying counters.

7.   Click Add, and then click OK.

 

First Windows 7 Client got Data from Server

Other Windows 7 Clients got Hashes from Server but Data from Cache of First Client

To reset the BranchCache functionality and the performance counters on the client machines use:

      netsh branchcache reset

and after that

      netsh branchcache set service mode=DISTRIBUTED

These are the steps to make OAB Download over Branchcache possible.
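As an added example, not part of the original how-to, the following PowerShell script bundles the client-side steps above (set distributed mode, verify the three status values with netsh branchcache show status, and read the same counters the Perfmon steps add) so they can be re-run after a netsh branchcache reset without clicking through the GUI. It assumes an elevated PowerShell prompt on a Windows 7 client (or, with -Role ContentServer, on the CAS), that the counter set names 'BranchCache' and 'BranchCache Kernel Mode' are the ones the Perfmon steps refer to, and that the netsh output is in English; the Role and Reset parameters are this script's own names.

```powershell
<#
  Added example, not the original post's code. Assumptions: run elevated on a
  Windows 7 client (Role=Client) or on the CAS content server (Role=ContentServer);
  counter set names 'BranchCache' / 'BranchCache Kernel Mode' as used in the
  Perfmon steps; English netsh output. Parameter names are this script's own.
#>
param(
    [ValidateSet('Client', 'ContentServer')]
    [string]$Role = 'Client',
    [switch]$Reset
)

function Get-BranchCacheStatus {
    # Turn lines such as "Service Mode = Distributed Caching" from
    # 'netsh branchcache show status' into a hashtable keyed by the label.
    $status = @{}
    foreach ($line in (netsh branchcache show status)) {
        if ($line -match '^\s*(.+?)\s*[=:]\s*(\S.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Set-BranchCacheDistributed {
    # Step 2 of the client procedure; this also creates the inbound firewall
    # exceptions (TCP 80, UDP 3702) the post mentions.
    netsh branchcache set service mode=DISTRIBUTED | Out-Null
}

function Test-BranchCacheDistributed {
    # Step 3: check the three values the post says to expect.
    $s = Get-BranchCacheStatus
    $mode    = $s['Service Mode']
    $battery = $s['Serve peers on battery power']
    $state   = $s['Current Status']
    Write-Host ('Service Mode: {0}; Serve peers on battery power: {1}; Current Status: {2}' -f $mode, $battery, $state)
    return (($mode -like 'Distributed*') -and ($state -eq 'Running'))
}

function Show-BranchCacheFirewallRules {
    # List the inbound rules whose name mentions BranchCache, i.e. the
    # exceptions added by 'netsh branchcache set service'.
    netsh advfirewall firewall show rule name=all dir=in |
        Select-String -Pattern 'Rule Name:\s+.*BranchCache'
}

function Get-BranchCacheCounters([string]$Role) {
    # Same counters as the Perfmon steps, sampled once with Get-Counter.
    if ($Role -eq 'ContentServer') {
        # Content server: the four 'BranchCache Kernel Mode' counters from step 3.
        $paths = (Get-Counter -ListSet 'BranchCache Kernel Mode').Paths |
            Where-Object { $_ -match '\\(Client Cache Miss Bytes|Server Cache Miss Bytes|Hash Bytes|Projected Server Bytes Without Caching)$' }
    } else {
        # Client: every counter in the 'BranchCache' set, as in step 6.
        $paths = (Get-Counter -ListSet 'BranchCache').Paths
    }
    (Get-Counter -Counter $paths).CounterSamples |
        Select-Object Path, CookedValue
}

if ($Reset) {
    # Reset sequence from the end of the post: counters return to zero and a
    # client has to be put back into distributed mode afterwards.
    netsh branchcache reset | Out-Null
}

if ($Role -eq 'Client') {
    Set-BranchCacheDistributed
    if (-not (Test-BranchCacheDistributed)) {
        Write-Warning 'BranchCache is not in distributed cache mode or the service is not running.'
    }
    Show-BranchCacheFirewallRules
}

Get-BranchCacheCounters -Role $Role | Format-Table -AutoSize
```

Run it once on the first client before an OAB download and once on each further client afterwards: on the first client the counter values show bytes fetched from the server, on the others the hashes come from the server but the data from the first client's cache, which is exactly what the two Perfmon screenshots above illustrate. Save the script as a .ps1 file and run it with -Role ContentServer on the CAS to read the kernel-mode counters there.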