Posts Tagged ‘How To’

Boost your internal PKI/Microsoft CA security with FREE green Extended Validation SSL in 15 minutes or close your eyes until 2016!

One of the new CAB Forum baseline requirements is that all SSL certificate issuers are to stop issuing SSL certificates with internal host names and IP addresses. Currently it is possible to get internal host names in public certificates until 2016, but after 1. July it will be shortened to 2015. But keep reading and you will remove this threat today, instead of waiting to 2015-2016.

Normal usage of SSL certificates

Most companies with a medium to large infrastructure, use an internal PKI solution like Microsoft Certification Authority for identity and encryption on internal workstations and accounts. They will also use internal CA to issue certificates for server systems that are only accessed by internal computers where Root CA trust can be controlled automatically thru GPO or similar.

But external facing websites and server systems use public external CA issued SSL certificates, to ensure trust by all units including mobile units and external computers.

(did you see the padlock in the above image?)

Example of attack

It makes sense to prevent easy attacks on the identity part of SSL security for internal systems. Any internal website would be easy to replace with a fake site or do a man in the middle attack with a real external publically trusted SSL certificate that includes the internal host names. Example: an internal password management portal on https://mypassword.abc-organization.local. The intruder gets a certificate issued to www.notyours.dk including a SAN name “mypassword.abc-organization.local”. It would be easy for the intruder to setup a fake website to harvest passwords with a real SSL certificate that all clients would trust equally to their internally issued SSL certificate on the existing system. Clients would see the padlock with no visible changes. Read the rest of this entry »

How to configure your virtual Domain Controllers and avoid simple mistakes with resulting big problems

So You went ahead and used virtualized Domain Controllers for Your Active Directory domain, congratulations! I am sure You will be happy with the decission, as long as You have a decent virtualizing environment, this will give You both peace of mind, faster recovery and cheaper redundancy.

There is however some special considerations You must do, when You are using virtual Domain Controllers, not to mention, please with sugar on top, Windows Server Active Directorydo NOT P2V/Convert Your physical Domain Controllers to virtual, without at least reading this article!

What areas do we need to consider on a virtual DC?

  • Time synchronization
  • Disk cache
  • Suspend/pausing virtual machine
  • Snapshots and System State backups
  • Performance

Personally I much prefer virtual Domain Controllers, from having a lot of physical ones, but there are some considerations to be made, about perhaps leaving some physical and what features to use on the virtual and what settings to use as well. This article attempts to uncover some of the points to consider, specifically for virtal DC's. The list is in no way meant to be the only considerations, but is mostly the things that I personally have noticed forgotten in environments I have encountered. Add Your own preferences and research to this and You should be well on Your way to live happily forever with Your virtual DC's.

Read the rest of this entry »

How to disable administrative shares on workstations thru Group Policy and avoid spending time on pesty virus infections

Large companies sometimes have problems with a virus that realy loves administrative shares on other workstations (i.e. c$ and admin$), it will try and break into theese to spread it self directly. The easy option ofcourse being kill the virus or even better harden administrative users and not use administrator rights for normal users! But untill that is an easy, non-political and not so time consuming task, why not disable the administrative shares on the workstations alltogether?

Seems like a perfect thing to do with Group Policy, unfortunately the setting is non-existing default in Group Policies, so by finding the registry key we need to change, a small custom administrative template will do the trick. This could also be used for other registry changes needed with group policy.

We might also want the option to easily enable the administrative shares later, might be used by applications, services, automated installations, etc. Heres is how to do it quick and easy. Read the rest of this entry »

How to get external SAN UC SSL certificates that work with OCS 2007 R2 and avoid having to read 100 blog posts!

Been reading up on external and internal DNS names used by OCS 2007 R2 ? Your head stopped spinning yet? So you've decided on what FQDN's to use, next step order some SSL certificates, should be easy enough right, You allready figured out You need SLL certificates that are Unified Communications Certificates (UCC) enabled. In my example I will use GlobalSign Domain Validated SAN's, if I needed multiple domains for example for @sole.dk and @soleit.dk, I would choose GlobalSign Organisation Validated SAN's instead.

For a GlobalSign SSL certificate to be UCC enabled, it must use SAN domains, no other way of enabling it. So no point in spending lots of budget on seperate SSL certificates for each service. SAN Subdomains are also quite alot cheaper than buying seperate SSL certificates.

One of the tricky parts of Office Communications Server 2007 R2 and SSL certificates, is that You can not use one single SAN SSL for all services, if You intend to use port 443 for all services!

Why would we only use port 443 ? Read the rest of this entry »

Dont forget to google it and take a vacation!

Most experienced consultants use Google daily to find descriptions of problems and solutions, knowing your way around Google and making a good search, can mean the difference between identifying and solving a problem within minutes or hours.

google logoMany times a customer have asked me how to solve a problem, that I didnt know the answer to on the top of my head, after all there is a lot of issues and only so much memory and experience. Not once have I recieved any negative responses from saying "let me do a little research and i will come right back to you", on the contrary the customer is happy and relieved that I will help them. Dont drop the ball and say "no sorry cant help you", must customers dont have the time or experience to search for an answer them self, why else would they be asking. Read the rest of this entry »

How to fix missing PPTP Interfaces from RRAS console in ISA 2006 and stop a memory leak in the process

All PPTP VPN interfaces in ISA 2006 (sp1) disappeared from the Routing and Remote Access Service console, this problem was a cool problem both because it was challenging but also due to the unexpected results and solutions we found.

The first google attempt at finding a solution told us to try the following workaround - Not recommended!

  • Run the following command: C:\> netsh int ip reset c:\resetlog.txt

Well this solution might fix the problem here and now, but you might as well turn to the good old solution of restarting your server every time it fails, because this solution will do the following.

  • Enable DHCP and remove all IP configuration of all interfaces.
    Not the smartest move on a server, and you are stuck with having to retype all your settings again.
  • Most likely the problem will reappear again, since it does not fix the problem.

Now looking deeper into the error, we started looking at event logs - nothing here to help us (let us know if you had any usefull info here for this error). Then we tried various other things, including looking at a snapshot of the memory usage (you can just open taskmgr.exe) and found something surprising. Wspsrv.exe was using more memory handles than all other processes combined on the machine. A memory leak! It has been several years since I ran into a memory leak, it used to be the most common problem for programmers to avoid, but I rarely see them any more. Read the rest of this entry »