Tuesday 30 June 2015

CRL checking with certutil

Background

You have a server with a valid certificate installed. The Root CA is installed correctly. However, you get an error stating that the certificate is invalid. Applications that rely on the certificate may not work correctly.

Resolution

Try these commands from an Elevated Command Prompt on the server having the issue:

certutil -f -urlfetch -verify [FilenameOfCertificate]

e.g. certutil -f -urlfetch -verify mycertificatefile.cer (where mycertificatefile.cer is an export of the certificate experiencing the issue)

After it runs it should say:

Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

If it fails with an error, try the below commands to see if the CRLs are reachable:

certutil -URL

or

certutil -URL [URLOfCRLToBeChecked]

This command shows the previously downloaded and cached CRLs:

certutil -urlcache CRL

If your server cannot reach the CRLs, it could be due to proxy configuration. Check the config with the following command:

netsh winhttp show proxy

The output should be:

Current WinHTTP proxy settings:
Direct access (no proxy server).
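The same three checks (chain verification with online revocation checking, reachability of each CRL distribution point, and the WinHTTP proxy setting) can be scripted with the .NET X509 classes. This is an added example, not part of the original post; the certificate path is an assumption.

```powershell
# Added example (not from the original post). Equivalent of
# "certutil -f -urlfetch -verify", "certutil -URL" and "netsh winhttp show proxy"
# in one function, so the result can be logged or scheduled.
function Test-CertificateRevocation {
    param(
        [Parameter(Mandatory)] [string] $CertPath   # exported .cer of the failing certificate
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Build the chain and force an online revocation check of every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)
    $status  = foreach ($s in $chain.ChainStatus) { "$($s.Status): $($s.StatusInformation.Trim())" }

    # Pull the CRL Distribution Point URLs (OID 2.5.29.31) out of the leaf certificate
    # and try to download each one, which is what "certutil -URL" does interactively.
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdpExt) {
        $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $reach = foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{ Url = $u; Reachable = $true;  Detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes" }
        } catch {
            # ldap:// distribution points and blocked HTTP both land here
            [pscustomobject]@{ Url = $u; Reachable = $false; Detail = $_.Exception.Message }
        }
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        ChainValid   = $chainOk
        ChainStatus  = $status
        CrlUrls      = $reach
        WinHttpProxy = (netsh winhttp show proxy) -join ' '
    }
}

# Usage (hypothetical file name); run from an elevated prompt on the affected server
Test-CertificateRevocation -CertPath 'C:\temp\mycertificatefile.cer' | Format-List
```

A CRL URL that is unreachable here but resolves fine from a workstation usually points at the proxy configuration the post mentions.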

References




Sunday 28 June 2015

Suite B Cryptography

About

Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA's Information Assurance Directorate in solutions approved for protecting National Security Systems (NSS). Suite B includes cryptographic algorithms for encryption, key exchange, digital signature, and hashing.

Cryptographic algorithms



OS Support

Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms (including SHA2) are included in the operating system. It is worth noting that even though the algorithms are available, it is up to the individual applications to implement support.

Windows XP requires SP3 to support SHA2 hashes (SHA-256, SHA-384 and SHA-512).

Server 2003 SP2 requires an update to support SHA2 - KB 938397, linked below.

However, both Windows XP SP3 and Server 2003 SP2 (with patch) require another patch (KB 968730) in order to request certificates from a 2008 CA whose certificate was signed with a SHA2 hash.

Links

Thursday 25 June 2015

Citrix XenApp error message: You do not have permissions to execute 16-bit applications


Background

When launching a 16-bit application on a 32-bit Windows Server 2008 Enterprise SP2 OS server running Citrix XenApp 5.0, the user receives a "wfshell.exe - System Error" dialog box that states the application executable "is a 16-bit application. You do not have permissions to execute 16-bit applications. Check your permissions with your system administrator".

After clicking OK to this error, another dialog box is displayed. This one, titled "Citrix XenApp" states that the application "failed to start. The Citrix server is unable to process your request to start this published application. Please try again. If the problem persists, contact your administrator".

Cause

This error happens because 16-bit applications have been restricted from running. This may be through Group Policy, the Local Policy, or a registry entry.

The user's roaming profile could have picked up the restriction after they logged onto a server where running 16-bit applications had been disabled for security reasons; the setting was then saved into their roaming profile and followed them to other servers.

This issue can also occur if any one of the following files is missing, damaged, or not located in the %systemroot%\System32 folder:

  • Autoexec.nt
  • Command.com
  • Config.nt


Resolution

There are a few potential resolutions to this problem.

One is the following Local or Group Policy setting:

Administrative Templates > Windows Components > Application Compatibility
Setting: Prevent access to 16-bit applications
State: Disabled

Another is the following Windows Registry settings:

Key: HKLM\System\CurrentControlSet\Control\WOW
Name: DisallowedPolicyDefault
Type: DWORD (32-bit)
Value: 0

Key: HKLM\Software\Policies\Microsoft\Windows\AppCompat
Name: VDMDisallowed
Type: REG_DWORD
Value: 0

Key: HKU\{Users_SID}\Software\Policies\Microsoft\Windows\AppCompat
Name: VDMDisallowed
Type: REG_DWORD
Value: 0

The last registry setting needs to be updated whilst the user is logged onto the Citrix server. They then need to log off and back on again for the changes to take effect. Another way would involve updating the user's roaming profile (NTUSER.DAT) by loading this hive in REGEDIT whilst the user is logged out of Citrix and making the changes before unloading the hive and asking them to log on again.

This could also be scripted by using REG.EXE if needed by running the following command:

REG ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /t REG_DWORD /v VDMDisallowed /d 0

Lastly, run a GPUPDATE /FORCE or reboot the server for good effect!
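Before changing anything it helps to know which of the three registry locations above is actually setting the restriction, since a value in the user's hive survives a machine-level fix. This is an added example, not part of the original post; the SID parameter is an assumption for checking another user's loaded hive.

```powershell
# Added example (not from the original post). Reads the three values listed above and
# reports which one is blocking 16-bit applications. Without -UserSid it checks the
# hive of the account running the script (the HKU\{SID} hive is only loaded while
# that user is logged on, which is why the post says to change it during a session).
function Get-16BitAppRestriction {
    param([string] $UserSid)
    if (-not $UserSid) {
        $UserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    }
    $checks = @(
        @{ Path = 'HKLM:\System\CurrentControlSet\Control\WOW';          Name = 'DisallowedPolicyDefault' },
        @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows\AppCompat'; Name = 'VDMDisallowed' },
        @{ Path = "Registry::HKEY_USERS\$UserSid\Software\Policies\Microsoft\Windows\AppCompat"; Name = 'VDMDisallowed' }
    )
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }   # $null = value not present
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Value    = $value
            Blocking = [bool]$value    # 1 (or any non-zero) means 16-bit apps are disallowed
        }
    }
}

Get-16BitAppRestriction | Format-Table -AutoSize
```

A row with Blocking = True under the HKEY_USERS path is the roaming-profile case described above and needs the per-user fix, not just the HKLM one.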

Register a Service Principal Name for Kerberos Connections


Background

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The Kerberos authentication service can use an SPN to authenticate a service. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.


References


Tuesday 23 June 2015

DISM commands

Deployment Image Servicing and Management tool

Version: 6.3.9600.17031


DISM.exe [dism_options] {Imaging_command} [<Imaging_arguments>]
DISM.exe {/Image:<path_to_offline_image> | /Online} [dism_options]
         {servicing_command} [<servicing_arguments>]

DESCRIPTION:

  DISM enumerates, installs, uninstalls, configures, and updates features
  and packages in Windows images. The commands that are available depend
  on the image being serviced and whether the image is offline or running.

GENERIC IMAGING COMMANDS:

  /Get-MountedImageInfo   - Displays information about mounted WIM and VHD
                            images.
  /Get-ImageInfo          - Displays information about images in a WIM or VHD
                            file.
  /Commit-Image           - Saves changes to a mounted WIM or VHD image.
  /Unmount-Image          - Unmounts a mounted WIM or VHD image.
  /Mount-Image            - Mounts an image from a WIM or VHD file.
  /Remount-Image          - Recovers an orphaned image mount directory.
  /Cleanup-Mountpoints    - Deletes resources associated with corrupted
                            mounted images.
WIM COMMANDS:

  /Capture-CustomImage    - Captures customizations into a delta WIM file on a
                            WIMBoot system. Captured directories include all
                            subfolders and data.
  /Get-WIMBootEntry       - Displays WIMBoot configuration entries for the specified disk volume.
  /Update-WIMBootEntry    - Updates WIMBoot configuration entry for the specified disk volume.
  /List-Image             - Displays a list of the files and folders in a
                            specified image.
  /Delete-Image           - Deletes the specified volume image from a WIM file
                            that has multiple volume images.
  /Split-Image            - Splits an existing .wim file into multiple
                            read-only split WIM (SWM) files.
  /Export-Image           - Exports a copy of the specified image to another
                            file.
  /Append-Image           - Adds another image to a WIM file.
  /Capture-Image          - Captures an image of a drive into a new WIM file.
                            Captured directories include all subfolders and
                            data.
  /Apply-Image            - Applies an image.
  /Get-MountedWimInfo     - Displays information about mounted WIM images.
  /Get-WimInfo            - Displays information about images in a WIM file.
  /Commit-Wim             - Saves changes to a mounted WIM image.
  /Unmount-Wim            - Unmounts a mounted WIM image.
  /Mount-Wim              - Mounts an image from a WIM file.
  /Remount-Wim            - Recovers an orphaned WIM mount directory.
  /Cleanup-Wim            - Deletes resources associated with mounted WIM
                            images that are corrupted.

IMAGE SPECIFICATIONS:

  /Online                 - Targets the running operating system.
  /Image                  - Specifies the path to the root directory of an
                            offline Windows image.

DISM OPTIONS:

  /English                - Displays command line output in English.
  /Format                 - Specifies the report output format.
  /WinDir                 - Specifies the path to the Windows directory.
  /SysDriveDir            - Specifies the path to the system-loader file named
                            BootMgr.
  /LogPath                - Specifies the logfile path.
  /LogLevel               - Specifies the output level shown in the log (1-4).
  /NoRestart              - Suppresses automatic reboots and reboot prompts.
  /Quiet                  - Suppresses all output except for error messages.
  /ScratchDir             - Specifies the path to a scratch directory.

For more information about these DISM options and their arguments, specify an
option immediately before /?.

  Examples:
    DISM.exe /Mount-Wim /?
    DISM.exe /ScratchDir /?
    DISM.exe /Image:C:\test\offline /?
    DISM.exe /Online /?

OS Deployment and Imaging


The DISM method


To integrate packages into an image by using the DISM method, follow these steps:

1. Download the standalone package for the update or updates that you want to integrate.
2. Create a new directory to expand the update package.
3. Extract the update package by using the following command:

expand -f:* <path to .msu> <destination>

  For example, the following command expands update 2959977 to the C:\Cabs folder:

expand -f:* Windows8.1-KB2939087-x64.msu C:\Cabs

4. Integrate the expanded cabinet (.cab) file into the image from the expanded package by using the following command:

DISM /Online /Add-Package /PackagePath:<path to extracted .cab file from step 3>

  For example, the command to integrate the update 2959977 .cab file would be as follows:

DISM /Online /Add-Package /PackagePath:c:\cabs\Windows8.1-KB2959977-x64.cab
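Steps 1 to 4 repeated for a folder of updates, as an added example that is not part of the KB text above. Folder names and parameter names are assumptions; the function services the running OS (/Online) unless an offline image path is given.

```powershell
# Added example (not from the original article). Expands every .msu in a folder into
# its own subfolder and adds each update .cab with DISM, reporting the exit code.
# DISM exit code 3010 means "succeeded, reboot required" and is treated as success.
function Add-MsuPackages {
    param(
        [Parameter(Mandatory)] [string] $MsuFolder,
        [string] $CabFolder = 'C:\Cabs',
        [string] $OfflineImage            # e.g. C:\test\offline; empty = service the running OS
    )
    $target = if ($OfflineImage) { "/Image:$OfflineImage" } else { '/Online' }

    foreach ($msu in Get-ChildItem -Path $MsuFolder -Filter *.msu) {
        # Step 3: expand the .msu (-F:* extracts every file it contains)
        $dest = Join-Path $CabFolder $msu.BaseName
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        & expand.exe -F:* $msu.FullName $dest | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "expand failed for $($msu.Name) (exit code $LASTEXITCODE)"
            continue
        }

        # Step 4: add each update .cab. An expanded .msu also contains WSUSSCAN.cab,
        # which is Windows Update detection metadata, not a servicing package; skip it.
        $cabs = Get-ChildItem -Path $dest -Filter *.cab | Where-Object { $_.Name -ne 'WSUSSCAN.cab' }
        foreach ($cab in $cabs) {
            & dism.exe $target /Add-Package "/PackagePath:$($cab.FullName)" /NoRestart | Out-Null
            $code = $LASTEXITCODE
            [pscustomobject]@{
                Msu       = $msu.Name
                Cab       = $cab.Name
                ExitCode  = $code
                Succeeded = ($code -eq 0 -or $code -eq 3010)
            }
        }
    }
}

# Usage (hypothetical paths); run from an elevated prompt
Add-MsuPackages -MsuFolder 'C:\Updates' -CabFolder 'C:\Cabs' | Format-Table -AutoSize
```

When any row reports 3010, reboot once after the whole batch rather than after each package.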



Active Directory Certificate Services

Introduction

Active Directory Certificate Services (AD CS) provides a Public Key Infrastructure (PKI) that can be used to distribute certificates from a trusted source to enable the following:
  • Secure data transmission to a known recipient through encryption
  • Signing of code and documents that confirms who the sender is and that the data has not been tampered with in any way

PKI uses

  • Control access to the network with 802.1x authentication
  • Approve and authorize applications with Code Signing
  • Protect user data with EFS
  • Secure network traffic using IPSec
  • Remote access via Virtual Private Network (VPN)
  • Protect LDAP-based directory queries with Secure LDAP (LDAPS)
  • Implement two-factor authentication with Smart Cards
  • Secure web traffic (HTTPS)
  • Implement Secure Email (S/MIME)
  • Mobile devices connecting to Exchange Server infrastructures
  • Mutual authentication of Exchange Server components

Applications that may use certificates

  • Active Directory
  • Exchange
  • IIS
  • Internet Security & Acceleration Server
  • Office Communications Server
  • Outlook
  • System Center Configuration Manager
  • Windows Server Update Services

Hardware Security Module

A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of organizations by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

Terminology

  • AD CS - Active Directory Certificate Services
  • AIA - Authority Information Access
  • CA - Certification Authority
  • CDP - CRL Distribution Point
  • CEP - Certificate Enrollment Policy
  • CES - Certificate Enrollment Service
  • CP - Certificate Policy
  • CPS - Certificate Practice Statement
  • CRL - Certificate Revocation List
  • CSP - Cryptographic Service Provider
  • DRA - Data Recovery Agent
  • HSM - Hardware Security Module
  • KRA - Key Recovery Agent
  • KSP - Key Storage Provider
  • OID - Object Identifier
  • OCSP - Online Certificate Status Protocol
  • PEN - Private Enterprise Number
  • PKI - Public Key Infrastructure
  • SCEP - Simple Certificate Enrollment Protocol

Links

Monday 22 June 2015

It's about time...

Introduction


The Windows Time service (W32Time) uses Network Time Protocol (NTP) to synchronize the time across server and client operating systems in a domain hierarchy.

W32Time is not considered to be precise or reliable, and is not supported as an accurate time source. The service was designed to do the following:

  • Support the Kerberos V5 authentication protocol
  • Provide loose sync time for client computers

The W32Time service cannot reliably maintain sync time to the range of one to two seconds. Such tolerances are outside the design specification of the W32Time service.

The National Institute of Standards and Technology (NIST) maintains a list of third-party publishers of time and frequency software.

UPDATE:
Beginning in Windows Server 2016, Windows now supports highly accurate time with up to 1ms (millisecond) accuracy!

In the past it was necessary to use a 3rd party product (e.g. Greyware's "Domain Time II") to guarantee accurate time synchronisation for Windows (Linux does this out of the box).

The following is a quote from Microsoft’s website:

Earlier versions of Windows (Prior to Windows 10 1607 or Windows Server 2016 1607) cannot guarantee highly accurate time. The Windows Time service on these systems:

  • Provided the necessary time accuracy to satisfy Kerberos version 5 authentication requirements
  • Provided loosely accurate time for Windows clients and servers joined to a common Active Directory forest

Tighter accuracy requirements were outside of the design specification of the Windows Time Service on these operating systems and are not supported.

Time accuracy in Windows 10 and Windows Server 2016 has been substantially improved, while maintaining full backwards NTP compatibility with older Windows versions. Under the right operating conditions, systems running Windows 10 or Windows Server 2016 and newer releases can deliver 1 second, 50ms (milliseconds), or 1ms accuracy.

Time Synchronization in an AD DS Hierarchy

In a Windows domain, the Forest Root Domain PDC Emulator FSMO role holder is the server that is considered to be the best time source and should be configured to sync with an external, reliable time source (such as an Internet NTP Time Server).

Client servers and workstations will synchronize with their authenticating Domain Controller (DC).

DCs can sync with the PDC Emulator in their own domain, or any DC in the parent domain.

DCs in the forest root domain will sync with their PDC Emulator.

How to reinstall the Windows Time service and reset the default configuration


  • net stop w32time
  • w32tm /unregister
  • w32tm /register
  • net start w32time
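The hierarchy described above and the four reset commands, applied by one script: the forest-root PDC emulator is pointed at external NTP peers and every other machine is told to follow the domain hierarchy. This is an added example, not part of the original post; the NTP server names are assumptions.

```powershell
# Added example (not from the original post). -Reset first runs the four reinstall
# commands listed above, then the machine is configured according to its role.
function Set-W32TimeRole {
    param(
        [string[]] $ExternalPeers = @('0.pool.ntp.org', '1.pool.ntp.org'),   # assumption: replace with your source
        [switch]   $Reset
    )
    if ($Reset) {
        net stop w32time    | Out-Null
        w32tm /unregister   | Out-Null
        w32tm /register     | Out-Null
        net start w32time   | Out-Null
    }

    # Is this computer the PDC emulator of the forest root domain?
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $pdc    = $forest.RootDomain.PdcRoleOwner.Name
    $me     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    if ($pdc -ieq $me) {
        # ",0x8" marks each peer as a client-mode NTP association; /reliable:yes
        # advertises this DC as a good time source to the rest of the forest.
        $peers = ($ExternalPeers | ForEach-Object { "$_,0x8" }) -join ' '
        w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update | Out-Null
    } else {
        # Everything else (other DCs, member servers, workstations) follows the hierarchy
        w32tm /config /syncfromflags:domhier /update | Out-Null
    }
    w32tm /resync /nowait | Out-Null

    [pscustomobject]@{
        Computer      = $me
        ForestRootPdc = $pdc
        IsRootPdc     = ($pdc -ieq $me)
        TimeSource    = (w32tm /query /source) -join ''
        Status        = (w32tm /query /status) -join "`n"
    }
}

# Usage: run elevated on each DC; add -Reset to reinstall the service first
Set-W32TimeRole | Format-List
```

A member server whose TimeSource shows "Local CMOS Clock" after this has not found a DC to sync from and should be checked first.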


Helpful links



Sunday 21 June 2015

Microsoft Product Licensing and Volume Activation


What is volume activation?

Volume activation is an authentication process that assures that your software copy is genuine. Activation is part of deployment and a core piece of the planning stage for Windows client and server operating systems and Office applications.

Licensed products:
  • Windows Server OS
  • Windows Client OS
  • Microsoft Office family of products

Activation methods:

  • Online (requires an active Internet connection)
  • By phone (can be used when there is no Internet connection)

License types:

  • Retail - the software is purchased "off the shelf" from a retailer and you install it yourself. The license key is included on the back of the product's CD/DVD packaging.
  • Original Equipment Manufacturer (OEM) - the software comes pre-installed on the device. A copy of the software is included along with the product key.
  • Volume licensing - you download the software and install it on company owned equipment based on an agreement with Microsoft for a set number of units. There are a number of different activation options available, as stated below:

Terminology:


  • Client Machine IDs (CMIDs)
  • Generic Volume License Key (GVLK)
  • Key Management Service (KMS)
  • Multiple Activation Key (MAK)
  • Volume License Service Center (VLSC)

Volume licensing activation options:


Volume licensing tools:

DNS Publishing of KMS server:
  • Creates an SRV (service) RR (resource record) called "_VLMCS" located in DNS Forward Lookup Zones\DomainFQDN\_tcp
  • Disable DNS publishing: slmgr.vbs /cdns
  • Enable DNS publishing: slmgr.vbs /sdns
  • Registry: Create a new DWORD value called "DisableDnsPublishing" and set its value to 1 - "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"
  • Publish to multiple DNS Domains: Create a new multi-string value "DnsDomainPublishList" in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" which contains the DNS domain suffixes of each domain.
  • Restart Software Licensing service (SLsvc) or Software Protection service (sppsvc) on host
  • Locate your KMS server: nslookup -type=srv _vlmcs._tcp

Configuration defaults:

  • Volume license activation interval: 2 hours
  • Volume license renewal interval: 7 days
  • Volume activation expiration: 180 days
  • KMS Host protocol & port: TCP 1688
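The DNS publishing checks above and the TCP 1688 default, combined into one client-side lookup: it resolves the _vlmcs._tcp SRV record the way a KMS client does, reads the publishing values from the SoftwareProtectionPlatform key, and tests whether the advertised port is open. This is an added example, not part of the original post; the domain name defaults to the logon domain and is an assumption.

```powershell
# Added example (not from the original post). Locates KMS host(s) via DNS and checks
# that each one accepts connections on the port published in the SRV record (1688 by default).
function Find-KmsHost {
    param(
        [string] $Domain    = $env:USERDNSDOMAIN,   # assumption: the DNS domain to query
        [int]    $TimeoutMs = 3000
    )
    $sppKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $spp    = Get-ItemProperty -Path $sppKey -ErrorAction SilentlyContinue

    # Same query as "nslookup -type=srv _vlmcs._tcp"; drop any extra A records returned
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }

    foreach ($rec in $srv) {
        # Can this client open the KMS port? (a firewall between client and host is the usual failure)
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($rec.NameTarget, $rec.Port, $null, $null)
        $open   = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        $client.Close()

        [pscustomobject]@{
            KmsHost              = $rec.NameTarget
            Port                 = $rec.Port
            Priority             = $rec.Priority
            Weight               = $rec.Weight
            PortOpen             = $open
            # Values from this machine's registry; non-empty only on a KMS host that was configured
            DisableDnsPublishing = $spp.DisableDnsPublishing
            DnsDomainPublishList = ($spp.DnsDomainPublishList -join ';')
        }
    }
}

Find-KmsHost | Format-Table -AutoSize
```

No SRV record at all means publishing is disabled on the host or the host's sppsvc has not restarted since the change; a record whose PortOpen is False is a network problem, not a licensing one.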

Volume licensing guides:

Errors and troubleshooting: