Fabien's IT security diary

Printing from an iPhone, iPad or Mac using AirPrint, Bonjour in an Active Directory domain

2011-01-10T15:17:00.006+01:00

AirPrint is a new feature of the 4.2.1 iPad and iPhone iOS.

It relies on Bonjour for service discovery.

Since several corporations have already started to integrate iPad, iPhone, and Mac in their assets, some people maybe wonder how to allow these peripherals to print on Windows Servers in an Active Directory environment.

In that article, I will explain the questions you have to wonder before starting such a task , and how to achieve that goal with success!

1/ Analyse on which print server(s) you want users to be able to print using their iPad / iPhone:

1.1/ check the requirements

- the right to perform administrators operations on the print server

- the ability to install services on the print server

- the print servers have to be on the same subnet as the iPad/iPhone/Mac

1.2/ Note

The following steps and screenshots are performed on a Windows 2008 R2 server, which is an x64 Windows OS. There should however no exist huge differences if you would perform these steps on Windows Vista, 7, or Server 2008.

2/ On each one of these servers, perform the following tasks:

2.1/ Download the AirPrint service

Download aiprint binaries and DLL

2.2/ Install and register the AirPrint service

Run the Windows Command Prompt "cmd.exe" as a local administrator:

2.2.1/ If you are running an x86 Windows OS

Put the airprint files in a newly created directory: %ProgramFiles%\AirPrint\

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "%ProgramFiles%\AirPrint\airprint.exe -s" depend= "Bonjour Service" start= auto

2.2.2/ In case you are running an x64 Windows OS

Put the airprint files in a newly created directory: %ProgramFiles%\AirPrint\

Then, in the CMD prompt, run:

sc.exe create AirPrint binPath= "%ProgramFiles% (x86)\AirPrint\airprint.exe -s" depend= "Bonjour Service" start= auto

Since we indicated the AirPrint service depends on the "Bonjour Service" (see the command above and the screenshot below), we now have to install the Bonjour Service.

2.3/ Download and install the Bonjour Print services for Windows

Bonjour Print services for Windows

2.4/ Check the Bonjour service is running

Once installed, you can run services.msc to see that the Bonjour Service is now started.

If it is not the case, then within the cmd.exe prompt, run:

sc interrogate "Bonjour Service"

Thus we have to start the service:

And then check it is started:

2.5/ Start the AirPrint service:

and then check it is actually started:

2.6/ Allow AirPrint traffic through the built-in OS firewall:

Either by GPO, or locally on the print server, create an Allow rule for the AirPrint service:

Specify the path of the airprint service.

Please note that in the following screenshot, it is written so because airprint.exe is an x86 executable and I am running it on a Windows x64 server, thus just remove the " (x86)" part if you are running it on an x86 server:

Since we are not yet able to enforce IPSec policies on iPad and Iphone, just choose "Allow the connection":

Finally the rule is now created and active:

2.7/ ACL - Allow the users who will print the right to print on that server

The default permissions allow the well-known SID "Everyone" to print.

Please note that all domain users will have that SID:

2.8/ ACL - Allow the users who will print the right to log on on the print servers:

I agree this step sounds a bit weird for those who security is a main concern.

2.8.1/ Kerberos authentication

Please let me explain why this is needed:

- in the configuration we made, the built-in service airprint.exe does not run under a specified identity

- nor it has a kerberos SPN

thus built-in Kerberos authentication will not work for that service (an NTLM negociation will actually be performed)

2.8.2/ The airprint service requires the user to log locally.

At this point I did not find a better way to handle this in a more secure way.

Here are the two available options:

- grant the users the right to log on on the print server (if the server is well patched, and the corporation security policies are well applied, this is not a major security issue)

- OR grant these users the "Print Operators" memberships (this is a more important security concern, since the users would be able to change printer settings on the print server. I personally think this is a wrong choise).

In order to grant them the right to log on on the print server, you have to create a special GPO

2.8.2.1/ grant the user who will print the right to log on on the print server

Create a GPO targeting the selected print servers. This is a Computer Configuration.

For instance, in the following screenshot, I allowed the "CORP\Employees" security group the right to log locally on on the print server:

Please note that I will later write a blog article on how to finely manage the rights you assign to administrators whom you do not trust a lot.

2.9/ Install and configure your printers

3/ Enjoy !

Please keep in mind the iPad/iPhone/Mac have to be on the same IP subnet as the print servers, for the Bonjour discovery protocol to work.

When it is the case, you can now select the printer you want to print on and, you juste have to enter your corporate username + password, and it will print like a charm!

the Car-Online framework is now open-source

2010-07-18T20:41:00.005+02:00

The Car-Online framework, which has now been used to build more than twelve websites is now under GNU GPL v3 license.

Among its main features:
* focus on the application features rather than on the rendering
* share functionnalities accross websites, mutualize developpment
* automatic URL rewriting

The project repository is hosted on GitHub: https://github.com/fabien-duchene/car-online-framework/

virtual-win-lab-mgmt is now open-source

2010-07-18T15:48:00.002+02:00

virtual-win-lab-mgmt permits an easy virtual lab deployment and management in a minimalist Hyper-V environment: even without an Active Directory domain or without tools such as SCVMM.

Initially developped within 3 days, virtual-win-lab-mgmt already was 900+ PowerShell SLOC long. This tool was widely used for preparing and managing the virtual labs of the Microsoft TechDays 2010, Paris, France.

This project is hosting on the Google Code repository.
Link: https://code.google.com/p/virtual-win-lab-mgmt/

Secure and easy ucarp ip-failover using ucarp-multi

2010-07-17T16:24:00.001+02:00

ucarp-multi is an extension to the ucarp package, providing an easy way to set-up ipv4 failover within several hosts, and for several sub-interfaces.

This package is hosted on https://code.google.com/p/ucarp-multi/

Voyage-Sncf: security design flaw

2010-07-01T22:54:00.005+02:00

Voyages-sncf.com, the trip reservation website of the main french rail company, is one the most important websites on the french IT market. Each day seven thousands of train tickets are bought on that precise website.

How crazy is it that my browser was telling me "This is a non-secure form".. blabla (see the screenshot above)?

Since I already was on an https webpage, I figured the form was sent unencrypted...

It would be too much unbelievable to be true. Maybe is-it a Safari bug?

However, after having a quick look at the source code, - by the way please double check the highlighted URL - where the form is submitted:

This is just crazy! The form is sent to an uncrypted webpage (the URL does start with http:// and not https://) After some recent privacy issues with a lot of names released cause of a lack of security issue, I just find it unbelievable such lack of rigor in the way programmers did build this application.

Random thoughts to improve voice recognition

2010-06-29T23:17:00.006+02:00

As stated once more, and this time on this ITWorld article, relative to Google making Google Voice available to SMB, improvement still has to be done on the voice recognition topic.

More and more editors already did add a voicemail to email transcript service. A service, of which precision is not really the main concern: sometimes even numbers are not correctly recognized!

Just a thought on that topic, maybe researchers could:

- add several noise filters

- recognize the language

- recognize the accent

- build a recognition model for each language and for each accent, or at least a global model for each language, and a global one for each accent

- train these models on a representative set

DNS dynamic secure updates credentials

2010-06-07T19:45:00.007+02:00

As soon as Windows Server 2003, Microsoft introduced the DNS dynamic secure updates.

This mechanism permits authorized hosts such as DHCP servers, for instance to update DNS entries, thus resulting in a lot of "automatically-managed" DNS records. Thus reducing the amount of manual administrative tasks.

In order to configure this mechanism:

1/ create an update account, member of the DnsUpdateProxy security group

By default, the DnsUpdateProxy security group is located under the container Users of your domain.

In my example, I created an account named DNSSecureUpdateAccount.

You then have to update its group membership to set it as a member of the DnsUpdateProxy security group.

Also keep in mind there are several security consideration regarding the password complexity and the password expiration of this account. You should think twice about these factors.

2/ configure DNS secure updates credentials in the DHCP snap-in

Within the DHCP snap-in:

- right-click IPv4

- then go to properties

- then the Advanced tab

- then on the Credentials button, fill in the user account previously created.

3/ enable DNS secure updates

- go to the DNS tab

- under "Name Protection", click on the "Configure" button

- then check the box according to the screenshot:

- The DNS tab now does look like:

4/ Only allow dynamic secure updates in your DNS servers

- foreach DNS server:

- within the DNS snap-in:

- navigate to the Forward Lookup Zone, then to your domain

- right click > Properties

- Then under "Dynamic updates" set them to "Secure only"

5/ Enjoy !

Just as a test,

- I turned off a domain computer named vm1 (which was DHCP configured) (actually it was a virtual machine ;)

- then I manually deleted its DNS record on all DNS servers

- I also scavenged the records, and cleared the DNS caches

- nslookup vm1 : no entry

- I then powered it up and did a DNS lookup, and it just worked like a charmed!

TechDays 2010, France - Webcasts

2010-03-09T20:09:00.005+01:00

TechDays 2010 France webcasts are available at:
http://www.microsoft.com/france/vision/mstechdays10/

Here are some sessions I co-presented with Cyril Voisin, Philippe Beraud, Stéphane Métenier and Stéphane Saunier:

- Forefront: Microsoft vision of an integrated security system
- 352B - Forefront as a protection for messaging infrastructure
- I303 - FIM 2010 : smart cards management

FIM 2010 - Exchange 2010 provisioning made easy with RC1 update 3!

2010-02-27T17:32:00.034+01:00

One month ago, FIM RC1 - update 3 was released. Among its various improvements, there is now an official capability for Exchange 2010 provisioning. Before this update, an easy method only did exist for Exchange 2007 mailbox provisioning. Sure with some tricks and a lot of patience, it was also possible to provision Exchange 2010 mailboxes, but it was not really straight forward.

In that post we will see how to provision Exchange 2010 user mailboxes. And we will discover how easy it actually is!

1/ Management tools
When we wanted to provision Exchange 2007 mailboxes, we had to install Exchange 2007 Management Tools on the FIM Sync server. A nice surprise is that there is no such need for Exchange 2010, since the interfacing between the FIM Sync service and the Exchange servers are made using powershell calls over https.

2/ FIM Sync server settings

- launch the Synchronization Service Manager program
- Tools > Options
- then configure the options as shown on the following picture:

- then on the Active Directory Management Agent which will be used for Exchange 2010 provisionning, go to Configure Extensions.

- set "Provision for:" as "Exchange 2010"
- below enter the exchange 2010 RPS URI (something like http://FQDN/powershell )

- then validate

3/ Exchange servers settings
- the AD user account used for the AD management account which you want to use to provision mailboxes has to own some priviledges on the Exchange infrastructure.
- navigate to the exchange control panel (ECP): http://FQDN/ecp

- Admin Role Groups > Organization Management

- Add the FIM ADDS MA to the "Organization Management Group" (a group with less permissions could also work, but don't have time to check this out, since I am no Exchange 2010 expert. I guess just the permission to create mailbox would be enough)

4/ Synchronization rule

For the sync rule used to initially create or to update AD users, you have to define an Outbound flow for the following AD objects attributes:
- MailNickName
- msExchHomeServerName
- homeMDB

Please note the last two values depends on the exchange 2010 server and database to which you want to create the user mailbox.

If you don't feel comfortable with this, I advise you to get some informations from the Exchange 2007 provisioning with FIM 2010 RC0 webpage.

5/ Done!
- in order to check if your MPR, Workflow, and sync rule related to provisioning Exchange 2010 user mailboxes works, do the necessary stuff in order for the previously configured sync rule to apply.
- Then after the synchronization process you defined is done, logon as the user you just created
- open Outlook

OVH minicloud: Hello world bench!

2010-02-19T20:12:00.005+01:00

INTRODUCTION

The french hosting provider OVH is about to add some cloud related offers:

- minicloud: 1 small virtual machine, but very cheap 1,99euros a month

- coreCloud: 1 to 10 virtual machines instances. 9,99e/month

- myCloud: the most promising offer: 1 to 48 instances for 49,99e/month. You have your own cloud in which you can dynamically create virtual machines, distribute charge, etc..

WARNING: The OVH framework is yet not released. We are still waiting for more details to be provided.

Nothing more except a fixed price is yet provided about billing details.

MINICLOUD PRESENTATION

I had to chance to beta-test the minicloud offer. Basically you have one virtual machine, which only these caracteristics are described:

- OS: Debian 5.0 Lenny 64 bits
- RAM: 512 Mo
- CPU: 1 x64
- HDD: 5 Go

GOING FURTHER

Since we only have one virtual machine available, let us go further by discovering some details about it, and benchmarking it. However, keep in mind that since resources are shared within the cloud virtual machines, the following benchmarks actually depends of the cloud load.

# UNIX BENCH 5.1

========================================================================

BYTE UNIX Benchmarks (Version 5.1.2)

System: v12347.ovh.net: GNU/Linux

OS: GNU/Linux -- 2.6.32.2-xxxx-grs-ipv4-64 -- #1 SMP Tue Dec 29 14:41:12 UTC 2009

Machine: x86_64 (unknown)

Language: en_US.utf8 (charmap="ANSI_X3.4-1968", collate="ANSI_X3.4-1968")

CPU 0: Intel(R) Xeon(R) CPU E5504 @ 2.00GHz (3990.0 bogomips)

x86-64, MMX, Physical Address Ext, SYSENTER/SYSEXIT, SYSCALL/SYSRET

20:06:37 up 1 day, 19:57, 1 user, load average: 0.10, 0.03, 0.50; runlevel 2

------------------------------------------------------------------------

Benchmark Run: Sat Feb 20 2010 20:06:37 - 20:37:55

1 CPU in system; running 1 parallel copy of tests

Dhrystone 2 using register variables 7092797.6 lps (10.5 s, 7 samples)

Double-Precision Whetstone 2344.2 MWIPS (10.0 s, 7 samples)

Execl Throughput 1253.3 lps (30.0 s, 2 samples)

File Copy 1024 bufsize 2000 maxblocks 267298.5 KBps (30.0 s, 2 samples)

File Copy 256 bufsize 500 maxblocks 90045.7 KBps (31.0 s, 2 samples)

File Copy 4096 bufsize 8000 maxblocks 567304.8 KBps (31.0 s, 2 samples)

Pipe Throughput 770806.2 lps (10.8 s, 7 samples)

Pipe-based Context Switching 142454.6 lps (11.1 s, 7 samples)

Process Creation 3915.6 lps (30.3 s, 2 samples)

Shell Scripts (1 concurrent) 1834.1 lpm (60.0 s, 2 samples)

Shell Scripts (8 concurrent) 240.8 lpm (60.2 s, 2 samples)

System Call Overhead 1342105.8 lps (10.9 s, 7 samples)

System Benchmarks Index Values BASELINE RESULT INDEX

Dhrystone 2 using register variables 116700.0 7092797.6 607.8

Double-Precision Whetstone 55.0 2344.2 426.2

Execl Throughput 43.0 1253.3 291.5

File Copy 1024 bufsize 2000 maxblocks 3960.0 267298.5 675.0

File Copy 256 bufsize 500 maxblocks 1655.0 90045.7 544.1

File Copy 4096 bufsize 8000 maxblocks 5800.0 567304.8 978.1

Pipe Throughput 12440.0 770806.2 619.6

Pipe-based Context Switching 4000.0 142454.6 356.1

Process Creation 126.0 3915.6 310.8

Shell Scripts (1 concurrent) 42.4 1834.1 432.6

Shell Scripts (8 concurrent) 6.0 240.8 401.4

System Call Overhead 15000.0 1342105.8 894.7

========

System Benchmarks Index Score 507.1

Surprisingly, this is a pretty good score compared to more expensive cloud offers:

- Amazon: 210

- Slicehost: 295

- Rackspace: 305

- Linode x86_64: 559

- Linode i686: 723

Ref: VPS comparison

Then let us take some time to discover some features of an OVH minicloud offer:

#OS

root@v12347:~# uname -a

Linux v12347.ovh.net 2.6.32.2-xxxx-grs-ipv4-64 #1 SMP Tue Dec 29 14:41:12 UTC 2009 x86_64 GNU/Linux

#HDD

root@v12347:~# df

Filesystem 1K-blocks Used Available Use% Mounted on

/dev/sda1 5201532 673584 4265808 14% /

tmpfs 1026496 0 1026496 0% /lib/init/rw

udev 10240 2652 7588 26% /dev

tmpfs 1026496 0 1026496 0% /dev/shm

root@v12347:~# hdparm -t /dev/sda1

/dev/sda1:

Timing buffered disk reads: 126 MB in 3.03 seconds = 41.62 MB/sec

root@v12347:~# hdparm -T /dev/sda1

/dev/sda1:

Timing cached reads: 7326 MB in 2.00 seconds = 3664.46 MB/sec

#CPU

root@v12347:~# cat /proc/cpuinfo

processor : 0

vendor_id : GenuineIntel

cpu family : 6

model : 26

model name : Intel(R) Xeon(R) CPU E5504 @ 2.00GHz

stepping : 5

cpu MHz : 1995.001

cache size : 4096 KB

fpu : yes

fpu_exception : yes

cpuid level : 11

wp : yes

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc up arch_perfmon pebs bts rep_good xtopology tsc_reliable nonstop_tsc aperfmperf pni ssse3 cx16 sse4_1 sse4_2 popcnt hypervisor lahf_lm

bogomips : 3990.00

clflush size : 64

cache_alignment : 64

address sizes : 40 bits physical, 48 bits virtual

power management:

root@v12347:~# tiobench --size 384

Run #1: /usr/bin/tiotest -t 8 -f 48 -r 500 -b 4096 -d . -TTT

Unit information

================

File size = megabytes

Blk Size = bytes

Rate = megabytes per second

CPU% = percentage of CPU used during the test

Latency = milliseconds

Lat% = percent of requests that took longer than X seconds

CPU Eff = Rate divided by CPU% - throughput per cpu load

Sequential Reads

File Blk Num Avg Maximum Lat% Lat% CPU

Identifier Size Size Thr Rate (CPU%) Latency Latency >2s >10s Eff

---------------------------- ------ ----- --- ------ ------ --------- ----------- -------- -------- -----

2.6.32.2-xxxx-grs-ipv4-64 384 4096 1 ###### 102.2% 0.001 0.14 0.00000 0.00000 2909

2.6.32.2-xxxx-grs-ipv4-64 384 4096 2 ###### 194.6% 0.002 8.38 0.00000 0.00000 1574

2.6.32.2-xxxx-grs-ipv4-64 384 4096 4 ###### 385.0% 0.005 20.04 0.00000 0.00000 727

2.6.32.2-xxxx-grs-ipv4-64 384 4096 8 ###### 413.6% 0.008 32.05 0.00000 0.00000 774

Random Reads

File Blk Num Avg Maximum Lat% Lat% CPU

Identifier Size Size Thr Rate (CPU%) Latency Latency >2s >10s Eff

---------------------------- ------ ----- --- ------ ------ --------- ----------- -------- -------- -----

2.6.32.2-xxxx-grs-ipv4-64 384 4096 1 ###### 129.6% 0.001 0.03 0.00000 0.00000 1953

2.6.32.2-xxxx-grs-ipv4-64 384 4096 2 ###### 67.56% 0.001 0.04 0.00000 0.00000 3906

2.6.32.2-xxxx-grs-ipv4-64 384 4096 4 ###### 123.8% 0.002 3.41 0.00000 0.00000 1953

2.6.32.2-xxxx-grs-ipv4-64 384 4096 8 ###### 56.57% 0.001 0.04 0.00000 0.00000 3906

Sequential Writes

File Blk Num Avg Maximum Lat% Lat% CPU

Identifier Size Size Thr Rate (CPU%) Latency Latency >2s >10s Eff

---------------------------- ------ ----- --- ------ ------ --------- ----------- -------- -------- -----

2.6.32.2-xxxx-grs-ipv4-64 384 4096 1 39.91 11.80% 0.021 421.55 0.00000 0.00000 338

2.6.32.2-xxxx-grs-ipv4-64 384 4096 2 30.80 29.35% 0.061 2149.02 0.00203 0.00000 105

2.6.32.2-xxxx-grs-ipv4-64 384 4096 4 29.44 52.49% 0.112 2117.31 0.00407 0.00000 56

2.6.32.2-xxxx-grs-ipv4-64 384 4096 8 34.61 50.22% 0.163 5115.43 0.00203 0.00000 69

Random Writes

File Blk Num Avg Maximum Lat% Lat% CPU

Identifier Size Size Thr Rate (CPU%) Latency Latency >2s >10s Eff

---------------------------- ------ ----- --- ------ ------ --------- ----------- -------- -------- -----

2.6.32.2-xxxx-grs-ipv4-64 384 4096 1 16.75 2.572% 0.005 1.64 0.00000 0.00000 651

2.6.32.2-xxxx-grs-ipv4-64 384 4096 2 44.54 9.122% 0.005 4.06 0.00000 0.00000 488

2.6.32.2-xxxx-grs-ipv4-64 384 4096 4 40.43 18.63% 0.007 10.73 0.00000 0.00000 217

2.6.32.2-xxxx-grs-ipv4-64 384 4096 8 18.86 -13.5% 0.003 0.63 0.00000 0.00000 -140

# RAM

Not tested.

# NETWORK (not really representative)

# using iperf from a RPS limited to 100Mbit/s

[ 3] 0.0-10.0 sec 113 MBytes 94.7 Mbits/sec

# ideally I would have to rent another minicloud to check the effective performance (because I guess it is limited by my RPS). I guess result would be closer to 10Gb/s or 1Gb/s

Getting the latest Metasploit 3.3 branch to work on Mac OS X 10.6.1 (Ruby 1.9.1)

2010-02-18T22:33:00.010+01:00

A very basic post just to help new users getting Metasploit to work with the latest OS X version:

- RUBY
cd ~/Desktop/
mkdir ruby
cd ./ruby
- Download the latest Ruby stable svn snapshot (at the time I am writing this article, it is 1.9.1) svn co http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_9_1
- Compile it:
cd ruby_1_9_1
autoconf
./configure --enable-pthread
make
make test
sudo make install
cd ./../../
rm -rf ./ruby

ruby -v

ruby 1.9.1p420 (2010-02-04 revision 26571) [i386-darwin10.2.0]

- METASPLOIT
cd ~/Desktop/
mkdir msf
cd msf

- download either the latest stable version:
wget http://www.metasploit.com/releases/framework-3.3.3.tar.bz2
- or the latest dev version:
svn co https://www.metasploit.com/svn/framework3/trunk/
cd trunk
./msfconsole

ENJOY!

Techdays 2010, France - My selection

2010-02-07T15:50:00.007+01:00

Here is my selection for this 2010 edition of the Techdays in France which is about to occur on Feb 8th, 9th and 10th 2010:

I will also be present as a speaker at the following sessions:
- Forefront - Microsoft vision of an integreated security system
- Workshop - give a try to the new Forefront Identity Manager 2010 features
- Workshop - Secure messaging with Forefront Protection for Exchange Servers 2010
- Forefront Identity Manager 2010 - Smart cards management
- Forefront Protection for Exchange Servers 2010

Hope to see you there!

Enable DEP using GPO and Powershell

2010-01-19T23:17:00.007+01:00

As a response to recent security threats, it is highly advised to enable Data Execution Prevention (DEP). However, how to succeed in such a goal using group policy?

Why is there no administrative template for enabling DEP?

The DEP setting is defined inside the boot.ini file.

Thus it is not as simple as setting a registry value.

In addition, we have to be aware of the following issues:

- on windows XP, there is no command such as bcdedit, thus you will have to write an additional appropriate script to the one described here. This is really risky, since if the boot.ini is badly formatted, the system just will not boot anymore!

- on windows Vista, enabling it will break Bitlocker.

- on Windows 7, no problem. First of all, DEP is enabled as default, but you since you are reading this post, you probably want to enforce it.

How to enable DEP on a single computer?

A lot of websites already cover this topic.

They do not explain it is possible to define the DEP enhancement using command line: (as an administrator)

%windir%\system32\bcdedit /set nx [MODE]

where [MODE] is either: {AlwaysOff; AlwaysOn; OptOut;OptIn}

- AlwaysOff : This does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor will run in PAE mode with 32-bit versions of Windows unless the /NOPAE option is also present in the boot entry.

- AlwaysOn : This provides full DEP coverage for the entire system. All processes always run with DEP applied. The exceptions list for exempting specific applications from DEP protection is not available. System Compatibility Fixes (“shims”) for DEP do not take effect. Applications which have been opted-out using the Application Compatibility Toolkit run with DEP applied.

- OptOut : DEP is enabled by default for all processes. Users can manually create a list of specific applications which do not have DEP applied using System in Control Panel. IT Pros and Independent Software Vendors (ISVs) can use the Application Compatibility Toolkit to opt-out one or more applications from DEP protection. System Compatibility Fixes (“shims”) for DEP do take effect

- OptIn : On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that “opt-in"

How to enable DEP on a domain?

Please note:this is one possible solution for Windows Vista and Windows 7 computers.

1/ install the powershell feature on windows vista versions (it cannot be removed on windows 7)

2/ use startup scripts to enable Unrestricted execution policy for powershell scripts:

- Create a GPO

- navigate to Computer configuration > Policies > Windows settings > Scripts (startup / shutdown)

- add a command startup script: "powershell set-execution policy unrestricted"

3/ add this powershell script inside the Machine>scripts>startup folder of the GPO:

###############

$winver = (Get-WmiObject Win32_OperatingSystem).version

$WIN_VISTA = 6

$MODE = "AlwaysOn" #of whatever DEP option you want to set

###############

if($win -lt $WIN_VISTA) { #code for windows XP

# write your own script editing the bcdedit

} else if ($win -eq $WIN_VISTA) { #code for windows vista

# check if bitlocker is enabled. see the bitlocker manipulation using powershell link below

# if bitlocker is disabled, then enable DEP

} else { # win 7 and greater

%windir%\system32\bcdedit /set nx $MODE

}

###############

References

- Technet: Memory Protection Technology

- my colleague Pascal Sauliere for his advises regarding DEP related issues on Windows XP and Vista.

- Windows versions

- Bitlocker manipulation using powershell

Administrative template for Microsoft Security Essentials

2010-01-10T23:51:00.014+01:00

Microsoft security essentials market

Small and very small home businesses usually do not need powerfull features such as protection analysis, but also NAP and SCCM integration provided by Microsoft Forefront Protection Suite 2010

In that case, it is economically more interesting to use Microsoft Security Essentials. This antispyware, antimalware, antirootkit Microsoft software is available for free since the 29th September of 2009.

Microsoft Security Essentials administrative template

However, if you are an IT administrator of your home-based business, manually configuring MSE settings for each desktop could be a pain in the head, because MSE does not support Group Policy settings. A workaround to this problem is to use the administrative template for Microsoft Security Essentials I created.

How is it achieved?

Well, keep in mind this solution is not as powerfull as a classic group policy administrative template, first because Security Essentials does not support group policy settings. It means we can not enforce settings in the same way we can with Forefront EndPoint protection. This administrative template actually applies registry values under HKLM\Software\Microsoft\... instead of HKLM\Software\Policies\Microsoft

What are the limitations?

Since MSE does not support group policy settings, it basically means an administrator / end-user would be able to change some settings inside the MSE User Interface. Of course, the settings defined inside the group policy containing this administrative template would be applied again each time a group policy update would be run, but this solution does not permit a precise control over settings such as Forefront Protection Suite 2010 does.

To conclude

Still it is pretty efficient to define Microsoft Security Essentials settings for several computers.

Going further

If you are interested in writing your own administrative templates for Active Directory, I advise you to check the Introduction to Windows 2000 group policy whitepaper. It really is a good start in order to create custom classic administrative templates.

RSync for Windows: cwrsync

2010-01-10T12:08:00.007+01:00

RSync is a very popular backup software in the Unix world. Unfortunately, there is no native port of it. An alternate answer would be cwrsync. It comes as a single installer containing a minimal cygwin x86 set, and the latest x86 compiled Rsync.

Integration with Windows server

The installer setups a new classic windows service:

Since its a service, we have to choose a user account for running it. This permits controlling very precisely the permissions the rsync user will be granted.

Permissions, privileges

In my example, I wanted to perform an incremental backup solution using dirvish (which relies on rsync) on the linux server. That is why I only needed READ permissions for the account backupsvc (and since it is also a service account, the right Logon as a service also has to be granted):

RSync shares configuration

You then have to define "shares" (similarily to smb). In our example, the share is named "test", and it points to the folder C:\Shares

We assigned read-only = true, for the rsync server not to try to write anything to the share. Note: if we would have set it to false, we however could adjust this thanks to NTFS permissions.

Transfer logging is especially important when your rsync synchronization fails.

hosts allow is not really usefull, since we will control this later using the Windows Firewall.

Network security

From the RSync Wikipedia article it binds by default on TCP 873, but also UDP 873.

The Windows Firewall with Advanced security lets us control precisely the remote IP initiating a connection to the rsync server.

Running processes

Once the Rsyncserver service is started, there are 3 processes running under the account previsouly defined:

- conhost: for the service to be controlled as a classic windows service.

- cygrunsrv.exe*32 : Cygwin environnment

- rsync.exe*32: rsync service

Please note that these processes are only x86 processes at the time I am writing these lines.

Watchout

You have to be carefull on:

- permissions on files/folders to be backed up

- permissions/rights granted to the service running the rsync server service

- firewall rule

- rsync config file

Finally

From a debian server:

Going further

If you are interested in setting up an incremental backup on a debian server, I advise you to check the dirvish and rsync websites.

Disabling Adobe Javascript using GPO

2010-01-06T11:16:00.017+01:00

Since the recent highlighted Adobe Acrobat PDF security issues, especially
- APSA09-07 in which Adobe advised to disable Javascript (until a patch would be released on the 12th of January 2010!)

A lot of domain administrators / security administrators are searching for a way to mass disable the Adobe Javascript.
This is one easy solution to mitigate most of the heap spray attacks using Adobe Javascript. But recently, a PDF exploit not using Javascript was successfull.

As far as I know, here are several answers to mitigate that problem, including:
- Using a third party PDF reader such as FoxIt Reader
- Using Adobe Customization Wizard to customize Adobe applications before deploying them
- Using GPO to set registry values disabling Adobe Javascript

I will present the third one:

Using GPO to disable Adobe Javascript

1/ Create an administrative template file.
On a DC, navigate to %windir%\inf

2/ create a new Text file "adobe.adm"

3/ Fill it with the following content: (don't forget to add a return line after the END CATEGORY item)

CLASS USER

CATEGORY "Adobe Acrobat/Reader 9.x"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

END CATEGORY

4. Create a new GPO,
- Navigate to User Configuration > Policies > Administrative Template
- Then add the adobe.adm template file we previsouly created.
- and select "Disabled" for the Javascript Reader 9.x settings:

5. Close the GPM editor

6. As a user member of the security group / OU on which you choosed to apply the GPO:
- close Acrobat Reader 9.0
- gpupdate /force
- open Acrobat Reader 9.0, Edition > Preferences > Javascript

And as you can see, Javascript is now disabled!

Et voila!

VHD to WIM: from virtual machine to WIM deployment

2009-12-21T10:49:00.020+01:00

A lot of topics discuss about the process of converting VIM files to VHD, but very few about VHD to WIM.

Virtual Hard Disk (.vhd) is the file format of virtual machines hard disk drives. Connectix and Microsoft are currently using this technology. You can check the Virtual Hard Disk Image Format Specification for more details.

Windows Imaging Master (.wim, .swm) is the file format for deploying Windows OSes since the XP version.

The goal of this post is to explain how to produce a WIM master file after having prepared a VHD master.

1/ prepare the virtual machine master
- install the OS, the program you want to use
- in case you would like to perform a unattended installation, I advise you to check the Sysprep a Windows 7 Machine - Start to finish post.

- sysprep with appropriate commands

2/ convert the virtual machine VHD to a VIM
2.1/ if you used at least 1 snapshot (avhd): (if not, go to 2.2), we have to produce a single VHD file.
When using snapshots, it creates a tree of virtual machine states. The root node (the root "-" sign) is a VHD, and each icon is a AVHD storing the differences made regarding the parent disk.

In our example, we have a total of 8+1 avhd files. (8 snapshots, and the final state).

The problem is that, on windows 7 / 2008R2, we are currently only able to mount a VHD.

If you do not want to loose your snapshots, you have to perform:

2.1.1/ Virtual machine export

2.1.2/ Virtual machine import

2.1.3/ Snapshots merging
- Click on the root snapshot: delete > snapshot subtree

- wait for the merging operation to finish

- your vhd is now ready to be mounted in your host system!

2.2/ Mount the VHD (as read only) in your host system

- start > Run > diskmgmt.msc

- Action > Attach VHD. Then:

- check Read-Only

- select the vhd we just produced and notice its assignated letter. Let us assume that it has the letter G: assigned.

As a local administrator, open a command prompt:

cd "%programfiles%\Windows AIK\Tools\amd64"

(assuming that your host system is x64 Windows OS, or cd "%programfiles%\Windows AIK\Tools\x86" if it is a x86 one).

imagex /compress maximum /flags “Ultimate” /capture G: C:\image.wim “Win. 7 Ult. x86 - Off. 2007”
- wait for the process to finish

3/ Configure the WIM server
- tip: the boot.wim is located in the sources folder which is at the root level of the iso.
- the image.wim is the one we just created before

4/ Enjoy your deployment!

The idea beyond this article is to have a virtual machine which we can freely improve, thanks to a snapshot hierarchy. And as soon as a new master is ready, simply publish it as a new Windows Deployment Services entry.

November 2009 hacking attempts on my websites

2009-12-20T21:32:00.003+01:00

As you probably already know, I am maintaining several websites (Hotel-Medicis, Bazar-Discount, Cordes-Aux-Voix, Athletisme-Grenoble).

Every month I check the hacking attempts on these websites at different levels:

- server

- web application

For the month of November 2009, I detected that:

- 35 unsuccessful root logins via ssh (deferred via sshguard)

- 10 unsuccessful attempts of SQL injection have been made (catched by the SQL module of my Car-Online framework)

- 78 unsuccessful attempts of exploring the files stored on the webserver by playing with URLs

I am now starting to think about all the hacks I did not detect...

FIM 2010 RC1 update 2

2009-12-09T15:53:00.011+01:00

Update 2 for Forefront Identity Manager 2010 RC1 was publicly released yesterday on windowsupdate.
This patch applies to:
- the FIM synchronization service
- the FIM service

Before installing these optional updates:
- stop the FIM service
- stop the FIM synchronization service

Additionaly, you have to apply these updates in the following order:
- FIM 2010 RC1 update 2 for FIM SERVICE
- FIM 2010 RC1 update 2 for FIM SYNCHRONIZATION SERVICE

Since the update 1 failed if we used a non self signed certificate, altough I was not sure it was necessary, I did the temporary certificate replacement before Forefront Identity Manager 2010 RC1 update 1 trick.

It ows the KB977312. You can check details on the Microsoft Support website.
I advise you to read this article on Jorge's blog.

How to install the FIM RC1 2010 Update 2 with a custom certificate:

1. Back up the FIM Service database.
2. Start regedit, and navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FimService. Find the value for CertificateThumbprint, and save it for later use.
3. Uninstall the FIM Service and Portal.
4. Reinstall the RC1 version of the FIM Service and Portal, with the options Re-use existing database and Use self-issued certificate. This allows the FIM Service installer create the certificate.
5. Install FIM 2010 RC1 Update 2.
6. After installation is complete, start regedit, and navigate to the registry key \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FimService. Change the value of CertificateThumbprint to the value that you saved previously.
7. Restart the FIM Service.

Windows 2008 R2 Administration tools

2009-11-20T10:00:00.007+01:00

If you are running a Windows 7, you probably heard about the Remote Administration Tools for Windows 7. But what about the server version?

Well guys running a Windows 2008 R2 OS do have this pretty powerfull powershell module called "ServerManager":

Import-Module ServerManager
$mod = Get-Module ServerManager
$mod.ExportedCmdlets

When we run the Get-WindowsFeature cmdlet, a list of all the Windows features that could be installed is shown. Each checked box means the feature is alredy installed.

In particular, we do have a list of windows features, which their name is prefixed with "RSAT", which means Remote Server Administration Tools. And it is the same features than the package mentionned above for Windows 7.

I needed to install only the Hyper-V administration tools:

Add-WindowsFeature RSAT-Hyper-V

Done!

I am now able to list my virtual machines:

FIM - execute management agents run profiles with powershell

2009-11-18T16:23:00.003+01:00

Here is a script I created which permits an easy automatic execution of certain FIM MA run profiles.

Here is an example of output:

And here is the source code:
------------------------
# @author: Fabien Duchene
# @mail: fabien.duchene1 **at** googlemail.com

############
# PARAMETERS
############
$params_ComputerName = "." # "." is the current computer
$params_delayBetweenExecs = 30 #delay between each execution, in seconds
$params_numOfExecs = 0 #Number of executions 0 for infinite
$params_runProfilesOrder =
@(
@{
type="Forefront Identity Management (FIM)";
profilesToRun=@("Full Import";"Full Synchronization");
};
@{
type="Active Directory";
profilesToRun=@("Full Import";"Full Synchronization";"Export");
};
);

############
# FUNCTIONS
############
$line = "-----------------------------"
function Write-Output-Banner([string]$msg) {
Write-Output $line,("- "+$msg),$line
}

############
# DATAS
############

$MAs = @(get-wmiobject -class "MIIS_ManagementAgent" -namespace "root

\MicrosoftIdentityIntegrationServer" -computername $params_ComputerName)
$numOfExecDone = 0

############
# PROGRAM
############
do {
Write-Output-Banner("Execution #:"+(++$numOfExecDone))
foreach($MATypeNRun in $params_runProfilesOrder) {
$found = $false;
foreach($MA in $MAS) {

if(!$found) {
if($MA.Type.Equals($MATypeNRun.type)) {
$found=$true;
Write-Output-Banner("MA: "+$MA.Type)
foreach($profileName in $MATypeNRun.profilesToRun) {
Write-Output (" "+$profileName)," -> starting"
$datetimeBefore = Get-Date;
$result = $MA.Execute($profileName);
$datetimeAfter = Get-Date;
$duration = $datetimeAfter - $datetimeBefore;
if("success".Equals($result.ReturnValue)){
$msg = "done. Duration: "+$duration.Hours

+":"+$duration.Minutes+":"+$duration.Seconds
} else { $msg = "Error: "+$result }

Write-Output (" -> "+$msg)
}
}
}
}
if(!$found) { Write-Output ("Not found MA type :"+$MATypeNRun.type); }
}

$continue = ($params_numOfExecs -EQ 0) -OR ($numOfExecDone -lt $params_numOfExecs)
if($continue) {
Write-Output-Banner("Sleeping "+$params_delayBetweenExecs+" seconds")
Start-Sleep -s $params_delayBetweenExecs
}
} while($continue)

Mac OS X: automator: create a new file

2009-11-15T11:18:00.006+01:00

In a Windows OS, it is really simple to create a new text file: right-click > New > Text file.

On my dear Macbook Pro, it is still not out-of-the-box.

Hopefully Automator is here to fill the gap.Please note that this method does not require additional software. Only standard Mac OS X components are used.

First let's have a look at the final result:

1/ Right click on the folder in which you want to create a new file, and select "New file"

2/ Type the name of the file. For example: New file.txt or New file.docx

3/ The file is automatically created inside the folder we specified before and after opened in your favorite editor.

Now let's integrate this to your Mac OS X system.

- First method. the easy one:

- download the automator workflow. It is stored on my skydrive: Mac OS X Create a new file

- install it on your mac: put this file into the ~/Library/Services/ folder

- open it. (it will be opened within Automator)

- Press Cmd+S or click File > Save to register it within the Contextual menu

- Close automator

- Second method. Create an automator workflow according to these instructions:

- Launch Automator.app located in the Applications folder.

- Create a new Service

- File > Save or Cmd + S

- Here is an overview of the workflow:

As you can see:

- this Service Workflow receives Folder as input and is only available in Finder

- we will also need 2 variables: "Filename" and "Path"

Here is the detail of the workflow:

- Once this is done, just press Cmd + S to save it and register this service within the Finder.app

Enjoy this new file creation!

Disable Exchange 2010 arbitration mailboxes

2009-11-14T18:34:00.007+01:00

For the purpose of my Forefront Identity Manager 2010 RC1, I had to use to Exchange 2007 instead of Exchange 2010 I was using (because at this stage FIM RC1 does not yet support Exchange 2010, but this is planned).

Here are the steps to achieve this:

- First you have to disable all users mailboxes in the Exchange 2010 Management console.

- Then you have to remove the Arbitration mailboxes.
Here is the script I created to remove them:

Foreach($mbdb in Get-MailboxDatabase) {
$mailboxes = Get-Mailbox $mbdb.Name -Arbitration
$mailboxes Disable-Mailbox -Arbitration
$mailboxes Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed
}

NOTE: (please add a "pipe" after the two last $mailboxes. This stupid blogspot does remove them!)

For more details about arbitration mailboxes, please check this blog: http://chrislehr.com/2009/10/exchange-2010-what-is-arbitration.htm

Forefront Identity Manager 2010 CM: errors and solutions

2009-11-02T14:09:00.000+01:00

Unable to check CA in Edit Profile template

Something is wrong with the SQL connection between the CA Exit Module and the SQL Server.
Try to check the password if using SQL Auth. Try to check kerberos' spn elsewise.
Check log: Application and Services Logs > FIM Certificate Management
Restart AD CS, and check 10 seconds later if any warning is raised inside that log.

Value cannot be null. Parameter name byte

If you installed manually certificates in agents store, you have to fill certificate hashes in web.config. Please see Installation > Edit the web.config
Open the web.config file of certificatemanagement.
Search for "Hash", and check that the hash is the one of the fim cm agent certificate.

Base CSP smart card self-service control is not installed or the current site is not specified in the allowed sites list by your Administrator. Please contact your system Administrator. Additional information: Automation server can't create object

If you are on a x64 system, please install FIM CM x64 and user Internet explorer 64 bits.

FIM CM: while reading the smart card

Client encountered an unexpected error while trying to communicate with the server.
Error number: -2146828218
Error description: Permission denied

If using v3 certificate templates for the agents (windows 2008) instead of v2 (win. 2003)
Then the following errors will appear.

Currently, FIM 2010 RC1 CM only does support v2 templates.
Not sure if for RTM any improvments will be made.
Please note that this event is related to the following ones:

Windows Logs > Security > Failed login - Key Migration failed

Event ID 5059. Key operation migration failed
clmAgent ; User key ; RSA ; import of persistent cryptographic key 0x80090029 The requested operation is not supported;----------------------------------
Key migration operation.
...
Cryptographic Parameters:Provider Name: Microsoft Software Key Storage ProviderAlgorithm Name: RSA

...Additional Information:Operation: Import of persistent cryptographic key.Return Code: 0x80090029
----------------------------------

Consequences:
- When performing an enroll request on behalf of another user: Data at the root level is invalid. Line 1, position 1
- When executing a software certificate enroll: Invalid provider type specified.
Check http://www.apollojack.com/2009/06/invalid-provider-type-specified.html

FIM 2010 CM - configuration

2009-10-27T21:39:00.001+01:00

Installation

FIM Server

Install FIM Certificate Management

Please see: the technet article for Forefront Identity Manager - Certificate Management

Prepare for FIM CM setup

1. Modify the Active Directory Schema: Run D:\Certificate Management\x64\Schema\ModifySchema.vbs
2. servermanagercmd -i net-framework web-server web-asp-net
3. Create a User template for FIM CM agent:
- AD CS > Certificate templates
- Duplicate the template "User" > Windows 2008 server template type to "UserFIMAgent"
- Subject Name: Uncheck "Email name", and "Include e-mail in subject name"
4. Allow the PKI to issue following templates:
- Key Recovery Agent
- UserFIMAgent
- Enrollment Agent
5. Publish the spn in the AD:
setspn -A HTTP/fim-dc fim-dc
setspn -A HTTP/fim-dc.contoso.com fim-dc

Run the FIM CM setup

- Virtual Folder: CertificateManagement

Configure FIM CM

- Run Certificate Management config Wizard-
- SQL: FIM-SHAREPOINT\FIMINSTANCE
- templates: UserFIM

Fim client

Install the Forefront Identity Manager CM Client

FIM Websites: fim-dc.contoso.com;fim-dc

Configuration

AD DS:

Create FIM User groups

- FIMcmAdministrators: cyrilv ; administrator
- FIMcmCertMgrs: FIMcmAdministrators ; pascals
- FIMcmUsers: FIMcmCertMgrs ; fabiend ; youssefz

1. SCP permissions

- View > Advanced Features
- contoso.com > System > Microsoft > Certificate Lifecycle Manager > FIM-DC
- grant FIMcmUsers: Read
- grant FIMcertMgrs : CLM Audit and CLM Request Enroll

2. Users and groups permissions
- FIMcmUsers:
- grant FIM CM Request Enroll for SELF and for FIMcmCertMgrs

3. Policy template permissions
- create a new Smart card template: Contoso FIM smart card policy template
- grant FIMcmUsers and FIMcmCertMgrs the permission to Enroll on "Contoso

4. PKI templates:
- grant FIMcmUsers READ and ENROLL rights on the templates issued in Contoso FIM smart card card policy template

Contoso smart card profile template

- http://fim-dc/certificatemanagement/ as CONTOSO\Administrator
- Administration > Manage profile templates
- duplicate the FIM default smart card template
- Enroll policy: grant FIMcmUsers the Workflow initiate request right
- choose the Certificate templates to enroll
- foreach of them: grant FIMcmUsers the right to Enroll on ADCS> Certificates Templates

FIM CM is only supported on Windows Server 2003 or 2008 enterprise (at least for now)

The Card Management functionnality of FIM is only able to run on Windows Server 2003 or Server 2008 computers, not on Windows Server 2008 R2 - at least on this RC1 version-.

FIM CM configuration error: cannot impersonate a user

You have to set the UserFIM template to be less restrictive:
- remove email

Base CSP smart card self-service control is not installed

When loading the FIM CM http://fim-dc.contoso.com/CertificateManagement/ it shows a .NET SQL Connection timeout

Check that the SQL spn is correctly registred:
setspn -l Contoso\SQLsvc
if no result is present, then type:
setspn -a MSSQL/fim-sharepoint:1433 Contoso\SQLsvc
setspn -a MSSQL/fim-sharepoint.contoso.com:1433 Contoso\SQLsvc

If the MS SQL spn is alreday registred, then increase the timeout:
- Server Manager > AD CS > Right clic on CA > propreties > Exit Module > Fim CM Exit Module > Proprieties
- increase the Connect Timeout

Exchange 2010: Allow SMTP relaying

2009-10-27T16:49:00.006+01:00

Some old fashioned programs require to send mail without any form of authentication.
I will show you how to set up a SMTP relay with Exchange 2010 for all mail coming from a specific host.

Topology:
- fim-dc: 192.168.6.1
- fim-exchange: 192.168.6.100 (Exchange 2010 installed)

We want to allow all mail sent from fim-dc to be accepted like any other "normal" mail.

Here are the steps to achieve this goal:

- launch the Exchange management console

- in the Server Configuration > Hub Transport, create a new Receive connector

- give the receive connector a name:

- if you want to do any ip filtering on the receiving interface, fill the correct ip (here we would only allow mail to be received on the 192.168.6.100 ip)

- define the remote ip from where we want to relay all SMTP traffic (in our case: 192.168.6.1)

- then click on "New", a powershell command is run. The receive connector is now created.

- we now have to disable all authentication on that receive connector: Right click on its name > propreties > Authentication, and then uncheck all the boxes.

- then we have to grant the Anonymous users the right to connect, in order to send mail to the transport hub.

- done!

Now any mail coming from 192.168.6.1 to 192.168.6.100 will be relayed using SMTP relaying in Exchange 2010!

List permissions on Active Directory objects

2009-10-22T15:10:00.005+02:00

Here is a common need:
" List the permissions for a specific user / security group on a specific Active Directory object. "

You probably already know the dsacls command.
But let us face it: it is too much verbose and hard to filter.

Powershell is the key, once more.
On the Indeted! blog, the author explains us its Get-DsAcl powershell implementation.

Here is an example to display the FIMcmCertmgrs rights on the objects named FIMcmUsers : (which in our case is a security group):

Get-DSAcl -searchRoot "DC=contoso,DC=com" -LdapFilter "(name=FIMcmUsers)" select-string FIMcmCertmgrs

Output:

Microsoft SQL Server: usefull TCP and UDP ports

2009-10-19T15:41:00.003+02:00

If you would have to open only 2 ports in your firewall for Microsoft SQL Server to work, it would be:

- inbound TCP 1433: Authenticated SQL inbound connections
- inbound UDP 1434: Unauthenticated server browser queries

For more information, please check Configure the Firewall to allow SQL Server access article on Technet.

VB RAP test : Forefront Protection engine is improving!

2009-10-17T15:36:00.007+02:00

Virus Bulletin, the reference for comparing antivirus solutions, just released its latest VB RAP test results from Apr.09 to Oct. 09.

Microsoft Forefront engine is performing each time better. Comparing to the last RAP test, Forefront engine was
- Proactive detection: 3rd on 37 selected ones and is now 2nd on 38 ones!
- Reactive detection: 13th on 37 selected ones and is now 9th on 38 ones!

Remind that Microsoft Forefront engine is used in several products of Microsoft Forefront Protection Suite:
- Forefront EndPoint Protection 2010
- Forefront Protection 2010 for Exchange servers
- Forefront Protection 2010 for Sharepoint

For more details, check Microsoft Forefront official website

Ensimag - partner network day - presenting my Microsoft internship in IT Security

2009-10-17T10:47:00.006+02:00

The Grenoble INP Ensimag's Partner network day happened on the last thursday October 15th 2009.

I described my final project at Microsoft about Forefront Protection Suite and Forefront Identity Manager to some Ensimag students interested in IT Security.
Feel free to download this overview of Fabien Duchene's Final Study Project at Microsoft(french).

Microsoft has many offers for computer science students.
Please check the Microsoft France internships website and the Microsoft careers website.

Exchange 2010 RC1 on Windows 2008 R2: error 2147504141

2009-10-13T14:02:00.003+02:00

13/10/2009 - UPDATE: on Exchange 2010 RTM, this problem was solved.

As you probably know, Exchange 2007 refused to install if we disabled IPv6. Well Exchange 2010 RC1 did refuse to install if I did not disable it! Argh!

I encountered the error "The execution of: “$error.Clear(); install-ExsetdataAtom -AtomName SMTP -DomainController $RoleDomainController”, generated the following error: “An error occurred with error code ‘2147504141′ and message ‘The property cannot be found in the cache.’.”

The most relevant topic on that 2147504141 Exchange 2010 RC1 setup error is on technet.

Solution: The trick is that you HAVE to disable IPv6 BEFORE starting any Exchange 2010 RC1 setup. This is a known KB952842. Hopefully with virtualization, it is now easier to take a snapshot before starting anything critical.

The answer came from an italian guy's blog post: An error occurred with error code ‘2147504141′

Forefront Identity Manager 2010 RC1 platform

2009-10-09T10:45:00.074+02:00

These last few days I have been busy configuring my Forefront Identity Manager 2010 RC1 demonstration platform.

Forefront Identity Manager

FIM, formerly know as "ILM 2" is the Microsoft solution for managing identity in a corporate. FIM 2010 provides IT administrators the ability to delegate administration and creating workflows for common administrative tasks. In addition, FIM 2010 gives to end-users the ability to manage their own identity without the need to call IT service.

Topology

A picture is more efficient than a long speech:

Software

Here are the software requirements for a FIM 2010 architecture:
- Windows 2008 (standard for FIM Service and Portal, Password Synchronization, and enterprise for Certificate Management)
- Active Directory Domain (at least 2003)
- a PKI
- IIS 6.0
- Sharepoint 2007
- Exchange 2007
- SQL Server 2008

And the software I used :
- Windows 2008 R2 standard and 2008 enterprise
- Active Directory Domain Services
- Active Directory Certificate Services
- IIS 7.0
- Sharepoint 2007 SP2
- Exchange 2010 RC1
- SQL Server 2008 SP1
- Forefront Identity Manager 2010 RC1

Steps

FIM Server:

Install Windows 2008 Enterprise

Install Active Directory Domain Services AD DS

Install Active Directory Certificate Services AD CS

Configure PKI so that all servers autoenroll the website and computer certificate templates.

FIM Exchange:

Install Windows 2008 R2

Exchange 2010 pre-requesites

Please have a look at Exchange 2010 RC1/RTM Software Pre-requisites

Install Exchange 2010 RTM

Setup a receive connector allowing SMTP relaying from FIM-DC

Please see How to allow SMTP relaying in Exchange

FIM Sharepoint
Please see the Technet FIM Installation Guide

Install Windows 2008 R2

Sharepoint 2010 requirements

.Net Framework 3.5.1

Install SQL Server 2008 + SP1

- one instance for FIM with Full-Text search enabled: FIMINSTANCE
- one instance for Sharepoint with FTS: MOSSINSTANCE
- after these installs, apply SP1

Install Sharepoint 2007 SP2

- Database server: FIM-SHAREPOINT\MOSSINSTANCE
- User: CONTOSO\SqlUser
- Create a default site collection
- create a default site in that collection

Final steps

- Install and configure Forefront Identity Manager 2010 RC1 Certificate Management

Major experienced problems

Sharepoint Server 2007: Service Pack 2 needed for Windows 2008 R2

Everything is explained on the Sharepoint blog: Install Microsoft Office Sharepoint Server 2007 on Windows Server 2008 R2

Exchange 2010 RC1 on Windows 2008 R2

When I used the RC1 of Exchange 2010, I had some problems. Please see my post on Exchange 2010 RC1 on Windows 2008 R2: error 2147504141 .
Please note that with Exchange 2010 RTM, everything went fine.

Is the scared leopard hiding in the snow?

2009-09-06T11:31:00.028+02:00

With the worldwide public availability of Mac OS X Snow Leopard since Aug. 28th 2009, a lot of Mac users could not prevent themselves from stepping into the train. "I don't know if it is worth these 29$, but since I'm a geek, I'm definitely going to buy it!" told me a co-worker of mine.

Enthusiastic people, okay. However, from a user point of view - since I am writing this post from 10.6 - very few new features were added, so I could not stop wondering: what about Snow Leopard's security features?

ANTIVIRUS / ANTISPYWARE

Because of the growing Apple's market, it becomes more and more sensible to hackers' attacks. And despite latest Apple's ads claiming that Macs do not suffer from viruses, Snow Leopard now has an integrated antivirus software. However this is a very very basic protection. Let's have a look at its virus definitions:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

It is a XML file containing virus definitions for:

- OSX.Iservice

- OSX.RSPlug.A

.. and that's all!

Only 2 trojans signatures? Come on Apple guys, don't you know that there is hundreds of viruses targeting your platform? (it's not a new fact: on Feb 16th 2006, the first Mac OS X virus was discovered. Older versions of Mac OS were suffering virus attacks since 1998, according to Symantec news report ).

ROOTKITS

Since the integrated antivirus only contains 2 definitions, do not expect any rootkit protection to be part of Snow Leopard! Mac OS X rootkits is a quickly growing market. One of the most famous is the one integrated inside a P2P downloadable version of iPhoto 09.

An interesting article about Mac OS X rootkits is on Dino dai Zovi's blog, who presented this topic at the BlackHat USA 2009.

FIREWALL

Since the very first release of Mac OS X 10.4, a firewall is integrated. However - and this is still the case in 10.6 - it is turned off by default! A dangerous choice, because a lot of Mac users have probably not even turned it on yet!

It is nothing else than a graphical interface for ipfw, the BSD firewall. But, from a user point of view, I still prefer the Windows 7 graphical firewall which provides a deeper overview and flexibility.

DATA / DISK ENCRYPTION

FileVault home folder encryption is present since 10.4 Tiger. However, keep in mind that FileVault is sensible to cold boot attacks (which consists in freezing the RAM so that the bits do not "disappear" from the memory. And since for performance, encryption keys are often stored in the RAM for performance issues, a thief can easily dump the memory content and retrieve the encryption key). On the other side, a Windows BitLocker drive encryption with a two factor authentication like TPM+PIN is definitely harder to retrieve.

DIVERSE

Snow Leopard also adds:

- Executive Disable which uses the processor NX_Bit to prevent RAM datas zones from being executed. This feature is also known on Windows as Data Execution Prevention and was implemented on Windows XP. However, for such a protection to be fully effective, it has to be implemented with Address Space Layout Randomization. Which is not the case right now.

More starting points are on this very interesting Dino Dai Zovi's Zdnet article.

Finally, there's not a lot of juicy features for this 10.6 release of the Mac OS X operating system. Several bloggers wrote that Apple is going in the right direction. I personally believe that they first should focus on according their marketing strategy with their technical one. Because by always telling people that there is no possible security issues on Macs, they can blind the classic user who will not care at all about some basic security concepts.

I advise you to read this interesting Brian X. Chen's article about "Snow Leopard being less secure than Windows 7, but still safer".

But for how long will this last?

Am I to the dark side of the force?

2009-08-31T22:05:00.022+02:00

The other day I was talking with a friend of mine about my current job. When I told him I was currently working in the french IT Security dept of the Redmond firm, he suddenly told me "ouch, you now belong to the dark side of the force".

Let us face it: today's IT students are really close-minded when it comes about operating systems! Because three days after, another friend of mine gave me kind of the same speech about the differences between windows and linux, thinking he was teaching me what is a unix. You just have to know that I have been using linux and windows - for nearly 7 years for the first one, and 15 years for the second one- to imagine how it is embarassing when people tell you "you know, it is really better, more secure..." (I just cut the classic arguments in favor of linux, because hearing the same -wrong- ideas over and over is starting to make me feel nautious).

The day after, one of my co-worker -who used to be an IT architecture teacher- told me "today's students do not know anything about Windows. They just conceive it as a software they download and use illegally. Furthermore they do not have any idea about what is an Active Directory domain controller, meanwhile they are used to the bash shell!"

It just makes me wonder: Would it be their teachers' fault?

I am using a Macbook Pro and a Windows laptop every day. I have 4 servers in my hometown, several of them running debian linux. To sum up, I know enought about the differences between these OS architecture and user experience to be able to judge them. So let us face it: Linux is far from being perfect, so is Windows, so is Mac OS. They are just different.

They all have they pros and contras, but let us just focus on the IT security field. A report published during the first half of 2008 indicated that vulnerabilities found in Mac OS X 10.5 -on that same period of time- were more than 5 times more important than the ones found for Windows Vista during the same period and using the same criterias!

Finally I was just wondering: if Windows would be so bad, why would 90% of the computer client market be hosting that OS?

Would you like to have a NAP?

2009-08-20T07:37:00.011+02:00

In our days, we experience more and more deeply the following feeling: we need to be permanently connected to everything. It is surfing over the Internet, reading work emails at home, or even accessing an intranet during a trip. Let us assume that you are an IT administrator. On one hand you have to open more and more gates - for the users to be able to use these services - however on the other hand you have to face complex and sophisticated threats.

This dilemna already led us to a point where the firewall on the internal gateway is not enough. Just think about the following laptop scenario. The user has a remote VPN access thanks to which he is able to connect to the corporation intranet. Then the laptop gets infected. Since most of IT network administrators currently define network policy by topology, the laptop has a full network access and therefore is able infect other computers in the domain. And this is mainly because it is connected to the VPN, which is bypassing the firewall, as shown on this picture.

We do have a REAL PROBLEM: how to enforce the network security regardless of the location of the computer?

And here comes Microsoft's answer: NAP and UAG. (altough I will only blog about NAP in this post).

You probably already guessed it, NAP actually stands for Network Access Protection. This technology - also called the "network health layer" - aims at providing a controlled network access regarding of the "Health State" of the computers. Depending of its health status (a parameter defined by the administrator, regarding to rules like "the client firewall is on", "the client antivirus has the latests available definitions", "all important and critical windows security updates have been made"), it will have a full or limited network access.

In case of restricted access, we can define "remediations servers". A client with limited access will still be able to communicate with these servers (for instance in order to install updates via Windows Server Update Services, Windows Update, or the antivirus definitions websites). The goal is to fix the health state of that computer for it to be healthy, and then be able to access the full network.

There are 5 methods to enforce the network access: DHCP, VPN, 802.1x, IPSec or TS.

In a future post, we will study more precisely this mechanism, and especially analize some possible hacks of a Network Access Protection infrastructure.

If you are interested in knowing more about Network Access Protection, just check the previous link on technet.

Big BROWSER is watching you!

2009-08-12T22:00:00.001+02:00

As the world goes on, so does the technological control on our lives. We constantly have less and less privacy because of technology "improvements". Since a several years, locating quite precisely a person only thanks to its relative gsm position is a reality, and best of breed our ISP are now forced to reveal PII (Private Identity Information) about any Internet user they serve!

IPRED in Sweden, Hadopi in France,... thinking that using the Internet anonymously is belonging each day more to a dream world than to the reality. As a protest act, ThePirateBay.org set up an anonymous proxy. Called IPredator, this service allows users to connect via a classic PPTP VPN connection, and then surf anonymously only by paying a pay a tiny monthly fee (something like 7$/month). A smart way to fight - at their scale - for more privacy over the Internet, but I really do wonder if anyone is able to fight against the pressure of worldwide corporations owning dozen of thousand of digital media copyrights.

Because actually the jungle rule does still applies...

Club-Internet or the bad Wireless student..

2009-08-10T19:08:00.002+02:00

Club-Internet, a french ISP - currently owned by Neuf Telecom which is itself currently owned by SFR (french Vodafone) - sold a lot of TECOM wireless Access Points.

On most of Hitachi and Tecom AP, the default WEP key is a result of a SHA-1 hash of the WEP SSID! The ISP offers a windows utility "WEPTool.exe" to compute this function and get the default WEP key: WEPTool website

That is why it is even easier to access these kind of wireless network than cracking the corresponding WEP network (with tools like aircrack)!!

Altough it could lead to a "simple" installation for a newbie, it seems like a huge security issue on the default configuration.

The quieter you become the more you can hear.

2009-08-09T19:33:00.001+02:00

As the first ticket on this IT security related blog, I would like you to think about this quote from Mr Baba Ram Dass, a spiritual teacher from Boston, USA.

"The quieter you become, the more you can hear" is a general assumption that could very well be applied to the field of IT related security.

Think twice about it:

- wireless hackers who put their cards in monitoring mode to check for network characteristics, and then perform an appropriate attack

- information stealing malware which create an https tunnel to send found information while the common firewall will think of a legitimate web browsing

Fabien's IT security diary

Printing from an iPhone, iPad or Mac using AirPrint, Bonjour in an Active Directory domain

the Car-Online framework is now open-source

virtual-win-lab-mgmt is now open-source

Secure and easy ucarp ip-failover using ucarp-multi

Voyage-Sncf: security design flaw

Random thoughts to improve voice recognition

DNS dynamic secure updates credentials

TechDays 2010, France - Webcasts

FIM 2010 - Exchange 2010 provisioning made easy with RC1 update 3!

OVH minicloud: Hello world bench!

Getting the latest Metasploit 3.3 branch to work on Mac OS X 10.6.1 (Ruby 1.9.1)

Techdays 2010, France - My selection

Enable DEP using GPO and Powershell

Why is there no administrative template for enabling DEP?

How to enable DEP on a single computer?

How to enable DEP on a domain?

Administrative template for Microsoft Security Essentials

Microsoft security essentials market

Microsoft Security Essentials administrative template

How is it achieved?

What are the limitations?

To conclude

Going further

RSync for Windows: cwrsync

Disabling Adobe Javascript using GPO

Using GPO to disable Adobe Javascript

VHD to WIM: from virtual machine to WIM deployment

November 2009 hacking attempts on my websites

FIM 2010 RC1 update 2

Windows 2008 R2 Administration tools

FIM - execute management agents run profiles with powershell

Mac OS X: automator: create a new file

Disable Exchange 2010 arbitration mailboxes

Forefront Identity Manager 2010 CM: errors and solutions

Unable to check CA in Edit Profile template

Value cannot be null. Parameter name byte

Base CSP smart card self-service control is not installed or the current site is not specified in the allowed sites list by your Administrator. Please contact your system Administrator. Additional information: Automation server can't create object

FIM CM: while reading the smart card

If using v3 certificate templates for the agents (windows 2008) instead of v2 (win. 2003)Then the following errors will appear.

Windows Logs > Security > Failed login - Key Migration failed

FIM 2010 CM - configuration

Install FIM Certificate Management

Prepare for FIM CM setup

Run the FIM CM setup

Configure FIM CM

Install the Forefront Identity Manager CM Client

Create FIM User groups

1. SCP permissions

Contoso smart card profile template

FIM CM is only supported on Windows Server 2003 or 2008 enterprise (at least for now)

FIM CM configuration error: cannot impersonate a user

Base CSP smart card self-service control is not installed

When loading the FIM CM http://fim-dc.contoso.com/CertificateManagement/ it shows a .NET SQL Connection timeout

Exchange 2010: Allow SMTP relaying

List permissions on Active Directory objects

Microsoft SQL Server: usefull TCP and UDP ports

VB RAP test : Forefront Protection engine is improving!

Ensimag - partner network day - presenting my Microsoft internship in IT Security

Exchange 2010 RC1 on Windows 2008 R2: error 2147504141

Forefront Identity Manager 2010 RC1 platform

Forefront Identity Manager

Topology

Software

Steps

Install Windows 2008 Enterprise

Install Active Directory Domain Services AD DS

Install Active Directory Certificate Services AD CS

Install Windows 2008 R2

Exchange 2010 pre-requesites

Install Exchange 2010 RTM

Setup a receive connector allowing SMTP relaying from FIM-DC

Install Windows 2008 R2

Sharepoint 2010 requirements

Install SQL Server 2008 + SP1

Install Sharepoint 2007 SP2

Final steps

Major experienced problems

Sharepoint Server 2007: Service Pack 2 needed for Windows 2008 R2

Exchange 2010 RC1 on Windows 2008 R2

If using v3 certificate templates for the agents (windows 2008) instead of v2 (win. 2003)
Then the following errors will appear.