Because I actually got some requests, after my previous Belgian eID post, on how to accomplish this, here is a more technical post… It’s a bit chaotic, so I hope you’ll figure the details out on your own 🙂

I’m not reinventing wheels here. All of this is loosely based on http://blog.debilloez.net/2010/12/ad-authentication-with-be-eid.html , http://setspn.blogspot.be/2014/10/configure-windows-logon-with-electronic.html , https://social.technet.microsoft.com/Forums/office/en-US/4eae5d60-c90c-4238-82b7-67b0ac261b8e/eid-login-for-domain?forum=winserversecurity and https://blogs.msdn.microsoft.com/spatdsg/2008/04/17/smartcard-in-2008-and-vista-national-id-card-no-upn-no-eku-no-problem/ , and there even was a Word document I can’t seem to find anymore…

You can have this up and running in less than an hour.

Requirements:

  • Active Directory Domain Services
  • Active Directory Certificate Services with an Enterprise CA (ideally, this role is NOT installed on your DC…)
  • Some server or workstation (Windows Desktop or Terminal Server or whatever where you want your users to log-on)

Configuration

Forest/Domain

Basically, the certificate chain consists of end-entity -> intermediate -> root (-> GlobalSign; FEDICT made 2 roots).

The root needs to be in “Trusted Root Certification Authorities” and the intermediate in “Intermediate Certification Authorities” on all involved machines: DC, client, server.

Download all useful certificates from http://certs.eid.belgium.be/ (please script this)

“useful” meaning:

  • non expired root certificates
  • all non expired citizen intermediate certificates
  • (foreigner if your use case needs this)

For easy deployment: create a new group policy, add the roots to “Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities” and the intermediates to the “Intermediate Certification Authorities” store in the same location.

Deploy this GPO to all servers involved: Domain Controllers, IIS, RDP, …

ADCS

Make sure the “Kerberos Authentication” certificate template is made available to Domain Controllers on your freshly installed CA, that the DCs have enrolled for it, and that the certificate actually shows up in certlm.msc. (This template is the newer version of the “Domain Controller Authentication” template, which in turn replaced the very original “Domain Controller” template; any one of them is good enough.) Make sure your general PKI is healthy.

DC

Create a user.

Export the authentication certificate from the smart card (either with the Be eID viewer or using certmgr.msc).

The mapping of a Be eID to an Active Directory user happens in Active Directory Users and Computers (dsa.msc). Go to a user, right-click, Name Mappings, and add the exported Be eID authentication certificate there.


The DC’s also need a modification in the registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001


Note: the new 2017 BE eID’s don’t require AllowCertificatesWithNoEKU and AllowSignatureOnlyKeys anymore (they actually set the correct EKU); old eID’s do.
The CRL settings are also not really required if outgoing network access allows the DC to fetch the CRL. Keep in mind that UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors makes the DC accept a certificate whose revocation status it could not determine, so a revoked (lost or stolen) card is only refused while a fresh CRL is in the cache.

Target

IIS/Terminal Server/Windows logon

Always install the eID middleware, download from https://eid.belgium.be/

And set the same registry keys again

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001

Same notes on the registry keys as above; for the newest eID’s only ForceReadingAllCertificates is really required.
ForceReadingAllCertificates is needed because the smart card contains 2 certificates and Windows would otherwise only read the first one.

Windows Logon

You can use an eID for regular logon on a physical machine (with a reader – think a Cherry keyboard with built-in reader, or terminals).

On the lock screen, logon but select smart card.
Rest should be self explanatory.

RDP host

It’s best to put a Remote Desktop Gateway in between, as NLA sometimes blocks smart card logon (or disable NLA, but that is not recommended).

Under normal operations, use mstsc to connect to the RDP host; in the authentication window select the correct smart card certificate (the authentication one) and log on.

Once connected, you’ll notice a 1 to 4 second delay; just give it some time to tunnel the reader over the RDP connection and the logon will occur.

On the computer you are using to connect to the RDP server, also set the registry keys and install the eID middleware (the driver for the smart card); see the Client section below for more info.

IIS

To be updated…

Basically, use iisClientCertificateMappingAuthentication, which needs to be installed as an additional IIS feature, and use that from there on. It’s also possible to do the mapping directly in ASP. I will update this part if I find some time.

Client

The machine you’re actually working on, and connecting to the servers above.

Install the eID middleware, download from https://eid.belgium.be/

The chip on the eID itself contains 2 certificates: 1 meant for signing, 1 for authenticating.

By default, Windows only reads the first certificate on a smart card and tries to use that one to authenticate. On the Belgian eID’s, this is the signing one (plus, with pre-2017 certificates, it has the wrong EKU). So we need to configure the Windows client to actually read both certificates and to allow certificates without the right EKU… (Note: on the 2017 eID’s the correct EKU, Client Authentication, is actually set, but still on the 2nd certificate.)

Registry keys!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

Also, same comments on regkeys as earlier.
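As an added example (not code from the original post or from the eID project), a PowerShell script that does the certificate deployment and registry checks from the sections above on one machine: it sorts the downloaded CA certificates into the root and intermediate stores by whether they are self-signed and skips expired ones, verifies the registry values, and checks an exported authentication certificate for the Client Authentication EKU and a trusted chain. The folder and file paths are assumptions; run it elevated.

```powershell
# Added example, not code from the original post: import the eID CA certificates into the right
# LocalMachine stores and check the registry values described above. $CertFolder is an assumption:
# a folder holding the .crt/.cer files downloaded from http://certs.eid.belgium.be/ .
$CertFolder = 'C:\eid-certs'

function Import-EidCaCertificates([string]$Folder) {
    $now = Get-Date
    foreach ($file in Get-ChildItem -Path $Folder -Recurse | Where-Object { $_.Extension -in '.crt', '.cer' }) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        if ($cert.NotAfter -lt $now) { Write-Host "SKIP expired: $($cert.Subject)"; continue }
        # Self-signed (subject equals issuer) means root -> Trusted Root store; anything else is an
        # intermediate -> Intermediate Certification Authorities store ("CA" in the Cert: drive).
        $store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
        Import-Certificate -FilePath $file.FullName -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
        Write-Host "IMPORTED into LocalMachine\${store}: $($cert.Subject)"
    }
}

function Test-EidRegistry {
    # Keys and values from the post. On post-2017 cards only ForceReadingAllCertificates is needed,
    # and the Kerberos CRL values only when the machine cannot fetch CRLs itself.
    $expected = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider' = @('AllowCertificatesWithNoEKU', 'AllowSignatureOnlyKeys', 'ForceReadingAllCertificates')
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' = @('UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors', 'CRLTimeoutPeriod')
    }
    foreach ($key in $expected.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $expected[$key]) {
            $value = if ($props) { $props.$name } else { $null }
            $state = if ($value -eq 1) { 'OK     ' } else { 'MISSING' }
            Write-Host "$state $key\$name = $value"
        }
    }
}

function Test-EidAuthCertificate([string]$CerPath) {
    # $CerPath: the authentication certificate exported from the card (see the DC section above).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509EnhancedKeyUsageExtension] }
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2): present on 2017+ cards, missing on older ones
    $clientAuth = ($eku -ne $null) -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)   # true only when root and intermediate are in the machine stores
    [pscustomobject]@{ Subject = $cert.Subject; ClientAuthEKU = [bool]$clientAuth; ChainTrusted = $trusted }
}

Import-EidCaCertificates -Folder $CertFolder
Test-EidRegistry
Test-EidAuthCertificate -CerPath 'C:\eid-certs\user-authentication.cer'   # path is an assumption
```

On domain members the GPO from the Forest/Domain section does the store deployment; the import function is for the machines you set up by hand, and the two check functions are useful everywhere.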

Limitations

There are some limitations to this solution, such as the certificate-to-user mapping process, deployment of eID certificates to servers, exceptions when someone loses their eID, etc…

At tSF we did try to fix those limitations, using extra policies when a user forgot their smart card to give them an exception on the authentication policy, and by building some extra tools to manage all this much more easily.

But of course I can’t share those… =)

Other way around, if you’re interested, you’re always free to contact tSF: https://www.thesecurityfactory.be 😉


I hate backups, I really do… Even more than I hate printers 🙂

But, as recent happenings proved again, you definitely need one… Whether it’s for a virus or ransomware, a failing hard disk, or even if you just delete something (why would you delete something?)

I’ve been looking around for a good off-site backup for ages, but never found a “good” (read: cheap) one… If you look at cloud-hosted backup solutions such as backblaze, crashplan, …, you’re always going to spend more than $50 yearly… (http://www.pcmag.com/article2/0,2817,2288745,00.asp)
I always figured, yeah, that’s the price of a physical disk you can keep forever…

Anyway, next issue: backup software… If someone can give me a tool that just actually works, PLEASE be my guest…
In the past I’ve used the built-in Windows one… But that one failed terribly, resulting in me losing a lot of pictures… 😦

One of my last interests was backing up to Amazon’s Glacier service… But I never took the actual step.


Last week, I took two steps!


Azure Simple File

https://azure.microsoft.com/en-us/services/storage/files/

A couple of months ago, a new “feature” was made available on Azure. Basically it’s just an oldskool file server in an Azure datacenter… Meaning: accessible over SMB 🙂

\\fileserver.onmicrosoft and you’re good to go!
Jieehaa!
No shitty REST-interfaces! 🙂

It’s SMB 3.0, so authentication, encryption and data integrity are handled by the protocol 🙂 (hey, you’re communicating over a public network, of course you’ll need that!)

Having a “regular” interface to the cloud opens up possibilities… But, bringing me back to my earlier point of having the right tool for the job…
I don’t trust File History anymore, so I’m looking around for other tools…

Currently running Iperius -> http://www.iperiusbackup.com/
Curious how that’s going to turn out…
It doesn’t have a restore option? WTF?


Azure Backup

https://azure.microsoft.com/en-us/services/backup/

Another service I’m testing on Azure is the Backup functionality.

It comes with a client application. Install, configure, select data and you’re good to go! This app definitely impressed me!

I know it says “failed”; one of the big issues with cloud storage is your upload speed… As I’m only a Belgian internet user, I’m stuck with a 5 Mbit upload rate over ADSL… So uploading 120GB takes forever (forever being 2.5 days). So, on a daily schedule, after a day, the previous backup hasn’t finished yet 🙂
http://beta.speedtest.net/result/4976075067

Big plus: I crossed my “download limit” uploading 650GB of backup data 😦
JEEEEJ CLOUD

Did I tell you it’s slow as hell?
And you have to pay extra for outbound network traffic, aka: to restore data you have to pay more…

I’m even considering installing this on all computers from my family!

A cool trick that was shown a couple of years ago, called BadUSB, turns random USB devices into possible snooping devices.

What if you plug in a USB stick you found on the street and it turns out to open up a web browser and steer you to a specific website, downloading and launching an application? USB has many device classes, so instead of a “mass storage device” (what you would expect from something that looks like a USB drive) it imitates a HID device such as a keyboard or mouse… So your “drive” becomes a keyboard!
Automate some pre-defined keystrokes that randomly start after plugging in the USB device, like Windows-logo+R, type https://mendelonline.be/temp/runme.exe, press enter a couple of times, and then run the same with %userprofile%\downloads\runme.exe, and you’ll be pretty close to running your executable without any user interaction!

Edit 26/05/2016: Exactly like this: https://www.informationsecurity.ws/2016/01/pwning-windows-7-with-avg-av/

Not that many technologies exist to prevent this from happening on Windows though… But I found a document on irongeek explaining how to block USB devices using Group Policy (local policy can also be used; you don’t need a domain-joined computer): http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices

Open your local policy editor, open up “Computer Configuration->Administrative Templates->System->Device Installation->Device Installation Restrictions”, and start messing around 🙂

(screenshot: local group policy settings)

I started by checking which USB devices were already known on my computer… You can use the always awesome NirSoft USBDeview to have a look at your USB history.

So I deleted all history, with the idea to start clean.
After deleting everything, I let Windows re-discover all the devices built into my laptop.
Next, I started plugging in some USB devices I owned and let them register and install.

Then, the actual blocking policy was enabled.

Another USB device I hadn’t installed, kept aside for testing purposes, was plugged into my computer. And nothing happened.
Perfect 😎

I still needed to install that device anyway, but starting Device Manager with administrative credentials allowed me to overrule the blocking policy and install the USB device for future use…
(Note: once a USB device is “installed”/“registered” in Windows, it can be plugged in and used anytime in the future without the admin-override technique…)
Or you can start defining classes of USB devices, manufacturers, etc… Just check irongeek’s page 🙂
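An added example (not from the original post or irongeek’s page) of the allow-list variant mentioned at the end: PowerShell that snapshots the hardware IDs of every device already installed (the clean baseline built above) into the Device Installation Restrictions allow-list, then turns on the block for everything else while keeping the administrator override. The registry values are the ones behind those policy settings; the script assumes it runs elevated on Windows 8 or newer.

```powershell
# Added example, not code from the original post: snapshot the hardware IDs of every device Windows
# already knows (the clean baseline built above) into the Device Installation Restrictions allow-list,
# then block installation of anything else while keeping the administrator override.
# Registry values are the ones behind the policies under Device Installation Restrictions:
# AllowDeviceIDs, DenyUnspecified (prevent devices not described by other settings), AllowAdminInstall.
$RestrictKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-KnownHardwareIds {
    # Every installed device, present or not (Get-PnpDevice without -PresentOnly), like USBDeview's history
    Get-PnpDevice | ForEach-Object {
        (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
    } | Where-Object { $_ } | Sort-Object -Unique
}

function Set-DeviceAllowList([string[]]$HardwareIds) {
    $listKey = "$RestrictKey\AllowDeviceIDs"
    New-Item -Path $listKey -Force | Out-Null
    # Drop stale entries, then write the list as string values named "1", "2", ... (the policy's format)
    (Get-Item $listKey).Property | ForEach-Object { Remove-ItemProperty -Path $listKey -Name $_ }
    $i = 1
    foreach ($id in $HardwareIds) {
        New-ItemProperty -Path $listKey -Name $i -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
    Set-ItemProperty -Path $RestrictKey -Name AllowDeviceIDs    -Value 1 -Type DWord
    Set-ItemProperty -Path $RestrictKey -Name DenyUnspecified   -Value 1 -Type DWord  # block everything not listed
    Set-ItemProperty -Path $RestrictKey -Name AllowAdminInstall -Value 1 -Type DWord  # Device Manager as admin still works
}

function Get-DeviceRestrictionStatus {
    $p = Get-ItemProperty -Path $RestrictKey -ErrorAction SilentlyContinue
    $allowed = if (Test-Path "$RestrictKey\AllowDeviceIDs") { @((Get-Item "$RestrictKey\AllowDeviceIDs").Property).Count } else { 0 }
    [pscustomobject]@{
        DenyUnspecified   = [bool]$p.DenyUnspecified
        AllowAdminInstall = [bool]$p.AllowAdminInstall
        AllowedIdCount    = $allowed
        # Present devices in an error state; after enabling the block, a refused device shows up here
        DevicesInError    = @(Get-PnpDevice -PresentOnly | Where-Object { $_.Status -eq 'Error' }).Count
    }
}

Set-DeviceAllowList -HardwareIds (Get-KnownHardwareIds)
Get-DeviceRestrictionStatus
```

On a domain-joined machine set the same three policies through a GPO instead of writing the Policies key directly, so the setting is managed and reported; as noted above, the block only affects devices that are not already installed.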

(screenshots: Computer Management showing the DataTraveler as unrecognized / not being used, USBDeview, updating the driver as administrator, and the DataTraveler installed and active)

One of the recent security “packs” in the Microsoft ecosystem is LAPS, the Local Administrator Password Solution (https://technet.microsoft.com/library/security/3062591). It tries to solve one of the ancient issues regarding the local administrator account on a Windows machine: it needs to exist, and it needs to have a, preferably, secure and unique password. Yet, in many organizations, the default administrator account is enabled, with the exact same password on every machine…
Result: once you know the password, you’re an admin on every workstation! (lateral movement) 🙂
The idea of LAPS is to randomize the password of each workstation and store it in Active Directory as a confidential attribute of the computer object.

LAPS can be configured to manage the local administrator account, .\administrator, or another, configurable and existing, account.

Surprise!

Enter MS14-025.
MS14-025 disables the usage of CPassword in Group Policy Preferences: https://support.microsoft.com/en-us/kb/2962486 .

This is a good thing!

CPassword allowed unsuspecting administrators to put plaintext passwords in publicly readable Group Policy XML files!
(Almost plaintext, as the passwords are encrypted with a publicly known key.)

Here is the password btw (https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx#endNote2):

 4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
 f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

Yet, this also means you cannot create a new local account using Group Policy Preferences anymore.
A little “forgotten” side-effect…

And there is no real alternative to actually create a local account on a domain member…
(At installation of the LAPS client-side MSI, an argument can be set to actually create a new account…)

One way to solve this is to create the new local user with a startup script!
The script below was tested on Windows 10; some things did break between 8.1 and 10!
Deploy it using SCCM or GPO startup scripts!

It creates the account, and LAPS will change its password on the first gpupdate.

Note, another point of discussion is whether the .\administrator account should be used or not. There are a lot of different opinions here…
For LAPS, some people at Microsoft advise to “just use the .\administrator account, because you know it will always be there”. (Note: that account is prone to brute-force attacks, as a lockout policy never applies to RID 500.)
In other cases (src1, src2, src3), Microsoft advises to disable the .\administrator account, create another administrator account and use that one…
Point is, when you’re not using BitLocker, there is a tool called “Offline Windows Password & Registry Editor” by Pogostick which can always enable and reset the .\administrator account’s password.
So, the choice is up to you! My humble opinion is to use another account 🙂 (otherwise I wouldn’t be going through all this trouble to get another one 🙂 )

See https://gist.github.com/mendel129/59a175e49c57b8ef9847

#https://gist.github.com/mendel129
function create-localaccount ([string]$accountName = "testuser", [string]$Computer = "localhost") {
    $comp = [ADSI]"WinNT://$Computer"
    # Startup scripts run on every boot: don't try to re-create an account that already exists
    if ([ADSI]::Exists("WinNT://$Computer/$accountName,user")) {
        Write-Host "account $accountName already exists on $Computer, skipping creation"
        return
    }
    $user = $comp.Create("User", $accountName)
    # Set a random throw-away password (19 printable ASCII characters); LAPS replaces it on the first gpupdate
    $password = ([char[]](33..126) | Sort-Object { Get-Random })[0..18] -join ''
    $user.SetPassword($password)
    $user.SetInfo()
}

function get-currentlocaladministrators([string]$Computer = "localhost") {
    $obj_group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Invoke IADsGroup.Members and return the name of each member
    $members = @($obj_group.psbase.Invoke("Members")) | ForEach-Object { ([ADSI]$_).InvokeGet("Name") }
    $members
}

function add-localadministrators([string]$accountName = "testuser", [string]$Computer = "localhost") {
    $AdminGroup = [ADSI]"WinNT://$Computer/Administrators,group"
    #$User = [ADSI]"WinNT://$hostname/$accountName,user" #something broke on windows 10
    #$AdminGroup.Add($User.Path) #something broke on windows 10
    # Bind the user by account name only (resolved by the WinNT provider) and add it through IADsGroup.Add
    $objUser = [ADSI]("WinNT://$accountName")
    $AdminGroup.PSBase.Invoke("Add", $objUser.PSBase.Path)
}

get-currentlocaladministrators -Computer "localhost"
create-localaccount -Computer "localhost" -accountName "testuser"
add-localadministrators -Computer "localhost" -accountName "testuser"
get-currentlocaladministrators -Computer "localhost"

Some good LAPS references:

Get yourself a cheap cloud host running Windows Server.
Add an SSL-based SSTP VPN.
Add an SSL-based Remote Desktop Gateway.
Put Let’s Encrypt on all of it.

For quick access to blocked URLs, put a Glype PHP proxy somewhere (maybe on that same IIS).


My current setup: a host in Azure running VPN and RD Gateway, mostly connecting to the RD Gateway on my home server, which connects to a VM guest… You know… RDP-ception!

Now you can go everywhere!