Enable LDAP over SSL for AD

We will need LDAPS later on for two-factor authentication with OpenOTP. The solution OpenOTP suggests (setting up a CA on the domain controller itself) is not best practice: the domain controller only needs a server certificate, and that certificate should come from a CA that runs somewhere else.

This Microsoft article provides the necessary information:

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

In the certificate template, the Enhanced Key Usage Server Authentication (1.3.6.1.5.5.7.3.1) is essential. In addition, the fully qualified DNS name of the domain controller must appear in the Subject CN or in a DNS entry of the Subject Alternative Name, and the certificate with its private key must end up in the local computer's Personal store.

Place the certificate

How to add the certificate to the NTDS service's Personal certificate store (needed when more than one server certificate exists on the DC and you want to choose the one LDAPS uses):

http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx

For troubleshooting:

http://support.microsoft.com/kb/938703

Requesting and installing a certificate

Create the CSR

Log on to the domain controller.

Create the CSR on the server (certreq works on Server Core as well, which has no certificate MMC):

certreq -new c:\temp\cert.inf c:\temp\certrequest.req

The cert.inf file (everything after a ";" is a comment):

[NewRequest]
Subject="C=CH,S=ZH,L=Zurich,O=Company,OU=IT,CN=server.domain.local" ; CN must be the DC's FQDN
PrivateKeyArchive=FALSE
Exportable=FALSE               ; the private key can never be exported from the DC
UserProtected=FALSE            ; no strong key protection prompt, NTDS must use the key unattended
MachineKeySet=TRUE             ; key goes into the machine store, not the user's
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
UseExistingKeySet=FALSE
RequestType=PKCS10
HashAlgorithm=sha256
KeyLength=4096
KeyUsage=0xF0                  ; Digital Signature, Nonrepudiation, Key Encipherment, Data Encipherment
KeySpec=1                      ; AT_KEYEXCHANGE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1          ; Server Authentication

Submit the request file to the CA and have it signed; save the signed certificate as c:\temp\SignedCertificate.cer.

Install the certificate

certreq -accept c:\temp\SignedCertificate.cer

Install the root certificate

Do not forget to install the CA's root certificate into the machine Trusted Root Certification Authorities store (certutil store name "Root"); without it the DC cannot build a trusted chain for its own certificate. TrustedPublisher is the Authenticode publisher store and is the wrong place for a CA root. If the signing CA is an intermediate, add its certificate to the "CA" (Intermediate Certification Authorities) store the same way.

certutil -addstore -f Root c:\temp\root.cer
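The same sequence (create the CSR, install the signed certificate, trust the root, check the result) as a PowerShell script. This is an added example and not part of the original post or of OpenOTP's documentation. It assumes an external CA that signs the request out of band between the two function calls; the C:\temp paths are placeholders, the DC's FQDN is taken from DNS, a Subject Alternative Name with that FQDN is added, and the key usage is reduced to Digital Signature + Key Encipherment (0xA0), which is all a TLS server certificate needs. Run it in an elevated PowerShell on the domain controller.

```powershell
# Added example, not from the original post: the certreq/certutil steps above as two
# PowerShell functions with a check at the end. Assumes an external CA that signs the
# request out of band between the two calls; C:\temp paths are placeholders and the DC's
# FQDN is taken from DNS. Run in an elevated PowerShell on the domain controller.

function New-LdapsCsr {
    param(
        [string]$Fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$InfPath = 'C:\temp\cert.inf',
        [string]$ReqPath = 'C:\temp\certrequest.req'
    )
    # Same settings as the INF above, plus a Subject Alternative Name with the FQDN.
    # Key usage is reduced to Digital Signature + Key Encipherment (0xA0), which is
    # all a TLS server certificate needs.
    @"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=FALSE               ; private key never leaves the DC
UserProtected=FALSE            ; no strong key protection prompt, NTDS uses the key unattended
MachineKeySet=TRUE             ; machine store, not the user's
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
HashAlgorithm=sha256
KeyLength=4096
KeySpec=1
KeyUsage=0xA0                  ; Digital Signature, Key Encipherment
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1          ; Server Authentication
[Extensions]
2.5.29.17 = "{text}"           ; Subject Alternative Name
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $InfPath -Encoding Ascii

    certreq -new $InfPath $ReqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    Write-Host "CSR written to $ReqPath; submit it to the CA and save the result as SignedCertificate.cer"
}

function Install-LdapsCertificate {
    param(
        [string]$SignedCert = 'C:\temp\SignedCertificate.cer',
        [string]$RootCert   = 'C:\temp\root.cer',
        [string]$Fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    # The CA root belongs in the machine Trusted Root Certification Authorities store
    # (certutil name "Root"); without it the DC cannot build a trusted chain.
    certutil -addstore -f Root $RootCert | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit code $LASTEXITCODE)" }

    # certreq -accept pairs the signed certificate with the pending request's private key
    # and places it in LocalMachine\My, where LDAPS looks for it.
    certreq -accept $SignedCert | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

    # Check the result against the LDAPS requirements: private key present, FQDN in the
    # certificate, Server Authentication EKU, and a chain that validates.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $Fqdn) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for $Fqdn found in LocalMachine\My" }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        DnsNames      = ($cert.DnsNameList.Unicode -join ', ')
        ServerAuthEKU = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        HasPrivateKey = $cert.HasPrivateKey
        ChainValid    = $cert.Verify()      # builds the chain against the machine Root store
        NotAfter      = $cert.NotAfter
    }
}

# Usage: run New-LdapsCsr first; after the CA has signed the request, run Install-LdapsCertificate.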

Verification

After the certificate is installed, follow these steps to verify that LDAPS is enabled:

  1. Start the Active Directory Administration Tool (Ldp.exe).
  2. On the Connection menu, click Connect.
  3. Type the name of the LDAP server (the domain controller, or an AD LDS/ADAM server) you want to connect to. Use the FQDN that appears in the certificate, not an IP address, otherwise the name check fails.
  4. Type 636 as the port number and tick the SSL box.
  5. Click OK. If the connection succeeds, Ldp displays the RootDSE attributes; if it reports that it cannot open the connection, continue with the debug steps.
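The Ldp.exe check from above as a script, so it can be repeated after every certificate renewal. This is an added example, not from the original post: it first does a raw TLS handshake to port 636 to capture the certificate the DC presents and the validation result (a wrong name, an untrusted root or a missing EKU show up here), then performs a real LDAP bind over SSL with the current user's credentials, which is what OpenOTP or any other LDAPS client ends up doing. The DC name in the last line is a placeholder.

```powershell
# Added example, not from the original post: the Ldp.exe check from above as a script.
# The DC name passed to Test-Ldaps at the bottom is a placeholder; replace it with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-Ldaps {
    param(
        [Parameter(Mandatory)][string]$Server,   # use the FQDN that is in the certificate, not an IP
        [int]$Port = 636
    )

    # 1) Raw TLS handshake on 636: capture the certificate the DC presents and the
    #    validation result. The callback returns $true so a bad certificate can be
    #    inspected instead of only producing an exception.
    $script:LdapsCert   = $null
    $script:LdapsErrors = $null
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:LdapsCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $script:LdapsErrors = $sslPolicyErrors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    try {
        $ssl.AuthenticateAsClient($Server)
        $protocol = $ssl.SslProtocol
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    $cert = $script:LdapsCert
    # Server Authentication (1.3.6.1.5.5.7.3.1) must be among the Enhanced Key Usages.
    $ekuExt     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # 2) A real LDAP bind over SSL with the current user's credentials, which is what
    #    OpenOTP or any other LDAPS client does. This fails with "LDAP server unavailable"
    #    whenever the client cannot validate the certificate.
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $bindOk    = $true
    $bindError = $null
    try     { $conn.Bind() }
    catch   { $bindOk = $false; $bindError = $_.Exception.Message }
    finally { $conn.Dispose() }

    [pscustomobject]@{
        Server        = $Server
        TlsProtocol   = $protocol
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        ServerAuthEKU = $serverAuth
        PolicyErrors  = $script:LdapsErrors   # "None" means trusted chain and matching name
        LdapBindOk    = $bindOk
        BindError     = $bindError
    }
}

# Placeholder DC name; replace with your own domain controller.
Test-Ldaps -Server 'dc01.domain.local' | Format-List
```

PolicyErrors other than None tell you which requirement is violated: RemoteCertificateNameMismatch means the name you connected to is neither the CN nor a SAN entry, RemoteCertificateChainErrors means the root (or an intermediate) is missing from the machine stores. A successful handshake with a failing bind usually points to the same chain problem on the client side.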

Debug in case of problems

certutil -verifystore MY

Result:

MY "Personal"
================ Certificate 0 ================
Serial Number: 75000000088db1a509904b6eff000000000008
Issuer: CN=XCA01-CA
NotBefore: 24.06.2015 09:03
NotAfter: 24.06.2016 09:13
Subject: CN=xdc01.xjbk.local
Non-root Certificate
Cert Hash(sha1): 1e 8b df 3f 67 1c 18 fe a9 7d 2b 32 0d d2 1a a3 9f 17 8c fd
  Key Container = 87698826a058b37df04eac8a815a9b98_837e2fc9-5182-4419-9660-e414de50a998
  Simple container name: CertReq-0ecbfed1-329c-4ac6-a5ec-246aa7b87939
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
Revocation check skipped -- server offline
Certificate is valid
CertUtil: -verifystore command completed successfully.

What to look for: the Subject is the DC's FQDN, a Key Container line is present (the private key was found and matches the certificate, which the encryption test confirms), and the output ends with "Certificate is valid". "Revocation check skipped -- server offline" means certutil could not reach the CA's CRL distribution point; the certificate still verifies here, but clients that enforce revocation checking will fail until the CRL is reachable from them.

Technical Information:

How to enable LDAP over SSL with a third-party (external) certification authority:

https://support.microsoft.com/de-ch/kb/321051/en-us

https://technet.microsoft.com/en-us/library/cc736326.aspx

Lazy Windows

Typical Windows Server environment

All servers have the same local Administrator password: easier to remember. Domain controllers and file servers have internet access: it is easier to activate Windows that way, isn't it? The Domain Admin password is easy to guess and never expires, which makes remembering it easier. Why not agree on an easy standard password for every place where a password is required? This makes life and collaboration a lot easier. And that annoying Windows Firewall is disabled by default anyway; it just keeps blocking important traffic.

Service accounts must be members of the Domain Admins group and have a never-expiring password (the standard one), so you don't have to think about privileges. Some service accounts are used for multiple services with no logical connection between them.

And anyway, documentation is for wimps: having no documentation helps secure my job.

Is it lazy IT guys, or is it time pressure that causes this?
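Whatever the cause, the patterns above can be measured. The following is an added example (not from the original post) that looks for them in your own domain: members of privileged groups whose password never expires or who have not logged on for a long time, the domain accounts that actually run Windows services on a list of servers, accounts shared by several services or servers, and service accounts that are also privileged. It assumes the ActiveDirectory RSAT module, read access to the domain and CIM/WMI access to the listed servers; the server names are placeholders.

```powershell
# Added example, not from the original post: looks for the patterns described above in
# your own domain. Assumes the ActiveDirectory module (RSAT), read access to AD and CIM/WMI
# access to the listed servers; the server names are placeholders.
Import-Module ActiveDirectory

function Get-LazyWindowsFindings {
    param(
        [string[]]$Servers = @('srv01', 'srv02'),
        [int]$StaleDays = 90
    )

    # 1) Members of privileged groups: password never expires, or nobody has logged on
    #    with the account for a long time (an ex-employee who still knows it?).
    $privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $privileged = foreach ($g in $privGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                Get-ADUser -Identity $_.DistinguishedName -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
                    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate,
                                  @{ n = 'Group'; e = { $g } }
            }
    }
    $neverExpires = $privileged | Where-Object { $_.Enabled -and $_.PasswordNeverExpires }
    # An account that never logged on at all counts as stale too.
    $stale = $privileged | Where-Object { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays) }

    # 2) Which accounts actually run Windows services on the servers (built-in identities excluded).
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
               'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
    $serviceUse = foreach ($s in $Servers) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction SilentlyContinue |
            Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
            Select-Object @{ n = 'Server'; e = { $s } }, Name, StartName
    }

    # 3) One account behind several services or servers: changing its password means
    #    touching every one of them, which is why it never gets changed.
    $shared = $serviceUse | Group-Object StartName | Where-Object { $_.Count -gt 1 } |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
                      @{ n = 'Services'; e = { ($_.Group | ForEach-Object { "$($_.Server)\$($_.Name)" }) -join ', ' } }

    # 4) Service accounts that are also members of a privileged group.
    #    StartName comes as DOMAIN\user or user@domain; reduce it to the sAMAccountName.
    $toSam = { param($n) if ($n -like '*@*') { ($n -split '@')[0] } else { ($n -split '\\')[-1] } }
    $privNames = @($privileged | ForEach-Object { $_.SamAccountName } | Select-Object -Unique)
    $privServiceAccounts = $serviceUse | Where-Object { $privNames -contains (& $toSam $_.StartName) }

    [pscustomobject]@{
        PrivilegedNeverExpires    = @($neverExpires)
        PrivilegedStale           = @($stale)
        ServiceAccountsInUse      = @($serviceUse)
        SharedServiceAccounts     = @($shared)
        PrivilegedServiceAccounts = @($privServiceAccounts)
    }
}

$findings = Get-LazyWindowsFindings -Servers 'srv01', 'srv02'
$findings.PrivilegedNeverExpires    | Format-Table -AutoSize
$findings.SharedServiceAccounts     | Format-Table -AutoSize
$findings.PrivilegedServiceAccounts | Format-Table -AutoSize
```

The ServiceAccountsInUse list is also the answer to the first question below: it is the set of accounts whose password you would have to change, and where.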

Questions

Ask yourself some questions

Hand on heart: would you be able to change the password of every service account in your domain and on your servers without breaking anything?

How many people who have left the company still know passwords of service accounts or Administrator accounts that are still valid?

How many people within your organization know the credentials of a highly privileged account?

Do you have the passwords of every Administrator or service account documented (securely and safely)?

Do your IT staff use a "standard" password for various things?

Do you use the same PC to surf the internet and read e-mail as you use to administer your Active Directory?

How much money and effort is your company spending on securing the network (firewalls, proxies, mail gateways and so on) while your Windows servers are left more or less naked?

Do your users (and you yourself) log out when you leave the PC, or do you just lock the machine? Do you really know what is going on in your Windows session while you are away (lunch, break, meeting)?

Do you have a CSO (Chief Security Officer)? Does he know or care what is going on in the Windows area?

Do your IT staff have access to file structures containing business documents? Do they really need this?

Have you ever tested an Active Directory restore from backup?

Are you sure all business data is backed up properly and that a restore is possible within a reasonable time?

Is your password policy enforcing complex passwords? How many people in your organization are writing down their passwords? How many people just use iteration to comply with the password rules, e.g. Password1, Password2, Password3 and so on?

How many passwords are guessable by social engineering, e.g. the name of a pet, a partner or a child?

Conclusion: in my eyes, human beings are the weakest link here.