Cupfighter.net » Active Directory

The mistery of the missing ‘MSS:’ setting on Windows 2008

Frank Breedijk — Mon, 22 Nov 2010 10:53:36 +0000

The MSS: settings used to be here...

I recently got involved in a project where I defined the Baseline Security settings for windows and Linux. I used the settings provided by the Center for Internet Security (CIS).

We decided on the following approach:

Based on the CIS templates we created a baseline document specific to our company
I, in my security role, created a Nessus .audit file, so we could audit compliance to our own baseline with Seccubus
The windows administrator created GPOs to apply the settings.

When creating in the GPOs we did a strange discovery. In a windows the settings that are normally marked as MSS: in the category Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options do not appear in a domain if its functional level is Windows 2008.

This made us wonder, have these setting become irrelevant ? If this is not the case, how can we still set them, preferably via group policy?

The settings are not irrelevant, as e.g. Peter van Eeckhoutte’s blog points out. Windows 2008 does not forward IPv4 packets that have source routing on them, but it does accept them if the machine is the final destination. However for IPv6 Windows 2008 will forward these packets by default.

So if the settings are not irrelevant, how can we apply them if they are not in the Group Policy Editor? For this purpose we created an .adm file, which can be loaded into the Group Policy editor as a Classic Administrative template.

All the MSS settings can be controlled with this Administrative template. When we applied these settings we reached our desired compliancy with our own baselines.

Mission Accomplished!

So what are these MSS setting and what do they do?

Setting	Description	Recommended value
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)	Defines whether a user with physical access to a computer is able to automatically log on.	Disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)	Determines if Windows will accept source routed packets. 0 – Accepts and forwards 1 – Accept but do not forward 2 – Do not accept	2
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes	Allows ICMP redirects to overwrite OSFP generated routes	Disabled
MSS: (KeepAliveTime) How often keep-alive packets are sent in millisecond	Defines every how many milliseconds TCP attempts to send a keep-alive packet to verify that an idle connection is still intact	No recommendation
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic	Defines which traffic is allowed to reach the machine outside IPSec 0 – Multicast, Broadcast, RSVP, Kerberos and IKE(ISAKMP are exempt from IPSec filtering 1 – Kerberos and RSVP are not exempt, but Multicast, Broadcast and IKE are exempt from IPSec filtering 2 - Multicast and Broadcast are not exempt, but RSVP, Kerberos andand IKE traffic are exempt from IPSEC filtering 3 – Only IKE traffic is exempt from IPSec filtering	3
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers	Defines whether a computer disregards NetBIOS name release requests except those from WINS server in the SCE.	Enabled
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)	Defines whether a computer can stop generating 8.3 style file names: 0 – NTFS creates short file names. 1 – Disable NTFS short file name creation on all volumes. 2 – NTFS sets the 8.3 naming convention creation on a per volume basis. 3 – NTFS disables 8dot3 name creation on all volumes except the system volume.	1
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)	Defines whether Internet Router Discovery Protocol (IRDP) is used to automatically detect and configure default gateway addresses: 0 – Disabled 1 – Enabled 2 – Enable only if DHCP server sends the Perform Router Discovery Option	0
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)	Defines whether an application is forced to begin its DLL search in the system path before searching the current working folder	Enabled
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)	Defines how many seconds between when the screen saver is launched and when the computer console is actually locked.	0
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)	Defines the number of times that TCP retransmits an individual data segment before the connection is aborted	3
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning	Defines whether an entry is added to the Security event log when the log reaches a user-defined threshold	<=90%
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)	Determines if Windows will accept source routed packets. 0 – Accepts and forwards 1 – Accept but do not forward 2 – Do not accept	2
MSS: (TCPMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default)	Defines the number of times that TCP retransmits an individual data segment before the connection is aborted	3

CA will not start… What do you mean, cannot download CRL…

Frank Breedijk — Wed, 20 Jan 2010 22:50:05 +0000

As part of my work I was installing a Microsoft PKi infrastructure with two tiers. A root CA and an issuing CA.

Since the root CA is in another domain then the issuing CA, it took some fiddling and tweaking around with my CDP and AIA extensions, but that is another blogpost all together.

I knew I was in for some fun when when the following happened:

I installed my Issuing CA and generated the certificate request
I issued the request to my Root CA and generated the Issuing CA certificate
I tried to install the Issuing CA certificate and got the following error:

Cannot verify certificate chain. Do you whish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2168885613)

My first reaction was to call one of the network guest and notify him that I needed http access to the Issuing CA to the CDP location. But whil on the phone, I decided to try and to my surprise I was actually able to manually pull down the crl.

Intregued, I decided to check a few things:

I could download the CRL from both CDP locations with Internet Exporer
I could open the downloaded CRLs
I could telnet to port 80 of the both webservers
I could telnet to port 80 manually issue the GET /crl/CRLname.crl HTTP/1.0 command and get data back

O.K. what is going on here… Lets open PKI view, which is now included in Windows 2008 and Vista and can be downloaded for Windows 2000 and 2003.

It seemed that PKI view as in agreement, it too could not download the CRL from the CDP location

PKI view shows "Unable To Download" for both CDP locations

This did sent me on a wild goose chase:

Microsoft own documentation, clearly blames it on unavailability of the CDP location, something I, by now, had triple checked four times and refused to believe
This “Network Builders” forum and many others, simply suggest to turn off revocation checking, but that is clearly not a worthy solution either.
Apparently there is also an issue with serving delta CRLs threw IIS because the + sign at the end of the basename of a delta CRL file leads to so called “double escaping”. I could rule this out by looking at the IIS logs.
In the end this technet forum post, about OCSP reponders Brian Komar points out:

But, as stated, I would use certutil to get the “best” answer on how is my configuration.
Certutil -verify -urlfetch “certfile.cer” will check *every* CDP and AIA URL (including OCSP) and tell you how they are all doing *at that specific instance in time” since it goes to the URLs immediately.
Brian

I exported the Issuing CA certificate from the certificate database of the Root CA and ran the command against is and this is what I found

E:\>certutil -verify -urlfetch .cer
Issuer:
CN=Root CA
Subject:
CN=Issuing CA
Cert Serial Number: 115d5f6400020000000b

—————- Certificate AIA —————-
Verified “Certificate (0)” Time: 0
[0.0] http://IIS1.domain1local/crl/Root-CA.crt

Verified “Certificate (0)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crt

—————- Certificate CDP —————-
Wrong Issuer “Base CRL (13)” Time: 0
[0.0] http://IIS1.domain1.local/crl/Root-CA.crl

Wrong Issuer “Base CRL (13)” Time: 0
[1.0] http://IIS2.domain1.local/crl/Root-CA.crl

E:\>

So while PKI view and the other error messages I was getting all pointed to the most common cause, it actually turned out that the CRl did get downloaded, but was not cryptographically relevant to what the system believes is the Root CA certificate.

Root cause

Inspection of the CRLs generated and the Root certificates installed showed what had caused the problem. In order to test the CDP extensions I had reissued the Root CA certificate, causing the Root CA to have three active certificates. Each with a different key.

This CA has three CA certificates

When validating the Issuing CA certificate, validation would end at the last certificate issued, however the CA still signs its CRLs with the key pair of the first certificate.

I guess for me there is nothing left but to reinstall the entire chain.

Kerberos Based SSO and Apache

Roeland Kuipers — Tue, 30 Jun 2009 09:51:33 +0000

Similar as OpenSSH Authentication Using Kerberos, but now Transparent Kerberos Authentication via Apache against Active Directory using mod_auth_kerb. This enables SSO from IE and Firefox on Apache, IE and Firefox configurations to enable this are also described in the document.

Abstract: The Apache authentication module mod_auth_kerb allows Apache to authenticate users against a Kerberos KDC including one from ActiveDirectory. Kerberos itself can be fairly complex to set up. This guide will attempt to show the specific steps required to make this possible as well as discuss security limitations specific to the interoperability matters. This guide assumes a basic understanding of Kerberos V and that the Active Directory domain controller is properly configured prior to starting this process.

Technical Analysis: Apache with mod_auth_kerb and Windows Server

OpenSSH Authentication using Kerberos

Roeland Kuipers — Tue, 30 Jun 2009 09:07:09 +0000

An interesting paper on how to authenticate against Active Directory using Kerberos and OpenSSH. This will enable SSO capabilities between Linux and windows, if used in combination with an Kerberos enabled SSH. And maybe even 2-factor authentication if combined with smartcards, haven’t tested this but should be working in theory if you use an SSH client from windows at least.

Components used:

On linux:

openssh
openssh-server
samba-common
samba-client
krb5-workstation
krb5-libs

On Windows:

Windows Support Tools

OpenSSH on Linux using Windows/Kerberos for Authentication

Putty With Kerberos

DFSR Debug Logging Explained

Roeland Kuipers — Thu, 18 Jun 2009 11:55:10 +0000

While troubleshooting some DFSR today, I came across this very nice and detailed post from the Directory Services Team.

From: http://blogs.technet.com/askds/archive/2009/03/23/understanding-dfsr-debug-logging-part-1-logging-levels-log-format-guid-s.aspx

Ned here again. Today begins a 21-part series on using the DFSR debug logs to further your understanding of Distributed File System Replication. While there are specific troubleshooting scenarios that will be covered, the most important part of understanding any products logging is making sure you are comfortable with it before you have errors. That way you have some point of reference if things go wrong.

As you can probably guess, these posts were a long time in development. They are based on an internal DFSR whitepaper I have worked on for six months, and which went through review by a number of excellent folks here in Support, Field Engineering, and the Product Group itself. Except for the removal of all private source code references, this series is otherwise unchanged.

I’ll start with a couple posts on the logs themselves, how they are formatted, how they can be controlled, etc. Then I’ll dig into scenarios in detail, for both Windows Server 2003 R2 and Windows Server 2008. Don’t feel like you have to read and memorize everything – this series is a reference guide as well.

ILM 2007 FP1 & MS Identity Management Jungle

Roeland Kuipers — Sun, 14 Jun 2009 21:17:10 +0000

Rebranding products is hip! So a small post to explain the real products behind ILM 2007 FP1, what they do and some links to more in depth info.

ILM 2007 Feature Pack 1 is actually a suite of two products, an updated version of Microsoft Identity Integration Server (MIIS) and Certificate Lifecycle Manager (CLM), previously idNexus which Microsoft obtained after acquiring Alacris.

MIIS is probably most famous as a tool to assist in Cross-Forest Exchange topologies (two separate exchange instances in their own forest glued together). MIIS is then used to synchronize the Exchange Global Address List (GAL), which enables a consistent addressbooks, mail routing and sharing a SMTP namespace between Exchange organizations.

CLM is the Microsoft product to manage the lifecycle of (x509) Certificates and Smartcards.

MIIS 2003, ILM 2007 and ILM 2007 FP1 will cost you money.
But Identity Integration Server for Microsoft Active Directory (SP2) (IIFP) is FREE and can be downloaded here.

This is a lightweight version of MIIS 2003 which can only be used with Active Directory but can be used to setup GAL synchronisation.
There is catch with Exchange 2007; the ILM 2007 version will run the powershell cmdlet update-recipient automatically for you. IIFP won’t do this, so you’ll have to setup this yourselves ,which is not a big deal.

A new version of ILM is underway and for now called “ILM 2″.

More details.

Technet July 2009 – Managing Active Directory users with ILM 2007

“ILM 2″ Product Page

Introducing Certificate Lifecyclemanager

ILM 2007 FP1 Product Page

How to deploy Exchange 2007 in a cros-forest topology

VMWare ESX Timekeeping and Active Directory

Roeland Kuipers — Thu, 11 Jun 2009 21:47:26 +0000

Some nice articles which explain timekeeping on vmware and how to virtualize Active Directory safely on VMWare time wise.

Time synchronisation on Active Directory is particularly important because of Kerberos, if clocks are more then 5 minutes (Default value) out of sync from the Domain Controller authentication fails. NTP is your friend here.

Timekeeping in VMWare virtual machines
TAC 9710 -Virtualizing a Windows Active Directory Domain Infrastructure (From 2006 but still usefull especially the Active Directory related inf0)