Articles with tag - Windows-vista

20.01 20104

CA will not start… What do you mean, cannot download CRL…

As part of my work I was installing a Microsoft PKi infrastructure with two tiers. A root CA and an issuing CA. Since the root CA is in another domain then the issuing CA, it took some fiddling and tweaking around with my CDP and AIA extensions, but that is another blogpost all together. I knew I was in for some fun when when the following happened:

  • I installed my Issuing CA and generated the certificate request
  • I issued the request to my Root CA and generated the Issuing CA certificate
  • I tried to install the Issuing CA certificate and got the following error:
Cannot verify certificate chain. Do you whish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2168885613)

Cannot verify certificate chain. Do you whish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0×80092013 (-2168885613)

My first reaction was to call one of the network guest and notify him that I needed http access to the Issuing CA to the CDP location. But whil on the phone, I decided to try and to my surprise I was actually able to manually pull down the crl. Intregued, I decided to check a few things:

  • I could download the CRL from both CDP locations with Internet Exporer
  • I could open the downloaded CRLs
  • I could telnet to port 80 of the both webservers
  • I could telnet to port 80 manually issue the GET /crl/CRLname.crl HTTP/1.0 command and get data back

O.K. what is going on here… Lets open PKI view, which is now included in Windows 2008 and Vista and can be downloaded for Windows 2000 and 2003. It seemed that PKI view as in agreement, it too could not download the CRL from the CDP location

PKI view shows "Unable To Download" for both CDP locations

PKI view shows “Unable To Download” for both CDP locations

This did sent me on a wild goose chase:

But, as stated, I would use certutil to get the “best” answer on how is my configuration. Certutil -verify -urlfetch “certfile.cer” will check *every* CDP and AIA URL (including OCSP) and tell you how they are all doing *at that specific instance in time” since it goes to the URLs immediately. Brian

I exported the Issuing CA certificate from the certificate database of the Root CA and ran the command against is and this is what I found

E:\>certutil -verify -urlfetch <certfile>.cer Issuer: CN=Root CA Subject: CN=Issuing CA Cert Serial Number: 115d5f6400020000000b <snip> —————-  Certificate AIA  —————- Verified “Certificate (0)” Time: 0 [0.0] http://IIS1.domain1local/crl/Root-CA.crt Verified “Certificate (0)” Time: 0 [1.0] http://IIS2.domain1.local/crl/Root-CA.crt —————-  Certificate CDP  —————- Wrong Issuer “Base CRL (13)” Time: 0 [0.0] http://IIS1.domain1.local/crl/Root-CA.crl Wrong Issuer “Base CRL (13)” Time: 0 [1.0] http://IIS2.domain1.local/crl/Root-CA.crl <snip> E:\>

So while PKI view and the other error messages I was getting all pointed to the most common cause, it actually turned out that the CRl did get downloaded, but was not cryptographically relevant to what the system believes is the Root CA certificate. Root causeInspection of the CRLs generated and the Root certificates installed showed what had caused the problem. In order to test the CDP extensions I had reissued the Root CA certificate, causing the Root CA to have three active certificates. Each with a different key.

This CA has three CA certificates

This CA has three CA certificates

When validating the Issuing CA certificate, validation would end at the last certificate issued, however the CA still signs its CRLs with the key pair of the first certificate. I guess for me there is nothing left but to reinstall the entire chain.

read more
06.10 20090

Timeline of the SMB2 vulnerability

While researching the SMB2 vulnerability I decided to make a time line. It really shows how devastating a 0-day can be in the wrong hands

Date Event
7 September Laurent Gaffié releases PoC code on his blog
8 September The news is picked up by Sans ISC
HD Moore ports the exploit to Metasploit
Microsoft confirms the existence of the flaw
Microsoft releases an advisory
9 September The BSOD exploit is published on Milw0rm
15 September A working remote code execution exploit is released in Immunity Canvas
18 September A working remote code execution exploit is released for metasploit
Microsoft releases a tool to disable SMB2
9 October Microsoft announces a patch

To date Microsoft has not released a patch. I will continue to update this post.

A tool to disable SMB2 is here. Instructions on how to disable SMB2 manually are in the workaround section of this advisory.

On the 9th of October Microsoft announced a patch for this issue and the ISS FTP issue.

read more
05.10 20094

Get rid of Event ID 5156: The Windows Filtering Platform has allowed a connection

When you install McAfee on Windows Server 2008, and probably Windows Vista also, you can get a lot of messages in your security log. Like this one:

ID 5156

Event ID 5156 means that WFP has allowed a connection. When most connections are allowed your security log will fill up very fast.

You can disable Object Access auditing but then you’ll miss other events which might be of interest. So, instead, let’s just disable Success Auditing for Filtering Platform Connections. It’s not possible to disable auditing subcategories with a policy or other GUI tool, but I found out that you can enable and disable specific subcategories with a special command-line tool: Auditpol.exe, which is included with Windows Vista and Windows Server 2008. I used the following command:

auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:enable

As you can see this disables Success auditing for the Filtering Platform Connection subcategory.

For more info check out this article:

http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx

read more