TLS 1.0 is also obsolete! This article tells you how to protect Windows web servers against the related vulnerabilities.

If your servers still support TLS 1.0 or older obsolete cryptographic protocols (SSL, PCT, …) for communication over the network, you should act asap!

Description:

SSL 3.0 and older protocols, and now also TLS 1.0, are vulnerable to man-in-the-middle attacks, risking the integrity and authentication of data sent between a website and a browser. Disabling support for TLS 1.0 and older protocols on your server is sufficient to mitigate this issue! These obsolete protocols should have been disabled before the public deadline – June 30, 2018 for the SSL/early TLS migration. Oops.. Yes, this date is gone already :\ …and Windows Server 2016 also supports these protocols by default!!!

The deadline – June 30, 2018 – is not my invention. It was scheduled by the PCI Security Standards Council, a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. After this date, this vulnerability will probably be reported to ICT teams by their local security team. – https://blog.pcisecuritystandards.org/4-things-to-know-about-pci-dss-in-2018

Technical Details:

Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) are no longer considered secure forms of encryption. It is critically important that organizations upgrade to a secure version of TLS – such as TLS v1.2 or higher – as soon as possible and disable any fallback to SSL/early TLS.
Many PCI DSS requirements require the use of ‘strong cryptography’ as defined in the PCI DSS glossary. After 30 June 2018 SSL/early TLS should not be used as a security control to meet any PCI DSS requirements attempting to demonstrate strong cryptography.

 

The default Windows Server 2012 R2 / Server 2016 configuration is shown below:

Recommended configuration (the change requires a server restart):

Screenshots are from the tool – https://www.nartac.com/Products/IISCrypto
IISCrypto is a very good alternative way to set a secure configuration on your server when you do not want to do it directly in the Registry.
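If you prefer to make the registry change yourself, here is an added example (not from the original post and not IISCrypto's code) that disables the protocols named above in SCHANNEL, turns TLS 1.2 on, and reports the resulting per-protocol state. It follows the key layout from the Microsoft KB 245030 article linked below; the backup file path is my own choice.

```powershell
# Added example (not from the original post): turn off PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0
# in SCHANNEL, make sure TLS 1.2 is on, and report the resulting state. Same registry layout
# as KB 245030 (what IISCrypto edits for you); run elevated, then restart the server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it out of the
        # default list for applications that do not pick protocols explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # A missing key means the OS default applies; for TLS 1.0 on Server 2012 R2 / 2016
    # that default is "enabled", which is exactly the problem described above.
    foreach ($name in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $name) $side
            $enabled = $null
            if (Test-Path $key) {
                $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
            }
            $state = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            [pscustomobject]@{ Protocol = $name; Side = $side; State = $state }
        }
    }
}

# Back up SCHANNEL first (backup path is my own choice), then apply the recommended configuration.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$env:TEMP\schannel-backup.reg" /y | Out-Null
foreach ($old in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') { Set-SchannelProtocol -Name $old -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run Get-SchannelProtocolState again after the restart to confirm nothing is still reporting "OS default" for the obsolete protocols.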

Microsoft sources about this topic:

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols

https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

GPMC Search Item – with “User Configuration” it does not work

 

Today I opened GPMC on the Windows Server 2019 Preview and, really after a long time, I tried to use Search Item in the GPMC console. I was surprised that Search Item with User Configuration did not allow me to add any condition. Please check the picture below. It is a surprise that I can see the same behavior on S2K12R2, Windows 10 etc. … so it is nothing new :(. I spent some time searching on the internet and then I found a TechNet article about it. – https://social.technet.microsoft.com/wiki/contents/articles/23169.the-value-drop-down-list-is-grayed-out-when-you-perform-search-for-group-policy-objects-in-gpmc.aspx

Because I did not find any advice except the article above, I believe that more articles about this bug (or whatever it is) could be useful.

All that is necessary is to open REGEDIT and go to this path (the part of the registry where the OS registers the Client Side Extensions for GPO): [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4D2F9B6F-1E52-4711-A382-6A8B1A003DE6}]

Click on the GPExtension with the GUID above and choose Export! Yes, we should back up this key, because that should be our first step before we make any change in the registry.

When we have the backup, right-click on GPExtension {4D2F9B6F-1E52-4711-A382-6A8B1A003DE6} again, choose “Permissions…” and perform the 3 steps described in the pictures. Change the owner to the account you used for logon. After we change the owner, Full Control “Access” should be visible for our new owner.

Now we have to change the (Default) value of type REG_SZ, which is empty. We have to put the string RemoteApp and Desktop Connections there; let's check the picture below.

Now it is necessary to close GPMC and open the console again. Try to use Search Item and choose User Configuration; now it should be ok 🙂. Tested, and for me it is working 🙂. Thanks
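The same fix from PowerShell, as an added example that is not part of the original post: it exports the key as a backup, checks that the ownership and Full Control change from the regedit steps is really in place for the current account, and only then writes the empty default value. The backup file name is my own choice; the GUID and the value text are the ones from the post.

```powershell
# Added example (not from the original post): back up the GPExtensions key for the
# "RemoteApp and Desktop Connections" CSE, verify that the ownership/permission change
# from the regedit steps above is in place, and only then write the empty default value.
# Run elevated as the account you gave ownership to.
$cse     = '{4D2F9B6F-1E52-4711-A382-6A8B1A003DE6}'
$keyPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$cse"
$regPath = $keyPath -replace '^HKLM:\\', 'HKLM\'          # reg.exe syntax for the same key
$backup  = Join-Path $env:TEMP "GPExtensions-$($cse.Trim('{}')).reg"   # backup path: my choice
$wanted  = 'RemoteApp and Desktop Connections'

# Step 1: export the key before touching it (the post's first rule).
reg.exe export $regPath $backup /y | Out-Null
if (-not (Test-Path $backup)) { throw "Backup of $regPath failed; not continuing." }

# Step 2: are we the owner, and do we hold Full Control? Without that the write fails.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $keyPath
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$hasFullControl = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $me -and $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $full) -eq $full)
}
if ($acl.Owner -ne $me -or -not $hasFullControl) {
    Write-Warning "Owner is '$($acl.Owner)' and no Full Control entry for $me; do the regedit ownership/permission steps first."
    return
}

# Step 3: the (Default) REG_SZ value is empty on affected systems; set it to the CSE name.
$current = (Get-ItemProperty -Path $keyPath).'(default)'
if ($current -eq $wanted) {
    Write-Host "Default value already set to '$wanted'; nothing to do."
} else {
    Set-ItemProperty -Path $keyPath -Name '(default)' -Value $wanted
    Write-Host "Default value set (was '$current'). Close and reopen GPMC, then retry Search Item."
}
```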

How to re-configure ADFS Proxy Server which reports problems

How to fix the problem in the picture? The affected server was Sxxxxxxx.

Open the Remote Access Management console and you see red. The red color is nice, but in this case it means that something is wrong.


We need to reset the WAP configuration: in the Registry we have to change the value 2 (= configured) to the value 1 (= not configured).


Use powershell.exe: Install-WebApplicationProxy -CertificateThumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -FederationServiceName "xxxxxx.com" (but for me it did not work as well as the GUI on the ADFS 3.0 server, S2K12 R2 🙁 …)

Or we configured WAP again through the Remote Access Management console. It requires the name of the ADFS service – xxxxxxxxxxx.com, usually a service account – axxxxxx – and the right certificate – the ADFS certificate with the name xxxxxxxxxxx.com. Although we did this, the service tried to use a different, self-signed certificate. In the ADFS event log we could see „Unable to retrieve proxy configuration data from the Federation Service“ together with the thumbprint of the bad certificate, not our ADFS certificate. In mmc.exe we could see only the certificate for MS SCOM, xxxxxxxxxxx.com and some expired self-signed certificates, but we could not see the certificate with the thumbprint found in the event log. With PowerShell we could list it (example below); we found the bad certificate plus others and removed all the self-signed certificates.

Get-WebApplicationProxySslCertificate
Get-ChildItem -Path Cert:\LocalMachine\My | Format-List FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

When we had removed the self-signed certificates, we ran the wizard again and it succeeded.
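The whole sequence above done from PowerShell on the WAP server, as an added example that is not from the original post. Assumptions I make: the registry value is ProxyConfigurationStatus under HKLM:\SOFTWARE\Microsoft\ADFS (the post does not name the key), '<your-adfs-name>.com' stands in for the federation service name, and the bad thumbprint is the 40-hex-digit string in the AD FS Admin log message quoted above.

```powershell
# Added example (not from the original post): the steps above done from PowerShell on the
# WAP server. Assumptions: the ADFS registry key/value name (the post does not name it),
# '<your-adfs-name>.com' as a placeholder for the federation service name, and that the
# bad thumbprint appears in the AD FS Admin log message quoted above. Run elevated.
$fsName = '<your-adfs-name>.com'

# 0. Reset the WAP state so the wizard can be run again (2 = configured, 1 = not configured).
$adfsKey = 'HKLM:\SOFTWARE\Microsoft\ADFS'
Write-Host "ProxyConfigurationStatus is $((Get-ItemProperty -Path $adfsKey).ProxyConfigurationStatus)"
Set-ItemProperty -Path $adfsKey -Name 'ProxyConfigurationStatus' -Value 1

# 1. Which thumbprint is the proxy actually trying to use? Take it from the event message.
$evt = Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Unable to retrieve proxy configuration data*' } |
    Select-Object -First 1
$badThumbprint = if ($evt -and $evt.Message -match '([0-9A-Fa-f]{40})') { $Matches[1].ToUpper() } else { $null }

# 2. What WAP thinks it is configured with, versus what is really in LocalMachine\My.
Get-WebApplicationProxySslCertificate | Format-List
$certs = Get-ChildItem -Path Cert:\LocalMachine\My
$certs | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize

# 3. Self-signed certificates (issuer equals subject): these are what the post removed.
#    The one matching the event-log thumbprint is flagged. Keep -WhatIf until the list is checked.
$selfSigned = $certs | Where-Object { $_.Subject -eq $_.Issuer }
foreach ($c in $selfSigned) {
    $flag = if ($c.Thumbprint -eq $badThumbprint) { '<-- thumbprint from the event log' } else { '' }
    Write-Host ('{0}  {1}  expires {2:d}  {3}' -f $c.Thumbprint, $c.Subject, $c.NotAfter, $flag)
}
$selfSigned | Remove-Item -WhatIf

# 4. The certificate WAP should be using: the one issued for the federation service name.
$certs | Where-Object { $_.Subject -like "*CN=$fsName*" -or $_.DnsNameList.Unicode -contains $fsName } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

After the self-signed certificates are gone, rerun the Remote Access Management wizard and pick the certificate listed in step 4.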

Now it is working well. Do not worry that we see server xxxxxx twice; we see it because in my case WAP was configured after the server had been configured with the suffix (full computer name), because MS SCOM monitoring requires it.

The result of testing the availability of https://[name of your ADFS]/adfs/ls/IdpInitiatedSignon.aspx from the internet. Tested from the page – https://www.site24x7.com/check-website-availability.html

What's new in PowerShell v5

Transcript logging – GPO (it logs everything, including the Exchange, AD Admin Center etc. commands that run in the background!)

GPO path to the setting:
Computer Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Transcription
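An added example (not from the original post) to check whether that transcription policy is actually applied on a machine and where the transcripts land; it reads the registry location the GPO setting writes to and lists today's transcript files.

```powershell
# Added example (not from the original post): report the state of the "Turn on PowerShell
# Transcription" policy above. The registry key is where that GPO setting is stored.
function Get-PSTranscriptionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Enabled = $false; OutputDirectory = $null; InvocationHeader = $false; Source = 'not configured' }
    }
    $p = Get-ItemProperty -Path $key
    # With no OutputDirectory the transcript goes to each user's Documents folder.
    $dir = if ($p.OutputDirectory) { $p.OutputDirectory } else { Join-Path $HOME 'Documents' }
    [pscustomobject]@{
        Enabled          = ($p.EnableTranscripting -eq 1)
        OutputDirectory  = $dir
        InvocationHeader = ($p.EnableInvocationHeader -eq 1)
        Source           = 'GPO'
    }
}

$policy = Get-PSTranscriptionPolicy
$policy | Format-List

# Transcripts are plain text files named PowerShell_transcript.<host>.<id>.<timestamp>.txt;
# show what the policy captured today so you can confirm the log is really being written.
if ($policy.Enabled -and (Test-Path $policy.OutputDirectory)) {
    Get-ChildItem -Path $policy.OutputDirectory -Recurse -Filter 'PowerShell_transcript*.txt' |
        Where-Object { $_.LastWriteTime -gt (Get-Date).Date } |
        Select-Object FullName, Length, LastWriteTime
}
```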
New commands in PowerShell v5:
Compress-Archive
Expand-Archive

New-TemporaryFile
Previously only – [System.IO.Path]::GetTempFileName()

Access to the clipboard (Ctrl+C)
Get-Clipboard -Format

New-Guid
Previously only – [guid]::NewGuid()

Clear-RecycleBin

How to read a registry value:
Get-ItemPropertyValue

Conversions:
"hello world " | Format-Hex

Turning a message into unreadable text :) (encrypt it)
Crypto per RFC 5652 (Base64 output)
Protect-CmsMessage

Working with packages 🙂
Get-Package, Find-Package, Uninstall-Package