Monthly Archives: January 2015

Certutil - Windows command

Certutil.exe is a command-line program that is installed as part of Certificate Services in the Windows Server 2003 family.

You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

For more information about how to use Certutil.exe to perform specific tasks, see the following topics:
•Certutil tasks for encoding and decoding certificates
http://technet.microsoft.com/en-us/library/cc772656(v=ws.10).aspx

•Certutil tasks for configuring a Certification Authority (CA)
http://technet.microsoft.com/en-us/library/cc772627(v=ws.10).aspx

•Certutil tasks for managing a Certification Authority (CA)
http://technet.microsoft.com/en-us/library/cc772751(v=ws.10).aspx

•Certutil tasks for managing certificates
http://technet.microsoft.com/en-us/library/cc772898(v=ws.10).aspx

•Certutil tasks for managing CRLs
http://technet.microsoft.com/en-us/library/cc772629(v=ws.10).aspx

•Certutil tasks for key archival and recovery
http://technet.microsoft.com/en-us/library/cc738780(v=ws.10).aspx

•Certutil tasks for backing up and restoring certificates
http://technet.microsoft.com/en-us/library/cc755341(v=ws.10).aspx

•Certutil tasks for troubleshooting certificates
http://technet.microsoft.com/en-us/library/cc772619(v=ws.10).aspx

To display the certificates in the Local Machine certificate store

Syntax

certutil -store [-f] [-enterprise] [-user] [-gmt] [-seconds] [-silent] [-v] [-dc DCName] CertificateStoreName [CertID [OutFile]]

CertificateStoreName: Specifies one of the following store names:

ca: Specifies certificates in the Intermediate Certification Authorities store.
my: Specifies certificates issued to the current user.
root: Specifies certificates in the Trusted Root Certification Authorities store.
spc: Specifies software publisher certificates.
UserCreatedStore: Specifies the name of a user-created certificate store.

Example:
C:\windows\system32>certutil -store CA
CA
================ Certificate 0 ================
Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
Issuer: CN=Root Agency
NotBefore: 29-05-1996 03:32
NotAfter: 01-01-2040 05:29
Subject: CN=Root Agency
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
No key provider information
Cannot find the certificate and private key for decryption.

================ Certificate 1 ================
Serial Number: 46fcebbab4d02f0f926098233f93078f
Issuer: OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US
NotBefore: 17-04-1997 05:30
NotAfter: 25-10-2016 05:29
Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, Inc., O=VeriSign Trust Network
Non-root Certificate
Template:
Cert Hash(sha1): d5 59 a5 86 66 9b 08 f4 6a 30 a1 33 f8 a9 ed 3d 03 8e 2e a8
No key provider information
Cannot find the certificate and private key for decryption.

================ Certificate 2 ================
Serial Number: 198b11d13f9a8ffe69a0
Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
NotBefore: 01-10-1997 12:30
NotAfter: 31-12-2002 12:30
Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp.
Non-root Certificate
Template:
Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
No key provider information
Cannot find the certificate and private key for decryption.

================ CRL 0 ================
Issuer:
OU=VeriSign Commercial Software Publishers CA
O=VeriSign, Inc.
L=Internet
CRL Hash(sha1): a3 77 d1 b1 c0 53 88 33 03 52 11 f4 08 3d 00 fe cc 41 4d ab
CertUtil: -store command completed successfully.
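Added example (not part of the original post): a small parser for the text that certutil -store prints, used to flag certificates in a store that are already expired or about to expire. The sample input is constructed from the output shown above (trimmed to the fields the parser uses); the date format assumes the DD-MM-YYYY HH:MM locale that output was printed in.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, trimmed from the certutil -store CA output shown above.
SAMPLE_STORE_OUTPUT = """\
CA
================ Certificate 0 ================
Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
Issuer: CN=Root Agency
NotBefore: 29-05-1996 03:32
NotAfter: 01-01-2040 05:29
Subject: CN=Root Agency
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
================ Certificate 2 ================
Serial Number: 198b11d13f9a8ffe69a0
Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation
NotBefore: 01-10-1997 12:30
NotAfter: 31-12-2002 12:30
Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation
Non-root Certificate
Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
================ CRL 0 ================
CRL Hash(sha1): a3 77 d1 b1 c0 53 88 33 03 52 11 f4 08 3d 00 fe cc 41 4d ab
CertUtil: -store command completed successfully.
"""

BLOCK_HEADER = re.compile(r"^=+ (Certificate|CRL) (\d+) =+$")
DATE_FMT = "%d-%m-%Y %H:%M"   # certutil prints dates in the machine's locale (assumed here)

def parse_store(text):
    """Return one dict per '==== Certificate N ====' block; CRL blocks are skipped."""
    certs, cur = [], None
    for line in text.splitlines():
        m = BLOCK_HEADER.match(line.strip())
        if m:
            cur = None
            if m.group(1) == "Certificate":
                cur = {"index": int(m.group(2)), "root": False}
                certs.append(cur)
            continue
        if cur is None or ":" not in line:
            continue                     # status/flag lines carry no field
        key, _, value = (s.strip() for s in line.partition(":"))
        if key in ("NotBefore", "NotAfter"):
            cur[key] = datetime.strptime(value, DATE_FMT)
        elif key == "Cert Hash(sha1)":
            cur["sha1"] = value.replace(" ", "")   # certutil spaces the bytes out
        elif key == "Root Certificate":
            cur["root"] = True                     # "Subject matches Issuer"
        elif key in ("Serial Number", "Issuer", "Subject"):
            cur[key] = value
    return certs

def expiring(certs, today, within_days=90):
    """Subjects of certs already expired or expiring within the window; `today` uses DATE_FMT."""
    limit = datetime.strptime(today, DATE_FMT) + timedelta(days=within_days)
    return [c["Subject"] for c in certs if c["NotAfter"] <= limit]
```

Feeding it the real output (certutil -store CA > ca.txt, then parse_store(open("ca.txt").read())) gives a quick inventory of stale intermediates such as the 2002-expired Windows Hardware Compatibility CA above.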

Usage
>certutil -?

Verbs:
-dump             -- Dump configuration information or files
-asn              -- Parse ASN.1 file

-decodehex        -- Decode hexadecimal-encoded file
-decode           -- Decode Base64-encoded file
-encode           -- Encode file to Base64

-deny             -- Deny pending request
-resubmit         -- Resubmit pending request
-setattributes    -- Set attributes for pending request
-setextension     -- Set extension for pending request
-revoke           -- Revoke Certificate
-isvalid          -- Display current certificate disposition

-getconfig        -- Get default configuration string
-ping             -- Ping Active Directory Certificate Services Request interface
-pingadmin        -- Ping Active Directory Certificate Services Admin interface
-CAInfo           -- Display CA Information
-ca.cert          -- Retrieve the CA's certificate
-ca.chain         -- Retrieve the CA's certificate chain
-GetCRL           -- Get CRL
-CRL              -- Publish new CRLs [or delta CRLs only]
-shutdown         -- Shutdown Active Directory Certificate Services

-installCert      -- Install Certification Authority certificate
-renewCert        -- Renew Certification Authority certificate

-schema           -- Dump Certificate Schema
-view             -- Dump Certificate View
-db               -- Dump Raw Database
-deleterow        -- Delete server database row

-backup           -- Backup Active Directory Certificate Services
-backupDB         -- Backup Active Directory Certificate Services database
-backupKey        -- Backup Active Directory Certificate Services certificate and private key
-restore          -- Restore Active Directory Certificate Services
-restoreDB        -- Restore Active Directory Certificate Services database
-restoreKey       -- Restore Active Directory Certificate Services certificate and private key
-importPFX        -- Import certificate and private key
-dynamicfilelist  -- Display dynamic file List
-databaselocations -- Display database locations
-hashfile         -- Generate and display cryptographic hash over a file

-store            -- Dump certificate store
-addstore         -- Add certificate to store
-delstore         -- Delete certificate from store
-verifystore      -- Verify certificate in store
-repairstore      -- Repair key association or update certificate properties or key security descriptor
-viewstore        -- Dump certificate store
-viewdelstore     -- Delete certificate from store

-dsPublish        -- Publish certificate or CRL to Active Directory

-ADTemplate       -- Display AD templates
-Template         -- Display Enrollment Policy templates
-TemplateCAs      -- Display CAs for template
-CATemplates      -- Display templates for CA
-enrollmentServerURL -- Display, add or delete enrollment server URLs associated with a CA
-ADCA             -- Display AD CAs
-CA               -- Display Enrollment Policy CAs
-Policy           -- Display Enrollment Policy
-PolicyCache      -- Display or delete Enrollment Policy Cache entries
-CredStore        -- Display, add or delete Credential Store entries
-InstallDefaultTemplates -- Install default certificate templates
-URLCache         -- Display or delete URL cache entries
-pulse            -- Pulse autoenrollment events
-MachineInfo      -- Display Active Directory machine object information
-DCInfo           -- Display domain controller information
-EntInfo          -- Display enterprise information
-TCAInfo          -- Display CA information
-SCInfo           -- Display smart card information

-SCRoots          -- Manage smart card root certificates

-verifykeys       -- Verify public/private key set
-verify           -- Verify certificate, CRL or chain
-sign             -- Re-sign CRL or certificate

-vroot            -- Create/delete web virtual roots and file shares
-vocsproot        -- Create/delete web virtual roots for OCSP web proxy
-addEnrollmentServer -- Add an Enrollment Server application
-deleteEnrollmentServer -- Delete an Enrollment Server application
-oid              -- Display ObjectId or set display name
-error            -- Display error code message text
-getreg           -- Display registry value
-setreg           -- Set registry value
-delreg           -- Delete registry value

-ImportKMS        -- Import user keys and certificates into server database for key archival
-ImportCert       -- Import a certificate file into the database
-GetKey           -- Retrieve archived private key recovery blob
-RecoverKey       -- Recover archived private key
-MergePFX         -- Merge PFX files
-ConvertEPF       -- Convert PFX files to EPF file
-?                -- Display this usage message

CertUtil -?              -- Display a verb list (command list)
CertUtil -dump -?        -- Display help text for the "dump" verb
CertUtil -v -?           -- Display all help text for all verbs

References
http://technet.microsoft.com/en-in/library/cc732443.aspx
http://ss64.com/nt/certutil.html
http://technet.microsoft.com/en-us/library/cc772898(v=ws.10).aspx


APIPA – Automatic Private IP Addressing

When a network client fails to obtain an IP address using DHCP, it can assign one to itself using APIPA. APIPA is a DHCP failover mechanism for local networks, implemented in Windows 98 and later, that lets Microsoft Windows clients obtain IP addresses when the DHCP servers are non-functional.

The entire address range 169.254.0.0/16 has been set aside for “link local” addresses.They should not be manually assigned or assigned using DHCP.

APIPA requires all devices to use the same default subnet mask of 255.255.0.0. The systems must all reside on the same network segment. APIPA cannot provide information about local routers or about DNS servers.

APIPA is intended for small business or residential network environments, usually less than 25 clients, that are not routed or connected to the Internet.

For more information, see http://support.microsoft.com/kb/220874
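Added example (not from the original post): given per-host address records collected from ipconfig, this spots clients that fell back to an APIPA address (a sign that DHCP failed for them) and checks the constraints stated above, namely the 169.254.0.0/16 range, the mandatory 255.255.0.0 mask and the absence of a router. The host records are constructed sample data.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network

APIPA_NET = IPv4Network("169.254.0.0/16")   # the link-local block set aside for APIPA
APIPA_MASK = "255.255.0.0"                  # the only mask APIPA hands out

# Constructed sample records: (hostname, IPv4 address, subnet mask, default gateway),
# as you would collect them from `ipconfig` on each client.
SAMPLE_HOSTS = [
    ("PC-01", "192.168.1.20",   "255.255.255.0", "192.168.1.1"),  # got a DHCP lease
    ("PC-02", "169.254.37.142", "255.255.0.0",   ""),             # fell back to APIPA
    ("PC-03", "169.254.200.9",  "255.255.0.0",   ""),             # fell back to APIPA
    ("PC-04", "169.254.12.1",   "255.255.255.0", ""),             # APIPA range, wrong mask
]

def is_apipa(address):
    """True when the address comes from the 169.254.0.0/16 link-local range."""
    return IPv4Address(address) in APIPA_NET

def apipa_report(hosts):
    """Return (hosts on an APIPA address, hosts whose APIPA setup breaks the rules).
    An APIPA address means DHCP failed for that client; a mask other than
    255.255.0.0 or a configured router is not something APIPA could have set."""
    fallback, misconfigured = [], []
    for name, addr, mask, gateway in hosts:
        if not is_apipa(addr):
            continue
        fallback.append(name)
        if mask != APIPA_MASK or gateway:
            misconfigured.append(name)
    return fallback, misconfigured

def can_reach(src_addr, src_mask, dst_addr):
    """Without a router a host reaches only addresses inside its own subnet,
    which is why every APIPA client must share the 255.255.0.0 mask."""
    local = ip_network(f"{src_addr}/{src_mask}", strict=False)
    return IPv4Address(dst_addr) in local
```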

References
http://en.wikipedia.org/wiki/Link-local_address
http://files.zeroconf.org/draft-ietf-zeroconf-ipv4-linklocal.txt
http://www.zeroconf.org/
http://tools.ietf.org/html/rfc4291#section-2.5.6

How to use Compatibility View in Internet Explorer 9

The URL below, from Microsoft Support, shows how to use Compatibility View in Internet Explorer 9.

http://support.microsoft.com/kb/2536204

Installing and Uninstalling Internet Explorer 9

To install Internet Explorer
—————————–
System requirements for Internet Explorer 9:
http://go.microsoft.com/fwlink/?LinkId=237124
See also Prerequisites for installing Internet Explorer 9:
http://go.microsoft.com/fwlink/?linkid=215272

Go to the Download Internet Explorer 9 webpage (http://windows.microsoft.com/en-in/internet-explorer/ie-9-worldwide-languages).

Select the language you want to install and your version of Windows, and then click Download.

In the File Download dialog box, click Run, and then, in the User Account Control dialog box, click Continue.

Click one of the following:

Restart now (recommended) (to finish the installation process now).

Restart later

Note: After the restart, the previous version of Internet Explorer that was on the computer is restored (IE8 or IE7).

How to uninstall Internet Explorer 9
————————————-

Uninstall IE9 from Windows Server 2008 R2:
http://support.microsoft.com/kb/2509039

TMG2010-End Of Life

Microsoft has discontinued (EOL, End of Life) the Forefront TMG 2010 product. This means there will not be another new version of TMG in the future, and there will be no more feature enhancements made to TMG (only security updates and bug fixes). Microsoft announced, however, that it will continue to provide mainstream support for TMG until April 14, 2015, and extended support until April 14, 2020. The Forefront TMG 2010 Web Protection Services (WPS) will be discontinued on December 31, 2015. Beginning on January 1, 2016, Web Protection Services (URL filtering, virus/malicious software scanning, and Network Inspection System) will continue to function but will no longer receive updates.

This is the time to consider a replacement for the Forefront TMG 2010 firewall deployed in your network.

As per Richard Hicks from Celestix Networks, a Microsoft OEM partner, they also stated that they would discontinue selling TMG later that year (http://www.celestix.com/best-forefront-tmg-2010-replacement-forefront-tmg-2010/).

No reason has been reported by Microsoft, but it seems that Forefront TMG 2010 cannot be installed on the latest release of the Windows Server operating system (Windows Server 2012). The supported OS (recommended by Microsoft) is Windows Server 2008 R2, which is not as secure as Windows Server 2012 R2. Also, it is not possible to install Forefront on Windows Server Core (http://technet.microsoft.com/en-in/library/dd896981.aspx).

Medium to large enterprises want more than the basic protection capabilities and are not likely to rely on Windows Defender (or Microsoft Security Essentials).
Read Microsoft's official announcement of the product lifecycle:
http://support2.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Forefront&Filter=FilterNO

So, what is the replacement for TMG in the places where it was used?

Replacing TMG with a UTM appliance
F5
http://www.f5.com/pdf/deployment-guides/f5-tmg-replacement-dg.pdf
Barracuda
https://www.barracuda.com/tmg
Celestix MSA
http://www.celestix.com/products/msa/
Citrix NetScaler
https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/netscaler-a-comprehensive-replacement-for-microsoft-forefront-threat-management-gateway.pdf
WatchGuard
http://www.watchguard.com/
Fortinet
http://www.fortinet.com/

Software
Web cache/accelerator/filter/proxy: Squid/Varnish/Nginx

TS Gateway

With a TS Gateway server configured for your network you can route all of your RDP traffic through one (or more) TS Gateway servers. This allows you to centrally control and monitor all of the remote desktop connections flowing into your network. This is especially useful in environments where central IT doesn’t necessarily have control over the RDP permissions on each user’s desktop machine. With TS Gateway you can specify who is allowed to initiate remote desktop connections to your network, and which machines each user is allowed to connect to.

Instead of listening on the normal RDP port, 3389, TS Gateway uses SSL and listens on port 443. The RDP traffic is tunneled through SSL on port 443 and then converted back to normal RDP traffic on the internal network. The desktop that is being controlled by a remote user passing through the TS Gateway doesn’t need any special configuration. This has several advantages beyond the manageability perspective. First, port 443 is normally used by secure websites, so most firewalls on remote networks will not filter the traffic. Second, because the tunnel uses industry-standard SSL, the client can authenticate the gateway by its certificate, which keeps your RDP connection safe from man-in-the-middle type attacks.

Server side
1. Open Server Manager and click on Roles >> Add Roles
2. Click on Next >> Select Terminal Services from the list >> Next >> Next
3. Select TS Gateway and then if prompted, click on “Add Required Role Services” >> Next
4. Choose the desired style of SSL certificate and click on Next (self-signed is fine for testing)
5. Read the on-screen instructions and configure the Authorization Policies for your environment
6. Accept all of the defaults for the rest of the installation >> Install

If you used a self-signed certificate then you will need to install the certificate on the machine that will be initiating connections through the TS Gateway.

Export the self-signed certificate from the TS Gateway server
1. Start >> Administrative Tools >> Terminal Services >> TS Gateway Manager
2. Right-click on your TS Gateway server and choose Properties >> SSL Certificate tab >> Browse Certificates
3. Select the self-signed certificate you created when you installed TS Gateway >> View Certificate >> Details tab >> Copy to File…
4. In the Certificate Export Wizard click Next >> choose No >> Next >> Next >> browse to a location to save the certificate >> Next >> Finish

Import the self-signed certificate on the client initiating RDP connections through the TS Gateway
1. Copy the certificate file you exported from the TS Gateway server to the client that will be used to initiate RDP connections through the TS Gateway server
2. Double-click on the certificate file on the client computer >> Install Certificate…
3. In the Certificate Import Wizard click on Next >> “Place all certificates in the following store” >> Browse… >> choose “Trusted Root Certification Authorities” >> Next >> Finish

Configure the Remote Desktop Connection settings on the client that will be used to initiate RDP connections through the TS Gateway
1. Open the Remote Desktop Connection client (mstsc.exe)
2. Click on the Advanced tab, then Settings…
3. Click on “Use these TS Gateway server settings” and enter the server name of your TS Gateway. IMPORTANT: Be sure the server name matches the “subject” attribute of the certificate you are using on the TS Gateway server.

That’s it, next time you initiate a remote desktop connection it will be passed through the TS Gateway. The TS Gateway will determine if you are authorized to connect to the desired workstation and then allow or disallow the RDP traffic.

Microsoft Forefront Threat Management Gateway (TMG) 2010

Forefront TMG is a comprehensive secure web gateway solution that helps protect users from web-based threats (it combines a proxy server, a firewall, web content filtering, a VPN server, intrusion prevention, malware inspection, etc.). It is the revised version of Microsoft Internet Security and Acceleration Server (ISA Server) for Windows Server 2008 (http://msdn.microsoft.com/en-us/security/aa570369.aspx).

What’s new in Forefront TMG 2010 SP2
http://technet.microsoft.com/en-US/library/hh301099.aspx

To turn your system into a TMG server, you need two network cards: one for the LAN (internal networks) and one for the WAN (Internet).

System requirements for Forefront TMG
http://technet.microsoft.com/en-us/library/dd896981.aspx

The installation is the usual sequence of clicking Next and Finish.

Installation design guide for Forefront TMG
http://technet.microsoft.com/en-us/library/dd896984.aspx

There is a step by step guide from
http://www.msserverpro.com/installation-of-forefront-tmg-2010-standard/

HTTP and HTTPS rule

By default all access is denied. You need to create web access rules for the internal networks that allow HTTP and HTTPS traffic to pass from the internal network to the external and perimeter networks. Also allow HTTP and HTTPS traffic to pass from the perimeter network to the external and internal networks.

Click Firewall Policy > click Create Access Rule on the Tasks pane.

References
Installing Forefront TMG on a domain controller
http://technet.microsoft.com/en-us/library/ff808305.aspx

Configuring networks and routing
http://technet.microsoft.com/en-us/library/dd440997.aspx

Configuring roles and permissions
http://technet.microsoft.com/en-us/library/dd441007.aspx

Configuring client computers
http://technet.microsoft.com/en-us/library/cc441532.aspx

Configuring client authentication servers
http://technet.microsoft.com/en-us/library/cc441510.aspx

Configuring Network Access Protection
http://technet.microsoft.com/en-us/library/dd440978.aspx
