Force update of Advanced Threat Analytics (ATA) on Windows Server 2016

When there is an update available for ATA you will get a blue arrow notification in the portal. Hovering with the mouse pointer over the icon will show what’s new in the available update:


The update notification tells you to go to Windows Update on the machine running the ATA Center. But when you check for updates, there are none available:


What is going on here?

This is because ATA updates are technically not classified as Recommended updates. There are a lot of extra hoops and requirements to get that classification (since everyone would get them automatically), so Optional is used instead, as it is more flexible.

On Windows Server 2016 there is no obvious way to look for Optional updates, like there is on Windows Server 2012 R2 and earlier:


But you can use sconfig, a tool that is normally used to configure Server Core installations.

On the ATA Center, running on Windows Server 2016, run sconfig:


Select option 6 (Download and Install Updates):


You will be asked if you want to search for All or Recommended updates only:


Note that if you choose Recommended here, you will get the same result as in the normal settings interface:


If you instead choose All updates, you will find the ATA update (and any other Optional updates):


I do not want to install Silverlight, so I chose to Select a single update and chose the number of the ATA update:


After a while, the installation wizard of the ATA update will start:


After you finish the installation you will see the installation result:

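The same selection can be scripted instead of clicking through sconfig. This is an added example, not code from the original post: it uses the Windows Update Agent COM API from an elevated PowerShell session on the ATA Center to list the Optional updates that the Settings app hides and to install only those whose title matches a pattern (that the ATA update's title contains "Advanced Threat Analytics" is an assumption; adjust the pattern if it does not).

```powershell
# Added example, not code from the original post.
# Assumptions: run in an elevated PowerShell session on the ATA Center; the
# ATA update's title contains "Advanced Threat Analytics" (adjust if not).
$titlePattern = '*Advanced Threat Analytics*'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# AutoSelectOnWebSites=0 matches updates that Windows Update does not pre-select,
# i.e. the Optional ones the Windows Server 2016 Settings app never lists.
$criteria = "IsInstalled=0 and Type='Software' and AutoSelectOnWebSites=0"
$found    = $searcher.Search($criteria)

Write-Host ("Optional updates offered: {0}" -f $found.Updates.Count)
foreach ($u in $found.Updates) { Write-Host (" - {0}" -f $u.Title) }

# Select only the update(s) we want, so Silverlight and friends stay out.
$selected = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $found.Updates) {
    if ($u.Title -like $titlePattern) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$selected.Add($u)
    }
}
if ($selected.Count -eq 0) {
    Write-Warning "No offered update matches '$titlePattern'; nothing to do."
    return
}

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed.
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $selected
$dl = $downloader.Download()
if ($dl.ResultCode -ne 2) {
    Write-Warning ("Download ended with result code {0}; aborting." -f $dl.ResultCode)
    return
}

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $selected
$result = $installer.Install()
Write-Host ("Install result code: {0}" -f $result.ResultCode)
if ($result.RebootRequired) { Write-Host "Reboot required to finish the update." }
```

As the post shows, the ATA update launches its own setup wizard, so run this interactively rather than from a scheduled task.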

When you now go to the ATA Portal you will see that the update notification is gone:


The ATA gateways might be automatically updated now, depending on how you have configured updates in ATA:


You will have health alerts as long as the gateways are not updated:


I hope this blog post helped someone.

Posted in ATA, Updates

Certificate related problems when using a web proxy server

I have several times encountered these issues, so I decided it was time to write a blog post about it.

The situation

You are using a proxy server for web communication. Direct communication to the Internet is blocked. The proxy is configured in Internet Explorer Options, as shown in these screenshots:


If you do not configure this, you cannot reach the Internet.
If you do configure this, you can reach the internet.
Just as expected.

The issue

Even if the proxy is configured correctly, as seen above, some Internet communication is still blocked.

One common problem area is certificate validation, specifically downloading CRLs from the Internet. I have seen problems when starting CA servers (after Root CA CRL renewal) and/or when accessing NDES web pages. See the examples at the end of this post for details. If you solve something else, let me know so I can add it to help others.

The reason

There are actually two different proxy settings in Windows, WinINet and WinHTTP.

WinINet
This is what we configure in the screenshots above. Most applications use this setting.

WinHTTP
This is a separate proxy setting. Most Windows services use this setting, including the one responsible for certificate revocation checking. This proxy setting has no GUI but can be configured using the command netsh.

You can read more about the differences between WinINet and WinHTTP here.
Especially note Services Support (Can be run from a service or a service account [Yes/No]).

The solution

The solution is to configure WinHTTP with the same proxy settings as WinINet.

This command shows the current WinHTTP proxy configuration:

netsh winhttp show proxy


As you can see, no proxy server is configured for WinHTTP.

You can manually add the proxy configuration (and optional Bypass List) by entering the relevant proxy information:

netsh winhttp set proxy tomdemoproxy.se:8080 bypass-list="*.tomdemo.se"

But there is an easier way. You can simply copy and apply the current WinINet proxy configuration to WinHTTP:

netsh winhttp import proxy source=ie


Note that this requires an elevated prompt, otherwise you will get the error message “Error writing proxy settings. (5) Access is denied.”

This has solved many communication issues I have had where a web proxy server is used.

If you wish to reset the WinHTTP proxy setting back to direct access (no proxy), use the following command:

netsh winhttp reset proxy

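Before and after applying the fix it helps to see both settings side by side. This is an added example, not code from the original post: it reads the WinINet proxy from the current user's Internet Settings registry key, parses the output of netsh winhttp show proxy, and warns when the service-side WinHTTP setting does not match (the registry value names and the netsh output labels are the standard ones; the proxy host used in the warning is whatever WinINet holds).

```powershell
# Added example, not code from the original post: compare the WinINet (user)
# proxy with the WinHTTP (service) proxy and show the fix when they differ.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie    = Get-ItemProperty -Path $ieKey

$wininetEnabled = ([int]$ie.ProxyEnable -eq 1)
$wininetServer  = [string]$ie.ProxyServer     # e.g. "tomdemoproxy.se:8080"; can also be
                                              # the per-protocol "http=...;https=..." form
$wininetBypass  = [string]$ie.ProxyOverride   # semicolon-separated, "<local>" = local names

# WinHTTP has no GUI; its current state is read from the netsh output.
$netshText     = (netsh winhttp show proxy) -join "`n"
$winhttpDirect = $netshText -match 'Direct access \(no proxy server\)'
$winhttpServer = if ($netshText -match 'Proxy Server\(s\)\s*:\s*(\S.*)') { $Matches[1].Trim() } else { '' }
$winhttpBypass = if ($netshText -match 'Bypass List\s*:\s*(\S.*)')       { $Matches[1].Trim() } else { '' }

if ($wininetEnabled) { Write-Host "WinINet : proxy=$wininetServer bypass=$wininetBypass" }
else                 { Write-Host "WinINet : no proxy enabled for this user" }
if ($winhttpDirect)  { Write-Host "WinHTTP : direct access (no proxy)" }
else                 { Write-Host "WinHTTP : proxy=$winhttpServer bypass=$winhttpBypass" }

# Services (CRL retrieval, NDES, ...) go through WinHTTP, so a mismatch is
# the symptom behind the CRYPT_E_REVOCATION_OFFLINE errors described below.
$mismatch = $wininetEnabled -and ($winhttpDirect -or ($winhttpServer -ne $wininetServer))
if ($mismatch) {
    Write-Warning 'WinHTTP does not match WinINet. From an elevated prompt, run:'
    Write-Warning '  netsh winhttp import proxy source=ie'
    Write-Warning "  (or) netsh winhttp set proxy $wininetServer bypass-list=`"$wininetBypass`""
} elseif (-not $wininetEnabled -and -not $winhttpDirect) {
    Write-Warning 'WinHTTP has a proxy but WinINet does not; check which one is intended.'
} else {
    Write-Host 'WinINet and WinHTTP proxy settings are consistent.'
}
```

Note that netsh winhttp import proxy source=ie reads the Internet Options of the account running the elevated prompt, so run it as the same user whose WinINet settings you verified.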

Example errors that were solved

Starting Active Directory Certificate Services

When trying to start the CA server you get this error message:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

The event log shows Event Id 100 from source CertificationAuthority:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate <CA name>. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Also, Event Id 48 from source CertificationAuthority:

Revocation status for a certificate in the chain for CA certificate 0 for <CA Name> could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).

Note: A dirty trick to quickly get the CA up and running is to disable CRL checking on the CA server:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

This is of course not recommended and must be turned back on as soon as the CRL is available again, but might be justified in some rare cases.

Accessing NDES / SCEP web pages

Visiting https://FQDN works great (shows IIS standard home page).

But when trying to access the URL https://FQDN/certsrv/mscep/mscep.dll you get this error message:

500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

The same message appears when going to the URL http://<FQDN>/certsrv/mscep_admin

The Application event log on the NDES server shows the following error:

Event ID 10: The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

followed by:

Event ID 2: The Network Device Enrollment Service cannot be started (0x80070057).  The parameter is incorrect.

These two error events occur every time I revisit the URLs.

Have you solved an issue?

If you run into any issues solved by this, please let me know so I can add them here to help others.

Posted in CA, Certificates, CRL, NDES, PKI, SCEP

Information protection with EMS [video]

Here’s a new short video from Microsoft that shows how you can protect your organisation’s information, using solutions that are part of the Enterprise Mobility + Security suite, such as Cloud App Security, Intune and Azure Information Protection.

https://www.youtube.com/watch?v=LWlRVHp7sKQ

Posted in AIP, CAS, EMS, Rights Management Services, RMS

ATA Center – Installation failed. Error code: 0x80070002

When I recently installed an ATA Center I encountered the following error message:

Installation failed. Error code: 0x80070002

I got the error message right after entering the Center configuration information, as seen below:

When looking at the ATA logs (which I unfortunately didn’t save, so I can’t show them here), I eventually saw that the installation had issues finding the setup executable file.

It then hit me.

I had downloaded an ISO-file with the ATA installation media on it. I double-clicked the iso to auto-mount it in Windows, and then ran the Microsoft ATA Center Setup.exe from the mounted drive.

This normally doesn’t cause any issues. But since .Net Framework wasn’t installed on the server, the ATA Center installation Wizard kindly asked to do this for me:


That installation required a reboot of the server.

When I logged in again, the ATA Center installation automatically resumed, but failed with the error above.

Here’s the thing: mounting ISO files does not persist across a reboot. So the wizard was looking for a virtual drive that didn’t exist at that time.

As it turns out, this is a known problem and it is even listed in the ATA Deployment documentation:


Kudos to the ATA team for being clear about this. I do not know how I managed to miss it.

Note that the ATA Center seems to be installed after this error occurs:


Although it is not (no folder called Microsoft Advanced Threat Analytics here):


Simply choose to “uninstall” it before trying to install the ATA Center again, otherwise you will see this message:


Posted in ATA

Quickly find all GPOs with PKI settings

When doing PKI audits and also when troubleshooting autoenrollment I want to see if there are multiple Group Policies that configure contradictory PKI settings.

Instead of manually going through all GPOs I wrote a PowerShell script that lists all GPOs that have PKI settings in them, and also singles out those that configure autoenrollment.

Here is a sample output:


As you can see, I look in both the Computer and User scopes of the GPOs.

The script utilizes the commands Get-GPO and Get-GPOReport, so you need to run the script on a computer that has the Group Policy Management feature installed (like a DC) or a computer with the Remote Server Administration Tools installed.

As always, there is room for improvement. Besides error management, perhaps showing the actual settings and also where the GPOs are currently linked. Feel free to improve it, and let me know if I can reshare it.

You can view and download the PowerShell script here:
https://1drv.ms/u/s!ApDVTW2lda1rtekXQkWvT-SJTQYlvA
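The approach described above, written out as an added example (this is not the author's script): each GPO's XML report from Get-GPOReport is inspected per scope for elements in the Public Key Policies namespace, autoenrollment is flagged, and the GPO's link targets are shown, which covers one of the improvements the post mentions. It assumes the Group Policy Management tools are installed and that the report places PKI settings in the PublicKey namespace under an AutoEnrollmentSettings element.

```powershell
# Added example, not the author's script: list GPOs that carry Public Key
# Policies in either scope, flag autoenrollment, and show where they are linked.
# Assumptions: Group Policy Management tools installed; the XML report puts
# PKI settings in the PublicKey namespace under an AutoEnrollmentSettings node.
Import-Module GroupPolicy

$gpNs  = 'http://www.microsoft.com/GroupPolicy/Settings'
$pkiNs = 'http://www.microsoft.com/GroupPolicy/Settings/PublicKey'

function Get-PkiGpoSettings {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        $ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
        $ns.AddNamespace('g',  $gpNs)
        $ns.AddNamespace('pk', $pkiNs)

        # Links are reported once per GPO; reuse them for both scopes.
        $links    = @($report.SelectNodes('/g:GPO/g:LinksTo/g:SOMPath', $ns) |
                      ForEach-Object { $_.InnerText })
        $linkText = if ($links.Count -gt 0) { $links -join '; ' } else { '(not linked)' }

        foreach ($scope in 'Computer', 'User') {
            # Any element in the PublicKey namespace under this scope means PKI settings.
            $pki = $report.SelectNodes("/g:GPO/g:$scope//pk:*", $ns)
            if ($pki.Count -eq 0) { continue }
            $auto = $report.SelectNodes("/g:GPO/g:$scope//pk:AutoEnrollmentSettings", $ns)

            [pscustomobject]@{
                GPO            = $gpo.DisplayName
                Scope          = $scope
                AutoEnrollment = ($auto.Count -gt 0)
                LinkedTo       = $linkText
            }
        }
    }
}

# Several GPOs configuring autoenrollment in the same scope are the
# contradictions an audit should review first.
$rows = Get-PkiGpoSettings
$rows | Sort-Object Scope, GPO | Format-Table -AutoSize
$rows | Where-Object AutoEnrollment | Group-Object Scope |
    Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "$($_.Count) GPOs configure autoenrollment in $($_.Name) scope" }
```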

Standard Disclaimer: I am NOT a professional coder. I am not responsible for what this script does. Do a code audit and testing in test environment if you run it in a sensitive environment.

Please leave any feedback you have as a comment to this post.

Posted in Uncategorized

What is Azure Information Protection


One of the security solutions I work with is called Azure Information Protection.

It is Microsoft’s solution for labeling and protecting information and it has some awesome features:

  • Super simple to use for end users, just a click away or fully automatic (based on location, recipient or content)
  • Access is based on your identity, no static passwords or keys that need to be remembered, shared or managed
  • The information can be encrypted, which keeps the bad guys out
  • You can set policies for what users are allowed to do with the information once they have access, such as printing, copying or forwarding, which makes it easier for good guys to follow the rules and avoid mistakes
  • The information is labeled in a way that other solutions, such as Exchange, SharePoint, Cloud App Security and even third party DLP services, can make decisions based on it
  • Custom watermarking and header/footer can be added to the information
  • The protection follows the information wherever it goes
  • You can share safely with anyone
  • All file types and most platforms (including Mac, iOS and Android) are supported
  • You can track who accessed your protected information
  • You can remotely kill a document (without access to the file), making it totally unreadable for anyone from that point on. Can your current information protection solution do this?
  • Microsoft never needs to have access to your information, they only manage the authentication part
  • The team at Microsoft behind this service are not only really nice people, but also really attentive to customer’s needs and have shown remarkable agility in their development
  • I could go on, but, I’m sure most of you stopped reading this list by now and jumped to the video below 🙂

If you want to know more, see this 2 minute overview video, or contact me for further discussions:

Note that this service used to be called Rights Management Services and the RMS technology is very much still used for the encryption and policy parts, but when Microsoft added the user friendly labeling part, which can be used for so much more than just RMS protection, they renamed it to Azure Information Protection. In other words, RMS went from being the front-end solution to being one of the consequences that can be applied based on the chosen label. Using the RMS features without the labeling is still available and works just as well.

Posted in AIP, information protection, Rights Management Services, RMS

My two sessions from TechX [in Swedish]

I gave two talks at the TechX conference held at Microsoft headquarters in Stockholm on February 13-17 2017.


The sessions were recorded and are now available to watch on YouTube [see links below]. Note that they are delivered in Swedish.

Both sessions covered the same three security solutions from Microsoft:

  • Windows Defender Advanced Threat Protection
  • Office 365 Advanced Threat Protection
  • Advanced Threat Analytics

I know, they all have very similar names. But this image shows how they relate and how they complement each other to provide protection on several layers:


In the first session I talked about what the products actually are. In the second I talked about how to get started with them. Both have demos.

Unfortunately I had sound issues, which was a bummer since I had several embedded videos in my presentation, but hey, that’s life…

Here are the videos:

TechX 2017 – Detektera och förhindra intrång (Detect and prevent intrusions)

TechX 2017 – Hur kommer du igång med WDATP + ATA + Office ATP? (How do you get started with WDATP + ATA + Office ATP?)

Posted in ATA, OATP, TechX, WDATP

Translate Windows messages in other languages

Sometimes I run into error messages in foreign languages, like this French one:


Ok, I admit it, I made the dialog box myself, but the message text is real. And I have no idea what it means.

So, how can I find out what “Le contenu a été bloqué, car il utilise un protocole de chiffrement non sécurisé.” really means? Preferably with the exact wording of the corresponding English message in Windows.

As in most cases, Google is usually your friend. There are also many online translation services, but since a word can have multiple meanings they might alter the wording, and that can make further troubleshooting Googling harder.

But did you know that Microsoft has a Language Portal, where you can search and translate Microsoft official terminology?

The address is https://www.microsoft.com/Language/en-us/Search.aspx
and it looks like this:


In the search result for the message above you can see what the message says:


You can also search translations from English to other languages. The list contains a whopping 115 languages! Did you for instance know that the word administrator is called alábòójútó in the language Yoruba and umlawuli in the language isiXhosa?

You do not have to search the exact string, partial matches will work as well. You can also filter your results based on 118 different products. Here I have limited my search results of the word administrator to only show results from the product Intune:


I hope this tip will help others who also sometimes have to troubleshoot Windows machines configured with foreign languages.

Posted in Uncategorized

LastPass now also free on mobile devices


The password manager LastPass has always been free to use in your web browser, but they just announced that they will no longer require a paid subscription for accessing your LastPass from mobile devices:


If you are not using a password manager yet, there is a chance that you might be reusing the same few passwords on all your different websites and perhaps also keeping them simple/short so that they are easier to remember. Both of these are really bad ideas.

I can really recommend LastPass for managing all your passwords. I have been a paid subscriber for several years and store hundreds of passwords to websites, Wi-Fi connections, PIN codes and other various secret things there.

There are other alternatives that are equally good; which one you choose is not the most important thing, just that you start using one.

Remember to use a very secure and long master password. Put some effort into creating and remembering it, and take comfort in that it is (almost) the last password you will ever have to remember. Hence the name of the service.

Don’t forget to activate Two Factor Authentication and to configure LastPass to log you out when you log on from another browser/device and also to log you out after a certain time of inactivity. Even if using a password manager can increase the complexity of all your passwords while making life a lot easier for you, if someone gets into your account they have the keys to all your kingdoms.

LastPass can be configured to do a lot of things, and I won’t go through all the features here. But be sure to check it out to increase your identity protection without going insane remembering tons of different complex passwords.

Read more about how LastPass can make your password life a lot easier:
https://lastpass.com/

Source:
https://blog.lastpass.com/2016/11/get-lastpass-everywhere-multi-device-access-is-now-free.html

Posted in Uncategorized

Azure Information Protection client – now with diagnostics!

The Azure Information Protection client was recently updated to version 1.2.4.0.

One of the improvements is a built-in diagnostics tool:


You get to this dialog box by going to the Home tab and clicking on the Protect icon in an Office application, and then selecting Help and feedback:


As you can see this option is not there in the previous version of the client:


When you click the Run diagnostics link a new window appears and the progress of the diagnostics tests is continuously updated:


You might get prompted to log in with your Azure AD account:


The test takes some time (see the status bar text in the image above), but it sure takes A LOT less time than doing all these tests manually.

When the test is finished you can click Copy Result and send it to your helpdesk or to Microsoft support. You can also click Reset to perform a reset of the Azure Information Protection client’s settings:


If you choose to perform a reset you will see these prompts:


I have seen the diagnostic tool get stuck at different stages of testing, but simply closing the result window and re-running the diagnostics has solved it.

You can download the latest version of the Azure Information Protection client with the built-in diagnostic tool here:
https://www.microsoft.com/en-us/download/details.aspx?id=53018

Posted in AIP, information protection, Rights Management Services, RMS