The consequence of not renewing the ATA certificate in time

A customer who uses Microsoft Advanced Threat Analytics (ATA) recently had severe issues with their ATA implementation. At first, the portal started to behave strangely, not showing all information in alerts and some configuration settings were missing. After a restart of the ATA servers, the services failed to start at all.

The Microsoft.Tri.Center-Errors.log file contained many errors like this:

2020-01-09 12:34:27.9920 1140 98 Error [CertificateExtension] Microsoft.Tri.Infrastructure.Utils.ExtendedException: There are no matching certificates [StoreLocation=LocalMachine StoreName=My thumbprint=89E1C9790B175D2E6B716CFDDABA3D9F444829F6]

It turned out that their internal PKI had automatically renewed the certificate that ATA was configured to use. In general, this is what you want from a PKI (auto-renewed certificates), but unfortunately, ATA does not support renewing an existing certificate.

The reason is that some ATA data is encrypted using the configured certificate, and during certificate renewal, the old certificate is removed, so you lose the ability to decrypt that data.

So you need to create a new certificate before the old one expires and manually configure ATA to use the new certificate.
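A check for the failure mode described above, added here as an example and not code from the original post or from Microsoft ATA: it pulls the thumbprint out of the "no matching certificates" log line, looks for it in LocalMachine\My, and reports whether it is missing, expiring, or issued from an AD CS template (the case where auto-renewal can silently replace it). The 30-day threshold, the function names and the constructed sample line are my own choices.

```powershell
# Added example (not from the original post or Microsoft ATA). Parses the thumbprint ATA
# complains about, checks the store ATA reads from, and flags expiry/template issuance.

function Get-AtaMissingThumbprint {
    param([string[]]$LogLines)
    $found = foreach ($line in $LogLines) {
        if ($line -match 'There are no matching certificates.*thumbprint=([0-9A-Fa-f]{40})') {
            $Matches[1].ToUpper()
        }
    }
    $found | Sort-Object -Unique
}

function Test-AtaCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint, [int]$WarnDays = 30)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        # The state in the log line above: ATA still references a thumbprint that the
        # PKI renewal removed from the store, so the config it encrypted cannot be read.
        return [pscustomobject]@{ Thumbprint = $Thumbprint; Status = 'MISSING'; DaysLeft = $null; Template = $null }
    }
    $days = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    # Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) is present when
    # an AD CS template issued the cert, i.e. exactly when template auto-renewal can apply.
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tmpl = if ($ext) { $ext.Format($false) } else { $null }
    $status = if ($days -le 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'EXPIRING' } else { 'OK' }
    [pscustomobject]@{ Thumbprint = $Thumbprint; Status = $status; DaysLeft = $days; Template = $tmpl }
}

# Constructed sample input: the error line quoted above.
$sampleLog = @(
    '2020-01-09 12:34:27.9920 1140 98 Error [CertificateExtension] Microsoft.Tri.Infrastructure.Utils.ExtendedException: There are no matching certificates [StoreLocation=LocalMachine StoreName=My thumbprint=89E1C9790B175D2E6B716CFDDABA3D9F444829F6]'
)
Get-AtaMissingThumbprint -LogLines $sampleLog | ForEach-Object { Test-AtaCertificate -Thumbprint $_ }

# Against the real log on the ATA Center (replace the placeholder path):
# Get-AtaMissingThumbprint -LogLines (Get-Content '<path-to>\Microsoft.Tri.Center-Errors.log') |
#     ForEach-Object { Test-AtaCertificate -Thumbprint $_ }
```

A Template value on an OK certificate is the early warning: that certificate can be auto-renewed by the PKI, so replace it manually before the template's renewal period kicks in.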

This requirement is clearly stated in the Microsoft ATA documentation:


Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/modifying-ata-center-configuration#the-ata-center-certificate

You will even get alerts in ATA Health Center about upcoming certificate expiration:


Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/monitoring-alerts

Replacing the certificate is not really that difficult or time-consuming. But if you do not replace the certificate before it expires you will get this alert:


Source: https://docs.microsoft.com/en-us/advanced-threat-analytics/monitoring-alerts

You can see that when this happens, the only resolution is to redeploy your ATA, and you will lose all your configuration, alerts, and behavior analysis history.

Other services that use certificates can usually be recovered really easily from issues caused by expired certificates, simply by getting a new certificate and pointing the service to it. But since the "certificate pointing" in ATA is done in the ATA Configuration, which is encrypted by the previous certificate, there is a catch-22 situation here.

Some people have tried to manually add the thumbprint of a new certificate in the SystemProfile_date.json configuration file, and they have gotten the ATA up and running again. However, they could not edit all ATA settings after that, so they eventually ended up redeploying from scratch.

Restoring from backup after redeployment will not work either, since the backup still points to the old, removed certificate. You can still use that backup configuration file as a manual reference on how to configure ATA again, since it is in cleartext.

So go ahead and make sure that your ATA implementation does not use a certificate that will be automatically renewed, and/or put a reminder in your calendar to renew it before it expires. And monitor those health alerts!


Teams on iOS now supports Sensitivity Labels

In the newly released version 1.0.91 of Teams for iOS it was announced that it now supports Sensitivity Labels for your Teams:

(Sorry that the screenshots are in Swedish, you’ll have to trust me or translate it 😀)

I first tried to create a Team before I upgraded the Teams app, and I did not see any option to select Sensitivity Labels:

I then updated Teams to the new version, and sure enough, I could now select the Sensitivity of my new Team:

Always great to see Microsoft Information Protection getting adopted in more and more places.


Copy your AIP Policies to the Security & Compliance Center

You have for a while been able to copy your AIP Labels to the Security & Compliance Center from the Azure Information Protection Portal.

But you can now also copy your AIP Policies (in Preview)!


You get a warning that any existing policies with the same name will be overwritten.
Click Yes to proceed:


It just takes a moment until you see the completion notification:


You will see a summary of the policies that were copied:

(I only had one policy in this tenant)

And sure enough, the new policy appeared right away in the Security & Compliance Center:


The policy settings I had configured were also copied:


Remember that this feature is still in Preview, so use with caution in production. And as always: test first!

/Tom


Using PowerShell to get wildcard certificate from Let’s Encrypt

This is a guide that shows you how to get a publicly trusted wildcard certificate at no cost from Let’s Encrypt using PowerShell.

Requirements:

  • Windows PowerShell 5.1
  • .NET Framework 4.7.2 (link to check)
  • Possibility to add CNAME in DNS

Step by step

Start PowerShell as admin (see information below for non-admin steps)

Verify that PowerShell's ExecutionPolicy allows running scripts (i.e. RemoteSigned or less restrictive):


Otherwise: Set-ExecutionPolicy RemoteSigned

Run:

Install-Module -Name Posh-ACME

Accept warnings about untrusted repositories (that is, if you accept PSGallery, a common module repository):


Run:

New-PACertificate *.tomdemo.se -AcceptTOS -Contact <your-email> -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install


Explanation of the options used:

  • *.tomdemo.se: The name you want in the certificate. You can add additional comma-separated names.
  • -AcceptTOS: Indicates that you accept the Let's Encrypt Terms of Service (see https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
  • -Contact: Email for expiration notifications (optional).
  • -DnsPlugin: Which DNS plugin should be used for automatic domain ownership validation. Since my DNS provider Loopia isn't natively supported by Posh-ACME, I used the AcmeDns option, which requires you to manually add a CNAME record at your DNS provider once; that record can be reused when renewing the certificate. Here is a list of DNS providers supported by Posh-ACME: https://github.com/rmbolger/Posh-ACME/wiki/List-of-Supported-DNS-Providers
  • -PluginArgs: Options that depend on the chosen DnsPlugin.
  • -Install: Installs the certificate in the computer's certificate store (requires admin permission, see Getting certificate without admin permission below).

Do not close the PowerShell window!

Add the CNAME record shown in the output of the command you just ran in the DNS registrar for the domain.
Here is an example from Swedish DNS registrar Loopia, but your DNS registrar interface may look different:


Go back to the PowerShell window and press enter to continue.
The script will wait 2 minutes for DNS to propagate:


After that, you should get the certificate:


To see more information about the certificate, you can use the following command:

Get-PACertificate | Format-List


Here you can see basic information about the certificate and that all the relevant files are stored in %LOCALAPPDATA%\Posh-ACME folder, and that it includes a PFX-file if you want to install the certificate on another machine. The default PFX-password is “poshacme”. You can specify your own with the option -PfxPass when running the New-PACertificate command.

Go to the Local Computer certificate store (run certlm.msc) and verify that the certificate has been installed correctly:


Depending on what service you are using the certificate for, you may need to make extra configuration steps in the service to start using the certificate.

You can manually renew the certificate by running the following command:

Submit-Renewal

As you can see, it will not renew certificates that are not about to expire yet (I believe it uses 30 days or less validity time). You can override this by running:

Submit-Renewal -Force

To automate the renewal, you can create a scheduled task that runs this command daily:

Create a file called C:\Cert\AutoRenewal.ps1 containing the command "Submit-Renewal" (without the -Force option, since you don't want to renew at every check).

Run the following commands, but first change <password> to your own password.
Note: The scheduled task must run in the context of the user requesting the certificate since validation information is stored in that user’s profile.

$Trigger = New-ScheduledTaskTrigger -At 10:00am -Daily
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\Cert\AutoRenewal.ps1"
Register-ScheduledTask -TaskName "Certificate AutoRenewal" -Trigger $Trigger -User "$env:USERDOMAIN\$env:USERNAME" -Password '<password>' -Action $Action -RunLevel Highest -Force
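A fuller AutoRenewal.ps1 for the scheduled task above, added here as an example and not code from the original post or from the Posh-ACME project. It verifies that the one-time acme-dns CNAME still exists before calling Submit-Renewal, logs what happened, and copies the new PFX out when the thumbprint changes. It assumes Posh-ACME is installed for the task's user, that the order was created with the AcmeDns plugin as shown above, and that the zone, log and drop folder (my choices) are adjusted for your environment.

```powershell
# AutoRenewal.ps1 (added example, not from the original post or Posh-ACME).
param(
    [string]$Zone    = 'tomdemo.se',                 # the zone from the post; change for yours
    [string]$LogFile = 'C:\Cert\AutoRenewal.log',   # assumption: log location
    [string]$PfxDrop = 'C:\Cert\Issued'             # assumption: where the new PFX is copied
)

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# The acme-dns CNAME is created once, but it must still exist at renewal time;
# if someone removed it, Submit-Renewal will fail the DNS-01 challenge. Check first.
function Test-AcmeDnsCname([string]$ZoneName) {
    try {
        $rec = Resolve-DnsName -Name "_acme-challenge.$ZoneName" -Type CNAME -ErrorAction Stop
        return ($rec | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    } catch { return $null }
}

Import-Module Posh-ACME -ErrorAction Stop

$before = Get-PACertificate
if (-not $before) { Write-Log 'No certificate found for the current Posh-ACME order.'; exit 1 }

$target = Test-AcmeDnsCname -ZoneName $Zone
if (-not $target) {
    Write-Log "CNAME _acme-challenge.$Zone is missing; renewal would fail DNS validation."
    exit 1
}
Write-Log "CNAME _acme-challenge.$Zone -> $target; cert $($before.Thumbprint) expires $($before.NotAfter)"

# Submit-Renewal only renews inside the renewal window, so a daily run without -Force is safe.
Submit-Renewal -ErrorAction Stop | Out-Null

$after = Get-PACertificate
if ($after.Thumbprint -ne $before.Thumbprint) {
    Write-Log "Renewed: new thumbprint $($after.Thumbprint), valid until $($after.NotAfter)"
    New-Item -ItemType Directory -Path $PfxDrop -Force | Out-Null
    Copy-Item -Path $after.PfxFullChain -Destination $PfxDrop -Force
    # Rebind the service that uses the certificate (IIS, RDP, mail) to $after.Thumbprint here.
} else {
    Write-Log 'Not in the renewal window yet; nothing to do.'
}
```

Register it with the Register-ScheduledTask commands above; the log file tells you whether a missing CNAME, rather than Let's Encrypt, is the reason a renewal did not happen.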

Test certificates

For testing, you can switch the Let’s Encrypt server you send your requests to. The test server does not create a publicly trusted certificate but has no rate limiting.

Read more about rate limiting here: https://letsencrypt.org/docs/rate-limits/

To use test server:

Set-PAServer LE_STAGE

To use production server:

Set-PAServer LE_PROD

It will keep using the specified server until you change it again.

Getting certificate without admin permission

Most steps above work without admin permission, with the exception of installing the certificate in the Computer certificate store.

You might need to restrict the scope of these commands as well:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

Install-Module -Name Posh-ACME -Scope CurrentUser

Then exclude the -Install option in the New-PACertificate command example above.

You will still get a valid publicly trusted certificate, and you can move the created PFX file to a computer where you want to install it (where you are admin).

Custom Acme-DNS instance

In my example above, I use the public ACME-Dns service. The advantage of that is that your DNS provider does not have to support API access for the Domain Verification part. Instead, you manually create a CNAME record in your DNS provider once that redirects the DNS validation to ACME-Dns.

To increase security, you should use your own instance of Acme-DNS, see here: https://github.com/joohoi/acme-dns


Hyper-V Guests with Windows 10 (1903) hangs when using Enhanced Session/RDP?

Are you also having the issue where accessing your Hyper-V VM Guests works great when connecting via Virtual Machine Connection, but the VM hangs when you try to access it using Enhanced Session or RDP?

The VM becomes unresponsive and the only solution is to use Turn off (shutdown doesn't work). The machine starts to continuously consume about 12% or 24% CPU (seems to depend on the number of CPU cores).

I run client Hyper-V on a Windows 10 (1903) machine, and the guest is also Windows 10. Enhanced Session used to work great, until Windows 10 (1903).

After some troubleshooting and researching I found out that a new RDP display driver called WDDM was introduced in 1903. By disabling WDDM and reverting to the old XDDM driver the problem went away for me.

Here’s how to do it:

Start the Local Group Policy Editor:


Navigate here:
Local Computer Policy
/Computer Configuration
  /Administrative Templates
   /Windows Components
    /Remote Desktop Services
     /Remote Desktop Session Host
      /Remote Session Environment

Configure the setting Use WDDM graphics display driver for Remote Desktop Connections to Disabled:


In an AD environment you can of course use the regular Group Policy Management.

You can also create and import a reg-file with the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fEnableWddmDriver"=dword:00000000

Reboot the Guest VM.

Yay, now I can access that guest VM using Enhanced Session again.


Enable FIDO2 credential manager in Windows 10

Once you have enrolled your FIDO2 security key in Azure AD (which can be done here), you can easily sign-in to web pages that use Azure AD as Identity Provider without needing to enter your password.

If your security key doesn't have a fingerprint reader, you need to enter the key's PIN, but remember that this is only to unlock the secret on the key; the PIN is never sent or stored anywhere outside of the key:

If you also want to sign-in on a Windows 10 machine with a FIDO2 device (currently supported on Azure AD joined and version 1809 or higher), you need to enable the FIDO security key credential provider on that machine first:

This can be enabled in one of three ways:

1. Using Intune, as explained here.

2. If Intune doesn't manage the client, you can manually create a provisioning package using Windows Configuration Designer (an application that is available in the Microsoft Store). The steps are explained here.
Note that you have to choose All Windows desktop editions; if you choose All Windows editions, the setting isn't available.

3. You can enable the FIDO credential provider by adding the following Registry setting:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey]
"UseSecurityKeyForSignin"=dword:00000001

Copy the text above to a new text file, call it something.reg, double-click it and accept the warning.

Note! I haven’t seen the last method mentioned anywhere official, so it might not be supported. Use it with caution and test before using it in production.


Always get the English version at docs.microsoft.com

When you visit https://docs.microsoft.com, it shows pages in the local language you have configured in your browser’s settings. Sometimes the pages are properly translated by humans, sometimes it is machine translated.

I always want the English versions of the Docs site pages, but I do not want to have English as the default language in my browser since I want Swedish version on other websites.

I discovered the Firefox plugin called Redirector. It does one very simple task. It looks for pattern matches in the URL and modifies them according to my rules.

So I installed it and created the following Redirect rule:


The * is a wildcard, so anything will match. $1 is the value that the first wildcard represented. Note that my rule only matches Swedish (sv-se), you may need to modify your rules to match your language (or all languages).

Now, whenever I visit a page that starts with https://docs.microsoft.com/sv-se/* it is immediately changed to https://docs.microsoft.com/en-us/*:


There are similar extensions for Chrome, but I have not tested them yet:

ModHeader

Switcheroo Redirector


Azure Information Protection – Indication that a label encrypts

I’ve been missing an easy way to tell if an AIP label will encrypt information, or if it “only” adds the label metadata and/or visual markings. Sure, I can explain it in the description of the label, but that is not very intuitive.

We cannot add images to AIP labels, but I realized that there are a lot of symbols in the Unicode world – that are in fact just text but shown as icons – and I found this padlock icon using Word’s Insert Symbol feature:


If I insert that symbol into Word, I can then copy it from there and paste it wherever I want it.

This is what it looks like as text in Word 2016:


This is what it looks like in the Azure Portal, after I have pasted it into the Label display name and Description of an AIP label:


This is what it looks like in Word 2016 as an AIP label:


So the symbol looks different on different platforms, but it is always a padlock. There are other fonts that have padlocks, but I chose Segoe UI Symbol, since that font is installed by default in Windows.

Please note that using an unusual Unicode character might cause issues:

PowerShell ISE can partly handle the symbol correctly:


while PowerShell cannot:


Azure Information Protection Client can show it (right-clicking on files in Windows):


Cloud App Security can also show it correctly:


I do not know how it will look on platforms that do not have that font.

I do not know if other systems (like DLP) are able to correctly read/set the label. Many DLP can however use partial matching of strings.

Please leave a comment below if you have any more info on where this works or does not work.


Use PowerShell to see if you are mitigating Meltdown and Spectre

Microsoft has released a PowerShell module on PSGallery that can test whether the mitigations for the Meltdown and Spectre vulnerabilities are in place on your machine.

Simply run the following command in an elevated PowerShell window:

Install-Module SpeculationControl

Then use the following command to verify mitigations:

Get-SpeculationControlSettings

This was the result on my laptop (Lenovo X1 Yoga) before patching it:


Then I installed this patch (via regular Windows Update):

[screenshot: Windows Update history]

After installing the patch and rebooting, it looked much better:


Note that some of my older hardware only managed to mitigate some of them, and some mitigations are sometimes not turned on by default, due to some dependencies.


Get a free publicly trusted certificate using Let’s Encrypt, PowerShell and DNS

I have previously blogged about the free publicly trusted certificate solution Let’s Encrypt, see here.

In this post, I will show how you can request a certificate with a PowerShell script and prove ownership of the domain name using DNS validation. It is perhaps more common and faster to validate ownership of domain names by publishing a challenge response via HTTP (since it can be validated immediately), but sometimes you want to request a certificate for a domain name that does not host a webserver, such as email and RDP servers.

I am using the PowerShell module ACMESharp, which is an implementation of ACME, the protocol that Let’s Encrypt is using for validation and requests.

For more information about Let’s Encrypt, take a look at their FAQ.

Pros

  • Totally free
  • Simple with few steps
  • Publicly trusted certificate
  • Since we export a PFX (including the private key), the request can be performed on any computer (not necessarily from the server that will use the certificate).

Cons

  • Requires you to manually add DNS records.
  • Waiting for the new DNS record to show up can take some time (due to DNS caching).
  • The certificate is only valid for 3 months. There is no support for renewal in the PowerShell implementation yet, but on the other hand, it is quick, easy and free to request a new certificate for the same domain name again.

Important

  • I take no responsibility for what this script does, test before running in production.
  • I am not a coder, so this PowerShell-script probably breaks all of the practice rules.
  • The script automatically downloads and installs NuGet (which is then used to download the PowerShell module ACMESharp) using PackageManagement. PackageManagement is included in PowerShell v5 but has to be installed manually as an add-on if you run PowerShell v3 or v4. Find your PowerShell version by running $PSVersionTable and looking at the value PSVersion.
    PackageManagement for PowerShell v3 and v4 can be downloaded here:
    http://go.microsoft.com/fwlink/?LinkID=746217&clcid=0x409

Steps

Note: The video below shows these steps.

  1. Run the PowerShell script in an elevated PowerShell console.
  2. Supply the following parameters
    1. ExpirationEmail
      1. This email will receive an email notification when the certificate is about to expire. I have never received any other email, but you can enter a bogus email address.
    2. PFXPassword
      1. The PFX file will be protected by this.
    3. SANList
      1. A comma-separated list of domains you want in the certificate. You can add as many as you want, but you will need to add a DNS record for each of them (for domain name ownership verification). Note that wildcards are not allowed right now, but that has been announced to become available in 2018.
  3. Answer any questions the script asks.
  4. Done! The PFX will be created in the same folder as the script.
    The PFX will have the domain names as the file name.
  5. If you need more than the PFX, look in the following folder:
    %programdata%\ACMESharp\sysVault
    There you will find the certificate request, the certificate in PEM/KEY format, Issuing CA certificates etc.

Certificate

This is what a certificate will look like:


Video

Here is a 4 minute video where I run the script, so you can see how it looks:

Note that I do not show adding the DNS records to the public DNS in the video since it differs depending on your DNS provider. For me it looks like this:


The script

Here is a link to the latest version of the script:
http://go.mssec.se/PStoSSL

Any feedback and improvement suggestions are highly welcome.

Thanks for reading!
