authentication

Signing a PDF with Belgian eID – step-by-step for beginners (a bit more then what they tell you on the official page)

On the website for the Belgian eID, you can find some basic hints & tips to sign PDF documents with the Belgian identity card and the Acrobat reader application….

But there are other PDF applications than Acrobat Reader DC and the guide on the eID signing doesn’t detail the prerequisites in the signing manual to make it work.

Technical tip: the tech prerequisites and how to validate them are explained in the technical manual (over here: https://eid.belgium.be/nl/technische-documentatie#7389)

Acrobat Reader DC may be the most prominent PDF reader, it’s certainly not the only one and certainly not the most performant one.

Furthermore, the document signing in Acrobat Reader is pretty confusing as you must select the “Certificates” module and NOT “Fill & Sign”.

Difference between Authentication & Signing

When you, as verified user, want to put a digital signature on documents, this is called “signing”, confirming the document content.

In this circumstances, the “authentication” part is not relevant. Authentication is used to prove your identity.

For your information: the Belgian eID is NOT designed to provide encryption (which is the 3rd option to use a certificate). So you cannot use the BE eID for encryption of documents, sadly enough.

More info (NL, also EN version available): https://eid.belgium.be/nl/aanmelden-met-eid#7559 (EN, https://eid.belgium.be/en/log-eid#7559)

Prerequisites

Certificates in user certificate store

You need to have the user certificates installed on your user account on the local pc (actually the personal user certificate store) to make the document signing work in the applications.

If you haven’t used the eID certificates before, or in the case of a new computer, you’ll need to install the user certificates on your computer.
The easiest and official way to install them, is using the eID viewer application.

eID Software

Note on Language

The eID website is supporting NL, FR, DE and EN as language, I’ll only refer to NL and EN as main languages but FR and DE are supported too.

Download

Download and install the eID software from this source: https://eid.belgium.be/nl (for NL. Also available: EN, FR and DE).
It includes the eID middleware and the eID viewer we’ll use to read and install the eID certificaties on your computer (actually your user account).

Install

The manual to install the eID software is here:

(NL) https://eid.belgium.be/nl/hoe-installeer-ik-de-eid-software

(EN) https://eid.belgium.be/en/technical-documentation

Verifying the presence of the user certificates (Signing)

When you use the certificates and/or the eID software, the certificates should be installed in the user certificates store automatically, but that is not always the case, depending the configuration and security of your computer.

Technical hint: there is a “Certificate Propagation Service” troubleshooting article on the eID website that helps you: https://eid.belgium.be/nl/technische-documentatie#7256

To sign PDF documents with a certificate, most PDF readers will check for certificates in the user certificate store on the local computer, not directly from the card reader.

Steps

1. MMC

Via the Windows button, run the mmc (Microsoft Management Console), you’ll need to run it in elevated mode (so consent the UAC popup)

2. Add snap in : Certificates

Via menu “File”, “Add/Remove Snap-in”, add the “Certificates” snap in.
Choose “My User Account” (as the eID certificates are injected in your user account, not your computer or service account)

Finish and click ok.

3. Open the personal certificate store

In the “certificates – current user” > Personal > Certificates, check the list of certificates available.

You should see something like:

If ok, then you’re ready to sign documents, using eID.

If NOT, then you’ll need to add the certificates manually.

Manual installation of the eID certs

1. Insert your eID

Attach a supported card reader and insert your eID smart card.

2. open the eID viewer > Certificates tab

Right click the “Signature” certificate (you can do the same for the Authentication certificate. Select “Detailed Information”.

Then, click the “install certificate…” button:

Then run the default option steps: click next, next next … next… finish.

Import the certificate to the current user certificate store

Click Finish and you should be set to go for signing documents.

Signing PDF docs

Adobe Acrobat DC

This is explained on the eID website:

(NL) https://eid.belgium.be/nl/digitale-handtekeningen#7261

(EN) https://eid.belgium.be/en/digital-signatures#7261

IMPORTANT

Select the “Certificates” module and NOT “Fill & Sign”.

The “Fill and Sign” is used for graphical signatures, replacing the manual signing of paper copies, and eliminates the need of rescanning.

eID is a “qualified” and legally support signature.

If your counterpart (the other signing party) doesn’t require a qualified signature, this is a good alternative for eID (as there is some sensitive data like social security number, incl birthday and gender mentioned in the eID signature)

Foxit PDF

Open the PDF file you want to sign.

Verify the presence of the Signature certificate

It should be popping up from the certificate store, which we fixed earlier. (if not present, go back and fix it)

Signing a document

When the certificate is correctly installed, go to the “Protect” menu, then click the “Sign & certify” button in the ribbon.

Then drag an area to mark a signing area and choose the signature options.

Done!

References

Digitale handtekeningen:

(NL) https://eid.belgium.be/nl/digitale-handtekeningen

(EN) https://eid.belgium.be/en/digital-signatures

And also

Add or remove a digital signature in Office files: https://support.microsoft.com/en-us/office/add-or-remove-a-digital-signature-in-office-files-70d26dc9-be10-46f1-8efa-719c8b3f1a2d

Note-to-self: Short URL for app password in Azure MFA

When you enable MFA (Multifactor Authentication) in Azure, you can configure app passwords for applications that cannot work with the code generators, applications, phone apps to logon with MFA…

The source URL for it is: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

But it’s very likely you can’t remember it anymore after a while, so train your brain for these bookmarks:

Also, these point to the same URL.

 

That alphabet of Security starts with I of “Identity”

It’s an understatement to say security is moving fast, it’s changing very rapidly and the pressure to keep up with it, increases too.

From various angles, people in IT (as in Information Technology), are under fire to keep the infrastructure secure. Cloud is getting mature, new features pop up every week.
It’s almost a contradiction, but also legislation is catching up to close the holes regarding the protection of people’s security and privacy.

In many cases, the first reaction of customers, management, ITPros, Developers, DevOps,… is to look for the ultimate and ideal tool that will help to plug the security hole.

But if you only focus on the tooling, you’ll discover rather sooner than later, it is not sufficient to get your security watertight.
One of the basic reasons is that tools can’t be implemented properly without involving people and processes. I don’t need to explain the PPT (people-proces-technology) or PPP (people-proces-products) triade, right?

Lots of security management approaches and certifications handle this triad (ISO27001, CISSP, … I’ll cover that another time.

(credits: smart picture of ITGovernance.co.uk)

Rather than diving into the search for a tool, you better take a step back and consider first.

What’s the primary function of security?
Protecting an item that you want to keep (safe), right?

[The reason (“why”) for keeping it safe = the CIA triad, Confidentiality, Integrity and Availability]

When you think about the processes (“how”) to secure  an asset (anything that is worth securing), there are 3 basics actions you need to define

  • authorization: what you can do with the asset (the CRUD stuff, create/read/update/delete)
  • identification: who needs the authorization?
  • authentication: the method to proof your identity (using passwords, passes, cards, 2FA, MFA, …)

This is essentially the foundation of my credo “no security without identity”

Just by interpreting the basic components of security, you directly hit the “PROCESS” part of the PPT triad.
Now, here’s were most technical people get into trouble… not knowing how to put this in practice.

But let me ask you a simple question: within the normal, usual businesses or companies, where does the identity process typically start?
Yes, correct, HR (Human Resources)

The second question: can you name at least 2 typical high-level HR processes (for people).
Answer: something like “hire” and “fire”, or synonyms like “onboarding/off-boarding”, “termination”, “end-of-life” (but that sounds pretty dramatic when talking about people…).

These 2 events announce the beginning and the end of a lifecycle, the identity lifecycle.
And to make it complete, you also need to define the life-in-between as people change over time.

BTW, just a small side step here: this does not apply to humans only, but any other asset in your environment has pretty much the same cycle and it does not matter if it’s considered “IT” or not… computer, certificates, smart cards, disks, tapes, … but also cars, documents, …

This idea to consider the lifecycle as universal, is a great approach to explain the “identity lifecycle” to non-techies that get involved in the identity lifecycle processes.

This is the common ground you can use to talk to HR people, business managers, Executive level, …

Now, if you look on the internet for pictures on identity lifecycle management, you’re smashed with a lot of complex schemas…

google_identitylifecycle

Many of results are variations of 3 essential processes

hire-change-fire1

Depending on your background you might name them differently, like:

1AA.png

For the sake of simplicity, when teaching IDM and security workshops I usually only keep the keywords “Hire”, “Change” and “Fire”.
Short and easy to remember for most people.

For your understanding, the circle approach  would assume you start over again after the “Fire” block, but that’s not always the case. The cycle might stop.
So, the approach below is easier to visualize for most people.

Clockwise:

  1. Starting the cycle at (1),
  2. updating the identity at (2),
  3. exiting the cycle at (3)

hire-change-fire2

As I mentioned, earlier, virtually any IT or asset related proces is basically working like this.

Now, let’s take it a step further… How does identity management control security?

A first thing to consider is the typical length of the hire-change-fire modules.

How many tasks/steps does it usually take to complete each of the 3 steps?
Keep the asset in mind and keep it simple…

Typical actions in a hire process:

  • signing contract
  • getting an network/AD account
  • getting an email address
  • getting building access
  • IT stuff (laptop, …)

Pretty straight forward…
How much time would it take, in simple cases to start working?  Hours if not days.

What about the change process? For example, you get promotion to team lead or head of department…

  • hand over your tasks to peers
  • get ramped up on new job
  • in some cases, there is segregation of duties, getting rid of existing rights permissions
  •  getting access to new environment
  • changing communications channels (notifications to stakeholders of change)

In reality, this usually takes a few weeks.

And what are the typical things your consider for the “fire” process?

  • informing stakeholders/customers
  • disabling the account
  • changing password
  • lock account
  • removing access
  • extracting documentation form personal storage
  • move documents to manager or team
  • handing over ownership
  • knowledge transfer
  • data backup/archiving
  • cleaning the mailbox
  • deleting the account (* not always allowed for various reasons)
  • sending legal / tax documents
  • and more…

As you can understand, this entire termination process might take months… In many situations the termination process must be executed in different steps, like:

  • Disabling the account till x+30 days (for example, revert in case the person gets a renewal)
  • Removing access on x+60 days
  • Kill mailbox on X+90
  • Remove the account on X+1y (or even: never)

In some cases accounts must be kept for legal reasons or tracking/cybersecurity reasons…

The further you go in the lifecycle, you need to combine more tasks, and tasks or decisions get more complex.

Overall you can distinguish 2 properties of these processes: duration and complexity. Both go up.

complexity

procesduration

Now, when considering security, why is this important?
Instead of discussing the impact of successful processes, it’s easier to find out what happens if it fails.

WHAT IF… (the process fails)??

Let’s run through the cycle again….

What if the “Hire” process fails?

  • you can’t access the building
  • you do not get an account
  • you can’t logon
  • you can’t access documents

Basically, on your first (few) day(s) you can’t work. Sorry!
But what’s the balance for security: just great, because the risk is nearly 0, except for a bad start and a bit of reputation damage..
At the end: you can’t do any harm, essentially.

In case of the “change” process, a larger part of the tasks and operations will impact the security posture.

When your “change” process fails,  for example

  • you can still access your old documents
  • you get more access (eg collecting access of your old and new role)
  • you start collection sensitive accesses over time
  • managers don’t know
  • user profiles get copied from existing colleagues in the same team (no ‘reset’ or the permissions before the new ones are assigned)

So for this second piece of the circle, the impact might be significant, over time.

But for the “end-of-life” the story is completely different, a failing “deprovisioning” scenario has major impact on the business and IT process

  • accounts stay active
  • accounts not being disabled
  • access not removed
  • active accounts not detected
  • account with highly privileged access still active
  • accounts being deleted too soon
  • unauthorized users that have access to critical resources
  • hackers go undetected for a long time, using sleeping accounts
  • hardware not returned,
  • data stolen,
  • over-use of budgets to software licenses that are not revoked
  • access badges allow unauthorized access to your building and environment
  • failure to ‘deprovision’ old hard disks properly expose your company data to interested (unauthorized) parties…
  • …,

It’s clear that a failing deprovisioning/end-of-life process has major impact on your enterprise security.

risk.png

And hackers or disgruntled employees like that.

Of course you can imagine the benefits of an efficient and effective end-of-life process. It’s the opposite.

Does that require you implement an automated identity management?
No.

That’s where ISO27001 and eg GDPR surprises a lot of people.

Once you’ve got the basic processes in place you can discuss tooling, not the other way around.

questforsecurity

You have
no security without managing your identity.

you want
no identity without security.

Did I mention  that I’ll be presenting more of this fun stuff on TechoRama 2017.
Check it out here: http://sched.co/9M94

I’m very proud to present a session on the ABC of identity: Maximizing security with 10 simple processes.

 

Note-to-self: You lost access to your initial Office 365 admin?

Although Microsoft has built in quite some methods to regain access to your 0365 tenant/account, you might have some bad luck one day… (experience talking here)

First of all you should try the default options, meaning : the password reset options.

The direct way to get there is the first link to bookmark: https://passwordreset.microsoftonline.com/

Another way to get there is in the 0365 logon page (also for Azure),

o365_1

If you forgot your password or can’t access the account, hit the link at the bottom.
You get directed to :

o365_2

If you know the logon, you can proceed to

o365_3

You notice that the verification is pointing to your alternative mail address or your mobile number…

But what if you forgot your original logon ID (mail address), eg in case you have setup a test tenant in 0365 with an mail address you don’t use frequently? (yes, that happens)

If that is not working or you need more help, check these options:

And if you really ran out of luck: you might raise a ticket and ask for help. https://portal.office.com/support/newsignupservicerequest.aspx

Anyway, as shown there are some options when configuring 0365 that should keep you out of trouble in the first place

  • make sure to add a mobile number to your user account
  • make sure to add a secondary email address to your account (not belonging to your O365 domain)
  • Configure and test MFA (multifactor Authentication), eg with the Authenticator app
  • add a secondary admin account with sufficient rights (with the same security measures!)

Note-to-Self: Microsoft Security Newsletter September 2014

Source: http://aka.ms/MSSecuritynewsletter

In this months newletter you’ll find guidance on:

  • Windows Phone 8.1 Security Overview
  • Windows Phone Security Forum for IT Pros
  • Create Stronger Passwords and Protect Them
    • Inlcuding  free online tool offered by Microsoft Research, called Telepathwords, for those that would rather have a randomly generated strong password created for them.
  • Two-Factor Authentication for Office 365
  • Multi-Factor Authentication for Office 365
  • Configuring Two-Factor Authentication in Lync Server 2013
  • Adding Multi-Factor Authentication to Azure Active Directory
  • Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server
  • Building Multi-Factor Authentication into Custom Apps

And:

  • Get Started with Virtual Smart Cards

Plus much more… check it out at http://aka.ms/MSSecuritynewsletter

#FIM 2010 Quicktip: Troubleshooting the FIM 2010 portal loading a blank page

Working on a case where a FIM configuration has moved from development to production.
The customer’s production environment is a highly secured environment with a server security lockdown. The customer is using a custom tool for server profiling and local security lockdown.

After installing and configuring FIM, the FIM portal was loading blank.

 

The Application Pool account had changed. When adding the Application pool account to the local administrators group, the portal loaded again…

So we needed to investigate what was going wrong.

Some references we got from our Sharepoint colleagues…

Plan for administrative and service accounts (Office SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263445(v=office.12).aspx

How to change service accounts and service account passwords in SharePoint Server 2007 and Windows SharePoint Services 3.0
http://support.microsoft.com/kb/934838/en-us.

They also advised to run a security reset on the SharePoint portal, see: Command-line reference for the SharePoint Products and Technologies Configuration Wizard (Office SharePoint Server)http://technet.microsoft.com/en-us/library/cc263093(v=office.12).aspx

secureresources Performs SharePoint Products and Technologies resource security enforcement on the server. For example, security is enforced on files, folders, and registry keys.

Example

psconfig.exe -cmd secureresources

Although very useful to reset the security, it didn’t change the behaviour on the portal (still loading blank page).

Using procmon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx), we found out that we had quite some errors.
Just a hint: exclude ‘success’ messages and filter on the targeted application pool account.

We first checked the default WSS group memberships for the AppPoolAccount.

For reference: http://technet.microsoft.com/en-us/library/cc678863(v=office.15).aspx

 

Just to double check, during troubleshooting we removed the WSS_WPG group from the FIM Portal application pool (default Sharepoint Application pool).

This is the result:

HTTP Error 500.19 – Internal Server Error

The requested page cannot be accessed because the related configuration data for the page is invalid.

clip_image002

So that made the situation even worse.

Back to the procmon results, as procmon threw errors on the impersonation of the application pool account we checked the local security policy. And the AppPool account appeared to be removed from the setting or was not member of the groups referenced in the setting.

Solution:

Do not make the Application pool account member of the local admins.

Make sure the Application Pool account has the “Impersonate a client after authentication” right in the local Security Policy.

image

 

Need more information? Check these articles …

Account permissions and security settings in SharePoint 2013
http://technet.microsoft.com/en-us/library/cc678863(v=office.15).aspx)

Plan for administrative and service accounts (Office SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263445(v=office.12).aspx