Certificates

Note-to-self: public website/server certificate quick check.

Today my ESET Endpoint Security blocked my browser for what I know is (sorry, should be) a legitimate magazine website…

Using other browsers (Chrome, Firefox, Opera, Tor, …) on my machine, I had the same issue…

Microsoft Edge

ESET Endpoint Security is reporting

“Website certificate revoked

The certificate used by this server has been marked as untrustworthy and the connection is not safe

Try connecting again later or from a different internet connection.
Access to it has been blocked.

Tor

Using another pc or smartphone (not using ESET) … I was able to connect.

So what’s going on?

ESET protecting you…

Eset forums

When you look up the Eset message (“Website Certificate Revoked” eset), you’ll probably land on the ESET forums or knowledge base, … seems to be a pretty popular topic.
Like for example: https://forum.eset.com/topic/21531-eset-giving-website-certificate-revoked-message/

ESET knowledge base

https://support.eset.com/en/kb6258-website-certificate-is-revoked-is-displayed-when-visiting-legitimate-web-pages

ESET explains

“This warning is displayed when your ESET product detects that the security certificate for a website is revoked.

ESET cannot resolve the issue because only the owner of a domain can renew their security certificate. You cannot choose to continue to the site using the insecure certificate.”

How do you double check this information?

The ESET forums point to a very interesting and eays to use tool: SSLTest at SSLLabs.com

Open: https://www.ssllabs.com/ssltest/index.html

Then you can enter the URL of the website you want to visit or check…

Depending the status of the website (good…or bad), it will take a few seconds… to minutes… to scan the website and show the quality of the certificate.

In this case, it’s fairly clear why the website was blocked:

Just for your reference if you would check a website like: https://docs.microsoft.com, you’ll get A+ (that’s the other end of the scale..)

If you want to know more about the website rating, check the SSLLabs rating guide:

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

The grading results in a score from A (top), (B) good, (C) average .. to (F) big fail lowest score …

So, it’s a very handy and free tool to check your website for issues.

Why are these websites not blocked by other tools or browsers?

First of all, check if you have an anti-virus or antimalware tool that checks the URL.

Because other browsers, apps or URL filters will not always check for the CRL (the certificate revocation list, containing certificates that are no longer valid…).

Or the CRL is not updated or and old CRL is cached. The ESET KB article mentioned, explains how to clear the CRL cache on your system.

Other interesting tools

The website (or mail) certificate is just one of the security indicators …
If you want to check the reputation of your URL, domain, website, mail system, DNS, … there are some more interesting tools you should have at hand, like https://mxtoolbox.com/NetworkTools.aspx.

Quite a while ago I posted an article on web and mail reputation, there is some more interesting free tools you can use to check the domain reputation.

See here: (TechNet Wiki) Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Conclusion

This situation show how easy it is to land on a website using revoked or unverified certificates…

Make sure to use a decent anti-malware and anti-virus tool. It’s worth to spend a small bit of money to protect your systems.

And if you combine it with some free tools to check the health of (your) websites and systems… you can achieve a decent level of security without spending a lot of money.

Signing a PDF with Belgian eID – step-by-step for beginners (a bit more then what they tell you on the official page)

On the website for the Belgian eID, you can find some basic hints & tips to sign PDF documents with the Belgian identity card and the Acrobat reader application….

But there are other PDF applications than Acrobat Reader DC and the guide on the eID signing doesn’t detail the prerequisites in the signing manual to make it work.

Technical tip: the tech prerequisites and how to validate them are explained in the technical manual (over here: https://eid.belgium.be/nl/technische-documentatie#7389)

Acrobat Reader DC may be the most prominent PDF reader, it’s certainly not the only one and certainly not the most performant one.

Furthermore, the document signing in Acrobat Reader is pretty confusing as you must select the “Certificates” module and NOT “Fill & Sign”.

Difference between Authentication & Signing

When you, as verified user, want to put a digital signature on documents, this is called “signing”, confirming the document content.

In this circumstances, the “authentication” part is not relevant. Authentication is used to prove your identity.

For your information: the Belgian eID is NOT designed to provide encryption (which is the 3rd option to use a certificate). So you cannot use the BE eID for encryption of documents, sadly enough.

More info (NL, also EN version available): https://eid.belgium.be/nl/aanmelden-met-eid#7559 (EN, https://eid.belgium.be/en/log-eid#7559)

Prerequisites

Certificates in user certificate store

You need to have the user certificates installed on your user account on the local pc (actually the personal user certificate store) to make the document signing work in the applications.

If you haven’t used the eID certificates before, or in the case of a new computer, you’ll need to install the user certificates on your computer.
The easiest and official way to install them, is using the eID viewer application.

eID Software

Note on Language

The eID website is supporting NL, FR, DE and EN as language, I’ll only refer to NL and EN as main languages but FR and DE are supported too.

Download

Download and install the eID software from this source: https://eid.belgium.be/nl (for NL. Also available: EN, FR and DE).
It includes the eID middleware and the eID viewer we’ll use to read and install the eID certificaties on your computer (actually your user account).

Install

The manual to install the eID software is here:

(NL) https://eid.belgium.be/nl/hoe-installeer-ik-de-eid-software

(EN) https://eid.belgium.be/en/technical-documentation

Verifying the presence of the user certificates (Signing)

When you use the certificates and/or the eID software, the certificates should be installed in the user certificates store automatically, but that is not always the case, depending the configuration and security of your computer.

Technical hint: there is a “Certificate Propagation Service” troubleshooting article on the eID website that helps you: https://eid.belgium.be/nl/technische-documentatie#7256

To sign PDF documents with a certificate, most PDF readers will check for certificates in the user certificate store on the local computer, not directly from the card reader.

Steps

1. MMC

Via the Windows button, run the mmc (Microsoft Management Console), you’ll need to run it in elevated mode (so consent the UAC popup)

2. Add snap in : Certificates

Via menu “File”, “Add/Remove Snap-in”, add the “Certificates” snap in.
Choose “My User Account” (as the eID certificates are injected in your user account, not your computer or service account)

Finish and click ok.

3. Open the personal certificate store

In the “certificates – current user” > Personal > Certificates, check the list of certificates available.

You should see something like:

If ok, then you’re ready to sign documents, using eID.

If NOT, then you’ll need to add the certificates manually.

Manual installation of the eID certs

1. Insert your eID

Attach a supported card reader and insert your eID smart card.

2. open the eID viewer > Certificates tab

Right click the “Signature” certificate (you can do the same for the Authentication certificate. Select “Detailed Information”.

Then, click the “install certificate…” button:

Then run the default option steps: click next, next next … next… finish.

Import the certificate to the current user certificate store

Click Finish and you should be set to go for signing documents.

Signing PDF docs

Adobe Acrobat DC

This is explained on the eID website:

(NL) https://eid.belgium.be/nl/digitale-handtekeningen#7261

(EN) https://eid.belgium.be/en/digital-signatures#7261

IMPORTANT

Select the “Certificates” module and NOT “Fill & Sign”.

The “Fill and Sign” is used for graphical signatures, replacing the manual signing of paper copies, and eliminates the need of rescanning.

eID is a “qualified” and legally support signature.

If your counterpart (the other signing party) doesn’t require a qualified signature, this is a good alternative for eID (as there is some sensitive data like social security number, incl birthday and gender mentioned in the eID signature)

Foxit PDF

Open the PDF file you want to sign.

Verify the presence of the Signature certificate

It should be popping up from the certificate store, which we fixed earlier. (if not present, go back and fix it)

Signing a document

When the certificate is correctly installed, go to the “Protect” menu, then click the “Sign & certify” button in the ribbon.

Then drag an area to mark a signing area and choose the signature options.

Done!

References

Digitale handtekeningen:

(NL) https://eid.belgium.be/nl/digitale-handtekeningen

(EN) https://eid.belgium.be/en/digital-signatures

And also

Add or remove a digital signature in Office files: https://support.microsoft.com/en-us/office/add-or-remove-a-digital-signature-in-office-files-70d26dc9-be10-46f1-8efa-719c8b3f1a2d

Last update:2020-12-28

Note-to-self: Strenghten your Intune/SCEP with ADCS

Recently I got a question from a customer about SCEP.
SCEP as in “Simple Certificate Enrollment Protocol”, not “System Center Endpoint protection”.

Pretty important difference, although SC (System Center as in SCCM) is involved in this case.

Background:
customer investigating integration of ADCS (Active Directory Certificate Services) with Intune.

Case:
Customer found an interesting article: “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests” (http://www.kb.cert.org/vuls/id/971035)

In short, the article mentions (quote):

“SCEP was designed for use “…in a closed environment” and is not well suited for MDM and “bring your own device” (BYOD) applications where untrusted users and devices are in use.

When a user or a device requests a certificate, the SCEP implementation may require a challenge password. It may be possible for a user or device to take their legitimately acquired SCEP challenge password and use it to obtain a certificate that represents a different user with a higher level of access such as a network administrator, or to obtain a different type of certificate than what was intended.”

In Windows Server 2012 R2 the Active Directory Certificate Services (AD CS), NDES supports a policy module that provides additional security SCEP.

Windows Server 2012 R2 AD CS NDES does not ship with a policy module. You must create it yourself or obtain it as part of a software solution from a MDM vendor.

Microsoft Intune DOES HAVE that module.

But how do you integrate your ADCS with Intune?
Well, here’s the interesting stuff, there is a bunch of interesting reading and even step-by-step guides available from one of our Microsoft colleagues.
Just to be clear: all credits go to the original authors of ALL these articles I point you to.

But I thinks the links below must be in your favorites collection.

The technical background info you can find on TechNet had an update, recently:

If you really want to dive into it, with practical hands-on, please check this out (credits to Pieter Wigleven)

Pieter has put quite some effort to document the procedures step-by-step with very interesting screenshots.
Enjoy and share!

Note-to-self: New Guidance for Securing Public Key Infrastructure

Source: TechNet Blogs » Microsoft Security Blog » New Guidance for Securing Public Key Infrastructure

http://blogs.technet.com/b/security/archive/2014/06/11/new-guidance-for-securing-public-key-infrastructure.aspx

“Public Key Infrastructure (PKI) is used as a building block to provide key security controls, such as data protection and authentication for organizations. Many organizations operate their own PKI to support things like remote access, network authentication and securing communications.

The threat of compromise to IT infrastructures from attacks is evolving. The motivations behind these attacks are varied, and compromising an organization’s PKI can significantly help an attacker gain access to the sensitive data and systems they are after.

 To help enterprises design PKI and protect it from emerging threats, Microsoft IT has released a detailed technical reference document – “Securing Public Key Infrastructure.”

Reviewed for you: Microsoft DirectAccess Best Practices and Troubleshooting (Packt Publishing)

Packt has recently published a new book "Microsoft DirectAccess Best Practices and Troubleshooting". (http://aka.ms/PacktPub_DA_Troubleshooting)

A few weeks ago I was asked to review the book.

Written by Jordan Krause a Microsoft MVP in Enterprise Security, and specializes in DirectAccess.

Packt Publishes advertises this book is an ideal guide for any existing or future DirectAccess administrator and system administrators who are working on Windows Server 2012.

This book will also be beneficial for someone with a basic knowledge of networking and deployment of Microsoft operating systems and software who wants to learn the intricacies of DirectAccess and its interfaces.

It’s a pretty condensed book of 116 pages in total, of which 98 technical content.

Structured in 5 chapters:

Chapter 1: DirectAccess Server Best Practices
Chapter 2: DirectAccess Environmental Best Practices
Chapter 3: Configuring Manage Out to DirectAccess Clients
Chapter 4: General DirectAccess Troubleshooting
Chapter 5: Unique DirectAccess Troubleshooting Scenarios

From a technical standpoint of view, it’s an interesting read, with lot of interesting advice.

It is quite confusing that the author discusses topics which are explained in a later chapter.
ISATAP for example. Chapter 2 discusses IPv6 vs ISATAP, while chapter 3 explains the ISATAP definition ( Intra-Site Automatic Tunnel Addressing Protocol).

To build the story in the book, it would make more sense to explain the basics first as it’s key information to the topics discussed and explained. It’s a good practice to set a common ground and vocabulary first, to start off on the right foot.

But when I say condensed, it really is condensed and not only on content level. Regarding readability, some of the pages are large blocks of heavy text, long sentences, barely using white space or paragraphs. Sentences reaching 4 lines require you to read the sentence again.

Shorter sentences and using more paragraphs is a simple fix.

Although the book is packed with valuable information, I’m a bit disappointed in the fact that the book does not get it’s full potential.

It would greatly improve by putting all hints & tips in a quick list (eg in an additional chapter or quick reference card), and/or gathering the do’s and don’ts in an action list like:

Please remember:

  • There are 3 platforms providing Direct Access: Windows 2008 R2, UAG and Windows 2012. Majority of DA deployments are covered by UAG and Windows 2012 as Windows 2008 R2 is quite difficult to handle.
  • Clients must be Windows 7 Enterprise, Windows 7 ultimate or Windows 8 Enterprise
  • Windows 7 pro and Windows 8 Pro do not support Direct Access (See: http://support.microsoft.com/kb/2756536)

Practical Hints & tips

  • The default gateway setting must only be defined on the external NIC
  • Name your NICs intuitively (chapter 1)
  • Set NIC binding correctly (chapter 1)
  • disable NICs not in use (ch.1)
  • Check Receive Side Scaling (RSS) (ch.1)
  • Enable spoofing of MAC addresses on VMs (ch.1)
  • Add static routes
  • Choose proper hostname
  • Join domain
  • Prestage the computer account
  • IP-HTTPS
  • DA must be a remote access platform and nothing else
  • Don’t use the Getting started wizard … + reasons (see chapter 1 of book)
  • Run the full Remote Access Setup Wizard
  • Create your own GPOs (ch.2)
  • Do not host the NLS website on the DA server
  • Set Teredo to Enterprise client
  • Use DNS Round Rbin for DA CLuster (ch.3)
  • Set client side firewall rules for each protocol needed (ch.3)
  • … (and so on)…

Furthermore, in the technical section in the book you won’t find any links to useful references, although there are plenty of opportunities to put in added value, again.

PacktPub has extremely good books that support this book:

  1. Windows Server 2012 Unified Remote Access Planning and Deployment
  2. Microsoft Forefront UAG 2010 Administrator’s Handbook
  3. Mastering Microsoft Forefront UAG 2010 Customization

Sorry, correction, the commercial part at the end refers to one of them.
But that’s not the author’s credit.

    There is a massive amount of additional reading and in depth material out-there, which the author could refer to. I’ll come to that in a second (cfr NRPT)
    I would love to get some insight in the list of hyperlinks the author frequently uses regarding this topic. Show me your favorites, man!
      The author explicitly targets existing DA administrators and “anyone interested in learning more about the technology before diving in for themselves”.

    But the index at the end of the book is missing essential acronym definitions.

    It would be nice to give the explanation with the acronym, like

    DIP, see Dedicated IP, 62,85
    UAG, see Unified Access Gateway, 36
    NRPT,see Name Resolution Policy Table, 50
    NAT, see Network Address Translation, 35-37
    GSW, see Getting Started Wizard

    One stunning example is NRPT, which is frequently touched in the book, but never explained.

    Even in the simplest case a reference to some useful resources would have helped, like:

      So, I’m hoping that Packt Pub will fix the gap.

    Despite, I still consider the Microsoft DirectAccess Best Practices and Troubleshooting book as a quick reference and a companion guide for Direct Access Administrators.

    An additional (online) reference list will make this book on DirectAccess rock, like Jordan kicks off with on page 1.

    And why not building that online reference on Technet Wiki?

    Note to the layout team: a small detail to make it complete: when you use justified layout (left and right aligned), that would make the book more polished.

    Note-to-self: useful links when you need to add 3rd party certs to the NTAuth store

    For Win2003:

    How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
    http://support.microsoft.com/kb/295663/en

    For Win 2008, Windows Server 2012:

    Add Published Certificates to Active Directory Containers
    http://technet.microsoft.com/en-us/library/cc731612.aspx

    “If a CA certificate is not added automatically when the new CA is created, such as a stand-alone CA created by a user who is not a member of the Enterprise Admins group, the CA certificate can still be added manually to the NTAuthCertificates container.

    This process can also be used to add the CA certificate of a non-Microsoft CA that has been used to issue smart card logon or domain controller certificates. By publishing these CA certificates to the Enterprise NTAuth store, the administrator indicates that the CA is trusted to issue certificates of these types.

    Using Enterprise PKI: http://technet.microsoft.com/en-us/library/cc754963.aspx

    Install the Enterprise PKI Console: http://technet.microsoft.com/en-us/library/cc771085.aspx