Thursday, June 30, 2011

Configure Windows boxes to forward and collect events

http://technet.microsoft.com/en-us/library/cc748890.aspx


Event Forwarding
MS finally improved Event Viewer a bit, and this is the feature I like most: event subscriptions, which let you log events from many machines to a single remote collector. There are two types of subscription: source-initiated and collector-initiated.
Using Event Forwarding requires configuring both the source and collector computers: the Windows Remote Management (WinRM) service on every source and the Windows Event Collector service on the collector (WinRM on the collector as well, since the sources talk WS-Management to it).
Source-initiated subscriptions: the subscription is created on the collector without naming the event source computers; any number of source computers can then be pointed at the collector, and that part is done through Group Policy.
Collector-initiated subscriptions: the subscription is created on the collector by specifying each source computer by name.
Steps:
Collector-initiated subscriptions:
1.       On each source computer, at an elevated command prompt, type: winrm quickconfig
2.       On the collector computer (the destination), at an elevated command prompt, type: wecutil qc
3.       Add the computer account of the collector computer to the local Administrators group on each of the source computers.
Adding the collector's computer account to the "Event Log Readers" group instead is enough for reading the logs, and it is far less privilege than Administrators. I love the command sets; you can try this on each source (the account is the collector's computer account in DOMAIN\NAME$ form):
net localgroup "Event Log Readers" <domain_name>\<computer_name>$ /add
4.       Add the NETWORK SERVICE account to the local "Event Log Readers" group on each of the source computers, otherwise the Security log cannot be forwarded.

Source-initiated subscriptions:
The subscription is created on the collector with the source list left empty (subscription type SourceInitiated in the Event Viewer wizard or in the wecutil cs configuration file), and the source computers are pointed at the collector through Group Policy: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, with a value such as Server=http://<collector_fqdn>:5985/wsman/SubscriptionManager/WEC,Refresh=60. The sources still need WinRM enabled (winrm quickconfig) and NETWORK SERVICE in Event Log Readers, as above.

Unrelated to subscriptions, you can also query or manage a remote event log directly with wevtutil:
wevtutil <command> /r:<remote_computer_name> /u:<user_name> /p:<password>
NOTE: You must enable the Remote Event Log Management exception in Windows Firewall on the remote computer to which you want to connect.
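The collector-initiated procedure above, scripted end to end, as an added example that is not from the original post or from Microsoft's documentation. It runs on the collector, writes the subscription configuration file that wecutil cs expects, subscribes to logon success and failure events (4624/4625) from the Security log of each source, and then prints the per-source runtime status. The host names src01/src02 and the domain itengineer.local are placeholders; the source-side commands are repeated in comments because they still have to be run on each source.

```powershell
# Added example (not from the original post): create a collector-initiated
# subscription on the collector with wecutil. Assumed placeholders: the two
# source hosts, the domain and the subscription ID.
#
# On EACH SOURCE, elevated, before running this on the collector:
#   winrm quickconfig -q
#   net localgroup "Event Log Readers" ITENGINEER\<collector_name>$ /add
#   net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

$sources = @("src01.itengineer.local", "src02.itengineer.local")   # assumed source hosts
$subId   = "LabLogons"                                              # assumed subscription ID

# Collector side: enable and start the Windows Event Collector service quietly.
wecutil qc /q:true
if ($LASTEXITCODE -ne 0) { throw "wecutil qc failed ($LASTEXITCODE)" }

# Same XPath query the Event Viewer filter dialog shows on its XML tab.
$query = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select></Query></QueryList>'

# One <EventSource> element per source computer.
$sourceXml = ($sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`n"

# CredentialsType Default = the collector's computer account, which is why that
# account has to be in Event Log Readers (or Administrators) on every source.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon success/failure events from lab servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@

$configPath = Join-Path $env:TEMP "$subId.xml"
$subscription | Set-Content -Path $configPath -Encoding ASCII

# Create the subscription from the file, then show its runtime status.
wecutil cs $configPath
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed ($LASTEXITCODE)" }

# Each source is listed as Active, Trying or Disabled. "Trying" with an access
# denied error almost always means the collector's computer account is not yet
# in Event Log Readers on that source.
wecutil gr $subId
```

Forwarded events land in the collector's ForwardedEvents log; if a source stays in the Trying state, run the two net localgroup lines from the comment on that source and check again with wecutil gr.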

Monday, June 20, 2011

Manual backup and restore of a CA

Apparently we can achieve a CA backup through two methods: Windows Server Backup, and a manual backup using the Certification Authority console or certutil.exe. Let's call the Certification Authority console and certutil.exe methods Manual Backup.
What I will cover here:
1.       Performing manual backups
2.       Restoring manual backups
3.       What's next
Before we start, I would like to give you some background. Recently I tried to join my offline Root CA to the domain and reuse the VM for my lab testing, but found out I couldn't do it because the AD CS role was installed. So I did this Certification Authority backup and restore: backup, remove the AD CS role, join the machine to AD, then restore the offline Root CA. I tested the online issuing CA and it works exactly as if nothing had happened.
The following paragraphs are quoted from "Windows Server 2008 PKI and Certificate Security" by Brian Komar.

Performing Manual Backups


Manual backups can be performed from either the Certification Authority console or the command line by using the certutil.exe command.

Using the Certification Authority Console

Use the following procedure to perform the backup:

1.       From the Start menu, point to Administrative Tools, and then click Certification Authority.
2.       In the console tree, ensure that Certificate Services is running.
3.       In the console tree, right-click CAName, point to All Tasks, and then click Backup CA.
4.       On the Welcome To The Certification Authority Backup Wizard page, click Next.
5.       On the Items To Backup page, select from the following options:
• Private Key And CA Certificate: includes the CA's certificate and private key(s) in the backup set. Select this check box only if you are using a software CSP. If you are using a hardware CSP, leave this check box cleared.
• Certificate Database And Certificate Database Log: always select this check box to ensure that the CA database and log files are included in the backup set.
• Perform Incremental Backup: this check box is not usually selected. Full backups of the CA database and log files are recommended instead.
• Backup To This Location: select a folder on the local file system that does not contain any existing data.
6.       If the Certification Authority Backup Wizard dialog box appears, click OK to create the location designated on the Items To Backup page.
7.       If you chose to back up the private key and CA certificate, on the Select A Password page type and confirm a password to protect the PKCS #12 file generated by the backup procedure, and then click Next.
8.       On the Completing The Certification Authority Backup Wizard page, click Finish.

The backup location then contains a *.p12 file: the PKCS #12 backup of the CA's certificate and private key.

Certutil Commands


1.       Open a command prompt.
2.       At the command prompt, type net start certsvc to ensure that Certificate Services is running.
3.       Create a folder that will contain the results of the manual backup of the CA database, for example C:\CABackup.
4.       At the command prompt, type certutil -backup C:\CABackup -p password, and then press Enter.
5.       At the Enter New Password prompt, type a complex password, and then press Enter.
6.       At the Confirm New Password prompt, type the same password again, and then press Enter.
7.       When the backup is complete, ensure there are no error messages, and then close the command prompt.


To back up only the CA database, a backup operator can use the -backupdb option: at the command prompt, type certutil -backupdb C:\CABackup.
To back up only the CA's key pair, use the -backupkey option, which backs up the CA's private key and public key to a PKCS #12 file: certutil -backupkey C:\CABackup


Restoring a Manual Backup

Before you do the restore, make sure all the backups you made earlier are available on the CA, and import the backup's .p12 file into the local computer's Personal store before reinstalling the role: the Use Existing Private Key page below can only select a certificate and key that are already present on the machine.

Reinstalling Certificate Services



1.       On the Set Up Private Key page, click Use Existing Private Key, and select the Select A Certificate And Use Its Associated Private Key check box. The cryptographic service provider (CSP) is automatically set to the CSP used to generate the existing private key.
2.       On the Configure Certificate Database page, set the storage locations to the same database and log locations used by the original CA (same drive letters).

Restoring Manual Backups

A manual backup, whether it was created with certutil or the Certification Authority console, can be restored by using the Certification Authority console, using the following procedure:
1.    From the Start menu, point to Administrative Tools, and then click Certification Authority.
2.    In the console tree, click CAName.
3.    In the console tree, right-click CAName, point to All Tasks, and then click Restore CA.
4.    In the Certification Authority Restore Wizard, click OK to stop Certificate Services during the restore procedure.
5.    On the Welcome To The Certification Authority Restore Wizard page, click Next.
6.    On the Items To Restore page, select the Certificate Database And Certificate Database Log check box. If required, select the Certificate Key and CA Certificate check boxes, and then click Browse.
7.    In the Browse For Folder dialog box, select the folder that contains the manual backup files, and then click OK.
8.    On the Items To Restore page, click Next.
9.    On the Completing The Certification Authority Restore Wizard page, click Finish.
10.  In the Certification Authority Restore Wizard dialog box, click Yes.
11.  Verify that Certificate Services starts successfully.


What's next

Import the CRL file on the online CA and restart the AD CS service; the service started, so everything is back to normal.
My question here is: I always manually copy the CRL file from the offline server to the online CA and run certutil -addstore -f Root "*.crl". Is there an easier way to do this?

Sunday, June 12, 2011

EasyVPN+NAT/PAT


To boot up my lab machines anywhere, anytime, securely, the solution is a VPN into home, then waking the machines up over the Internet with a WOL magic packet.
Cisco 877W, wireless configured, DSL Internet, NAT/PAT so that all my machines get access to the Internet.

The following are the key settings on my router. The pieces that matter: the Easy VPN server is the isakmp client configuration group LEO_WENLU, the isakmp profile VPNclient and the dynamic crypto map VPN_MAP applied to Dialer0; VPN clients get addresses from VPN_POOL1 (192.168.117.128-191, carved out of the Vlan200 subnet and kept out of DHCP by the excluded-address lines), and reverse-route injects routes for them; NAT_ACL drives PAT on Dialer0 and exempts LAN traffic to the VPN pool and to the other 192.168.x networks; the VPN_CLIENT route-map on Dialer0 policy-routes decrypted client traffic to the Loopback0 next hop (10.11.0.2) so that it goes through NAT on its way back out to the Internet; and ip directed-broadcast on Vlan200 is what lets a packet sent to 192.168.117.255 (a WOL magic packet from a VPN client) be forwarded as a broadcast onto the VLAN where the sleeping machines are. A few things to note before copying this: VPN_SPLIT_TUNNEL is defined but never referenced under the client configuration group (there is no acl line), so clients are full-tunnel and the list is unused; no service password-encryption leaves the PPP password in clear text in the config, and type-5 secrets are MD5-based and crackable offline, so never publish real ones; isakmp policy 20 uses MD5 for hashing and both policies use DH group 2 with 3DES in the transform set, which is weak; save-password caches the group key on the clients; and ip directed-broadcast should be limited with an access list (ip directed-broadcast <acl>) so that only the WOL traffic is forwarded, since directed broadcasts are otherwise an amplification vector.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging reload informational
enable secret 5 $1$2AJ5$yF2kRiSSfesmnaoHFkA1l1
!
aaa new-model
!
aaa authentication password-prompt "Enter your Password:"
aaa authentication login default local
aaa authentication login VPN_LOGIN local
aaa authorization network VPN_NETWORK local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1438064445
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1438064445
 revocation-check none
 rsakeypair TP-self-signed-1438064445
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.112.200 192.168.112.254
ip dhcp excluded-address 192.168.118.200 192.168.118.254
ip dhcp excluded-address 192.168.117.1 192.168.117.100
ip dhcp excluded-address 192.168.117.128 192.168.117.254
ip dhcp excluded-address 192.168.117.0 192.168.117.63
!
ip dhcp pool Wireless
   network 192.168.114.0 255.255.255.0
   default-router 192.168.114.254
   dns-server 203.12.160.35 203.12.160.36
!
ip dhcp pool vlan200-pool
   network 192.168.117.0 255.255.255.0
   dns-server 203.12.160.35 203.12.160.36
   default-router 192.168.117.254
!
!
ip cef
ip domain name XXXX
ip name-server X.X.X.X
!
multilink bundle-name authenticated
!
username lee privilege 15 secret 5 $1$DqMx$5Pzwo10Aidt2/gtVNkrn2/
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 hash md5
 group 2
crypto isakmp client configuration address-pool local VPN_POOL1
!
crypto isakmp client configuration group LEO_WENLU
 key YOURKEY
 domain itengineer.local
 pool VPN_POOL1
 save-password
crypto isakmp profile VPNclient
   description This is my VPN Client Pro.
   match identity group LEO_WENLU
   client authentication list VPN_LOGIN
   isakmp authorization list VPN_NETWORK
   client configuration address respond
!
!
crypto ipsec transform-set TRAN_3DES esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_MAP 10
 set transform-set TRAN_3DES
 reverse-route
!
!
crypto map VPN_MAP isakmp authorization list VPN_NETWORK
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_MAP
!
ip ssh time-out 30
ip ssh version 2
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip broadcast-address 10.11.0.255
 ip nat inside
 ip virtual-reassembly
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
 switchport access vlan 200
!
interface FastEthernet2
 switchport access vlan 200
!
interface FastEthernet3
 switchport access vlan 200
!
interface Vlan1
 description $ES_LAN$
 no ip address
 ip broadcast-address 192.168.113.255
 shutdown
!
interface Vlan100
 ip address 192.168.112.254 255.255.255.0
 ip broadcast-address 192.168.112.255
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan200
 ip address 192.168.117.254 255.255.255.0
 ip broadcast-address 192.168.117.255
 ip directed-broadcast
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan300
 ip address 192.168.113.254 255.255.255.0
 ip broadcast-address 192.168.113.255
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no cdp enable
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip policy route-map VPN_CLIENT
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname XXX@XXX.XXX
 ppp chap password 0 XXX
 ppp pap sent-username XXX@XXX.XXX 0 XXX
 crypto map VPN_MAP
!
ip local pool VPN_POOL1 192.168.117.128 192.168.117.191
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
ip nat inside source list NAT_ACL interface Dialer0 overload
ip nat inside source static tcp X interface Dialer0 X
ip nat inside source static tcp 192.168.117.1 443 interface Dialer0 443
!
ip access-list extended NAT_ACL
 deny   ip 192.168.117.0 0.0.0.127 192.168.117.128 0.0.0.63
 deny   ip 192.168.117.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny   ip host 192.168.117.12 any
 deny   ip 192.168.0.0 0.0.255.255 192.168.119.0 0.0.0.255
 permit ip 192.168.117.0 0.0.0.255 any
 permit ip 192.168.113.0 0.0.0.255 any
 permit ip 192.168.114.0 0.0.0.255 any
!
ip access-list extended VPN_IP
 permit ip 192.168.117.128 0.0.0.63 any
ip access-list extended VPN_SPLIT_TUNNEL
 permit ip 192.168.117.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.114.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.112.0 0.0.0.255 192.168.200.0 0.0.0.255
!
logging trap notifications
!
route-map VPN_CLIENT permit 10
 match ip address VPN_IP
 set ip next-hop 10.11.0.2
!
!
control-plane
!
bridge 10 protocol ieee
bridge 10 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
!
scheduler max-task-time 5000
end
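The wake-up side of the setup above, as an added example that is not part of the original post: a PowerShell function that builds a Wake-on-LAN magic packet (six 0xFF bytes followed by the target MAC repeated sixteen times, 102 bytes in total) and sends it as UDP to the directed-broadcast address of Vlan200. The broadcast address 192.168.117.255 comes from the config above; the MAC address in the usage line is a made-up placeholder, port 9 is the conventional WOL port, and the function is assumed to run on a client that is already connected through the Easy VPN, so that the router's ip directed-broadcast on Vlan200 turns the packet into a LAN broadcast.

```powershell
# Added example (not from the original post): send a Wake-on-LAN magic packet
# through the VPN to the Vlan200 directed-broadcast address. The router must
# forward directed broadcasts on that VLAN (ip directed-broadcast), as in the
# config above. Port 9 and the MAC in the usage line are assumptions.
function Send-MagicPacket {
    param(
        [Parameter(Mandatory = $true)][string]$MacAddress,   # "00-11-22-33-44-55" or "00:11:22:33:44:55"
        [string]$Broadcast = "192.168.117.255",              # Vlan200 directed-broadcast address
        [int]$Port = 9
    )

    # Parse the MAC into six bytes; reject anything that is not six hex octets.
    $macBytes = $MacAddress -split '[:-]' | ForEach-Object { [Convert]::ToByte($_, 16) }
    if ($macBytes.Count -ne 6) { throw "MAC address must have six octets: $MacAddress" }

    # Magic packet layout: 6 x 0xFF synchronisation stream, then the MAC 16 times.
    $header = @([byte]0xFF) * 6
    [byte[]]$packet = $header + ($macBytes * 16)
    if ($packet.Length -ne 102) { throw "Unexpected packet length $($packet.Length)" }

    # Send as a UDP broadcast; the router turns it into a Vlan200 broadcast.
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $sent = $udp.Send($packet, $packet.Length, $Broadcast, $Port)
    } finally {
        $udp.Close()
    }
    return $sent   # number of bytes handed to the socket (102 on success)
}

# Usage (placeholder MAC of a lab machine on Vlan200):
Send-MagicPacket -MacAddress "00-11-22-33-44-55"
```

The NIC on the target must have WOL enabled in its driver and BIOS; the packet itself carries no authentication, which is one more reason to keep the directed-broadcast rule on the router restricted to VPN sources.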

Sunday, June 5, 2011

PKI deployment

I am planning to set up a whole PKI environment to secure my wireless, routers, user accounts, VPN, EFS, etc.
So far, what I did:

Offline Root CA on a standalone Win2k8 R2 machine.
Online (issuing) CA. The following are the steps:

1. Offline Root CA
      A. Give it a good name.
      B. Remember it's offline, so it's much more secure; a backup of the root certificate and its private key is very important.
      C. Root CRL: we need a way to copy the root CRL across to all online CAs, and make sure it is reachable at the CDP and is refreshed before it expires.

2. Online CA
     A. It's a good idea to set up an Enterprise CA if you have an AD environment, so joining the machine to the domain is the first step, I reckon. Correct the computer name before you install and set up the CA: neither the computer name nor the domain membership can be changed once the AD CS role is installed.
     B. Install the requested Certificate Services role, choose Enterprise CA, so that it publishes to AD.

  •             On the Request Certificate From A Parent CA page, save the request file to USB or DVD, for example therequest.req.

     C. Publish/install the Root CA's certificate and CRL on the online CA
           Install (local computer store):
              certutil -addstore -f Root  "*.crt"
              certutil -addstore -f Root  "*.crl"
           Publish to the domain (RootCA publishes the root certificate to the Certification Authorities container, SubCA publishes the issuing CA's certificate to the AIA container):
              certutil -dspublish -f "*.crt" RootCA
              certutil -dspublish -f "*.crt" SubCA
              certutil -dspublish -f "*.crl"
     D. Issue the CA certificate on the offline root from the request file obtained in step B, and install it on the online CA machine.

  •       Export the issued certificate from the offline CA in .P7B format (Cryptographic Message Syntax Standard, PKCS #7 Certificates), for instance onlineca.p7b, so that the root certificate is included in the chain.
  • On the online CA, install onlineca.p7b, then start the Certificate Service.
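Step 2C above and the question at the end of the June 20 post (copying the root CRL to the online CA and running certutil -addstore by hand every time) are the same job, so here is one script for both, as an added example that is not from the original posts. It takes the .crt and .crl files copied from the offline root, shows each CRL's ThisUpdate/NextUpdate window first (publishing an already expired CRL is the usual reason the issuing CA still refuses to start), installs them in the local Root store, publishes them to AD with certutil -dspublish, optionally copies the CRL to an HTTP CDP folder, and finally verifies the issuing CA's own certificate the way a client would. The source folder E:\, the CDP folder, and the CertEnroll path of the issuing CA's certificate are assumptions; certutil -dspublish needs rights to write to the configuration partition (Enterprise Admins by default).

```powershell
# Added example (not from the original posts): publish an offline root CA's
# certificate and CRL on the online CA in one go. Assumed: files copied from
# the offline root to E:\, run elevated on the domain-joined issuing CA by an
# account that can write the PKI containers in AD (Enterprise Admins).
param(
    [string]$SourceDir = "E:\",   # assumed removable drive from the offline root
    [string]$CdpFolder = ""       # optional HTTP CDP folder, e.g. C:\inetpub\wwwroot\pki (assumed)
)

function Invoke-Certutil {
    # Run certutil with the given arguments and fail loudly on a non-zero exit code.
    param([string[]]$Arguments)
    & certutil.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Root certificate(s): local Root store plus the AD Certification Authorities container.
Get-ChildItem -Path $SourceDir -Filter *.crt | ForEach-Object {
    $file = $_
    Invoke-Certutil -Arguments "-addstore", "-f", "Root", $file.FullName
    Invoke-Certutil -Arguments "-dspublish", "-f", $file.FullName, "RootCA"
    Write-Host "Published certificate $($file.Name)"
}

# Root CRL(s): print the validity window, then install and publish.
Get-ChildItem -Path $SourceDir -Filter *.crl | ForEach-Object {
    $file = $_
    $window = & certutil.exe -dump $file.FullName | Select-String -Pattern 'ThisUpdate|NextUpdate'
    $text = ($window | ForEach-Object { $_.Line.Trim() }) -join '; '
    Write-Host "$($file.Name): $text"
    # A CRL past NextUpdate will not help; regenerate it on the offline root
    # (certutil -CRL there) and copy it again instead of publishing this one.
    Invoke-Certutil -Arguments "-addstore", "-f", "Root", $file.FullName
    Invoke-Certutil -Arguments "-dspublish", "-f", $file.FullName
    if ($CdpFolder) { Copy-Item -Path $file.FullName -Destination $CdpFolder -Force }
    Write-Host "Published CRL $($file.Name)"
}

# Check from the issuing CA's point of view: build the chain of its own
# certificate and fetch the CDP/AIA URLs exactly as a client would.
$enroll = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll"   # default location, assumed unchanged
$caCert = Get-ChildItem -Path $enroll -Filter *.crt | Select-Object -First 1
if ($caCert) {
    & certutil.exe -verify -urlfetch $caCert.FullName
    if ($LASTEXITCODE -ne 0) { Write-Warning "Chain or revocation check of $($caCert.Name) failed" }
}
```

If the final verification reports a revocation problem, the root's CRL is not where the issuing CA certificate's CDP extension points; fix the CDP location (or the AD publish) before starting certsvc again.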