Blog - Title

April, 2008

  • Office 2007 Group Policy - Loads of useful, free stuff released

    Hi, Ned here again. The Microsoft Office 2007 product group has released a terrific new whitepaper that covers the ins and outs of deploying Group Policy settings for Office 2007, and they asked that we share the love with you here from AskDS.

    The whitepaper covers (in 187 exhaustive pages) recommendations and how-to info for Planning, Deployment, Operations, and a complete technical reference. This guide is actually a subset of the even more massive 2007 Office Resource Kit.

    You can download the Group Policy for Office 2007 guide from here.

    And while this is linked in the document, there's also a complete set of ADM, ADMX, and ADML group policy templates available.

    You can download the ADM/ADMX/ADML templates from here.

    Finally, you may also want to grab the 2007 Office Security Guide. This whitepaper covers the aspects of security that are often overlooked - document security once it leaves your safe and secure file servers. Confidentiality, integrity, and availability are the watchwords here. It has a number of tie-ins to Group Policy as well.

    You can download the Office 2007 Security Guide from here.

    Keep in mind that these templates and Office Group Policy are supported by the Office teams. In Directory Services, we support you getting the policies onto your users and machines - it's up to the component affected to have it actually work as expected. But I figured if you read this blog, you probably care about GP. :-)

    If you want to get more info on the Office suite and stay in the MS blog-o-sphere, check out:

    http://blogs.technet.com/office_resource_kit/
    http://blogs.msdn.com/microsoft_office_word/
    http://blogs.msdn.com/excel/
    http://blogs.msdn.com/outlook/
    http://blogs.msdn.com/access/
    http://blogs.msdn.com/officedevdocs/
    http://blogs.msdn.com/officerocker/

    Dang, that's a lot of links. Nice work, Office folks.

    - Ned Pyle

  • Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates

    Introduction

    Hello, this is Jonathan from the Directory Services team.

    The Network Device Enrollment Service (NDES) is one of the role services of the Active Directory Certificate Services (ADCS) role. It implements the Simple Certificate Enrollment Protocol (SCEP). SCEP defines the communication between network devices and a Registration Authority (RA) for certificate enrollment.

    When the NDES role is added, it automatically requests two certificates that it uses as part of its functionality. The first is an Exchange Enrollment Agent certificate; the other is a CEP Encryption certificate. In both cases, the private keys associated with these certificates are not exportable, so it is difficult to share the certificates amongst multiple instances of the RA.

    This document describes the steps necessary to replace the original certificates requested during the install of the role with a new set of certificates requested manually afterwards. As part of the manual request process, the Administrator can specify that the private keys be exportable, which makes it possible to share the certificates and keys amongst multiple servers.

    While this is not recommended, it is assumed that the risks associated with this practice (an exportable RA key can be copied off the server and used elsewhere) are understood and accepted by the Administrator.

    Finally, this document assumes that the issuing CA is running Microsoft Windows Server 2008 Active Directory Certificate Services in Enterprise mode.

    Process Overview

    The first step in the process is to remove the original certificates from the server. Next, new certificates will be requested from the CA and installed in the Local Computer Personal store. After that, the permissions on the new private keys will be modified to permit the SCEP Agent account specified during role install access to the private keys. Finally, the IIS service will be reset. NDES will locate the new certificates when it receives the first SCEP request from a network device.

    Removing the Original Certificates

    After the NDES role is installed, there will be two certificates in the Local Computer Personal store issued to the NDES Registration Authority. The name of the RA is constructed like so:

    %COMPUTERNAME%-MSCEP-RA

    These certificates should be revoked on the CA and removed from the server. Simply deleting the certificates from the Local Computer Personal store is enough for NDES to stop using them, but Windows stores private keys separately from the associated certificate, so deleting only the certificates leaves orphaned private keys on the server. It is good practice to delete the private keys first, and then remove the associated certificates.

    The first step is to identify the private keys. NDES does not support the new Crypto Next Generation (CNG) Cryptographic Service Providers (CSP) introduced in Windows Server 2008. Instead, it uses the legacy CryptoAPI (CAPI) providers. The default Windows CAPI CSPs store private keys encrypted in the file system. You can use the following method to locate the encrypted key files so that you can delete them.

    Locating Private Keys

    The private key files for certificates issued to the Local Computer are located in the following directory:

    %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys

    ProgramData is a hidden system directory so you must be a local Administrator to perform this task. Once you have opened the directory, you then need to determine which of the files contained therein is associated with the certificate you wish to remove. This is easily accomplished using certutil.exe.

    Certutil can be used to enumerate the certificates in the Local Computer Personal store and display the associated key container. The unique container name it reports will match the name of the key file in the directory mentioned above. Please note, non-Microsoft CSPs may not behave in this manner since key storage implementations can vary from vendor to vendor, but the behavior is consistent amongst the Microsoft default CAPI CSPs.

    The following command will search the Local Computer Personal store for all certificates issued to the RA and display the key container name.

    for /f "tokens=*" %i in ('certutil -store MY %COMPUTERNAME%-MSCEP-RA') do @echo %i | findstr /i /c:"Unique container name"

    The above command line has been wrapped, but it should be entered on one line in the command prompt. It uses the for command to step through each line of the certutil.exe output and pipe each line to the findstr.exe command. Findstr looks for the string "Unique container name" and prints the line to the command prompt if it is found. Any line that does not contain that string is ignored.

    The actual container names will vary from machine to machine, but the output should look similar to the following:

    Unique container name: 355b8e247af95b2340ba226a6bc25ab5_cde5adfd-972a-420b-986e-e40fef6ea415
    Unique container name: bc1fa1b6c3c724366bcb30b581f4280f_cde5adfd-972a-420b-986e-e40fef6ea415

    Deleting the Original Private Keys

    Putting everything together, you would delete the following files:

    %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys\355b8e247af95b2340ba226a6bc25ab5_cde5adfd-972a-420b-986e-e40fef6ea415

    %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bc1fa1b6c3c724366bcb30b581f4280f_cde5adfd-972a-420b-986e-e40fef6ea415

    Once the private keys have been deleted, you can simply delete the certificates in the Local Computer Personal store issued to NDES RA (%COMPUTERNAME%-MSCEP-RA).

    Requesting New Certificates

    The next step in the process is to request new certificates from the CA to be used by the NDES RA. The following steps will use certreq.exe to create and submit the certificate request, and to retrieve and install the issued certificate. Let's start with the Exchange Enrollment Agent certificate.

    Requesting the Exchange Enrollment Certificate

    First, you'll need to create an .INF file containing information that certreq.exe will use to generate the request. A sample ws08_ndes_sign.inf is included below.

    ; FileName: ws08_ndes_sign.inf
    ; Purpose: Windows Server 2008 Network Device Enrollment Service Enrollment
    ;          Agent certificate request .INF file for certreq.exe.
    ;
    ; Command Line to generate request:
    ;      certreq -f -new ws08_ndes_sign.inf ws08_ndes_sign.req
    ;
    ;           -f   : force overwrite of existing
    ;                  ws08_ndes_sign.req file
    ;           -new : generate new request
    ;
    ; Note: This file will produce a warning because the EnrollmentAgentOffline
    ;       certificate template was designed to be requested in the User
    ;       context rather than the Machine context. When prompted, just accept
    ;       the warning and move on. 
    ;
    ; Description: This .INF file creates the request for the MSCEP Registration
    ;              Authority (RA) Signing certificate. This certificate
    ;              is required in order to sign requests submitted by the MSCEP-RA
    ;              to the Certification Authority (CA) on behalf of the network
    ;              device.
    ;
    [NewRequest]
    ; Subject must be included in the file
    ; The Subject name should be somewhat descriptive. A good format is
    ; %COMPUTERNAME%-MSCEP-RA. Modify the Subject to fit your environment.
    ;
    Subject = "CN=WS08SRV03-MSCEP-RA,OU=Accounting,O=Contoso,L=Redmond,S=Washington,C=US"
    Exportable = TRUE
    KeyLength = 1024
    KeySpec = 2
    KeyUsage = 0x80
    MachineKeySet = TRUE
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    ProviderType = 1

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.4.1.311.20.2.1

    [RequestAttributes]
    CertificateTemplate = EnrollmentAgentOffline

    Once the ws08_ndes_sign.inf file has been created you use certreq.exe to generate the request, submit it to the CA, retrieve the issued certificate, and then install it. Follow these steps to accomplish these tasks:

    1. Open the command prompt and change to the directory that contains the file ws08_ndes_sign.inf.
    2. Run the following command:

      certreq -f -new ws08_ndes_sign.inf ws08_ndes_sign.req

      This command will generate the certificate request and save it as ws08_ndes_sign.req. If you see the warning dialog that states "User context template conflicts with machine context", click Ok. This warning can be ignored. Please review the sample ws08_ndes_sign.inf file for more information on the switches in the command line above.
    3. Next, run the following command:

      certreq -submit ws08_ndes_sign.req ws08_ndes_sign.cer

      You will be prompted to select to which CA the request should be submitted. Once that is done, the request will be submitted and the issued certificate will be retrieved and saved as ws08_ndes_sign.cer.
    4. Finally, run the following command:

      certreq -accept ws08_ndes_sign.cer

      This command imports the new certificate and places it in the Local Computer Personal store.

    Figure 1 below shows the commands described above and the expected output.


    Figure 1

    Requesting the CEP Encryption Certificate

    Next you’ll need to request the CEP Encryption certificate. As with the Exchange Enrollment Agent certificate, you will need to create an .INF file that contains information that certreq.exe will use to generate the request. A sample ws08_ndes_xchg.inf file is included below.

    ; FileName: ws08_ndes_xchg.inf
    ; Purpose: Windows Server 2008 Network Device Enrollment Service Request
    ;          Agent certificate request .INF file for certreq.exe.
    ;
    ; Command Line to generate request:
    ;      certreq -f -new ws08_ndes_xchg.inf ws08_ndes_xchg.req
    ;
    ;           -f   : force overwrite of existing
    ;                  ws08_ndes_xchg.req file
    ;           -new : generate new request
    ;
    ; Description: This .INF file creates the request for the MSCEP Registration
    ;              Authority (RA) Request Agent certificate. This certificate
    ;              is required to authenticate the RA to the CA in order to submit
    ;              requests on behalf of the network device.
    ;

    [NewRequest]

    ; Subject must be included in the file
    ; The Subject name should be somewhat descriptive. A good format is
    ; %COMPUTERNAME%-MSCEP-RA. Modify the Subject to fit your environment.

    Subject = "CN=WS08SRV03-MSCEP-RA,OU=Accounting,O=Contoso,L=Redmond,S=Washington,C=US"

    Exportable = TRUE
    KeyLength = 1024
    KeySpec = 1
    KeyUsage = 0x20
    MachineKeySet = TRUE
    ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
    ProviderType = 12

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.4.1.311.20.2.1

    [RequestAttributes]
    CertificateTemplate = CEPEncryption

    Once the ws08_ndes_xchg.inf file has been created you use certreq.exe to generate the request, submit it to the CA, retrieve the issued certificate, and then install it. Follow these steps to accomplish these tasks:

    1. Open the command prompt and change to the directory that contains the file ws08_ndes_xchg.inf.
    2. Run the following command:

      certreq -f -new ws08_ndes_xchg.inf ws08_ndes_xchg.req

      This command will generate the certificate request and save it as ws08_ndes_xchg.req. Please review the sample ws08_ndes_xchg.inf file for more information on the switches in the command line above.
    3. Next, run the following command:

      certreq -submit ws08_ndes_xchg.req ws08_ndes_xchg.cer

      You will be prompted to select to which CA the request should be submitted. Once that is done, the request will be submitted and the issued certificate will be retrieved and saved as ws08_ndes_xchg.cer. 
    4. Finally, run the following command:

      certreq -accept ws08_ndes_xchg.cer

      This command imports the new certificate and places it in the Local Computer Personal store.

    Figure 2 below shows the command described above and the expected output.


    Figure 2

    Verifying the New Certificates

    You can now run the following command to verify that both certificates have been installed in the Local Computer Personal store:

    certutil -store My %COMPUTERNAME%-MSCEP-RA

    The output should look similar to the following:

    My
    ================ Certificate 0 ================
    Serial number: 6148326f0000000000004
    Issuer: CN=corp-WS08SRV02-CA, DC=corp, DC=contoso, DC=com
    NotBefore: 3/22/2008 2:33 PM
    NotAfter: 3/22/2010 2:33 PM
    Subject: CN=WS08SRV03-MSCEP-RA, OU=Accounting, O=Contoso, L=Redmond, S=Washington, C=US
    Certificate Template Name (Certificate Type): EnrollmentAgentOffline
    Non-root Certificate
    Template: EnrollmentAgentOffline, Exchange Enrollment Agent (Offline Request)
    Cert Hash(sha1): fc 09 33 fb 72 cc 0d 51 0d 42 ff 08 4f 18 ea 79 c1 f2 85 85
      Key Container = Certreq-EnrollmentAgentOffline-5090c814-cc5b-45c4-b9cd-7b87db7ff38b
      Unique Container Name: 8672d6c619559d9466ab1f1de69e5c80_33b038e1-2695-46eb-97b7-6eafe8518f17
      Provider = Microsoft Enhanced Cryptographic Provider v1.0
    Signature test passed

    ================ Certificate 1 ================
    Serial number: 6148326f0000000000005
    Issuer: CN=corp-WS08SRV02-CA, DC=corp, DC=contoso, DC=com
    NotBefore: 3/22/2008 2:48 PM
    NotAfter: 3/22/2010 2:48 PM
    Subject: CN=WS08SRV03-MSCEP-RA, OU=Accounting, O=Contoso, L=Redmond, S=Washington, C=US
    Certificate Template Name (Certificate Type): CEPEncryption
    Non-root Certificate
    Template: CEPEncryption, CEP Encryption
    Cert Hash(sha1): a5 6e 8c 36 76 a3 cb 5d d9 bb 7b 23 bd e7 ef da 65 0a 8c 9a
      Key Container = Certreq-CEPEncryption-32a4aa85-182f-49a4-93a2-8e359ee8048f
      Unique Container Name: a6dd6175f9ff03e39a787aeb02a2d5a7_33b038e1-2695-46eb-97b7-6eafe8518f17
      Provider = Microsoft RSA Schannel Cryptographic Provider
    Encryption test passed
    Certutil: -store command completed successfully.
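    An added example (not the post's own tooling) that covers the "Locating Private Keys" and "Verifying the New Certificates" steps from saved certutil -store My output: it maps each RA certificate to its MachineKeys file through the unique container name, and flags a missing RA template, a key that certutil could not exercise, or a key held by a CNG provider (which NDES cannot use). The sample output is constructed from the one shown above; the system drive letter and the CNG provider name are assumptions.

```python
"""Locate the NDES RA private key files and verify the RA certificates."""
import re

# Added example, not from the original post: it parses saved 'certutil -store My'
# output, maps each certificate to its MachineKeys file via the unique container
# name, and checks that both RA certificates are present and usable by NDES.
MACHINE_KEYS_DIR = r"\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
NDES_RA_TEMPLATES = {"EnrollmentAgentOffline", "CEPEncryption"}
# Assumed CNG provider name; NDES only works with the legacy CAPI CSPs.
CNG_PROVIDERS = {"Microsoft Software Key Storage Provider"}
TEMPLATE_KEY = "certificate template name (certificate type)"

# Constructed sample, modelled on the certutil output shown in the post.
SAMPLE_OUTPUT = """\
My
================ Certificate 0 ================
Serial number: 6148326f0000000000004
Issuer: CN=corp-WS08SRV02-CA, DC=corp, DC=contoso, DC=com
Subject: CN=WS08SRV03-MSCEP-RA, OU=Accounting, O=Contoso, L=Redmond, S=Washington, C=US
Certificate Template Name (Certificate Type): EnrollmentAgentOffline
Non-root Certificate
Cert Hash(sha1): fc 09 33 fb 72 cc 0d 51 0d 42 ff 08 4f 18 ea 79 c1 f2 85 85
  Key Container = Certreq-EnrollmentAgentOffline-5090c814-cc5b-45c4-b9cd-7b87db7ff38b
  Unique container name: 8672d6c619559d9466ab1f1de69e5c80_33b038e1-2695-46eb-97b7-6eafe8518f17
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Signature test passed

================ Certificate 1 ================
Serial number: 6148326f0000000000005
Issuer: CN=corp-WS08SRV02-CA, DC=corp, DC=contoso, DC=com
Subject: CN=WS08SRV03-MSCEP-RA, OU=Accounting, O=Contoso, L=Redmond, S=Washington, C=US
Certificate Template Name (Certificate Type): CEPEncryption
Non-root Certificate
Cert Hash(sha1): a5 6e 8c 36 76 a3 cb 5d d9 bb 7b 23 bd e7 ef da 65 0a 8c 9a
  Key Container = Certreq-CEPEncryption-32a4aa85-182f-49a4-93a2-8e359ee8048f
  Unique container name: a6dd6175f9ff03e39a787aeb02a2d5a7_33b038e1-2695-46eb-97b7-6eafe8518f17
  Provider = Microsoft RSA Schannel Cryptographic Provider
Encryption test passed
Certutil: -store command completed successfully.
"""

_BLOCK = re.compile(r"^=+ Certificate (\d+) =+$", re.M)
_FIELD = re.compile(r"^\s*([^:=]+?)\s*[:=]\s*(.*?)\s*$")

def parse_certutil_store(text):
    """One dict per certificate block; field names lower-cased, bare lines kept as notes."""
    certs = []
    pieces = _BLOCK.split(text)  # [preamble, index, body, index, body, ...]
    for idx, body in zip(pieces[1::2], pieces[2::2]):
        cert = {"index": int(idx), "notes": []}
        for line in body.splitlines():
            if not line.strip() or line.startswith("Certutil:"):
                continue
            m = _FIELD.match(line)
            if m:
                cert[m.group(1).lower()] = m.group(2)
            else:
                cert["notes"].append(line.strip())  # e.g. 'Signature test passed'
        certs.append(cert)
    return certs

def ra_key_files(certs, system_drive="C:"):
    """(template, key file path) for each certificate whose key lives in MachineKeys."""
    files = []
    for c in certs:
        unique = c.get("unique container name")
        if unique:
            files.append((c.get(TEMPLATE_KEY, ""), f"{system_drive}{MACHINE_KEYS_DIR}\\{unique}"))
    return files

def check_ndes_ra(certs, ra_name):
    """Problems that would stop NDES from using the RA certificates issued to ra_name."""
    problems, found = [], set()
    for c in certs:
        if not re.match(rf"CN={re.escape(ra_name)}\s*(,|$)", c.get("subject", "")):
            continue
        tmpl = c.get(TEMPLATE_KEY, "")
        found.add(tmpl)
        if c.get("provider") in CNG_PROVIDERS:
            problems.append(f"{tmpl}: key is in a CNG provider; NDES needs a CAPI CSP")
        if "unique container name" not in c:
            problems.append(f"{tmpl}: no private key container is associated")
        if not any(n.endswith("test passed") for n in c["notes"]):
            problems.append(f"{tmpl}: certutil could not exercise the private key")
    for tmpl in sorted(NDES_RA_TEMPLATES - found):
        problems.append(f"missing {tmpl} certificate for {ra_name}")
    return problems

if __name__ == "__main__":
    certs = parse_certutil_store(SAMPLE_OUTPUT)
    for tmpl, path in ra_key_files(certs):
        print(f"{tmpl}: {path}")
    print(check_ndes_ra(certs, "WS08SRV03-MSCEP-RA") or "RA certificates look good")
```

    Feed it the output of certutil -store My %COMPUTERNAME%-MSCEP-RA saved to a file to get the exact MachineKeys paths to delete (before replacement) or to ACL (after replacement).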

    Setting Permissions on the Private Keys

    Next, the permissions on the private key files will need to be modified to permit the MSCEP RA service account to access the associated key material.

    Windows Server 2008 now makes it easier to manage permissions on private keys through the Certificates snap-in. Once the new NDES RA certificates have been installed, the Administrator needs to grant access to the associated private keys to the MSCEP RA service account.

    To grant the MSCEP RA access to the private keys, follow these steps:

    1.  Open the Certificates MMC snap-in focused on the Local Computer.

    2.  Open the Personal store, and select the CEP Encryption certificate issued to the MSCEP RA.

    3.  Right-click on the certificate, select All Tasks from the context menu, and then select Manage Private Keys... as in Figure 3 below.


    Figure 3

    4.  This will launch the ACL Editor.


    Figure 4

    5.  Click Add, and select the NDES service account created prior to installing the NDES role.


    6.  Click Ok.

    7.  Verify that the NDES service account has full control over the key, and then click Ok.


    Figure 5

    Repeat this process with the Exchange Enrollment Agent certificate issued to the MSCEP RA account.

    Testing Enrollment

    Once all the above steps have been completed, reset the IIS service on the NDES server. To do this, launch the command prompt and run iisreset.exe. The NDES service is now ready to accept device administrator password requests as well as SCEP enrollment requests from the network devices.

    At this point the device administrator should attempt a SCEP enrollment from a network device to verify that the NDES service is configured correctly.

    To obtain the SCEP password, the device administrator uses Internet Explorer to go to the following site:

    http://<servername>/certsrv/mscep_admin


    Figure 6

    With the password in hand, the device administrator configures the network device with the password and the enrollment site in order for the device to enroll for the certificate. The enrollment site is:

    http://<servername>/certsrv/mscep

    If enrollment succeeds the NDES service is configured correctly.

    Summary

    The goal of this document was to replace the non-exportable certificates and keys generated during the install of the Network Device Enrollment Service role with new certificates that are exportable. The server administrator should now take steps to export the CEP Encryption and Enrollment Agent certificates issued to the MSCEP RA so that they can be imported on another server as needed.

    - Jonathan Stephens

  • New KB Articles April 5-11

    Here are the new KB articles related to Directory Services published between April 5-11. Also note that we’ve updated the KB article on Netlogon logging (109626) to make it clear that Netlogon logging works the same way in Vista/2008 as it does in 2003/XP/2000. Logging for user profiles and group policy has moved to ETW tracing, but Netlogon is the same old human-readable plain-text logging that you know and love.

    948833

    Distributed File System Replication may not replicate a folder on a Windows Server 2003 R2-based computer if the folder was previously a member of a replication group that was removed

    949655

    On a Windows Vista SP1-based computer, the SCardReleaseContext function returns a "0x80100004 (SCARD_E_INVALID_PARAMETER)" error code when the Cryptographic Service Provider process closes

    947972

    Error message when you try to copy a file to a Distributed File System (DFS) shared folder on a Windows Vista-based computer: "The selected files could not be copied. There is not enough free space on the device"

    951024

    When you run Scanstate.exe and Loadstate.exe from a non-elevated command prompt, the programs fail without an error on a Windows Vista Service Pack 1-based computer

    951020

    A logon from a domain that is not at the Windows Server 2008 domain functional level is blocked when you enable the "Display information about previous logons during user logon" policy setting

    951005

    The Network Policy Server may not log successful authentication events or failed authentication events in Event Viewer in Windows Server 2008

    950806

    A Network Name resource that has the Kerberos protocol enabled does not come online on the first attempt in a Windows Server 2008 failover cluster

    951006

    Hyper-V virtual machines cannot reach the network when the vLan tagging is enabled on a Windows Server 2008-based computer

    947722

    The "Internet Explorer Enhanced Security Configuration" dialog box appears unexpectedly on a computer that is running Windows Server 2008

    951026

    A domain user may be able to access security logs even though the user does not have the "Manage auditing and security log" user right in Windows Server 2003

    951010

    The ConflictAndDeleted folder size may exceed its configured limitation in Windows Server 2003

    946565

    On a Windows Server 2003-based computer that has the update from security bulletin MS07-062 installed, you may experience a memory leak in DNS

    950156

    The "NetlocalgroupAddMembers" function cannot add cross-domain objects into local groups on a Windows Server 2003-based domain controller that has hotfix 923354 installed

    - Craig Landis

  • The Security Descriptor Definition Language of Love (Part 1)

    Hi. Jim from DS here to tell you more than you ever wanted to know about the Security Descriptor Definition Language (SDDL). Windows uses SDDL in the nTSecurityDescriptor. The SDDL defines string elements for enumerating information contained in the security descriptor. You may want to grab some coffee now.

    Before we explain SDDL, let me explain what SDDL describes: a security descriptor. A security descriptor is a variable-length binary data structure that contains security information associated with a protected (securable) object. This includes information about the object’s owner and who can access the object and in what way. The security descriptor also includes information on how access to the object is audited. Windows uses security descriptors to control access to resources. Examples of resources to which security descriptors apply are files, folders, registry keys, network shares, printers and Active Directory objects like OUs and DNS zones.

    A security descriptor contains two access control lists (ACLs) for each resource: the Discretionary Access Control List (DACL) and the System Access Control List (SACL). An ACL is an ordered list of Access Control Entries (ACEs) that specify allowed, denied or audited access rights. The DACL identifies users and groups who are allowed or denied access to an object and in what way the object may be accessed. The SACL defines how access to the object is audited.

    What we are talking about here at the core is permissions and auditing. Each permission for a securable object granted to a user or group is stored as an ACE within a DACL that is a part of…

    You guessed it! The security descriptor. Can you feel the love? Try to contain your excitement as we press onward.

    The access token is linked to the security descriptor. An access token contains security information about an authenticated user. Windows performs an access check when a user or service attempts to access a resource. During the access check, Windows compares the access token of the requesting account to the object's DACL. This bit of wonderment is discussed in great detail here - http://blogs.technet.com/askds/archive/2007/11/02/what-s-in-a-token.aspx

    If auditing is enabled for an object, the object's Security Descriptor will also contain a SACL that controls how attempts to access the object are tracked by the security subsystem.

    Just for fun let’s view the security descriptor for shares on a server by traversing the registry. The following screen shot illustrates the security descriptor on a share named Tools as REG_BINARY data in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security key of a 2003 DC. This key contains all the information I spoke about earlier (DACL, SACL, etc.). Good luck deciphering that data format.


    Of course you are all familiar with the GUI representation of the security descriptor as shown in the following screenshot of the very same TOOLS share.


    Auditing Tab


    Now that you understand what a Security Descriptor “is”, we can explore the language used to describe what the security descriptor contains. This language is useful for developers and administrators alike to understand and utilize the administrative functionality as well as the portability of the security descriptor.

    It is possible to use SDDL to simplify some administrative tasks in regard to setting ACLs on objects. What follows is a cursory overview of what can be contained in an nTSecurityDescriptor SDDL string. Here is an example of an SDDL string extracted from the aforementioned TOOLS share:

    O:BAG:SYD:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)S:AI(AU;OICINPFA;RPDTSDWD;;;BU)(AU;OICINPSA;CCSWRPDTLOSD;;;BU)

    Each nTSecurityDescriptor SDDL string is composed of 5 parts which correspond to:

    The Header - The header contains flags that designate whether the object is allowing or blocking inheritance for the SACL and DACL. If inheritance is allowed, permissions flow down from a parent object. If inheritance is blocked the permissions do not flow down from a parent container or object.

    DACL (D:) – The Discretionary Access Control List denoted by the (D:)

    SACL (S:) – The System Access Control List denoted by the (S:)

    Primary Group (G:) – This value is still in the security descriptor for compatibility reasons. Windows 2000/2003 does not rely on this part of the security descriptor unless you are using services for UNIX and/or Macintosh with tools and utilities applying thereto.

    Owner (O:) – Indicates which trustee owns the object. A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) has one security identifier (SID, also called a principal) that identifies a trustee. The value is represented in SID string format. A security identifier (SID) identifies a user, a group, or a logon session. Each user has a unique SID, which is retrieved by the operating system at logon.

    SIDs are issued by an authority such as the operating system or a domain server. Some SIDs are well-known and have names as well as identifiers. For example, the SID S-1-1-0 identifies Everyone (or World).

    The contents of both the primary group and owner parts are a single SID. The contents of both the SACL and DACL parts are strings of varying length. ACEs are contained within these strings.

    ACEs are enclosed within parentheses. There are 6 fields in each ACE, separated by semicolons.

    The fields are as follows:

    ACE type (allow/deny/audit)

    ACE flags (inheritance and audit settings)

    Permissions (list of incremental permissions)

    ObjectType (GUID)

    Inherited Object Type (GUID)

    Trustee (SID)

    By using CACLS you can see below, in SDDL format, the security descriptor for the ACLs on the very same Tools share:


    Here is the output exported to a .txt file:

    "D:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)"

    In part II of my SDDL Blog series I will dissect the SDDL format in the previous extraction and from other securable objects to further explain the descriptor language and its usefulness.
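    The TOOLS share descriptor quoted above, broken into its parts (owner, group, DACL, SACL with their control flags) and each ACE into its six fields by a small parser; this is an added example, not code from the original post. The decoding tables are the standard SDDL abbreviations; the friendly names for the aliases (BA, BG, SY and so on) are the usual well-known accounts and are given for illustration.

```python
"""Break an SDDL string into its parts and decode the six fields of each ACE."""
import re

# Added example, not from the original post. The tables hold the standard SDDL
# abbreviations, including every code used in the TOOLS share descriptor.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED",
             "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
# The same two-letter right names are read differently per object type (RP is
# "read property" on an AD object; on a share the bit maps onto a file right).
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
          "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "RP": "READ_PROPERTY",
          "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
          "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT",
          "DT": "DELETE_TREE", "CR": "CONTROL_ACCESS", "FA": "FILE_ALL_ACCESS"}
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "BG": "BUILTIN\\Guests",
               "BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM",
               "CO": "CREATOR OWNER", "WD": "Everyone", "DA": "Domain Admins",
               "AU": "NT AUTHORITY\\Authenticated Users", "DU": "Domain Users"}

# The descriptor the post extracted from the TOOLS share.
TOOLS_SHARE_SDDL = ("O:BAG:SYD:PAI(D;OICI;FA;;;BG)(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)"
                    "(A;OICI;FA;;;SY)(A;OICI;FA;;;BU)"
                    "S:AI(AU;OICINPFA;RPDTSDWD;;;BU)(AU;OICINPSA;CCSWRPDTLOSD;;;BU)")

def _codes(run, table, what):
    """Decode a run of two-letter codes such as 'OICIIO' with the given table."""
    if len(run) % 2:
        raise ValueError(f"odd-length {what} run: {run!r}")
    names = []
    for i in range(0, len(run), 2):
        code = run[i:i + 2]
        if code not in table:
            raise ValueError(f"unknown {what} code {code!r} in {run!r}")
        names.append(table[code])
    return names

def _trustee(text):
    """Either an alias such as BA or a literal SID string such as S-1-1-0."""
    if text in SID_ALIASES:
        return SID_ALIASES[text]
    if re.fullmatch(r"S-1-\d+(-\d+)+", text):
        return text
    raise ValueError(f"unrecognised trustee {text!r}")

def parse_ace(ace):
    """Split one ACE (parentheses removed) into its six semicolon-separated fields."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE needs 6 fields, got {len(fields)}: {ace!r}")
    ace_type, flags, rights, obj_type, inh_obj_type, trustee = fields
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {ace_type!r}")
    return {"type": ACE_TYPES[ace_type],
            "flags": _codes(flags, ACE_FLAGS, "ACE flag"),
            # A hex mask such as 0x1f01ff may stand in for the two-letter rights.
            "rights": [rights] if rights.startswith("0x") else _codes(rights, RIGHTS, "right"),
            "object_type": obj_type, "inherited_object_type": inh_obj_type,
            "trustee": _trustee(trustee)}

def parse_acl(acl):
    """An ACL is optional control flags (P, AR, AI) followed by parenthesised ACEs."""
    head, _, rest = acl.partition("(")
    if not re.fullmatch(r"(P|AR|AI)*", head):
        raise ValueError(f"bad ACL control flags {head!r}")
    flags = [ACL_FLAGS[f] for f in re.findall(r"P|AR|AI", head)]
    body = "(" + rest if rest else ""
    if body and not re.fullmatch(r"(\([^()]*\))+", body):
        raise ValueError(f"malformed ACE list {body!r}")
    return {"flags": flags, "aces": [parse_ace(a) for a in re.findall(r"\(([^()]*)\)", body)]}

def parse_sddl(sddl):
    """Return the owner, group, DACL and SACL parts (None when a part is absent)."""
    markers = list(re.finditer(r"[OGDS]:", sddl))
    if not markers or markers[0].start() != 0:
        raise ValueError("SDDL must begin with O:, G:, D: or S:")
    parts = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        key = m.group()[0]
        if key in parts:
            raise ValueError(f"duplicate {key}: component")
        parts[key] = sddl[m.end():end]
    return {"owner": _trustee(parts["O"]) if "O" in parts else None,
            "group": _trustee(parts["G"]) if "G" in parts else None,
            "dacl": parse_acl(parts["D"]) if "D" in parts else None,
            "sacl": parse_acl(parts["S"]) if "S" in parts else None}

if __name__ == "__main__":
    sd = parse_sddl(TOOLS_SHARE_SDDL)
    print("owner:", sd["owner"], "| group:", sd["group"])
    for part in ("dacl", "sacl"):
        print(part.upper(), sd[part]["flags"])
        for ace in sd[part]["aces"]:
            print(f"  {ace['type']:<14} {ace['trustee']:<24} {'|'.join(ace['rights'])} {ace['flags']}")
```

    The CACLS export above, which carries only the D: part, parses the same way and simply yields no owner, group or SACL.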

    - Jim Tierney

  • New KB Articles March 22-April 4

    Here are the new KB articles related to Directory Services published between 3/22-4/4. Obviously the big news has been the release of the 2008 remote administration tools (RSAT) and Hyper-V RC0. We use Virtual Server heavily for testing and reproducing customer issues, so I was interested to try out Hyper-V. It is a big help being able to use x64 guests, and overall the performance definitely seems improved from Virtual Server. Lots of nice little things also, like the ability to change the boot order of the guest without having to boot into the guest's BIOS.

    941314

    Description of Windows Server 2008 Remote Server Administration Tools for Windows Vista Service Pack 1

    949589

    Description of Address Resolution Protocol (ARP) caching behavior in Windows Vista TCP/IP implementations

    949758

    Availability of the Windows Vista Service Pack 1 management tools for the Hyper-V release candidate

    949608

    Changes to the default NTFS Discretionary Access Control List (DACL) settings in Windows Vista

    949390

    When you import an event log file into Excel 2007 on a Windows Server 2008-based computer, event logs are not readable

    949887

    A memory leak occurs on an RPC server that is running Windows Server 2008 after the RPC server function runs an RPC client callback function

    950257

    How to configure event subscription to pull BMC SEL events into the event logs in Windows Server 2008

    950043

    How to back up the data recovery agent certificate together with the private key in a Windows Server 2003-based domain

    949876

    LDAP queries fail for large result sets after security update MS08-003 is applied on a Windows Server 2003-based computer

    948931

    If a user account belongs to 16 groups, access to some resources is denied on a computer that is running a 64-bit version of Windows Server 2003

    951028

    You are prompted two times for credentials when you use the Remote Desktop Client to connect to a Windows 2000 Terminal Server from Windows Vista or from Windows Server 2008

    945802

    Error message when you start a program that must run with elevated permissions on a Windows Vista-based computer: "The directory name is invalid"

    951018

    How to generate a full user-mode dump file in Windows Vista

    949469

    NSPI connections from Microsoft Outlook to a Windows Server 2008-based domain controller may fail with an error code: "MAPI_E_LOGON_FAILED"

    950042

    A Windows Server 2003-based domain controller may request multiple certificates every 8 hours

    947861

    Authentication of trusted users fails on a Windows Server 2003-based server if the UPN format is used and if the value of the LmCompatibilityLevel entry is equal to or larger than 3

  • Group Policy Best Practice Analyzer

    Hi, Tim here. Ever heard of a Best Practice Analyzer, otherwise known as a ‘BPA’? It’s a type of tool that many of our product or support teams have been creating the last few years which can be used to gauge the general health of a component before things go catastrophically wrong. BPA's can also identify problems that are present in one nice fell swoop so that you don’t have to work super hard to find them yourself.

    Exchange BPA is one that is widely used and has had great successes over the past few years, as an example.

    You may know of this kind of thing by its only other real world implementation: a consultant.

    This brings up the main two differences you may see between a BPA and a consultant: BPA's never vary in quality or experience and BPA's are FREE. Free, as I’ve mentioned before, is my favorite word.

    We have a BPA for Group Policy. This tool can be run against Server 2003 and Windows XP computers to give a good and instant idea of whether there are problems and what they are. There’s your value in this, folks: problems are identified for you. In addition you can take a sample of your normal problem-free environment and store it as a Baseline for comparison purposes for when you run GP BPA following a problem or as a standard procedural health check.

    Group Policy BPA installs as an application and has an easy-to-use, wizard-type interface to walk you through. Reports can be reviewed later (as I mentioned above) for comparison, or even exported to send to a colleague or to keep as a backup.

    Check out these problems Group Policy BPA found on one of my servers:

    [screenshot: Group Policy BPA report listing the problems found on the server]

    Anything that minimizes the required thinking without a degradation in my performance or quality of work is a Good Thing. Group Policy BPA is therefore a Good Thing for IT People.

    We have a general Knowledge Base Article about this great FREE offering here: "How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data" (http://support.microsoft.com/kb/940122). One of the big things that article does is contain links to where you can download GP BPA. In order to be repetitive and repeat myself or say the same thing again I’m giving you those same links below:

    Group Policy Diagnostic Best Practice Analyzer for Windows Server 2003 (KB940122)

    http://www.microsoft.com/downloads/details.aspx?FamilyId=47F11B02-8EE4-450B-BF13-880B91BA4566&displaylang=en

    Group Policy Diagnostic Best Practice Analyzer for Windows Server 2003 x64 Edition (KB940122)

    http://www.microsoft.com/downloads/details.aspx?familyid=70E0EDEC-66F7-4499-83B7-4F2009DF2314&displaylang=en

    Group Policy Diagnostic Best Practice Analyzer for Windows XP (KB940122)

    http://www.microsoft.com/downloads/details.aspx?FamilyId=70E4A971-DA91-4D4F-BF92-5C75A84F3742&displaylang=en

    Group Policy Diagnostic Best Practice Analyzer for Windows XP x64 Edition (KB940122)

    http://www.microsoft.com/downloads/details.aspx?FamilyId=317C372C-0FE3-4AD0-BE52-2FF3004DAEF0&displaylang=en

    Group Policy BPA is an administrator’s friend and can either shed light on pre-existing problems or set your mind at ease that you don’t have problems at all.

    So I have two questions for you:

    • If you’re not using Group Policy BPA, why aren’t you?
    • If you are using Group Policy BPA, what do you think?

    Microsoft is very interested in your feedback on how we can make Group Policy BPA better for you so please tell us what you think. This is a great chance to get your feedback directly back to the folks who make the product, and we’d love to hear from you.

    So please comment on this post or email us to let us know!

    - Tim Springston

  • Throw Away Your Mouse! A List of Windows Snap-ins and Applets

    Hi. This is Jim from Directory Services. I spend a great deal of time working through remote Easy Assist / Live Meeting sessions, sometimes with client machines halfway round the globe, and the latency can be excruciating.

    In my experience I have found that using the CMD line, as well as Start - Run, to launch administrative tools can be a more expedient way to do system administration. Using the mouse and clicking repeatedly to launch an administrative interface is not always the most efficient, especially in an extremely latent remote session; an errant click will always do you in. To this end I felt the need to create a one-stop “shortcut” reference to launch some of the more popular administrative applets. This is suitable for pinning up in your cube or office. Feel free to commit them all to memory.

    RUN/CMD shortcuts for AD management

    ADFS.msc       AD Federation Services
    CERTMGR.msc    Certificate Management (current user)
    CERTSRV.msc    Certification Authority
    CERTTMPL.msc   Certificate Templates
    COMPMGMT.msc   Computer Management
    COMEXP.msc     Component Services (lives in %SystemRoot%\System32\com)
    DCOMCNFG       Component Services
    DSA.msc        ADUC (AD Users and Computers)
    DFSGUI.msc     DFS Management
    DFSMGMT.msc    DFS Management (R2)
    DNSMGMT.msc    DNS Management
    DOMAIN.msc     Domains and Trusts
    DSSITE.msc     Sites and Services
    EVENTVWR.msc   Event Viewer
    GPEDIT.msc     Local Policy
    GPMC.msc       Group Policy Management Console
    PKIVIEW.msc    PKI management (Enterprise PKI)
    RSOP.msc       Resultant Set of Policy
    SECPOL.msc     Local Security Policy
    SERVICES.msc   Services
    SCHMMGMT.msc   Schema Management (run regsvr32 schmmgmt.dll once first)
    TASKMGR        Task Manager
    TSCC.msc       TS Configuration

    These are .exe files:

    TSADMIN TS Administrator
    LICMGR TS Licensing

    The following are contained within the WINDOWS 2003 ADMINISTRATION TOOLS PACK (adminpak.msi)
    *Installed from the Windows Server 2003 CD

    ADMGMT.msc       AD Management (Domains, Sites, DNS and ADUC in one console)
    PKMGMT.msc       PKI Management (Authorities, Templates)
    IPADDRMGMT.msc   WINS, DNS and DHCP in one console

    2008 SERVER

    SERVERMANAGER.msc   Server Manager
    NAPCLCFG.msc        Network Access Protection Client Configuration
    STOREXPL.msc        Storage Explorer
    TSCONFIG.msc        TS Configuration
    WBADMIN.msc         Windows Server Backup (WBADMIN.exe is the command-line version)
    WF.msc              Windows Firewall with Advanced Security

    RUN shortcuts for Windows OS management

    NCPA.CPL       Network Properties
    APPWIZ.CPL     Add/Remove Programs
    DEVMGMT.msc    Device Manager
    FSMGMT.msc     File Share Management (Shared Folders)
    SYSDM.CPL      System Properties
    FIREWALL.CPL   Firewall applet
    DESK.CPL       Display Properties
    CONTROL        Control Panel
    ACCESS.CPL     Accessibility Options
    TIMEDATE.CPL   Date/Time Properties
    FINDFAST.CPL   FindFast
    FONTS          Fonts Folder
    INETCPL.CPL    Internet Properties
    JOY.CPL        Joystick Properties
    LUSRMGR.msc    Local Users and Groups
    MAIN.CPL keyboard          Keyboard Properties
    MLCFG32.CPL    Microsoft Exchange (Mail profiles)
    WGPOCPL.CPL    Microsoft Mail Post Office
    MAIN.CPL       Mouse Properties
    MMSYS.CPL      Multimedia Properties
    PASWORD.CPL    Password Properties
    MAIN.CPL pc card (pcmcia)  PC Card
    PRINTERS       Printers Folder
    INTL.CPL       Regional Settings
    STICPL.CPL     Scanners and Cameras
    MMSYS.CPL sounds           Sound Properties
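    The lists above differ by OS version and by whether the Admin Pack is installed, so before pinning them up it helps to know which ones actually exist on the box in front of you. The following PowerShell is an added example, not part of Jim's post: it checks a (hypothetical, trimmed) subset of the names against %SystemRoot%\System32 (and System32\com for comexp.msc) and launches one by name the way Start - Run does, .msc files through mmc.exe and .cpl files through control.exe. The hashtable contents and the tool chosen at the end are assumptions for the demonstration.

```powershell
# Added example (not from the original post): find and launch admin consoles by name.
# Assumed: tools live in %SystemRoot%\System32 or System32\com; the table below is a subset.
$AdminTools = @{
    'dsa.msc'           = 'AD Users and Computers'
    'dssite.msc'        = 'Sites and Services'
    'domain.msc'        = 'Domains and Trusts'
    'dnsmgmt.msc'       = 'DNS Management'
    'gpmc.msc'          = 'Group Policy Management Console'
    'certsrv.msc'       = 'Certification Authority'
    'certtmpl.msc'      = 'Certificate Templates'
    'pkiview.msc'       = 'PKI management'
    'comexp.msc'        = 'Component Services'
    'servermanager.msc' = 'Server Manager (2008)'
    'wf.msc'            = 'Windows Firewall with Advanced Security (2008)'
    'ncpa.cpl'          = 'Network Properties'
    'sysdm.cpl'         = 'System Properties'
    'firewall.cpl'      = 'Firewall applet'
}

# Return the full path of a console/applet, or $null when it is not installed here.
function Find-AdminTool {
    param([string] $Name)
    $dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\com")
    foreach ($d in $dirs) {
        $p = Join-Path $d $Name
        if (Test-Path $p) { return $p }
    }
    return $null
}

# One line per tool: name, present/missing on this machine, description.
function Show-AdminTools {
    foreach ($name in ($AdminTools.Keys | Sort-Object)) {
        $path  = Find-AdminTool $name
        $state = if ($path) { 'present' } else { 'missing' }
        "{0,-20} {1,-8} {2}" -f $name, $state, $AdminTools[$name]
    }
}

# Launch the tool the same way Start - Run would: mmc.exe for .msc, control.exe for .cpl.
function Start-AdminTool {
    param([string] $Name)
    $path = Find-AdminTool $Name
    if (-not $path) { throw "$Name is not installed on this computer" }
    switch ([System.IO.Path]::GetExtension($path).ToLower()) {
        '.msc'  { Start-Process -FilePath "$env:SystemRoot\System32\mmc.exe"     -ArgumentList "`"$path`"" }
        '.cpl'  { Start-Process -FilePath "$env:SystemRoot\System32\control.exe" -ArgumentList "`"$path`"" }
        default { Start-Process -FilePath $path }
    }
}

Show-AdminTools
Start-AdminTool 'dsa.msc'   # assumed choice for the demonstration
```

    One caveat for Vista and 2008: a console launched from a non-elevated prompt runs without the administrative token, so snap-ins that need it will either prompt through UAC or quietly show you read-only views. Open the prompt with Run as administrator first when you intend to change anything.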

    - Jim "Mouse-Click Blues" Tierney

  • Certificate Concepts

    Hi, Brantley here. I would like to share some information with you about how digital certificates work. Understanding the concepts about how certificates work is important when troubleshooting PKI issues.

    Let’s start by defining “digital certificate”: digital certificates are electronic credentials that are used to assert the online identities of individuals, computers and other entities on a network. The concept of a digital certificate is much like the concept of a driver’s license. Like a driver’s license, a certificate is issued by a central authority that has validated the identity of the person (or computer, application, service, etc.) requesting the certificate. Now that we have defined digital certificates, let us move on to the details.

    Certificate Architecture

    Certificates issued by Windows certification authorities are based on the X.509 standard, as profiled for the Internet by the Public-Key Infrastructure (PKIX) Working Group of the Internet Engineering Task Force. Version 1 of the standard defines the set of fields that must exist in every X.509 digital certificate. Version 2 added two more fields (the issuer and subject unique identifiers) in order to support X.500 directory access control. Finally, version 3 introduced the concept of a certificate extension. Certificate extensions are additional fields, each identified by an object identifier, that may be specified in standards or may be defined and registered by a vendor, individual, or community; an extension can be marked critical, in which case a relying party that does not understand it must reject the certificate. The Windows Certificate Server included in Windows 2000 and later supports X.509 version 3 digital certificates.

    The format of a v3 digital certificate is illustrated below.

    X.509 Version 3 Certificate

    [diagram: the fields of an X.509 version 3 certificate, listed below]

    • Version: Identifies the version of the X.509 standard to which the certificate adheres. Certificates issued by a Windows CA are always v3.
    • Certificate Serial Number: A unique identifier for each certificate issued by a particular Certificate Authority. This number must be unique among all certificates issued by that CA; a CRL lists revoked certificates by serial number, so issuer plus serial number identifies a certificate.
    • Issuer: The distinguished name of the CA that issued the certificate. This field identifies the authority responsible for verifying the identity of the Subject of the certificate.
    • Subject: The distinguished name of the computer, user, network device or service to which the certificate is issued.
    • Valid from: The date and time when the certificate becomes valid.
    • Valid to: The date and time when the certificate expires.
    • Public Key: Contains the public key of the key pair that is associated with the certificate, together with the algorithm it belongs to. The private key is never part of the certificate.
    • Issuer Unique Identifier: Information that can be used to uniquely identify the issuer of the digital certificate (a version 2 field, rarely used in practice).
    • Subject Unique Identifier: Information that can be used to uniquely identify the owner of the digital certificate (also a version 2 field, rarely used in practice).
    • Extensions: Version 3 certificates include extensions that provide additional functionality and features, such as Subject Alternative Name, Key Usage, Enhanced Key Usage, Basic Constraints, CRL Distribution Points and Authority Information Access.

    As can be seen, a digital certificate binds a subject identity to a public key in a document that the issuing CA signs with its own private key (the signature algorithm and signature value are the final fields of the certificate), so anyone holding the issuer’s certificate can verify that the binding has not been altered. The matching private key never travels inside the certificate; it stays with the subject, in the user’s or computer’s key store, on a smart card, or in a hardware security module.

    Example User Certificate

    [screenshot: the Details tab of a user certificate]

    When you double-click a certificate in Windows, the Details tab displays the fields mentioned above. This is an easy way of visually verifying the validity dates and the Subject (and, under Subject Alternative Name, any other names the certificate carries).

    [screenshot: the Certification Path tab of the same certificate]

    The Certification Path tab displays the certificate path from the root down to the certificate being evaluated.

    Basic Certificate Validation:

    For a certificate to function properly, the following items must validate correctly (at a minimum):

    1. Subject name: The name in the certificate must match the name the relying party is using for the resource. For example, when using https, the host name in the URL that users type must appear either as the Subject’s common name or, preferably, as a DNS Name entry in the Subject Alternative Name extension of the web server’s certificate. Subject name is analogous to the name on a driver’s license.

    2. Validity Period: The time at which the certificate is used must fall between Valid From and Valid To, and this must hold for every certificate in the chain, not only the end certificate. Validity period is analogous to the expiration date on a driver’s license.

    3. Trust: The certificate must be issued by a Certificate Authority that the relying party trusts, either directly or through a chain that ends at a certificate in its Trusted Root Certification Authorities store. Trust is analogous to the State that issued a driver’s license: because the State that issued the license is a member of the union that makes up the United States, we trust the issuer of the license.

    4. Chain Building: Chain building is the process of building a trust chain, or certification path, from the end certificate to a root CA that is trusted by the relying party. The chain-building process validates the certification path by checking each certificate in the path from the end certificate up to the root CA’s certificate: the issuer of each certificate must be the subject of the next one up, and each signature must verify with that next certificate’s public key. Windows locates the issuing certificates from its local stores and from the URLs in the Authority Information Access extension.

    5. Key Usage: Two optional extensions, both set by the CA, control the usage of a certificate outside its intended purpose. The Key Usage extension lists the cryptographic operations the key may perform (Digital Signature, Key Encipherment, Certificate Signing, and so on). The Enhanced Key Usage extension contains a list of application purposes, identified by OIDs, for which the certificate is valid, such as Server Authentication (1.3.6.1.5.5.7.3.1) or Client Authentication (1.3.6.1.5.5.7.3.2). These usages, also known as intended purposes, are displayed on the General tab of the certificate dialog box; a certificate with no Enhanced Key Usage extension is treated as valid for all purposes. This is important when evaluating why a certificate may not be working correctly. Key usage is analogous to driver’s license endorsements (the types of vehicle that can be driven with this license).

    6. Revocation Checking: Each certificate in the certificate chain is verified to ensure that none of the certificates are revoked. A CA can revoke a certificate prior to its expiration date to disavow it (for example, after a private key compromise or when the subject leaves the organization). The revoked serial numbers are published in a Certificate Revocation List at the locations named in the certificate’s CRL Distribution Points extension, or served by an OCSP responder named in Authority Information Access. If the relying party cannot obtain current revocation information, the status is “unknown”, and whether the certificate is then rejected or accepted with a warning depends on the application. Revocation checking is analogous to checking a driver’s license against a State database to verify that the license has not been revoked for a violation.
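    The six checks above are exactly what Windows runs when you open the certificate dialog, and they can be driven from PowerShell through the .NET X509 classes (X509Chain wraps the same CryptoAPI chain engine). The script below is an added example, not part of Brantley’s post: it checks the subject name against the https host name, the validity period, then lets X509Chain do trust, chain building, key usage and revocation in one call, and reports every reason for failure rather than a single yes/no. It assumes the certificate is loaded from a .cer file (the file name and host name at the end are placeholders) and that the intended purpose is Server Authentication unless another EKU OID is supplied.

```powershell
# Added example, not from the original post: run the six basic validation checks
# against one X509Certificate2. Assumes an English OS (SAN entries are matched on
# the text "DNS Name="), a .cer file path and a host name supplied by the caller.
function Test-CertificateBasics {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string] $ExpectedHostName,
        [string] $RequiredEkuOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
    )
    $problems = @()

    # 1. Subject name: prefer the DNS entries of Subject Alternative Name (OID 2.5.29.17);
    #    fall back to the Subject CN only when the certificate carries no DNS names.
    $dnsNames = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames = @($san.Format($false) -split ',\s*' |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1] })
    }
    if ($dnsNames.Count -eq 0) {
        $dnsNames = @($Cert.GetNameInfo('DnsName', $false))
    }
    if ($ExpectedHostName -and ($dnsNames -notcontains $ExpectedHostName)) {
        $problems += "Subject: '$ExpectedHostName' is not among [$($dnsNames -join ', ')]"
    }

    # 2. Validity period: the moment of use must lie inside NotBefore..NotAfter.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "Validity: $now is outside $($Cert.NotBefore) .. $($Cert.NotAfter)"
    }

    # 3, 4, 6. Trust, chain building and revocation are all performed by X509Chain.
    #    Online = fetch CRL/OCSP from the URLs in the certificates;
    #    EntireChain = check every CA certificate too, not only the end certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = 'Online'
    $chain.ChainPolicy.RevocationFlag   = 'EntireChain'
    $chain.ChainPolicy.VerificationTime = $now
    # 5. Key usage: require the intended purpose while the chain is evaluated.
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $RequiredEkuOid)) | Out-Null
    $built = $chain.Build($Cert)
    foreach ($status in $chain.ChainStatus) {
        $problems += "Chain: $($status.Status) - $($status.StatusInformation.Trim())"
    }

    # Intended purposes as the General tab shows them; no EKU extension (2.5.29.37)
    # means the certificate is considered valid for all purposes.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) { $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }) }
    else      { $purposes = @('<no EKU extension: all purposes>') }

    # The certification path, root first, like the Certification Path tab.
    $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    [array]::Reverse($path)

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Serial     = $Cert.SerialNumber
        ValidFrom  = $Cert.NotBefore
        ValidTo    = $Cert.NotAfter
        DnsNames   = $dnsNames
        Purposes   = $purposes
        Path       = $path
        ChainBuilt = $built
        Problems   = $problems
        Passed     = ($built -and $problems.Count -eq 0)
    }
}

# Usage (placeholder file name and host name): a web server certificate exported as .cer
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\webserver.cer'
Test-CertificateBasics -Cert $cert -ExpectedHostName 'www.contoso.com' | Format-List
```

    To check a certificate already installed on the server, pick it from the Cert: drive instead of a file, for example Get-ChildItem Cert:\LocalMachine\My and pipe the one you want into the function. When the Problems list shows RevocationStatusUnknown or OfflineRevocation, the CRL or OCSP URL in the certificate could not be reached from this machine; certutil -verify -urlfetch webserver.cer walks the same chain and logs each URL it tries, which is usually the quickest way to see which one is failing.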

    Summary:

    Certificates issued by Windows certification authorities follow the X.509 standard as profiled by the IETF PKIX Working Group, and the Windows Certificate Server included in Windows 2000 and later issues X.509 version 3 digital certificates. Subject name, validity period, trust, chain building, key usage, and revocation all need to validate for a certificate to function properly.

    - Brantley Whitley