The Microsoft Malware Protection Center released yesterday (March 27th) a good post about Conficker that has a comprehensive timeline of this worm and of how Microsoft acted to protect systems against this threat. The post also reveals some insights into what to possibly expect next month (April 2009) regarding Conficker.
Read the complete post at:
http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx
1. Introduction
Consider a scenario where an external client is trying to authenticate through an OWA publishing rule on ISA Server 2006 using Forms-Based Authentication (FBA). In this scenario ISA Server 2006 was in a workgroup and FBA was using the LDAPS authentication method. Problem: the authentication doesn’t go through; the browser stays on the same FBA logon page without showing any error message.
To narrow down the problem, the following article was followed:
Troubleshooting Forms Base Authentication using Secure LDAP Authentication on ISA Server 2006
2. Don’t Forget the CRL
While the core reasons why this scenario fails are covered in the above article, there are two other things to validate:
· Is ISA Server allowing access to the CRL (Certificate Revocation List)?
· Is the CRL accessible from ISA Server?
For this case the first item was true: the system policy that allows CRL download was enabled. You can check that by opening the ISA Server 2006 System Policy and reviewing the option below:
Figure 1 – CRL Download System Policy
How do you check the second item? You can use the command-line utility certutil to test that from the ISA Server itself. You just need to have the Root CA certificate file (.CER) available. Here is the command and the result for this scenario:
C:\>certutil -verify -urlfetch rootca.cer
Issuer:
CN=Fabrikam CA
DC=fabrikam
DC=msft
Subject:
Cert Serial Number: 230acfb9d8e6468c4fd78ed8a899a466
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Fabrikam CA, DC=fabrikam, DC=msft
Subject: CN=Fabrikam CA, DC=fabrikam, DC=msft
Serial: 230acfb9d8e6468c4fd78ed8a899a466
99 56 45 8f a5 57 de 5d 60 43 cb 3b ac 40 a0 53 f0 91 ff 54
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
ldap:///CN=Fabrikam%20CA,CN=DCIWORK,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=fabrikam,DC=msft?certificateRevocationList?base?objectClass=cRLDistributionPoint
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
http://dciwork.fabrikam.msft/CertEnroll/Fabrikam%20CA.crl
--------------------------------
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
This result is very clear: ISA Server is unable to access the CRL and therefore it can’t authenticate the user. For this particular scenario (the real one, not my lab), the issue was resolved after opening port 80 between ISA Server and the Root CA. Yeah, ISA Server was running in sandwich mode, in between two other firewalls (Root CA → Hardware Firewall → ISA Server → Hardware Firewall → Internet). Once again, not an ISA issue.
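As an added illustration (not code from the original post), the Python script below parses the output of certutil -verify -urlfetch shown above, lists each AIA/CDP URL that certutil failed to fetch, and derives the host and port pairs that the firewalls around ISA Server would have to allow. The embedded sample is the CDP section from the output above; the default port table and the remark about host-less ldap:/// URLs being resolved through the machine’s domain are assumptions of this example, not statements from the post.

```python
"""Parse 'certutil -verify -urlfetch' output and report the CRL distribution
points that could not be retrieved, plus the host:port a firewall must allow.
Added example; the sample text is the CDP section from the blog post."""
import re
from urllib.parse import urlparse, unquote

# Constructed sample: the AIA/CDP lines from the certutil output in the post.
SAMPLE_OUTPUT = """\
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55)
ldap:///CN=Fabrikam%20CA,CN=DCIWORK,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=fabrikam,DC=msft?certificateRevocationList?base?objectClass=cRLDistributionPoint
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
http://dciwork.fabrikam.msft/CertEnroll/Fabrikam%20CA.crl
--------------------------------
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
"""

# Assumed default ports for the URL schemes certutil commonly fetches.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}

SECTION_RE = re.compile(r"^-+ Certificate (?P<name>AIA|CDP) -+$")
FETCH_ERR_RE = re.compile(r"^Error retrieving URL: (?P<msg>.*?)\s*(?P<code>0x[0-9A-Fa-f]{8})")
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")
REVOCATION_ERR_RE = re.compile(r"^ERROR: Verifying .* revocation status returned .*?(?P<code>0x[0-9A-Fa-f]{8})")


def describe_url(url):
    """Split a CDP/AIA URL into scheme, host, port (default per scheme) and path."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return {
        "url": url,
        "scheme": scheme,
        "host": p.hostname,  # None for ldap:/// URLs, which carry no host part
        "port": p.port or DEFAULT_PORTS.get(scheme),
        "path": unquote(p.path),
    }


def parse_fetch_failures(text):
    """certutil prints 'Error retrieving URL: ...' and then the URL on the next
    line, grouped under an AIA or CDP header; return one dict per failed URL."""
    failures = []
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, pending = m.group("name"), None
            continue
        m = FETCH_ERR_RE.match(line)
        if m:
            pending = {"section": section,
                       "message": m.group("msg").rstrip(". "),
                       "code": m.group("code").lower()}
            continue
        if pending is not None and URL_RE.match(line):
            entry = describe_url(line)
            entry.update(pending)
            failures.append(entry)
            pending = None
    return failures


def revocation_error(text):
    """Return the HRESULT of the final revocation-status error, or None."""
    for raw in text.splitlines():
        m = REVOCATION_ERR_RE.match(raw.strip())
        if m:
            return m.group("code").lower()
    return None


def firewall_rules_needed(failures):
    """(host, port) pairs the firewalls between ISA and the CA must allow so
    that at least one distribution point becomes reachable."""
    return sorted({(f["host"], f["port"]) for f in failures if f["host"]})


def report(text):
    """Human-readable summary of what blocked the revocation check."""
    lines = []
    for f in parse_fetch_failures(text):
        if f["host"]:
            where = f"{f['host']}:{f['port']}"
        else:
            # Assumption: Windows resolves a host-less ldap:/// URL through the
            # machine's AD domain, which a workgroup member such as this ISA cannot do.
            where = "no host in URL (domain lookup; unusable from a workgroup member)"
        lines.append(f"[{f['section']}] {f['scheme']} {where} -> {f['message']} ({f['code']})")
    code = revocation_error(text)
    if code:
        lines.append(f"revocation check failed with {code}; open one of the CDPs above")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Run it against a saved certutil transcript (for example certutil -verify -urlfetch rootca.cer > out.txt) and the report tells you which distribution point, and therefore which firewall rule, is missing; in the scenario above it is the HTTP CDP on dciwork.fabrikam.msft port 80.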
3. Conclusion
When the scenario involves LDAPS authentication and SSL publishing, the number of variables is quite big. On top of that, if your topology uses ISA Server in sandwich mode and your security policy is so tight that ISA can’t even check a CRL, things can get worse. This is a scenario born to fail, due to the lack of planning before putting it into production. Remember, planning is a key factor in any type of deployment, and when the topology needs to be as complex as this one, be realistic: give yourself a couple of weeks to build a pilot environment that reflects the production one. Test it, write down the results, work on the errors, write down the results, resolve the problems, write down the results, test it, test it again, and make sure that you cover at least what you plan to publish. Look around ISA as well, because my statistic that out of every 5 cases 3 are not an ISA issue keeps growing every day.
Last March 19 the Information Systems Security Association (ISSA) Brazil Chapter held its ISSA Day and distributed the latest edition of its magazine, called Antebellum. I was invited by Fernando Fonseca (Security Consultant) to write about Forefront TMG Beta 2, and this article was published in the Antebellum March/April edition. Here is the magazine front cover:
Note: Portuguese readers can download the full magazine in PDF format from here.
I just want to share this tool created by my fellow Brazilian friend Roberto Farah, which uses PowerShell to control WinDBG: http://blogs.msdn.com/debuggingtoolbox/archive/2009/02/04/powershell-script-powerdbg-v5-0-using-powershell-to-control-windbg.aspx
Why is this cool? Here is an example of how it can make it easier to find leaked objects and send a customer-ready report: http://blogs.msdn.com/debuggingtoolbox/archive/2008/11/14/powershell-script-finding-the-managed-objects-that-leaked.aspx
Farah is currently writing a book with Dmitry Vostokov (from www.dumpanalysis.org) about debugging, in which he will include this material:
http://www.dumpanalysis.org/Forthcoming+Windows+Debugging+Notebook
Dmitry has written lots of books, but my favorite (so far) is Memory Dump Analysis Volume I.
My friend Paul Long from the Netmon team recorded a series of videos that will help you better understand how Netmon works and how to use it. Check them out here:
UI Overview Part 1
UI Overview Part 2
Capturing with the UI
Capturing with NmCap
Filtering
Conversation Tree
Creating a New Parser
It is very interesting to me that many people haven’t fully realized yet the benefits of ISABPA. Certainly we already have lots of admins who use this tool, but do you know whether you really use its full capability? This post describes the most common scenarios for using ISABPA and how to take full advantage of it. In this first part of the post I’m going to discuss how ISA BPA can assist you proactively in mitigating possible issues.
2. Proactive Health Check
When you deploy ISA Server you should first of all plan, plan and plan. I have worked on many cases where ISA was installed the way you install Microsoft Office, using NNF technology (Next, Next and Finish), no kidding. We all know that it is easy to install, but you need to collect information before deploying. Here are some typical questions that can influence how you will size ISA for your environment:
· What type of scenario do you plan to install ISA for:
o Web Proxy?
o Firewall?
o VPN Access?
o Secure Publishing Server?
o All of them?
· What applications are you planning to publish through ISA?
o Exchange OWA?
o Outlook Anywhere?
o Sharepoint?
This is definitely not the complete list; it is just an example of some questions that you should ask your customer (or yourself) when planning an ISA Server installation. After gathering all the data, go ahead and use the ISA Server Capacity Planner to see whether you have the correct hardware for ISA.
OK, but where does ISA BPA come in? I didn’t want to miss the opportunity to stress how important the planning phase is; that is why I started with it. Running ISABPA with the Health Check option is a post-installation task.
Figure 1 – Starting a new scan.
The following screen shows ISABPA performing the scanning operation:
Figure 2 – Scanning in Progress
When this process finishes you can click View Report and you will see (depending on the number of warnings or errors you have) a screen similar to Figure 3:
Figure 3 – ISA Report
This is an example of a pristine installation of ISA Server 2006 on top of Windows Server 2003 SP2 with some basic rules configured on it. Notice how many warnings I have and how many improvements I can make on this configuration. If you want more details about each one of those suggestions, just click on it and you will see what the recommendation is as shown in Figure 4:
Figure 4 – Details about the warning message.
If you want to see a hierarchical view plus more details about this configuration, you can click on Tree Reports and you will get a view like the one below:
Figure 5 – Tree Reports View.
In this first part of the article I explained some advantages of using ISA BPA for proactive work; in the next article I will show you how the ISABPA tools can assist you in a troubleshooting scenario.
The fun has already started with TMG MBE, so what about some old friends (such as cachedir) to play with TMG MBE? That’s right: the TMG MBE Tools are now available at the Microsoft Download Center. Go get them at: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=82027864-4abd-4896-8255-55f6ea775489
My experience dealing with ISA Server cases on a daily basis has shown me that certificates are a delicate subject. They are the type of thing that is initially simple, but when a certificate expires it can be a pain and can bring your ISA Server down if you don’t plan the renewal process ahead of time.
In the economic turmoil we live in, it is getting quite normal that the IT Pro who was previously responsible only for administering his messaging system is now “promoted” to administer the AD infrastructure and the company’s firewall. The result is sometimes quite frustrating because of lack of documentation, no knowledge transfer and higher pressure to keep things working.
I remember one scenario where the new IT guy had been in the company for only 2 weeks when his ISA Server stopped working and the whole Internet was down. Panicked and clueless about what was going on, this IT guy contacted us. We found out that his certificate had expired and the Firewall Service was not starting (see an article about that on the ISA Blog next week). The problem at that time was that he had no idea about their PKI infrastructure, which Root CA had issued the certificate, etc. Bottom line: a case that was supposed to take 5 minutes if we had all the info we needed took 5 hours.
Last month our supportability team asked me to write an article about certificates that could help in scenarios like this. It took me some time to reproduce the most common issues and document them; some members of our team reviewed it (see the tech reviewers listed in the article) and yesterday the article was published. Take a look at http://technet.microsoft.com/en-us/library/dd547090.aspx
My friend Tom Shinder, who is up in Seattle this week for the MVP Summit, just released Part 1 of an article that gives you an overview of the new features in TMG Beta 2. It is indeed worth reading to get an idea of the new functionality and improvements that this Beta brings you. Check out the complete article at:
http://www.isaserver.org/tutorials/Overview-New-Features-TMG-Beta2-Part1.html