Stuff I'm Up To

Technical Ramblings

Tomcat and HTTPS — January 31, 2017


By default Tomcat is installed with HTTP only and a number of default applications. I previously linked documents on how to secure Tomcat, but put simply: delete the folders under webapps that you don't need for your application, which pretty much leaves you with host-manager and manager in there.

My next step was to try to figure out how to get the connection changed from HTTP to HTTPS and apply a valid certificate to the connection.


Securing Tomcat —


During a penetration test a serious weakness was exploited that allowed the attacker to gain local admin rights on a server running Tomcat. This in turn allowed session passwords to be captured from memory, which resulted in domain admin level access.

All because of a third-party application installed by a vendor who left the underlying Tomcat installation as a vanilla, out-of-the-box product with all of the software's default settings.

Lesson: NEVER trust a vendor installation to be secure. Carry out a vulnerability scan whilst they’re still onsite and don’t sign off any installation until all security concerns have been resolved.

References:

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

https://www.owasp.org/index.php/Securing_tomcat

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://www.upguard.com/articles/15-ways-to-secure-apache-tomcat-8

Java SSL/TLS Ciphers — January 30, 2017


You can specify what cipher suites Java uses by editing the file:

%JAVA_HOME%\lib\security\java.security

This file must also be the one the Java application actually reads. If the application overrides it with a -Djava.security.properties=<URL> setting, then you should modify the file specified by <URL> instead.

The ciphers to disable are listed in the following keys:

jdk.certpath.disabledAlgorithms

jdk.tls.disabledAlgorithms

The file is commented, so you should be able to work out the required settings from the examples in it.

The jdk.tls.disabledAlgorithms property in the policy file controls which protocols, algorithms and cipher suites TLS is allowed to negotiate. The jdk.certpath.disabledAlgorithms property controls which algorithms and key sizes are accepted during certificate path validation, i.e. the algorithms you will come across in SSL certificates and their chains.

Oracle has more information about this here.
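Because the vendor installs several flavours of Java, each with its own java.security, it helps to audit the two keys above across all of them before touching anything. The following is an added example written for this post, not code from the original post or from Oracle; the install roots and the baseline list of algorithm names it expects to see disabled are assumptions to adjust to your own environment. It reads each file (handling the backslash line continuations the stock file uses), and reports which baseline names are absent from each key.

```powershell
# Added example, not code from the original post. Reads jdk.tls.disabledAlgorithms and
# jdk.certpath.disabledAlgorithms from every Java flavour's java.security and reports
# which names from an assumed baseline are not listed. Install roots and baseline are
# assumptions; a file named via -Djava.security.properties can be passed to
# Test-JavaDisabledAlgorithms directly.

function Get-JavaSecurityProperty {
    # Minimal parser for java.security: key=value lines, '#' comments, and values
    # continued onto the next line with a trailing backslash.
    param([Parameter(Mandatory)][string]$Path)
    $props = @{}
    $key = $null
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($null -eq $key) {
            if ($line -eq '' -or $line -match '^[#!]') { continue }
            if ($line -notmatch '^([^=:\s]+)\s*[=:]\s*(.*)$') { continue }
            $key  = $Matches[1]
            $line = $Matches[2]
            $props[$key] = ''
        }
        $continues = $line.EndsWith('\')
        if ($continues) { $line = $line.Substring(0, $line.Length - 1).TrimEnd() }
        $props[$key] += $line
        if (-not $continues) { $key = $null }
    }
    return $props
}

function Test-JavaDisabledAlgorithms {
    # One row per key: the file's value and the expected names it does not list.
    param(
        [Parameter(Mandatory)][string]$SecurityFile,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    $props = Get-JavaSecurityProperty -Path $SecurityFile
    foreach ($key in $Expected.Keys) {
        $value   = [string]$props[$key]
        # entries are comma separated and some contain spaces, e.g. "RSA keySize < 1024"
        $present = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $missing = @($Expected[$key] | Where-Object { $present -notcontains $_ })
        [pscustomobject]@{
            File    = $SecurityFile
            Key     = $key
            Value   = $value
            Missing = ($missing -join ', ')
        }
    }
}

# Assumed baseline of names you would expect to see disabled; compare with the stock
# file that shipped with your JDK update and with your own policy.
$expected = @{
    'jdk.tls.disabledAlgorithms'      = @('SSLv3', 'RC4', 'DES', 'MD5withRSA', 'anon', 'NULL')
    'jdk.certpath.disabledAlgorithms' = @('MD2', 'MD5', 'RSA keySize < 1024')
}

# Assumed install roots, one per Java flavour the vendor insists on
$javaHomes = @(
    'C:\Program Files\Java\java_jre_64bit',
    'C:\Program Files (x86)\Java\java_jre_32bit'
)

$javaHomes |
    ForEach-Object { Join-Path $_ 'lib\security\java.security' } |
    Where-Object  { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-JavaDisabledAlgorithms -SecurityFile $_ -Expected $expected } |
    Format-Table -AutoSize -Wrap
```

A non-empty Missing column for one flavour and not another is the usual sign that a vendor copy of Java is older than the rest, or that its java.security was edited by hand; the Value column shows exactly what that install will refuse to negotiate.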


Java Certificates —


Certificates are the bane of my existence! After applying some updated certificates to Windows servers, some of the systems are now failing to connect to database servers. This is because the underlying Java program knows nothing about the Windows certificate stores and uses its own.

Now, if life weren't difficult enough, the default keystores used by Java reside in each installation's %JAVA_HOME%\lib\security folder, but we've got applications with many flavours of Java installed, i.e. java_jre_32bit, java_jre_64bit, java_jdk_32bit and java_jdk_64bit. I know, I didn't install it like this; it's a vendor install, they insist on it being this way, and it must remain a very specific version of Java.

So now we have to add the CA certificate into the cacerts file, which is where Java keeps its CA certs. I've had to do this for each flavour of Java using:

c:\> %JAVA_HOME%\bin\keytool -v -import -alias MyCA -file MyCA.pem -keystore %JAVA_HOME%\lib\security\cacerts

Where MyCA is the alias the certificate is stored under and MyCA.pem is the .cer file you export from the computer certificates MMC snap-in (management console) on your CA.

Keytool will ask you for a password. What could it be? Well, after a major trawl of the internet I found the default Java cacerts password is 'changeit'.

I'm sure you can change it to whatever you'd like, but then you're going to have to ensure that you update your Java configs to give it the new password, which for me could be problematic as the vendor's configs could be anywhere!

References: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
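Repeating the keytool import by hand for four flavours of Java is tedious and easy to get wrong, so here is an added example, written for this post and not the original post's code, that loops over them. Install roots, the alias and the certificate path are assumed values; 'changeit' is the default the post mentions and stands in for whatever password the store really has. It checks whether the alias is already in each cacerts before importing, answers keytool's trust prompt non-interactively, and reports the outcome per install.

```powershell
# Added example, not code from the original post. Imports one CA certificate into the
# cacerts store of every Java flavour, skipping stores that already hold the alias.
# Paths, alias and password below are assumed values.

function Import-CACertIntoCacerts {
    param(
        [Parameter(Mandatory)][string]$JavaHome,
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$CertFile,
        [Parameter(Mandatory)][string]$StorePass
    )
    $keytool = Join-Path $JavaHome 'bin\keytool.exe'
    $store   = Join-Path $JavaHome 'lib\security\cacerts'
    $row = [ordered]@{ JavaHome = $JavaHome; Store = $store; Result = '' }

    if (-not (Test-Path -LiteralPath $keytool) -or -not (Test-Path -LiteralPath $store)) {
        $row.Result = 'keytool.exe or cacerts not found'
        return [pscustomobject]$row
    }

    # keytool -list exits 0 when the alias exists and non-zero when it does not
    & $keytool -list -alias $Alias -keystore $store -storepass $StorePass *> $null
    if ($LASTEXITCODE -eq 0) {
        $row.Result = 'alias already present'
        return [pscustomobject]$row
    }

    # -noprompt answers the "Trust this certificate?" question so the loop runs unattended
    $out = & $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CertFile `
                      -keystore $store -storepass $StorePass 2>&1
    $row.Result = if ($LASTEXITCODE -eq 0) { 'imported' } else { "import failed: $out" }
    [pscustomobject]$row
}

# Assumed install roots, one per Java flavour the vendor insists on
$javaHomes = @(
    'C:\Program Files\Java\java_jre_64bit',
    'C:\Program Files (x86)\Java\java_jre_32bit',
    'C:\Program Files\Java\java_jdk_64bit',
    'C:\Program Files (x86)\Java\java_jdk_32bit'
)
$certFile = 'C:\certs\MyCA.pem'   # assumed path to the .cer exported from the CA

$javaHomes |
    ForEach-Object { Import-CACertIntoCacerts -JavaHome $_ -Alias 'MyCA' -CertFile $certFile -StorePass 'changeit' } |
    Format-Table -AutoSize
```

Passing -storepass on the command line makes the password visible in process listings, which is tolerable for the default 'changeit' but not for a store you have re-keyed; in that case let keytool prompt, or feed it from a protected credential. Note also that a Java update replaces cacerts, so the loop needs re-running after each one.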

Blank Dialog when Managing Connection Server — January 27, 2017
View Composer Certificate —
Renamed Machine & Wrong Certificate Name —


We set up some virtual machines from a template with temporary names, because they were replacing machines still running on the domain. After decommissioning the old machines and renaming the new ones, it seems the rename didn't fully do the job.

All the domain membership stuff went OK, but the certificate issued to the machine still had the temporary name. Even after deleting the wrongly named certificate we'd still get a certificate issued with the same name.

A quick trawl through the registry revealed that the following value needed to be changed before a correctly named certificate would be issued:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName

Once this was done the certificate was received with the correct name.
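To spot this condition before it bites (a machine certificate bearing a name the box no longer has), the following added example, written for this post and not the original post's code, lists the certificates in the computer's personal store next to the machine's current FQDN and the Winlogon value named above. It only reads; nothing is changed. The field names are my own.

```powershell
# Added example, not code from the original post. Lists machine certificates whose
# subject or SAN does not match the box's current FQDN, alongside the Winlogon
# DefaultDomainName value the post names. Read-only.

function Get-MachineCertNameCheck {
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $fqdn     = '{0}.{1}' -f $cs.Name, $cs.Domain
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
        # DnsNameList is the SAN view that PowerShell's certificate provider adds
        $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Thumbprint                = $cert.Thumbprint
            SubjectCN                 = $cn
            DnsNames                  = ($sans -join ', ')
            IssuedToThisBox           = ($cn -ieq $fqdn) -or ($sans -icontains $fqdn)
            NotAfter                  = $cert.NotAfter
            CurrentFqdn               = $fqdn
            WinlogonDefaultDomainName = $winlogon.DefaultDomainName
        }
    }
}

# Show only certificates that were not issued to the name the machine has now
Get-MachineCertNameCheck | Where-Object { -not $_.IssuedToThisBox } | Format-List
```

Certificates for other purposes (an IIS site name, a service account) will legitimately show up here too, so treat the output as a list to review rather than a list to delete.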

Disconnected RDP Sessions — January 25, 2017


Who has left their account logged onto a server using RDP and then disconnected it, leaving it open to session hijacking?

PowerShell Script rdp_who.ps1

# Import the Active Directory module for the Get-ADComputer cmdlet
Import-Module ActiveDirectory

# Get today's date for the report
$today = Get-Date

# Set up email parameters
$subject = "ACTIVE SERVER SESSIONS REPORT - " + $today
$priority = "Normal"
$smtpServer = "smtp.domain.local"
$emailFrom = "rdp@domain.local"
$emailTo = "it.manager@domain.local"

# Create a fresh variable to collect the results. You can use this to output as desired.
# PowerShell newlines are `n; "\n" would be sent literally in the email body.
$SessionList = "ACTIVE SERVER SESSIONS REPORT - " + $today + "`n`n"

# Query Active Directory for computers running a Server operating system
$Servers = Get-ADComputer -Filter {OperatingSystem -like "*server*"}

# Loop through the list to query each server for login sessions
ForEach ($Server in $Servers) {
    $ServerName = $Server.Name

    # Comment out the Write-Host line below when running unattended
    Write-Host "Querying $ServerName"
    # Run qwinsta.exe and turn its output into objects by collapsing whitespace to commas
    $queryResults = (qwinsta /server:$ServerName | ForEach-Object { ($_.Trim() -replace "\s+", ",") } | ConvertFrom-Csv)

    # Pull the session information from each instance
    ForEach ($queryResult in $queryResults) {
        $RDPUser = $queryResult.USERNAME
        $sessionType = $queryResult.SESSIONNAME

        # We only want to display where a "person" is logged in. When the SESSIONNAME column
        # is blank, the comma conversion shifts the columns left and USERNAME ends up holding
        # the numeric session ID, so unused sessions show up with a number as USERNAME.
        If (($null -ne $RDPUser) -and ($RDPUser -match "[a-z]")) {
            # Comment out the Write-Host line below when running unattended
            Write-Host "$ServerName logged in by $RDPUser on $sessionType"
            $SessionList = $SessionList + "`n`n" + $ServerName + " logged in by " + $RDPUser + " on " + $sessionType
        }
    }
}

# Send the report email
Send-MailMessage -To $emailTo -Subject $subject -Body $SessionList -SmtpServer $smtpServer -From $emailFrom -Priority $priority

# When running interactively, the full list is also written to screen
$SessionList

References: http://discoposse.com/2012/10/20/finding-rdp-sessions-on-servers-using-powershell/
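The whitespace-to-CSV trick above has a blind spot that matters for this exact question: a disconnected session has a blank SESSIONNAME column, so after the conversion the user name slides into SESSIONNAME and the session ID into USERNAME, and the "[a-z]" filter drops the row. The following added example, written for this post and not the original post's or discoposse's code, parses qwinsta output by the column offsets in its own header line instead, so blank columns stay blank and the STATE column (Active, Disc, Listen) survives to be filtered on. The sample output embedded in it is constructed to match the real layout, not captured from a server; the function names are my own.

```powershell
# Added example, not code from the original post. Parses qwinsta's fixed-width output
# using the header's column offsets, so disconnected sessions (blank SESSIONNAME) are
# read correctly and can be reported by their STATE.

function ConvertFrom-QwinstaOutput {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { return }

    # Column start offsets come from the header line itself
    $userStart   = $header.IndexOf('USERNAME')
    $stateStart  = $header.IndexOf('STATE')
    $typeStart   = $header.IndexOf('TYPE')
    $deviceStart = $header.IndexOf('DEVICE')

    foreach ($line in $Lines) {
        if ($line -eq $header -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $padded = $line.PadRight($deviceStart + 1)          # short rows lack trailing columns
        # A leading '>' marks the session the query itself runs in
        $session = $padded.Substring(0, $userStart).TrimStart('>').Trim()
        # USERNAME (left-aligned) and ID (right-aligned) share the span up to STATE
        $userAndId = $padded.Substring($userStart, $stateStart - $userStart)
        if ($userAndId -notmatch '^\s*(?<user>\S*)\s+(?<id>\d+)\s*$') { continue }
        [pscustomobject]@{
            ComputerName = $ComputerName
            SessionName  = $session
            UserName     = $Matches.user
            Id           = [int]$Matches.id
            State        = $padded.Substring($stateStart, $typeStart - $stateStart).Trim()
            Type         = $padded.Substring($typeStart, $deviceStart - $typeStart).Trim()
        }
    }
}

function Get-DisconnectedRdpSession {
    # Live query of one server; returns only sessions that have a user and are disconnected
    param([Parameter(Mandatory)][string]$ComputerName)
    $raw = qwinsta /server:$ComputerName 2>$null
    if (-not $raw) { return }
    ConvertFrom-QwinstaOutput -Lines $raw -ComputerName $ComputerName |
        Where-Object { $_.UserName -and $_.State -eq 'Disc' }
}

# Constructed sample of qwinsta output (not captured from a real server); the
# (' ' * n) padding keeps each row aligned with the header's columns.
$sample = @(
    ' SESSIONNAME' + (' ' * 7)  + 'USERNAME' + (' ' * 15) + 'ID  STATE   TYPE' + (' ' * 8) + 'DEVICE',
    ' services'    + (' ' * 34) + '0  Disc',
    ' console'     + (' ' * 35) + '1  Conn',
    '>rdp-tcp#12'  + (' ' * 8)  + 'alice'    + (' ' * 19) + '2  Active  rdpwd',
    (' ' * 19)     + 'bob'      + (' ' * 21) + '3  Disc',
    ' rdp-tcp'     + (' ' * 31) + '65536  Listen'
)

ConvertFrom-QwinstaOutput -Lines $sample -ComputerName 'SRV01' |
    Where-Object { $_.UserName -and $_.State -eq 'Disc' } |
    Format-Table -AutoSize
```

Run against the sample, only the row for the disconnected user session survives the filter; the services and console rows have no user, and the active RDP session is excluded by its STATE. Swap the sample for a loop over Get-ADComputer output calling Get-DisconnectedRdpSession to get the report the script above was after, with the disconnected sessions actually in it.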

SMC & JBoss Cipher Suites —
Exchange 2013 Error: “The Microsoft Exchange Diagnostics service terminated unexpectedly” — January 24, 2017


Had this showing up regularly in the event log of one of our Exchange servers. Deleting the following two keys under

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA

ExchangeDiagnosticsDailyPerformanceLog

and

ExchangeDiagnosticsPerformanceLog

followed by a reboot sorted it.

References: http://exchangeitup.blogspot.co.uk/2016/01/exchange-2013-error-microsoft-exchange.html

Sophos Mobile Control —


When upgrading from v6.1.4 to v7.0.8 I ran aground as it came up with a very bland error message:

“Error! Database update error. Please contact support.”

Not very helpful.

So the next step is to look in the log files SMCSVC_install.log and install_wizard.log under Sophos Mobile Control\wildfly\standalone\log. These both pointed to a problem connecting to the database: it couldn't find the MySQL driver.


Putting Exchange into Maintenance Mode — January 23, 2017