Stuff I'm Up To

Technical Ramblings

STIG — March 17, 2017
Oracle Database Patches —
Category 5 Plug Wiring — March 12, 2017
How to use vSphere 6.x Certificate Manager — March 10, 2017
Dell iDRAC and Certificates —

Dell iDRAC and Certificates

A wider vulnerability scan picked up that we had self signed certificates on our Dell iDRAC’s (Dell Remote Access Controller). But also highlighted that the certificates keys were too small. So that meant in order to resolved the issue we must issue our own certificates and ensure they are the right key size.

This would normally be fairly straight forward. Use the Web UI to generate a CSR and then submit that to the CA. Then just upload the issued certificate to the Web UI and all is done. However, when we submitted the CSR the CA responded with an “Denied by Policy Module” error.

In the CA servers Application event log we see Event ID: 53

Active Directory Certificate Services denied request 78050 because The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375 CERTSRV_E_KEY_LENGTH).  The request was for E=root@localhost, CN=DRAC.domain.local, OU=My OU, O=My Organisation, L=Any Town, S=Some County, C=UK.  Additional information: Denied by Policy Module

Continue reading

HTTPS and SNI — March 9, 2017
Guidelines for Microsoft Clustering on vSphere —

Guidelines for Microsoft Clustering on vSphere

This article provides links to a subset of articles that provide guidelines and support status for running various Microsoft clustering solutions and configurations on VMware vSphere.

VMware provides customers additional flexibility and choice in architecting high-availability solutions. Microsoft has clear support statements for its clustering solutions on VMware.

Additionally, VMware provides guidelines in terms of storage protocols and number of nodes supported by VMware on vSphere, particularly for specific clustering solutions that access shared storage. Other clustering solutions that do not access shared storage, such as Exchange Cluster Continuous Replication (CCR) and Database Availability Group (DAG), can be implemented on VMware vSphere just like on physical systems without any additional considerations.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1037959

SSL/TLS Deployment – Best Practices —
Setting the Killbit for an ActiveX Control — March 7, 2017

Setting the Killbit for an ActiveX Control

Adding a killbit for a control that Nessus says requires one.

https://support.microsoft.com/en-gb/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer

In brief you need to find or create the classid in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

However, on one I found I first had to hunt the name in HKEY_CLASSES_ROOT\CLSID

eg. Nessus reported

  Class Identifier  : {D63891F1-E026-11D3-A6C3-005004055C6C}
  Filename          : C:\Program Files (x86)\xxxx\Runtime\NCSECW.DLL
  Installed version : 1.6.6.32

But when I search for NCSECW.DLL I got a different Class ID and that was what I needed to use to add a killbit for.

Kali and OpenVAS — March 4, 2017
OpenVPN Create User Keys — March 3, 2017

OpenVPN Create User Keys

As I’d forgotten how to create a new OpenVPN user, it’s not something I do every day, I thought I put here a reminder of the process used.

To get a private key and a signed public key the easiest way is to use the Easy-RSA program that came with openvpn. Change to the directory, set the variables and run the script like this:

$ cd /etc/openvpn/easy-rsa
$ sudo source ./vars
$ sudo ./build-key-pass [USERNAME]

This creates the necessary CSR and submits it and generates the key and certificate in /etc/openvpn/easy-rsa/keys

I then wrote a script than turns the key and certificate into a single .ovpn file I can just give to the user along with the key password.

Continue reading

Diving Deeper into Windows SSL — March 2, 2017

Diving Deeper into Windows SSL

This response to a question raised some interest and I found it very interesting. I then went to investigate the keys and values on my own machine. This can also be controlled using gpedit.msc, but found it interesting to see the current entries for myself.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 Functions

While not “incorrect” Steven’s answer is incomplete.

The linked article is a very good description for how to enable and disable cipher suites like SSL 2.0 etc, but SH’s pen test comments posted are also concerned about the mode of operation of the ciphers used – specifically about removing the use of CBC (Cipher Block Chaining) and using Counter (CTR) or Galois Counter (GCM). This is not fully covered in that answer.

In order to direct how the transport security is negotiated in this more granular level, they will also need to look at the content and ordering of the Functions list. This controls the preferred order and what is acceptable when the transport security is negotiated between server/webserver and client/browser.

HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002  Functions

Removal of CBC modes of operation from the list would prevent their sucesful negociation, but removal of all CBC is likely to have negative impact. Adjusting this list must be done with great care as misconfiguration will prevent sucesful connections. Support for modern modes of block cipher operation such as e.g. AES-GCM are still not completely widespread (March 2016) in all clients/browsers and OS versions.

As with much of crypto, what might be appropriate for state top-secrets and what might be appropriate for information of very low confidentiality won’t always be the same. A balanced approach for information assurance is needed depending on the categorization of the specific information and not an approach like CBC is “bad” GCM is “good”.

S.H. should probably return to his/her pen testers to discuss whether their specific use of CBC modes may be acceptable for a while longer until GCM is better adopted, before testing any adjustements to the Functions list.

Tuesday, March 08, 2016 9:46 AM, Tom Hollinghurst

 

References: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a51f9574-73b0-4808-ad5f-4db081d80e6f/disable-cbc-mode-cipher-encryption-and-enable-ctr-or-gcm-cipher-mode-encryption-disable-md5-and?forum=winserversecurity