The root cause of WannaCry is budgetary, and therefor political

I don’t typically politicise my technical Twitter account, nor this blog, but some technical problems are political. It is impossible to engage with security in any depth without confronting political issues. Earlier today, I dumped some thoughts on a private Twitter account, and a friend asked me to make them public. Here’s are those Tweets:

  1. SMBv1 is a widely-used file service that has been actively deprecated by Microsoft for an eternity, but which is present in lots of devices like NAS, networking kit and other networked devices like Sonos. Microsoft runs a program to help vendors deprecate SMBv1, but these are the kinds of things that hardware vendors routinely fail to do well.
  1. With effective network segmentation, malware like WannaCry can’t propagate widely, even if machines allow arcane protocols.
  1. Some instruments simply will not work if they get patched, to address issues like SMBv1 weaknesses. However, these devices need to be isolated through controls like effectively segmenting the network, or not networking them at all.
  1. No security professionals should be surprised that WannaCry is happening.
  1. The NHS (and most of the public sector) needs money to dig itself out of a mountain of technical debt. This is not an IT/security problem. It is an inevitable consequence of the Tory assault on NHS. If people die, we know who holds blame.

One further thought post-tweets. Some people may rightly point out that some of the funding issues and IT problems at the NHS began under Labour, but the world has changed significantly since the Conservatives came to power, and there has been an unequivocal failure to engage with those issues meaningfully where budgets have been slashed. It is not possible to adapt to contemporary threats with the obsolete technologies in use today. This will not be the last significant failure of critical infrastructure unless the coffers are topped up, and even then we can’t expect upgrade projects to happen more quickly at the NHS than they do elsewhere. This basically means that even if budgetary problems are instantaneously solved, it will still take more than a year with the best will in the world to get these risks down to manageable levels.

Further reading:

I’m sure I’ll be a bit more active than I have been recently on my technical Twitter account over the coming days (@tr5tn).

Keeping AD FS Integrated Windows Authentication (IWA/WIA) Clients Signed In

Over the last couple of years we’ve started doing less AD FS work, with the advent of Password Hash Sync for Azure AD sign-on, and Microsoft’s continued investment in Azure AD Premium. We’ve also seen a few organisations struggle to operate AD FS successfully, even if I personally like the technology. So I’ve changed our approach to unveil all of this with as much realism as possible, and to draw some feature comparisons in both directions. We also spend a lot of time talking about expectations of SSO, and how the ways we think about SSO on the web aren’t quite as automatic as what we get with Windows hashes and tickets.

So… what this means is that we don’t do as much AD FS work anymore, and when Microsoft released a hotfix for AD FS in the August 2014 update rollup, it didn’t catch my eye. This hotfix and the related configuration that needs to be added to the AD FS trust with Azure AD are documented in the newer Configure Persistent Single Sign-On article, and I first picked up on this configuration in the Azure MFA article for AD FS. At any rate, this configuration specifies two new Issuance Transformation Claims Rules for the AD FS Relying Party Trust with Azure AD (AKA “Microsoft Office 365 Identity Platform”):

Continue reading “Keeping AD FS Integrated Windows Authentication (IWA/WIA) Clients Signed In”

Creating a broadly compatible, modern SSL certificate with Active Directory Certificate Services

After recently hitting the default two year expiration point with our SharePoint development environment’s AD CS-issued SSL certificates, I set about updating that environment with a new five year template. I took this opportunity to see if I could make it as good as possible without breaking compatibility with anything. I will discuss some of these compatibility issues along the way. I will also make the certificate exportable, make sure it’s using the SHA256 hash (SHA1 will be deprecated in the near future), change the Certificate Authority (CA) configuration so that HTTP Distribution Points will be contactable from “outside the network”, and set permissions on the template in a way that it will be generally usable.

Steve Peschka tackled some of these basics about 18 months ago, but as he notes, his posts covers the simplest updates you can make. I think a few other options are worth considering. I don’t pretend to know all that there is to know about Active Directory Certificate Services (AD CS), or PKI in general, but I do think we can advance considerably beyond the default with a few changes. This is not a well-documented subject, so I hope to pull a few disparate resources together and propose an improved template. If you think anything here can be improved further, please post in the comments and I’ll try to incorporate that feedback.

Continue reading “Creating a broadly compatible, modern SSL certificate with Active Directory Certificate Services”

The Rules of AD FS Claims Rules

Many people think of AD FS as merely a federated authentication service. And with a name like Active Directory Federation Services, it’s easy to see why. However, it also has the capacity to make authorisation decisions within its Claims Engine. This may be most familiar as the Office 365 Client Access Policies, but those policies are basically just a flavour of AD FS Issuance Authorisation Rules. An AD FS Issuance Authorisation rule provides a gate at AD FS, where permissions can be granted or denied to authentic users, per-Relying Party, before giving the user Claims for the requested Relying Party. In most cases we will think about these rules as coarse controls, to block a wide category of requests, such as those originating from outside the network, for members of a group, or for any combination of request-based, device-based and user attribute-based Claims. We can even create authorisation rules based on the user’s Identity Provider, or from additional factors of authentication. We will typically still implement most of our authorisation logic within the Relying Parties we are authenticating to, but in some cases it’s very useful to control access at this intermediary tier – especially if a large class of users, devices or networks should be treated as higher risk.

These concepts are not new, and the TechNet documentation I reference here dates back to the earliest wave of AD FS 2.0 RTW content:

Ultimately, I think these articles do answer the question of how to create an AD FS Issuance Authorisation rule, but I can’t point very clearly to the place on these pages that spells it out, and I do think there is a lot of confusing information about this in other places which may lead people astray. Namely, there is a lot of information that only concerns itself with the default Active Directory Claims Provider Rules and the Claims that come from request headers. Also, some of the most referenced AD FS + SharePoint content seems to have been written without authorisation rules in-mind. I want to try to clear some of that up in this post.

UPDATE 24/2/2015
I’ve added a fairly significant update regarding the new MFA stage in the pipeline half-way down this post.

Continue reading “The Rules of AD FS Claims Rules”

Coordinating AD FS 2012 R2 token lifetimes to reduce logon prompts, enforce revocation and limit session duration over public networks

Back in February, I posted a question on the Geneva forum about Adjusting token lifetimes at the Web Application Proxy (WAP) for external access:

Does the Web Application Proxy or AD FS have any separate controls for adjusting token lifetimes to a different value via WAP than directly at AD FS? I can see there’s a session cookie for EdgeAccessCookie that WAP issues but this seems to be entirely undocumented at present. I’ve poked around in C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config (also undocumented as far as I can tell) but I’m not finding anything there either. We used to have some of these controls (sort of) with TMG/UAG. Are they totally gone now? With the AD FS Proxy this was less of an issue because it was only publishing AD FS but this is something that I’d hope to be able to control with a Reverse Proxy. Any ideas?

I didn’t get any replies, but after carrying out some tests of my own, I noticed the EdgeAccessCookie, and found a bit of information on TechNet:

After the user is authenticated, the AD FS server issues a security token, the ‘edge token’, containing the following information and redirects the HTTPS request back to the Web Application Proxy server:

  • The resource identifier that the user attempted to access.
  • The user’s identity as a user principal name (UPN).
  • The expiry of the access grant approval; that is, the user is granted access for a limited period of time, after which they are required to authenticate again.
  • Signature of the information in the edge token.

Web Application Proxy receives the redirected HTTPS request from the AD FS server with the edge token and validates and uses the token as follows:

  • Validates that the edge token signature is from the federation service that is configured in the Web Application Proxy configuration.
  • Validates that the token was issued for the correct application.
  • Validates that the token has not expired.
  • Uses the user identity when required; for example to obtain a Kerberos ticket if the backend server is configured to use Integrated Windows authentication.

If the edge token is valid, Web Application Proxy forwards the HTTPS request to the published web application using either HTTP or HTTPS.

This quickly became one of those things where there was insufficient documentation and limited project time, so I had to put this inquiry on hold. Then in July, I posted a question on the Application Proxy blog (a great resource), to see if this is something that they planned to document. The response that I got from Ian Parramore was unexpected and pleasing:

Continue reading “Coordinating AD FS 2012 R2 token lifetimes to reduce logon prompts, enforce revocation and limit session duration over public networks”

Activating a Windows Server 2012 R2 evaluation installation with an MSDN license

If you’re running an evaluation version of Windows Server 2012 R2 and want to activate it with an MSDN license, you may find that you get an error like this:

“Error: 0xC004F069 On a computer running Microsoft Windows non-core edition, run ‘slui.exe 0x2a 0xC004F069’ to display the error text”

Running that slui.exe command doesn’t get you very far though. It basically tells you the same thing about struggling with the edition. Off to my favourite search engine I went, but I found surprisingly little about this. I had vague recollections that this may not be possible, but the best information I found was this Blain Barton post on converting evaluation editions. Unfortunately, it didn’t mention anything about MSDN licenses, and in principle my edition wasn’t changing, so I didn’t really know what to do for the Set-Edition parameter that he speaks to in:

DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula.

Poking around a bit more I found the DISM TechNet reference and the DISM.exe /Online /Get-TargetEditions command.

That revealed an option for “ServerStandard”. So I ran the command with “ServerStandard” and it worked, as follows.

DISM /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

One other thing I found confusing is that if you run DISM /online /Get-CurrentEdition, there is a “Current edition is” and a “Current Edition” parameter in the response.

DISM Editions

Only “Current Edition” had a value for me: “ServerStandard”. I’m including this tidbit to clarify that the empty value for “Current edition is” doesn’t seem to have any relevance here.

Yay. Hope this helps someone. Note: to commit this change your machine will need to reboot (twice I think).

Things that don’t update when changing an AD FS URL in Windows Server 2012 R2

Windows Server 2012 R2 introduces a number deep changes to the way that AD FS works, which means that as practitioners, we need to look for solutions to problems in new, unexpected places. For instance, in the old world, if AD FS was completely unresponsive, the first place I would look after AD FS itself would be IIS. In AD FS 2012 R2, IIS doesn’t play a role. Requests are still served by the HTTP.SYS kernel driver but we interact with it using NETSH HTTP, which connects to the driver via the User Mode HTTP Server API. IIS and other familiar components would also interact with this API previously, but they provided a friendlier layer of abstraction between an administrator and the API. Interacting with HTTP.SYS using NETSH HTTP brings a learning curve with it, particularly when it comes to understanding what is and is not controlled here. Also, there is no GUI and the security that HTTP.SYS enforces is stricter than the abstracted layer that IIS has historically opened up. This web server architecture change and other new differences add to the difficulty of tracking down problems when things don’t work as expected, as detailed in this post.

Continue reading “Things that don’t update when changing an AD FS URL in Windows Server 2012 R2”

Significant Identity and Access Management Improvements in Windows Server 2012 R2

Last week, Microsoft released Windows Server 2012 R2 Preview. Some information about new features like the Web Application Proxy role began to emerge from recent industry events, but there isn’t an awful lot to absorb at the moment. Having played around with the preview for a few days, I’m pleased to report that the new features look good. While there are always niggles and unsupported scenarios, the features themselves are bringing Microsoft’s Identity and Access Management (IAM) offerings nearer to parity with the industry leaders. These changes should be of particular interest for SharePoint on-premises and Office 365 customers, as a number of scenarios that were on the bleeding edge of ADFS/UAG capabilities have been brought into the fold with some important enhancements to ADFS, which isn’t just for federation anymore.

In short, we get a new Claims-Aware Reverse Proxy, Device Claims in and outside of the network, Multiple-Factor Authentication and other enhancements for making access control decisions on more than just a username and password. I’ve discussed all of these topics routinely over the last couple of years in SharePoint on-premises and Office 365 contexts, but the current provisions in ADFS and UAG are not as elegant as what we find in the preview, so I’m keenly exploring the new functionality and will try to keep the content flowing. In this post I will focus on the features themselves, as there’s a lot of new stuff and the implementation of this functionality will only be clear with a bit more information than what you’ll find online today. I’m kind of rushing this out after limited use because I know there’s a big appetite for knowledge about the Microsoft Reverse Proxy roadmap, so apologies for the incompleteness in advance.

Continue reading “Significant Identity and Access Management Improvements in Windows Server 2012 R2”

Editing the Host Name field for wildcard SSL certificate bindings in IIS 7

Not only is this the thing that I always forget, it’s the thing that I’ve just learned I didn’t really understand. My colleague Ben just absolutely pwned me about an SSL certificate’s “Friendly Name” field and how it’s used when editing SSL binding in IIS. I was certain that Friendly Name couldn’t possibly be related to getting an editable host name field when you bind multiple Web Applications on the same IP address (assuming you have a wildcard certificate to handle this multiplicity). How it works with SAN certificates I don’t really know, but that’s a topic for another post. At any rate, in this case, I was bashing my head because I couldn’t get an editable Host Name field for my newly-extended Web Application:

Continue reading “Editing the Host Name field for wildcard SSL certificate bindings in IIS 7”