Change the Admin Key or it’s over??

I have done a bit of work recently demonstrating provisioning and managing smartcards with Native Windows tools and tools provided for free by the SmartCard Vendor.

The default tool from Gemalto does not provide the ability to change the Admin Key, yet changing the Admin Key is required to prevent compromise of a card.

Part of the “Temporary” card issue procedure used the PIN Unblock process to gain access to a card so it could be provisioned and issued to a new user; this was achieved by accessing the card with the default Admin Key.

If a SmartCard were found in public, anybody with Google Foo and access to the Gemalto site could change the PIN and gain access to the resources the user has access to. Possibly even remotely :(

Other people mention this “Vulnerability” online and even point to reasons the vendors don’t provide the feature, going so far as to claim it is all about the money. One example is a blog post by Jason Fossen where he says:

Some smart card vendors and resellers deliberately refuse to give away (or to sell cheaply) a tool to change the default Administrator PIN. Why? It’s a devious marketing trick to get you to try out their cards and then hopefully you’ll come back to buy their PKI management suite, which of course includes this tool. This is devious because it is done deliberately, the web sites of these vendors and resellers scarcely mention the risk of not changing the default Administrator PIN (if at all), and often the salespeople of these vendors/resellers only discuss the risk after you’ve purchased the cards and done your testing.

Of course my solution is the same as his, but I’m telling you about it because shortly I will document what I see as the Medium Business answer, which will include the use of vSEC:CMS by Versatile Security.

Download vSEC:CMS K Series and use the free tool to change the Admin PIN as shown


I don’t think it is the end of the world in a smaller environment to leave the Admin Key at the defaults either, which I will discuss in detail in the next day or so.

Of course, now that you know how to change it, I would, because it is no additional effort, though it would mean using a tool from a third party and a little more documentation rigor.

Perhaps a job for me on the weekend.

Managing Smartcards without a CMS

One of the most common activities for managing an environment with smart cards is the issuing of a temporary card.

A Card Management System (CMS) usually takes care of the revocation of certificates, recycling of cards and resetting of PINs. The system described in Password=BAD, SmartCards=GOOD could better suit a Small Business if we make some minor tweaks.

This procedure will allow an administrator to issue a “Temporary Card” to a user who has left their card at home.

Create additional Smartcard User Templates

To alleviate the requirement for operators to manually administer certificates and to simplify the enrolment process, create a certificate template for each class of temporary card.

  • Open the Certification Authority MMC
  • Click Action > Manage
  • Select the Smartcard User Template
  • Click Action > Duplicate Template

Follow this procedure to create 3 Templates:

  • 365 Day Permanent Card
  • 1 Day Temporary Card
  • 7 Day Temporary Card

For each Template:

  • Select Windows Server 2003 Enterprise
  • Click OK
  • Enter a Name for the Certificate Template
  • Change the Validity period to suit the Template type
      ◦ 1 Day
      ◦ 1 Week
      ◦ 1 Year
  • Click Apply
  • Select the Issuance Requirements Tab
  • Select This Number of Authorised Signatures
  • Enter 1
  • Change Application Policy to Certificate Request Agent
  • Click Apply
  • Click OK

Repeat until all Certificate Templates have been created.

  • Click File > Exit

The Certificate Templates need to be added to the Issuing CA:

  • Click Action > New > Certificate Template to Issue
  • Select all new templates
  • Press OK
  • Select Smartcard User
  • Click Action > Delete
  • Click Yes

Reset the Smartcard

Open .NET Utilities from the Gemalto Site.

Chances are when you pick up a Temporary Card you will not know the PIN.

  • Try to change the PIN a few times to Block the Card
  • Select Unblock PIN
  • Enter a new PIN
  • Confirm the new PIN
  • Click Unblock
  • Confirm successful unblock
  • Click OK
  • Click Manage Certificates
  • Select each existing certificate in turn
  • Press Delete
  • Confirm correct certificate
  • Press OK
  • Enter the Card PIN

Note this is why we reset the PIN earlier.

You could have asked the user who last held the card, but chances are this is the PIN they use for their permanent card :(

  • Press OK

Issue a Smartcard

  • Click Action > Advanced Operations > Enroll On Behalf Of
  • Click Next
  • Click Browse
  • Select the Certificate created previously
  • Click OK
  • Click Next
  • Select Smartcard User
  • Click Properties
  • Deselect Microsoft Strong Cryptographic Provider
  • Select Microsoft Base Smart Card Crypto Provider
  • Click Apply
  • Click OK
  • Click Next
  • Enter the User name (including Domain)
  • Click Enroll
  • Insert the Smartcard

See, here is one of mine :)

  • Enter the Smartcard’s PIN
  • Observe STATUS: Succeeded
  • Click Next User or Close

Password=Bad, Smartcards=Good

I often talk about Authentication and Passwords, particularly the difficulty of managing something that end users tend to forget or write on post-it notes stuck to their monitors.

Actually I’m not too concerned about people writing down their password; that is a personal liability issue. I believe users are adult enough to take responsibility for their own accounts.

I am much more concerned about remote compromise and one way this occurs is via key loggers and other malware.

So how do I mitigate that risk? With the use of a Smartcard.

I am aware that the smartcard answer is not complete, due to applications that don’t support Single Sign On (SSO). Mostly Kerberos is my friend, but there are MANY applications that don’t share that friendship. I am going to talk about managing passwords, but not for Interactive Logon, in future guides.

I once had a customer who wanted to stop his users from having to remember the complex passwords we had implemented. I advised him that at his scale, about 15 users, a two-factor authentication system might not be a solution.

Like many SMB Consultants my concerns were about cost and my ability to execute.

Back then I didn’t know what I didn’t know:

  • I was nervous about the expense of cards and readers
  • I was nervous about card management system expense and complexity
  • I was nervous about integrating the smartcard solution with SCO UNIX and an Application they ran through a Terminal Emulator (Still “Nervous” about UNIX integration but only because I have not discovered how to do that. Perhaps another guide coming there)

My point is I didn’t know how to execute, and I let go of that business.

So here is one solution to the authentication problem, and I think solving the other problem with a Single Sign On solution would be job done.

Lab Environment

I have chosen Small Business Server 2011 Standard Edition partly because the client had that solution and partly because this will be a series where I build on the solution as the customer grows up the complexity stack.

Of course I love Small Business Server because it is a little ingrained in the heritage of where my business came from, but also because it gives you:

  • Windows Server 2008 R2
  • Active Directory
  • DHCP
  • DNS
  • Group Policy
  • Certificate Services <— Really Important Here
  • Exchange Server 2010
  • SharePoint Foundation

I’m running it all on Hyper-v 2012 RC1

Really all the fun stuff :)

Let’s Start

Install Small Business Server 2011 Standard Edition

OR

Enterprise Guys … Install Windows Server 2008 R2 and add AD and AD Certificate Services

Note: SBS is based on the Standard Edition of Windows Server, so yes, this works on Standard Edition Certificate Services.

Add Features to SBS 2011 Standard Edition Certificate Authority

  • Open Control Panel
  • Open Programs
  • Click Turn Windows features on or off
  • Expand Roles
  • Click Add Role Services
  • Select Certification Authority Web Enrollment
  • Click Next
  • Click Install
  • Confirm Installation succeeded
  • Click Close

Issue Certificate Templates

  • Run Certification Authority from Administrative Tools
  • Select Action > New > Certificate Template to Issue
  • Select Enrollment Agent and Smartcard User
  • Click OK
  • Confirm both Templates are available for Issue

Issue Enrollment Agent Certificate to Card Issuing Computer

  • Open MMC and Add the Certificates Snap-in
  • Choose My User Account
  • Choose Personal under Certificates – Current User
  • Click Action > All Tasks > Request New Certificate
  • Click Next
  • Click Next
  • Select Enrollment Agent
  • Click Properties
  • Select the Private Key Tab
  • Select Microsoft Base Cryptographic Provider 1.0
  • Click Apply
  • Click OK
  • Click Enroll
  • Observe STATUS: Succeeded
  • Click Finish
  • Observe a Certificate is Created

Issue a Smartcard

  • Click Action > Advanced Operations > Enroll On Behalf Of
  • Click Next
  • Click Browse
  • Select the Certificate created previously
  • Click OK
  • Click Next
  • Select Smartcard User
  • Click Properties
  • Deselect Microsoft Strong Cryptographic Provider
  • Select Microsoft Base Smart Card Crypto Provider
  • Click Apply
  • Click OK
  • Click Next
  • Enter the User name (including Domain)
  • Click Enroll
  • Insert the Smartcard

See, here is one of mine :)

  • Enter the Smartcard’s PIN
  • Observe STATUS: Succeeded
  • Click Next User or Close

It is possible to put more than one certificate on a given card. I have issued two certs to this card so I can separate Administrative Rights.

For fun I wanted to test how many Certificates would fit on a card I had lying about.

The answer was 8, but more importantly the card took a LONG time to load up the Certificates compared to a card with only one or two, so this would heavily impact user experience.

A use for a card like this would be where display screens for marketing, network monitoring or other logged on but unattended applications are required.

Next Steps

Now you have a simple way to let all your users log on with a smartcard. Things I will cover later are PIN unblock and the Card Management features provided by the card vendor Gemalto; tools from other vendors would work too, and I’ll link to them as I find them.

 

What can I do to reduce Service Desk Calls by …

I have been thinking about iDM tool deployment and have started to think about a benefit that could be unrealised while we think about synching connected systems.

Perhaps we could reduce Service Desk calls for Password Synch and Resets and maybe save the licencing costs of the iDM solution on the front end.

Source: http://privacycartoonportfolio.blogspot.com.au

Gartner says:

The two most frequent call types are how-to requests (how to access or operate IT resources) and password reset (establishing or regaining the privilege to access IT resources). Because password problems make up 20 percent to 30 percent of all IT service desk volume, with most of those issues resolvable by password reset tools, automating this function can save organizations the costs of supporting this type of request.

I want to talk about Password Self Service, Password Synchronisation and Enterprise Single Sign On.

I’ll tackle these topics before going on to more complicated iDM topics so over the next few weeks we will learn about Passwords yay!!

Let’s not Demonise Complexity

When I first saw this image I smiled a little and thought wow they are trying to say complexity is BAD.

To many organisations complexity is bad mostly because they want to have a lower skilled workforce… Well it seems that way at least.

Metaphor for Complexity

I was talking with someone the other day who was lamenting that “FIM was ridiculously hard, kind of like SCCM”.

I don’t want to rant about IT Generalists expecting to be able to just pick up the DVD and go with many Microsoft Technologies, but I will say I’m coming up on my third attempt at passing the FIM 2010 Technology Specialist Exam and it is NOT an easy product, BUT I didn’t expect it would be …

I want to spend some time talking about complex products that make the Business of IT and the Business of Business easier or Complexity can be your friend.

So I’m keen to relearn my FIM 2010 mojo by building a solution, but also, because I’m an Infrastructure guy and not an application developer, I’m keen to build it code free except for some PowerShell.

Password Creation Key Material – If you HAVE to use known passwords

I was reading my RSS Feeds today and saw a post from Wayne Small over at SBS FAQ talking about Passwords and how people store them.

He spoke about a Password Card from Savernova which gives you the beginning of a secure password system. It won’t protect you from a KeyLogger, but it might protect a password to a password, which is what I might use it for…

I already use KeyPass for storing and generating my high value credentials so I can just copy and paste into Application and Web Dialogs, well, the ones I don’t already have Single Sign On for (but that is another post).

KeyPass allows me to use a Password to open the Encrypted Password Safe, AND I’m Pretty PARANOID (They still might be out to get me), so I store the App and Data on an IronKey that is pretty much always with me. Oh yeah, the IronKey is Decrypted with a Password :(

Now at work I use a Smartcard to login and our user Attributes are set to Require Smartcard, so there are no worries about a Password, or are there? My SmartCard PIN is an 8 Character Password. DAMN

So to login to my Internet Banking I need a 24 Character Password I stored in KeyPass, so here goes…

I am tempted to make lots of the passwords the same to make them easy to remember, but I work in an Identity Management, Authentication and Security Team, hmmm, maybe not. Now if I did, maybe they might be @BettyisPretty after someone I follow on Twitter (Because that Twitter ID makes me Smile).

Today I looked at Wayne’s Card and thought NOT Strong Enough and set about making my own.

Here is how I did it:

  • Create a Constant in Excel and call it Characters
  • Insert the Characters in your Password Policy: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*[]{}-+
  • Create a Matrix of Cells I used the same one as the Card from Wayne’s post and added some I didn’t think I needed to miss
  • Copy the Random Selection Formula to each Cell: =MID(Characters,INT(RAND()*LEN(Characters))+1,1)
  • Put a Border around it like Map Co-ordinates and you are good to go
  • Print
  • Laminate and
  • Insert into your Smart Card Holder

This is not the Matrix I’m using :) and it changes with each open anyway, so make sure you print a spare and save it SECURELY (against Loss not Compromise).
In my Scenario I might use the following to Comply with the ISM (Govt Security Guidance) Complexity Recommendations:

  • Smartcard PIN – I5 Diagonal Down 7 Chars = iR5p7xh
  • IronKey Password – D9 Horizontal 8 Chars = “&0yfmgk
  • KeyPass Password – L3 Vertical 8 Chars = V-deJp#3
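The same card scheme in Python, as an added example that is not from the post or from Savernova: it builds the matrix from the `secrets` CSPRNG instead of Excel RAND() (which is not a cryptographic random source), reads passwords off the card by start cell, direction and length the way the I5, D9 and L3 readings above do, and counts how many such readings the card holds, since whoever holds the card has only that many candidates to try. The 20-row by 16-column card size is an assumption; the post does not give the dimensions of Wayne’s card.

```python
import math
import secrets
import string

# Character set copied from the post's password policy step.
CHARACTERS = (string.digits + string.ascii_lowercase + string.ascii_uppercase
              + "!@#$%^&*[]{}-+")
ROWS = "ABCDEFGHIJKLMNOPQRST"  # assumed row labels; the post's card size is not given
COLS = 16                      # assumed column count
# (row step, column step) for each reading direction the post uses
DIRECTIONS = {"horizontal": (0, 1), "vertical": (1, 0), "diagonal down": (1, 1)}


def make_card(rows=len(ROWS), cols=COLS):
    """Build the card as a list of row strings. Each cell is drawn from the OS
    CSPRNG via secrets.choice, whereas Excel RAND() is not a cryptographic RNG."""
    return ["".join(secrets.choice(CHARACTERS) for _ in range(cols))
            for _ in range(rows)]


def read_password(card, start, direction, length):
    """Read `length` cells from a start cell such as "I5" along `direction`,
    e.g. the post's I5 diagonal down 7. Raises ValueError if the path leaves the card."""
    row, col = ROWS.index(start[0].upper()), int(start[1:]) - 1
    dr, dc = DIRECTIONS[direction]
    out = []
    for i in range(length):
        r, c = row + dr * i, col + dc * i
        if not (0 <= r < len(card) and 0 <= c < len(card[0])):
            raise ValueError(f"{start} {direction} runs off the card at cell {i + 1}")
        out.append(card[r][c])
    return "".join(out)


def entropy_bits(length):
    """Entropy of a `length`-cell reading when every cell is uniform over the
    76-symbol CHARACTERS set (about 6.25 bits per cell)."""
    return length * math.log2(len(CHARACTERS))


def candidate_count(card, length):
    """Number of distinct (start cell, direction) readings of `length` that fit
    on the card: the whole search space for someone who holds the card itself."""
    total = 0
    for r in range(len(card)):
        for c in range(len(card[0])):
            for dr, dc in DIRECTIONS.values():
                if (r + dr * (length - 1) < len(card)
                        and c + dc * (length - 1) < len(card[0])):
                    total += 1
    return total


if __name__ == "__main__":
    card = make_card()
    print("\n".join(f"{ROWS[r]:>2} {row}" for r, row in enumerate(card)))
    for start, direction, n in (("I5", "diagonal down", 7),
                                ("D9", "horizontal", 8), ("L3", "vertical", 8)):
        print(f"{start} {direction} {n}: {read_password(card, start, direction, n)}"
              f"  ~{entropy_bits(n):.1f} bits, {candidate_count(card, n)} readings")
```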

#BCC2011 How to Handle Difficult Clients

One of the best sessions I went to at Bar Camp Canberra 2011 was “How to Handle Difficult Clients” by Danni (@daniib) and Jason (@jhando).

I found them both to be engaging speakers, although it was mostly a conversation, which gave me some insight into what it might be like to be a client, ish.

I took quite a few notes, and rather than retype and reimagine, these are the notes as I took them:

BTW I thought the session was great and some other folk spoke to me about it later and Lurved it too


Andy Clarke’s Killer Contract

Andy Clarke 24 Ways

Merlin Project Method

Games Meh but XBox Kinect in every Board Room #messaging

I’m no big gamer, I just don’t have the time, so when I do set aside enough time it tends to be something like a retro game of Age of Empires or Diablo, so XBOX has not been a big focus for me. Well, except for the version 1.0 I have with XBMC loaded.
I have been focusing on how my customers might get value from messaging systems that extend what they already do, and the Tandberg Systems they have been putting in are kind of sweet. Well, not really the Tandberg kit, more the 60” plasmas (3D, SD & USB plus divx).
Imagine my surprise when I saw …

In a move that surprised practically everyone, though, Microsoft also said that users of Lync (and Office 365) will be able to videoconference with home users of XBox game machines through Kinect, a new camera peripheral that tracks users’ movements in a room using infrared (IR) wireless.

Now I wonder if we need to gateway this through XBox Live or if we can directly integrate with an in house Lync 2010 System?

Microsoft will also add the shared videoconferencing capabilities for Kinect through a software update.
Corporate Lync customers can ditch their old PBX and phone systems to run Lync entirely on one or more servers. Alternatively, they can hold on to these legacy systems and interface them to Lync through gateways

Here’s to hoping that the firmware updates allow us to point to our own system; if they do I can see big potential.
Plus some interesting XMAS parties in future.

Source: Betanews.com

Privacy Options that don’t protect my privacy

I was signing up for a Microsoft Regional Business Building Event and part of the sign up form included…


   
   Privacy:
   Please tick this box if you do not wish Microsoft to use the details you have provided above to contact you regarding important security, product, and event information
   Trusted Microsoft Partners may use the details I have provided above to contact me regarding important security, product, and event information.
   A response for this question is required.

I do want Microsoft to contact me because we are a partner so I can’t tick that button.

I do not want Microsoft Partners to contact me because I am that trusted partner and won’t want SPAM from my competitors.

I am not concerned about the mail because I have a delete key, but I also don’t want to give explicit permission to these other companies to send me offers. I guess creating an Outlook rule for “Competitive Intelligence” is my only option.

Just saying

It’s slowly becoming an Android world, Gartner says

Earlier today I wondered why there were no Android Pallbearers when talking about the Windows Phone 7 RTM Launch.

Gartner seems to think Android will be number two in phones by 2014.

Despite the imminent launch of Windows Phone 7, Gartner expects Microsoft’s share in the mobile phone market to continue to shrink, from 8.7 percent last year to 4.7 percent this year to 3.9 percent by 2014. By 2014, it will range sixth behind MeeGo on a global basis, according to Gartner.

The predicted market share in 2014 is …

  1. Symbian – 30.2%
  2. Android – 29.6%
  3. Apple iOS – 14.9%
  4. Blackberry – 11.7%
  5. Others including MeeGo and Windows Phone 9.6%
  6. Windows Phone alone 3.9%

These numbers make me think Android is more likely to have the credible iPhone and Crackberry killer.

So I wonder who funds Common Criteria Evaluations??

I think the horse to back may well be Android but using it with Government clients will need someone to back an evaluation.

It’s slowly becoming an Android world, Gartner says – Software – Technology – News – CRN Australia