Change the Admin Key or it’s over??

I have done a bit of work recently demonstrating provisioning and managing smartcards with Native Windows tools and tools provided for free by the SmartCard Vendor.

The ability to change the Admin Key is not provided for by the default tool from Gemalto. Changing the Admin Key is required to prevent compromise of a card.

Part of the “Temporary” card issue procedure  used the Pin Unblock process to allow access to a card for provisioning and issue to a new user, this was achieved by access to the card using the default Admin Key.

If a SmartCard were found in public any body with Google Foo and access to the Gemalto site could change the Pin and gain access to the resources the user has access too. Possibly even remotely :(

There are other people who mention this “Vulnerability” on line and even point to reasons the vendors don’t provide the feature, to the point of claiming it to be a all about the money. One example is a blog post by Jason Fossen where he says:

Some smart card vendors and resellers deliberately refuse to give away (or to sell cheaply) a tool to change the default Administrator PIN. Why? It’s a devious marketing trick to get you to try out their cards and then hopefully you’ll come back to buy their PKI management suite, which of course includes this tool. This is devious because it is done deliberately, the web sites of these vendors and resellers scarsely mention the risk of not changing the default Administrator PIN (if at all), and often the salespeople of these vendors/resellers only discuss the risk after you’ve purchased the cards and done your testing.

Of course my solution is the same as his but I’m telling you about it because shortly I will document the Medium Business answer in my view which will include the use of vSED:CMS by Versatile Security

Download vSEC:CMS K Series and use the free tool to change the Admin PIN as shown

clip_image002

I don’t think it is the end of the world in a smaller environment to leave the Admin Key at the defaults either which I will discuss in detail in the next day or so

Of course now that you know how to change it, I would because it is no additional effort but it would mean using a tool from a third party and a little more documentation rigor.

Perhaps a job for me on the weekend.

Managing Smartcards without a CMS

One of the most common activities for managing an environment with smart cards is the issuing of a temporary card.

A Card Management System (CMS) usually takes care of the revocation of certificates, recycling of cards and reset of PIN. The system described in Password=BAD, SmartCards=GOOD could be better suit a Small Business if we make some minor tweaks.

This procedure will allow an administrator to issue a “Temporary Card” to a user who has left their card at home.

Create additional Smartcard User Templates

To alleviate the requirement for operators to manually administer certificates and to simplify the enrolment process, create certificate templates for each class of temporary card.

clip_image002

·         Open the Certification Authority MMC

·         Click Action > Manage

clip_image004

·         Select the Smartcard User Template

·         Click Action > Duplicate Template

 

Follow this procedure to create 3 Templates

·         365 Day Permanent Card

·         1 Day Temporary Card

·         7 Day Temporary Card

clip_image006

·         Select Windows Server 2003 Enterprise

·         Click OK

clip_image008

·         Enter a Name for the Certificate Template

·         Change the Validity period to suit the Template type

o   1 Day

o   1 Week

o   1 Year

·         Click Apply

clip_image010

·         Select the Issuance Requirements Tab

·         Select This Number of Authorised Signatures

·         Enter 1

·         Change Application Policy to Certificate Request Agent

·         Click Apply

·         Click OK

Repeat until all Certificate Templates have been created

clip_image012

Click File > Exit

clip_image014

Certificate Templates needs to be added to the Issuing CA

·         Click Action > New > Certificate Template to Issue

clip_image016

·         Select all new templates

·         Press OK

clip_image018

·         Select Smartcard User

·         Click Action > Delete

clip_image020

·         Click Yes

Reset the Smartcard

Open .NET Utilities from the Gemalto Site

clip_image022

Chances are when you pick up a Temporary Card you will not know the PIN

clip_image024

·         Try to change the PIN a few times to Block the Card

clip_image026

·         Select Unblock PIN

·         Enter a new PIN

·         Confirm the new PIN

·         Click Unblock

clip_image028

·         Confirm successful unblock

·         Click OK

 

clip_image030

·         Click Manage Certificates

·         Select each existing certificate in turn

·         Press Delete

clip_image032

·         Confirm correct certificate

·         Press OK

clip_image034

·         Enter the Card PIN

Note this is why we reset the PIN earlier.

You could have asked the user who last held the cards but chances are this is the PIN they use for their permanent card :(

clip_image036

·         Press OK

Issue a Smartcard

clip_image038

·         Click > Action > Advanced Operations > Enroll On Behalf Of

 

clip_image040

·         Click Next

 

clip_image042 

·         Click Browse

 

clip_image044

·         Select the Certificate created previously

·         Click OK

 

clip_image046

·         Click Next

 

clip_image048

·         Select Smartcard User

·         Click Properties

 

clip_image050

·         Deselect Microsoft Strong Cryptographic Provider

·         Select Microsoft Base Smart Card Crypto Provider

·         Click Apply

·         Click OK

 

clip_image052

·         Click Next

 

clip_image054 

·         Enter the User name (including Domain)

·         Click Enroll

 

clip_image056

·         Insert the Smartcard

 

clip_image058

See here is one of mine J

 

clip_image060

·         Enter the Smartcards PIN

 

clip_image062

·         Observe STATUS: Succeeded

·         Click Next User or Close

 

 

Password=Bad, Smartcards=Good

I often talk about Authentication and Passwords particularly with the difficulty in managing something that end users tend to forget or write on post it notes on their monitors.

Actually I’m not too concerned about people writing down their password that is a personal liability issue; I believe users are adult enough to take responsibility for their own accounts.

I am much more concerned about remote compromise and one way this occurs is via key loggers and other malware.

So how do I mitigate that risk? With the use of a Smartcard.

I am aware that the smartcard answer is not complete due to applications that don’t support Single Sign On (SSO) and mostly Kerberos is my friend but there are MANY applications who don’t share that friendship. I am going to talk about managing passwords but not for Interactive Logon, in future guides.

I once had a customer who wanted to stop his users from having to remember the complex passwords we had implemented. I advised him that at his scale about 15 Users that a 2 Factor Authentication system might not be a solution.

Like many SMB Consultants my concerns were about cost and my ability to execute.

Back then I didn’t know what I didn’t know:

§  I was nervous about the expense of cards and readers

§  I was nervous about card management system expense and complexity

§  I was nervous about integrating the smartcard solution with SCO UNIX and an Application they ran through a Terminal Emulator (Still “Nervous” about UNIX integration but only because I have not discovered how to do that. Perhaps another guide coming there)

My point is I didn’t know how to execute and I let go of that business.

SO here is one solution to the authentication problem and I think solving the other problem with a Single Sign On solution would be job done.

Lab Environment

I have chosen Small Business Server 2011 Standard Edition partly because the client had that solution and partly because this will be a series where I build on the solution as the customer grows up the complexity stack.

Of course I love Small Business Server because it is a little engrained in the heritage of where my business came from but also because:

§  Windows Server 2008 R2

§  Active Directory

§  DHCP

§  DNS

§  Group Policy

§  Certificate Services <—Really Important Here

§  Exchange Server 2010

§  SharePoint Foundation

I’m running it all on Hyper-v 2012 RC1

Really all the fun stuff :)

Let’s Start

Install Small Business Server 2011 Standard Edition

OR

Enterprise Guys … Install Windows Server 2008 R2 and add AD and AD Certificate Services

Note SBS is based on Standard Edition of Windows Server so yes this works on STD ED Certificate Services

Add Features to SBS 2011 Standard Edition Certificate Authority

clip_image002 

·         Open Control Panel

·         Open Programs

·         Click Turn Windows features on or off

 

clip_image004 

·         Expand Roles

·         Click Add Role Services

 

clip_image006

·         Select Certification Authority Web Enrollment

·         Click Next

 

clip_image008

·         Click Install

 

clip_image010 

·         Confirm Installation succeed

·         Click Close

 

 

Issue Certificate Templates

clip_image012 

·         Run Certification Authority from Administrative Tools

·         Select Action > New > Certificate Template to Issue

 

clip_image014

·          Select Enrollment Agent and Smartcard User

·         Click OK

 

clip_image016

·         Confirm both Templates are available for Issue

 

 

Issue Enrollment Agent Certificate to Card Issuing Computer

clip_image018

·         Open MMC and Add the Certificates Snap in

·         Choose My User Account

·         Choose Personal under Certificates – Current User

 

clip_image020 

·         Click Action > All Tasks > Request New Certificate

 

clip_image022

·         Click Next

 

clip_image024 

·         Click Next

 

clip_image026 

·         Select Enrollment Agent

·         Click Properties

 

clip_image028

·         Select the Private Key Tab

·         Select Microsoft Base Cryptographic Provider 1.0

·         Click Apply

·         Click OK

 

clip_image030

·         Click Enroll

 

clip_image032

Observe STATUS: Succeeded

Click Finish

 

clip_image034

·         Observe a Certificate is Created

 

Issue a Smartcard

clip_image036

·         Click > Action > Advanced Operations > Enroll On Behalf Of

 

clip_image038

·         Click Next

 

clip_image040 

·         Click Browse

 

clip_image042

·         Select the Certificate created previously

·         Click OK

 

clip_image044

·         Click Next

 

clip_image046

·         Select Smartcard User

·         Click Properties

 

clip_image048

·         Deselect Microsoft Strong Cryptographic Provider

·         Select Microsoft Base Smart Card Crypto Provider

·         Click Apply

·         Click OK

 

clip_image050

·         Click Next

 

clip_image052 

·         Enter the User name (including Domain)

·         Click Enroll

 

clip_image054

·         Insert the Smartcard

 

clip_image056

See here is one of mine J

 

clip_image058

·         Enter the Smartcards PIN

 

clip_image060

·         Observe STATUS: Succeeded

·         Click Next User or Close

 

clip_image062 

It is possible to put more than on certificate on a given card.

I have issued two certs to this card so I can separate Administrative Rights

 

clip_image064clip_image066 

 

For fun I wanted to test how many Certificates’ would fit on a card I had lying about.

 

The answer was 8 but more importantly the card took a LONG time to load up the Certificates compared to a card with only one or two, so this would heavily impact user experience.

 

A use for a card like this would be where display screens for marketing, network monitoring or other logged on but unattended applications are required.

Next Steps

Now you have a simple way to let all your users logon with a smartcard things that I will cover later is PIN unblock and Card Management Features provided by the card vendor Gemalto but tools from other vendors would be work too I’ll link to them as I find them

 

What can I do to reduce Service Desk Calls by …

I have been thinking about iDM tool deployment and have started to think about a benefit that could be unrealised while we think about synching connected systems.

Perhaps we could reduce Service Desk calls for Password Synch and Resets and maybe save the licencing costs of the iDM solution on the front end.

Source: http://privacycartoonportfolio.blogspot.com.auGartner says

The two most frequent call types are how-to requests (how to access or operate IT resources) and password reset (establishing or regaining the privilege to access IT resources). Because password problems make up 20 percent to 30 percent of all IT service desk volume, with most of those issues resolvable by password reset tools, automating this function can save organizations the costs of supporting this type of request.

I want to talk about Password Self Service, Password Synchronisation and Enterprise Single Sign On.

I’ll tackle these topics before going on to more complicated iDM topics so over the next few weeks we will learn about Passwords yay!!

Let’s not Demonise Complexity

When I first saw this image I smiled a little and thought wow they are trying to say complexity is BAD.

To many organisations complexity is bad mostly because they want to have a lower skilled workforce… Well it seems that way at least.

Metaphor for complexity

I was talking with someone the other day who was lamenting that “FIM was ridiculously hard, kind of like SCCM”.

I don’t want to rant about IT Generalists expecting to be able to just pick up the DVD and go with many Microsoft Technologies but will say I’m coming up on my third attempt at passing the FIM 2010 Technology Specialist Exam and it is NOT an easy product BUT I didn’t expect it would be …

I want to spend some time talking about complex products that make the Business of IT and the Business of Business easier or Complexity can be your friend.

So I’m keen to relearn my FIM 2010 mojo by building a solution but also because I’m an Infrastructure guy not an application developer, I’m keen to build it code free except for some PowerShell.

Password Creation Key Material – If you HAVE to used known passwords

I was reading my RSS Feeds today and saw a post from Wayne Small over at SBS FAQ talking about Passwords and how people store them.
He spoke about a Password Card from Savernova which gives you the beginning of a secure password system. It won’t protect you from a KeyLogger but it might protect a password to a password, which is what I might use it for…
I already use KeyPass for storing and generating my high value credentials so I can just copy and paste into Application and Web Dialogs well ones I don’t already have Single Sign on for (but that is another post)
KeyPass allows me to use a Password to open the Encrypted Password Safe AND I’m Pretty PARANOID (They still might be out to get me) so I store the App and Data on an IronKey that is pretty much always with me. Oh yeah the IronKey is Decrypted with a Password Sad smile
Now at work I use a Smartcard to login and our user Attributes are set to Require Smartcard so there is no worries about a Password or is there? My SmartCard Pin is an 8 Character Password DAMN
So to login to my Internet Banking I need a 24 Character Password I stored in KeyPass so here goes…
I am tempted to make lots of the passwords the same to make them easy to remember but I work in an Identity Management, Authentication and Security Team hmmm maybe not. Now If I did maybe they might be @BettyisPretty after someone I follow on Twitter (Because that Twitter ID makes me Smile)
Today I looked at Wayne’s Card and thought NOT Strong Enough and set about making my own
Here is how I did it:

  • Create a Constant in Excel and call it Characters
  • Insert the Characters in your Password Policy: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*[]{}-+
  • Create a Matrix of Cells I used the same one as the Card from Wayne’s post and added some I didn’t think I needed to miss
  • Copy the Random Selection Formula to each Cell: =MID(Characters,INT(RAND()*LEN(Characters))+1,1)
  • Put a Border around it like Map Co-ordinates and you are good to go
  • Print
  • Laminate and
  • Insert into your Smart Card Holder

image
This is not the Matrix I’m using Smile and it changes with each open anyway so make sure you print a spare and save it SECURELY (against Loss not Compromise)
In my Scenario I might use the following to Comply with the ISM (Govt Security Guidance) Complexity Recommendations
Smartcard Pin – I5 Diagonal Down 7 Chars = iR5p7xh
IronKey Password – D9 Horizontal 8 Chars = “&0yfmgk
KeyPass Password – L3 Vertical 8 Chars = V-deJp#3

Open Source Procurement Policy – Reverse Discrimination??

I was an interested observer when AGIMO published their Open Source Software Policy Principles and recently I asked why are they in my view so one sided… Oh and on Twitter

I do think the Idea is solid but just like so many other things where we try to level the playing field we go to far the other way can’t we just require a detailed evaluation report be produced for all evaluations … Oh Wait Smile

Let me explain

There was a time when I was a bit of a hater when it came to use of Open Source Software and was often heard to say “Open Source is free if your time has no value”. These days I use quite a bit of software not produced by the closed source dynamos.

The Document that I’m wanting to discuss is

Australian Government Information Management Office
(AGIMO) Circular
 
Subject: Open Source Software Policy 
 
Approved by the Secretaries’ ICT Governance Board on 21 December 2010
 
Circular No:  2010/004

Now I think the intent is to level a playing field but I’d like to demonstrate how it really is reverse discriminatory.

Principle 1:  Australian Government ICT procurement processes must actively
and fairly consider all types of available software.

Australian Government agencies must actively and fairly consider all types of
available software (including but not limited to open source software and proprietary
software) through their ICT procurement processes. It is recognised there may be
areas where open source software is not yet available for consideration.
 

Can we pretend that I am a Public Servant with a project that includes software? I like that all software types are actively and fairly considered that is great.

Not all requirements will have an Open Source option but how do I determine that?? There will always be someone who has better Bing err Google Foo than I. Am I responsible for an exhaustive search or is an ATM in ausTender the end of my responsibility?

Closed Source Vendors either respond or not this should apply to Open Source Vendors too in my view.


Principle 2: Suppliers must consider all types of available software when
dealing with Australian Government agencies.

Australian Government agencies will require suppliers to consider all types of
available software (including but not limited to open source software and proprietary
software) when responding to agencies‟ procurement requests.  
 
Agencies are required to insert this requirement into their tender documentation. 
Suppliers will need to provide justification outlining their consideration and/or
exclusion of open source software in their response to the tender.  Agencies will
determine compliance with this requirement when assessing tender responses.
  

I have enormous problems with this Principle…

We provide solutions we are expert in implementing and supporting we do not pretend to be all things to all people.

This Principle forces two outcomes:

  • Justification of consideration and/or exclusion of open source software. This forces a bidder to say something negative in order to be compliant either:
    • We are not able to provide breadth of services or (not great about the bidder)
    • All other options but the one we are pitching are inferior AND BTW we have checked them all (arrogant and maybe actionable)

I’d much prefer to talk about benefits of our solution and not even talk about things that don’t enhance the evaluation teams understanding of our capabilities.

  • An evaluation team needs to decide about non compliance based on this requirement. What if a bidder says “we did not consider ANY open source options because we believe our closed source partner fits the requirement” is this a non compliant bid? Should IBM be required to explain why they did not pitch Exchange in place of Domino? or Vice Versa

Principle 3:  Australian Government agencies will actively participate in open
source software communities and contribute back where appropriate.

The Australian Government, through AGIMO, will actively seek to keep up-to-date
with international best practice in the open source software arena, through engaging
with other countries and organisations. Australian Government agencies should also
actively participate in open source software communities and contribute back where
appropriate.
  

I have no problem with Principle 3


The Key points I think are fantastic except Point 4. I think it needs work and hopefully I will have explained my position adequately enough to help someone smarter than me to redraft something a little better.

Key Point 4.  Agencies should consider re-using existing software assets before acquiring either open source or proprietary software.

I think the decision to reuse existing assets is often not taken due to fear of being accused of not being open to the market, particularly when software licencing bundles include features where there are vendors of niche software now commonly included in most operating systems.

This usually makes Departments go to tender to seem impartial and then something unexpected happens, nobody bids the product / feature that is bundled because you can’t sell someone something they already own.

This is a shame because the bundled product often needs to be disabled at risk to the solution and expense, all because the evaluation team has no option but to say if the vendor wanted us to use their product they would have bid it.

This really is a big issue not strictly related to OSS but I’m sure a frustration for IT Teams who if they could, would in house bid the product they have and can manage best.

Of course they shouldn’t have to.

Are you coming to InfraSat in BrisLantis? I am

Last year I had the opportunity to attend Infrastructure Saturday in Brisbane and remember having a fantastic day.

There is a call for topics coming soon and not certain I won’t want to talk, maybe format and something interesting to say will be my limiting factors.

Perhaps I should talk to Shane and Alan about a session where folk get to pitch an idea or a project they would like to get off the ground and would want some help collaborating on, kind of the 2-5 minutes pitches at the end of Bar Camp

Any way if I were to talk about anything it would be Identity and Access Management or Run Book Automation or maybe BOTH how about System Center FIMhestrator ????

I’ll be having a think about what I could do and maybe you should too. Last Year I saw the first Public Presentation by the Molk and I hope not the last by any stretch.

ANYWAY it all starts with registration and ends with Beer on Saturday Night so are you interested …

UPDATE:-

With the Quick Pitch Session idea I was meaning …

Something like Teachmeet sessions

  • Micro-presentations – lasting 7 minutes
  • Nano-presentations – lasting 2 minutes

Micro Presentations could be a Quick Tip / Idea / Best Practice and a few Minutes Q&A

Nano Presentations might be I have been thinking about how we might build Blah here are the beginnings of the requirements… Can we collaborate on Documentation, Automation, Design. Who’s with me?

#BCC2011 How to Handle Difficult Clients

imageOne of the best sessions I went to at Bar Camp Canberra 2011 was “How to Handle Difficult Clients” by Danni (@daniib) and Jason (@jhando).

I found them both to be engaging speakers although it was mostly a conversation. Which gave me some insight into what it might be like to be a client ish.

I took quite a few notes and rather than retype and reimagine these are the notes as I took them

BTW I thought the session was great and some other folk spoke to me about it later and Lurved it too

imageimage

Andy Clarke’s Killer Contract

Andy Clarke 24 Ways

Merlin Project Method

The Tyranny of Email Standards

Funny this happened mostly due to poor email addressing standards

In order to do get uniqueness some environments create standards which make it hard for users to find each other. In this case I am Mojo_moj180.Jojo@smemanaged.com for example but there is a mojo.jojo@smemanaged.com neither are real BTW

So when people search for mojo they just get one hit and it is not me because nobody has a first name of mojo_moj180 Sad smile 

So you can imagine how I lost it when I saw this today…

 

Fw: Amen!

Buttercup_bum215 Utonium

to:

Mojo_moj180 Jojo

11/03/2011 11:09 AM


#fail
With thanks,
Buttercup Utionium

Crime Fighter Prior to bedtime

—– Forwarded by Buttercup_bum215 Utonium on 11/03/2011 11:08 AM —–

From:

Mojo Jojo

To:

Buttercup_bum215 Utonium

Date:

11/03/2011 11:00 AM

Subject:

Re: Amen!


Hi Buttercup
Wrong Mojo Jojo – but I like your goals for today.
thanks
Mojo Jojo

 

From:

Buttercup_bum215 Utonium

To:

Bubbles Utonium, Blossom Utonium, Rowdy Rough Boy, Mojo Jojo

Date:

11/03/2011 09:50 AM

Subject:

Amen!


clip_image001[4]

With thanks,
Buttercup Utionium

Crime Fighter Prior to bedtime
Have a great day!