Certificate Services and Hardware Security Modules

Many Active Directory Certificate Services deployments never include a Hardware Security Module (HSM). This does not have to be a problem, depending on how the issued certificates are used. In some deployments, however, leaving an HSM out of the design can be a serious security risk.

What is a Hardware Security Module

An HSM is a computing device that can generate, store and safeguard digital keys, for example the private keys of certificates. Usually these devices come in the form of an appliance or a PCI card. There are also some USB-type HSMs to be found. Since these devices almost always fulfill a critical role within a security solution, they are typically certified to recognized standards such as Common Criteria and FIPS 140. Furthermore, many of these devices have tamper protection, which can go as far as deleting all information stored in the HSM when tampering is detected.

Why would you require an HSM?

A couple of years back there was a problem with a public certificate provider. There was a breach in which apparently the root certificate was stolen, and false certificates were being issued to services that weren’t to be trusted but appeared trusted at the time. To say this was a bad thing isn’t even scratching the surface.

Using an offline Root Certificate Authority (CA) can be a great help in keeping the certificate chain safe, but remember that on issuing CAs without an HSM, any account with administrator privileges will be able to issue certificates. That account will also be able to export a certificate together with its private key, and even mark that key as exportable. The result is a certificate that, in theory, can be used anywhere without any control over it.

An HSM stores and guards the private key, so even if someone with an administrator account logs onto an issuing or even a root CA, he or she (yes, she…) needs to unlock the HSM first before a certificate can be issued. You can even set up the HSM to require more than one identity to unlock it. This ensures that no single person can go and create certificates.
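
A quick way to see which side of this line an existing CA is on is to look at the key storage provider its signing key was created in. The script below is an added example, not part of the original post; it assumes it is run elevated on the CA server itself, reads the standard AD CS configuration under the CertSvc registry key, and compares the provider against a list of the software providers that ship with Windows (the list is this example's own).

```powershell
# Added example: report which key storage provider backs the local AD CS CA key.
# Assumption: run from an elevated PowerShell session on the CA server.

# Providers that ship with Windows and keep the private key in software on disk.
$softwareProviders = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Enhanced Cryptographic Provider v1.0',
    'Microsoft Enhanced RSA and AES Cryptographic Provider',
    'Microsoft Base Cryptographic Provider v1.0'
)

function Get-CaKeyProvider {
    $configPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path -LiteralPath $configPath)) {
        throw 'AD CS is not configured on this machine (CertSvc\Configuration is missing).'
    }

    # "Active" holds the name of the CA that certsvc loads at start-up.
    $caName = (Get-ItemProperty -LiteralPath $configPath -Name Active).Active

    # The CSP subkey records the provider chosen when the CA key was created.
    $csp = Get-ItemProperty -LiteralPath "$configPath\$caName\CSP"

    [pscustomobject]@{
        CaName      = $caName
        Provider    = $csp.Provider
        SoftwareKey = $softwareProviders -contains $csp.Provider
    }
}

$result = Get-CaKeyProvider
$result | Format-List

if ($result.SoftwareKey) {
    Write-Warning "CA '$($result.CaName)' keeps its signing key in a software provider; an administrator on this server can reach it without unlocking an HSM."
} else {
    Write-Output "CA '$($result.CaName)' uses provider '$($result.Provider)'; confirm with the vendor's tooling that this is the HSM."
}
```

A provider that is not on the software list is not proof of an HSM by itself, which is why the last branch only asks for confirmation.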

For an organization to validate its need for HSMs, the following question is important:

What would be the cost of the worst-case scenario if your Public Key Infrastructure were compromised?

If the number from that question is higher than, say, the price of an HSM, wouldn’t that make a compelling argument to use HSMs?
If your organization makes use of a PKI (or any cryptography) for any security reason I would recommend an HSM. Even if it’s just to make sure the private key of your only root CA never leaves the datacenter.

Are there alternatives?

There aren’t really alternatives. The only alternative you have is an offline network. You will know all the data is in that network and can’t get out. You will also need to lock down things like USB ports and such to prevent any form of data going in or out of it. All things considered, it sounds like a crappy solution to me.
Fortunately HSMs don’t need to be super expensive. You can go from €50 to €50000 when HSMs are considered. Of course, the more expensive they are, the more powerful their cryptographic capabilities become. For simply hardening the security of your CA in a small organization a USB solution may suffice.

Legislation

I am not an expert on the subject of law enforcement. But considering the recent case of the FBI versus Apple, there might be some legislation concerning encryption. It is a good thing to keep in mind that you want to check that you are not breaking the law by accident, but on purpose.

Concluding

If you use a form of cryptography for security solutions within your organization, please consider hardening security with a Hardware Security Module. I do not want to exaggerate, but in some cases a compromised security solution such as a Public Key Infrastructure can even compromise the safety of people’s lives.
Keep your environment safe, lives may depend on it 😀

Help, the Outlooks are down

So I was contacted by a panicking client. It seemed that all of his Outlook clients could not connect to Office 365 anymore. That meant investigating what was wrong. Upon inquiring he admitted that he changed some DNS settings the day before. But only the SPF record. That didn’t explain connection issues with their Outlook clients. Naturally the first thing I checked were their public DNS settings. There did not seem to be anything out of the ordinary there, apart from a tiny mistake in the SPF record they created. That did not present any insight into what might be causing this problem.

A couple of days earlier we did renew the Exchange certificate on the on-premise Hybrid server. But since the auto-discover DNS records were pointing at Office 365 this should not be a problem.

So I turned to my trusty connection testing toolset provided by our friends at Microsoft: https://testconnectivity.microsoft.com/
There on the Office 365 tab I ran the Outlook connectivity test. The following picture is a screenshot of a part of the test outcome. Funny thing that HTTP 503 error for the Office 365 auto-discover service.

[Screenshot: Connectivity Test]

A little web research suggested recreating the federation link with Office 365. I felt that would be a little bit of exaggeration. What else could be responsible for an Office 365 service being unavailable? Needless to say, I tested another tenant. That one seemed to have no problem whatsoever. Then it hit me. A quick question to their administrator if anything had changed at the Federation servers or domain controllers confirmed this. Yes, updates were installed, zero reboots given. Great, go reboot those machines….
5 minutes later I got a very happy and relieved sysadmin on the phone confirming that everything was working again. He also informed me they were able to log into on-premise servers again. He forgot to mention that fact in an earlier conversation…..*sigh*

Concluding

If you cannot log into your federated Office 365 environment, check your Domain Controllers and Federation servers. Something might be out of order there.

Surface Pro 3 Pen Button Windows 10 Bug

So I’ve got this lovely shiny Surface Pro 3. The screen being all touchy, the OS being all Windows 10 Pro, and the pen button starting up the modern OneNote App. However, in Windows 8.1 I had a choice between the modern App version and the Desktop version of OneNote. A quick review of the interwebs gave me nothing. So…

Let’s investigate…when pressing the blue button, the modern OneNote App pops up…but I want the desktop OneNote App to start.

Let’s remove the modern App since I am not going to use it anyway.

There is a nifty PowerShell command just for the purpose of uninstalling things that Windows does not want you to uninstall. (Does not work for Edge)

Start PowerShell as an Administrator and run the following:

If it generates output as in the screenshot it is installed, and piping the command to Remove-AppxPackage should remove the app.

Now, when pressing the button, a Windows Store dialog informs me of the fact that nothing can run a OneNote-cmd and I should consider installing a program that can. But wait…everything is in the registry. A quick search in the Windows registry for ‘OneNote-cmd’ finds it here:

It was empty, so I added the following keys: Shell\Open\Command. At the default value I set the following: “C:\PROGRA~1\MICROS~1\Office15\ONENOTE.EXE”

And presto, pressing the blue button opens OneNote for Desktop. You can also start other executables this way.

Back from LyncConf 2014

Robin Gilijamse and I attended LyncConf 2014 in Las Vegas last February. We had a really good time attending parties from the UCArchitects and several other sponsors. We enjoyed some real American food and explored the strip a bit. The weather even permitted a dive in the Resort pool and we generally had a really, really good time.

Keynote

Apart from the good times there were also some tech sessions we attended. Kicking off with the Keynote was Gurdeep Singh Pall, the Vice President for Lync & Skype Engineering at Microsoft. During the keynote he suggested replacing ‘unified communications’ with the term ‘universal communications’. This signifies the direction Microsoft is heading with Lync: to create a communication platform that is available on any device, at any location and even transcends the boundary between consumer and enterprise platforms as Lync and Skype possibilities are further developed.

He announced Full HD video chat will become available between Lync and Skype this summer. Also native interoperability with Tandberg Video Conferencing devices is coming in the near future.

Furthermore they are aiming to create a consistent experience for work and personal situations by bringing Lync and Skype closer together.

Apart from the Tandberg and Skype – Lync video chat there are some more things Gurdeep addressed. There is a JavaScript wrapper heading our way that will let you run Lync in a browser. There should be regular updates for the mobile clients. Lync Online will get PSTN dial-in/dial-out support and support for meetings with +1000 users.

More details on this can be found on this blogpost by Gurdeep.

Ecosystem

It became clear while roaming the Tech Expo that there are quite a few developers and suppliers of applications and peripherals for use with Lync. From status lights you can put on your desk to Video Conferencing Systems, headsets, desk phones and Survivable Branch Appliances. It becomes apparent Lync is growing and business is booming.

Fortunately there are quite a few APIs so the number of options is expanding.

This creates opportunity for everyone to expand upon the existing technology and come up with their own solutions. Also it gives customers great choice in all kinds of third party solutions, ranging from headsets, presence lights, to monitoring software and big video conference systems.

Concluding

Lync is serious business. The Ecosystem is getting better and better. Microsoft is going to great lengths to ensure Skype and Lync will deliver a seamless communication experience. A lot of third parties are creating products to enhance and expand the capabilities of Lync, both through software and hardware solutions.

At this moment Lync is available on a wide range of devices. The Android tablets will be added this year, leaving out Linux and a new client for Mac OS X (they still have a somewhat functioning 2011 client though).

If Microsoft keeps this up, Lync will become a real Universal Communications Solution in the years to come.

Dirteam Bloggers at LyncConf 2014

From Saturday February 15, 2014 to February 22, 2014, I will be in Las Vegas to attend LyncConf 2014. I’m very excited! Together with my colleague and fellow Dirteam blogger Robin Gilijamse, I will be getting all the ins and outs on the subject of Microsoft Lync and Unified Communications.

The 2014 Lync Conference will be held at the Aria Resort and Casino (Las Vegas, what did you expect) on Las Vegas Boulevard.

Last year I went to TechEd Europe 2013 in Madrid with Sander Berkouwer and Maarten de Vreeze. That was the first big Microsoft event I attended. It was totally awesome, despite the funny hotel. So this will be my ‘big’ second event.

I passed my ‘Microsoft Certified Solutions Expert (MCSE): Communications’ last December with some instructional help from Robin Gilijamse. Therefore, I was granted the opportunity to go by my employer.

If everything goes according to plan, I will be a lot more knowledgeable on troubleshooting and reading Lync logs. Also I’m planning to get more information about the various voice options and Survivable Branch Appliances (SBA).

Our flight will leave from Amsterdam Schiphol Airport (AMS) in the morning and we’ll be making a short stop at Detroit (DTW). I heard it was freezing over there. Usually it is freezing in the Netherlands this time of year, although not at the moment. Fortunately, Las Vegas is +20 degrees Celsius. After our short stop in Detroit, we’ll be arriving at Las Vegas (LAS) at 16:54 local time.

Viva Las Vegas!

Hope to see all you fellow Lync enthusiasts there!