AppLocker, ActiveSetup, Group Policy; all the dumb things

Welcome, strangers, to the show
I’m the one who should be lying low
Saw the knives out, turned my back
Heard the train coming, stayed out on the track
In the middle, in the middle, in the middle of a dream
I lost my shirt, I pawned my rings
I’ve done all the dumb things

– Paul Kelly, Dumb Things

Microsoft AppLocker is a wonderful technology which allows your IT department to prevent unapproved programs from running on your work computer.  Great in theory, and my experience is that it works with some wrinkles.  It broadly works by using Group Policy to deliver rules (publisher, path or file hash) that define what is “trusted”; a file that matches no allow rule is blocked.

AppLocker and Active Setup
Active Setup runs a command once per user, early in the logon, before the desktop appears.  Each component is a subkey under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, and its command runs for a user the first time that user logs on after the component was registered.  For example, you might use this to configure iTunes for each user who logs onto the computer.

Each Active Setup component has a StubPath value: the command line (with the path to the program) that needs to run.  If AppLocker does not allow the program at that path, the command is blocked and the per-user step never happens, so your Active Setup fails.

If you are using System Center Configuration Manager (SCCM), then it’s likely that you’ll see this failure.

Suggestion:
If you are going to add a “Path” rule to fix this issue, you need to add two: one in the Executable Rules collection (for the EXE) and another in the Windows Installer Rules collection (for the MSI).  AppLocker checks each file type only against its own rule collection, so a path rule under Executable Rules does nothing for an MSI run from the same folder.
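The following PowerShell script is an added example (not from the original post) that finds this problem before a user does: it reads every Active Setup StubPath command on the machine, pulls out the program it runs (and any .msi it hands to msiexec), and asks the effective AppLocker policy whether that file would be allowed.  It assumes the AppLocker module is present (Windows 7 / Server 2008 R2 or later) and uses “Everyone” as a stand-in for a standard user.

```powershell
# Added example: check Active Setup StubPath commands against the effective AppLocker policy.
Import-Module AppLocker

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

# Pull the program (and any .msi argument) out of a StubPath command line.
function Get-StubPathFiles {
    param([string]$StubPath)
    $StubPath = $StubPath.Trim()
    $files = @()
    if ($StubPath -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($StubPath -split '\s+', 2)[0] }
    # Bare names such as rundll32.exe or msiexec are resolved through PATH.
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Path }
    }
    $files += $exe
    # An .msi passed to msiexec is judged by the Windows Installer rule collection, not the EXE one.
    if ($StubPath -match '"?([A-Za-z]:\\[^"]+?\.msi)"?') { $files += $Matches[1] }
    return $files
}

$policy = Get-AppLockerPolicy -Effective
$results = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($component in Get-ChildItem $root) {
        $stub = (Get-ItemProperty $component.PSPath).StubPath
        if (-not $stub) { continue }   # no command, nothing to run, nothing to block
        foreach ($file in Get-StubPathFiles $stub) {
            if (-not (Test-Path $file)) {
                [pscustomobject]@{ Component = $component.PSChildName; File = $file; Decision = 'FileMissing'; Rule = '' }
                continue
            }
            # Test-AppLockerPolicy picks the rule collection from the file extension (.exe vs .msi).
            $t = Test-AppLockerPolicy -PolicyObject $policy -Path $file -User Everyone
            [pscustomobject]@{ Component = $component.PSChildName; File = $file; Decision = $t.PolicyDecision; Rule = $t.MatchingRule }
        }
    }
}

$results | Sort-Object Decision | Format-Table -AutoSize
# Anything not 'Allowed' here will fail at the next user's first logon.
$results | Where-Object { $_.Decision -ne 'Allowed' }
```

Run it on a reference machine that has the AppLocker GPO applied; a Denied or DeniedByDefault row tells you which rule collection still needs a path rule, and FileMissing rows are stale Active Setup entries worth cleaning up anyway.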

Removing AppLocker via Group Policy
So for whatever reason, you have a class of “special” computers which AppLocker is not to apply to.  So you remove the AppLocker Group Policy from the “special” computer.  And it still seems to have AppLocker blocking programs.

What gives?
Well, what seems to be happening is this:

  1. The AppLocker Application Identity service (AppIDSvc) is set to Manual, so it is not running.
  2. The AppLocker registry settings that the GPO delivered (under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2) are left behind.
  3. AppLocker keeps enforcing those leftover rules, so applications are still blocked.

The fix?

  1. Start the Application Identity service (AppIDSvc)
  2. Logon to the computer.
  3. Restart the computer.

With the service running, Group Policy processing can finish removing the leftover registry settings.
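As an added example (not from the original post), this PowerShell script shows what to look at on one of the “special” computers and drives the first step of the fix.  It assumes the policy arrived by GPO and therefore lives under the SrpV2 policies key, and it needs to run elevated; the log on and restart steps are left to you.

```powershell
# Added example: detect leftover AppLocker settings after the GPO was removed, and start the fix.
Import-Module AppLocker

$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'

function Get-AppLockerState {
    $svc = Get-Service -Name AppIDSvc
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'").StartMode

    # Registry remnants: one subkey per rule collection (Exe, Msi, Script, Dll, Appx).
    $leftover = @()
    if (Test-Path $srpKey) {
        $leftover = Get-ChildItem $srpKey | ForEach-Object {
            [pscustomobject]@{
                Collection      = $_.PSChildName
                EnforcementMode = (Get-ItemProperty $_.PSPath).EnforcementMode   # 1 = enforce, 0 = audit only
                Rules           = @(Get-ChildItem $_.PSPath).Count
            }
        }
    }

    # What AppLocker itself thinks applies right now.
    [xml]$xml = Get-AppLockerPolicy -Effective -Xml
    $effective = foreach ($rc in @($xml.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
        [pscustomobject]@{ Collection = $rc.Type; Mode = $rc.EnforcementMode; Rules = $rc.ChildNodes.Count }
    }

    [pscustomobject]@{
        ServiceStatus       = $svc.Status
        ServiceStartMode    = $startMode
        LeftoverCollections = @($leftover)
        EffectiveRuleCount  = ($effective | Measure-Object -Property Rules -Sum).Sum
        EffectivePolicy     = @($effective)
    }
}

$state = Get-AppLockerState
$state | Select-Object ServiceStatus, ServiceStartMode, EffectiveRuleCount | Format-List
$state.LeftoverCollections | Format-Table -AutoSize

if ($state.EffectiveRuleCount -gt 0 -and $state.ServiceStatus -ne 'Running') {
    # Step 1: the service has to be running for AppLocker to process the policy change.
    # sc.exe rather than Set-Service, because AppIDSvc is protected on newer builds.
    sc.exe config AppIDSvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    gpupdate /target:computer /force | Out-Null
    Write-Host 'AppIDSvc started and policy refreshed. Now log on, restart, and re-run this script.'
}
```

After the restart, re-run the script and expect EffectiveRuleCount to be 0 and LeftoverCollections to be empty; if rules are still present, the computer is still in scope of some AppLocker GPO and the problem is the policy link, not the service.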

IE8 on Windows XP does not support SNI

, or “you desktop IT people have broken something”.

Just before Windows XP gets to take a well earned retirement on “the farm”, it popped its ugly head up this week with an end user complaining we did something to break their new website.

On purpose no less.

It seems IE8/Windows XP was receiving the wrong HTTPS certificate.

Upon investigation, I realised that the issue was that IE8 on WinXP does not support SNI.

Server Name Indication (SNI) is a TLS extension that lets a web browser tell the web host, in the first handshake message, which site it wants.  A single web host (one IP address and port) can host many HTTPS sites, and the host has to choose a certificate before any HTTP request arrives, so the name has to travel in the TLS handshake itself.  With SNI the host can pick the certificate for the right site.

If the browser does not send SNI, the host has no way of knowing which site is wanted and presents its default certificate.  That certificate is usually issued for a different name, so the browser shows a certificate error (or, worse, the user is trained to click through one).

To prove that it was a lack of SNI support causing the issue, I used the excellent Qualys SSL Labs SSL Server Test tool.
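If you would rather reproduce the check yourself than rely on an external scanner, the following PowerShell script is an added example (not from the original post).  It connects to the site twice through .NET’s SslStream, once with the host name (SNI sent) and once with the bare IP address (no SNI sent, because SNI is never sent for an IP literal), and compares the certificates the server presents.  The host name is a placeholder; the validation callback accepts any certificate because the point is to inspect it, not to trust it.

```powershell
# Added example: show the certificate a server presents with and without SNI.
function Get-PresentedCert {
    param([string]$Server, [string]$TargetHost, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever the server sends; we only want to look at it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        # SslStream sends SNI only when TargetHost is a DNS name, not an IP literal.
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |     # subjectAltName
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            TargetHost = $TargetHost
            Subject    = $cert.Subject
            SAN        = $san
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

$hostName = 'www.example.com'   # placeholder: the site that showed the certificate error
$ip = [System.Net.Dns]::GetHostAddresses($hostName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1

$withSni    = Get-PresentedCert -Server $ip.IPAddressToString -TargetHost $hostName
$withoutSni = Get-PresentedCert -Server $ip.IPAddressToString -TargetHost $ip.IPAddressToString
$withSni, $withoutSni | Format-List

if ($withSni.Thumbprint -ne $withoutSni.Thumbprint) {
    "Different certificates: this site depends on SNI. A non-SNI client such as IE8 on XP gets: $($withoutSni.Subject)"
} else {
    'Same certificate either way: SNI is not what is breaking this site.'
}
```

Two different thumbprints, with the no-SNI subject and SAN not covering the host name, is the same finding SSL Labs reports as “This site works only in browsers with SNI support”.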

I suggested to the customer that they use an alternate web browser, until they can replace Windows XP.

Enable TLS 1.2 on Windows 7 & 8

We’re in the process of developing a new Windows 8.1 SOE for a customer.  One of the things I looked at was Internet Explorer HTTPS transmission security.  Out of that, one of the things I recommend is enabling TLS 1.2.

TLS 1.2 – Configure Internet Explorer to use TLS 1.2 by default.
Transport Layer Security is the protocol web browsers* use to talk to HTTPS sites.  TLS 1.2, the current version when this was written (TLS 1.3 has since been published), has a number of security enhancements and protection mechanisms over previous versions, including stronger hash algorithms and authenticated-encryption cipher suites.  Enabling it is not only a Microsoft recommendation, but a good thing.  Internet Explorer will fall back to older TLS versions if the web site doesn’t support TLS 1.2, so turning it on does not break older sites; the same fallback is what downgrade attacks lean on, which is why the old SSL versions should be switched off rather than kept as a safety net.

You can enable TLS 1.2 support via Group Policy (Administrative Templates –> Windows Components –> Internet Explorer –> Internet Control Panel –> Advanced Page –> “Turn off encryption support”, which despite the name is where you pick the protocols to allow) or directly via Internet Explorer –> Internet Options –> Advanced –> Security.
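Both of those routes write one DWORD bitmask, SecureProtocols, so the setting is easy to audit and to push from a script.  The PowerShell below is an added example (not from the original post); the bit values it decodes are SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048, the per-user value lives under Internet Settings in HKCU, and a value under the Policies hive overrides it and greys out the checkboxes.

```powershell
# Added example: read, decode and set Internet Explorer's SecureProtocols bitmask.
$flags = @{ 'SSL 2.0' = 8; 'SSL 3.0' = 32; 'TLS 1.0' = 128; 'TLS 1.1' = 512; 'TLS 1.2' = 2048 }
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function ConvertFrom-SecureProtocols([int]$Value) {
    $flags.GetEnumerator() | Sort-Object Value | ForEach-Object {
        [pscustomobject]@{ Protocol = $_.Key; Enabled = (($Value -band $_.Value) -ne 0) }
    }
}

function Get-IeSecureProtocols {
    # A policy value wins over the per-user one.
    foreach ($key in $policyKey, $userKey) {
        $v = (Get-ItemProperty $key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $key; Value = $v; Protocols = ConvertFrom-SecureProtocols $v }
        }
    }
    # Nothing set: IE8-era default of SSL 3.0 + TLS 1.0 (0xA0 = 160), the weak configuration.
    [pscustomobject]@{ Source = 'default'; Value = 160; Protocols = ConvertFrom-SecureProtocols 160 }
}

function Set-IeSecureProtocols([string[]]$Enable, [string]$Key = $userKey) {
    $value = 0
    foreach ($name in $Enable) { $value = $value -bor $flags[$name] }
    if (-not (Test-Path $Key)) { New-Item $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name SecureProtocols -Value $value -Type DWord
    return $value
}

$current = Get-IeSecureProtocols
'Current ({0}): 0x{1:X}' -f $current.Source, $current.Value
$current.Protocols | Format-Table -AutoSize

# Hardened: TLS 1.0, 1.1 and 1.2 only, no SSL 2.0 or 3.0 = 0xA80 (2688).
$new = Set-IeSecureProtocols -Enable 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
'Set SecureProtocols to 0x{0:X}; restart Internet Explorer for it to take effect.' -f $new
```

To set it machine-wide instead, pass `-Key $policyKey` (run elevated), which is exactly what the Group Policy setting does; a user can then no longer re-enable SSL 3.0 from the Advanced tab.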

How do I test that Internet Explorer is using TLS 1.2?
Visit:

  1. https://cc.dcsec.uni-hannover.de/
    If the webpage reports under the “Further Information” heading that “This connection uses TLSv1.2 with …”, then you have enabled TLS 1.2.
    or
  2. How’s My SSL?  If, under the Version heading, it says TLS 1.2, then you’re using TLS 1.2.

Does this setting cover other web browsers?
No.  The Internet Options setting only affects Internet Explorer (and programs that use its networking stack).  You’ll need to configure each web browser to support TLS 1.2 separately.  Some have better TLS support than others.

How do I tell whether a website supports TLS 1.2?
Use SSL Configuration Checker to test the website.

What if my web host tells me to disable TLS 1.1 or TLS 1.2?
”Run!”, would be my first thought.  Your web host is telling you that they are not interested in providing a secure website.

References:
Security Advisory 2868725: Recommendation to disable RC4
Microsoft MSDN Blog – Support for SSL/TLS protocols on Windows
Disabling TLS/SSL RC4 in Firefox and Chrome
RC4 in TLS is Broken: Now What?
IE11 Automatically Makes Over 40% of the Web More Secure While Making Sure Sites Continue to Work
SSL Pulse – Survey of the SSL Implementation of the Most Popular Web Sites

* amongst other things.

KB2918614 – Not only does it break MSI Repair.

“What the security bulletin doesn’t say is that the change in Windows Installer repair operations means that application repair attempts will be met with a User Account Control credential window each time. However, the credentials required are administrator access.”
Bug or Feature? KB2918614 Alters Windows Installer Behavior

Should your application install use Active Setup to, say, apply per-user settings, then this MS14-049 security patch causes a UAC prompt there as well, because the per-user step runs an MSI repair under a standard user account.

The current workaround, courtesy of happysccm,  is as follows:

  1. Uninstall the application and reinstall it with the security update installed (the sourcehash file is generated with the security update in place).
  2. Manually copy the sourcehash file to the C:\Windows\Installer folder.  As the sourcehash file is generated from the application files, the sourcehash file generated on computer A can be used on computer B.

Not scalable if, say, you have 500 packaged applications deployed to customers.

Forgeries, Fakes and Forensics

I recently went to a talk by Victoria Police Chief Forensic Scientist Bryan Found PhD, titled “Forgeries, Fakes and Forensics”.

Bryan Found is a very engaging presenter.  Things I found of interest, in no particular order:

  • You can sign your signature with different parts of your body.
    Which is to say the mechanical motions to write your signature can be used by your foot, or your bum.
  • In one security role I held, the mantra was “burn the paper, and then stir the ashes”,
    because burnt paper can be coated to stop it disintegrating, after which the burnt writing can still be read.
  • All photocopiers now print a digital watermark, which can be used to identify the photocopier, and the time and date of printing.
    Printer manufacturers will extend this to all printers over time.
  • Think using a black marker to redact lines in your diary will make the original text unreadable?  Think again…
  • The devices used to reassemble shredded paper files are called “graduate trainees”. 🙂

How to determine why a user has failed to logon

By looking in the Security event log for Event ID 529 (Logon Failure: Unknown user name or bad password).  That is the Windows XP / Server 2003 event; Windows Vista and later record failed logons as Event ID 4625 instead, with the same logon type values.

(Screenshot: Event ID 529 entry in the Security event log)

In the above example, the user tried to log on to the computer while it was disconnected from the network.  You can tell this from the Logon Type of 11 (CachedInteractive): the password typed did not match the cached domain credential.

Other logon type values are as follows:

Logon Type  Description
2           Interactive (logon at the keyboard and screen of the system).  Windows 2000 records Terminal Services logons as this type rather than type 10.
3           Network (e.g. a connection to a shared folder on this computer from elsewhere on the network, or an IIS logon).  Never logged by 528 on Windows 2000 and later; see event 540.
4           Batch (e.g. a scheduled task)
5           Service (service startup)
6           Proxy
7           Unlock (e.g. an unattended workstation with a password-protected screen saver)
8           NetworkCleartext (logon with credentials sent in clear text; most often an IIS logon with basic authentication)
9           NewCredentials
10          RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11          CachedInteractive (logon with cached domain credentials, such as logging on to a laptop when away from the network)

Reference: Auditing User Authentication
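For the Vista-and-later equivalent, the following PowerShell is an added example (not from the original post).  It pulls the recent Event ID 4625 entries, which carry the same logon type values as the 529 events above, and decodes both the logon type and the NTSTATUS sub-status that states why the logon failed; the table of sub-status codes is the standard set Windows writes into 4625, and the logon type table is the one listed above.  It reads the named EventData fields from the event XML rather than trusting positional indexes.

```powershell
# Added example: list recent failed logons (4625) with logon type and failure reason decoded.
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# The Status field alone (0xC000006D) only says "logon failed"; SubStatus carries the real reason.
$subStatus = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000193' = 'Account expired'
    '0xc000015b' = 'Logon type not granted to this account'
    '0xc0000133' = 'Clock skew too large (Kerberos)'
}

function Get-FailedLogon {
    param([int]$MaxEvents = 50)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Map every <Data Name="..."> element to its value.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        $type = [int]$data['LogonType']
        $sub  = ([string]$data['SubStatus']).ToLower()
        $reason = if ($subStatus.ContainsKey($sub)) { $subStatus[$sub] } else { "Unknown sub-status $sub" }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = '{0} ({1})' -f $type, $logonTypes[$type]
            Reason      = $reason
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

Get-FailedLogon | Format-Table -AutoSize
```

Reading the Security log needs an elevated prompt (or membership of Event Log Readers).  A run of type 11 failures with “Wrong password” from a laptop that is off the network is the case in this post; a burst of type 3 failures with “User name does not exist” from one source IP is something else entirely and worth a closer look.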