31 January 2012

Install a corporate PKI Root CA on iOS

Corporations often have their own internal PKI infrastructure, which is commonly used to issue SSL certificates for non-production systems.  Testing these with non-domain devices may result in warnings about the certificates not being issued by a trusted Root CA.  In my case I was testing a Citrix XenApp deployment and the connection was rejected because of the untrusted CA.

Exporting the Root CA
Since the corporate PKI distributes the Root CA certificate via Group Policy, the certificate is most probably present on any domain-joined machine.


  • Start the MMC
  • Add the Certificates snap-in
  • Expand Trusted Root Certification Authorities
  • Select Certificates
  • Locate and select the corporate Root CA certificate
  • Right-click - All Tasks - Export
  • Accept the defaults
  • Save the file
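The same export can be scripted, and the script also prints the certificate thumbprint so it can be compared with the value the PKI team publishes before the root is trusted on the device.  This is an added example, not part of the original post; the subject name "Contoso Corporate Root CA" is a placeholder, and the script assumes PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example (not from the original post): export the corporate Root CA from the
# local machine's Trusted Root store as a DER .cer file and print its thumbprint.
# "Contoso Corporate Root CA" is a placeholder; use your own CA's subject name.
$subjectPattern = 'Contoso Corporate Root CA'
$outFile        = Join-Path $env:USERPROFILE 'Desktop\CorporateRootCA.cer'

# Only self-signed certificates are real roots: Subject equals Issuer.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$subjectPattern*" -and $_.Subject -eq $_.Issuer })

if ($roots.Count -ne 1) {
    throw "Expected exactly one matching root CA, found $($roots.Count). Refine the subject pattern."
}
$root = $roots[0]

# DER-encoded .cer is what iOS expects when the attachment is opened from Mail.
# Export-Certificate exists on Windows 8 / Server 2012 and later; older systems
# fall back to the .NET Export() method, which produces the same bytes.
if (Get-Command Export-Certificate -ErrorAction SilentlyContinue) {
    Export-Certificate -Cert $root -FilePath $outFile -Type CERT | Out-Null
} else {
    $der = $root.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [IO.File]::WriteAllBytes($outFile, $der)
}

# Details to verify against the profile shown on the device (Settings > General > Profiles)
# before tapping Install: a root CA that does not match should never be trusted.
[PSCustomObject]@{
    Subject    = $root.Subject
    NotAfter   = $root.NotAfter
    Thumbprint = $root.Thumbprint   # SHA-1 thumbprint, compare with the fingerprint iOS displays
    File       = $outFile
}
```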



Import the Root CA Certificate
This file now needs to be transferred to the iOS device.
I simply mailed it to myself.
Opening the file will trigger the certificate installation process.


  • Select Install
  • Select Install
  • Select Install Now
  • Enter your passcode (the same one you use to unlock your phone)

The certificate will be added and will now be trusted.

To see what other certificates or profiles have been installed on the device:
  • Select Settings
  • General
  • Profile(s)


Testing
After the cert had been installed I retried my Citrix connection and this time it succeeded without a problem.

The original error was:
Connection Error
You have not chosen to trust "xxxxxxx", the issuer of the server's security certificate.  Error Number: 183





24 January 2012

Control Removable Storage Access for Improved Security

Personal drives are an increasing problem for corporate networks.  These drives are not only a major source of malware but also represent a data leakage problem.

For years I have looked at malware infection attempts against corporate machines.  One thing that always shows up right at the top of the list is removable storage.  High capacity, high speed, highly portable drives are everywhere and they go everywhere.  People also shove them in everywhere, and they catch just about everything out there.

With Windows Vista, and even more so with Windows 7, there are Group Policy settings that let administrators grant or deny the desired access levels for removable media.

What you can Set
There are three permission options

  • Deny execute access
  • Deny read access
  • Deny write access

These apply over the following Removable Media Types

  • CD & DVD
  • Floppy Drives
  • Removable Disks
  • Tape Drives
  • Custom Classes 
  • WPD Devices ( media players, cell phones, CE devices)

There are also a few other settings here:

  • All Removable Storage classes : Deny all access  -- The good old fashioned kill switch
  • All removable Storage:  Allow direct access in remote sessions -- This relates to Remote Desktop sessions
  • Time (in seconds) to force reboot -- I found that forcing a gpupdate worked fine in Windows 7

The number of settings now available in the policies makes it possible to go beyond a simple on or off option and apply the granular control that is actually required.

What the user will see
Here is a scenario where read and write access to a USB drive is allowed but execute is denied.


The drive shows up normally and we can read and write files to it all we want.  However, if you try to run an executable from the drive you will get the following error.



Here is a scenario where read, write and execute have all been denied.


The drive hardware is installed but no I/O to the disk is allowed.  Any attempt to access the disk returns this error.


How to setup the policy
Open MMC and add the Local Computer Policy snap-in.
Expand the tree to:
\Computer Configuration\Administrative Templates\System\Removable Storage Access\


Selectively choose which options to enable.
Using the principle of the minimum required, you would normally only deny execute, but allow read and write.
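Once the policy has applied, the effective state is easiest to check from the registry values Group Policy writes.  The following audit script is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the class GUIDs and Deny_* value names are quoted from memory of the RemovableStorageDevices ADMX, so verify them against RemovableStorage.admx on your own system.

```powershell
# Added example (not from the original post): report which Removable Storage Access
# denials are currently in force on this machine, per device class.
# The registry path, class GUIDs and Deny_Read/Deny_Write/Deny_Execute names are
# assumptions from the RemovableStorageDevices ADMX; verify against your ADMX copy.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$classes = [ordered]@{
    'CD and DVD'       = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Floppy Drives'    = '{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable Disks'  = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'Tape Drives'      = '{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'
    'WPD Devices (a)'  = '{6AC27878-A6FA-4155-BA85-F98F491D4F33}'
    'WPD Devices (b)'  = '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
}

function Get-DenyFlag {
    param([string]$Key, [string]$Name)
    # A missing key or value means "Not Configured", which allows that access type.
    $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.$Name -eq 1) { return 'DENY' }
    return 'allow'
}

if (-not (Test-Path $policyRoot)) {
    Write-Output 'Removable Storage Access policy: not configured (policy key absent).'
    return
}

# "All Removable Storage classes: Deny all access" is a single value on the root key
# and overrides every per-class setting below.
$denyAll = (Get-ItemProperty -Path $policyRoot -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
if ($denyAll -eq 1) {
    Write-Warning 'Deny_All is set: all removable storage is blocked regardless of the per-class flags.'
}

foreach ($entry in $classes.GetEnumerator()) {
    $key = Join-Path $policyRoot $entry.Value
    [PSCustomObject]@{
        Class   = $entry.Key
        Read    = Get-DenyFlag $key 'Deny_Read'
        Write   = Get-DenyFlag $key 'Deny_Write'
        Execute = Get-DenyFlag $key 'Deny_Execute'   # the recommended minimum: DENY here only
    }
}
```

Run it after gpupdate on a test machine: the "Removable Disks" row should show Execute as DENY and Read and Write as allow for the recommended configuration.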

Conclusion
For years it has been considered essential to disable AutoRun for removable media.  With Windows 7 you can extend that to any executable content on removable media.  Unless you are a person routinely installing software from USB drives, or a malicious bit of code, you will most likely never miss the ability to execute files directly from the USB drive.

Enforcing the control at the operating system level ensures you target all the current removable storage classes.  This is a far better approach than the old-school thinking of "disable all the USB ports..."


For more reading on this check out http://msdn.microsoft.com/en-us/library/bb530324.aspx

20 January 2012

iOS RDS client with RDGW support - iTap RDS review

There are loads of Remote Desktop Services (RDS) RDP clients for almost any client device.  However, I have only found one that officially supports the Remote Desktop Gateway (RDGW).

Quick Explanation
RDP clients connect to the RDS server on the native port 3389.  If, however, you want to securely publish your RDS server on the internet you would use the RDGW.  This allows your client to connect over the internet on SSL port 443.  You only need to expose a single RDGW to enable connectivity to any internal RDS server allowed by the RD-CAP and RD-RAP policies.


iTap Mobile offers clients for the iOS, Mac and Android platforms that support RDGW:
http://itap-mobile.com/itap-rdp

Installation
Search the app store for iTap
Purchase the "iTap Mobile RDP" application for $12 US

Pre configuration
Before you can connect via the RDGW you need to define it as an option.

  • Under Global Settings
  • Select Settings
  • Select Gateways
  • Add new Gateway
  • Specify a label as a friendly name
  • For Host: Specify the TSGW public FQDN (you would need to get this from the RDS admin)
  • Port would almost always be 443
  • Credentials allows you to save a credential set.


This is handy as it allows you to re-use the set without having to retype everything.  (They do offer some protection in the form of a PIN.)

Configure Server connection
They call it bookmarks, so add a manual bookmark:

  • Specify a label as a friendly name
  • Specify the server's hostname (this does not have to be the FQDN or a public name).  This name will be used by the RDGW to create the secondary connection.
  • Port can be left as the default
  • Select the relevant System Proxy setting
  • Select the gateway you configured earlier
  • You can now also select your credential saved earlier

Under the settings section you can choose Screen and specify basic settings such as resolution and colour depth.  Going to the advanced section allows you to specify a wide range of optimisation options.

There is a connectivity test on this screen too.  It will indicate whether the RDS or RDGW is reachable.

Connecting
Once you have saved the bookmark you can select it from the main screen.
It will connect to the gateway and tunnel through SSL on port 443 to the RDS server.

Once connected, the experience is very pleasant.  I actually prefer the interaction here to the Citrix Receiver's.



According to the App Store info sheet the following is also supported:

  • RemoteFX!
  • NLA Network Level Authentication
  • Native Resolution Support on iPhone4S and iPad
  • Copy and Paste of Text
  • Support external video connectors
  • 60% less bandwidth than any other RDP client on iPhone (hmmmmm)

There are a few more too.

Interesting for me is the planned future support for RemoteApp and Printing

Conclusion
The ability for iOS and other platforms to use the RDGW allows you to break away from needing a Citrix deployment.  You also benefit from being able to specify the RD-CAP and RD-RAP policies per user or group.  The only other developer I could find offering anything like this is Wyse with its Wyse PocketCloud app for $15.  It states, however, that RDGW support is experimental.

If, however, you give up on security and allow your clients to VPN into your organisation or connect directly with their devices, there are loads of RDP clients to choose from.





16 January 2012

Scheduled Tasks fails to start with Event ID 101

A task might fail to start.  Checking the task's history you may find an error with the following details:

Log Name: Microsoft-Windows-TaskScheduler/Operational
Event ID: 101
Task Category: Task Failed to start.
Source: Task Scheduler
OpCode: Launch Failure


A common cause for this is a setting on the General tab of the task.

Even if an alternative user is selected to execute the task, you need to select the "Run whether user is logged on or not" radio button.



For more event IDs check http://technet.microsoft.com/en-us/library/dd363625(WS.10).aspx
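Rather than opening each task's History tab, the same Event ID 101 entries can be pulled from the Operational log for every task at once.  This is an added example, not part of the original post; it assumes PowerShell 3.0 or later and that the event's data fields are named TaskName, UserContext and ResultCode, which is how they appear in the event XML on the systems I have seen.

```powershell
# Added example (not from the original post): list Task Scheduler launch failures
# (Event ID 101) from the last 7 days with the task name, the account the task runs
# as, and the result code. Field names TaskName/UserContext/ResultCode are assumed
# from the event XML; if they differ, dump $xml.Event.EventData.Data to see them.
$filter = @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    Id        = 101
    StartTime = (Get-Date).AddDays(-7)
}

function Get-TaskLaunchFailures {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the structured EventData instead of parsing the localized message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [PSCustomObject]@{
            Time       = $_.TimeCreated
            Task       = $data['TaskName']
            RunAs      = $data['UserContext']
            # ResultCode is logged as an unsigned decimal; show it as the familiar HRESULT hex.
            ResultCode = ('0x{0:X8}' -f [int64]$data['ResultCode'])
        }
    }
}

# Group by task so a repeatedly failing task stands out; the RunAs column shows which
# account to check for the "Run whether user is logged on or not" and batch-logon settings.
Get-TaskLaunchFailures | Sort-Object Time -Descending |
    Format-Table Time, Task, RunAs, ResultCode -AutoSize
```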


13 January 2012

Scheduled tasks: Log on as batch job right fixes

When configuring a scheduled task you might run into a problem where the specified user generates the following error:

This task requires that the user account specified has Log on as batch job rights.


This issue occurs when the specified user account does not have sufficient rights to start scheduled tasks.  By default, users in the following groups have this right:
  • Administrators
  • Backup Operators
  • Performance Log Users

Fix number one is to add the user account into one of these local groups.

Fix number two involves Group Policy.

The groups and users that have these rights are governed by group policy and the Log on as Batch job setting.


This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.
For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

The setting can be found under: Local computer Policy\Computer Configuration\Windows Security\Security Settings\Local Policies\User Rights Assignments\Log on as Batch job



You can add users or groups to this setting.

Once the change is made you need to force the policy update or wait for it to apply at the next scheduled refresh.

To force it, run gpupdate.exe /force
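To confirm who actually holds the right after the policy has applied (and to check whether fix one or fix two is the right choice), the effective local security policy can be exported with secedit and the SIDs resolved to names.  This is an added example, not part of the original post; it needs an elevated prompt because secedit requires administrator rights.

```powershell
# Added example (not from the original post): show which accounts and groups hold
# SeBatchLogonRight ("Log on as a batch job") on this machine.
# Run elevated: secedit.exe /export needs administrator rights.
function Get-BatchLogonRightHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # USER_RIGHTS exports only the [Privilege Rights] section we need.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue

    if (-not $line) { return @() }   # nobody holds the right at all

    # Format is: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; translate them to account names.
            $sid = New-Object Security.Principal.SecurityIdentifier($e.Substring(1))
            try   { $sid.Translate([Security.Principal.NTAccount]).Value }
            catch { "<unresolved SID $($sid.Value)>" }   # e.g. deleted account or unreachable domain
        } else {
            $e   # already a name
        }
    }
}

# Compare the output against the account the failing task is configured to run as.
Get-BatchLogonRightHolders
```

On a default Windows 7 install the result is the three groups listed above: Administrators, Backup Operators and Performance Log Users.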

TMG configuration backup automation - Part II

In Part I http://fixmyitsystem.com/2012/01/tmg-configuration-backup-automation.html I went through the process of getting your TMG arrays and Enterprise configuration exported with scripts.

In Part II I will cover how to do all of it in a single script.

I am going to start off with a script from http://social.technet.microsoft.com/Forums/en-CA/Forefrontedgegeneral/thread/4e6a148e-8c69-4023-a282-15dcfede3900 posted by Jason Jones, and then customize it.

This script will export the EMS enterprise configuration as well as three arrays.  You will need to change the script to reflect your environment.  Only change the values between the quotation marks in the first section; leave all quotation marks in place.

'  TMG Enterprise and Array Configuration Backup Script
'
'  Original  http://social.technet.microsoft.com/Forums/en-CA/Forefrontedgegeneral/thread/4e6a148e-8c69-4023-a282-15dcfede3900
'
'  Changed by Etienne Liebetrau  - http://fixmyitsystem.com 
'  
' -------------------------------------------------------------
'
' Specify the array friendly names exactly as listed in the TMG console

 ArrayName1 = "First array name as listed in console"
 ArrayName2 = "Second array name as listed in console"
 ArrayName3 = "Third array name as listed in console"

'Export strings

 password = "mypassword"
 comment = """Scripted Backup"""

'Backup location can be local or network location
 BackupLocation = "\\networkname\Share\"

'--------------- No changes required beyond this line ------------
Dim root 
Dim isaEnterprise
Dim isaArray1
Dim isaArray2
Dim isaArray3

localdate = FormatDateTime(date(), 1) 'Displays according to the system long date format
Datestring = " " & localdate

Set root = CreateObject("FPC.Root")

Set isaEnterprise = root.Enterprise
Set isaArray1 = root.Arrays.Item(ArrayName1)
Set isaArray2 = root.Arrays.Item(ArrayName2)
Set isaArray3 = root.Arrays.Item(ArrayName3)

Wscript.echo "Saving Configurations to " & BackupLocation & "...."

wscript.echo "Exporting - Enterprise Configuration"
 isaEnterprise.ExportToFile BackupLocation & "Enterprise Config" & Datestring & ".xml", 15, password, comment 
wscript.echo "Exporting - " & ArrayName1
 isaArray1.ExportToFile BackupLocation & ArrayName1 & Datestring &".xml", 15, password, comment 
wscript.echo "Exporting - " & ArrayName2
 isaArray2.ExportToFile BackupLocation & ArrayName2 & Datestring &".xml", 15, password, comment 
wscript.echo "Exporting - " & ArrayName3
 isaArray3.ExportToFile BackupLocation & ArrayName3 & Datestring &".xml", 15, password, comment 
Wscript.echo "Exporting Completed"




The script is fairly simple, so adding or removing arrays is not too complicated.

The script will output 4 files: one for the enterprise configuration and three for the arrays.  To restore an export you would right-click at the relevant enterprise or array level and select Import (Restore).


You might also want to purge files older than a certain age to ensure you don't keep unnecessary files.  There is a script and instruction on http://fixmyitsystem.com/2011/05/automatically-purge-old-files-and.html


 ** Update **


Thanks to Richard Hicks I have made some changes to the script.  It will now back up the enterprise configuration and automatically retrieve the names of, and export the configuration of, every array in the enterprise.



'  TMG Enterprise and Array Configuration Backup Script
'
'  Etienne Liebetrau  - http://fixmyitsystem.com
' -------------------------------------------------------------
'
'Export strings

 password = "mypassword"
 comment = """Scripted Backup"""

'Backup location can be local or network location.  Keep the trailing
'backslash: it is concatenated directly with the file name below.
 BackupLocation = "\\networkname\share\"

'--------------- No changes required beyond this line ------------
Dim root
Dim isaEnterprise
Dim isaArray   ' "Array" is a built-in VBScript function, so do not use it as a variable name

localdate = FormatDateTime(date(), 1) 'Displays according to the system long date format
Datestring = " " & localdate

Set root = CreateObject("FPC.Root")
Set isaEnterprise = root.Enterprise

'Backing up the Enterprise configuration (15 = all optional data, see Part I)
Wscript.echo "Saving Configurations to " & BackupLocation & "...."
wscript.echo "Exporting - Enterprise Configuration"

isaEnterprise.ExportToFile BackupLocation & "Enterprise Config" & Datestring & ".xml", 15, password, comment

'Backing up every array in the enterprise, using each array's Name for the file name
For Each isaArray in root.Arrays
    wscript.echo "Exporting - " & isaArray.Name
    isaArray.ExportToFile BackupLocation & isaArray.Name & Datestring & ".xml", 15, password, comment
Next

Wscript.echo "Exporting Completed"



Thanks everyone for all the help!

11 January 2012

TMG configuration backup automation - Part I

Having backups of your configuration is essential.  The configuration is kept in various places depending on the deployment size.  Regardless of the built-in redundant configuration stores, you still need to keep backups.  You either need to back up manually on a regular basis or automate the backup process with a script.


The following script allows you to back up and import the array-level configuration.  I use it for backing up the array-level configuration, but my personal preference would be to use the GUI for doing the import and restore.



'  TMG Array Configuration Backup Script
'
'  Original from http://msdn.microsoft.com/en-us/library/dd435786.aspx
'
'  Changed by Etienne Liebetrau  - http://fixmyitsystem.com to append the date
'  to the export file name
'
' Usage cscript exportimport.vbs e backup
 

Sub ImportExport()
    ' Define a constant to indicate that no optional 
    ' data will be exported or imported.
    Const noOptionalData = 0
    If WScript.Arguments.Count <> 2 Then
        WScript.Echo "Error: Invalid number of parameters." & vbCrLf & _
                     "Syntax:" & vbCrLf & _
                     "ImportExport {e | i} filename"
        Exit Sub
    End If
    'Declare the objects needed
    Dim root      ' The FPCLib.FPC root object
    Dim isaArray  ' An FPCArray object
    localDate = FormatDateTime(date(), 1)
    
    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' Get a reference to the array object. 
    Set isaArray = root.GetContainingArray()
    If WScript.Arguments(0) = "e" Then
       WScript.Echo "Exporting the configuration of the " & _
                     isaArray.Name & " array object to " & _
                     WScript.Arguments(1) & " " & localdate & ".xml" & " ..."
      ' Export the array configuration to the XML document.
      ' Notice that values are not specified for the 
      ' optional parameters.
      isaArray.ExportToFile WScript.Arguments(1) & " " & localdate & ".xml",noOptionalData
      WScript.Echo "Exporting was completed successfully."
      WScript.Quit
    End If
    If WScript.Arguments(0) = "i" Then
      WScript.Echo "Importing the configuration from " & _
                    WScript.Arguments(1) & " to the " & _
                    isaArray.Name & " array object ..."
      ' Import the array configuration from the XML 
      ' file specified. Notice that values are not 
      ' specified for some of the optional parameters.
      isaArray.ImportFromFile WScript.Arguments(1),noOptionalData,,,True
      WScript.Echo "Importing was completed successfully."
    End If
End Sub
ImportExport



This script is originally from http://msdn.microsoft.com/en-us/library/dd435786.aspx

One thing to note: the export is done with the noOptionalData flag set.  This means that when doing the import you cannot select the option to "Import server-specific information".



If you do you will get the following error:
Import failed
Error: 0xc0040341



An XML DOM document object that was exported without the fpcExportImportServerSpecific flag set cannot be imported with the fpcExportImportServerSpecific flag set.


The error occurred on object 'GUEST' of class 'Array' in the scope of array 'GUEST'.

Given that the scripted backup is not as complete as a manual backup I would still recommend doing those periodically.  Think of the manual export as a full backup and the  scripted backup as an incremental backup.

** Update **

I have also FINALLY managed to figure out how to export the additional "check boxes" that are available in the GUI.



Export confidential information corresponds to the value 0x1 of the FpcExportImportOptionalData flags.
Export user permission settings corresponds to the value 0x2.

The fpcExportImportServerSpecific flag mentioned above has the value 0x4.

Here is the list from http://msdn.microsoft.com/en-us/site/aa490382


fpcExportImportPasswords (0x00000001)
The optional data includes encrypted secret data, such as passwords or shared secrets that are used to create digital signatures for authenticating to RADIUS servers.
fpcExportImportUserPermissions  (0x00000002)
The optional data includes the security roles assigned to delegated administrators. The delegated administrators are identified by the security identifiers (SIDs) of their user accounts, which are included in this optional data. These SIDs, which are relevant to the workgroup or domain of the exporting computer, are not necessarily relevant to that of the importing computer.
fpcExportImportServerSpecific  (0x00000004)
The optional data includes server-specific information, which consists of cache drive settings and SSL certificates.


When exporting with the following line from the script you have some options:


isaArray.ExportToFile WScript.Arguments(1) & " " & localdate & ".xml",noOptionalData


You can remove noOptionalData and replace it with the individual flag values added together:


isaArray.ExportToFile WScript.Arguments(1) & " " & localdate & ".xml",2+4


If you include fpcExportImportPasswords you also need to specify a password:


isaArray.ExportToFile WScript.Arguments(1) & " " & localdate & ".xml",1+2+4, "mypassword"


Or you can add them up:


isaArray.ExportToFile WScript.Arguments(1) & " " & localdate & ".xml",7, "mypassword"




So the updated script that exports all the check boxes and specifies the password would be:


'  TMG Array Configuration Backup Script
'
'  Original from http://msdn.microsoft.com/en-us/library/dd435786.aspx
'
'  Changed by Etienne Liebetrau  - http://fixmyitsystem.com to append the date
'  to the export file name and export all the configuration for an Array
'
' Usage cscript exportimport.vbs e backup


Sub ImportExport()
    ' Export all optional data: passwords (1) + user permissions (2) +
    ' server-specific information (4) = 7.  Because passwords are
    ' included, an export password must be supplied.
    Const allArrayData = 7
    Const exportPassword = "mypassword"
    If WScript.Arguments.Count <> 2 Then
        WScript.Echo "Error: Invalid number of parameters." & vbCrLf & _
                     "Syntax:" & vbCrLf & _
                     "ImportExport e filename"
        Exit Sub
    End If
    'Declare the objects needed
    Dim root      ' The FPCLib.FPC root object
    Dim isaArray  ' An FPCArray object
    Dim localDate
    localDate = FormatDateTime(date(), 1)

    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' Get a reference to the array object.
    Set isaArray = root.GetContainingArray()
    If WScript.Arguments(0) = "e" Then
        WScript.Echo "Exporting the configuration of the " & _
                     isaArray.Name & " array object to " & _
                     WScript.Arguments(1) & " " & localDate & ".xml" & " ..."
        ' Export the array configuration, including all optional data,
        ' to the XML document.
        isaArray.ExportToFile WScript.Arguments(1) & " " & localDate & ".xml", _
                              allArrayData, exportPassword
        WScript.Echo "Exporting was completed successfully."
        WScript.Quit
    End If
End Sub
ImportExport

The resultant XML file is nearly identical to the full GUI export, but they do not match 100%.  As an example, my lab test machine exports are the following:

Exporting with the GUI = 16 218 619 bytes
Export with the script above = 16 174 434 bytes

So I would still use a full GUI export as the full backup and treat the scripted ones as the last incremental.

Some additional info
If you check the exported XML file from the GUI you will see the following line:

   <fpc4:OptionalData dt:dt="int">15</fpc4:OptionalData>

This is of course different from the value of 7 the script uses.  The reason is that there is an additional option:


fpcExportImportEnterpriseSpecific (0x00000008)
The optional data includes information that is specific to ISA Server Enterprise Edition (available only in ISA Server Enterprise Edition).

If you add up the hex values you get 0xF, which is 15 in decimal.
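The flag arithmetic above is easy to get wrong when reading an export back, so here is an added PowerShell helper (not from the original post) that decodes an FpcExportImportOptionalData value into the flag names listed above, and reads the OptionalData element out of an existing export file to show what that backup actually contains.  It assumes PowerShell 3.0 or later; the sample file path is a placeholder.

```powershell
# Added example (not from the original post): decode the FpcExportImportOptionalData
# bitmask and inspect the <fpc4:OptionalData> value of an exported TMG XML file.
# Flag values are the ones documented on the MSDN page referenced above.
$flagNames = [ordered]@{
    1 = 'fpcExportImportPasswords'           # 0x1 secrets; ExportToFile then needs a password
    2 = 'fpcExportImportUserPermissions'     # 0x2 delegated administrator SIDs
    4 = 'fpcExportImportServerSpecific'      # 0x4 cache drives and SSL certificates
    8 = 'fpcExportImportEnterpriseSpecific'  # 0x8 Enterprise Edition only
}

function Get-TmgOptionalDataFlags {
    param([int]$Value)
    $set = foreach ($k in $flagNames.Keys) { if ($Value -band $k) { $flagNames[$k] } }
    $unknown = $Value -band -bnot 0xF        # bits outside the documented range
    [PSCustomObject]@{
        Value         = $Value
        Hex           = '0x{0:X}' -f $Value
        Flags         = @($set)
        NeedsPassword = [bool]($Value -band 1)
        UnknownBits   = $unknown
    }
}

function Get-TmgExportOptionalData {
    param([string]$Path)
    # The export carries the mask in <fpc4:OptionalData>; matching on local-name()
    # avoids depending on the fpc4 prefix or its namespace URI.
    $xml = New-Object Xml.XmlDocument
    $xml.Load($Path)
    $node = $xml.SelectSingleNode("//*[local-name()='OptionalData']")
    if ($null -eq $node) { throw "No OptionalData element found in $Path" }
    Get-TmgOptionalDataFlags -Value ([int]$node.InnerText)
}

# 7 is what the array script exports; 15 is what the GUI (and the enterprise export) write.
# The only difference is fpcExportImportEnterpriseSpecific.
Get-TmgOptionalDataFlags 7
Get-TmgOptionalDataFlags 15

# Placeholder path; point it at one of your own exports to check it before a restore:
# Get-TmgExportOptionalData 'C:\Backups\Enterprise Config 24 January 2012.xml'
```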

You can export the enterprise configuration as follows


'  TMG Enterprise (EMS) Configuration Backup Script
'
'  Original from http://msdn.microsoft.com/en-us/library/dd435786.aspx
'
'  Changed by Etienne Liebetrau  - http://fixmyitsystem.com to append the date
'  to the export file name and export all the configuration for EMS only
'
' Usage cscript exportimport.vbs e backup


Sub ImportExport()
    ' Export all optional data: passwords (1) + user permissions (2) +
    ' server-specific (4) + enterprise-specific (8) = 15, the same value
    ' the GUI writes.  Because passwords are included, a password is required.
    Const allEnterpriseData = 15
    Const exportPassword = "mypassword"
    If WScript.Arguments.Count <> 2 Then
        WScript.Echo "Error: Invalid number of parameters." & vbCrLf & _
                     "Syntax:" & vbCrLf & _
                     "ImportExport e filename"
        Exit Sub
    End If
    'Declare the objects needed
    Dim root           ' The FPCLib.FPC root object
    Dim isaEnterprise  ' The FPCEnterprise object
    Dim localDate
    localDate = FormatDateTime(date(), 1)

    ' Create the root object.
    Set root = CreateObject("FPC.Root")
    ' Get a reference to the Enterprise object.
    Set isaEnterprise = root.Enterprise
    If WScript.Arguments(0) = "e" Then
        WScript.Echo "Exporting the configuration of the Enterprise object to " & _
                     WScript.Arguments(1) & " " & localDate & ".xml" & " ..."
        ' Export the enterprise configuration, including all optional data,
        ' to the XML document.
        isaEnterprise.ExportToFile WScript.Arguments(1) & " " & localDate & ".xml", _
                                   allEnterpriseData, exportPassword
        WScript.Echo "Exporting was completed successfully."
        WScript.Quit
    End If
End Sub
ImportExport


This will export a fairly small file.  You would also need to export each array's config.


Check out Part 2 http://fixmyitsystem.com/2012/01/tmg-configuration-backup-automation_13.html on how to do this for multiple arrays with a single script.



10 January 2012

BlackBerry free Sat Nav

Telmap makes a "Turn by Turn" GPS navigation application for the BlackBerry.  It turns your BlackBerry into a Garmin or TomTom type navigation device with voice prompts to guide you.  It is hugely more useful than the native Maps application.  This application is distributed for free by Vodafone.  It does, however, appear to work on any network since BIS is used for the data transfer.

The app is, however, only supported on the following devices:



  • BlackBerry® Pearl 8110
  • BlackBerry® Curve™ 8310 smartphone
  • BlackBerry® 8800
  • BlackBerry® BOLD 9000
  • BlackBerry® Storm™ 9500
  • BlackBerry® Curve™ 8900
  • BlackBerry Bold 9700
  • BlackBerry Storm2 9520
  • BlackBerry Torch 9800
  • BlackBerry Curve 9300
  • BlackBerry Pearl 9105


The installation is pretty straightforward.  Open the browser and go to



If your device is supported you will get an option to download.
Start the download and you will be prompted again:
  • Select Download
  • Wait for the application to install
  • You will be prompted for Application Permissions - Select Yes
  • Scroll down and Save
  • Select Run 

The application should now start up

Warning - For the Blackberry to find itself for the first time seems to take a really long time...


I know for a fact this works in South Africa.  It would be nice if someone can confirm if this works internationally.