Saturday, 18 February 2017

Uninstalling Adobe Flash Player using Group Policy - Part 1

"Flash is a spaghetti-ball piece of technology  
that has lousy performance and really bad security problems."

Part 1 is about disabling Flash Player in Microsoft Edge using Group Policy.

What version of Flash player are your users running?


As I am writing this blog post, administrators once again find themselves in a situation that has existed since the introduction of Windows 8:
  1. Microsoft insists on integrating Adobe Flash Player into the Windows operating system, so the Flash plug-in used by Edge and Internet Explorer is updated through Windows Update rather than by Adobe's own installer.
  2. At the same time, security patches that Adobe has already released for Flash Player are occasionally withheld from Windows users.
Right now Microsoft seems to have called off the February 2017 patch day altogether, and Windows users are stuck with an unpatched Flash Player.


In Microsoft Edge 38.14393.0.0 (Windows 10 build 14393.693) the built-in Flash Player reports version 24,0,0,194 (Adobe's notation for 24.0.0.194), while Adobe's current release is 24.0.0.221.

Check your Flash Player version here: http://www.adobe.com/software/flash/about/


Disabling Flash Player in Microsoft Edge using Group Policy


Create a new GPO and link it to the OU that contains your Windows 10 users.

Navigate to User Configuration \ Preferences \ Windows Settings \ Registry \

Right click on Registry. Choose New \ Registry Items

Configure the Properties:

Action: Update
Hive: HKEY_CURRENT_USER
Key Path:
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons

The full path is
"HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons"

The Addons key may not exist yet; it is created when the GPO is applied.

Value Name: FlashPlayerEnabled
Value Type: REG_DWORD
Value Data: 0 (shown as 00000000 in the editor)


Review the Group Policy:


Log on to the computer and check the Edge Settings:


Be aware that the user can re-enable Flash at any time in the Edge settings. The preference item is re-applied at every logon and, unless "Apply once and do not reapply" is ticked on the item, at every background Group Policy refresh as well, so the setting is only enforced until the user flips it again.

This solution is therefore not yet perfect, but only part one of a bigger solution.

In the second part, I will show how to disable Flash in Internet Explorer.



Sunday, 5 February 2017

Perfect SSL Labs Score in 2017


"Even Paranoids Have Real Enemies"



I have written this guide to show you how to achieve an A+ at Qualys' SSL Labs SSL Server Test, including full scores in all subcategories, in 2017.

I'll start with an installation of openSUSE Leap 42.1 on which all updates have been applied: Apache 2.4.16 and OpenSSL 1.0.1i-fips. The versions matter, because outdated releases do not support the features used in this guide.

As I need OpenSSL 1.0.2 (the SSLOpenSSLConfCmd directive used below to restrict the ECDHE curves requires it), I decided to upgrade to openSUSE Leap 42.2 (Apache/2.4.23, OpenSSL 1.0.2j):

dev:~ # cat /etc/os-release  | grep PRETTY
PRETTY_NAME="openSUSE Leap 42.2"
dev:~ # apachectl -v
Server version: Apache/2.4.23 (Linux/SUSE)
Server built:   2017-01-19 09:35:11.000000000 +0000
dev:~ # openssl version
OpenSSL 1.0.2j-fips  26 Sep 2016
dev:~ #





Establish a baseline



There is room for improvement. In openSUSE's defense, it probably does not ship with this configuration out of the box; this server has most likely been tampered with, with no regard for HTTPS security.

I will not edit the vhosts but instead the ssl-global.conf file.

Certificate


When you generate the CSR and obtain your certificate make sure it meets these standards:

Requirements for your server certificate

  • The key size is at least RSA 4096 bits or equivalent; an EC (elliptic curve) key of 384 bits also works nicely.
  • The signature algorithm is SHA256withRSA.
  • Keep the private key and the CSR you used to request the certificate; for the HPKP backup pin below you will also need a second key pair that is not yet used in any certificate.
  • It is trusted, i.e. not self-signed.
  • It is not expired, has not been revoked etc. :)

Requirements for the intermediate certificate

  • Same as above, except that the key size may be as small as 2048 bits or equivalent.
  • Obtain a copy of the intermediate certificate and store it locally on your web server, because you will later configure Apache to send the intermediate certificate to the client along with the server certificate.
  • If the intermediate certificate is signed with SHA-1, have your server certificate re-issued from a fully SHA256withRSA chain. Your CA should provide this for free.

This is the bare minimum of what your vhost configuration file should contain:

/etc/apache2/vhosts.d/vhost-ssl.conf
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>

        DocumentRoot "/srv/www/htdocs"
        ServerName dev.thehastingsfiles.local:443
        ServerAdmin administrator@thehastingsfiles
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log

        SSLEngine on

        # Server certificate, its private key and the CA's intermediate certificate.
        # (SSLCertificateChainFile is deprecated since Apache 2.4.8; the intermediate
        # may instead be appended to the file named in SSLCertificateFile.)
        SSLCertificateFile /usr/local/ssl/dev.crt
        SSLCertificateKeyFile /usr/local/ssl/dev.key
        SSLCertificateChainFile /usr/local/ssl/dev.INTERMEDIATE.crt

        CustomLog /var/log/apache2/ssl_request_log   ssl_combined

</VirtualHost>
</IfDefine>
</IfDefine>

Protocol support

Basically, ditching anything older than TLS 1.2 gives you 100 points in protocol support. Be aware that clients which cannot negotiate TLS 1.2 (for example Internet Explorer on Windows XP, or Android before 5.0) will no longer be able to connect at all.

/etc/apache2/ssl-global.conf
SSLProtocol TLSv1.2




Cipher Strength and Key Exchange


/etc/apache2/ssl-global.conf
SSLCipherSuite "HIGH:!kRSA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-GCM-SHA256"

HIGH keeps only the suites OpenSSL rates as high strength; !kRSA removes every suite that uses RSA key exchange, which has no forward secrecy and costs points; the remaining entries strip the 128-bit suites an RSA certificate could still negotiate, which is what the 100 for cipher strength requires. The list is written against OpenSSL 1.0.2j: newer OpenSSL releases add further 128-bit suites (Camellia and ARIA variants, for instance) that this blocklist does not name, so re-check with openssl ciphers -v after any OpenSSL upgrade.
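To see what the string above actually enables on a given OpenSSL build, here is an added shell example (not code from the original post). It expands the post's SSLCipherSuite value with openssl ciphers -v, confirms that no RSA-key-exchange suite and none of the seven explicitly excluded names survive, lists any RSA-authenticated 128-bit suites that a newer OpenSSL still leaves in, and compares against an allow-list style string (ALLOW_CIPHERS, my own assumption, not the post's) that names the wanted key exchange and cipher families instead of blocking suites one by one.

```shell
#!/bin/sh
# Added example, not from the original post: expand a cipher string with the
# local OpenSSL and check what it really leaves enabled.
set -eu

# The cipher string from the post.
POST_CIPHERS='HIGH:!kRSA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-GCM-SHA256'

# An allow-list alternative (an assumption, not from the post): name what is
# wanted, so suites added by a later OpenSSL release stay out by default.
ALLOW_CIPHERS='ECDHE+AES256:ECDHE+CHACHA20:DHE+AES256'

# One line per suite, as "openssl ciphers -v" prints it:
#   NAME  PROTO  Kx=...  Au=...  Enc=...(bits)  Mac=...
# TLS 1.3 suites (TLS_*) are not governed by SSLCipherSuite and are dropped.
expand_ciphers() {
    openssl ciphers -v "$1" | awk '!/^TLS_/'
}

# Suites using plain RSA key exchange (no forward secrecy); !kRSA leaves none.
rsa_kx_suites() {
    expand_ciphers "$1" | awk '$3 == "Kx=RSA" { print $1 }'
}

# Suites an RSA certificate can negotiate that still use a 128-bit cipher.
# Empty for the post's string on OpenSSL 1.0.2j; newer releases may list
# Camellia, ARIA, CCM or RSA-PSK variants the blocklist never names.
rsa_auth_128bit_suites() {
    expand_ciphers "$1" | awk '$4 == "Au=RSA" && $5 ~ /\(128\)/ { print $1 }'
}

# The seven names the post excludes explicitly must not survive expansion.
explicitly_excluded_present() {
    expand_ciphers "$1" | awk 'BEGIN {
        n = split("DHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256", x, " ")
        for (i = 1; i <= n; i++) banned[x[i]] = 1 }
        ($1 in banned) { print $1 }'
}

suite_count() {
    expand_ciphers "$1" | awk 'END { print NR }'
}

echo "== post's string: $(suite_count "$POST_CIPHERS") suites"
echo "RSA key exchange left:  $(rsa_kx_suites "$POST_CIPHERS" | tr '\n' ' ')"
echo "RSA-auth 128-bit left:  $(rsa_auth_128bit_suites "$POST_CIPHERS" | tr '\n' ' ')"
echo "== allow-list: $(suite_count "$ALLOW_CIPHERS") suites"
echo "RSA-auth 128-bit left:  $(rsa_auth_128bit_suites "$ALLOW_CIPHERS" | tr '\n' ' ')"
```

Run it on the server itself, since the result depends on the OpenSSL that mod_ssl is linked against; anything the second "RSA-auth 128-bit left" line prints for the post's string is a suite SSL Labs will still see.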



A+

For the A+, two more things are needed: Public Key Pinning (HPKP) and Strict Transport Security (HSTS)

Public Key Pinning (HPKP)

For this you need your private key (here cert.key) and, for the backup pin, a spare key pair that is not yet used in any certificate (here backup.csr, an assumed name for a CSR generated from that spare key).

Find the pin using the private key:

dev:/etc/apache2 # openssl rsa -in /usr/local/ssl/cert.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
writing RSA key
********************************************

Find the backup pin using the CSR of the spare key. A CSR contains no private key, so openssl rsa cannot read it (it fails with "unable to load Private Key ... Expecting: ANY PRIVATE KEY"); extract the public key with openssl req instead:

dev:/etc/apache2 # openssl req -in /usr/local/ssl/backup.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
********************************************

Note that the CSR of the certificate currently in use carries the same public key as cert.key and therefore yields the same pin, not a backup. A valid backup pin belongs to a key pair that appears in no certificate of the chain; keep that key offline until you need to roll over.

Find the intermediate certificate's pin in the SSL Labs report, which also shows the pin of your own certificate but, naturally, not the backup pin, because the backup key is not part of the served chain:
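The pin computations above, worked through end to end as an added shell example (not code from the original post): it generates a throwaway key, a CSR and a self-signed certificate from it, plus a separate backup key (all file names and the CN are assumptions), derives pin-sha256 from each, and shows that key, CSR and certificate of the same key pair produce the identical pin, so only an unrelated key gives a usable backup pin.

```shell
#!/bin/sh
# Added example, not from the original post: derive HPKP pin-sha256 values
# with openssl and check that the backup pin really belongs to a different key.
set -eu

WORK="$(mktemp -d)"            # scratch dir for the constructed test material
trap 'rm -rf "$WORK"' EXIT

# pin = base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).  All three helpers
# yield the same value for the same key pair; only the input format differs.
pin_from_key() {   # argument: PEM private key
    openssl pkey -in "$1" -pubout -outform der 2>/dev/null \
        | openssl dgst -sha256 -binary | openssl base64
}
pin_from_csr() {   # argument: PEM certificate signing request
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | openssl base64
}
pin_from_cert() {  # argument: PEM certificate, e.g. the CA's intermediate
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | openssl base64
}

# Build the Apache directive from primary, backup and chain pins.
# A 30-day max-age mirrors the post; start much lower while testing.
hpkp_header() {  # arguments: primary backup intermediate [max-age]
    printf 'Header set Public-Key-Pins "pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; pin-sha256=\\"%s\\"; max-age=%s; includeSubDomains"\n' \
        "$1" "$2" "$3" "${4:-2592000}"
}

# Constructed material (assumed names): the live key with its CSR and a
# self-signed stand-in for the certificate, plus an unrelated backup key.
make_test_material() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/cert.key" 2>/dev/null
    openssl req -new -key "$WORK/cert.key" -subj "/CN=dev.example.test" \
        -out "$WORK/cert.csr" 2>/dev/null
    openssl req -new -x509 -key "$WORK/cert.key" -subj "/CN=dev.example.test" \
        -days 30 -out "$WORK/cert.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/backup.key" 2>/dev/null
}

# A backup pin is only a backup if it differs from the primary pin.
backup_pin_is_distinct() {  # arguments: primary_pin backup_pin
    [ "$1" != "$2" ]
}

make_test_material
PRIMARY="$(pin_from_key "$WORK/cert.key")"
BACKUP="$(pin_from_key "$WORK/backup.key")"
CHAIN="$(pin_from_cert "$WORK/cert.crt")"   # stand-in for the intermediate

if backup_pin_is_distinct "$PRIMARY" "$BACKUP"; then
    hpkp_header "$PRIMARY" "$BACKUP" "$CHAIN"
else
    echo "refusing to emit header: backup pin equals primary pin" >&2
    exit 1
fi
```

Point pin_from_cert at the real intermediate (dev.INTERMEDIATE.crt in the post) to get the third pin without relying on the SSL Labs report, and run pin_from_csr against the CSR of the spare key, never against the CSR of the live certificate.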


Installing the pins:

ssl-global.conf

Header set Public-Key-Pins "pin-sha256=\"<insert pin>\"; pin-sha256=\"<insert backup pin>\"; pin-sha256=\"<insert intermediate cert pin>\"; max-age=2592000; includeSubDomains"

Each pin is the complete base64 string from the commands above, padding included. Test with a short max-age first: a client that has cached the header refuses to connect until max-age expires if none of the pinned keys is in the chain any more, so losing both the live and the backup key locks returning visitors out for up to 30 days. (Major browsers have since dropped HPKP support altogether; Chrome removed it in version 72.)



Strict Transport Security (HSTS)

ssl-global.conf

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

The preload token only signals that the site may be submitted to the browser preload list at hstspreload.org; inclusion there covers every subdomain and is hard to undo, so make sure all subdomains serve HTTPS before submitting.

This is it! A+

The complete configuration file

This includes some features not mentioned above which will improve HTTPS performance and security and will show up in the SSLLabs report, but will not further improve your score. These include OCSP stapling and caching (session resumption).

ssl-global.conf

<IfDefine SSL>

<IfDefine !NOSSL>
<IfModule mod_ssl.c>

        #for Stapling Cache
        LoadModule socache_shmcb_module /usr/lib64/apache2/mod_socache_shmcb.so

        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl

        #Mark every cookie HttpOnly and Secure (unrelated to session resumption)
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

        #HTTP Public Key Pinning (HPKP)
        Header set Public-Key-Pins "pin-sha256=\"***=\"; pin-sha256=\"***=\"; pin-sha256=\"***=\"; max-age=2592000; includeSubDomains"

        Header always set X-Frame-Options SAMEORIGIN

        #HTTP Strict Transport Security (HSTS) with long duration

        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"

        Header always set X-Content-Type-Options nosniff

        <IfDefine SYSTEMD>
        SSLPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
        </IfDefine>

        <IfDefine !SYSTEMD>
        SSLPassPhraseDialog  builtin
        </IfDefine>

        <IfModule mod_socache_dbm.c>
        SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
        </IfModule>

        <IfModule mod_socache_shmcb.c>
        SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
        </IfModule>

        SSLSessionCacheTimeout  300

        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin

        SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
        SSLUseStapling on
        SSLProtocol TLSv1.2

        SSLCipherSuite "HIGH:!kRSA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-GCM-SHA256"

        # ECDHE key exchange: P-384 or larger for the full key exchange score.
        # P-256, the most widely supported curve, is deliberately left out,
        # which costs compatibility with clients that offer nothing else.
        SSLOpenSSLConfCmd Curves P-521:P-384

        SSLHonorCipherOrder on
        SSLCompression      off
        SSLOptions +StrictRequire

</IfModule>

</IfDefine>
</IfDefine>

Monday, 29 June 2015

Converting install.esd to install.wim

 "It's not what you look at that matters, it's what you see."

If you're like me, you have wondered what this strange install.esd file is that came with the Windows 8.1 Update ISO obtained via official channels. It replaces the install.wim usually found on Windows installation media.

(All actions were performed on a technician computer running Windows 10 Insider Preview x64 Pro En-US build number 10.0.10130)

Let's have a look by mounting the ISO.

This is the Windows 10 preview (10130).




As you'd expect, the sources folder contains two WIM files, install.wim and boot.wim.

This is the Windows 8.1 Update Pro x64 En-US ISO, downloaded from Microsoft's website.



The install.wim has given way to install.esd, an Electronic Software Download (ESD) file.

ESD files are compressed with LZMS (DISM's "recovery" compression), which packs even tighter than a WIM created with the /Compress:max switch.

ESD files, however, resist some operations, such as deployment from a WDS server, so the ESD file has to be converted to a WIM file.

There is approximately a ton of third-party tools out there just for that purpose, many of which sport a fancy GUI. I will demonstrate that none of them is needed, because DISM does everything required.

I created a work folder and put boot.wim and install.esd from the ISO's sources folder in it:

C:\>md deplyoment8.1u

C:\>cd deplyoment8.1u

C:\deplyoment8.1u>dir
 Volume in drive C has no label.
 Volume Serial Number is ***

 Directory of C:\deplyoment8.1u

06/30/2015  12:38 AM    <DIR>          .
06/30/2015  12:38 AM    <DIR>          ..
06/29/2015  09:57 PM       262,242,670 boot.wim
06/29/2015  09:58 PM     2,794,179,280 install.esd
               2 File(s)  3,056,421,950 bytes
               2 Dir(s)  197,991,677,952 bytes free

C:\deplyoment8.1u>

Time to see what is inside the WIM and ESD files.

C:\deplyoment8.1u>dism /Get-WimInfo /WimFile:boot.wim

Deployment Image Servicing and Management tool
Version: 10.0.10130.0

Details for image : boot.wim

Index : 1
Name : Microsoft Windows PE (x64)
Description : Microsoft Windows PE (x64)
Size : 1,207,581,322 bytes

Index : 2
Name : Microsoft Windows Setup (x64)
Description : Microsoft Windows Setup (x64)
Size : 1,309,445,510 bytes

The operation completed successfully.

C:\deplyoment8.1u>dism /Get-WimInfo /WimFile:install.esd

Deployment Image Servicing and Management tool
Version: 10.0.10130.0

Details for image : install.esd

Index : 1
Name : Windows 8.1 Pro
Description : Windows 8.1 Pro
Size : 13,185,962,705 bytes

The operation completed successfully.

C:\deplyoment8.1u>

Conversion of install.esd to install.wim

/Export-Image copies the single image (index 1) out of the ESD into a new WIM. /Compress:max selects LZX, the strongest compression a WIM can use (the ESD's own LZMS compression corresponds to /Compress:recovery and would simply produce an ESD again), and /CheckIntegrity adds integrity data so that later DISM operations detect a corrupted file.

C:\deplyoment8.1u>dism /export-image /SourceImageFile:install.esd /SourceIndex:1 /DestinationImageFile:install.wim /Compress:max /CheckIntegrity

Deployment Image Servicing and Management tool
Version: 10.0.10130.0

Exporting image
[==========================100.0%==========================]
The operation completed successfully.

C:\deplyoment8.1u>


Behold the WIM file and its content


C:\deplyoment8.1u>dir
 Volume in drive C has no label.
 Volume Serial Number is ***

 Directory of C:\deplyoment8.1u

06/30/2015  01:05 AM    <DIR>          .
06/30/2015  01:05 AM    <DIR>          ..
06/29/2015  09:57 PM       262,242,670 boot.wim
06/29/2015  09:58 PM     2,794,179,280 install.esd
06/30/2015  01:01 AM     3,547,816,622 install.wim
               3 File(s)  6,604,238,572 bytes
               2 Dir(s)  194,344,812,544 bytes free

C:\deplyoment8.1u>

C:\deplyoment8.1u>dism /get-wiminfo /wimfile:install.wim

Deployment Image Servicing and Management tool
Version: 10.0.10130.0

Details for image : install.wim

Index : 1
Name : Windows 8.1 Pro
Description : Windows 8.1 Pro
Size : 13,185,962,705 bytes

The operation completed successfully.

C:\deplyoment8.1u>







Monday, 25 May 2015

Hyper-V Server: Uninstalling software using the command prompt


This tutorial covers Hyper-V Server, not to be confused with a Windows Server Core installation with the Hyper-V role installed. That said, this short tutorial should work for both scenarios.

First, I'd like to check what software is actually installed on the server. Be aware that querying Win32_Product (which is what wmic product does) makes Windows Installer run a consistency check on every installed MSI package, so it is slow and writes reconfiguration events to the Application event log; on a production host, run it outside busy hours.


C:\>wmic product get name,version,vendor
Name                                                         Vendor                 Version
Microsoft System Center 2012 R2 DPM Protection Agent         Microsoft Corporation  4.2.1292.0
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319  Microsoft Corporation  10.0.30319

C:\>


In this case I have an outdated version of the System Center Data Protection Manager 2012 R2 Protection Agent on my server.

Trying to install the latest version of the protection agent ends in failure as long as the old version is installed, but that is a story for another blog entry.

Uninstalling the application in the command prompt

I took note of the exact name of the application I need to uninstall in the listing above, because the where clause must match it verbatim:

Microsoft System Center 2012 R2 DPM Protection Agent
wmic product where name="Microsoft System Center 2012 R2 DPM Protection Agent" call uninstall

 The result

C:\>wmic product where name="Microsoft System Center 2012 R2 DPM Protection Agent" call uninstall
Executing (\\HYPER-V\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{6FA0CE18-E1AB-4CA2-B552-03D16516E174}",Name="Microsoft System Center 2012 R2 DPM Protection Agent",Version="4.2.1292.0")->Uninstall()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};

C:\>

ReturnValue = 0 means the Windows Installer uninstall succeeded; any other value is the msiexec error code.

Supplemental: Wildcards

A batch script that uninstalls everything with DPM in its name would look like this. The doubled %% is the batch-file escape for a literal %; at an interactive prompt use single % signs. Since like '%DPM%' matches any product name containing DPM, run the same where clause with get name first and check the list before calling uninstall.
C:\Windows\System32\wbem\wmic product where "Name like '%%DPM%%'" call uninstall