March 2007 - Posts
Various Microsoft Windows operating systems support a variety of network authentication protocols, such as LM (LAN Manager), NTLM, NTLMv2 and Kerberos. The obvious issue is that an older OS cannot use the newer and more secure protocols such as NTLMv2 and Kerberos unless it is upgraded with service packs or patches (where Microsoft makes them available) that add support for the newer technologies.
The less obvious issue concerns the newer operating system, especially Windows Vista, which we expect to be backward compatible with the older and less secure protocols such as LM and NTLM. That is not the case with Windows Vista, because Microsoft has disabled those protocols by default to reduce the attack surface of this release of Windows. That is to be expected, as Microsoft is putting security best practices in place throughout its product development lifecycle.
So what is the problem? If you have any system or device that does not support NTLMv2, such as an old Network Attached Storage (NAS) device, a Macintosh, or a Samba server, you cannot access its file shares from Windows Vista, even though you could from Windows XP.
The solution is fairly simple: configure the Windows Vista local security policy to accept and respond to LM and NTLM challenges. The default LAN Manager authentication level in Windows XP is “Send LM & NTLM responses”, but in Windows Vista it has been changed to “Send NTLMv2 response only”, which denies access to systems that do not support NTLMv2 authentication. Follow the steps below to configure the Windows Vista Local Security Policy to respond to LM and NTLM.
- Go to Start Menu, type secpol.msc in the Start Search box and press <ENTER>. There might be a UAC elevation prompt; allow the action and proceed with the next step.
- Under Security Settings in the Local Security Policy editor, expand Local Policies and select Security Options.
- In the right pane, double-click the setting “Network Security: LAN Manager authentication level”.
- Set its value to “Send NTLM response only” or even lower if necessary (at your own discretion).
- Click OK and run the gpupdate command to refresh the newly configured security policy.
After the refresh, you should be able to connect to your NAS device, Mac OS or Samba shared folders without difficulty.
Here is an alternative solution for those who cannot get their hands on secpol.msc (Vista Home Basic/Premium users), but it involves risk as you will need to edit a registry value directly.
- Launch "Registry Editor" (regedit.exe).
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
- Create a DWORD registry value and name it "LMCompatibilityLevel".
- Set its value to 2 (Send NTLM response only) or lower, 1 or 0 (again at your own discretion).
- Quit the Registry Editor.
For more information on LMCompatibilityLevel values, check out the links below.
http://support.microsoft.com/kb/239869
http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/
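For those who prefer to script the registry route instead of clicking through regedit, here is a PowerShell helper I am adding to this post as an illustration (it is not part of the original post, and nothing in it comes from Microsoft's own tooling). It reads the LMCompatibilityLevel value described above, prints the level name in the same wording the Local Security Policy editor uses, and can set a new level after saving the previous value to a file so the change can be undone once the NAS or Samba box finally speaks NTLMv2. The level-number-to-name table matches KB 239869; the backup file location and the function names are my own choices. It assumes an elevated PowerShell session on Windows, since the LSA key is protected.

```powershell
# Added example, not from the original post: inspect and change the
# LAN Manager authentication level via the registry value named in the post.
# Assumes an elevated PowerShell session on Windows.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LMCompatibilityLevel'

# Level numbers and their meanings (wording as in the Local Security Policy editor).
# 3 is the Windows Vista default described in the post; 2 is the post's suggested setting.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the explicit value, or $null when it is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)

    # Record the previous value first so the change can be reverted later.
    $before = Get-LmCompatibilityLevel
    $prev   = if ($null -eq $before) { 'absent' } else { $before }
    $backup = Join-Path $env:TEMP ('LMCompatibilityLevel-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    "previous=$prev" | Set-Content -Path $backup

    # New-ItemProperty creates the DWORD; -Force overwrites it if it already exists.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
    Write-Host ('{0} set to {1} ({2}); previous value saved to {3}' -f $ValueName, $Level, $LevelNames[$Level], $backup)
}

# Show the current state before changing anything.
$current = Get-LmCompatibilityLevel
if ($null -eq $current) {
    Write-Host ('{0} is not set explicitly; the OS default applies (3 on Windows Vista: {1}).' -f $ValueName, $LevelNames[3])
} else {
    Write-Host ('{0} = {1} ({2})' -f $ValueName, $current, $LevelNames[$current])
}

# To apply the post's suggested level (NTLM response only), uncomment the next line,
# then run "gpupdate" as the post describes:
# Set-LmCompatibilityLevel -Level 2
```

Run it once without uncommenting anything to see where the machine currently stands; a machine that has never had the value set will report the OS default rather than a number. The saved "previous=" file is the reminder to put the level back up once the old device is retired.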
If you are using Windows Vista as your primary operating system, you are likely to encounter problems accessing some SSL-enabled sites that you browsed smoothly with Windows XP in the past. Internet Explorer 7 in Windows Vista simply throws the error message "Internet Explorer cannot display the webpage” when you browse to certain HTTPS URLs. I am NOT talking about the warning for an untrusted or expired certificate. If you have encountered this problem before, you know how frustrating it can get. ;)
To understand this problem, let's start with the fundamentals of SSL communication.
SSL communication starts with a handshake between server and client, in which asymmetric encryption is used to exchange a symmetric encryption key, also known as the session key. The session key is used in the subsequent communication between client and server to encrypt and sign the HTTP packets. SSL has evolved over many versions, starting from 1.0, then 2.0, and now we have SSL 3.0 as well as TLS 1.0, collectively known as SSL/TLS. Both SSL 3.0 (an INTERNET-DRAFT, http://home.netscape.com/eng/ssl3/draft302.txt) and TLS 1.0 (RFC 2246) allow different asymmetric/symmetric encryption and hashing algorithms to be used within an SSL/TLS session.
In the Windows Vista operating system, the cipher suites (pre-defined combinations of encryption and hashing algorithms used for SSL communication) that use DES encryption are disabled by default, so browsing to an SSL site that supports only DES encryption results in the error mentioned above.
The ideal solution would be to reconfigure the web site to support an encryption algorithm other than DES, such as AES or 3DES. Unfortunately, we usually have no say over how the web server is set up or configured, so the only workaround is to configure Windows Vista to support DES encryption over SSL/TLS until the SSL site is updated to use other algorithms.
To enable DES support for SSL/TLS in Windows Vista, try the following steps at your own discretion.
- Go to Start Menu, type gpedit.msc in the Start Search box and press <ENTER>. There might be a UAC elevation prompt; allow the action and proceed with the next step.
- Under Computer Configuration in the Group Policy Object Editor, expand Administrative Templates, expand Network, expand SSL Configuration Settings, and then double-click SSL Cipher Suite Order.
- Select Enabled and prepend “TLS_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,” to the pre-populated string value. Note the trailing comma, and make sure there are no embedded spaces in the string.
- Click OK and restart your computer. (Note: the gpupdate command updates the Group Policy settings, but reconfiguring SChannel.dll requires a restart.)
Here is an alternative solution for those who cannot get their hands on gpedit.msc (Vista Home Basic/Premium users), but it involves risk as you will need to edit a registry value directly.
- Launch "Registry Editor" (regedit.exe).
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 (if the key does not exist, you will have to create it).
- Create a String registry value and name it "Functions".
- Set its value to the following. There must be no line breaks and no embedded spaces in the actual value; it is shown one suite per line here only for readability.
"TLS_RSA_WITH_DES_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_RC4_128_MD5,
SSL_CK_RC4_128_WITH_MD5,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA"
- Quit the Registry Editor and restart the system.
If you trust me, you can download the attachment from this post and apply the registry patch. That would be the easiest way.
After the restart, you should be able to happily browse the SSL sites that you were previously unable to reach from Windows Vista.
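Because a single stray space or line break in that "Functions" string silently breaks every cipher suite after it, here is a PowerShell helper I am adding to this post (it is not from the original post and not a Microsoft tool) that builds the new cipher suite order the way the steps above describe, prepending the two DES suites to whatever is already there, and then checks the result for the mistakes the post warns about before anything is written to the registry. It also lists the weak suites (DES, NULL, RC4, MD5) present in the final order, so you know exactly what you are turning on and can take it out again later. If the "Functions" value does not exist yet, it falls back to a short constructed sample list; that sample is my assumption for demonstration only, not the real Vista default, and the function names are mine as well. Writing the value needs an elevated session and, as the post says, a restart.

```powershell
# Added example, not from the original post: build and sanity-check the
# cipher suite order string before writing it to the "Functions" value.
$SslKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$DesSuites = @('TLS_RSA_WITH_DES_CBC_SHA', 'SSL_RSA_WITH_DES_CBC_SHA')

function Get-CurrentCipherOrder {
    # Use the existing policy value if one is set.
    $item = Get-ItemProperty -Path $SslKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [string]$item.Functions }
    # Constructed fallback for demonstration only (assumption, not the real OS default).
    return 'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}

function New-CipherOrder {
    param([string]$Existing, [string[]]$Prepend)
    # Split on commas, trim and drop blanks, then put the prepended suites first without duplicates.
    $existingList = $Existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    $merged = @($Prepend) + @($existingList | Where-Object { $Prepend -notcontains $_ })
    return ($merged -join ',')
}

function Test-CipherOrder {
    param([string]$Order)
    $problems = @()
    # The post's two rules: no whitespace/line breaks, no empty entries (stray commas).
    if ($Order -match '\s') { $problems += 'contains whitespace or a line break' }
    if ($Order -match ',,' -or $Order.StartsWith(',') -or $Order.EndsWith(',')) {
        $problems += 'has an empty entry (double, leading or trailing comma)'
    }
    # Schannel suite names are upper-case TLS_/SSL_ identifiers; anything else is a typo.
    foreach ($name in ($Order -split ',')) {
        if ($name -notmatch '^(TLS|SSL)_[A-Z0-9_]+$') { $problems += "malformed entry '$name'" }
    }
    # Flag single DES, NULL encryption, RC4 and MD5 so the weakening is deliberate and temporary.
    $weak = ($Order -split ',') | Where-Object { $_ -match '_DES_|_NULL_|_RC4_|_MD5$' }
    return [pscustomobject]@{
        Valid      = ($problems.Count -eq 0)
        Problems   = $problems
        WeakSuites = @($weak)
    }
}

$newOrder = New-CipherOrder -Existing (Get-CurrentCipherOrder) -Prepend $DesSuites
$check    = Test-CipherOrder -Order $newOrder
Write-Host "Proposed Functions value:`n$newOrder"
$check | Format-List

# Only if $check.Valid is True: write the value (elevated session) and restart, as the post says.
# New-Item -Path $SslKey -Force | Out-Null
# New-ItemProperty -Path $SslKey -Name 'Functions' -PropertyType String -Value $newOrder -Force | Out-Null
```

The check deliberately stays separate from the write: run it, read the WeakSuites list, and only then uncomment the last two lines. Note that 3DES (the `3DES_EDE` suites) is not flagged, since the pattern requires an underscore directly before `DES`; only single DES, NULL, RC4 and MD5 suites are reported.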
References:
http://support.microsoft.com/kb/929708
http://support.microsoft.com/kb/245030
This is the price you have to pay for a more secure operating system.

TechEd SEA 2007 is back again! Make yourself available from 11th Sept 2007 to 13th Sept 2007. Yes, this event will again be hosted in Kuala Lumpur, Malaysia, as has become traditional. What can you expect this time round?
· You can update yourself with newly released products such as Windows Vista, Exchange Server 2007, ASP.NET AJAX, and the 2007 release of Microsoft Office along with content about upcoming releases such as Windows Server code name "Longhorn"
· You can choose from 6 technical tracks with more than 100 breakout sessions
· You can experience 120 Hands-on Labs & Instructor-Led Labs at more than 100 stations
· You can meet 2,000 IT pros and developers with 2,000 opinions to consider
· You can mix around with Microsoft product team members and industry gurus
Early bird registration price is RM599.
Crystal Edge Sdn Bhd. will be providing all official registration services, just as at last year's event. Here are the contact details:
Event Email: techedsea@crystaledge.net
Malaysia Telephone: +60 (3)-7958 5155
Malaysia Fax: +60 (3)-7954 4037
Office Hours: Monday till Friday 9:00am - 5:00pm (GMT+08:00) Kuala Lumpur
Official TechEd SEA 2007 site: http://www.microsoft.com/malaysia/techedsea2007/
This applies to .NET Framework 1.1. If your computer has multiple network adapters, resulting in more than 50 network-bound protocols, you will receive an error when trying to perform network operations, directly or indirectly, using the System.Net.Sockets.Socket class, for example when consuming XML web services.
My personal experience was quite frustrating. I was trying to add a Web Reference in Visual Studio 2003 by entering the web service URL, but it took a very long time and control didn't return to Visual Studio 2003. After waiting for some time, I decided to manually stop the operation.
Then I tried to use wsdl.exe to generate the proxy class, and I got this exception.
Unhandled Exception: System.TypeInitializationException: The type initializer for "System.Net.Sockets.Socket" threw an exception. ---> System.Net.Sockets.SocketException: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full at System.Net.Sockets.Socket.InitializeSockets() at System.Net.Sockets.Socket..cctor()
After some googling, I managed to find the solution to my problem. Multiple network adapters with more than 50 protocol bindings (I didn't actually count them, though) were causing the unpatched .NET Framework 1.1 to throw the above exception. I immediately uninstalled some unused adapters (temporarily, of course). I tried again and finally managed to get it working.
For more information, check out the links below.
http://support.microsoft.com/kb/815209
http://support.microsoft.com/kb/826757
Happy patching...