
How Windows stores passwords and how passwords can be attacked

I was forwarded this by a colleague last week and found it interesting reading. It's a short article written by Jesper Johansson and published last month on TechNet. It raises many good questions, many of which come up frequently, and after IT Forum last week I can now kind of understand why the AD administrators here in Microsoft use smart cards and separate accounts for elevated privileges to perform almost all administrative functions. It was amusing when Brian, one of these administrators, pulled out a bunch of some 24 different smart cards just to perform his day job, and the mild panic he had when one of them went walkies - turned out he'd been using it as a bookmark. Just shows you everyone's human :-)

You can read Jesper's article here.

Forms Based Authentication and RPC/HTTP over single IP using ISA 2004

You would think that this would be something fairly simple to do.... Well, think again, unless you know how. In the scenario I was trying to get working, there are essentially three servers involved: a domain controller running Windows Server 2003, a single Exchange 2003 server and an ISA 2004 server.

The goal is to allow users to access the Exchange server remotely, both via Outlook Web Access and through RPC over HTTP using Outlook 2003.

When you publish OWA (I'm not using a FE/BE [Front-End/Back-End] configuration, just a single Exchange server) through ISA 2004, the principle is to create a new web listener on port 443 (SSL) on the ISA server. You configure the web listener to use forms-based authentication (FBA) and forward the requests to your Exchange server. I had this going fine without a manual in sight ;-)

However, when you have a single external IP address and also want to publish RPC over HTTPS on the same port 443, you have a problem. Outlook's RPC over HTTP client authenticates with a Basic (or NTLM) challenge and cannot fill in a logon form, and in ISA 2004 you cannot have a web listener running in both FBA mode and Basic authentication mode at the same time.

I was puzzling over this last week and came close to solving the problem. There wasn't much information I could find on the Internet, so my thinking was to use Basic authentication on the web listener and proxy the FBA through another listener. I never quite got there until I found the article below, but the general principle was right.

The article, by Tom Shinder, is "ISA Server 2004: Supporting Both Basic and Forms-based Authentication with a single External IP Address and Web Listener". It goes through the configuration step by step, with plenty of screenshots to make it dead obvious what you need to do, and it worked perfectly for me. The workaround is astonishingly simple in concept, yet resolves what should have been such a simple thing to do in the first place.

...so here's a small part of my ISA configuration showing it configured


...and here's my OWA (with a few bits disguised - after all, you wouldn't expect me to publicise my inbox contents or external domain name, would you??? :-) )

Now for that XBox theme..... When's the XBox 360 theme coming out then, Eileen?

PKI and Certificate Management Information in Windows Server 2003

While on the subject of certificates/encryption/IPsec/PKI in general yesterday, I was looking around for some good information on how PKI works to post up. One white paper which stood out from the pile was published in December last year (so it's reasonably up to date) by David B. Cross and Avi Ben-Menahem, entitled "Key Archival and Management in Windows Server 2003". Now this isn't exactly going to be a best seller, but I found it very easy to read and understand, so all kudos to David & Avi. Joking aside, it is crucial to give this subject proper consideration if you are planning to implement, or have already implemented, a certificate authority within your organisation.

For further info on PKI in general, this link is a good starting point. The home page for Cryptography on TechNet is here, and information on EFS (Encrypting File System) in XP and Windows Server 2003 can be found here. Otherwise my colleague Steve Lamb will be able to fill in the gaps.


IIS 7.0 - a first look

I saw several demonstrations of an early cut of IIS 7 when I was over in Redmond a couple of weeks ago. Again it's Longhorn-timeframe material, so much can change and there's little concrete information publicly available. Remember this is well before even a pre-beta product. One particular demonstration though was fabulous - the power and manageability of the revised architecture is truly awesome. However, at this stage, NDA sadly prevents me from providing more info :-(

However, it looks like Danielle and Nelson Ruest at FTPOnline have had a sneak preview and an interview direct with the product team. Have a read of their article to get a feel for where IIS may be heading.

Active Directory Federation Services (ADFS) - Presentation & White Paper

I'm blogging while sitting listening to John Craddock and Sally Storey presenting one of the all-day pre-conference seminars, "Stretching Directory Boundaries Cross Platform Identity Management, Authentication and Security", at the Microsoft IT Forum in Copenhagen. On screen as I write is a fantastic demonstration of ADFS (Active Directory Federation Services), which is due to be included in the R2 release of Windows Server 2003 some time next year.

This is a fantastically powerful mechanism for allowing cross-organisation information sharing. This type of federation is still very much in its infancy. However, for a good overview, see the white paper "Active Directory Federation Services: A Path to Federated Identity and Access Management" on the Microsoft website.