Enable Schannel logging

To enable Secure Channel (Schannel) event logging, follow the steps below.

Add the following registry value (EventLogging is a REG_DWORD value under the SCHANNEL key, not a subkey; create it if it does not exist):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging (REG_DWORD)

Set one of the following values:

0x0000 Do not log
0x0001 Log error messages
0x0002 Log warnings
0x0004 Log informational and success events

The value is a bitmask, so when troubleshooting I like to set it to 0x0007 (0x0001 + 0x0002 + 0x0004) to capture everything. Schannel reads the value at startup, so reboot the machine for the change to take effect. Keep in mind that the 0x0004 bit produces an event for every handshake, which on a busy server fills the System log quickly; set the value back to 0x0001 once you are done.

The events end up in the “System” event log with the source name “Schannel”. Keep an eye out for event ID 36880, which indicates a successful handshake; it is an informational event, so it only appears when the 0x0004 bit is set. Failed handshakes show up as 36874 (no cipher suite in common with the client) and 36887/36888 (a fatal TLS alert was received/sent). A 36880 event looks something like:

An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol: TLS 1.2
CipherSuite: 0xc028
Exchange strength: 256

To translate the CipherSuite hex value to its IANA name use the following site:
http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/

In the example above 0xC028 translates to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: ECDHE key exchange (forward secrecy), RSA authentication, AES-256 in CBC mode and SHA-384 for the HMAC. On Windows 10 / Server 2016 and later, Get-TlsCipherSuite lists the suites enabled on the local machine by name, which is handy for checking what the server is willing to negotiate.
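As an added example (this is not code from the original post), the same procedure in PowerShell: set the EventLogging value, then pull the 36880 events back out of the System log and summarise which protocol/cipher suite combinations are actually being negotiated, flagging the weak ones. The cipher-suite table is a small hand-picked subset whose values come from the IANA TLS Cipher Suites registry; anything not in it is reported by hex value only. Function names are my own.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Enable-SchannelLogging {
    # Bitmask: 1 = errors, 2 = warnings, 4 = informational/success; 7 = all.
    param([ValidateRange(0, 7)][int]$Level = 7)
    New-ItemProperty -Path $SchannelKey -Name 'EventLogging' -PropertyType DWord -Value $Level -Force | Out-Null
    Write-Warning 'Schannel reads EventLogging at boot: restart the machine for the change to take effect.'
}

# Subset of the IANA registry (assumption: enough to cover what Windows commonly negotiates).
$CipherSuiteNames = @{
    0x1302 = 'TLS_AES_256_GCM_SHA384'
    0x1301 = 'TLS_AES_128_GCM_SHA256'
    0xC030 = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    0xC02F = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    0xC02C = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    0xC02B = 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    0xC028 = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
    0xC027 = 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
    0x009D = 'TLS_RSA_WITH_AES_256_GCM_SHA384'
    0x009C = 'TLS_RSA_WITH_AES_128_GCM_SHA256'
    0x0035 = 'TLS_RSA_WITH_AES_256_CBC_SHA'
    0x002F = 'TLS_RSA_WITH_AES_128_CBC_SHA'
    0x000A = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}

function ConvertFrom-SchannelHandshake {
    # Parses the message text of one 36880 event into a summary object.
    param([Parameter(Mandatory)][string]$Message)
    $proto = if ($Message -match 'Protocol:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    $code  = if ($Message -match 'CipherSuite:\s*0x([0-9A-Fa-f]{1,4})') { [int]('0x' + $Matches[1]) } else { -1 }
    $name  = if ($CipherSuiteNames.ContainsKey($code)) { $CipherSuiteNames[$code] } else { '0x{0:X4}' -f $code }
    # Heuristic: anything below TLS 1.2, RSA key exchange (no forward secrecy), CBC or 3DES.
    $weak  = ($proto -notmatch 'TLS 1\.[23]') -or ($name -match '^TLS_RSA_') -or ($name -match '_CBC_|3DES')
    [pscustomobject]@{ Protocol = $proto; CipherSuite = $name; Weak = $weak }
}

function Get-SchannelHandshakeSummary {
    # Counts negotiated protocol/cipher suite pairs over the most recent 36880 events.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-SchannelHandshake -Message $_.Message } |
        Group-Object Protocol, CipherSuite, Weak |
        Select-Object Count,
                      @{ n = 'Protocol';    e = { $_.Group[0].Protocol } },
                      @{ n = 'CipherSuite'; e = { $_.Group[0].CipherSuite } },
                      @{ n = 'Weak';        e = { $_.Group[0].Weak } } |
        Sort-Object Weak, Count -Descending
}

# Usage:
#   Enable-SchannelLogging -Level 7      # then reboot and let some traffic flow
#   Get-SchannelHandshakeSummary | Format-Table -AutoSize
```

Get-WinEvent throws when no matching events exist, which is the expected result right after enabling logging and before the reboot; the summary is only meaningful once the 0x0004 bit has been active through some real traffic.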

Reference
TLS/SSL Settings

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

TLS/SSL Security Considerations

https://technet.microsoft.com/en-us/library/dn786446(v=ws.11).aspx

Cipher Suites in TLS/SSL (Schannel SSP)

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Prioritizing Schannel Cipher Suites

https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

https://support.microsoft.com/en-gb/kb/245030

Update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows

https://support.microsoft.com/en-gb/kb/3161639

IIS Crypto

https://www.nartac.com/Products/IISCrypto/

Custom RDP Certificate on Windows Server 2012 R2

Since Windows Server 2012 the Remote Desktop Session Host Configuration tool is no longer shipped, which makes setting a custom RDP certificate more awkward. In a domain context you will most likely use GPOs and other domain tools to configure the listener, but in my work environment I deal with stand-alone systems, which makes them a bit harder to manage. During one of my security scans our vulnerability scanner started complaining about self-signed certificates. Removing the self-signed certificate from the local computer store and using WMI to point the listener at a proper one is fairly easy, but after doing the same trick twice it gets annoying, so I wrote a PowerShell script to handle setting the correct certificate.

My script has a couple of parameters that you can use:

Set-RDPCertificate.ps1 -Hash <string> [-Delete] [-Terminalname <string>] [<CommonParameters>]
Set-RDPCertificate.ps1 -listCerts [<CommonParameters>]
Set-RDPCertificate.ps1 -ListCurrent [<CommonParameters>]

  • Hash: The default (positional) parameter; expects the 40-character SHA-1 thumbprint of a certificate in the local computer's personal store.
  • Delete: Deletes the previously configured certificate from the local store after the provided thumbprint has been set.
  • Terminalname: If you changed the default RDP-Tcp listener name you can enter it here; omitting the parameter uses the default name.
  • ListCerts: Lists the certificates in the personal store of the local computer.
  • ListCurrent: Shows the certificate currently bound to the RDP listener.

Download the script from here. Version 1.1.
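The WMI approach the post refers to, written out as an added example (this is my own illustration, not the author's Set-RDPCertificate.ps1, which is not reproduced on this page). It reads and sets the SSLCertificateSHA1Hash property of the Win32_TSGeneralSetting instance for the listener, and checks a few things WMI itself will not complain about: the certificate must exist in Cert:\LocalMachine\My, have a private key, carry the Server Authentication EKU and not be expired. Function and parameter names are my own.

```powershell
# Added example, not the author's script. Run from an elevated PowerShell prompt on the host.
$TsNamespace = 'root\cimv2\TerminalServices'

function Get-RdpListenerCertificate {
    param([string]$TerminalName = 'RDP-Tcp')
    $ts = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='$TerminalName'"
    if (-not $ts) { throw "RDP listener '$TerminalName' not found" }
    # The listener only stores a thumbprint; resolve it against the local machine store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $ts.SSLCertificateSHA1Hash
    [pscustomobject]@{
        TerminalName = $TerminalName
        Thumbprint   = $ts.SSLCertificateSHA1Hash
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SelfSigned   = [bool]($cert -and $cert.Subject -eq $cert.Issuer)   # what the scanner flags
    }
}

function Set-RdpListenerCertificate {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]    # SHA-1 thumbprint: 40 hex characters
        [string]$Thumbprint,
        [string]$TerminalName = 'RDP-Tcp',
        [switch]$RemoveOld                        # drop the previously bound cert from the store
    )
    $Thumbprint = $Thumbprint.ToUpper()
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # WMI accepts any thumbprint; the listener silently falls back to a self-signed
    # certificate if the one named here is unusable, so check it up front.
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has expired" }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
            throw "Certificate $Thumbprint lacks the Server Authentication EKU"
        }
    }

    $old = (Get-RdpListenerCertificate -TerminalName $TerminalName).Thumbprint
    $ts  = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
                         -Filter "TerminalName='$TerminalName'"
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null

    if ($RemoveOld -and $old -and $old -ne $Thumbprint) {
        Remove-Item "Cert:\LocalMachine\My\$old" -DeleteKey -ErrorAction SilentlyContinue
    }
    Get-RdpListenerCertificate -TerminalName $TerminalName
}

# Usage (the thumbprint is a placeholder, not a real certificate):
#   Get-RdpListenerCertificate
#   Set-RdpListenerCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -RemoveOld
```

One gotcha worth knowing: the Remote Desktop service reads the private key as NETWORK SERVICE, so a certificate imported by an administrator may need a read ACL on its private key before the listener can actually use it; the check above does not cover that, but a new connection falling back to the self-signed certificate is the symptom.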

5 Steps to get started with Azure DSC

In our never-ending quest to improve our production environment we are currently looking into the possibilities that Microsoft Azure can offer us. One of the offerings that has our interest is state enforcement management with Windows PowerShell, also known as “Desired State Configuration”. I was already deeply impressed with the capabilities offered when running DSC on a local box, via PowerShell remoting or using the pull method on-premise. The only thing that was a bit challenging was deploying the configuration in a world-wide, loosely connected, non-domain environment; Microsoft Azure to the rescue.

Basically PowerShell DSC is a state enforcement platform, much like Group Policies are. With the increased usage of the cloud it has become clear that group policies via Active Directory are not the way forward anymore, especially for non-domain systems. We need a way to do remote state enforcement whenever we need it, on demand, without having to run a self-hosted on-premise environment. Introducing Microsoft Azure Desired State Configuration. Follow the steps below to make your first DSC configuration document, create an Automation Account, assign the document and configure a server to use DSC.

On this page:

  1. Creating the Automation Account
  2. Import the Configuration
  3. On-boarding the target
  4. Apply the meta-data configuration file
  5. Assign the configuration
  6. Downloads
  7. Reference

Creating the Automation Account

Azure DSC makes use of an automation account. Follow these steps to first create that account.

  1. Log in to the Azure portal at https://portal.azure.com
  2. Select “More Services”
  3. Type “Automation”, click “Automation Accounts”
  4. Click “Add” next to the large plus sign
  5. Fill in the appropriate data on the “Add Automation Account” page and click “Create”


Wait a few moments for the account to be created.

Import the Configuration

Once the Automation Account has been created we can start configuring desired state. Click the automation account you just created; the blade for configuring the account opens. Click “DSC configurations” in the “Configuration Management” section. The DSC Configurations node is the store where your configuration documents are saved; these documents dictate the state of your machines. Click “Add a configuration” at the top of the page. In the “Configuration file” field click the folder icon and browse to your configuration file. In my case I’ve created a document that tells the system to install the default Web Server (IIS) role and remove SMBv1, but you can configure basically your entire system this way. Click “OK” to return to the previous blade.

Give it a second to import the file.

Next we need to tell Azure to compile the configuration document into the .mof file it can deploy. Click the configuration that you just imported; the blade that opens lets you compile the .ps1 script into a .mof file. Click the “Compile” button at the top of the page, read the message and click “Yes”.


Close the blade after the compile action completes successfully.
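An added example of the kind of configuration document the post describes (install the Web Server role, remove SMBv1). It is my illustration, not the author's MyServerRole script; the configuration and node names are chosen so that Azure's compile step produces the node configuration name “MyFirstConfiguration.MyServerRole” that the assignment step refers to. Besides removing the SMB1 feature package it also pins the SMB1 server-side switch in the registry, which is the documented LanmanServer\Parameters\SMB1 value (assumption: you want the LCM to keep SMB1 off even if the feature comes back).

```powershell
# Added example, not the author's configuration document.
# Upload this .ps1 to the Automation Account and compile it there; under Azure
# Automation DSC the node name below is just a label that becomes part of the
# node configuration name (<ConfigurationName>.<NodeName>).
Configuration MyFirstConfiguration
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'MyServerRole'
    {
        # Default Web Server (IIS) role.
        WindowsFeature WebServer
        {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        # Remove the SMB1 feature package entirely...
        WindowsFeature Smb1Feature
        {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # ...and keep the SMB1 server protocol disabled at the registry level too,
        # so a consistency check re-applies it if someone re-enables it by hand.
        Registry DisableSmb1Server
        {
            Key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
    }
}

# To try the document on a test box before uploading it, compile and push it locally:
#   MyFirstConfiguration -OutputPath .\out
#   Start-DscConfiguration -Path .\out -Wait -Verbose
#   Test-DscConfiguration
```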

On-boarding the target

Now that the main configuration is done we need to on-board the server that we want to target with DSC. Microsoft made that a really simple task by providing an on-boarding script. This script is available at:

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding

Just in case that location ever changes, you can easily locate the URL again by browsing to your “Automation Account” blade, clicking “DSC Nodes” under “Configuration Management” and clicking “Add on-prem VM”. Browse to the “Generating DSC metaconfigurations” section and copy the script content.

The only values that need to be changed in the script are “RegistrationUrl”, “RegistrationKey” and “ComputerName”. Just for fun we’ll also change the state enforcement policy by setting “ConfigurationMode” (the default, ApplyAndMonitor, only reports drift; ApplyAndAutoCorrect re-applies the configuration at every consistency check). You first need to get the values for “RegistrationUrl” and “RegistrationKey”: in the “Automation Account” blade, under “Account Settings”, select “Keys”. You can use either the primary or the secondary key. Treat the key as a credential: anything that has it can register a node with your Automation account and pull its configurations.

Once updated the code in the script would look something like this:

ComputerName = @('localhost');
RegistrationUrl = 'https://we-agentservice-prod-1.azure-automation.net/accounts/5eb0794a-a035-406e-8181-ece99172d6fa';
RegistrationKey = 'qLVkKkhBe4+RfVEkuIl2TicZSvzUEj+1jPXvdd0SkDM662zwolUcyVx2KzvSoUsSHZpK7FvlzkF4WuxZh4G8CA==';
ConfigurationMode = 'ApplyAndAutoCorrect';

In the example above I apply the configuration to localhost instead of an individual hostname; that’s just the situation I’m in, and yours could be very different. Once the script is ready, run it to generate the meta-configuration .mof file (it ends up in a DscMetaConfigs folder). Note that the generated .meta.mof contains the RegistrationKey in clear text, so treat that folder as a secret, delete it after it has been applied, and regenerate the key in the portal if it has been pasted into a script that lives on anywhere.

Apply the meta-data configuration file

Applying the meta-configuration file can be done in multiple ways, by PowerShell remoting or by applying it locally on the box. In this demo I’ll use the latter.
Copy the “DscMetaConfigs” folder to the local box, open an elevated PowerShell ISE or PowerShell console and use the following command to configure the Local Configuration Manager (LCM):

Set-DscLocalConfigurationManager -Path .\DscMetaConfigs

In case you want to check the configuration that’s been applied, use:

Get-DscLocalConfigurationManager

Assign the configuration

The last step is assigning the appropriate DSC configuration to the server, which is done in Azure. Select your “Automation Account” and click “DSC Nodes” under “Configuration Management”. The server we ran the on-boarding script on should be listed here. Click the server name, then click the “Assign node configuration” icon at the top of the screen. On the “Assign Node Configuration” blade that opens, click the compiled node configuration (if you used my script it will show “MyFirstConfiguration.MyServerRole”) and click “OK”.

And that’s really all there is to it. After waiting for about 15 minutes the configuration will be applied on the selected server.


Tip! If you don’t want to wait, run the following on the target server to make the LCM pull and apply the assigned configuration right away:

Update-DscConfiguration -Wait -Verbose

Afterwards, Test-DscConfiguration reports whether the node is in its desired state.
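The on-boarding, apply and verify steps above, written out end to end as an added example. It is modelled on the structure of Microsoft's on-boarding script (a meta-configuration with ConfigurationRepositoryWeb, ResourceRepositoryWeb and ReportServerWeb blocks) but is my own condensed version, not a copy of it or of the author's OnBoardComputerInAzureDSC script. The registration URL is a placeholder and the key is read at the prompt instead of being pasted into the script; -NodeConfigurationName is optional and, when given, pre-assigns the node so the portal assignment step can be skipped (assumption: you already compiled that name in Azure).

```powershell
# Added example, not the author's on-boarding script. Run elevated on the target box.
[DscLocalConfigurationManager()]
Configuration DscMetaConfigs
{
    param(
        [Parameter(Mandatory)][string]$RegistrationUrl,
        [Parameter(Mandatory)][string]$RegistrationKey,
        [Parameter(Mandatory)][string[]]$ComputerName,
        [ValidateSet('ApplyOnly', 'ApplyAndMonitor', 'ApplyAndAutoCorrect')]
        [string]$ConfigurationMode = 'ApplyAndMonitor',
        [string]$NodeConfigurationName,          # e.g. 'MyFirstConfiguration.MyServerRole'
        [bool]$RebootNodeIfNeeded = $false
    )

    # An empty ConfigurationNames registers the node without assigning anything yet.
    $configNames = if ($NodeConfigurationName) { @($NodeConfigurationName) } else { $null }

    Node $ComputerName
    {
        Settings
        {
            RefreshMode                    = 'Pull'
            RefreshFrequencyMins           = 30     # how often the LCM polls Azure
            ConfigurationModeFrequencyMins = 15     # how often the consistency check runs
            ConfigurationMode              = $ConfigurationMode
            RebootNodeIfNeeded             = $RebootNodeIfNeeded
            ActionAfterReboot              = 'ContinueConfiguration'
            AllowModuleOverwrite           = $false
        }
        ConfigurationRepositoryWeb AzureAutomationDSC
        {
            ServerUrl          = $RegistrationUrl
            RegistrationKey    = $RegistrationKey
            ConfigurationNames = $configNames
        }
        ResourceRepositoryWeb AzureAutomationDSC
        {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
        ReportServerWeb AzureAutomationDSC
        {
            ServerUrl       = $RegistrationUrl
            RegistrationKey = $RegistrationKey
        }
    }
}

# Placeholder URL; take the real one and the key from the Automation Account "Keys" blade.
$params = @{
    RegistrationUrl   = 'https://<region>-agentservice-prod-1.azure-automation.net/accounts/<account-id>'
    RegistrationKey   = Read-Host -Prompt 'Registration key (primary or secondary)'
    ComputerName      = @('localhost')
    ConfigurationMode = 'ApplyAndAutoCorrect'
}
DscMetaConfigs @params -OutputPath .\DscMetaConfigs | Out-Null    # writes localhost.meta.mof

# Apply the meta-configuration and confirm the LCM really switched to pull mode.
Set-DscLocalConfigurationManager -Path .\DscMetaConfigs -Verbose
$lcm = Get-DscLocalConfigurationManager
if ($lcm.RefreshMode -ne 'Pull' -or -not $lcm.ConfigurationDownloadManagers) {
    throw 'LCM was not switched to pull mode; check the registration URL and key'
}
$lcm | Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins

# The .meta.mof stores the registration key in clear text: remove it once applied.
Remove-Item .\DscMetaConfigs -Recurse -Force

# After the node configuration has been assigned in the portal, pull it now
# instead of waiting for the next refresh, then report compliance.
Update-DscConfiguration -Wait -Verbose
Test-DscConfiguration -Detailed | Select-Object InDesiredState, ResourcesNotInDesiredState
```

Read-Host returns the key as a plain string because the DSC resource needs it that way; the point of prompting is only to keep it out of the script file and shell history, which is also why the generated folder is deleted straight after Set-DscLocalConfigurationManager succeeds.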

Downloads


MyServerRole PowerShell Script

OnBoardComputerInAzureDSC

Reference
Windows PowerShell Desired State Configuration Overview

https://msdn.microsoft.com/en-us/powershell/dsc/overview

Azure Automation DSC Overview

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview

Getting Started with PowerShell Desired State Configuration (DSC)

https://mva.microsoft.com/en-US/training-courses/getting-started-with-powershell-desired-state-configuration-dsc-8672?l=ZwHuclG1_2504984382

Hybrid IT Management Part 3: Automation

https://mva.microsoft.com/en-US/training-courses/hybrid-it-management-part-3-automation-16631?l=MQrdRCHrC_4406218965