Author Archive for Francois

How to use a Smart Card to digitally sign your e-mails in Outlook

Where I currently work, we are using smart cards in order to secure Active Directory accounts with elevated privileges.  That’s a great way to do two-factor authentication, because smart-card logon is supported natively by AD.  In order to force an account to use a smart card, you only have to tick the Smart card is required for interactive logon option on the user account.

In order to digitally sign and encrypt your e-mail, you first have to take the following steps:

  1. Import the certificate on your smart card into the IE Store
  2. Configure Outlook to use the certificate
  3. Start signing/encrypting your e-mail

Sounds simple enough.  Let’s get into the details of how we do all of that.

The first step is to import the digital certificate that is on the smart card into what is sometimes called the IE store.  That store is really the Windows user certificate store (the Personal store, CurrentUser\My), which Internet Explorer happens to expose through its options dialog.  Since I use Gemalto's GemSafe drivers, it is fairly easy.

  1. I first go to the Certificates section of the Toolbox and click on my certificate.
  2. This enables the Export… button.  Click on it to go to the export screen.
  3. Select Export to IE store and make sure that you select Personal as the certificate store.
  4. Click the Export button.

This registers the certificate (the public key and the certificate itself) in your Personal store.  The private key does not leave the smart card: the store entry only points Windows at the card’s cryptographic service provider, so every signing operation still happens on the card.  You can verify that the certificate was registered properly by opening Internet Explorer and clicking Tools | Internet Options | Content | Certificates.  Your certificate should be listed in the Personal tab.  Click on the certificate.  This will fill the Certificate intended purposes section at the bottom of the dialog box.  If Secure Email is not one of the intended purposes (the extended key usage 1.3.6.1.5.5.7.3.4 in the certificate), then you will not be able to use this certificate to sign your e-mail.  Outlook will also warn you if the e-mail address in the certificate does not match the address of the account you send from.
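The same check can be run from the command line.  The PowerShell function below is an added example and not part of the original post: it lists the certificates in the Personal store (the IE dialog’s Personal tab is Cert:\CurrentUser\My in PowerShell), reports whether each one carries the Secure Email purpose and the DigitalSignature key usage, whether a private key is reachable and through which provider (the card’s CSP or KSP), and which e-mail address it was issued to.  With -SignTest it performs a real signature, which is the operation that makes the card ask for its PIN.  The function name is mine; it assumes an RSA key, Windows PowerShell 5.1 or later on Windows, an English-locale Format() output for the subject alternative name, and a reader with the card inserted.

```powershell
# Added example, not from the original post: audit the certificates registered
# in the user's Personal store for S/MIME use with a smart card.
# Assumptions: RSA key on the card, Windows PowerShell 5.1+ on Windows, card inserted.
function Test-SmimeCertificate {
    [CmdletBinding()]
    param(
        # Optional subject or thumbprint fragment to narrow the listing.
        [string]$Match = '',
        # Perform a real signature with the private key (the card prompts for its PIN).
        [switch]$SignTest
    )

    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection = "Secure Email" in the IE dialog
    $sanOid         = '2.5.29.17'           # subjectAltName, where the RFC822 (e-mail) name lives
    $keyUsageOid    = '2.5.29.15'
    $digSig         = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $sha256         = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pkcs1          = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $rsaExt         = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $now            = Get-Date

    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $Match -eq '' -or $_.Subject -like "*$Match*" -or $_.Thumbprint -like "*$Match*" } |
        ForEach-Object {
            $cert = $_
            $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            $ku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq $keyUsageOid }
            $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
            $mail = @()
            if ($san) {
                # Format() renders e.g. "RFC822 Name=alice@example.com" (English locale assumed).
                $mail = @([regex]::Matches($san.Format($false), 'RFC822 Name=([^,\s]+)') |
                          ForEach-Object { $_.Groups[1].Value })
            }

            $r = [ordered]@{
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                EmailAddresses = ($mail -join ', ')
                ValidNow       = (($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now))
                ChainTrusted   = $cert.Verify()
                SecureEmailEKU = ($ekus -contains $secureEmailOid)
                DigitalSigKU   = [bool]($ku -and $ku.KeyUsages.HasFlag($digSig))
                HasPrivateKey  = $cert.HasPrivateKey
                KeyProvider    = $null
                SignTest       = $null
            }

            # The private key never left the card: the store entry only names the CSP/KSP
            # that fronts the card. Reading the provider name does not need the PIN.
            if ($cert.HasPrivateKey) {
                try {
                    $rsa = $rsaExt::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $r.KeyProvider = $rsa.Key.Provider.Provider
                    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        $r.KeyProvider = $rsa.CspKeyContainerInfo.ProviderName
                    }
                    if ($SignTest -and $rsa) {
                        # A real private-key operation: this is the step that makes the card ask for its PIN.
                        $data = [System.Text.Encoding]::UTF8.GetBytes('smart card S/MIME test ' + $now.ToString('o'))
                        $sig  = $rsa.SignData($data, $sha256, $pkcs1)
                        $pub  = $rsaExt::GetRSAPublicKey($cert)
                        $r.SignTest = $pub.VerifyData($data, $sig, $sha256, $pkcs1)
                    }
                } catch {
                    $r.KeyProvider = "error: $($_.Exception.Message)"
                }
            }
            [pscustomobject]$r
        }
}

# Usage: list everything, then exercise the card for the certificate you picked in Outlook.
Test-SmimeCertificate | Format-Table Subject, SecureEmailEKU, DigitalSigKU, HasPrivateKey, KeyProvider, EmailAddresses
# Test-SmimeCertificate -Match '<subject fragment>' -SignTest   # placeholder; use part of your CN or thumbprint
```

A certificate that shows SecureEmailEKU and DigitalSigKU as True, HasPrivateKey as True and a smart-card provider in KeyProvider is the one to pick in Outlook; a SignTest of True after the PIN prompt confirms the card, not a software key, is doing the signing.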

Now the last thing to do is to configure Outlook to use that certificate.

  1. In Outlook (I’m using Outlook 2003), click on Tools | Options… | Security tab| Settings… button in the Encrypted e-mail section.
  2. Here we need to choose our signing certificate and encryption certificate.  Click on the Choose… button and select the same certificate in both cases (if your card holds separate signing and encryption certificates, pick each one accordingly).
  3. Set the Hash Algorithm to SHA1 rather than MD5.  MD5 is broken, and SHA-1 itself is no longer considered collision-resistant, so on a newer version of Outlook choose SHA256 or better.
  4. Your Encryption Algorithm is probably defaulted to 3DES, which is the strongest option Outlook 2003 offers (the others are RC2 variants).  Newer versions of Outlook offer AES-128, AES-192 and AES-256, which you should prefer.
  5. Make sure that the checkbox for the Send these certificates with signed messages option is checked.  A signed message then carries your certificate (public key only; the private key never leaves the card), so your recipients can import it into their store.  This way they will be able to encrypt e-mails to you that only you, with the card and its PIN, will be able to decrypt.

And there you go.  The next time you write an e-mail, simply click on the Options… button and then the Security Settings… button to open the dialog box that will allow you to digitally sign and encrypt your e-mail.  Make sure that your smart card is inserted.  When you click on the Send button, you will be asked to enter your PIN: that unlocks the private key on the card for the signing operation, which is what ties the message to you.  Encrypting to a recipient only needs the recipient’s public certificate, so it requires no PIN, but Outlook also encrypts the message to your own certificate so that you can read it again from your Sent Items folder.

I hope this was helpful to you.  Let me know if you have any questions.

Should you kill NetBIOS from your network?

Do you still have NetBIOS turned on on all of your workstations and servers in your corporate LAN?  This old network protocol puts you at risk and should be killed without prejudice!

There are quite a few reasons why NetBIOS is bad for your network.

  1. NetBIOS is an inefficient protocol.  It is very chatty, with lots of broadcasts.
  2. When used with its default settings, it can be used by the bad guys to gather information about your network and users (user and group names, share names, password policy) through null sessions: anonymous connections to the IPC$ share that need no credentials at all.  An excellent source of information on null sessions can be found in the (old, but still true) page titled NetBIOS Null Sessions: The Good, The Bad, and The Ugly.
  3. Although it can now be routed across LANs by using NetBIOS over TCP/IP (NetBT), it was never meant to be used in a WAN environment.
  4. The original design of NetBIOS was actually for a LAN of about 70 users.
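To see whether a host still hands out the null session described in point 2, and what the local policy behind it is, here is an added example that is not part of the original post.  Test-NullSession attempts an anonymous IPC$ connection with net.exe and reports whether it was accepted; Get-AnonymousAccessPolicy reads the registry values that back the Network access security options.  Both function names are mine; the code assumes Windows PowerShell 5.1 or later, net.exe on the path, and that you are authorised to test the target.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+,
# net.exe available, and permission to test the target host.

function Test-NullSession {
    # A null session is an SMB connection to the hidden IPC$ share with an empty
    # user name and an empty password. Pre-Windows 2003 defaults accept it and then
    # let the caller enumerate users, groups and shares without credentials.
    param([Parameter(Mandatory)][string]$Target)

    $stdout = Join-Path $env:TEMP 'nullsession-out.txt'
    $stderr = Join-Path $env:TEMP 'nullsession-err.txt'

    # Start-Process hands the argument string to net.exe verbatim, which keeps the two
    # empty "" tokens intact; PowerShell's own native-argument passing can drop them.
    $connect = Start-Process -FilePath net.exe `
                             -ArgumentList "use \\$Target\IPC$ `"`" /user:`"`"" `
                             -Wait -PassThru -NoNewWindow `
                             -RedirectStandardOutput $stdout -RedirectStandardError $stderr
    $accepted = ($connect.ExitCode -eq 0)   # net.exe returns 0 on success, 2 on failure

    if ($accepted) {
        # Do not leave the anonymous session lying around.
        Start-Process -FilePath net.exe -ArgumentList "use \\$Target\IPC$ /delete" `
                      -Wait -NoNewWindow | Out-Null
    }

    $message = ((Get-Content $stdout -ErrorAction SilentlyContinue) +
                (Get-Content $stderr -ErrorAction SilentlyContinue)) -join ' '
    Remove-Item $stdout, $stderr -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Target      = $Target
        NullSession = $accepted          # True = anonymous IPC$ still works against this host
        Message     = $message.Trim()
    }
}

function Get-AnonymousAccessPolicy {
    # Registry values behind the "Network access: ..." security options on the local host.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous          # 0 = none, 1 = no enumeration, 2 = no access without explicit permission
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM       # 1 = anonymous cannot enumerate SAM accounts
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous  # should be 0 (or absent)
        RestrictNullSessAccess    = $srv.RestrictNullSessAccess     # should be 1
        NullSessionPipes          = ($srv.NullSessionPipes -join ',')   # pipes still open to null sessions
        NullSessionShares         = ($srv.NullSessionShares -join ',')  # shares still open to null sessions
    }
}

# Usage ('fs01' is a placeholder host name):
# Test-NullSession -Target 'fs01'
# Get-AnonymousAccessPolicy
```

A NullSession of True together with RestrictAnonymous at 0 on the target is exactly the combination the linked article exploits; with NetBIOS over TCP/IP disabled and anonymous access restricted, the connection is refused before any enumeration can start.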

One of the major misconceptions about NetBIOS is that people think it has to be there in order for you to have a file share to serve files to your network users.  That is actually not the case.

File sharing on your LAN

NetBIOS uses these ports:

  • UDP 137: NetBIOS name service
  • UDP 138: NetBIOS datagram service
  • TCP 139: NetBIOS session service

In actual fact, SMB does not need NetBIOS at all.  Since Windows 2000, SMB can be carried directly over TCP on port 445 (“direct hosting”), and a workstation that opens a file share tries TCP 445 and TCP 139 (SMB over NetBT) at the same time and keeps whichever answers first.  With NetBIOS over TCP/IP disabled on both ends, the session simply runs over 445.  You might have heard of SMB (Server Message Block) and CIFS (Common Internet File System) in the same conversation.  That’s because CIFS is actually a dialect of SMB (the SMB1 dialect).

The downside of disabling NetBIOS

I found only two problems that you might run into if you disable NetBIOS.  The first is that this will affect trusts between forests.  This is definitely true for domains at the Windows 2000 functional level or even a Windows NT to Windows 2003 trust.  In a simpler network with only one domain in your forest, this will not be an issue.

The other negative impact that I found is that you can no longer browse for computers in Network Neighborhood (Windows 98) or Microsoft Windows Network (Windows XP).  When NetBIOS is enabled in your network, the master browser collects information about all the computers in the network.  That information is then propagated every 12 minutes to all workstations, and it is what Network Neighborhood and the NET VIEW command display.  Note that the browse list is not itself name resolution: NetBIOS names are resolved by broadcast on UDP 137, by an LMHOSTS file, or by WINS.  Since Windows 2000, Windows and Active Directory rely on DNS for name resolution and for locating domain controllers, so WINS is only needed for legacy clients and applications that still depend on NetBIOS names.

How to deal with NetBIOS

The best thing to do is simply to eliminate NetBIOS.  You probably won’t miss it.  Most likely, if your network has more than a few computers in it, you are using DHCP, and you can use DHCP to disable NetBIOS on your workstations centrally: set the Microsoft vendor-specific option 001 (Microsoft Disable Netbios Option) to 0x2 on the scope.  Clients only honour that option on interfaces left at the default NetBIOS setting.  In a smaller setting, you can change the configuration on each computer in your network by doing the following (Windows 2000 menu names; on Windows XP the folder is called Network Connections):

  1. Click Start, point to Settings, and then click Network and Dial-up Connections.
  2. Right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol (TCP/IP), and then click Properties.
  4. Click Advanced.
  5. Click the WINS tab, and then click Disable NetBIOS over TCP/IP.
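The same change, scripted for a fleet, as an added example that is not part of the original post: Disable-NetbiosOverTcpip sets every IP-enabled adapter to “Disable NetBIOS over TCP/IP” through WMI and writes the same value into the NetBT interface keys so that currently disconnected adapters do not come back with NetBIOS on; Get-NetbiosListeners confirms nothing is left on UDP 137/138 or TCP 139; Test-SmbStillWorks shows that a share is still reachable over direct-hosted SMB on TCP 445, which is the point made in the file-sharing section above; Set-DhcpDisableNetbios applies the DHCP vendor option mentioned above on the DHCP server.  The function names, the server name and the share name are mine.  It assumes an elevated Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection and Get-NetUDPEndpoint) and, for the last function, the DhcpServer module on the DHCP server.

```powershell
# Added example, not from the original post. Run elevated on Windows 8 / Server 2012
# or later. Set-DhcpDisableNetbios runs on the DHCP server (DhcpServer module).

function Disable-NetbiosOverTcpip {
    # Win32_NetworkAdapterConfiguration.SetTcpipNetbios:
    #   TcpipNetbiosOptions 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    #   ReturnValue 0 = done, 1 = done but a reboot is required.
    $results = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            $rc = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = 2 }
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $rc.ReturnValue }
        }

    # Adapters that are currently down are not IPEnabled and so are skipped above;
    # NetbiosOptions = 2 under the NetBT interface keys covers them too.
    $ifKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem $ifKeys | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
    $results
}

function Get-NetbiosListeners {
    # Anything still bound to UDP 137/138 or listening on TCP 139 means NetBT is
    # alive on that address. An empty result is what you want.
    $udp = Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 138 }
    $tcp = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -eq 139 }
    @($udp | ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress } }) +
    @($tcp | ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress } })
}

function Test-SmbStillWorks {
    # TCP 445 reachable and the share browsable => SMB works without NetBIOS.
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$Share = 'NETLOGON'        # placeholder; any share you can read will do
    )
    $probe = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue
    $reachable = $false
    if ($probe.TcpTestSucceeded) { $reachable = Test-Path "\\$Server\$Share" }
    [pscustomobject]@{ Server = $Server; Port445 = $probe.TcpTestSucceeded; ShareReachable = $reachable }
}

function Set-DhcpDisableNetbios {
    # Microsoft vendor-specific option 001 ("Microsoft Disable Netbios Option"), value 2.
    # Only honoured by clients whose interface is left at "Default" (TcpipNetbiosOptions 0).
    param([Parameter(Mandatory)][string]$ScopeId)
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -VendorClass 'Microsoft Windows 2000 Options' `
                                -OptionId 1 -Value 2
}

# Usage on a workstation ('fs01' is a placeholder file server name):
# Disable-NetbiosOverTcpip | Format-Table
# Get-NetbiosListeners            # expect no output once every interface is set to 2
# Test-SmbStillWorks -Server 'fs01'
# Usage on the DHCP server: Set-DhcpDisableNetbios -ScopeId '192.0.2.0'   # placeholder scope
```

If Get-NetbiosListeners still shows UDP 137 on an address after the change, that interface was set explicitly to “Enable” in its own TCP/IP properties and needs the registry value (or a reboot) to take effect; Test-SmbStillWorks returning Port445 True and ShareReachable True is the evidence that file sharing survived the change.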

This setting turns NetBIOS over TCP/IP (NetBT) off on that interface only: the name, datagram and session services stop listening on UDP 137, UDP 138 and TCP 139 there, but file sharing keeps working over the direct-hosted SMB listener on TCP 445, and other interfaces keep their own setting.  If you do not want to have SMB enabled at all, you can disable it as well on Windows 2000, XP and Server 2003, where the TCP 445 listener is implemented by the same NetBT driver, by using the following instructions:

  1. From the Start menu, right-click My Computer, and then click Manage.
  2. Expand System Tools, and then click Device Manager.
  3. Right-click Device Manager, point to View, and then select Show hidden devices.
  4. Expand Non-Plug and Play Drivers.
  5. Right-click NetBios over TCP/IP, and then click Disable.

This disables the SMB direct host listener on TCP 445 (and the UDP 445 endpoint the driver registers).  With both NetBT and direct hosting gone, SMB has no transport left, so the machine can neither serve nor reach file shares; do this only on hosts that have no business speaking SMB.  Keep in mind that on later Windows versions the TCP 445 listener no longer lives in the NetBT driver, so this step does not apply there.

Final Thoughts

Before you make such an important change in your network, you need to do some serious testing.  This is especially true if you have a lot of different servers and applications.  I intend to post again with the result of my testing and the effect that disabling NetBIOS had on our network.

Starting a new Open Source project shouldn’t be this hard

Wow!  I thought it would be easier than that.  I have this application I started writing that I feel would be useful to lots of people out there, and I decided to share it.  I wrote an application that takes the output of a Nessus scan and loads it into a SQL Server database.  I intend to keep working on this over time and add features like reporting.  Ultimately, what I am after is better reporting, as the Nessus application only provides ONE report.

Since I wrote the code in C#, I decided to go to one of the best-known repositories for Microsoft-technology open source projects, CodePlex.  Creating the project was quick enough, but I can’t seem to be able to access the source code tab.  I always get the message that The source control server is currently unavailable.  Fine, I’m moving on.

So I went to the best known open source repository, SourceForge.net, and created my project.  It looks like it needs to be reviewed by humans before I can even start uploading code.  Great!  It was bed time anyway.

Today, I decided to see if by chance my project on SourceForge would let me upload code, and it does.  Awesome.  CodePlex is still displaying the same error message.  I don’t know if it is me who is doing something wrong or what.  I cannot find anywhere to go if I have problems.  What looks like their support board actually contains more suggestions for enhancements than support requests.