Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-05 Thread Kurt Buff
Both relevant and helpful.

Thank you.

Kurt

On Tue, Jun 5, 2012 at 3:52 PM, Ben Scott wrote:
>  This may or may not be helpful/relevant:
>
> "MSSA 2718704: Why and How to Reactivate License Servers in Terminal
> Services and Remote Desktop Services"
>
> (http://goo.gl/eBdJc)
>
> (http://blogs.msdn.com/b/rds/archive/2012/06/05/follow-up-to-microsoft-security-advisory-2718704-why-and-how-to-reactivate-license-servers-in-terminal-services-and-remote-desktop-services.aspx)
>
>  From the MSFT Remote Desktop Services (Terminal Services) Team Blog,
> via the inestimable Susan Bradley on the
> patch-management list.
>
> -- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-05 Thread Ben Scott
  This may or may not be helpful/relevant:

"MSSA 2718704: Why and How to Reactivate License Servers in Terminal
Services and Remote Desktop Services"

(http://goo.gl/eBdJc)

(http://blogs.msdn.com/b/rds/archive/2012/06/05/follow-up-to-microsoft-security-advisory-2718704-why-and-how-to-reactivate-license-servers-in-terminal-services-and-remote-desktop-services.aspx)

  From the MSFT Remote Desktop Services (Terminal Services) Team Blog,
via the inestimable Susan Bradley on the
patch-management list.

-- Ben



RE: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-05 Thread Ken Schaefer
This patch removes certain MS CAs from one of the trusted CA stores.

It should have nothing to do with your IAS server rejecting your own internally 
issued certs.

Something else is up.

Also rejection <> revocation: your IAS server might be rejecting your user's 
certificates. But that is not the same as revoking the certificates.

Cheers
Ken

-Original Message-
From: Troy Adkins [mailto:tadk...@house.virginia.gov] 
Sent: Tuesday, 5 June 2012 10:21 AM
To: NT System Admin Issues
Subject: Re: US-CERT Current Activity - Unauthorized Microsoft Digital 
Certificates

I'm getting an event Id 3, reason code 300, now on my IAS server from my user 
certificates.

Sent from my iPad

On Jun 4, 2012, at 9:49 PM, "Ben Scott" wrote:

> On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins wrote:
>> Has anyone run this patch?
>> I ran the patch on my CA, but it is still revoking my certificates.
> 
>  Isn't that what it's supposed to do?
> 
> -- Ben





Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Troy Adkins
I'm getting an event Id 3, reason code 300, now on my IAS server from my user 
certificates.

Sent from my iPad

On Jun 4, 2012, at 9:49 PM, "Ben Scott" wrote:

> On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins wrote:
>> Has anyone run this patch?
>> I ran the patch on my CA, but it is still revoking my certificates.
> 
>  Isn't that what it's supposed to do?
> 
> -- Ben



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Ben Scott
On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins wrote:
> Has anyone run this patch?
> I ran the patch on my CA, but it is still revoking my certificates.

  Isn't that what it's supposed to do?

-- Ben



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Kurt Buff
I have run this patch on several Win7 and WinXP machines, and just ran
it against my Win2k8 R2 TS/RDP server.

Please detail exactly what you mean by "it is still revoking my certificates".

This is not something that should affect your internal CA
infrastructure, unless you've somehow incorporated MSFT certs into
your cert chain.

Frankly, I'm not worried about patching my servers (on an emergency
basis - I'll catch it in my regular cycle) except for the one
mentioned above, because users actually do log into it - unless
someone shows me I need to think differently about it.

Kurt

On Mon, Jun 4, 2012 at 6:02 PM, Troy Adkins wrote:
> Has anyone run this patch?
>
> I ran the patch on my CA, but it is still revoking my certificates.
>
> Sent from my iPad
>
> On Jun 4, 2012, at 6:47 PM, "Kurt Buff" wrote:
>
>> -- Forwarded message --
>> From: Current Activity 
>> Date: Mon, Jun 4, 2012 at 6:29 AM
>> Subject: US-CERT Current Activity - Unauthorized Microsoft Digital 
>> Certificates
>> To: Current Activity 
>>
>>
>> US-CERT Current Activity
>>
>> Unauthorized Microsoft Digital Certificates
>>
>> Original release date: Monday, June 4, 2012 at 09:16 am
>> Last revised: Monday, June 4, 2012 at 09:16 am
>>
>>
>> Microsoft has released a security advisory to address the revocation of
>> a number of unauthorized digital certificates. Maintaining these
>> certificates within your certificate store may allow an attacker to
>> spoof content, perform a phishing attack, or perform a man-in-the-middle
>> attack.
>>
>> The following certificates have been revoked by this update:
>>  * Microsoft Enforced Licensing Intermediate PCA (2 certificates)
>>  * Microsoft Enforced Licensing Registration Authority CA (SHA1)
>>
>> Microsoft has provided an update to all supported versions of Microsoft
>> Windows to address this issue. Additional information can be found in
>> Microsoft Security Advisory 2718704.
>>
>> US-CERT encourages users and administrators to apply any necessary
>> updates to help mitigate the risk.
>>
>> Relevant Url(s):
>> 
>>
>>
>> 
>>
>>   Produced by US-CERT, a government organization.
>> 
>>
>> This product is provided subject to the Notification as indicated here:
>> http://www.us-cert.gov/legal.html#notify
>>
>> This document can also be found at
>> http://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates
>>
>> For instructions on subscribing to or unsubscribing from this
>> mailing list, visit http://www.us-cert.gov/cas/signup.html
>>


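An added example, not from any poster in this thread: a PowerShell check of the two points raised above, namely whether the advisory's CAs are in the machine's Untrusted Certificates store, and whether any certificate in the current user's Personal store chains to them, with a separate column for a genuine Revoked status as opposed to some other rejection. The CA names come from the quoted US-CERT notice; using `Cert:\CurrentUser\My` as the location of the user certificates is an assumption.

```powershell
# Added example. CA names are taken from the US-CERT notice quoted in this thread.
$advisoryNames = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

function Test-AdvisoryName {
    param([string]$Subject)
    foreach ($n in $advisoryNames) {
        if ($Subject -like "*$n*") { return $true }
    }
    return $false
}

# 1. After the update, the advisory CAs should appear in the
#    Untrusted Certificates (Disallowed) store of the local machine.
Get-ChildItem Cert:\LocalMachine\Disallowed |
    Where-Object { Test-AdvisoryName $_.Subject } |
    Select-Object Subject, NotAfter

# 2. Build the chain for each certificate in the user's Personal store
#    (assumed location) and report whether an advisory CA is in the chain
#    and whether the failure, if any, is an actual revocation.
#    Revocation checking is online, so CRL distribution points must be reachable.
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $builds = $chain.Build($cert)

    $hits   = @($chain.ChainElements |
                Where-Object { Test-AdvisoryName $_.Certificate.Subject })
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked

    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        ChainBuilds       = $builds
        AdvisoryCAInChain = ($hits.Count -gt 0)
        Revoked           = ($status -contains $revokedFlag)
        ChainStatus       = ($status -join ', ')
    } | Select-Object Subject, ChainBuilds, AdvisoryCAInChain, Revoked, ChainStatus
}
```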

Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Troy Adkins
Has anyone run this patch?

I ran the patch on my CA, but it is still revoking my certificates.

Sent from my iPad

On Jun 4, 2012, at 6:47 PM, "Kurt Buff" wrote:

> -- Forwarded message --
> From: Current Activity 
> Date: Mon, Jun 4, 2012 at 6:29 AM
> Subject: US-CERT Current Activity - Unauthorized Microsoft Digital 
> Certificates
> To: Current Activity 
> 
> 
> US-CERT Current Activity
> 
> Unauthorized Microsoft Digital Certificates
> 
> Original release date: Monday, June 4, 2012 at 09:16 am
> Last revised: Monday, June 4, 2012 at 09:16 am
> 
> 
> Microsoft has released a security advisory to address the revocation of
> a number of unauthorized digital certificates. Maintaining these
> certificates within your certificate store may allow an attacker to
> spoof content, perform a phishing attack, or perform a man-in-the-middle
> attack.
> 
> The following certificates have been revoked by this update:
>  * Microsoft Enforced Licensing Intermediate PCA (2 certificates)
>  * Microsoft Enforced Licensing Registration Authority CA (SHA1)
> 
> Microsoft has provided an update to all supported versions of Microsoft
> Windows to address this issue. Additional information can be found in
> Microsoft Security Advisory 2718704.
> 
> US-CERT encourages users and administrators to apply any necessary
> updates to help mitigate the risk.
> 
> Relevant Url(s):
> 
> 
> 
> 
> 
>   Produced by US-CERT, a government organization.
> 
> 
> This product is provided subject to the Notification as indicated here:
> http://www.us-cert.gov/legal.html#notify
> 
> This document can also be found at
> http://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates
> 
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit http://www.us-cert.gov/cas/signup.html
> 



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Kurt Buff
Yes. Not good.

Patching Win7 doesn't invoke a reboot.

Patching WinXP does invoke a reboot.

I'm working on an announcement for our worker bees now...

Kurt

On Mon, Jun 4, 2012 at 3:57 PM, Ben Scott wrote:
>  Thanks for the info, Kurt.  A quick Google found this:
>
> http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
>
> "When an enterprise customer requests a Terminal Services activation
> license, the certificate issued by Microsoft in response to the
> request allows code signing without accessing Microsoft’s internal PKI
> infrastructure."
>
>  Whoops.
>
> -- Ben



Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

2012-06-04 Thread Ben Scott
  Thanks for the info, Kurt.  A quick Google found this:

http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

"When an enterprise customer requests a Terminal Services activation
license, the certificate issued by Microsoft in response to the
request allows code signing without accessing Microsoft’s internal PKI
infrastructure."

  Whoops.

-- Ben
