RE: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
This patch removes certain MS CAs from one of the trusted CA stores. It should have nothing to do with your IAS server rejecting your own internally issued certs. Something else is up.

Also rejection != revocation: your IAS server might be rejecting your user's certificates. But that is not the same as revoking the certificates.

Cheers
Ken

-----Original Message-----
From: Troy Adkins [mailto:tadk...@house.virginia.gov]
Sent: Tuesday, 5 June 2012 10:21 AM
To: NT System Admin Issues
Subject: Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates

I'm getting an event Id 3, reason code 300, now on my IAS server from my user certificates.

Sent from my iPad

On Jun 4, 2012, at 9:49 PM, Ben Scott mailvor...@gmail.com wrote:

> On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins tadk...@house.virginia.gov wrote:
>> Has anyone run this patch? I ran the patch on my CA, but it is still revoking my certificates.
>
> Isn't that what it's supposed to do?
>
> -- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
This may or may not be helpful/relevant:

MSSA 2718704: Why and How to Reactivate License Servers in Terminal Services and Remote Desktop Services
(http://goo.gl/eBdJc)
(http://blogs.msdn.com/b/rds/archive/2012/06/05/follow-up-to-microsoft-security-advisory-2718704-why-and-how-to-reactivate-license-servers-in-terminal-services-and-remote-desktop-services.aspx)

From the MSFT Remote Desktop Services (Terminal Services) Team Blog, via the inestimable Susan Bradley sbradcpa@... on the patch-management list.

-- Ben
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
Both relevant and helpful. Thank you.

Kurt

On Tue, Jun 5, 2012 at 3:52 PM, Ben Scott mailvor...@gmail.com wrote:

> This may or may not be helpful/relevant:
>
> MSSA 2718704: Why and How to Reactivate License Servers in Terminal Services and Remote Desktop Services
> (http://goo.gl/eBdJc)
> (http://blogs.msdn.com/b/rds/archive/2012/06/05/follow-up-to-microsoft-security-advisory-2718704-why-and-how-to-reactivate-license-servers-in-terminal-services-and-remote-desktop-services.aspx)
>
> From the MSFT Remote Desktop Services (Terminal Services) Team Blog, via the inestimable Susan Bradley sbradcpa@... on the patch-management list.
>
> -- Ben
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
Thanks for the info, Kurt. A quick Google found this:

http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

When an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.

Whoops.

-- Ben
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
Yes. Not good.

Patching Win7 doesn't invoke a reboot. Patching WinXP does invoke a reboot.

I'm working on an announcement for our worker bees now...

Kurt

On Mon, Jun 4, 2012 at 3:57 PM, Ben Scott mailvor...@gmail.com wrote:

> Thanks for the info, Kurt. A quick Google found this:
>
> http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx
>
> When an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure.
>
> Whoops.
>
> -- Ben
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
Has anyone run this patch? I ran the patch on my CA, but it is still revoking my certificates.

Sent from my iPad

On Jun 4, 2012, at 6:47 PM, Kurt Buff kurt.b...@gmail.com wrote:

> -- Forwarded message --
> From: Current Activity us-c...@us-cert.gov
> Date: Mon, Jun 4, 2012 at 6:29 AM
> Subject: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
> To: Current Activity current-activ...@us-cert.gov
>
> US-CERT Current Activity
>
> Unauthorized Microsoft Digital Certificates
>
> Original release date: Monday, June 4, 2012 at 09:16 am
> Last revised: Monday, June 4, 2012 at 09:16 am
>
> Microsoft has released a security advisory to address the revocation of a number of unauthorized digital certificates. Maintaining these certificates within your certificate store may allow an attacker to spoof content, perform a phishing attack, or perform a man-in-the-middle attack.
>
> The following certificates have been revoked by this update:
>
> * Microsoft Enforced Licensing Intermediate PCA (2 certificates)
> * Microsoft Enforced Licensing Registration Authority CA (SHA1)
>
> Microsoft has provided an update to all support versions of Microsoft Windows to address this issue. Additional information can be found in Microsoft Security Advisory 2718704.
>
> US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risk.
>
> Relevant Url(s):
> http://technet.microsoft.com/en-us/security/advisory/2718704
>
> Produced by US-CERT, a government organization.
>
> This product is provided subject to the Notification as indicated here:
> http://www.us-cert.gov/legal.html#notify
>
> This document can also be found at
> http://www.us-cert.gov/current/#microsoft_unauthorized_digital_certificates
>
> For instructions on subscribing to or unsubscribing from this mailing list, visit
> http://www.us-cert.gov/cas/signup.html
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
I have run this patch on several Win7 and WinXP machines, and just ran it against my Win2k8 R2 TS/RDP server.

Please detail exactly what you mean by "it is still revoking my certificates".

This is not something that should affect your internal CA infrastructure, unless you've somehow incorporated MSFT certs into your cert chain.

Frankly, I'm not worried about patching my servers (on an emergency basis - I'll catch it in my regular cycle) except for the one mentioned above, because users actually do log into it - unless someone shows me I need to think differently about it.

Kurt

On Mon, Jun 4, 2012 at 6:02 PM, Troy Adkins tadk...@house.virginia.gov wrote:

> Has anyone run this patch? I ran the patch on my CA, but it is still revoking my certificates.
>
> Sent from my iPad
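A check for the two questions raised in this thread: whether the update placed the named CA certificates in the Untrusted Certificates store, and whether any local certificate chains through them. This is an added example, not part of any list message; it assumes the Windows `Cert:` provider and matches on the CA names from the quoted US-CERT notice, since the thread gives no thumbprints.

```powershell
# Added example. CA names are copied from the US-CERT notice quoted in this thread.
$caNames = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA (SHA1)'
)

function Test-ListedCa([string]$Subject) {
    foreach ($name in $caNames) {
        if ($Subject -like "*CN=$name*") { return $true }
    }
    return $false
}

# 1. Did the update place the listed CA certificates in the Untrusted
#    Certificates store (Disallowed) of this machine?
$untrusted = @(Get-ChildItem Cert:\LocalMachine\Disallowed)
foreach ($name in $caNames) {
    $found = @($untrusted | Where-Object { $_.Subject -like "*CN=$name*" })
    '{0}: {1} in Disallowed' -f $name, $found.Count
    $found | ForEach-Object { '    thumbprint {0}, expires {1:yyyy-MM-dd}' -f $_.Thumbprint, $_.NotAfter }
}

# 2. Does any certificate in the personal stores chain through a listed CA?
#    Certificates issued by an internal CA should produce no AFFECTED lines.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    foreach ($cert in @(Get-ChildItem $store)) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain shape only, no CRL fetch
        $valid = $chain.Build($cert)
        $hits = @($chain.ChainElements | Where-Object { Test-ListedCa $_.Certificate.Subject })
        if ($hits.Count -gt 0) {
            'AFFECTED  {0}\{1}  {2}' -f $store, $cert.Thumbprint, $cert.Subject
        } elseif (-not $valid) {
            # Chain fails for a reason unrelated to the listed CAs; show why.
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            'INVALID   {0}\{1}  {2}' -f $store, $cert.Thumbprint, $status
        }
    }
}
```

An `INVALID` line with no `AFFECTED` line points at a chain problem other than the certificates named in the notice.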
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins tadk...@house.virginia.gov wrote:

> Has anyone run this patch? I ran the patch on my CA, but it is still revoking my certificates.

Isn't that what it's supposed to do?

-- Ben
Re: US-CERT Current Activity - Unauthorized Microsoft Digital Certificates
I'm getting an event Id 3, reason code 300, now on my IAS server from my user certificates.

Sent from my iPad

On Jun 4, 2012, at 9:49 PM, Ben Scott mailvor...@gmail.com wrote:

> On Mon, Jun 4, 2012 at 9:02 PM, Troy Adkins tadk...@house.virginia.gov wrote:
>> Has anyone run this patch? I ran the patch on my CA, but it is still revoking my certificates.
>
> Isn't that what it's supposed to do?
>
> -- Ben