Sunday, January 24, 2010

Advanced Persistent Threat

With the recent wave of highly sophisticated attacks on Google and other commercial organisations, a new term has entered the cyber-security vocabulary: "Advanced Persistent Threat (APT)".

Here is the definition from Mandiant (source: mandiant.com):
The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers. The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry. The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton “drive by hacks” on the Internet. The intruders also escalate their tools and techniques as a victim firm’s capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches.

Wednesday, January 20, 2010

Domain Migration from W2K Native to W2K8 R2

We are setting up a trial to perform an inter-forest migration from the old W2K domain to the new W2K8 R2 domain. As a W2K forest functional level cannot support a forest trust, I set up a two-way external domain trust between them. SID Filtering is enabled by default, and because we want to preserve resource ACLs using SIDHistory, I have to turn it off by running the following command on the domain controllers of both domains:

netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd

The tool used to perform such a migration is the "Active Directory Migration Tool (ADMT)", and the latest version at the time of writing is 3.1. After downloading it, I realised that it can only be installed on a W2K8 server (not even R2!). Hence, I have to set up a W2K8 member server in the target domain just to install ADMT. A W2K8 domain controller in the source domain is also required to run "Password Export Server v3.1" for password migration.

As for the rest, follow this migration guide (downloadable copy). Pay particular attention to the "Preparing the Source and Target Domains" section, as well as the "Troubleshooting" section if you hit any error using the tool. I was stuck on a "TcpipClientSupport" error for a while until I read that part of the guide.
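Because the netdom step above leaves SIDHistory from the source domain trusted for as long as the migration runs, it is worth having a quick way to see which trusts currently have SID filtering disabled and to re-quarantine them once ADMT is done. The following audit script is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it is run with read access to the domain's trust objects.

```powershell
# Added example: list AD trusts and flag those whose SID filtering is off,
# i.e. trusts that will honour SIDHistory on incoming tokens.
# Assumption: ActiveDirectory module available; current domain is queried.
Import-Module ActiveDirectory

$trusts = Get-ADTrust -Filter *

$report = foreach ($t in $trusts) {
    # External (domain) trusts use the "quarantine" flag set by netdom /quarantine;
    # forest trusts use the separate forest-aware SID filtering flag instead.
    $filtering = if ($t.ForestTransitive) {
        $t.SIDFilteringForestAware
    } else {
        $t.SIDFilteringQuarantined
    }

    [pscustomobject]@{
        Trust          = $t.Name
        Direction      = $t.Direction
        ForestTrust    = [bool]$t.ForestTransitive
        SIDFiltering   = [bool]$filtering
        Status         = if ($filtering) { 'OK' } else { 'WARN: SIDHistory from this trust is honoured' }
    }
}

$report | Format-Table -AutoSize

# For every trust reported as WARN, re-enable filtering once the migration no longer
# needs SIDHistory (placeholder domain names):
#   netdom trust TargetDomain /domain:SourceDomain /quarantine:Yes
```

Run it on both sides of the trust, since the quarantine flag is stored per trust object and was disabled on both domains during the migration.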

Monday, January 4, 2010

Enrollment Agent

To request a certificate on behalf of other users and computers, you need an enrollment agent certificate. In Windows 2008, you can further restrict which enrollment agents may perform certain operations.

Step 1: Publish the enrollment certificate template.
Log in as an Enterprise Admin or CA administrator. Open "mmc" and add the Certificate Templates snap-in. Duplicate the Enrollment Agent template and set its security properties (i.e. grant your enrollment agent security group permission to enroll). Open the CA console, right-click the "Certificate Templates" sub-folder -> New -> Certificate Template to Issue.

Step 2: Enroll the enrollment agent
Log in with your enrollment agent account, open "mmc", add the Certificates snap-in and select "My user account". Right-click the Personal folder -> Request New Certificate and request an enrollment agent certificate. Optionally, you can restrict enrollment agents to certain constraints (e.g. only enrolling certain user groups) in the CA properties.

Step 3: Set Issuance Requirements on the Target Cert Template
On the target cert template (whose certs are to be enrolled by enrollment agents), set "This number of authorized signatures" to "1" under Issuance Requirements. Otherwise, the agents will not be able to enroll certs from that template.

Step 4: Enroll on behalf of...
On the enrollment machine, log in with your enrollment agent account and open the Certificates snap-in. Right-click the Personal folder -> All Tasks -> Advanced Operations -> Enroll On Behalf Of..., then follow the wizard's instructions. Ensure that the enrollment agent certificate is also present on the machine (e.g. on a smart card or in the cert store).

For a more detailed step-by-step guide, check out this blog.