Satpam Digital - Digital Security

On IIS 6.0, how do I configure my website to use SSL?

2008-12-18T04:13:00.000-08:00

By default, web browsing is being performed by use of the HTTP protocol, i.e. a connection between the client computer (using a web browser) to the web server (using IIS, Apache or any other sort of web server program). HTTP relies on TCP (Transmition Control Protocol) and uses port 80 on the listening server.

The main security issue with HTTP is the fact that all the traffic between the client and the server is done as clear text, meaning that anyone could potentially "listen" to your talk and grab frames and valuable information from the net.

To secure the transmission of information between your web server running IIS 6.0 on Windows Server 2003 and your browser clients, you can encrypt the information being transmitted by using SSL (Secure Sockets Layer).

Note: The procedure for applying SSL on IIS 5.0 (on Windows 2000) and IIS 5.1 (on Windows XP) is quite the same.

In order to successfully use SSL you need to obtain a Server Certificate. In this article I will only focus on obtaining a certificate from a local CA or importing an already existing certificate. However, it is possible (and in many cases preferred) that you obtain the Server Certificate from a trusted 3rd party CA such as Verisign or Thawte.

Configure SSL

To configure SSL for your website on IIS 6.0 (running on Windows Server 2003) complete the following steps:

Note: Although the screenshots are made with IIS 6.0 on Windows Server 2003, the same procedure applies for IIS 5.0 and IIS 5.1.

Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites.
In the console tree, right-click Default Web Site, and then click Properties.

Note: It's possible that the site you've created was stored under a different virtual server. If your website is not stored within the Default Web Site, right-click your own web site and click Properties.

In the Default Web Site Properties dialog box, click Directory Security.

On the Directory Security tab, click Server Certificate.
In the Welcome to the Web Server Certificate Wizard, on the Welcome page, click Next.
On the Server Certificate page, verify that Create a new certificate is selected, and then click Next.

Note: You can also import an already existing certificate. Do do so follow these steps:
Click Import a certificate from a .pfx file. Click Next.
In the Import Certificate path enter the path to where you've stored your existing certificate. Click Next.
Enter the password configured for the .pfx file. Click Next.
Go to step #13.

On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.

Note: If you don't have a Certificate Authority (CA) installed on your server or on a different server on the network you can prepare the request but you'll need to manually send it to the CA.

On the Name and Security Settings page, in the Name box, type yourservername.domainname.com (or .net, .org, .mil etc. Use your own registered domain name, the one you want people to use when browsing to your site) and then click Next.

Note: You will need a different certificate for each website you'll run on this server, so make sure you provide the exact server URL.
Important note - Internet use: You must make sure that either the Name or the Common Name fields (one of them or both of them) exactly match the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that will require users to enter WWW.KUKU.CO.IL to reach it, you must then use WWW.KUKU.CO.IL as the Name or Common Name in the certificate request wizard, and DO NOT use SERVER1.MYINTERNALDOM.LOCAL.
Important note - Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server, or even just it's NetBIOS name. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name or the Common Name fields.
You can also change the Bit Length for the encryption key if you want.

On the Organization Information page, in the Organization box, type your own company name. In the Organizational Unit box, type a descriptive name and then click Next.

On the Your Sites Common Name page, in the Common name box, type yourservername.domainname.com (see important note in step #9) and then click Next.

On the Geographical Information page, in the State/province box, type the required info and then click Next.

On the SSL Port page, in the SSL port this web site should use box, verify that 443 is specified, and then click Next.

Note: SSL can only listen once on port 443, requiring you to either select a different SSL port for each SSL protected website you're about to host on the server, or, even better, use a different static IP for each site, and share port 443 amongst them.

On the Choose a Certification Authority page, in the Certification Authorities box, verify that your online CA is selected, and then click Next.

On the Certificate Request Submission page, click Next to submit the request, and then click Finish to complete the wizard.

To use the certificate to secure the web site that is using SSL

In the Default Web Site Properties dialog box, on the Directory Security tab, in the Secure communications area, click Edit.

Note: It's possible that the site you've created was stored under a different virtual server. If your website is not stored within the Default Web Site, right-click your own web site and click Properties.
Note: It's also possible that you might not wish to protect the entire website, but merely one or two pages within the large website. In fact, this scenario is highly probable for most site operators that would only like to protect a couple or important pages, such as an online store or registration form. In that case you do NOT need to SSL-protect the entire site, so do NOT right-click the entire site. Right-click only the directory or pages within the site.

In the Secure Communications dialog box, click the Require secure channel (SSL) check box, click the Require 128-bit encryption check box, and then click OK.

Note: Using a requirement of 128-bit encryption should pose no problem to current operation systems and web browsers, but keep in mind that older OSs might not be able to connect to your site.

On the Directory Security tab, in the Authentication and access control area, click Edit.
In the Authentication Methods dialog box, click Basic authentication (password is sent in clear text), and then click Yes to acknowledge the warning.
Clear the Integrated Windows Authentication and Enable Anonymous Access check boxes, and then click OK.

Note: You are NOT required to disable anonymous access, this is just a security measure. It might be likely that your site is supposed to allow anonymous access, while still using SSL as the encryption method. This is true for websites that offer online shopping carts where surfers are supposed to enter their credit card numbers. You might not want to restrict these online shops only for people that hold a username and password. In that case keep the Enable Anonymous Access check boxes selected.

In the Default Web site Properties dialog box, click OK.
In all Inheritance Overrides dialog boxes, click OK.

Close Internet Information Services (IIS) Manager.

Verify that SSL is working

To test your new settings connect your open a browser and type your server's FQDN (or NetBIOS name, if on the LAN) in the address bar (for example: http://server200 for your Intranet, or http://www.kuku.co.il for the Internet).

Note: Make sure you've followed the important note in step #9 above.

Since you still used HTTP (plain text http, using TCP port 80) you'll get the following error message:

Now re-type the URL by using HTTPS instead of HTTP. You should be able to view the OWA website.

You'll receive a Security Alert window. Click Ok.

If configured correctly, you should be able to connect to your now SSL-protected website.

To verify that you're using SSL try to find a small yellow lock icon on the browser lower right corner . Double click the lock icon.

A Certificate window will open. Review the information that is entered into the certificate and click Ok.

Note: Make sure you renew your certificate a few weeks before it expires in order to prevent mishaps like this one: Expired SSL Website Certificate.

How can I change my user-account password from a Command Prompt?

2008-12-17T04:08:00.000-08:00

You can change a Windows User Account password that is on any Windows computer from any other Windows computer regardless of whether the User Account is on a workstation, a stand-alone server, or a Windows domain controller. Additionally, it makes no difference whether the password being changed from a workstation, a stand-alone server, or a Windows domain controller. This is true for any NT 4.0, W2K, XP Pro and Windows Server 2003 computer.

To change a user's password at the command prompt, log on as an administrator and type:

net user danielp * /domain

(This is only an example, use your own username)

When you are prompted to type a password for the user, type the new password, not the existing password. After you type the new password, the system prompts you to retype the password to confirm. The password is now changed.

Alternatively, you can type the following command:

net user danielp 123456 /domain

When you do so, the password changes without prompting you again. This command also enables you to change passwords in a batch file.

Note: If you type these commands on a member server or workstation and you don't add the /domain switch, the command will be performed on the local SAM and NOT on the DC SAM.

For example, to change the administrator's password type:

net user administrator 123456

Note: Non-administrators receive a "System error 5 has occurred. Access is denied" error message when they attempt to change the password.

Creating Strong Passwords

2008-12-16T04:00:00.000-08:00

In today's digital world one of the most important pieces of personal identity is the user's private password. Passwords are used to protect various aspects of our digital life such as our AD user account (used to log on to network resources), email accounts (such as Yahoo!, Gmail, Hotmail and others), credit card accounts, online banking (such as PayPal), online shopping (such as eBay) and more.

Analysts estimate that about half of the people with digital identities will have them stolen sometime. Most of the victims will not even realize it until it is far too late, after they realize that someone has made transactions in their names and stolen their personal information and funds.

Even if you choose a seemingly long password there is no guarantee that it'll stay safe. Today's script kiddies use easy to obtain scripts and programs that can mount brute force and dictionary attacks on your account.

Therefore, in order to help prevent your identity from being stolen, strong password requirements should be used as often as possible. Here are some tips to help you create strong, secure passwords.

Passwords should

Never use an alphabetic series either forwards or backwards, i.e., ABCDEF or FEDCBA.
Never use a numeric series, either forwards or backwards, i.e., 123456 or 654321.
Never use a string of all identical letters or numbers, i.e., AAAAAA or 111111.
Never use a common keyboard shortcut, i.e., ASDFG or QWERTY.
Never use your name or user id, or any variation thereof, such as your name or user id spelled backwards, with mixed case letters, etc.
Never use a word(s) that can be easily associated with you, such as the name of your child, pet, spouse and so on.
Never use a common word that you might find in a dictionary.

Strong passwords should be created by

Creating a password that is at least eight characters long, however be warned that because of various hash vulnerabilities, using any password that is shorter than 14 characters is as non-secure as using a 6 character password.
Combining the first letters of each word of a known phrase to produce the password.
Including at least one symbol or number in the password, but preferably not just one at the end.
Using a varying combination of lower and upper case letters in the password.

Here are some example:

Select a 4-letter word.
Select a 4-digit number.
Change the order of the numbers and letters.
Capitalize a letter.
Add one or more special characters such as *, %, # or !

This is a bad password: qwerty12345

This is a bad password: Admin12345

This is a bad password: asdASD123

This is a nice password: P@$$w0rd!4MyC0mputer

This is a cool password: P@$$4MyPayPalAcc0unt!

You can even write a phrase, combined with numbers, lower and upper case characters, and special characters, but in a different language, yet type it in English letters. For example: sbhtkPYRH!@#$%12345 (my name in Hebrew, first name small characters, last name upper case characters, 1-5 keys presses with SHIFT, and 1-5 in regular numbers).

Password security can be maintained by

Use a different password on each account you have.
Change your passwords at regular intervals such as once every couple of months.
Never write your passwords down. No, writing them on a sticky note and posting them upside down or face down on your to-do board does not provide extra security!
Never sharing your password with others. No, calling you and asking for your credit card account password is NOT a common practice by ANY credit card company!

Security and Privacy Issues in E-passports

2008-12-14T20:18:00.000-08:00

Security and Privacy Issues in E-passports

Within the next year, travelers from dozens of nations
may be carrying a new form of passport in response to a
mandate by the United States government. The e-passport,
as it is sometimes called, represents a bold initiative in
the deployment of two new technologies: Radio-Frequency
Identification (RFID) and biometrics. Important in their
own right, e-passports are also the harbinger of a wave
of next-generation ID cards: several national governments
plan to deploy identity cards integrating RFID and biometrics
for domestic use. We explore the privacy and security
implications of this impending worldwide experiment
in next-generation authentication technology. We describe
privacy and security issues that apply to e-passports, then
analyze these issues in the context of the International Civil
Aviation Organization (ICAO) standard for e-passports.

Cryptography

2008-12-03T23:18:00.000-08:00

Cryptography

Algorithms

Blowfish
Twofish
Solitaire
Helix
Phelix
Yarrow
Skein

Papers

Miscellaneous

Password Safe
Microsoft PPTP
CMEA Digital Cellular
S/MIME Cracking Screen Saver

The Problem Is Information Insecurity

2008-12-03T21:16:00.000-08:00

By Bruce Schneier

Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to endure. We pay for it when we have to buy security products and services to reduce those other two losses. We pay for security, year after year.

The problem is that all the money we spend isn't fixing the problem. We're paying, but we still end up with insecurities.

The problem is insecure software. It's bad design, poorly implemented features, inadequate testing and security vulnerabilities from software bugs. The money we spend on security is to deal with the effects of insecure software.

And that's the problem. We're not paying to improve the security of the underlying software. We're paying to deal with the problem rather than to fix it.

The only way to fix this problem is for vendors to fix their software, and they won't do it until it's in their financial best interests to do so.

Today, the costs of insecure software aren't borne by the vendors that produce the software. In economics, this is known as an externality, the cost of a decision that's borne by people other than those making the decision.

There are no real consequences to the vendors for having bad security or low-quality software. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.

If we expect software vendors to reduce features, lengthen development cycles and invest in secure software development processes, it needs to be in their financial best interests to do so. If we expect corporations to spend significant resources on their own network security — especially the security of their customers — it also needs to be in their financial best interests.

Liability law is a way to make it in those organizations' best interests. Raising the risk of liability raises the costs of doing it wrong and therefore increases the amount of money a CEO is willing to spend to do it right. Security is risk management; liability fiddles with the risk equation.

Basically, we have to tweak the risk equation so the CEO cares about actually fixing the problem, and putting pressure on his balance sheet is the best way to do that.

Clearly, this isn't all or nothing. There are many parties involved in a typical software attack. There's the company that sold the software with the vulnerability in the first place. There's the person who wrote the attack tool. There's the attacker himself, who used the tool to break into a network.

There's the owner of the network, who was entrusted with defending that network. One hundred percent of the liability shouldn't fall on the shoulders of the software vendor, just as 100% shouldn't fall on the attacker or the network owner. But today, 100% of the cost falls directly on the network owner, and that just has to stop.

We will always pay for security. If software vendors have liability costs, they'll pass those on to us. It might not be cheaper than what we're paying today. But as long as we're going to pay, we might as well pay to fix the problem. Forcing the software vendor to pay to fix the problem and then pass those costs on to us means that the problem might actually get fixed.

Liability changes everything. Currently, there is no reason for a software company not to offer feature after feature after feature. Liability forces software companies to think twice before changing something. Liability forces companies to protect the data they're entrusted with. Liability means that those in the best position to fix the problem are actually responsible for the problem.

Information security isn't a technological problem. It's an economics problem. And the way to improve information technology is to fix the economics problem. Do that, and everything else will follow.

Secrets & Lies Digital Security in a Networked World

2008-12-03T21:12:00.000-08:00

Welcome to the businessworld.com. It's digital: Information is more readily accessible than ever. It's inescapably connected: businesses are increasingly--if not totally--dependent on digital communications. But our passion for technology has a price: increased exposure to security threats. Companies around the world need to understand the risks associated with doing business electronically. The answer starts here.

Information security expert Bruce Schneier explains what everyone in business needs to know about security in order to survive and be competitive. Pragmatic, interesting, and humorous, Schneier exposes the digital world and the realities of our networked society. He examines the entire system, from the reasons for technical insecurities to the minds behind malicious attacks. You'll be guided through the security war zone, and learn how to understand and arm yourself against the threats of our connected world.

There are no quick fixes for digital security. And with the number of security vulnerabilities, breaches, and digital disasters increasing over time, it's vital that you learn how to manage the vulnerabilities and protect your data in this networked world. You need to understand who the attackers are, what they want, and how to deal with the threats they represent. In Secrets and Lies, you'll learn about security technologies and product capabilities, as well as their limitations. And you'll find out how to respond given the landscape of your system and the limitations of your business.

Satpam Digital - Digital Security

On IIS 6.0, how do I configure my website to use SSL?

Configure SSL

To use the certificate to secure the web site that is using SSL

Verify that SSL is working

How can I change my user-account password from a Command Prompt?

Creating Strong Passwords

Passwords should

Strong passwords should be created by

Password security can be maintained by

Security and Privacy Issues in E-passports

Cryptography

Cryptography

Algorithms

Papers

Papers by year:

Algorithm Analyses:

Protocol Analyses:

Pseudorandom Number Generators:

Protocol Designs:

New Algorithms:

Cipher Design:

Miscellaneous Papers:

Smart Cards:

Miscellaneous

The Problem Is Information Insecurity

Secrets & Lies Digital Security in a Networked World