How to Set Up a Virtual Smart Card

Fun with Virtual Smart Cards!

Outline:

Steps on how to enable a virtual smart card.

Assumptions:

Virtual smart cards require a computer with an initialized TPM (1.2 or 2.0).  N.B., Windows 10 initializes the TPM automatically.  The tpmvscmgr.exe commands below must be run from an elevated command prompt.

Virtual Smart Card Configuration:

tpmvscmgr.exe create /name VSC /pin prompt /puk prompt /adminkey random /generate

The create command prints the new reader's device instance ID (e.g., ROOT\SMARTCARDREADER\0000); the destroy command below needs it.

Destroy (reset) the Virtual Smart Card:

tpmvscmgr.exe destroy /instance root\smartcardreader\0000

PINs, PUKs, and Keys:

  1. Smart Card Personal Identification Number (PIN).  The PIN is essentially a password.  The PIN can be changed by the end user from any domain computer:

     Ctrl-Alt-Delete → Change Password → Change PIN.
  2. Smart Card PIN Unlock Key (PUK).  Windows blocks the PIN after three unsuccessful attempts.  End users can use their PUK to unblock their PIN:

     Ctrl-Alt-Delete → Change Password → Unblock Smart Card.

     The PUK is optional but I recommend it.  It's simply too easy to block the PIN!

     Unblocking with the PUK sets a new PIN.  Keep the PUK safe and only use it when it's absolutely necessary.

     In addition, Windows does not include native tools to change the PUK.  In order to choose a new PUK, the virtual smart card must first be deleted (i.e., destroyed) and then recreated.  Of course, this process deletes all certificates on the smart card.
  3. Admin Key.  The key benefit of the admin key is that it allows administrators to generate certificate keys for enrolling on behalf of others.  Organizations that do not use enrollment stations should simply generate a random admin key (/adminkey random).  Note that a random admin key is not recorded anywhere, so the card cannot be administratively managed or reset afterwards; if the PUK is also lost, the only recovery is to destroy and recreate the card.
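
The following PowerShell wraps the two tpmvscmgr.exe commands above with the checks a practitioner wants before and after them.  It is an added example, not code from the original post: it confirms the TPM is present and initialized (Get-Tpm), creates the card with prompted PIN/PUK so neither lands in the command history, and looks up the virtual reader's device instance ID for the destroy step.  The friendly-name filter and the card name are assumptions; run it elevated on Windows 10 / Server 2016.

```powershell
# Added example (not from the original post): provision a TPM virtual smart card from
# PowerShell and recover the device instance ID that "tpmvscmgr destroy" needs.
# Assumes an elevated session with the TrustedPlatformModule and PnpDevice modules.
#Requires -RunAsAdministrator

function Test-VscPrerequisites {
    # Get-Tpm reports whether a TPM exists and is fully initialized (owned and activated).
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM present; virtual smart cards are not possible.' }
    if (-not $tpm.TpmReady)   { throw 'TPM present but not initialized. Initialize it first (tpm.msc or Initialize-Tpm).' }
    $tpm
}

function New-VirtualSmartCard {
    param([string]$Name = 'VSC')
    # PIN and PUK are prompted interactively so they never appear in history or a transcript.
    # /adminkey random means nobody holds the admin key: the card cannot be reset by an
    # administrator afterwards, so the PUK becomes the only recovery path.
    & tpmvscmgr.exe create /name $Name /pin prompt /puk prompt /adminkey random /generate
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr create failed with exit code $LASTEXITCODE" }
}

function Get-VirtualSmartCardReader {
    # The virtual reader enumerates under the SmartCardReader device class; its InstanceId
    # is the value passed to "tpmvscmgr destroy /instance". Friendly-name filter is an assumption.
    Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Virtual Smart Card*' } |
        Select-Object FriendlyName, InstanceId, Status
}

function Remove-VirtualSmartCard {
    param([Parameter(Mandatory)][string]$InstanceId)
    # Destroying the card deletes every certificate and key on it. There is no undo.
    & tpmvscmgr.exe destroy /instance $InstanceId
    if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr destroy failed with exit code $LASTEXITCODE" }
}

Test-VscPrerequisites | Format-List TpmPresent, TpmReady, ManufacturerVersion
New-VirtualSmartCard -Name 'VSC'
Get-VirtualSmartCardReader | Format-Table -AutoSize
# After enrolling a certificate, confirm the smart card subsystem sees the card and its certs:
certutil -scinfo
```

To reset a card, feed the InstanceId shown by Get-VirtualSmartCardReader to Remove-VirtualSmartCard and then run New-VirtualSmartCard again.
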

References:

https://docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started

Quickly Uninstall Single KB Update

Problem:

Uninstalling Windows Updates is a pain in the neck!
  • The Windows Update GUI provides a long list of KB updates.
  • Updates are organized by date and not by KB number.
  • It lacks a built-in search function!

Figure 1.  Windows Update History:
No search for you (Ctrl+F)!   :(

Solution:

Use the command line to search and uninstall specific updates.

List installed patches (wmic is deprecated on current Windows builds; Get-HotFix in PowerShell returns the same list):
wmic qfe list

Uninstall a specific patch (digits only, without the "KB" prefix):
wusa /uninstall /kb:xxxxx
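
The same two steps as a script, added here as an example rather than taken from the post: it looks the update up with Get-HotFix (the supported replacement for wmic qfe), runs wusa.exe quietly, and interprets the exit code instead of assuming success.  The KB number is a placeholder.

```powershell
# Added example (not from the original post): find a hotfix by KB number and uninstall it
# with wusa.exe, checking the exit code. KB4056892 is a placeholder value.
#Requires -RunAsAdministrator

function Find-InstalledKB {
    param([Parameter(Mandatory)][string]$KB)   # e.g. 'KB4056892'
    Get-HotFix -Id $KB -ErrorAction SilentlyContinue |
        Select-Object HotFixID, Description, InstalledOn, InstalledBy
}

function Uninstall-KB {
    param(
        [Parameter(Mandatory)][string]$KB,
        [switch]$NoRestart
    )
    if (-not (Find-InstalledKB -KB $KB)) {
        Write-Warning "$KB is not installed on $env:COMPUTERNAME; nothing to do."
        return
    }
    $kbNumber = $KB -replace '^KB', ''          # wusa wants the digits only
    $wusaArgs = @('/uninstall', "/kb:$kbNumber", '/quiet')
    if ($NoRestart) { $wusaArgs += '/norestart' }

    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" -ArgumentList $wusaArgs -Wait -PassThru
    switch ($p.ExitCode) {
        0    { "$KB removed." }
        3010 { "$KB removed; a restart is required (ERROR_SUCCESS_REBOOT_REQUIRED)." }
        1641 { "$KB removed; Windows is restarting (ERROR_SUCCESS_REBOOT_INITIATED)." }
        default {
            # Other codes are Windows Update HRESULTs; the Setup event log has the detail.
            throw ("wusa.exe exited with 0x{0:X8}; see Get-WinEvent -LogName Setup." -f $p.ExitCode)
        }
    }
}

# Review first, then remove without an automatic reboot.
Find-InstalledKB -KB 'KB4056892' | Format-Table -AutoSize
Uninstall-KB -KB 'KB4056892' -NoRestart
```
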

That's It!

Fix Chrome Extensions in RDP



Problem:  

RDP users cannot install Chrome extensions from the Chrome Web Store.

Errors:

  • Could not install package
  • COULD_NOT_GET_TEMP_DIRECTORY

Figure 1:  Chrome Temp Directory Error

Solution:

  1. User logs onto RDP.  User does not open Chrome (Chrome must stay closed, or the move fails on locked profile files).
  2. Admin creates a per-user directory on the system drive.  This new directory holds the user's Chrome AppData.  For example:

     C:\>mkdir C:\Temp\RDP\stevenjordan
  3. Move the user's Chrome AppData to the new directory.  For example:

     C:\>move "C:\Users\stevenjordan\AppData\Local\Google\Chrome" "C:\Temp\RDP\stevenjordan\"
  4. Delete the original folder if it still exists.
  5. Create a junction where the old data was located.  This junction links to the new location:

     C:\>mklink /J "C:\Users\stevenjordan\AppData\Local\Google\Chrome" "C:\Temp\RDP\stevenjordan\Chrome"

     Junction created for C:\Users\stevenjordan\AppData\Local\Google\Chrome <<===>> C:\Temp\RDP\stevenjordan\Chrome
Figure 2:  New junction for the Chrome profile folder.
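
The five steps above as one PowerShell function, added as an example (not the post's own code).  Beyond the move and the junction it adds two things a shared RDS host needs: it refuses to run while Chrome is open for that user, and it replaces the inherited ACL on the relocated profile (C:\Temp is usually writable by everyone) so only that user, SYSTEM and Administrators can read the browser profile.  User name and paths are placeholders.

```powershell
# Added example (not from the original post): relocate one RDP user's Chrome profile folder,
# replace it with a junction, and lock down the new location's ACL.
# Run elevated on the RDS host; Chrome must not be running for the target user.
#Requires -RunAsAdministrator

function Move-ChromeProfileToJunction {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$RedirectRoot = 'C:\Temp\RDP'
    )
    $source = "C:\Users\$UserName\AppData\Local\Google\Chrome"
    $target = Join-Path $RedirectRoot "$UserName\Chrome"

    # Refuse to move an open profile; Chrome holds locks on its LevelDB/SQLite files.
    $chrome = Get-Process -Name chrome -IncludeUserName -ErrorAction SilentlyContinue |
              Where-Object { $_.UserName -like "*\$UserName" }
    if ($chrome) { throw "Chrome is running as $UserName (PIDs: $($chrome.Id -join ', ')). Close it first." }

    $existing = Get-Item -LiteralPath $source -ErrorAction SilentlyContinue
    if ($existing -and ($existing.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        Write-Warning "$source is already a junction/symlink; nothing to do."
        return
    }

    $userDir = Split-Path $target
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null
    if ($existing) { Move-Item -LiteralPath $source -Destination $target -ErrorAction Stop }
    else           { New-Item -ItemType Directory -Path $target -Force | Out-Null }

    # Replace inherited permissions: only the user, SYSTEM and Administrators may touch the profile.
    icacls $userDir /inheritance:r /grant:r "${UserName}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

    # A junction (not a symlink) needs no SeCreateSymbolicLinkPrivilege and resolves to a plain
    # drive-letter path, which is what Chrome's extension installer expects.
    New-Item -ItemType Junction -Path $source -Value $target | Out-Null

    Get-Item -LiteralPath $source | Select-Object FullName, LinkType, Target
}

Move-ChromeProfileToJunction -UserName 'stevenjordan'
```
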







Analysis:

Chrome extensions reference DOS device paths.  Let's consider how dynamic profile disks (User Profile Disks) use junctions that point to a different volume:

C:\Users>dir
02/23/2018  11:29 AM    <JUNCTION>     bgates [\??\Volume{a5ae22c7-18b8-11e8-968e-00145de79140}\]

The junction to a \??\Volume{...} path causes the problem.  Ironically, a second junction fixes this issue:

C:\Users\bgates\AppData\Local\Google>dir

 Directory of C:\Users\bgates\AppData\Local\Google

02/20/2018  10:58 AM    <DIR>          .
02/20/2018  10:58 AM    <DIR>          ..
02/20/2018  10:58 AM    <JUNCTION>     Chrome [C:\Temp\RDP\bgates\Chrome]
09/16/2015  07:46 AM    <DIR>          Chrome Cleanup Tool
05/14/2014  06:09 AM    <DIR>          CrashReports
03/11/2014  04:26 PM    <DIR>          Google Talk
12/04/2017  02:27 AM    <DIR>          Software Reporter Tool
               0 File(s)              0 bytes
               7 Dir(s)  36,942,458,880 bytes free

Note how the new junction points to a regular drive-letter path on the system drive.

Additional Thoughts:

This solution is implemented on a per-user basis.  It does not universally "fix" Chrome extensions for all RDP users.  Nonetheless, it may be a good fit because it keeps the change scoped to specific users rather than to every application that uses the temp folders.

Alternatively, use Group Policy to change the user environment variables:

Group Policy
→ Computer Configuration
      → Administrative Templates
         → System
            → Group Policy
               → Configure user Group Policy loopback processing mode:
                       Enabled:  On
                       Mode:  Merge

   → User Configuration
      → Preferences
         → Windows Settings
            → Environment (right-click) → New
               → New Environment Properties:
                      Action:  Update
                      User Variable:  checked
                      Name:  TEMP
                      Value:  C:\Temp\RDP\%USERNAME%
              → Environment (right-click) → New
                      Action:  Update
                      User Variable:  checked
                      Name:  TMP
                      Value:  C:\Temp\RDP\%USERNAME%

This change has a wider impact.  It affects every program that uses TEMP/TMP, not just Chrome, and it hits all RDP users unless the preference item is filtered.  The target folder must already exist (a Group Policy Preferences Folder item can create C:\Temp\RDP\%USERNAME%), or programs will fail when TEMP points at a missing directory.  Avoid the system drive if possible; use a secondary disk instead.  In addition, loopback processing (Merge mode) is what makes a User Configuration setting apply to users who log onto the RDS server computer objects.

That's It!

References:
https://blogs.technet.microsoft.com/grouppolicy/2009/05/13/environment-variables-in-gp-preferences/
https://devtidbits.com/2009/09/07/windows-file-junctions-symbolic-links-and-hard-links/
https://blogs.msdn.microsoft.com/jeremykuhne/2016/04/21/path-format-overview/
https://blog.brankovucinec.com/2017/01/09/users-cant-install-google-chrome-extensions-on-rds-farm/

Fix Broken Checkpoints

Summary:

How to delete Hyper-V checkpoints that cannot be deleted.

Problem: 

Checkpoint cannot be removed from the Hyper-V Manager.

Symptoms:

  • Hyper-V Manager shows a checkpoint, but offers no option to delete it.
  • The VM disk directory contains both VHDX and AVHDX (differencing) files.

Solution:

1. Use PowerShell to view the existing snapshot (checkpoint):

PS C:\Users> Get-VMSnapshot -VMName tfs

VMName Name                           SnapshotType CreationTime
------ ----                           ------------ ------------
tfs    tfs - (2/13/2018 - 2:52:36 PM) Standard     2/13/2018 2:52:36 PM

2. Remove the snapshot:

PS C:\Users> Get-VMSnapshot -VMName tfs | Remove-VMSnapshot

3. Confirm the snapshot has been removed (no output means no checkpoints remain).  Hyper-V merges the AVHDX into the parent VHDX in the background; wait until the VM status returns to "Operating normally" before touching the disk files.

PS C:\Users> Get-VMSnapshot -VMName tfs
PS C:\Users>
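
The same procedure as a function, added as an example (not from the post): it removes the whole checkpoint tree, then waits for the background disk merge that Remove-VMSnapshot kicks off and finishes by listing the attached disk paths, warning if any .avhdx is still in use.  The VM name "tfs" is the post's; the timeout is an assumption.

```powershell
# Added example (not from the original post): remove every checkpoint on a VM and wait for
# Hyper-V to finish merging the .avhdx chain before reporting the final disk paths.
# Run elevated on the Hyper-V host (Hyper-V PowerShell module).
#Requires -RunAsAdministrator

function Remove-AllCheckpoints {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$TimeoutMinutes = 60
    )
    $snaps = @(Get-VMSnapshot -VMName $VMName -ErrorAction Stop)
    if ($snaps.Count -eq 0) {
        Write-Host "No checkpoints on $VMName."
    } else {
        Write-Host ("Removing {0} checkpoint(s): {1}" -f $snaps.Count, ($snaps.Name -join '; '))
        # Delete from the root(s) of the chain with -IncludeAllChildSnapshots. Never delete
        # .avhdx files by hand: that is how checkpoints become "broken" in the first place.
        $snaps | Where-Object { -not $_.ParentSnapshotId } |
            Remove-VMSnapshot -IncludeAllChildSnapshots -Confirm:$false -ErrorAction Stop
    }

    # The merge is asynchronous; Get-VM reports "Merging disks (nn%)" while it runs.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $vm = Get-VM -Name $VMName
        if ($vm.Status -notlike 'Merging*') { break }
        Write-Host "  $($vm.Status)"
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    if ($vm.Status -like 'Merging*') { throw "Merge on $VMName did not finish within $TimeoutMinutes minutes." }

    # Every attached disk should now point at a .vhdx, not a differencing .avhdx.
    $disks = Get-VMHardDiskDrive -VMName $VMName | Select-Object ControllerType, ControllerLocation, Path
    $leftover = $disks | Where-Object { $_.Path -like '*.avhd*' }
    if ($leftover) { Write-Warning "Differencing disks still attached:`n$($leftover.Path -join "`n")" }
    $disks
}

Remove-AllCheckpoints -VMName 'tfs' | Format-Table -AutoSize
```
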
That's It!

How to Setup BranchCache


Guide:  

Quick and Easy BranchCache Setup.

Overview:  

 This article provides instructions on how to implement BranchCache.

Topology:  

  • Three office locations:  
    • Primary office in Atlanta (ATL).   
    • Branch offices in Chicago (CHI) and Washington, D.C. (DCA).
  • CHI and ATL host local file servers (i.e., hosted cache mode).
  • DCA is the only office without a dedicated file server (i.e., distributed cache mode).
  • All clients use Windows Enterprise.
      


Implement BranchCache:

  • Install the BranchCache role service and feature.
  • BranchCache SSL certificates.
  • BranchCache Group Policy.

Step 1.  Add Roles and Features.

Run the Add Roles and Features Wizard on each file server.  Install (a) the BranchCache for Network Files role service (FS-BranchCache) and (b) the BranchCache feature.  On the hosted cache servers (ATL and CHI), also enable hosted cache mode and register a service connection point (SCP) in Active Directory so clients can discover the server automatically.
PowerShell:
Install-WindowsFeature FS-BranchCache, BranchCache -IncludeManagementTools
Enable-BCHostedServer -RegisterSCP

Step 2.  Adjust Caching.

BranchCache stores data in two caches:  (a) the hash cache (publication cache) and (b) the data cache (local cache).
File servers store content hashes in the hash cache.  Remote hosted cache servers, as well as distributed cache clients, use these hashes to identify and fetch content.

The data cache stores the content itself.  On a hosted cache server this is the cached remote content (i.e., files) that is served to local clients.  Both caches live on the system drive by default -not good!

Adjust the Cache Location:

netsh branchcache set publicationcache directory=D:\BranchCache\
netsh branchcache set localcache directory=D:\LocalCache\

The default hash cache size is a measly 1% of the disk; the data cache is slightly better at 5%.  Now consider that most system drives hold less than 100 GB.  5 GB does not provide enough storage to make BranchCache worthwhile.  Let's make BranchCache useful by sizing the caches against the dedicated D: volume instead:

Adjust the Cache Size:

netsh branchcache set publicationcachesize size=5 percent=TRUE
netsh branchcache set localcachesize size=5 percent=TRUE

Additional caching attributes will be configured via Group Policy (Step 4).

Step 3.  BranchCache SSL

BranchCache SSL certificates are needed to support Windows 7 hosted cache clients.  They are not necessary for organizations with only Windows 8 or Windows 10 clients.  Of course, the file server will probably require certificates for other services -just not BranchCache.
Any trusted SSL certificate will work with BranchCache.  We simply need to associate the server certificate with BranchCache:
  1. Add a server certificate to the Personal certificate store of the computer account on each BranchCache hosted cache server (e.g., ATL and CHI).
  2. Bind the SSL certificate hash (i.e., thumbprint) to the hosted cache server.  Use the following command:

     NETSH HTTP ADD SSLCERT IPPORT=0.0.0.0:443 CERTHASH=xxxxxxxxxxx APPID={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

     N.B., CERTHASH is the certificate's thumbprint with the spaces removed.  The APPID above is the fixed application ID used by the BranchCache hosted cache service; do not change it.

Step 4.  Group Policy

Use Group Policy to adjust caching attributes and client settings.

Policies for the File Servers:

Table 1.  BranchCache Policy for File Servers.

  Policy:   Turn on BranchCache
  Path:     Computer Configuration/Administrative Templates/Network/BranchCache
  Setting:  Enabled

  Policy:   Hash Publication for BranchCache
  Path:     Computer Configuration/Administrative Templates/Network/Lanman Server
  Setting:  Enabled, Value 2 (allow hash publication for all shared folders)

  Policy:   MinContentLength registry key
  Path:     Computer Configuration/Preferences/Windows Settings/Registry
  Setting:  MinContentLength, REG_DWORD, 32768 (decimal)
  Function: The default minimum size of cacheable content is 64 KB; this lowers it to 32 KB.  It can be set as low as 4 KB.
            N.B., Low values may impact performance.

Policies for Windows clients:

Table 2.  BranchCache policies for Win 8 and Win 10:

  Policy:   Turn on BranchCache
  Path:     Computer Configuration/Administrative Templates/Network/BranchCache
  Setting:  Enabled

  Policy:   Configure BranchCache for network files
  Path:     Computer Configuration/Administrative Templates/Network/BranchCache
  Setting:  Enabled, Value 10

  Policy:   Enable Automatic Hosted Cache Discovery by Service Connection Point
  Path:     Computer Configuration/Administrative Templates/Network/BranchCache
  Setting:  Enabled

  Policy:   Set BranchCache Distributed Cache mode
  Path:     Computer Configuration/Administrative Templates/Network/BranchCache
  Setting:  Enabled

Note:  BranchCache for network files uses round-trip latency as its trigger.  Value 10 = 10 ms (the default is 80 ms); content from file servers farther away than that is cached.  Hosted Cache mode is for locations with dedicated file servers.  Distributed Cache mode is for locations without dedicated file servers.  With both SCP discovery and Distributed Cache mode enabled, a client uses hosted cache mode when it finds a registered hosted cache server in its site and falls back to distributed mode otherwise, so one client policy serves ATL, CHI and DCA.

BranchCache Firewall Policies:

BranchCache requires inbound and outbound client firewall rules.

Table 3.  BranchCache Firewall Group Policies

  Path:    Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Inbound Rules
  Action:  a. Right-click Inbound Rules.  b. Left-click New Rule.  c. Add the predefined BranchCache rules:
           • BranchCache Content Retrieval (HTTP-In)
           • BranchCache Hosted Cache Server (HTTP-In)
           • BranchCache Peer Discovery (WSD-In)

  Path:    Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/Outbound Rules
  Action:  a. Right-click Outbound Rules.  b. Left-click New Rule.  c. Add the predefined BranchCache rules:
           • BranchCache Content Retrieval (HTTP-Out)
           • BranchCache Hosted Cache Client (HTTP-Out)
           • BranchCache Hosted Cache Server (HTTP-Out)
           • BranchCache Peer Discovery (WSD-Out)

Optional:  BranchCache for WSUS and IIS Servers

BranchCache also accelerates content for web servers and BITS application servers.  Simply install the BranchCache feature and ensure the service is running.  No other configuration steps are necessary.

Evaluate

Use PowerShell and Performance Monitor to ensure BranchCache works.
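
An evaluation script, added as an example rather than taken from the post: it reports service state and cache placement/usage from the BranchCache module cmdlets, flags a cache that is still on the system drive (the Step 2 caveat), and samples the BranchCache performance counters without hard-coding counter names.  Property names are those exposed by Get-BCStatus, Get-BCDataCache and Get-BCHashCache; the system-drive test and the "non-zero counters" heuristic are assumptions.

```powershell
# Added example (not from the original post): verify BranchCache on a hosted cache or file
# server: service state, where the caches live and how full they are, and a counter sample.
#Requires -RunAsAdministrator

function Get-BranchCacheHealth {
    $status   = Get-BCStatus
    $data     = Get-BCDataCache
    $hash     = Get-BCHashCache
    $sysDrive = $env:SystemDrive

    $caches = foreach ($c in @(
            @{ Name = 'DataCache (localcache)';       Obj = $data },
            @{ Name = 'HashCache (publicationcache)'; Obj = $hash })) {
        $path = $c.Obj.CacheFileDirectoryPath
        [pscustomobject]@{
            Cache         = $c.Name
            Path          = $path
            OnSystemDrive = ($path -like "$sysDrive*")   # Step 2 says: move these off C:
            MaxPercent    = $c.Obj.MaxCacheSizeAsPercentageOfDiskVolume
            UsedGB        = [math]::Round($c.Obj.CurrentSizeOnDiskAsNumberOfBytes / 1GB, 2)
        }
    }

    [pscustomobject]@{
        Enabled       = $status.BranchCacheIsEnabled
        ServiceStatus = $status.BranchCacheServiceStatus
        Caches        = $caches
    }
}

function Get-BranchCacheCounters {
    # Enumerate the BranchCache counter set at run time instead of hard-coding names,
    # then take one sample and drop the zeros so the active counters stand out.
    $set = Get-Counter -ListSet 'BranchCache' -ErrorAction Stop
    (Get-Counter -Counter $set.Paths -ErrorAction SilentlyContinue).CounterSamples |
        Where-Object { $_.CookedValue -ne 0 } |
        Select-Object @{ n = 'Counter'; e = { $_.Path.Split('\')[-1] } }, CookedValue
}

$health = Get-BranchCacheHealth
$health | Format-List Enabled, ServiceStatus
$health.Caches | Format-Table -AutoSize
if ($health.Caches.OnSystemDrive -contains $true) {
    Write-Warning 'A BranchCache cache is still on the system drive (see Step 2).'
}
# Counters such as "Retrieval: Bytes from cache" climbing means clients are getting cache hits.
Get-BranchCacheCounters | Format-Table -AutoSize
```
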
That's It!



Force DC Replication CMD


Goal:  

Synchronize Active Directory in a flash.

Problem:

How to quickly force domain controller replication throughout the domain.

Solution:

   repadmin /syncall /AdeP

Switches:  /A syncs all naming contexts held by the DC, /d reports servers by distinguished name instead of GUID, /e crosses site boundaries (the whole enterprise), and /P pushes changes outward from this DC rather than pulling.  Run it on a DC, or name the DC to start from:  repadmin /syncall DC01 /AdeP
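
Forcing replication is only half the job; the check that it actually worked is what the page is missing.  The following is an added example, not the post's code: it runs the same repadmin /syncall and then parses repadmin /showrepl * /csv to list every replication link that still reports failures.  It assumes repadmin.exe (RSAT AD DS tools) is on the path and the account may trigger replication.

```powershell
# Added example (not from the original post): force a push replication cycle, then confirm
# that no replication link reports failures using repadmin's CSV output.

function Invoke-ForcedReplication {
    param([string]$SourceDC = $env:COMPUTERNAME)
    # /A all partitions, /d show DNs, /e cross-site (enterprise), /P push from $SourceDC.
    $out = & repadmin.exe /syncall $SourceDC /AdeP 2>&1
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall failed ($LASTEXITCODE):`n$($out -join "`n")" }
    # SyncAll prints a line per partner; surface anything that mentions an error or failure.
    $out | Where-Object { $_ -match 'error|fail' }
}

function Get-ReplicationFailures {
    # One row per (destination DC, naming context, source DC) link across the forest.
    $rows = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status', 'Last Success Time'
}

$problems = Invoke-ForcedReplication
if ($problems) { Write-Warning "syncall reported:`n$($problems -join "`n")" }

$failures = @(Get-ReplicationFailures)
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) replication link(s) report failures:"
    $failures | Format-Table -AutoSize
} else {
    'All replication links healthy after syncall.'
}
```
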


That's It!

Check DFSR for Backlogs

Goal:

Determine if file share replication is up-to-date between members.

Problem:

DFS Replication propagation reports show unusually high replication times (e.g., 11 days instead of 11 seconds).  Users complain about missing data.

Solution:

Use the DFSR diagnostic command to check for backlogs.  Large backlogs indicate replication problems (e.g., insufficient staging quota, failed pre-seeding, etc.).  Replication is directional, so run the command a second time with the sending and receiving members swapped.

Example:

C:\>dfsrdiag backlog /rgname:"contoso\data\content" /rfname:Namespace-Folder /sendingmember:server1-hostname /receivingmember:server2-hostname

No Backlog - member 
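
The same check scripted for both directions, added here as an example (not from the post).  It wraps dfsrdiag.exe, parses its "No Backlog" / "Backlog File Count: N" lines, and warns when a direction exceeds a threshold.  The output-format assumptions and the threshold are mine; group, folder and server names are the post's placeholders.

```powershell
# Added example (not from the original post): measure a replicated folder's backlog in both
# directions with dfsrdiag.exe and flag anything above a threshold.

function Get-DfsrBacklogCount {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$FolderName,
        [Parameter(Mandatory)][string]$Sending,
        [Parameter(Mandatory)][string]$Receiving
    )
    $out = & dfsrdiag.exe backlog "/rgname:$GroupName" "/rfname:$FolderName" `
                "/sendingmember:$Sending" "/receivingmember:$Receiving" 2>&1
    $text = $out -join "`n"
    # dfsrdiag prints either "No Backlog - member ..." or "... Backlog File Count: N" (assumed format).
    $count = if ($text -match 'No Backlog') { 0 }
             elseif ($text -match 'Backlog File Count:\s*(\d+)') { [int]$Matches[1] }
             else { throw "Could not parse dfsrdiag output for $Sending -> ${Receiving}:`n$text" }
    [pscustomobject]@{ Group = $GroupName; Folder = $FolderName; From = $Sending; To = $Receiving; Backlog = $count }
}

function Test-DfsrPair {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$FolderName,
        [Parameter(Mandatory)][string]$MemberA,
        [Parameter(Mandatory)][string]$MemberB,
        [int]$Threshold = 100
    )
    # Replication is per direction; a healthy A->B says nothing about B->A.
    $results = @(
        Get-DfsrBacklogCount -GroupName $GroupName -FolderName $FolderName -Sending $MemberA -Receiving $MemberB
        Get-DfsrBacklogCount -GroupName $GroupName -FolderName $FolderName -Sending $MemberB -Receiving $MemberA
    )
    foreach ($r in $results) {
        if ($r.Backlog -gt $Threshold) {
            Write-Warning ("{0} -> {1}: {2} files backlogged (threshold {3}). Check the staging quota and the DFS Replication event log." -f $r.From, $r.To, $r.Backlog, $Threshold)
        }
    }
    $results
}

Test-DfsrPair -GroupName 'contoso\data\content' -FolderName 'Namespace-Folder' `
              -MemberA 'server1-hostname' -MemberB 'server2-hostname' | Format-Table -AutoSize
```
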

 References:

https://blogs.technet.microsoft.com/filecab/2009/05/28/dfsrdiag-exe-replicationstate-whats-dfsr-up-to/
https://blogs.technet.microsoft.com/askds/2010/09/07/replacing-dfsr-member-hardware-or-os-part-2-pre-seeding/



Fix Win NAT-T for L2TP and IKEv2

Problem:

Windows Server 2012 RRAS IPsec VPNs do not support NAT traversal out-of-the-box when the VPN server sits behind a NAT device.  By default, RRAS expects a public IP address on the server -no NAT.  In that setup Windows 10 clients cannot connect with L2TP/IPsec from outside the office, and Windows Server 2016 behaves the same way: L2TP from any client behind a NAT router fails until NAT-T is enabled.

Solution:

Enable NAT-T on the Windows server (and, where needed, on Windows clients).  NAT-T allows the VPN server to serve clients (e.g., Windows 10, Android, Apple iOS) from behind the NAT device.  Then adjust the MTU/MSS (see below).

Background

Why NAT-T?

IPsec uses Encapsulating Security Payload (ESP) to encrypt packet headers and payloads (in tunnel mode, the entire inner IP packet).  By default, ESP is not compatible with Port Address Translation (PAT), because TCP and UDP use ports and ESP does not.

TCP and ESP are different IP protocols.  TCP is protocol number 6.  N.B., protocol number 6 is not the same thing as TCP port 6.  TCP ports are communication endpoints; for example, web traffic uses TCP port 80.

ESP is protocol (i.e., not port) number 50.  ESP is a protocol without ports.  NAT with port translation (PAT) uses ports to bind traffic flows to internal hosts.  Therefore, plain ESP does not survive PAT.

NAT-T allows ESP to work from behind NAT.  It encapsulates ESP (protocol 50) inside UDP on port 4500; the IKE negotiation starts on UDP 500 and moves to UDP 4500 once the peers detect a NAT in the path.  N.B., NAT-T is not the same as vendor-specific "IPsec over UDP".

Enable NAT-T

NAT-T is enabled by default on most operating systems (e.g., Android, iOS); Windows is the exception when a NAT device sits in the path.  Fortunately, we can enable it on Windows 10 and Windows Server 2012 with a single registry value (documented in Microsoft KB 926179).

Start with the 2012 RRAS server.  Windows IPsec clients are supposed to work from any location, so only add the same value on Windows 10 clients that still fail (see Troubleshooting).

Create a new registry value to enable NAT-T:

  1.  Edit the registry (or deploy via GPO) under:

      HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent

  2.  Create a new DWORD (32-bit) value named:  AssumeUDPEncapsulationContextOnSendRule

  3.  Set the value to 2.  (1 = the server may be behind NAT; 2 = both the client and the server may be behind NAT; 0, the default, allows neither.)

  4.  Reboot for the change to take effect.

These changes fix those pesky L2TP-NAT problems.
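
The registry change as a script with a read-back check, plus the two port checks worth doing on the RRAS server afterwards.  This is an added example, not the post's code; the path and value follow KB 926179, and the service names are the standard Windows ones (IKEEXT, PolicyAgent).

```powershell
# Added example (not from the original post): set the NAT-T registry value on an RRAS server
# (or a Windows 10 client), verify it, and confirm the IKE/NAT-T UDP ports are bound. Run elevated.
#Requires -RunAsAdministrator

$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName   = 'AssumeUDPEncapsulationContextOnSendRule'

function Set-IPsecNatTraversal {
    param(
        # 1 = peer (server) may be behind NAT; 2 = both ends may be behind NAT (what the post uses).
        [ValidateSet(1, 2)][int]$Mode = 2
    )
    $current = (Get-ItemProperty -Path $PolicyAgent -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq $Mode) { return "$ValueName already $Mode; no change." }

    New-ItemProperty -Path $PolicyAgent -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
    $after = (Get-ItemProperty -Path $PolicyAgent -Name $ValueName).$ValueName
    if ($after -ne $Mode) { throw "Failed to set $ValueName (read back '$after')." }
    "$ValueName set to $Mode (was '$current'). Reboot before IPsec picks it up."
}

function Test-IkeListeners {
    # IKE starts on UDP 500 and floats to UDP 4500 once NAT is detected; both must be bound.
    $ports = 500, 4500
    $bound = Get-NetUDPEndpoint -LocalPort $ports -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty LocalPort -Unique
    foreach ($p in $ports) {
        [pscustomobject]@{ Port = $p; Listening = ($bound -contains $p) }
    }
}

Set-IPsecNatTraversal -Mode 2
Test-IkeListeners | Format-Table -AutoSize
# If 4500 is not listening on the RRAS server, the IKE and AuthIP IPsec Keying Modules
# service (IKEEXT) or the IPsec Policy Agent is probably stopped:
Get-Service IKEEXT, PolicyAgent | Format-Table Name, Status, StartType -AutoSize
```
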

Troubleshooting Issues

Make sure clients use the latest edition of Windows 10.  Early versions had quirks where clients simply would not connect via NAT-T.

   NAT-T does not work with the following versions:
  • 1507 (build 10240)
  • 1511 (i.e., November Update)
   Unconfirmed (may or may not work):
  • 1607 (i.e., Anniversary Update)
   Confirmed:
  • 1703 (i.e., Creators Update)
   NAT-T works great with the registry fix and the Creators Update.

   Workarounds:

Some folks had to toggle the NAT-T registry value in order to connect (http://bit.ly/2r2CKnF).  I assume this fix was for the November or Anniversary Update.

MTU

Don't forget to adjust the Maximum Segment Size (MSS):
http://www.stevenjordan.net/2016/11/windows-ikev2-mtu.html

That's It!

TSA Searches Phones and Laptops

Headlines:  DIGITAL INTERROGATION? TRAVELERS' PHONES, SOCIALS SCANNED AT AIRPORTS...

Takeaway:

Personal electronic devices are subject to search by TSA and CBP agents -travelers beware.  U.S. agents may request full access to smartphones, tablets and laptops.  Special emphasis is placed on search history, text messages, and social media (e.g., Facebook).  TSA/CBP may temporarily confiscate the device, for up to thirty days, or copy the contents of the entire disk for further investigation.

News about digital frisking is in vogue because of recent political events.  However, this policy has been in effect since before 2011 -during both the Bush and Obama administrations (Schneier, 2008).  The less-told story, however, is that data is at greatest risk when traveling to other countries.

Problem:

It may come as a surprise to learn that most Western governments do not respect individual privacy rights -digital or otherwise- at the border.  For example, authorities at Paris Charles de Gaulle Airport are known to scan laptops (BBC, 1998).  Devices are also subject to search when traveling through Canada, Australia, or the U.K., no warrant needed (Hughes, 2014).

Encryption to the rescue?  Encryption may protect your data, but it's not fail-proof.  For starters, there are different types of encryption.  Some are considered strong and practically impossible to break.  However, algorithms and implementations age; what is considered strong today may be broken in years.  Implementing encryption correctly is also a complicated process.

What's more, encryption may protect your data, but it will not stop a frustrated border agent from seizing your device or detaining you (Hughes, 2014).

Why the Fuss?

There are two sides to every coin.  Governments have legitimate national security issues to contend with.  Digital search and seizure policies are a simple means to identify terrorists, child pornographers, and other criminal activity.

On the other hand, the majority of international travelers are not criminals.  At least in the U.S., and with exceptions, the right to privacy is a constitutional civil right.  There are legitimate reasons to keep trade secrets, health records, or financial information secret.

Data at Risk

Not all inspections are invasive.  Some agents may simply ask you to turn the device on.  Others may casually browse its contents.  However, the following situations compromise the device, and with it the confidentiality and integrity of its data:

  • You provide a passcode or password.
  • The device is removed from your line of sight.
  • The device is physically connected to another machine (e.g., imaged or scanned).
  • The device connects to an agent's network (Ethernet or Wi-Fi).
Once a device is compromised it can no longer be trusted:

  • Your data is no longer confidential (e.g., pictures, credit cards, etc.).
  • Your data may have been altered or deleted.
  • The device may contain malware.
  • All of your stored passwords may be compromised.
  • Your network accounts may be exposed (e.g., Exchange, VPN, RDP).

Conclusion:

In most situations, digital searches by the TSA/ CBP are probably harmless.  However, it's prudent to take extra precautions when traveling outside the United States.

Links:

http://www.vocativ.com/397897/travelers-affected-by-trump-ban-forced-to-unlock-phones-computers/
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
http://www.stevenjordan.net/2014/08/network-security-international-and.html
http://www.stevenjordan.net/2016/09/ipsec-security-levels.html
http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
https://www.theguardian.com/profile/bruceschneier
http://news.bbc.co.uk/2/hi/science/nature/150465.stm
https://www.theguardian.com/technology/2008/may/15/computing.security

Android IKEv2 Client Setup

Task:  

Send end-user instructions on how to configure Android IKEv2 VPN clients.  

Solution:

Installation is a two-step process:

Step 1:  Install all three certificates.  The administrator has sent a separate link where you can download the necessary files:  (a) user_device.PFX; (b) vpn_server.CER; and (c) root.CER.  Open each file to start the installation.  Enter the PFX password when prompted.

Step 2:  Configure the Android VPN client:  Android Settings → Connections → More Connection Settings → VPN → Add VPN.

VPN Settings (Figure 1):
N.B., Change the value for "IPSec user certificate" to "user_android".
Figure 1.  Android IKEv2 VPN Settings.
Hint:  VPN shortcut apps are available in the Google Play Store.  These provide a quick and easy way to connect.
For example:  https://play.google.com/store/apps/details?id=com.rosaneng.vpnsettings&hl=en

Also note, your device certificate (the PFX file) contains the private key for your client certificate.  Anyone who gets hold of this key can impersonate your account.  Please protect your device with a passcode and encryption.  These files are not intended for rooted devices.  I encourage you to delete this email, and the downloaded PFX file, after you've configured your devices.

That's It!

Install Mobile-Config Script

Task:  

Setup instructions for manual distribution of mobile-config scripts for iPhones and iPads.

Assumptions:

These instructions assume the mobile-config profile has already been generated.  They are for situations when mobile device management (MDM) is not available, and they assume email distribution from a private server.  Use caution whenever distributing certificates and private keys!

Background:

Mobile-config profiles run on any iPhone or iPad -simply open the email attachment to start the process.  The profile installs the certificates and configures the IKEv2 VPN.  One profile can configure multiple devices.

Security Considerations

Also note, the profile includes the private key for the client certificate.  This key provides identity validation, authentication, and authorization.  Anyone who gets hold of it can impersonate the account.  It's critical to use a passcode and enforce encryption.  Do not install these files on jailbroken devices.  Delete the profile from your mailbox after all devices are configured.  Because the profile is unsigned, iOS labels it "Not Verified"; only install it if it came directly from IT.

Brief instructions:

Step 1:  Open the mobile-config file to start the profile installation.

· N.B., This profile is not signed -that's OK (see Security Considerations).
· Click Next.
· Click Next.




Step 2:  Enter device passcode.

Step 3:  Consent.

· Brief description for mobile-config.
· Installation requires consent.
· Click Next.




Step 4:  Confirm Install.

· General VPN disclosure.
· Click Install.  Click Done.

Step 5.  Connect to the VPN.

· Open Settings.
· Toggle the VPN button.
· The VPN symbol appears in upper left-hand corner to confirm active VPN sessions.


The VPN is ready for action.  That's It!

Dynamic S2S VPNs


Task:

Create site-to-site (S2S) interfaces for dynamic IKEv2 VPN clients (e.g., iPhones).  Assign different cryptographic algorithms to each S2S interface.

What are dynamic S2S VPNs?

S2S VPNs usually connect static VPN endpoints.  For example, a dedicated (i.e., always-on) VPN that connects a branch office to its HQ office.  However, S2S interfaces can also accept mobile clients for dynamic connections.  This hybrid approach is for special circumstances.

Why use dynamic S2S VPNs?

Most folks should stick with the default RRAS dial-up VPN server.  It provides better management and reporting tools.  However, dynamic S2S VPNs support configuration features that are unavailable with the standard RRAS client VPNs.

For example, the dial-up IKEv2 VPN accepts any machine certificate issued by one of its trusted root CAs.  S2S interfaces can limit authentication to specific client certificates.  The best part, IMHO, is the ability to apply a unique cipher suite per S2S interface.  For example, we can create a separate S2S interface for each client -each with its own cipher suite requirements.

How do we implement dynamic S2S VPNs?

PowerShell offers a straightforward method to implement S2S VPNs.  However, consider using a GUI/PowerShell hybrid approach that supports additional client management features.

Dynamic S2S via PowerShell:

The following example creates a new S2S interface with strong security targets:
• Certificate authentication
• IKEv2 protocol
• Main Mode (IKE SA):  AES128-SHA256-DHGroup14
• Quick Mode (ESP):  AES128 (the ESP integrity algorithm is set separately with -AuthenticationTransformConstants and is left at its default here)

Add-VpnS2SInterface -Name smj@stevenjordan.net -CustomPolicy -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -Destination 0.0.0.0 -Protocol IKEv2 -AuthenticationMethod MachineCertificates -ResponderAuthenticationMethod MachineCertificates -EncryptionType RequireEncryption

The interface name must match the authenticating certificate's subject name.  Some clients (e.g., iPhone) require a matching subject common name and a matching subject alternative name (SAN) DNS entry.  This name is how RRAS associates an incoming certificate with the S2S interface.  The destination 0.0.0.0 tells the interface to accept connection requests from any IP (i.e., it's dynamic).

Don't forget to lock down the VPN server.  Enforcing subject names does not secure the server.  Recall, a Windows VPN server leaves its front door wide open -by default.  Windows VPN security requires manual changes:  http://www.stevenjordan.net/2016/10/door-wide-open-on-win-ikev2.html

Managing S2S connections via PowerShell:

Managing client connections is cumbersome compared to the traditional RRAS client VPN tools.  RRAS and Remote Access Management provide simple GUI tools to manage dial-up connections (Figure 1).  However, Remote Access Clients does not display S2S connections, and RRAS Network Interfaces does not display PowerShell-created S2S interfaces by default.

Figure 1.  RRAS Client Connections.
The RRAS management GUI does not play well with dynamic S2S connections.  The Remote Access Clients tab does not display active connections.  However, the GUI will display active IKEv2 WAN Miniports:

Figure 2.  Active WAN Miniports.  Good enough.
PowerShell provides a better method to view active S2S connections:

PS C:\Users\SMJ> Get-VpnS2SInterface

RoutingDomain Name            Destination AdminStatus ConnectionState
------------- ----            ----------- ----------- ---------------
              XXXXXX-XXXX-SMJ {0.0.0.0}   True        Connected

Dynamic S2S GUI/PowerShell Hybrid

Alternately, create dynamic S2S interfaces with the RRAS GUI.  This approach offers some S2S client management benefits.  Keep in mind, these S2S interfaces use the default cryptographic algorithms.  We'll need to modify the S2S security targets with PowerShell:

Step 1.  RRAS → VPN server → Right-click Network Interfaces → New Demand-Dial Interface:

• Interface Name:  Certificate's subject common name.
• Connection Type:  VPN → Next
• VPN Type:  IKEv2 → Next
• Hostname:  None (leave blank) → Next
• Protocols & Security:  Route IP packets on this interface → Next
• Static Routes:  None (or add based on your organization's needs).
• Dial-Out Credentials:  None → Next → Finish.

Step 2:  Edit S2S interface properties → Options tab.
• Connection type:  Persistent connection → OK.

Step 3:  Edit the security targets for the S2S interface in PowerShell.
PS C:\Users\SMJ> Set-VpnS2SInterface -Name xxxx-xxxx-SMJ -CustomPolicy -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -EncryptionType RequireEncryption

WARNING: VPN site-to-site adapter xxxx-xxxx-SMJ will be modified and the parameters
other than IPv4Subnet/IPv6Subnet will be applicable next time the connection is dialed.

Check Hybrid S2S Connection from GUI:

 RRAS → VPN server → Network Interfaces:  Connection Status


Figure 3.  S2S connection status via RRAS GUI.

The RRAS Network Interface GUI now includes a list of S2S interfaces and connection status.  It also provides a simple method to disconnect or disable client connections.

Troubleshoot:

Use PowerShell to check server IPsec crypto-sets:
• Get-NetIPsecMainModeCryptoSet
• Get-NetIPsecQuickModeCryptoSet


Confirm server-client security targets work as intended:
• Get-VPNS2SInterface
• Get-NetIPsecMainModeSA
• Get-NetIPsecQuickModeSA
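
Putting the creation command and the troubleshooting cmdlets together: the following added example (not the post's code) creates a dynamic S2S interface with a full custom policy, including the ESP integrity and PFS settings the post's one-liner leaves at default, and then audits every S2S interface and every live main mode SA for weak algorithms.  The certificate subject, the "weak" lists and the exact value strings the NetSecurity cmdlets display (e.g., 'DH14') are assumptions; run it elevated on the RRAS server with the RemoteAccess and NetSecurity modules.

```powershell
# Added example (not from the original post): create a dynamic S2S interface named after the
# client certificate's subject, then audit configured and negotiated IPsec algorithms.
#Requires -RunAsAdministrator

function New-DynamicS2SInterface {
    param(
        # Subject CN of the client's certificate (e.g. 'smj@stevenjordan.net'); RRAS matches the
        # presented certificate to the interface by this name.
        [Parameter(Mandatory)][string]$ClientSubject
    )
    if (Get-VpnS2SInterface -Name $ClientSubject -ErrorAction SilentlyContinue) {
        throw "S2S interface '$ClientSubject' already exists; use Set-VpnS2SInterface to change it."
    }
    Add-VpnS2SInterface -Name $ClientSubject -CustomPolicy `
        -Protocol IKEv2 -Destination 0.0.0.0 `
        -AuthenticationMethod MachineCertificates -ResponderAuthenticationMethod MachineCertificates `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -PfsGroup PFS2048 -EncryptionType RequireEncryption
}

function Get-S2SCryptoAudit {
    # Static configuration: what each interface is allowed to negotiate.
    $config = Get-VpnS2SInterface | ForEach-Object {
        $findings = @()
        if ($_.EncryptionMethod -in 'DES', 'DES3')                    { $findings += "IKE cipher $($_.EncryptionMethod)" }
        if ($_.IntegrityCheckMethod -in 'MD5', 'SHA1')                { $findings += "IKE hash $($_.IntegrityCheckMethod)" }
        if ($_.DHGroup -in 'Group1', 'Group2')                        { $findings += "DH $($_.DHGroup)" }
        if ($_.CipherTransformConstants -in 'DES', 'DES3')            { $findings += "ESP cipher $($_.CipherTransformConstants)" }
        if ($_.AuthenticationTransformConstants -in 'MD596', 'SHA196') { $findings += "ESP hash $($_.AuthenticationTransformConstants)" }
        [pscustomobject]@{
            Interface   = $_.Name
            State       = $_.ConnectionState
            Destination = ($_.Destination -join ',')
            Weak        = ($findings -join '; ')
        }
    }
    # Live main mode SAs: what was actually negotiated with connected peers.
    # Value strings (e.g. 'DH2', 'SHA1') are as displayed by Get-NetIPsecMainModeSA; adjust if your build differs.
    $live = Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Remote = $_.RemoteEndpoint
            Cipher = $_.CipherAlgorithm
            Hash   = $_.HashAlgorithm
            DH     = $_.GroupId
            Weak   = ($_.CipherAlgorithm -in 'DES', 'DES3') -or ($_.HashAlgorithm -in 'MD5', 'SHA1') -or ($_.GroupId -in 'DH1', 'DH2')
        }
    }
    [pscustomobject]@{ Interfaces = $config; MainModeSAs = $live }
}

New-DynamicS2SInterface -ClientSubject 'smj@stevenjordan.net'
$audit = Get-S2SCryptoAudit
$audit.Interfaces  | Format-Table -AutoSize
$audit.MainModeSAs | Format-Table -AutoSize
```
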

I also recommend using the Best Practice Analyzer (BPA) to check for any obvious S2S security warnings.
https://technet.microsoft.com/en-us/library/ee922676(v=ws.10).aspx


That's It!

MDM Cert Enrollment

Task:

How to manually request and enroll certificates for BYOD devices with Windows CA server.

Background:

Automated mobile device management (MDM) (e.g., Microsoft Workplace Join) provides a secure method for device key management.  However, rolling out the right MDM solution can be a serious undertaking.  It may be overkill for some organizations.

This article covers device key-management for special use situations.  It provides instructions on how to manually generate device (e.g., iPhone) certificates for mutual authentication (e.g., IKEv2 VPNs).

Assumptions:

Solution:

Step 1:  Request the device certificate from any workstation:

  • Start → MMC → File → Add Snap-In:  Certificates - Current User
  • Certificates → Current User → Personal → Certificates → All Tasks → Request New Certificate

Step 2:  Complete the Certificate Enrollment Wizard:

  • Select Policy:  No changes.  Click Next.
  • Request Certificates:  User Device Auth → Click Details → Click Properties.
  • Certificate Properties:
        → [Subject Tab]
              Subject Name:
                   Common Name (CN) = user_device@stevenjordan.net;  Add.
                   Email = user_email@stevenjordan.net;  Add.
                   Given Name = first and last name;  Add.
              Alternative Name:
                   DNS = user_device@stevenjordan.net;  Add.  N.B., the DNS SAN must match the full CN.
                   Email = user_email@stevenjordan.net;  Add.
        → [General Tab]
              Friendly name:  user_device@stevenjordan.net
        → Click OK.
  • Request Certificates:  Add a checkmark for User Device Auth → Click Enroll.
  • Note that status = Pending (the template requires CA manager approval).
Step 3:  Approve the request on the Certification Authority (CA) server.

  • Open the Certification Authority MMC on the CA:
       → Certification Authority (Local) → Root-CA → Pending Requests → right-click the request → All Tasks → Issue.
Step 4:  Export the certificate from the workstation that initiated the request:
  • Certificates → Current User → Certificate Enrollment Requests:
    → Certificate Export Wizard
         → Export Private Key:  Yes, export the private key.
         → Export File Format:  PFX; check "Include all certificates in the certification path if possible".  Next.
         → Security:  Check Password.  Enter a strong password.  Next.
                               N.B., Password = choose_password
         → File to Export:  Choose a location:  C:\source\cert\user_device.pfx.  Next.
  • Repeat a similar process to export the CA's public root certificate (CER, no private key).
  • Log onto the VPN server and repeat a similar process to export its public certificate (CER, no private key).
  • Stage the root and VPN server certificates on a secure file share (e.g., \\securefileshare\) for distribution.
Step 5:  Distribute the certificate files to client devices.
  • Distribute the client certificate and private key (e.g., PFX).
  • Include the public VPN server and root certificates (e.g., CER).
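
The same enrollment from the command line, added as an example (not the post's own code).  certreq.exe builds a request carrying the CN, e-mail and DNS SAN from Step 2, the CA manager issues it as in Step 3, and the script exports the certificate and private key to a PFX under a random password and then deletes the key from the requesting workstation, which is the cleanup the Security Considerations below ask for.  The template name 'UserDeviceAuth', the CA config string and the output folder are placeholders (assumptions).

```powershell
# Added example (not from the original post): request, export and clean up a device
# certificate with certreq.exe and the PKI module. Template/CA names are assumptions.

function New-RandomPassword([int]$Length = 24) {
    # CSPRNG-backed; the small modulo bias is acceptable for a one-time PFX password.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-DeviceCertRequest {
    param(
        [Parameter(Mandatory)][string]$DeviceName,   # e.g. user_device@stevenjordan.net
        [Parameter(Mandatory)][string]$Email,        # e.g. user_email@stevenjordan.net
        [string]$Template = 'UserDeviceAuth',        # assumed template name (display name "User Device Auth")
        [string]$WorkDir  = 'C:\source\cert'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir "$DeviceName.inf"
    $req = Join-Path $WorkDir "$DeviceName.req"
    # The DNS SAN must equal the full CN (iOS IKEv2 checks it). Exportable=TRUE is needed for
    # the PFX export and is exactly why this workstation must be cleaned up afterwards.
    @"
[NewRequest]
Subject = "CN=$DeviceName, E=$Email"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DeviceName&"
_continue_ = "email=$Email&"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII
    & certreq.exe -new $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    $req
}

function Export-DevicePfx {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string]$IssuedCer,   # .cer retrieved from the CA after approval
        [string]$OutDir = 'C:\source\cert'
    )
    # Install the issued certificate so it joins the private key created by certreq -new.
    & certreq.exe -accept $IssuedCer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

    $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Subject -like "CN=$DeviceName*" -and $_.HasPrivateKey } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for $DeviceName" }

    $password = New-RandomPassword
    $pfxPath  = Join-Path $OutDir "$DeviceName.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -ChainOption BuildChain `
        -Password (ConvertTo-SecureString $password -AsPlainText -Force) | Out-Null

    # The workstation must not keep a copy of the device's key (see Security Considerations).
    Remove-Item -Path $cert.PSPath -DeleteKey
    Remove-Item -Path (Join-Path $OutDir "$DeviceName.inf"), (Join-Path $OutDir "$DeviceName.req") -ErrorAction SilentlyContinue

    [pscustomobject]@{ Pfx = $pfxPath; Thumbprint = $cert.Thumbprint; Password = $password; Expires = $cert.NotAfter }
}

# Usage (CA config string is a placeholder):
$req = New-DeviceCertRequest -DeviceName 'user_device@stevenjordan.net' -Email 'user_email@stevenjordan.net'
# certreq -submit -config "CA01.stevenjordan.net\Root-CA" $req C:\source\cert\user_device.cer
#   -> "Taken Under Submission"; after the CA manager issues it: certreq -retrieve -config ... <RequestId> <cer>
$result = Export-DevicePfx -DeviceName 'user_device@stevenjordan.net' -IssuedCer 'C:\source\cert\user_device.cer'
$result | Format-List
# Hand the PFX and its password to the user over two different channels, then delete the PFX here.
```
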

Distribution methods: 

Security Considerations:

Safeguard your client PFX files!  PFX files include certificates and their private keys.  An attacker can use them to impersonate the user: connect to the VPN, collect email, etc.  Do not let PFX files fall into the wrong hands!  Mitigations:
  • Account for every PFX copy -each one is an exposure.
  • Delete the device certificates and keys from the workstation used to generate them.
  • Save client PFX files to secure offline media.
  • Consider an IT policy that requires face-to-face installation with IT staff.
  • Email attachments can be forwarded -risk!
  • An internal web server on an internal Wi-Fi SSID is preferred.
  • Ad-hoc Wi-Fi may be preferable to infrastructure mode.
  • Do not enable the certificate's export flag on the installed copy.
  • Do not install on any rooted or jailbroken device.
  • Ensure devices use encryption and passcodes.
  • Above all, use common sense!

That's It!