Jesper M. Christensen

SharePoint and Security

Error publishing Internal SSL site through ForeFront UAG


If you publish an internal site through a Microsoft ForeFront UAG and protect the published site with an SSL certificate, you can run into the following error when the internal site is itself protected by an SSL certificate:

UAG specified target common name of the certificate is invalid

In my test environment I started with:

                                          Internal                       External
  Site URL:                               https://mysite.domain.local    https://mysite.domain.com
  SSL certificate DNS/CN (Common name):   intranet.domain.local          intranet.domain.com

I publish this site with ForeFront UAG through an HTTPS trunk, and the error occurs.

[image: UAG setup example]

The reason for this error is that the UAG checks the internal SSL certificate for the external “Common Name”. Internal users usually access the site directly, and their browser checks for a match with the internal “Common Name”, which is intranet.domain.local. But the ForeFront UAG needs the certificate to include the external name as well. So even though you configure SharePoint AAM (Alternate Access Mapping) and configure your UAG correctly, this does not solve the problem.

I found some forums on the internet suggesting that I just switch the internal site to unencrypted HTTP on the standard port 80, but this did not match my security policy.

My solution was to create a new internal SSL certificate that also includes the external “Common Name”, and switch to this new certificate in IIS (Internet Information Server) on the internal web server. After the adjustments I had a working external site.

The new table now looks like this:

                                          Internal                       External
  Site URL:                               https://mysite.domain.local    https://mysite.domain.com
  SSL certificate DNS/CN (Common name):   intranet.domain.local          intranet.domain.com
                                          intranet.domain.com
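Before swapping certificates, it helps to confirm exactly which names the certificate on the internal web server covers. The following Windows PowerShell check is an added example and not part of the original post: it reads the CN and the Subject Alternative Name extension of a certificate and reports which of the required host names (the internal and external names from the post) are missing. The subject filter used to find the certificate in the machine store and the English "DNS Name=" label in the formatted SAN text are assumptions.

```powershell
# Added example (not from the original post): verify that the internal site's certificate
# covers both the internal and the external host name, which the UAG requires.
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # DNS name from the SAN if present, otherwise the subject Common Name (CN=...)
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $cn = $Certificate.GetNameInfo($dnsType, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17). On an English Windows the
    # formatted text reads "DNS Name=host1, DNS Name=host2" (assumption: English label).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-PublishedSiteCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredHostNames
    )
    $covered = Get-CertificateDnsNames -Certificate $Certificate
    # -notcontains is case-insensitive, so host name casing does not matter
    $missing = @($RequiredHostNames | Where-Object { $covered -notcontains $_ })
    foreach ($name in $missing) {
        Write-Warning "Certificate '$($Certificate.Subject)' does not cover $name"
    }
    return ($missing.Count -eq 0)
}

# Usage on the internal web server: look up the certificate bound in IIS by its subject
# (the CN filter is an assumption; adjust it to your certificate).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=intranet.domain.local*' } |
    Select-Object -First 1
if ($cert) {
    $ok = Test-PublishedSiteCertificate -Certificate $cert `
        -RequiredHostNames @('intranet.domain.local', 'intranet.domain.com')
    Write-Host "Certificate covers both the internal and the external name: $ok"
}
```

The check returns $false with a warning per missing name for the first certificate in the post (only intranet.domain.local) and $true for the re-issued one that lists both names.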

[DK] Data security and mobility – Do you feel secure?


Today companies spend a lot of money protecting themselves against burglary and theft. They also spend many resources on computer security – especially backups, antivirus, antispam and a firewall towards the internet. All of this to protect the company from losing things and information. And I see the company's information in particular as the most important thing to protect, since it can be anything from secret recipes to price agreements with customers. If competitors get their hands on this, in the worst case it can mean that the workplace loses customers and has to close.

Since we have gained home workplaces and more mobile phones with access to the company network from outside, the potential risk of losing information has almost exploded. E-mail and documents can easily be lost if the mobile phone or the computer is not adequately protected.

Are you walking around with important information?
Do you think about what important and secret information your laptop, phone or iPad has stored? Are they protected in any way, so that others cannot see this information if you lose them? Could your workplace be affected by others (especially competitors) seeing this information?

Home workplaces and laptops in particular are an exposed risk, since they can more easily be stolen or lost, and they often contain direct access to the workplace.

When we talk about protecting your laptop against others getting to see what is on it, it is not enough to choose a user password for Windows or Mac OS. Unfortunately these passwords can easily be bypassed, though they may possibly be enough for private individuals. Companies, however, must be extra careful, and I would recommend hard disk encryption such as the one built into the Lenovo® ThinkPad series, BitLocker from Microsoft (the latter is built into Windows Vista Enterprise and Windows 7 Enterprise) or another recognised method that meets the requirements and needs you have.

Mobile devices such as mobile phones, iPhone and iPad are far harder to protect, and even though a user code can be enabled on most of them, this is not enough to stop the people who want to get hold of the information. Here the best protection is not to store confidential information on them, and to have an IT department that can wipe the device if it is lost or stolen. In my opinion there has not been enough focus on developing and installing antivirus, antimalware and other security products for mobile devices.

It can cost money and jobs
Many companies today are aware of the risk of losing the company's mobile work devices in terms of what they cost, but not always of the consequences of losing the information stored on the computers. It may be chance who comes into possession of a lost or stolen computer, but if it is the wrong person, who sells the customer register and the strategy plans to the competitors, it can have fatal consequences.

Is the internet a good place to store things?
If you want to share your information with your own devices or with other people, you sometimes also need to be careful about where you do it. The internet offers many possibilities, but the most important thing is to be sure that your data is secured in a way that others cannot see or copy it. Choose a place that fits your security policy, and a company you trust. Of course this also applies if you use an online service for your backups.

Think about security – and feel free to ask others
Companies should regularly contact their IT supplier or another IT security advisor and have a dialogue with them about data security. The possibilities and the risks that come with them change constantly, and the demands from employees often arrive before the solutions are fully ready from a security point of view.

SharePoint 2010 Foundation: Cannot change “My Settings” of a user


I was on a project creating an extranet using Microsoft SharePoint Foundation 2010 and ran into this problem: the users could not edit their own name. This was a bit annoying, as they logged in using their Microsoft LiveID account, which had a name like this: 00003f879q83yd9@live.com

The edit button was simply gone.

When I logged on as a Site Collection Administrator, the edit option was visible.

Actually this was because the users did not have the correct permissions on the web application. As I did not want the users to have too many rights, I added a new permission policy in Central Administration, Web Applications, for the web application.

Grant the permission policy to the users who should have this option by adding their security group in the web application's User Policy.

Remember to disable SSL 2.0 on Windows Server 2008 IIS 6/7


During a security scan of a newly created Microsoft SharePoint 2010 extranet we found that SSL 2.0 was enabled. The report came with this statement:

“The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.”

Microsoft Windows Server 2008 allows this by default for some reason. For the moment the SharePoint Web Front End server is directly behind a firewall, but handles the SSL requests itself.

To correct this, and make the IIS use stronger SSL versions (SSL 3.0 or TLS), we disabled SSL 2.0 in this way:

  1. Open the Registry Editor (regedit).
  2. Locate the following registry key:

     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  3. Create a new key under it named Server.
  4. In the Server key, create a new DWORD (32-bit) value named Enabled and check that its data is the default 0x00000000 (0).
  5. Restart the server.
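The same change as the manual steps above, scripted in Windows PowerShell together with a check you can run after the restart. This is an added example and not from the original post; it assumes it runs elevated on the server, and it uses only the key and value the steps describe.

```powershell
# Added example (not from the original post): disable server-side SSL 2.0 in Schannel
# by creating the Server key and the Enabled DWORD with value 0, then verify the setting.
$Ssl2ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'

function Disable-Ssl2Server {
    # Step 3: create the Server key if it does not exist yet
    if (-not (Test-Path $Ssl2ServerKey)) {
        New-Item -Path $Ssl2ServerKey -Force | Out-Null
    }
    # Step 4: Enabled = 0 (DWORD). -Force overwrites a value somebody may have set to 1.
    New-ItemProperty -Path $Ssl2ServerKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Test-Ssl2ServerDisabled {
    # Returns $true only when the key exists and Enabled is explicitly 0.
    # A missing key or a missing value means Windows Server 2008 falls back to its
    # default, which leaves SSL 2.0 enabled on the server side.
    if (-not (Test-Path $Ssl2ServerKey)) { return $false }
    $value = (Get-ItemProperty -Path $Ssl2ServerKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    return ($null -ne $value -and $value -eq 0)
}

Disable-Ssl2Server
Write-Host ("SSL 2.0 server-side disabled in registry: {0}" -f (Test-Ssl2ServerDisabled))
# Step 5: Schannel reads these values at boot, so the server still has to be restarted
# before a new scan will show SSL 2.0 as rejected.
```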


Back as an active blogger–and attending conferences again


After a break where I mostly spent my time with my now 2-year-old daughter, I am back to blog about the world of security, Microsoft SharePoint and Microsoft PowerShell.

I attended the European Microsoft TechEd 2010 in Berlin, and next month I am off to the SharePoint Best Practices Conference in London. If any of you are attending as well, please send me a PM or link with me on www.TripIt.com

So much new exciting stuff in the SharePoint world is here already, and much more is to come.

Cya around soon
Jesper M. Christensen


Upload a file to SharePoint with metadata with VS2010


 

I was writing a program for a customer that needed to upload a lot of files to their new Microsoft SharePoint Server 2010. It was a migration of a file share, and they also wanted some custom metadata in the SharePoint document library.

I created a Visual Studio 2010 C# project for this, as it would have been a big job to upload the files and type in the metadata by hand.

Please write me if you need the C# code :)
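As an added example (not the author's C# project), the same task done with the SharePoint 2010 server object model from Windows PowerShell on the SharePoint server: the file is added to the document library with its metadata in one call, so the item is created with the columns already filled in rather than uploaded and then edited. The site URL, library name, local path and the column internal names "ProjectID" and "Department" are placeholders.

```powershell
# Added example (not from the original post): upload a file into a SharePoint 2010
# document library and set custom metadata columns in the same operation.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

function Add-SPFileWithMetadata {
    param(
        [string]$SiteUrl,
        [string]$LibraryName,
        [string]$LocalPath,
        [hashtable]$Metadata   # keys are the columns' internal names
    )
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        $web = $site.OpenWeb()
        try {
            $library = $web.Lists[$LibraryName]
            $bytes = [System.IO.File]::ReadAllBytes($LocalPath)
            $fileName = [System.IO.Path]::GetFileName($LocalPath)
            $url = $library.RootFolder.Url + "/" + $fileName
            # SPFileCollection.Add(url, bytes, properties, overwrite): the hashtable is
            # written as the item's field values together with the file content.
            $file = $library.RootFolder.Files.Add($url, $bytes, $Metadata, $true)
            # Check that every column actually landed on the list item; a misspelled
            # internal name is silently ignored by SharePoint, so verify here.
            foreach ($key in $Metadata.Keys) {
                if ("$($file.Item[$key])" -ne "$($Metadata[$key])") {
                    Write-Warning "Column '$key' was not set on $fileName"
                }
            }
            return $file.Item.ID
        } finally { $web.Dispose() }
    } finally { $site.Dispose() }
}

# Usage (placeholder values): returns the ID of the new document library item
$id = Add-SPFileWithMetadata -SiteUrl 'http://intranet.domain.local' `
    -LibraryName 'Shared Documents' -LocalPath 'C:\migration\contract.docx' `
    -Metadata @{ ProjectID = 'P2100-17'; Department = 'Sales' }
Write-Host "Uploaded as item $id"
```

For a whole file share, call the function in a loop over Get-ChildItem and build the hashtable per file from whatever source holds the metadata (a CSV export, for instance).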

WindowsSecurity.com – Document placement: File Shares or SharePoint?


I wrote an article explaining the differences between placing your documents on file shares or on a SharePoint site. It is meant to give an overview of what to consider and what to expect from each place to store data.

Please read and rate my article here: Document placement: File Shares or SharePoint?

SharePoint calculated columns do not show ID and date-time


I saw this "problem" when I was creating an autonumber function for SharePoint list items. I wanted every list item to have a project ID and an autonumber field.

When searching the web I discovered that the hidden ID field could be used and I made the following formula:

="P2100-"&ID

Every item got the new project ID and I was thrilled… for a while…

Then I created new items and none of these got any value at the end of the field! Only when I updated the calculated column definition (edit, change nothing and save) were the IDs calculated and put on the items. A new web search made me realize that the ID (and also Time & Date, if that is used) is assigned AFTER the calculation and save of this information. The sites suggested programming an event handler that recalculates the item column, but with many different sites and manual work this was not an option.

I came up with an idea that worked for me with Windows PowerShell. It is not a pretty solution and perhaps it generates too much overhead on your system, so please evaluate other options if you have a lot of lists/items and performance is an issue.

The Windows PowerShell script connects to the site and the list and updates the column definition without changing anything.


# Update the field definition to make SharePoint recalculate the calculated column
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$spSite = New-Object Microsoft.SharePoint.SPSite("http://intranet.domain.local")
$spWeb = $spSite.OpenWeb("/")
$spList = $spWeb.Lists["Projects"]
$field = $spList.Fields["ProjectID"]

# Saving the unchanged definition ($true pushes it to the list) recalculates the column on existing items
$field.Update($true)

# Release the SharePoint objects
$spWeb.Dispose()
$spSite.Dispose()

I made my solution a bit more creative by making a list of definitions and looping through them with the script.
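The loop the post mentions, written out as an added example (not the author's script): each definition names a site, a web, a list and the calculated column to refresh; the function checks that the column really is a calculated field before calling Update($true), returns whether it refreshed it, and disposes the SPSite and SPWeb objects even when a list or field is missing. The site URLs and list/column names in the definitions are placeholders.

```powershell
# Added example (not from the original post): refresh several calculated columns from a
# list of definitions, run on the SharePoint server in Windows PowerShell.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$Definitions = @(
    @{ Site = 'http://intranet.domain.local'; Web = '/';      List = 'Projects'; Field = 'ProjectID' },
    @{ Site = 'http://intranet.domain.local'; Web = '/sales'; List = 'Orders';   Field = 'OrderNo'   }
)

function Update-CalculatedField {
    param([string]$SiteUrl, [string]$WebUrl, [string]$ListName, [string]$FieldName)
    $site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
    try {
        $web = $site.OpenWeb($WebUrl)
        try {
            $list = $web.Lists[$ListName]
            $field = $list.Fields[$FieldName]
            # Only calculated columns need this; skip anything else rather than touch it
            if ($field -isnot [Microsoft.SharePoint.SPFieldCalculated]) {
                Write-Warning "$ListName/$FieldName is not a calculated column; skipped"
                return $false
            }
            # Re-saving the unchanged definition ($true pushes it to the list) is what makes
            # SharePoint recompute the column on items whose ID was assigned after the save.
            $field.Update($true)
            return $true
        } finally { $web.Dispose() }
    } finally { $site.Dispose() }
}

foreach ($d in $Definitions) {
    $ok = Update-CalculatedField -SiteUrl $d.Site -WebUrl $d.Web -ListName $d.List -FieldName $d.Field
    $state = if ($ok) { 'refreshed' } else { 'skipped' }
    Write-Host ("{0}: {1}/{2}" -f $state, $d.List, $d.Field)
}
```

Scheduled as a task, this gives the effect of the event handler the forums suggested without code on each site, at the cost of a full column recalculation per run.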

WindowsSecurity.com – Considering remote access for IT professionals


I got an article published about remote access for IT professionals – in the past and now.

It contains information that you need to consider before choosing your solution.

Considering remote access for IT professionals

WindowsSecurity.com – Active Directory information exposed to users?


For the time being I do not really have time for blogging, I'm afraid, but I will continue writing articles for the windowsecurity.com website.

I know many things are visible in Microsoft Active Directory, and I tried a few things to investigate what a standard user can see. If this is something for you, then take a look at the article – feedback and evaluation are welcome :)

Active Directory information exposed to users?
