Intranet Subject Alt Names for Exchange SSL Certificates

So you were using a SHA1 SSL certificate on your Microsoft Exchange server and you got an email letting you know that SHA1 is no longer a secure cryptographic hash. Or perhaps your current SSL certificate is about to expire and you just want to throw a new one in there and call it good. Well, too bad! More than likely you're like me and have intranet subject alt names on your certificate, e.g. "MailServ1" for your internal URL, and that is no longer supported.

Why now?

Well, the folks in charge of updating the web security standards got together and decided that it was in everyone's best interest to boost the web's security. More info can be found on most public certificate authorities' websites or here. Overall it's a super important job they do: SHA1 is totally broken, and sites like http://hashkiller.co.uk have cracked over 131 billion SHA1 hashes.

Well, that's good to know, but why can't I use internal names on my SSL certificate?

First of all, that is a fantastic question! The answer is basically that internal server names aren't unique, so man-in-the-middle attacks can work against your Exchange server: an attacker could request a certificate from the CA (certificate authority) for the same intranet name.

Great, now I have to figure out what to do!

Whoa now, I've got you covered on that one 😉 with step-by-step instructions and Exchange PowerShell commands.

Step 1. Create a new CSR (Certificate Signing Request). I'm not going to cover this because it is somewhat unique to your CA, but GoDaddy's how-to is here.

Step 2. Change the internal URL to your public FQDN.

You can copy these commands into Notepad++ and replace anything that says "MailServ1" and "YourDomain" so the commands line up with your FQDN.

Note: the "Uri" spelling in the parameter name is not a misspelling.

Command 1:

Set-ClientAccessServer -Identity MailServ1 -AutodiscoverServiceInternalUri https://MailServ1.YourDomain.com/autodiscover/autodiscover.xml

Command 2: 

Set-WebServicesVirtualDirectory -Identity "MailServ1\EWS (Default Web Site)" -InternalUrl https://MailServ1.YourDomain.com/ews/exchange.asmx

Command 3:

Set-OABVirtualDirectory -Identity "MailServ1\oab (Default Web Site)" -InternalUrl https://MailServ1.YourDomain.com/oab

 

Step 3. Recycle the IIS Application Pools

Next, to make these changes take effect, you have to tell IIS to pick them up by recycling the application pools.

Open IIS Manager > expand the server > Application Pools, then right-click MSExchangeAutodiscoverAppPool and select Recycle.

 

Step 4. Install the new SSL Certificate

GoDaddy's how-to is here.

That's it! You can now rest easy knowing you will not be thanked for keeping your users' super important meme emails protected from the bad guys.
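The whole procedure above as one script, added here as an example and not part of the original post: it applies the public FQDN to the three internal URLs, restarts the Autodiscover app pool, and then checks that every internal hostname is actually covered by the new certificate's SAN list. $Server, $Fqdn and $Thumbprint are placeholders for your own environment.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
# $Server, $Fqdn and $Thumbprint are placeholders for your environment.
$Server     = "MailServ1"
$Fqdn       = "mail.yourdomain.com"                 # public name on the new certificate
$Thumbprint = "<thumbprint of the new certificate>"  # placeholder
$Base       = "https://$Fqdn"

# Step 2: point the internal URLs at the public FQDN.
Set-ClientAccessServer -Identity $Server -AutodiscoverServiceInternalUri "$Base/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$Base/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\oab (Default Web Site)" -InternalUrl "$Base/oab"

# Step 3: restart the Autodiscover pool (same effect as Recycle in IIS Manager).
Import-Module WebAdministration
Restart-WebAppPool -Name MSExchangeAutodiscoverAppPool

# Check: collect every hostname clients will now be sent to (the URL properties are Uri objects).
$hosts = @(
    (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri.Host
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl.Host
    (Get-OABVirtualDirectory -Server $Server).InternalUrl.Host
) | Sort-Object -Unique

# Names the certificate covers (CN plus SANs, wildcards included), as lower-case strings.
$sans = (Get-ExchangeCertificate -Thumbprint $Thumbprint).CertificateDomains |
        ForEach-Object { $_.ToString().ToLower() }

foreach ($h in $hosts) {
    $parent  = ($h -split '\.', 2)[1]     # "mail.yourdomain.com" -> "yourdomain.com"
    $covered = ($sans -contains $h.ToLower()) -or ($sans -contains "*.$parent")
    if ($covered) { Write-Host "$h is covered by the certificate" }
    else          { Write-Warning "$h is NOT in the certificate's SAN list; clients will get a name mismatch" }
}
```

A warning here means an internal URL still names a host the certificate does not cover, which is exactly the mismatch the post is about.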


Failed to inject a ConfigMgr driver into the mounted WIM file SCCM 2012 SP1

Credit goes to  from http://sccmentor.wordpress.com/; he has a great WordPress blog. Check his site out!

 

Since SP1 was installed I’ve been unable to update the boot.wim file to the distribution point.

Every time I try to update I get the error:

  • Failed to inject a ConfigMgr driver into the mounted WIM file

So to get around the issue I decided it was time to create a new boot.wim file and upload.

To do this start Deployment Tools Command Line as Administrator.


In this instance I was creating an x64 boot.wim and the command to run for this was COPYPE.CMD amd64 c:\WINPE64\


Here are all the commands for the different architectures:

COPYPE.CMD x86 c:\WINPE86\
COPYPE.CMD amd64 c:\WINPE64\
COPYPE.CMD arm c:\WINPEARM\

Execute the command.


Once run, navigate to the c:\WINPE64\media\sources folder and copy boot.wim to a share for use with SCCM.


In the SCCM console go to the Software Library workspace. Open Operating Systems > Boot Images. Right-click and choose 'Add Boot Image'.


Select the location of the boot.wim file and click Next.


Enter a name for the boot image and click Next. Continue through the wizard to completion.


Once complete, distribute the boot image to a DP.


Ensure you select 'Deploy this boot image from the PXE-enabled distribution point' in the boot image properties.


Delete files that you don't have permissions to.

I was running into an issue where I wasn't able to delete a directory in Windows Explorer or in PowerShell, and I got this pesky message with the Remove-Item cmdlet. It was a file on a file server that I was full enterprise admin on! So I thought I would share my easy method to get rid of files and folders that you do not have said permissions for.

Steps:

1) Create a folder called “Windows.old”

2) Move files that cannot be deleted into that folder

3) Run Disk Cleanup from Start > All Programs > Accessories > System Tools (or search for it in the Start menu)

4) Choose the drive where the Windows.old folder is located and click OK

5) Check the “Previous Windows Installations” box and click OK

Done!

Note that you can also rename the folder you want to delete to "Windows.old" instead of making a new folder.

Install/Remove Server 2012 GUI

One of the best improvements in Windows Server 2012 was the ability to switch from a full server GUI to Core and back again. For instance, let's say you install an RODC with a full GUI and then decide you want to manage that RODC remotely using the remote management tools. With Server 2012 you can drastically decrease your attack surface by removing the GUI. It also reduces your exposure and your maintenance effort, since many Windows Updates are patches for GUI components. You can of course do this through the GUI of your central management server with Add/Remove Server Features, but PowerShell is way more fun!

To remove the GUI:

Step 1: Enable Remote Administration

Configure-SMRemoting.exe -Enable

This will enable remote administration.

Step 2: Uninstalling the GUI

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart (adding "-Remove" actually removes the underlying binaries as well)

To reverse your actions and reinstall the GUI, use the commands below.

To install the GUI:

Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart

This will install the GUI and restart the server. It is literally that easy! Now, if you want to keep a GUI just in case but you don't need the full shell, Server 2012 also has a minimal GUI. Use this command to install the minimal interface from a Core installation:

Install-WindowsFeature Server-Gui-Mgmt-Infra
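A guarded version of the removal above, added here as an example and not part of the original post: it reports which GUI level the server is at, confirms WinRM answers before taking the local console tools away (so the box is not left unreachable after the restart), and only then runs the Uninstall-WindowsFeature command from the post. The function names are my own.

```powershell
# Added example (not from the original post). Function names are my own.
Import-Module ServerManager

# Map the two GUI features to the three levels Server 2012 can run at.
function Get-ServerGuiLevel {
    $infra = (Get-WindowsFeature -Name Server-Gui-Mgmt-Infra).Installed
    $shell = (Get-WindowsFeature -Name Server-Gui-Shell).Installed
    if     ($shell) { return 'Full' }       # full GUI
    elseif ($infra) { return 'MinShell' }   # minimal server interface
    else            { return 'Core' }
}

function Remove-ServerGui {
    param([switch]$DropBinaries)   # -Remove also deletes the feature binaries

    # Do not cut away the console tools unless remote management already works.
    try { $null = Test-WSMan -ErrorAction Stop }
    catch { throw "WinRM is not responding; run 'Configure-SMRemoting.exe -Enable' first." }

    $splat = @{ Name = 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell'; Restart = $true }
    if ($DropBinaries) { $splat.Remove = $true }
    Uninstall-WindowsFeature @splat
}

"Current GUI level: $(Get-ServerGuiLevel)"
# Remove-ServerGui -DropBinaries   # uncomment to remove the GUI and restart
```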

Install Domain Controller 2012 with Powershell

Step 1: Install Active Directory Domain Services

Install-windowsfeature -name AD-Domain-Services

If using a server with a GUI, add "-IncludeManagementTools" to the end of the above line.

Step 2: Promote the server to a domain controller

Import-Module ADDSDeployment

# Adds this server as an additional domain controller in the existing nuggetlab.com domain.
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "nuggetlab.com" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
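The same promotion with a prerequisite check in front of it, added here as an example and not part of the original post: the parameters are put in one hashtable so that Test-ADDSDomainControllerInstallation (which accepts the same parameter set and changes nothing) runs first, and the promotion only happens if the check passes. The domain name and paths are the post's values; the DSRM password prompt is added because the cmdlet requires that parameter.

```powershell
# Added example (not from the original post). Values come from the post above;
# the DSRM password prompt is added because the cmdlet requires it.
Import-Module ADDSDeployment

$params = @{
    DomainName                    = "nuggetlab.com"
    Credential                    = (Get-Credential -Message "Domain Admin for nuggetlab.com")
    SafeModeAdministratorPassword = (Read-Host -AsSecureString "DSRM (safe mode) password")
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    NoGlobalCatalog               = $false
    CriticalReplicationOnly       = $false
    SiteName                      = "Default-First-Site-Name"
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    NoRebootOnCompletion          = $false
    Force                         = $true
}

# Dry run: validates credentials, paths, DNS and replication prerequisites
# and returns a result object with Status, Message and Context.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message, Context

if ($check.Status -eq 'Success') {
    Install-ADDSDomainController @params   # promotes and restarts the server
} else {
    Write-Warning "Prerequisite check failed; the server was not promoted."
}
```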