Intranet Subject Alt Names for Exchange SSL Certificates

So you were using a SHA1 SSL certificate on your Microsoft Exchange server and you get an email letting you know that SHA1 is no longer a secure cryptographic hash. Or perhaps your current SSL certificate is about to expire and you just want to throw a new one in there and call it good. Well to bad! More than likely, you’re like myself and you have intranet subject alt names on your certificate e.g. “MailServ1” for your internal  URL and that is no longer supported.

Why now?

Well, the folks that are in charge of updating the web security standards got together and decided that it was in everyone’s best interest to boost the web’s security. More info can be found on most public certificate authorities websites or here. Overall its a super important job they do and SHA1 is totally broken and sites like http://hashkiller.co.uk have cracked over 131 billion SHA1 hashes.

Well thats good to know, but why can’t i use internal names on my SSL?

First of all, that is a fantastic question! The answer is basically that internal server names aren’t unique, thus man in the middle attacks can work on your exchange server. The attacker could request an SSL from the CA (certificate authority) with the same intranet name.

Great, now I have to figure out what to do!

Whoa now, I got ya covered on that one 😉 with step by step instructions and Exchange Powershell commands.

Step 1. Create a new CSR (Certificate Signing Request) I’m not going to cover this because it is sorta kinda unique to your CA. But here is GoDaddy’s how to here.

Step 2. Change the internal URL to your public FQDN.

You can copy these commands into Notepad++ and replace anything that says “MailServ1” and “YourDomain” to get your FQDN to line up with the commands.

Note* the “Uri” syntax is not a misspelling

Command 1:

Set-ClientAccessServer -Identity MailServ1 -AutodiscoverServiceInternalUri https://MailServ1.YourDomain.com/autodiscover/autodiscover.xml

Command 2: 

Set-WebServicesVirtualDirectory -Identity “MailServ1\EWS (Default Web Site)” -InternalUrl https://MailServ1.YourDomain.com/ews/exchange.asmx

Command 3:

Set-OABVirtualDirectory -Identity “MailServ1\oab (Default Web Site)” -InternalUrl https://MailServ1.YourDomain.com/oab

 

Step 3. Recycle the IIS Application Pools

Next to make these commands take effect you have to tell IIS to push these changes by recycling the application pools.

Open IIS Manager>Expand the server>Application Pools, then right-click on MSExchangeAutodiscoverAppPool, and select Recycle.

 

Step 4. Install the new SSL Certificate

GoDaddy’s how to is here

That it! you now can rest easy knowing you will not be thanked for keeping your users super important meme emails protected from the bad guys.

Advertisements

Install/Remove Server 2012 GUI

One of the best improvements with Windows Server 2012 was the ability to switch from a full server GUI to Core and back and forth between them. For instance, lets say you install a RODC with a full GUI and then decide that you want to manage that RODC remotely using remote management tools. With Server 2012 you are able to drastically decrease your attack surface area by removing the GUI. It also decreases your vulnerability and maintenance since many of the Windows Updates are patches for the GUI. You can of course do this through the GUI of your central management server with the Add/Remove server features but Powershell is way more fun!

To remove the GUI 

Step 1: Enable Remote Administration

Configure-SMRemoting.exe –Enable

This will enable remote administration.

Step 2: Uninstalling the GUI

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell –Restart (Also using “–Remove” actually removes the underlying binaries)

To reverse your actions and install the GUI use the below commands.

To install the GUI: 

Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell –Restart

This will will install the GUI and restart the server. It is literally that easy! Now if you want to keep a GUI just in case but you don’t need a full feature OS Server 2012 also has a minimalist GUI. Use this command to install the minimal interface from a core installation

Install-WindowsFeature Server-Gui-Mgmt-Infra

Install Domain Controller 2012 with Powershell

Step 1: Install Active Directory Domain Services

Install-windowsfeature -name AD-Domain-Services

If using a server with a GUI add “-IncludeManagementTools” to the end of the above line.

Step 2:

Import -Module ADDSDeployment

Install -ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-Credential (Get -Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath “C: \Windows \NTDS” `
-DomainName “nuggetlab.com” `
-InstallDns:$true `
-LogPath “C: \Windows \NTDS” `
-NoRebootOnCompletion:$false `
-SiteName “Default -First -Site -Name” `
-SysvolPath “C: \Windows \SYSVOL” `
-Force:$true