Setting Up Certificate Services

Starting from the virtual machine I installed Active Directory on in the previous walk-through, I am going to set up a basic Certificate Services install. Treat the machine that hosts it as one of the most sensitive in your organization: it holds the CA's private key, and that key signs every certificate your domain trusts, whether used internally or, if you choose, on external services. Anyone who obtains that key can mint certificates your whole domain will accept.

Start by going to Control Panel, and Add or Remove Programs.

Click Add/Remove Windows Components and check the box next to Certificate Services. A dialog will appear with a warning, as in the photo below: once Certificate Services is installed, the computer cannot be renamed or moved to another domain, because the CA's identity is bound to the machine name.

Be sure you read this warning, then click Yes to continue and click Next.

Select ‘Enterprise root CA’ and click Next. An enterprise CA must be installed on a domain member by an account with Enterprise Admin rights; in return its certificate is published to Active Directory, so domain members trust it automatically.

You will be asked for the ‘Common name for this CA:’. Type in the computer's name. In my case, from the last walk-through, this was “default-fm878pv”, which I did not change. If you did not rename the computer to something more meaningful, cancel now and change it: this name ends up in every certificate the CA issues and cannot be changed afterwards.

Click Next, then click Next again to accept the database paths. You will be asked for the Windows 2003 CD now; insert it and click OK. After the file copy, you may be presented with the message shown below.

Click OK.

In this walk-through we will also enable Web Enrollment, since we might use it later for smart cards and the like.

Back at the Add or Remove Programs screen, click Add/Remove Windows Components again, highlight ‘Application Server’ (do not check it), then click Details.

Highlight ‘Internet Information Services (IIS)’ (again, do not check it) and click Details.

Scroll down and check the box next to ‘World Wide Web Service’, click OK, then click OK again and click Next. If you removed the 2003 CD, you will need it again.

Reboot the server.

Open a Command Prompt, type ‘certutil -vroot’ as shown in the photo below, and hit Enter. This creates the /certsrv virtual directory in IIS that web enrollment is served from.

Open Internet Explorer on the server, or on another workstation on the network, connect to the server by name or IP address, and browse to /certsrv as shown in the photo below.

If you see this welcome page, your web enrollment is working. Note that it is served over plain HTTP at this point; before you use it for anything sensitive, put an SSL certificate on the site, as the Exchange post below assumes.

You can administer your Certificate Services install through the Certification Authority console in Administrative Tools.

You can now use EFS with certificates on your Active Directory client machines. The next thing to look up is how to set up an EFS recovery agent: the recovery agent's certificate is what lets you, as the network admin, decrypt files that employees or users encrypted when you need access to them. Protect that certificate and its private key as carefully as the CA's own.

March 9th, 2011 | Categories: How To

Installing Active Directory

I will try to include as many screenshots as possible, to help those who are learning or are new to installing Active Directory.

This install was performed on a virtual machine running Windows Server 2003 R2 Standard. The steps are similar on Windows 2000.

We start from a fresh install. Close the Configure Your Server wizard; we are going to do this manually.

Assign a static IP address to this server, and set the server's primary DNS server to its own IP address. I did this while installing Windows.

Next we need to give this machine a DNS suffix. Use the same name you will give the domain. I am going to use testdomain.home because this is an example setup, and I chose the .home TLD because it is not valid on the internet, so it will never conflict with a real domain and cause problems on the internal network, such as being unable to reach websites. (For a production domain, the usual advice is a subdomain of a DNS name you actually own, such as ad.example.com, which avoids the collision problem just as well.)

If you chose, say, yahoo.com as your domain name, your clients would not be able to reach the real yahoo.com, because your DNS server is authoritative for that zone and would resolve it to your Active Directory server instead of Yahoo's servers.

To do this, right-click My Computer in the Start Menu and choose Properties. Select the Computer Name tab at the top and click Change. On the Computer Name Changes dialog, click the More button, type in your suffix, and click OK.

Restart the server.

Log in to the server and start by making it the DNS server for Active Directory and the clients.

Go to Start Menu, Control Panel, Add/Remove Programs. Click Add/Remove Windows Components on the left. Scroll down to Networking Services, highlight it (don’t check the box next to it), and click Details. Check the box next to Domain Name System (DNS), click OK, then click Next. Insert the CD if asked and click OK.

After the files copy, click Finish and close the Add/Remove Programs window.

Go to Start Menu, Administrative Tools, DNS. Right-click Forward Lookup Zones and choose New Zone. Click Next, choose Primary Zone, and click Next. When asked for the zone name, you must type the same name you used for the computer's DNS suffix in the previous steps.

Click Next, then Next again to accept the filename. When asked about dynamic updates, choose ‘Allow both nonsecure and secure dynamic updates’. (We will secure this later; secure-only updates are only available once the zone is stored in Active Directory, which cannot happen until the server is a domain controller.) Click Next, then Finish.

Right-click Reverse Lookup Zones and choose New Zone. Click Next, choose Primary Zone, then click Next.

Type in the network portion of your IP space (the leading octets of your subnet) and click Next, then Next to accept the filename, and choose ‘Allow both nonsecure and secure dynamic updates’. (We will secure this later.) Click Next, then Finish.

Restart the server.

Open a command prompt and type ‘nslookup’. It should report the server's own name and IP address as the default server, similar to the following:

If you get an error, your DNS server is not working correctly yet, and it must be working before you proceed: dcpromo registers the domain's SRV records in this zone, and without them clients cannot find the domain controller.

Click Start Menu, Run. Type in ‘dcpromo’ and click OK.

Click Next, Next, then Next again for a new domain, and Next again for a new forest. When asked for the full DNS name, type the same name you have been using in the steps above.

Click Next after typing your DNS name; the wizard then tests your DNS server. You can change the NetBIOS name or leave the default, then click Next. Accept the default NTDS paths and click Next, accept the default SYSVOL path and click Next, then click Next again. For permissions, choose the option compatible only with Windows 2000 and Windows Server 2003 (the pre-Windows 2000 option grants anonymous read access to the directory, which you do not want) and click Next. Choose a password for Directory Services Restore Mode and click Next; keep this password somewhere safe, since it is the local administrator password used when the domain controller is booted with the directory offline. Click Next again and the promotion starts.

When it is all done, click Finish and restart.

Click Start Menu, Administrative Tools, DNS. Select and then right-click your domain under Forward Lookup Zones and choose Properties. To the right of Type, click Change. Check ‘Store the zone in Active Directory’, click OK, then Yes, then change the Dynamic updates drop-down to ‘Secure only’ and click OK. With secure-only updates, only computers that can authenticate to the domain may register or change records, so a rogue host on the network cannot overwrite another machine's name with its own address.

Do the same for the Reverse Lookup Zone: select and then right-click your network subnet, click Properties, change the type to store the zone in Active Directory, set dynamic updates to ‘Secure only’, and click OK.

You now have a domain controller to join clients to. Make sure the clients use the domain controller as their DNS server; joining the domain and logging on both depend on the SRV records it hosts.

March 4th, 2011 | Categories: How To

ActiveSync on a T-Mobile MDA

Before we begin, make sure the phone has a data plan activated and that you can browse the internet using Internet Explorer on the phone.

If your Microsoft Exchange 2003 server uses Forms Based Authentication, and you are using SSL with it (you SHOULD be; why are you not using SSL?!), then you will need either a certificate from a third party that the device already trusts, or to transfer your certificate authority’s root certificate to the phone and install it into the Windows Mobile certificate store on the phone.

Because we are cheap, we are going to use our own certificate and save ~$60.00 a month.

Use Internet Explorer to browse to the Certificate Server on your network. Usually the address will be something like http://adserver/certsrv; replace http with https if you use SSL on that server (you should), and replace adserver with the name of the server running IIS and Certificate Services.

At the bottom of the webpage, click on ‘Download a CA certificate, certificate chain, or CRL’. After the next page loads, click ‘Download CA certificate’ at the bottom. You will be presented with a file download dialog; save the file where you can find it later. Because you are about to make the phone trust whatever is in this file, fetch it over HTTPS or compare its thumbprint with the one shown for the CA certificate in the Certification Authority console before you import it.
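Before the downloaded file goes anywhere near a trust store, it is worth checking that what /certsrv served (the same page the Certificate Services walk-through above ends on) really is a self-signed CA certificate, and recording its fingerprint. The script below is an added example written for this page, not code from the original posts or from Microsoft: a minimal DER reader in Python that pulls the issuer, subject and basicConstraints extension out of any DER-encoded certificate and hashes the file. It does not verify the signature. Because no real certificate can be embedded here, the sample certificate is constructed inside the script with a small DER encoder and carries an all-zero dummy signature; the CA name default-fm878pv is reused from the walk-through and the leaf name workstation1 is made up.

```python
"""Inspect a DER-encoded X.509 certificate without third-party libraries.

Added example (not from the original posts). Checks to make on the file that
/certsrv hands out as 'Download CA certificate' before trusting it:
  * subject == issuer            (a root certificate is self-signed)
  * basicConstraints cA == TRUE  (it is allowed to sign other certificates)
  * SHA-1 / SHA-256 fingerprint  (compare with the CA console's thumbprint)
No signature verification is done. The sample certificate is CONSTRUCTED
below with a tiny DER encoder so the script runs offline.
"""
import hashlib

# ---------- minimal DER reader ----------
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) parts."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
OID_BASIC_CONSTRAINTS = "2.5.29.19"

def name_to_string(name):
    """X.501 Name = SEQUENCE OF SET OF {OID, value}  ->  'CN=...,O=...'."""
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            dotted = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={val.decode()}")
    return ",".join(parts)

def inspect_certificate(der_bytes):
    """Issuer, subject, CA flag and fingerprints of a DER certificate."""
    _, cert, _ = der_read(der_bytes)                 # Certificate ::= SEQUENCE
    (_, tbs), _sig_alg, _signature = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _alg, (_, issuer), _validity, (_, subject), _spki = fields[:6]
    info = {"issuer": name_to_string(issuer), "subject": name_to_string(subject),
            "is_ca": False, "sha1": hashlib.sha1(der_bytes).hexdigest(),
            "sha256": hashlib.sha256(der_bytes).hexdigest()}
    for tag, val in fields[6:]:
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        _, exts, _ = der_read(val)
        for _, ext in der_children(exts):
            items = der_children(ext)                # OID, [critical], OCTET STRING
            if decode_oid(items[0][1]) == OID_BASIC_CONSTRAINTS:
                _, bc, _ = der_read(items[-1][1])    # BasicConstraints ::= SEQUENCE
                kids = der_children(bc)              # [cA BOOLEAN] [pathLen INTEGER]
                info["is_ca"] = bool(kids) and kids[0][0] == 0x01 and kids[0][1] != b"\x00"
    info["self_signed"] = info["issuer"] == info["subject"]
    return info

def looks_like_root_ca(info):
    return info["self_signed"] and info["is_ca"]

# ---------- tiny DER encoder, used only to build the constructed sample ----------
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return der(0x06, body)

def encode_name(cn):
    return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x13, cn.encode()))))

def sample_certificate(subject_cn, issuer_cn, is_ca):
    """Constructed v3 certificate; public key and signature are zero placeholders."""
    alg = der(0x30, encode_oid("1.2.840.113549.1.1.5") + der(0x05, b""))   # sha1WithRSA
    basic = der(0x30, der(0x01, b"\xff") if is_ca else b"")                  # cA FALSE omitted
    ext = der(0x30, encode_oid(OID_BASIC_CONSTRAINTS) + der(0x01, b"\xff") + der(0x04, basic))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + encode_name(issuer_cn)
              + der(0x30, der(0x17, b"110309000000Z") + der(0x17, b"310309000000Z"))
              + encode_name(subject_cn)
              + der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
                    + der(0x03, b"\x00" * 17))
              + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
```

Run `inspect_certificate(open("certnew.cer", "rb").read())` on the file you actually downloaded; if it reports a different subject and issuer, or `is_ca` is false, you have been handed an issued certificate (or something else entirely) rather than the root, and it should not go into any trust store.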

Close Internet Explorer and then plug the MDA phone into your computer with the USB cable. Make sure you have ActiveSync from Microsoft installed. Open My Computer and you should see a new device called ‘Mobile Device’ or something similar. Nice big orange thing.

Copy the certificate onto that device, into its My Documents folder. Then, on the device itself, use File Explorer to find the certificate file, tap it, and choose Yes to import the certificate.

Now you can proceed to setting up ActiveSync on the phone device itself to connect to your Microsoft Exchange 2003 server.

January 29th, 2008 | Categories: General

Airsnort in Windows XP

I have seen many sites around the internet claiming that it is possible to run Airsnort in a Windows environment. If you don’t know, Airsnort is a wireless network sniffer: it captures wireless traffic and, if the network is using WEP, it can take a shot at cracking the WEP key and showing it to you.

This is not easy, of course, and it can take a VERY long time. The time depends mostly on how much traffic the wireless network generates: every captured packet carries its 24-bit IV in the clear, and Airsnort collects the ones with the weak IV patterns of the FMS attack, so more packets mean more usable IVs and a better chance of recovering the key.
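To see why captured packets are all a sniffer needs, here is an added example (written for this page, not Airsnort's code) of the two WEP weaknesses at work in Python: the RC4 keystream depends only on the 24-bit cleartext IV and the secret key, so two frames that share an IV share a keystream, and the ICV is an unkeyed CRC-32, so guessing a frame's plaintext (an ARP request is easy to guess) also reveals the keystream bytes that cover the ICV. The 40-bit key, the IV, and both frame payloads are constructed in the script; the `is_fms_weak_iv` check shows the IV shape `(B+3, 0xFF, x)` that the FMS attack keys on, which is the reason traffic volume matters.

```python
"""Why a passive sniffer can break WEP.

Added example, not Airsnort's code. The WEP key, IV and frame payloads are
CONSTRUCTED here; a real capture would supply them.
"""
import struct
import zlib

def rc4_keystream(key, n):
    """Textbook RC4: key scheduling (KSA), then n bytes of PRGA output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data):
    """WEP integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key, iv, plaintext):
    """Frame body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))

def wep_decrypt(wep_key, frame):
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + wep_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data

# Every data frame starts with an LLC/SNAP header; for ARP it is these 8 bytes,
# so a sniffer knows at least 8 plaintext bytes of every ARP frame it sees.
SNAP_ARP = bytes.fromhex("aaaa030000000806")
SNAP_IP = bytes.fromhex("aaaa030000000800")

def keystream_from_known_plaintext(frame, known_plaintext):
    """Keystream for this frame's IV, recovered without the WEP key.
    Because the ICV is an unkeyed CRC, guessing the whole plaintext also
    yields the 4 keystream bytes that cover the ICV."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))

def decrypt_with_reused_iv(frame, keystream):
    """Any other frame sent under the same IV was XORed with the same keystream."""
    return xor(frame[3:], keystream)

def is_fms_weak_iv(iv, key_byte=0):
    """IV shape (B+3, 0xFF, x) that the FMS attack uses to recover key byte B."""
    return iv[0] == key_byte + 3 and iv[1] == 0xFF

def count_weak_ivs(frames, key_byte=0):
    return sum(1 for f in frames if is_fms_weak_iv(f[:3], key_byte))

# ---- constructed scenario: one IV, two frames ----
WEP_KEY = bytes.fromhex("0102030405")               # 40-bit key (constructed)
IV = bytes([0x03, 0xFF, 0x07])                      # weak for key byte 0 under FMS
ARP_REQUEST = (SNAP_ARP + bytes.fromhex("0001080006040001")       # ethernet/IPv4, request
               + bytes.fromhex("001122334455") + bytes([10, 0, 0, 1])
               + bytes(6) + bytes([10, 0, 0, 2]))                 # who has 10.0.0.2?
SECRET = SNAP_IP + b"user=admin;pw=letmein"         # 29 bytes, shorter than the ARP frame

def demo():
    """Recover the private frame's plaintext from the guessable one, no key needed."""
    frame_a = wep_encrypt(WEP_KEY, IV, ARP_REQUEST)
    frame_b = wep_encrypt(WEP_KEY, IV, SECRET)
    ks = keystream_from_known_plaintext(frame_a, ARP_REQUEST)   # 40 keystream bytes
    plain_b = decrypt_with_reused_iv(frame_b, ks)
    data, tag = plain_b[:-4], plain_b[-4:]
    return {"iv_reused": frame_a[:3] == frame_b[:3],
            "keystream_bytes": len(ks),
            "recovered": data,
            "icv_ok": icv(data) == tag,
            "weak_iv": is_fms_weak_iv(IV)}
```

With only 2^24 IVs and a keystream that is reused whenever one repeats, a busy network hands the sniffer both collisions and weak IVs by the thousand; that, not any clever driver trick, is why Airsnort's success is measured in packets captured.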

First, you will need a supported wireless card, so before we begin: if your card is NOT on this list, give up now or go out and find a card that is on the list. I cannot guarantee that any of them will work for you. The card I use is an Orinoco Classic Gold PC Card from Agere Systems. It is an 802.11b (11 Mbps) only card, so I use it mainly for snooping around.

[ List: http://www.wildpackets.com/support/product_support/airopeek/hardware ]

That page is the hardware list for AiroPeek from WildPackets. If your card IS on the list, grab the driver listed in that table, and a demo of AiroPeek NX from WildPackets.

[ Download: http://www.wildpackets.com/products/demos/apwnx ]

Download that demo, because we need three files from its installation; you can remove the program once we are done.

You will need to force your wireless card to use the driver you downloaded from that website (update the card's driver in Device Manager and point it at the downloaded files).

You will now need to download some files from Archaic Binary here that I have gathered for you in a zip file. Included in this zip file are:

1. AirSnort (Sources and Binary)
2. atk
3. glib
4. gtk
5. pango

Nothing needs to be installed; just unzip the files to a location of your choice. I chose to unzip directly into C:\Program Files, and it creates the Airsnort folder for you. Now browse to the folder where you installed AiroPeek NX and copy the Peek.dll, Peek4 and Peek5 files into your Airsnort\bin directory.

You will now need to modify your Environment Variables to include the folders above in your path, so Airsnort can find them.

Right-click ‘My Computer’ and choose Properties, OR
hold the Windows key and press Pause/Break, OR
click the Start button, right-click ‘My Computer’ and choose Properties.

At the top, choose the Advanced tab, then click the Environment Variables button at the bottom.

In the System Variables area, select Path and click ‘Edit’. At the end of the Variable Value, paste or type in the line below. Change it accordingly if you put the Airsnort files somewhere other than C:\Program Files\Airsnort.

[ Path: C:\Program Files\Airsnort\atk\bin;C:\Program Files\Airsnort\glib\bin;C:\Program Files\Airsnort\gtk\bin;C:\Program Files\Airsnort\pango\bin;C:\Program Files\Airsnort\bin ]

Click OK, then OK again, and OK one last time.

You should now be completely out of the System Properties dialogs.

Go to the folder where Airsnort resides and run airsnort.exe in the bin directory.

Good Luck!

January 24th, 2008 | Categories: General