Migrating Enterprise CA to new server (Part 1)

This is a step-by-step process for migrating Active Directory Certificate Services from one server to another in the same domain, for example when you upgrade or replace the server on which the CA is installed.
You have to know some basic things before you begin to migrate a CA server:

  • It is recommended that the new server has the same name as the old one, because the CRL distribution points and other paths embedded in issued certificates reference that name. If the name is not reachable, clients cannot check the validity of the certificate.
  • This is not a live migration from one server to another: we have to export all settings and backups from the old server, decommission it and only then install the new one with the same name. Errors and mistakes are not allowed.
  • Do the migration slowly, take your time and document everything. You will need all the documentation during the migration and the support period afterwards.
  • In this guide you will find the steps to migrate one server. If you have a more complicated environment with more servers and subordinate CAs, you need a plan for the entire migration before you start.

Source server
First take a full backup of the entire server. This step is not mandatory, but you may need it if something goes wrong.

After this, check and write down the server name, the IP address (if it is static) and the paths where the CA database and the CRL are located. You will need this data to restore the same configuration on the new server.

Now the crucial step is to back up all certificates, certificate templates, settings, databases, the root CA and the registry settings. Unfortunately, the CA backup does not cover all settings; it backs up only the CA database. The steps required to be able to transfer the entire configuration are:

  • Check all the roles that are installed (CA, CA Web Enrollment, …) because you will need to install the same roles on the destination server.
  • In MMC (mmc.exe) open the Certification Authority snap-in and take a screenshot or write down the names of the certificate templates you are using. When you install the new server, you will have to enable the same templates. You can also export all certificate template names with the command certutil.exe -catemplates > D:\Backup\catemplates.txt from an administrative Command Prompt. This step is required only if you are using an enterprise CA.

  • Now that we have the CA open in MMC, we can also use it to back up the CA database. To do this, right-click the CA server name, go to All Tasks and select Back up CA. Follow the wizard and make sure you select both the Private key and CA certificate and the Certificate database and certificate database log check boxes. Only in this way will you back up all the data we need.
  • Record your CA's CSP and signature algorithm. This can be done by executing the command certutil.exe -getreg ca\csp\* > D:\Backup\csp.txt from an administrative Command Prompt. There will be nothing to do later if you are using the default algorithms, but it is always better to check.

  • Export the registry keys: on the destination server you will need the same settings as on the source, so you need to export the registry separately because this is not part of the CA backup procedure. Open Regedit.exe and navigate to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration. Right-click the key and save it to a file.

  • If you are using a custom policy, you should include it in the backup. This means that you have to copy the file CAPolicy.inf, which is located in C:\Windows (the system root folder).
  • Review all steps to check that they were done correctly!
  • Using Server Manager, remove the CA roles from the server and restart the server.
  • Remove the server from the domain, restart it and finally turn it off. If you have other roles on the same server, you also have to move them to other servers. From this point on your old server is down; you don't need it anymore.
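The following script is an added example, not part of the original post; it collects in one run everything the steps above say to save from the source CA before it is decommissioned. It assumes Windows Server 2012 or newer with the ADCSAdministration module (the Backup-CARoleService cmdlet), an elevated PowerShell session, and uses D:\Backup as the backup location (a placeholder; change it to your own path).

```powershell
# Added example: one-shot backup of the source CA before decommissioning.
# Assumptions: Windows Server 2012+, ADCSAdministration module, elevated session.
# D:\Backup is a placeholder backup location.
#Requires -RunAsAdministrator
$Backup = 'D:\Backup\CA-' + (Get-Date -Format 'yyyyMMdd')
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# 1. Server identity and CA paths, so the new server can be rebuilt identically.
#    "Active" under CertSvc\Configuration names the CA; its own subkey holds the paths.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfgKey).Active
$ca     = Get-ItemProperty (Join-Path $cfgKey $caName)
$staticIPv4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object PrefixOrigin -eq 'Manual' | Select-Object -ExpandProperty IPAddress
[ordered]@{
    ComputerName          = $env:COMPUTERNAME
    CAName                = $caName
    StaticIPv4            = @($staticIPv4) -join ','
    DBDirectory           = $ca.DBDirectory
    DBLogDirectory        = $ca.DBLogDirectory
    CRLPublicationURLs    = @($ca.CRLPublicationURLs)    -join ' | '
    CACertPublicationURLs = @($ca.CACertPublicationURLs) -join ' | '
} | ConvertTo-Json | Set-Content "$Backup\manifest.json"

# 2. Installed ADCS roles, to reinstall the same ones on the destination server
Get-WindowsFeature -Name ADCS-* | Where-Object Installed |
    Select-Object Name, DisplayName | Export-Csv "$Backup\roles.csv" -NoTypeInformation

# 3. Enabled certificate templates (meaningful for an enterprise CA only)
certutil.exe -catemplates > "$Backup\catemplates.txt"

# 4. CSP and signature algorithm
certutil.exe -getreg ca\csp\* > "$Backup\csp.txt"

# 5. CA database, its log and the CA certificate with private key
#    (the same data the "Back up CA" wizard exports); the key is password protected.
$keyPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported CA key'
Backup-CARoleService -Path "$Backup\CA" -Password $keyPassword -KeepLog

# 6. Registry export, which is not part of the CA backup
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$Backup\CertSvc-Configuration.reg" /y

# 7. CAPolicy.inf from the system root, if a custom policy is in use
if (Test-Path "$env:SystemRoot\CAPolicy.inf") {
    Copy-Item "$env:SystemRoot\CAPolicy.inf" $Backup
}

# 8. Integrity record: hash every file so the copy can be verified on the new server
Get-ChildItem $Backup -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Export-Csv "$Backup\hashes.csv" -NoTypeInformation
```

Keep the password for the exported key with the documentation (the new server will ask for it when the key is imported) and check hashes.csv after the backup folder has been copied off the server; only then continue with removing the roles.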

Have you forgotten your Local Administrator password?

Well, if the computer is yours and you have physical access to it, then you can solve it.
This procedure works with Windows 8.x and newer and Windows Server 2012 and newer. It is not real hacking technology, but we will use a hole in the operating system.
All we need in this case is to open a shell with high enough privileges before we are asked for the password. Impossible? Not really.
We will do it in a simple way:

  • Insert the installation media into your computer and boot from it
  • In the installation process select Repair your computer

  • Under Choose an option select Troubleshoot and then Command Prompt

  • Find the partition where Windows is installed (the default is C:) and change directory to Windows\System32 (cd \Windows\System32)
  • For server systems you have to rename the file “UserInit.exe” to something else, using the command Ren UserInit.exe Userinit.Old, and replace the missing file with cmd by copying it with the command copy cmd.exe userinit.exe
  • For Windows client systems you have to rename the file “Utilman.exe” to something else, using the command Ren Utilman.exe Utilman.Old, and replace the missing file with cmd by copying it with the command copy cmd.exe Utilman.exe

  • Restart the computer to boot into the normal operating system (the one where you forgot the password)
  • Click the Ease of Access icon and a Command Prompt window will open. To be clear, this command shell runs as SYSTEM, so you can do a lot of things here.

  • If the Administrator account is disabled (Windows 8.x or 10), first you need to enable it with the command net user Administrator /active:yes
  • Reset the password of the Administrator account with the command net user Administrator MyPassword, where MyPassword is your new password

  • Close the Command Prompt and log in to your system.

Do not use this procedure for hacking. This article is meant for recovering your own passwords and those of your clients, and it will not recover domain passwords.
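Because the procedure above works by swapping a logon-screen helper for cmd.exe, an administrator who inherits a machine will want to check that this has not been done to it. The script below is an added example, not part of the original post: it compares the two files named above (Utilman.exe and UserInit.exe) with cmd.exe by hash and by the OriginalFilename embedded in their version resource, and looks for the leftover .Old copies. It assumes an elevated PowerShell 3.0 or newer session on the machine being checked; nothing else is required.

```powershell
# Added example: detect a cmd.exe copy standing in for Utilman.exe or UserInit.exe.
# Assumptions: elevated PowerShell 3.0+, run on the machine being inspected.
$System32 = "$env:SystemRoot\System32"
$cmdHash  = (Get-FileHash "$System32\cmd.exe" -Algorithm SHA256).Hash

# The two files the recovery procedure replaces
$watch = 'Utilman.exe', 'UserInit.exe'

$findings = foreach ($name in $watch) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path $path)) { continue }

    $hash = (Get-FileHash $path -Algorithm SHA256).Hash
    # A copied cmd.exe keeps cmd's version resource, so OriginalFilename no longer matches the file name
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    # Catalog signatures are bound to the file hash, not the name, so a renamed cmd.exe can still
    # report a valid Microsoft signature; that is why the hash comparison above is the decisive check.
    $sig  = Get-AuthenticodeSignature $path

    [pscustomobject]@{
        File            = $name
        IsCmdCopy       = ($hash -eq $cmdHash)
        OriginalName    = $orig
        NameMismatch    = (-not [string]::IsNullOrEmpty($orig)) -and ($orig -notlike "$base.*")
        Signature       = $sig.Status
        RenamedOriginal = Test-Path (Join-Path $System32 "$base.Old")
    }
}

$findings | Format-Table -AutoSize

$suspicious = $findings | Where-Object {
    $_.IsCmdCopy -or $_.NameMismatch -or $_.RenamedOriginal -or $_.Signature -ne 'Valid'
}
if ($suspicious) {
    Write-Warning "Logon-screen helper(s) look replaced: $($suspicious.File -join ', '). Restore them (sfc /scannow) and review how the disk was accessed offline."
} else {
    Write-Host 'Utilman.exe and UserInit.exe are the original binaries.'
}
```

The check is after the fact; what actually closes the hole is preventing offline modification of the system volume, which is what BitLocker on the OS drive (or a firmware boot password) does, since the procedure above depends on writing to System32 from the installation media before Windows starts.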

Cryptolocker…

Every one of us wants to stop Cryptolocker and similar programs. It seems to be a real nightmare for all admins. Anyway, to stop Cryptolocker and any other unwanted program, you have to be aware that this will bring limitations to your system which are not always welcome.

How does Cryptolocker work?
A Cryptolocker infection has 5 phases:

  1. Installation: the software is delivered to your computer via a download or an e-mail attachment and the user clicks on it. The executable is now installed, the registry keys are set and we are ready for the next phase.
  2. Contacting headquarters: the computer contacts the criminals' headquarters for registration, which prepares the environment for phase 3.
  3. Creating keys: headquarters and client now identify each other, “handshake” and create the two keys for encryption.
  4. Encryption: the cryptographic keys are now established and the encryption can begin. It depends on the version, but almost all files on all local and shared drives where you have permissions will be encrypted.
  5. Extortion: a screen is displayed explaining how much and where to pay, together with how much time you have to pay. If you do not pay in time, the headquarters key is deleted and you will not be able to decrypt the files. The payment gets higher every day, so if you want to pay, do it immediately.

To prevent a large amount of unwanted software, the first step is always to remove local admin permissions and turn on UAC. These two actions put you in a situation where the user is not able to install any application or write to crucial system folders. Also keep your system always up to date, and I don't mean only the OS: include all installed applications (we know about attacks on Java, Adobe Flash Player, Microsoft Office, …).
Of course this is not enough, as a lot of bad guys know how to elevate permissions or use different folders (for example AppData is used by Cryptolocker), but being a local admin is a great way to become a victim. I suggest to all home users and system administrators to use two different accounts: one for daily use and a second one for administrative tasks.
Well, the real way to prevent Cryptolocker is to block the execution of exe files in the AppData folder. You can do this with Group Policy, either with AppLocker or with Software Restriction Policies. These are the steps for basic protection with AppLocker:

  1. Create a new GPO for Cryptolocker prevention
  2. Edit the newly created GPO
  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > System Services
  4. Enable the “Application Identity” service and set it to Automatic startup mode
  5. Go down to Application Control Policies and expand AppLocker
  6. In “Configure rule enforcement” enable Executable rules and set them to Enforce mode (I suggest running them in Audit mode for a week or two and analysing the logs before enforcing them, just to find legitimate applications that would be blocked)
  7. Expand AppLocker and click Executable Rules
  8. Right-click in the action pane and create Default Rules
  9. Right-click in the action pane and create a New Rule
  10. In Permissions set Action to Allow for Everyone
  11. In Conditions select Publisher rule
  12. In Publisher, just browse to one file (in my case it was Internet Explorer) and move the slider up to Any publisher
  13. Give the rule a name

So, this is about AppLocker, but we still have a lot of work to do. There is a big attack surface if users are local admins. To prevent this, configure Restricted Groups in the GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
Apply this GPO to all computers and the first step is done.
GPO is a good way to prevent Crypto, but be aware that Crypto is evolving and you have to evolve with it. And preventing Crypto with GPO means the executable is already on your system; maybe you have to stop it before it is downloaded or received by mail. For this step you will need an application firewall and a good antivirus on the file system and in the mail system.
But you can still do something with cheap devices by closing outgoing ports 83, 846, 777, 997, 1604, 9001, 9003, 444, 9052, 8443, 7777, 9003 and 25254. These ports are used to communicate with the headquarters servers to obtain a certificate for encryption (other ports may exist or be added/changed over time). If you close these ports, the system will not be able to retrieve a certificate for encryption and the encryption cannot begin. Be careful with notebooks, because users take their notebooks home and there the encryption will succeed.
As you can see, there are a lot of ways to prevent Cryptolocker, but you have to prevent it. Once you have it, it is too late; think about it now!
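The two scripts below are added examples, not part of the original post or of any Microsoft tooling. The first builds the same AppLocker policy that steps 4 to 13 above create in the GPO editor (the three default executable rules plus an “Any publisher” allow rule for Everyone), starts it in audit mode as suggested, tests it against sample paths and shows how to read the audit log before switching to enforcement. It assumes Windows 8 / Server 2012 or newer with the AppLocker cmdlets and an elevated session; C:\Temp\AppLocker-Crypto.xml and the LDAP path of the GPO are placeholders.

```powershell
# Added example: script the AppLocker policy from the steps above.
# Assumptions: Windows 8 / Server 2012+, AppLocker cmdlets, elevated session.
# $PolicyFile and the -Ldap path are placeholders.
#Requires -RunAsAdministrator
$PolicyFile = 'C:\Temp\AppLocker-Crypto.xml'
$Mode = 'AuditOnly'   # change to 'Enabled' after reviewing the audit log for a week or two

# Step 4: AppLocker enforces nothing unless the Application Identity service runs.
# sc.exe is used because Set-Service cannot change this service's start type on recent builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

$newId = { [guid]::NewGuid().ToString() }
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <!-- Step 8: the three default executable rules -->
    <FilePathRule Id="$(& $newId)" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $newId)" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $newId)" Name="(Default Rule) All files" Description="Administrators may run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Steps 9-13: Everyone may run any signed executable ("Any publisher") -->
    <FilePublisherRule Id="$(& $newId)" Name="Allow signed executables from any publisher" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null
Set-Content -Path $PolicyFile -Value $policy -Encoding UTF8

# Dry run: an unsigned exe under AppData is denied, a signed one under Program Files is allowed.
# Sample paths; Test-AppLockerPolicy needs the files to exist, so missing ones are skipped.
$samples = "$env:LOCALAPPDATA\Temp\dropper.exe", "$env:ProgramFiles\Internet Explorer\iexplore.exe"
$existing = @($samples | Where-Object { Test-Path $_ })
if ($existing) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $existing -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply locally on a pilot machine; for the domain GPO (steps 1-2) point -Ldap at the GPO instead.
Set-AppLockerPolicy -XmlPolicy $PolicyFile
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap 'LDAP://DC1.example.local/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=local'

# While in AuditOnly, event 8003 lists executables that would have been blocked under enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

With these four rules the net effect is exactly the one the post is after: a file dropped into AppData runs only if it is signed, while anything under Program Files or Windows keeps working. Add a publisher or hash rule for each legitimate unsigned program that shows up as event 8003 before changing $Mode to Enabled.

The second script creates the outbound firewall block for the ports listed above. It assumes the Windows Firewall cmdlets (NetSecurity module, Windows 8 / Server 2012 or newer) and an elevated session; the GPO policy-store name in the last comment is a placeholder. The duplicate 9003 in the list is removed by the sort.

```powershell
# Added example: block the listed outbound ports on all firewall profiles and log hits.
# Assumptions: NetSecurity module (Windows 8 / Server 2012+), elevated session.
#Requires -RunAsAdministrator
$Ports = 83, 846, 777, 997, 1604, 9001, 9003, 444, 9052, 8443, 7777, 9003, 25254 | Sort-Object -Unique
$Group = 'Cryptolocker C2 block'   # display group so the rules can be listed or removed together

# Remove a previous version of the rule set first, so the script can be re-run safely
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "$Group ($proto)" -Group $Group `
        -Direction Outbound -Action Block -Protocol $proto -RemotePort $Ports `
        -Profile Domain, Private, Public -Enabled True | Out-Null
}

# A silent block hides the infection attempt; log dropped packets so a client that
# tries these ports can be spotted in pfirewall.log
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Show what was created
Get-NetFirewallRule -Group $Group | Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort

# For the whole domain, create the same rules in a firewall GPO instead of locally (placeholder name):
# New-NetFirewallRule ... -PolicyStore 'example.local\Cryptolocker prevention'
```

Because the rules apply to the Public and Private profiles as well, they stay active when a notebook is taken home, which addresses the caveat above. Review pfirewall.log for a few days before rolling out: 8443 and 444 in particular are also used by some legitimate HTTPS services, and such traffic will show up as blocked.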

And home users? Well, we cannot forget them. They have a lot of pictures and documents on their computers, practically a whole life, and losing all this material has a really big impact.
I suggest the software from FoolishIT. It is free and works well (but if you want to keep it up to date, give those few euros to the author; he is doing his job well!).


Additional reading:
https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/
http://www.crowdstrike.com/blog/4-0-another-brick-in-the-cryptowall/
http://researchcenter.paloaltonetworks.com/2015/02/analysis-cryptowall-3-0-dyre-i2p/
https://tools.cisco.com/security/center/viewAlert.x?alertId=36338

About Me

EXPERIENCE

I have been active in the SMB business for more than 10 years. During all this period I was always present in the community, solving problems related to the implementation of Microsoft products in this sector. Customers and IT companies ask me many times for help and collaboration, as they know me through my work and presence in the community. In my work I constantly try to help my partners, end users and other administrators who search for solutions in this sector. To show you my commitment, I can tell you that I’m also active on different forums like www.smallbizserver.com, www.mstech.si, the Microsoft partner user group, the Slovenian SBSC community site, … and of course I have my own blog.
Microsoft Slovenia trusts me, so they appointed me the Slovenian SBS community leader and also PAL for the CEE region (since 2009). The community includes between 60 and 70 companies (this number seems small, but you have to know that in Slovenia we have only 112 companies with the SBS specialist competency and only 2 million inhabitants). Microsoft, HP, LARs (DISS and Asbis) and other companies have asked me many times to be their lecturer, to improve their partners’ knowledge. Microsoft also engaged me to speak at conferences like NTK (the biggest Microsoft conference in central Europe, with about 2500 attendees, where I usually have two sessions). The attendees always gave me excellent votes.
From the cooperation with Microsoft also grew one of the most successful products, the adaptation of the Core IO wizard for small and medium businesses.
To keep this level, I have to keep myself informed, learning and understanding the latest trends. I’ve passed almost 30 MCP exams, every year I follow conferences like WPC, TechEd and others, and HP invited me to their main office in Geneva for the presentation of their strategy for the SMB segment. Microsoft has many times done case studies based on my solutions; you can find them on the internet on the Microsoft Slovenia page.


PUBLICATIONS AND PAPERS

“5 Commandments of IT in small businesses” – Sistem, information technology for business 2010
“Rent or buy software” – Sistem, information technology for business 2010
“Social media in small companies” – Sistem, information technology for business 2010
“Microsoft Cloud services for small and agile companies” – Monitor Pro 2011
“Small Business After SBS” – Monitor Pro 2012
“Security things to use with notebooks” – Corporate Security 2012

LANGUAGES

Slovene – native language
Italian – speak fluently and write/read with high proficiency
English – speak, read and write with basic competence

USER GROUP MEMBERSHIPS

Slovenian Microsoft Small Business Specialist Community (leader)
Slovenian Windows User Group (member and speaker)
Slovenian SharePoint User Group (member)

CERTIFICATIONS AND QUALIFICATIONS

Microsoft Certified Systems Administrator (2006)
Microsoft Certified Systems Administrator: Security (2007)
Microsoft Certified Systems Engineer (2007)
Microsoft Certified Systems Engineer: Security (2007)
Microsoft Certified IT Professional (MCITP): Enterprise Administrator on Windows Server 2008 (2008)
Microsoft Certified IT Professional (MCITP): Server Administrator on Windows Server® 2008 (2009)
Microsoft Certified IT Professional (MCITP): Enterprise Desktop Support Technician on Windows 7 (2011)
Microsoft Small to Midmarket Business Partner Area Lead Slovenia / CEE (2009 – still active)
SMB Nation winner – Worldwide Top 150 SMB Influencer (2012)
Microsoft Certified Trainer (2012)
Microsoft MVP Small Business Server (2012).