<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ronald de Kock &#187; Security</title>
	<atom:link href="http://www.rdekock.nl/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.rdekock.nl</link>
	<description></description>
	<lastBuildDate>Fri, 05 Aug 2011 10:03:30 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>KMS (Key Management Service) and AD domain membership</title>
		<link>http://www.rdekock.nl/kms-key-management-service-and-ad-domain-membership/</link>
		<comments>http://www.rdekock.nl/kms-key-management-service-and-ad-domain-membership/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 17:14:48 +0000</pubDate>
		<dc:creator>Ronald de Kock</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Server 2008 R2]]></category>

		<guid isPermaLink="false">http://www.rdekock.nl/?p=94</guid>
		<description><![CDATA[I am working on several Windows 7 deployment projects where a KMS server needs to be implemented. During design phase the question rose whether there was a need for Active Directory and/or domain membership for KMS to activate the Windows 7 clients. One of the customers did not want the workstations to be a member of an Active [...]]]></description>
			<content:encoded><![CDATA[<p>I am working on several Windows 7 deployment projects where a KMS server needs to be implemented. During the design phase the question arose whether Active Directory and/or domain membership was needed for KMS to activate the Windows 7 clients. One of the customers did not want the workstations to be members of an Active Directory domain. So I have done some tests in my test lab and found that the KMS server will activate any client with a GVLK product key installed as long as it can communicate with the KMS server on TCP port 1688. There is no need for domain membership whatsoever.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.rdekock.nl/kms-key-management-service-and-ad-domain-membership/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Getting rid of the RDS Single Sign on security warning.</title>
		<link>http://www.rdekock.nl/getting-rid-of-the-rds-single-sign-on-security-warning/</link>
		<comments>http://www.rdekock.nl/getting-rid-of-the-rds-single-sign-on-security-warning/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 21:38:31 +0000</pubDate>
		<dc:creator>Ronald de Kock</dc:creator>
				<category><![CDATA[Remote Desktop Services]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Server 2008 R2]]></category>

		<guid isPermaLink="false">http://www.rdekock.nl/?p=55</guid>
		<description><![CDATA[I have been playing with the Windows Server 2008 R2 Remote Desktop Services (formerly Terminal Services) and ran into a problem with a security warning popping up when clicking a signed rdp file in the RD Web Access interface. I have set up the following environment:   To be able to use the Single Sign [...]]]></description>
			<content:encoded><![CDATA[<p>I have been playing with the Windows Server 2008 R2 Remote Desktop Services (formerly Terminal Services) and ran into a problem with a security warning popping up when clicking a signed rdp file in the RD Web Access interface. I have set up the following environment:</p>
<p> <img class="alignnone size-full wp-image-80" title="rds_nevironment" src="http://www.rdekock.nl/wp-uploads/2009/11/rds_nevironment.JPG" alt="rds_nevironment" width="501" height="118" /></p>
<p>To be able to use the Single Sign On feature which is included in the RD Web Access you need to sign your RemoteApps with a certificate. How you can set this up is explained in an article on the <a title="SSO on RDS explanation" href="http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx" target="_blank">Microsoft RDS Team Blog</a>.</p>
<p>After implementing the RemoteApp signing you&#8217;re not quite finished. The following happens: every time a user clicks on one of the RemoteApps a security warning comes up which states: A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.</p>
<p><img class="alignnone size-medium wp-image-85" title="rds_security_warning_nocheckbox" src="http://www.rdekock.nl/wp-uploads/2009/11/rds_security_warning_nocheckbox-300x177.jpg" alt="rds_security_warning_nocheckbox" width="300" height="177" /></p>
<p>Of course this is very annoying and we want this security warning to disappear. There are two ways to do this.</p>
<p><strong>1. Changing logon settings.</strong></p>
<p>When you log on to the RD Web Access web page you can choose whether you are on a public or on a private computer.</p>
<p><img class="size-medium wp-image-68 alignnone" title="rds_login_private" src="http://www.rdekock.nl/wp-uploads/2009/11/rds_login_private-300x165.jpg" alt="rds_login_private" width="300" height="165" /></p>
<p><img class="size-full wp-image-84 alignnone" title="rds_security_warning" src="http://www.rdekock.nl/wp-uploads/2009/11/rds_security_warning1.JPG" alt="rds_security_warning" width="270" height="179" /></p>
<p>If you change the radio button to Private computer before you log on to the RD Web Access web page the security warning still comes up, but you will see a checkbox you can enable to never be warned again for this, and the pop-up will disappear the next time you click the RemoteApp.</p>
<p><strong>2. Create a GPO with .rdp signing settings</strong></p>
<p>You can also create a GPO with the following settings:</p>
<p>{Computer | User}\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client</p>
<p>&#8220;Specify SHA1 thumbprint of certificates representing trusted .rdp publishers&#8221; and enter the SHA1 thumbprint of the certificate you use for signing your RemoteApps.</p>
<p><img class="size-medium wp-image-69 alignnone" title="sha1_policy" src="http://www.rdekock.nl/wp-uploads/2009/11/sha1_policy-300x273.jpg" alt="sha1_policy" width="300" height="273" /></p>
<p>You can find the SHA1 thumbprint on the Details tab when you open the certificate.</p>
<p><img class="size-medium wp-image-70 alignnone" title="certificate_sha1_trumbprint" src="http://www.rdekock.nl/wp-uploads/2009/11/certificate_sha1_trumbprint-300x246.jpg" alt="certificate_sha1_trumbprint" width="300" height="246" /></p>
<p>When you use this second option your users do not need to change the logon radio button whether they are on a private or public computer.</p>
<p>I have had some discussion with the guys @ Microsoft from the RDS Team. They came up with what I call a workaround, because it seems that there are no real solutions available at the moment, as the behaviour is &#8220;By Design&#8221;. Microsoft promised to get back to me when they find a better option to solve this issue, because the workaround does not work for users who are working on non-domain joined workstations where we cannot apply GPOs. Users on non-domain joined computers will always get the security warning.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.rdekock.nl/getting-rid-of-the-rds-single-sign-on-security-warning/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Forefront UAG (Unified Access Gateway)</title>
		<link>http://www.rdekock.nl/forefront-uag-unified-access-gateway/</link>
		<comments>http://www.rdekock.nl/forefront-uag-unified-access-gateway/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 23:24:55 +0000</pubDate>
		<dc:creator>Ronald de Kock</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[TechEd]]></category>

		<guid isPermaLink="false">http://www.rdekock.nl/?p=49</guid>
		<description><![CDATA[Today I have attended a session @Tech-ed Berlin where the product Forefront Unified Access Gateway has been presented. Although the product is currently still in Beta, the Senior Product Manager told us that the RTM will be available before the end of 2009. The product is the follow up from IAG 2007 (Intelligent Application Gateway). However UAG [...]]]></description>
			<content:encoded><![CDATA[<p>Today I have attended a session @Tech-ed Berlin where the product Forefront Unified Access Gateway has been presented. Although the product is currently still in Beta, the Senior Product Manager told us that the RTM will be available before the end of 2009. The product is the follow up from IAG 2007 (Intelligent Application Gateway). However UAG includes the follow up from ISA, known as the Forefront Threat Management Gateway, and it includes Microsoft DirectAccess, which is a HOT product with high potential: access for any employee, business partner or customer from any place, anywhere, from any device. A step forward that should eliminate the entire Microsoft-only product thinking. Microsoft finally understands that it needs to supply access from other platforms into their servers. Shortly after the Tech-Ed I will evaluate the Beta of UAG and you will find some interesting posts on my blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.rdekock.nl/forefront-uag-unified-access-gateway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

