Why won't server certificate persist after a reboot?

I've written a Windows TCP (NOT IIS) server program in VB that provides the backend for an enterprise iPhone app that I have also developed. The system utilizes Apple Push Notifications, and that works fine, unless the server reboots for whatever reason.
Part of the Push Notification system is the inclusion of Apple certificates on the server. I followed the steps shown here to install the necessary certificates, and even though it's for ASP.NET applications, it works for my Windows-based server. Except, as I said, a reboot requires installing the certificates all over again.
I found this page on Server Fault that suggests adding a user to the certificate through the MMC snap-in, but that didn't work either.
Two questions: Following the steps shown on the Server Fault page, do I need to add a specific user? The only users that pop up are SYSTEM (which I tried), Administrators (ComputerName\Administrators) (also tried) and "S-1-1-5-blah, blah" (didn't try). Would there need to be a different user added to make it work?
Q2: If this won't ever work, is there a different way?
Full disclosure: This is the second time I have submitted this question, but the previous one (four months ago) was never responded to. I'm hoping someone who knows will see this.
Thanks for any advice.
AFTERTHOUGHT: The instructions I linked to above say to install the certificates to Personal/Certificates. Maybe this is wrong? This stuff is way over my head, so I don't understand the function of all the different stores.

Found the problem.
The page on Server Fault left out something. I needed to add a user that the system would recognize to the Permissions list. I added my user authentication, selected it, and after that the certificate persisted after a restart.
It is at least working on my development server. I haven't tried it yet on my production server.
Update: Works the same on the production server. Also, instead of using my user authentication, I used the IUSR authentication, meaning that it should work even after my name is removed from the active directory.
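The permissions step described in the answer (the MMC's Manage Private Keys dialog) can also be scripted. This is an added example, not code from the question or the answer; it assumes the certificate was imported into the machine Personal store (Cert:\LocalMachine\My) with a legacy CSP key, that the placeholder thumbprint is replaced with the real one, and that the TCP server service runs as the account named in $account (IUSR in the answer, NETWORK SERVICE here).

```powershell
# Added example, not code from the original question or answer.
# Grants a service account read access to a certificate's private key so a
# non-interactive Windows service can keep using it across reboots.
# Assumptions: the certificate lives in Cert:\LocalMachine\My, its key is a
# legacy CSP key stored under MachineKeys, $thumbprint is replaced with the
# real value (list candidates with: Get-ChildItem Cert:\LocalMachine\My),
# and the service runs as $account. Run from an elevated PowerShell.
$thumbprint = 'PLACEHOLDER_THUMBPRINT'        # placeholder: paste the real thumbprint
$account    = 'NT AUTHORITY\NETWORK SERVICE'  # placeholder: the service's logon account

# A cert that exists only in the current user's store is usable by that
# interactive user alone; a service needs it in the machine store.
if ((Test-Path "Cert:\CurrentUser\My\$thumbprint") -and -not (Test-Path "Cert:\LocalMachine\My\$thumbprint")) {
    throw 'Certificate is only in CurrentUser\My; re-import it into LocalMachine\My.'
}
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'No private key was imported with this certificate (import the .p12/.pfx, not just the .cer).'
}

# Resolve the on-disk key container for a CSP key.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyPath)) {
    throw "Key file not found at $keyPath (CNG keys are stored elsewhere)."
}

# Add a Read ACE for the service account; existing entries are kept.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify who can now read the key.
(Get-Acl -Path $keyPath).Access | Select-Object IdentityReference, FileSystemRights
```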

Best practice to store App Key in Laravel

I have been doing a lot of research on this and I can't seem to find a definitive answer. Obviously these days security is a big issue, hacks are going on all over the place of major companies that invest millions into security and they're still getting hacked.
I work on Laravel a lot and use shared hosting with Hostgator or some similar company of high report. Laravel comes with a built in function for encrypting database info and decrypting to the user when requested.
However, I have a question on how secure this ACTUALLY is. If someone gets into my cPanel, my app key which is used for encryption is right there in front of them. Granted, my cPanel password is the one that's auto-generated by Hostgator and it's complete gibberish with semicolons and alphanumeric strings all over, so it's not easy to guess.
But I'm trying to learn a little bit more about security. If my app key in my env file is locked securely behind my cPanel login, is Laravel's built in "encrypt()" method "enough" to call an app "secure"? Are there other measures within Laravel or my host provider that could make it more secure than just tight passwords? Is there some sort of practice of referencing the app key through an external source that's not located in the cPanel area? So even if my cPanel got hacked, my app key wouldn't be in those files and get exposed?
I'm not a security expert, but there are a few points I can share from my experience in working at highly-secured companies.
First, Laravel itself is fine. You can generally trust open source software since it's transparent and security bugs get discovered and addressed early. So you don't need to improve Laravel, just use it as is, preferably an LTS version.
Then, CPanel is a liability. You should minimize weak points on your system, i.e. those that are externally accessible. Get a VPS or a private server and access it via SSH; don't use tools like CPanel and PhpMyAdmin on it. The less software you have that talks to the outer world, the less vulnerable you are to bugs in that software.
In my current company the production server can only be accessed via SSH from a single IP address, the address of the dev server. So I log in to dev server first, and then log in from there to the prod. It denies all connections from all other IPs.
If you are limited to using CPanel or something similar, consider protecting the login page with HTTP Basic Auth, some hosting providers allow that.
You also want to keep your system and software up to date. Not too new either as that may have bugs that haven't been caught yet. Our devops prefer to have it a couple of minor versions behind, so that the community has time to test it out and get hacked for you.
That's all I know as a web-dev, sure enough there are special tools and ddos protection services but that's beyond a dev's concern imo. If you just follow these steps, you should be safe. Hope that helped a bit, cheers :)

DPAPI master key migration to a new computer

First of all, if this question should go into another stackexchange site please let me know.
I have a computer that I used for a lot of years, so it has a lot of stored passwords, cookies, etc. in my Google Chrome folder. I recently bought a new computer and wanted to keep everything that I had before, especially my cookies, extensions, etc.
At first, I just copied over the %APPDATA%\local\google folder from my old computer to my new one. When I launched Chrome I could see my history, extensions, etc. but when I went to common sites like facebook, gmail, etc. it was asking me to login.
I then went and read about how Chrome encrypts that data with DPAPI and so I changed my password and username in my new computer to match my old one, and then copied the folder over again but still nothing.
So, I read some more and discovered that DPAPI uses a master key file, so I went ahead and copied over the %APPDATA%\roaming\microsoft folder, which should contain that file, over to my new PC. So now I have the same password, username, and master key file, but I still can't get it to work. It is asking me to log in every time instead of using the cookies/saved passwords.
Does anyone know what else I am missing to have Chrome be able to decrypt those things when I go to a website?
Again, if there is another site that would fit this better, please let me know. Thank you.
As to the DPAPI aspect: the S-identifier (an internal "LSA name" (LSA = local security authority subsystem) for the user within the Windows OS; it's also the name of the folder that the masterkey files reside in under the Protect directory) on both computers is also used in deriving the key from the user password to decrypt the master key files. So these cannot be used on any other computer (as the majority part of the S-identifier is randomly generated when the user is created on the PC, and cannot be set manually, I believe). Using open source tools one could in theory re-encrypt the master keys of the old PC to make them valid on the new PC, but frankly that's a PITA. And still you'd have to mess a bit with the most recent masterkey files etc. No 100% guarantee there even.
Within Chrome itself, when you have it open on the old PC, you can export all the password info in some structured format, and then transfer them to the new PC (say by USB) and import them there into Chrome again. You could also turn on Chrome syncing (which requires a Google login) and let "the cloud" handle the transfer (password syncing is optional there, and you can choose encryption by Google credentials as an extra security option; I don't know the internals of that mechanism). Most password managers also offer a way to sync passwords between browsers on different computers, especially if they already offer browser integration. The export-import option seems the most practical to me.

Prove that Heroku and Github run the same code

For an open source project I'm currently working on, I need people to trust a website. Basically, the user would write "foo" on his phone. It would go on the website which would take the message "foo" and send it to a server running on this user's PC. I want people to be sure that the server did not change "foo" into "bar". I know I'm not malicious but potential users don't know it so I need them to trust me.
There are 2 possibilities. The first one is to use cryptography. The user would encrypt on his phone "abc" and the server running on the user's PC would decrypt it. But it's cumbersome for the user (he would need to encrypt it in another app). The second possibility would be to convince the user I'm not malicious by showing him the code running on the server. I can show the code on Github easily. The question is how can we ensure that the code running on Github is the same as the code running on Heroku?
It depends on your deployment; the way to achieve this is to make a deployment process that will fetch the whole repository and do the production or environment build. This is pretty much the same as an NPM setup where you will have an entry file and a build script.

Script to run at first logon in OS X to "call home"?

I sell Macs and I'm looking for a way, for our security and to combat purchase fraud, to have the machines phone home the first time they are booted up to show that the machine has been in use at the client's IP address.
Now I know the client might set the computer up at a location other than their home and could spoof their IP (although the potential scammer wouldn't realise this system was in place so wouldn't be expecting to do this) but any system is better than no system.
In terms of privacy we'd put it in our privacy policy but of course we're not looking to collect any information from the user apart from their IP address and the script should delete once it's connected to the internet for the first time.
How would users recommend the best way to do it? I have full access to the computers beforehand and we already launch a script on first boot of the user account to show a welcome and help guide - so we could add simple scripting there, but maybe a helper program which attempts until an internet connection is first established, makes contact and deletes itself is best.
And of course we'd need a two-pronged approach, a URL or API of some sort on our server that the computer connects to. Ideally the information to send would be the serial number and the IP address of the user; the MAC address could be useful too - as often if fraud has been committed the police will also check to see if the original MAC address of the system has connected via the ISP server logs.
I suppose the final piece of the puzzle would be that our logged data would somehow need to prove it was sent from that computer and not just generated ourselves in a database (eg we haven't just pretended it's connected from their IP we've picked up from an e-mail address or something). I'm not sure if there would be any secure legal way to do this?
Edit: Thinking of ways to make it legally binding in terms of presenting the information to the police or the courts, I think the receiving server would need to be hosted and maintained by an independent third party whom you had a contract with and who didn't allow you any write access to the information whatsoever; all you could do is visit a website and pull up the data to present the evidence to the police.
(I seem to have been voted down because someone likes committing fraud?)
I have looked into similar solutions for MacBooks in the past with little luck. One thing I have found however, if you have a web server, is to create a PHP page in an obscure hidden directory that will capture the IP address and send an email on access. From here you can create a page specific to each computer with MAC and serial number and set this as Safari's homepage in a different tab. So every time someone attempts to access the internet you will be notified.
(This PHP page can be a simple blank page that just looks like a new tab, or can even display warnings such as "You are being tracked")
You could also create a Python script on startup to send the information you are looking for such as IP, MAC and serial number back, but again you would need another server set up as a listener.
And lastly, if possible, create a business account in iCloud and use Find My iPhone/Mac. This is probably the easiest if you can get away with it but unfortunately will not provide you with instant notifications.
-M

Windows Azure Portal login to portal and receive error "We are having trouble logging you into the portal"

Open browser
Navigate to http://www.windowsazure.com/en-us/
Select portal top right
login with my email address
Receive the below error
https://manage.windowsazure.com/Error/Login?getsupport=true&f=255&MSPPError=-2147217320
Receive the error
" We are having trouble logging you into the portal
Please contact Customer Service for assistance."
Using IE or Chrome, incognito or not, cookies cleared or not, cache cleared or not, the problem still exists. Also tried on multiple devices: media centre PC, desktop running Windows 7, iPhone 5, iPad 3...
Prior to November 2012 I accessed the Windows Azure subscription without a problem.
I clicked the customer service link and the Australian number is 13 20 58. I have contacted that number explaining that I cannot access my Windows Azure subscription and each time I login I receive an error. They proceed to redirect me to other support teams where I repeat my details and the problem; they either redirect me again or provide a number to call.
In one case I was redirected to a number that no longer exists. Another time I was told to raise a case on the Windows Azure portal page, the same portal page that I receive an error on when logging in; when I asked for alternative options there were none.
So far I've spoken with the MSDN support team, Windows subscription support, online services, etc. and still no resolution. In the latest call to support they have said to raise the issue on the forums, so here goes.
Anyway, long story short, I have probably spent 3+ hours calling Microsoft support explaining the problem, waiting on hold, being redirected, repeating... still I can't access my Windows Azure subscription.
I checked in commerce.microsoft.com and there is a Windows Azure subscription associated with my email address:
Subscription-1
Windows Azure MSDN - Visual Studio Premium
Does anyone have any suggestions on how to resolve this issue?
Sometimes it happens; wait for a while and retry,
or just ask Azure support on Twitter.
Editing for those who are like me and skipped reading the comments (in small font) below the OP's question. This was resolved and was due to the first reason I list below. However, it could (and has) happen in past for other reasons as well, so might as well keep this response here in case it helps someone else out.
Try logging at https://portal.azure.com/
The manage.windowsazure.com isn't even DNS resolvable to any website - I am not sure how you are getting that address (maybe it's from some part of the Azure IAM pipeline that hasn't been updated) and (more interestingly) how you are able to open that link - maybe this is something available only in your region! (but I am stretching here).
Regardless, I also tried to find other instances of similar issues and in general I see this issue is related to cases when the an account has been transitioned to Office 365.
Here an account was moved and resulted in creation of two accounts with different passwords - solution here was to set the Office 365 account (new account) as a co-admin on the old account that was used to setup the Azure account.
Here the account was not provisioned correctly in Azure AD Store and had to be removed and re-created using DirSync
Here, the problem seems to be related to (the new) Account Provisioning in Azure AD.
In general, it seems this is a problem that might be harder to explain to level 1 support. You might have better mileage speaking to your organization's IT admin and having them check for any inconsistencies that might be similar to those stated above.
Try forcing the directory in the URL like so
https://portal.azure.com/#domain.name
For example in case of MS AAD domain
https://portal.azure.com/#mycompany.onmicrosoft.com
In case of custom domain
https://portal.azure.com/#mycompany.com
Sometimes there is some odd behaviour with redirect loops or when you no longer have access to the tenant but you have selected 'last visited' in the Startup directory.
Glad to hear this was resolved by support. Since this was posted, we made a number of updates to the login process and types of accounts (incl. the addition of MFA). At TechEd we announced a new portal (video # http://channel9.msdn.com/Blogs/Windows-Azure/Azure-Preview-portal) if you want to see what is coming.