Dangl.Blog();

Safe Storage of Strings in PowerShell Scripts

Thu, 27 Apr 2017 19:52:21 Z

In my last post, I made use of a script that sets a secret value. The script needs to run at each system start, so it needs to be stored on the server. However, I don't want to (and never should!) store actual secrets in plain text files. Scripts tend to get stored in backups, source control or sent around via email.

Don't write something in an email you wouldn't also put on the front page of the New York Times.

You don't want your passwords on the front page of the New York Times.

There's a commandlet for working with SecureStrings in PowerShell. It's using local user account and machine information to encrypt and decrypt string values, so you manually create an "encrypted" string, store that in a script and it only ever works for a specific user account / hardware combination. It's secure as long as someone doesn't have full access to the computer the script is running on. If someone has that kind of access, you're busted anyway...

How do you do it?

Easy! Invoke the following script with your secret as parameter, e.g. like this from the commandline:

C:\Scripts>powershell .\ConvertPasswordToSecureString.ps1 P4$$w0rd

It'll print a long string to the console. That's the one that's safe to store. You can put it in any script you want and retrieve it like this:

$sharedSecret is the decrypted string value. In the example, I'm using it to set my VPNs Pre Shared Secret at system startup.

Happy storing!

Connecting to Windows Server 2016 Essentials VPN without DirectAccess

Thu, 27 Apr 2017 14:29:55 Z

Windows Server Essentials is a great option for your home network. I'm using it mostly for DNS, DHCP, client backups, storage and VPN but, really, you can do anything with it. The built-in Connector for Windows clients makes accessing your home network from anywhere charmingly easy, and Microsoft gives you a free *.remotewebaccess.com domain with dynamic DNS and automatic configuration on top of that. External clients connect via Microsoft's DirectAccess back home. In case you haven't heard of it, it's basically Windows-only proprietary VPN.

Before upgrading to Server 2016, I've used VPN extensively on my iPhone & iPad to access my home network. I chose to use L2PT with a PreSharedKey for connecting my iOS devices. Where I could simply use the GUI in Server 2012 R2, Server 2016 is less cooperative:

If you're not fluent in German, the Routing & RAS app tells me that I can't use the GUI for configuration since legacy mode is disabled. And I can't enable it. That's bad, but since Microsoft ❤️ PowerShell, there are commandlets for everything! Just make sure to have the Remote Access Tools for Windows Powershell feature installed (it comes automatically with the Essentials role).

User mazo22 at HomeServerShow nicely explained the command to set a PreSharedKey:

Set-VpnAuthProtocol -SharedSecret "YourSecretValueHere" -TunnelAuthProtocolsAdvertised PreSharedKey

The PreSharedKey is not persisted during reboots, for security reasons. For convenience reasons, there is Windows Task Scheduler. Create a job, make it run at system start and call C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe as programm and supply the path to your SetPreSharedKey.ps1 as argument.

But, for real: Here's a complete sample script that shows you how to keep the secret safe, even in a script. Don't store the PreSharedKey as plain text in the script!

Connecting your iPhone or iPad to your home server

Simply set up a new VPN connection in your device, use the L2TP type and your regular Active Directory username / password (without the domain specifier). The SharedSecret is what you've just set up.

Happy connecting!

Setup and Configure VPN and NAT on a Private Server

Mon, 17 Oct 2016 21:16:11 Z

Lately, I've been on a business trip for a few days. While the trip itself was fine, I was annoyed about not being able to access my Amazon Prime Video content from the hotel due to geo-IP issues, namely me being in the wrong country for my account. Since I happen to have a low-cost virtual server that I'm using for a lot of stuff already, I've decided to set up a VPN on it as well. You'll find a lot of information on setting that up on "real" servers, with dedicated network cards for both internal and external connections, but the process in this post will work just fine in a single NIC setup.

In Windows Server 2012 R2 or 2016 it's a quite simple process, configuring your own VPN with NAT (Network Address Translation or just "Routing") is possible with built-in components.

Install the Routing and VPN Roles

In the Server Manager, go to Add Role & Features and select Remote Access.

On the Role Services tab. make sure to check both DirectAccess & VPN (RAS) as well as Routing.

After the installation is complete, you can open your Routing & RAS (RRAS) management console via your installed programs.

Right-click on your server node, select Configure Routing and RAS and select Custom Configuration.

On the next screen, select both VPN (for connecting to the server) and NAT (so your VPN traffic gets routed to the internet). Click on next, approve your selection and wait until the service has started.

Configure VPN Access

There isn't a lot left to do for you, since the defaults are mostly correct for our use case here, but you'll want to configure some additional security settings and the assignment of local IPs to your connected devices.

Right-click again on your server node and select Properties, then go to the Security tab, activate Allow user defined IPsec policy for L2TP/IKEv2 connections and enter a random, hard to guess key (just like your WiFi key or any password, really). You'll need that Pre Shared Key (PSK) when you manually configure clients, such as Windows machines or iOS devices.

Now, switch to the IPv4 tab and tell it to use a static address pool for client connections. Ideally, you'd specify a range for private networks, like 192.168.*.* or 10.*.*.*.

After clicking OK, you'll have to select the server node again and navigate to All Tasks -> Restart in it's context menu to restart the service.

The next step is to either create a new user or modify an existing one. All you have to do is to open the users properties (which is in Computer Management -> Local Users and Groups if you're not in an Active Directory domain), switch to the Dial In tab and make sure to allow dial in network access.

Configure NAT

NAT stands for Network Address Translation and is interesting because it’s basically using a single public IP address to serve multiple clients on the inside. It's essentially what a regular router does for you at home. In a VPN setup, you not only want to connect to the internal network (Which is quite boring, being on a single virtual server somewhere on the web, actually…) but to use the server as your gateway to the internet. This has two big advantages:

Your public IP will be your servers IP. You’ll finally be able to access your Amazon Prime Video from wherever you are!
Traffic between you and the VPN server is encrypted. This is huge, since it means that even non-secure web traffic is encrypted till it leaves your server, so no one is able to snoop your data while using a public WiFi.

To set it up, expand the IPv4 node below your server, right-click on NAT and select New Device. Just select your public network interface and enable NAT on it:

Congratulations, you've just set up your private VPN!

Tip: If you’re experiencing troubles, check that your public network card does have some DNS servers configured. For me, my hosting company is using DHCP to assign my servers IP address and DNS servers, but I noticed that they’re not being passed on to connected clients. Just manually add some DNS servers (8.8.8.8 and 8.8.4.4, Googles public DNS servers, are good candidates) and you should be good to go.

Install and Configure Web Deploy for an IIS Installation

Wed, 22 Jun 2016 23:23:58 Z

Tutorials on Asp.Net deployment often do either focus on Azure deployment or for a more direct Xcopy or FTP deployment. Here, I’ll try to show you how to set up Microsoft Web Deploy for easy deployment to self-hosted IIS installations. Web Deploy can be installed via the Web Platform Installer, just search for Web Deploy and make sure to install the latest version (currently 3.6).

You only need the third entry in this screenshot

Alternatively, download it directly from the Microsoft Download Center.

For continuous integration scenarios, Web Deploy must be installed both on the build server (which will initiate the deployment process) as well as on the web server hosting IIS to enable inbound deployments.

Grant Deployment Rights to a Windows User

On the hosting server, you need to have a user whom you’ll grant deployment rights on a per website basis. It’s not a good idea to use the account you’re logging in with, so just create some user with minimal permissions (only Read/Write access to the targeted websites directories is required).

Then, in IIS, right click on your website, navigate to deployment and select Activate Web Deploy publishing.

In the following dialog, select the user whom you’ll want to grant deployment permission for that website and specify the Url for the deployment endpoint. The Url should just resolve to your server, since by default all hostnames will be accepted for the port 8172 that Web Deploy is using. Just make sure the Windows Firewall allows inbound connections on that port.

After clicking on setup, a *.PublishSettings file will be created on the directory that was specified, defaulting to the current logged in users' Desktop. For command line based deployment (or via Continuous Deployment), this file isn't needed, but when deploying from Visual Studio you should save that file somewhere for easy configuration of deployment setups. The selected user should have been automatically granted permissions for Web Deploy on the IIS server, but better check if there’s an entry for the user under IIS Manager Permissions in the server node within the Internet Information Services Manager application that specifies the selected site as Path.

Configuring SSL for the Web Deploy endpoint (IIS Management Service)

If you can, you absolutely should use TLS/SSL everywhere, especially for the endpoint you’re going to use for deploying websites. Even if you can’t get a trusted certificate (but then, StartCom issues them for free!), you should go with a self-signed one either directly from the server or from your domain root CA and trust that explicitly. It’s a really bad practice to ignore SSL errors, you should never let that catch on!

Now on how to use it:
Go to the root node of your server in the IIS management application and select Management Service in the Management category. Here, click on stop on the right action menu to stop the service (you can’t change its settings when it’s running) and then simply select the SSL certificate you want to use. It’s got a self-signed default certificate, you can go with that, too, but then you’d have to export it out of the IIS certification store to be able to import it on your clients. When you’re done, just click on start in the action menu and you’re good to go.

Tip: If you've got an SSL certificate for any website, you can use that, too. There’s no rule that says which DNS names you can use for your deployment service! It’s running on Port 8172 (or any other port that you can specify), so it doesn't interfere with any web sites.

Error “User not authorized for content path” in Web Deploy

When performing the Web Deploy operation, you might get a response stating that the user [is] not authorized for content path, even though the actual folder permissions are present and set correctly. To fix that, perform the following steps:
Go in IIS Manager to the server node and enter the configuration for Management Services Delegation.

In the applet, select Add rule on the action menu on the right side, select Deploy Applications with content and click on OK.

Go with the standard settings here and create the rule. Now it should be visible in the Management Services Delegation menu. Right click the rule (it should be named contentPath, iisApp and select Add User. Then just specify the user you want to grant deployment rights. Be careful not to forget the domain identifier or the local computer name for a local account, e.g. LocalServer\DeploymentUser.
After that, go back to the server root node, enter Management Service and select Restart in the action menu. Now you should be good to go!
There might be other issues, like ERROR_USER_NOT_AUTHORIZED_FOR_SETACL. As far as I know, when you install Web Deploy, those rules should somehow be created automatically for non-administrator users, but they never were in any of my installs. To solve this, just modify the rule that was just created and append the missing privilege, e.g. append , setAcl (don't forget the comma separator) to resolve permissions regarding the setAcl command.

Creating an IIS Apppool with a Windows Account

There are use scenarios where you want a dedicated user account to run a specific apppool or website. For example, having database access configured via the Windows Login in SQL Server or in Asp.Net Core where you can use user secrets to store machine specific configuration, such as connection strings or SMTP server credentials, specifically for a project in a Windows Users context. For this to work, the IIS Website needs to run in an Apppool that runs with the user account of a local or domain user. To set this up, simply create a local user account on the server that is hosting the IIS installation and assign it to the Remote Desktop Users group so that you can log in via remote desktop if you need to.
Then, create an Appool in IIS and go to its advanced settings. Here, scroll down to Identity, chose user defined account and enter the account name and credentials. Also make sure that Load User Profile is set to True. This tells IIS to actually load the user profile for the Windows User, which is needed if you’re planning on using Asp.Net Core user secrets for storing anything that should not be in source control.

Creating Self Signed SSL Certificates for IIS

Sat, 30 Apr 2016 21:10:05 Z

Adding a TLS / SSL wildcard certificate to your IIS installation issued from your domain controller is pretty easy, assuming you’re having a Windows Server 2012 (R2) acting as domain controller. When the Essentials Role is installed, it automatically creates a Root Certificate Authority for your domain, so you don’t even have to set up anything special besides creating the requests for the certificates you want to use. Keep in mind that by default, only domain administrators are being automatically issued requested certificates. If the user you're logged in is not a domain administrator when you are making the certificate request, you have to manually issue it in the domain controllers certification management tool and then import it to IIS later.

Now let’s start creating the certificate: In IIS Manager, navigate to the root entry for your server and select Server Certificates.

Select Create Domain Certificate on the right actions menu and the certificate creation wizard opens:

The important information here is the shared name property, where you enter the URL for which the certificate will be valid. You can use wildcards like *.yourdomain.com to have the certificate be valid for all your sub domains. Click next to continue and you’re in the second and final page of certificate request wizard:

When you’re using a vanilla Server 2012 Essentials environment, your root CA will be named like <DOMAIN>-<SERVER>-CA, so for a domain called Bob.local with the server name BobServer1, the name would be BOB-BOBSERVER1-CA. Append a backslash and the name of the server (a DNS entry that resolves to the server hosting the CA environment which is usually your server’s name). If your CA is on the home network, the webserver however is on another) server not in the same subnet (for example, a hosted virtual server), you can rely on the built-in VPN connection that is set up automatically when you’re using the Essentials Connector to establish a connection to your Certificate Authority.

Finally, the display name is the name that will be given to your certificate and shown in the IIS certification overview. If you've been successful, it should look like this:

Now when you create a binding for a website using Https, you’re able to select this certificate for the connection. You can now establish trusted connections between your devices and your personal sites=)

Install a Windows Server Active Directory Root Certificate in iOs

Fri, 22 Apr 2016 15:45:44 Z

Here's a short blog post showing you how to use self-signed certificates from your home network Active Directory Controller in iOS. I assume you either have a Windows Server 2012 (R2) with the Essentials role installed up and running on your domain or a "real" domain controller.

On Server 2012 (R2) Essentials, there should be a website called "Default Web Site" installed within IIS which has a sub site called "CertSrv" for the certification service offered by the Active Directory domain controller (There's also the "Connect" site which you've probably used before to connect client machines). On Windows clients joined to the domain, your root domain Certificate Authority (CA) certificate should get installed by the default group policies that that the Essentials role is preconfigured with. For mobile devices (like iOS), you've got to add the root CA as trusted entity yourself. To do that, navigate to http://<YourServerName>/Certsrv, log in with a domain user and you should find the following site:

Click on the last link, which is, depending on your language, something like "Download a certificate authority root certificate". This should bring you to the next page where the standard settings will be fine for you.

Now just click on the uppermost link to install the certificate and find yourself in the iOS settings to review and confirm the installation. The certificate will be named "<YourADDomain>-<ServerName>-CA".

After you have installed it, you can browse to a website that is using this certificate and you'll see that's it accepted just like a regular certificate: