Monthly Archives: February 2009

If Your GPS Worked Like An Information Security Team

GPSPath … it would fend off dangerous drivers from hitting you.


… it would give you regular statistics on the number of accidents on your daily route, so you could make decisions to avoid newly bad parts of town.


… it would help you plan your route to avoid the sorts of areas that have bad accidents, so that you would not be a part of one.


… it would give you hints on how to be a better driver, and train you every so often to keep your driving skills sharp.


… it would observe other accidents and gauge trends, to advise you what previously safe driving habits to avoid.


… it would co-operate with you in planning a trip, to help you choose the quickest, safest route to your destination.


… it would teach you how to read maps, so you could make safe routing decisions for yourself.


… it would work with your mechanic, so that every time your car went in for a service, it would come back safer.


… it would work with the police to let them know where the bad parts of town are, so that they could be cleaned up.


… it would let you know any time you were about to run a stop-light or exceed the speed limit, so that you could make an informed decision, rather than accidentally break the law and get pulled over.


Yes, it’s  another argument by analogy, which is something I dislike in general – but I see too many times when the Information Security Team is perceived as a “STOP” sign. The Security Team is employed by the same organisation as you, and therefore has the same business goals – just a different focus. Its focus is to ensure that the company can carry on doing business without interruption by hackers, crackers, viruses, spyware, regulatory and contractual damages, or public relations disasters caused by inappropriate data disclosure.


I think a GPS is a better analogy, then – if you follow the Security Team’s advice, or at least listen to it, you’ll be aware of the risks of the different ways to your –our- destination.

When “All” isn’t everything you need – Terminal Services Gateway certificates.

Setting up Terminal Services Gateway on Windows Server 2008 the other day.

It’s an excellent technology, and one I’ve been waiting for for some time – after all, it’s fairly logical to want to have one “bounce point” into which you connect, and have your connection request forwarded to the terminal server of your choice. Before this, if you were tied to Terminal Services, you had to deal with the fact that your terminal connection was taking up far more traffic than it should, and that the connection optimisation settings couldn’t reliably tell that your incoming connection was at WAN speeds, rather than LAN speeds.

image But to get TS Gateway working properly, it needs a valid server certificate that matches the name you provide for the gateway, and that certificate needs to be trusted by the client. Not usually a problem, even for a small business operating on the cheap – if you can’t afford a third-party trusted certificate, there are numerous ways to deploy a self-signed certificate so that your client computers will trust it.

I have a handily-created certificate that’s just right for the job.

I ran into a slight problem when I tried to install the certificate, however.

tsg2

The certificate isn’t there! In this machine, it isn’t even possible for me to “Browse Certificates” to find the certificate I’m looking for. On another machine, the option is present:

tsg3

That’s promising, but my certificate doesn’t appear in the list of certificates available for browsing:

tsg4

I checked in the Local Computer’s Personal Certificates store, which is where this certificate should be, and sure enough, on both machines, it’s right there, ready to be used by TSG.

image

So, why isn’t TSG offering this certificate to me to select? The clue is in the title.

The certificate that doesn’t show up is the one with “Intended purposes: <All>” – the cert that shows up has only “Server Authentication” enabled. Opening the certificate’s properties, I see this:

tsg6

Simply selecting the radio-button “Enable only the following purposes”, I click “OK”:

tsg7

And now, back over in the TSG properties, when I Browse Certficates, the Install Certificate dialog shows me exactly the certificates I expected to see:

tsg8

This isn’t a solution I would have expected, and if that one certificate hadn’t shown up there, I wouldn’t have had the one clue that let me solve this issue.

Hopefully my little story will help someone solve this issue on their system.