Subject: Windows 2000
From: Gene Gomez (ggomezVERANCE.COM)
Date: Fri Jun 02 2000 - 10:42:31 CDT


David,
While I'll agree that Windows 2000 isn't the "mess" that others make it out
to be, I've found the general lack of documentation to be frustrating.
Since it's a security-conscious issue, I'll give an example that I'm working
on right now.
Exchange Server 5.5 SP3 is running on one of my Windows 2000 Servers with
IIS 5.0 installed. I've got a Certificate Authority installed, and it seems
to work well (IIS 5.0 is able to request and receive certificates and run
HTTPS). What I want to do now is install a certificate for POP3 and IMAP.
Unfortunately, NO ONE seems to know how to do it.
The Microsoft KB articles point to the fact that in Exchange 5.5/IIS 4.0,
Keyring Manager took care of this function. Unfortunately, according to
the IIS 5.0 Resource Kit, the Keyring manager has been replaced by
Certificate Request Wizard. Certificate Request Wizard is launched within
IIS from the Install Certificate... button on the Security tab for
properties, but it only seems to work for HTTPS requests, not POP3/IMAP SSL.
Keyring Manager is still there, however. In one of the IIS folders (I can't
remember which), you'll find keyring.exe. Unfortunately, it appears that
the "Online certificate request" function is disabled, and all you can do is
generate a text-based request to be mailed to a Certificate Authority.
Using certreq at the command line doesn't work on the file generated using
this process, however. It generates a "No Certificate Template specified"
error. Chances are that the request doesn't have a field that CA requires
using the default request/approval filter. The next step appears to be to
use another IIS 5.0 machine to generate a text-based request and analyzing
that for differences to add into the text-based IMAP and POP3 certificate
request.
I haven't got time for that right now (I'm the only IT person supporting 50
users [and adding around 10 a month], and my precursor didn't do that great
a job on our infrastructure to begin with), but there has GOT to be an
easier way. The only problem is that no one seems to know what it is.
I've done several searches in the Microsoft KB in the Exchange 5.5 and
Windows 2000 areas. The only articles I see cover Exchange 5.5/IIS 4.0.
I've posted to the microsoft.public.exchange.admin and .setup newsgroups,
and no one has replied.
In fact, I couldn't even find information on how to install the Active
Directory Component. I saw vague references to various Resource Guides.
Luckily, the Windows 2000 FAQ (www.windows2000faq.com) had answers on that.
I think that the documentation will be forthcoming, but only after most of
us "early adopters" have already gotten the damn thing up and running.

-Gene

-----Original Message-----
From: Focus on Microsoft Mailing List
[mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of David Rogers
Sent: Thursday, June 01, 2000 3:20 PM
To: FOCUS-MSSECURITYFOCUS.COM
Subject: Re: Regarding *.pwl files...

Just my view is that it is mostly a big mess because people do not do proper
planning or just are not familiar with the new product or do not know what
they are doing.

"From what you've heard"? Just curious as to whether you have much hands on
experience with the "gigantic mess" called Windows 2000? In the time I have
worked with it, I just have not found it to be the mess that others think it
is.

I have to disagree on the low product support. Check out the help files.
Also the white papers on Microsoft's web site are good too. My experience
with support may differ from others' viewpoint though.

Take a gander at http://www.microsoft.com/windows2000 and go to the
technical documents if you need good info about how to implement Windows
2000.

Are there problems in implementing it? Sure. In supporting this product, I
have found that many problems arise because people tend to deploy it using
the "seat of the pants method" instead of doing their homework first. It is
a new product with quite a bit to it. You have a learning curve that is
pretty steep too. But if you do your homework, it is not that bad to
implement and is much better than using Windows 9x on a network.

Just my two cents and not intended as an attack of any kind .....

David Rogers
Charlotte, NC