A short article about Windows 7
By Fredrik Wall
I have just updated Riverpoint's website with a few fixes and tricks.
I have also published a short article about Microsoft's
launch of Windows 7.
A bit about the new features and so on.
You can find it here.
Welcome to The Power Admin, The Power Administrator.
This is the blog of two Power Administrators. Not only PowerShell administrators.
We have both been in the IT business for a long time, and therefore we are administrators with power.
This is the home of Fredrik "Dalle" Wall and Fredrik "DXter" Jonsson. Read more about us in the About section.
I was never much for gadgets in Windows Vista.
But with Windows 7 I have found a couple of favorites.
These are perfect for businesses!
Gives you translation right on the desktop.
It uses Lexin's wonderful free lexicon.
Can be downloaded here.
There is a lot of talk about shady companies in these harder times.
Allabolag.se is a superb service to use when you are going to
do business with companies. Here you can see whether a company looks
okay or not.
I chose Dustin as an example because I needed one.
Dustin is a company that I, at least, trust!
Can be downloaded here.
The third gadget I use is a non-business gadget.
It is probably the one I like the most, though.
That may be because I can't be without my Bandit radio!
Can be downloaded here.
This is what my desktop looks like right now:
Windows 7 has been released and now
you can get lots of stuff for it.
One of the cool and nice things is the Windows 7 themes.
Not so much for your work, but it will make your
Windows 7 look nice.
And you can get lots of them for free directly from
Microsoft.
At the Personalization gallery you will find Themes,
Background pictures and Gadgets.
Choose a theme and download it.
Click on Open.
The new theme is installed.
Most of the themes just add background pictures, and that
is great.
One of the cool new features in Windows 7 is
Next desktop background. To change it manually, right-click
on the desktop and choose Next desktop background.
The default setting for changing the desktop background is 30 min.
If you want the backgrounds to change faster click on
the Desktop background icon on the Theme you want to change.
You can also change what pictures you want to show
and if you want them shuffled or not.
There is now a new question and a new answer about PowerShell on
the Swedish Microsoft TechNet.
http://technet.microsoft.com/sv-se/ee692393.aspx
This short blog post will be a first view of
PowerGUI and the AD PowerPack.
Now with the Active Directory PowerPack
we have a new group in PowerGUI.
In my case, my computer belongs
to my lab Active Directory. But my logged-in user
doesn't. So when I try to click on Users I will get some errors.
To fix this I only need to start PowerGUI with
a different user.
The power of PowerGUI as I see it is the nice GUI and
the easy way to see how it's done. Because it's PowerShell
behind this and it's so easy to see it.
Right-click on Users and then Properties.
Now you can see the code behind.
This will give you some information on how to use
this in your own scripts.
But beware that PowerGUI does something that
you don't see in this code.
You need to load the snap-in for Quest AD cmdlets.
More about this later on!
Hi,
my latest project or my latest lab is to install
two PowerPacks with the latest release
of PowerGUI (1.9.5).
These good PowerPacks are not new, but I'm
old-fashioned and I haven't tried them before.
To be able to install these two PowerPacks we needed to
install two things.
And we will find them in the Quest
ActiveRoles Management Shell. You will find it here.
The next step is very good, but will not
work for me in my lab environment.
The 64-bit version can be found on the
Exchange 2007 disk.
The 32-bit version can be found here.
More information about the Exchange Management Shell
can be found here.
So now we have installed 4 new friends.
In my last post, Creating your own code signing certificate on a smartcard without an internal PKI, I showed the process to create a self-signed code signing certificate on a smartcard. Since PowerShell has the ability to check signatures of PowerShell files before they are executed, signed PowerShell files are preferred for obvious security reasons.
First we can check what code signing certificates we have using the PowerShell command:
Get-ChildItem -Path cert:\CurrentUser\my -CodeSigningCert
which in my case gives the following output:
I see the code signing certificate that I have to sign our tools for PKI ToolBox. This certificate is located on a Gemalto .NET smartcard.
Now we can build a code signing script using the PowerShell cmdlet Set-AuthenticodeSignature.
The following code is the actual PowerShell signing script that we use to sign our tools in the PKI ToolBox:
$cert=Get-ChildItem -Path cert:\CurrentUser\My\F1BF8F3ABBD6295D77C8D4BD6FEEDC19E32A9A74
$cue=Get-ChildItem .\cue
Set-Location .\cue
Set-AuthenticodeSignature -FilePath $cue -certificate $cert -IncludeChain All -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"
Set-Location ..
1. The first thing we do is to create a folder called cue in the same location that the script is located. In this folder we put our PowerShell files that will be signed.
2. We specify a variable called $cert that is our code signing certificate. The reason I am not using the flag -CodeSigningCert when I call Get-ChildItem is because I want to be specific about which exact certificate we want to use for our digital signature, using the signing certificate's exact thumbprint.
3. We create a variable called $cue that is equal to all objects in the cue folder. The reason we don't want to use a hard-coded reference to a target file is because the signature for the signing script itself will be broken if we modify the script and specify another file.
4. We jump into the folder cue and try to get all child objects in the current cue folder, resulting in a list of PowerShell files that will be signed by our script. Pretty cool huh?
5. The cmdlet Set-AuthenticodeSignature signs all our files in the cue folder with our specified certificate on our smartcard (the script prompts the user for the PIN to the smartcard). Since the timestamp on the signed PowerShell file is the actual time of the signing computer, this may not be so reliable for deciding the actual signing time. Therefore we also include a countersignature from VeriSign's timestamp server with the flag -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll" to convince our users that the timestamp is reliable.
Now, let's look at the result of a signed PowerShell file:
First we see that we have a new tab under the file's properties, called “Digital Signatures”.
If we look at the details, we see that our digital signature is OK and that VeriSign has confirmed our signature date and time.
A video of this is already done by me and Dalle when we visited Microsoft last Friday to record our demo of PKI ToolBox for TechNet Edge. The video will be posted on http://edge.technet.com in the near future.
// Fredrik ”DXter” Jonsson
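To check the result from the command line instead of the file properties dialog, the following added example (not part of the original post or of PKI ToolBox) verifies every file in the cue folder. It assumes the same .\cue folder and the thumbprint used in the signing script above.

```powershell
# Added example: verify the files in .\cue after the signing script has run.
# $expected is the thumbprint the post's signing script selects.
$expected = 'F1BF8F3ABBD6295D77C8D4BD6FEEDC19E32A9A74'

$report = Get-ChildItem -Path .\cue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $problems = @()

        # Status is Valid only if the hash matches and the chain is trusted.
        if ($sig.Status -ne 'Valid') {
            $problems += "status is $($sig.Status): $($sig.StatusMessage)"
        }

        # Pin the signer to the exact certificate, not just any trusted one.
        if (-not $sig.SignerCertificate) {
            $problems += 'no signer certificate'
        } elseif ($sig.SignerCertificate.Thumbprint -ne $expected) {
            $problems += "unexpected signer $($sig.SignerCertificate.Thumbprint)"
        }

        # Without -TimeStampServer there is no countersignature on the file.
        if (-not $sig.TimeStamperCertificate) {
            $problems += 'no timestamp countersignature'
        }

        New-Object PSObject -Property @{
            File     = $_.Name
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }

$report | Format-Table File, Ok, Problems -AutoSize

# Non-zero exit code so a build or release step can stop on a bad signature.
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```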
Information at engadget.com
This seems like a strange thing.
I don’t think Microsoft likes this, or…?
Almost a burger in the class of the burgers at the
Heart attack grill.
Okay, I must admit one thing: even I can use self-signed certificates sometimes!
However, people usually only associate the term “self-signed certificate” with server authentication to use SSL for HTTPS, without the thought that a self-signed certificate can be used for basically any purpose as long as it is trusted and valid according to the system.
Sometimes, a self-signed certificate can actually be “good enough”, a term I usually never use!
The question you should ask yourself, if there is only one code signer, which in my and Dalle's case is The PKI ToolBox Team, is:
“Why should we make, trust, manage and use an entire PKI structure when we only need to issue one certificate? Regardless of solution, we need to spread our root certificate to our users!”
I thought that the self-signed code signing cert was actually good enough if the private key was kept confidential and stored on a two-factor authentication token, such as a smartcard, and that we were sure that we only needed to issue a certificate for one identity.
1. First of all we need the .NET 2.0 SDK from Microsoft. We need the .NET 2.0 SDK since it includes a component called makecert.exe which we need to use to issue a self signed certificate.
2. Makecert is located (on a x64 system) in c:\Program Files\Microsoft.NET\SDK\v2.0 64bit\Bin
3. We stand in that folder in the command prompt and run makecert with the following parameters:
makecert -r -a sha1 -n "E=firstname.lastname@domain.com,CN=Firstname Lastname" -eku 1.3.6.1.5.5.7.3.3 -ss My -sp "Microsoft Base Smart Card Crypto Provider"
-r is used to create a self-signed certificate.
-a The algorithm used for the signature.
-n The subject name of the certificate holder (plus the e-mail address).
-eku Which EKU (Enhanced Key Usage) that will be used in the certificate. In our case we want to use 1.3.6.1.5.5.7.3.3, which specifies that this certificate should be used for code signing.
-ss Which certificate store that should be used. We select our own personal certificate store.
-sp Which CSP that should be used. We specify in our case in this example the Base CSP. (This requires a smartcard that uses the Base CSP. Otherwise, please change to your CSP!)
After we have entered our PIN to the smartcard, the certificate will be created on the smartcard and the certificate should already be populated in the personal certificate store. Now we export our certificate using certmgr.msc (without the private key of course) and save it to a file.
Then we import it again with certutil to the “Trusted Root Certification Authority” and “Trusted Publishers” store:
certutil -addstore -f -user -gmt -seconds -v root filename.cer
certutil -addstore -f -user -gmt -seconds -v TrustedPublisher filename.cer
That’s it and you are done!
However, I would also recommend you guys to use “SCRoots Tool” from our PKI ToolBox to (with a nice GUI) also import the root certificate to your smartcard to make sure that you always can validate your certificate as a trusted certificate regardless of the computer the smartcard is connected to.
Good luck!
// Fredrik “DXter” Jonsson
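As a check on the makecert and certutil steps above, this added example (not from the original post) inspects the exported certificate and the current user's stores. It assumes the export was saved as filename.cer in the current folder, the name used in the certutil commands.

```powershell
# Added example: confirm what the makecert and certutil steps produced.
# filename.cer is the exported certificate named in the post.
$path = (Resolve-Path .\filename.cer).Path
$cer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # the -eku value passed to makecert

# Collect the EKU OIDs from the certificate's extensions.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekus = @($cer.Extensions |
    Where-Object { $_ -is $ekuType } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

$thumb = $cer.Thumbprint
# The copy in the personal store is the one tied to the key on the smartcard.
$mine  = Get-Item "cert:\CurrentUser\My\$thumb" -ErrorAction SilentlyContinue

$checks = @(
    @{ Check = 'Exported file holds no private key'
       Pass  = (-not $cer.HasPrivateKey) },
    @{ Check = 'Certificate is self-signed'
       Pass  = ($cer.Subject -eq $cer.Issuer) },
    @{ Check = 'EKU is code signing and nothing else'
       Pass  = ($ekus.Count -eq 1 -and $ekus[0] -eq $codeSigningOid) },
    @{ Check = 'Present in CurrentUser\Root'
       Pass  = (Test-Path "cert:\CurrentUser\Root\$thumb") },
    @{ Check = 'Present in CurrentUser\TrustedPublisher'
       Pass  = (Test-Path "cert:\CurrentUser\TrustedPublisher\$thumb") },
    @{ Check = 'Copy in CurrentUser\My has a private key'
       Pass  = ($mine -and $mine.HasPrivateKey) }
)

$checks | ForEach-Object {
    $state = if ($_.Pass) { 'OK' } else { 'FAIL' }
    '{0,-45} {1}' -f $_.Check, $state
}

# Non-zero exit code if any check failed.
if ($checks | Where-Object { -not $_.Pass }) { exit 1 }
```

On a user's machine (as opposed to the signer's), the last check is expected to fail, since only the public certificate is distributed.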
Cool commercial for an event or a real hack?
You will never know