posted 22/12/09

The story continues

By Fredrik Wall

Hi,

I sat down and did a little thinking today.
And then it struck me that the Lab AD was not finished
and that it was not built according to best practice.

So I will build the structure from this Microsoft document:
Best Practice Active Directory Design for Managing Windows Networks.

And then we need to:

  1. Create groups
  2. Create computer objects
  3. Add OU information

Then I think we are where we should be.


3 Comments
posted 24/10/09

Code signing using PowerShell

By Fredrik "DXter" Jonsson

In my last post, Creating your own code signing certificate on a smartcard without an internal PKI, I showed how to create a self-signed code signing certificate on a smartcard. Since PowerShell can check the signature of a script before it is executed (the AllSigned and RemoteSigned execution policies do exactly that), signed PowerShell files are preferred for obvious security reasons. :P


First we can check what code signing certificates we have using the PowerShell command:

Get-ChildItem -Path cert:\CurrentUser\My -CodeSigningCert

which in my case gives the following output:

[image: output of Get-ChildItem listing the code signing certificate in cert:\CurrentUser\My]

I see the code signing certificate that I use to sign our tools for PKI ToolBox. This certificate lives on a Gemalto .NET smartcard.

Now we can build a code signing script around the PowerShell cmdlet Set-AuthenticodeSignature. :)


The following code is the actual PowerShell signing script that we use to sign our tools in the PKI ToolBox:

# Select the signing certificate by its exact thumbprint
$cert = Get-ChildItem -Path cert:\CurrentUser\My\F1BF8F3ABBD6295D77C8D4BD6FEEDC19E32A9A74
# Every file in .\cue gets signed
$cue = Get-ChildItem .\cue
Set-Location .\cue
# Sign with the full certificate chain and a VeriSign timestamp countersignature
Set-AuthenticodeSignature -FilePath $cue -Certificate $cert -IncludeChain All -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"
Set-Location ..
Set-Location ..


1. First we create a folder called cue next to the script. The PowerShell files that should be signed go in there.

2. We put our code signing certificate in a variable called $cert. I deliberately do not use the -CodeSigningCert flag when I call Get-ChildItem here: addressing the certificate by its exact thumbprint makes sure that this certificate, and not some other signing certificate that happens to be in the store, is used for the digital signature.

3. We put all objects in the cue folder in a variable called $cue. We avoid a hard-coded reference to a target file because editing the script to point at another file would break the signature on the signing script itself. ;)

4. We change into the cue folder. The file objects in $cue are handed to Set-AuthenticodeSignature by name, and from inside the folder those names resolve to the PowerShell files that will be signed. Pretty cool huh? :)

5. The cmdlet Set-AuthenticodeSignature signs every file in the cue folder with the specified certificate on our smartcard (the smartcard prompts the user for its PIN). The signing time recorded in the signature is taken from the clock of the signing computer, which nobody else has any reason to trust. Therefore we also include a countersignature from VeriSign's timestamp server with the flag -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll". The timestamp authority vouches for the time of signing, and because of it the signature still verifies after our certificate has expired, as long as the certificate was valid at the time it was signed.
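The same procedure, written to fail closed, as an added example that is not the PKI ToolBox signing script above. It selects the certificate by thumbprint (the zero thumbprint is a placeholder for the one Get-ChildItem shows), refuses to run with a missing or expired certificate, passes absolute paths so no Set-Location is needed, and re-reads every signature from disk to confirm that the VeriSign countersignature actually landed in the file. The cue folder name and the timestamp URL are taken from the post; everything else is assumed.

```powershell
# Added example, not the PKI ToolBox signing script: sign every PowerShell
# file under .\cue with one specific certificate, then verify what was written.
# The thumbprint is a placeholder; replace it with the one shown by
# Get-ChildItem -Path cert:\CurrentUser\My -CodeSigningCert.
$thumbprint = "0000000000000000000000000000000000000000"   # placeholder, not a real thumbprint
$tsa        = "http://timestamp.verisign.com/scripts/timstamp.dll"   # TSA URL from the post
$folder     = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) "cue"   # assumes this runs as a script file

# Pick the certificate by thumbprint so that a second code signing
# certificate in the store can never be used by accident.
$cert = Get-ChildItem -Path cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Code signing certificate $thumbprint not found in cert:\CurrentUser\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumbprint expired on $($cert.NotAfter)" }

# FullName gives Set-AuthenticodeSignature an absolute path, so the
# Set-Location trick from the original script is not needed.
$files = @(Get-ChildItem -Path $folder -Include *.ps1,*.psm1,*.psd1 -Recurse)
if ($files.Count -eq 0) { throw "Nothing to sign in $folder" }

$failed = 0
foreach ($file in $files) {
    # The smartcard PIN prompt appears here on the first signature.
    $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert `
               -IncludeChain All -TimeStampServer $tsa
    if ($sig.Status -ne "Valid") {
        Write-Warning ("{0}: {1} ({2})" -f $file.Name, $sig.Status, $sig.StatusMessage)
        $failed++
        continue
    }
    # Re-read from disk: the file must verify, and the TSA countersignature
    # must be present, otherwise the signature expires with the certificate.
    $check = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($check.Status -ne "Valid" -or -not $check.TimeStamperCertificate) {
        Write-Warning ("{0}: signed but verification failed, status {1}, timestamp present: {2}" -f $file.Name, $check.Status, [bool]$check.TimeStamperCertificate)
        $failed++
        continue
    }
    Write-Host ("{0}: Valid, signer {1}, timestamped by {2}" -f $file.Name, $check.SignerCertificate.Subject, $check.TimeStamperCertificate.Subject)
}
if ($failed -gt 0) { throw "$failed file(s) failed to sign" }
```

A timestamp server that is down or unreachable makes Set-AuthenticodeSignature fail rather than silently produce an untimestamped signature, which is the behaviour you want in a build step; the verification pass afterwards is what tells you that every shipped file carries the countersignature.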


Now, let's look at the result of a signed PowerShell file:

[image: file properties dialog with the new Digital Signatures tab]

First we see that the file's properties have a new tab called "Digital Signatures".


[image: signature details showing the digital signature is OK and the VeriSign countersignature with date and time]

If we look at the details, we see that our digital signature is OK and that VeriSign has confirmed the date and time of our signature.
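The properties dialog shows the same information that Get-AuthenticodeSignature returns, and that cmdlet is what PowerShell itself consults before running a script. As an added example that is not part of the post, the script below reports the signature status, signer and timestamp presence for every script in a folder, and then shows what a single edit does to a signed file. It assumes the folder .\cue holds scripts signed as described above and works on a throw-away copy so the real files stay intact.

```powershell
# Added example, not part of the post: audit signatures in a folder, then
# demonstrate that one edit turns a Valid signature into HashMismatch.
# Assumes .\cue contains PowerShell files signed as described above.
function Get-SignatureReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Include *.ps1,*.psm1,*.psd1 -Recurse | ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = "-"
        if ($s.SignerCertificate) { $signer = $s.SignerCertificate.Thumbprint }
        New-Object PSObject -Property @{
            File        = $_.Name
            Status      = $s.Status                       # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer      = $signer
            Timestamped = [bool]$s.TimeStamperCertificate  # $true only with a TSA countersignature
        }
    }
}

Get-SignatureReport -Path ".\cue" | Format-Table File, Status, Timestamped, Signer -AutoSize

# Tamper demonstration on a copy. Inserting one line ahead of the
# "# SIG # Begin signature block" comment changes the hashed content while
# the signature block itself stays intact, so the status becomes
# HashMismatch and an AllSigned execution policy refuses to run the file.
$signed = Get-ChildItem -Path ".\cue" -Filter *.ps1 | Select-Object -First 1
$copy   = Join-Path $env:TEMP ("tampered-" + $signed.Name)
$lines  = Get-Content -Path $signed.FullName
Set-Content -Path $copy -Value (@("Write-Host 'injected line'") + $lines)
Write-Host ("{0}: {1}" -f $signed.Name, (Get-AuthenticodeSignature -FilePath $signed.FullName).Status)
Write-Host ("{0}: {1}" -f (Split-Path -Leaf $copy), (Get-AuthenticodeSignature -FilePath $copy).Status)
Remove-Item -Path $copy
```

Run the report again after a certificate has expired: files that carry the countersignature stay Valid, files signed without one do not, which is the practical reason for the -TimeStampServer flag in the signing script.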


A video of this was recorded by me and Dalle when we visited Microsoft last Friday to record our demo of PKI ToolBox for TechNet Edge. The video will be posted on http://edge.technet.com in the near future. :)


// Fredrik ”DXter” Jonsson

No Comments
posted 24/06/09

Use Active Directory PowerShell to manage win 2003-2008 DCs

By Fredrik Wall

Microsoft has been working on a solution that lets us use the AD PowerShell cmdlets to manage Windows Server 2003 DCs too.

http://blogs.msdn.com/adpowershell/archive/2009/06/23/use-active-directory-powershell-to-manage-windows-2003-2008-dcs.aspx

Very nice!

No Comments