Monthly Archives: December 2014

A U.S. state paid over $1,000,000 USD for “fake” security in its web application!

I have the “pleasure” of interacting with software for a US state that was contracted out to a third party.  The third-party vendor is not known for high-caliber software, but what I found recently while digging around their web application really made me cringe.

When you first login to the application, a little modal pops up and alerts you to the fact that it is connecting to secure servers.

I noticed that after the redirect, I ended up in a non-SSL web application.  I mean, literally, no SSL ANYWHERE.  Every piece of information posted back and forth to the web application is sent in PLAIN TEXT across the magical internet pipes.

This piqued my interest, and led me to dig around the HTML/JS that was loading during that modal.

To my surprise, NOTHING was being done at all!  This piece of code literally LIES to its users, suggesting that it is going into secure channels.

Knowing the state paid over $1,000,000 for this web application makes me sick to my stomach.  The system has been plagued with issues since launch (as most web applications are), but this really goes above and beyond.  Seeing the commented-out “alert” lets me know someone was debugging this thing at some point.  How much time was spent writing this code (essentially misleading users about security) vs. the time it would have taken to install an actual SSL certificate?!

[Screenshot: BioCrap_SecureLogin]


How To: Server 2012 R2 Change Default RemoteApp Port for Web Deployments

Working on a RemoteApp configuration, I needed to change the default port (3389) that the RDWeb deployment file uses.  In Server 2008 there was an easy-to-use GUI that let you configure the name, port, and icon of RemoteApps.  That GUI is no longer available in Server 2012!  Not to fear, I found this nifty little PowerShell command that lets you set the port written into the .RDP files that users download from the “/RDWeb” RemoteApp web portal.

You will need to know the Collection Name of the RemoteApp session collection you are trying to edit.  Use the PowerShell command below and replace “[[Your Collection Name Here]]” with your collection name (QuickSessionCollection is the default name created by the “Quick” option during RemoteApp configuration).  Replace “[[Your Port Here]]” with the port number you would like written into the .RDP file that RDWeb gives users for their RemoteApp connection.

Set-RDSessionCollectionConfiguration -CollectionName "[[Your Collection Name Here]]" -CustomRdpProperty "server port:i:[[Your Port Here]]"
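Two things the one-liner above does not cover: -CustomRdpProperty replaces the whole custom-property string, so any properties already set on the collection are lost, and the .RDP file only tells the client which port to dial; the RD Session Host has to listen there as well.  The script below is an added example, not code from the original post.  It assumes the collection name “QuickSessionCollection” and port 3390 as placeholders, and assumes CustomRdpProperty is a newline-separated list of “name:type:value” lines, as in an .RDP file.  The second half (listener port, firewall rule, service restart) goes beyond what the post describes.

```powershell
# Added example, not from the original post.
# Assumptions: collection name and port are placeholders; CustomRdpProperty is a
# newline-separated list of "name:type:value" lines, like the body of an .RDP file.
$CollectionName = "QuickSessionCollection"
$Port = 3390

# Keep the custom properties already on the collection, minus any old "server port" line,
# so the new port is added rather than overwriting everything else.
$Existing = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName).CustomRdpProperty
$Kept = @()
if ($Existing) {
    $Kept = @($Existing -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^server port:i:' })
}
$NewProps = ($Kept + "server port:i:$Port") -join "`n"

Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $NewProps

# Verify what /RDWeb will now put into the .RDP files it hands out.
(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName).CustomRdpProperty

# The .RDP file only tells the client where to connect. Make the RD Session Host
# listen on the same port, open the firewall for it, and restart Remote Desktop
# Services (this drops active sessions, so do it in a maintenance window).
$ListenerKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $ListenerKey -Name PortNumber -Value $Port -Type DWord
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
Restart-Service -Name TermService -Force
```

If clients reach the collection through an RD Gateway, the gateway (not the client) is what dials the session host, so the gateway must be able to reach the new port too.  Moving the port off 3389 hides the listener from the laziest scanners but is not a security control; it does not replace a gateway, NLA, and a trusted certificate.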



Server 2012 R2 : Change Remote Desktop SSL Certificate in 3 Easy Steps

Working on a Server 2012 R2 Standard box today that still had its initial self-signed SSL certificate.  I needed to replace that certificate so IIS and Remote Desktop would stop warning users about the security issue.  In Server 2008 you could select which certificate Remote Desktop connections should use.  In Server 2012 that GUI has been removed.  It took me a little while to work everything out for Server 2012, but these are the steps I took.  Hope this helps someone else later on!

  1. Get the Thumbprint of the SSL certificate you want Remote Desktop to use
    1. Windows + R
    2. Type in mmc and hit enter
    3. Control + M (or File -> Add/Remove Snap In)
    4. Click on “Certificates” in the “Available snap-ins:” section
    5. Click the “Add >” button
    6. Select “Computer account”
    7. Click Next
    8. Select “Local Computer:”
    9. Click the “Finish” button
    10. Click “OK” button
    11. Open the “Certificates (Local Computer)” then, “Personal” and then “Certificates” sub folder.
    12. Double click the certificate you want Remote Desktop to use
    13. Click the “Details” tab
    14. Select “All” under “Show:”, scroll down to the “Thumbprint” field, and select it.
    15. Copy the text of the hash.
    16. Remove all spaces from your copied hash.  Also check for an invisible character at the start: MMC often prepends a hidden left-to-right mark (U+200E) to the copied thumbprint, and WMI will reject the hash if it is still there.
  2. Open “PowerShell” as an Administrator
  3. Run these PowerShell commands (replace YOUR HASH HERE with the thumbprint you copied in step 1 above).  You can run each line one after the other.
    1. $TSGeneralSetting = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
    2. $Hash = "YOUR HASH HERE"
    3. $TSGeneralSetting.SSLCertificateSHA1Hash = $Hash
    4. $TSGeneralSetting.Put()

If the write succeeded, Put() prints the path of the updated Win32_TSGeneralSetting instance.  Connect to the server again with Remote Desktop or RemoteApp, and new connections should be using the new SSL certificate!
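The MMC copy/paste in step 1 is where this procedure usually goes wrong (spaces, the hidden mark, or picking a certificate with no private key).  The script below is an added example, not code from the original post: it finds the certificate in the Local Computer Personal store from PowerShell, applies it with the same WMI class as step 3, and then re-reads the setting to confirm it took.  It assumes “rds.example.com” as a placeholder for the DNS name in the certificate's Subject.

```powershell
# Added example, not from the original post.
# Assumption: "rds.example.com" is a placeholder for the name in the cert's Subject CN.
$DnsName = "rds.example.com"

# Pick the newest unexpired certificate for that name that actually has a private key.
# Remote Desktop cannot use a certificate without one.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like "*CN=$DnsName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $Cert) { throw "No usable certificate for $DnsName in Cert:\LocalMachine\My" }

# Taking the thumbprint from the object avoids the spaces and hidden left-to-right
# mark that come along when it is copied out of MMC.
$Hash = $Cert.Thumbprint
"Using $($Cert.Subject), expires $($Cert.NotAfter), thumbprint $Hash"

# Same WMI class and filter the post uses in step 3.
$Filter = "TerminalName='RDP-tcp'"
$TS = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter $Filter
$TS.SSLCertificateSHA1Hash = $Hash
$null = $TS.Put()

# Verify by re-reading the listener setting instead of trusting Put()'s output.
$Applied = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter $Filter).SSLCertificateSHA1Hash
if ($Applied -ne $Hash) { throw "RDP-Tcp listener still reports $Applied" }
"RDP-Tcp listener now uses certificate $Applied"
```

If clients still see a warning after this, the usual causes are that the certificate's private key is not readable by NETWORK SERVICE (the account Remote Desktop Services runs as; grant it Read on the key via the certificate's “Manage Private Keys…” dialog), or that the name users type into the RDP client does not match the certificate's Subject or Subject Alternative Name.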

