June 2008 - Posts

Security Certificates, Trusted Publishers, and ClickOnce Apps

The real author of this entry is Steve Grinker (he doesn't have a blog yet, I'm trying to convince him to get one here). By the way, Steve, yes, your name is going to be prominently displayed until you do get a blog. So you might as well get one so I stop nagging you.

Issue: We have an internally written ClickOnce application with signed InfoPath forms. If we put the cert in a GPO, it would be added to the "Trusted Root Certification Authorities" store and trusted by the application, but once you used one of the signed InfoPath forms, the user was prompted with an error that resolved to the form not being properly trusted. We needed a way to automatically get the cert into the "Trusted Publishers" store. Since this solution took several people on my team, the internal development team, and a call to MS, we're blogging this.

Resolution: Run this script as an advertisement via SMS, in the system context. The source folder contains the 4 files: the VBScript itself, certadm.dll and certutil.exe from our cert server, and the certificate.cer file.

The script copies certadm.dll to the local computer's system32 folder and registers the .dll, then this command is run:

certutil.exe -enterprise -addstore "TrustedPublisher" certificate.cer

That places the .cer into the Trusted Publishers store, so the end user no longer gets any prompts, either from the ClickOnce app or when launching an individual InfoPath form.

On Error Resume Next
Set sho = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
' Folder the script was launched from; certadm.dll, certutil.exe and certificate.cer sit beside it
strCurrentDir = Left(WScript.ScriptFullName, (InStrRev(WScript.ScriptFullName, "\") - 1))
Set strSysFolder = FSO.GetSpecialFolder(1) 'get system32 folder
'Copy the dll to the system folder
FSO.CopyFile strCurrentDir & "\certadm.dll", strSysFolder & "\"
'Register the dll silently (/s) so certutil.exe can load it; wait for regsvr32 to finish
sho.Run "cmd.exe /c regsvr32.exe /s " & Chr(34) & _
  strSysFolder & "\certadm.dll" & Chr(34), 0, vbTrue
'Add the certificate to the machine-wide (enterprise) Trusted Publishers store
intRet = sho.Run(strCurrentDir & "\certutil.exe -enterprise -addstore " & Chr(34) & _
  "TrustedPublisher" & Chr(34) & " " & strCurrentDir & "\certificate.cer", 0, vbTrue)
'Exit with certutil's return code so the SMS advertisement status reflects success or failure
WScript.Quit(intRet)

FYI, the production script also contains some registry key tags I'm tracking with a MOF edit, so we can target computers that haven't registered the cert, but that's not pertinent to this blog entry.

Supposedly this might all get easier with Vista and Server 2008, but per Microsoft there is no current way to address this with a GPO in XP. We even tried some updated ADM files with no positive results.

Posted by skissinger | with no comments

Report on Local Administrators Group membership - updated

Ward Lange's original MOF edit works great for Windows 2000 and XP, but for Windows 2003 servers and Vista, "BUILTIN" needed to be replaced with the local computer's name. Unfortunately, I have yet to hear of a way to use a dynamic variable in the MOF.

Mike Seely posted a script on the forum. With his permission I've used it to show a different method to gather the contents of the local Administrators group.

  • Edit inboxes\clifiles.src\hinv\sms_def.mof.  At the very bottom, add these lines.  These are identical to Ward Lange's mof edit, so if you've already implemented that one, no need to change anything.
    [ SMS_Report (TRUE),SMS_Group_Name ("LocalAdmins"),SMS_Class_ID ("MICROSOFT|LocalAdmins|1.0")]
    class Win32_LocalAdmins : SMS_Class_Template
    {
    [SMS_Report(TRUE), key] string AccountName;
    [SMS_Report(TRUE), key] string GroupName;
    };
  • Do not add anything to Configuration.mof.  If you've previously implemented Ward Lange's edit, remove the section from configuration.mof.  If you are on SMS 2003 (not ConfigMgr) and have already implemented Ward Lange's edit, you will want to remove the data section, leaving just the reporting section (the section above).
  • Attached is a .txt file; rename it to .vbs.  Place it in a source folder, and create a package/program for it that runs whether or not a user is logged in.
  • The collection query I suggest using for the advertisement is below.  I'd set it to recur every few days, so if a machine somehow loses the WMI information, it gets it back.

    select SMS_R_SYSTEM.ResourceID
    from SMS_R_System
    where
    SMS_R_System.ResourceId not in
     (select SMS_R_System.ResourceId
      from  SMS_R_System
      inner join SMS_G_System_LOCALADMINS on SMS_G_System_LOCALADMINS.ResourceID = SMS_R_System.ResourceId
      where SMS_G_System_LOCALADMINS.AccountName is not null)

So, what does this combination do?  The sms_def.mof edit will set your hardware inventory policy to report on local administrators group membership.  The vbscript advertisement will create the WMI data entry using the computer name.  It doesn't really matter if configuration.mof built it or something else built it--once it's there, Hardware Inventory policy will be able to use it.

A sample report to use once you have this data:

select distinct Name0 as 'Computer Name',
  substring(AccountName0, charindex('Domain=', AccountName0) + 8,
            charindex('Name=', AccountName0) - charindex('Domain=', AccountName0) - 10) as 'Domain Name',
  substring(AccountName0, len(AccountName0) - charindex('"', reverse(AccountName0), 2) + 2,
            charindex('"', reverse(AccountName0), 2) - 2) as 'User Name'
from v_GS_SYSTEM
inner join v_GS_LocalAdmins on v_GS_SYSTEM.ResourceID = v_GS_LocalAdmins.ResourceID
where AccountName0 not like '%Administrator%'
  and AccountName0 not like '%Domain Admins%'
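An added example, not code from the article: Python that reproduces what the report's substring/charindex arithmetic extracts from AccountName0 (the WMI object path the inventory class stores), checks it against a plain regex, and applies the same WHERE filter. The computer names and account paths are constructed sample values.

```python
import re

# Constructed sample rows (computer name, AccountName0) in the WMI object-path
# format the inventory class stores; made up for this example, not article data.
SAMPLE_ROWS = [
    ("WKS01", r'\\WKS01\root\cimv2:Win32_UserAccount.Domain="WKS01",Name="Administrator"'),
    ("WKS01", r'\\WKS01\root\cimv2:Win32_Group.Domain="CONTOSO",Name="Domain Admins"'),
    ("WKS01", r'\\WKS01\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="jdoe"'),
    ("SRV02", r'\\SRV02\root\cimv2:Win32_Group.Domain="CONTOSO",Name="Helpdesk"'),
    ("SRV02", r'\\SRV02\root\cimv2:Win32_UserAccount.Domain="SRV02",Name="localadmin"'),
]

PATH_RE = re.compile(r'Domain="(?P<domain>[^"]*)",Name="(?P<name>[^"]*)"$')


def parse_with_regex(account_name):
    """Readable version: pull (domain, name) out of the object path."""
    m = PATH_RE.search(account_name)
    if m is None:
        raise ValueError(f"unexpected AccountName0 format: {account_name!r}")
    return m.group("domain"), m.group("name")


def parse_like_sql(account_name):
    """Literal translation of the report's T-SQL (1-based) SUBSTRING/CHARINDEX maths."""
    s = account_name
    d = s.index("Domain=") + 1                 # charindex('Domain=', AccountName0)
    n = s.index("Name=") + 1                   # charindex('Name=', AccountName0)
    # substring(s, d + 8, n - d - 10): skip Domain=" and stop before ",Name=
    domain = s[d + 8 - 1 : d + 8 - 1 + (n - d - 10)]
    q = s[::-1].index('"', 1) + 1              # charindex('"', reverse(s), 2)
    # substring(s, len(s) - q + 2, q - 2): the text between the last two quotes
    start = len(s) - q + 2
    name = s[start - 1 : start - 1 + (q - 2)]
    return domain, name


def local_admin_report(rows):
    """Apply the report's WHERE clause and return sorted, de-duplicated rows.
    SQL Server's default collation makes LIKE case-insensitive, hence casefold();
    note the filter drops any path containing 'Administrator', not only the built-in account."""
    out = set()
    for computer, acct in rows:
        low = acct.casefold()
        if "administrator" in low or "domain admins" in low:
            continue
        out.add((computer,) + parse_with_regex(acct))
    return sorted(out)
```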

Note 1: The vbscript specifically looks for members of the 'Administrators' group.  If you have alternate groups you need to look for, like Administrateurs, or Administraten, modify the script.

Note 2: The VBScript is currently specifically for x86; it will need adjusting to work on x64 OSes.

Original article (includes screenshots of what the sample report looks like): http://www.myitforum.com/articles/8/view.asp?id=9735


Posted by skissinger | 4 comment(s)