Wednesday, 27 January 2016

Internet Explorer’s Explicit Security Zone Mappings

This article was applied to assign trusted sites in a 64-bit Windows Server environment with Internet Explorer 8. As it explains, whether the "trusted sites" actually take effect depends heavily on several factors that can cause problems and leave the sites unassigned in the user's session.


Source:
https://blogs.technet.microsoft.com/fdcc/2011/09/22/internet-explorers-explicit-security-zone-mappings/


[Updated 15 May 2012 to correct a bug involving precedence of Computer policies over User policies.]
I recently worked with some customers who wanted to enumerate which web sites had been assigned to which Internet Explorer security zones.  I.e., they wanted to know which web sites had been assigned to the Intranet zone, which to Trusted Sites, etc.  In the course of this work I uncovered some surprising complexities about site-to-zone assignment rules that had not yet been documented.  This blog post describes those discoveries.  Later today I will post an updated version of IEZoneAnalyzer that lists the sites that have been configured and whether those settings are in effect or ignored. [Update: it’s been posted.]
[I’m not happy with the way the blog software has reformatted this document; rather than spend the day fighting it I’m attaching the original Word doc to this post.]

Overview

Internet Explorer applies a set of rules to associate web sites (URLs) with security zones, based on criteria such as whether the server has a dot in its name.  In addition, group policies, computer settings and user preferences can be used to map specific URLs to specific zones.  For example, you could explicitly add “https://www.contoso.com” to the Trusted Sites zone.  Such site-to-zone mappings are defined under one or more ZoneMap key hierarchies in the registry.  There are five different locations where ZoneMap key hierarchies can be defined, but only one or two of them will be in effect at any particular point in time.  Exactly which settings under which ZoneMap keys are effective depends on a number of circumstances:

- Whether Site-To-Zone-Assignment lists are configured in Computer Configuration and/or User Configuration group policies;
- Whether the “Security Zones: Use only machine settings” group policy is configured (a.k.a., Security_HKLM_only);
- Whether Internet Explorer’s Enhanced Security Configuration (ESC) is enabled (Server only);
and, quite surprisingly:
- Whether or not the program is a 32-bit process on 64-bit Windows; a.k.a., “Windows On Windows 64” or WOW64.

Yes, that’s right – in some circumstances, a 32-bit process and a 64-bit process on the same computer can see the same site mapped to different security zones.

Also, my testing indicates that there is a bug that results in all URLs being treated as “Internet” zone when both ESC and a Computer or User Site-To-Zone-Assignment list are enabled.

Explicit Site To Zone Rules

The rules for selecting ZoneMap keys are listed below.  Each table shows some combination of the four circumstances described in the overview; following each table is the key or keys that are in effect in those circumstances.  There are separate settings under each ZoneMap key for “ESC on” and “ESC off”.  If ESC is on, only those settings under the EscDomains and EscRanges subkeys are used; if ESC is off, only the settings under the Domains and Ranges subkeys are used.

Note that in the tables below, WOW64 set to “Yes” means a 32-bit process on a 64-bit version of Windows.  WOW64 set to “No” means either a 32-bit process on a 32-bit version of Windows or a 64-bit process on a 64-bit version of Windows.


Rule 1: WOW64 = Yes, Security_HKLM_only = Cleared, Computer Site-To-Zone = Absent, User Site-To-Zone = Absent
Combines results from:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
User preferences (in HKCU) take precedence over computer preferences.

Rule 2: WOW64 = No, Security_HKLM_only = Cleared, Computer Site-To-Zone = Absent, User Site-To-Zone = Absent
Combines results from:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
User preferences (in HKCU) take precedence over computer preferences.

Rule 3: WOW64 = Yes, Security_HKLM_only = Set, Computer Site-To-Zone = Absent, User Site-To-Zone = Either
  HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
User site-to-zone assignments are ignored if present.

Rule 4: WOW64 = No, Security_HKLM_only = Set, Computer Site-To-Zone = Absent, User Site-To-Zone = Either
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
User site-to-zone assignments are ignored if present.

Rule 5: WOW64 = Either, Security_HKLM_only = Either, Computer Site-To-Zone = Present, User Site-To-Zone = Absent
  HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Rule 6: WOW64 = Either, Security_HKLM_only = Cleared, Computer Site-To-Zone = Present, User Site-To-Zone = Present
Combines results from:
  HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Computer policies (in HKLM) take precedence over User policies.

Rule 7: WOW64 = Either, Security_HKLM_only = Set, Computer Site-To-Zone = Present, User Site-To-Zone = Either
  HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
User site-to-zone assignments are ignored if present.

Rule 8: WOW64 = Either, Security_HKLM_only = Cleared, Computer Site-To-Zone = Absent, User Site-To-Zone = Present
  HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

What About “ZoneMapKey”?


IT administrators trying to apply site-to-zone settings by directly manipulating registry values often discover two “ZoneMapKey” registry keys that appear to be more interesting than they actually are: specifically, HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey and HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey.  Values under these keys look like the site-to-zone assignments applied through group policy, and in fact they are.  However, these keys are not used directly by Internet Explorer, and if you directly set values there, they will have no effect.  The ZoneMapKey entries are just a temporary writing place for the Group Policy engine, which writes entries there as specified by Group Policy, and then parses them into corresponding ZoneMap subkey settings that are used by Internet Explorer.
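The following script is an added example, not code from the original post or from IEZoneAnalyzer. It applies the eight rules above to the process it runs in, reads only the ZoneMap keys that are in effect (never ZoneMapKey), and lists the explicit Domains entries with the key each one came from. It assumes Security_HKLM_only is stored as a DWORD under the HKLM Policies "Internet Settings" key, treats a Site-To-Zone list as present when its Policies\...\ZoneMap key exists, and takes the ESC state from the caller because the post does not describe where ESC is recorded.

```powershell
# Added example (not from the original post): resolve the effective ZoneMap keys
# for the current process and list their explicit Domains entries.
function Get-EffectiveZoneMap {
    param([switch]$EscOn)   # ESC state supplied by the caller (assumption: not auto-detected)
    $base  = 'Microsoft\Windows\CurrentVersion\Internet Settings'
    $pol   = "SOFTWARE\Policies\$base"
    # WOW64 = 32-bit process on 64-bit Windows (PROCESSOR_ARCHITEW6432 is only set under WOW64)
    $wow64 = [IntPtr]::Size -eq 4 -and (Test-Path Env:\PROCESSOR_ARCHITEW6432)
    # Assumption: Security_HKLM_only is a DWORD under the HKLM Policies key
    $hklmOnly   = (Get-ItemProperty "HKLM:\$pol" -ErrorAction SilentlyContinue).Security_HKLM_only -eq 1
    $compPolicy = Test-Path "HKLM:\$pol\ZoneMap"   # Computer Site-To-Zone list present?
    $userPolicy = Test-Path "HKCU:\$pol\ZoneMap"   # User Site-To-Zone list present?
    $machine = if ($wow64) { "HKLM:\SOFTWARE\Wow6432Node\$base\ZoneMap" } else { "HKLM:\SOFTWARE\$base\ZoneMap" }
    if ($EscOn -and ($compPolicy -or $userPolicy)) {
        Write-Warning 'ESC plus a Site-To-Zone list: the post reports that every URL is then treated as Internet zone'
    }
    # Keys in precedence order (first hit wins); one branch per rule in the tables above
    $keys = if ($compPolicy) {
        if ($userPolicy -and -not $hklmOnly) { "HKLM:\$pol\ZoneMap"; "HKCU:\$pol\ZoneMap" } else { "HKLM:\$pol\ZoneMap" }
    } elseif ($userPolicy -and -not $hklmOnly) {
        "HKCU:\$pol\ZoneMap"
    } elseif ($hklmOnly) {
        $machine                                  # user preferences ignored
    } else {
        "HKCU:\Software\$base\ZoneMap"; $machine  # user preferences beat computer preferences
    }
    $sub  = if ($EscOn) { 'EscDomains' } else { 'Domains' }
    $seen = @{}
    foreach ($k in $keys) {
        # Layout: ZoneMap\Domains\<domain>[\<host>] holding one DWORD per scheme (http, https, *)
        Get-ChildItem "$k\$sub" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $rel   = $_.Name.Substring($_.Name.IndexOf("\$sub\") + $sub.Length + 2)
            $parts = $rel -split '\\'
            $site  = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
            foreach ($p in $_.Property) {
                $id = "${p}://$site"
                if (-not $seen.ContainsKey($id)) {   # lower-precedence duplicate: ignored
                    $seen[$id] = New-Object psobject -Property @{ Site = $id; Zone = $_.GetValue($p); Source = $k }
                }
            }
        }
    }
    $seen.Values | Sort-Object Site
}
Get-EffectiveZoneMap | Format-Table Site, Zone, Source -AutoSize
```

Run it once from a 32-bit and once from a 64-bit PowerShell host on the same 64-bit machine to see the Wow6432Node difference described above; zone values are the usual 0 to 4 (Local, Intranet, Trusted, Internet, Restricted).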

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

A useful guide for carrying out the migration; it was applied successfully.

Source:

http://blogs.technet.com/b/canitpro/archive/2014/11/12/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2.aspx


As you may be aware, support for both Windows Server 2003 and 2003 R2 is coming to an end on July 14th 2015. With this in mind, IT professionals are in the midst of planning migrations. This guide provides the steps for migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.

In this demonstration I am using the following setup.

Server Name                    | Operating System                      | Server Roles
canitpro-casrv.canitpro.local  | Windows Server 2003 R2 Enterprise x86 | AD CS (Enterprise Certificate Authority)
CANITPRO-DC2K12.canitpro.local | Windows Server 2012 R2 x64            | -
Step 1: Back up the Windows Server 2003 certificate authority database and its configuration
1. Log in to the Windows Server 2003 server as a member of the local Administrators group
2. Go to Start > Administrative Tools > Certificate Authority
3. Right-click the server node > All Tasks > Backup CA
4. This opens the “Certification Authority Backup Wizard”; click “Next” to continue
5. In the next window tick the check boxes to select the options as highlighted in the original screenshot, and click “Browse” to provide the path where the backup file will be saved. Then click “Next” to continue
6. It will then ask for a password to protect the private key and CA certificate file. Once you have provided the password, click Next to continue
7. The next window shows a confirmation; click “Finish” to complete the process
Step 2: Back up the CA registry settings
1. Click Start > Run, type regedit and click “Ok”
2. Expand the key at the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc
3. Right-click the “Configuration” key and click “Export”
4. In the next window select the path where you want to save the backup file and give it a name. Then click Save to complete the backup
Now we have the backup of the CA; move these files to the new Windows Server 2012 R2 server.
Step 3: Uninstall the CA service from Windows Server 2003
Now that the backup files are ready, and before configuring certificate services on the new Windows Server 2012 R2 server, we can uninstall the CA services from the Windows Server 2003 server. To do that, follow these steps.
1. Click Start > Control Panel > Add or Remove Programs
2. Click the “Add/Remove Windows Components” button
3. In the next window clear the tick next to “Certificate Services” and click Next to continue
4. Once the process completes it will show a confirmation; click “Finish”
With that we are done with the Windows Server 2003 CA services, and the next step is to install and configure the Windows Server 2012 CA services.
Step 4: Install Windows Server 2012 R2 Certificate Services
1. Log in to Windows Server 2012 as Domain Administrator or as a member of the local Administrators group
2. Go to Server Manager > Add roles and features
3. The “Add roles and features” wizard opens; click Next to continue
4. In the next window select “Role-based or Feature-based installation” and click Next to continue
5. In the server selection keep the default selection and click Next to continue
6. In the next window tick the box to select “Active Directory Certificate Services”; a window pops up asking you to acknowledge the required features that need to be added. Click Add Features to add them
7. In the features section leave the defaults. Click Next to continue
8. The next window gives a brief description of AD CS. Click Next to continue
9. It then offers the choice of role services. I have selected Certificate Authority and Certification Authority Web Enrollment. Click Next to continue
10. Since Certification Authority Web Enrollment was selected, it requires IIS, so the next window gives a brief description of IIS
11. The next window offers to add IIS role services. I will leave it at the default and click Next to continue
12. The next window asks for confirmation of the services to install; click “Install” to start the installation process
13. Once the installation completes you can close the wizard.
Step 5: Configure AD CS
In this step we will look at the configuration and at restoring the backup we created.
1. Log in to the server as Enterprise Administrator
2. Go to Server Manager > AD CS
3. In the right-hand panel it shows a message like the one in the original screenshot; click “More”
4. A window opens; click “Configure Active Directory Certificate Service ……”
5. The role configuration wizard opens. It offers the option to change the credentials; here I am already logged in as Enterprise Administrator, so I will leave the default and click Next to continue
6. In the next window it asks which services you would like to configure. Select the “Certification Authority” and “Certification Authority Web Enrollment” options and click Next to continue
7. It will be an Enterprise CA, so in the next window select Enterprise CA as the setup type and click Next to continue
8. In the next window select “Root CA” as the CA type and click Next to continue
9. The next option is very important in the configuration. If this were a new installation we would only need to create a new private key. But since this is a migration, we already have a backup of the private key, so here select the options as highlighted in the original screenshot. Then click Next to continue
10. In the next window click the “Import” button
11. Here it offers to select the key we backed up during the backup process on the Windows Server 2003 server. Browse to and select the key from the backup we made and provide the password we used to protect it. Then click OK
12. The key is then imported successfully; in the window select the imported certificate and click Next to continue
13. In the next window we can define the certificate database path. Here I will leave it at the default and click Next to continue
14. The next window shows the configuration confirmation; click Configure to proceed with the process
15. Once it completes, click Close to exit the configuration wizard
Step 6: Restore the CA backup
Now comes the most important part of the process, which is to restore the CA backup we made on Windows Server 2003.
1. Go to Server Manager > Tools > Certification Authority
2. Right-click the server node > All Tasks > Restore CA
3. It then asks whether it is okay to stop the certificate service in order to proceed. Click OK
4. The Certification Authority Restore Wizard opens; click Next to continue
5. In the next window browse to the folder where we stored the backup and select it. Then also select the options as I did (highlighted in the original screenshot). Then click Next to continue
6. The next window asks for the password we used to protect the private key during the backup process. Once it is entered, click Next to continue
7. In the next window click “Finish” to complete the import process
8. Once it completes, the system asks whether it is okay to start the certificate service again. Proceed with it to bring the service back online
Step 7: Restore the registry information
During the CA backup process we also backed up a registry key. It’s time to restore it. To do so, open the folder that contains the backed-up .reg file, then double-click it.
1. Click Yes to proceed with the registry key restore
2. Once completed it gives a confirmation about the restore
Step 8: Reissue certificate templates
We are done with the migration process and now it’s time to reissue the certificates. I had a template set up in the Windows 2003 environment called “PC Certificate” which issues certificates to the domain computers. Let’s see how I can reissue them.
1. Open the Certification Authority snap-in
2. Right-click the Certificate Templates folder > New > Certificate Template to Reissue
3. From the certificate templates list click the appropriate certificate template and click OK
Step 9: Test the CA
Here I already had a certificate template set up for PCs and set to auto-enroll. For testing purposes I set up a Windows 8 PC called demo1 and added it to the canitpro.local domain. Once it had loaded for the first time, I opened the Certification Authority snap-in on the server, and once I expanded the “Issued Certificates” section I could clearly see the new certificate it issued for the PC.
So this confirms the migration is successful.
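The script below is an added example, not part of the original guide: it is the command-line equivalent of the GUI backup (Steps 1 and 2), the role configuration with the imported key (Steps 4 and 5) and the restore (Steps 6 and 7). The backup directory, the CA name in the .p12 file name and the password are placeholders; certutil and reg.exe ship with both Windows versions, and the two lines that run on Server 2003 can be typed into cmd.exe unchanged since PowerShell is not installed there by default.

```powershell
# Added example (not from the original guide): scripted AD CS migration steps.
$backupDir = 'C:\CABackup'                 # placeholder
$pw        = 'CHANGE-ME-backup-password'   # placeholder; protects the exported private key

# --- On the old CA (Windows Server 2003), as a local administrator: Steps 1-2 ---
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
certutil -backup -p $pw $backupDir         # CA certificate + private key (.p12) and the CA database
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backupDir\CertSvc-Configuration.reg" /y

# --- Copy $backupDir to the new server, then on Windows Server 2012 R2 as Enterprise Admin ---
# Steps 4-5: install the role services and configure the CA from the backed-up key, not a new one
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
$sec = ConvertTo-SecureString $pw -AsPlainText -Force
# CA-NAME is a placeholder: certutil -backup names the .p12 after the CA's common name
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile "$backupDir\CA-NAME.p12" -CertFilePassword $sec -Force
Install-AdcsWebEnrollment -Force

# Steps 6-7: restore the database and the registry configuration with the service stopped
Stop-Service CertSvc
certutil -f -restore -p $pw $backupDir     # -f overwrites the empty database the role install created
reg import "$backupDir\CertSvc-Configuration.reg"
Start-Service CertSvc
certutil -cainfo name                      # quick check that the restored CA answers with its name
```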