lithnet / ad-password-protection

Active Directory password filter featuring breached password checking and custom complexity rules
MIT License

Support running LPP in LSA protected mode #15

Closed AaronG1234 closed 5 years ago

AaronG1234 commented 5 years ago

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection (emphasis mine)

Signature verification

Protected mode requires that any plug-in that is loaded into the LSA is digitally signed with a Microsoft signature. Therefore, any plug-ins that are unsigned or are not signed with a Microsoft signature will fail to load in LSA. Examples of these plug-ins are smart card drivers, cryptographic plug-ins, and password filters.

Any way you could get your DLL signed so that it would be usable with LSA Protected Mode?
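A defender-side check for the situation described in the quoted documentation, added here as an example and not code from the Lithnet project: it reads the LSA `Notification Packages` list and the `RunAsPPL` value on a domain controller and reports each password filter DLL's Authenticode signer, so an admin can see before enabling protected mode which filters would fail to load. The `*Microsoft*` subject match is an assumed heuristic for a Microsoft-issued signature, not the exact test LSA performs.

```powershell
# Added example (not part of lithnet/ad-password-protection): audit the password
# filter DLLs registered with LSA against the LSA protected mode (RunAsPPL) requirement.
# Assumption: matching the signer subject on "Microsoft" is a heuristic; LSA's real
# check is for a Microsoft-issued signature, which this approximates.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey

# RunAsPPL >= 1 means LSA runs as a protected process and rejects non-Microsoft plug-ins.
$runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
$pplEnabled = $runAsPpl -ge 1
Write-Host ("RunAsPPL: {0}" -f $(if ($pplEnabled) { 'enabled' } else { 'not set' }))

# "Notification Packages" is a REG_MULTI_SZ of DLL base names (no extension)
# that LSA loads from System32 as password notification/filter packages.
$packages = @($lsa.'Notification Packages')

foreach ($pkg in $packages) {
    $dllPath = Join-Path $env:SystemRoot ("System32\{0}.dll" -f $pkg)
    if (-not (Test-Path -Path $dllPath)) {
        Write-Warning ("{0}: DLL not found at {1}" -f $pkg, $dllPath)
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $microsoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    $verdict = if ($microsoftSigned) {
        'OK for protected mode'
    } elseif ($pplEnabled) {
        'WILL NOT LOAD (RunAsPPL enabled, non-Microsoft signature)'
    } else {
        'would fail to load once RunAsPPL is enabled'
    }

    [pscustomobject]@{
        Package   = $pkg
        Path      = $dllPath
        SigStatus = $sig.Status
        Signer    = $signer
        Verdict   = $verdict
    }
}
```

Run it in an elevated PowerShell session on each domain controller; the built-in packages (for example scecli) should report as Microsoft-signed, and any third-party filter that does not is the one to review before turning on RunAsPPL.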

ryannewington commented 5 years ago

Hi @AaronG1234,

I've been wanting to do this for a while, but unfortunately an EV code signing certificate is required for this, and they are not cheap. I'll take another look around and see if I can find one affordable, or a CA that offers cheaper rates for open source projects.

Ryan

AaronG1234 commented 5 years ago

DigiCert has a hidden special, accessible from

https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate#step-2-buy-a-new-code-signing-certificate

https://www.digicert.com/friends/sysdev/ (click Ok button)

104 USD per year for EV.


From: Ryan Newington notifications@github.com Sent: Monday, July 15, 2019 7:14:31 PM To: lithnet/ad-password-protection Cc: Aaron Galbraith; Mention Subject: [EXTERNAL] Re: [lithnet/ad-password-protection] Doesn't work with LSA Protected (#15)

Hi @AaronG1234 [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_AaronG1234&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=UxN6XakhxeD6JV4dDqB1qhohwOgHCEsbupnLiTes1W4&s=z4Dk91UdLZggvD4wp76kuj7hEZBsXqj4K7sHlWndAqA&e=,

I've been wanting to do this for a while, but unfortunately an EV code signing certificate is required for this, and they are not cheap. I'll take another look around and see if I can find one affordable, or a CA that offers cheaper rates for open source projects.

Ryan

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_lithnet_ad-2Dpassword-2Dprotection_issues_15-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAMOBT3QLCDTNP3NIJV7O7QTP7UOHPA5CNFSM4IDZESZKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZ7MS3A-23issuecomment-2D511625580&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=UxN6XakhxeD6JV4dDqB1qhohwOgHCEsbupnLiTes1W4&s=qscPEDRsQ-PIfcfvaUaRmY6qfOvtbnwWf3XqxAeFf-k&e=, or mute the thread [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AMOBT3RXXMLX4VCQDBBKM3LP7UOHPANCNFSM4IDZESZA&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=UxN6XakhxeD6JV4dDqB1qhohwOgHCEsbupnLiTes1W4&s=Y2pprKqdCApauB5i3Jn_NUvclEzDO2_knE8Kqe-zOjQ&e=.


NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Blue Cross of Idaho, 3000 E. Pine Ave, Meridian, ID 83642


This Message Was Secured With The BCI PPS Email System

ryannewington commented 5 years ago

Yeah, I found that and just got in contact with them about going through the process to validate Lithnet. I use them for the current code-signing certificate, so hopefully it's a straightforward process to upgrade Lithnet's org verification level to the level required for EV. EV certs require a hardware token though, so provided all goes well, they need to ship that out, and it will take a few weeks.

ryannewington commented 5 years ago

It looks like we should be able to make this happen. We've set up a page to gather donations to help cover the cost of the EV (https://lithnet.io/donate). I'll keep you posted on the progress.

AaronG1234 commented 5 years ago

Thanks so much for considering this... I wrote my own LSA notification filter about a year ago that uses the pwnedpasswords API, but when we moved to LSA protected mode, it wouldn't load.

(BTW, I put in a feature request for allowing api.pwnedpasswords.com as an alternative to downloading the hashes.)


From: Ryan Newington notifications@github.com Sent: Friday, July 19, 2019 10:41:19 PM To: lithnet/ad-password-protection Cc: Aaron Galbraith; Mention Subject: [EXTERNAL] Re: [lithnet/ad-password-protection] Support running LPP in LSA protected mode (#15)

It looks like we should be able to make this happen. We've set up a page to gather donations to help cover the cost of the EV (https://lithnet.io/donate [lithnet.io]https://urldefense.proofpoint.com/v2/url?u=https-3A__lithnet.io_donate&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=HIp9LkEBQYyePOTzoD9CxSLaI0ixPhULLpgjQqsL2-E&s=tMeYV6ln8Yt-6fZsJcpD8Uzz_qWE2BIIMSo72HGbvQY&e=). I'll keep you posted on the progress.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_lithnet_ad-2Dpassword-2Dprotection_issues_15-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAMOBT3W5NBCU2XQXPDTDW7DQAKJO7A5CNFSM4IDZESZKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2NGN3Y-23issuecomment-2D513435375&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=HIp9LkEBQYyePOTzoD9CxSLaI0ixPhULLpgjQqsL2-E&s=br0xx8W4iMZ32EgjVl_XCFyhFfSNXTaHBCse4O08BFI&e=, or mute the thread [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AMOBT3Q2ZQPOT4HXO3JIXFLQAKJO7ANCNFSM4IDZESZA&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=HIp9LkEBQYyePOTzoD9CxSLaI0ixPhULLpgjQqsL2-E&s=qjoeSH23S39kopEjhfClhvvCOXSD1QxC3oaJRG51Gus&e=.


NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Blue Cross of Idaho, 3000 E. Pine Ave, Meridian, ID 83642


This Message Was Secured With The BCI PPS Email System

ryannewington commented 5 years ago

@AaronG1234 we were able to raise the money, thanks to some generous donations, including yours. Thank you for your contribution.

Re: the feature request, that's a good idea, I can look to add that in. Do you mind raising a new issue for it?

AaronG1234 commented 5 years ago

I did already. (Also, I have code for it; however, it is a really fundamental idea, and as I look at your source code I don't think you need much 'splaining... and I am not a C programmer by heart... because I hate how convoluted strings are in C... but don't tell anyone.)


From: Ryan Newington notifications@github.com Sent: Saturday, July 20, 2019 6:19:28 PM To: lithnet/ad-password-protection ad-password-protection@noreply.github.com Cc: Aaron Galbraith Aaron.Galbraith@bcidaho.com; Mention mention@noreply.github.com Subject: [EXTERNAL] Re: [lithnet/ad-password-protection] Support running LPP in LSA protected mode (#15)

@AaronG1234 [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_AaronG1234&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=5IpBGLxaGufzsajElwB3Y8bIgRUMnFCr8P5KT00M3mU&s=bhO29ZsxrIrNaa9Epcg4FZx4j6DXJzoTU03bAURxSiw&e= we were able to raise the money, thanks to some generous donations, including yours. Thankyou for your contribution.

re: the feature request, that's a good idea, i can look to add that in. Do you mind raising a new issue for it?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_lithnet_ad-2Dpassword-2Dprotection_issues_15-3Femail-5Fsource-3Dnotifications-26email-5Ftoken-3DAMOBT3RQXIDVIXGLDEJSSUDQAOTRBA5CNFSM4IDZESZKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2NYJVY-23issuecomment-2D513508567&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=5IpBGLxaGufzsajElwB3Y8bIgRUMnFCr8P5KT00M3mU&s=CzOCCs_gwI8DGhNR48uRxO5jToZ-r4nafeLbGvK6CCs&e=, or mute the thread [github.com]https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_AMOBT3XKCXHICSSUZRIOE6TQAOTRBANCNFSM4IDZESZA&d=DwMCaQ&c=NdSJ4ILlWpqW3-KBBqEbZ68qQuJ1JYIOBIexwqzU-qw&r=Bop6lasCjn56jGDBTK-Rq4LAOW2D5E0U-xXgZ9_Cj8A&m=5IpBGLxaGufzsajElwB3Y8bIgRUMnFCr8P5KT00M3mU&s=mvJV7-GpDIJUZlrkkt0jTgqy7uvGeXwnJem2ydMELYc&e=.


NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Blue Cross of Idaho, 3000 E. Pine Ave, Meridian, ID 83642


This Message Was Secured With The BCI PPS Email System

ryannewington commented 5 years ago

Maybe it didn't save? Have created a new one for you to follow for updates.

https://github.com/lithnet/ad-password-protection/issues/18#issuecomment-513535147

Code is linked in the comment if you want to have a look over it. If there are any gotchas you learnt from your own implementation that I should be aware of, do let me know.

We'll keep this thread on the LSA protection support feature now.

ryannewington commented 5 years ago

First build with the MS-signed binary is up!

https://github.com/lithnet/ad-password-protection/releases/tag/v1.0.7143