Readme: Features Introduced in Reflection for Secure IT Windows Server 6.1
Technical Note 1898
Last Reviewed 23-Aug-2006
Applies To
Reflection for Secure IT Windows Server version 6.1
Summary
This document lists the features introduced in Reflection for Secure IT Windows Server version 6.1. It also includes supported platforms, known issues and provides information for obtaining this Reflection SSH product.
Note: Reflection for Secure IT version 7.0 is available beginning in February 2008. For a list of new features in 7.0, see Technical Note 2273. For information about purchasing Reflection for Secure IT, please e-mail us: SalesRecept@attachmate.com.
Features Introduced in Version 6.1
The following new features are available in Reflection for Secure IT Windows Server version 6.1.
- Support for domain accounts with the RSA SecurID and User Public Key authentication is now available on Windows 2000 Server.
- A new Domain Access pane provides settings to support Windows domain authentication using public keys (including certificates) or SecurID.
- A new password caching setting is available in the Domain Access pane. This feature provides access to network resources to users who connect to the SSH server with domain accounts, and authenticate using public keys (including certificates) or SecurID.
- The ssh-certtool.exe utility now supports creating PKCS#12 packages as well as PKCS#10 certificate requests.
- Support for multiple PKI Configurations is now available. Use the Certificates pane.
- Support for global groups is now available. Use the Group Restrictions pane.
Supported Platforms in Version 6.1
For information about platform support in Reflection for Secure IT, see Technical Note 1944.
Security Updates
Reflection for Secure IT Windows Server version 6.1 build 21 or higher contains the following security fixes.
- A fix that prevents the possibility of executing specially-crafted and potentially malicious binary files in place of subsystem binaries, such as the sftp subsystem. See Technical Note 1882 for more information.
- A fix for a security vulnerability that results from the behavior of the Windows CreateProcess() and CreateProcessAsUser() APIs when they are called in a certain way. This fix is also included in Reflection for Secure IT Windows Server version 6.0 build 42 or higher. See Technical Note 2112 for more information.
Known Issues
The following known issues exist in Reflection for Secure IT Windows Server version 6.1:
- Microsoft Windows Server 2003 and Microsoft Windows 2000 Server ship with built-in accounts, among them Administrator and Guest. Microsoft has recommended that these accounts be renamed in order to prevent potential hackers from exploiting them. If you are using SSH on a Windows server and have set up public key authentication to work with either Guest or Administrator, then subsequently renamed these accounts, there is potential for a breach of security. A user who was authenticated via public keys to the original Guest or Administrator account will still have access to those accounts and all the privileges that go with them. This is because the server will continue to accept that user's original key, which remains on the system. Two solutions are possible; use the one that works best for you:
Solution A: Change the server configuration using the GUI as follows:
- Add the string 'administrator' (without the quotation marks) to the Deny login for users in User Restrictions.
- Create a subconfiguration entry in the Advanced screen by adding a 'UserSpecificConfig' line to the end of the file, for example:
UserSpecificConfig New-Admin-Name admin.config
- Click the Apply button to notify the running server of the changes.
- Create a file named admin.config in the folder where the server was installed (usually C:\Program Files\F-Secure\ssh server) that contains the following line:
UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"
Notes:
The double backslashes (\\) are required in order for the server to parse the file name correctly.
The file access permissions for the sshd2_config and admin.config files must be set appropriately, so that only members of the Administrators group can access the files.
Solution B: Make the following changes:
- Create a folder in the "Documents and Settings" folder with the renamed user name (in this example: New-Admin-Name) and create a .ssh2 folder there (for example, C:\Documents and Settings\New-Admin-Name\.ssh2).
- Move all public key files and the authorization file to this new folder.
- Set the file protections on these files and folders appropriately.
- Users upgrading from the F-Secure Server for Windows (version 5.2 or version 5.3) on the Windows Server 2003 platform may see an error: "The procedure entry point ssh-random-get-bytes could not be located in the dynamic link library fssh32.dll". Dismiss the error (click OK) and proceed with the install (the next step is a reboot). This error appears because an SSH service is running on the machine. The error message will not appear if you uninstall the earlier version before installing the new version (6.0).
- Users upgrading from the F-Secure Server for Windows version 5.1, (without uninstalling version 5.1 first) will see an F-Secure management icon in the system tray after completing the install. Clicking this icon brings up a management tool that suggests, incorrectly, that the 5.1 product is still installed. Some services pertaining to the 5.1 product may also be running. Neither the icon nor the services affect the operation of the 6.1 product.
- Support for domain accounts with public key or SecurID authentication requires either that the special user Everyone be available on the server or that you have specified an alternate user for Active Directory access. See page 40 for more information. To determine if the special user Everyone is present in your environment, follow these steps:
- Log in using a domain administrator account.
- Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.
- Double click the domain.
- Open the Builtin folder.
- View the properties of Pre-Windows 2000 Compatible Access.
- Click the Members tab.
- Support for Windows domain accounts and host certificate identification requires that the host certificate and Domain Access files all use the same private host key. The two Domain Access files (for Active Directory Access and Password Caching) are encrypted using the private host key file (hostkey). If you use a host certificate to identify your server, the generated certificate must be based on the original private host key file (hostkey); otherwise, public key authentication with domain accounts or access to network resources will fail because the server will try to decrypt the encrypted files with the incorrect private key.
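As an added example (not part of this technical note or the product), a small Python audit that checks whether a server configuration implements Solution A for the renamed Administrator issue above: the original account name is denied, the renamed account has a UserSpecificConfig entry, and that subconfiguration's UserConfigDirectory points at the original .ssh2 folder using the double backslashes the note requires. The DenyUsers keyword, the function names and the sample configuration text are assumptions modeled on the lines shown above.

```python
import re

# Constructed sample text modeled on the Solution A lines in this note (not a real server's files).
SAMPLE_SSHD2_CONFIG = """# DenyUsers is assumed to be the keyword behind the GUI "Deny login for users" field
DenyUsers administrator
UserSpecificConfig New-Admin-Name admin.config
"""
# admin.config is the correct form (double backslashes); bad.config uses the unparseable single form
SAMPLE_SUBCONFIGS = {
    "admin.config": 'UserConfigDirectory "C:\\\\Documents and Settings\\\\administrator\\\\.ssh2"\n',
    "bad.config": 'UserConfigDirectory "C:\\Documents and Settings\\administrator\\.ssh2"\n',
}

def parse_config(text):
    """Split 'Keyword value' lines into (keyword, value) pairs, skipping blanks and comments."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries

def audit_renamed_admin(main_cfg, sub_cfgs, new_admin_name, old_name="administrator"):
    """Return findings for the Solution A mitigation; an empty list means it is in place."""
    findings = []
    entries = parse_config(main_cfg)
    denied = set()
    for key, value in entries:
        if key.lower() == "denyusers":
            denied.update(p.lower() for p in re.split(r"[,\s]+", value) if p)
    if old_name.lower() not in denied:
        findings.append(f"'{old_name}' is not in the deny list")
    sub_file = next((v.partition(" ")[2].strip() for k, v in entries
                     if k.lower() == "userspecificconfig"
                     and v.partition(" ")[0] == new_admin_name), None)
    if sub_file is None:
        return findings + [f"no UserSpecificConfig entry for {new_admin_name}"]
    dirs = [v.strip('"') for k, v in parse_config(sub_cfgs.get(sub_file, ""))
            if k.lower() == "userconfigdirectory"]
    if not dirs:
        return findings + [f"{sub_file} is missing or does not set UserConfigDirectory"]
    if re.search(r"(?<!\\)\\(?!\\)", dirs[0]):
        findings.append("UserConfigDirectory uses single backslashes; the server needs \\\\")
    # Collapse the escaped form so both spellings are compared the same way.
    if not dirs[0].replace("\\\\", "\\").lower().endswith(f"\\{old_name}\\.ssh2"):
        findings.append("UserConfigDirectory does not point at the original account's .ssh2 folder")
    return findings
```
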
Obtaining Your Product Upgrade
If you already obtained your product upgrade, disregard this section.
Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/.
You will be prompted to login and accept the Software License Agreement before you can select and download a file. For more information on using the Download Library web site, see Technical Note 0200.
Related Technical Notes
| Note | Title |
|------|-------|
| 0200 | Using the Attachmate Download Library (FAQ) |
| 1882 | Reflection for Secure IT Server Security Vulnerability Update and Workaround: SFTP Subsystem Server |
| 1904 | Features Introduced in Reflection for Secure IT Windows Server 6.0 |
| 1944 | Supported Platforms in Reflection for Secure IT Client and Server |
| 2112 | Reflection for Secure IT Windows Server Security Vulnerability (iDefense Advisory 11.15.05) |
| 2182 | Reflection for Secure IT Windows Server 6.1 Service Pack 4 (SP4): Fixes and Features |
| 2273 | New Features in Reflection for Secure IT Windows Server 7.0 and Release Notes |