Channel: Security forum

After deploying to the server, integrated security works for all users except one


Hi,

I'd like to ask for help. Here is a brief introduction.

I published a web project on a server (named "server-deploy"). It connects to a SQL Server database with a connection string containing "Trusted_Connection=Yes", and the web.config file has <authentication mode="Windows" /> <identity impersonate="true" />.

There are some users for whom "Impersonate a client after authentication" is enabled, and most of them can connect to the database via the deployed project.

But one user gets 'NT AUTHORITY\ANONYMOUS LOGON', and according to Event Viewer (Windows Logs, "Security") on "server-deploy", it shows an "Audit Failure" (the task category is "Credential Validation"). Here is some information:

[ Name]  Microsoft-Windows-Security-Auditing
   EventID 4776

The computer attempted to validate the credentials for an account.

  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName (user)
  Workstation (Workstation)
  Status 0xc0000064

While when other users log in, there is no log entry whose task category is "Credential Validation".

Could anyone do me a favor and help me? Any help is appreciated. Thank you very much in advance :)

Best regards,

Martin


Server Logon and Restricting Windows Explorer


Hello

We have a Server 2008 R2 (32) which is a domain controller. We recently switched from open storage (6 RAID-5 drives in the server) to closed storage (removing the drives) every night. I do not want staff pulling the power on a domain controller every night to remove the drives, so I looked in the GPO at 'Log on locally' and 'Allow shut down'.

This works; however, the temptation is there to 'look around', see what we can see, etc.

Is there a way, either a security setting or a batch file, for staff without admin rights to log onto a server and shut the server down correctly, but not open Windows Explorer?

I am thinking of some way to write a script like "IF logon server = \\DCSERVER then no access browsing", something like that: if you are not an admin and log onto a server, your Windows Explorer rights are limited. I have created a group, so the group name can be used.

Thanks.

ADCS - Root CA domain member?


Hello,

I have installed a Root CA (standalone) and a Sub CA (enterprise) in my company and it is all working well.

But I have just seen that it is not recommended to have the Root CA as a domain member. How can I fix that?

(Is it a real problem ?)

Thank you,

Cannot write to Event Log from asp.net on Windows Server 2012 AZURE VM


I found this post

http://social.technet.microsoft.com/Forums/windowsserver/en-US/986554cf-aca9-448c-8836-3881b5bcf7fa/default-customsd-for-system-application-and-security-log-on-windows-2008?forum=winserversecurity

And tried what was mentioned there but I feel like there's a difference between server 2008 and 2012 because I can't get this to work at all...

I created the event source using PowerShell, so the source exists; I can see it in Event Viewer and in the registry.

I've tried what's suggested in this KB and nothing I do seems to have any effect:

http://support.microsoft.com/kb/2028427/en-us

Here's a list of well-known SIDs; I randomly tried a bunch of them and still there is no effect and I keep getting the same exception:

InvalidOperationException : Cannot open log for source 'XXXXXXXX.Services COM Library"'. You may not have write access.

http://support.microsoft.com/kb/243330/en-us

Here's my code for writing to the source

    using System.Diagnostics;

    // sEvent and entryType were not shown in the original post; placeholder values added here.
    string sSource = "XXXXXXXX.Services COM Library";
    string sLog = "Application";
    string sEvent = "test entry";
    EventLogEntryType entryType = EventLogEntryType.Information;

    var eventLog = new EventLog(sLog);
    eventLog.Source = sSource;
    eventLog.WriteEntry(sEvent, entryType);

I issued the following command against both "system" and "application" to get the value for CustomSD

wevtutil gl system > C:\temp\out.txt

I've tried both of those as the root for the CustomSD value and then I tried appending a few different variations to it to make it work

I tried appending the world ACE (A;;0x3;;;S-1-1-0) and that didn't work.

And then also the SIDs that were indicated for IUSR in that list of common SIDs (http://msdn.microsoft.com/en-us/library/cc980032.aspx).....

This is coming from a COM library that's been registered with REGASM.... I was able to give the COM library access to a directory to write files by giving IUSR permissions, but I can't get it to write to an event source to save my life...

Besides just continuing down the path of trying other random ACL combinations, I'm sort of at a loss as to what to try next...

Also, if anyone has any suggestions of a better way to debug this or (for example) to see the security exception somewhere coming from the ASP.NET application, that would also be helpful.... Changing that registry key, rebooting, and then trying to write to the event source all just seem very arbitrary, so it'd be nice to have something with more substance I can look at for debugging this... I used Process Monitor to watch w3wp.exe reach out to the registry and it's reading the key that's relevant to the source I'm writing to:

HKLM\System\CurrentControlSet\Services\EventLog\Application\XXXXXXXX.Services COM Library

But it's not reading from the CustomSD key so I'm not sure if that's an indicator of anything...

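A CustomSD value is an SDDL string, and the post above tries several ACEs in it without a way to check what a given principal actually ends up with. The following is an added example (not the poster's code) that parses the DACL of a CustomSD string and evaluates the event-log access bits (0x1 read, 0x2 write, 0x4 clear) for a token given as a set of SIDs, so a candidate string can be checked before rebooting. The SDDL string and the two tokens are constructed for illustration; S-1-5-32-568 (IIS_IUSRS) is used as the example worker-process group.

```python
"""Evaluate an event-log CustomSD (SDDL) string: does a principal holding a given
set of SIDs get read (0x1), write (0x2) or clear (0x4) access to the log?
Added example; the SDDL below is constructed, not copied from a real server."""
import re
from typing import Iterable, List, Tuple

READ, WRITE, CLEAR = 0x1, 0x2, 0x4          # event-log specific access bits
# Two-letter SDDL aliases commonly seen in CustomSD strings, mapped to SIDs.
WELL_KNOWN = {
    "SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
    "SO": "S-1-5-32-549", "IU": "S-1-5-4", "SU": "S-1-5-6",
    "WD": "S-1-1-0", "AU": "S-1-5-11", "NS": "S-1-5-20", "LS": "S-1-5-19",
}
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<rights>[^;]*);;;(?P<sid>[^)]+)\)")

def parse_dacl(sddl: str) -> List[Tuple[str, int, str]]:
    """Return [(type, rights_mask, sid)] for each ACE in the D: section."""
    m = re.search(r"D:(?:[A-Z]+)?((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for ace in ACE_RE.finditer(m.group(1)):
        rights = ace["rights"]
        if not rights.lower().startswith("0x"):
            raise ValueError(f"only hex rights masks are handled here, got {rights!r}")
        aces.append((ace["type"], int(rights, 16), WELL_KNOWN.get(ace["sid"], ace["sid"])))
    return aces

def effective_access(sddl: str, principal_sids: Iterable[str]) -> int:
    """Mask the principal ends up with: a deny on a bit overrides any allow of it."""
    sids = set(principal_sids)
    allowed = denied = 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid in sids:
            if ace_type == "D":
                denied |= mask
            else:
                allowed |= mask
    return allowed & ~denied

def can_write(sddl: str, principal_sids: Iterable[str]) -> bool:
    return bool(effective_access(sddl, principal_sids) & WRITE)

# Constructed CustomSD: SYSTEM and Administrators full, interactive/service read+write,
# Event Log Readers read-only. No ACE covers a worker process that is only in IIS_IUSRS.
CONSTRUCTED_SD = ("O:BAG:SYD:(A;;0x7;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x3;;;SU)"
                  "(A;;0x1;;;S-1-5-32-573)")
ADMIN_TOKEN = {"S-1-5-21-0-0-0-1001", "S-1-5-32-544", "S-1-5-4"}   # constructed
IIS_TOKEN = {"S-1-5-21-0-0-0-2001", "S-1-5-32-568"}                # constructed
# Narrower than the world ACE from the post: grant write only to the group that needs it.
NARROW_SD = CONSTRUCTED_SD + "(A;;0x2;;;S-1-5-32-568)"

if __name__ == "__main__":
    print(can_write(CONSTRUCTED_SD, ADMIN_TOKEN), can_write(CONSTRUCTED_SD, IIS_TOKEN))
    print(can_write(NARROW_SD, IIS_TOKEN))
```

If the evaluator says write is granted and the service still throws, the DACL is not the problem and the source's registry key or the token the worker process actually runs with is the next thing to verify.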
Issuing certificates for user and clients from different forest/domain


Hello,

At first I would like to say that I have done some research on this forum and on the Internet overall.

I have an AD forest with ~10 sites all over Europe; DFL and FFL are 2008 R2. Right now we are migrating site by site from the old domain (Samba) to AD.

Lately I have deployed a PKI based on an offline root CA and 2 enterprise CAs acting as a 2-node failover cluster.

Everything in my AD forest is OK, I mean, autoenrollment works perfectly for users and computers from my forest.
Now I need to deploy a certificate (for testing) to one web-based PBX server in the Samba domain; there are no trusts etc. The Samba domain as well as the AD forest are working on the same network, with routable subnets in each site, so there is no problem with connectivity.

What are the possible ways to achieve this goal? I mean, to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?

I have installed and configured the CE Web Service and CE Policy Web Service. Now I have configured enrollment policies on my virtual machine (being part of a different domain), I selected username/password authentication, I am able to request a certificate, I can see all the templates which I should see, but when I try to enroll I get an error:

(translated from my language) A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

My root CA cert is added to Trusted Publishers for the computer and user node as well.

What could be wrong? If you have any ideas or questions, please share or ask. 

Thank you in advance.


NAP Agent - System Health Agent


Hi !

I'm working on a NAP solution and I am looking for information about "third party health agents".

I want to know if it is possible to develop a Health Agent on our own, or if it is reserved for some of Microsoft's partners.

To explain my point: if one of my clients uses a special Linux distribution in his industrial network, is it possible to create a Health Agent which works on this distribution if we use NAP?

I know that some people have already asked about this subject. I found another topic, but the question is a little different here because I'm talking about operating systems.

Thanks.

Using a different subordinate certificate authority template when deploying a sub CA

I would like to extend the validity period of a subordinate CA. The default template SubCA has a validity period of 5 years. I have duplicated this and extended the validity as required. When I install a subordinate I choose to generate a request file. This file defaults to using the SubCA template.

When I try to use certreq to submit it with a different certificate template specified as a request attribute, or use certreq -policy to generate a new request file using an .inf file with the new certificate template specified, I get the error: "The request contains conflicting template information - Denied by policy module."


Thanks

Limiting access to SubOrdinate CA


Thanks in advance for any assistance.

I have a forest with multiple Active Directory domains, one domain for each geographical region I serve plus a root domain. I have a CA in the forest root domain. I have a subordinate CA in one of my regions.

How can I limit usage so that the regional subordinate CA only provides certificate services to that one region and does not issue certificates to other regional domains?

Presently a certificate is occasionally issued to an unintended region from my subordinate CA. It causes issues, because firewalls between my regions and bandwidth availability cause complexities. I want everyone to use the root CA, except that the one region having a subordinate can use the subordinate.

Thanks for your help!

David


just david


Removing 3DES ciphers from SCHANNEL


Hi,

I am trying to remove all SSL cipher suites aside from RC4 in SCHANNEL using the registry keys mentioned in this KB: http://support.microsoft.com/kb/245030/en-us.

After restarting the server, most of the cipher suites are removed aside from RC4 (as needed) and 3DES (TLS_RSA_WITH_3DES_EDE_CBC_SHA).

Any idea why 3DES keeps appearing in SSL scans despite adding this key? It happens both on win2012 and win2008 R2.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000

Thanks,

Oren

Windows 8.1 Certificate Renewal Error on AD CS 2008


Configuration: Windows Server 2008 Enterprise AD CS Root/intermediate, Domain Win 2008 R2, Windows 8.1 and Win 7 clients

When attempting to renew an email encryption certificate using the same key via the MMC in Windows 8.1, I receive the following:

An error occurred while enrolling for a certificate.  A certificate request could not be created.

Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

If I try to renew a certificate from Windows 7 or Windows Server 2008 it works OK.

What has changed with Windows 8.1 and certificates? Do I need to migrate AD CS to 2012 R2 to support Win 8.x clients, or is it a good idea regardless? How may I resolve this issue?

Thanks,

Craig


Problems Certificate Services Windows 2008

I am running a root Enterprise CA by itself on a machine that is not also a domain controller on Windows 2008.  I am getting the following errors:

EventID 87 (CertificationAuthority)
Active Directory Certificate Services could not use the default provider for encryption keys.  Keyset does not exist 0x80090016 (-2146893802)

EventID 86 (CertificationAuthority)
Active Directory Certificate Services could not use the provider specified in the registry for encryption keys.  Keyset does not exist 0x80090016 (-2146893802)

Everything else seems to be working correctly - I'm not sure what effect these errors are having...

I'm also getting errors when I drill down Roles -> AD CS -> Enterprise PKI -> <CAname>:

AIA Location #2    Unable To Download
CDP Location #2   Unable To Download

Last week, I performed an in-place upgrade of the OS hosting my CA from 2003 to 2008 and everything seemed good.  I tried to reduce the lifespan of the certificate from 10 years to 7 years using a CAPolicy.inf and was unsuccessful.  I ended up renewing the root certificate several times in the process; once choosing to generate a new key.  I don't know if any of this has anything to do with it, but I figured I'd mention it.

Thanks in advance for any assistance.

Can't use Certificate Authority console on Subordinate CA to install Root CA certificate - Windows Server 2012 R2


Hi

I am using the following article to set up two-tier Certificate Services on Windows Server 2012 R2.

http://blogs.technet.com/b/yungchou/archive/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2.aspx

The subordinate CA installed successfully with a warning: "Installation is incomplete. To complete the installation use request file to obtain certificate from Parent CA."

I generated a certificate request file, successfully issued a cert for my Subordinate CA from the Root CA, and copied the .p7b certificate file issued by my Root CA to my Subordinate CA Server.

When I try to access the Certificate Authority on my subordinate CA server using MMC or the Certificate Authority admin tool, I get the following error:

Cannot manage Active Directory Certificate Services.
The network path was not found. 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)

If I try to start the CertSvc Windows service I get the following error:

Active Directory Certificate Services did not start: Hierarchical setup is incomplete.  Use the request file in C:\abc.req.req to obtain a certificate for this Certificate Server, and use the Certification Authority administration tool to install the new certificate and complete the installation.

Help!

Domain Users being added to Local Administrator Group with no existing Policy


This may seem strange, but I am having a very strange problem. 

I just inherited an AD 2003 with a single DC.  90% of the client stations are Windows 7.
The problem I have is that the Domain Users Security Group is being added to the Local Administrator Group on client stations. 

I have performed RSOP analysis from client stations, run the Group Policy Results Wizard from the DC on both the client station and the user account, and reviewed all existing GPOs (applied or not) in the entire forest, and see no policy that would cause this.

We're not using any GPOs to configure Restricted Groups.
I've reviewed all startup and logon scripts and found nothing.
I cannot find anything that explains why this is happening.

I've removed Domain Users from the local Admin group manually and restarted the computer, and upon login it is back. This is not with an elevated privilege account. I have been using a test account that has no memberships, nor is it part of any OU besides Users.

If needed I can try to provide a link to the RSOP. And below is an Event Viewer log showing that Domain Users is being added to the local Admin group. From what I can tell, this is being done by the host machine itself? (Client station name is T430-0007)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/25/2014 11:29:18 AM
Event ID:      4732
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A

Computer:      T430-0007.mydomaint.local

Description: A member was added to a security-enabled local group.
Subject:
  Security ID: SYSTEM
  Account Name: T430-0007$
  Account Domain: MYDOMAIN
  Logon ID: 0x3e7
Member:
  Security ID: MYDOMAIN\Domain Users
  Account Name: -
Group:
  Security ID: BUILTIN\Administrators
  Group Name: Administrators
  Group Domain: Builtin
Additional Information:
  Privileges: -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-25T17:29:18.219256000Z" />
    <EventRecordID>1127091</EventRecordID>
    <Correlation />
    <Execution ProcessID="840" ThreadID="944" />
    <Channel>Security</Channel>
    <Computer>T430-0007.mydomaint.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1635982567-534386104-751052348-513</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">T430-0007$</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Any advice would be appreciated.


Thanks!

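The event quoted above carries everything needed to flag this class of change automatically: the target group SID is BUILTIN\Administrators (S-1-5-32-544), the member SID ends in RID 513 (Domain Users), and the subject is SYSTEM acting as the machine account, which points at something running as LocalSystem on the workstation rather than at an interactive user. The following added example (not the poster's code) parses exported 4732 event XML and reports those findings; the sample XML is constructed from the event shown in the post.

```python
"""Flag Security event 4732 entries that add a broad domain group to
BUILTIN\\Administrators. Added example; SAMPLE is constructed from the event
quoted in the forum post, not a live export."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_ADMINS = "S-1-5-32-544"        # BUILTIN\Administrators
LOCAL_SYSTEM = "S-1-5-18"            # NT AUTHORITY\SYSTEM
# Domain-wide RIDs that should never be granted local admin wholesale.
BROAD_RIDS = {"513": "Domain Users", "514": "Domain Guests", "515": "Domain Computers"}

def parse_4732(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the EventData fields (plus Computer) of a 4732 event, or None if not 4732."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4732":
        return None
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS) or "?"
    return fields

def assess(ev: Dict[str, str]) -> List[str]:
    """Findings for one parsed 4732 event; an empty list means nothing of interest."""
    findings: List[str] = []
    if ev.get("TargetSid") != LOCAL_ADMINS:
        return findings
    member_sid = ev.get("MemberSid", "")
    rid = member_sid.rsplit("-", 1)[-1]
    if rid in BROAD_RIDS:
        findings.append(f"{BROAD_RIDS[rid]} ({member_sid}) added to local "
                        f"Administrators on {ev.get('Computer', '?')}")
    # SYSTEM plus the host's own machine account ($) means a process running as
    # LocalSystem on that box made the change (service, scheduled task, management
    # agent), not an interactive user and not a GPO applied by a user logon.
    if ev.get("SubjectUserSid") == LOCAL_SYSTEM and ev.get("SubjectUserName", "").endswith("$"):
        findings.append("change made by LocalSystem on the host itself; "
                        "review services and scheduled tasks on that machine")
    return findings

SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4732</EventID>
    <Computer>T430-0007.mydomaint.local</Computer></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1635982567-534386104-751052348-513</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">T430-0007$</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    for line in assess(parse_4732(SAMPLE) or {}):
        print(line)
```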

Firewall ports


Hi

I have a few DCs; 3 of the 5 also serve CIFS shares.

I have a Windows client in a secure VLAN; I wanted to know what ports I need to allow (W7 client) for authentication.

This KB

http://support.microsoft.com/kb/179442#method3

has port 445... which is CIFS/SMB.

Do I need all of them apart from 445? What about 135???

A

What do Version 2 and Version 3 templates actually mean, and how do we define them in the issuing CA as version 2 or version 3 templates?


What do Version 2 and Version 3 templates actually mean, and how do we define them in the issuing CA as version 2 or version 3 templates?

Is it that the Windows Server 2003 templates are version 2 and the 2008 ones are version 3?



Server computer certificate


Hello,

I have installed a Windows 2012 Standard server called VHOST1 to run Hyper-V. In the Trusted Root Certification Authorities container there was a certificate called VHOST1 which I presume was created during the install of Windows 2012. I have accidentally deleted this certificate.

I have not noticed any issues, but my question is: is this likely to cause a problem, and can I recreate it without reinstalling Windows?

Thanks in advance

regards,

Chris Butler

New PKI Deployment had to re-issue subCA, now I want to clean up AD


OK, so I finally got my 2-tier PKI set up. I ran into a snag where my root CA accepted the certutil setting for publishing the CDP and AIA. Even though it said it changed the AIA, it did not. I had to do it through the GUI.

Anyway, because of this I had to re-issue my enterprise sub CA multiple times. Everything is working now except that I have multiple issuing CAs in AD and in the clients' local store.

I have not issued any client certs with any of the first 3 CAs. How do I safely remove them? Can I just revoke their certs on the offline CA, copy the CRL over and then click remove on the above screenshot? Is there something more to it?

Also, I don't publish the CRL to AD, if that matters.

Thanks.



Configure RADIUS

Security Bulletins for 2012 server


Hi,

We are planning to deploy a new 2012 server, and we also have existing 2000, 2003 & 2008 servers. These servers have been updated with the security bulletins below. Does the fact that fixes for these vulnerabilities are not available for Server 2012 imply that Server 2012 does not have these vulnerabilities?

MS09-048
MS08-001
MS08-020
MS08-037
MS08-036
MS06-033
