Channel: Security forum
Viewing all 12072 articles

Certificate key usage in standalone CA


I have a problem with a standalone sub CA.

The certificate must be able to sign Outlook mails, encrypt them and sign Word documents, so in certqtp.inc I've changed the rgAvailReqTypes parameter for my certificate:

rgAvailReqTypes(0,FIELD_OID)="1.3.6.1.4.1.311.10.3.12, 1.3.6.1.5.5.7.3.4, 1.3.6.1.5.5.7.3.2, 1.3.6.1.4.1.311.10.3.4"

After that the key usage field of enrolled certificates changed to "data encryption (20)", but I don't know why. So with this key usage I can sign documents and encrypt mails, but can't sign them (key usage must contain digital signature).

How do I change the key usage field in a standalone CA?


Windows 8.1 Certificate Renewal Error on AD CS 2008


Configuration: Windows Server 2008 Enterprise AD CS Root/intermediate, Domain Win 2008 R2, Windows 8.1 and Win 7 clients

When attempting to renew an email encryption certificate using the same key via the MMC in Windows 8.1, I receive the following:

An error occurred while enrolling for a certificate.  A certificate request could not be created.

Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

If I try to renew a certificate from Windows 7 or Windows Server 2008 it works OK.

What has changed with Windows 8.1 and certificates? Do I need to migrate AD CS to 2012 R2 to support Win 8.x clients, or is it a good idea regardless? How may I resolve this issue?

Thanks,

Craig


Best Antivirus Software


Hello Guys,

I am in an environment that has two servers, and a new one is coming soon.

1. Microsoft Server 2003 R2 Standard edition Service Pack 2 (running SQL Server)

2. Small Business Server 2011 Standard Service Pack 1 (running Exchange and file share)

3. Microsoft Server 2012 (we are planning to get and install this)

I would like to know from everyone's experience what would be the best antivirus program to run on these three servers. One of the major things I am looking for is an antivirus that will protect us but will not slow down our system. I heard that Vipre does a good job. We would also like to be able to manage how the software works.

Any insight or help will be greatly appreciated.

AD CS - Length of the field exceeds maximum length


Hello,

I have an issue when generating a certificate in my local AD CS because I have too many SANs. This is mainly for testing purposes, but it seems that when my SAN field exceeds 8192 (guesstimate, it's around 8000) characters, AD CS won't generate a certificate from my CSR.

So in my scenario I created a CSR which included a list of 500 SANs. The number of SANs I can have depends on the length of the DNS names.

My question is, is there a way to increase the maximum field size?

The exact error message that certreq.exe generates is:

Certificate not issued (Denied) Error Parsing Request  Error 0xc80005e2 (ESE: -1506) The length of the field exceeds the maximum length. 0xc80005e2 (ESE: -1506)

Thanks.

Creating limited admin account


Hello,

We are using Win2008R2 Std Active Directory and I would like to create a new group for new IT starters. They will need access to join computers to the domain, install software on domain computers, look at logs, run maintenance tasks and create accounts and reset passwords. I don't want them to be able to mess with domain admin accounts.

I have created a group "First Line" and made it a member of "Account Operators", "Performance Log Users", "Performance Monitor Users" and "Print Operators". I assigned my test user to the group and logged onto a domain computer using the account. I found that I could reset the domain Administrator's password!

Please could someone explain what I'm obviously misunderstanding here? How can a non-admin change admin passwords? Am I going about this all wrong?

Thanks in advance.

Elliot

Vulnerability issue on Windows Server 2003


Hi,

My name is Senthil R and I am working in KITP as a Regional system.

Kindly help me on the below issue; I am unable to get this KB number (2671387) on the Microsoft website.

Help me to fix the issue.

Error Message : -

MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) (uncredentialed check).

Regards,
Senthil R

Automatic renewal of certificates through CEP / CES.

We currently have a PKI on Windows 2008 R2, and in this case customers use notebooks with Windows 7 SP1.
I have a problem with the automatic renewal of computer certificates through CEP / CES.
The CEP / CES services are installed on the same server; the CA is on another server.
We want to automatically renew computer certificates through the Internet.

These services are configured only for computer certificate renewal, and renewal is allowed to authenticate using a certificate previously issued to the PC.
The first computer certificate is issued automatically through the settings in Group Policy in Active Directory; then, once the computer has its certificate, Local Group Policy is configured on the PC to set the CEP / CES server URL.

I have no problem when I do the renewal through the MMC; the error only occurs when the computer tries to do it automatically.

Error events are:
-
Event ID 68
Certificate enrollment for Local system failed in authentication to policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
(Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))

Event ID 67
Certificate enrollment for Local system failed to load policy from policy servers with ID  {6ADBCC41-F91F-405C-88EC-4FEF12CF7FCF} 
(Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790))

Event ID 6
Automatic Certificate enrollment for Local system failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
-

The documentation used to install CEP / CES is:
http://www.microsoft.com/en-us/download/details.aspx?id=1746

I thank anyone who can guide me with this problem.
Greetings.

How to redirect internal link (OWA, ECP ) from Https to Http in Exchange 2010


Hi,

I have installed Exchange 2010 SP3 in my company. How can I redirect all the queries coming to "HTTPS" to "HTTP"?

I want to open OWA & ECP with HTTP.

Thanks


How do I give full directory access aside from Delete


I have a 2003 R2 File Server.  There is a directory on a file share I need to give a group full rights to excluding deletion.  I have gone into the security tabs for the group, went to advanced permissions, checked allow Full Control, then checked the Deny box next to Delete, Delete subfolders and files, and also Take ownership.  After applying these permissions to that group the group is no longer able to rename files.  The users see an access denied message.

I have also tried to just keep Delete, Delete subfolders and files, and also Take ownership unchecked on the allow column and not check the Deny column but I still have the same result.

What am I doing wrong?  I can't seem to get this to work the way I want it to.



Account Lockout - Reset account lockout counter after


Hi Expert,

Would you know of any disadvantages if we set the Account Lockout Policy "Reset account lockout counter after" to a longer value, e.g. 24 hours or the maximum of 99,999 minutes?

Regards,

Jhun

Domain Users being added to Local Administrator Group with no existing Policy


This may seem strange, but I am having a very strange problem. 

I just inherited an AD 2003 with a single DC.  90% of the client stations are Windows 7.
The problem I have is that the Domain Users Security Group is being added to the Local Administrator Group on client stations. 

I have performed RSOP analysis from client stations. Run Group Policy Results Wizard from the DC, on both the client station and user account, and reviewed all existing GPO's (applied or not) in the entire forest and see no policy that would cause this. 

We're not using any GPOs to configure Restricted Groups.
I've reviewed all startup and logon scripts and found nothing.
I cannot find anything that explains why this is happening.

I've removed Domain Users from the Local Admin group manually and restarted the computer, and upon login it is back. This is not with an elevated privilege account. I have been using a test account that has no memberships, nor is it part of any OU besides Users.

If needed I can try to provide a link to the RSOP. Below is an event viewer log showing that Domain Users is being added to the Local Admin group. From what I can tell, this is being done by the host machine itself? (Client station name is T430-0007)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/25/2014 11:29:18 AM
Event ID:      4732
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A

Computer:      T430-0007.mydomaint.local

Description:A member was added to a security-enabled local group.
Subject:
Security ID:SYSTEM
Account Name: T430-0007$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Member:
Security ID: MYDOMAIN\Domain Users
Account Name: -
Group:
Security ID: BUILTIN\Administrators
Group Name: Administrators
Group Domain: Builtin
Additional Information:
Privileges:-
Event Xml:
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-25T17:29:18.219256000Z" />
    <EventRecordID>1127091</EventRecordID>
    <Correlation />
    <Execution ProcessID="840" ThreadID="944" />
    <Channel>Security</Channel>
    <Computer>T430-0007.mydomaint.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1635982567-534386104-751052348-513</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">T430-0007$</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>

Any advice would be appreciated.


Thanks!
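The 4732 event quoted in the post is exactly what a defender would alert on: a broad domain group (Domain Users always carries RID 513) being added to BUILTIN\Administrators (S-1-5-32-544) by the machine account running as SYSTEM, which points at something executing on the host itself (startup script, scheduled task, service or a GPO client-side extension) rather than an interactive admin. The following is an added example, not code from the original post; it parses Windows event XML and classifies such a 4732, using a constructed sample modelled on the one above.

```python
import xml.etree.ElementTree as ET

# Well-known values: BUILTIN\Administrators, LocalSystem, and the RID that every
# domain's "Domain Users" group carries (S-1-5-21-<domain>-513).
ADMINISTRATORS_SID = "S-1-5-32-544"
LOCAL_SYSTEM_SID = "S-1-5-18"
DOMAIN_USERS_RID = "513"

# Constructed sample, modelled on the 4732 event quoted in the post above.
SAMPLE_4732 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><Computer>T430-0007.mydomaint.local</Computer></System>
  <EventData>
    <Data Name="MemberSid">S-1-5-21-1635982567-534386104-751052348-513</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">T430-0007$</Data>
  </EventData>
</Event>"""


def parse_4732(xml_text):
    """Flatten a 4732 event (real namespaced XML or a pasted snippet without the namespace)."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def q(tag):
        return f"{{{ns}}}{tag}" if ns else tag

    if root.findtext(f"{q('System')}/{q('EventID')}") != "4732":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(q("Data"))}
    data["Computer"] = root.findtext(f"{q('System')}/{q('Computer')}") or ""
    return data


def classify(ev):
    """Reasons a 4732 deserves a look; an empty list means nothing remarkable."""
    reasons = []
    if ev is None or ev.get("TargetSid") != ADMINISTRATORS_SID:
        return reasons
    member = ev.get("MemberSid", "")
    if member.startswith("S-1-5-21-") and member.rsplit("-", 1)[-1] == DOMAIN_USERS_RID:
        reasons.append("Domain Users (RID 513) added to BUILTIN\\Administrators")
    if ev.get("SubjectUserSid") == LOCAL_SYSTEM_SID and ev.get("SubjectUserName", "").endswith("$"):
        # SYSTEM acting under the machine account: something running on the host
        # itself (script, task, service, GPO extension), not an interactive admin.
        reasons.append(f"change made locally as SYSTEM on {ev['Computer']}")
    return reasons


if __name__ == "__main__":
    for reason in classify(parse_4732(SAMPLE_4732)):
        print(reason)
```

Feeding every 4732 from the Security log through `classify` and correlating the hit's timestamp with process creation (4688) or task/service events on the same host narrows down which local mechanism is re-adding the group.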


How does AppLocker classify files?


For example, when a user double-clicks 'actually-a-malicious-exe.txt' - does AppLocker classify by content actions ("Wait a minute, this is trying to launch a process"), or solely by file extension? I've seen SRP catch such deception, but I haven't found anything detailing exactly how AppLocker responds to this scenario.

How does AppLocker evaluate child processes for applications that do NOT specify LOAD_IGNORE_CODE_AUTHZ_LEVEL or SANDBOX_INERT?

Windows Server 2012 R2 Certificate Services - Online Responder DNS Alias


I am setting up a 2012 R2 PKI, going with an offline standalone root with an enterprise issuing CA. This is how I'd like to configure OCSP if possible & supported.

Build an OCSP array. Members will be in different sites: one in each office, one in the data center, and one in the DR data center. They will all be online 24x7. Host names are oscp1.company.com, oscp2.company.com, etc.

I want to create four A records in DNS for OSCP.company.com, one with each host's IP address.

The reason behind this is setting up the AIA extension. If I need to add a new online responder, I don't want to have to re-issue certificates so everyone can use it.

Will this work?

Using code signing certificate results in classnotfoundexception


We are running a certificate authority on Windows 2012. Our programming section developed a Java application on Linux and wanted to code sign it. They created a CSR and sent it to me. I created a duplicate of the built-in code signing template and used it to create a code signing certificate, which I sent back to the programmer. He used the certificate to sign the application jar file, and everything seemed OK. But when we try running the application we get a 'classnotfoundexception' for the main class of the program. Just to be sure it was not a fluke I wrote a small test applet and went through the same procedure of creating a CSR, creating the certificate, and code signing the jar file, and ended up getting the same exact error.

The programmer tried creating a self-signed certificate on Linux and using that to code sign the jar file, and the program runs successfully. Of course there is a warning that the certificate is untrusted, which is why we want to use the Windows-created certificate to sign the application, since the root certificate is on everyone's computer.

Is there anything special that needs to be done to get the Windows-created certificate to successfully sign a Java application?

Installing intermediate CA on foreign devices.


Hello, we are implementing HTTPS decryption and re-encryption on our Ironport web filtering device. I have generated a CSR and had it signed by our CA with the subordinate CA template. Everything works great for devices that trust our root or intermediate CAs.

The question I have is, if I wanted contractors, who are not on our domain and whose devices we have no control over, to install our intermediate CA onto their machines, what kind of risk does this pose, if any?


AD CS Key Recovery Agent problem

Hi,

I currently have a 2008 AD CS setup with an offline root and an enterprise subordinate CA. I am testing out key recovery on the EntCA. I found an article, Certificate Services example implementation: Key archival and recovery (http://technet.microsoft.com/en-us/library/cc781351.aspx), on how to do this. I was following the process and everything works until Task 6, step 3.b. When running certutil -user -recoverkey outputblob keytest.pfx it fails with the following error:
    CertUtil: -RecoverKey command FAILED: 0x8009200c (-2146885620)
    CertUtil: Cannot find the certificate and private key to use for decryption.

While searching the internet for an answer I saw someone who had the exact same problem however no answer was provided.

Does anyone have any ideas how to resolve this, or a checklist or process that works?

Thanks,
Craig

Security Bulletins for 2012 server


Hi,

We are planning to deploy a new 2012 server, and we also have existing 2000, 2003 & 2008 servers. These servers have been updated with the security bulletins below. Does the fact that fixes for these vulnerabilities are not available for Server 2012 imply that Server 2012 does not have these vulnerabilities?

MS09-048
MS08-001
MS08-020
MS08-037
MS08-036
MS06-033

Password reset customization


We are running 2008 R2 Active Directory, staff log in to Windows machines on the domain so we have no issues with password reset settings there.

The issue we have is that we have students logging in from remote sites via a portal that, whilst using AD authentication, does not give students access to AD. The problem I have been asked to solve is this. When a student forgets their password they contact the service desk and request a reset. The service desk have password reset rights BUT they do not have direct access to AD, they use an admin password reset tool on the portal which allows them to reset the users password.

This works as far as it goes, but the issue is we cannot enforce the "reset password at next logon" because the portal does not recognize this, it simply says the password is incorrect and denies access.

I need to be able to find a way to enforce a reset at next logon, or at least within 24 hours. The original request was to disable the account if a reset is not done within 24 hours, though that causes other issues as I am not sure how I can reset the auto disable when the student does a reset.

Has anyone come across this type of requirement before? Is there a magic way to make this happen without having someone check each student account every day to make sure it isn't going to expire? Is there some miracle cmdlet in PowerShell that will let me set this?

If anyone has any ideas I'd love to hear them, I'm hitting a brick wall.

Thanks

CEP & CES Post Installation Error


Hi,
I need some help with this error... I don't find any useful information about this error.
Both CES & CEP give the same error.


Rene Anton

ACTIVE DIRECTORY CERTIFICATE SERVICE


Team,

I am trying to publish my CRL to a web server and I did the following:

-- configured the CA --- installed AD CS correctly

-- created an IIS server and created a virtual directory called certdata

-- on the CA I issued the command below, and restarted AD CS:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.goryeal.com/certdata/%%3%%8%%9.crl"

Note: www.goryeal.com is the FQDN of my IIS server

--- I then published a new CRL on the CA

--- I noticed that the CA only publishes the CRL locally; when I looked in the certdata folder on the IIS server, I did not see any CRL

-- From the CA I can ping the web server by its IP, and I can also access www.goryeal.com/certdata from the browser

Thank you in advance

I wonder if i am missing anything. Any help will be much appreciated

Thank you
