Channel: Security forum

Updates could not be installed KB958869, KB2412687, KB967723, KB948590, KB956802


Hi All,

Please kindly help. I have Windows Server 2003 32 bit. I have a warning from our internal security.

They say one of our servers needs some of the Windows security updates below installed:

  • KB958869,
  • KB2412687,
  • KB967723,
  • KB948590,
  • KB956802

I already updated it on that server; it said it was successfully installed and then I rebooted the server. To make sure the Windows security update was installed properly, I checked the Add or Remove Programs list. I am pretty sure that when I installed the update I had access as administrator.

The problem is I cannot find any of the KBs above in the Add or Remove Programs list, even though I already ticked the "Show updates" check box. After searching for 3 days on Google I still cannot find it. So I decided to try again to install the update and reboot the server, but I still cannot figure it out.

I really need your advice.

Thanks


NDES/SCEP for MDM via SCCM & Intune


We've recently deployed a NDES/SCEP server for certificate distribution via SCCM & Intune.

Can a single NDES server be used to deploy certificates from two templates (for example user and machine certificates)? Or do we need an additional NDES server for each template?

PKI Training and Resources

Any recommendations on advanced PKI training? I've taken the "Designing and Managing a Microsoft Windows Public Key Infrastructure" course; however, it doesn't go into great detail on the many intricacies of PKI (i.e. certificate policies, custom application policies, CTLs, etc.). Any suggestions are appreciated.

AUDITPOL.EXE - User rights assignments needed.


OS: Server 2008R2 Std.

What user rights assignments are required in order to use the following command:

C:\windows\system32>auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Error 0x00000522 occurred:

A required privilege is not held by the client.


DOS Vader

Certificate Store


Team,

Can I have a link for understanding the Certificate Store? The main purpose is to learn which certificate will be published in which store.

In addition, which extension (PFX & CER/CRT) file will be stored in which store?


Regards,

Biswajit

MCTS, MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011




Certificate Trust


I have an environment like below and need to build the CA trust between Prod and Test.

PROD

    Offline Root CA
           |
    Policy CA (Online)
           |
    Issuing CA (Online)

Test

    Root CA (Online)
           |
    Issuing CA (Online)

Need to build CA trust between Prod and Test. What would be the better approach? Is exchanging the CRT and CRLs between both CAs enough? The store is "Trusted Root Certification Authorities".


Regards,

Biswajit

MCTS, MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011

Blog: Script Gallery: LinkedIn:

Note: Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.


Find out previously deleted domain controller computer name from SID


Hi

I recently became suspicious that someone in my company joined a new additional domain controller to my primary DC and, after replication and getting the domain controller partitions, disjoined the new additional DC.

I got this event in my DNS log:

The DNS server was unable to create a resource record for  d630907c-e2f4-41cf-a2c6-adc087f25f46._msdcs.metro.com. in zone metro.com. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

I want to translate the DNS alias SID d630907c-e2f4-41cf-a2c6-adc087f25f46 to a computer name in order to find who did this.

Is there a way to find out the previous DC computer name after it was disconnected or the DC computer account was deleted?

I want to know who did this.

Regards

Revoked Certificate Removal

Hello!

I have a certificate revocation issue that I'm hoping to find some information on.

The backstory: I had a machine signing certificate template that issued certificates to 500+ computers in my environment.  This template was only intended for a much smaller subset of computers, and we have since revoked all of the incorrectly issued certificates.  So far as I can tell, we have our default domain GPO set to automatically delete revoked certificates, but this does not seem to be happening.

On the client machine, I can check the validity of the certificate via certutil, which confirms that the issued certificate is revoked.

My guess as to why the revoked certificates aren't deleted is that the template on the CA was originally set to have a purpose of "Signature and Encryption" which does not allow the "Delete revoked or expired certificates" option to be selected.  I have since changed the purpose to "Signature" only and selected the "Delete revoked..." box, but it has not made a difference.

Any thoughts on how I can get rid of the revoked certificates from my 500+ clients?  If there's a way for certutil to search a machine's certificate store and delete any certificates issued from a specific template, I can deploy that via GPO.  Even better would be a way to force revoked certificates to be deleted.

Thanks for any help!

Tim

Lost all permissions in Windows Server 2012


I installed a new server for a client 3 months ago. The new server runs Windows Server 2012 Standard. Everything was fine until, randomly, I could not open the Chrome icon on the taskbar. The error said the following: "Windows cannot access the specified device, path, or file. You may not have the appropriate permission."

I tried to use the Control Panel but got the same error. I can, however, using the Classic Shell start menu, right-click on Control Panel and click Open to get to it. If I click on Control Panel using the start menu, the little window extends and says "empty". Of note, I uninstalled Classic Shell to no avail.

Trying to run sfc /scannow generates the following error "Windows Resource Protection could not perform the requested operation"

I also cannot open the hosts file, access denied.  I changed ownership and granted all access, still nothing.

In the notification area, the network icon has a red x and says "Connection Status: Unknown" yet internet and network access is uninhibited.

Using the "subinacl /subdirectories c:\*.* /grant=administrator" changed nothing.  

I decided to disable UAC via registry key after which I rebooted and could no longer login.  I received the following error: "The sign-in method you're trying to use isn't allowed.  For more info, contact your network administrator."

In response I attempted to run gpedit and I went to Computer Configuration> Security Settings> Local Policies> User Rights Assignment| and checked the Deny log on locally settings. Only SBS Remote Operators, SBS STS Worker, and Support_38945a0 were listed, none of which are groups that the administrator is a member of.  Also, this led to the discovery that all settings within gpedit are grayed out and cannot be changed.

To fix it, I logged in as another user and removed the administrator from the Domain Power Users group, which fixed the login issue. I am unable to perform Windows updates. There are no viruses or malware detected by Trend Micro, RogueKiller, TDSSKiller, MalwareBytes, or RKill.

CCleaner did not fix it.

PLEASE HELP!!!


Root CA not allowing LDAPs anymore. "Domain controller template using: client authentication, Server Authentication template."

Our Certificate Authority server has suddenly stopped allowing ldaps to bind against our active directory domains.

All certs were valid for data and subject and had been working for several months.  Root CA allows other domain controllers to enrol against it and using ldp.exe we can connect using port 389 and 636 + ssl.  However, if we try to bind, this then fails. Events show Schannel errors, however we have checked the issued certs and they have private keys assigned.

In an attempt to resolve this we removed all Root Certificates, un-enrolled domain controllers and revoked certificates. Re-creating the root certificate and re-enrolling the domain controllers to the domain controller template has not resolved the issue.

Can anyone advise where we might be going wrong?

Many thanks

TFS 2010: Access Denied: Error on Web login page

A Basic Question about brute force key recovery attack

Hello
I am new to the area and trying to learn more about Cryptography.

I have a very basic question, can someone please help me out.

Now I see that the longer the key being used for encryption the better; let's take a 128 bit key used with AES, e.g. 2 to the power of 128.

First question (and sorry if these seem a bit basic):

I assume the actual key is a 128-bit long binary number, e.g. a combination of 128 zeros and ones, is this correct so far?

If so then I presume any of these bits can be set to either a 0 or a 1, which would explain why I have 2 to the power of 128 possible combinations (keys), correct so far?

Now when I watch videos on the subject they always state that the longer the key the longer to crack (everything else being equal).

However, I am thinking of a large box with physical keys and a door lock to a house, say. Now I have a few million keys in my box, one of which fits the lock and the others do not.

I put my hand in and grab a key at random and try it; well, what happens if I just get lucky and it is the second key I try out of the box of millions of keys?

Basically this would mean it did not take me a few 1000 years to find the key but a couple of minutes.

So is it true to say that a longer key does not necessarily mean it will take longer (luck of the draw), but rather you are statistically less likely to get lucky the more keys you have to check? So no matter how long the key you could still get lucky and find the right key within a couple of tries?

Thank you very much
AAnotherUser

AAnotherUser__
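The question above is really about probability, so here is an added worked example (not part of the original post) that puts numbers on the "luck of the draw" intuition. For an n-bit key every bit is independently 0 or 1, giving 2^n equally likely keys; trying k distinct keys at random finds the right one with probability exactly k / 2^n, and the average search takes (2^n + 1) / 2 guesses. The guess rate used for the time estimate is an assumed round number, not a measured benchmark. The small Monte Carlo at the end runs the search on a toy 8-bit key space so the reader can see both outcomes at once: some runs do get lucky within a handful of tries, but the mean settles on the theoretical value.

```python
from fractions import Fraction
import random


def keyspace_size(key_bits: int) -> int:
    """Number of distinct keys of the given length: every bit is 0 or 1."""
    return 1 << key_bits


def p_success_within(key_bits: int, tries: int) -> Fraction:
    """Exact probability that `tries` distinct random guesses include the real key.

    Each untried key is equally likely to be the right one, so after k distinct
    guesses the chance of having hit it is simply k / 2^n (capped at 1).
    """
    n = keyspace_size(key_bits)
    return Fraction(min(tries, n), n)


def expected_tries(key_bits: int) -> Fraction:
    """Average number of guesses before the key is found: (2^n + 1) / 2."""
    n = keyspace_size(key_bits)
    return Fraction(n + 1, 2)


def expected_years(key_bits: int, guesses_per_second: int) -> float:
    """Expected search time in years at an assumed guess rate (a constructed
    figure for illustration, not a benchmark of any real hardware)."""
    seconds = expected_tries(key_bits) / guesses_per_second
    return float(seconds / (365 * 24 * 3600))


def simulate_search(key_bits: int, runs: int, seed: int = 0) -> tuple:
    """Monte Carlo on a toy key space: repeatedly pick a secret key, try keys in
    random order until it turns up, and record how many guesses that took.
    Returns (fewest guesses seen, most guesses seen, mean guesses)."""
    rng = random.Random(seed)
    n = keyspace_size(key_bits)
    counts = []
    for _ in range(runs):
        secret = rng.randrange(n)
        order = list(range(n))
        rng.shuffle(order)              # the attacker's random guessing order
        counts.append(order.index(secret) + 1)
    return min(counts), max(counts), sum(counts) / len(counts)


if __name__ == "__main__":
    for bits in (8, 56, 128):
        print(f"{bits}-bit key: P(found within 2 tries) = {p_success_within(bits, 2)}, "
              f"expected tries = {expected_tries(bits)}")
    # Assumed rate of 10^12 guesses per second (a round constructed number).
    print(f"expected years for a 128-bit key at 1e12 guesses/s: "
          f"{expected_years(128, 10**12):.3e}")
    lo, hi, mean = simulate_search(8, 2000)
    print(f"toy 8-bit search over 2000 runs: min={lo}, max={hi}, "
          f"mean={mean:.1f} (theory {expected_tries(8)})")
```

The point the numbers make: getting lucky is always possible, but the chance of it is k / 2^n, so doubling the key length does not double the attacker's difficulty, it squares the size of the space they have to get lucky in. That is why the expected cost, not the best case, is what security margins are built on.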

Request through http, but I cannot get a Computer certificate


Hello,

From a client I type in my browser: http://dc1/certsrv.

Then I get to a screen where I can choose among these certificates: User, Basic EFS, Administrator....and a few more ; but I don't see "Computer certificate" in that list.

Does anyone know how I could get a Computer certificate from that web site?

As far as I know, one can add entries to that list, but not sure how to do it.

Thanks in advance!


Luis Olías, Systems Technician/Administrator. Sevilla (Spain)


IKEv2 VPN Certificate Problem


We have deployed a Strongswan based IPSec VPN on our premises that uses certificate authentication. It works great with all OSs except Windows. When trying to connect to the VPN we get Error 798: A certificate..... The user certificate contains the Client Authentication EKU and under SAN it has a UPN field.

The VPN is IKEv2 with MOBIKE and we want User authentication, not machine authentication (we use EAP-TLS).

The CA runs Hardened Gentoo with OpenSSL 1.0.0e

I have included a link to my certificate (public part only)

it's at rghost(dot)net(slash)56905698



Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication


Lately, we have been going back and forth with the thought of doing certificate authentication for Wi-Fi and port. We have Server 2012 PKI and CA and it seems fairly straightforward to pump out a certificate to a user and have them authenticate with their certificate to a RADIUS/NPS. However, every time I mention our thoughts to consultants or others they seem to cringe, saying that they've seen this deployment cripple networks.

We have almost 50 branch retail locations (with hub-spoke topology - all have VPN tunnels to corporate and also a disaster recovery location) and their internet isn't always super stable and they absolutely need to have network access at all times because they are running Point Of Sale. Right now, if their internet fails, they can remain functional because we have the necessary pieces at all locations to keep a Windows network going but I'm afraid that if we force 802.1x certificate authentication for the switch ports and Wi-Fi that if their internet goes down, they won't be able to authenticate since the authentication server will be at corporate. I am curious as to how people deal with:

1. Fail over to a disaster recovery authentication server if Corporate connection goes down

and:

2. If internet fails locally and can no longer communicate with any authentication server. Is there some sort of scale-out? It seems complicated since (if I'm not mistaken) it needs access to the CRL to validate certificates and also a Network Policy Server for the authentication and so on.

What we're really trying to accomplish is to prevent people from bringing in a laptop or device with an Ethernet port and removing an existing device and plugging into the port in its place. MAC filtering doesn't seem like a good solution on a large scale, nor a super secure option so it seemed like 802.1x certificate seemed to be the most flexible without having to go full NAP/NAC. Anyhow, sorry for the lengthy post and I really appreciate your time in advance!


You do not have sufficient permissions to enroll with SCEP

I'd like to allow "power" users on our network team to obtain certs for routers, switches, WAPs, etc. I've added these accounts to the local IIS_IUSRS group on the CA with the NDES role services, but they receive the "You do not have sufficient permissions to enroll with SCEP" message when they browse the /certsrv/mscep_admin page. What am I missing? Permissions in the CA, on the RA certs, or IIS?

This security ID may not be assigned as the owner of this object


I want to set owner for the file and I get the following error.

This security ID may not be assigned as the owner of this object

List of all the certificates on smart card

I have a smart card with three recorded certificates for the same user to log in by card. One of these certificates is revoked, and the two others are good. I have a domain policy set to read all certificates from the card:

Allow time invalid certificates
Filter duplicate logon certificates
Force the reading of all certificates from the smart card

Despite these settings, I am not shown the list of certificates to choose from. What else do I need to set so that the list appears? Currently, by default, it tries to log on with the revoked certificate.

ADFS 3.0 - to - ADFS 3.0 Redirection for claims-based authentication


Hi,

I have the following environments(s):

- Users in DomainX - let's call a single user "UserInX"
- ADFS 3.0 (WinServer 2012 R2) using ActiveDirectory for credentials, also in DomainX - call this "AdfsX"
- MVC Website in Domain Y - "WebY"
- ADFS 3.0 (WinServer 2012 R2) in DomainY - "AdfsY"

Essentially, UserInX needs access to WebY.

I'd like to set up a federated claims-based single-sign-on authentication model, using AdfsX to [authenticate UserInX and] pass claims to AdfsY, which should trust AdfsX (pre-defined) and allow UserInX to proceed to WebY.

So, effectively:

1. UserInX hits WebY (without creds)
2. WebY redirects to AdfsY for authentication-decision
3. AdfsY knows that this user should be redirected to AdfsX for authentication and AdfsX presents a login page (or simply already knows UserInX, because he/she is logged-into said DomainX)
4. AdfsX redirects back to AdfsY with valid claims token
5. AdfsY redirects UserInX to WebY (who allows access because they trust the claims-token).
6. UserInX gets access to WebY

I have half of this setup working just fine, using *only* WebY and AdfsY, authenticating UserInX against AdfsY's ActiveDirectory (effectively skipping steps #3 and #4), so I'm pretty sure the web.config et al in WebY is all fine (ie setup properly, to send unauthenticated users to AdfsY for login).

But I can't seem to properly configure the parts that tell AdfsY to federate/redirect to AdfsX (ie step #3 (and #4) above).

Searching the interwebs, I found the scenario-based tutorial provided on MSDN, at:  http://msdn.microsoft.com/en-us/library/ff359110.aspx

While this scenario is pretty much exactly what I want to replicate, I can't seem to find anywhere that tells me how to physically achieve it. That is, how to set this all up on ADFS 3.0 WinServer 2012 R2. As mentioned, I'm fairly certain WebY shouldn't need any tweaking; it should all be quite straight-forward to setup in AdfsY and AdfsX, no?

Any help would be much appreciated.

Thanks! Tim

account locked out from RD server when no session is open?


Windows 2008R2 DCs, two in one site, one in another

Windows 2008 functional level

I've had two instances in the past week where users, several hours after changing their passwords, had their accounts locked out.  I used LockoutStatus to track down the DC where the event 4740/lockout happened, and then read the calling workstation from there.  In both cases, the user didn't have any active or idle session on the remote desktop server where the lock was being generated.  I checked further with Process Explorer and I couldn't even find any processes running in their user context.

I would unlock the account, and in under a minute, there would be six bad password attempts (our GP setting) and the account would be locked out.  I could repeat this process indefinitely.

In both instances, when I rebooted the RD VM, the issue went away and didn't return.  In one case that was somewhat disruptive as it was an application server.  In the second case it was a domain controller and had no user impact.

I've seen this before when a user has an orphaned RD session idle for months, or with badly behaved applications, but this seeming dissociation from any active user process is really odd.

LockoutStatus always shows the lastPasswordSet timestamp in sync, replication occurs within fifteen minutes, and repadmin shows me both the expected topology and no errors.

I'm at a total loss.  What more can I check for?
