How to verify that SSL v3 is disabled on Windows 2012 servers?

Dear Support,

Due to the SSL v3 issue, we have disabled SSL v3 on our Windows 2012 servers using the link below:

https://technet.microsoft.com/en-us/library/security/3009008.aspx

But how can we verify that SSL v3 was indeed turned off?


Thanks and best regards, Kim Seng. This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
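As an added example (not part of Kim Seng's post or of KB3009008 itself), the PowerShell below performs two independent checks: it reads the SCHANNEL protocol registry values the article has you set, and it tries an SSL 3.0-only handshake against the server's TLS port. The registry path and value names are the documented SChannel ones; the host name and port 443 are assumptions for a local web server.

```powershell
# Added example, not part of the original post. Two independent checks that SSL 3.0 is
# really off after following KB3009008: (1) read the SCHANNEL registry values the article
# has you set, (2) attempt an SSL 3.0-only handshake against the server's TLS port.
# Run in an elevated Windows PowerShell session on the server itself.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports the Enabled / DisabledByDefault values for one protocol and one role.
    param(
        [Parameter(Mandatory)][string]$Protocol,                              # e.g. 'SSL 3.0'
        [Parameter(Mandatory)][ValidateSet('Server','Client')][string]$Role
    )
    $key = Join-Path $SchannelProtocols "$Protocol\$Role"
    $enabled = '(not set)'; $disabledByDefault = '(not set)'
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($null -ne $props.Enabled)           { $enabled = $props.Enabled }
        if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
    }
    # KB3009008 turns the protocol off with Enabled = 0. A missing key or value means the
    # OS default applies, which does NOT prove that SSL 3.0 is disabled.
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        ConfirmedDisabled = ($enabled -is [int] -and $enabled -eq 0)
    }
}

function Test-Ssl3Handshake {
    # Offers SSL 3.0 only. $true means the server completed an SSL 3.0 handshake.
    # Caveat: if the machine you run this from has SSL 3.0 disabled on its Client side,
    # the handshake fails locally and the result is $false whatever the server allows.
    param([string]$ComputerName = 'localhost', [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept any certificate: only the protocol negotiation matters for this test.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]::Ssl3, $false)
        return $true
    } catch {
        return $false
    } finally {
        $tcp.Close()
    }
}

# Registry view for both roles; the Server role is what protects incoming connections.
'Server', 'Client' | ForEach-Object { Get-SchannelProtocolState -Protocol 'SSL 3.0' -Role $_ } | Format-Table -AutoSize

# Live view against the local web server (change the port for other TLS services).
if (Test-Ssl3Handshake -ComputerName 'localhost' -Port 443) {
    Write-Warning 'SSL 3.0 handshake ACCEPTED on port 443: the protocol is still enabled.'
} else {
    Write-Host 'SSL 3.0 handshake refused on port 443 (or nothing is listening there).'
}
```

The registry check confirms the configuration was applied; the handshake check confirms the running SChannel actually rejects the protocol, which is the evidence an auditor usually wants.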


Web Server Cross-Site Scripting Vulnerability

We have a few Windows Server 2003 web servers which have been detected with the above vulnerability. Can someone let us know if there is a patch that can fix this vulnerability?

Thanks

Renewal of device certificates issued by NDES as RA and an Enterprise Root CA

Hi All,

I have searched in the forum, but I did not find any question which exactly addresses the problem I have, even though there are dozens of other questions on renewal.

Intended re-enrollment and renewal policy

In my network, I want to ensure that re-enrollment (enrolling again with the same subject name (full distinguished name)) is not allowed before the renewal interval.

I have configured the renewal interval as 6 weeks before expiry, and have enabled the "Publish certificate in Active Directory" and "Do not re-enroll if a duplicate certificate exists in Active Directory" options.

Current problem:

Even after configuring the template as above, I see that enrollment requests from the client (I have my own C implementation of the SCEP protocol here) are accepted well before the renewal interval. Also, renewal requests using the existing certificate and private key are accepted before the renewal interval. This creates problems in the network, as duplicate certificates are issued and certificates can be renewed before they are supposed to be renewed.

Is this how remote enrollment of devices using NDES works or am I missing any settings?

I can share more details if needed. Any help is much appreciated.

Regards,

Sree

Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

Hello everyone,

Today I am working on a PKI mounted on Red Hat Enterprise Linux Server release 5.5 (Tikanga); it is Easycert 5.2.2.15. We need to know what data we have to provide to the PKI so that it can generate certificates for users in Active Directory, for use with a USB token (ACOS5-64 crypto chip) functioning as a smart card for users to log on to computers.

On the other hand, we also need to know the necessary settings between the third-party PKI and the domain controllers (Windows 2012).

Greetings, and I hope for your response.

TechCach

Vulnerability CVE-2010-3332 and Patch KB2416472 and Conflict with .Net 4.0

MS10-070 (Description of the security update for Microsoft .NET Framework 4, KB2416472) states that the security update NDP40-KB2416472-x64.exe (timestamp Wednesday, September 22, 2010 6:21:53 PM) installs the files listed below:

GDR files

File name                    File version     File size    Date         Time
System.Web.Extensions.dll    4.0.30319.206    1,836,904    22-Sep-2010  12:54
System.Web.dll               4.0.30319.206    5,146,960    22-Sep-2010  13:21
System.Web.dll               4.0.30319.206    5,176,144    22-Sep-2010  12:55

Currently our server has these versions installed:

File Name                    File Version       Date
System.Web.dll               4.0.30319.34237    7/24/2014
System.Web.Extensions.dll    4.0.30319.34237    7/24/2014

Should we install the old version and overwrite the current .NET 4.0? Please explain the effect of the patch.

WakeOnLAN Windows Firewall Configuration for integration with Active Directory

Hello All,

I finally got round to setting up WakeOnLAN for my W7 machines and server across my internal domain network. I have WakeOnLAN freeware that is configured to start up with my Windows Server 2012 R2; this is used for waking up local W7 machines from my server, which I can do by initiating a remote desktop session to the server across the WAN. Sending the WOL commands across my internal network to my local W7 machines is a simple process because I simply open the following ports on the firewall of the machines I need to access:

  • File and Printer Sharing (SMB-In)
  • Windows Firewall Remote Management (RPC)
  • Windows Management Instrumentation (WMI-In)

I don't have to worry too much about the security in this case because I am already on my internal network or logged into my server securely across the WAN.

The thing is, I now need to be able to wake up my main server from an external source should there be an issue such as a power cut; otherwise I have no means of accessing my network, e.g. using a WOL app on my laptop to send the commands to my main server across the WAN when working away.

My Server sits behind a hardware firewall and I then use the server OS firewall too as a second barrier.  If I was to simply forward the ports on my hardware firewall to my server and then open up the above three ports then I could use the WOL app relatively easily...

The thing is, I do not want to leave these ports open to anyone or any computer/remote IP address trying to gain unauthorized access to my server. I have locked down nearly every port on my hardware firewall in order to provide the best possible first line of defence.

Firstly, I tried using an alternative WOL app that supports integration with user accounts, i.e. a domain/AD.

I then tried to configure the above Firewall server ports with rules that should only allow traffic to pass through providing the connection was from an authenticated user, the setup was done with the following screen grabs:

Now, perhaps I'm missing something here, but when I enabled access through the server's Windows Firewall rules for a domain administrator account (and also tried using a normal user account that is a member of Domain Computers), I tried to send the WOL command but got an error message saying something along the lines of 'The RPC server could not be contacted'.

This error was actually present when testing this locally across my network from one W7 machine to another, but I'm sure the issue I experienced is a generic problem and I would get exactly the same problem when doing this remotely, whether I am trying to access a W7 or server machine.

I know the login credentials I used in the WOL app were doing something right, because if I tried using a foreign/unknown user account I would get an unauthorized access message.

Can someone please advise if I am on the right track here or what the issue might be?

Can anyone recommend a good WOL application that is geared more towards using with a domain network for remote secure connections?

Would my idea of applying the above access rules to those three ports actually provide me with a secure solution?

Thanks in advance


Effects of Disabling Null Sessions on Domain Controllers

I have been tasked with finding out what will happen to our domain controllers and the systems that depend on them when we make the change to disable null sessions on our domain controllers. We are disabling them to resolve a security hole discovered by an audit.

Normally, I would just change the registry setting and see what breaks, but I don't have that option now. The reason for the caution is that we noticed that member servers were randomly connecting anonymously to the IPC$ share on the DCs. They wouldn't open any files, they would just open a share session, then disconnect a few seconds later.

What I suspect, but cannot prove, is that member servers occasionally do this to check if the domain is "still there" or something to that effect. If that's the case, it seems like disabling null sessions could cause some problems. If anyone could offer some insight, I would appreciate it.

Thanks.

SK

TLS 1.2 and SHA512

Hello

Recently with all the news about Windows Server 2012 R2 and Windows 8.1 Update KB 2919355 and WSUS problems I discovered that TLS 1.2 in general does not work if just one certificate in the whole certificate chain is signed with SHA512.

The problem is described here: http://www.michaelm.info/blog/?p=1273

Our company's internal Root CA certificate could now be a big problem, as it is RSA 4096 / SHA512.

Does Microsoft intend to support SHA512 with TLS 1.2 in near future?

Editing the registry and adding RSA/SHA512 and ECDSA/SHA512 on all servers and client computers is not an option.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003]
"Functions"
RSA/SHA256
RSA/SHA384
RSA/SHA1
ECDSA/SHA256
ECDSA/SHA384
ECDSA/SHA1
DSA/SHA1

If this is not going to be fixed we will need a new root certificate.


KB2992611 and SChannel internal_error during negotiation

I patched 11 servers (10 Server 2012, 1 2008 R2) without a hitch. The 12th server (2008 R2) accepted the patch, but most browsers and RDP would not connect to the server. The event log was filled with SChannel errors indicating code 80 (internal_error), implying that something was deeply wrong with SChannel:

The following fatal alert was generated: 80. The internal error state is 1250.

and

The following fatal alert was generated: 80. The internal error state is 1051.

Oddly, Internet Explorer on my Windows 8.1 machine was able to negotiate a connection; however, Firefox, Chrome, and Safari failed by indicating the connection was reset (which matched up with the fatal alerts in the event log).

I thought it might be related to mucking around with enabled ciphers for PCI compliance reasons (although most of the other servers I patched had that done and did not have an issue), so I reset SChannel to the default configuration by deleting the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel registry key as documented in KB245030 and rebooting, but this did not resolve the issue.

I also reverted the SSL Cipher Suite Order policy under Local Computer Policy\Computer Configuration\Administrative Templates\Network\SSL Configuration Settings from its Enabled list to "Not Configured" and rebooted, but this did not resolve the issue, either.

I uninstalled the patch, and things started working again. I was able to revert back to the secure ciphers and protocols and return the server to the state it was in before, but I'd like to be up to date. This patch is the only update offered that has not been installed on the server.

Has anyone else experienced this issue with this or another update, or have some tips as to how I might better diagnose the issue? Thank you.

Why do each of the company's Windows Servers have a slightly different list of root CAs?

Hello,

I just noticed two event 4097s come through for CAPI2 in the Application event log. I started poking around and couldn't find any of these events on any other Windows Servers. Apparently two third-party root certificates were auto-updated. When I looked at the list of root CAs in the Certificates console on a few Windows Servers, I noticed that each had a slightly different set of root CAs.

What is the best practice for managing these root CAs in the cert stores of each server? I would like to verify each one and determine why some servers have some root CAs and others don't, such as the root CA for USERTrust with thumbprint "58119f0e128287ea50fdd987456f4f78dcfad6d4". It's on certain servers in our DEV and PROD environments, but weirdly not consistently on servers with a similar function.

What are the scenarios in which the root CA list could be modified?

Thank you.

When I Install the Certificate Authority it creates a certificate with a blank Friendly Name

When I install the Certificate Authority, it creates at install time a certificate with a blank Friendly Name, and this gets picked up by Exchange 2013. I can edit the certificate's Friendly Name, but it does not replicate back to Exchange; either I am editing the wrong version of the certificate or it is stored in more than one place.

Does anybody know why it does this, and where the certificate that is picked up by Exchange would be stored?

Account lockout in Windows Server 2008 R2

Hello Experts,

Please help me with my case.

My domain account is getting locked frequently (every 15 mins it receives a bad password from some process).

Here below you will find the event information from the server which is sending the bad password.

For simplicity's sake I replaced my username and system name with ABC and XYZ respectively.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-23T14:30:00.187792500Z" />
    <EventRecordID>7587683</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="3144" />
    <Channel>Security</Channel>
    <Computer>XYZ</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">XYZ$</Data>
    <Data Name="SubjectDomainName">EMEA</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">ABC</Data>
    <Data Name="TargetDomainName">EMEA</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">4</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">XYZ</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x344</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

I checked all the scheduled tasks (looking into logon type 4) but couldn't find any task which is using my account to execute the job.

Thanks in advance for your help.

Regards,

Ravi.
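An added example, not part of Ravi's post: a PowerShell function that decodes a 4625 event into the fields worth pivoting on when tracing a lockout (logon type, NTSTATUS sub-status, the process ID converted from hex). It is run against a constructed copy of the event above; the Get-WinEvent usage at the end shows how the same function applies to live events on the logging host.

```powershell
# Added example, not part of the original post. Decodes the 4625 fields that matter
# when hunting a lockout source and applies the function to a constructed copy of the
# event above (same ABC / XYZ placeholders). Logon type and NTSTATUS tables are from
# the Windows security auditing documentation.
function ConvertFrom-LogonFailureEvent {
    param([Parameter(Mandatory)][xml]$EventXml)   # XML view of one 4625 event

    # Collapse the <Data Name="..."> elements into a name -> value table.
    $f = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

    $logonTypes = @{ '2'='Interactive'; '3'='Network'; '4'='Batch (scheduled task)'
                     '5'='Service'; '7'='Unlock'; '8'='NetworkCleartext'
                     '9'='NewCredentials (runas /netonly)'; '10'='RemoteInteractive (RDP)'
                     '11'='CachedInteractive' }
    $subStatus = @{ '0xc000006a'='STATUS_WRONG_PASSWORD'; '0xc0000064'='STATUS_NO_SUCH_USER'
                    '0xc0000234'='STATUS_ACCOUNT_LOCKED_OUT'; '0xc0000072'='STATUS_ACCOUNT_DISABLED'
                    '0xc000006f'='STATUS_INVALID_LOGON_HOURS'; '0xc0000070'='STATUS_INVALID_WORKSTATION'
                    '0xc0000071'='STATUS_PASSWORD_EXPIRED'; '0xc0000193'='STATUS_ACCOUNT_EXPIRED' }

    $lt = [string]$f['LogonType']
    $ss = ([string]$f['SubStatus']).ToLower()
    [pscustomobject]@{
        TimeCreated   = $EventXml.Event.System.TimeCreated.SystemTime
        Computer      = $EventXml.Event.System.Computer
        TargetUser    = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
        LogonType     = "$lt = $(if ($logonTypes.ContainsKey($lt)) { $logonTypes[$lt] } else { 'unknown' })"
        SubStatus     = "$ss = $(if ($subStatus.ContainsKey($ss)) { $subStatus[$ss] } else { 'unknown' })"
        ProcessId     = [Convert]::ToInt32($f['ProcessId'], 16)   # hex in the event, decimal in tasklist
        ProcessName   = $f['ProcessName']
        Workstation   = $f['WorkstationName']
        SourceAddress = $f['IpAddress']
    }
}

# Constructed copy of the event in the post (unused fields omitted).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2014-09-23T14:30:00.187792500Z" />
    <Computer>XYZ</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">ABC</Data>
    <Data Name="TargetDomainName">EMEA</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">4</Data>
    <Data Name="WorkstationName">XYZ</Data>
    <Data Name="ProcessId">0x344</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

ConvertFrom-LogonFailureEvent -EventXml $sample | Format-List
# Prints LogonType "4 = Batch (scheduled task)", SubStatus "... = STATUS_WRONG_PASSWORD" and
# ProcessId 836. svchost.exe hosts many services, so match that PID on XYZ with "tasklist /svc"
# while the process is alive; the Task Scheduler (Schedule) service is the usual batch-logon
# source, but a service or COM+ application can produce the same logon type.
# Live use on the logging host:  Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625 } |
#   ForEach-Object { ConvertFrom-LogonFailureEvent ([xml]$_.ToXml()) } | Where-Object { $_.TargetUser -like '*\ABC' }
```

Because the PID changes on every restart of the hosting svchost, correlate it with the event's TimeCreated, or enable process creation auditing (event 4688) on XYZ to see which service host instance was created with that PID.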


WinShock

Hi Everyone,

We have a query regarding WinShock. Is Windows Server 2008 Service Pack 1 affected? What would be the remediation?

PKI: Removing Certificate Templates from old, but still operational, Enterprise CA installation

Hi!

I have a quick question that I can't seem to google an answer to.

We've deployed a new two-tier PKI-installation, which will take over from the currently running PKI (single-tier, all-in-one server, bad stuff...).

My question is: Can I safely remove all the deployed Certificate Templates from AD, and still have all the issued certificates function as they always have?

To clarify further, we are not decommissioning the old PKI yet, as we still have quite a way to go before all the services have been issued certificates from the new infrastructure, so the new and old will run in parallel for now.

But I do want to start fresh when it comes to the templates, as it's just a mess right now.

TL;DR: Any consequence to deleting certificate templates that have issued certificates that are still active/valid, and in use?

Thanks! =)

BitLocker chkdsk error - Server 2008R2

Utilizing internal USB drives on the motherboard, I have been attempting to implement BitLocker on our physical servers. I have tried 6 of them, all HP servers, and all of them give the same error. After encrypting to 99.9% (go figure) it pauses with an error message:

This disk has one or more errors. Run "chkdsk /r". If these errors persist this may be indicative of hardware fault.

I would have assumed after one server that maybe it could have been hardware related... but all 6 seems rather unlikely. I have run chkdsk /r as well as chkdsk /r /b /f, neither of which has solved the issue. We are running hardware RAID on these machines... I cannot find anything definitively stating that BitLocker does not support hardware RAID, though I have seen a few items pointing out that it does not support software RAID...

Any ideas here...? I am at a loss...

The Log I receive: Error Event ID: 24586 Bitlocker-Driver


WinShock (KB2992611) Patch breaks IIS

I've installed the KB2992611 patch on several Windows Server 2012 systems running IIS with PHP, and all of them have stopped serving HTTPS pages altogether. I also have a 2008 SharePoint server where the patch worked.

On the systems affected by this broken patch I initially installed only a single patch, 2992611, which is when things broke. I also tried installing all the other patches, thinking I had missed something, but it was still broken.

My system is running:
Windows 2012 - Fully Patched
IIS - php 5.5.18

Problem:
Attempt to load the page from a client on port 80 - works fine.
Attempt to load the page from a client on port 443 - page fails to load with 'The webpage at https://test.domain.com/ might be temporarily down or it may have moved permanently to a new web address.'

Event Log:
Event ID 36888
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.

Update: More Event Logs
Event ID 36888
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203.

I would appreciate any help in getting this patch fixed since it is an important patch and I don't want to simply uninstall it.



Authentication with PEAP-MSCHAPv2 against IAS Radius in W2003 Server not working after Windows update

We are using MSCHAPv2 under PEAP against an IAS RADIUS server on Windows 2003 Server as the authentication method for Wi-Fi and VPN clients. After last Tuesday's (11/11/2014) update on the Windows 2003 server, the server does not allow Windows clients to connect. Clients show error 87 ("wrong parameter") and the server log shows the EAP type as "unknown", as it seems it does not recognize PEAP. Linux, Mac OS, iOS and Android clients are not affected by the problem.

After removing the KB2992611 patch, everything seems to work OK again. But of course, we are not comfortable with this bypass (in fact, patch removal was not recommended, as it was associated with some others).

It is really strange since Microsoft Security Bulletin MS14-066 does not indicate any functional change, but a vulnerability fix and new cipher suites.

Has anybody experienced the same situation? Any news about a problem with this patch? Does Microsoft know anything about this situation?

Many thanks in advance, Jose.

Certificate is not trusted in website WorldClient

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

in webmail.masmi.com/WorldClient.dll

What can I do?

.NET calls to the Windows cert store

We use an app from our vendor that was written in .NET. At the end of the execution, a final step is performed where a code signing certificate is validated against the local Windows trust store. At this point the app is failing and we get an "unrecognized client detected" error. We are going back and forth with the vendor: they are saying it's our environment and we are saying it's the app. We have the certs needed in the trust store and they are identical to what the client app is signed with. My question is: what does .NET leverage to get the cert validated, and would Windows log this event? Does it maybe call SSPI to validate the cert?

Web Enrollment (certsrv) gives HTTP 500.19

I am attempting to implement an Enterprise CA including web enrollment.  I have installed the role and role services, and the CA appears to function.  However, I receive HTTP error 500.19 when trying to browse the /certsrv virtual directory:

Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0x80070003
Config Error Cannot read configuration file
Config File \\?\C:\Windows\system32\CertSrv\en-US\web.config
Requested URL http://server11.tec.local:80/certsrv
Physical Path C:\Windows\system32\CertSrv\en-US
Logon Method Not yet determined
Logon User Not yet determined

I receive HTTP 500 in all browsers, and the above when browsing localhost/certsrv.  I have researched and made many attempts to fix this, without luck.  I've modified NTFS ACLs on the system32\CertSrv directory and subs, recreated the virtual directory with certutil -vroot, edited application pool settings, all to no avail.  The part that strikes me as an obvious problem is the lack of any web.config file in \en-US, which the error points to.  However, as I said, I have recreated the directory with certutil after clearing out the IIS virtual directory.

The server itself is a domain controller running Server 2008 R2 Enterprise SP1.  It runs DNS and all FSMO roles.  It also runs DHCP, file and print services, RDS Licensing (and Citrix licensing), and AD DS & CS as mentioned.  There is another server in the environment running Server 2003 SP2.  This is the "old" domain controller, which is also a certificate authority.  I am configuring AD CS for the purpose of being able to decommission the old server.  ADCS seems to be otherwise functioning, so I am hoping to avoid removing the role service itself.  

Any thoughts?

(I previously posted this in Directory Services and was told to move it here)
