Channel: Security forum

Vulnerability in Windows Server 2008 R2


Hi,

We are on a secured project, in a disconnected environment with no internet access. During this quarter's vulnerability scan we found 2 vulnerabilities.

1. Vulnerability in SSL 3.0 could allow information disclosure (POODLE)

Workaround done: SSL 2.0 and SSL 3.0 are disabled and TLS 1.0, 1.1, 1.2 have been enabled through group policy.

In the registry, created a DWORD (Enabled) and set it to 0 for SSL 2.0 and SSL 3.0 (both client and server).

Created a DWORD (Enabled) and set its value to 1 for TLS 1.0, 1.1, 1.2 (both client and server).

2. Improperly issued digital certificates could allow spoofing

Installed KB2813430; tried to install KB2677070 (error: not applicable).

Tried installing rvkroots; it shows no sign of installation.

Scan report says: "The remote host has KB2677070 or KB2813430, but the disallowed CTL has not been updated."

Kindly help us fix the issue at the earliest.

Regards,

Shan Madhuran
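The post describes the Schannel registry change (an Enabled DWORD under each protocol's Client and Server subkey) but has no way to confirm the result before the next scan. The script below is an added example, not from the original post: it reads those keys and reports the effective state of each protocol on the local machine. The registry path and value names are the documented Schannel locations; the protocol list and the expectation (SSL 2.0/3.0 disabled, TLS enabled) are assumptions for this example.

```powershell
# Added example (not from the original post): audit Schannel protocol settings.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'   # assumed list

function Get-SchannelProtocolState {
    foreach ($proto in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                    # $null when the value is absent
                $disabledByDefault = $props.DisabledByDefault
            }
            # No explicit Enabled value means Schannel uses the OS default, which on
            # 2008 R2 still leaves SSL 3.0 on; report that as "not set" so it stands out.
            $state = if ($null -eq $enabled) { 'not set (OS default)' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
            # Expected posture for this example: SSL off, TLS on.
            $expected = if ($proto -like 'SSL*') { 'disabled' } else { 'enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
                Compliant         = ($state -eq $expected)
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the scanned host; any row with Compliant = False, or with State "not set", is what a scanner will still flag, and a value written by Group Policy only takes effect after a reboot, so check after the restart rather than straight after gpupdate.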



KRA container - KRA certificate about to expire


Hi All,

I need to know how to renew the KRA certificate on our Enterprise PKI. All KRA certificates are about to expire this year. I need to know how to do it and what the expected impact is on services like NAP, email and RDP.

When exactly does CAPI2 delete automatically an internal root CA (Event ID 4108 - Source CAPI2)


Hi everybody,

We use certificate-based authentication of clients to allow access to the core parts of our IIS web app.

This means we create our own CA certificate and store it, along with the private key, in the Personal certificates of "Local Machine". In "Trusted Root Certification Authorities" we store the same CA, just without a private key.

To known clients we issue certificates that match our CA, so IIS allows them to access our app.

But sometimes - and only sometimes - CAPI2 deletes our root CAs and thus breaks access to IIS. CAPI2 adds entries to the event log like "Successful auto delete of third-party root certificate:...".

We saw this on Server 2008 R2 and Server 2012, but not every time and not on every machine.

We know that we could turn off "Automatic Root Certificates Update Configuration" completely, but that cannot be the solution.

So when does CAPI2 regard a CA as untrustworthy? Is there something we have to change in the certificate, maybe?

Best regards,

Lars Wittenburg

OCSP server primary secondary installation


Hi,

I have 2 CA servers on which OCSP needs to be installed. They already have the CA and web enrollment configured, and NDES will also be installed on them. The client wants OCSP configured on both servers so that if one fails, the second can serve the requests.

Please let me know how the servers should be configured; do I need to have both servers included in the AIA path on both servers?

Also, if OCSP fails, does it fall back to the CRL?

Thanks


Neha Garg

Multiple certificates on Issuing CA server


Hi,

Due to errors, multiple certificates were issued from the Root CA server for the SubCA. Although the old certificate was revoked on the Root, I still see 2 certificates on the Issuing CA. Also, because of the 2 certificates, 2 CRLs are published every time, one for each. When I look at the web server certificate issued for IIS, it was signed by the new certificate of the Issuing CA. Also, in PKIView, I see the CDP path for this CA with the new CRL.

But my question is how I should remove the old one from the Issuing CA, as I am not getting that option. Also, in AD I see 2 certificates published for that CA. Will that cause any issue?

Thanks


Neha Garg

PKI Migration from 2003 to 2012


Hi,

I need to migrate our PKI from a Windows 2003 setup to a 2012 setup. Currently, I have one Root CA (W2003), 2 SubCAs (2003) and one SubCA (2008); the future scenario would be one Root (2012) and two SubCAs (2012). Please let me know how we should proceed with the migration and the key points to look for. I would like to know how to make sure of successful template replication, and also how autoenrolled certificates will be migrated. Please suggest.

Also, since there is no Enterprise edition available in 2012, the Datacenter edition will work for me for the SubCA, right?

Thanks

Restrict access to executable


Hi,

I'm trying to secure and lock down an executable (python) in our Windows domain. What we want to achieve is to add control over which python scripts a user runs. Unfortunately python doesn't jack in to the GPO system. This means that our software restriction policies, which restrict which directories are allowed for execution of scripts and executables, cannot be used. The only restriction that can be set is on the python executable itself, which is more or less just an on/off switch for python.

Our idea is to wrap the python executable in a script/executable that does the script location check for us and then decides if the script can be run. This part of the solution is fairly simple. What is trickier is how to lock down the original executable (python). Since the wrapper executable will be run in the user's context, the user still needs rights to execute the python binary. This allows them to just run python directly, bypassing our security checks.

So, does anyone have any suggestions on how to achieve our goals? To lock down an executable, but to allow that executable to be called from another executable/script?

Event ID 4625 Windows-Security-Auditing


Hi,

One of our servers is getting the following security auditing log with a domain admin account. No one had logged into the system when the event occurred, but we are not sure what triggered LogMeInToolkit.

ID= 4625; Src= Microsoft-Windows-Security-Auditing; User= edman; Catg= 12544; D/T= 01/19/2015 08:53:24; EventDesc= An account failed to log on.
Subject:
Security ID: S-1-5-21-3953983096-1473463722-3626768811-1127
Account Name: admin
Account Domain: SAMPLE
Logon ID: 0x32c13d4e
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
admin
Account Domain: SRV2
Failure Information:
Failure Reason: %#13
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x35f04
Caller Process Name: C:\Program Files (x86)\LogMeIn\x64\LogMeInToolkit.exe
Network Information:
Workstation Name: SRV2
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
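In the event above, Status 0xC000006D is STATUS_LOGON_FAILURE and Sub Status 0xC0000064 is STATUS_NO_SUCH_USER: a process running as SAMPLE\admin (LogMeInToolkit.exe) asked Advapi for an interactive logon as SRV2\admin, an account that does not exist on that machine. The script below is an added example, not from the original post: it pulls recent 4625 events and surfaces the caller process, logon type and decoded sub-status so repeated callers can be grouped and explained. The Data element names are the ones in the 4625 event XML; the sub-status table and the default window are assumptions for this example.

```powershell
# Added example (not from the original post): decode recent 4625 events.
# NTSTATUS sub-status values commonly seen in 4625 (assumed table for this example).
$subStatusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC000006F' = 'logon outside permitted hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC0000193' = 'account expired'
    '0xC0000234' = 'account locked out'
}

function Get-FailedLogon {
    param([int]$MaxEvents = 50, [int]$Days = 1)   # window is an assumption
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            # Map EventData/Data Name -> value so fields can be read by name.
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # The XML carries the sub-status as a hex string; normalise it for lookup.
            $sub = '0x{0:X8}' -f [int64]$d['SubStatus']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Target      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = [int]$d['LogonType']
                Process     = $d['ProcessName']
                Workstation = $d['WorkstationName']
                SourceIP    = $d['IpAddress']
                SubStatus   = $sub
                Reason      = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { 'see NTSTATUS reference' }
            }
        }
}

# Summarise which processes keep failing and why.
Get-FailedLogon -Days 7 -MaxEvents 500 |
    Group-Object Process, Target, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A single process repeatedly failing with "user name does not exist" against a local account name usually points at a stored credential or a configured service account that was typed with the wrong domain, which is the first thing to check in the tool's own settings before treating it as an attack.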


Virus or malware, not sure, but some of the files in the shared folder are corrupted


Hi,

We have Windows 2003 32-bit.

Since yesterday some of the Excel files have the extension .geapoij and are not opening; if a file is renamed to .xls or .xlsx we can see only junk characters.

There is no suspicious software in Control Panel.

How do we get the data back?

Thanks in advance...

Problem with CRL distribution in AD Certification Authority


I am implementing an AD Certification Authority for the purposes of an 802.1X secure WLAN. I am using a 2012 R2 domain controller as the CA and a 2008 R2 web server.

Following the steps in this document: http://technet.microsoft.com/en-us/library/cc730811.aspx and other docs linked therein.

Part-way through I had to change the web server being used for distribution of certs and CRLs (for reasons I won't elaborate just now) and doing so seems to have screwed things up.

When I run pkiview.msc on the CA it shows the cert itself and the AIA location as OK, but the CDP and DeltaCRL locations as in error. The URLs are correct.

In the event log I find Cert Auth Event ID 65 with this text: "Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: file://\\pki.mydomain.com/pki/mydomain-Server01-CA.crl.  The system cannot move the file to a different disk drive. 0x80070011 (WIN32: 17 ERROR_NOT_SAME_DEVICE)."

Running certutil -crl produces a similar error:

PS C:\Windows\system32> certutil -crl
CertUtil: -CRL command FAILED: 0x80070011 (WIN32: 17 ERROR_NOT_SAME_DEVICE)
CertUtil: The system cannot move the file to a different disk drive.
PS C:\Windows\system32>

I am not (to my knowledge) trying to move anything, but presumably under the covers something is being moved.

If I manually copy the CRL and +.crl files from the CA to the web server, the error goes away but only until the next reboot or redistribute cycle - which is daily.

Anyone know how I can recover from this?


No sig is a good sig

Effects of Disabling Null Sessions on Domain Controllers


I have been tasked with finding out what will happen to our domain controllers and the systems that depend on them when we make the change to disable null sessions on our domain controllers. We are disabling them to resolve a security hole discovered by an audit.

Normally, I would just change the registry setting and see what breaks, but I don't have that option now. The reason for the caution is that we noticed that member servers were randomly connecting anonymously to the IPC$ share on the DCs. They wouldn't open any files, they would just open a share session, then disconnect a few seconds later.

What I suspect, but cannot prove, is that member servers occasionally do this to check if the domain is "still there" or something to that effect. If that's the case, it seems like disabling null sessions could cause some problems. If anyone could offer some insight, I would appreciate it.

Thanks.

SK

Prerequisites for Certificate in Digital Signature


Dear Expert,

I have a plan to do digital signatures with PDF files. We will leverage self-signed certificates and public certificates. I have some questions:

1. Does Microsoft have a certificate standard for digital signatures with self-signed and public certificates?

2. How do I set up a self-signed certificate to do digital signatures?

3. How do I set up a public certificate to do digital signatures?

Thank you

Kerberos Encryption Types in 2008/2008R2 - DES methods not available affecting SSO for SAP/J2EE apps

Good Evening,
I have recently stood up a 2008 R2 Domain Controller (and GC). All was running well, but we have found issues with the KDC on this server not issuing tickets for users of a few of our web apps that utilise SSO, namely SAP Portal (J2EE) and Duet (the same).

Both these apps utilise the DES_CBC_MD5 encryption type. The user accounts they run as are configured in AD to "use DES encryption methods". This works absolutely perfectly with our existing 2003 domain controllers; tickets are issued successfully and users are logged on.

Users who authenticate against the new 2008 server, however, do NOT get issued a Kerberos ticket at all. The server logs an event 16, Kerberos-Key-Distribution-Center error, with the following text:

While processing a TGS request for the target server HTTP/sapserver.domain.tld, the account user@DOMAIN.TLD did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 9). The requested etypes were 3 1. The accounts available etypes were 23 -133 -128. Changing or resetting the password of Service Account will generate a proper key.

The requested etypes are the DES methods, DES-CBC-MD5 and DES-CBC-CRC. I do NOT want to try resetting the service account until I have tried everything possible, especially as it appears to be working at the moment.

Capturing network traffic shows the server returning an ETYPE_NOT_SUPPORTED error.

We do have other web apps using SSO with Kerberos tickets that work with no problem against the new 2008 R2 DC; however, these use RC4 encryption methods.

What I have tried:
1. I have enabled these DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security: Configure available encryption types for Kerberos, enabling All but "Future Encryption Types". Rebooted DC, same issue.
2. As per http://support.microsoft.com/default.aspx/kb/961302 I configured the KdcUseRequestedEtypesForTickets key. Restarted server. I was then issued a ticket, but the Ticket Encryption type was RC4, while the key encryption type was DES-CBC-MD5, which meant SSO did not work.
3. Various debugging/extra logging etc, nothing useful beyond the first error.

Does anyone have any ideas or experience with this type of situation? The 2008 DC is currently powered off and holding up our NPS/NAP deployment until I can get this resolved.

Thanks,
-Jeff McLuckie

Recover efs certificate from CA backup


Hi all!

A user encrypted files on his computer. The certificate was lost from the local computer and also from the CA. However, I have a backup of the CA. There are 3 database files: certbkxp.dat, edb00003.log, CA-name.edb. Also there are configuration.reg and CA-name.p12 files. I want to search for the EFS basic certificate (I know the username and thumbprint) and then recover it from there. How do I do that?

Convert Digital Signature in Word to PDF


Dear Expert,

I created a digital signature in Word 2010. Can I convert the Word file to a PDF file and use Adobe PDF Reader to sign the digital signature?

Can we do it?

Thank you


Certificate Authority gurus needed. I need help with CA concepts and Certutil.


Hi, I have been working on the MS Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy, which can be found at the following URL: http://technet.microsoft.com/en-us/library/hh831348.aspx

And, I would appreciate it if someone can help to clarify some points. 

In the section titled (To configure the root CA Settings)

What is this portion of code doing?

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.contoso.com/pki/%3%8.crl"

certutil –setreg CA\CACertPublicationURLs "2:http://www.contoso.com/pki/%1_%3%4.crt"

Question: Is it telling the RootCA that the root certificate should point the user to the following location in order to locate its CRL?

Question: And what do the percentage signs (%) and the other prefixed numbers mean?

In the section (To distribute the root CA certificate)

I take it that I needed to copy over the root.crt, root.crl and add the root.crt to AD for the Subordinate CA to be able to trust the RootCA.

Question : It also says that by publishing the RootCA to AD, that all of the machines in my domain will automatically trust the RootCA. Is that correct?  

In the section (To Configure the AIA and CDP Settings)

Again, here I have to point the cert, or set the location part of the server, to point users to the locations where they can obtain a Sub CA CRL.

In the example they use

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.contoso.com/pki/%3%8.crl"

certutil -setreg CA\CACertPublicationURLs "2:http://www.contoso.com/pki/%1_%3%4.crt\n1:file://\\App1.corp.contoso.com\pki\%1_%3%4.crt"

Question: I presume that the first one is telling them to locate the CRLs in the following location and the second one is telling them they can get a copy of the Root.crt from here.

Question: Again, what do the %, _, and numbers mean?

Finally

Question: How do I automatically get the content of my c:\Windows\system32\certsrv\certenroll\ store to publish to the web location in the document?

In the example they manually copy the published CRLs over to the virtual pki directory. I was wondering if there was a way for them to be sent there automatically once they have been updated.

Thanks
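The two certutil strings quoted above follow one format: each entry is "<flags>:<template>", entries are separated by a literal \n, and the %n tokens are substituted by the CA at publication time. The leading number is a bit mask. For CRLPublicationURLs: 1 = publish CRLs to this location, 2 = include in the CDP extension of issued certificates, 4 = include in CRLs (clients use it to find delta CRLs), 8 = include in all CRLs (the AD publish location), 64 = publish delta CRLs to this location, 128 = include in the IDP extension of issued CRLs. For CACertPublicationURLs: 1 = publish the CA certificate to this location, 2 = include in the AIA extension of issued certificates, 32 = include in the OCSP extension. The tokens are %1 ServerDNSName, %2 ServerShortName, %3 CaName, %4 CertificateName, %6 ConfigDN, %7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, %10 CDPObjectClass, %11 CAObjectClass. The script below is an added example, not from the original post or the TechNet guide: it decodes those strings and expands the templates with sample CA values that are constructed for this example.

```powershell
# Added example (not from the original post or the guide): decode certutil URL entries.
$crlFlags = [ordered]@{
    1   = 'CSURL_SERVERPUBLISH: publish CRLs to this location'
    2   = 'CSURL_ADDTOCERTCDP: include in the CDP extension of issued certificates'
    4   = 'CSURL_ADDTOFRESHESTCRL: include in CRLs (clients find delta CRL locations here)'
    8   = 'CSURL_ADDTOCRLCDP: include in all CRLs (AD publish location)'
    64  = 'CSURL_SERVERPUBLISHDELTA: publish delta CRLs to this location'
    128 = 'CSURL_ADDTOIDP: include in the IDP extension of issued CRLs'
}
$aiaFlags = [ordered]@{
    1  = 'CSURL_SERVERPUBLISH: publish the CA certificate to this location'
    2  = 'CSURL_ADDTOCERTCDP: include in the AIA extension of issued certificates'
    32 = 'CSURL_ADDTOCERTOCSP: include in the OCSP extension of issued certificates'
}
# Substitution tokens; the values are constructed sample data for a fictional CA.
# Two-digit tokens come first so "%1" does not eat the front of "%10"/"%11".
$tokens = [ordered]@{
    '%11' = 'certificationAuthority'                      # CAObjectClass
    '%10' = 'cRLDistributionPoint'                        # CDPObjectClass
    '%1'  = 'ca1.corp.contoso.com'                        # ServerDNSName
    '%2'  = 'CA1'                                         # ServerShortName
    '%3'  = 'Contoso-Root-CA'                             # CaName
    '%4'  = ''                                            # CertificateName: empty for the first CA cert, "(1)" after a renewal
    '%6'  = 'CN=Configuration,DC=corp,DC=contoso,DC=com'  # ConfigDN
    '%7'  = 'Contoso-Root-CA'                             # CATruncatedName
    '%8'  = ''                                            # CRLNameSuffix: empty for the first key, "(1)" after a key renewal
    '%9'  = ''                                            # DeltaCRLAllowed: "+" on delta CRLs, empty on base CRLs
}

function ConvertFrom-CertPublicationUrl {
    param(
        [Parameter(Mandatory)][string]$Value,
        [ValidateSet('CRL', 'AIA')][string]$Kind = 'CRL'
    )
    $flagTable = if ($Kind -eq 'CRL') { $crlFlags } else { $aiaFlags }
    # certutil -setreg separates REG_MULTI_SZ entries with a literal backslash-n.
    foreach ($entry in ($Value -split '\\n')) {
        $flags, $template = $entry -split ':', 2        # split only on the first colon
        $expanded = $template
        foreach ($t in $tokens.Keys) { $expanded = $expanded.Replace($t, $tokens[$t]) }
        $bits = $flagTable.Keys | Where-Object { ([int]$flags -band $_) -ne 0 } | ForEach-Object { $flagTable[$_] }
        [pscustomobject]@{
            Flags    = [int]$flags
            Meaning  = ($bits -join '; ')
            Template = $template
            Example  = $expanded
        }
    }
}

# The exact strings from the guide.
ConvertFrom-CertPublicationUrl -Kind CRL -Value '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://www.contoso.com/pki/%3%8.crl' | Format-List
ConvertFrom-CertPublicationUrl -Kind AIA -Value '2:http://www.contoso.com/pki/%1_%3%4.crt\n1:file://\\App1.corp.contoso.com\pki\%1_%3%4.crt' | Format-List
```

Read against the guide, the CRL string says: write the CRL file into CertEnroll (flag 1), and stamp http://www.contoso.com/pki/<CaName><suffix>.crl into every issued certificate's CDP extension (flag 2); the AIA string says: stamp the http URL into the AIA extension (flag 2) and also copy the CA certificate to the App1 file share (flag 1), which is what makes the web server the place clients fetch it from. On a live CA, certutil -getreg CA\CRLPublicationURLs prints the same flag breakdown.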

Two Factor Authentication on Windows Server 2008 R2


We have a small 2008 R2 Active Directory environment with 2 domain controllers and 13 member servers. We have no additional features such as an RDP gateway or Federation Services - just a plain AD setup. We now have a requirement from our client to have a two factor authentication solution for each time we logon to any server, either using RDP or locally. We only have 4 admins that ever logon to these servers - we do not have any "regular" users.

Is there anything out there that would work in this environment without having to modify our AD (at least nothing major)?

Thanks

Frequent changes to files in Microsoft.NET folder


I am the change management officer at my company and our detection controls are seeing frequent additions and removals of files in C:\Windows\Microsoft.NET such as ngenrootstorelock.dat, ngennicupdatelock.dat, and ngennicupdatelock.dat (just three such examples). As stated above, the change activity has to do with these files being created and later deleted, sometimes multiple times throughout the day.

Since it is frequent and there have been no negative security effects so far I assume these are temporary and benign. However I would like to obtain a better understanding for why this is happening. Ideally I would take this understanding and tune our tool accordingly to ignore these changes.

User decryption e-mail with new certificate

I have a user that has an Exchange mailbox and receives as well as sends encrypted mail. Because the user's name was changed, he received a new card with a certificate, and the mailbox was attached to a new alias with a new username. However, after this change he cannot read (decrypt) old messages encrypted with the old certificate.
How can I get around this problem, or what should be changed in the configuration to be able to see (decrypt) old messages?

How to find out when the local Administrators group was changed


Hi

Is there any way to find out when a user was added to the local Administrators group on a server (2003 to 2012)?
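Membership changes to a local security group are recorded in the Security log only if group-management auditing was on at the time: on 2008 and later as event 4732 (member added) and 4733 (member removed) under "Audit Security Group Management", on 2003 as events 636 and 637 under "Audit account management". If auditing was off, there is no record to recover. The script below is an added example, not from the original post: it queries those events and reports who changed the group, when, and which member was involved. The group name and the 30-day window are assumptions for this example.

```powershell
# Added example (not from the original post): local Administrators membership changes.
function Get-LocalAdminGroupChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30,                          # window is an assumption
        [string]$GroupName = 'Administrators'
    )
    $filter = @{ LogName = 'Security'; Id = 4732, 4733; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # TargetUserName holds the group that was modified; skip other local groups.
            if ($d['TargetUserName'] -ne $GroupName) { return }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = if ($_.Id -eq 4732) { 'added' } else { 'removed' }
                # MemberName is "-" for local accounts; fall back to the SID in that case.
                Member    = if ($d['MemberName'] -ne '-') { $d['MemberName'] } else { $d['MemberSid'] }
                Group     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
}

# Windows Server 2003 has no Get-WinEvent; query the legacy event IDs with Get-EventLog instead.
function Get-LocalAdminGroupChange2003 {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    Get-EventLog -ComputerName $ComputerName -LogName Security -InstanceId 636, 637 -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.Message -match 'Administrators' } |
        Select-Object TimeGenerated, InstanceId, Message
}

Get-LocalAdminGroupChange | Sort-Object Time | Format-Table -AutoSize
```

Where the Security log has already rolled over, the only remaining sources are a log forwarder or SIEM that collected it, or a scheduled snapshot of net localgroup Administrators output if one was ever kept; setting the log size and the audit subcategory now is what makes the question answerable next time.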
