Channel: Security forum

Office 2007 not recognizing code signing certificate from Server 2012


Hello,

My goal is to sign Excel 2007 macros intended for intraoffice use only, by a team of five people. I have tried the Office Tools selfsign.exe certificate, but my coworkers get warnings. So I'm trying to use a Code Signing certificate issued by our local Windows Server 2012. I have found and followed the instructions for doing so (briefly, I have added the local CA to my Trusted Root Certification Authorities, have enabled Code Signing template on the server and allowed enrollment, and then I have requested, received, and installed a Code Signing certificate using the https://servername/certsrv method), and everything appears to have worked. The local CA appears in my Trusted Root Certification Authorities, and the Code Signing certificate appears in my Personal certificates tab, along with the aforementioned Office Tools certificate.

The trouble is that when I try to sign my code in Excel Visual Basic (Tools/Digital Signature), the certificate does not appear as an option to choose from. My only option is the self-signed certificate. If I delete the self-signed certificate, I get a message - part of a message, really - that there are "no certificates that meet the application..." (if there's a way to expand that and see the end of that sentence, I can't find it.)

Is there something wrong with a certificate based on the built-in Code Signing template? Is there a step I've missed to get Excel to recognize it? With so little information, I really don't know where to go from here.


Question about MS14-022 2952166 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution


A recent vulnerability scan of a 2008 R2 ENT SP1 server stated that the server needed this update.  I viewed the programs installed and did not see anything SharePoint or Office Services/Web Apps installed.  However, I went through the folder structure and did find a folder called SharePoint Client Components.  My question is, which one of the updates do I install from the KB article?  There are so many, and I have been unable to determine which one it is.

Thanks

Root and Subordinate CA Windows version

Can I have my root CA server on Windows Server 2012 and its associated subordinate CA server installed on Windows Server 2003 or 2008?

SHA1 and SHA2 using the same Root CA?

We have a brand new Windows 2012 PKI in our environment. We were told by our consultants to build it using SHA1 because there were many applications that would be incompatible with SHA2. Now we find that we also need to issue SHA2 based certificates. Is it possible to build a SHA2 Issuing CA under our current SHA1 Root CA to issue these certs?

NDES - accessing to /certsrv/mscep/ : "You do not have sufficient permission to enroll with SCEP." - Service account too long ? What else ?


Hello,

I installed NDES service as specified in http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx

However, I am getting the "You do not have sufficient permission to enroll with SCEP." error when trying to access the /certsrv/mscep/ or /certsrv/mscep_admin/ URLs.

I verified all account rights and configuration, and all seems to be OK according to the TechNet documentation.

However the name of my service account that I filled during the NDES installation (equivalent of the SCEPsvc account) has 28 characters. I know that for some Windows NT compatibility reasons the SAN is truncated to the first 20 characters.

Could it be the root cause of this error message? Have you already faced this issue?

Thank you community.

Kind regards,

Guillaume

Key Archival Issues


Hi

I have a two-tier PKI hierarchy: a standalone Root CA and an enterprise Issuing CA.

The Root CA has not set a CDP extension in the Issuing CA certificate. However, the Issuing CA sets CDP and OCSP extensions on its certificates.

The Issuing CA registry was configured with:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

because there was no CRL for the Issuing CA.

I wanted to implement a key archival solution.

I was able to enroll a KRA certificate and load the KRA certificate on the CA under Recovery Agents. The Issuing CA has started well and there is no issue in signing other types of certificates.

When I try to issue an EFS certificate with key archival configured in the template, I get the below error:

"The revocation function was unable to check the revocation of the certificate. A certificate request could be created."

Event Viewer Log:

Certificate enrollment for <Domain Name>\Account ID failed to enroll for a <Template Name> certificate with request ID N/A from <CA Host name>\<CA Name> (The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)).

I understand that while archiving the key using the KRA certificate, the CA or the requestor's system validates the KRA certificate, and due to the fact that the Issuing CA has no CRL, this might be the problem.

I wanted to know if there is any workaround to disable this CRL check.

Thanks.

Sans.

D drive appeared?

So the other day I noticed that I have two hard drives on my Windows 7. To be honest I'm not sure if it has always been like this, but I'm pretty sure that I did not create two when I set up the computer. Inside the D: drive there is a folder that I don't have permission to use that is titled "bf32".... with a whole bunch of letters and numbers following. Inside the folder there is "mrt.ex._p" and "mrtstub". I've heard that the applications are malware and I've heard that they're Microsoft's malware protection. I'm not sure either way, but I did a Malwarebytes scan just to be sure and I did have malware in those folders. It's all removed now but I'm still worried. Is this hard drive safe? Any ideas on what I should do?

Costing and Comparison for third party DLP Products with Microsoft AD RMS?


Hello All,

I'm looking for a costing and comparison of third-party DLP products with Microsoft AD RMS. Is there any information available on the MS website?

I need to compare the MS AD RMS product with other third-party products, including the costing and features.

Appreciate your help here.

Umesh


kalanke


Basic Question: 3rd party code signing cert and private keys


Our institution uses a 3rd party CA, and through them I requested a code signing certificate. To do so I simply filled out a web form and then got an email with the certificate. However, after I imported this into my Personal store, I could not export it with the private key until I ran certutil -repairstore my "SerialNumberofCert". From what I gather, this command repairs the private/public key association.

I am very green when it comes to working with certificates—what is the reason for this needing to be done? Is it because the request was not native to Windows? And did I have to run the command on the computer I requested the certificate from?

Cheers,

Bryan
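A diagnostic check that applies to this post and to the Office 2007 code-signing post above, added here as an example rather than anything from either poster: it lists the certificates in the Personal store and reports the three properties that decide whether a certificate is usable for signing, the Code Signing EKU, a bound private key, and a chain that builds to a trusted root. It assumes PowerShell on the enrolling machine and certificates stored in Cert:\CurrentUser\My.

```powershell
# Added example (not from either post): inspect the certificates in the
# current user's Personal store and report the properties that the Office
# "Digital Signature" picker and an export with private key both depend on.
# Assumption: the certificates were enrolled into Cert:\CurrentUser\My.

function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Collect the OIDs from the Enhanced Key Usage extension, if present.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer
        Thumbprint     = $Cert.Thumbprint
        # False means the store holds only the public certificate, i.e. the
        # key association that certutil -repairstore rebuilds is missing.
        HasPrivateKey  = $Cert.HasPrivateKey
        # 1.3.6.1.5.5.7.3.3 is szOID_PKIX_KP_CODE_SIGNING; a template without
        # it yields a certificate that signing dialogs will not offer.
        CodeSigningEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.3')
        # Verify() builds the chain with the default policy, including the
        # revocation check; False points at an untrusted issuer or an
        # unreachable CRL rather than at the certificate's own usage.
        ChainBuilds    = $Cert.Verify()
        Expired        = ($Cert.NotAfter -lt (Get-Date))
    }
}

# Report every certificate in the Personal store so that the ones lacking the
# Code Signing EKU show up as CodeSigningEku = False instead of being hidden.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-CodeSigningCert -Cert $_ } |
    Format-List

# The Cert: provider's own filter returns only certificates carrying the
# Code Signing EKU; an empty result here matches what the signing dialog sees.
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object Subject, Thumbprint, HasPrivateKey
```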

SID S-1-5-18 trying to copy a file - JAVA Service trying to copy files


I have a JAVA.EXE service, an IBM/MAXIMO application server.

The service is running on ServerA and the shared folder is on ServerB.

The service is trying to copy a file from the remote system (ServerB) using a UNC path (it could use a drive letter too), and the file has to be stored on ServerA.

But the result is: "Access Denied"

I've tried to configure SYSTEM, NETWORK, and NETWORK SERVICE in the NTFS permissions, but nothing works. Everyone does not work either.

Procmon states that the local attempt is using the well-known SID S-1-5-18 (SYSTEM, see https://support.microsoft.com/KB/243330?wa=wsignin1.0):

"FAST IO DISALLOWED",""

"OBJECT PATH INVALID","Desired Access: Read Attributes, Dis, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

NetMon shows Access Denied too:

229311:08:16 23/12/20141118.8269458SystemSRV-DTC-137 BRDC1-SRV0024 SMB2SMB2:R  - NT Status: System - Error, Code = (34) STATUS_ACCESS_DENIED  CREATE (0x5) , File=NULL@#2292{SMB2:1648, SMBOverTCP:1645, TCP:1644, IPv4:71}

245411:08:59 23/12/20141161.8779369BRDC1-SRV0024 SRV-DTC-137 SMB2SMB2:R  - NT Status: System - Error, Code = (34) STATUS_ACCESS_DENIED  TREE CONNECT (0x3)  {SMBOverTCP:1708, TCP:1707, IPv4:71}


TLS RSA AES 128 SHA enabling on Windows 2003 SP2


Hello,

On disabling SSL2/SSL3 and using TLS1 for a secure connection, we stumbled on the following issue: the receiving server will only accept the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite. I've searched the web and finally came up with a hotfix, KB Article Number: 948963

However, on examining the files mentioned in this hotfix, I compared these to our current versions:

rsaenh.dll  is version 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)  (lower than hotfix version, so this should not be a problem)

schannel.dll is version 5.2.3790.5462 (srv03_sp2_qfe.141013-1501) (higher than hotfix version)

Now I'm scared to apply the hotfix because of the higher schannel.dll version. Could someone please tell/help me on this:

a. how to get the SSL connection to talk TLS RSA AES 128 SHA without applying the hotfix
OR
b. if applying the hotfix, will it check my current versions, and can I protect my server so that the hotfix will not 'corrupt' the current security provider
OR
c. any other proper solution...

Thanks in advance.

File Permission basics


I'm coming from a different platform and I'm missing some fundamentals.

I have UAC disabled on my Windows 2008R2.

Why am I still getting the UAC "Windows needs your permission to continue" window before trying to change the Owner of a folder?

My user is a member of the Administrators group.

Thanks


File Permissions and Administrator


This is what I did on my Windows 2008 R2:

1. Logged in as Administrator (UAC is disabled for the test's sake)

2. Select a folder

3. Edit Advanced Permissions

4. Uncheck "Include inheritable permissions" and click on the Remove button to remove inheritable permissions

5. Got a message "No one will be able to access the folder except for the owner". At this point I thought that Administrator should still have access and "no one" doesn't apply to me :)

6. After answering OK, I lost all control over the permissions window and got an "Access denied" message. The only option was to take ownership and put back Administrator with Full Control.

Is there a Linux root equivalent in Windows that can have access to a file without being granted Full Control?

If not, is the only option to administer files in Windows to give Administrator Full Control to ALL files (I'm excluding the take-ownership option as not practical)?

Thanks.

Is there a Way we can disable CRL checking on particular client Cert ?


Hi ALL,

I have a machine which is non-domain-joined, and I have a client cert which has CDP and AIA pointer information. When I put this cert on the non-domain-joined machine, it tries to do CRL checking and fails.

So what are my options here?


Puneet Singh

Cross Certification steps for Issuing CA by 2 Root CA's


Hi All ,

I have 2 Root CAs (Root-CA-A and Root-CA-B) and I have an Issuing CA (Issuing-CA-X). When I did the setup of my PKI I got my Issuing CA (Issuing-CA-X) signed by Root-CA-A, and now, after running Issuing-CA-X for a few years, I have a requirement of getting Issuing-CA-X signed by Root-CA-B.

So can someone tell me the steps which I should follow to achieve the above task?


Puneet Singh


Some settings are managed by your system administrator

In Internet Explorer 7, the Security tab of the Internet Options dialog box displays the following message to indicate that settings are managed by the system administrator:

Some settings are managed by your system administrator

I am the system administrator but don't know how to remove this message "Some settings are managed by your system administrator". Can someone teach me?

pki setup in child domain


Details:

Trying to implement a PKI infrastructure in a server 2003 functional level child domain. Parent domain is overseas.

The root CA is Server 2012 R2 and the subordinate CA is 2012 R2. Both are currently joined to the child domain.

I am not an enterprise admin, so I cannot install the CAs as enterprise CAs. I'm trying to set up stand-alone CAs.

Problem:

The setup for the root CA runs smoothly until I try to publish the certificates using certutil -dspublish. It is trying to publish the certificates to the root domain instead of the child domain. I cannot find a command switch to specify the domain I want to publish the certificates to.

Please let me know if you need more information about the setup.

Certificate Request Wizard Cannot Start


I had an issuing root CA hosted by a WS03/DC within our WS'03 schema domain. It was limited. I abandoned that scheme and then installed a new issuing root CA on a member WS'08 R2 Enterprise server. This is a single-tier PKI. Now, the new CA is fine; no errors, and Win7 workstations can Request New Certificates as expected. However, when the existing WS03 R2 DCs try to Request New Certificate, they get the following message:

  The wizard cannot be started because one or more of the following conditions:

  • There are no trusted certificate authorities (CA’s) available.
  • You do not have the permission to request certificates from the CA’s.

    The available CA’s issue certificates for which you do not have permissions.

I found that the CertSvc_DCOM_Access group had been removed from AD, while the member WS08 server had a local Certificate Services group added, as is appropriate for all WS08/CA installations. For grins (to test), I added the CertSvc_DCOM_Access group back to the AD for our domain. It didn't help; I still get the "wizard cannot be started ..." error at the DCs. Any clues would be immensely appreciated!

Thanks,
Glenn


Glenn of xSyLent


Problem with CRL distribution in AD Certification Authority


I am implementing an AD Certification Authority for the purposes of 802.1X secure WLAN. I am using a 2012 R2 domain controller as the CA and a 2008 R2 web server.

Following the steps in this document: http://technet.microsoft.com/en-us/library/cc730811.aspx and other docs linked therein.

Part-way through I had to change the web server being used for distribution of certs and CRLs (for reasons I won't elaborate just now), and doing so seems to have screwed things up.

When I run pkiview.msc on the CA, it shows the cert itself and the AIA location as OK, but the CDP and DeltaCRL locations as in error. The URLs are correct.

In the event log I find Cert Auth Event ID 65 with this text: "Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: file://\\pki.mydomain.com/pki/mydomain-Server01-CA.crl.  The system cannot move the file to a different disk drive. 0x80070011 (WIN32: 17 ERROR_NOT_SAME_DEVICE)."

Running certutil -crl produces a similar error:

PS C:\Windows\system32> certutil -crl
CertUtil: -CRL command FAILED: 0x80070011 (WIN32: 17 ERROR_NOT_SAME_DEVICE)
CertUtil: The system cannot move the file to a different disk drive.
PS C:\Windows\system32>

I am not (to my knowledge) trying to move anything, but presumably under the covers something is being moved.

If I manually copy the .crl and +.crl files from the CA to the web server, the error goes away, but only until the next reboot or redistribution cycle, which is daily.

Anyone know how I can recover from this?


No sig is a good sig

How to request certificate from a non-domain computer


We are using a Windows Server 2008 R2 Enterprise CA to issue web server certificates (SSL). The CA server is a member of an AD domain and online. Now we want to request certificates from computers, such as Windows Server 2008 R2 or Linux servers, which aren't members of the domain.

How can we request certificates automatically and remotely with a script from these Windows servers, for example? Is it possible to use the "Certificate Enrollment Web Service" without the "Certificate Enrollment Policy Web Service"?

Is it possible to use certreq in this scenario?

Thanks for your help.

