Channel: Security forum
Viewing all 12072 articles

Erreur OpenConnection : 0x80070005 -> CCertView::OpenConnection: Access denied. 0x80070005 (WIN32: 5)


Hi,

I am trying to make a webservice work on my ADCS. The aim of the script is to automate revocation of a certificate (the CN of the certificate is given as a parameter).

I am facing the following error when I call my webservice:

Erreur OpenConnection : 0x80070005 -> CCertView::OpenConnection: Access denied. 0x80070005 (WIN32: 5)

My guess is, here is the line that triggers the error:

CertView.OpenConnection( strCAConf )

The script is published through an ASP application in IIS. The application runs with a domain account. It is based on the following method:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa385432%28v=vs.85%29.aspx

Do you know what kind of right and where it needs to be applied in order to make this piece of code work?

Thank you so much.

Regards,

Alexandre



Why do I see this behavior with my cert templates?


Hi,

My Root CA is set to issue Certs with a Validity Period of 1 day.  My Sub Issuing CA is set to issue Certs with a Validity Period of 5 hours.  I have 2 Cert templates which enables client computers to auth to workstations/servers.  Template A has a Validity Period of 5 hours and 1 Hour Renewal whereas Template B has a Validity Period of 2 hours and 0 hours renewal.  My Win 7 can always successfully enroll in Template A, regardless of when I renew my Sub Issuing CA cert, but not with Template B which gives a 'The parameter is incorrect' error.

Why can I only enroll in Template A but not B and what does the 'The parameter is incorrect' error mean?


Thanks for your help! SdeDot

External Source when using DACL (Dynamic Access Control)


I'm investigating the functionality of Dynamic Access Control lists and was wondering if there was a way to query an external source, such as a database as a source for properties, or if the only way is to base the security off properties from the Active Directory only.

I have a database that has a table that associates usernames with customers they manage.  I'd like to use that table to determine if they have access to the customer folder with the same name.

Thanks!

delegating group membership responsibility


Windows Server 2008 R2, sp1

I'm trying to delegate the process of adding/modifying/deleting AD group membership. I used the delegation wizard.

I created a group named "Group Membership Admins" and assigned the object "Group objects" to it. Now in the next part, show permissions, "General" is already ticked. So I selected "Property-specific", or what should I select? I'm not sure what those permissions imply when it comes to adding/removing users to a group, so I'm stuck there.

Appreciate any help.

ADFS needs to authenticate 2 URLs


Dear all,

I have an ADFS Server and have a SAML 2.0 Service installed for Service Now. I need to allow the user to enter this page from 2 different URLs, and it will return a different page.

Is it possible to achieve this with an ADFS relay trust?

Thanks

Jacky

COM error while submitting certificate request


Hello there

I have created a group and assigned Read, Issue and Manage Certificate, Manage CA & Request Certificate permission on the CA. When any member of this group tries to sign a certificate request, the following error occurs.

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode: newreq - New Request

Disposition: (never set)

Disposition message: (none)

Result: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

COM Error Info: CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)

LastStatus: The operation completed successfully. 0x0 (WIN32: 0)

Suggested Cause: This error can occur if the Certification Authority Service has not been started.

During this time, event ID 10016 is logged in the event log:

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{D99E6E73-FC88-11D0-B498-00A0C90312F3}
and APPID
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
to the user <Domain>\<Username> SID (<SID>) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

I have assigned the required permissions to the group on CertSrv Request. Also verified the membership of Certificate Service DCOM Access.

Can you please help me to resolve this?

Thanks

Ranjith

Can't Manage Private Key Permissions


Hi All,

Yesterday I replaced the expired certificates on our ADFS server. That went through fine, but I am unable to set the private key permissions on the signing cert.

It is in the local computer cert store and is all reporting as an OK cert. However, ADFS is not working and I suspect it's because I need to set permissions on the private key.

If I go to manage private keys I get access denied, and if I try to export, I can't export the private key.

Please help!


IT Professional

How to install Windows updates for Windows server 2003 SP2 Manually


Hi All,

We have 10 machines running Windows server 2003 SP2. These machines are ISA servers kept in DMZ.

So these servers do not have internet access by any means. We are receiving non-compliance for not patching them for specific .NET framework patches. We have installed them, but the scanning tool still says they are not installed.

We have planned to check it through Windows Update, but as they are in the DMZ there is no Internet connection and we also cannot push through the WSUS server.

Is there any way we can get the update packages in bulk so we can manually patch them, rather than manually downloading them one by one and installing them?


Gautam.75801


Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness


Dear All

 

I got a report from the security team that I have this weakness on several servers in my domain. What do I have to do here?

 

Thanks

ways an attacker might start malware with a known good service


How would an attacker be able to get malware started at the same time a legitimate, known good service is started? I am consulting on trying to fix a server that has a service starting and, using the tool StealthWatch, we can see that the service is shown as running TCP scans of blocks of network addresses. I have compared the MD5 hash of the service to a known good copy of the same service on another server and they are the same, so I am pretty confident that the service itself is not changed. I see no dependencies for the service. Other testing I have done is using sigcheck.exe to validate that the service is signed, and I also checked the signature of all of the files in the same directory where the service is located.

What techniques have you seen that can be used to run malware along with a legitimate service?


SnoBoy

Windows Domain Controller certificate for non domain clients


Hi,

Is it possible to export the Windows domain certificate and use it for non-domain computers without joining the domain, so that they can communicate with each other without joining the domain controller?

Regards

ADCS Question: Remove both servers and edit registry or renew existing certificates?


Consider the following information:

I just set up a new two tier PKI with Server 2012 R2 configured as a standalone offline Root CA.
There is also a Server 2012 subordinate online Enterprise CA.

I configured the Root CA to have a self signed 10 year period certificate.
The Root CA can issue certificates for a maximum of 3 years.
Root CA has issued one certificate to the subordinate CA.

The Enterprise CA (issuing) is configured to issue certificates for a period of 1 year. It has issued no certificates.

I followed these steps as closely as possible, including placing the certificates in Active Directory. 

Here is my problem! We use HP C7000 enclosures and wanted to issue a certificate to each so we didn't get the browser warning. The requests I can generate are very rigid and only allow for a 10 year period. Because I haven't issued any important certificates from my PKI, does it make more sense to burn it all down, use ADSI Edit and take out the relevant entries, and start again, or should I leave it all the way it is and renew the Root CA with new settings, then renew the Enterprise CA's certificate with new settings?

TLDR: I didn't plan well enough for my PKI. It hasn't issued any important certificates. Should I kill it with fire and start over or just renew the certificate chain with new settings?

security event logs

1. Login, Clear Logs and log off events in Windows 2003: when does this happen and what are the IDs for these events? What is the system login?
2. In the event that an administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?
3. If there is no keyboard monitoring, is there a way to prove from which PC the delete came?
4. Can a scheduled task be set up in advance to delete the security logs at a later point in time in Windows 2003 using utilities like WMI, PowerShell etc.?
5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is this launched?
6. Can the security and system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment if a firewall setting needs to be enabled in Windows 2003.

dhomya

How many certs per machine


Just for clarification, we notice in our CA that in issued certificates there will often be many certs issued for a computer. They have different request numbers and serial numbers, so they are individual certs that are being issued. But we see some computers that have up to 100 active certificates issued for a computer. The computer certs are being successfully pushed out by GP.

So the question is, is this unusual to have so many certs issued per computer? Shouldn't there be only 1 or a couple?

Thanks

Suspicious Windows Registry Changes

Hello, I have stumbled on the topic of detecting and identifying suspicious registry changes in Windows operating systems. How do I know when a registry change is a "suspicious" or a "critical" one? How do I know that it was made through malware or by an individual who normally has no access to the system? What is a recommended approach to conducting Windows Registry analysis and detection? Any help would be appreciated...

Password Settings Object - Password Reminder function?

We've just implemented PSO's for password management because we're in sort of a service provider situation and didn't want to subject all of our customers to our specific password requirements. I've been asked that AD provide a reminder to our staff when their password expiration date approaches. I know this is possible when using a GPO, but can't find any documentation if we can offer this 'service' when using a PSO. Any tips? Thanks! 

Quorum configuration for a CA cluster?


Hi All,

I am configuring a clustered CA environment. I was wondering if anyone had any tips on what the Quorum configuration would normally be like?

Thanks

Why do I see 'Unable to check revocation because the revocation server was offline'?


Hi,

In a lab we've been renewing our Subordinate Issuing CA cert fine for 3 iterations. On the 4th renewal attempt, when I try to perform a 'Certutil -InstallCert Cert(4).crt', I receive the message 'The revocation function was unable to check revocation because the revocation server was offline. 0x80092013'.

Why could I perform a renewal operation successfully up to this point but can't now? What does this message really mean, because no servers are offline?


Thanks for your help! SdeDot

Configuring UNC Hardened Access through Group Policy - KB3000483 - MS15-011

I'm reading through KB3000483 to get an idea of the Group Policy steps needed to fully implement MS15-011. From what I understand, we should configure UNC hardened access through Group Policy by targeting specific servers that have shares we want to protect. Are we talking about all our DCs and their SYSVOL / NETLOGON shares as well as plain old file servers with user home shares, etc?

Orange County District Attorney

Unexpected behavior: NTFS OWNER RIGHTS ACE scope after changing owner


Observed on Server 2008 R2

Expected Behavior: Changing the owner of an NTFS directory does not change the application scope (Applies to...) of its ACEs.

Actual Behavior: On any NTFS directory (D) with an ACE [OWNER RIGHTS / Modify / Apply To All child items], change the owner of (D) to any other owner. Observe that the OWNER RIGHTS ACE scope has changed from "All child items" to "Nothing". On child items that inherit this ACE, its scope will also be "Nothing". Also, the owner on child items is not updated to the new owner of (D) - they retain their previous ownership.


born to learn!
