Channel: Security forum
Viewing all 12072 articles

Windows Security Auditing too many logs


By default the Windows Security auditing generates too many logs. Having cleared this log, I already have 71,000 logs for the past seven days.

Where exactly is this auditing configured, because I would like to lower it a bit. I tried all the auditing in the Default Domain and Default Domain Controller Policies but didn't find any audit settings configured. So where do they come from?

Thanks.


SHA1 to SHA256 upgrade


Hi all!

Our current PKI infrastructure is as follows: an offline root CA and 2 subordinate issuing CAs, with all the CA keys stored on a network-attached HSM. All the CAs use SHA1 as the signing algorithm (the current CSP we use to access the HSM supports only SHA1 and MD5). The HSM vendor said there is a new CNG KSP they can provide upon request that supports SHA256. My question is: is there a non-destructive way to upgrade to SHA256 (i.e. without rebuilding the entire PKI infrastructure and re-issuing all the client certificates)? Should I address this post to the HSM vendor only? (I found an article with upgrade instructions for cases where a software CSP is being used: https://technet.microsoft.com/en-us/library/dn771627.aspx)

many thanks,

Arnis

Web Enrollment on separate server


Hello,

I have a 2003 offline stand-alone root CA and an enterprise issuing 2008 R2 CA. My issuing CA has web enrollment support built in.

I have a requirement to:

- Add another 2008 R2 issuing CA with IIS disabled
- Disable IIS on my existing 2008 R2 issuing CA
- Install some new IIS servers for hosting the CDPs\AIAs (and web enrollment roles)

For the new server install, I'll be installing a CA, then choosing to host the web enrollment on another server as here - https://technet.microsoft.com/en-us/library/hh831822.aspx

However, how can I disable web enrollment on my existing CA? Can I just uninstall the web enrollment role on my existing CA and install the role on another server?

Thanks


IT Support/Everything

Bitlocker Network Unlock not working during reboot


Hi there,

I just configured Bitlocker Network unlock and it is working.

As the machines are on different subnets, we use an IP helper, so that we have one server for several subnets.

On my Dell Optiplex machine Network unlock is working fine when I do a shutdown and then a startup.

However, when I do a reboot, it asks me for a bitlocker pin.

If I then power off the machine and power it on again, it still asks me for a PIN.

However, when I wait for the timeout, so that the machine shuts itself down, and power it on afterwards, it does not ask me for a PIN.

What is going on here?

I tested several BIOS settings but that had no effect.


Tsjippy

BitLocker doesn't automatically unlock drives for other members of Local Admins


I have a VMware ESX machine running Windows Server 2012 R2. This means I don't have a TPM available to the machine. I installed BitLocker and encrypted all the drives except for the system drive, and they are set to unlock automatically. When I log in and look, all the drives are unlocked.

The problem is that this is a SQL server and we use an MSA to start the SQL service. When the server boots automatically, the SQL service always fails. The log shows the error "File not found."

Today I had another administrator log in, and when he did the drives were all locked. This other admin, as well as me and the MSA, are all members of the Local Administrators group on the server.

According to https://technet.microsoft.com/en-us/library/hh831507.aspx, "To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local Administrators group is required."

I realize that doesn't say that members can "Automatically Unlock" these drives. I also note on this page that there is an entry that says, "Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked."

However, when I reboot and log in as myself, all the drives unlock. So...I guess I could try to encrypt the system drive, but since this is a VM without a TPM, that is somewhat problematic. I tried to do this before and failed, but I don't remember the reason. I guess I can try again.

My question is, has anyone else run into issues like this? Since the drives automatically unlock when I log in, why are they not doing so when other Local Admins log in?

IPSec Connection Security Rule Through Firewall


Hi All

We have a requirement to secure traffic with IPSec security connection rules from an endpoint that will be on the internet to a reverse proxy IIS ARR server which is on our internal network.

We have created the IPSec rule on the IIS ARR server which states endpoint 1 Any and endpoint 2 - 172.12.30.8 which is the local private IP of the IIS ARR server. However we are a bit confused at how we should configure the IPSec connection security rule on the internet client.

The problem we face is that there is a firewall in-between that will NAT the IP Address of the IIS ARR server as this server has a private IP address. 

My question is:

1. Can we use IPSec in this way, possibly by using IPSec NAT-T? If so, what do we need to do: is it just a matter of allowing UDP port 4500 on the firewall between the endpoints? And what IP address should the security connection rule on the internet endpoint be configured with: should this be the firewall's public IP or the NAT (private) address of the IIS ARR server? I'm assuming this will need to be the private IP?

The other option is to move the IIS ARR server into the DMZ and give it a public IP but we are trying to avoid that if possible

any help would be greatly appreciated.

Thanks

Johny

Migrating NDES off a single 2008 R2 enterprise CA


Hi,

I'm looking at improving my PKI estate and I now need to move the NDES role from a single 2008 R2 enterprise server to 2 web front ends. We're using NDES and SCEP for several thousand devices.

My setup is as follows:

2003 Offline Root (rootca)
2008 R2 Issuing CA (issueca1) - web enrollment and NDES role installed

I need to introduce a new 2008 R2 enterprise issuing CA (issueca2), with 2 new front end servers running the NDES role. I want to do the following:

- Remove NDES from my existing issuingCA (issueca1)
- Install NDES on 2 new front end servers (basically 2 IIS servers with the NDES role installed. These servers will be configured for high availability)

I've found guides on how to install NDES from scratch, but nothing talks about migrating NDES off an enterprise issuing CA, please can someone advise?

Thanks


IT Support/Everything

Use RoboCopy to copy a folder structure template and retain permissions


We have a client that has a Shared Data area they are trying to configure that uses a very convoluted permission structure that requires certain subfolders to have different permissions from their parent folder. Parts of the folder structure they also want to be able to recreate multiple times (use a template). I know that using a simple 'copy/paste' operation kills all the permissions on the 'pasted' copy and causes all folders, subfolders and files to inherit the permissions of the parent folder they are pasted into.

I found an article online that seemed to allow me to do this using Robocopy. The command is: 

robocopy source destination /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE

The only problem with this is that it doesn't 'update' any files that are in the folders. So if a certain user/group had only 'Read' access to files in a certain folder and you use the above command to give them 'Read/Write' within that folder they still only have 'Read' access to existing files even though, when you check their properties, they say they are inheriting from their parent. The only way I found to 'update' the permissions is to 'Save As' the file under a different name (which then has the correct permissions) and then have someone that had 'Delete' permissions to delete the old file so you can then rename the new copy to the proper name.

I'm no Robocopy expert so I'm wondering if there is a switch or something that I can add that would 'refresh' the permissions on the files in the destination to match the new permissions on the folders?


Upgrading a 2003 PKI infrastructure


Hello,

I have a 2 tier PKI consisting of an offline root and a 2008 R2 enterprise issuing CA. Both servers are configured to use SHA1. I have wireless XP clients (some are still SP2) and a couple of hundred 2003 clients.

Given that SHA1 will soon be deprecated, I'd like to use SHA256. I could change the hash algorithm on my 2008 R2 server by using the following command:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256 

But this might break access for the 2003\2008 R2 clients. What I was thinking of doing is starting up a new PKI infrastructure and running the 2 side by side for a period of time so that I can use  a more controlled approach of removing the old clients. 

Any advice appreciated.

Thanks

Disable EFS on Redirected Folders


Hi

We do not use EFS in our organisation; however, we do receive zip files created on Macs that, when extracted with the built-in compression tools, encrypt the files. This plays havoc with our backups.

I want to disable EFS via GPO, but as we use redirected folders I am unsure about a few things:

  1. Would I link the GPO at the domain level (redirected folders are on the domain controller)?
  2. Does Windows server use EFS by default i.e. by disabling EFS am I likely to interfere with normal operations?

Thanks
Tony
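Before turning EFS off by policy it helps to know how many files in the redirected folders are already encrypted, since those are the ones the backup job is tripping over. The script below is an added example for this page, not code from the poster; the root path is a placeholder, and it only reads file attributes, so it can be run by the backup or administrative account without touching any EFS keys.

```powershell
# Added example: inventory EFS-encrypted files under a redirected-folder root and summarise them
# per top-level (user) folder. $Root is a placeholder; works on PowerShell 2.0 (no -File switch).
param([string]$Root = 'D:\RedirectedFolders')

function Get-EfsEncryptedFile {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
}

$rootNorm = $Root.TrimEnd('\')
$files = Get-EfsEncryptedFile -Path $rootNorm

# Group by the first path segment below the root, i.e. the user's redirected folder.
$files |
    Group-Object { ($_.FullName.Substring($rootNorm.Length).TrimStart('\') -split '\\')[0] } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'UserFolder'; e = { $_.Name } },
                  Count,
                  @{ n = 'MB'; e = { [math]::Round((($_.Group | Measure-Object Length -Sum).Sum) / 1MB, 1) } } |
    Format-Table -AutoSize

"Total encrypted files under ${rootNorm}: $(@($files).Count)"
```

The built-in `cipher /u /n` command produces a comparable list; `cipher /d <file>` decrypts a file, but only when the running account holds the EFS key for it (the user who extracted the archive, or a configured data recovery agent), which is why a policy that disables EFS going forward does not by itself clean up files that are already encrypted.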

Event Log Clearing and Event 1102


Are there any scenarios where a username would appear as having cleared an event log when the user in question did no such thing?

Can the process of archival generate that event with an account that's logged on? 

Thanks


*This is for Server 2008 R2

Uncheck "include inheritable permission..." does not block the action of "replace all child..."


Hello!
I need your help. On a 2008 R2 server, unchecking the option "include inheritable permissions from this object's parent" on a subfolder has no effect. Every time I check "replace all child object permissions" on the parent folder, the subfolder security is reset like the parent folder and, worse than that, the option "include inheritable permissions..." is then selected.

I always thought that checking the option "replace all child object..." would not change the security of a subfolder if the "include inheritable" option was unchecked. I guess I'm wrong?

So, how can I reset the security of many subfolders without changing the security of some?

thanks for your help
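The Robocopy template question above and this one share the same underlying mechanic: NTFS permissions on a child are either inherited from the parent or explicitly "protected" (inheritance disabled), and the GUI's "replace all child object permissions" option re-enables inheritance on every descendant, protected or not. The script below is an added example written for this page, not something either poster published; it walks a tree and re-applies inheritance only on objects that are not protected, so deliberately protected subfolders keep their own ACL. Writing an unchanged, unprotected ACL back still makes Windows recompute the inherited entries from the parent, which is what refreshes stale permissions on copied files. The root path is a placeholder.

```powershell
# Added example: re-apply inheritance below a folder root, skipping subtrees whose ACL is
# protected (inheritance deliberately turned off). $Root is a placeholder; run as an account
# with Full Control on the tree. Use -WhatIf to list what would change without changing it.
param([string]$Root = 'D:\Shared\TemplateCopy', [switch]$WhatIf)

function Reset-InheritedAcl {
    param([string]$Path, [switch]$WhatIf)
    $acl = Get-Acl -LiteralPath $Path

    # Unlike "replace all child object permissions", honour protection: a child with inheritance
    # disabled keeps its explicit ACL and nothing below it is touched.
    if ($acl.AreAccessRulesProtected) {
        Write-Verbose "skip (protected): $Path"
        return
    }

    # Drop any explicit ACEs so only inherited entries remain, make sure inheritance is enabled,
    # then write the ACL back; the write recomputes inherited entries from the parent.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
    $acl.SetAccessRuleProtection($false, $false)

    if ($WhatIf) {
        Write-Host ("would reset: {0} ({1} explicit ACE(s) removed)" -f $Path, $explicit.Count)
    } else {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    if (Test-Path -LiteralPath $Path -PathType Container) {
        foreach ($child in Get-ChildItem -LiteralPath $Path -Force) {
            Reset-InheritedAcl -Path $child.FullName -WhatIf:$WhatIf
        }
    }
}

# Children of the root only: the root itself keeps whatever explicit ACL the template defined.
foreach ($child in Get-ChildItem -LiteralPath $Root -Force) {
    Reset-InheritedAcl -Path $child.FullName -WhatIf:$WhatIf -Verbose
}
```

For the Robocopy case, run this against the destination after the `/COPYALL` copy: folders the template protected stay protected, and every unprotected file and folder picks up the current inherited entries. For the second question it is the selective "reset many, keep some" operation the GUI lacks.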


Windows 2003 Patch


Hi Team.

I am new in this area. Please help me.

Has Microsoft released any Windows 2003 critical patch after July 2015? Someone said that a Windows Server 2003 server received a critical patch, but they didn't tell me anything about it. So I want to know whether any critical patch is available for Windows 2003 server after July 2015.

Thanks in advance.

Strange behavior with Certificate Templates


Hi There,

I am experiencing a very strange behavior managing a Certification Authority remotely.

I have 2 management stations, installed exactly the same way. There are no firewalling issues, and the user account being used is the same.

However, when I look at the Published templates from one management station I see this:

and when I look at the same CA from the other management station I see this:

The templates work just fine, and there are no issues with the enrollment.

For whatever reason, on Management Station n.1 I can't browse the templates, while I can on n.2.

This is driving me nuts!

Before you ask, let me tell you that:

- The user logged in both management workstations is the same

- There are no firewall issues. Both stations can connect to the CA just fine

- The user has full rights on the CA and to manage the templates

What can that be?

Thank you,

Claudio

Custom validity for certificates


Hello,

We are using an Enterprise PKI (Windows 2008 R2) and created a few working templates. I now plan to use our PKI to create certificates for ActiveSync users and would like to define my certificates' validity to match the user contract (for example certificate expiration on the 31st of December 2015, therefore valid only 1.5 months and not the default one year). Is there a way to create a template that would ask for validity, or a parameter to pass when creating/signing the certificate?

Thanks in advance for any help.

Patrick




SHA 2 EFS certificate will not encrypt folder. Self Signed generated instead.


I am having an issue with migrating my EFS certificates to SHA2 on a new Enterprise CA configured for SHA2. I duplicated the Basic EFS template, set CA compatibility for Windows Server 2008 R2, and Recipient compatibility for Windows 7/2008 R2. I then issued a certificate to a test account and encrypted a folder on a server. When I try to encrypt a folder, a new self-signed EFS certificate is generated and is used to encrypt the folder.

Subsequently, I set up the EFS policy to not allow self-signed certificates and then deleted it. With the Enterprise certificate still installed, when I encrypt the folder I get an error, "Element not found", and encryption fails.

When I remove all certificates and issue an EFS certificate from my old SHA1 CA, I am able to encrypt the folder with the issued certificate.

I am trying this on a Windows Server 2012 R2 server, which should be fully compatible with SHA2. Any assistance is appreciated.

Thanks,

Brian 

TLS 1.1 and 1.2 Help


I want to preface this post by stating that I am a developer who knows enough to get around Windows Server, but don't know anything in depth.

Our web-based system makes a lot of API calls out to 3rd party providers. One of those providers has told us that starting in the near future they will disable support for TLS 1.0 encryption and only support TLS 1.1 and 1.2 because of the June 2016 PCI requirements.

In working towards this, I found a great tool that has helped, IIS Crypto, that makes the registry updates based on different scenarios (one being PCI compliance). I have updated using this tool, but I am still getting errors to the test site the 3rd party set up, and I am pretty sure it has to do with the cipher suites and the order they are set up in.

Can anyone give me some assistance in what the full requirement or best practice for this is?
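Two separate things decide which TLS version an outbound call from a 2008 R2 / Windows 7 machine offers: the Schannel protocol keys that IIS Crypto edits, and, for .NET Framework applications, whether the application asks for them at all (older .NET 4.x clients offer at most TLS 1.0 unless `SchUseStrongCrypto` is set or the code sets `ServicePointManager.SecurityProtocol`). The script below is an added diagnostic example for this page, not code from the poster or from IIS Crypto; it reads both sets of settings and then performs a test handshake restricted to TLS 1.2 and reports what was negotiated. The target host name is a placeholder, and the handshake part assumes .NET 4.5 or later, which is where the `Tls12` value exists.

```powershell
# Added example: audit the outbound TLS client configuration and do a TLS 1.2-only test handshake.
# $TargetHost is a placeholder; requires .NET Framework 4.5+ for SslProtocols.Tls12.
param([string]$TargetHost = 'api.example.invalid', [int]$Port = 443)

# 1. Schannel protocol switches. An absent key means the OS default applies.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $v = Get-ItemProperty -Path (Join-Path $schannel "$proto\$side") -ErrorAction SilentlyContinue
        $state = if (-not $v)                       { 'OS default (key absent)' }
                 elseif ($v.Enabled -eq 0)          { 'disabled' }
                 elseif ($v.DisabledByDefault -eq 1){ 'enabled but not offered by default' }
                 else                               { 'enabled' }
        '{0,-8} {1,-6} {2}' -f $proto, $side, $state
    }
}

# 2. Cipher suite order set by policy (this is the value IIS Crypto's order tab writes).
$order = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' `
          -ErrorAction SilentlyContinue).Functions
'Policy cipher suite order: ' + $(if ($order) { $order } else { '<OS default>' })

# 3. .NET Framework 4.x: without SchUseStrongCrypto=1 (both 64- and 32-bit hives) older runtimes
#    keep offering TLS 1.0 even when Schannel has 1.1/1.2 enabled.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    $s = (Get-ItemProperty $fw -ErrorAction SilentlyContinue).SchUseStrongCrypto
    '{0}: SchUseStrongCrypto = {1}' -f $fw, $(if ($null -eq $s) { '<not set>' } else { $s })
}

# 4. Test handshake: ask Schannel for TLS 1.2 only and report the negotiated parameters.
function Test-TlsHandshake {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocols)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $true)
        New-Object PSObject -Property @{
            Protocol    = $ssl.SslProtocol
            Cipher      = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            Hash        = $ssl.HashAlgorithm
            KeyExchange = '{0}/{1}' -f $ssl.KeyExchangeAlgorithm, $ssl.KeyExchangeStrength
        }
    } finally { $client.Close() }
}

Test-TlsHandshake -HostName $TargetHost -Port $Port `
    -Protocols ([System.Security.Authentication.SslProtocols]::Tls12)
```

If step 4 fails while the Schannel keys look right, the error is on the client application side (step 3) or in the cipher suites the two ends have in common (step 2), not in the protocol switches; if it succeeds from PowerShell but the web application still fails, the application's own runtime settings are the remaining difference.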

Server 2008 and Windows 7 Default Firewall Inbound and Outbound Rules


Hi there

I have a single Server 2008 R2 SP-1 as a DC with DHCP, DNS, F/P, Etc. and four Windows 7 desktops.

We have a requirement to have the Firewall turned on the server and all four desktops; Public, Private and Domain. 

On the server FW and the desktop FW you have to add Inbound and Outbound rules.

Q:  Does anyone know where there is a list of the basic IB and OB rules? 

Thanks, I just don't want to start adding every rule

B.

Event IDs 4732 and 4733


I am seeing both of these events multiple times each day from multiple (maybe all) systems on the domain. I want to be sure that nothing odd is occurring that needs to be researched or fixed. The user ID is removed and then added back. Is this something normal, or a possible security concern, or maybe something with how our GP is getting implemented?

Thanks for your help.
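The three Security-log questions on this page (what is generating 71,000 events a week, whether 1102 really names the account that cleared the log, and what the recurring 4732/4733 pairs are) are all answered by the same log, read the same way. The script below is an added example for this page, not code from any of the posters. It prints the effective audit policy (which can come from the Advanced Audit Policy Configuration GPO or a local `auditpol` run rather than the legacy Audit Policy node the first poster checked), the top event IDs by volume, every local group membership change with the subject account and logon session that made it, and every log clear with the subject account. The seven-day window is an assumption; it needs to run elevated and assumes PowerShell 3.0 or later.

```powershell
# Added example: summarise the Security log for volume, local group changes (4732/4733) and
# log clears (1102). Run elevated; $Days is an assumed default window.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# 1. Effective audit policy: only subcategories that are actually switched on.
auditpol /get /category:* |
    Where-Object { $_ -match 'Success|Failure' -and $_ -notmatch 'No Auditing' }

# 2. Which event IDs fill the log? Top 10 by count in the window.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Helper: flatten one event's EventData into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 3. Local group membership changes: 4732 = member added, 4733 = member removed.
#    MemberName is often "-" for these events, so fall back to MemberSid. Grouping by
#    group/member/action shows whether the same identity is being removed and re-added, and
#    Subject/LogonId show which account and session did it (a GPO-driven change runs as SYSTEM).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 4732) { 'Added' } else { 'Removed' }
            Group   = $d.TargetUserName
            Member  = if ($d.MemberName -and $d.MemberName -ne '-') { $d.MemberName } else { $d.MemberSid }
            Subject = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            LogonId = $d.SubjectLogonId
        }
    } | Group-Object Group, Member, Action, Subject | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Log clears. Event 1102 stores the clearing account under UserData/LogFileCleared, not EventData.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = '{0}\{1}' -f $u.SubjectDomainName, $u.SubjectUserName
            LogonId = $u.SubjectLogonId
        }
    } | Format-Table -AutoSize
```

Step 1 is the answer to "where does the auditing come from": if `auditpol` shows subcategories enabled that no GPO sets, the policy was applied locally or by a tool; if they match an Advanced Audit Policy GPO, that GPO overrides the legacy settings in the default domain policies. The `SubjectLogonId` in steps 3 and 4 can be joined to the matching 4624 logon event to see how that session was created.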

Changing the hash algorithm on an issuing CA (sha1 to sha256)


Hi,
I had a 2003 offline root CA which I've migrated to 2008 R2. I exported the root certificate and private key, plus the registry settings and certificate DB. These have all been restored on the 2008 server and certificate services have been installed (I'm using the same server name).

I've then run the command below to change the hash algorithm on the rootCA to sha256:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

I want to renew the issuingCA certificate so that the issuingCA can issue certificates and sign CRLs with sha256 encryption. I'm planning on the following:

1. Backup issuingCA
2. On the issuing CA --> "renew the CA certificate" --> generate a new certificate request
3. Copy the .req file to the rootCA and submit the request
4. Issue the certificate on the rootCA
5. Install the new sha256 issuing cert on the issuingCA
6. Restart certificate services

Now that the issuingCA has a sha256 cert itself, I'm planning on setting the issuingCA to issue sha256 certs:

certutil -setreg ca\csp\CNGHashAlgorithm SHA256

I have a couple of questions:

1. I have a few hundred XP and 2003 computers which may not be sha256 compatible. If I run the process above, will the existing .crt and .crl files in the CDP\AIA be overwritten or signed with a sha256 hash, and therefore be invalidated immediately?

I'm OK with the older clients failing revocation\autoenrollment once their current certificate\CRLs expire, but it would be a nightmare if all of those clients failed at the same time. I'm thinking of changing the CDP/AIA location after this process, i.e. from "cdp.contoso.com/certenroll/pki" (current AIA\CDP) to "cdp.contoso.com/certenroll/pki/cdp/sha256", so that the old .crt and .crl files are separate from the new ones. Is this needed?

2. Can I renew the issuing CA certificate with the same key? If so, should I?

Thanks in advance
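Three posts on this page (the HSM-backed PKI, the 2003 upgrade, and this one) are about moving an issuing CA from SHA-1 to SHA-256 with `certutil -setreg ca\csp\CNGHashAlgorithm SHA256`. Whatever the cut-over plan, the check that matters is the same: what hash is the CA configured for, and what hash do the CA certificate, the published CRL and the certificates already on clients actually carry. The script below is an added example for this page, not code from any of the posters; the CRL path and CA name are placeholders, steps 1 and 3 are meant to run on the CA host, and steps 2 and 4 can run on any domain member to see what that machine holds. Because the CRL keeps its file name when only the signing hash changes, reading the published file is the way to tell which hash current clients are fetching.

```powershell
# Added example: record the CA's configured hash and the hash actually used on the CA certificate,
# the published CRL and locally installed certificates. $CrlPath and $IssuerMatch are placeholders.
param(
    [string]$CrlPath     = 'C:\Windows\System32\CertSrv\CertEnroll\Contoso Issuing CA.crl',
    [string]$IssuerMatch = 'Contoso Issuing CA'
)

# 1. What the CA will sign with from now on (CA host only). The CNG algorithm is what takes
#    effect after the CSP has been switched to a KSP; a legacy CSP ignores this value.
certutil -getreg ca\csp\CNGHashAlgorithm
certutil -getreg ca\csp\CNGPublicKeyAlgorithm

# Helper used for every store listing below.
function Get-SignatureHashReport {
    param([string[]]$StorePath, [string]$IssuerFilter = '')
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -match $IssuerFilter } |
        Select-Object @{ n = 'Store';         e = { $_.PSParentPath -replace '.*::' } },
                      @{ n = 'Subject';       e = { $_.Subject } },
                      @{ n = 'NotAfter';      e = { $_.NotAfter } },
                      @{ n = 'SignatureHash'; e = { $_.SignatureAlgorithm.FriendlyName } } |
        Sort-Object SignatureHash, NotAfter
}

# 2. The CA chain as this machine sees it: which CA certificates are still sha1RSA.
Get-SignatureHashReport -StorePath 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA' |
    Format-Table -AutoSize

# 3. The published CRL: algorithm line and Next Update, straight from the file clients download.
if (Test-Path -LiteralPath $CrlPath) {
    certutil -dump $CrlPath | Select-String -Pattern 'Algorithm ObjectId|Next Update|This Update'
} else {
    "CRL not found at $CrlPath (placeholder path; adjust to the CertEnroll location)"
}

# 4. Certificates issued by this CA that are installed here, grouped by signature hash. Run on a
#    sample of the old XP/2003 clients to see which of them still hold sha1RSA end-entity certs.
Get-SignatureHashReport -StorePath 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My' -IssuerFilter $IssuerMatch |
    Group-Object SignatureHash |
    Select-Object Count, Name, @{ n = 'EarliestExpiry'; e = { ($_.Group | Measure-Object NotAfter -Minimum).Minimum } } |
    Format-Table -AutoSize
```

Running steps 2 to 4 before the change gives the baseline; running them again after the first CRL publish shows exactly which artefact switched to SHA-256 and when the last SHA-1 item in each store expires, which is the date the older clients stop being able to rely on it.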
