Channel: Security forum

getting System.AccessViolationException


I hope I am posting in the right area.

After installing HF KB2742596 (operating system: Microsoft Server 2003), an existing application throws this exception:

Exception - System.Exception: Error getting user properties from the Active Directory profile storage. ---> System.Exception: Error getting the 'title' property from the Active Directory profile storage. ---> System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.GetEx(String bstrName, Object& value)
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)

Any help you could give in this matter would be greatly appreciated.

Thanks.



Server 2008 R2 Administrator Password

I set up a Server 2008 Standard R2 with Hyper-V. I have forgotten the Administrator password on both the local and virtual side. Both the local and virtual have the same Administrator password. I do have my own account on the local side and I am in the Administrators group. I understand from some of the posts here that I can change the Administrator account from my account, but is there a way to bridge from the local to the virtual side and change the Administrator account there using my account?

Disallow a service to run unsigned .dll files.


Hi all,

I have some .dll files that are running with my IIS. These files are signed by a certificate I made. My question is: how can I ensure that IIS (or another service/computer) only runs those .dll files (or other formats) that I have signed?

I mean, if someone hacks my server and puts some unsigned .dll files to run with my IIS, I wouldn't notice a thing until I checked the .dll files' certificates...

Does anyone have a clue how to prevent this? I know it's a vague question, but this is a problem my company has been having for a long time...

Jelle 

Block IP from logging in


I'm trying to block an IP from logging in to the DC, or doing anything else really on the Windows domain.

I set a firewall rule with all protocols and programs enabled, all ports, and added the IP for both local and remote. The rule applies on domain, private and public. And I made sure the rule is enabled ;)

Yet somehow, I can still see in my logs that login attempts using bad credentials have occurred originating from the IP that I blocked. How's that possible, and how can I stop this?

The IP is one from our internal network.

NDES Enrollment Issue - PasswordMax reg key being ignored. Suggestions?


Hi all,

We have the NDES service configured on our CA server to dish out certs to iPads. Everything works fine EXCEPT the PasswordMax value. By default, this is 5. I have changed the value to 100 but this value is being ignored. The system is still using the default 5. As a result, I have to do IISRESETs when the support staff try to issue certs to more than 5 iPads within an hour. In addition, I have updated the PasswordValidity value as well to change how long a password is valid for, but that's also still using the default value of 60. The odd thing is that there is the registry entry SignatureTemplate which I can change to use a different template, and that is getting read correctly.

Any suggestions why these two PasswordMax and PasswordValidity values would be getting ignored?

Thanks!

Remote Assistance and Machine Authentication (your remote desktop connection failed because the remote computer cannot be authenticated)


Hi,

I have an issue with being able to securely connect to my users via Remote Assistance (in the same domain). The issue is that if "require server authentication", or even "connect but warn me", is set in my GPO (see capture 1),

then I cannot commence a Remote Assistance session with a user, as I get this (see capture 2).

I have implemented a CA, and both machines (expert and novice machines) have machine certificates enrolled, issued from the CA (they were in the Remote Desktop branch of the local cert store too, but that made no difference, so I have removed them).

I have also tried importing the expert/novice machines' cert to the Personal and Remote Desktop branches of either side of the local cert store, but this hasn't worked either.

I have also issued RemoteDesktopComputer certificates as described in this MS page:

http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

I am referencing my connection using the FQDN of the target machine and I have played with the settings for NLA on both sides, but it doesn't seem to make a difference.

To clarify, this is W7 Pro to W7 Pro. My certificates are valid on either side.

I am now at a point where I have run out of threads to read and ideas to try.

cheers

Lee

Service accounts and NT AUTHORITY\Authenticated Users


Hi!

I'm working on a procedure for managing service accounts.

I'm pretty sure of the order in which you should use the different account types in order to implement the "principle of least privilege".
In certain situations you are forced to use a domain account; what I can't figure out is whether there is a point in removing the domain account from the "Domain Users" group.

I thought of this since I'm not sure to which resources "Domain Users", directly or indirectly via the local "Users" group, have been granted access, and by creating a completely new group, making it the primary group for the account, and then removing membership in "Domain Users", I would take back that control for the service accounts.

However, I found out that on Windows computers the group "NT AUTHORITY\Authenticated Users" is a member of the local "Users" group. So, if an account in the domain (not a member of "Domain Users") is considered a member of the local NT AUTHORITY\Authenticated Users, I guess there is no point in doing this, or is there? They will end up in the local "Users" group on every system anyway.

Sincerely
Peter

account failed to log on


Hi! We recently needed to change all admin passwords when a co-worker left the company. Since then, the security logs are filling up with audit failures such as the one below:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/25/2013 11:34:13 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      hcdc1.mydomain.ad
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: HCDC1$
Account Domain:mydomain
Logon ID: 0x3e7

Logon Type:3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain:mydomain

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID:0x214
Caller Process Name:C:\Windows\System32\lsass.exe

Network Information:
Workstation Name:HCDC1
Source Network Address:10.1xx.xx.xx
Source Port: 55074

Detailed Authentication Information:
Logon Process:Advapi  
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:-
Package Name (NTLM only):-
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-25T15:34:13.202353900Z" />
    <EventRecordID>33047753</EventRecordID>
    <Correlation />
    <Execution ProcessID="532" ThreadID="1284" />
    <Channel>Security</Channel>
    <Computer>hcdc1.mydomain.ad</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">HCDC1$</Data>
    <Data Name="SubjectDomainName">mydomain</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">mydomain</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">HCDC1</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x214</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">10.108.192.170</Data>
    <Data Name="IpPort">55074</Data>
  </EventData>
</Event>
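As an added triage helper that is not part of the original post: a Python parser for the 4625 event XML quoted above, decoding the NTSTATUS sub-status and logon type and flagging the two details that narrow down where a stored, now-stale credential is being used (an Advapi logon process, and a workstation name equal to the reporting host). The sample event is an abridged copy of the XML in the post; the flag names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an abridged copy of the 4625 event XML quoted in the post,
# keeping only the fields this helper reads (the namespace is the real Windows one).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <Computer>hcdc1.mydomain.ad</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">mydomain</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="WorkstationName">HCDC1</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">10.108.192.170</Data>
    <Data Name="IpPort">55074</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values Windows writes to the SubStatus field of event 4625.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000072: "account is disabled",
    0xC0000193: "account has expired",
    0xC0000234: "account is locked out",
}
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 8: "network cleartext", 10: "remote interactive"}


def parse_4625(xml_text):
    """Flatten the event into a dict keyed by the Data Name attributes."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "").strip()
          for d in root.findall("./e:EventData/e:Data", NS)}
    ev["EventID"] = root.findtext("./e:System/e:EventID", namespaces=NS)
    ev["Computer"] = root.findtext("./e:System/e:Computer", namespaces=NS)
    return ev


def triage_4625(xml_text):
    """Decode the failure and flag details that point at where the stale credential lives."""
    ev = parse_4625(xml_text)
    if ev["EventID"] != "4625":
        raise ValueError("not a 4625 event")
    substatus = int(ev["SubStatus"], 16)
    logon_type = int(ev["LogonType"])
    result = {
        "target": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
        "reason": SUBSTATUS.get(substatus, "unmapped substatus " + ev["SubStatus"]),
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "source": f"{ev['IpAddress']}:{ev['IpPort']}",
        "flags": [],
    }
    # "Advapi" as the logon process typically means a caller on the reporting host
    # used the LogonUser API (a service, scheduled task or application holding a
    # stored password) rather than an SMB/Kerberos network logon from a remote box.
    if ev["LogonProcessName"].lower() == "advapi":
        result["flags"].append("api_logon_stored_credential_likely")
    # Workstation name equal to the reporting host's own short name: the failed
    # request originated on this machine, so check its services and tasks first.
    if ev["WorkstationName"].lower() == ev["Computer"].split(".")[0].lower():
        result["flags"].append("workstation_is_reporting_host")
    return result
```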


help with security log

I have the audit policy in place on my server to see which employees are accessing which files on our network.  The security event log does not tell me anything about what directories or files were accessed.  Is there a way to configure this as I really need to see who goes where as many files are getting moved, renamed or deleted.  Thanks

When installing KB2621440-x86 on Windows Server 2008 32-bit, error: "This update does not apply to your system"


Hi,

When installing KB2621440 on Windows Server 2008 32-bit, I got this error: "this update does not apply to your system".

I have confirmed that the patch downloaded is the correct one for the OS.

Thanks in advance.

Andrew.

Changes to Certification Authority 2012 CDP and AIA paths?


Hi

For a customer I deployed a new PKI based on Windows Server 2012 since the old one was toasted. Anyway, rather quick and easy as it is a small environment.

One of the services that requires certificates is the VMware environment they are using. When trying to install the certificates to the keystore in Java using keytool, it fails. As far as I can understand, it fails due to the fact that there are spaces in the LDAP path for "CN=Public Key Services".

Comparing to a 2008 R2 CA, the registry shows the same path as on Server 2012, but in the CA properties/extensions in the MMC and on the generated certs, the space has been substituted with "%20", like this: "CN=Public%20Key%20Services".

The error message received is (repeated for the root cert and both CDP and AIA):

Unparseable AuthorityInfoAccess extension due to java.io.IOException: invalid URI name:ldap:///CN=MyFancyRootCA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=net?cACertificate?base?objectClass=certificationAuthority

Names obviously changed, but they do not contain spaces. I tried to remove the LDAP URL from the issued certificates, but that only moved the issue to the enterprise and root certificates.

Researching this, it seems like it should work, but it fails with the above error message. Of course, when looking at this from a Windows host, everything is fine and the Enterprise PKI snap-in reports everything as working.

Any hints or ideas are appreciated.

/Anders


Hth, Anders Janson Enfo Zipper

net use


Dear All,

I have Windows Server 2008 R2 with AD Services and DNS installed.

I was tinkering around with the net use command (Windows 7) and I realised I can get too much information using this command on our domain. So, curious: would that be a security risk, and how can I only allow domain admins to use this sort of command on the domain? If I restrict this, would there be any reduced functionality for normal users?

Any help will be highly appreciated.

Thanks

Disallow access to a folder structure to all but one person


I need to be able to create a set of folders on a server and restrict read and write access to all but the currently logged-in user (and admins) through a Batch/Command file script.

I see that "subinacl" can be used to set "ownership" to a folder and "icacls" can be used to set permissions. I have the following questions:

1) Do I need to set ownership or if the folder structure is created in a batch file run under the current user's id, will they be owner already? 

2) What users need to have their permissions changed so they can't read and write? (i.e., can I just set the "Users" account to no access?)

thanks,


Bert Sirkin



Active Directory Certificate Services PKI Architecture


Hello everyone,

I have some generic questions on AD CS and ultimately best practices. I have looked around and just can't find details. I have set up a lab environment using a two-tiered approach where I have a single root and a couple of subordinates, and they appear to be operational.

1. How many different PKI setups can you have in a single Active Directory forest with a single domain? The reason I ask is that even though I have multiple intermediary CAs, they ultimately trust the same root. Example: say I have two SharePoint farms, one for developers and one for marketing. They both require client-side certs. Even if I sign Dev SP with one CA and the Marketing SP with the other CA, since they are both under the same root CA, they can access each other's SharePoint instance (computer cert). If I had two and ultimately more root CAs, I could sign each SharePoint certificate with a separate CA tree. Hopefully this makes sense. As you can see, I could possibly have multiple PKI root CAs depending on function: one for computers, one for users, one for BYOD, one for a specific SharePoint farm, etc. A single PKI doesn't seem practical, considering that just because all the machines belong to the same domain doesn't mean they should have access to the same PKI resources.

2. In reference to question 1, assuming it is not best practice to have more than one PKI root CA, can I trust the intermediary CA on some machines as root and another intermediary CA on other machines to separate the trust?

3. Assuming it is OK to have multiple root CAs, should I disable the certificate templates that come up by default in a base CA install, like "Domain Controller Authentication", "Domain Controller", "Administrator", etc., and only have a "single" PKI implementation with those standard certificate templates?

Thanks in advance for any information you provide.

Paul


PJudt

AD CS red X under Enterprise PKI, reinstalled OS still shows


So I have a fresh install of 08R2 joined to the domain, and I went to install AD CS for the first time. I haven't really messed with AD CS before. I created an Enterprise Root CA on this server called CA1. By the way, these are all VMs. I then had another fresh install of 08R2 joined to the domain called CA2 that I installed AD CS on as well, but this time I chose Enterprise Subordinate CA. I had things working, it seemed, but I noticed that the root CA was giving out certs to client computers and I just wanted those to come from the subordinate, as I thought would happen, and I also read it's best practice to issue from the subordinate CA. I found a bit more information online about how it's best practice to have, in my case, CA1 be a Standalone Root CA and then have CA2 be an enterprise subordinate.

Here is where I messed up. So I wanted to change everything. I figured I would need to revoke the certs, so I browsed to Issued Certificates, highlighted them all and chose revoke. Then I right-clicked, chose All Tasks and stopped the service. I then uninstalled the AD CS role on both servers, since I just wanted to start over from scratch and I also wanted to change the common name for this CA anyway, which was domain-ca1-ca. I reinstalled the roles and found out I had a red X on the Enterprise PKI all the way down the tree. I thought crap, so I figured maybe if I reinstalled the OS that would clear it. So I did that and created the same server name, joined it to the domain and tried again, but I still have a red X under Enterprise PKI with the old common CA name, which was domain-ca1-ca, and I wanted to change the name of it to domainCA and have CA2 be called DomainIssuingCA. Of course, if I try to manage the CA it says the specified service does not exist as an installed service 0x424 (win32: 1060), and just clicking on it says CA Offline.

How do I go about fixing this?  Am I correct for best practices in that I should have AD CS with two servers, CA1 being the Standalone Root CA and CA2 being an Enterprise Subordinate CA?

Thanks.


Security scanning - question about Windows service


Hello,

As part of our internal security requirements all new servers are being scanned by a Nessus engine before being released to production.  My two new Lync FE servers have been tagged with having a high-level vulnerability.  See below.  It calls out the Windows Identity Foundation service as having an 'unquoted service path' in the registry.  

Before I comply with trying to 'fix' this 'vulnerability', I was wondering if anyone else runs similar internal security...and if so, have you successfully 'fixed' something like this.  I'm a little reluctant to go mucking about in the registry to modify this 'service path' to include quotes.

Thanks in advance for any advice/replies.  vulnerability data below:

445/tcp 63155 - Microsoft Windows Unquoted Service Path Enumeration

Synopsis
The remote Windows host has at least one service installed that uses an unquoted service path.

Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.

See Also
http://isc.sans.edu/diary.html?storyid=14464
http://cwe.mitre.org/data/definitions/428.html
http://www.commonexploits.com/?p=658

Solution
Ensure that any services that contain a space in the path enclose the path in quotes.

Risk Factor: High
CVSS Base Score: 7.2 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score: 6.5 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitable with Metasploit: true

Plugin Information:
Publication date: 2012/12/05, Modification date: 2012/12/17
Ports: tcp/445

Nessus found the following service with an untrusted path: c2wts : C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe
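Added example, not part of the post or of the Nessus plugin: the check the plugin performs and the fix it recommends, in Python over constructed ImagePath values. The c2wts entry is the one reported above; the other service names and paths are made up for contrast.

```python
import re

# Constructed sample ImagePath values, as read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The c2wts entry is the
# one the scanner reported above; the other names and paths are made up.
SAMPLE_SERVICES = {
    "c2wts": r"C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe",
    "quotedsvc": r'"C:\Program Files\Example Vendor\svc.exe" -service',
    "nospaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "withargs": r"C:\Program Files\Example Vendor\agent.exe --config C:\cfg\a b.ini",
}


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments, was_quoted).

    Quoted values are unambiguous: the binary is the quoted segment. For unquoted
    values this assumes the binary ends in .exe, which is also what the scanner's
    check relies on.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:          # unterminated quote: treat the rest as the binary
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", s, re.IGNORECASE | re.DOTALL)
    if not m:
        return s, "", False
    return m.group(1), (m.group(2) or "").strip(), False


def is_unquoted_service_path(image_path):
    """The scanner's condition: unquoted, and a space somewhere in the executable path."""
    # Each space lets the Service Control Manager try a shorter prefix as the binary
    # before reaching the real one, so whoever can write to the directories along
    # the path decides what the service runs. Quoting removes the ambiguity.
    exe, _, quoted = split_image_path(image_path)
    return (not quoted) and (" " in exe)


def quoted_image_path(image_path):
    """The recommended fix: quote only the executable, leaving arguments unquoted."""
    exe, args, quoted = split_image_path(image_path)
    if quoted or " " not in exe:
        return image_path.strip()
    return f'"{exe}"' + (f" {args}" if args else "")


def audit_services(services):
    """Map each affected service name to the ImagePath value it should have."""
    return {name: quoted_image_path(path)
            for name, path in services.items()
            if is_unquoted_service_path(path)}
```

On a real host the corrected value is what gets written back to the service's ImagePath registry value; the functions above only compute it, so they can be run against an exported registry hive first to review the changes.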

CA for digital signature help!

Hi all,

We use InfoPath 2010 to design forms and require digital signatures. I set up Certificate Services as in this link:

http://marcellotonarelli.wordpress.com/2009/10/28/domain-certificate-authority-signing-infopath-2007-forms/

We asked two internal users (only domain-internal users) to digitally sign, and they cannot validate each other's signatures.

1) Is the code signing template right for digital signatures? (We do not have any custom code.) Should I use the User template for requesting the certificate?

2) Why can the internal certificates not be validated by each other, even though they are issued by our internal certificate server?

Thank you.


NDES Account "Enterprise or Domain Admin" Requirement


We have a functional NDES environment with PKI infrastructure, but we would like to not have the SCEP Administrator account be a member of the Domain Admins group, for auditing and security purposes. Are there any ways to configure the service accounts with different permissions on the CA to mitigate the risk and/or requirement for an account to be in the Domain Admins group?

I'm referencing an article in the requirements tab on page 3.

http://technet.microsoft.com/en-us/library/ff955646(v=ws.10).aspx

Thanks in advance for any assistance,
Steve Skwerski

Kerberos Security - Is there a way to get Master Key and decrypt the session key?


I'm not sure, but I'm just guessing whether the following scenario could be achieved:

For example, there is a proxy server sitting in the middle of Kerberos Client and the Resource Server. At first, this proxy server will pretend to be the resource server and authorize itself with KDC to get the master key. And then in the subsequent packets transmission between Kerberos Client and the real resource server, this proxy server could receive the packet from client, decrypt the session key with the Master Key it received from KDC earlier, and then decrypt the whole packet with the session key, process the packet and encrypt it with the session key and then send to the real resource server.

If the above scenario is possible, then how does this proxy server get the Master Key from the KDC? Can it present itself to the KDC as a Service Principal and receive the Master Key? If the answer is yes, then how can I implement it in C++? Is there sample code to do that?

Thanks a lot in advance,

Andy

Turn off automatic root certificates

I want to turn off Automatic Root Certificates Update, which I feel can be done using Group Policy. But I am not sure what repercussions it is going to have. From the description I realise that if we disable root certificate update:

"If the user is presented with a certificate issued by a root certification authority that is not directly trusted, and the Update Root Certificates component is not installed on the user's computer, the user will be prevented from completing the action that required authentication"

From the above statement I want to know how it is determined whether the certificate issuer is trusted or not, even before checking with the Microsoft website, as that's been turned off.

In short, I need to know: if Automatic Root Certificates Update is turned off and there is an applicable certificate, on what basis is it determined whether it is trusted or not trusted? What local policy is checked, and how?
