Channel: Security forum

SHA-1 to SHA-2 Conversion


We are currently using SHA-1 for our root and intermediate signed certificates and need to update to SHA-2. Root certificate expiration is set to expire in a few years, intermediate expires in June of 16. What would be the best way to upgrade to SHA-2 and create zero user or system disruption?

I want to create a new root template as RSA with a 2048 key length, SHA-256 as the hash and set the expiration as 10 years again. After that is created, generate a new intermediate cert template with a 5 year expiration and as SHA-256 also. Deploy the new root and intermediate cert to all servers with an updated expiration date (2026 & 2021) and let the old certs expire and the new certs to take over when that occurs.

What part am I overlooking? Do I need to delete the existing old certs from all servers and workstations so they are not seen as expired when the expiration occurs, and do I need to delete the old certs that are still using the old SHA-1 templates? The update is needed to pass data security scans in our environment.

Thanks for the help!


2012 Dynamic Access Controls


Is it true that, if Dynamic Access Controls and claims are properly configured, a file can be protected such that, when a user copies it from one location to another, it will not inherit the permissions of the new location?

Or is there a different way to do this in order to protect sensitive data?

Thanks

Paul


Paul Glickenhaus

cannot execute tpm32 class commands


Hi, I am using wmic to display some information about the TPM device installed on the system.

From the Win32 class I see there are properties and methods available.

I am able to query and display properties of the Win32 class; however, calling the methods is not working.

For properties I have to use get, and for methods it appears it is call.

But none of the methods work with call.

Below is an example where the results are counter-logical to each other:

isEnabled is supposed to be called without a parameter; with or without the parameter it displays an error message that is counter-logical. Am I doing something wrong or is this class broken?

PS C:\Users\Administrator> wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm call isEnabled
Executing (win32_tpm)->isEnabled()
ERROR:
Description = Invalid method Parameter(s)
PS C:\Users\Administrator> wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm call isEnabled 0
Verb Or Method has no input parameters.
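An added example (not code from the original post) that queries the same Win32_Tpm class through the CIM cmdlets instead of wmic. The methods take no input parameters; each returns its answer as an [out] parameter plus a ReturnValue, both of which Invoke-CimMethod exposes as properties of its result.

```powershell
# Added example: call the parameterless Win32_Tpm methods via CIM instead of wmic.
# Requires an elevated prompt on a machine with a TPM and the TPM base services running.
$tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' -ClassName 'Win32_Tpm'
if (-not $tpm) {
    Write-Warning 'No Win32_Tpm instance returned: no TPM present or the TPM service is unavailable'
    return
}

foreach ($method in 'IsEnabled', 'IsActivated', 'IsOwned') {
    # No -Arguments: these methods have only [out] parameters and a uint32 return code
    $r = Invoke-CimMethod -InputObject $tpm -MethodName $method
    [pscustomobject]@{
        Method      = $method
        ReturnValue = $r.ReturnValue   # 0 means the WMI call itself succeeded
        Result      = $r.$method       # the boolean [out] parameter carries the method name
    }
}

# Same query with the older WMI cmdlets, for comparison:
# (Get-WmiObject -Namespace root\cimv2\security\microsofttpm -Class Win32_Tpm).IsEnabled().IsEnabled
```

A non-zero ReturnValue is an HRESULT from the TPM provider and is worth logging alongside the boolean, since a failed call and a disabled TPM look the same if only the boolean is checked.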

Enterprise single sign-on

I am supposed to log in via web login, desktop, mobile, proximity card, biometric, and IVRS to web-based applications / client-server applications / mainframe applications / .Net applications / Java applications / legacy applications using a single sign-on feature. What are all my prerequisites?

Active Directory Certificate Services could not publish a Base CRL for key 0 or Delta CRL Key 0 (Event IDs 74 & 75)


Hi,

We are getting the below-mentioned error on our Enterprise Subordinate CA server. As Microsoft suggested, I have checked the network and the CA's permissions for the CDP folders in ADSS; everything is fine. Kindly help me to resolve this issue.

Unable to get CRL from MSCEP - No CRL For this Cert


Hello

I am trying to set up mscep so that it can be used by network devices to retrieve a CRL for our CA, however I am seeing this error in the event log:

The Network Device Enrollment Service cannot obtain the certificate revocation list (CRL) for key 2 from the certification authority. Verify that the CA service is running, the Network Device Enrollment Service account has Read permission on the CA service, and the CA service has successfully created the latest CRL. Use the Certification Authority management console to verify the permissions on the CA service. Use the command: Certutil -config "<caserver>\<caname>" -cainfo crl 2 to verify that the CA service has created the latest CRL. The error returned was (0x80070057). The parameter is incorrect.

Running the command certutil -config "<caserver>\<caname>" -cainfo crl 2 gives the following output:

805.363.0:<2015/12/4, 17:33:45>: 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
805.454.0:<2015/12/4, 17:33:45>: 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
437.625.0:<2015/12/4, 17:33:45>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): CADescription
437.625.0:<2015/12/4, 17:33:45>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): ParentCAName
CRL[2]: 1 -- Error: No CRL for this Cert
CertUtil: -CAInfo command completed successfully.

I have not been able to work out what the problem is.

Thanks


Can duplicate identical Intermediate certificates cause a certificate validation error?


I've got a very random certificate validation error that affects Lync sign-in and also connectivity to our WiFi network, both of which heavily rely on SSL certificates.

I have an organization of around 700 users, and every week 2 or 3 users are unable to connect to the above services. We run our own MS 2-tier Enterprise CA setup. Everything I look up is reporting a certificate validation error, but all of my certificates are valid. The only thing that I can find that could be the cause of the issue is that when I check the local certificate store on an end user's system and check the Intermediate Certification Authorities container, I notice that there are 2 identical subordinate CA certificates installed. A GP update /force normally resolves the sign-in issue, but sometimes I have to manually delete one of the identical certificates, so I'm pretty sure this is the problem, but I'm struggling to understand why.

Has anyone come across a situation where 2 identical intermediate certificates can cause a failure in the validation chain?

LAPS - Find-AdmPwdExtendedRights - Incomplete Results


For our OUs, the lion's share of results of the cmdlet are:

{NT AUTHORITY\SYSTEM, DOMAIN\Domain Admins}

But upon closer inspection (via ADUC MMC), the ACLs show many other groups given Full Control (including All Extended rights). These groups seem to have been ignored by the cmdlet, maybe because the rights are inherited from above?

In any case, the results seem to be incomplete, and I wonder if anyone else has noticed this...
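An added example (not code from the original post or from the LAPS project) for cross-checking the cmdlet's output: it walks the OU's ACL directly, including inherited ACEs, and lists every principal holding the extended right on the ms-Mcs-AdmPwd attribute or "all extended rights" (which GenericAll implies). The OU distinguished name is a placeholder.

```powershell
# Added example: enumerate who can read the LAPS password on an OU, inherited ACEs included.
Import-Module ActiveDirectory
$OuDn = 'OU=Workstations,DC=example,DC=com'   # placeholder, replace with your OU

# Resolve the schema GUID of ms-Mcs-AdmPwd instead of hard-coding it
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd not found in the schema; is LAPS installed?' }
$pwdGuid    = [guid][byte[]]$attr.schemaIDGUID
$allObjects = [guid]::Empty   # ObjectType all-zero GUID = right applies to all extended rights
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($extRight) -and      # GenericAll also sets this bit
        ($_.ObjectType -in @($pwdGuid, $allObjects))
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ n = 'Scope'; e = { if ($_.ObjectType -eq $pwdGuid) { 'ms-Mcs-AdmPwd' } else { 'all extended rights' } } } |
    Sort-Object IdentityReference
```

Any IdentityReference that shows up here with IsInherited set to True but is missing from the cmdlet's output is a principal whose password-read access the cmdlet alone would not have revealed.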


Very odd problem with remote login to server


There are 3 domain controllers in the domain, 2 are 2012 R2 and the other is 2008 R2. This problem just showed up out of nowhere and it has got me stumped. If I RDP to any one of these DCs and specify DOMAIN\username, it will accept any DOMAIN name as long as the username and PW are correct. As an example, if I log in as ANYDOMAIN\username and give the correct password for username, it lets me in even though ANYDOMAIN does not exist. If I then check the security log, it shows me as being logged in with the correct DOMAIN name. All 3 servers behave the same way and I have made no changes to AD for a long time. This seems to have cropped up in the last 4 weeks, as I worked with a user 4 weeks ago who could not log in because they were using the wrong DOMAIN name, which is how it should be and has been for years.

I have googled till I am blue in the face but can find nothing related to this very odd problem. These servers are completely ignoring the NetBIOS domain name at login. As long as the username and PW are correct, I am in no matter what DOMAIN I precede the login with. I have checked for malware and run an SFC scan; nothing shows up. How is this possible?

I should also point out that if I log in via the keyboard and feed it the wrong domain name, it does NOT let me in until I correct the DOMAIN name to the proper name. This only happens via RDP and also when users are logging into SharePoint, which is in the same domain.

Thanks for any and all help provided.



Audit policies at a school.


What audit policies are used at schools and in places where persons are not to be trusted? :-) I want to see if any of the student computers manage to get privileged access; I guess that is possible?

 

2012 CA Server Root Cert Default/Extended Attributes on Install & How to Supersede Default CA and Subordinate Templates


Hello,

I'm placing a 2012 R2 Enterprise CA Server into a 2008 AD Domain.

I want to add more attributes into the Root CA's certificate when it is created.

i.e. Subject Alt Names (v3 Ext), E, CN, L, ST, etc. (city, state, zip, email, url)

For the life of me I cannot see how to do this anywhere.

Related to this, it would appear that, as much as I can create additional CA and Subordinate CA templates, I cannot supersede the already installed "Root Certificate Authority" and "Subordinate Certification Authority" templates with the new ones.

So how does someone install an Intermediate CA (Subordinate), much less a Root CA, and have the 'Duplicate Templates' be used in precedence over the default Root CA and Subordinate CA templates?

Thanks much.

Syntax to output Subject Alternative Name extension using certutil -view


Can I pull back Subject Alternative Name as the output of a certutil -view query?

I was hoping it would be something like:

certutil -config "[CA]" -view -restrict [QUERY] -out san

PKI (Smartcard) - Logging a locked card

Hi,

We are facing a problem with getting information about locked smartcards (Gemalto) used for authentication in a Windows domain. After 5 failures entering the correct PIN code, the smartcard (not the account) gets locked and needs to be unlocked using a 3rd-party tool (we are using Response Calculator .Net v2+). When a smartcard gets locked, we cannot find any information in event logs or similar that the card is locked. The user account and certificates that are connected to the smartcard are still active and show no disabled features.

Is there a way to get more logging / debugging that we can use to send an alarm / notification that a card has been locked?

Also, the current attempt count is set to 5 before the card is locked; where can this be changed?

Best regards,
Mattias

Upgrade CA to SHA256


We have an internal CA hierarchy, which consists of a Windows 2008 (non-R2) server (root CA) and two Windows 2012 R2 subordinate CAs. The sub CAs were upgrades from 2008 R2. Our current hashing algorithm is still SHA1, which I need to upgrade to SHA2 (SHA256) if possible. There are a few guides and blogs on this, which I've been looking at, and the actual upgrade of the hashing algorithm is almost just a one-line command, but our current hashing provider is Microsoft RSA SChannel Cryptographic Provider, which, correct me if I'm wrong, doesn't allow any hashing algorithm above SHA1, and the process to upgrade the hashing provider is a bit more involved.

Can anyone clarify what my options are to upgrade our CA infrastructure to support SHA256, and switch (if necessary) to a better provider?
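An added example (not code from either of the SHA-1 posts above, the earlier "SHA-1 to SHA-2 Conversion" one or this one) that inventories which certificates in a machine's trusted root and intermediate stores are still signed with SHA-1, so the cut-over can be tracked server by server. It reads only; nothing is changed. Self-signed roots are reported separately because Windows never validates a trusted root's own signature, so a SHA-1 root is not itself what scanners flag.

```powershell
# Added example: find certificates in the machine Root and CA stores still signed with SHA-1.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = Split-Path -Path $store -Leaf
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            SigAlg     = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            NotAfter   = $_.NotAfter
            SelfSigned = ($_.Subject -eq $_.Issuer)           # trusted roots: signature not validated
        }
    }
}

# Intermediates (and any non-self-signed entries) whose signature still uses SHA-1
$report | Where-Object { $_.SigAlg -like 'sha1*' -and -not $_.SelfSigned } |
    Sort-Object NotAfter |
    Format-Table Store, Subject, SigAlg, NotAfter -AutoSize

# Roots signed with SHA-1, listed for completeness (replace on the hierarchy's own schedule)
$report | Where-Object { $_.SigAlg -like 'sha1*' -and $_.SelfSigned } |
    Format-Table Store, Subject, NotAfter -AutoSize

# On the CA server itself, the hash it signs with can be read (and, after the cut-over,
# confirmed as SHA256) with:
#   certutil -getreg ca\csp\CNGHashAlgorithm
```

Run the same inventory on a sample of workstations after the new chain is deployed to confirm the old intermediate has aged out rather than lingering beside its replacement.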

TLS 1.2 on Windows Server 2008 (non R2)


Hi,

As far as I know, TLS 1.2 is officially supported from Windows Server 2008 R2.

Is there any way to use TLS 1.2 on Windows Server 2008?

Maybe, there is some kind of install package which enables support for TLS 1.2 on Windows Server 2008 (apart from upgrading to R2 or newer).

Regards,

BrzWit


Installing 3rd Party Certificates on Domain Controllers


Hi,

We have migrated from Microsoft PKI to the Entrust PKI solution. My environment has about 50+ DCs, and now I have been asked to install certificates from Entrust to support LDAP/S.

Entrust provides a document to create and install certificates on a single DC using GUID and FQDN.

Is there any possibility to request and install certificates on all 50 domain controllers using any automated method, like GPOs?


Regards,
Rafic

If you found this post helpful, please give it a "Helpful" vote.
If it answered your question, remember to mark it as an "Answer".
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

RDP access to a server restricted to a few users.


Hi..

I have a requirement wherein only a few users should have RDP access with admin rights to a few specific Windows machines which are part of Active Directory.

For this, a security group has been made in AD, that group has been made a member of the local Administrators group of the few target Windows machines, and the Domain Admins group has been removed from the local Administrators group, since we don't want other users, no matter whether they are domain admins, to be able to log on to these machines.

Now, in order to increase security further, the question arises that these security groups can be altered by a domain admin and affect the access rights of the selected few machines.

How can I achieve this?

- I just want a few users to have RDP access/administrator rights on these machines, and no other user should be able to tamper with the access rights for these machines in Active Directory.

I know it is a very unusual requirement:)

How to disable specific event log ID


This event repeats 20 times in 1 second, and it is blocking investigation of the other logs.

Log Name:      System
Source:        Microsoft-Windows-Hyper-V-VmSwitch
Date:          7.12.2015 22:57:07
Event ID:      25
Task Category: (1018)
Level:         Information

SHA1 to SHA2 Migration


Hi,

We are planning to migrate from SHA1 to SHA2 by building a parallel environment (side-by-side migration).

I have a question before starting the migration from SHA1 to SHA256.

1) We have multiple Issuing CA servers, and we have a large number of customized templates with different configurations on each CA server. Is there any possibility to migrate those templates to the new SHA256 environment?

Thanks in Advance

//Bala R 

CDP location - spelling mistake


Hi guys, I'm really quite new to the Certificate Services aspect and need some help.

I created a root CA and entered the AIA and CDP extensions; however, later when I ran PKIVIEW from the sub-CA I noticed I had misspelled the value for the CDP. Because of this it shows the CDP Location status as "unable to download".

I went back to the root CA and changed it, republished the revoked certificates and copied the CRL file to the CA in both c:\windows\system32\certsrv\certenroll and c:\inetpub\www\certenroll. I restarted all the services and ran PKIVIEW again, but it still shows the old (misspelled) value, and hence "unable to download".

Have I missed something? How can I get it to update the value?

Any help would be much appreciated.
