Channel: Security forum

Question about Managed Service account?


Hi All.

I was doing some study on managed service accounts. I thought I understood it, but now I have some confusion...

- Service accounts are used on one computer!! What does this really mean?! For example, if I want to run a piece of software on 100 computers, do I need to create 100 MSAs?

- One of the benefits of MSAs is saving time for administrators when the password is changed for the account!! So when I run a software or service on a computer using the password associated with the MSA, and after some days I reset the password for the MSA on the server, I don't need to change the password on the client machine??? So how does it update its saved password?

- In my company I was using a service account on a multifunction scanner to get LDAP working on the scanner, in order to get the users on the scanner and send the scanned file to the user... In this case, if I change the password for the MSA on the server, I don't need to change it on the scanner machine??

Could someone give an example of how it is used on a daily basis?

Many thanks


CRL Download via SCEP fails in CA multi tier Hierarchy (Two tier / Three tier) with Event ID : 45 (NDES cannot match the issuer and serial number in the device request with any CA certificate)


Hi All,

Operating system - Windows server 2012 R2

We have set up a three tier CA Hierarchy.

Root CA->SubCA->Issuing CA

NDES service is installed at the Issuing CA.

We have developed a client application which retrieves the CRL from the Issuing CA via the SCEP protocol.

We always get the error "Transaction not permitted or supported" as the reply in the client from the Issuing CA NDES. On viewing the event viewer at the Issuing CA, we can see

Event ID 45, which says "NDES cannot match issuer and serial number in the device request with any Certification Authority (CA) Certificate".

--------------------------------

We have reviewed the implementation of the client multiple times. We are filling in the issuer and serial number information from the "Issuing CA certificate" in the device CRL download request. For testing purposes, we have also tried to fill in the same from the "CA Root certificate" as well as from the "enrolled certificate the device received, signed by the Issuing CA".

The same error happens with two tier hierarchy as well.

--------------------------------------------------------

However, CRL retrieval works fine with a single tier hierarchy via SCEP.

Here we are using the CA Root certificate to fill in the issuer and serial information in the device request.

Any ideas to solve this problem will be helpful.

Are there any additional settings required to make this work in a multi-tier hierarchy set up? Or should we use another certificate to fill in the issuer and serial number information in the device request?

Any help is appreciated. Thanks in advance.


Great Day, Sreekanth


Windows active processes


Hi guys,


Maybe this post is not appropriate, or maybe it will be deleted, but...
As we know, many internet blog posts describe Windows 10 and what perfect spyware this latest OS from Microsoft is. Maybe not everything is true, but I have one simple example, which is maybe funny, but doubtful:

Calculator.exe

This file is located in the folder: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_ ...

Calculator.exe is constantly active every 20 minutes, inside the process svchost!

Inside the folder C:\Program Files\WindowsApps\ ... there are many subfolders like this:


In Process Explorer these events are listed:

Can somebody explain more about this example? 


Ninja 4 IT

The domain controller attempted to validate the credentials for an account.


Hi,

We are getting the below-mentioned event on a few DCs, and it points to the user Administrator.

Event: The domain controller attempted to validate the credentials for an account.

Event ID: 4776

I want to know why it is showing the "Administrator" account in the event, and whether this administrator account belongs to the DC or to a particular server??

Cannot view Generated Certificates

I created a custom certificate template and I generated certs based on that template. The issue is that when I go into the CA Console I don't see any certs generated for that particular template. How do I obtain the ability to see those certs in the console?

Event ID 4625 Logon Type 3: How to discover from where the login is being attempted??


We're running SBS 2011 with Exchange, RWW, OWA, etc.

We have the following event occurring frequently as per our security event log. This one, for example, is being logged every minute or so as I write this and has been since around 2:00AM CST this morning.

Often the workstation name will change or be blank. From the logon type I'm guessing it's coming from IIS or Exchange? The workstation is not part of our domain nor has it ever been. DHCP has not leased an IP to this workstation.

I'd like to know if there's a process whereby we can track down from where (e.g., IP address) this login is being attempted so we can block this and other attempts of this nature:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/4/2016 9:44:00 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      OURSERVER.ourdomain.local
Description:
An account failed to log on.

Subject:
 Security ID:  NULL SID
 Account Name:  -
 Account Domain:  -
 Logon ID:  0x0

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  Administrator
 Account Domain:  WIN-A4DAD7SQDVD

Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xc000006d
 Sub Status:  0xc000006a

Process Information:
 Caller Process ID: 0x0
 Caller Process Name: -

Network Information:
 Workstation Name: WIN-A4DAD7SQDVD
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  NtLmSsp
 Authentication Package: NTLM
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-01-04T15:44:00.140913300Z" />
    <EventRecordID>161180417</EventRecordID>
    <Correlation />
    <Execution ProcessID="504" ThreadID="18164" />
    <Channel>Security</Channel>
    <Computer>SWPSERVER.swpconstruction.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">WIN-A4DAD7SQDVD</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WIN-A4DAD7SQDVD</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>


Sy Computing
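A way to pull the same fields out of the Security log and tabulate where the Logon Type 3 failures are coming from, added here as an example that is not part of the original post. It assumes it runs elevated on the server that logs the events; the account name and the look-back window are placeholders.

```powershell
# Added example: summarise Event ID 4625 / Logon Type 3 failures for one account,
# grouped by the workstation name and source address the event itself recorded.
$since   = (Get-Date).AddHours(-24)   # placeholder look-back window
$account = 'Administrator'            # placeholder target account

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named <Data> fields from the event's own XML (the <EventData> block shown above).
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -ne '3' -or $d['TargetUserName'] -ne $account) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Workstation = $d['WorkstationName']
        IpAddress   = $d['IpAddress']
        AuthPackage = $d['AuthenticationPackageName']
        SubStatus   = $d['SubStatus']     # 0xc000006a = bad password, 0xc0000064 = no such user
    }
}

# One line per distinct (workstation, address) pair, most frequent first, with first/last seen.
$rows | Group-Object Workstation, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

When IpAddress is "-" as in the event above, the NTLM request was handed to the local security authority by a service on the same box (IIS for OWA/RWW is the usual path on SBS) rather than arriving over SMB/RPC, so the Security log never sees the client address; correlate the timestamps against the IIS W3SVC logs on that server to find it, and the reported workstation name is simply whatever the client chose to send.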

Problem with Revocation check of domain controller certificate with Win2k8 R2


I seem to have come across an issue that there isn't a lot of information on. Maybe you all can help me out.

I work for the US Army.  They have a vast AD forest.  So AD controllers are not local.  I'm building windows 2008 R2 TS servers to host my Citrix XenApp6 farm, and when trying to RDP into the servers with a CAC card I get the following error:

"The system could not log you on.  The revocation status of the domain controller certificate used for smart card authentication could not be determined."

It only happens on my 2008 R2 servers. I have installed all the normal DoD software that is used to help facilitate CAC login (ActivClient middleware, Tumbleweed CRL checking). I have talked with both vendors. No one has a lot of experience with R2 and CAC login. I removed Tumbleweed, since it deals with revocation, and that did not help.

I figure that out of the box the server should be able to take my CAC login. So I built a fresh server with no GPO and just the middleware and Tumbleweed, and I get the same error. I do not have this problem with any other OS. I've tried different RDP clients (Win7, Vista) and they both display the error.

I have seen issues on this forum with RDP and CRL checking for SSL/TLS communication with Win7 and 2008 R2. Nothing that seems to deal with smartcards, but it's the same concept.

Anyone have any experience with R2 and TS/RDP with smartcard login or more specifically DoD CAC cards?

Creating the right certificate


Hello,

I need to create a certificate in order to enable server-to-server authentication between my SharePoint 2016 server and my Office Online Server per this article (Link and Link). I initially tried creating a self-signed cert on the Office Online server through IIS but it didn't work and said that the cert wasn't trusted. I verified that it was in the Trusted Cert location in the Certificates mmc on the SharePoint server.

Now I have installed the ADCS role on the DC to create a cert that way but I find I am not sure how to create the correct cert for what I need. Any ideas?

-Peter


Security log events 5152 for Active Directory ports


I have a client with a DC running Windows Server 2008 R2 Enterprise in one of their remote offices.  The Security log is full of event 5152.  Most of them look like the two below.  The first one is on port 389, I've seen this and other AD port ranges.  The Windows Firewall is running and all of the Active Directory rules are enabled and traffic is allowed.  Any idea why these packets would still be dropped?

---------------------------------------------------------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/24/2015 10:07:37 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      xxx-DC3.xxxx.local
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name:-

Network Information:
Direction: Inbound
Source Address:<another IP on the same subnet as the server>
Source Port: 59338
Destination Address:<server IP>
Destination Port:389
Protocol: 6

Filter Information:
Filter Run-Time ID:75796
Layer Name: Transport
Layer Run-Time ID:13


-----------------------------------------------------------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/24/2015 10:07:12 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      xxx-DC3.xxxx.local
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name:-

Network Information:
Direction: Inbound
Source Address:<an ip on the same subnet as the server>
Source Port: 161
Destination Address:<ip of the server>
Destination Port:52705
Protocol: 17

Filter Information:
Filter Run-Time ID:75768
Layer Name: ICMP Error
Layer Run-Time ID:28

One PKI platform for two AD forests


Hello There,

We have 2 AD domains (Forests) connected by bi-directional AD trust. These two domains have their own PKI platforms.

We are planning to build a single PKI platform which can service both domains.

Is it possible to service two domains with a single PKI platform? If so, could you please provide some design inputs?

Thanks

Mahesh


Mahi

Certificate authority upgrading from 2003 SHA1 to 2012 R2 SHA256


I have tried to install the 2012 R2 CA with the SHA256 algorithm in our environment. After the installation, the issued templates with SHA256 algorithms are not reflected in the web enrollment list.

The 2012 R2 CA is a subordinate CA of the existing 2003 CA.

Please suggest.


Regards, Dennis


Server rebooted by explorer.exe


Hi,

One of our file servers crashed last week. When I checked the event logs prior to the reboot, it shows "The process Explorer.exe has initiated the restart of computer TEST on behalf of user "Administartor" for the following reason: Application: Maintenance (Planned)

Reason code: 0x84040001

Shutdown type: restart

Event ID: 1074

I want to know: did someone restart the server manually, or was it rebooted by the system itself?

How to recover or reset a forgotten administrator password on Windows Server 2008 R2 Standard

Hey guys,

We have installed Windows Server 2008 R2 Standard, which is new to us. Recently we changed the password, but the next day the changed password was not being accepted and showed the error "The user name or password is incorrect". Could anyone help/guide us on how to recover the administrator password?

Thanks in advance,

Sanju-rkl


Some settings are managed by your system administrator

In Internet Explorer 7, the Security tab of the Internet Options dialog box displays the following message to indicate that settings are managed by the system administrator:
Some settings are managed by your system administrator
I am the system administrator but don't know how to remove this message "Some settings are managed by your system administrator". Can someone teach me?

USB drives inserted triggers Bitlocker Recovery Mode

We have an issue where many computers trigger BitLocker Recovery Mode when they have a USB drive inserted into the machine when booting. The boot order is fine.

Are there some Group Policy settings for BitLocker that can make an exception for USB drives? I tried looking but couldn't find any.


The request subject name is invalid or too long

Hi All,

I am getting a certificate error as below. I am unable to find any useful threads; please help me out.

The request subject name is invalid or too long,

Certificate not issued. Error: attribute cn\dn not found (-2146877439) the request id is 145....

Regards,

Rahul.

Security Considerations: Adding alternative UserPrincipalName (UPN-) Suffixes to a Domain


Hello Community,

I just got to know about the feature to add more UPN suffixes to a domain.

So my domain could be DomainA.local and I can also add the suffix Contoso.com, so users can act as user1@contoso.com although their account is User1@DomainA.local.

This is very useful for me, as we are using SQL Server Analysis Services, where you can use "EffectiveUserName" for role security and can grant role memberships to the Contoso.com user and so on.

My question is: Do I get any security issues, problems or other disadvantages when I add the Contoso.com UPN suffix to my DomainA.local domain?

Kind regards
Stefan

"No certificate templates could be found. You do not have permissions to request a certificate from this CA..


or an error occurred while accessing Active Directory."

When I set up the subordinate CA where I am seeing this error message (when attempting to make a request via the web interface for a Linux client; Group Policy is not possible here), I opted not to "Load Default Templates".

Just FYI, PKI View shows "OK" for everything.

Permissions on the template are Read and Enroll for Authenticated Users.

Issuance Requirements are "CA certificate manager approval" (checked) - nothing else checked. "Same criteria for enrollment".

*

Have I googled?

That's just the problem. I've seen plenty of hits where people say "I've solved it this way and I've solved it that way".

What is the (MS) recommended method to solve this problem?

I'm concerned some solutions might be the equivalent of disabling CRL checks to resolve CRL problems - something where the solution is worse than the problem.


Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


Auditing


Hello,

I would like to audit only 3 folders on a Windows 2012 Server. I enabled Audit Object Access, but then everything is logged. I was under the impression that you had to enable that, then specifically choose files/folders? Am I missing something? I don't want the event log filling up in 30 seconds.

Thanks in advance.
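Scoping file auditing to a few folders, added here as an example that is not from the original post. The legacy "Audit object access" category switches on every subcategory under it (Registry, SAM, Filtering Platform Packet Drop, and so on), which is what floods the log, while file events themselves only appear for objects that carry a SACL. The same subcategory control also silences the Event ID 5152 flood described in the earlier post. Folder paths and the audited principal are placeholders; it must run elevated.

```powershell
# Added example: enable only the "File System" subcategory, then put a SACL on three folders.
# Note: if a GPO still sets the legacy category, these subcategory settings are ignored unless
# "Audit: Force audit policy subcategory settings ... to override audit policy category settings"
# is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
# The 5152 "Filtering Platform Packet Drop" events come from this subcategory; turn it off
# unless packet-drop auditing is actually wanted.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

$folders   = 'D:\Shares\Finance', 'D:\Shares\HR', 'D:\Shares\Legal'   # placeholders
$principal = 'Everyone'                                                # placeholder
# Audit changes only (write/delete/permission changes), not every read, to keep the volume down.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

foreach ($f in $folders) {
    $acl  = Get-Acl -Path $f -Audit     # -Audit is required to read and write the SACL
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $principal, $rights, $inherit, $propagate, $flags)
    $acl.SetAuditRule($rule)            # replaces any existing audit rule for this principal
    Set-Acl -Path $f -AclObject $acl
    "SACL set on $f"
}

# Verify: the audit rules now on each folder, and the effective subcategory setting.
foreach ($f in $folders) {
    (Get-Acl -Path $f -Audit).Audit |
        Format-Table @{ n = 'Folder'; e = { $f } }, IdentityReference, FileSystemRights, AuditFlags -AutoSize
}
auditpol /get /subcategory:"File System"
```

Resulting access is logged as Event ID 4663 (and 4656 for the handle request) only for paths under these three folders.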

Simple question about corporate code-signing certificate.


I am new to the PKI (AD CS) environment and want to start signing some of the simple scripts I run. I have the ability to request a code-signing certificate from a very specific template on our internal CA. Do I just request that certificate and then make sure it is loaded in my profile on the different computers that I RDP into? I do not mind copying the cert where needed, and my main concern is just making sure I do not cause any issues with our developers who also have certificates from that same template. I do not know if all the developers would normally share the same code-signing cert or have their own code-signing cert, etc.

Thanks,

Dave
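The request-then-sign workflow from the poster's own profile, added here as an example that is not part of the original post. Each enrollment produces a separate certificate whose private key lives in the requesting user's profile, so developers using the same template are not sharing a certificate and your own enrollment does not touch theirs. The template name, script path and timestamp URL are placeholders.

```powershell
# Added example: enroll for a code-signing certificate from the internal CA and sign a script.
$template = 'CodeSigningTemplatePlaceholder'    # template name as shown in the CA console
$script   = 'C:\Scripts\Cleanup-Temp.ps1'      # placeholder script to sign
$tsa      = 'http://timestamp.example.invalid' # placeholder RFC 3161 timestamp server

# Enroll through the AD CS enrollment policy into the current user's Personal store.
$req  = Get-Certificate -Template $template -CertStoreLocation Cert:\CurrentUser\My
if ($req.Status -ne 'Issued') {
    # A template that requires CA manager approval returns 'Pending' here; retrieve it later
    # with Get-Certificate -Request after the CA manager has issued it.
    throw "Enrollment status: $($req.Status)"
}
$cert = $req.Certificate

# Sign with SHA-256 and a timestamp, so the signature stays valid after the cert expires.
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert `
                                 -HashAlgorithm SHA256 -TimestampServer $tsa
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# Verify the result the way the execution policy will: chain trust plus signer identity.
Get-AuthenticodeSignature -FilePath $script |
    Format-List Status, StatusMessage,
        @{ n = 'Signer';     e = { $_.SignerCertificate.Subject } },
        @{ n = 'Thumbprint'; e = { $_.SignerCertificate.Thumbprint } }
```

Running the signed script elsewhere needs only the issuing CA chain in that machine's trust store (and, under AllSigned, your certificate in Trusted Publishers to avoid the prompt); copying your certificate with its private key to another machine is needed only where you also intend to sign there.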

