Channel: Security forum

Intermediate CA certificate install fails


I have an offline Linux CA running OpenSSL. I am installing certificate services in Server 2012 R2 as an Intermediate CA. I install certificate services, go to the root CA, sign the CSR and transfer the cert back over to the CA. I import the cert into the local machine personal certificate container and export it with the root (published in AD) as a p7b file. When I try to install the CA certificate in the MMC I get an error that "The certificate is not a CA certificate".

I have been chasing this around for a couple days and could really use some help.


Firewall blocking incoming connections


Hi,

I have a VPN solution installed on my Windows 2012 R2 server that creates a dedicated IP for the server, accessible through the public internet. I can use RDP to remote into my server from my home laptop when the VPN services are running and I have allowed all incoming connections for the public profile on my Windows firewall.

The problem is that any application that I host on my server (which I usually access by http://server:port/app) is not accessible using my dedicated IP (i.e. http://<dedicated IP>:port/app doesn't work). I have enabled all incoming connections, disabled all the firewalls and even rebooted my server a couple of times. But it is not working out. It was fine even 2 weeks back, and nothing has been installed since then.

Can you please help or advise on how to track detailed logs that can show why my incoming connections are getting blocked?

Regards,
Sowmik

PS: I did enable logging for dropped connections on my firewall; that doesn't give any details regarding my rejected incoming connections.

Active Directory Security Group


In Active Directory, is there a way to create a security group that utilizes a special identity? I can explain why I'm trying to do this, but typing it out is getting a little wordy.

What I'd like to put together is a group that is Authenticated Users except CREATOR OWNER. I want this group in order to deny Authenticated Users permissions unless they are the CREATOR OWNER of a folder or file.

Any way to restrict AD users from using symbols in a folder name


Hi,

This may be a funny or a tough question, I am not sure which one, but right now I am looking for a way to see if I, as AD admin, can disable users' ability to put symbols of any form like #$%^&^ in a folder name when they create a folder on their side. Help will be very much appreciated.

Local User in Administrators group


I have a Windows Server 2008 R2 server, running as an application server, non-DC, non-AD.

I need to add a local account into the Administrators group. However, the local user is out of the group again after a while.

I have checked GPO and the only policy that will be applied is the default domain policy.

The only way that I know of that can manipulate this is the GPO: Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups. But I did not set anything there.

Can someone help me on this?

How to move a HD protected by bitlocker to a new computer, permanently?


I had a Dell Notebook with bitlocker, HD protected, ok, everything was fine.

Recently, the notebook got damaged, the notebook was changed to a new one and the HD was moved from the old notebook to the new one.

But when I reboot, the system asks for my 48-digit recovery password. I type the big number, the system boots, fine. But on EVERY boot it asks for the BitLocker key.

How can I tell the system: "now, this old HD will be attached to this new computer, permanently", so that I can avoid typing the key again?


EFS certificate - along with self signed certificate


Hi,

In our office pre-prod environment we are implementing EFS certificates through PKI auto-enrollment. The certificates are getting generated automatically without any issue, but along with that I'm getting another self-signed EFS certificate. Could someone please help me stop the generation of that self-signed certificate, or else provide the reason why it is being generated.

Thanks much for your help

hariharan 

Disallowed CTL not updated

I have Server 2008 R2 servers in a disconnected network that are getting hit with "CTL not updated" vulnerabilities. Now that Server 2003 is not supported, the KBs connected to the security notices don't actually have these fixes in them. From where can I download the latest CTLs to install on my servers?

Also, we have no servers that have internet access. I am looking for a place I can download from, put on disk, then copy to our servers.

Missing Event ID 4625 for Domain Administrator Account


I have enabled auditing of login attempts in my Default Domain Controller Policy. Under Advanced Audit Config I have selected Success and Failure for the Audit Logon policy.

Now, when I attempt to log in to the domain controller as, e.g., DOMAIN\Fake with a bad password, a 4625 event shows up in the Security log. However, if I use a bad password for DOMAIN\Administrator, no event 4625 appears.

So, for some reason it appears DOMAIN\Administrator is being exempted from this policy, even though that's really the one I want to make sure no one is trying to brute force... Can't seem to find anyone else with this issue, so hopefully someone can tell me what I'm doing wrong. Thanks.
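A defender-side check for this kind of question, added here as an example and not part of the post: it queries a domain controller's Security log for failed logons of one account. Besides 4625 it also includes 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation), because on a domain controller a bad password for a domain account is frequently recorded under one of those IDs rather than as a 4625. The DC name is a placeholder.

```powershell
# Added example, not from the post. Pulls failed-logon events for one account
# from a domain controller's Security log. The DC name below is a placeholder.
param(
    [string]$ComputerName = 'DC01-PLACEHOLDER',
    [string]$TargetUser   = 'Administrator',
    [int]$Hours           = 24
)

# Event IDs worth checking together on a DC:
#   4625 - An account failed to log on (SubStatus 0xC000006A = bad password)
#   4771 - Kerberos pre-authentication failed (Status 0x18 = bad password)
#   4776 - NTLM credential validation; Status 0x0 is success, anything else a failure
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData name/value pairs out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ne $TargetUser) { continue }
    if ($e.Id -eq 4776 -and $data['Status'] -eq '0x0') { continue }   # successful NTLM validation

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        User   = $data['TargetUserName']
        Source = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
        Status = if ($data['SubStatus']) { $data['SubStatus'] } else { $data['Status'] }
    }
}
```

Run it as an account that can read the DC's Security log; pointing it at each DC in turn matters, since a failed attempt is logged only on the DC that processed it.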

Share/NTFS Permissions


Question:

I have a share on a Windows 12 Server that I need to set permissions on to do the following.

Allow access to the share called test for authenticated users.

Authenticated users cannot modify/delete files or folders in the root of the share.

Authenticated users can modify/delete files or folders inside of root folders.

What would be the correct way to set the share and NTFS permissions for the test folder for authenticated users?
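One way to lay out the permissions described above, added here as an example and not an answer from the thread. It assumes the share root is C:\Shares\test and that the folders directly under the root (here a sample folder named 'Projects') are created by administrators; it uses Get-Acl/Set-Acl for NTFS and New-SmbShare for the share.

```powershell
# Added example, not from the post. Share and NTFS permissions for a share
# named "test". Assumptions: the share root is C:\Shares\test, and the folders
# directly under the root (e.g. 'Projects') are created by administrators.
$root      = 'C:\Shares\test'
$authUsers = 'NT AUTHORITY\Authenticated Users'

function New-Rule {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

function Set-ShareRootAcl([string]$Path) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop inherited entries, then clear any
    # explicit entries so the root ends up with exactly the ACEs added below.
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Rule $admin 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    }
    # Authenticated Users on the root: list and read only, "this folder only".
    # No Write or Delete here, so nothing in the root can be modified or deleted.
    $acl.AddAccessRule((New-Rule $authUsers 'ReadAndExecute' 'None' 'None'))
    Set-Acl -Path $Path -AclObject $acl
}

function Set-RootFolderAcl([string]$Path) {
    $acl = Get-Acl -Path $Path
    # "This folder only": read plus create files/subfolders, but no Delete, so
    # the root-level folder itself cannot be removed or renamed by users.
    $acl.AddAccessRule((New-Rule $authUsers 'ReadAndExecute, CreateFiles, CreateDirectories' 'None' 'None'))
    # "Subfolders and files only" (inherit-only): Modify, so everything created
    # inside the folder can be changed or deleted.
    $acl.AddAccessRule((New-Rule $authUsers 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    Set-Acl -Path $Path -AclObject $acl
}

New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-ShareRootAcl $root
New-Item -ItemType Directory -Path (Join-Path $root 'Projects') -Force | Out-Null
Set-RootFolderAcl (Join-Path $root 'Projects')

# Share permissions stay coarse (Change for Authenticated Users, Full for
# Administrators); the fine-grained restrictions come from NTFS above.
New-SmbShare -Name 'test' -Path $root -ChangeAccess $authUsers -FullAccess 'BUILTIN\Administrators' | Out-Null
```

Every new root-level folder needs Set-RootFolderAcl applied once; the root's own ACEs are deliberately non-inheriting so that a folder created there without that step gives users read access only, never accidental Modify.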

CRL Distribution Across Multiple Sites


We have a customer that is looking to deploy a CA internally and there are some challenges that I need help on. They have 3 physical sites. Two of those sites have load balancers. They are looking to deploy certs for certificate based authentication to RADIUS for their wireless infrastructure and I'm not sure how to design the CA to support that in terms of the CRL distribution points. I will only use http based CRLs, so if I deploy it in the main site, I could use the load balancers to at least provide some high-availability for the webpage, but clearly if either secondary site lost connectivity, it would cause a problem since the CRL website would be unavailable. My ideal scenario would be to put the CA in Azure, but that's not likely possible for this customer. Could I distribute the CRL to each site individually (with the same DNS name) and then use DNS round robin? In other words, I would specify three different file servers to send the CRL to and then have three DNS entries for the same name? Please let me know what my options are here.

Thanks for your input.


MCITP Exchange 2010 | MCITP Lync Server 2010 | MCTS Windows 2008

issue with UAC prompt


Hi all,

I am facing a problem with Windows Server.

Let me explain.

I installed an application with the administrator account on Windows Server, and when another user tries to open that application from a non-administrator account it asks for the admin password. How can I open that application without the administrator password? How can I remove that UAC prompt? Please help me.

Thanking you in advance


Domain Users GPO


Hello,

I was wondering if it's possible to set up a GPO so that when users log into their own workstations it locks the session after a certain period of inactivity. I have tried setting the terminal settings on the domain GPO, but that seems to only affect users who remote into our terminal server.

Domain Controller is running Server 2003

A question about AD CS and Kerberos 'Domain Controller' Template certificates


Can someone please help me with the following question.

In an Active Directory domain Kerberos is used for authentication and the KDC basically distributes symmetric session keys. Also the installation of AD CS (Active Directory Certificate Services, for asymmetric encryption) is an ‘optional’ component meaning AD/Kerberos will function fine without AD CS.

I have an AD domain 2003 R2 (LAB) with AD CS (2003 R2 also) installed on one server. This server has not been switched on for a while and I see the following KDC warning in the event log:

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.  Smartcard logon may not function correctly if this problem is not remedied.  Have the system administrator check on the state of the domain's public key infrastructure.  The chain status is in the error data.

Which leads me to the following MS article (albeit for 2008; I am pretty sure it is the same issue):

https://technet.microsoft.com/en-us/library/cc733985(v=ws.10).aspx

Looking at the Local Machine/Personal store on the Server I see a couple of certificates both issued by the 2003 R2 CA, one of which was from the template “Domain Controller”. Now I understand you do not have to configure the distribution of certificates to DCs based on this template as it is automatic when you install AD CS.

My question is: if the KDC is complaining about this cert and wants a new one from the CA, how does the KDC work when no CA exists (as the CA is optional)?

Also I am not sure where this certificate (for asymmetric encryption) fits in, as I understand the KDC encrypts the session keys using the hash of the user (UPN) password (for the TGT) and the hash of the user and service (UPN and SPN) for the service ticket. Unless the certificate is used at the initial Authentication Service (AS) stage, when I believe the client initially encrypts the current date and time and sends this to the AS as an authenticator (or is that the other way around), but again I thought this was encrypted using the UPN password hash.

Can someone please explain (or point me to an article explaining this) where this X.509 certificate fits into the overall Kerberos authentication scheme?

Thanks All

Ernie 

Is there a way to create PVK file (private key file) from PFX file?


Hi,

Is it possible to extract a PVK file (private key file) from a PFX file?

We have a PVK2PFX tool, but no PFX2PVK tool.

Please let me know if this is possible.

Regards,

Venkat


Is Windows aware of what it is doing? Can it be made aware?


Is Windows aware of what it is doing or what is happening right under its nose? Can it be made aware? I'm referring to the wholesale encryption of file shares caused by any number of ransomware / cryptolocker-like viruses. Does this happen at some level of the OS that could be made aware that normal operating procedures are not being followed? Is it normal for a local admin of a workstation to encrypt his whole drive and connected drives? If I want to install a legitimate app I have to hit "OK" and/or "Yes" 5 times. How is it that server shares are so easily encrypted, from a workstation, without the server OS stepping in and demanding the highest of credentials?

Is transmission using negotiateWithImplicitCredentials secure?


Hi,

We are using the wsconnectionInfo object where the authentication is set to "negotiateWithImplicitCredentials", the URL is set to "https://hostname/wsman" and psCredentials is set with a secureString object.

As far as I know, using WSMan the traffic is encrypted, but how does the initial handshake happen using negotiateWithImplicitCredentials? I mean, how is the password transmitted?

https://msdn.microsoft.com/en-us/library/system.management.automation.runspaces.authenticationmechanism%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Thanks.

Risk of removing NT authority\authenticated users (S-1-5-11) from group "USERS"



How to limit interactive logins to specific computers? It seems like everyone in the root domain and trusted domain can access the client; I would like to restrict access to specific AD groups.

We have two domains, A and B (trusted), where we use domain B to retrieve the users for domain A.

The reason I want to limit this is that everyone in Domain B has access to the client, which should not be the case. This is because of access control for applications: only a certain group should have access, etc.

The members under "Local Users and Groups -> Groups -> Users" (Windows 7, and the server is 2003):

    Domain Users
    NT authority\authenticated users (S-1-5-11)
    NT authority\interactive (xxx)

It looks like, if I delete "NT authority\authenticated users (S-1-5-11)", then it's not possible to put it back. Can this be right?

My question: if you delete "NT authority\authenticated users (S-1-5-11)" and put an AD group (those who will have access) in as a member, will this cause any other issues?
Is there any other solution for this issue?

Just ask if something is unclear. Thanks in advance.

warning before certificate expired on windows


Hi!

We are using smartcards.

I want to send an email/popup message to the user 30 days before the user certificate expires.

The cached certificates are stored for any user in: Current User\Personal\Certificates.

Does someone have a script for that, or an idea how I can do it?


Thanks,

Aviv Hassidim
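One way to implement the check asked about above, added here as an example and not a reply from the thread. It reads the user's Personal store (Cert:\CurrentUser\My, which is the "Current User\Personal\Certificates" store named in the post), and the SMTP server and mail addresses are placeholders.

```powershell
# Added example, not from the post. Lists certificates in the current user's
# Personal store that expire within $DaysAhead days and warns the user.
param(
    [int]$DaysAhead = 30,
    [switch]$Email,                                  # send mail instead of a popup
    [string]$SmtpServer = 'smtp.example.invalid',    # placeholder
    [string]$To = 'user@example.invalid'             # placeholder
)

$now      = Get-Date
$deadline = $now.AddDays($DaysAhead)

# Cert:\CurrentUser\My is the "Current User\Personal\Certificates" store.
# Keep only certificates that are still valid but expire before the deadline.
$expiring = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.NotAfter -gt $now -and $_.NotAfter -le $deadline } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } } |
    Sort-Object NotAfter

if (-not $expiring) { return }

$body = "The following certificate(s) expire within $DaysAhead days:`r`n" +
        ($expiring | Format-List | Out-String)

if ($Email) {
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From 'pki-alerts@example.invalid' `
        -Subject 'Certificate expiry warning' -Body $body
} else {
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show($body, 'Certificate expiry warning')
}
```

Because the Personal store is per user, the script has to run in the user's own session, for example as a logon script or a scheduled task triggered at logon, and the popup branch needs an interactive desktop.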

Disable static key cipher suites on Domain Controllers.


Hi,

Is it safe to disable SSL 2.0 & SSL 3.0 on Windows 2008 Domain Controller servers? Also, in our environment there are two servers with Windows 2003 installed.

I found the IIS Crypto tool, with which we can disable the ciphers, but I need to know whether disabling SSL 2.0 & SSL 3.0 is safe on DCs.



MCP, MCTS
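The registry settings that a tool like IIS Crypto writes for this, shown here as an added example rather than anything from the thread or from the IIS Crypto project. It sets the Schannel protocol keys that disable SSL 2.0 and SSL 3.0 for the server side and then reports the state of each protocol; function names are my own.

```powershell
# Added example, not from the post. Sets the Schannel registry values that
# disable SSL 2.0 and SSL 3.0 for the server side, then reports the state of
# each protocol. A reboot is needed before Schannel picks up the change.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enable)
    $key = Join-Path $base "$Protocol\Server"
    New-Item -Path $key -Force | Out-Null
    # Enabled = 0 turns the protocol off; DisabledByDefault = 1 also keeps it off
    # for callers that do not name a protocol list explicitly.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
}

function Get-SchannelServerProtocolState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $props = Get-ItemProperty -Path (Join-Path $base "$p\Server") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
            DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
        }
    }
}

Set-SchannelServerProtocol -Protocol 'SSL 2.0' -Enable $false
Set-SchannelServerProtocol -Protocol 'SSL 3.0' -Enable $false
Get-SchannelServerProtocolState | Format-Table -AutoSize
```

These keys apply to every Schannel consumer on the machine, which on a domain controller includes LDAPS as well as RDP and IIS, so the practical question is whether any client still depends on SSL 2.0/3.0 to reach the DC; checking that on one DC before rolling the change out is the cautious order.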
