CSP not found after integration of LunaSA HSM with 2012 CA.
Fatal schannel issue “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 51”
Recently I was working on a VPS Windows 2012 R2 server and ran into a fatal schannel issue: "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 51".
Tracked this back to KB2992611 (https://support.microsoft.com/en-us/kb/2992611), which was installed on the system. I followed (probably some bad advice, although it did resolve the fatal issue) and uninstalled KB2992611. I then tried to reinstall the revised KB2992611 and KB3018238, and both state the update is not applicable to your computer. I am running the Windows 8.1 version of the installs. KB3011780 for Kerberos is installed successfully.
All available patches and updates from windows update are installed. MS Baseline Security Analyzer 2.3 reports all available patches are installed.
The question: since the revised updates will not install (KB2992611 and KB3018238), is the system at risk for the original security issue? If so, how can the situation be corrected?
Thanks
wildcard certificate throwing name mismatch error
I live in internaldomain.com. There is a subdomain called subdomain.internaldomain.com. There are hosts in the subdomain, which are most often accessed by a short name like "https://host1.subdomain".
I created a wildcard certificate on my windows 2012 R2 CA (the Web Server template) with a common name of *.subdomain. I also gave it SAN DNS names of:
*.subdomain
*.subdomain.internaldomain.com
subdomain
subdomain.internaldomain.com
(because we actually have a website that's https://subdomain).
I have tried this with and without the common name added to the list of SAN names. Same behavior.
If I bind this certificate to IIS sites, https://subdomain works, but https://anythingelse.subdomain warns of a name mismatch error.
Chrome's warning actually has the sentence:
"This server could not prove that it is host1.subdomain, its security certificate is from *.subdomain."
Just reading that is a little mind-numbing, considering the reason that wildcard certificates even exist.
I read this:
https://blogs.msdn.microsoft.com/kaushal/2013/06/12/working-with-wild-card-certificates/
Its only warning is that a wildcard can only represent a 'single domain', but I don't think that applies to my scenario, because I am not trying to use a *.internaldomain.com certificate for whatever.subdomain.internaldomain.com; I'm just using * to represent any host in subdomain.internaldomain.com.
What am I missing?
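Added here as an illustration, not code from the original post: a hostname matcher that applies the RFC 6125 wildcard rules plus the extra restriction mainstream browsers enforce, that at least two labels must follow the wildcard, so a name like `*.subdomain` is never honoured even though `*.subdomain.internaldomain.com` is. The SAN list is constructed from the names listed in the post; browsers match the host as typed in the URL, with no DNS suffix search.

```python
def _labels(name: str) -> list[str]:
    """Lower-case and split a DNS name into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(reference: str, presented: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers the reference hostname.

    Applies the RFC 6125 rules (wildcard only as the whole leftmost label,
    matching exactly one label) plus the stricter rule browsers apply: at least
    two labels must follow the wildcard, so "*.subdomain" is never honoured.
    """
    ref, pres = _labels(reference), _labels(presented)
    if "*" not in presented:
        return ref == pres  # plain name: exact, case-insensitive match
    if pres[0] != "*" or any("*" in label for label in pres[1:]):
        return False  # "*" must be the entire leftmost label, nowhere else
    if len(pres) < 3:
        return False  # browser restriction: "*.subdomain" has one label after "*"
    # The wildcard matches exactly one label: "a.b.subdomain.internaldomain.com"
    # is NOT covered by "*.subdomain.internaldomain.com".
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def covering_names(reference: str, san_names: list[str]) -> list[str]:
    """Return every presented name that would satisfy the reference hostname."""
    return [n for n in san_names if name_matches(reference, n)]


# Constructed SAN list mirroring the certificate described in the post.
SAN_NAMES = [
    "*.subdomain",
    "*.subdomain.internaldomain.com",
    "subdomain",
    "subdomain.internaldomain.com",
]

if __name__ == "__main__":
    for host in ("subdomain", "host1.subdomain", "host1.subdomain.internaldomain.com"):
        print(host, "->", covering_names(host, SAN_NAMES) or "NAME MISMATCH")
```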
Trusted root certificate with private key on workstation
I just noticed that all our workstations in the domain have recently acquired a trusted root certificate issued to domainname.com, issued by domainname.com, for which the workstation has the private key. All certificates are unique, i.e. it's not the same on every computer; each certificate has a different thumbprint.
The certificate key usage is Server Authentication.
Does anyone know if there's a Microsoft cloud service client that creates these trusted root certificates, or if there is some other reasonable reason they exist?
certutil -delkey -csp failed with 0x8010001f
Hi experts,
I am trying to delete the key container from my Virtual Smart Card, since the PIN is no longer working once the website prompts me to input the PIN.
Here is the error:
PS C:\WINDOWS\system32> certutil -delkey -pin "123456" -csp "Microsoft Smart Card Key Storage Provider" lp-3156a2bc-065c-415e-ac2d-554305509cf9
CertUtil: -delkey command FAILED: 0x8010001f (-2146435041 SCARD_E_UNEXPECTED)
CertUtil: An unexpected card error has occurred.
Is there any method that I can totally reset/remove the Key Container?
Thanks!
Software restriction policy - For Ransomware Protection
Hello,
Can anyone please help with creating a good Software Restriction Policy configuration for restricting ransomware or other malware programs (executables) from running in the AppData and user profile directories.
Also, I want to know how efficient this setup will be as a second layer of defense in addition to an anti-spam mail gateway.
Any additional suggestions on the ransomware prevention mechanism are always welcome.
Thanks,
San.
Weak EC Diffie-Hellman Hash Algorithm when using TLS 1.2
During TLS 1.2 handshakes, my server (2012 R2/IIS 8.5) seems to be choosing SHA1 as the signature algorithm for the ECDHE parameters despite the fact that the client(s) and server both support better SHA2 algorithms.
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 361
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp384r1 (0x0018)
Pubkey Length: 97
Pubkey:
Signature Hash Algorithm:0x0201
Signature Hash Algorithm Hash:SHA1 (2)
Signature Hash Algorithm Signature:RSA (1)
Signature Length: 256
Signature:
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 175
Version: TLS 1.2 (0x0303)
...
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 20
Signature Hash Algorithms Length: 18
Signature Hash Algorithms (9 algorithms)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature:RSA (1)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash:SHA256 (4)
Signature Hash Algorithm Signature:RSA (1)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash:SHA384 (5)
Signature Hash Algorithm Signature:RSA (1)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
I've tried all sorts of different clients, but SHA1 is always chosen during the handshake. This is what I see in the handshake when the clients connect to other servers and when my own server acts as a client (to other IIS 8.5 servers even)...
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: ...
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature:RSA (1)
Signature Length: 256
Signature: ...
Any idea what could be causing my server to select this weaker SHA1 hash algorithm to be used for ECDHE instead of SHA2 hashes? I've double checked that it's not falling back to TLS 1.0. As far as I can tell, it's staying at TLS 1.2 throughout the handshake.
Thanks!
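As an added illustration (not code from the post): a small decoder for the two structures quoted above, the ClientHello signature_algorithms list and the ECDHE ServerKeyExchange, that reports whether the hash the server signed with is the strongest one the client offered for that signature type. The input bytes are constructed from the values in the capture (four of the nine client entries; key and signature bytes are dummies), so the same functions can be pointed at real handshake bytes to spot the SHA1 case described.

```python
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "SHA224", 4: "SHA256", 5: "SHA384", 6: "SHA512"}
SIG_NAMES = {1: "RSA", 2: "DSA", 3: "ECDSA"}
HASH_BITS = {1: 128, 2: 160, 3: 224, 4: 256, 5: 384, 6: 512}  # digest size, used to rank


def parse_signature_algorithms(ext_body: bytes) -> list[tuple[int, int]]:
    """Parse a signature_algorithms extension body (RFC 5246 7.4.1.4.1):
    2-byte list length, then (hash, signature) byte pairs in client preference order."""
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or 2 + length != len(ext_body):
        raise ValueError("malformed signature_algorithms list")
    pairs = ext_body[2:2 + length]
    return [(pairs[i], pairs[i + 1]) for i in range(0, length, 2)]


def parse_ecdhe_server_key_exchange(body: bytes) -> dict:
    """Walk an ECDHE ServerKeyExchange body: curve_type, named_curve, pubkey,
    then the SignatureAndHashAlgorithm the server actually used (RFC 4492 5.4)."""
    if body[0] != 3:  # only the named_curve encoding is handled here
        raise ValueError("unsupported curve_type %d" % body[0])
    (named_curve,) = struct.unpack("!H", body[1:3])
    off = 4 + body[3]  # skip the 1-byte pubkey length and the pubkey itself
    hash_id, sig_id = body[off], body[off + 1]
    (sig_len,) = struct.unpack("!H", body[off + 2:off + 4])
    if off + 4 + sig_len != len(body):
        raise ValueError("signature length does not match message length")
    return {"named_curve": named_curve, "hash": hash_id, "sig": sig_id, "sig_len": sig_len}


def assess_choice(client_algs: list[tuple[int, int]], hash_id: int, sig_id: int) -> str:
    """Say whether the server picked the strongest hash the client offered for that signature type."""
    if (hash_id, sig_id) not in client_algs:
        return "error: server chose %s/%s, which the client did not offer" % (HASH_NAMES[hash_id], SIG_NAMES[sig_id])
    best = max((h for h, s in client_algs if s == sig_id), key=HASH_BITS.__getitem__)
    if HASH_BITS[hash_id] < HASH_BITS[best]:
        return "weak: server signed with %s although the client offered %s" % (HASH_NAMES[hash_id], HASH_NAMES[best])
    return "ok: %s is the strongest hash the client offered for %s" % (HASH_NAMES[hash_id], SIG_NAMES[sig_id])


# Constructed inputs reflecting the post: the four client entries shown, and a
# 361-byte SKE over secp384r1 signed RSA/SHA1 (pubkey and signature are dummy bytes).
CLIENT_SIGALGS = bytes.fromhex("0008" "0601" "0401" "0501" "0201")
SKE = (bytes([3, 0x00, 0x18, 97]) + b"\x04" + b"\x00" * 96   # named_curve secp384r1, 97-byte point
       + bytes([2, 1]) + b"\x01\x00" + b"\x00" * 256)        # SHA1/RSA, 256-byte signature


def check(client_ext: bytes = CLIENT_SIGALGS, ske: bytes = SKE) -> str:
    info = parse_ecdhe_server_key_exchange(ske)
    return assess_choice(parse_signature_algorithms(client_ext), info["hash"], info["sig"])
```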
User Group Loopback per OU
User Loopback Effect
How to grant specific access level
Hi all,
As we are currently in the process of an access rights review, I need a little help with server authorizations (W2008 R2).
We are centrally managing critical production servers around the world. Each site has its own local IT support that should have certain access level.
The main tasks would be:
- install and share network printers
- be able to reboot the server
- in some cases to change network configuration (like local DNS server change)
- etc
As some of these things normally only Administrators can do, the question is: what would be the best way to grant as few authorizations as possible? Via GPO? A new local group, and then define the rights in the security policy?
Thanks
Leos
--------------------- Leos
Run scheduled tasks on Server for a regular domain user service account
Extract a report on Windows Hardening
Hi Team,
I have performed Windows hardening on a Windows 2012 R2 server. However, our clients require us to generate a report to show the hardening completed.
Is there a way to generate this hardening report?
Regards,
Wei Kiang
Can group accounts be created when using an HSPD12 compliant authentication method?
As a Windows system administrator I haven't had any luck finding any documentation that answers my question listed in the title.
Scenario: 8 users use HSPD12 compliant authentication via PKI certificates and all of them share 1 workstation. The workstation is tied to a position title. Is it possible to create a "group" account for the position title and have the users tied to that title while maintaining HSPD12 compliance?
Password policy - Min password age
The domain controller password policy allows the definition of a minimum password age (minimum time before the password can be changed). The parameter is an integer and represents the number of days. A question has been raised by my Security Officer as to what the interpretation of "days" by the policy is. Does one day represent a difference of 24 hours from the last time the password was changed, or does it represent a difference of one in the day number between the dates? If it is just a day number difference and not 24 hours, then when the value is set to 1 a user could change the password at 23:55 on day X and 6 minutes later will be able to change it again. Could somebody in the forum shed some light on this issue?
Thanks
"network" allows unrestricted access to a "secure" server
RPC Authentication Constant
I am working on an API to use the RPC_C_AUTHN_LEVEL_PKT_PRIVACY Windows constant to secure TCP/IP data/connections. The description for this is as follows:
"Includes all previous levels, and ensures clear text data can only be seen by the sender and the receiver. In the local case, this involves using secure channels. In the remote case, this involves encrypting the argument value of each remote procedure call."
This brings up many questions such as:
1) What is considered to be local and remote connections? Is this based off of domain?
2) How does it "secure" a channel? Does it encrypt this data as well? Does it secure the data or the pipe?
3) If encryption is used, for local or remote, what type of encryption is being used?
This RPC connection needs to be very secure and I would like to know the details on how secure this will be.
1 out of 5 DCs unable to check revocation status Error 403 FORBIDDEN
Clip from certutil -verify -urlfetch cert.cer on DC unable to verify revocation:
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS_FORBIDDEN)
http://entca2/certenroll/ENTCA2.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS_FORBIDDEN)
http://entca2/certenroll/ENTCA2.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS_FORBIDDEN)
http://entca2/certenroll/ENTCA2+.crl
---------------- Certificate OCSP ----------------
Failed "OCSP" Time: 0
Error retrieving URL: Forbidden (403). 0x80190193 (-2145844845 HTTP_E_STATUS_FORBIDDEN)
http://entca2/ocsp
Same clip from the other DCs:
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://entca2/certenroll/ENTCA2.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (05)" Time: 0
[0.0] http://entca2/certenroll/ENTCA2.crl
Verified "Delta CRL (05)" Time: 0
[0.0.0] http://entca2/certenroll/ENTCA2+.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://entca2/ocsp
Pros and Cons of Cross Certification versus using Commercial Certificate ?
Hi All,
I am considering the following options for two-way TLS with mutual authentication using digital certs for my applications:
1. Getting Cross certification
2. Using Commercial Certificate
3. Issuing Cert to the other party APP and getting my Root CA certificate installed there.
Can anyone please give me detailed pros and cons of the options I am considering?
Smart Token Issue (error occurred while retrieving a digital certificate from the inserted smart card)
Greetings:
I am testing a Windows 2012 PKI infrastructure. The infrastructure appears to be working fine. After creating enrollment agent and smart card logon templates, I was able to successfully apply a user certificate to a smart card. When trying to remote desktop to a Windows 2012 server with the smart card, however, I get the following error message:
This smart card could not be used. Additional details may be available in the system event log. Please report this error to your administrator.
After searching the event logs, I found the following message (Event ID 5):
An error occurred while retrieving a digital certificate from the inserted smart card. The system cannot find the file specified.
I ran certutil -scinfo and the smart card appears to be fine. All devices/servers have the full certificate chain. Any idea on what I may be doing wrong?
Thank you,
Jake
User version 1 template missing from web enrollment after CA migration
I have migrated my development CA ( it's root but issued certs) from Server 2008 to server 2012 R2. The db, registry and ca cert all migrated as expected and I can see the full set of templates in manager or if requesting a cert via MMC snapin on a client. However web enroll shows no User or any other V1 template. Publishing and permissions look ok (mmc snapin works), and if I duplicate a V1 the duplicate IS available in web enroll. Anyone come across this ? AFAIK V1 templates should work in 2012.