Channel: Security forum

Excessive Event 4776 entries in EventViewer


Good afternoon.

This morning, we noted that one of our servers was listing a multitude (in excess of 2000) of entries for the following event, with approximately 24 entries per minute:

Log Name: Security

Event ID: 4776

Task Category: Credential Validation

Error Code: 0xC000006A

We have identified a mapped drive on the source workstation as the source of these repeated errors. Additionally, I've verified that the credentials used to establish this mapped drive are current and for an active Domain Administrator account. These errors have been occurring for approximately the last 24 hours. 

What could cause this issue and how can we resolve it?
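Added example, not from the post or the forum: a small Python script that groups 4776 failures by source workstation, account and error code and reports the peak per-minute rate, which is the quickest way to confirm which host and account are generating a burst like the one above (0xC000006A is STATUS_WRONG_PASSWORD). The one-line log layout, hostnames and accounts in SAMPLE_4776 are constructed for the example.

```python
import re
from collections import defaultdict

# NTSTATUS values that 4776 reports in its Error Code field (standard Windows codes).
ERROR_CODE_NAMES = {
    0x0: "success", 0xC000006A: "wrong password", 0xC0000064: "no such user",
    0xC0000072: "account disabled", 0xC000006F: "outside permitted logon hours",
    0xC0000071: "password expired", 0xC0000193: "account expired", 0xC0000234: "account locked out",
}

# Constructed sample: 4776 records flattened to one per line (UTC time, event ID, then the
# event's own fields). Hostnames and accounts are made up.
SAMPLE_4776 = """\
2016-03-30T14:00:01Z 4776 Logon Account: admin01 Source Workstation: WS-FIN-07 Error Code: 0xC000006A
2016-03-30T14:00:03Z 4776 Logon Account: admin01 Source Workstation: WS-FIN-07 Error Code: 0xC000006A
2016-03-30T14:00:06Z 4776 Logon Account: jsmith Source Workstation: WS-HR-02 Error Code: 0x0
2016-03-30T14:00:09Z 4776 Logon Account: admin01 Source Workstation: WS-FIN-07 Error Code: 0xC000006A
2016-03-30T14:01:10Z 4776 Logon Account: admin01 Source Workstation: WS-FIN-07 Error Code: 0xC000006A
"""

LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\dT(?P<minute>\d\d:\d\d):\d\dZ 4776 Logon Account: (?P<account>\S+) "
    r"Source Workstation: (?P<host>\S+) Error Code: (?P<code>0x[0-9A-Fa-f]+)$"
)

def parse_4776(text):
    """Return one dict per 4776 record; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"minute": m["minute"], "account": m["account"],
                           "host": m["host"], "code": int(m["code"], 16)})
    return events

def failure_bursts(events, per_minute=20):
    """(host, account, reason) -> peak failures in one minute, for sources at/over per_minute."""
    per_min = defaultdict(int)
    for e in events:
        if e["code"] != 0:  # successes are not part of the burst
            reason = ERROR_CODE_NAMES.get(e["code"], hex(e["code"]))
            per_min[(e["host"], e["account"], reason, e["minute"])] += 1
    peaks = {}
    for (host, account, reason, _), n in per_min.items():
        peaks[(host, account, reason)] = max(peaks.get((host, account, reason), 0), n)
    return {k: v for k, v in peaks.items() if v >= per_minute}

if __name__ == "__main__":
    for (host, account, reason), n in failure_bursts(parse_4776(SAMPLE_4776), per_minute=3).items():
        print(f"{host} / {account}: {reason}, peak {n} per minute")
```

Point it at a real export by replacing SAMPLE_4776 and adjusting LINE_RE to the layout of your export; the threshold default of 20 per minute is below the ~24 per minute the post reports.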



Enabling SMB Signing in 2008 R2 Domain


We're testing SMB signing in a lab and can't quite figure out which GPO settings to use. After some reading, it appears that Domain Controllers have SMB signing configured by default.

I've also read on TechNet that:

"By default, client-side SMB signing is enabled on workstations, servers, and domain controllers"

If this is so, what else would I need to configure if I wanted SMB signing in my lab? Do I need to configure a GPO for Servers?



CA certificate Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET).

My system was attacked by a ransom bug and I almost lost it all. I was able to restore the server from a 3 week old backup, but I'm getting all sorts of errors. Most relate to Certsrv. I don't have a .pfx file to pull from. I click on Cert service and try to start the service but get the error below and the service does not start. Can anyone help with this?

Keyset does not exist 0x80090016 (-2146893802). 

Root CA missing issuing CA certificate


Hi,

I have a 2 tier 2008 R2 PKI hierarchy. The root CA is missing the issuing CA's certificate, e.g. if I look at the issued certificate on IssuingCA1 it shows "issued by rootCa with thumbprint xyz", however when I look for this same certificate on rootCa, I can't see the certificate under the list of issued certificates.

How this happened, I'm not sure - possibly the root CA was restored by a snapshot, backup or maybe the certificate of the issued CA was deleted.

PKI works and I have no immediate concerns, but I would like to correct this:

1. Can I just issue a new certificate from the root CA to the issuing CA?
2. Is anything likely to break? The current issuing CA certificate has another 10 years, and the PKI is used heavily by wireless clients.

Thanks

PKI assurance level questions which should be considered?


Hi All,

Can someone suggest a list of questions to be used to determine design level guidance, at a general level, for a Microsoft PKI which issues user, workstation and SSL certificates.

I'm considering using the FED Bridge PKI assurance levels or other industry standard levels as a framework, and defining specific criteria and security considerations between these that could be considered for use.




How do I solve the problem with this user?


Hi!

I have a network with a domain controller and Active Directory users in one location.
In another location I have a different domain controller and Active Directory users. These are separate domains.

My problem is that I have a person who manages to connect from one location to the other.

Each location that has a domain controller and Active Directory has a firewall; it's a Fortigate machine. This person has only a user account in Active Directory. The local accounts of his computer are disabled.
On his computer the IP address is static. Both server and workstations are up to date.

He succeeds in using the Internet to connect to the other network, using administrator privileges.
This person makes changes on other computers in both locations, normal changes that are made only by the network administrator.

I think it's an undetectable virus / trojan. I would like to know how I can scan servers and services for undetectable viruses / trojans and trace how this person connects. From what I know so far, the user succeeds in intervening in the user's session from a different computer without the user knowing or realizing, and makes any changes he wishes.

Any suggestion / feedback / opinion is appreciated... thank you


Logging for Logon (Windows 2008 R2)


Dear all,

We're requested to collect and analyze logs for

1) logons in non-office periods

2) use of privileged accounts and tracing of configuration changes

Is it possible to do this with the tools that come with Windows, or do I need third-party tools? If third-party tools are required, any recommendations?

BSOD on Win Server 2008 R2 Std PAGE_FAULT_IN_NONPAGED_AREA bug check code 0x50


Hi everyone, I have this problem:

My server gets a BSOD every time I try to log on; I can only open a session in safe mode.

I have already seen so many pages saying that this error is caused by a hardware fault, but I haven't installed anything new on it, so I guess an update caused the problem. I already ran a memory test without any success, also ran hard disk tools without finding anything to help solve the problem, I also updated the BIOS with no success, and I also uninstalled the latest updates but the problem persists. Can someone help me?

  • Server: DELL PowerEdge 310
  • OS: Windows 2008 R2
  • bug check string: PAGE_FAULT_IN_NONPAGED_AREA
  • bug check code: 0x00000050
  • caused by address: ntoskrnl.exe+73c00

A problem has been detected and Windows has been shut down to prevent damage
to your computer.

The problem seems to be caused by the following file: ntoskrnl.exe

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer
for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use safe mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup Options, and then
select Safe Mode.

Technical Information:

*** STOP: 0x00000050 (0xfffff8a0103af000, 0x0000000000000000, 0xfffff8000235fdff,
0x0000000000000000)

*** ntoskrnl.exe - Address 0xfffff800020c9c00 base at 0xfffff80002056000 DateStamp
0x5684191c

Thank you very much for your help!

Oscar


Software restriction policy - For Ransomware Protection


Hello,

Can anyone please help with creating a good policy configuration (Software Restriction Policy) for restricting ransomware or other malware programs (executables) from running in the AppData and user profile directories.

I also want to know how efficient this setup will be as a second layer of defense in addition to an anti-spam mail gateway.

Any additional suggestions on the ransomware prevention mechanism are always welcome.

Thanks,

San.

Extract a report on Windows Hardening


Hi Team,

I have performed Windows hardening on a Windows 2012 R2 server. However, our clients require us to generate a report to show the hardening completed.

Is there a way to generate this hardening report?

Regards,

Wei Kiang

Issuing SHA256 Certificates


I'm trying to determine why I'm unable to issue SHA256 certificates from my Server 2012 CAs. I checked the intermediate and root CA certificates and under Details > Signature Algorithm it lists SHA256RSA, though the cryptographic settings on the CA itself list its algorithm as Microsoft Software Key Storage Provider - SHA1.

When I run certutil -getreg ca\csp\CNGHashAlgorithm I get:

  CNGHashAlgorithm REG_SZ = SHA1

Does this registry key need to be changed to SHA256 in order to issue SHA256 certs?

Thanks.


http path for CRL


I have an issuing CA running Windows Server 2008 R2. It has an HTTP path for the CRL located on another web server.

I am planning to move the HTTP path to a different IIS server. However, the other IIS server is already hosting the website for our WSUS server. Can I create another virtual directory on the IIS server for WSUS to act as the HTTP path for our CRL?

Both the WSUS and CRL path are running on port 80. Would it cause any issues?

CIPHER RSA key length


In our environment, we have a requirement to create a certificate template for EFS purposes, with the below configuration:

- cipher: RSA with 3072 key length
- digest: sha2
- private key must not be exportable from the end user device
- public key stored in AD

The current Root CA and issuing CA have an RSA key length of 2048. Can I set the key length to 3072 for this certificate template? (As the root CA and issuing CA key length is 2048, will it be supported?)

Due to some limitation we currently do not have SHA2. Will a key length of 3072 support the SHA1 algorithm?

The operating system in our environment is Windows 2008 R2. Please provide your suggestion to proceed further.

How to recognize opening a file vs. viewing file attributes for event ID 4663?


After I set audit object access, I executed the following two actions via a network share:

1. open a file
2. choose this file --> mouse right click --> Properties --> OK or Cancel

After the operations, I opened the Windows security log and found 4663 logs for the two actions above,
but the log for action 1 is the same as for action 2! They are '4663, read data mask=0x1 processid=0x4 processName is null'.

How do I recognize opening a file vs. viewing file attributes?

PS: I have already enabled audit process creation, but when I open a file via a network file share, event 4688 is not created.


my log detail :
--------------------
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/30/2016 2:26:09 PM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      xxxx
Description:
An attempt was made to access an object.

Subject:
Security ID: domain\xxx
Account Name: xxx
Account Domain: domain
Logon ID: 0xf76566d

Object:
Object Server: Security
Object Type: File
Object Name: D:\logtest\ttb.txt
Handle ID: 0xaa8

Process Information:
Process ID: 0x4
Process Name:

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask: 0x1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2016-03-30T06:26:09.744834300Z" />
    <EventRecordID>6880547</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>xxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1017008757-1827167444-311576647-46276</Data>
    <Data Name="SubjectUserName">xxx</Data>
    <Data Name="SubjectDomainName">domain</Data>
    <Data Name="SubjectLogonId">0xf76566d</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\logtest\ttb.txt</Data>
    <Data Name="HandleId">0xaa8</Data>
    <Data Name="AccessList">%%4416
</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName">
    </Data>
  </EventData>
</Event>
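An added example, not from the post: a Python decoder for the 4663 Event XML above that turns the AccessMask bits into the named file access rights (standard Windows values) and flags when the access was serviced by the System process. Both of the poster's events carry mask 0x1 (ReadData), so the mask alone does not separate a file open from a properties view; a handle opened only for ReadAttributes would carry 0x80 instead. SAMPLE_4663 is a shortened copy of the post's event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File-object access rights as they appear in a 4663 AccessMask (standard Windows bit values).
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile", 0x4: "AppendData/AddSubdirectory",
    0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute/Traverse", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Shortened copy of the post's Event XML (same structure and values, System section trimmed).
SAMPLE_4663 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Execution ProcessID="4" ThreadID="72" /></System>
  <EventData>
    <Data Name="SubjectUserName">xxx</Data>
    <Data Name="SubjectDomainName">domain</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">D:\logtest\ttb.txt</Data>
    <Data Name="AccessList">%%4416</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"></Data>
  </EventData>
</Event>"""

def decode_access_mask(mask):
    """Translate an AccessMask value into the named rights it contains."""
    names = [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]
    leftover = mask & ~sum(FILE_ACCESS_BITS)
    if leftover:
        names.append(f"unknown bits {leftover:#x}")
    return names

def summarize_4663(xml_text):
    """Pull the fields an analyst needs out of one 4663 event's XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    mask = int(data["AccessMask"], 16)
    return {
        "object": data["ObjectName"],
        "subject": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
        "accesses": decode_access_mask(mask),
        # PID 4 is the System process: the open was serviced by the kernel SMB server,
        # so no user-mode process (and no 4688) exists on the server for it.
        "system_process": int(data["ProcessId"], 16) == 4,
    }
```

summarize_4663(SAMPLE_4663) returns the object, subject, decoded accesses and the System-process flag for the event above.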

AppLocker on Server 2012 R2 causing memory spike in dependent processes


Hello,

I am running AppLocker on my Windows Server 2012 R2 machines, and after several hours of run time, two of the Application Identity service's dependent services using SVCHOST will spike their memory utilization, in some cases to over 2-3 GB each. The process "families", as they are grouped in the task manager, are the "Service Host: Remote Procedure Call" and "Service Host: DCOM Server Process Launcher"; as I said, these are the dependencies of the Application Identity service that AppLocker uses to enforce the defined application control policies.

Has anyone seen this before or have any ideas what could be causing this? I have used AppLocker in the same manner with the same number of rules on Server 2008 R2 with no issues like this. The problem also doesn't occur on the Windows 7 workstations which also run AppLocker.

Is there a memory leak in the Application Identity service somewhere?

Many thanks in advance.


Inconsistent IPSec execution


I have applied IPSec in multiple areas of my enterprise using different methods of authentication:

preshared key with local IPSec policy

IPSec certificate with group policy

On several occasions when attempting to create a secure connection, the system will repeatedly fail to connect, but if I restart the server and re-attempt, I am immediately successful at establishing IPSec communication. Is there a bug or a particular configuration setting I'm not aware of?

Take ownership without losing other permissions


Hi! I am in a risky situation and need your advice before I proceed with solving a case.

It seems that a customer has lost access to a folder and a lot of its sub-folders, and when I try to look at the permissions, I can't see anything, because it says "You must be an administrative user with permission to view this object's security properties".

If I click on continue, I am asked to change ownership of the folder and replace all subfolders or only this one...

Doubleclicking on the folder gives me this one 

and clicking continue gives me this image 

Is there a way I can fix that without removing the current permissions list for the users/groups that have access?

Second question:

What does this icon mean?

As you can see, one folder has it and the other doesn't

I know I must be an owner to see permissions, but I don't want to mess up the groups/users that already have permissions.

If I give myself OWNER now, all other access for other users will be lost; I've seen that in testing today.


Freddy

IIS Lockdown Tools for IIS 8.5 on Windows Server 2012 R2 - Standard


Hello,

What is an IIS lockdown tool you can use for Windows Server 2012 R2 Standard? I don't see that this one is compatible with Server 2012 R2:

https://technet.microsoft.com/en-us/library/dd450372(v=ws.10).aspx

I have not been successful in locating an IIS Lockdown tool for Windows Server 2012 R2 Standard. Any information is appreciated.



Thanks, Scott


Using AES on VPN connection

Hi, I'm wondering where the option is to use AES encryption for a VPN tunnel using SSTP when connecting to my DC on Server 2012. I've created an NPS and NAP etc... everything is set up and works; a client is using my certificate for public/private key exchange for the encryption of a symmetric encryption key, but it says in the options in the Network Policies section on the NPS that it uses MPPE and there doesn't seem to be any other choice? AES is the best out there and I'm wondering what I have to do to change it to that?

Thanks

Upgrade PKI and split the roles


Hi all,

I need some advice and documentation to upgrade an old PKI environment with a two tier design but with only one enterprise CA server that runs all the roles. My new design will be:

  • CA on failover cluster with two nodes
  • two web servers cdp\certserv with load balancer
  • two ocsp with load balancer/array
  • two ndes in failover cluster

The current environment has an offline ROOTCA on 2008 and one enterprise CA on 2008 with CDP/web enrolment.

I have created a DNS entry for pki which will point to the load balancer for CDP and OCSP, and configured the load balancer with a VIP for each service. Of course I will change the CA server name and use the pki DNS entry for web services, etc.

Now I'm a little confused. What do I do next? My plan is to:

  1. Upgrade the offline CA to 2012 R2
  2. Reissue the certificate with two CRL and AIA locations, add the new location on pki http only and also keep the old one
  3. Copy CRL and AIA to the new web farm with LB
  4. Reimport the new certificate in the old CA, configure the CDP/CRL and AIA and add this new location
  5. Back up the old CA, disable certificate services, shut down the server, keep it for any eventual issues
  6. Restore the CA DB, key, templates, etc. and configuration on the new clustered CA with a different name
  7. Install OCSP and NDES on the other servers

My questions: what happens with a client who has a valid certificate now and has the old CRL and AIA configuration? Do I need to keep the old CA only for CRL web services? Or do I need to reissue certificates for all devices, users and manual certificate requests and wait for all to take the new cert with the second CDP/AIA?

Until now I have found tons of documentation but only for upgrading while keeping the server names :(.

Thanks.

   


