Channel: Security forum

RDP failed attempt events

Hi All,

We want to monitor Remote Desktop failed logon attempts in our Domain environment. The Domain Controllers are Windows Server 2008 R2 latest version. We enabled the advanced audit policies for the environment following the TechNet article https://technet.microsoft.com/en-us/library/dn487457.aspx. But anyway we can't get RDP failed logon attempts for domain users.

For information, there is nothing in the Security Logs about failed RDP logon events on the target servers locally. But we have a pre-authentication failure event in the Domain Controller Security Logs, which gives us less information about the failed RDP attempt. We want to find the attempted user, source machine or IP, target server or IP.

Please help with any suggestions.


EV Certificates and Multilayer Internal PKI

Hi,

We have a standalone offline root CA and a domain-joined issuing CA setup, both on Server 2012 R2. I have been asked to get EV certificates deployed internally and I saw the site below:

https://blogs.technet.microsoft.com/askds/2009/08/14/extended-validation-support-for-websites-using-internal-certificates/

At the end of the document it talks about adding the root CA to the trusted root CA on the domain and adding the OID of the certificate template created into it. The thing is we have not deployed our root CA this way, but using the command certutil -dspublish -f <certfilename> RootCA.

Would this create duplicate certificates in all the clients' trusted root container on each PC if I was to add it again? Also, I have not published the intermediate certificate at all, I assume because it is domain joined it automatically publishes itself out to the Intermediate Certification Authorities container on each PC. What if I add this certificate as well to a global Group Policy and make the OID changes? How would this affect existing users?

Thanks a lot for reading.

Migrate Certificate Authority from SBS 2011 to 2012 R2 different host name

Hiya,

We have a certificate authority installed on the old SBS2011 we are trying to decommission. We are moving all services to 2012R2 servers.

This is a migration process.

The CA on this server serves the Exchange 2010 on this box as well as other services; below screen drop shows certificates issued.

I have followed the article here:

https://social.technet.microsoft.com/wiki/contents/articles/21076.upgrading-the-pki-from-windows-server-2008-r2-to-windows-server-2012-different-host-name.aspx

to move the CA to another server with a host name change, but then it looks like I might have to reissue certificates to Exchange and other services on the SBS2011 still running etc. (we will move these services off this server soon as well). IS THIS TRUE? Will I have to reissue certificates? What do I need to do once the CA is migrated?

Will Exchange stop working as well as other services?

cheers Mike



DSPublish Root CA. Will this overwrite existing Root CA?

We have a root CA. It's SHA1.

I have created a new offline/sub CA PKI on Server 2012 and need to publish the new Root CA. I have only enabled one certificate template on this CA so far.

If I use DSPublish to do this, I believe domain joined systems will pick up that new CA for any allowed templates, but would it overwrite our existing CA or work alongside it? If it will work alongside and both have identical allowed templates, how would the client know which CA to use?

Any help would be gratefully received as Certificates are my weak point.

Nik

Certificate Services Client: Credential Roaming has failed. Error code 1381

I'm getting this error when user certificates try to roam, but only for our IT administrator accounts.  Not domain admins, but delegated rights as needed.  And our actual domain admin accounts (very few) roam certificates properly.

The certificates don't roam at all from AD to the local computer, and this error is generated.  Schema is 2008 R2, single domain, single forest.  Clients tested with multiple accounts are Windows 7, 8.1, 10, Server 2008 R2, Server 2012 R2.

If I remove all published certificates from the AD account, the next logon will generate a new autoenroll certificate, and that will get published to the AD account.  But it won't roam to any clients after that.

Also, we recently replaced our PKI and all new certificates are sha256 2048 bit.  But I do not know if this problem was occurring before the new PKI.

Regular users are roaming certificates with no problem, so this doesn't actually affect anything important yet.  But we are rolling out 802.1x authentication on many of our wired networks this year, and this could potentially become an issue.

I can't find information on this error so far.  Does anyone know what this means, so I can know where to start troubleshooting?

Log Name:      Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
Source:        Microsoft-Windows-CertificateServicesClient-CredentialRoaming
Date:          6/16/2016 8:29:23 AM
Event ID:      1001
Task Category: None
Level:         Error
Keywords:     
User:          xxxx
Computer:      xxxx
Description:
Certificate Services Client: Credential Roaming has failed. Error code 1381
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-CredentialRoaming" Guid="{89A2278B-C662-4AFF-A06C-46AD3F220BCA}" />
    <EventID>1001</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2016-06-16T13:29:23.186544800Z" />
    <EventRecordID>16</EventRecordID>
    <Correlation />
    <Execution ProcessID="3408" ThreadID="2808" />
    <Channel>Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational</Channel>
    <Computer>xxxx</Computer>
    <Security UserID="xxxx" />
  </System>
  <UserData>
    <Err xmlns="http://www.microsoft.com/Windows/CertificateServicesClient/CredentialRoaming/Event">
      <ErrorCode>1381</ErrorCode>
    </Err>
  </UserData>
</Event>

This certificate can not be verified up to a trusted certificate authority

I am getting event ID 38886 on a Windows 2012 server running AD services. I am using an internal CA to assign the certificate.

Kuldeep Singh

Can't login to AD user account due to Trust Relationship problem

Hi,

We have a Server 2012 Standard edition Active Directory and more than 100 users and computers. We have VMware 5.5, clustered across two host machines. We shifted the AD VM from one host machine to another through the VM migration process for maintenance purposes. After that some users are facing a login problem in AD. The message is "The security Database on the server does not have a computer account for this workstation trust relationship." or shows "Login ID or password incorrect".

We have solved the issue on a temporary basis by doing the following:

1. Unplugged the network cable and logged in normally. Then plugged the cable back in.

2. Dis-joined and re-joined the workstation to the AD. But after a day or two it happens again.

3. Formatted the PC and newly configured the machine.

4. Deleted the computer account from the AD and dis-joined and re-joined the workstation to the AD.

5. Moved the VM back to its previous host machine. But still facing the same issue.

Not all client machines are facing the problem at the same time, but the problem is increasing and the number of problematic clients is increasing.

I need support regarding this issue. Can anyone help me?

Qamrul 

Certificate Enrollment - client hang on loading active directory enrollment policy

As of this morning I am unable to see a list of available certificates when I request them through policy.

Yesterday the system was working fine.  I created a couple of new certificates, one of which had to be requested through a custom request, and changed the security on the certsrv website but I have changed the settings back and the issue remains.

When I use the certificates console and request new certificate from gp the system hangs indefinitely and the event viewer shows event id 64 and 65. 

Certificate enrollment for Local system successfully load policy from policy server

Certificate enrollment for Local system is successfully authenticated by policy server


Certutil -verify where do I get the .cer file?

We have a newly built PKI environment (2 subordinate CAs in separate sites, 1 root CA). The engineer who built it is no longer available. After a restart one of the subordinate CAs will not start ADCS. When I try to start cert services from the CA console I get:

The revocation function was unable to check revocation because the revocation server was offline. 

ADCS runs fine from the other sub CA. The 2 sub CAs are in different locations.

Obviously I'm new to this...

I have read to run the command Certutil -verify -urlfetch certfilename.cer. Coming at this new, what is the best way to get the cer file to run this? Will I need to export? Should this file exist already?

Thanks in advance!

Adding the Organization Field to the Root Certificate on Windows Server 2012 R2 Datacenter

Hi,

I recently set up a DC and decided to add ADCS. My intent was to issue internal EV SSLs to get the green bar seen in IE. On the first try I got it: IE shows the green bar and trusts the website; however, Chrome trusts it but does not display the organization's name. Firefox does not trust it at all and wants me to add an exception. After some tinkering I was able to determine that the Organization field is missing in my root certificate. I was wondering how I can add it. This is a test environment and I am open to rebuilding the server in order to fix this. Please note I compared my environment side by side with ninite.com, a well-known organization.

Thanks In Advance

IE Displaying The Green Bar

IE Advanced on My Cert

IE Advanced on Ninite's Cert

Adding a certificate to a RSA SID800 token

Hi,

When adding a certificate to a SID800 token I get a message that the CSP settings are not supported. I choose the Smartcard User and then select Microsoft Crypto Card as the smartcard option, when I enter the token pin it fails with the CSP message.

Do I need to do something on the server to enable the RSA smartcard option?

Thanks,

Chris

Granular Password not applying to users in groups

Hi, I am wanting to implement a Granular Password policy in my domain. I have dev'ed it all in our 2008 R2 test environment, which works fine, but when I try and set it up on our actual 2008 domain it won't apply the policy to users in groups.

The msDS-PasswordSetting class is applied to a group; from the group's attribute editor it confirms that the class is applied to it, but a user in that group will not inherit the password class. It will work if I assign the password class straight to the user, but with 300+ users I would obviously prefer to use groups.

The only thing that is different is that one is at 2008 R2 functional level and the other is 2008.

Am I missing something?
JC

MS SMB protocol encryption

Hi there guys

We are in a printing project where some security issues have arisen.

The issue is the following. SMBv1 is not activated but v2 & v3 are. When printing from PCs and Macs that are not in the domain, the customer thinks that the SMBv2 protocol is insecure.

They can't use v3 because of the Mac.

The question is the following ... When a client PC is connecting to a new printer (queue) that resides in the domain and fills in the username and password in the popup that appears, they think that someone can hijack the communication and since SMB v2 ( presumably from the customer is unsure ) the network can be compromised.

So does SMBv2 use encryption when passing usernames and passwords to and from (client - server)?

When establishing a connection to the printer queue via SMBv2, is that connection secure/encrypted in some way?

I know that the printing traffic isn't encrypted ...

I hope that I make myself understandable :)

MS plans for transition from SHA1 certificates to SHA2

Our product is using IIS and a self-signed certificate (SHA1 signed) for client-server communication (not through a browser).

Our concern is that when MS stops recognizing SHA1 certificates our customers will start experiencing problems with our product.

I would like to know whether SHA1 certificates will become not allowed for use (not through browsing, but client-server IIS communication).

I found some information through the MS web pages, but it is at times contradictory.

So, I would like to find some reliable data, regarding the issue.

Thanks



Windows Firewall not logging......

Hi! I have Windows 2012R2 and I have the firewall set to log (some machines locally, some via GPO). Regardless of how it's set, I notice that when the log reaches the max size of 4096kb and rolls over, it stops logging.

I see the pfirewall.log.old at the max size, and the pfirewall.log file at 0kb. 

Any ideas? 

If I reboot it starts to log again, until it hits the max file size. 


MachineKeys permissions

Hello!

It's easy to find all over the web problems related to permissions of the MachineKeys folder (C:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys)

I have seen that it's also easy to find people solving their problems by setting Everyone/Full Control permissions for this folder and children.

The most complete official documentation I could find about this seems to also suggest Everyone/Full Control:

https://msdn.microsoft.com/en-us/library/bb909654(v=vs.90).aspx

https://support.microsoft.com/en-us/kb/278381

But I struggle to understand how allowing everyone full control access to certificate private keys can be the proper permissions to set. Can anyone share their thoughts on this?



Encryption with EFS

Hello,

When implementing a public key infrastructure for EFS encryption with ADCS, I met a problem that bothered me a lot. I configured a GPO for automatic registration of a personalized EFS certificate; the problem is that the cryptographic signature in a shared (file server) of a member of this group is not the same as the certificate issued by GPO.

When I search on user certificates ("mmc"), I find just the certificate issued by GPO.

What is the problem?

Thank you.

How do I enable ALPN and TLS session resumption (client tickets) in Windows Server 2012 R2

According to the following TechNet article ALPN and TLS client-side session resumption should be supported in SChannel in Windows Server 2012 R2.

https://technet.microsoft.com/en-us/library/hh831771.aspx

We've just upgraded our webserver to 2012 R2 but SSLLabs shows these features as still not supported. Are there any extra steps required to enable them with IIS 8.5? Has anyone else experienced the same issue?

TIA

Prevent certain file types from running from the internet

Does anyone know how to prevent certain file types, such as Excel files with a .xlsm extension, from running from the internet, in Internet Explorer, Firefox and Google Chrome?

I have looked at the software restriction policies route, but a lot of the time, the files don't seem to be downloaded to Temporary Internet Files, and a user can choose to accept the opening of a file, and it opens. I want to prevent them from being able to do so, but only for specific file extensions.

NB. I am not trying to prevent them from downloading the file at all, just from opening it directly via browser.

Thanks


Reenrollment using valid existing certificate

Good afternoon all,

This question relates to a Windows Server 2012R2 environment.  The intention is to roll out for a client, but at the moment I'm simply trying to get this to work in a lab setup consisting of fresh installs of a DC, a CA and a web-server as a CDP.

I have a scenario where a computer certificate template's Subject Name is set to Supply in the request. I've therefore ensured that the template requires a CA certificate manager approval before issuance.

I'd like the certificate to reenroll using a Valid existing certificate, so I set that on the Issuance Requirements tab. I also checked Use subject information from existing certificates for autoenrollment renewal requests on the Subject Name tab. Finally, I've made sure that Domain Computers have Read, Enroll and Autoenroll permissions on the template.

I've configured the Default Domain Policy with Certificate Service Client - Auto-Enrollment Settings to enable Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates and Update and manage certificates that use certificate templates from Active Directory and both are visible when I run gpresult /Z.

I can request a new certificate from the end-entity (the web-server in my test environment) and as expected, I have to approve at the CA. Once that's done, either a long wait or a gpupdate /force will drag the certificate to the server.

If I now wait until the certificate expires (a few hours as I've set it to be short lived for testing purposes) I see event ID 1003 (only) in my logs telling me that the certificate is about to expire, but no event ID 1006/5/4 or a replacement cert.

On the CA, I find that the request is sat in the Pending Request queue. If I issue the certificate and run gpupdate /force again on the web-server, everything works and the certificate is replaced.

If I select the certificate at the web-server and choose to Renew this certificate with the same key... advanced option, then I instantly get a replacement certificate without it being placed in the CA's Pending Requests queue. I can also push a new cert from the Certificate Templates Console by selecting the template and clicking on Reenroll All Certificate Holders; again it happens instantaneously without a visit to the Pending Request queue.

But as I said, if I leave it to its own devices, the web-server certificate expires while the replacement is sat in the Pending Queue.

My understanding was that if Valid existing certificate is selected on the Issuance Requirements tab, then it should automatically renew the certificate without human intervention even though CA certificate manager approval is checked.

I've read:

  • How Autoenrollment Works
  • Certificate Enrollment in Windows XP
  • Troubleshooting Autoenrollment
  • Server 2012 PKI Key Based Renewal Explained

(I'd hyperlink all the above, but this forum won't let me - they are all TechNet articles)

From my understanding, it should work; but it isn't.  Have I missed something obvious?


