Hello.
Can Windows server provide any option for protect Login? For example, If anyone attempt fro guess Windows Username and Password then his/her IP address blocked.
Thank you.
↧
Block IP address after some attempts for login
↧
Bypass File Screening
Hello.
If I enable file screening for block some files like .MP3 , .MP4 and.. but a user change his/her file suffix then how can I block his/her? For example, he/she change .MP3 to .doc.
Thank you.
↧
↧
RDP (NtLmSsp) logon timeout - LoginGraceTime
Hello.
Is it possible to set the value of logon timeout for NtLmSsp, like LoginGraceTimein ssh?
The issue is simple: some host opens a connection to server and waits. I want NtLmSsp to close connection after specific timeout.
↧
PKI - RDP - getting rid of self signed RDP certificate
I am using a Microsoft PKI to deploy server certificates. I realised that Windows automatically creates a self-signed certificates in the local Remote desktop certificated store.<o:p></o:p>
I wanted to use the default rdp certificate when connecting to the machine via rdp. After following this manual (<o:p></o:p>
http://www.darkoperator.com/blog/2015/3/26/rdp-tls-certificate-deployment-using-gpo<o:p></o:p>
) the connection was established using the server certificate.<o:p></o:p>
My problem is that even after deleting the self-signed certificate out of the store, every time I reconnect to the server the self-signed certificate is recreated again. Is there a way to get rid of this certificate?<o:p></o:p>
↧
Which part of system changed?
Hello.
If a hacker hack my Windows server and change some settings then how can I find them? For example, A hacker hack my Windows username and password and logging to my system and modify a service but how can I understand it.
Thank you.
↧
↧
Windows Server 2008 / Server 2008 R2 unable to install MS16-110 (KB3184471)
Windows Server 2008 / Server 2008 R2 unable to install MS16-110 (KB3184471)
↧
Upgrading of CA from SHA1 to SHA256 and renewal of online ROOTCA and SUBCA - Issue on certificate chain
Hi Guys,
I have a scenario where in i have an Online root CA runining on windows 2008 R2 and SubCA. These were running before with Microsoft Strong Cryptographic Provider with SHA1 hashing algorithm. I was successfully change the provider to KSP and make it SHA256 as per the procedure on technet. I completed renewing also the rootCA without any problem and also the SUBCA, however when tried to sign a certicate request from my SubCA i received the a certificate with SHA256 and KSP provider, upon checking the certificate chain i found out that the new certificate still using my old SubCA where in fact i can see it is already renewed.
Many thanks guyz..
↧
Task Schedular Error
Hi!
We have created a scheduled task to run a visual studio program. When we run the task manually by double clicking it, it runs fine but shows the below error when the task scheduler runs it.
"Visual Studio Just-in-time Debugger"
An unhandled exception occurred in programname.exe (9176).
The just-in-time debugger was launched without necessary security permissions. To debug the process, the just-in-time debugger must be run as an administrator.
Any Suggestions?
Windows 2008 R2. The account we are using to run the task is already added in local administrators group in the server.
Thanks.
↧
Single Cert Server to two-tier PKI migration
We have single Cert Server running on Windows 2008 and would like to move onto Windows 2012 R2 with two- tier ( offline root CA and Issuing CA) PKI solution.
What is the best practice to move from single cert server (SHA-1) ( named certsrv) to two-tier cert server (SHA 256) solution?
As root CA as well as Issuing CA are on same server with name "certsrv", if I install offline root CA ( named RootCA) and domain joined Issuing CA ( named IssuingCA) , how the existing clients can get new / renew certificates from new PKI without any business interruption?
How can we publish RootCA certificate on all clients ( computers and users) as trusted rootCA ?
Would some one direct me the step by step guide to move single CA to two-tier PKI ?
Thanks in advance
Tek-Nerd
↧
↧
Possible hack to the domain, how to tell how far its gone? RDP access hack on a client..
We've got a situation i've not run into before..
A local machine in the domain was apparently hacked via RDP.. we had a few test user accounts on the domain.. they used one of them to gain access to this local workstation. The user was reporting that there were requests to log on from one of the domain test user accounts. Then upon examination, it looks like the account did succeed at remoting in at some point.. accessed the chrome browser, maybe paypal/ebay etc. I'm not even sure how they would have hacked a domain level user account.. that is, figuring out the names of the accounts.
I think the root of this was our very old policy that had domain users as "remote desktop users".. i think that this was bad practice and that we should switch that (back to local? administrators?)... The other problem was having an RDP port"open" via the router, rather than strictly vpn, but we did it this way for years because our PPTP vpn was rudimentary and didnt work from some devices like phones.
The biggest fear now, is not knowing what level the "test account" could have gone into the network/network drives.
A local scan for malware and viruses on that machine turned up nothing.
Looking at domain DC logs for security only goes back a day or so due to the login successes being logged and overwriting things quicker, i think.
Any suggestions on what to do or look for at this point?
Thanks in advance
Tech, the Universe, Everything: http://tech-stew.com Just Plane Crazy http://flight-stew.com
↧
How to publish new Root sertificate
Hello.
I have a problem to publish new root certificate.
I use the command with "domain admin" rights:
certutil -dspublish -f <certfilename> RootCA
The command finished successfully, but in enterprise pki still old Root certificate.
But if i check AD Containers in NTAUTH, AIA, Certification Authorities Container, i see new root certificate.
What command i need to use and wich rights to publish new root certificate to CA certificate in Enterprise PKI?
Thanks.
↧
Disabling internet access to specific users on the network using windows server 2012 R2
Hello everyone, I have been searching for help on this for a while and Im still new to server settings. I want to disable internet acces to specific people on my network and apparently I cant do that using group policies. I read that if I want to do it I need to use the firewall. Can this be done using windows firewall from the server side?
Second question, Is there a way to assign static IP's to all the devices connected to the server by using the server settings?
Thank you.
↧
CA - no certificate templates could be found.
Dear All,
I have a 2008 Domain Controller with the CA Server role installed with the issue that the Web-Enrolement procedure is not working proper. I can´t request any cert´s using the web-browser. Cert requests via powershell works fin thought.
I get the following error:
"No Certificate templates could be found. You do not have the permissions to request a certificate from this CA, or an error occured while accessing the Active Directory"
I allready compared the the sServerConfig value in the Certdat.inc file with the dNSHostName attribute at the pkiEnrollmentService object. The values are the same (case sensitive).
I also checked the permissions on the certificate templates - they are o.k. since I do the request with a domain admin account.
I appreciate an help and thanks in advanced,
Chris
↧
↧
Minimal privileges to allow print job deletion
Hello,
I need to allow our helpdesk to delete print queues on domain member print servers. I have added the users to the Print Operators group on the domain member print servers so that they can manage the print queues, and I've added them to the Remote Management Servers so that they're able to log in. Unfortunately they do not appear to be able to delete the queues. Looking that the description of the Print Operators group:
Members can administrator printers installed on domain controllers
These print servers are domain members, however they are not domain controllers.
Is there a way to allow users to manage print queues without making them members of local administrator?
Thanks
↧
Windows Server 2012 R2 protection - Antivirus / Active protection suggestions
Hello
Since number of our clients has increased and all clients have some type of antivirus protection I've been looking for some antivirus protection for server.
Found few but they're all quite pricey.
Looking for some simple and possibly free solution.
Thanks in advance.
↧
Uninstall Windows 2008 updates
I would like to know will there have any problem if I just uninstall the updates between SP1 and SP2 and the SP2 update in windows 2008 standard(not R2).
Because I want to reinstall it as below case:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/6b33a9e3-8213-43bd-b2b3-f826c8517e3d/port-3389-for-remote-desktop-cannot-use?forum=winserverTS
I think some updates corrupted make the port 3389 cannot function normally.
I have tried copy RDP-tcp in key register to add port 3390 for remote desktop which can work successfully.
And you see the different below as they are the same PID
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1312
TCP 0.0.0.0:3390 0.0.0.0:0 LISTENING 1312
TCP 100.5.1.32:3390 100.5.1.137:59144 ESTABLISHED 1312
↧
SubCA Certificate cannot be renewed
Dear Friends,
I've got a quite urgent problem. Maybe you can help me...
Here’s my problem:
I need to renew a sub-ca cert. To do so I followed a huge amount of blogs and tutorials, for example:
http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/
But in every Tutorial the writers are able to choose an online CA or export the request by clicking Cancel in the following Step:
My problem is, that this window isn’t showing up. When I choose “No” in the Window before where he asks me whether to create a new key or not and continue, he is just starting the services again and nothing has changed. In the Properties of the sub-ca is still one cert which will expire soon:
When I try to renew it by using certutil, I get the following message:
PS C:\Users\administrator.CLOUD4YOU> certutil -renewcert ReuseKeys -f CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023) CertUtil: The group or resource is not in the correct state to perform the requested operation.
I’ve googled the error-message already, but none of the solutions applied for us.
When I try the 3<sup>rd</sup> option by renewing the cert with the same key over mmc -> Certificates, I get the same error as this writer: https://social.technet.microsoft.com/forums/windowsserver/en-US/90c78256-6291-4e6d-8dd8-82280cc00e69/unable-to-renew-subca but in our deployment the template was already activated
I really don’t know what to do next… Do you have any idea?
Thanks in advance!
Carsten Brenner IT-Engineer at cloud4you GmbH (Germany)
↧
↧
PKIVIEW.MSC Issues - Bad AIA and CDP LDAP Locations
Hello,
I am standing up a new Two-Tier SHA-2 PKI environment (One Offline Root and Four Online Issuing CAs). All CAs have been setup and configured and all AIA and CDP publication points within pkiview.msc show ok, WITH THE EXCEPTION of two Root CA LDAP locations (AIA Location #3 and CDP Location #3). They both show status of "Unable to download" and point to a location that showsldap:///CN=.......DC=UnavailableConfigDN?.. Turns out, the Root CA did not have the "DSConfigDN" registry key populated, so I corrected this then generated a new Root CA CRL with the correct DSConfigDN. I then successfully re-published the Root CRL and Root Cert files into AD (which I can see in ADSIEdit.msc). Correct Root CA LDAP locations are now showing in pkiview.msc (AIA Location #1 and CDP Location #1). However, the bad LDAP locations still remain... I have tried revoking and renewing the CA Exchange certificates on the Issuing CAs, but still can't get rid of these bad Root LDAP locations. Any ideas on how to clear these?
Thanks, Patrick
↧
Problem trying to renew subordinate CA certificate
Hi,
http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/
I am following these steps to renew my subordinate CA with the same key pairs.
Steps to Renew if Root CA is offline
- Log onto your Issuing CA and open the Certificate Authority MMC
- Right click on your Issuing CA > All Tasks > Renew CA Certificate
- Press Yes to Stop AD Certificate Services
- Press No to Generate a new Public/Private Pair
I am experiencing a problem, whereby the "CA Certificate Request" dialogue box does not appear. When I click No to generate a new public/private pair, Certificate Services simply start again, the "CA Certificate Request" dialogue box does not appear at all.
The request file location is c:\certs but no request file is generated.
I found another post that has an apparent identical issue, however the suggested fix is not available.
https://social.technet.microsoft.com/Forums/en-US/7d83f2b3-23fb-412e-9ea2-14d017c00535/subca-certificate-cannot-be-renewed?forum=winserversecurity
The account I am using has Enterprise/Domain and Schema admin permissions.
Any suggestions welcome.
Brian
↧
Block IP address after some attempts for login
Hello.
Can Windows server provide any option for protect Login? For example, If anyone attempt fro guess Windows Username and Password then his/her IP address blocked.
Thank you.
↧