
SChannel - Help with Error # 20 (Event ID # 36888)


Was hoping somebody could help me understand what's causing some SChannel error 20 events I'm seeing in system event logs.

Running Server 2008 R2 as IIS web servers, have a commercial wildcard SSL certificate in use on multiple sites and we use IIS Crypto's "best practice" settings.

Majority of our customers, monitoring apps and SSL labs report no issues with HTTPS, however we have one customer with a data-center hosted application which sometimes connects flawlessly, yet other times causes our server to generate fatal alert 20 and reset the connection before it even reaches IIS.

Can't see any pattern to these issues and very little of the discussion online about error 20 seems to fit here as it mostly relates to invalid server certificates, low-level development with SSL or other "consistent HTTPS failure" scenarios while ours is more intermittent.

Reading up on error 20 suggests it should indicate a "bad record MAC", where I'm reading the MAC to be a checksum of the SSL message, suggesting the message may be incomplete, altered or incorrectly signed -- but not being an expert on either SChannel or crypto I could be misunderstanding what this means.

Attempted to find more detail regarding the internal error state value, with very little luck.

Tried enabling SChannel logging for errors and warnings (3), but that has not provided any more detail before or after this event.

Right now I'm not entirely sure what's causing the problem which makes it even harder to look at solutions, so if you have any questions or need more detail let me know, will try and keep an eye on this for the next few days.

- T

Log Name: System
Source: Schannel
Date: [removed]
Event ID: 36888
Task Category: None
Level: Error
Keywords: 
User: SYSTEM
Computer: [removed]
Description:
The following fatal alert was generated: 20. The internal error state is 960.
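Decoding the alert number in a 36888 event, as an added Python example that is not part of the original post: it parses the event description quoted above, maps the code to its TLS AlertDescription name (RFC 5246 section 7.2.2, plus 112 and 120 from RFC 6066/7301), and records whether the alert was generated locally (36888) or received from the peer (36887). The sample event texts are constructed.

```python
import re

# TLS AlertDescription values. SChannel reports this number in the
# 36887/36888 event description; 20 is bad_record_mac.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension", 112: "unrecognized_name",
    120: "no_application_protocol",
}

# 36888 says "was generated" (this machine sent the alert); 36887 says
# "was received" (the peer sent it). The internal error state is optional.
_DESC_RE = re.compile(
    r"The following fatal alert was (?P<dir>generated|received): (?P<code>\d+)\."
    r"(?: The internal error state is (?P<state>\d+)\.)?"
)

def parse_schannel_alert(description):
    """Decode the Description text of an SChannel 36887/36888 event.
    Returns None when the text is not such an event."""
    m = _DESC_RE.search(description)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "code": code,
        "name": TLS_ALERTS.get(code, "unknown(%d)" % code),
        "direction": m.group("dir"),
        "internal_state": int(m.group("state")) if m.group("state") else None,
        # A generated bad_record_mac means a record the peer sent failed the
        # local MAC/AEAD integrity check, so the problem lies in the data
        # received from the peer, not in this server's certificate.
        "local_rejected_peer_data": m.group("dir") == "generated",
    }

def summarize(descriptions):
    """Count alerts per (direction, name) over a batch of event descriptions,
    the quickest way to see whether one alert type dominates."""
    counts = {}
    for text in descriptions:
        parsed = parse_schannel_alert(text)
        if parsed is None:
            continue
        key = (parsed["direction"], parsed["name"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: the first line is the post's event, the rest invented.
SAMPLE_EVENTS = [
    "The following fatal alert was generated: 20. The internal error state is 960.",
    "The following fatal alert was generated: 20. The internal error state is 960.",
    "The following fatal alert was received: 40.",
    "The following fatal alert was generated: 10. The internal error state is 1203.",
    "An unrelated System event.",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(key, n)
```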



Base Filtering Engine service Error 5 Access Denied


Base Filtering Engine service is stopped and when attempting to start the service I get this message: “Error 5 Access denied”. Compared the error machine with another machine using the same hardware and Windows operating system 2008 R2.

I did find a delta with the error machine in the value of one of the keys, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\DisplayName. The value was “Base Filtering Engine” not “@%SystemRoot%\system32\bfe.dll,-1001”; however, changing that value had no impact on starting the BFE service.

Next I checked the service's security descriptors for the BFE service on both machines, found a delta and reset the error machine's security descriptors for the BFE service. The results were the same: “Error 5 Access denied”.

Using Process Monitor I attempted to start the BFE service again while capturing the results. I found the “ACCESS DENIED” error when trying to create a sub key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters\Policy. I checked 3 machines and found group permissions for BFE on one of the working machines but not on the other machines.

When checking under groups I found no “BFE” group.

How do I resolve this “Error 5 Access denied”, and could it be related to the missing “BFE” group?

aspx web page working with server name but not with ip address


I have an IIS web page on a Windows 2012 server with a static start page and dynamic aspx content later.

The URL to the static web page works fine in all cases.

The aspx web page works fine in the following cases:

a.) if accessed from the server itself with the ip address

b.) if accessed from other machines with the server name

The aspx web page does not work (displaying an application-specific error which basically says that the dynamic aspx does not work) in the following cases:

c.) if accessed from the server itself with the server name

d.) if accessed from other machines with the ip address

Can you please help me find out how to make it work consistently?

On the server the hosts file contains the server name pointing to the ip address. On the other machines there is no hosts file entry.

The binding of the IIS web page shows 80 and *

My question is similar to

https://social.technet.microsoft.com/Forums/windowsserver/en-US/d54b72dd-ea16-4265-83ed-b9b67febe964/url-work-with-ip-address-but-not-server-name?forum=winserversecurity

but the solution of that page did not solve my problem.

The application pool runs under application pool identity (but I tried changing it to no avail)

Windows Server and HIPAA compliance


Hello,

I'm currently building a reminder system, and I'm needing a HIPAA compliant Windows server provider.

I'm very old school, I like a good old-fashioned VPS, but none of these tend to be HIPAA compliant. 

At the moment, we're talking a minimum of $400 p/m including MSSQL with Azure, AWS and co. To me, this seems outrageous and something a start-up simply cannot afford.

Has anyone dealt with HIPAA and knows of any "start-up friendly" servers which aren't going to make me bankrupt after a month?

remote desktop

Hello support,


I have a Windows 2016 Essentials server. I have set up remote access anywhere using an SSL certificate purchased from GoDaddy. For maintenance I have port 3389 open. My router is a SonicWall. That is how I access the server through RDP, and I know it is not a good idea. What other alternatives do you recommend? I do not want to put TeamViewer or LogMeIn on the server. Can I access the server via the dashboard? Also, if I have a backup of the server (Windows Server Essentials backup) and I have left the external backup attached to the server, in case ransomware hits could that backup be compromised? For that matter, if I use Windows backup of the workstation and the external USB drive is attached, could that backup be encrypted by the ransomware? I appreciate your help.

Jamshid

PAW theory question


Hello!

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations

=====================================================================

7. Restrict Administrators from logging onto lower tier hosts. In this section, we will configure group policies to prevent privileged administrative accounts from logging onto lower tier hosts.

  1. Create the new Restrict Workstation Logon GPO - this setting will restrict Tier 0 and Tier 1 administrator accounts from logging onto standard workstations. This GPO should be linked to the "Workstations" top-level OU and have the following settings:

    • (i) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job, select Define these policy settings and add the Tier 0 and Tier 1 groups:

    • .......

    • (ii) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service, select Define these policy settings and add the Tier 0 and Tier 1 groups:

    =====================================================================

As you see, the Restrict Workstation Logon GPO will have only the two settings, Deny log on as a batch job and Deny log on as a service - neither of them can help in preventing "...privileged administrative accounts from logging onto lower tier hosts", because the setting that does really prevent it - Deny log on locally - is not mentioned here.

Q: Am I missing anything, and can those two settings really deny local log on for some reason, or is this an error in the documentation?

Thank you in advance,
Michael

Windows 10 - Why can a Standard user still access a folder from which the permission for the "Users" group has been removed?


I created a standard user account and deliberately removed the permission to access a certain folder. I did this by disabling the inheritance and removing that permission. The remaining explicit permissions are only for "Authenticated Users", "Administrators" and "System".

When I log on with that standard user account and try accessing that folder, I can still open it and read the files therein. Why is it so? Please advise. Thanks a lot!
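The reason the standard user still gets in is that its access token contains the Authenticated Users group, so the allow entry that was left behind still matches. The added Python example below (not from the original post) walks a DACL the way the Windows access check does, in simplified form, against the token of a standard interactive user, and contrasts the post's DACL with one that grants the folder to a dedicated group instead. The user and group SIDs under S-1-5-21-... are constructed; the well-known SIDs and the rights mask are labelled in the code.

```python
from collections import namedtuple

# Well-known SIDs (real values) for the groups involved.
SID_EVERYONE = "S-1-1-0"
SID_INTERACTIVE = "S-1-5-4"
SID_AUTHENTICATED_USERS = "S-1-5-11"
SID_SYSTEM = "S-1-5-18"
SID_ADMINISTRATORS = "S-1-5-32-544"
SID_USERS = "S-1-5-32-545"

# Simplified access mask (not the real NTFS bit layout): read, write, or both.
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

Ace = namedtuple("Ace", "kind trustee mask")  # kind is "allow" or "deny"

def check_access(dacl, token_sids, requested):
    """Simplified Windows access check: walk the ACEs in order; a deny ACE for
    a SID in the token that covers any requested right ends the check with
    DENIED, allow ACEs accumulate rights until everything requested is granted.
    Reaching the end without all rights granted means DENIED (so an empty DACL
    grants nothing). Owner rights and privileges such as SeBackupPrivilege
    are ignored."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False

def interactive_token(user_sid, extra_groups=()):
    """Groups an interactively logged-on account holds besides its own SID.
    A local standard user is automatically a member of Everyone, Users,
    Authenticated Users and INTERACTIVE; these memberships cannot be removed
    by editing a folder's permissions."""
    return {user_sid, SID_EVERYONE, SID_USERS, SID_AUTHENTICATED_USERS,
            SID_INTERACTIVE, *extra_groups}

# Constructed SIDs for the standard user and for a dedicated reader group.
STANDARD_USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
FOLDER_READERS = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# The post's DACL after disabling inheritance and removing the Users entry.
DACL_FROM_POST = [
    Ace("allow", SID_AUTHENTICATED_USERS, FULL),
    Ace("allow", SID_ADMINISTRATORS, FULL),
    Ace("allow", SID_SYSTEM, FULL),
]

# Same DACL with the Authenticated Users entry replaced by a specific group.
DACL_HARDENED = [
    Ace("allow", FOLDER_READERS, READ),
    Ace("allow", SID_ADMINISTRATORS, FULL),
    Ace("allow", SID_SYSTEM, FULL),
]

def standard_user_can_read(dacl):
    """Can the standard user (no extra group memberships) read the folder?"""
    return check_access(dacl, interactive_token(STANDARD_USER), READ)

if __name__ == "__main__":
    print("post's DACL:", standard_user_can_read(DACL_FROM_POST))   # True
    print("hardened DACL:", standard_user_can_read(DACL_HARDENED))  # False
```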

Error Installing NDES


Hello

I am getting the following error: Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344), when selecting the CA server in the NDES install process.

User has Enterprise Admin rights





Regards

JS


Question regarding removing Enterprise CA


Hi,

this is a continuation of Enterprise PKI and Domain Controller Certificate

Meanwhile I've replaced the Exchange certificate by a public one and revoked all issued certificates.

Following the instructions in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects and Remove CA from Active Directory, I found that the output of certutil -key is different and it returns an error at the end stating "LoadKeys returned The key is not present".

In my opinion there should be only one key store for our CA, but it seems there are 5 key stores le-DomainController-.

The "ESTOS SelfCert Container" comes from an Estos ProCall Server which is running on the same Server.

Can anyone explain what this means?

Can I run certutil -delkey against all 5 key stores?

C:\Users\Administrator>certutil -key
Microsoft Strong Cryptographic Provider:
  7efa5cc9-27b4-48ff-8429-cd805405d09e
  118a899484943e1c80aee351dca96131_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  le-DomainController-b0e71049-2c9b-4dc8-901e-1e9954750a82
  3d303ae165fbee46aabb659c0d5729bc_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  iisConfigurationKey
  6de9cb26d2b98c01ec4e9e8b34824aa2_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  iisWasKey
  76944fb33636aeddb9590521c2e8815a_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  MS IIS DCOM Server
  7a436fe806e483969f48a894af2fe9a1_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE, AT_SIGNATURE

  le-DomainController-4f2bc3ac-0bfb-4ad4-99ec-e3611a683579
  82c1c86b4659f92765bfb9b2be512286_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  le-DomainController-6bc7d558-e348-4808-b04f-a1225ca78270
  a5b5a783601591c4e4182fed4150a68c_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  le-DomainController-38e1e108-8a73-4949-8bf9-2ee9e014e0e3
  b0ba5295f49ac80dabc71a5b90a60ea5_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  WMSvcCertificateKeyContainer
  bedbf0b4da5f8061b6444baedf4c00b1_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  MicrosoftInternetInformationServer
  c2319c42033a5ca7f44e731bfd3fa2b5_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE, AT_SIGNATURE

  8b87de2b-2318-46f5-b002-e444b2b05c20
  c3cdcb0214c50773c4f7ace229b31f74_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  le-DomainController-555efd50-6a87-4346-b215-ace84be1d9b2
  cf074b11b2e7e2b417e83bba9b9f0448_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  NetFrameworkConfigurationKey
  d6d986f09a1ee04e24c949879fdb506c_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  ESTOS SelfCertContainer
  e1318c97b8e71174961bfb5d6be7df0f_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE

  TSSecKeySet1
  f686aace6942fb7f7ceb231212eef4a4_c87c7636-dff5-40ba-a992-2c86f149fb55
    AT_KEYEXCHANGE
LoadKeys hat Der Schlüssel ist nicht vorhanden. 0x8009000d (-2146893811) zurückgegeben.
CertUtil: -key-Befehl wurde erfolgreich ausgeführt.

C:\Users\Administrator>
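Before deleting anything with certutil -delkey it helps to have an inventory of the containers. The added Python example below (not from the original post) parses the layout that certutil -key prints, as shown above, into one record per container and lists the ones named for a given template; it assumes that auto-enrolled certificates get containers named le-<TemplateName>-<GUID>. The sample output is constructed with invented hashes and GUIDs and an English status line in place of the German one.

```python
import re

# A unique container name is <32 hex>_<GUID>; the line before it is the
# friendly container name and the deeper-indented line after it the key specs.
_UNIQUE_RE = re.compile(
    r"^[0-9a-f]{32}_[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def parse_certutil_key(output):
    """Parse the text printed by 'certutil -key' into a mapping
    {provider: [{"name", "unique", "specs"}, ...]} plus the trailing status
    lines (LoadKeys ..., CertUtil: ...), which are kept verbatim."""
    providers, status = {}, []
    provider, current = None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("C:\\"):   # blank line or prompt echo
            continue
        if not raw.startswith(" "):
            if line.endswith(":"):                 # "Provider Name:"
                provider = line[:-1]
                providers[provider] = []
            else:                                  # status text at the end
                status.append(line)
        elif raw.startswith("    ") and current:   # key specs of the container
            current["specs"] = [s.strip() for s in line.split(",")]
        elif _UNIQUE_RE.match(line) and current:   # unique name of the container
            current["unique"] = line
        else:                                      # a new friendly container name
            current = {"name": line, "unique": None, "specs": []}
            providers.setdefault(provider, []).append(current)
    return providers, status

def containers_for_template(providers, template):
    """Friendly names of containers in the le-<Template>-<GUID> form that the
    enrollment client uses for auto-enrolled certificates (assumed naming)."""
    prefix = "le-%s-" % template
    return [c["name"] for conts in providers.values() for c in conts
            if c["name"].startswith(prefix)]

# Constructed sample in the post's layout (hashes and GUIDs invented).
SAMPLE_OUTPUT = """\
C:\\Users\\Administrator>certutil -key
Microsoft Strong Cryptographic Provider:
  le-DomainController-00000000-0000-4000-8000-000000000001
  00000000000000000000000000000001_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    AT_KEYEXCHANGE

  MS IIS DCOM Server
  00000000000000000000000000000002_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    AT_KEYEXCHANGE, AT_SIGNATURE

  le-DomainController-00000000-0000-4000-8000-000000000002
  00000000000000000000000000000003_aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    AT_KEYEXCHANGE
LoadKeys returned The key is not present. 0x8009000d (-2146893811)
CertUtil: -key command completed successfully.
"""

if __name__ == "__main__":
    found, trailer = parse_certutil_key(SAMPLE_OUTPUT)
    for name in containers_for_template(found, "DomainController"):
        print(name)
    print(trailer)
```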

2012 r2 Windows Updates...EPIC FAILURE


I have a client with a Windows Server 2012 r2 file server that I have been trying to update for the last few weeks. I have been seeing the following updates fail. I have tried the recommended fixes which have not worked. I uninstalled the .NET security rollup for June 2018, rebooted and tried to install the updates and have been unsuccessful. The newest version of the .NET didn't install either. I am not seeing any substantive responses from Microsoft regarding these errors and wanted to see if A) anyone else was experiencing this, and B) had anyone else developed or found a resolution.

2018-07 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Server 2012 R2 for x64 (KB4340558)
Installation date: 7/23/2018 7:39 AM
Installation status: Failed
Error details: Code 80092004
Update type: Important
A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this update, you may have to restart your system.
More information:
http://support.microsoft.com/kb/4340558
Help and Support:
http://support.microsoft.com

Microsoft .NET Framework 4.7.2 for Windows Server 2012 R2 for x64 (KB4054566)
Installation date: 7/23/2018 7:38 AM
Installation status: Failed
Error details: Code 80092004
Update type: Recommended
The Microsoft .NET Framework 4.7.2 is a highly compatible, in-place update for all the previous versions of .NET Framework 4.X. After you install this update, you may have to restart your computer.
More information:
http://support.microsoft.com/kb/4054566
Help and Support:
http://support.microsoft.com

Update for Windows (KB4054566)
Installation date: 7/16/2018 7:01 AM
Installation status: Failed
Error details: Code 80092004
Update type: Important
Fix for KB4054566
More information:
http://support.microsoft.com/?kbid=4054566
Help and Support:
http://support.microsoft.com

Thanks,

Joseph



Joseph Rapoport

Enabling additional Windows Server security auditing


Hello,

We are looking to enable additional Windows auditing for all of the Windows Servers in the enterprise using the Microsoft baseline recommendations at https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations. In your experience, what performance implication(s) could we potentially face and need to watch out for, especially for high-traffic servers?

Thanks in advance,

-Jeff

How to detect file copying


Hello, could you please inform me how I can detect which users from a local network copied files from a shared folder which is stored on a Windows 2008 server? The users have full rights on this folder... is there a program that monitors their actions, or can I find this in the event manager?

thank you!

How to install pfx to Service Account

I have looked online, and sadly cannot find a solution. I must import a lot of certificates daily, thus I need to use certutil to script this.

My only problem is, I can import the password protected pfx to User Account and Local Computer, but not to the Service Account.

Any ideas?

Issuing certificates for user and clients from different forest/domain


Hello,

at first I would like to say that I have done some research on this forum and on the Internet overall.

I have an AD Forest with ~10 sites all over Europe, DFL and FFL is 2008 R2, and right now we are migrating site by site from the old domain (Samba) to AD.

Last time I deployed a PKI based on an offline root CA and 2 Enterprise CAs acting as a 2-node Failover Cluster.

Everything in my AD Forest is OK, I mean, autoenrollment works perfectly for users and computers from my forest. Now I need to deploy a certificate (for test) to one web-based PBX server in the Samba domain; there are no trusts etc. The Samba domain as well as the AD Forest are working on the same network, with routeable subnets in each site, so there is no problem with connectivity.

What are the possible ways to achieve this goal? I mean, to issue a cert to a client from a different forest, so that this client is able to validate it, validate the certificate chain and renew it when needed?

I have installed and configured the CE Web Service and CE Policy Web Service. Now I have configured Enrollment Policies on my virtual machine (being part of a different domain), I selected username/password authentication, I am able to request a certificate, I can see all templates which I should see, but when I try to enroll I get an error:

(translated from my language) A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider

My root CA cert is added to trusted publishers for computer and user node as well.

What could be wrong? If you have any ideas or questions, please share or ask. 

Thank you in advance.


Windows update fails due to expired certificate

I have a Windows 2012 R2 Server failing to install updates; Installation Failure: Windows failed to install the following update with error 0x80073712: Security Update for Windows (KB4339093); which I believe is due to an expired certificate.

Certificate Revocation Status
Calling Application: consent.exe
Certificate Name: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows
Certificate Issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
Certificate Serial Number: 330000004EA1D80770A9BBE94400000000004E
Revocation Status: Unable to verify
Error: The certificate has expired.
How do I replace this certificate?

Help! Escalated Privilege provided without administrator credentials


Hi,

I'm looking for some advice from someone who can advise about user accounts being provided escalated privileges on a PC using Windows Server 2008, Windows 7.

My IT department are implying I knowingly provided a user with escalated privileges using my Administrator account credentials, enabling them to access a USB drive containing an Autorun virus.

I was not present when the USB drive was used on the network computer. My manager and I have tested whether a prompt window pops up requesting Administrator user credentials when someone without USB access inserts a USB device (users only receive an 'Access Denied' pop-up). But our IT department are still implying that I still provided the user with escalated privileges.

They forwarded me the following details (my username below is for my standard account, not my administrator account):

USERNAME                        SESSIONNAME  ID  STATE   IDLE TIME  LOGON TIME
u111194 (me)                                  8  Disc         3:42  16/07/2018 10:14
u100049 (other staff member)    console      12  Active       none  17/07/2018 09:43

Threat Detected: Autorun.gen!A
Threat Category: Virus
Alert Level: Severe
Description: This is a file, named autorun.inf, that worms create when they copy themselves to a local, network, or removable drive.
# of Users Affected: 1
# of PCs Affected: 1
Quarantined: Yes
Computer: SC-CZC2024444
User: u100049 logged in. u111194 escalated privilege
Infection time: 17/07/2018 10:27am

I'd be grateful if someone with a little knowledge in this area would be able to give me some advice on this issue, as my employers are taking this very seriously and I don't want this to affect opportunities for progression in the future.

Is it possible that, if I had logged in to this PC with my administrator account at some point (weeks/months ago), 'switching user' would provide escalated privilege to other accounts logged onto this PC if my administrator account was locked but not logged out?

Thank you in advance.

George

Renew CA certificate - Old Signature Hash Algorithm is SHA1 (RSA) and need to renew with SHA256 (SHA2)


Hello Friends,

We have a CA server deployed on Windows 2008 R2; recently we changed the hash algorithm for our CA from SHA1 to SHA2 and now all new certificates are being issued with SHA2 as the hash algorithm. However, our root CA certificate is still SHA1 and now we want to renew it with SHA2. When I generate any certificate chain using a CSR, the chain contains the root CA having a SHA1 hash. I have the below questions before I proceed with renewal.

1. Impact if any.

2. After I renew the CA root certificate with SHA2, what will happen on client devices/network devices that have had the SHA1 root certificate for a long time?

3. Are there any precautionary steps that need to be taken before trying to renew?

Request your suggestions on this.

Regards,

Shyam Hendre.
MCP, MCTS



Unable to provide MSMQ site controller on 2008 server and install MSMQ on windows NT


I am trying to install MSMQ on Windows NT by specifying the MSMQ site controller on a Windows 2008 server, but the installation is failing with the error below.

Please kindly provide any additional information on the security error message below.

Additional Information:-

1. The MSMQ down-level client service is running on the Windows 2008 server

2. Allow cryptography algorithms compatible with Windows NT 4.0 is enabled on the Windows 2008 server.

Windows 2008 security event viewer error message:-

--------------------------------------------------------------------

   

RPC detected an integrity violation while decrypting an incoming message.
Peer Name: xx.yy.xx.zz(WinNT client computer IP address)
Protocol Sequence:ncacn_ip_tcp
Security Error:2148074255

WINNT 4.0 on pack installation error:-

-------------------------------------------------

Microsoft Message Queue Setup error:
Unable to obtain computer properties from the information server.

Internal DS error.
Error code = 0xC00E0043

What the minimum permission for a local user to get all task schedule no matter who created it


As a local user, I want to get all scheduled tasks no matter who created them. So what kind of permission should this local user have?

Given: Windows 2016, two users, one is a local user, the other is a domain administrator

When: the domain administrator creates a schedule named task1, I log on as the local user and open 'Task Scheduler', and cannot see task1.

I tried to:

  • Add the "full control" permission for the "C:\Windows\System32\Tasks" folder to the local user; it still cannot see task1. But for 2012 R2 and 2008 R2 it works.
  • Add the local user to the 'local administrators' group; then it can see task1. But the permission is too high.

So what is the minimum permission for the local user to see all tasks no matter who created them? (UAC set to never notify)

Windows Server 2012 R2 - frequent failed login attempt by system account


Hello,

we noticed that every night there is a large number of failed login attempts on our domain controller (Windows Server 2012 R2). It is a system account which logs in successfully all the time, but fails multiple times around 0:30.

Last night it started at 0:32:14, to be exact. I checked the task scheduler for any executed task for that time, failed or successful, but could not find any.

I noticed there are a few random failed logins throughout the day (not more than 1 or 2 at a time), but they always heap up around 0:30 with dozens, sometimes hundreds of login failures in a row.

This is what the logged event (Security) has logged - they're all the same (for simplicity, let's say the server's name is "SERVER"):

Request:
     Security-ID: SYSTEM
     Account name: SERVER$
     Account domain: OUR-DOMAIN
     Login-ID: 0x3E7

Login Type: 3

Account for which the login failed:
     Security-ID: NULL SID
     Account name:
     Account domain:

Error information:
     Reason: Unknown username or invalid password.
     Status: 0xC000006D
     Substatus: 0xC0000064

Process information:
     Call process ID: 0x29c
     Call process name: C:\Windows\System32\lsass.exe

Network information:
     Workstation name: SERVER
     Source network address:
     Source port:

Detailed authentification information:
     Login process: Schannel
     Authentification packet: Kerberos
     Relayed services: -
     Packet name (NTLM only): -
     Key length: 0

Does anyone have an idea what might be going on?
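The added Python example below (not from the original post) parses 4625 events laid out like the one quoted above, decodes the sub-status, and groups failures into 5-minute windows so that the nightly burst stands out from the scattered daytime failures; it also breaks each burst down by logon process, which separates SChannel (TLS client-certificate) logons from NTLM or Kerberos password failures. The events are constructed from the post's text with an invented Time line and invented account names.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Well-known NTSTATUS sub-status values reported in event 4625.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC000006F: "logon outside permitted hours",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}

def parse_4625(text):
    """Parse one 4625 event laid out as 'Label: value' lines (the post's layout
    plus a constructed 'Time:' line). A repeated label such as 'Account name'
    gets a _2 suffix so both the caller and the target account survive."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (part.strip() for part in line.split(":", 1))
        if key in fields:
            key += "_2"
        fields[key] = val
    code = int(fields.get("Substatus", "0"), 16)
    fields["Substatus text"] = SUBSTATUS.get(code, "unknown sub-status %#x" % code)
    return fields

def find_bursts(events, minutes=5, threshold=10):
    """Bucket failures into fixed windows and report every window holding at
    least `threshold` of them, broken down by logon process and sub-status."""
    buckets = defaultdict(list)
    for ev in events:
        t = datetime.strptime(ev["Time"], "%Y-%m-%d %H:%M:%S")
        buckets[t.replace(minute=t.minute - t.minute % minutes, second=0)].append(ev)
    report = []
    for start in sorted(buckets):
        evs = buckets[start]
        if len(evs) >= threshold:
            report.append({
                "window": start.strftime("%Y-%m-%d %H:%M"),
                "count": len(evs),
                "by_process": Counter(e["Login process"] for e in evs),
                "by_substatus": Counter(e["Substatus text"] for e in evs),
            })
    return report

# Constructed sample in the post's layout: a burst from 0:32:14 of Schannel
# logons with an empty target name, plus two scattered NTLM failures.
_TEMPLATE = """\
Time: {time}
Request:
     Security-ID: SYSTEM
     Account name: SERVER$
Account for which the login failed:
     Security-ID: NULL SID
     Account name: {target}
Error information:
     Status: 0xC000006D
     Substatus: {substatus}
Detailed authentification information:
     Login process: {process}
     Authentification packet: {package}
"""

def _event(time, process, package, substatus, target=""):
    return parse_4625(_TEMPLATE.format(time=time, process=process,
                                      package=package, substatus=substatus,
                                      target=target))

SAMPLE_EVENTS = [_event("2018-07-24 00:32:%02d" % (14 + i), "Schannel",
                        "Kerberos", "0xC0000064") for i in range(30)]
SAMPLE_EVENTS += [_event("2018-07-24 09:15:02", "NtLmSsp", "NTLM", "0xC000006A", "jsmith"),
                  _event("2018-07-24 14:40:51", "NtLmSsp", "NTLM", "0xC000006A", "jsmith")]
```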

