Channel: Security forum

disable NTLMv1


Hi

I am tasked with disabling NTLMv1 and am working through the auditing phase by setting the CompatibilityLevel to 4; the goal is then to bump it up to 5 once all applications using NTLMv1 have been remediated or added to an exclusion list.

My question is: if I set the CompLevel to 5, does this mean that NTLMv2 will be preferred over Kerberos? Or will Kerberos still be used first, and only if it fails will NTLMv2 be used?

Thanks in advance
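Added example for the auditing phase described above (not code from the original post): it reads the current LmCompatibilityLevel and pulls the NTLMv1 logons out of the Security log, since event 4624 records the NTLM flavour in its LmPackageName field. LmCompatibilityLevel only governs LM/NTLM negotiation; it does not change the Negotiate package's preference for Kerberos. Assumptions: run elevated on the server or DC whose Security log you want to inspect, with Logon/Logoff auditing enabled; the seven-day window is arbitrary.

```powershell
# Added example, not from the original post. Assumes elevated PowerShell on a host
# with Security event 4624 auditing enabled.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 'not set (OS default applies)' }
"LmCompatibilityLevel = $level"

# Event 4624 carries the NTLM flavour in LmPackageName: "NTLM V1", "NTLM V2", or "-" for
# Kerberos logons. Filter on the last seven days (arbitrary window) and keep only NTLM V1.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }
$ntlmv1 = foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LmPackageName -eq 'NTLM V1') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
            LogonType   = $d.LogonType
        }
    }
}

# One line per account/source pair, most frequent first: each is a candidate for
# remediation or for the exclusion list before the level goes to 5.
$ntlmv1 | Group-Object User, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Raw detail when a particular pair needs investigating:
# $ntlmv1 | Where-Object User -like '*svc_backup*' | Format-Table -AutoSize
```

Run it on each DC rather than on a single member server: authentication for domain accounts is logged on the DC that validated the NTLM exchange, so the member server's log shows only its own local logons.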


How to disable Credential Manager to store passwords from VPN connections?


Hello

The workstation is a domain member running Windows 7 Enterprise. When I connect via VPN with some credentials, they are stored automatically in Credential Manager with a "*Session" marker. When I connect to network shares on domain servers, the workstation uses the credentials stored in Credential Manager. So, because the stored credentials are different from the domain user account, the workstation can't connect to network shares in the domain. When I manually remove the stored "*Session" credentials, the workstation connects to the domain servers OK. So I need to disable storing passwords from VPN connections in Credential Manager, because they are different from the domain user account.

P.S. I already posted this question on the "Windows 7 Security, Privacy, and User Accounts" forum, but got no answers at all. Maybe somebody here can help me?

Disable TLS 1.0 on all Ports on Windows Server 2012 R2

I am running Windows 2012 R2 and I have disabled TLS 1.0 both in the registry and using IISCrypto. However, my security scanner is still showing TLS 1.0 in use on certain ports: 443, 5989, 8443, 9443. If TLS 1.0 is disabled, how is it still available on these ports, and how can I completely disable it on the server?

Terry

Update/Renew Issuing CA Certificate

Hi,

I want to update the issuing CA certificate as it is going to expire soon. What are the best options for me so that I do not need to worry about client devices using certificates (computers, network appliances, etc.)?

Option 1: Renew the certificate with the same key; it generates a new certificate with the existing key.
Option 2: Renew the certificate with a new key; it generates a new certificate with a new key.

What are the next steps? As the existing certificate is still valid I should not be worried about clients, but I need to find a way to distribute the new intermediate certificate to all the devices through AIA (LDAP & HTTP)?
When I issue new certificates (3 years), does it use the new one?

Please provide guidance.
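Added example for the renewal question above (not code from the original post): after the issuing CA has been renewed (certutil -renewCert ReuseKeys for Option 1, certutil -renewCert for Option 2), it compares the CA certificates now in the CA's store, shows where the CA publishes them, and checks which of them a freshly issued certificate chains to. The difference between the two options is visible in the Subject Key Identifier: same key, same SKI. Assumptions: run on the issuing CA itself; 'Contoso Issuing CA' and C:\temp\issued.cer are placeholders.

```powershell
# Added example, not from the original post. Placeholders: CA common name and the
# path of a certificate issued after the renewal.

$caName = 'Contoso Issuing CA'

function Get-ExtensionText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { $null }
}

# Each renewal adds another CA certificate to the machine store; the CA signs with the
# newest one. Same Subject Key Identifier (2.5.29.14) on old and new = same key (Option 1),
# a different SKI = new key (Option 2), in which case newly issued certs get a new AKI.
$caCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } | Sort-Object NotBefore
$caCerts | ForEach-Object {
    [pscustomobject]@{
        Thumbprint   = $_.Thumbprint
        NotBefore    = $_.NotBefore
        NotAfter     = $_.NotAfter
        SubjectKeyId = Get-ExtensionText -Cert $_ -Oid '2.5.29.14'
    }
} | Format-Table -AutoSize

# Where the CA publishes its certificate (the AIA locations clients fetch from), and what
# the AD copy currently holds. If the new certificate is missing from AD, publish it with:
#   certutil -dspublish -f <newcacert.crt> SubCA
certutil -getreg CA\CACertPublicationURLs
certutil -store -enterprise CA

# A certificate issued after the renewal: its Authority Key Identifier (2.5.29.35) must
# reference the active CA certificate, and the chain must build through it to the root.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\issued.cer'
"Issued cert AKI: $(Get-ExtensionText -Cert $issued -Oid '2.5.29.35')"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain shape only; CRL reachability is a separate check
$built = $chain.Build($issued)
"Chain builds: $built"
$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Certificate.Subject
        Thumbprint = $_.Certificate.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        Status     = ($_.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
} | Format-Table -AutoSize
```

The thumbprint in the chain output is what tells you whether clients are already building to the renewed certificate; run the last part on a client rather than the CA to see the chain from the client's point of view, including whether the AIA fetch works there.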

Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)


Hi,

I am very new to PKI and I am currently trying to set up a two-tier PKI environment.

The OS for my Root CA and Sub CA is Windows Server 2016, and I am using a Luna HSM to store my keys.

I have successfully set up my Root CA and Sub CA without any errors, but when I try to renew my Sub CA I get the following error:

An error occurred when creating the new key container "My_Sub_CA_Name(1)". Please make sure the CSP is installed correctly or select another CSP. Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)  

I have tried using the command "vtl verify" and I can see my HSM, so can anyone help me regarding this error?

Regards

Is the TLS 1.0 being disabled or not?


I tried to disable TLS 1.0 on Microsoft Server 2012 R2 using the method recommended by Microsoft (link: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs).

However, when I scan the servers, some of the ports are still using TLS 1.0.

Does anyone know whether TLS 1.0 is disabled or not?

AD Domain Controller has Two Valid Certificates for LDAP/S - Which Would it Pass to a Client Coming in?


Hi,

In my scenario, I have services wanting to do LDAP/S binds to AD DCs. The DCs have a DC certificate from a tactical PKI which was deployed a dozen years ago; the services (typically UNIX) trust the DC cert back to the root. We would like to deploy a new ADCS PKI, and initially the DCs will contain 'legacy' DC certs and 'new' DC certs chaining to a different root. We know that we need to make the services making the binds trust the CA chain which issues the new DC certs, so we can be sure that whatever DC cert is picked in the LDAP/S bind won't be a problem. No issues with that; that 'story' is just background.

We have another application, this time on a non-domain-joined Windows server, which will also need to make LDAP/S binds to a DC. We can if necessary make this server trust the old and new CAs; however, I was asked the question "If a service talks to a DC to retrieve a cert for LDAP/S purposes, which cert would the DC hand back to satisfy the request?" i.e., provided the cert satisfies criteria such as being time valid, having the right usage, etc., will it simply give back the first one alphabetically, or choose the newest one, etc.?

I think this could be similar to what an IIS server would have to do if it had two valid SSL certs from different chains.  When a browser makes an HTTPS request, which cert would the IIS server / CAPI chuck back to the client?

Sorry about such a load of verbiage; I'll try to make it short here: "If a Windows server has two valid certs for a particular purpose, which one would it pick to chuck back to a client coming in with a request?"

Any advice would be gratefully appreciated. Thanks, Chipeater
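Added example serving the three questions above about TLS 1.0 still being offered on some ports and about which certificate a DC presents on LDAPS (not code from the original posts). It dumps the SCHANNEL protocol keys, probes each port with a TLS 1.0-only client and names the process owning the listener, then connects to a DC on 636 a few times and records the certificate it hands back. The SCHANNEL registry keys only govern services that use SCHANNEL; a listener built on Java or OpenSSL (vendor management agents on 5989, 8443 and 9443 are typical) carries its own TLS configuration and has to be fixed in that product. For LDAPS, a certificate placed in the NTDS service store is used in preference to the machine store, which is the supported way to make the choice deterministic. Assumptions: Windows Server 2012 R2 or later with .NET 4.5+; 'localhost', the port list and 'dc01.corp.example' are placeholders.

```powershell
# Added example, not from the original posts. Placeholders: target host names and ports.

# (0) What the registry actually says, per protocol and side. A protocol is off for a side
#     only when Enabled=0 and DisabledByDefault=1 under that side's (Client/Server) key.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
Get-ChildItem -Path $base -Recurse | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Key               = $_.PSPath -replace '.*\\Protocols\\', ''
        Enabled           = $v.Enabled
        DisabledByDefault = $v.DisabledByDefault
    }
} | Format-Table -AutoSize

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls'   # Tls = TLS 1.0 only
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept any certificate: the point is to see what is offered, not to validate it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint = "${ComputerName}:$Port"; Offered = $Protocol; Accepted = $true
            Negotiated = $ssl.SslProtocol; Subject = $cert.Subject; Issuer = $cert.Issuer
            Thumbprint = $cert.Thumbprint; Error = $null
        }
    } catch {
        [pscustomobject]@{
            Endpoint = "${ComputerName}:$Port"; Offered = $Protocol; Accepted = $false
            Negotiated = $null; Subject = $null; Issuer = $null; Thumbprint = $null
            Error = $_.Exception.GetBaseException().Message
        }
    } finally { $tcp.Close() }
}

# (1) Which listeners still accept a TLS 1.0-only client, and which process owns each one.
#     Run this from a host whose own SCHANNEL *Client* key still allows TLS 1.0, otherwise
#     the probe fails locally and tells you nothing about the server.
$results = foreach ($p in 443, 5989, 8443, 9443) {
    $r = Test-TlsEndpoint -ComputerName 'localhost' -Port $p -Protocol Tls
    $owner = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty OwningProcess
    $proc = if ($owner) { (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName } else { $null }
    $r | Add-Member -NotePropertyName Process -NotePropertyValue $proc -PassThru
}
$results | Format-Table Endpoint, Offered, Accepted, Negotiated, Process, Error -AutoSize

# (2) Which certificate the DC hands back on LDAPS. Repeat the probe: with two valid
#     server-authentication certificates in the machine store the pick is Schannel's and is
#     not guaranteed to be stable; the NTDS service store, when populated, wins over it.
1..3 | ForEach-Object { Test-TlsEndpoint -ComputerName 'dc01.corp.example' -Port 636 -Protocol Tls12 } |
    Format-Table Endpoint, Negotiated, Subject, Issuer, Thumbprint -AutoSize

# On the DC itself, the NTDS service's own certificate store:
certutil -service -store NTDS\My
```

A port that shows Accepted = True with a process name like java or a vendor agent is the answer to "how is it still available": the SCHANNEL change never reached that stack. For the same reason a scanner run from a machine with TLS 1.0 disabled client-side would report every port as clean, so the probe host matters.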

2008 R2 Certificate Authority In Place Upgrade to 2012 R2


Hello,

I've been reviewing all the MS documentation on CA migrations, but none of it covers in-place upgrades. No documentation against the idea either.

We have a single Root CA running 2008 R2; I would like to upgrade it to 2012 R2 in place.

Is that possible?

Not recommended?

Do I need to update to 2008 R2 w/SP1 first?

Or is it just better to Migrate to new installed 2012 R2 server?

Thanks, Tony


Activation of Windows Firewall on Windows Servers


Hi, Guys.

We have a plan to enable Windows Firewall on all our servers in our network, both on-prem and in Azure. Do you have any procedures for how to start on this and how to do it?

Thank you
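Added example of a staged rollout for the question above (not code from the original post): it turns the firewall profiles on with the inbound default left at Allow and logging enabled, so nothing breaks while the log records what actually arrives, then summarises the log by destination port and source so the allow rules can be written from evidence before the default is flipped to Block. The in-guest firewall is independent of Azure network security groups; both apply. Assumptions: Windows Server 2012 or later (NetSecurity module), run elevated; the log path is the default one; the sample log lines are constructed to exercise the parser and are used only when the real log is absent.

```powershell
# Added example, not from the original post. Constructed sample log lines are used when
# the real pfirewall.log is not present.

# Step 1: profiles on, inbound default still Allow, every connection logged.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Allow -DefaultOutboundAction Allow `
    -LogAllowed True -LogBlocked True -LogFileName $log -LogMaxSizeKilobytes 32767

# Step 2 (after a representative period): what inbound traffic did the box receive?
# pfirewall.log columns, from its "#Fields:" header:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-InboundSummary {
    param([string[]]$Lines)
    $rows = foreach ($l in $Lines) {
        if ($l -match '^#' -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $f = $l -split '\s+'
        if ($f.Count -lt 17 -or $f[16] -ne 'RECEIVE') { continue }   # inbound only
        [pscustomobject]@{ Action = $f[2]; Proto = $f[3]; Src = $f[4]; DstPort = [int]$f[7] }
    }
    $rows | Group-Object Proto, DstPort | ForEach-Object {
        [pscustomobject]@{
            Proto   = $_.Group[0].Proto
            DstPort = $_.Group[0].DstPort
            Hits    = $_.Count
            Sources = ($_.Group.Src | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample in the same layout (the SEND line is outbound and must be ignored):
$sample = @'
2018-07-02 09:15:01 ALLOW TCP 10.0.0.15 10.0.0.5 51234 445 0 - 0 0 0 - - - RECEIVE
2018-07-02 09:15:03 ALLOW TCP 10.0.0.21 10.0.0.5 51300 3389 0 - 0 0 0 - - - RECEIVE
2018-07-02 09:15:07 ALLOW TCP 10.0.0.5 10.0.0.1 49201 389 0 - 0 0 0 - - - SEND
2018-07-02 09:15:09 ALLOW TCP 10.0.0.15 10.0.0.5 51240 445 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

$lines = if (Test-Path $log) { Get-Content $log } else { $sample }
Get-InboundSummary -Lines $lines | Format-Table -AutoSize
# With the sample: TCP/445 2 hits from 10.0.0.15, TCP/3389 1 hit from 10.0.0.21.

# Step 3: write rules for what the summary shows is legitimate, scoped to the sources seen,
# then flip the default. Example for the SMB row above:
# New-NetFirewallRule -DisplayName 'SMB in from file clients' -Direction Inbound -Protocol TCP `
#     -LocalPort 445 -RemoteAddress 10.0.0.0/24 -Action Allow
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
```

Deploying the same three steps through a GPO (Computer Configuration, Windows Defender Firewall with Advanced Security) rather than per host keeps the audit and enforcement phases consistent across the estate; the log parser is the part that does not change between the two.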

Windows Server 2012R2 | Windows Event Forwarder Issues (Event: 102 / Code: 5004)


Hey all,

I'm currently trying to implement event collection in our environment, but I cannot get WEF working. The following are the things I've done:

1. Configured WinRM on the client and collector machines
2. Deployed a GPO that pointed the client machines to the collector for event forwarding
3. Created a subscription on my WEF machine and selected:
   1. Destination: Forwarded Events
   2. Source computer initiated
   3. Computer groups: Domain Computers
   4. Select events: Critical, Warning
4. Then selected OK and activated the subscription.

I currently have all my source computers checking in, but I'm still getting the same error (Event 102 / Code 5004). I've added the WEF to the domain group Event Reader and confirmed the WinRM connection.

What am I doing wrong?

Cannot block Windows 10 built-in apps using AppLocker


Hi

I have a Windows Server 2016 Domain Controller and a Windows 10 Enterprise client.

Using Packaged app Rules in AppLocker, I am able to deny Windows Settings (formerly PC settings) in the Start menu on my client.

But via the same procedure I can't block built-in Packaged App tiles on the Start menu such as Xbox Game, Calendar, Mail & Accounts, etc.

In my AppLocker policy I've raised the slider to include all versions of the above apps, since the policy is created on Server 2016 and needs to apply on Windows 10, but still no result, and normal users can still run these apps.

Has anybody tested blocking Packaged Apps via AppLocker?

Thanks in advance
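Added example for the question above (not code from the original post): it builds deny rules for specific built-in packaged apps from their installed publisher information, keeps the allow-all packaged app rule so other apps keep working, tests what the resulting policy would decide for a user, and checks the service that enforces packaged app rules. New-AppLockerPolicy only emits Allow rules, so the generated rules are flipped to Deny in the XML and their version range widened, which is the scripted equivalent of moving the slider to all versions. Assumptions: run elevated on the Windows 10 Enterprise client; the package names are the usual inbox ones and may differ by build; the GPO path and user name are placeholders.

```powershell
# Added example, not from the original post. Placeholders: package names, user, GPO path.

# Packaged app rules are only evaluated while the Application Identity service runs;
# with it stopped, every packaged app is allowed regardless of the policy.
Get-Service AppIDSvc | Select-Object Name, Status, StartType

# Publisher data for the apps to deny, read from the installed packages.
$targets = 'Microsoft.XboxApp', 'microsoft.windowscommunicationsapps' |
    ForEach-Object { Get-AppxPackage -AllUsers -Name $_ } |
    Sort-Object PackageFullName -Unique
$denyInfo = Get-AppLockerFileInformation -Packages $targets

# Generate publisher rules, then turn them into Deny rules that match any version.
[xml]$policy = New-AppLockerPolicy -FileInformation $denyInfo -RuleType Publisher -User Everyone -Xml
$appx = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
$appx.EnforcementMode = 'Enabled'
foreach ($rule in @($appx.FilePublisherRule)) {
    $rule.Action = 'Deny'
    $range = $rule.Conditions.FilePublisherCondition.BinaryVersionRange
    $range.LowSection  = '0.0.0.0'
    $range.HighSection = '*'
}

# The default allow-all packaged app rule; in AppLocker an explicit Deny beats an Allow.
$allowXml = @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="All signed packaged apps" Description=""
                   UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
      <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
$appx.AppendChild($policy.ImportNode(([xml]$allowXml).DocumentElement, $true)) | Out-Null

$path = "$env:TEMP\appx-deny.xml"
$policy.Save($path)

# Test before deploying: PolicyDecision should read Denied for each target package.
Test-AppLockerPolicy -XmlPolicy $path -Packages $targets -User 'CONTOSO\normaluser' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Deploy into the GPO that targets the clients (-Merge keeps the rules already there), then
# on a client confirm the Deny rules arrived in the effective policy:
# Set-AppLockerPolicy -XmlPolicy $path -Merge `
#     -Ldap 'LDAP://dc01.contoso.org/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=org'
# Get-AppLockerPolicy -Effective -Xml | Select-String 'Action="Deny"'
```

If Test-AppLockerPolicy reports Denied but users can still launch the app, the usual gaps are the Application Identity service not running on the client, the policy not yet applied (gpupdate, or the effective policy above still lacking the rule), or the rule generated against a package whose publisher does not match the one actually installed, which Get-AppxPackage on the client will show.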

Windows Updates not seen


Hi, I have numerous Windows Server systems that our vulnerability scan is saying need KB4018196, KB4018466, KB4018556, KB4018821, KB4018885, KB4018927, KB4019149, KB4019204 and KB4019206.

If I have Windows Update check the MS site for updates, it says there are no critical updates needed, but a couple of important ones, none of which are on this list. I don't see these as installed on the system, and I haven't seen them replaced by another update that I can find. Several of these are related to WannaCry, so I know they are critical. Why doesn't Windows Update see them as needed or as being installed?
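Added example for the question above (not code from the original post): it checks each KB the scanner listed against what the OS reports as installed, then asks the Windows Update Agent directly for its install history and for the updates it currently considers applicable, including what those updates supersede. When a later update lists an older KB among the updates it supersedes, the agent stops offering the older one, which is how an uninstalled KB can be "not needed". Assumptions: run elevated on one of the scanned servers; the KB list is the one quoted in the post.

```powershell
# Added example, not from the original post. The KB list is the one from the post.

$wanted = 'KB4018196','KB4018466','KB4018556','KB4018821','KB4018885',
          'KB4018927','KB4019149','KB4019204','KB4019206'

# 1) What the OS reports as installed (same data as "wmic qfe").
$installed = (Get-HotFix).HotFixID
$wanted | ForEach-Object {
    [pscustomobject]@{ KB = $_; InstalledPerQfe = ($installed -contains $_) }
} | Format-Table -AutoSize

# 2) The Windows Update Agent's own records: successful installs in its history.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) | Where-Object { $_.ResultCode -eq 2 } } else { @() }
$wanted | ForEach-Object {
    $kb = $_
    $h  = $history | Where-Object { $_.Title -match $kb } | Select-Object -First 1
    [pscustomobject]@{ KB = $kb; InWuaHistory = [bool]$h; Title = $h.Title; Date = $h.Date }
} | Format-Table -AutoSize

# 3) What the configured source (WSUS or Microsoft Update) currently offers this machine,
#    with KB numbers and the number of updates each one supersedes. A rollup here whose
#    superseded list covers one of the wanted KBs is the reason that KB is no longer offered.
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')
$result.Updates | ForEach-Object {
    [pscustomobject]@{
        Title      = $_.Title
        KBs        = (@($_.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Supersedes = @($_.SupersededUpdateIDs).Count
        Severity   = $_.MsrcSeverity
    }
} | Format-Table -AutoSize
```

The two views can legitimately disagree with the scanner: Get-HotFix lists only what is installed, and the agent only offers what its source still publishes, so a scanner keyed on file versions may keep flagging a KB whose fix shipped inside a later rollup. Comparing the file version the scanner names against the one on disk settles it for a given KB.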

TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2

We have a server running Windows Server 2008 SP2, and since it does not support TLS 1.1 and TLS 1.2, we have just applied the patch KB4019276, which was released in July 2017.

The server was restarted, and we have also enabled TLS 1.1 and TLS 1.2 in the registry and restarted the server. But when we use IISCrypto.exe to check the setting, it still does not show TLS 1.1 or TLS 1.2.

When we go to IE Internet Options | Advanced, we also still cannot see "Use TLS 1.1" and "Use TLS 1.2". Please advise.

Port Enable in Firewall


Hi All,

I have enabled these ports, "137, 138, 445", in the Windows Server 2012 R2 firewall on the base server and in the VM as well, but these ports are still showing as blocked.

We have to open these ports for sharing purposes to a Mac,

but we failed again and again.

The server edition is Datacenter, and I want to know: if we enable the port on the VM, is it mandatory to enable the port on the base as well? Right now I have enabled the port on the base as well as on the VM.

Please let me know if anyone knows.

Thanks and Regards

Vipin Jeswani
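Added example for the question above (not code from the original post): it opens the file-sharing ports inside the VM with a rule scoped to the Mac, then verifies the things that make a port "still blocked" even when a rule exists: the rule being enabled, the rule's profile matching the profile the NIC is actually on, and a service actually listening on the port. 137 and 138 are UDP (NetBIOS name and datagram service); 139 and 445 are TCP. The Hyper-V host's own firewall filters the host's network stack, not traffic switched to a VM, so the check belongs in the guest. Assumptions: Windows Server 2012 R2 with the NetSecurity module, run elevated inside the VM; 10.0.0.50 is a placeholder for the Mac's address.

```powershell
# Added example, not from the original post. Placeholder: the Mac's IP address.

$mac = '10.0.0.50'

# Either enable the built-in rule group (covers 137/138 UDP and 139/445 TCP for the
# profiles it is defined for)...
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# ...or create explicit rules scoped to the one client that needs them:
New-NetFirewallRule -DisplayName 'SMB from Mac' -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $mac -Profile Domain,Private -Action Allow
New-NetFirewallRule -DisplayName 'NetBIOS from Mac (UDP)' -Direction Inbound -Protocol UDP -LocalPort 137,138 `
    -RemoteAddress $mac -Profile Domain,Private -Action Allow

# Check 1: which profile is each NIC on? A rule limited to Domain/Private does nothing for
# a NIC that Windows has classified as Public, which is a common reason a port "stays blocked".
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Check 2: the rules exist, are enabled, and carry the intended profile, port and scope.
Get-NetFirewallRule -DisplayName 'SMB from Mac', 'NetBIOS from Mac (UDP)' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Enabled = $_.Enabled; Profile = $_.Profile; Action = $_.Action
        Protocol = $port.Protocol; LocalPort = ($port.LocalPort -join ','); RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# Check 3: a rule only admits traffic to something that is listening. 445 belongs to the
# Server service; if it is stopped, the port is closed regardless of the firewall.
Get-Service LanmanServer | Select-Object Name, Status
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue | Select-Object LocalAddress, LocalPort

# Check 4: blocked packets are logged when profile logging is on; look for the Mac's address.
# Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True
# Select-String -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Pattern "DROP .* $mac "

# From another Windows host the end-to-end test is:
# Test-NetConnection -ComputerName <vm-name> -Port 445
```

If check 3 shows a listener and check 2 shows an enabled rule on the right profile but the Mac still cannot connect, the block is somewhere on the path rather than in the guest firewall, and the log in check 4 will not show a DROP for it.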

Error in MBSA report "Run components not signed with authenticode ntservice/MSSQL$MATESQL2005"


Hello All,

I am getting the subject error in the MBSA report on Windows Server 2008 R2. The same error is there on multiple servers. The servers are patched through June 2018.

I have tried disabling the required settings via registry and GPO, but the same error still appears in the MBSA report.

Also tried uninstalling MBSA 2.1 and MBSA 2.3, but no luck.

As this error belongs to the SQL default account, I am not able to log in, as the password is system generated.

Please help me with an idea to resolve the issue, or a solution / workaround.

Thanks, Chinmay.


Windows Server 2016 Version 1607

I couldn't download any updates for Windows Server 2016 Version 1607 since June 2018. Has Microsoft stopped releasing patches for Windows Server 2016 Version 1607?

Setting up Microsoft LAPS


I have a large enterprise AD environment. My OU structure goes as follows: Country OU, then Site OU, then an OU called Server.

Every Site OU has a sub-OU called Servers.

I am trying to implement LAPS, specifically trying to set the computer permission. The command as follows is how it is documented:

Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Server,DC=Contoso,DC=org"

I have tried running the command Set-AdmPwdComputerSelfPermission -OrgUnit "OU=Servers,OU=site,OU=Country,DC=Contoso,DC=org"

The command is failing. What am I doing wrong?
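Added example for the question above (not code from the original post): it delegates the LAPS computer self-permission on every OU named Servers in the Country/Site hierarchy by looking the OUs up rather than typing each DN, then lists who holds the extended right to read the passwords so that over-broad delegation shows up. One detail worth knowing when typing the documented command by hand: PowerShell treats an unquoted, comma-separated DN such as OU=Servers,OU=Site,DC=contoso,DC=org as an array of four strings, so the DN has to be quoted. Assumptions: the AdmPwd.PS and ActiveDirectory modules are installed, the schema has already been extended, and contoso.org, the OU name Servers and CONTOSO\ServerAdmins are placeholders.

```powershell
# Added example, not from the original post. Placeholders: domain, OU name, admin group.

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

# Every OU named 'Servers' anywhere under the domain, whatever Country/Site it sits in.
$serverOUs = Get-ADOrganizationalUnit -Filter "Name -eq 'Servers'" -SearchBase 'DC=contoso,DC=org'
"Found $(@($serverOUs).Count) Servers OUs"

foreach ($ou in $serverOUs) {
    # Lets computers in this OU write their own ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime.
    # The DN is passed as a single (already quoted) string.
    Set-AdmPwdComputerSelfPermission -OrgUnit $ou.DistinguishedName | Out-Null

    # Who may read the password for computers here; applies to child OUs by inheritance.
    # Set-AdmPwdReadPasswordPermission -OrgUnit $ou.DistinguishedName -AllowedPrincipals 'CONTOSO\ServerAdmins'

    "Delegated: $($ou.DistinguishedName)"
}

# Verify: every principal holding an extended right on each OU can read LAPS passwords.
# Anything unexpected here (a broad group with All Extended Rights, for instance) is a finding.
$serverOUs | ForEach-Object { Find-AdmPwdExtendedRights -Identity $_.DistinguishedName } |
    Select-Object ObjectDN, @{n='Holders'; e={ $_.ExtendedRightHolders -join '; ' }} |
    Format-Table -AutoSize

# Spot-check one computer after its next Group Policy refresh (password is returned in clear):
# Get-AdmPwdPassword -ComputerName 'SRV01' | Select-Object ComputerName, Password, ExpirationTimestamp
```

If Set-AdmPwdComputerSelfPermission still fails with a valid quoted DN, the usual causes are the OU name not matching what AD has (the lookup above removes that guess) or the schema extension not yet applied; Get-ADObject -Filter "name -eq 'ms-Mcs-AdmPwd'" -SearchBase (Get-ADRootDSE).schemaNamingContext returns nothing in that case.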

Error during LDAP over SSL Verification


Here is the scenario: I have two AD servers and a separate two-tier CA. I have already installed the root CA and issued a certificate for the AD servers from the subordinate CA for client authentication.

I have ldp.exe installed on the AD servers. Now from one AD server I am trying to connect to another domain controller using port 636 and I am getting the error below. Please help me to resolve this error.

ld = ldap_sslinit("dcaddsap2", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dcaddsap2.

Br//Rafiul

icacls - List folder contents only?


Hello,

Is there a way to set permissions on a folder for "list folder contents" only?

http://faculty.ycp.edu/~ehostler/ifs335/vlabs/Security-Lab/adddatapermissions4.png

Thank you,

Tom
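Added example for the question above (not code from the original post): "List folder contents" in the Security tab is Read & Execute applied to this folder and subfolders but not to files, which icacls writes as (CI)(RX): container-inherit without object-inherit. The block sets that ACE with icacls, sets the same ACE through .NET for scripted use, and verifies that it reaches subfolders but not files. Assumptions: C:\Shares\Projects and CONTOSO\Browsers are placeholders; run with rights to change the folder's ACL.

```powershell
# Added example, not from the original post. Placeholders: folder path and group.

$folder = 'C:\Shares\Projects'
$group  = 'CONTOSO\Browsers'

# icacls form: (CI) = inherit to subfolders only (no (OI), so files never receive the ACE);
# RX = read and execute. This is what the GUI displays as "List folder contents".
icacls $folder /grant "${group}:(CI)(RX)"

# Same ACE built with .NET, convenient when applying it to many folders:
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # folders only
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)   # replaces existing Allow ACEs for this principal with this one
Set-Acl -Path $folder -AclObject $acl

# Verify: the ACE is on the folder with CI only, shows up on a subfolder, and not on a file.
icacls $folder
$sub  = Join-Path $folder 'Sub'
$file = Join-Path $folder 'readme.txt'
if (Test-Path $sub)  { icacls $sub  | Select-String -SimpleMatch $group }
if (Test-Path $file) { icacls $file | Select-String -SimpleMatch $group }   # expected: no match

# What the principal actually gets, from its own point of view:
# (Get-Acl $folder).Access | Where-Object IdentityReference -eq $group |
#     Select-Object FileSystemRights, InheritanceFlags, PropagationFlags
```

Two caveats: the principal can still traverse into every subfolder and read names there, and the ACE does not remove access a user already holds on individual files through other ACEs or group memberships, so check effective access for a member of the group rather than only the folder's DACL.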


AD Role Authorization in IIS with nested group membership across a trust relationship


Background/Infrastructure (Just remember I didn't design it!):

I have a website (MVC5) which is deployed into production, dev, test, etc. Each of those environments is in its own domain, and the users are in yet another domain. ALL of the environment domains completely trust the user account domain, but they do not trust each other.

I am attempting to get my website to work for users in all of the various environments without using credentials from those specific domains; most users don't have accounts in the other domains but will use this website. The end-user experience is to type in the URL for a domain and have it know who they are.

Because this is all domain based, it is easy enough to set up IIS for Windows authentication; that's done and working.

Problem:

Where I'm stuck is the authorization across domains. In each domain I have a group (e.g. DEV\WebsiteAccess) which is for access to this website. I added a group from the users' domain (e.g. FABRIKAM\DevSystemUsers) into that access group, and it doesn't work. If I put the user into the DEV group directly, it DOES work.

It would seem that IIS is unable to traverse the full tree across the trust. The service account running the website is a DEV domain admin. DEV fully trusts FABRIKAM.

Is anyone aware of a way to tell IIS to walk the permissions on the other side?

Thanks

Jeff
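Added example for the question above (not code from the original post): IIS role checks are answered from the group SIDs in the user's logon token, so the useful diagnostic is to build that token on the DEV web server and see whether DEV\WebsiteAccess is in it when the user's only path in is through the nested FABRIKAM group. The block does that with an S4U logon (no password needed), prints the resolved groups, and then checks the DEV group's scope, since only a domain local group can hold members from an externally trusted domain. Assumptions: run on the DEV web server as a DEV domain account with the ActiveDirectory module available; the user, group and domain names are placeholders.

```powershell
# Added example, not from the original post. Placeholders: UPN, group, DEV domain name.

Import-Module ActiveDirectory

$upn   = 'jsmith@fabrikam.com'
$group = 'DEV\WebsiteAccess'

# S4U logon: the DC builds the same group list a network logon for this user would get here,
# including DEV domain local groups that contain the user's FABRIKAM groups.
$id = New-Object System.Security.Principal.WindowsIdentity($upn)

$groups = $id.Groups | ForEach-Object {
    try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $_.Value }   # SIDs that cannot be resolved here (filtered or foreign) stay as SIDs
} | Sort-Object

"Token for $($id.Name) contains $(@($groups).Count) groups:"
$groups
# This is the same call the MVC [Authorize(Roles=...)] check ends up making.
"IsInRole('$group') = $($id.IsInRole($group))"

# If the group is missing from the token, look at the group itself: its scope must allow
# foreign members (DomainLocal does; Global does not), and the FABRIKAM group should appear
# as a foreign security principal among its members.
Get-ADGroup -Identity 'WebsiteAccess' -Server 'dev.example.com' -Properties GroupScope, member |
    Select-Object Name, GroupScope, @{n='Members'; e={ $_.member -join '; ' }}

Get-ADObject -Server 'dev.example.com' -Filter "objectClass -eq 'foreignSecurityPrincipal'" -Properties memberOf |
    Where-Object { $_.memberOf } |
    Select-Object Name, @{n='MemberOf'; e={ $_.memberOf -join '; ' }}
```

Run it as the application pool's identity (or at least on the same server) so the token is built against the same DEV DCs IIS uses; a group present here but absent in the application points at the web side (for example a role provider that enumerates group membership via LDAP instead of reading the token), while a group absent here points at the trust or the group's membership.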
