Hi, Guys.
We have a plan to enable Windows Firewall on all our servers in our network, both on-prem and in Azure. Do you have any procedures for how to start on this and how to do it?
Thank you
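One way to stage the rollout the post asks about, as an added example that is not part of the original post or any Microsoft procedure: the script below uses the built-in NetSecurity cmdlets to (1) inventory what the server is listening on, (2) switch the firewall on in a "learning" configuration where nothing is blocked yet but every connection decision is logged, and (3) add explicit allow rules and flip the default inbound action to Block. The management subnet, the RDP restriction and the 80/443 listeners are assumptions for illustration; in Azure the VM's NSG is a separate layer and is not touched here.

```powershell
# Added example: staged enablement of Windows Defender Firewall with the
# NetSecurity module. Run with -Stage Inventory first, then Learn, then Enforce.
# Assumptions (not from the post): RDP is only needed from 10.0.0.0/24 and the
# application listens on TCP 80/443.
#Requires -RunAsAdministrator
#Requires -Modules NetSecurity
param([ValidateSet('Inventory', 'Learn', 'Enforce')][string]$Stage = 'Inventory')

$LogPath    = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
$MgmtSubnet = '10.0.0.0/24'   # assumed management / jump-host range

# 1. What is actually listening, and which process owns it.
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName }
        }
}

# 2. Learning mode: profiles enabled, default inbound still Allow, but allowed
#    and blocked connections are logged so the allow list can be built from data.
function Enable-FirewallLearningMode {
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Allow -DefaultOutboundAction Allow `
        -LogAllowed True -LogBlocked True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767
}

# 3. Explicit allow rules derived from the inventory and the learning-mode log.
function New-BaselineAllowRules {
    New-NetFirewallRule -DisplayName 'Mgmt - RDP from management subnet' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName 'App - HTTP/HTTPS' `
        -Direction Inbound -Protocol TCP -LocalPort 80, 443 `
        -Action Allow -Profile Domain | Out-Null
    # Keep remote PowerShell working: enable the built-in WinRM rule group.
    Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
}

# 4. Enforcement: everything inbound that has no rule is now dropped.
function Enable-FirewallEnforceMode {
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# 5. End-state check per profile.
function Test-FirewallState {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

switch ($Stage) {
    'Inventory' { Get-ListeningPorts | Format-Table -AutoSize }
    'Learn'     { Enable-FirewallLearningMode; Test-FirewallState }
    'Enforce'   { New-BaselineAllowRules; Enable-FirewallEnforceMode; Test-FirewallState }
}
```

Leave the server in the Learn stage for at least one full business cycle and read pfirewall.log before running Enforce; the allow rules in step 3 are only as good as the traffic you observed. Once the rule set is stable, the same settings belong in a GPO (Computer Configuration > Windows Defender Firewall with Advanced Security) rather than on each host.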
Background/Infrastructure (Just remember I didn't design it!):
I have a website (MVC5) which is deployed into production, dev, test, etc. Each of those environments is in its own domain, and the users are in another domain again. ALL of the environment domains completely trust the user account domain, but they do not trust each other.
I am attempting to get my website to work for users in all of the various environments without using credentials from those specific domains - most users don't have accounts in the other domains but will use this website. The end user experience is to type in the url for a domain and have it know who they are.
Because this is all domain based it is easy enough to setup IIS for windows authentication, that's done and working.
Problem:
Where I'm stuck is the authorization across domains. In each domain I have a group (e.g. DEV\WebsiteAccess) which is for access to this website. I added a group from the users' domain (e.g. FABRIKAM\DevSystemUsers) into that access group, and it doesn't work. If I put the user into the DEV group directly, it DOES work.
It would seem that IIS is unable to traverse the full tree across the trust. The service account running the website is a DEV domain admin. DEV fully trusts FABRIKAM.
Is anyone aware of a way to tell IIS to walk the permissions on the other side?
Thanks
Jeff
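Two checks worth running before blaming IIS, as an added example that is not part of the original post. Group scope matters across a trust: only a Domain Local group in DEV can hold principals from a trusted domain such as FABRIKAM (they show up as foreignSecurityPrincipal members), and Domain Local memberships are added to a user's token only when that token is built by a DC of the resource domain, i.e. when the user authenticates to something in DEV. The first function reports the group's scope and foreign members; the second, run on the DEV web server as a FABRIKAM user, shows exactly which groups are in that user's token, which is all an IIS authorization rule or IsInRole can match. dev.example.com, WebsiteAccess and the account names are placeholders.

```powershell
# Added example: inspect group scope / foreign members of the DEV access group
# and the groups actually present in the current user's token.
# Placeholders: dev.example.com, WebsiteAccess (not from the post).
#Requires -Modules ActiveDirectory
function Get-CrossDomainGroupReport {
    param(
        [string]$Server = 'dev.example.com',
        [string]$Group  = 'WebsiteAccess'
    )
    $g = Get-ADGroup -Identity $Group -Server $Server -Properties member, GroupScope
    [pscustomobject]@{
        Group      = $g.DistinguishedName
        Scope      = $g.GroupScope      # must be DomainLocal for members from a trusted domain
        Members    = $g.member -join '; '
        # Members from FABRIKAM are stored as foreign security principals in DEV.
        ForeignSPs = ($g.member | Where-Object { $_ -like '*CN=ForeignSecurityPrincipals,*' }) -join '; '
    }
}

# Run on the DEV web server while logged on (or started via runas) as the
# FABRIKAM user. Domain Local groups from DEV should be listed here; if the
# DEV\WebsiteAccess group is missing, the problem is in the token, not in IIS.
function Get-TokenGroups {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups | ForEach-Object {
        try   { $_.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.Value }   # SIDs that cannot be resolved from this domain
    }
}

Get-CrossDomainGroupReport | Format-List
Get-TokenGroups
```

If the group is Global or Universal, AD itself will have refused to add a FABRIKAM principal, so a successful add already suggests Domain Local; in that case compare the Get-TokenGroups output with what the application's authorization rule is looking for, including the exact DOMAIN\Group spelling.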
Hi,
I use public certificates for email validation (S/MIME).
I got Outlook clients and an Exchange server.
I don't have an internal PKI, only public certificates (Thawte, Verisign, Comodo, GoDaddy ...)
No problem for importing certificate in Outlook and digitally sign an email.
My issue is on revocation.
I can revoke a certificate, and I can see a bit later the certificate revoked in the published provider CRL
The main issue is that my Outlook clients still see the certificate as valid.
I don't know how CRL updates work.
I know that I need to set up IE options to allow CRL checks, but I don't know how Outlook updates the CRL.
Is it Outlook ? Is it Windows ? Is it Exchange ? who does the CRL update ?
And what is the process ? Is there a service I can restart, or a command to run to force CRL update ?
Where can I see if the CRL is up to date on client side ?
Any help is welcome.
thank you.
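A way to see what the client believes about a certificate's revocation state, as an added example that is not part of the original post. On Windows, chain building and CRL download/caching are done by CryptoAPI on the workstation; Outlook asks CryptoAPI for the verdict, and Exchange is not involved. A downloaded CRL is cached until its NextUpdate time, so a freshly revoked certificate keeps validating until the cached copy expires or is deleted. The script builds the chain with online revocation checking, optionally after flushing the cached CRLs with certutil, and lists what is currently cached. The path C:\temp\user.cer is an assumption.

```powershell
# Added example: check revocation state of an S/MIME certificate the way
# CryptoAPI on the client sees it. Assumes the cert was exported to C:\temp\user.cer.
$CertPath = 'C:\temp\user.cer'

function Test-CertRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$FlushCache   # delete cached CRLs so the next build re-downloads them
    )
    if ($FlushCache) {
        # CryptoAPI keeps downloaded CRLs in the per-user URL cache until NextUpdate.
        certutil.exe -urlcache crl delete | Out-Null
    }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
    $valid = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        ChainOK = $valid
        Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' })
        Status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $("$($_.StatusInformation)".Trim())" }) -join '; '
    }
}

# What CRLs this user profile currently has cached (URL and cache time).
function Get-CachedCrlList {
    certutil.exe -urlcache crl
}

Test-CertRevocation -Path $CertPath              # verdict with whatever is cached
Test-CertRevocation -Path $CertPath -FlushCache  # verdict after forcing a fresh CRL
Get-CachedCrlList
```

For a one-off look at every CDP and AIA URL in the chain, `certutil -verify -urlfetch C:\temp\user.cer` prints each URL it fetches and whether the certificate is found in the CRL. Note that both the cache and the IE/Internet Options revocation setting are per user, so run these as the user whose Outlook is showing the certificate as valid.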
We got the error "group policy not applied successfully", event ID 1058:
" the processing of group policy failed windows to attempt to read the file.\\domain.com\sysvol\domain.com\policies \
Hi
I've got a two-tier infrastructure on Windows Server 2016.
The IIS that provides CRLs is installed on the issuing CA.
Now I need to install OCSP, and I have read it is recommended to install it on an independent server, but I don't know if there is any type of conflict or if it is just a matter of traffic.
My organization is small and I don't need to publish revocation information outside my organization.
Is it a problem installing OCSP on the issuing CA?
Is installation on an independent server a best practice in this case too?
Thanks in advance
Hi all
We have an internal CA server (Windows Server 2012 R2, hash algorithm: SHA256).
The certificate works in IE, but in Firefox and Google Chrome it is "Not Secure".
How can I resolve this problem?
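A check for the two things Chrome and Firefox evaluate differently from IE, as an added example that is not part of the original post: Chrome (since version 58) matches the host name only against the Subject Alternative Name extension and ignores the CN, and Firefox keeps its own root store and, depending on version, only consults the Windows store when the security.enterprise_roots.enabled preference is true. The script connects to the server, captures the certificate it actually presents, reports whether a SAN extension is present and matches the host, and whether the chain builds to a root trusted by Windows. The host name intranet.example.com is a placeholder; the "DNS Name=" parsing assumes an English locale.

```powershell
# Added example: pull the live TLS certificate from a server and report SAN
# coverage and chain trust. Placeholder host: intranet.example.com.
function Get-ServerCertificateReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; we inspect it afterwards.
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    } finally {
        $tcp.Close()
    }

    # 2.5.29.17 = Subject Alternative Name. Format($true) yields one "DNS Name=..." per line
    # (English locale assumed). Wildcard entries are not expanded here.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @($sanExt.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^\s*DNS Name=(.+)$' } |
            ForEach-Object { $Matches[1].Trim() })
    }

    # Does the chain build to a root this machine trusts? (revocation skipped on purpose)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Host           = $HostName
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
        HasSAN         = [bool]$sanExt
        SANMatchesHost = ($sanNames -contains $HostName)
        SANNames       = $sanNames -join ', '
        ChainTrusted   = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-ServerCertificateReport -HostName 'intranet.example.com' | Format-List
```

If HasSAN is False, reissue the certificate from a template whose subject name is built from the request (or supplied in the request) and include the DNS names in the SAN; if HasSAN is True but ChainTrusted is True only in Windows, the remaining gap is Firefox's own root store, which needs the enterprise root imported or the enterprise_roots preference enabled via policy.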
Hi guys,
About 2 years ago I found a fabulous MS KB article that listed all the ports needed for a domain scenario to work between a client and a DC server.
Now I can only find this article:
http://support.microsoft.com/kb/179442/en-us but it's for a domain trust!
Anybody remember or have a specific KB article?
Thanks in advance
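Whatever article the list came from, the practical question is whether the ports are open, so here is an added example (not from the original post) that probes from a member server the TCP ports a domain client needs on a DC: DNS, Kerberos, the RPC endpoint mapper, NetBIOS session, LDAP/LDAPS, SMB for SYSVOL and NETLOGON, Kerberos password change, and the Global Catalog ports. UDP (53, 88, 123, 389, 464) is not covered because Test-NetConnection only probes TCP, and the dynamic RPC range (49152-65535 on Windows Server 2008 and later) cannot be tested port by port, so the script finishes with a secure-channel test that exercises RPC end to end. The DC name is a placeholder.

```powershell
# Added example: TCP reachability of the standard domain-membership ports on a DC,
# followed by a secure-channel test. Placeholder DC: dc01.example.com.
function Test-DcPorts {
    param([Parameter(Mandatory)][string]$DomainController)
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        139  = 'NetBIOS session'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL/NETLOGON, group policy)'
        464  = 'Kerberos password change (kpasswd)'
        636  = 'LDAPS'
        3268 = 'Global Catalog'
        3269 = 'Global Catalog over SSL'
    }
    foreach ($p in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $DomainController -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Service = $ports[$p]; Open = $r.TcpTestSucceeded }
    }
}

# The dynamic RPC range is exercised implicitly: the secure-channel test talks
# to the DC's Netlogon service via the endpoint mapper and a dynamic port.
function Test-DcSecureChannel {
    param([Parameter(Mandatory)][string]$DomainController)
    [pscustomobject]@{
        DC            = $DomainController
        SecureChannel = Test-ComputerSecureChannel -Server $DomainController
    }
}

Test-DcPorts -DomainController 'dc01.example.com' | Format-Table -AutoSize
Test-DcSecureChannel -DomainController 'dc01.example.com'
```

A port that shows Open = False with SecureChannel = True usually means a firewall in between is dropping only that service; start with 445 and 389, because those are what group policy processing and LDAP binds depend on.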
Is anyone aware of how I can install an Enterprise CA on a child DC? I have a child DC where I am trying to install an Enterprise CA, but the option is grayed out.
Thanks
Argha
I need to extract a list of specific certificates from a PKI on Windows Server 2012 R2.
So, in the list of all certificates issued, I would apply a filter. Generally, it works fine!
But now I'm facing a new issue. I have to extract a list of certificates with more than one OU value.
For example CN=example.com, OU=org1, OU=org2, OU=org3, DC=...
If I apply a filter on "Issued Organization Unit" = org3, no results appear.
Also if I use a filter like this (with multi filter):
"Issued Organization Unit" = org1
"Issued Organization Unit" = org2
"Issued Organization Unit" = org3
No results again.
What do I have to do? I need to extract all the certificates with OU=org3.
Thank you so much.
Best regards,
Giuseppe.
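An alternative to the MMC column filter, as an added example that is not part of the original post: dump the issued certificates from the CA database with certutil -view in CSV form and match the OU in PowerShell against the full issued Distinguished Name, which works however many OU= components the subject has and however the CA stores the "Issued Organization Unit" column. Disposition 20 is the CA database code for issued certificates. The column names passed to -out are the certutil schema names and can be confirmed with certutil -schema; the CA config string is a placeholder.

```powershell
# Added example: list issued certificates whose subject DN contains OU=<value>.
# Run on the CA, or pass -Config 'CAHOST\CA Name' (placeholder) for a remote CA.
function Get-IssuedCertsByOU {
    param(
        [Parameter(Mandatory)][string]$OU,
        [string]$Config
    )
    $cuArgs = @()
    if ($Config) { $cuArgs += @('-config', $Config) }
    # Disposition=20 restricts the view to issued certificates.
    $cuArgs += @('-view', '-restrict', 'Disposition=20',
                 '-out', 'RequestID,SerialNumber,NotAfter,DistinguishedName', 'csv')

    # certutil appends a "CertUtil: -view command completed successfully." footer
    # that is not CSV, so strip it (and blank lines) before parsing.
    $rows = & certutil.exe @cuArgs |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        ConvertFrom-Csv

    # CSV headers are localized display names ("Issued Distinguished Name"),
    # so locate the DN column by pattern instead of hard-coding it.
    $dnCol = ($rows | Select-Object -First 1).PSObject.Properties.Name |
             Where-Object { $_ -match 'Distinguished' } | Select-Object -First 1
    if (-not $dnCol) { throw "No DN column in certutil output; check 'certutil -schema'." }

    # Match OU=<value> as a complete RDN (start or after a comma, up to the next
    # comma or end), case-insensitively, anywhere in the DN.
    $pattern = '(?i)(^|,\s*)OU=' + [regex]::Escape($OU) + '\s*(,|$)'
    $rows | Where-Object { $_.$dnCol -match $pattern }
}

Get-IssuedCertsByOU -OU 'org3' | Format-Table -AutoSize
```

Because the match is done on the DN string, the same function finds certificates with OU=org3 whether it is the first, middle or last OU, and the -restrict string can be extended (for example "Disposition=20,NotAfter>=now") without touching the filter.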
Hi All,
I have a group policy which is linked to the Domain Controllers container. The policy contains audit settings for directory service access, and I have enabled it only for failure.
I have one non-privileged domain user account which has the capability to read the groups in the domain.
Whenever I query any group, for example Domain Admins (see the command below), I should not receive any event in Event Viewer on the mentioned domain controller, as I have not enabled "Success" auditing.
However, although I am able to successfully enumerate the group using my domain user account, it still gives me an audit failure event 4662:
Get-adgroupmember "domain admins" -server aaaadc.test.domain
Kindly advise what is the reason I am getting audit failure.
Regards
Afsar Shariff
Hello guys,
I have a question regarding AppLocker.
I have a Terminal Server and session hosts. What I need is to allow only some .exe files to run and some folders to be accessed.
When I deny, for example, my other domain account for calc.exe and enforce the rules, I am still able to run it.
Should i restart the server or something? Do you have any other solutions?
Thanks for your help
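The checks to run on the session host when an enforced deny rule does not bite, as an added example that is not part of the original post. AppLocker rules are only evaluated while the Application Identity service (AppIDSvc) is running; the rule collection must be in Enforce mode rather than AuditOnly; and an explicit Deny rule wins over the default "Allow everyone in the Windows folder" rule, so Test-AppLockerPolicy returning Denied for the user and calc.exe means the policy is correct and only its delivery to the session is in question. The file path and CONTOSO\jdoe are placeholders.

```powershell
# Added example: verify AppLocker enforcement for one user and one executable.
# Placeholders: C:\Windows\System32\calc.exe, CONTOSO\jdoe.
#Requires -RunAsAdministrator
$Target = 'C:\Windows\System32\calc.exe'
$User   = 'CONTOSO\jdoe'

# 1. Enforcement engine: without AppIDSvc running, nothing is ever blocked.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    # On Windows 10 / Server 2016 and later the service is protected, so
    # Set-Service cannot change its start type; sc.exe can.
    & sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

# 2. Refresh policy, then confirm the Exe collection is actually enforced.
& gpupdate.exe /force | Out-Null
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
"Exe collection enforcement mode: $($exe.EnforcementMode)"   # expect 'Enabled', not 'AuditOnly'

# 3. Ask AppLocker what it would decide for this user and file. An explicit Deny
#    overrides the default Allow rule for %WINDIR%.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $Target -User $User |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Recent AppLocker decisions: 8002 = allowed, 8003 = would be blocked (audit),
#    8004 = blocked. If calc.exe launches but no 8004 appears, the policy is not
#    being evaluated in that session at all.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object { $_.Id -in 8002, 8003, 8004 } |
    Select-Object TimeCreated, Id, Message
```

A session that was already open when the rule was enforced may keep its old behaviour until the user logs off and back on, so run step 3 and step 4 in a fresh session for the denied account rather than restarting the whole session host.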
Hi,
I've exactly the same problem as discussed in this question, namely:
Several accounts (including both user and computer accounts) are trying to control access of approx. 100-200 AD objects, including computers, users and groups (one of them being the domain administrator account!), at the same moment, resulting in an audit failure reported in the Security log of a DC. This happens right after a successful logon by the account creating the problem.
Event example accessing a user (for computers and groups the only difference is the properties accessed):
Subject :
Security ID:**********
Account Name:**********
Account Domain: **********
Logon ID:**********
Object:
Object Server: DS
Object Type:user
Object Name:**********
Handle ID:0x0
Operation:
Operation Type:Object Access
Accesses:Control Access
Access Mask:0x100
Properties:---
{91e647de-d96f-4b70-9557-d63ff4f3ccd8}
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
{b3f93023-9239-4f7c-b99c-6745d87adbc2}
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
{b7ff5a38-0818-42b0-8110-d3d154c97f24}
{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
{612cb747-c0e8-4f92-9221-fdd5f15b550d}
{bf967aba-0de6-11d0-a285-00aa003049e2}
Additional Information:
Parameter 1:-
Parameter 2:
The answer given in the original question explains why the events are created on the DC, the auditing and so on, which I understand, but I want to know if there's any logical reason a normal user or computer (or software running with its credentials) would access those AD objects.
Thanks!
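For this post and for the Get-ADGroupMember 4662 question above, the first thing to establish is what the GUIDs in the Properties field actually are, so here is an added example (not part of either post) that resolves them. A property GUID is the schemaIDGUID of an attribute or class in the schema partition; a property-set or extended-right GUID is the rightsGuid of an object under CN=Extended-Rights in the configuration partition. The script builds one lookup table from both, resolves the GUIDs quoted in the post above (they are used here as sample input), and can do the same for live failure 4662 events read from a DC. It needs the ActiveDirectory module and read access to the DC's Security log; the DC name is a placeholder.

```powershell
# Added example: resolve 4662 property / property-set GUIDs to names.
# Sample GUIDs are the ones quoted in the post; dc01.example.com is a placeholder.
#Requires -Modules ActiveDirectory
function Get-AdGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    # Attributes and classes: schemaIDGUID is stored as a byte array.
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID, objectClass |
        ForEach-Object {
            $g    = ([guid]$_.schemaIDGUID).ToString()
            $kind = if ($_.objectClass -eq 'classSchema') { 'class' } else { 'attribute' }
            $map[$g] = "$($_.lDAPDisplayName) ($kind)"
        }
    # Property sets, validated writes and extended rights: rightsGuid is a string.
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[$_.rightsGuid.ToLower()] = "$($_.displayName) (right / property set)" }
    $map
}

function Resolve-AuditGuid {
    param([hashtable]$Map, [string[]]$Guid)
    foreach ($g in $Guid) {
        $key = $g.Trim('{}').ToLower()
        [pscustomobject]@{
            Guid = $key
            Name = if ($Map.ContainsKey($key)) { $Map[$key] } else { '(unknown)' }
        }
    }
}

# GUIDs quoted in the post above, used as sample input.
$postedGuids = @(
    '{91e647de-d96f-4b70-9557-d63ff4f3ccd8}', '{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}',
    '{b3f93023-9239-4f7c-b99c-6745d87adbc2}', '{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}',
    '{b7ff5a38-0818-42b0-8110-d3d154c97f24}', '{771727b1-31b8-4cdf-ae62-4fe39fadf89e}',
    '{612cb747-c0e8-4f92-9221-fdd5f15b550d}', '{bf967aba-0de6-11d0-a285-00aa003049e2}'
)
$map = Get-AdGuidMap
Resolve-AuditGuid -Map $map -Guid $postedGuids | Format-Table -AutoSize

# Same resolution over the most recent failure 4662 events on a DC.
# Properties[] indices follow the 4662 event template: 1 = SubjectUserName,
# 6 = ObjectName, 9 = AccessList. Keyword 0x10000000000000 = Audit Failure.
function Get-Recent4662Failures {
    param([Parameter(Mandatory)][string]$DomainController, [hashtable]$Map, [int]$Count = 50)
    Get-WinEvent -ComputerName $DomainController -MaxEvents $Count `
        -FilterHashtable @{ LogName = 'Security'; Id = 4662; Keywords = 0x10000000000000 } |
        ForEach-Object {
            $guids = [regex]::Matches($_.Message, '\{[0-9a-fA-F-]{36}\}') | ForEach-Object { $_.Value }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = $_.Properties[1].Value
                Object  = $_.Properties[6].Value
                Access  = ("$($_.Properties[9].Value)" -replace '\s+', ' ').Trim()
                Props   = (Resolve-AuditGuid -Map $Map -Guid $guids | ForEach-Object { $_.Name }) -join ', '
            }
        }
}
# Get-Recent4662Failures -DomainController 'dc01.example.com' -Map $map | Format-Table -Wrap
```

Once the Properties column reads as attribute names instead of GUIDs, the question "would a normal user or computer touch this?" usually answers itself: an attribute that lives in a property set normal users cannot read produces a failure entry even when the overall LDAP query succeeds, because the DC records the individual access check that was denied, not the query.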
We duplicated the Web Server version 1 template on our Windows Server 2003 CA and published it to the CA for issuance. We set the permissions accordingly: Domain Admins: Read, Write, Enroll.
Then, when we go to a Windows Server 2008 R2 Enterprise server, log in with an account in Domain Admins, and run http://OurServer/certsrv to submit an Advanced Certificate Request, we cannot see that template. Days went by from the time we made the template to when we tried the request. The CA was stopped and restarted.
Other duplicated templates do show up, just not this one. Any ideas?
Windows Server 2016
I have run RSOP, gpresult /H, and gpedit, but have no explanation for why my local Security settings are not being applied even when the domain GPOs have "Not Defined". The Local Policy settings within the Administrative Templates section are being applied, so that shows the policy is being successfully processed, but I am at a loss to find why the domain "Not Defined" settings are overwriting the Local Policy settings. None of the domain GPOs are set to Enforced.
This is impacting User Rights, Security Options only. Any thoughts out there?
Terry
I am trying to install MSMQ on Windows NT by specifying an MSMQ site controller on a Windows 2008 server, but the installation is failing with the error below.
Please kindly provide any additional information on the security error message below.
Additional Information:-
1. MSMQ down level client service is running on windows 2008 server
2. Allow cryptography algorithms compatible with Windows NT 4.0 is enabled on windows 2008 server.
Windows 2008 security event viewer error message:-
--------------------------------------------------------------------
RPC detected an integrity violation while decrypting an incoming message.
Peer Name:
xx.yy.xx.zz (WinNT client computer IP address)
Protocol Sequence:ncacn_ip_tcp
Security Error:2148074255
WinNT 4.0 Option Pack installation error:
-------------------------------------------------
Microsoft Message Queue Setup error: