Channel: Security forum

Install rights for a simple domain user


Hi Everyone,

We have Windows Server 2016. I have a simple domain user who runs/manages applications and services on this server, and it works fine. I would like to give 3 kinds of permissions to this user.

1) Windows Server restart,

2) Install applications on the Windows Server.

3) Install/manage services on the Windows Server.

1) I successfully set up the first permission in Group Policy Management (Default Domain Controllers Policy / Policies / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Shut down the system). As I see, it works fine.

2) I can't find how I can set the install permissions for this simple domain user.

3) I set up the service manage permissions (https://social.technet.microsoft.com/wiki/contents/articles/5752.how-to-grant-users-rights-to-manage-services-start-stop-etc.aspx?wa=wsignin1.0), but I can't find how to grant install services rights for this simple domain user.

Is there anybody who can help me?

Many thanks in advance,

Foley
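An added example (not part of the original post) for checking what the three requested permissions actually look like on the member server once a GPO has been applied: it exports the effective user-rights assignments with secedit, resolves the SIDs, and reports whether a given account holds the shutdown rights and whether it is a local administrator. Two assumptions are labelled in the code: the account name CONTOSO\svc-app is a placeholder, and the script must run elevated. One caveat a practitioner would want here: the Default Domain Controllers Policy is linked to the Domain Controllers OU, so a right assigned there applies to domain controllers, and a member server only picks up a right from a GPO linked to its own OU (or the domain).

```powershell
# Added example (not from the original post). Run elevated on the member server.
# The account name below is a constructed placeholder.

function Resolve-SidLabel {
    # secedit writes SIDs as *S-1-5-..., and names as plain text; translate SIDs to names.
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-[\d-]+)$') { return $Entry }
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Matches[1]).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Entry }
}

function Get-UserRightsAssignment {
    # Exports the effective local security policy and returns one object per user right.
    $inf = Join-Path $env:TEMP ('urights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        foreach ($line in (Get-Content -Path $inf | Where-Object { $_ -match '^Se\w+\s*=' })) {
            $right, $members = $line -split '\s*=\s*', 2
            [pscustomobject]@{
                Right   = $right.Trim()
                Members = @($members -split ',' | ForEach-Object { Resolve-SidLabel $_.Trim() })
            }
        }
    } finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

function Test-UserRights {
    # Direct assignments only: a right held through group membership is not expanded here.
    param(
        [Parameter(Mandatory)][string]$User,
        [string[]]$Rights = @('SeShutdownPrivilege', 'SeRemoteShutdownPrivilege')
    )
    $all = Get-UserRightsAssignment
    $report = foreach ($r in $Rights) {
        $entry = $all | Where-Object Right -eq $r
        [pscustomobject]@{
            Right   = $r
            Granted = [bool]($entry.Members -contains $User)
            Members = ($entry.Members -join ', ')
        }
    }
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $User)
    [pscustomobject]@{ User = $User; IsLocalAdministrator = $isAdmin; Rights = $report }
}

Test-UserRights -User 'CONTOSO\svc-app'   # placeholder account
```

For the third item in the post, installing (creating) a service is governed by the Service Control Manager's own security descriptor rather than by a user right: `sc.exe sdshow scmanager` prints that DACL, and the access needed to register a new service is SC_MANAGER_CREATE_SERVICE (0x0002). Per-service start/stop rights, as in the linked TechNet article, are the individual services' descriptors (`sc.exe sdshow <service>`).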


CRL and CACertPublication URL unclear


Hello everyone,

I am installing an internal root CA at the moment. I came to a point where I wondered if everything is configured as intended.
Since I am not very experienced in setting up a PKI infrastructure, I could use some advice here.

I followed the following guide to install and configure my offline root CA (I would like to post the link, but Microsoft has not yet verified me):
please google for it, or add https:// in front of: timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-3/

Now I am a bit confused about this "rename the .crt-file" part, and I don't even have the mentioned "second .crl-file" (the last part of this page).

I have the following settings for the certutil CRLPublicationURLs and CACertPublicationURLs, and the following files were created on the offline root CA, from where I would now copy them to the PKI web share and the issuing CA:

(please note that I had to remove "http://" in front of the URLs in the output, replaced by [...], and I am not allowed to post images... sorry for that)

PS C:\Users\Administrator> certutil -getreg ca\CACertPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CEMA AG Root CA\CACertPublicationURLs:

  CACertPublicationURLs REG_MULTI_SZ =
    0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
    CSURL_SERVERPUBLISH -- 1

    1: 2:[...]pki.cema.de/pki/CEMA AG ROOT CA%3%4.crt
    CSURL_ADDTOCERTCDP -- 2

CertUtil: -getreg command completed successfully.

PS C:\Users\Administrator> certutil -getreg ca\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CEMA AG Root CA\CRLPublicationURLs:

  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\System32\CertSrv\CertEnroll\CEMA AG ROOT CA%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_SERVERPUBLISHDELTA -- 40 (64)

    1: 4:[...]pki.cema.de/pki/CEMA AG ROOT CA%8%9.crl -AddToCertificateCDP
    CSURL_ADDTOFRESHESTCRL -- 4

CertUtil: -getreg command completed successfully.

My files on the offline root ca are named the following:

C:\Windows\System32\CertSrv\CertEnroll\CEMA AG ROOT CA.crl

C:\Windows\System32\CertSrv\CertEnroll\certrootma01_CEMA AG Root CA.crt

In the guide it says:

"Copy the CRT and CRL files
The last step in this part is to copy the .CRT and .CRL files to the other two servers.  To the subordinate CA (issuingCA) and the web server (WebServ1).
The .CRT file is located at:  “C:\Windows\System32\CertSrv\CertEnroll\RootCA_Bedrock Root Certificate Authority.crt”
First rename the above file to:  “BEDROCK-ROOTBedrock Root Certificate Authority.crt”
This is what the certificates will be looking for.  Edit appropriately for your environment."
Can anyone explain to me, if my values are set up correctly and/or if I really have to rename my .crt-file somehow?
I got confused with those %8%9 values.


Any help is very appreciated. Thank you very much!


Kind regards,
David
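An added example (not part of the original post) that decodes the entries shown above: each line of `certutil -getreg ca\CRLPublicationURLs` / `ca\CACertPublicationURLs` is "index: flags:template", where the flags are a bitmask (certutil prints the names, e.g. 65 = CSURL_SERVERPUBLISH 1 + CSURL_SERVERPUBLISHDELTA 64) and the %N tokens are replaced by AD CS when it builds file names and extension URLs. The flag and token tables are AD CS's documented ones; the four entries are copied from the post, and the token values (server name, CA name, configuration container) are constructed to match the names visible in it.

```powershell
# Added example (not from the original post): decode CSURL flags and expand %N tokens.

# Flag bits as certutil names them (the same bits apply to both URL lists).
$CsUrlFlags = @{
    1   = 'CSURL_SERVERPUBLISH'       # the CA writes the file to this location
    2   = 'CSURL_ADDTOCERTCDP'        # URL goes into issued certs (CDP for the CRL list, AIA for the cert list)
    4   = 'CSURL_ADDTOFRESHESTCRL'    # URL goes into the Freshest CRL extension (delta CRL pointer)
    8   = 'CSURL_ADDTOCRLCDP'         # URL goes into the CRL's own CDP extension
    32  = 'CSURL_ADDTOCERTOCSP'       # advertised as OCSP responder in AIA (cert list only)
    64  = 'CSURL_SERVERPUBLISHDELTA'  # delta CRLs are also written here
    128 = 'CSURL_ADDTOIDP'            # URL goes into the CRL's Issuing Distribution Point
}

# Token values (constructed to match the post). %4 and %8 are empty for the first CA
# key and become "(1)", "(2)", ... after a key renewal; %9 is "+" only for a delta CRL.
$TokenValues = @{
    '1'  = 'certrootma01'                 # ServerDNSName
    '2'  = 'certrootma01'                 # ServerShortName
    '3'  = 'CEMA AG Root CA'              # CaName
    '4'  = ''                             # CertificateName (renewal suffix)
    '6'  = 'CN=Configuration,DC=cema,DC=de' # ConfigurationContainer (constructed)
    '7'  = 'CEMA AG Root CA'              # CATruncatedName
    '8'  = ''                             # CRLNameSuffix (renewal suffix)
    '9'  = ''                             # DeltaCRLAllowed
    '10' = 'cRLDistributionPoint'         # CDPObjectClass
    '11' = 'certificationAuthority'       # CAObjectClass
}

function Expand-CsUrl {
    param([string]$Template, [hashtable]$Values = $TokenValues)
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $k = $m.Groups[1].Value
        if ($Values.ContainsKey($k)) { $Values[$k] } else { $m.Value }
    }.GetNewClosure()
    [regex]::Replace($Template, '%(\d{1,2})', $evaluator)
}

function ConvertFrom-CsUrlEntry {
    # Parses one "index: flags:template" line as printed by certutil -getreg.
    param([string]$Line)
    if ($Line -notmatch '^\s*(\d+):\s*(\d+):(.+?)\s*$') { throw "not a URL entry: $Line" }
    $flags = [int]$Matches[2]
    $set   = foreach ($bit in ($CsUrlFlags.Keys | Sort-Object)) { if ($flags -band $bit) { $CsUrlFlags[$bit] } }
    $delta = $TokenValues.Clone(); $delta['9'] = '+'
    $deltaName = if ($flags -band 64) { Expand-CsUrl $Matches[3] $delta } else { $null }
    [pscustomobject]@{
        Index     = [int]$Matches[1]
        Flags     = $flags
        Meaning   = ($set -join ' | ')
        Template  = $Matches[3]
        Expanded  = Expand-CsUrl $Matches[3]
        DeltaName = $deltaName
    }
}

# The entries from the post ("http://" restored where the forum stripped it).
$Entries = @(
    '0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '1: 2:http://pki.cema.de/pki/CEMA AG ROOT CA%3%4.crt',
    '0: 65:C:\Windows\System32\CertSrv\CertEnroll\CEMA AG ROOT CA%8%9.crl',
    '1: 4:http://pki.cema.de/pki/CEMA AG ROOT CA%8%9.crl'
)
$Entries | ForEach-Object { ConvertFrom-CsUrlEntry $_ } | Format-List
```

Reading the output side by side answers the two questions in the post: the local entry expands to `certrootma01_CEMA AG Root CA.crt` (the %1_ prefix is the server name), while the HTTP entry expands to whatever literal text precedes %3 plus the CA name, and the file copied to the web share has to carry exactly that expanded name, which is what the guide's rename step is about; the output also makes it visible when an entry contains both a literal CA name and %3. The "second .crl file" is the delta CRL, `<name>+.crl` from %9, and it only exists when the CA is configured to publish delta CRLs.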

UAC changes are not in log event?


Dear Community,

On a Windows Server 2012 R2 Standard edition, I am trying to find the log event for changes to the UAC level (disable, enable, change the severity of the UAC level), but I can't find it.

I searched in Event Viewer at:

Applications and Services Logs\Microsoft\Windows\UAC\Operational

Result: empty

and:

Applications and Services Logs\Microsoft\Windows\UAC-FileVirtualization\Operational

I don't find the log of UAC being disabled/enabled.

Can you help me?

Thank you in advance

eX
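An added example (not part of the original post) showing where the UAC level actually lives and how to get a log entry when it changes: the slider and the equivalent policy write registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and Windows writes no dedicated "UAC changed" event for that. Putting an audit ACE (SACL) on the key makes every successful value write produce Security event 4657, which carries the account, the value name and the old and new data. Assumptions: an elevated session, and the Registry object-access subcategory enabled (the script enables it).

```powershell
# Added example (not from the original post). Run elevated.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                  # 0 = UAC off (effective after reboot)
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = elevate silently, 2 = always notify, 5 = default level
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 1 = prompt on the dimmed secure desktop
    }
}

function Enable-UacChangeAuditing {
    # Audit successful SetValue on the key by anyone; slider, GPO and scripts all write here.
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
    $acl  = Get-Acl -Path $UacKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $UacKey -AclObject $acl
}

function Get-UacChangeEvents {
    # Security 4657 "A registry value was modified", restricted to the UAC policy key.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Policies\\System' } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Value   = $d.ObjectValueName   # e.g. EnableLUA, ConsentPromptBehaviorAdmin
                Old     = $d.OldValue
                New     = $d.NewValue
                Process = $d.ProcessName
            }
        }
}

Get-UacState
Enable-UacChangeAuditing
# ... change the UAC slider, then:
Get-UacChangeEvents -Hours 1
```

When the level is set through Group Policy rather than the slider, the same 4657 events appear, written by the Group Policy client, so this also catches a policy-driven change; pair it with the existing Security event 4719 (audit policy changed) if someone could disable the Registry subcategory first.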

Cached credentials and disabled accounts


Hi,

Scenario:

User account John signs in to a workstation using his domain credentials. Max has also signed in to that workstation earlier. Max has administrative credentials on the workstation.

John asks Max for help to get an xyz task done, but for that Max needs his admin account. Max finalizes the task using "run-as". And finally all goes fine, the task is finalized and the sun is shining.

Later Max notices that his admin account has been disabled, a week before!

Is there any good reason why a user whose account is disabled in AD can still sign in to the workstation using run-as and cached credentials? And I mean a workstation which is connected to the domain. Isn't this kind of a security issue?

No need to explain the situation where the workstation is remote and only cached credentials are used. But in this case the workstation was online and connected to the domain, but still "run-as" did not validate the user's account against AD.


Petri

How to verify the private key in certificate


Hi Everyone,

Can we verify the private key of a certificate using certutil?

I would like to verify one certificate which is not showing the key symbol in the personal store. I believe if it's not showing the key symbol associated with the certificate, it does not have a private key.

Kindly advise whether there is any way to determine if the certificate is associated with a private key or not.

Regards

Afsar

Replace a damaged CA Server with a new one


Hi all,

Our domain has a CA on a Windows 2008 Server that has been running for many years now. It got damaged and we spent several days trying to restore it. Oddly, while it was down for several days, nothing was impacted in our domain and services were running smoothly, which made me wonder what was going on here!

After the restoration it is acting weird, refusing to log in to the domain, freezing in unexpected situations, especially when we open the Control Panel, which rendered it unsuitable for usage.

Can we simply build a fresh server and enable the CA service on it to replace the current one? Do we need to copy something from the old one?

JAM ADMIN



Sending request to OCSP server manually


Hi All,

I am testing a customized SCOM pack pertaining to PKI/OCSP. Below is the event which comes from the OCSP server whenever the CRL expires and the CA is not in an active state.

1) I am stopping the CA service.

2) Deleting the OCSP and CRL cache from the server.

3) Waiting for the below event to trigger. However, the alert is triggering after 60 to 80 minutes.

I would like to create a situation where I can send a manual request to the OCSP server while the CA service is in the stopped state, so that I need not wait for the alert to trigger.

Is there any way I can send a manual request to OCSP?

Event ID 17 -  


Log Name: Application

Source: Micorsoft-Windows-Onlineresponder-RevocationProvider

Description: for configuration issuingCA-OCSP(New) Online responder revocation either has no CRL confirmation or has stale information

Regards

Afsar Shariff

Windows Server 2012R2 | Windows Event Forwarder Issues (Event: 102 / Code: 5004)


Hey all,

I'm currently trying to implement event collection in our environment, but I cannot get WEF working.  The following are the things I've done:

1. Configured WinRM on the client and collector machines
2. Deployed a GPO that pointed the client machines to the collector for event forwarding
3. Created a subscription on my WEF machine and selected:
   1. Destination: Forwarded Events
   2. Source computer initiated
   3. Computer groups: Domain Computers
   4. Select Events: Critical, Warning
4. Then selected OK and activated the subscription.

I currently have all my source computers checking in, but I'm still getting the same error (Event 102 / Code 5004). I've added the WEF to the domain group Event Reader and confirmed the WinRM connection.

What am I doing wrong?


How much of my web browsing can my landlord see?


I live in the UK, in a complex of apartments, about 50 apartments under one roof. My landlord is what in the UK is called a housing association, a private body that provides housing to poorer people.

The complex has internet access via one shared computer in a public area, with WiFi.  We are allowed to connect our own computers to this WiFi, but when we do we get a very long announcement about how every website we visit is recorded, and how various types of information are kept for various lengths of time. It is headed 'TF Wireless', whatever that means.

This means that the shared computer itself is being monitored, and while I don't like this, I can't afford my own broadband, and it is a really good computer, so I have to put up with it.

My question is, other than which websites you've visited, how much can my landlord find out? For instance, I don't much mind if the landlord knows I have visited a flight booking site, but I'd HATE IT if the landlord knew which flights I had booked and where I was flying to. Similarly, I don't mind if it knows I have looked at Amazon, but I would hate it to know what I'd bought, and I could stand it to know I had visited Yahoo Mail but would hate it to be able to read my emails.

Can anyone advise me here? Thanks.


Port Enable in Firewall


Hi All,

I have enabled these ports "137,138,445" on the Windows Server 2012 R2 firewall on the base server and on the VM also, but these ports still show as blocked.

We have to open these ports for sharing purposes to a Mac,

but we failed again and again.

The server edition is Datacenter, and I want to know: if we enable the port on the VM, is it mandatory to enable the port on the base as well? Right now I have enabled the port on the base as well as on the VM.

Please let me know if anyone knows.

Thanks and Regards

Vipin Jeswani
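An added example (not part of the original post) for checking what the firewall is really doing for those ports and for adding rules scoped to one client instead of the whole world. One detail that often explains "still blocked": SMB is TCP/445, while 137 and 138 are UDP (NetBIOS name and datagram service) and 139 is TCP, so a rule with the wrong protocol never matches; rules are also per network profile, so the profile the adapter is in has to be one the rule covers. The Mac's address 192.0.2.25 and the rule names are constructed; run elevated on the server (in a VM, on the VM's own firewall, since that is the host that owns the listening socket).

```powershell
# Added example (not from the original post). Address and rule names are constructed.

function Get-RulesForPorts {
    # Enabled inbound rules whose port filter covers any of the ports, with their scope.
    param([int[]]$Ports = @(137, 138, 139, 445))
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
        $pf  = $rule | Get-NetFirewallPortFilter
        $hit = @($pf.LocalPort) | Where-Object { $_ -match '^\d+$' -and ([int]$_ -in $Ports) }
        if (-not $hit) { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Action        = $rule.Action
            Profile       = $rule.Profile
            Protocol      = $pf.Protocol
            LocalPort     = ($pf.LocalPort -join ',')
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    }
}

function Get-ShareListeningState {
    # Which profile the adapters are in, and whether anything is actually listening.
    [pscustomobject]@{
        ActiveProfiles  = (Get-NetConnectionProfile | Select-Object -ExpandProperty NetworkCategory) -join ','
        Tcp445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        Udp137_138Bound = [bool](Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 138 })
    }
}

function Add-ScopedShareRules {
    # Allow SMB/NetBIOS only from the named client, on the domain and private profiles.
    param([Parameter(Mandatory)][string]$ClientAddress)
    New-NetFirewallRule -DisplayName "SMB from $ClientAddress" -Direction Inbound -Protocol TCP `
        -LocalPort 445, 139 -RemoteAddress $ClientAddress -Profile Domain, Private -Action Allow
    New-NetFirewallRule -DisplayName "NetBIOS from $ClientAddress" -Direction Inbound -Protocol UDP `
        -LocalPort 137, 138 -RemoteAddress $ClientAddress -Profile Domain, Private -Action Allow
}

Get-ShareListeningState
Get-RulesForPorts | Format-Table -AutoSize
Add-ScopedShareRules -ClientAddress '192.0.2.25'   # constructed Mac address
```

If Get-RulesForPorts already lists an Allow rule for the right protocol and profile and the port still appears closed from the Mac, the remaining suspects are the profile (an adapter in the Public profile while the rule covers Domain/Private) and the service itself not listening, which the first function shows.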

Adding a Cert to Root CA store in PowerShell/.NET - how to avoid the popup?


For testing, I am creating a self-signed certificate I am using in the testing. I want to make my local machine test it, so I just copy it into the local root store. Sadly, Copy-Item with the Certificate provider does not enable me to copy the cert with PowerShell but I can dip down easily enough into .NET, and do the following:

# 1. Create a script-signing certificate
$CHT = @{
  Subject           = 'Reskit Code Signing'
  Type              = 'CodeSigning' 
  CertStoreLocation = 'Cert:\CurrentUser\My'
}
$Cert = New-SelfSignedCertificate @CHT

# 2. Ensure certificate is trusted
$DestStoreName  = 'Root'
$DestStoreScope = 'CurrentUser'
$Type   = 'System.Security.Cryptography.X509Certificates.X509Store'
$MHT = @{
  TypeName = $Type  
  ArgumentList  = ($DestStoreName, $DestStoreScope)
}
$DestStore = New-Object  @MHT
$DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
# Popup occurs here
$DestStore.Add($cert)
$DestStore.Close()

That code works; however, it pops up a Security Warning dialog box which must be clicked before the Add method completes. I appreciate the warning but...

So the questions:

1. How can I avoid that dialog box popping up?

2. OR, is there another way to copy $cert (a self-signed certificate) into CurrentUser\Root store avoiding the dialog box??


Thomas Lee <DoctorDNS@Gmail.Com>
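An added example (not part of the original post) of the pattern I would use for a test run that needs a self-signed certificate to be trusted: add only the public certificate to the LocalMachine Root store, which does not raise the CryptoAPI "install this root?" dialog that CurrentUser\Root does but requires an elevated session, run the test, and remove the certificate again in a finally block so no test root is left on the machine. The subject name and the test body are constructed; the chain check shows the trust state before, during and after.

```powershell
# Added example (not from the original post). Run elevated; subject and body are constructed.

function Invoke-WithTrustedTestCert {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][scriptblock]$Body
    )
    # Only the public part goes into Root; the private key stays in CurrentUser\My.
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Cert.Export('Cert'))
    $store  = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Add($public)
        & $Body $Cert
    } finally {
        $store.Remove($public)   # leave no test root behind, even if the body throws
        $store.Close()
    }
}

function Test-ChainTrusted {
    # True when CryptoAPI can build a trusted chain for the certificate right now.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed test cert publishes no CRL
    $ok = $chain.Build($Cert)
    [pscustomobject]@{ Trusted = $ok; Status = ($chain.ChainStatus.Status -join ',') }
}

$cert = New-SelfSignedCertificate -Subject 'CN=Reskit Code Signing' -Type CodeSigningCert `
            -CertStoreLocation Cert:\CurrentUser\My

Test-ChainTrusted $cert                                                  # before: untrusted root
Invoke-WithTrustedTestCert -Cert $cert -Body { param($c) Test-ChainTrusted $c }   # inside: trusted
Test-ChainTrusted $cert                                                  # after cleanup: untrusted again
```

The same machine-store import can be done with the PKI module's `Import-Certificate -FilePath <cer> -CertStoreLocation Cert:\LocalMachine\Root`; the point of the wrapper is that the trust is temporary and tied to the test, which is what you want for a root that was generated on the spot.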


Surface Go in Win 10 S mode giving 0x80090016 and "keyset does not exist" errors


Hello, I have a Surface Go (64Gb model) running Windows 10 in S mode that has been rock solid for the month and a half I have had it. However, today I attempted to sign into the device and was informed that due to changes in my account my PIN no longer worked, nor was I able to unlock the device using Windows Hello. After going through the process to reset my password online (either I forgot my original password or the device didn't accept it), I reset the device to find that Windows Hello worked again. I signed on to find that my account was unable to log in to any of my Microsoft accounts on the device in-app. This includes all of the apps in the Office 365 suite along with the Microsoft Store.

Every time I attempted to sign in to these apps I was met with "Something went wrong, Please try again later. 0x80090016." While troubleshooting this issue I discovered that I was not validated on my system. Figuring this may have something to do with the issue, I attempted to validate my identity before being informed that the "Keyset does not exist".

I have been unable to discover any fixes for this issue so far and am at a loss as to what I should do. I am the only person with an account on the device, and my account is a valid Microsoft account that I can sign in to online or on one of my other 2 computers, which do not seem to be having this issue. If anyone has any more information, that would be greatly appreciated!

*Edit: I can still get into Windows using Windows Hello, but am unable to validate my information. Nor has my password for my Microsoft account been updated on the device itself. It is still using what I believe is my older password, which now works again for some reason.


Revoking Subordinate CA Certificate

Hi Technet,

I'm currently in the process of setting up a new subordinate CA. We're using our current OpenSSL root CA to sign the CSR for our Windows subordinate CA. Unfortunately we're having a few issues with duplicate subordinate certificates. So far I've:

1) Set up the host and created a CSR, which was passed over to be signed by the root CA
2) The root CA signed the CSR and set HTTP locations for AIA and CRL
3) The signed CSR was then uploaded onto the subordinate CA

Unfortunately, once uploaded, we found that there were a few issues with the CRL location, so the original CSR was re-signed with the new CRL location set and then uploaded to the subordinate. Long story short, we've ended up with 3 certificates on our subordinate CA, and we can't seem to revoke the 2 incorrect certs (containing the incorrect CRL locations):



So from the root CA we've revoked certs #0 and #1. If I go to the CRL location I can see that the CRLs for the old certs are showing. I've uploaded the CRL to C:\Windows\System32\CertSrv\CertEnroll and can see the updated CRL via MMC > Intermediate CAs > Certificate Revocation List. Unfortunately the certificates still appear under the Properties > General tab of the certification authority, as per the above. They're not showing as revoked.

I've tried removing the certificates from MMC > Personal > Certificates and from C:\Windows\System32\CertSrv\CertEnroll, but they instantly reappear. Worth noting that the only location we publish CRLs to is a web page.

Any help on this would be greatly appreciated.

Apologies, my knowledge of Windows PKI is fairly limited. There may be something very obvious that I'm not currently doing.

Thanks,
R
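An added example (not part of either post) that serves both the OCSP question above ("Sending request to OCSP server manually") and this one: it forces a fresh revocation check for a given certificate file, first by clearing the local OCSP/CRL URL cache and letting `certutil -verify -urlfetch` retrieve the AIA/CDP/OCSP URLs from the certificate right now, then by building the chain through CryptoAPI with online revocation checking so the per-element status flags (Revoked, RevocationStatusUnknown, OfflineRevocation) are visible. The certutil switches and .NET chain API are the standard ones; the certificate path in the usage line is constructed.

```powershell
# Added example (not from the original posts). The file name is constructed.

function Test-RevocationFresh {
    param([Parameter(Mandatory)][string]$CertPath)   # .cer (DER or Base64) of the certificate to check

    # 1. Drop cached responses so the next check really contacts the responder / CDP.
    certutil -urlcache ocsp delete | Out-Null
    certutil -urlcache crl  delete | Out-Null
    # (certutil -setreg chain\ChainCacheResyncFiletime @now additionally flushes the chain cache.)

    # 2. certutil retrieves every AIA/CDP/OCSP URL in the certificate and prints a line per URL.
    $fetch    = certutil -verify -urlfetch $CertPath
    $urlLines = $fetch | Where-Object { $_ -match 'OCSP|\.crl|Revocation|Verified|Failed' }

    # 3. Same check through the chain engine, with the status flags exposed.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # go to the network, do not accept cached-only
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every element, not just the leaf
    $valid = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        ChainValid = $valid
        Status     = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        Elements   = @($chain.ChainElements | ForEach-Object {
                         [pscustomobject]@{
                             Subject = $_.Certificate.Subject
                             Status  = (@($_.ChainElementStatus.Status) -join ',')
                         }
                     })
        UrlFetch   = $urlLines
    }
}

# Export the certificate to test first (e.g. one of the subordinate CA's own certificates
# from Cert:\LocalMachine\My), then:
Test-RevocationFresh -CertPath 'C:\temp\subca-old.cer'   # constructed path
```

For the OCSP scenario, running this with the CA service stopped and the caches cleared triggers the responder's "no CRL / stale information" path immediately instead of after the cache timeout. For the subordinate-CA scenario, a `Revoked` status on the element for the old certificate confirms that the root's CRL is actually being fetched and honoured from the published location; if the status is `RevocationStatusUnknown` or `OfflineRevocation` instead, the UrlFetch lines show which URL could not be retrieved.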


Microsoft CRL Validation (crl.microsoft.com)


Hi,

I am trying to fix an issue with Microsoft application startup delay in a disconnected environment. It's trying to access crl.microsoft.com, so it's trying to validate the certificate against the CRL file. To fix this issue, I am trying to download the CRL files and keep them local, so I need experts' suggestions for the list of Microsoft CRLs (crl.microsoft.com), so that I could script it and download them.

Thanks and Regards,

Bala R
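An added example (not part of the original post) that builds the list from the certificates themselves instead of from a fixed table: every certificate carries its CRL Distribution Points extension (OID 2.5.29.31), so enumerating the machine stores and collecting the URLs whose host matches crl.microsoft.com yields exactly the CRLs the applications on that machine will ask for. The second function downloads them on a connected machine and prints each file's NextUpdate so you know how long the copies stay fresh. The store list, host filter and target folder are assumptions.

```powershell
# Added example (not from the original post). Store list, host filter and folder are assumptions.

function Get-CrlDistributionPoints {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                                  'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\My'),
        [string]$HostFilter = 'crl\.microsoft\.com'
    )
    $urls = foreach ($cert in (Get-ChildItem -Path $StorePaths)) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
        if (-not $ext) { continue }
        # Format($true) renders the extension as text with one "URL=http://..." per distribution point.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(https?://[^\s]+)')) {
            $u = $m.Groups[1].Value
            if (([uri]$u).Host -match $HostFilter) { $u }
        }
    }
    $urls | Sort-Object -Unique
}

function Save-CrlFiles {
    # Run on a connected machine; copy the folder to the disconnected one afterwards.
    param(
        [Parameter(Mandatory)][string[]]$Urls,
        [Parameter(Mandatory)][string]$Folder
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    foreach ($u in $Urls) {
        $name = Split-Path -Leaf ([uri]$u).AbsolutePath
        $dest = Join-Path $Folder $name
        Invoke-WebRequest -Uri $u -OutFile $dest -UseBasicParsing
        $info = certutil -dump $dest | Where-Object { $_ -match 'NextUpdate|Issuer' }
        [pscustomobject]@{ Url = $u; File = $dest; Info = ($info -join '; ') }
    }
}

$list = Get-CrlDistributionPoints
$list
Save-CrlFiles -Urls $list -Folder 'C:\CRLCache'   # constructed folder
```

On the disconnected host the downloaded files can be placed in the local cache with `certutil -addstore CA <file.crl>`; note that the list only covers CRL URLs, so AIA (issuer certificate) URLs in the same extension set would need the same treatment with OID 1.3.6.1.5.5.7.1.1, and that each CRL is only good until its NextUpdate, so the download has to be repeated on that schedule.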


How to create a cert with Data Encipherment (10) key usage using AD CS???


I have to create a very specific certificate that has a key usage of "Data Encipherment (10)".  I can create self-signed certs with this by using the "New-SelfSignedCertificate -Type DocumentEncryptionCert -KeyUsage DataEncipherment -Subject mydataenciphermentcert -Provider 'Microsoft Enhanced Cryptographic Provider v1.0'" command.  I need to create this type of certificate in my AD CS.  I'm fairly new to AD CS but know how to create a template and do a custom request, but I cannot seem to find the correct combination of settings that will produce a certificate with the Data Encipherment (10) key usage.  Any help?

Thank you in advance.

Ford Wilkinson
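An added example (not part of the original post) for checking the key usage on both ends: the "(10)" in the certificate viewer is the hexadecimal value of the DataEncipherment bit (0x10 = 16 in .NET's X509KeyUsageFlags), a template stores its intended key usage in the AD attribute pKIKeyUsage using the same bit layout, and an issued certificate carries it in the KeyUsage extension. Decoding both with one function shows whether the template you built actually asks for the bit before you enrol, and whether the issued certificate got it. The template name in the usage line is constructed; reading the template needs an account that can query the configuration partition.

```powershell
# Added example (not from the original post). The template name is constructed.

function ConvertFrom-KeyUsageBytes {
    # pKIKeyUsage holds the X.509 KeyUsage bit string: first byte = bits 0x80..0x01
    # (DigitalSignature..EncipherOnly), second byte = DecipherOnly. That is the same
    # layout as X509KeyUsageFlags, so the value can be cast directly.
    param([byte[]]$Bytes)
    $value = [int]$Bytes[0]
    if ($Bytes.Length -gt 1) { $value = $value -bor ([int]$Bytes[1] -shl 8) }
    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$value
}

function Get-TemplateKeyUsage {
    param([Parameter(Mandatory)][string]$TemplateName)   # CN of the template object
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $raw = [byte[]]$tpl.psbase.Properties['pKIKeyUsage'].Value
    $ku  = ConvertFrom-KeyUsageBytes $raw
    [pscustomobject]@{
        Template         = $TemplateName
        KeyUsage         = $ku
        DataEncipherment = [bool]($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment)
    }
}

function Test-DataEncipherment {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ext) { return [pscustomobject]@{ Subject = $Cert.Subject; KeyUsage = '(no KeyUsage extension)'; DataEncipherment = $false } }
    [pscustomobject]@{
        Subject          = $Cert.Subject
        KeyUsage         = $ext.KeyUsages
        Critical         = $ext.Critical
        DataEncipherment = [bool]($ext.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment)
    }
}

# The self-signed certificate from the post, as a known-good reference:
$ref = New-SelfSignedCertificate -Type DocumentEncryptionCert -KeyUsage DataEncipherment `
           -Subject 'CN=mydataenciphermentcert' -CertStoreLocation Cert:\CurrentUser\My
Test-DataEncipherment -Cert $ref

# The template you built, before enrolling against it:
Get-TemplateKeyUsage -TemplateName 'DataEnciphermentOnly'   # constructed name

# An issued certificate, after enrollment (replace with the real thumbprint):
# Test-DataEncipherment -Cert (Get-Item Cert:\CurrentUser\My\<thumbprint>)
```

If the template decodes to the expected flag but the issued certificate does not, the request path is the place to look: a request built with `certreq` and its own INF-file key usage is not the same as a template-driven request, and for template-driven enrollment the CA applies the template's key usage, so the comparison above tells you which side needs changing.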

Question about Windows Audit Logging policy - I'm seeing conflicting settings


Hello experts, we are running Active Directory; the current domain functional level is Server 2012 R2 and the forest functional level is 2008 R2. I have a quick question about Windows audit logging for logons/logoffs. Please see the screenshot below. Our default domain policy shows that auditing for logon events is enabled, but when I run the auditpol command, it says it is not enabled. Which is correct, or are these different auditing features and I am getting them confused? Is there a place where I can look to see if auditing of logon events is working, to test it?
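An added example (not part of the original post) that puts the two settings side by side on one machine: the legacy category policy ("Audit logon events" under Local Policies\Audit Policy, exported by secedit as AuditLogonEvents), the advanced subcategory policy that auditpol reports (Logon/Logoff subcategories), and the LSA value SCENoApplyLegacyAuditPolicy, which when set to 1 makes the advanced subcategory settings win and the legacy category settings get ignored. The last field counts recent 4624/4625 events, which is the direct test of whether logon auditing is producing anything. Run elevated.

```powershell
# Added example (not from the original post). Run elevated.

function Get-LogonAuditState {
    # Advanced (subcategory) policy, as auditpol reports it. /r gives CSV.
    $adv = auditpol /get /category:"Logon/Logoff" /r |
               Where-Object { $_ -ne '' } | ConvertFrom-Csv |
               Select-Object Subcategory, 'Inclusion Setting'

    # Legacy (category) policy, as the Default Domain Policy GUI shows it.
    $inf = Join-Path $env:TEMP ('audit-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $legacyLine = Get-Content -Path $inf | Where-Object { $_ -match '^AuditLogonEvents\s*=' }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    $legacyMap = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }
    $legacy = if ($legacyLine -and ($legacyLine -match '=\s*(\d)')) { $legacyMap[[int]$Matches[1]] } else { 'not defined' }

    # 1 = "Force audit policy subcategory settings to override audit policy category settings".
    $override = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy

    # Proof: are logon events actually being written?
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-1) } `
                  -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LegacyAuditLogonEvents  = $legacy
        AdvancedSubcategories   = $adv
        AdvancedOverridesLegacy = ($override -eq 1)
        LogonEventsLastHour     = @($recent).Count
    }
}

$state = Get-LogonAuditState
$state | Select-Object LegacyAuditLogonEvents, AdvancedOverridesLegacy, LogonEventsLastHour
$state.AdvancedSubcategories | Format-Table -AutoSize
```

When AdvancedOverridesLegacy is true, what auditpol shows is the effective policy and the legacy category in the domain policy is not applied, which matches the symptom in the post; the LogonEventsLastHour count (4624 = successful logon, 4625 = failed logon) is the observable result either way.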

ADCS cannot import PFX file with CA certificate and ECDSA private key


I had used ADCS to create Standalone Subordinate CAs before, with ADCS generating the ECDSA P256 private key (using the ECDSA_P256#Microsoft Software Key Storage Provider) and a CSR, then the parent CA signing the Subordinate CA certificate (using SHA256 / ECDSA signature algorithm), and the certificate imported into ADCS. All worked well.

However when attempting to create the CA by importing a PFX file containing the CA private key and CA certificate, I get the following error:

"Active Directory Certificate Service setup failed with the following error: Invalid provider specified. 0x80090013 (-2146893805 NTE_BAD_PROVIDER)"

The same error is returned whether configuring ADCS using the GUI or PowerShell (Install-AdcsCertificationAuthority).

The private key algorithm and cert signing algorithm in the failure case are identical to the success scenario above. In other words, all that I'm changing is that instead of having the standalone subordinate CA create its own private key and a CSR to be signed, the parent CA generates the key for the subordinate CA (and includes it in the PFX file). The rest is identical.

As an experiment, I used RSA 2048 instead of ECDSA P256 as the key algorithm for the subordinate CA. In this case the import of the PFX file appeared to be successful.

Given the error (0x80090013 (-2146893805 NTE_BAD_PROVIDER)), it sounds like ADCS may be having an issue with importing keys into an ECDSA KSP, even though it has no issue generating a key in the same KSP.

Does anyone have a solution to this?
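An added example (not part of either post) that serves this question and the earlier one, "How to verify the private key in certificate": one function that, for a certificate in a store or for a PFX file, reports whether a private key is associated (the HasPrivateKey flag is what the MMC key icon reflects), whether the key can actually be opened, and which provider holds it and whether that provider is a CNG key storage provider or a legacy CAPI CSP. For the PFX case the certificate is loaded with the default key set, so the key lands in a temporary container that goes away with the object. The store path, thumbprint and file name in the usage lines are constructed.

```powershell
# Added example (not from the original posts). Values in the usage lines are constructed.

function Get-CertKeyInfo {
    param(
        [Parameter(Mandatory, ParameterSetName = 'Store')][string]$Thumbprint,
        [Parameter(ParameterSetName = 'Store')][string]$StorePath = 'Cert:\CurrentUser\My',
        [Parameter(Mandatory, ParameterSetName = 'Pfx')][string]$PfxPath,
        [Parameter(Mandatory, ParameterSetName = 'Pfx')][securestring]$Password
    )
    $cert = if ($PSCmdlet.ParameterSetName -eq 'Pfx') {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, 'DefaultKeySet'
    } else {
        Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $Thumbprint
    }
    if (-not $cert) { throw "certificate not found" }

    $info = [ordered]@{
        Subject       = $cert.Subject
        Algorithm     = $cert.PublicKey.Oid.FriendlyName
        HasPrivateKey = $cert.HasPrivateKey      # what the key icon in the MMC reflects
        KeyAccessible = $false                   # could the key actually be opened?
        Provider      = $null
        ProviderKind  = $null
    }
    if ($cert.HasPrivateKey) {
        try {
            $key = switch ($cert.PublicKey.Oid.Value) {
                '1.2.840.113549.1.1.1' { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) }
                '1.2.840.10045.2.1'    { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
            }
            if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                $info.Provider     = $key.Key.Provider.Provider
                $info.ProviderKind = 'CNG key storage provider'
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info.Provider     = $key.CspKeyContainerInfo.ProviderName
                $info.ProviderKind = 'legacy CAPI CSP'
            }
            $info.KeyAccessible = ($null -ne $key)
        } catch {
            $info.Provider = "error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$info
}

# A certificate that shows no key icon in the personal store:
Get-CertKeyInfo -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'   # constructed thumbprint

# The PFX that AD CS refuses:
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Get-CertKeyInfo -PfxPath 'C:\temp\subca.pfx' -Password $pw               # constructed path
```

For the "no key icon" case, `certutil -user -store My <thumbprint>` prints the Key Container and Provider lines when a key is linked, and `certutil -user -repairstore My <thumbprint>` re-links a key that exists in a container but lost its association with the certificate. For the PFX case, the Provider and ProviderKind fields are the thing to compare against the working scenario: AD CS needs an ECDSA key to sit in a CNG key storage provider, and a PFX can be imported into a chosen provider with `certutil -csp "Microsoft Software Key Storage Provider" -importPFX <file.pfx>`, after which the CA setup can reference the already-stored certificate through Install-AdcsCertificationAuthority's -CertificateID parameter instead of -CertFile.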

Setting up ipsec


Hello,

Is it possible to set up IPsec to secure my network's traffic? I only find tutorials for VPN.

Many thanks.
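An added example (not part of the original post): host-to-host IPsec without a VPN, using the Windows Firewall connection security rules that every domain member already has. The rule below authenticates peers with computer Kerberos (so it works between domain members with no certificates or PSKs), protects traffic to one subnet in transport mode with ESP AES256/SHA256, and starts in Request mode on inbound so that hosts which do not yet negotiate keep working; the -Enforce switch turns that into Require once all peers are covered. The subnet 192.0.2.0/24, the set names and the algorithm choice are assumptions; run elevated on each member (or deploy the same rule through Group Policy).

```powershell
# Added example (not from the original post). Subnet, names and algorithms are assumptions.

function New-ServerSubnetIpsecPolicy {
    param(
        [string]$Subnet = '192.0.2.0/24',
        [switch]$Enforce   # Require authentication for inbound instead of just requesting it
    )
    # Quick-mode (data) protection: ESP with AES-256 and SHA-256 integrity.
    $proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
    $qm       = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256/SHA256' -Proposal $proposal

    # Main-mode authentication: the computer's Kerberos identity (domain membership).
    $auth = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
                -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)

    $inbound = if ($Enforce) { 'Require' } else { 'Request' }
    New-NetIPsecRule -DisplayName "IPsec to $Subnet" `
        -RemoteAddress $Subnet -Mode Transport -Profile Domain `
        -InboundSecurity $inbound -OutboundSecurity Request `
        -Phase1AuthSet $auth.Name -QuickModeCryptoSet $qm.Name
}

function Get-IpsecStatus {
    # Main-mode SAs show who authenticated with whom; quick-mode SAs show which
    # traffic is actually being protected and with which algorithms.
    [pscustomobject]@{
        MainModeSAs  = @(Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, *Algorithm*)
        QuickModeSAs = @(Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, *Algorithm*)
    }
}

New-ServerSubnetIpsecPolicy -Subnet '192.0.2.0/24'          # rollout: Request/Request
# ... generate some traffic to a host in the subnet, then:
(Get-IpsecStatus).QuickModeSAs | Format-Table -AutoSize
# New-ServerSubnetIpsecPolicy -Subnet '192.0.2.0/24' -Enforce   # later: Require inbound
```

An empty QuickModeSAs list after traffic has flowed means negotiation did not happen; the Windows Filtering Platform events in Security (5451/5452 for SA establishment and 4653/4654 for failures, when the "IPsec Main Mode" and "IPsec Quick Mode" audit subcategories are enabled) say why.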

CN=MS-Organization-P2P-Access [2018] expired

We have got the below SCOM alert from a couple of Windows 2016 Standard servers.

Kindly suggest a fix for this issue; otherwise, is there any best practice to clean it up from the registry?



The certificate expires in 0 days on 08/13/2018 08:55:30 UTC.
Certificate Subject: CN=748cb722-a179-40ea-b34a-ab29dfc854a8, DC=8da49d14-e54e-453a-95c2-2185582c7233
Certificate Issuer: CN=MS-Organization-P2P-Access [2018]
Serial number: 492550EE1F480C1290390BB0D7E9E7D0
Store Name: Personal

Store Key: My
Store Provider: SystemRegistry
Store Type: LocalMachine
Monitoring User: NT AUTHORITY\SYSTEM

