Channel: Security forum
Viewing all 12072 articles

Local GPO setting not being applied despite Domain GPO having "Not Defined" for same setting


Windows Server 2016

I have run RSOP, gpresult /H, and gpedit but have no explanation for why my local Security settings are not being applied even when the Domain GPOs have "Not Defined".  The Local Policy settings within the Administrative Template section are being applied, so that shows the policy is being successfully processed, but I am at a loss to find why the domain "Not Defined" settings are overwriting the Local Policy settings.  None of the domain GPOs are set to Enforced.

This is impacting User Rights, Security Options only.  Any thoughts out there?


Effect of CA cert renewal with/without new key pair on auto-enrolment


Hi,

Can anyone confirm the expected behaviour when renewing CA certs on auto-enrolled certificates?  Would renewal of a CA certificate trigger new certificate requests for certificates deployed using auto-enrolment, either with or without the use of new key pairs at the CA?

Directory Service access - Audit failure


Hi All,

I have group policy which is linked to domain controllers container, Policy contains audit settings for directory service access and I have enabled it only for failure.

I have one non-privileged domain user account which has the capability to read the groups in domain.

Whenever I try to query any group, for example Domain Admins, with the command below, I should not receive any event in Event Viewer on the mentioned domain controller, as I have not enabled "Success" auditing.

However, though I am able to successfully enumerate the groups using my domain user account, it is still giving me Audit Failure event 4662.

Get-ADGroupMember "domain admins" -Server aaaadc.test.domain

Kindly advise what is the reason I am getting audit failure.

Regards

Afsar Shariff
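A read-only way to see what the 4662 failure events actually record, added here as an example and not part of the original post. It pulls Audit Failure 4662 events for a given account from the Security log on the named domain controller and prints the object, access mask and property GUIDs from each event's XML, which is the detail needed to see which access was denied rather than just that one was. The account name, server name and lookback window are placeholders.

```powershell
# Added example: list 4662 Audit Failure events for one account and show
# the fields that explain what was denied. Names below are placeholders.
$dc      = 'aaaadc.test.domain'      # domain controller to query (from the post)
$account = 'SAMPLE_USER'             # constructed placeholder account name
$since   = (Get-Date).AddHours(-1)

# Query the Security log for event 4662 in the window, then keep only
# the Audit Failure keyword (Success events are filtered out client-side
# so the same script works whether or not Success auditing is enabled).
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }

foreach ($e in $events) {
    # Read the EventData fields by name from the event XML; this is more
    # robust than relying on positional Properties[] indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['SubjectUserName'] -ne $account) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectType = $data['ObjectType']
        ObjectName = $data['ObjectName']
        Operation  = $data['OperationType']
        # AccessMask is a hex string such as 0x10 (Read Property); the
        # Properties field lists the attribute/property-set GUIDs involved.
        AccessMask = $data['AccessMask']
        Properties = ($data['Properties'] -replace '\s+', ' ').Trim()
    }
}
```

The property GUIDs printed in the last column can be matched against the schema (for example with Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter { schemaIDGUID -like '*' } -Properties schemaIDGUID) to find which attribute or property set the denied read was for.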
Certutil -installcert not working: "command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)"


Hi,

I'm installing a root PKI and 2 x subordinate PKIs in a test lab

I am at the stage where I'm trying to run the below command on the subordinates so they will be trusted by the root PKI.

This should prompt me to browse for a file generated from the root PKI but I never get the chance to browse for it.

certutil -installcert

This previously worked fine on both Subordinates but now I get the below error.  This problem appears to coincide (could be wrong here) with me reinstalling the certificate authority as part of testing, i.e. it did work, I reinstalled and configured everything from scratch again, then certutil stopped working.

certutil itself is working in that I can run certutil /? 

>certutil -installcert

CertUtil: -installCert command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.


mandatory fields when submitting CSR to Windows Server CA


Hello!

I have a CA installed and configured. I want to enforce particular fields to be filled in when submitting a CSR to the CA (no matter whether it is from mmc, cmd, bash, etc.). Is there a way I can define which fields/values must be set when creating a CSR for web server, code signing, mail encryption, etc.?

The certificate should be issued only if all fields are filled in the CSR.

Thanks in advance for your help!


Standalone root CA certificate with a validity of 10 years is going to expire and I want to renew it with the same key pair (public/private). Could you please provide me the solution?


A couple of concerns:

We are going to renew the root certificate with the existing public and private key.

Regarding applications that have their own keystore: the LDAPS clients look to the current root CA cert in their own Java keystore. Do we need application operations to verify that, when the extension is committed, the root CA cert (which would now be a new, updated certificate) would be accepted because it has the same public/private key pair, and that they do not look at other parts of the certificate, as this would otherwise be a different root CA?

Kumar

Thank you

What is "CertificateName" in AIA extensions?


I just set up a new Enterprise Issuing CA.

The AIA shows the http location as http://domainname.com/pki/<CAName><CertificateName>

I know what CAName is, but I don't know what "CertificateName" is.

In the Windows\System32\CertSrv\CertEnroll folder the certificate file is configured in the AIA extensions to <ServerDNSName>_<CAName><CertificateName>.crt, but the file name is ServerDNSName_CAName.crt and I don't see what "CertificateName" refers to.

Do I have to manually rename the certificate files to something else before copying the crt files to the web location?

Windows Security Center


We have a terminal server running Windows 2012.

When our case management software tries to access Outlook we get a security message advising that something is trying to access Outlook, giving the options of Allow or Deny.

On Server 2008 there was a Windows Security Center service which checked if antivirus was installed, and if so it would not prompt for access to Outlook.

With server 2012 this service is not available. How does 2012 now check for antivirus so that outlook does not prompt for allow or deny access?


Unable to enroll SSL certificate to Smart Card - A smart card was detected but is not the one required for the current operation


Hello,

We migrated our CA from 2003 to 2016 and now we are unable to enroll a certificate to our smart cards, with the following error:

A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate. Contact your system administrator

Also, when we run certutil on the PC where the card reader is connected, we get this error:

CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802)
CertUtil: Keyset does not exist

Any help would be much appreciated

C:\Users\test>certutil -scinfo

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 4
  0: AKS ifdh 0
  1: AKS ifdh 1
  2: AKS VR 0
  3: Generic  SmartCard Reader 0
--- Reader: AKS ifdh 0
--- Status: SCARD_STATE_EMPTY
--- Status: No card.
---   Card:
--- Reader: AKS ifdh 1
--- Status: SCARD_STATE_EMPTY
--- Status: No card.
---   Card:
--- Reader: AKS VR 0
--- Status: SCARD_STATE_EMPTY
--- Status: No card.
---   Card:
--- Reader: Generic  SmartCard Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: eTokenCard/JC1.0
---    ATR:
        3b d5 18 00 81 31 fe 7d  80 73 c8 21 10 f4         ;....1.}.s.!..


=======================================================
Analyzing card in reader: AKS ifdh 0

--------------===========================--------------

=======================================================
Analyzing card in reader: AKS ifdh 1

--------------===========================--------------

=======================================================
Analyzing card in reader: AKS VR 0

--------------===========================--------------

=======================================================
Analyzing card in reader: Generic  SmartCard Reader 0
Missing stored keyset
Missing stored keyset

--------------===========================--------------

Done.
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802)
CertUtil: Keyset does not exist

Certificate *.crt name automatically generated doesn't match name in PKIVIEW


I noticed that our new subordinate issuing enterprise CA generates a *.crt file in the name of "serverdnsname_CAName.crt" in the CertEnroll folder.

However, when I look at PKI View, it's looking for a file with a shorter name of just "CAName.crt" in the HTTP URL.

I assume I can just rename the CRT file before copying it to the web server, but how can I find out why these names are not matching so the names generated match what PKIView wants to locate?

IT Person Cannot Change His Own Admin Pwd in ADUC


Hello,

Any tips/links/ideas for troubleshooting this scenario?

We have a helpdesk person that is not a domain administrator, but is a part of the domain\administrators group. He cannot use the AD Users and Computers console to change his administrator password.  He does run it with "run as" as his admin account.  When he tries, it gives the error "Windows cannot complete the password change for "Bill Gates" :) because: Access denied".  In the event viewer of that DC, I see event ID 4724 (source = Microsoft Windows security) which really does not provide any helpful information.  He can change other people's passwords without issue.

We have an ADFS web page that does allow him to change his password using that method.

I have found this page:

https://blogs.technet.microsoft.com/askds/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop/

And I am not sure if this is what's going on.  I guess it is possible that someone temporarily gave him domain admin rights and removed them.  In ADSI I can see the attribute "AdminCount" = 1 for his account.  But wouldn't that prevent him from changing the password using any method (i.e. the ADFS web password portal would not work for him)?

Does anyone know how to find out more detail about why a password change action is denied?

Install rights for a simple domain user


Hi Everyone,

We have Windows Server 2016. I have a simple domain user who runs/manages applications and services on this server and it works fine. I would like to give 3 kinds of permissions to this user.

1) Windows Server restart,

2) Install applications on the Windows Server.

3) Install/manage services on the Windows Server.

1) I successfully set up the first permission in Group Policy Management (Default Domain Controllers Policy / Policies / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Shut down the system). As far as I can see it works fine.

2) I can't find how I can set the install permissions for this simple domain user.

3) I set up the service manage permissions (https://social.technet.microsoft.com/wiki/contents/articles/5752.how-to-grant-users-rights-to-manage-services-start-stop-etc.aspx?wa=wsignin1.0), but I can't find how to grant install services rights for this simple domain user.

Is there anybody who can help me?

Many thanks in advance,

Foley

Disabled SMBV1 and now Workstation and Netlogon services won't start


I used a GPO to disable SMBv1 by making the changes below. Once I did that I can no longer RDP into the server, and I noticed Workstation and Netlogon are not started. When I go to start Workstation I get an error 2, "The system cannot find the file specified", which I thought refers to WSService.dll, and that is present in the system32 folder. Then I reversed the policy by removing the GPO and changing the registry settings back using the changes further below. I still can't start the service and get the same error. It has been rebooted after each change. This is an urgent issue for us so any help would be greatly appreciated.

Disabled SMBv1 by registry changes through GPO as explained on TechNet:

1. Create a REG_DWORD of SMB1 in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and set the value to 0

2. Create a REG_DWORD of Start in HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10 and set the value to 4

3. Replace REG_MULTI_SZ Value DependOnService value in HKLM\SYSTEM\CurrentControlSet\LanmanWorkstation with Browser, MRxSmb20, and NSI

Reversed GPO by disabling GPO and making the following registry changes:

1. Changed REG_DWORD SMB1 created in step 1 above to 1.

2. Changed REG_DWORD Start created in step 2 above to 2.

After trying the above and it not working, I also tried adding MRxSmb10 into the DependOnService list that was edited in step 3 above, although other servers I have that didn't have the GPO applied don't have that in that registry entry. Still no luck.

Any ideas on what else to try? 
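A read-only check of the state the post describes, added here as an example and not part of the original post. It reads the SMB1 and mrxsmb10 Start values at the paths given in the post, then reads the Workstation service's DependOnService list and confirms that every entry it names exists as a service or driver key, since the Service Control Manager cannot start a service whose dependency does not exist. The Workstation service key is assumed to be HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, and the expected dependency list (Bowser, MRxSmb20, NSI) is the one in Microsoft's documented SMBv1 removal procedure; it only reports, it changes nothing.

```powershell
# Added example: verify SMBv1 registry state and Workstation service
# dependencies without modifying anything. Run elevated on the affected server.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1';  Disabled = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10';                Name = 'Start'; Disabled = 4 }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0}\{1}: value not present (default behaviour applies)" -f $c.Path, $c.Name
    } else {
        $actual = $item.($c.Name)
        $state  = if ($actual -eq $c.Disabled) { 'SMBv1 disabled' } else { 'SMBv1 not disabled by this value' }
        "{0}\{1} = {2} ({3})" -f $c.Path, $c.Name, $actual, $state
    }
}

# Assumed service key path; the documented post-SMBv1 dependency list.
$wsPath       = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
$expectedDeps = @('Bowser', 'MRxSmb20', 'NSI')

$deps = (Get-ItemProperty -Path $wsPath -Name DependOnService -ErrorAction Stop).DependOnService
"DependOnService on LanmanWorkstation: $($deps -join ', ')"

# A dependency that has no service/driver key prevents Workstation from starting.
foreach ($d in $deps) {
    $exists = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$d"
    "  {0,-10} {1}" -f $d, $(if ($exists) { 'service key exists' } else { 'NO SERVICE KEY FOUND' })
}

# Entries outside the documented list are worth a second look (typos included).
$unexpected = $deps | Where-Object { $expectedDeps -notcontains $_ }
if ($unexpected) { "Entries not in the documented list: $($unexpected -join ', ')" }

# Current view of the two services the post says will not start.
Get-Service -Name LanmanWorkstation, Netlogon | Select-Object Name, Status
```

If a dependency is reported with no service key, the Workstation service will not start regardless of the SMB1 and mrxsmb10 values, so that line is the one to act on first.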


Request user certificates for end users


We are rolling out EAP-TLS wireless certificate based authentication that will need to support contractors with domain user accounts on our domain, but not using laptops from our domain (so we can't deploy to them with group policy).

We planned to have these users install user certificates on their laptops and were going to set up the ADCS Web Enrollment page, for self-service enrollment, but the page looks too clunky and confusing to have every user try to do this themselves. 

How can we configure this so IT staff request these certificates on behalf of the users so the users don't need to deal with the web enrollment page?

Is there a way to do this in bulk from a CSV file of user names so we can get the initial mass deployment of new certificates done quickly?

Windows Server 2016 Version 1607

I couldn't download any updates for Windows Server 2016 Version 1607 since June 2018. Has Microsoft stopped releasing patches for Windows Server 2016 Version 1607?

I need to create a user account which has privileges to monitor the services & machine


Dear team,

I need to create a domain user ID for our monitoring tool to execute and get details for server hardware and services for the monitoring console, so I need to know which rights/delegation/group to apply to the user so it can log in and install the application on all domain client machines. Kindly suggest.

Thanks & Regards

Naved Anjum

PowerShell and AppLocker


I apologise if this is not the correct forum for this question, but please point me in the right direction if not.

I have a PS script that needs to run at logon on our domain.  However we also have AppLocker installed in allow mode which then automatically places PowerShell into Constrained Language Mode.

I have entered a path to the Netlogon share where the PS script is located but it still fails to run.

AppLocker logs show the script is allowed to run, but application logs show it is blocked by Constrained Language Mode.

How do we run a PS script with AppLocker installed?

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates


Hi all,

Can we use the procedure below to decommission old sub CA servers without affecting certificates previously issued from them?

https://blogs.technet.microsoft.com/pki/2012/01/27/decommissioning-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-operations-to-a-new-one/

The customer has 1 root CA and 2 sub CA servers; the root is in a workgroup and each sub CA is joined to a different domain (they have two separate forests).

The customer asked us to migrate the root CA and install two new sub CAs, so now we need to demote the two old sub CA servers without affecting certificates previously issued from them.

Couple of quick LAPS installation questions

Active Directory (small), one forest, two domain controllers.  DC1 is the master for all roles (netdom query fsmo).  Should LAPS (AdmPwd.Setup.x64.msi) be installed on DC1 or DC2 or does it matter?  Should we do a full install on both DCs?  Can LAPS be installed on a domain controller during business hours with no effect on users?  Can the schema be updated during business hours with no effect on users?  Does the schema need to be updated on both DCs?

Planning to upgrade CA from SHA1 to SHA256


Hi All, 

I have a domain hosted on a single DC. On the DC itself I have installed an enterprise root CA. Now I am planning to upgrade the CA from SHA1 to SHA256. I am planning to follow the article https://www.petenetlive.com/KB/Article/0001243.

Request you all to please advise me. I am not an expert in CA, and this test domain is used by testing teams; it is a critical resource. Please let me know if any details are required here.
