Channel: Security forum

KerberosAuthentication certificates constantly requested from domain controllers

As the title says, some of my domain controllers (2 out of 3) are each requesting a KerberosAuthentication certificate 3-4 times per day.  The one that is not constantly requesting the certificates is in another site by itself.  Is this normal?

NTFS Permissions


Just curious, is there a way to block a user from seeing all the NTFS permissions on a folder but still allow that person to access it (create, delete, write, etc.)?

We have a micro manager on our hands that drives the IT Department nuts. He's going around to each folder, looking under the "Security" tab and questioning why certain people have access to these folders. It's better off that this person not know anything about our security settings. Completely unnecessary....

Thanks, 

admin audit logs


Dear Team,

I want to enable admin audit logs on Active Directory and Exchange servers, and to know how to read and trace the logs so that if any user makes changes or runs a command it can be captured.

PKI Migration from Domain A to Domain B


Hi People, is there any documentation on migration of a mature PKI solution to another domain?
What I mean by another domain is: the company I work for has been taken over, and instead of being called DomainA.com we are now DomainB.com.

Regards

Richard

SCEP Update failed with hr: 0x80072f8f 0x80070002 if outside LAN


I have SCEP configured:

which works perfectly fine. Updates are downloaded by a scheduled task to a share daily; clients update from this share on schedule.

Policies apply fine & show correctly in

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Microsoft Antimalware\Signature Updates

FallbackOrder = FileShares|MicrosoftUpdateServer|InternalDefinitionUpdateServer

But if the user takes the laptop home the updates do not happen. Of course they would not happen from the share (as it is not accessible), but they SHOULD happen directly from the MS site.

I can even try to force a manual update from the GUI; it always errors out the same.

MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MpCmdRun.exe" SignaturesUpdateService -UnmanagedUpdate
 Start Time: Sun Aug 19 2018 14:36:21

MpEnsureProcessMitigationPolicy: hr = 0x0
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: https://fe2.update.microsoft.com/v6/)...
Search Completed
Update failed with hr: 0x80072f8f
Update completed with hr: 0x80072f8f
End: Signatures Update Service
MpCmdRun: End Time: Sun Aug 19 2018 14:36:23


But I can download the full signatures mpam-fe.exe and run it (as that very user) and it updates fine.

Something is just odd, any ideas anybody?

Seb




Error publishing offline root CA certificate and CRL into Active Directory


Hello,

I've been charged with setting up a 2-tier CA. When I configure it in a lab environment where the intermediate CA is also a domain controller, all goes well when publishing the offline root CA cert and CRL. However, when I attempt to publish when the intermediate CA is simply a member server, I get errors as seen in the Enterprise PKI MMC. Errors occur using LDAP; HTTP locations are fine. Any help would be greatly appreciated.

Deletion and Modification of Windows Server System Registry Keys


Hi Team,

Following are the screenshots. I need to delete the registry key in the first image but the system doesn't allow me to do it. One of our vulnerability scanners (RetinaScan) has detected this key as a vulnerability so I need to delete it. In the next two screenshots registry key values are recommended to be modified, but even after the modifications the scanner again marks them as a vulnerability.

I need help with this and it would be highly appreciated.


Muhammad Nadeem Ahmed Sr System Support Engineer Premier Systems (Pvt) Ltd T. +9221-2429051 Ext-226 F. +9221-2428777 M. +92300-8262627 Web. www.premier.com.pk

Question about Windows Audit Logging policy - I'm seeing conflicting settings


Hello experts, we are running Active Directory; the current domain functional level is Server 2012 R2 and the forest functional level is 2008 R2. I have a quick question about Windows audit logging for logons/logoffs. Please see the screenshot below. Our Default Domain Policy shows that auditing for logon events is enabled, but when I run the auditpol command it says it's not enabled. Which is correct, or are these for different auditing features and I am getting them confused? Is there a place where I can look to see if auditing of logon events is working, to test it?
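The two views in the question come from different layers: the legacy "Audit logon events" category setting in a GPO, and the per-subcategory state that auditpol reports. Once advanced audit policy subcategories are applied and the LSA override switch is on, the legacy category setting is ignored and auditpol shows what is actually in effect. The following script is an added example, not anything from the post or from Microsoft's documentation; it prints the effective Logon/Logoff subcategories, the override switch, and a count of recent logon events as a functional check. Host and time window are assumptions.

```powershell
# Added example (not from the post). Shows the effective audit settings as the
# LSA applies them (auditpol, CSV output via /r) next to the registry switch
# that decides whether legacy GPO category settings are still honoured, then
# counts recent logon events as a functional check. Time window is assumed.

# Effective per-subcategory state for the Logon/Logoff category.
$effective = auditpol /get /category:"Logon/Logoff" /r | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# SCENoApplyLegacyAuditPolicy = 1 is the "Force audit policy subcategory
# settings ... to override audit policy category settings" option.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'Subcategory override is ON: the legacy "Audit logon events" category setting in the GPO is ignored; auditpol is authoritative.'
} else {
    'Subcategory override is OFF: legacy category settings still apply and can conflict with subcategory settings.'
}

# Functional check: are Logon subcategory events actually being written?
$since = (Get-Date).AddHours(-1)   # assumed window
$logonEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue
$count = ($logonEvents | Measure-Object).Count
"4624/4625 events in the last hour: $count (a steady 0 on a machine that is in use means the Logon subcategory is not enabled)"
```

Run it on the domain controller whose policy is in question; if `Inclusion Setting` shows `No Auditing` for `Logon` while the GPO says enabled and the override is ON, the GPO's legacy setting is the one being ignored.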


Windows Server downloads updates very slowly


Hello,

I have been experiencing this issue for a while now.

When I check for Windows updates on my Windows Server 2016, it finds an update... but it takes forever to install.

Currently, the machine is "Preparing to install updates 0%" on 2018-09 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4457127).

This update has been sitting at 0% for about 30 minutes. 

This happens with every cumulative update.

Please help!

Couple of quick LAPS installation questions

Active Directory (small), one forest, two domain controllers.  DC1 is the master for all roles (netdom query fsmo).  Should LAPS (AdmPwd.Setup.x64.msi) be installed on DC1 or DC2 or does it matter?  Should we do a full install on both DCs?  Can LAPS be installed on a domain controller during business hours with no effect on users?  Can the schema be updated during business hours with no effect on users?  Does the schema need to be updated on both DCs?

[Windows Server 2016] CRL Distribution points not working with certutil -setreg


Hi,

I'm currently setting up a Root Certification Authority with a CAPolicy.inf file and a post-installation script afterwards. I noticed that when setting the CRL Distribution Points with "certutil -setreg CA\CRLPublicationURLs" the replacement tokens do not get properly resolved. In particular I used the following command via batch file to set a standard CRL publication point:

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.domain.de/root/RootCAv1%%8.crl"

The result I get when publishing a fresh CRL afterwards is that the "%3%8%9" characters are present instead of "CaName" and the other variables being resolved properly. If I insert the plain-text replacement tokens, similar to the configuration via "certsrv.msc":

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\<CaName><CRLNameSuffix>.crl\n2:http://pki.domain.de/root/RootCAv1<CRLNameSuffix>.crl"

I get an error message telling me "The filename, directory name, or volume label syntax is incorrect. 0x8007007b (WIN32/HTTP: 123 ERROR_INVALID_NAME)". I noticed that some *.tmp files are generated in the correct folder, so I assume the file location in general should be fine. Last but not least: if I set the CDP manually in "certsrv.msc", everything is working fine.

Thanks for any hint about that issue.
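The tokens certutil expects are the literal strings `%3`, `%8` and `%9`; in a .bat/.cmd file they have to be written as `%%3%%8%%9` because cmd.exe consumes single percent signs, while `<CaName>` style tokens are only understood by the certsrv.msc UI, not by the registry value. The script below is an added example, not the poster's batch file: it sets the same two publication points from PowerShell, where `%` is not a shell metacharacter, reads the stored REG_MULTI_SZ back to check that no escaped or angle-bracket token survived, and publishes a fresh CRL to confirm the file name renders. The CA name `RootCAv1` and the host `pki.domain.de` are taken from the post; everything else is an assumption.

```powershell
# Added example (not the poster's script). Sets the CRL distribution points
# from PowerShell so the certutil replacement tokens %3 (CaName),
# %8 (CRLNameSuffix) and %9 (DeltaCRLAllowed) reach certutil literally.
# Paths and URLs are assumptions based on the post (pki.domain.de, RootCAv1).

# Flag 1 = publish the CRL to this location; flag 2 = include the URL in the
# CDP extension of issued certificates.
$fileCdp = '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'
$httpCdp = '2:http://pki.domain.de/root/RootCAv1%8.crl'

# certutil -setreg takes the multi-string value with a literal "\n" between
# entries; PowerShell does not interpret "\n", so it is passed through as-is.
certutil -setreg 'CA\CRLPublicationURLs' "$fileCdp\n$httpCdp"
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

# Read the value back straight from the registry (REG_MULTI_SZ) and flag any
# entry that still carries an escaped token (%%3) or a UI-style token (<CaName>).
$caName  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$urls    = (Get-ItemProperty $regPath).CRLPublicationURLs
foreach ($u in $urls) {
    if ($u -match '%%|<[A-Za-z]+>') { Write-Warning "Unresolved token in: $u" }
    else                            { Write-Host    "OK: $u" }
}

# The CA service reads these values at start-up: restart it, publish a new CRL
# and check that the file name was rendered from the tokens (e.g. RootCAv1.crl).
Restart-Service CertSvc
certutil -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }
Get-ChildItem 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' | Select-Object Name, LastWriteTime
```

If the warning fires for `%%3`, the value was written from a context that did not strip the doubled percent signs (for example a command run directly at an interactive cmd.exe prompt, where a single `%3` is already correct).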

New sub CA doesn't show published templates


I have installed a new enterprise sub CA. There are two existing CAs there already. When I publish the templates that this CA should issue certificates from, they do not show on the client/server. I have tried different users and I have also removed the client certificate cache, so this is not the problem.

There is also an enrollment web service policy installed in the AD. I am wondering if this has some influence on what is happening here. Should this be configured to allow templates to be published properly? You see the only templates that are shown are some internal web server certificates.


How to Configure Server to generate Self Signed Certificates to use SHA256 HASH Algorithm

How to configure the server to use the SHA-256 hash algorithm for generating the self-signed certificate?
E.g.: Windows 2008 R2 Server, Remote Desktop, creating self-signed certificates automatically with the SHA1 hash algorithm.

There is no CA server. Even if we have a CA, is it possible to configure the local server to create self-signed certificates using the SHA256 hash algorithm, or do we need to generate the cert request file and get the certificates from the CA server?

It is much appreciated if you provide the detailed steps for configuring the self signed certificates to use SHA256 Hash Algorithm.

Thanks in Advance

Regards 
Eeswaran

Disable TLS 1.0 on all Ports on Windows Server 2012 R2

I am running Windows 2012 R2 and I have disabled TLS 1.0 in both the registry and using IISCrypto.  However, my security scanner is still showing TLS 1.0 in use on certain ports, 443, 5989, 8443, 9443.  If TLS 1.0 is disabled, how is it still available on these ports and how can I completely disable it on the server?

Terry
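The Schannel registry keys (and IISCrypto, which edits the same keys) only govern services that use Schannel: IIS, RDP, LDAPS, WinRM and similar. A service that ships its own TLS library (Java-based or OpenSSL-based agents, which is typical for management ports such as 8443/9443 and for the CIM/WBEM port 5989) keeps offering TLS 1.0 no matter what Schannel says. The script below is an added example, not part of the post: it shows the Schannel server-side switch, maps each flagged port to the process and service that owns it, and attempts a TLS 1.0-only handshake against each port locally so the ones that still accept it can be tied to a specific product. The port list is from the post; everything else is an assumption.

```powershell
# Added example (not the poster's configuration). Identifies which listener on
# each flagged port still negotiates TLS 1.0, so the fix can be aimed at the
# right product instead of at Schannel. Ports are from the post; the rest is assumed.

$ports    = 443, 5989, 8443, 9443
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'

$tls10 = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
"Schannel TLS 1.0 Server: Enabled=$($tls10.Enabled) DisabledByDefault=$($tls10.DisabledByDefault)"

function Test-Tls10Handshake {
    # Returns the negotiated protocol name ('Tls' = TLS 1.0 accepted) or a refusal reason.
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any certificate: the question is protocol negotiation, not trust.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]::Tls, $false)
        return $ssl.SslProtocol.ToString()
    } catch {
        # Also fails if TLS 1.0 is disabled on the CLIENT side of this host; run the
        # check from a machine that still allows TLS 1.0 as a client if in doubt.
        return "refused ($($_.Exception.Message))"
    } finally {
        $client.Dispose()
    }
}

foreach ($port in $ports) {
    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $listener) { "$port : nothing listening"; continue }

    $proc = Get-Process -Id $listener.OwningProcess
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($listener.OwningProcess)" |
            Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Port    = $port
        Process = $proc.ProcessName          # e.g. 'java' or 'httpd' points to a non-Schannel stack
        Service = ($svc -join ',')
        Path    = $proc.Path
        TLS10   = Test-Tls10Handshake -ComputerName 'localhost' -Port $port
    }
}
```

A row whose `TLS10` column reads `Tls` while the Schannel key shows `Enabled=0` is a service with its own TLS configuration; the protocol list for that product has to be restricted in its own settings (for example a Java keystore/`server.xml` or an agent's configuration file), not in the registry.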

Event Log understanding


Hello everyone. I'm doing some research on event logs and trying to understand how they should be appearing, but my studies and what I actually see aren't lining up, and the instructor didn't really clear it up either. Any help would be greatly appreciated. I posted this in the training forum at first, but I'm not sure if that was the correct area.

What I understand:

A user logs in on a regular client with a domain account:

  • 4624 log created on that client
  • 4768 log created on the Domain Controller
  • 4625 log created on the client if the login is unsuccessful.
  • 4772 log created on the Domain Controller if authentication fails
  • Logon type is 2 (interactive).

A user logs in on a client with a local account

  • 4624 log created on that client
  • Authentication log is on the client as well (can't recall the log number)
  • Logon type is 2 (interactive).

What I see in practice

  • Several 4625 logs on the domain controller with the client hostname as the account name. Logon type 3.
  • Several 4624 logs on the domain controller with the client hostname as the account name. Logon type 3.
  • Several 4625 logs on the domain controller from Local accounts. Logon type 3 (Network).

I read that the clients have to "logon" as well, so this may be why I am seeing the logons with hostnames as the account name, but what exactly does that mean? And if it is unsuccessful, does that just mean it couldn't get on to the domain?

I believe I've read that when a client is connected/reconnected to the domain the local accounts attempt to authenticate to the domain. Is this true?

Thank you for the help.
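Account names that end in `$` are computer accounts: a domain-joined client authenticates as itself (logon type 3, Network) to the domain controller whenever it reads Group Policy from SYSVOL, registers DNS records or talks to any other DC service, which is why those 4624/4625 entries carry the hostname rather than a user. The script below is an added example, not from the post or the course: it pulls recent 4624/4625 events from a domain controller, splits them by logon type and by user versus computer account, and then lists the failed logons from non-computer accounts with their source address and NTSTATUS sub-status so that the local-account failures can be traced to the machine producing them. The DC name and time window are assumptions.

```powershell
# Added example (not from the post). Tabulates 4624/4625 on a domain
# controller by logon type and account kind, then drills into failed logons
# from user accounts. DC name and time window are assumptions.
param([string]$DomainController = 'DC1', [int]$Hours = 24)

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data> elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId     = $e.Id
        LogonType   = [int]$data['LogonType']        # 2 interactive, 3 network, 10 RDP ...
        Account     = $data['TargetUserName']
        AccountKind = if ($data['TargetUserName'] -like '*$') { 'computer' } else { 'user' }
        Domain      = $data['TargetDomainName']      # a non-domain value here means a local/other account
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
        SubStatus   = $data['SubStatus']             # 4625 only: 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
    }
}

"Breakdown by event, logon type and account kind:"
$rows | Group-Object EventId, LogonType, AccountKind |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'EventId,LogonType,Kind'; Expression = { $_.Name } } |
    Format-Table -AutoSize

"Failed logons from user (non-computer) accounts, by origin:"
$rows | Where-Object { $_.EventId -eq 4625 -and $_.AccountKind -eq 'user' } |
    Group-Object Domain, Account, Source, Workstation, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

In the first table the `4624, 3, computer` line is the machine-account traffic described above and is expected on a DC. The second table is the one to review: a local account name with a `Domain` of the client's own hostname repeatedly failing from the same `Source` usually points to a mapped drive, scheduled task or service on that client that was configured with a local credential and now tries it against the domain.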


IEEE 802.1x MD5 XML Schema


Hello,

We can set IEEE 802.1x MsChapV2 settings with the following XML. But does anybody know how to set the MD5-challenge username and password,
or do you know the IEEE 802.1x MD5 XML schema?

This question is a follow-up to "MDT support 802.1x", and my customer uses MD5-challenge as their auth method.

Thank you

__________________________________________________________________________________________

<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
  <EapMethod>
    <eapCommon:Type>25</eapCommon:Type>
    <eapCommon:AuthorId>0</eapCommon:AuthorId>
  </EapMethod>
  <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <baseEap:Eap>
      <baseEap:Type>25</baseEap:Type>
      <MsPeap:EapType>
        <MsPeap:RoutingIdentity>DOMAIN\USERNAME</MsPeap:RoutingIdentity>
        <baseEap:Eap>
          <baseEap:Type>26</baseEap:Type>
          <MsChapV2:EapType>
            <MsChapV2:Username>USERNAME</MsChapV2:Username>
            <MsChapV2:Password>PASSWORD</MsChapV2:Password>
            <MsChapV2:LogonDomain>DOMAIN</MsChapV2:LogonDomain>
          </MsChapV2:EapType>
        </baseEap:Eap>
      </MsPeap:EapType>
    </baseEap:Eap>
  </Credentials>
</EapHostUserCredentials>


Frank@Hiweb 冯立超@瀚博资讯

Can someone at Microsoft please document this feature? It's been in existence since Vista I think. WFAS feature


Edit: is UserVoice the more appropriate place to request this?

WFAS Discussed here;

https://social.technet.microsoft.com/Forums/windowsserver/en-US/4d2e4cce-ebc2-433c-8c7c-3e1bc5376471/windows-firewall-internet-and-intranet-predefined-set-of-computers?forum=winserversecurity 

and;

https://social.technet.microsoft.com/Forums/office/en-US/26125329-e4a6-4bdf-996d-8e69674056a4/firewall-how-to-defined-predefined-set-of-computers?forum=w7itprosecurity

and;

https://social.technet.microsoft.com/Forums/en-US/cb8f8898-d693-46ee-a05e-c489e82ac015/can-i-define-quotpredefined-set-of-computersquot-by-myself-in-windows-firewall?forum=winserversecurity

(do a search for "Predefined set of computers" and see the poor souls trying to figure this out over the years on superuser/forums, here, etc)

So people have been asking for it to be doc'd since 2013.

How does this feature actually work, why should end users and IT pros trust it?

One analysis scares me, I hope this isn't how WFAS really thinks...

_____

I also have not been able to find any documentation for the Internet and Intranet predefined set of computers in Windows Firewall with Advanced Security.

I've done some tests in a network that has the following zones and network subnets:
- LAN - 192.168.1.0/24
- DMZ - 192.168.2.0/24
- WLAN - 192.168.3.0/24
- WAN - public Internet addresses

The corporate firewall allows ping from LAN to all other zones.

On a Windows 8.1 or Windows 10 PC connected to the LAN subnet you do the following in Windows Firewall with Advanced Security:

  If you create an outbound rule that blocks ping (ICMPv4) and has the remote scope = Internet,
    then the PC cannot ping the hosts in the WAN zone as well as hosts on the DMZ subnet and WLAN subnet, while it can ping hosts on the LAN subnet.

  If you create an outbound rule that blocks ping (ICMPv4) and has the remote scope = Intranet,
    then the PC cannot ping the hosts on the LAN subnet, while it can ping all other subnets.

So, from that test I'd say that for WFAS the Intranet is actually the local subnet while the Internet means "all subnets except the local subnet".

-- rpr.
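Whatever WFAS actually means by "Internet" and "Intranet", a rule that relies on the keyword inherits that undocumented interpretation. The script below is an added example, not part of the post or of rpr's test: the first half inventories every rule whose remote scope is one of the `Internet`, `Intranet` or `LocalSubnet` keywords, so their real effect can be reviewed against the observation above; the second half expresses the same kind of rule with explicit subnets, which behaves the same regardless of how the keyword is interpreted, and checks the result with a ping to one host per zone. The subnets are the ones listed in the post; the probe host addresses and the rule name are assumptions.

```powershell
# Added example (not from the post). Inventory rules that depend on the
# Internet/Intranet/LocalSubnet keywords, then show an explicitly scoped
# equivalent. Subnets are from the post; probe hosts and rule name are assumed.

# 1. Which rules depend on a keyword scope?
$keywordRules = foreach ($rule in Get-NetFirewallRule) {
    $af = $rule | Get-NetFirewallAddressFilter
    $kw = $af.RemoteAddress | Where-Object { $_ -in 'Internet', 'Intranet', 'LocalSubnet' }
    if ($kw) {
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Profile   = $rule.Profile
            Direction = $rule.Direction
            Action    = $rule.Action
            Enabled   = $rule.Enabled
            Scope     = ($kw -join ',')
        }
    }
}
"Rules whose remote scope is a keyword:"
$keywordRules | Format-Table -AutoSize

# 2. Same intent, explicit scope: block outbound ICMPv4 echo-request (type 8)
#    to the DMZ and WLAN zones, leaving the LAN reachable. Public address
#    space would be added to -RemoteAddress as further ranges if required.
$lan  = '192.168.1.0/24'
$dmz  = '192.168.2.0/24'
$wlan = '192.168.3.0/24'
$ruleName = 'Block ICMPv4 echo to DMZ and WLAN (explicit scope)'   # assumed name

New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $dmz, $wlan | Out-Null

# 3. Verify: one assumed host per zone. Expected: LAN allowed, DMZ/WLAN blocked.
$probe = [ordered]@{ LAN = '192.168.1.10'; DMZ = '192.168.2.10'; WLAN = '192.168.3.10' }
foreach ($zone in $probe.Keys) {
    $ok = Test-Connection -ComputerName $probe[$zone] -Count 1 -Quiet -ErrorAction SilentlyContinue
    '{0,-5} {1,-14} ping {2}' -f $zone, $probe[$zone], $(if ($ok) { 'allowed' } else { 'blocked' })
}

# 4. Remove the test rule once the behaviour has been confirmed.
Remove-NetFirewallRule -DisplayName $ruleName
```

The inventory in step 1 is the part worth keeping: rules it lists are the ones whose behaviour changes if the keyword's meaning differs between Windows versions or between the two readings discussed above, and they are candidates for rewriting with explicit ranges.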


CRL Publishing time vs CRL Expiration time

How can we maximize the amount of time between when a new CRL gets physically published and the time the CRL expires, so that we have time to fix issues or rebuild the issuing CA before clients start seeing failed CRL check errors?

AT command in 2008 Standard R2 broken after recent security updates

Did anyone notice that after the Spectre and Meltdown patches recently released, any newly scheduled tasks created using the AT command are broken? The task is created, but when you open Task Scheduler it reports an error in the task XML file and the task does not execute at the scheduled time. Updates that are breaking the AT command task creation are: KB4056894, KB4056897, KB4074598, KB4074736, KB4074587 and possibly others as well.

X.509 SSL Self-Signed Certificate


Hi,

We run a Nessus scan on our domain and are getting alerts regarding the SSL certificate which is assigned to a PC.

  • https://www.tenable.com/plugins/nessus/57582
  • http://www.nessus.org/plugins/index.php?view=single&id=51192
  • http://www.nessus.org/plugins/index.php?view=single&id=35291

Is there any way I can tell the system that this is our trusted certificate? This is only being used internally.
