Channel: Security forum

Ransomware or malicious intrusion going undetected?


There are several odd services running on a system that we suspect has been compromised. Whatever is on the system is avoiding detection by MS and by Sophos and other scanning software, but it is attempting user credentials at odd times and then locking out the user accounts (random accounts on our domain).

For example: DCPUserSVC_(then numbers and letters that vary). This service is running C:\windows\system32\svchost.exe -k UnistackSvcGroup

I cannot see a reason for this service to exist, let alone 3 of them with different trailing information after the underscore.

The same is true for:

Contact Data_(the same set for 3 services)

Sync Host_

User Data Access_

Windows Push Notifications User Service_

All of these seem part of an infection of some sort. We have isolated the systems, but I want to know what these are and why they are avoiding detection by any known scanning engine. I firmly believe they reside on the systems as part of a systemic approach to gather data and infiltrate our infrastructure. The fact they are attempting user credentials for accounts against domain controllers is, to me, a clear sign they are malicious.

Thoughts?
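The suffixed names in the post follow the pattern Windows 10 uses for per-user service instances: a template service name, an underscore and a hex suffix, launched through svchost.exe -k UnistackSvcGroup. The triage script below is an added example, not from the original post; it assumes it is run on the isolated host as an administrator and checks every such instance against its template key and the signature of the binary it launches.

```powershell
# Added triage script, not from the original post. Run on the isolated host as an
# administrator. Per-user service instances are named <Template>_<hex suffix> and are
# copies of an unsuffixed template key under HKLM\SYSTEM\...\Services, so each suffixed
# service is compared with its template and the executable it launches is checked for
# location (System32) and Authenticode signature.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-PerUserServiceInstance {
    param([Parameter(Mandatory)][string]$InstanceName)
    if ($InstanceName -notmatch '^(?<template>.+)_(?<suffix>[0-9a-f]+)$') { return $null }
    $template = $Matches['template']
    $inst = Get-ItemProperty -Path "$svcRoot\$InstanceName" -ErrorAction SilentlyContinue
    $tmpl = Get-ItemProperty -Path "$svcRoot\$template"     -ErrorAction SilentlyContinue
    $imagePath = [string]$inst.ImagePath

    # Expand %SystemRoot% and isolate the executable from "-k UnistackSvcGroup" etc.
    $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
    $exe = if ($expanded -match '^"?(?<exe>[^"]+?\.exe)') { $Matches['exe'] } else { $null }
    $sigStatus = 'NoFile'; $signer = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Instance        = $InstanceName
        Template        = $template
        TemplateExists  = [bool]$tmpl
        MatchesTemplate = [bool]($tmpl -and ($tmpl.ImagePath -eq $imagePath))
        ImagePath       = $imagePath
        InSystem32      = [bool]($exe -and ($exe -like "$env:SystemRoot\System32\*"))
        SignatureStatus = $sigStatus
        Signer          = $signer
    }
}

# Every service whose name carries the _<hex> suffix described in the post.
# A row with TemplateExists, MatchesTemplate or InSystem32 = False, or a signature
# status other than Valid, is the one to pull apart further.
Get-Service |
    Where-Object { $_.Name -match '_[0-9a-f]+$' } |
    ForEach-Object { Test-PerUserServiceInstance -InstanceName $_.Name } |
    Where-Object { $_ } |
    Format-Table Instance, TemplateExists, MatchesTemplate, InSystem32, SignatureStatus, Signer -AutoSize
```

A clean result here does not explain the lockouts; for those, the Security log on the domain controllers (event 4740 with its Caller Computer Name) is the next place to look.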


KB4489878


KB4489878 will not install on 2008 R2 servers in our environment.

It fails; I have tried several times.

Anyone with a similar problem or a solution, please?

How to integrate cloud application authentication with the local Active Directory domain


Hello,

We have an application hosted in the cloud which uses our local Active Directory domain to authenticate users, so there was a need to open all ports from the internet to one of our domain controllers. And lately we found that this server might be infected (security issue).

I would like to ask now whether using Active Directory LDS, or a RADIUS server configured on Windows Server (which should be in a workgroup), might help resolve that problem or not.

Any recommendations are also very welcome.

Thank you

Must I configure CDP and AIA locations on the Subordinate Issuing CA?


Hello, (This is a lab setup..)

I have configured a root and subordinate CA according to the recommendations on this. I have configured CDP and AIA locations only on the root CA, to be a web folder on a separate server.

CDP / AIA on the issuing CA are default values.

My question is: must the CDP/AIA paths be explicitly configured for the issuing CA, since a client certificate, as you see below, has information about the root and issuing CAs, and the CDP/AIA locations are known to the domain through the authorization of the issuing CA by its certificate from the root CA?

Best regards, Tim 

 


Two tier Microsoft CA setup error installing Sub CA certificate


Hello all,

We are installing a two tier CA, an offline root CA and an online sub CA. After installing the sub CA we requested a certificate from the root CA

and tried to install it on the sub CA, but we are getting the error below. I regenerated it multiple times but no luck. Please help.

IIS 7 Certificates Intermittent Binding Loss


I have numerous servers running Windows Server 2008 R2 and IIS 7. Two recently began to frustrate me. Actually it started about six months ago, and repeated troubleshooting has yielded nothing. We are using Enterprise CA certificates for SSL binding. On these two servers, every few days to a couple of weeks, the bound certificate will drop off the HTTPS binding. I can go in and quickly reselect it, but this is getting annoying. I have not been able to discover the cause yet.

Can anyone suggest a cause/fix?

Thanks much!

How to generate internal CA certificate on Windows domain


Hi all,

I am a cert newbie but have been given the task of providing some internal certificates for some new servers in our Windows domain. The web development team have sent me some .req files. We have two internal CA servers, one for root and one for intermediate, but I'm not sure exactly how to fulfil the requests. I tried "submit new request" and then pointing to the .req file, but I got the error below.

"The request contains no certificate template information 0x80094801 CERTSRV_E_NO_CERT_TYPE

Denied by Policy Module 0x80094801. The request does not contain a certificate template extension or the CertificateTemplate request attribute."

Any advice appreciated - thanks!

Find info on domain users via Wmic


Hi, let me state that I am new to the Microsoft environment.

I'm trying to get the SID of the accounts registered on a machine that is part of a domain, from the domain controller of the domain itself.

When I run the following command, everything works fine:

```
Wmic /node:"Computer IP" /USER:"myDomain\myUser" /password:"myPassword" /PRIVILEGES:ENABLE process call create "cmd.exe /c (wmic useraccount where name="localUser" get sid > pathLog)"
```

but when I try to do this:

```
Wmic /node:'computer's IP' /USER:"myDomain\myUser" /password:'myPassword' /PRIVILEGES:ENABLE process call create "cmd.exe /c (wmic useraccount where name="domainUser" get sid > pathLog\log.txt)"
```

I get an empty file, even though the command, launched directly on the target machine, produces the expected result:

```
wmic useraccount where name="domainUser" get sid > pathLog\log.txt
```

I can't understand where the problem may be, except in a Windows security policy.

Thank you very much for helping!  Mario.
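In the failing command the inner double quotes around domainUser end the outer quoted argument that `process call create` receives, and the redirect target is a relative path resolved on the target machine. The function below is an added example, not from the post: it queries Win32_UserAccount over a CIM session instead of nesting a wmic command inside cmd.exe, so no quoting or remote file is involved. Computer, account and domain values are placeholders.

```powershell
# Added example, not from the original post: look up an account's SID on a
# domain-joined machine from a remote host via CIM (WS-Man) instead of nesting
# wmic inside "cmd.exe /c". All names and addresses below are placeholders.
function Get-RemoteAccountSid {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$AccountName,
        [string]$Domain,               # omit to match local accounts on the target
        [pscredential]$Credential
    )
    # WQL string literals are single-quoted; double any embedded single quote
    $filter = "Name='$($AccountName -replace "'", "''")'"
    if ($Domain) { $filter += " AND Domain='$($Domain -replace "'", "''")'" }

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $session = New-CimSession @sessionArgs
    try {
        $acct = Get-CimInstance -CimSession $session -ClassName Win32_UserAccount -Filter $filter
        if (-not $acct) { throw "No account matching [$filter] on $ComputerName" }
        $acct | Select-Object Name, Domain, SID, LocalAccount
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage (placeholder values); the result is written locally, no file on the target
$cred = Get-Credential -UserName 'myDomain\myUser' -Message 'Account with rights on the target'
Get-RemoteAccountSid -ComputerName '192.0.2.10' -AccountName 'domainUser' -Domain 'myDomain' -Credential $cred |
    Export-Csv -Path 'C:\logs\sid.csv' -NoTypeInformation
```

If WinRM is not enabled on the target, add `-SessionOption (New-CimSessionOption -Protocol Dcom)` to New-CimSession to use the same DCOM transport wmic uses.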


Disable ECDH public server param reuse on Windows Server 2016

In order to get a higher ranking on Qualys SSL Labs test, I need to disable ECDH public server param reuse. I've searched high and low but cannot find an answer. Server is Windows Server 2016 VM on Azure. Everything that comes up in searches is for 2008/R2 or 2012/R2. And they basically say it is a no-go. Same for 2016?

PKI Web Enrollment The RPC server is unavailable. 0x800706ba


Hi all,

I'm a little stuck with this error.

So my scenario is a Subordinate CA and a web server that has Web Enrollment installed. From MMC I can request and install certificates. From the Web Enrollment page, no.

All the servers are 2012 R2. On the web server only the CA Web Enrollment option was installed from AD CS.

For the installation I have followed this doc:

Configuring for constrained delegation when using custom account for AppPool Identity

https://blogs.technet.microsoft.com/askds/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy/

When I try to request a cert from Web Enrollment this is the error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

No firewall enabled.

```
C:\Users\ceobanuc>certutil -ping -config server.domain.local\ca
Connecting to server.domain.local\ca ...

Server "CA" ICertRequest2 interface is alive (16ms)
CertUtil: -ping command completed successfully.
```

I can't find any other errors on the CA or web server about this action.

Any suggestion?


signtool.exe sometimes cannot use certificate due to private key filter

On our build servers we use signtool.exe to sign our artifacts. 

The same arguments are passed to signtool.exe each time, but it fails or passes sporadically due to our certificate not being used because of a "private key filter".

We have been using this process for a while but we started seeing failures the morning of March 27, 2019.

We start the signtool.exe process with the following arguments:
`sign /fd sha256 /f "cert.p12" /p certPass /du hostSiteHere /v /debug /tr timeStampUrl "fileNames"`

Specifications
- signtool.exe is from the Windows 10 SDK
- build servers are hosted in AWS as Windows Server 2016 EC2 instances
- Jenkins (v2.1.68) runs the builds using the Amazon EC2 plugin (v1.42)

The logs, depending on whether it passes or fails:

- PASS
```
The following certificates were considered:
    Issued to: myCompany, Inc.
    Issued by: DigiCert SHA2 Assured ID Code Signing CA
    Expires:   Wed Oct 30 12:00:00 2019
    SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: myCompany, Inc.
    Issued by: DigiCert SHA2 Assured ID Code Signing CA
    Expires:   Wed Oct 30 12:00:00 2019
    SHA1 hash: myCertSha1Hash
The following additional certificates will be attached:
    Issued to: DigiCert SHA2 Assured ID Code Signing CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Oct 22 12:00:00 2028
    SHA1 hash: digiCertSigningSha1Hash
Done Adding Additional Store
```

- FAIL
```
The following certificates were considered:
    Issued to: myCompany, Inc.
    Issued by: DigiCert SHA2 Assured ID Code Signing CA
    Expires:   Wed Oct 30 12:00:00 2019
    SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 0 certs were left.
No certificates were found that met all the given criteria.
```

Odd behaviors to note:
- the same ec2 instance can work successfully and then fail later
- an ec2 instance failing may start working if a user RDPs into the ec2 instance
- the same certificate, signtool.exe and arguments are being passed every time

Replacing an aging CA, running into errors with AIA and CDP in the new one


I've been following the directions in the article linked below, and it's been very helpful, but I seem to have made some mistakes along the way:

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

1) I was getting ready to configure the OCSP responder according to the directions in the article, and took a look at pkiview.msc. I find that for the new CA, the AIA and CDP locations for the root server show the error "Unable to download", with the locations set to the file system on the root server (file:////root/CertEnroll/rootcert_ROOTCERT-CA.crt). I'm trying to figure out how to fix that, but while everything I looked at says to remove it, I can't find where/how to do this.

2) Also in pkiview.msc, I see that for the issuing server, the AIA #2, Delta #2 and CDP #2 locations have an error of "Unable To Download", but they do have http URLs, and when I test the URLs from a workstation, I am able to download files. I have no idea what's causing this.

3) During the course of my investigation, I looked at the event logs on the Issuing CA, and see event IDs 65 and 66 with the following error messages (accompanied by lots of .tmp files in the C:\CertEnroll directory, for which I've checked the permissions and sharing several times, to make really sure that the computer name (with $) has write permissions).

"Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: C:\CertEnroll\Example Issuing CA<DeltaCRLAllowed.crl.  The filename, directory name, or volume label syntax is incorrect. 0x8007007b (WIN32/HTTP: 123 ERROR_INVALID_NAME)."

and

"Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: C:\CertEnroll\Zetron Issuing CA<DeltaCRLAllowed.crl.  The filename, directory name, or volume label syntax is incorrect. 0x8007007b (WIN32/HTTP: 123 ERROR_INVALID_NAME)."

Thanks for any help,

Kurt

EFS at a fileserver


Hello,

I am trying to figure out if it is possible to use EFS on a file server's shared folder.

Is this possible?

I found the following how-to: https://mizitechinfo.wordpress.com/2014/07/29/step-by-step-encrypting-user-data-with-efs-in-windows-server-2012-r2/

But that doesn't work.
Many thanks for any help.


Issued certificate list is empty on Enterprise CA server


We have 4 CA servers in our production environment: 1 offline root CA and 3 enterprise CA servers.

1 CA issues machine certificates to client machines, 1 CA issues certificates to web services, and another CA server issues system health certificates to DirectAccess client machines.

I see that the issued certificates folder on the system health CA server is empty, although it's issuing certificates to client machines regularly.

What could be the reason for this, and how do I fix it?


Mahi


Key Recovery Agent (KRA) and Bitlocker Data Recovery Agent (DRA) can it use the same certificate?


I am in the process of setting up new certificate server.

Can I use a KRA for decrypting the BitLocker drive of another user?

I came across the below article where KRA and DRA are the same, is this the best practice?

https://hkeylocalmachine.com/?p=540

This article just configures KRA

https://ammarhasayen.com/2013/09/25/pki-key-recovery-agents-kra/?unapproved=28547&moderation-hash=769320c70991ef0258a0f6f282a36b46#comment-28547

What is the best practice?

Also what is the best option for EFS data recovery?

Thanks in advance.




certutil -syncWithWU = Access denied


Hi!

```
d:\cert>certutil -generateSSTFromWU WURoots.sst
Access is denied. 0x80070005 (WIN32: 5) -- authrootstl.cab
CertUtil: -generateSSTFromWU command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

d:\cert>certutil -syncWithWU d:\cert
Access is denied. 0x80070005 (WIN32: 5) -- authrootstl.cab
CertUtil: -syncWithWU command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.
```

Why?

Win7 and Win 10 (x64, not a server). Running from elevated CMD. Tried disabling UAC -> no changes.

Sub CA not listed in CDP container under AD container in PKIVIEW


I have installed a two tier PKI environment on Server 2016 in parallel to our existing 2008 certificate servers, following this guide: https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-1/

I have a question, hope someone would be able to help.

I went into the PKIVIEW.MSC console to perform a health check. Under Enterprise PKI, right-click, Manage AD containers: I cannot find an entry for my new certificate server (issuing CA) under the "CDP Container" tab (the old servers are there with base and delta CRLs). In Active Directory Sites and Services under Services -> Public Key Services -> CDP, I can see the new issuing CA folder and inside the folder the new CA name listed as cRLDistributionPoint.

Is this normal or am I missing something? If I am missing something, how do I fix it?

The top one is the new CA, status showing all OK

AIA container showing both New & Old.

New CA not listed in the CDP Container

New issuingCA is listed in Active Directory Sites and Services.

Windows Server 2016 - Certificate Server Configuration help

I have installed a two tier PKI environment on Server 2016 in parallel to our existing 2008 certificate servers, following this guide:

https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-1/

I have a couple of questions, hope someone would be able to help.

I went into the PKIVIEW.MSC console to perform a health check. On Enterprise PKI, right-click, Manage AD containers: I cannot find an entry for my new certificate server under the "CDP Container" tab (the old servers are there with base and delta CRLs), and also the KRA container is empty. In Active Directory Sites and Services under Services -> Public Key Services -> CDP, I can see the new issuing CA folder and inside the folder the new CA name listed as cRLDistributionPoint. Under the KRA tab the new CA name is listed as type msPKI-PrivateKeyRecoveryAgent.

Is this normal or am I missing something? If I am missing something, how do I fix it?

Also:

On the issuing CA, in the Certificate Authority console, when I right-click the enterprise CA and go to Properties, under Extensions, when I choose CRL Distribution Point I haven't added any entry for LDAP; same thing for AIA. Is this a problem? Do I need to add these entries?


Please help. Is there any other thing I need to check?
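Several of the posts above (whether CDP/AIA must be set on the issuing CA, "Unable to download" in pkiview.msc, whether LDAP entries are needed) come down to what an issued certificate actually carries and whether those URLs answer. The script below is an added example, not from any of the posts: it reads the CDP and AIA extensions out of a certificate file and probes each HTTP(S) URL from the machine it runs on; the certificate path is a placeholder.

```powershell
# Added check, not from the posts. Extracts CRL Distribution Points (OID 2.5.29.31)
# and Authority Information Access (OID 1.3.6.1.5.5.7.1.1) URLs from a certificate
# issued by the issuing CA and fetches each http/https URL the way a client would.
# ldap:// and file:// URLs are listed but not probed. The .cer path is a placeholder.
function Get-CertDistributionUrls {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    foreach ($ext in $Certificate.Extensions) {
        $kind = $oids[$ext.Oid.Value]
        if (-not $kind) { continue }
        # Format($true) renders the extension as multi-line text with "URL=..." entries
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -match 'URL=(?<url>\S+)') {
                [pscustomobject]@{ Kind = $kind; Url = $Matches['url'] }
            }
        }
    }
}

function Test-CertDistributionUrls {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    foreach ($entry in (Get-CertDistributionUrls -Certificate $cert)) {
        $result = 'not probed'
        if ($entry.Url -match '^https?://') {
            try {
                $r = Invoke-WebRequest -Uri $entry.Url -UseBasicParsing -TimeoutSec 10
                $result = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
            } catch {
                $result = "FAILED: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Kind = $entry.Kind; Url = $entry.Url; Result = $result }
    }
}

# Export any certificate issued by the new CA (DER or Base64 .cer) and point at it here
Test-CertDistributionUrls -CertPath 'C:\temp\issued-by-new-ca.cer' | Format-Table -AutoSize
```

An empty CDP or AIA list means the issuing CA's extension settings were not in force when that certificate was issued, regardless of what the CA's own certificate from the root contains.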



Lose access to new drive when I remove Everyone permission


I added domain admins and administrators to this drive and then removed Everyone, and I lost all access to the drive. I would get the access denied message. I can access the security permissions and re-add Everyone and I get access back. This is a VMware server. Not sure what I am missing here.

Can't seem to attach links or images on this since I am new to this platform.  So here are the details.

E Drive
Owner: System

Everyone - Full Control
Domain Admins - Full Control
Administrators - Full Control
System - Full Control
Creator Owner - Full Control
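One thing to establish before changing the ACL again is whether the session used to test the drive actually holds the Administrators group in a usable form: UAC removes it from the token of non-elevated processes, so ACEs granted to Administrators or Domain Admins do not apply there. The check below is an added example, not from the post; it lists the ACEs on the drive root and reports whether the current PowerShell process is elevated and which ACEs match its token. The drive letter is the one from the post.

```powershell
# Added check, not from the post. Shows whether the current process is elevated
# (Administrators usable in its token, not filtered by UAC) and which ACEs on the
# drive root apply to that token. Run it once in a normal window and once in an
# elevated one; the difference explains many "access denied after removing Everyone" cases.
function Get-DriveAccessCheck {
    param([string]$Path = 'E:\')
    $id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $pri = New-Object System.Security.Principal.WindowsPrincipal($id)
    $elevated = $pri.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Group names the token carries. Deny-only (filtered) groups are still listed here,
    # so IsInRole above is the authoritative answer for Administrators.
    $groups = @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })

    $acl = Get-Acl -Path $Path
    $aces = foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            MatchesMe = ($who -eq $id.Name) -or ($groups -contains $who)
        }
    }
    [pscustomobject]@{ User = $id.Name; Elevated = $elevated; Owner = $acl.Owner; Aces = $aces }
}

$check = Get-DriveAccessCheck -Path 'E:\'
"User: $($check.User)   Elevated: $($check.Elevated)   Owner: $($check.Owner)"
$check.Aces | Format-Table Identity, Rights, Type, Inherited, MatchesMe -AutoSize
```

If Elevated is False and the only ACE with MatchesMe = True was Everyone, the loss of access after removing Everyone is expected, and the fix is to test from an elevated process rather than to put Everyone back.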



Which Administrative Shares is AutoShareServer responsible for?


Hello!

I'm planning a change to the network to disable Administrative shares (c$, d$, ADMIN$, etc.). I already know I can accomplish this by setting this registry key to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

This has been done on some of our test servers and, after a reboot or "net stop server" and "net start server", the c$ share is indeed inaccessible. I can find administrators in 2014, 2015, and 2016 saying this is a terrible idea and not to do it: only Admins can access these shares, you should leave them alone as configured at OS install.

Best practices change, though. Emotet, for example, re-infects networks over and over again through admin shares if they are on, so cleanup guides recommend disabling them (see the Malwarebytes blog entry about Emotet for more).

My question, then: NETLOGON and SYSVOL are required for Domain and GPO operations. Will setting AutoShareServer to 0 on a Domain Controller affect the NETLOGON and SYSVOL shares in addition to c$ and d$, or is this a safe change to make? The list says that shares that are automatically created when the server boots will not be created any longer, but the documentation I can find does not place NETLOGON and SYSVOL into either category. It just says they are "special admin shares."
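Get-SmbShare reports a Special flag that is true for the automatic administrative shares (ADMIN$, C$, D$ and so on) and false for NETLOGON and SYSVOL, which are published by the Netlogon service rather than auto-created by the Server service. The script below is an added example, not from the post: it snapshots the share list with that flag next to the AutoShareServer value, so the change can be verified by diffing before and after instead of guessing. It assumes it runs on the DC with administrative rights.

```powershell
# Added check, not from the post. Snapshots the share list with the Special flag
# Get-SmbShare reports (True for the automatic ADMIN$/C$/D$ shares AutoShareServer
# governs) next to the current AutoShareServer value, and diffs two snapshots.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-ShareSnapshot {
    $val = (Get-ItemProperty -Path $lanman -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
    $label = if ($null -eq $val) { 'not set (default: enabled)' } else { "$val" }
    [pscustomobject]@{
        Taken           = Get-Date
        AutoShareServer = $label
        Shares          = @(Get-SmbShare | Select-Object Name, Path, Special)
    }
}

function Compare-ShareSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    $beforeNames = @($Before.Shares.Name)
    $afterNames  = @($After.Shares.Name)
    foreach ($s in $Before.Shares) {
        if ($afterNames -notcontains $s.Name) {
            [pscustomobject]@{ Share = $s.Name; Special = $s.Special; Change = 'removed' }
        }
    }
    foreach ($s in $After.Shares) {
        if ($beforeNames -notcontains $s.Name) {
            [pscustomobject]@{ Share = $s.Name; Special = $s.Special; Change = 'added' }
        }
    }
}

# 1. Before the change: NETLOGON and SYSVOL should show Special = False here.
$before = Get-ShareSnapshot
"AutoShareServer = $($before.AutoShareServer)"
$before.Shares | Sort-Object Special -Descending | Format-Table Name, Path, Special -AutoSize

# 2. Set AutoShareServer to 0 and restart the Server service as described in the post,
#    then take the second snapshot and diff: only Special = True shares should be removed.
# $after = Get-ShareSnapshot
# Compare-ShareSnapshot -Before $before -After $after | Format-Table -AutoSize
```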
