Channel: Security forum

Sub CA not listed in CDP container under AD container in PKIVIEW


I have installed a two-tier PKI environment on Server 2016 in parallel to our existing 2008 certificate servers, following this guide: https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-1/

I have a question; I hope someone will be able to help.

I went into the PKIVIEW.MSC console to perform a health check. Under Enterprise PKI, right-click > Manage AD Containers: I cannot find an entry for my new certificate server (issuing CA) under the "CDP Container" tab (the old servers are there with base and delta CRLs). In Active Directory Sites and Services, under Services > Public Key Services > CDP, I can see the new issuing CA folder and, inside the folder, the new CA name listed as a cRLDistributionPoint.

Is this normal or am I missing something? If I am missing something how do I fix it.

The top one is the new CA, status showing all OK

AIA container showing both New & Old.

New CA not listed in the CDP Container

New issuingCA is listed in Active Directory Sites and Services.
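Added example, not part of the original post: the "CDP Container" tab in pkiview.msc lists the cRLDistributionPoint objects under CN=CDP that actually hold a CRL in their certificateRevocationList attribute, so an object that exists in Sites and Services but carries no CRL will not show up there. The script below enumerates those objects and reports whether a base/delta CRL has been published into each one. It assumes the ActiveDirectory module on a domain member; the last certutil line is meant to be run on the new issuing CA itself.

```powershell
# Added example (not from the post): inspect what pkiview's CDP tab reads from AD.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$cdpBase  = "CN=CDP,CN=Public Key Services,CN=Services,$configNC"

$crlObjects = Get-ADObject -SearchBase $cdpBase `
    -LDAPFilter '(objectClass=cRLDistributionPoint)' `
    -Properties certificateRevocationList, deltaRevocationList, whenChanged

foreach ($obj in $crlObjects) {
    $base  = $obj.certificateRevocationList      # byte[] when published, otherwise $null
    $delta = $obj.deltaRevocationList
    $status = if ($base) { 'base CRL {0} bytes' -f $base.Length } else { 'NO base CRL published' }
    if ($delta) { $status += ', delta CRL {0} bytes' -f $delta.Length }
    '{0}  ->  {1} (changed {2})' -f $obj.DistinguishedName, $status, $obj.whenChanged

    # Decode the published base CRL to see its issuer and validity window.
    if ($base) {
        $tmp = Join-Path $env:TEMP ('{0}.crl' -f ($obj.Name -replace '[^\w.-]', '_'))
        [IO.File]::WriteAllBytes($tmp, $base)
        certutil -dump $tmp | Select-String 'Issuer|Update'
        Remove-Item $tmp
    }
}

# On the issuing CA: an ldap:/// entry in CRLPublicationURLs only results in a CRL
# being written to CN=CDP when its flag value includes 1 (CSURL_SERVERPUBLISH).
# certutil prints each configured URL together with its decoded flags.
certutil -getreg CA\CRLPublicationURLs
```

If the new CA's object shows "NO base CRL published", check the LDAP entry's flags on the CA and run `certutil -CRL` on it; the object is created by the CA on publication, so an entry that is in the certificate extension only (flag 2) never fills it.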


WEF event suppressing from DNS log


Hello,

Does anybody have an idea on how to suppress Local Service / System / Netw. service events in WEF using Xpath queries? 

Example event looks like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
    <EventID>3008</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2019-04-03T11:15:22.464647000Z" />
    <EventRecordID>7775625</EventRecordID>
    <Correlation />
    <Execution ProcessID="1096" ThreadID="4420" />
    <Channel>Microsoft-Windows-DNS-Client/Operational</Channel>
    <Computer>PCName</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="QueryName">PCName</Data>
    <Data Name="QueryType">28</Data>
    <Data Name="QueryOptions">1208115200</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:10.12.14.117;</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>DNS query is completed for the name PCName, type 28, query options 1208115200 with status 0 Results ::ffff:10.12.14.117;</Message>
    <Level>Information</Level>
    <Task />
    <Opcode>Info</Opcode>
    <Channel>Microsoft-Windows-DNS Client Events/Operational</Channel>
    <Provider>Microsoft-Windows-DNS Client Events</Provider>
    <Keywords />
  </RenderingInfo>
</Event>

At this point, on the WEC server, I want to drop all events with such a "Security UserID", but it seems my filter does not work:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNS-Client/Operational">
    <!-- 3008: DNS Client events Query Completed -->
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
    <!-- Suppresses local machine name resolution events -->
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryOptions"]="140737488355328"]]</Suppress>
    <!-- Suppresses empty name resolution events -->
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryResults"]=""]]</Suppress>
    <!-- Skip queries to localhost -->
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryName"]="0.0.0.0"]]</Suppress>
    <!-- Skip queries to localhost -->
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name="QueryName"]="localhost"]]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[(Security UserID="S-1-5-18")]]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[(Security UserID="S-1-5-19")]]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[(Security UserID="S-1-5-20")]]</Suppress>
  </Query>
</QueryList>

How should it be formatted to apply properly? 

Thanks for any hints :)
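Added example, not the poster's query: in the event-log XPath subset, UserID is an attribute of the Security element, so the test has to be written as `Security[@UserID='...']` nested inside `System[...]`; `Security UserID` as a single token is not parsed. The block below keeps the poster's Select/Suppress logic, rewrites the three SID suppressions that way (collapsed into one predicate with `or`), and runs the query locally with Get-WinEvent, which evaluates the same query language, Suppress included, so a subscription query can be checked on a forwarder before it is pushed to the collector. The property index used to pull QueryName is taken from the sample event in the post.

```powershell
# Added example (not from the post): corrected Security[@UserID] suppressions, tested locally.
$query = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DNS-Client/Operational">
    <Select Path="Microsoft-Windows-DNS-Client/Operational">*[System[(EventID=3008)]]</Select>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name='QueryOptions']='140737488355328']]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name='QueryResults']='']]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name='QueryName']='0.0.0.0']]</Suppress>
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[EventData[Data[@Name='QueryName']='localhost']]</Suppress>
    <!-- SYSTEM, LOCAL SERVICE and NETWORK SERVICE in one predicate -->
    <Suppress Path="Microsoft-Windows-DNS-Client/Operational">*[System[Security[@UserID='S-1-5-18' or @UserID='S-1-5-19' or @UserID='S-1-5-20']]]</Suppress>
  </Query>
</QueryList>
'@

# Run the query against the local log exactly as the subscription would.
$events = @(Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 200 -ErrorAction SilentlyContinue)
$events | Select-Object TimeCreated, Id, UserId,
    @{ n = 'QueryName'; e = { $_.Properties[0].Value } } | Format-Table -AutoSize

# Nothing that survived should belong to one of the three service SIDs.
$leaked = @($events | Where-Object { "$($_.UserId)" -in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20' })
'Events returned: {0}; service-account events that slipped through: {1}' -f $events.Count, $leaked.Count
```

Note that the Select/Suppress query is evaluated on the forwarding client, not on the collector, so the filter only takes effect once the updated subscription has been refreshed on the sources.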


Unwanted files getting created in Temp folder

Hi, my customer is running Windows Server 2012 R2 64-bit, mainly for the Data Protector backup application and SAN management. Of late, we have observed huge numbers of RAR files containing "cli.exe" files of around 2.5 MB each being created under the C:\Users\Administrator\AppData\Local\Temp folder. As a result, the C: drive is filling up fast. Is there any update for this? Is it a virus?

How to check Revocation List status for issued certificates?


Hi,

I set up an AD CS server and revoked a certificate. How can I show users that the certificate has been revoked? Even after issuing a new CRL, when I test it with OCSP it apparently doesn't work correctly. Any help would be appreciated.

Thanks
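Added example, not from the original post: the full loop of revoking a certificate, publishing a CRL immediately, and then checking from a client that the revocation is visible through both the CRL and OCSP paths. Clients (and the Online Responder's own copy of the CRL) cache revocation data until the cached item's next-update time, so the client-side cache is flushed before the check; a test that skips that step can report a stale "not revoked" answer. The serial number, CA config string, PFX/CER path and the choice of reason code are assumptions.

```powershell
# Added example (not from the post): revoke, publish, and verify revocation end to end.
$serial   = '1a0000001234567890abcdef0000000012'   # assumed serial of the certificate to revoke
$certFile = 'C:\temp\revoked-user.cer'             # assumed exported copy of that certificate

# --- on the CA (CA administrator rights) ---
# Reason codes: 0 unspecified, 1 key compromise, 2 CA compromise, 3 affiliation changed,
# 4 superseded, 5 cessation of operation, 6 certificate hold (the only reversible one).
certutil -revoke $serial 1

# Publish a new base (and, if enabled, delta) CRL now instead of waiting for the schedule.
certutil -CRL

# Confirm the CA database records the revocation (Disposition 21 = revoked).
certutil -view -restrict "SerialNumber=$serial" -out 'RequestID,Disposition,RevokedWhen,RevokedReason'

# --- on a client ---
# Drop cached CRLs and OCSP responses so the check below fetches fresh data.
certutil -urlcache crl delete
certutil -urlcache ocsp delete

# Walk the certificate's CDP/AIA/OCSP URLs and evaluate status. A revoked certificate
# ends in "Certificate is REVOKED"; the per-URL lines show which source said so.
certutil -verify -urlfetch $certFile | Select-String 'REVOKED|Revoked|Verified|Failed|OCSP|CRL'
```

If the CRL check reports the revocation but OCSP still answers "good", the responder is serving from its previous CRL copy; its revocation configuration refreshes on the CRL's schedule, so either wait for that or refresh it from the Online Responder console.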

NDES expired Exchange Enrollment Agent (Offline)


Hi,

I have a problem with NDES: the Exchange Enrollment Agent (Offline) certificate is expired.

Currently I know that I can't renew a certificate. How can I generate a new one without reinstalling NDES?

Must I configure CDP and AIA locations on the Subordinate Issuing CA?


Hello, (This is a lab setup..)

I have configured a root and subordinate CA according to the recommendations on this. I have configured CDP and AIA locations only on the root CA, to be a web folder on a separate server.

CDP/AIA on the issuing CA are default values.

My question is: must the CDP/AIA paths be explicitly configured for the issuing CA, since a client certificate, as you see below, has information about the root and issuing CAs, and the CDP/AIA locations are known to the domain through the authorization of the issuing CA by its certificate from the root CA?

Best regards, Tim 
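Added example, not from the original post: the CDP and AIA extensions in an end-entity certificate are written by the CA that issues it, using that CA's own configuration, so the URLs set on the root only end up in the issuing CA's certificate, and what clients follow for an end-entity certificate is whatever the issuing CA is configured with. The block below sets explicit HTTP publication points on the issuing CA with the ADCSAdministration cmdlets and verifies the result on a certificate issued afterwards. The host name pki.example.com, the paths and the file names are assumptions; run it on the issuing CA.

```powershell
# Added example (not from the post): explicit CDP/AIA on the issuing CA, then verify.
Import-Module ADCSAdministration

$httpBase = 'http://pki.example.com/certenroll'     # assumed web publishing location

# What is configured today (defaults: a local file path plus ldap/http/file URLs).
Get-CACrlDistributionPoint | Select-Object Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer
Get-CAAuthorityInformationAccess | Select-Object Uri, AddToCertificateAia, AddToCertificateOcsp

# Remove the URL-style entries; keep the local file path the CA publishes its CRL to.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -match '^(ldap|http|https|file):' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -match '^(ldap|http|https|file):' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# Tokens: %1 server DNS name, %3 CA name, %4 certificate renewal suffix,
#         %8 CRL name suffix, %9 delta-CRL suffix.
Add-CACrlDistributionPoint -Uri "$httpBase/%3%8%9.crl" -AddToCertificateCdp -AddToFreshestCrl -Force
Add-CAAuthorityInformationAccess -Uri "$httpBase/%1_%3%4.crt" -AddToCertificateAia -Force

Restart-Service CertSvc      # the CA reads the extension configuration at start
certutil -CRL                # publish now so the HTTP location has a CRL to serve

# After copying CertEnroll\*.crl and *.crt to the web server, verify with a certificate
# issued after the change (path is an assumption): the URLs above must appear, and
# every URL must fetch.
certutil -dump 'C:\temp\issued-after-change.cer' | Select-String 'URL='
certutil -verify -urlfetch 'C:\temp\issued-after-change.cer' | Select-String 'Verified|Failed|Expired'
```

Certificates issued before the change keep the old (default) URLs, which in a default install point at the CA's own host name over HTTP and at LDAP; those must keep resolving until every such certificate has expired or been renewed.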

 


Certificate autoenrollment and auto-renewal


Hi there,

Some time back, we issued client authentication certificates based on a duplicated template that is used for the Cisco AnyConnect VPN client 4.4 and wireless access. The certificates are set to start expiring in mid-June this year (about 2.5 months away), with the renewal period set to 6 weeks. I've encountered a couple of situations where having two certificates of the same type in the same client certificate store caused issues, though in both cases all certificates in question were valid (e.g. not expired, able to access CRLs, chained properly, and so on). My questions:

1. When these certificates start to auto-renew (we have a GPO set up for this), do I need to be concerned about having two valid certificates of the same type present?

2. When the older of the two certificates does expire, could the VPN app or wireless get hung up on the expired certificate and not use the new one?

3. If I do need to be concerned about duplicate valid/invalid certificates, what are my options?

4. The template in question was set to publish to AD but not to automatically re-enroll if a duplicate cert exists in AD for the original certificate rollout. I've read for the most part that publishing certs to AD is not really recommended. Is it okay to set the renewed certificates not to publish to AD, or are there hazards in doing that due to inconsistency?

Thanks so much and my apologies for such a long post.

Chad
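Added example, not from the original post: a way to see, on a client, which certificates in a store came from the same template, whether each is currently valid and has its private key, and whether autoenrollment has marked the superseded one as archived. It reads the template from the standard "Certificate Template Information" (1.3.6.1.4.1.311.21.7) or legacy "Certificate Template Name" (1.3.6.1.4.1.311.20.2) extension; the store path is an assumption.

```powershell
# Added example (not from the post): find duplicate certificates per template in a store.
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    if (-not $ext) { return $null }
    # Format() renders e.g. "Template=Workstation Authentication(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
    # for the v2 extension and just the template name for the legacy one.
    $text = $ext.Format($false)
    if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $text.Trim()
}

function Get-DuplicateTemplateCerts {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $now = Get-Date
    Get-ChildItem $StorePath |
        Select-Object Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey, Archived,
            @{ n = 'Template'; e = { Get-CertTemplateName $_ } },
            @{ n = 'Valid';    e = { $now -ge $_.NotBefore -and $now -lt $_.NotAfter } } |
        Where-Object Template |
        Group-Object Template |
        Where-Object Count -gt 1 |
        ForEach-Object {
            # Newest expiry first: this is the one a well-behaved selector should prefer.
            $_.Group | Sort-Object NotAfter -Descending |
                Select-Object Template, Thumbprint, NotBefore, NotAfter, Valid, HasPrivateKey, Archived
        }
}

Get-DuplicateTemplateCerts -StorePath 'Cert:\CurrentUser\My' | Format-Table -AutoSize
```

Run it once before the renewal window opens and once after the first renewals, on a machine where the VPN or wireless client misbehaved, to see exactly which pair of certificates the application had to choose between.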

Key Recovery Agent (KRA) and Bitlocker Data Recovery Agent (DRA) can it use the same certificate?


I am in the process of setting up new certificate server.

Can I use KRA for decrypting bitlocker drive of another user?

I came across the below article where KRA and DRA are the same, is this the best practice?

https://hkeylocalmachine.com/?p=540

This article just configures KRA

https://ammarhasayen.com/2013/09/25/pki-key-recovery-agents-kra/?unapproved=28547&moderation-hash=769320c70991ef0258a0f6f282a36b46#comment-28547

What is the best practice?

Also what is the best option for EFS data recovery?

Thanks in advance.
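Added example, not from the original post: what a KRA certificate is actually used for, shown as the certutil operations a key recovery goes through. AD CS archives a user's private key at enrollment (when the template requires it), encrypted to the CA's configured KRA certificate(s); recovering it means exporting that blob from the CA database and decrypting it with the KRA's private key. A BitLocker DRA is a different mechanism: BitLocker itself protects the volume key to the DRA certificate and nothing passes through the CA database, and the two use different EKUs (KRA 1.3.6.1.4.1.311.21.6, BitLocker DRA 1.3.6.1.4.1.311.67.1.1). CA config string, account, file paths and the PFX password are assumptions.

```powershell
# Added example (not from the post): the KRA workflow in certutil terms.
$caConfig = 'CAHOST\Issuing CA'                 # assumed CA config string
$who      = 'MYDOMAIN\alice'                    # assumed requester whose key was archived
$blob     = 'C:\temp\alice-archived.bin'
$pfx      = 'C:\temp\alice-recovered.pfx'

# On the CA: how many KRA certificates are active and which ones (the CA's KRA store).
certutil -config $caConfig -getreg CA\KRACertCount
certutil -store KRA | Select-String 'Serial Number|Subject|NotAfter|Cert Hash'

# Requests for the user; a non-empty KeyRecoveryHashes column means a key was archived.
certutil -config $caConfig -view -restrict "RequesterName=$who" `
    -out 'RequestID,Request.RequesterName,SerialNumber,NotAfter,Request.KeyRecoveryHashes'

# Step 1 (needs CA manager / certificate manager rights): export the archived key blob.
certutil -config $caConfig -getkey $who $blob

# Step 2 (on the recovery agent's own machine, KRA certificate and private key in the
# agent's Personal store): decrypt the blob into a PFX the user can import.
certutil -p 'ChangeMe-Assumed' -recoverkey $blob $pfx
```

Because steps 1 and 2 need different rights (database access on the CA versus the KRA private key), they are normally done by two different people; that separation is the reason to keep the KRA certificate apart from any recovery certificate that is deployed broadly by policy, such as a BitLocker DRA.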




Creator Owners Rights Permission on Windows 2008 R2 & Windows 2012 R2


Hi Guys,

I got some query here.

As you know, the default Creator Owner right set in Windows 2008 R2 is "Special" (Subfolders and files only), while in Windows 2012 R2 it is "Full Control" (Subfolders and files only). I want to get rid of this permission on both OS versions. However, I cannot find any official documentation or knowledge base article saying it can be removed without any issue for the current security permissions. Some say this is just like a template permission, where the creator of a specific folder will have special/full rights on it but not on the "Root" directory (C:, D:, and so on).

Kindly share your knowledge, and if you have some kind of document from Microsoft saying it can be removed or should be kept as it is, let me know. Thanks, guys, in advance!

-JOf
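Added example, not from the original post: what the CREATOR OWNER entry does, demonstrated on a throwaway folder. On a container it is an inherit-only template ACE (PropagationFlags InheritOnly is what the GUI shows as "Subfolders and files only"); when a file or folder is created beneath, the system copies that ACE onto the new object with CREATOR OWNER replaced by the new object's owner SID. The container itself never gets any rights from it, so removing it changes only what future child objects inherit. The demo directory under %TEMP% is created by the script; the identities used are the built-in ones.

```powershell
# Added example (not from the post): CREATOR OWNER as an inherit-only template ACE.
$root = Join-Path $env:TEMP 'creator-owner-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

$acl = Get-Acl $root
$acl.SetAccessRuleProtection($true, $false)                       # drop ACEs inherited from %TEMP%
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # and any explicit ones

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
# Last one is the template ACE: InheritOnly = "Subfolders and files only", no effect on $root itself.
$rules = @(
    New-Object $ruleType -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    New-Object $ruleType -ArgumentList $me, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    New-Object $ruleType -ArgumentList 'CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $root -AclObject $acl

# Create a child folder and compare the two DACLs.
$child = New-Item -ItemType Directory -Path (Join-Path $root 'child') -Force
foreach ($p in @($root, $child.FullName)) {
    "--- $p"
    (Get-Acl $p).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}
# Parent: CREATOR OWNER with PropagationFlags=InheritOnly (not effective on the parent).
# Child : an inherited FullControl ACE for the child's owner (the current user, or
#         BUILTIN\Administrators in an elevated session, depending on the default-owner
#         policy), plus the inherit-only CREATOR OWNER template for the next level down.

icacls $root      # the same ACE appears as  CREATOR OWNER:(OI)(CI)(IO)(F)
```

The practical consequence for the question: removing CREATOR OWNER from a root directory does not take anything away from existing objects, but from then on a user who creates a folder there gets only what the other inheritable ACEs grant, and nothing special as the owner, which may be exactly what you want on shared data roots.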

Protected User Group - Event ID:100 - NTLM Authentication failed


Got a test environment for some testing...

1 DC  Server 2016 

Few member servers 2016

When I add the user to the Protected User Security Group he cannot logon.  Thoughts?

Thank you


Antivirus on Server 2016


Hi all,

So I understand this is MS forum hence discussions about 3rd party products may not be very welcome but I'll give it a shot.

Do you install any antivirus on Server 2016 or do you just go with the built-in Windows Defender?

I haven't been using any 3rd party antivirus on my regular Windows 7 PCs ever since Microsoft Security Essentials was introduced for free (I had Avast Free or AVG Free years before that). And now I am not using any additional antivirus on my Windows 10 machine either, just going with WD. But a personal computer is one thing and a corporate server is totally different. Protection and security are important these days for any business.

I've been reading about antivirus on servers and opinions seem to split. Some people say not to install it because it will slow things down or can even stop certain things from working altogether. Other people say that you should have antivirus everywhere. I think I agree with those who say that you should have antivirus, but is WD enough or do you go with 3rd party as well?

Don't give any product names in case this is not allowed on this forum. Just share your opinion/experience in general.

I also came across a page on MS support with the list of files and services that are automatically excluded in WD to make sure your server and all its services can function properly, but just looking at it seems like it would be a fairly big job to implement same exclusions on a 3rd party product.

Also if you are suggesting to go with a 3rd party, then what are specific recommendations/approaches for different server roles? I guess antivirus configuration or even requirements will be different on FS compared to RDS or DC, etc.

Thanks in advance.

Lose access to new drive when I remove Everyone permission


I added Domain Admins and Administrators to this drive and then removed Everyone, and I lost all access to the drive. I get the access denied message. I can access the security permissions and re-add Everyone, and I get access back. This is a VMware server. Not sure what I am missing here.

Can't seem to attach links or images on this since I am new to this platform.  So here are the details.

E Drive
Owner: System

Everyone - Full Control
Domain Admins - Full Control
Administrators - Full Control
System - Full Control
Creator Owner - Full Control



Which Administrative Shares is AutoShareServer responsible for?


Hello!

I'm planning a change to the network to disable Administrative shares (c$, d$, ADMIN$, etc.). I already know I can accomplish this by setting this registry key to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

This has been done on some of our test servers and, after a reboot or "net stop server" and "net start server", the c$ share is indeed inaccessible. I can find administrators in 2014, 2015, and 2016 saying this is a terrible idea and not to do it: only admins can access these shares, and you should leave them alone as configured at OS install.

Best practices change, though. Emotet, for example, re-infects networks over and over again through admin shares if they are on, so cleanup guides recommend disabling them (see the Malwarebytes blog entry about Emotet for more).

My question, then: NETLOGON and SYSVOL are required for domain and GPO operations. Will setting AutoShareServer to 0 on a domain controller affect the NETLOGON and SYSVOL shares in addition to c$ and d$, or is this a safe change to make? The list says that shares automatically created when the server boots will no longer be created, but the documentation I can find does not place NETLOGON and SYSVOL into either category. It just says they are "special admin shares."
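Added example, not from the original post: a before/after comparison of the shares on a lab domain controller so the effect of AutoShareServer=0 is visible rather than inferred. The drive-letter$ and ADMIN$ shares are created by the Server service only while AutoShareServer is non-zero; IPC$ always exists; NETLOGON and SYSVOL are created by the Netlogon service from the SYSVOL replica and are not governed by this value. The classification in the script is by share name; it restarts the Server service, so run it on a lab DC only.

```powershell
# Added example (not from the post): which shares AutoShareServer=0 removes on a DC.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$cur = (Get-ItemProperty -Path $key -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
'AutoShareServer = {0}' -f $(if ($null -eq $cur) { '<not set; defaults to 1>' } else { $cur })

function Get-ShareOrigin {
    Get-SmbShare | ForEach-Object {
        $s = $_
        $origin = switch -Regex ($s.Name) {
            '^[A-Z]\$$'           { 'AutoShareServer (drive root)';    break }
            '^ADMIN\$$'           { 'AutoShareServer (%SystemRoot%)';  break }
            '^IPC\$$'             { 'Server service (always present)'; break }
            '^(NETLOGON|SYSVOL)$' { 'Netlogon / SYSVOL replica';       break }
            default               { 'user-defined' }
        }
        [pscustomobject]@{ Name = $s.Name; Path = $s.Path; Special = $s.Special; Origin = $origin }
    }
}

$before = Get-ShareOrigin
$before | Format-Table -AutoSize

Set-ItemProperty -Path $key -Name AutoShareServer -Value 0 -Type DWord
Restart-Service LanmanServer -Force      # Netlogon depends on the Server service and goes down with it
Start-Service Netlogon                   # make sure it is back; it recreates NETLOGON and SYSVOL

$after = Get-ShareOrigin
'Shares gone after the change:'
Compare-Object $before $after -Property Name | Where-Object SideIndicator -eq '<=' | Select-Object Name
# Expected: C$, D$, ADMIN$ disappear; IPC$, NETLOGON and SYSVOL remain.
```

Keep in mind that anything which depends on ADMIN$ (remote service installation, PsExec-style tooling, some backup and monitoring agents) breaks with it, so the before/after list is also the list of things to re-test.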

Find info on domain users via Wmic


Hi, let me state that I am new to the Microsoft environment.

I'm trying to get the SID of the accounts registered on a machine part of a domain
from the domain controller of the domain itself.

When I run the following command, everything works fine:

Wmic /node:"Computer IP" /USER:"myDomain\myUser" /password:"myPassword" /PRIVILEGES:ENABLE process call create "cmd.exe /c (wmic useraccount where name="localUser" get sid > pathLog)"

but when I try to do this:

Wmic /node:'computer's IP' /USER:"myDomain\myUser" /password:'myPassword' /PRIVILEGES:ENABLE process call create "cmd.exe /c (wmic useraccount where name="domainUser" get sid > pathLog\log.txt)"

I get an empty file, even though the command, launched directly on the target machine, produces the expected result:

wmic useraccount where name="domainUser" get sid > pathLog\log.txt

I can't understand where the problem may be, except in a Windows security policy.

Thank you very much for helping!  Mario.
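Added example, not the poster's command: the same lookup done with CIM sessions instead of a nested "cmd.exe /c wmic ..." string. That removes the nested-quote problem entirely and lets the Win32_UserAccount query be restricted, which matters because an unrestricted query on a domain member enumerates every account in the domain. It also shows the two other ways to get at "accounts registered on a machine" that usually fit better: profiles present on the box, and resolving a domain account's SID directly from the DC. $target, $domain, $user, the credential prompt and the output path are assumptions.

```powershell
# Added example (not from the post): account SIDs on a remote machine via CIM.
$target = '10.0.0.25'          # assumed address of the machine to query
$domain = 'MYDOMAIN'
$user   = 'domainUser'
$cred   = Get-Credential "$domain\myUser"

# DCOM keeps the same transport WMIC uses, so the target needs no WinRM listener.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $target -Credential $cred -SessionOption $opt

# Local accounts on the target machine.
Get-CimInstance -CimSession $session -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
    Select-Object Name, Domain, SID, Disabled

# One domain account as the target resolves it; Domain= keeps the query from walking the whole domain.
Get-CimInstance -CimSession $session -ClassName Win32_UserAccount `
    -Filter "Domain = '$domain' AND Name = '$user'" | Select-Object Name, Domain, SID

# Accounts that have a profile on the target (often what "registered on the machine" means).
Get-CimInstance -CimSession $session -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } | Select-Object SID, LocalPath, LastUseTime

# If the process-creation pattern is unavoidable, single-quote the WQL literals so the
# command line survives intact; CommandLine here is a plain string, nothing to re-escape.
$cmd = "cmd.exe /c wmic useraccount where `"domain='$domain' and name='$user'`" get sid > C:\temp\sid.txt"
Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $cmd }

Remove-CimSession $session

# From the DC itself, a domain account's SID needs no trip to the member machine at all.
(New-Object System.Security.Principal.NTAccount("$domain\$user")).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
```

A process started through Win32_Process.Create runs under a network logon on the target; anything that process then has to fetch from the domain controller is a second hop, so checking what the CIM query returns directly is a cleaner test than reading a file the spawned process may never have been able to fill.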

Can I issue multiple templates or no template at all from NDES?


I have a Windows Server 2016 running with AD CS and NDES configured. I call the NDES endpoint by creating a CSR through a script I have prepared that acts as a SCEP client. Is there a way for NDES to just sign any CSR (through the CA, of course) that comes its way, or will it only issue certs based on the template configured in the registry?

Let's say I want to issue 4 types of certificates and all of them have key usage set to both signing and encryption. Can I somehow have 1 NDES server issue these 4 types of certs (essentially meaning "just sign any CSR that comes your way"), or will I have to deploy multiple NDES endpoints, each issuing 1 particular type?
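Added example, not from the original post: NDES has exactly three template slots in the registry, and picks one per request from the key usage the SCEP client asks for (signature only, encryption only, or both). There is no pass-through mode, so four templates that all request signing plus encryption would all map to the single GeneralPurposeTemplate value; a second NDES instance is the only way to serve a second such template. The block reads and sets those values and recycles the NDES application pool. Template names are assumptions; run it on the NDES server.

```powershell
# Added example (not from the post): the three NDES template slots and how to change them.
$key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# Current mapping: which template each key-usage class of CSR is issued from.
Get-ItemProperty -Path $key | Select-Object SignatureTemplate, EncryptionTemplate, GeneralPurposeTemplate

# Assumed template names. The NDES service account needs Enroll on each of them
# and the templates must be published on the CA NDES is registered with.
Set-ItemProperty -Path $key -Name SignatureTemplate      -Value 'DeviceSigningOnly'
Set-ItemProperty -Path $key -Name EncryptionTemplate     -Value 'DeviceEncryptionOnly'
Set-ItemProperty -Path $key -Name GeneralPurposeTemplate -Value 'DeviceSigningAndEncryption'

# NDES reads the values when its worker process starts; recycle the SCEP app pool.
Import-Module WebAdministration
Restart-WebAppPool -Name 'SCEP'

# Confirm the service is up again and reports its CA and templates.
(Invoke-WebRequest -UseBasicParsing -Uri 'http://localhost/certsrv/mscep_admin/').StatusCode
```

Because the slot is chosen by the key usage in the request, a client cannot pick a template by name; if you need a fourth profile with identical key usage, the choice has to be made by which NDES endpoint the client talks to.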


KB3042553 "Update is not applicable to your computer"

Has KB2919355 replaced KB3042553 or is KB2919355 a prerequisite? I am having this problem "Update is not applicable to your computer" when trying to install KB3042553. There are too many threads out there that are not explicit with the information related to this issue. If KB3042553 is not applicable, and is so important, is it actually needed, and how do I apply the patch?

CertificateServicesClient-CertEnroll Error 13 and 82


Since this cost me a couple of hours, I just want to share it. We were unable to retrieve all kinds of certificates from a freshly installed CA. We received the following:

Event 13, CertificateServicesClient-CertEnroll:
Certificate enrollment for Local system failed to enroll for a RASAndIASServer certificate with request ID N/A from ca.domain.com\lala-CA (The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)).

Event 82, CertificateServicesClient-CertEnroll:
Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {2F3A6C....BEBAB42} (The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)). Failed to enroll for template: RASAndIASServer



Certificate to Allow Machines to LAN


Hello all,

I am looking for a solution to control machines' access to my LAN when they are wired.

What I need is: when someone plugs in a machine, it should not be allowed to access any resource in my domain; if possible, it should not even receive an IP address from DHCP.

My question: do certificates provided by AD CS solve this issue?

Thanks,

IPSec transport not negotiated despite of Connection Security rules


I am trying to set up transparent IPsec encryption between clients and servers in our domain. I've set up connection security rules for transport mode via GPO for clients and servers ("server-to-server" transport type). The connection security rule has our IPv4 address space (123.4.0.0/16) configured for "Endpoint 1" and the rest of the Internet (0.0.0.0-123.3.255.255, 123.5.0.0-223.255.255.255) for "Endpoint 2". The servers' definitions are set to "Require inbound and request outbound", the clients' definitions to "Request inbound and outbound". On the server side, a single generic firewall rule is configured to "Allow connection if secure" and "Require encryption" for all protocols and all addresses.

All servers have public IPv4 addresses; clients may either be behind a NAT device on foreign networks or have public IPv4 addresses on our network.

I can observe that in some cases a client would not start IKE negotiations with the destination server even though it is covered by the connection security rule. Example:

PS C:\Windows\system32> ping 123.4.6.61 -n 1

Pinging 123.4.6.61 with 32 bytes of data:
Reply from 123.4.6.61: bytes=32 time=82ms TTL=119

Ping statistics for 123.4.6.61:
    Packets: Sent = 1, Received = 1, Lost = 0
    (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 82ms, Maximum = 82ms, Average = 82ms
PS C:\Windows\system32> Get-NetIPsecQuickModeSA | ft

Name LocalEndpoint  RemoteEndpoint TransportLayerFilterName EncapsulationMode Direction LocalPort RemotePort IpProtocol
---- -------------  -------------- ------------------------ ----------------- --------- --------- ---------- ----------
168  192.168.246.54 123.4.6.61     IPSec                    Transport         Inbound
168  192.168.246.54 123.4.6.61     IPSec                    Transport         Outbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Inbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Outbound
167  192.168.246.54 123.4.7.25     IPSec                    Transport         Inbound
167  192.168.246.54 123.4.7.25     IPSec                    Transport         Outbound


PS C:\Windows\system32> ping 123.4.6.62

Pinging 123.4.6.62 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 123.4.6.62:
    Packets: Sent = 4, Received = 0, Lost = 4
    (100% loss),
PS C:\Windows\system32> Get-NetIPsecQuickModeSA | ft

Name LocalEndpoint  RemoteEndpoint TransportLayerFilterName EncapsulationMode Direction LocalPort RemotePort IpProtocol
---- -------------  -------------- ------------------------ ----------------- --------- --------- ---------- ----------
173  192.168.246.54 123.4.7.25     IPSec                    Transport         Inbound
173  192.168.246.54 123.4.7.25     IPSec                    Transport         Outbound
174  192.168.246.54 123.4.6.61     IPSec                    Transport         Inbound
174  192.168.246.54 123.4.6.61     IPSec                    Transport         Outbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Inbound
154  192.168.246.54 123.4.7.26     IPSec                    Transport         Outbound

In the network trace of the client machine (Windows 10 1803), I can see that it is not even trying to send an IKE packet to 123.4.6.62, although it connected fine to 123.4.6.61. This might be reversed after the client has been rebooted.

How could I debug this and is there any known remedy to this problem?

Kind regards,

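Added example, not from the original post: the data to collect on the client to tell whether the policy even selected IPsec for a given peer, and the auditing to enable so that a negotiation which starts and fails leaves a record. A quick-mode SA can only exist on top of a main-mode SA, so the absence of both for one peer while a neighbour has them points at filter selection rather than at the IKE exchange itself; the WFP capture records which filters matched the packets to that peer. The peer address is the post's; the output paths are assumptions. Run elevated on the client.

```powershell
# Added example (not from the post): why no IKE to one peer? Rule coverage, SAs, audit, WFP trace.
$peer = '123.4.6.62'

# 1. Active (GPO-applied) connection security rules and the address sets they cover.
$report = foreach ($r in Get-NetIPsecRule -PolicyStore ActiveStore) {
    $addr = $r | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $r.DisplayName
        Enabled  = $r.Enabled
        Mode     = $r.Mode
        Inbound  = $r.InboundSecurity
        Outbound = $r.OutboundSecurity
        Local    = ($addr.LocalAddress  -join ', ')
        Remote   = ($addr.RemoteAddress -join ', ')
    }
}
$report | Format-Table -AutoSize

# 2. Main-mode SAs; the quick-mode SAs the post lists each sit on one of these.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, MainModeKeyModule
Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq $peer

# 3. Audit IKE/AuthIP so a negotiation that starts shows up in the Security log
#    (4650/4651 main mode established, 4652/4653 main mode failed, 4654 quick mode failed).
auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

# 4. Trace the filtering platform while traffic to the peer is generated; the capture
#    records which filters matched and whether any of them called for IPsec.
netsh wfp capture start file=C:\temp\wfp-capture.cab
ping -n 2 $peer | Out-Null
netsh wfp capture stop

# 5. Full WFP state, for a side-by-side diff with a client that did negotiate.
netsh wfp show state file=C:\temp\wfpstate.xml

# 6. Negotiation events for this peer, if any were produced after step 3.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4650, 4651, 4652, 4653, 4654 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($peer) } |
    Select-Object TimeCreated, Id
```

Compare the capture for 123.4.6.62 with one taken against 123.4.6.61 from the same client: if the second shows an IPsec callout decision and the first does not, the difference is in filter selection on the client (address sets, rule precedence, or a more specific filter), not in anything the server does.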

Problems signing a Powershell Script using an internal Certificate in Trusted Publisher node


Hello

I get an Unknown error trying to sign a script using a certificate stored in the Trusted Publisher node.
Our organization created and deployed a certificate to all our machines and placed it in the Trusted Publisher node.
I'm trying to use this certificate to sign a powershell script by following the instructions at this site:
https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2/

I ran the commands:
$Cert = (dir cert:\CurrentUser\TrustedPublisher\ -CodeSigningCert)
$script = ".\file.ps1"
Set-AuthenticodeSignature $Script $Cert -TimeStampServer http://timestamp.comodoca.com/authenticode

I get the following Output:
SignerCertificate                         Status                                 Path
-----------------                         ------                                 ----
                                          UnknownError                           file.ps1

I ran the command $cert | Format-List *
and noticed that "HasPrivateKey" is True but "PrivateKey" is blank.
Is this the cause of the unknown error? If not, how would I sign a script using our certificate in the Trusted Publisher?

Note: I have no problems signing a script if I use a certificate in my Personal Node, but then I think I would have to deploy this cert using GPO to all machines Trusted Publisher node.

Thank you for any info.
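Added example, not the poster's commands: a signing operation needs the private key, which lives with the signer's own copy of the certificate (Personal store),and the Trusted Publishers store is only a trust list for verification, holding the public certificate that policy distributes. The block below signs with the Personal-store certificate, checks the resulting signature, and exports the public part as the file a GPO's Trusted Publishers policy is built from. Note that on current Windows the PrivateKey property of a certificate is blank for keys stored by CNG even when the key is present, so a blank PrivateKey on its own does not mean the key is missing; the `Status` returned by Set-AuthenticodeSignature is the reliable test. Script path, export path and hash choice are assumptions; the timestamp URL is the one from the post.

```powershell
# Added example (not from the post): sign with the Personal-store certificate, publish the public part.
$scriptPath = '.\file.ps1'                     # assumed script to sign
$exportPath = 'C:\temp\codesign-public.cer'    # assumed location for the GPO import file

# 1. A code-signing certificate whose private key is present, newest expiry first.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object HasPrivateKey | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key in Cert:\CurrentUser\My' }

# 2. Sign and time-stamp; anything other than Valid means the key was not usable.
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256 `
           -TimestampServer 'http://timestamp.comodoca.com/authenticode'
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) $($sig.StatusMessage)" }

# 3. Verify as a consumer would: chain, trust, and that the timestamp was applied.
Get-AuthenticodeSignature $scriptPath |
    Select-Object Status,
        @{ n = 'Signer';      e = { $_.SignerCertificate.Subject } },
        @{ n = 'Timestamped'; e = { $null -ne $_.TimeStamperCertificate } }

# 4. Public certificate only (no key) for Computer Configuration > Policies > Windows Settings >
#    Security Settings > Public Key Policies > Trusted Publishers.
Export-Certificate -Cert $cert -FilePath $exportPath -Type CERT

# 5. What a target machine sees once the policy applies: the public certificate is listed,
#    and scripts signed above validate there because the signer is in this store.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Select-Object Subject, Thumbprint, NotAfter
```

With that split, only the person (or build account) holding the key in a Personal store can produce signatures, while every machine that received the GPO can verify them; if the certificate in Trusted Publishers really does carry a usable private key on every workstation, that copy should be replaced with the public-only export, since otherwise any local administrator can sign in the organisation's name.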
