Hi, I have run an vunerbelirty scan and one outcome is this. I have done some investigatin but not come up with any solution. What to do? This RPC service allows cleartext or very weak authentication protocols without any encryption encapsulating login sessions. |
RPC can be secured by wrapping the service in SSL. If you do not need this service to be running, however, disable/filter access to it. | ||
Any suggestions how to handle this?
Zorky HPC
hello,
I have looked all over but have found it difficult to get/find useful debugging information.
I have clients connecting to a MIT kerberos enabled proxy, kerberos between proxy and Windows Server KDC and then kerberos mechanism via SPNEGO tickets between proxy and Exchange service.
Exchange server is issuing HTTP 401 with WWW-Authenticate: Negotiate very frequently.
For the service ticket, it is required on every http request or just the initial request to the kerberised exchange service?
How can I get some detailed debugging information on the Exchange IIS side to understand the 401 error are so frequent.
Is there any other sub error codes available or other guidance ( events/logs ) that I can get/look for.
Thank you kindly.
Hello,
I inherited a enterprise PKI setup and noticed a few errors. When running PKIview I get the following
Highlighting Root CA
Highlighting Issuing CA
I followed Vadims blog about using HTTP as best practice, even in an enterprise environment, so went about changing the LDAP locations to HTTP. My Issuing CA extensions now look like this
CDP Locations
AIA Locations
NOTE: We have a low change/revocation rate, so I do not see a need to publish the delta CRL.
Despite making these change (and restarting the services), when checking PKIview again, I still see the "DeltaCRL Location #1" showing the LDAP address, as shown in the first 2 screenshots above.
So, Question 1: How do remove this DeltaCRL Location?
Question 2: How do I update the locations for the Root CA? Do I need to boot up my offline Root CA and renew the certificate for the Issuing CA?
Kind regards
Hello All,
I have a scenario where I need to utilize RADIUS for wireless as well as other Web Portals.
We are wishing to use Smart Cards through our Windows Enterprise CA. I have the solution working, but wondering if its possible to achieve this scenario:
We would like RADIUS, to allow both Users w/ Digital Certificates AS WELL as Users that do not have Digital Certificates. Our Escalation Teams utilize Certs, where as normal users do not. We wish for them to use YubiKeys but we noticed when we implemented RADIUS looking for Digital Certs, the security is either we allow Smart Card Auth, or we allow PEAP-MS-CHAPv2 , can someone tell me if its possible to utilize 2 different forms of Authentication on the same Network Policy?
Thanks!
A vendor for a Linux system is asking for a certificate which the certifiacte key usage state "TLS Web Server Authentication, TLS Web Client Authentication". They provided a CSR file. On the CA server, I ran the following command:
certreq -submit -attrib "CertificateTemplate:WebServer" cms.csr
It created the certificate successfully with the Enhanced Key usage field with "Server Authentication (1.3.6.1.5.5.7.3.1)". Is this the same thing as "TLS Web Server Authentication, TLS Web Client Authentication" which they need?
I looked into the Certificate Templates console and cannot modify the Web Server template key usage extension.
Hi,
We have an internal domain and CA setup. However we do not own the Internet domain for the CA's domain.
We own several other Internet domains and I would like to use one of those to issue certificates that are able to be trusted and generated internally to the organization.
For example I would like to use the Internet registered domain to get certificates for 100 printers but don't want to pay Godaddy or whoever 75/year per cert. Would like to be able to generate for all my switches and other devices as well.
What would be the best way to accomplish this?
Thanks
Hello -
I am trying to get a YubiKey configured as a PIV card for a different user. I am a domain admin and have followed all the steps in the YubiKey guide. When I attempt to "Enroll on Behalf Of" a different user, I get all the way through the wizard, insert the card, GUI says "Status: Enrolling", and then it fails with the following message:
"Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. Denied by Policy Module. The request ID is XXX"
I followed the suggestion provided here, but I get the same error even after doing that. I cannot find any other articles online about this.
Any and all help is greatly appreciated.
Hi Guys,
I'm working on a POC kind of environment to test the application (in the current org) access from a partner organisation. We need to create trusts between ADFS servers of the two parties, can't use the AD trust, because we just need to provide access to an application with their domain accounts.
And to perform this in a lab, I need to be able to deploy the certificates which are trusted by both the parties, can't go with 3rd party SSL because of the cost restriction for the lab, your help is much appreciated in this regard.
And the application in discussion is RD Web from Windows Remote Desktop Services.
TheWinguy
I have server 2008R2 CA which is running on the same server as the domain controller. I am looking for a microsoft article where it says supported operating system for destination server with 2016 is supported when migrating from Server 2008R2 , but I couldnt find it anywhere.
Below is one supporability link i found
I found below article which says it is not possible to migrate from Server 2008 to Server 2016 directly.
http://www.yshvili.com/migrate-windows-server-2008-r2-certification-authority-new-server-windows-2012-2012-r2-2016/
Does the same applies to Server 2008 R2 to server 2016. do i need to migrate first to Server 2012 R2 then to Server 2016 ??
ROBIN
I am running an elevated powershell script that installs an application on the local Windows machine. The script is being halted but the UAC prompt "Do you want to allow the following program to make changes to your computer?"
Is there a way to Programmatically answer 'yes' ?
The SendKeys seems to be disabled for the UAC window.
Hello Technet,<o:p></o:p>
I am in the process of setting up jump servers in our environment and have been looking for best practices online.<o:p></o:p>
I must say that there is a lot of information available in regards to jump server and have added few security components in my environment.<o:p></o:p>
Here I need your expert advice:<o:p></o:p>
>> Must points to consider in the Jump Server environment, if someone already running an environment<o:p></o:p>
>> Can we enable the Auditing or Logging for RDP/SSH session triggered from Jump Servers? like who initiated the RDP and what was the target host, etc.<o:p></o:p>
all suggestion are welcome<o:p></o:p>
<o:p> T</o:p>hanks in Advance
Hi,
From what I've read the biometric authentication data is stored on a locally on a machine.
1. This would mean that if John (fictional scenario) logs onto 4 different machines every day he would have to setup his fingerprint on each machine, despite the 4 machines being linked to the same domain controller. correct ?
2. Is it possible to store biometric data on a domain controller, so John can set up a fingerprint only once and then his profile is loaded onto any machine that he signs onto ?
Thanks,
Greg.
Hello Microsoft community,
I'm thinking about creating Test environment as close as possible to the production environment on my LAN
I have 3 Servers: the first one is not in use Dell T420 - the second one is DL360 GEN9 main server with 4 VMs and the third is DELL 5820 pc that working with DL360 to replicate the machines..
Now I cant use DELL 5820 replicated machines for my test because they are for disaster recovery if something happens to my main server DL360..
How do I create full replica of my production environment and keep the test environment up to date with my production environment?
Hi
I am being told that a major global company can not differentiate if a recorded user Windows event is a file explorer search, a copy, viewing file metadata or opening a file.
This does not feel right s no company could ever tell which file were accessed in a data breach or just found in a search.
Can someone help clarify?
2 follow up questions,
If the company shares the raw log file is t possible to determine which files were opened or just came back as teh result of a search?
What is the significance of a file called desktop.ini showing up at various stages as "Read"
Thanks
Hi
We recently patched about 200 vulnerable servers (2003, 2008, 2008 R2) with the May 2019 patch KB4499175.
Since then, a number of our 3rd party suppliers who used to be able to connect to their servers on our site using RDP are getting the following error:-
"An authentication error has occurred. The function requested is not supported"
We can remote OK to the patched servers while on site.
Any ideas much appreciated.
Many thanks
Hi,
Our server 2008 R2 not stable after installing these two patches.
Kindly confirm if any fix.
Issue: We are getting alert from nagios regard to this server is down, by the time my remote connection was also disconnected. when i tried login to this server few minutes later, my login session was active and all my files kept open (server was not rebooted) i think server goes to not responding by the time alert triggers.
ITandIT
I just got a new boss and his first mandate was that i cant use my user account to do domain admin level work. You see, my user account (with my name on it) has been a domain admin since Windows NT in the late 90's (and on Netware before that). It is insanely convenient and efficient for my account to be able to do everything i need it to do without having to login as someone else first. I have no choice but to comply, but how to i make this as painless as possible in a small business environment (100 users, and one other domain admin like me in the same boat). He says simply clone my current account, and then pull my original account out of the domain admin group. Used the cloned account when needed. What are some other methods to quickly get what he wants (me not being a domain admin except when needed) and still me feeling like i can quickly shift from regular user to domain admin without having to do a "switch users". I mean i live in the domain admin world ALOT and its important for me to set NTFS permissions while i read an email, or unlock and account while I type the question in a web browser. Please help. Give me ideas! Options!
Why would Windows 2012 listen for WMI connections on port 1027 instead of the default range 49152-65535 ? How to change is back to 49152-65535 ?
Thanks