Channel: Security forum
Viewing all 12072 articles
Browse latest View live

NDES is a mandatory role in Microsoft CA


Hi All

Is NDES a mandatory role in Microsoft CA? Without NDES, can I not enroll certificates for the network devices?

Any disadvantage if I do not install the NDES role, and any advantage?


Suitable Attribute to show organization national number in subject field in digital certificate


Hi every body

I am trying to issue digital certificates for people who work in different organizations. All people and organizations have their unique National IDs, and I want to include these national IDs in the subject field. I use the serialnumber attribute for people's IDs. What attribute do you suggest for the organization National ID? By the way, I currently use organizationName and OrganizationalUnitName in my subject and they contain other information, and I want to use a unique attribute for the Organization ID, not a repetitive one.

Automatic Certificate Enrollment failing for user. Event ID 47


Hello,

I have been asked to help look at an issue with a Windows 2016 certificate server at work which is not issuing auto-enrollment user certificates. This is a new implementation of PKI which consists of a 2 tier setup utilising an offline root CA server and an online issuing CA server.

I have not been involved in the setup and apparently it has been working so something has changed to cause this issue.

When I log onto a Windows 10 client workstation, it should auto-enroll a user certificate but no error was appearing. I enabled a registry key in the User section of the registry to get verbose logging in the event log which now shows the following error.

Warning: CertificateServicesClient-CertEnroll

Event ID 47

Certificate enrollment for domain\username could not enrol for a UserCertificateName certificate. A valid certification authority cannot be found to issue this template.

If I use network monitor on the CA server during this process, I don't see any traffic hit the CA server from the client. If I then run the Certificates snap-in from an MMC on the workstation and go through the wizard to renew the certificate, it pops up and works. During this process I see a lot of activity in network monitor running on the server.

I think someone has made a change to the server that has caused this issue, but Certificate Authority Services is not my strong point on Windows Server 2016 and I am struggling to figure out what the problem could be.

Any help or suggestions would be greatly appreciated.

Dave


Updates are pushed but Trusted Root Certificate store not updated


Hi

We pushed the cumulative and service stack update on our Server 2016, but we saw that some websites (under Chrome or IE) have a certificate issue (not on our Windows 10) linked to an invalid root certificate.

Indeed, the certificate chain is different between Windows Server and Windows 10.


How can I update those trusted root certificates?

thanks

Enabling TLS 1.2 on Windows Server 2012 & 2016

I'm trying to establish TLS 1.2 connections with SQL Server 2012 & 2016 (on Windows Server 2012 & 2016). I've read that you must enable SCHANNEL support for TLS 1.2 for both host types AND I've read that it is enabled by default. When inspecting the registry on Windows Server 2016... there are no entries for TLS 1.2 support for SCHANNEL. Does this mean it is NOT supported OR is it supported but without any specific registry entries to enable it?

Root CA expiring on my 2008 R2 server in 3 months

We have a single forest, single domain environment (two 2008 R2 DCs) with 100 users. I found out that we have a single cert server; it is running 2008 R2 and the cert is set to expire in about 3 months. It is self-signed and I need to renew it. We will build a new server in the coming months but not before this cert expires. In looking at the Issued Certificates section I only see 12 that are still valid, and of those only 2 seem relevant as they were issued to our DCs (the others belong to test machines and users). I am confused about whether or not I need to answer Yes or No to the question about generating a new public and private key pair (I am testing this out in an isolated environment; I restored one of my DCs and this server into it). The signing key hasn't been compromised, our CRL isn't too big, and I don't think we have a program that requires a new one.

Security Policies & Procedures

This isn't really a Windows Server question, although it pertains to my use of that product. My question is: "does anyone know where I can download some templates for security policies?" I'm talking about "documentation" that you create in your IT department, like an Access Control Policy or an Acceptable Use Policy. That kind of stuff, but slanted towards a Microsoft-centric world.

Is it possible to migrate an Enterprise CA from Server 2008 R2 to Server 2016?


I have a Server 2008 R2 CA which is running on the same server as the domain controller. I am looking for a Microsoft article which says that Server 2016 is a supported operating system for the destination server when migrating from Server 2008 R2, but I couldn't find it anywhere.

Below is one supportability link I found:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee126170(v=ws.10)

I found the article below, which says it is not possible to migrate from Server 2008 to Server 2016 directly.

http://www.yshvili.com/migrate-windows-server-2008-r2-certification-authority-new-server-windows-2012-2012-r2-2016/

Does the same apply to Server 2008 R2 to Server 2016? Do I need to migrate first to Server 2012 R2 and then to Server 2016?


ROBIN


Programmatically answer the UAC's notification about changes to the computer


I am running an elevated PowerShell script that installs an application on the local Windows machine. The script is being halted by the UAC prompt "Do you want to allow the following program to make changes to your computer?"

Is there a way to programmatically answer 'yes'?
SendKeys seems to be disabled for the UAC window.

Granting permissions for RPC on DCs


Hi,

Could anybody give me a hint on how to grant RPC permissions for a specific group / service account on domain controllers?

We are deploying a lic. inventory tool and instead of installing the agent in T0 (where the DCs are) I decided to do an inventory of all DCs over the network from a single probe server that is also placed in T0 - this provides better security. But unfortunately, it requires some perms on such a target netw. device to gather info about licenses; RPC specifically... and I don't want to delegate such through the Domain Admins group since that would be way too much.

Any ideas, hints? 

[Pre-Login] initialization=19286; handshake=16099; SQL 2017 CU14


Hey, I got a simple HA/AG SQL 2017 on the latest CU14.

I am trying to copy users from the primary to the secondary and it all works well on port 1433.

I can enable/disable the firewall and the script works as expected.

The problem is that when the 1433 TCP Port is changed to another port, the script fails whenever the firewall is enabled on the intended destination. If I disable the FW, it just works.

So I tried opening ports 5022 and 49000-51000, same fail; multiple reboots, applying SQLAgent and ..CEIP.. to the firewall allowed communication - all fails. Process Monitor does not tell me what is blocked and reports that the expected ports and applications are responding as intended and succeeded.

In PowerShell I used the same script, zero modifications.

My script fails when it runs

Invoke-Sqlcmd -Query $Query -ServerInstance 10.10.15.204

The exact failure message is

 

Invoke-Sqlcmd : Connection Timeout Expired.  The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement.  This could be because the pre-login handshake failed or the server was unable to respond back in time.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=19286; handshake=16099; 

At C:\scripts\powershell.ps1:344 char:17
+ ...              Invoke-Sqlcmd -Query $Query -ServerInstance 10.10.15.204
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Invoke-Sqlcmd], SqlException
    + FullyQualifiedErrorId : SqlExectionError,Microsoft.SqlServer.Management.PowerShell.GetScriptCommand

Invoke-Sqlcmd : 
At C:\scripts\powershell.ps1:344 char:17
+ ...              Invoke-Sqlcmd -Query $Query -ServerInstance 10.10.15.204
+                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Sqlcmd], ParserException
    + FullyQualifiedErrorId : ExecutionFailureException,Microsoft.SqlServer.Management.PowerShell.GetScriptCommand

What firewall settings should I choose?

Change of validity of the root certificate in MS CA

Good day.

Microsoft Certificate Authority, Windows Server 2008 R2. The server worked on the SHA-1 hashing algorithm (the old root certificate is valid until 2022). The algorithm was updated to SHA-256. When updating the root certificate, a new root certificate was issued with a validity period up to 2117. This happened despite the fact that the period of 5 years is specified in the CA template and in the CAPolicy.inf file. Any attempt to renew the certificate leads to the fact that the validity of the new root certificate can only be increased, but not reduced. Are there any simple ways to solve the problem?

If not, please evaluate the following plan:

1. Just in case we do a snapshot of MS CA.

2. Set the validity period of the CRL, which will be released on the old root certificate, until 2022 (the number indicated approximately) and release the CRL.

certutil -setreg CA\CRLPeriodUnits 1000
certutil -setreg CA\CRLPeriod "Days"
net stop certsvc
net start certsvc
certutil -CRL

3. With the help of the backup wizard we back up the certificate database.

4. Remove the role of the Certification Center.

5. Return the old value of CRLPeriodUnits.

6. Install the role of the Certification Center with the installation of the correct validity period of the root certificate.

7. Restore the certificate database.

EAP-TLS authentication with NPS

I am trying to authenticate devices onto Wi-Fi using EAP-TLS against NPS.

My PKI and NPS are all part of the same domain but my clients (devices) are on various domains. In my head this should be straightforward - I have a certificate (client auth purpose) on each device (local computer personal certs) that's signed by the intermediate CA, chained up to the root CA. I also have both root CA and intermediate CA certs in the devices' trusted certs.
On NPS I have a server cert (server auth) signed by the same CA and also the root and intermediate CA certs trusted.

I have network and connection request NPS policies set as per: https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_Creating_a_Policy_in_NPS_to_support_EAP-TLS_authentication

But whatever I try I can't get a device authenticating. In the NPS event log I get a "user does not exist".

Is there something obvious I've missed or am not getting?
Does it matter what the SAN and Subject is for either the client or server certificate?

Thanks.

MFA for RDS Gateway.

Is there a way I can allow connections if, for some reason, the on-premises MFA server is not available to accept connections?

Advapi Logons


Hi there,

I've looked through a wealth of information between these forums and other resources from both Microsoft and others to try and get an answer on an issue I'm having. I'm part of a security team (SOC) and I've been asked to create some rules in the SIEM to detect the use of interactive logons to service accounts through type 2 (Interactive) and type 10 (Remote desktop, assistance etc.) The idea is that users shouldn't be logging in with the service accounts and instead should only be using the service accounts for batch tasks, scripts etc. which are automated. 

What I've found is that type 2 logons are shown with the logon process as 'Advapi' in a lot of cases, where the user performing the logon is the local SYSTEM account. Generally there are many of these at one time and it seems they must be automated; from the explanations I've seen I cannot grasp how they can be both automated and logon type 2 at the same time. Also, why would a logon that doesn't seem to be IIS or web services show the Advapi logon process? Regarding Advapi:

I understand the explanation I have seen where users have stated that:

"Logons through a KVM over IP component or a server's proprietary "lights-out" remote KVM feature are still interactive logons from the standpoint of Windows and will be logged as such."

The above explanation does not seem to account for the payload below.

Here's a payload of a service account with a logon type 2 with the process of powershell:

<13>May 23 10:42:10 ComputerName1 AgentDevice=WindowsLog          AgentLogFile=Security                PluginVersion=7.2.5.27  Source=Microsoft-Windows-Security-Auditing                Computer=ComputerName1.AD.INTRA  OriginatingComputer=ComputerName1 User=    Domain=                EventID=4624    EventIDCode=4624          EventType=8     EventCategory=12544    RecordNumber=88259597                TimeGenerated=1558600930      TimeWritten=1558600930            Level=0 Keywords=0       Task=0  Opcode=0                Message=An account was successfully logged on. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: ComputerName1$ Account Domain: AD Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: AD\Service_Account1 Account Name:Service_Account1 Account Domain: AD Logon ID: 0x161287e88 Logon GUID: {B5A094D8-A46A-7DCB-FD2D-65852AFFC359} Process Information: Process ID: 0x852cProcess Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Network Information: Workstation Name: ComputerName1 Source Network Address: - Source Port: - Detailed Authentication Information:Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0


These events come in batches of 5-10 at once, showing that these are obviously automated; the account's own function pulls information from devices on the network to update a ticketing system, ServiceNow.

I know I could filter out any account initiating the logons which are computer accounts (ending in $ or System), but I think this also runs the risk of users impersonating the System account.

Can anyone help in explaining my confusion? I want to only be detecting actual users misusing service accounts and any more information would be greatly appreciated. Many thanks in advance guys. 
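
A detection rule for the situation this post describes, as an added example that is not part of the post or of any SIEM product: it parses the flattened 4624 Message text shown above into the fields a rule needs, exempts only Advapi type 2 logons whose Subject is genuinely the SYSTEM session (the well-known logon ID 0x3e7, the machine account name and the SYSTEM SID all together), and alerts on everything else, including winlogon (User32) console and RDP logons. SERVICE_ACCOUNTS, the HOST1 hostname and the sample() builder are constructed for the example; it assumes the SIEM delivers Message as one flattened line, as in the post.

```python
import re

# Constructed watch-list; replace with the service accounts from your own inventory.
SERVICE_ACCOUNTS = {"service_account1", "svc_inventory"}
INTERACTIVE_TYPES = {"2", "10"}   # 2 = console, 10 = RemoteInteractive (RDP)
SYSTEM_LOGON_ID = "0x3e7"         # fixed logon ID of the SYSTEM session

def _field(text, label, stop):
    """Text after 'label:' up to 'stop:'; tolerates 'Account Name:Value' with no space."""
    m = re.search(re.escape(label) + r":\s*(.*?)\s*" + re.escape(stop) + ":", text)
    return m.group(1) if m else ""

def parse_4624(message):
    """Pull the fields a service-account rule needs out of the flattened Message text."""
    subj = _field(message, "Subject", "Logon Type")
    new = _field(message, "New Logon", "Process Information")
    ltype = re.search(r"Logon Type:\s*(\d+)", message)
    lid = re.search(r"Logon ID:\s*(0x[0-9A-Fa-f]+)", subj)
    return {
        "subject_sid": _field(subj, "Security ID", "Account Name"),
        "subject_user": _field(subj, "Account Name", "Account Domain"),
        "subject_logon_id": lid.group(1).lower() if lid else "",
        "logon_type": ltype.group(1) if ltype else "",
        "target_user": _field(new, "Account Name", "Account Domain"),
        "process": _field(message, "Process Name", "Network Information"),
        "logon_process": _field(message, "Logon Process", "Authentication Package"),
    }

def classify(message):
    """Return 'ignore', 'programmatic' or 'alert' for one 4624 message."""
    e = parse_4624(message)
    if e["logon_type"] not in INTERACTIVE_TYPES or e["target_user"].lower() not in SERVICE_ACCOUNTS:
        return "ignore"
    # LSA fills the Subject from the caller's token, so a real SYSTEM caller shows all three
    # markers together; a subject that merely resembles SYSTEM does not earn the exemption.
    system_caller = (e["subject_sid"].upper() == r"NT AUTHORITY\SYSTEM"
                     and e["subject_logon_id"] == SYSTEM_LOGON_ID
                     and e["subject_user"].endswith("$"))
    # Advapi means a process called LogonUser(); from a SYSTEM-owned process that is a script
    # or agent holding the credential. User32 is the winlogon path (console or RDP), where
    # a person typed the password, so those always alert.
    if e["logon_process"] == "Advapi" and e["logon_type"] == "2" and system_caller:
        return "programmatic"
    return "alert"

def sample(subj_sid, subj_user, subj_lid, ltype, target, process, logon_proc):
    """Constructed 4624 Message in the same flattened layout as the post's SIEM payload."""
    return (f"An account was successfully logged on. Subject: Security ID: {subj_sid} "
            f"Account Name: {subj_user} Account Domain: AD Logon ID: {subj_lid} "
            f"Logon Type: {ltype} New Logon: Security ID: AD\\{target} Account Name:{target} "
            f"Account Domain: AD Logon ID: 0x161287e88 Logon GUID: - Process Information: "
            f"Process ID: 0x852cProcess Name: {process} Network Information: Workstation Name: "
            f"HOST1 Source Network Address: - Source Port: - Detailed Authentication Information:"
            f"Logon Process: {logon_proc} Authentication Package: Negotiate Transited Services: -")
```

Feed classify() the Message field of each 4624 and route "alert" to a case; "programmatic" events are still worth keeping as a record of which SYSTEM-run scripts hold service-account credentials.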


Meltdown and Spectre patches.

In March 2018 or February (I don't remember exactly) I installed the security system quality update (monthly rollup) for the current month (Server 2008 R2). Then I installed the update (monthly rollup) for December 2018. Today I installed the update (security only) for January 3, 2018, successful installation. After that, KB4100480 is not installed. It says that the update is not applicable. Is this normal?

Defining if a Windows event file can show a file has been opened, copied or was just part of a search.


Hi

I am being told that a major global company cannot differentiate whether a recorded user Windows event is a File Explorer search, a copy, viewing file metadata or opening a file.

This does not feel right, as no company could ever tell which files were accessed in a data breach or just found in a search.

Can someone help clarify?

2 follow-up questions:

If the company shares the raw log file, is it possible to determine which files were opened or just came back as the result of a search?

What is the significance of a file called desktop.ini showing up at various stages as "Read"?

Thanks

How to create Test environment as close as possible to the production environment?


Hello Microsoft community,

I'm thinking about creating a test environment as close as possible to the production environment on my LAN.

I have 3 servers: the first one, a Dell T420, is not in use; the second one is a DL360 Gen9 main server with 4 VMs; and the third is a Dell 5820 PC that works with the DL360 to replicate the machines.

Now I can't use the Dell 5820 replicated machines for my test because they are for disaster recovery if something happens to my main server, the DL360.

How do I create a full replica of my production environment and keep the test environment up to date with my production environment?

 


Update Root Cert Validity Period


Hi,

I was wondering if someone could point me in the right direction.

I have recently migrated our CA server from 2008 to 2016.

The root certificate has a validity period of 999 years. I would like to update this to something more reasonable. I have created the file CAPolicy.inf and placed it in the c:\windows folder and then restarted the certificate service.

Upon generating a new root certificate, the validity period is still set to 999 years. I have also searched through the registry for the setting but with no luck.

Is there another place I should be looking at to update the time period?

Thanks

Pete

Adding 3rd party root CA certs in CertSrv cacerts


Hello,

I spent a decent amount of time searching but could not find an answer to my question. 

Is there a way to add 3rd party certs in the CA certs response CertSrv provides in https://<hostname>/certsrv/certcarc.asp ? 

If this needs to be redirected to another forum please let me know. 

Thank you, 
PK
