Channel: Security forum

Another PKI Question...Updating CDP/AIA Locations


Hello,

I inherited an enterprise PKI setup and noticed a few errors. When running PKIView I get the following:

Highlighting Root CA

Highlighting Issuing CA

I followed Vadims' blog about using HTTP as best practice, even in an enterprise environment, so I went about changing the LDAP locations to HTTP. My Issuing CA extensions now look like this:

CDP Locations

AIA Locations

NOTE: We have a low change/revocation rate, so I do not see a need to publish the delta CRL.

Despite making these changes (and restarting the services), when checking PKIView again, I still see the "DeltaCRL Location #1" showing the LDAP address, as shown in the first 2 screenshots above.

So, Question 1: How do I remove this DeltaCRL Location?

Question 2: How do I update the locations for the Root CA? Do I need to boot up my offline Root CA and renew the certificate for the Issuing CA?

Kind regards



Create certificate on CA from CSR file with key usage "TLS Web Server Authentication, TLS Web Client Authentication"


A vendor for a Linux system is asking for a certificate whose certificate key usage states "TLS Web Server Authentication, TLS Web Client Authentication". They provided a CSR file. On the CA server, I ran the following command:

certreq -submit -attrib "CertificateTemplate:WebServer" cms.csr

It created the certificate successfully, with the Enhanced Key Usage field showing "Server Authentication (1.3.6.1.5.5.7.3.1)". Is this the same thing as "TLS Web Server Authentication, TLS Web Client Authentication" which they need?

I looked into the Certificate Templates console and cannot modify the Web Server template key usage extension.

How long does it take for the standby DHCP server to become active in DHCP failover?

I installed DHCP failover, but I have a question: how long does it take for the standby DHCP server to become active in DHCP failover?

Install Enterprise CA option is greyed out


I'm having issues with the "Enterprise CA" option being grayed out during installation of the ADCS role on a 2008 R1 Enterprise Edition server (for a new Ent. Sub. CA).  The account I was using had Enterprise Admin rights in the root domain and Domain Admin rights in the child domain that the CA will be installed into (I don't need root domain admin since I have enterprise admin, right?).  The server is already joined to the domain.  I verified that Enterprise Admins have full control of the Public Key Policy container and all child containers.  I have not tried to re-create this, as another CA (2003) is online within the same domain/forest - I would prefer not to have to do this if at all possible.  I tried moving the capolicy.inf out of windir in case it was getting in the way.  I believe I have the firewall cleaned up - is there an official resource that documents how to configure the firewall for just the CA?  I'm not installing web services or anything else - this is a dedicated box.

Thanks in advance...

Ability to issue certificates from a secondary domain?


Hi,

We have an internal domain and CA setup.  However we do not own the Internet domain for the CA's domain.

We own several other Internet domains and I would like to use one of those to issue certificates that can be trusted and generated internally to the organization.

For example, I would like to use the Internet-registered domain to get certificates for 100 printers but don't want to pay GoDaddy or whoever 75/year per cert.  I would like to be able to generate them for all my switches and other devices as well.

What would be the best way to accomplish this?

Thanks

KB4499164, KB4499175_Server not stable


Hi,

Our Server 2008 R2 is not stable after installing these two patches.

Kindly confirm if any fix.

Issue: We are getting an alert from Nagios that this server is down, and at the same time my remote connection was also disconnected. When I tried to log in to this server a few minutes later, my login session was still active and all my files were still open (the server was not rebooted). I think the server goes into a not-responding state at the time the alert triggers.


ITandIT

How to Run a Bitlocker Powershell at startup with Highest admin privilege


Hi all,

I'm configuring BitLocker drive encryption on my corporate network. All notebooks have TPM 1.2 with Windows 10 Pro.

I configured a gpo with basic setting to store recovery key to Active Directory.

To enable BitLocker at Windows startup I made a simple PowerShell script:

$ErrorActionPreference = "SilentlyContinue"
Stop-Transcript | Out-Null                           # stop any transcript that is already running
$ErrorActionPreference = "Continue"
Start-Transcript -Path C:\bitlocker.txt -Append      # log the whole run to C:\bitlocker.txt

$CdriveStatus = Get-BitLockerVolume -MountPoint 'C:'

# Only enable BitLocker when the OS drive is not encrypted yet
if ($CdriveStatus.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint "C:" -RecoveryPasswordProtector -SkipHardwareTest
}

Stop-Transcript


The script also logs the debug information in c:\bitlocker.txt.

When a computer restarts, the file contains this error:

Add-TpmProtectorInternal : The requested privilege does not belong to the client. (Exception HRESULT: 0x80070522)
In C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 car:31
+ ...   $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal
Add-TpmProtectorInternal : The requested privilege does not belong to the client. (Exception HRESULT: 0x80070522)
In C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1:2095 car:31
+ ...   $Result = Add-TpmProtectorInternal $BitLockerVolumeInternal.MountPo ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Add-TpmProtectorInternal

If I manually execute the script from an elevated PowerShell session, everything works fine.

How can I execute the script with the highest privileges at PC startup (not at user logon)?

This is the GPO setting:

issue with auto-renewal of list of certificates generated using computer template

We have AD and a CA enabled on one of our servers.

Now, we are generating certificates for the sub-systems using the Computer template with "Supply in the request" checked for the subject.

Auto-Enrollment has been enabled at the GPO level. 

For testing purpose, template validity has been set to 4 hours with renewal period as 1 hour. 

Now, after 4 hours, we see that only the latest certificate created is getting renewed and the rest of them are archived.

Also, we see the renewal notification for the renewed certificate and expiry notifications for the rest of the certificates in the event log.

Ideally, we would have wanted all the certificates to be renewed. Not sure what is missing here? Can someone help?



darshan m r


TLS 1.3 Server 2016 (IIS 10.0)

We are running an ASP.NET application in IIS 10.0 (Windows Server 2016) and have installed an SSL certificate. One of our clients was asking us about supporting TLS 1.3. My understanding is that TLS 1.3 is still in draft, and I found no reference for Server 2016 and TLS 1.3. What can we do to provide support for TLS 1.3 (other than waiting for this version to be officially released)? Would it be correct to say that we will support TLS 1.3 when Server 2016 begins to support it?

System Center Endpoint Protection


I use Win7 and, as everyone knows, MS is withdrawing support and security updates for the Win7 desktop. I use System Center Endpoint Protection. Is this part of the support that will be withdrawn?

TIA


Can't install security monthly quality rollups


Hi all,

Ever since I reinstalled my Windows 2008 R2, I'm unable to install the security monthly rollups. All other updates install fine. No matter whether I try to install it manually or by Windows Update, I get error 8024200D.

Can anybody help me?

Thanks in advance,

--ggroke

Windows 2012 - WMI listening on port 1027 instead of 49152-65535


Why would Windows 2012 listen for WMI connections on port 1027 instead of the default range 49152-65535? How do I change it back to 49152-65535?

Thanks

Tamper-resistant user authentication and e-mail security?

Which are the tamper-resistant user authentication and e-mail security methods?

Security Group Hierarchy


Hello,

We are looking to make a security group that has the same permissions as an administrator, but without the ability to add themselves to higher-privileged groups. Currently, if you give someone Administrators group access, they can log in and give themselves Domain Admin.

The purpose of this is that everyone in IT needs an admin account to maintain our servers, but we have some corporate documents that need to be locked down so only the owners can see them. The issue is that even if we secure the files so the owners are the only ones with access, anyone in IT can log into the domain controller, make themselves a Domain Admin and seize the files. So we need to have an "admin" group that can do all of the server maintenance that administrators can do, but cannot promote anyone to Domain Admin. Ideally I would like the groups to have privileges as follows.

Domain Admin
Corporate Admin (has access to the files and can promote new people to Corporate Admin). These would be the owners.
General Admin (can work on servers and make changes, just can't seize files or promote to Corporate/Domain Admin)

We would not be using these General Admin accounts to log in and work with daily; they would be separate accounts as well.

Please let me know your thoughts on making this happen.


LAPS

I'm trying to configure LAPS on my domain, but when I try to run the command:

Set-AdmPwdComputerSelfPermission -OrgUnit ´OU=ComputerAccounts,OU=IT,OU=SP,OU=BR,OU=XXX,DC=ng,DC=XXX´

It returns: 

Set-AdmPwdComputerSelfPermission : Cannot convert 'System.Object[]' to the type 'System.String'
'Identity'. Specified method is not supported.
At line:1 char:43
+ Set-AdmPwdComputerSelfPermission -OrgUnit ´OU=ComputerAccounts,OU=IT,OU=SP,OU=BR ...
+                                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-AdmPwdComputerSelfPermission], Parameter
    + FullyQualifiedErrorId : CannotConvertArgument,AdmPwd.PS.DelegateComputerSelfPermission

Can anyone help me?


Encryption Supported in Windows server 2012

Which among the following are not supported encryption algorithms in Server 2012?

RC4

DES

SHA1

MD5

Vulnerabilities in application server need to fix.

Hi Team, I have a number of vulnerabilities in my web application server.
As I have checked, we have to disable TLS 1.0 and 1.1, and I have done the same, but the issue is still the same.

Please help.

1 FTP credentials transmitted unencrypted
2 Untrusted TLS/SSL server X.509 certificate
3 TLS Server Supports TLS version 1.0
4 TLS/SSL Server is enabling the BEAST attack
5 TLS Server Supports TLS version 1.1
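As an added check for findings 3 and 5 above (example code, not from the original post): scanners test the server side of SCHANNEL, so this PowerShell function reads the "Server" subkeys for TLS 1.0/1.1/1.2 and reports whether each version is actually hard-disabled. The registry path and the Enabled/DisabledByDefault values are the standard SCHANNEL settings; Windows reads them at boot, so a change only takes effect after a reboot.

```powershell
# Added example: verify server-side TLS 1.0/1.1 are really disabled in SCHANNEL.
# Scanners such as the one that produced findings 3 and 5 probe the server side,
# so the "Server" subkey (not "Client") is the one that matters here.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        $key = Join-Path $Base "$p\Server"
        if (-not (Test-Path $key)) {
            # No key at all: Windows uses its built-in default for this version,
            # which for TLS 1.0/1.1 on Server 2012/2016 means the protocol is still offered.
            [pscustomobject]@{
                Protocol = $p; Enabled = 'n/a'; DisabledByDefault = 'n/a'
                State = 'OS default (not explicitly disabled)'
            }
            continue
        }
        $props   = Get-ItemProperty -Path $key
        $enabled = $props.Enabled            # $null when the value is missing
        $dbd     = $props.DisabledByDefault  # $null when the value is missing
        # The usual hardening sets both: Enabled = 0 and DisabledByDefault = 1.
        $state = if ($enabled -eq 0 -and $dbd -eq 1) { 'disabled' }
                 else { 'ENABLED or only partially configured' }
        [pscustomobject]@{
            Protocol = $p; Enabled = $enabled; DisabledByDefault = $dbd; State = $state
        }
    }
}

Get-SchannelServerState | Format-Table -AutoSize
```

Findings 1 (cleartext FTP) and 2 (untrusted certificate) are unrelated to the SCHANNEL protocol keys and will persist until FTP is moved to FTPS/SFTP and the server certificate chains to a CA the scanner trusts.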

Verify Certificate Chain on Subordinate CA

Brand new installation, two Server 2016 servers: the first is set up as a standalone root CA, then an Enterprise Subordinate CA. Following steps from various blogs about this process, I am stuck at the point where, after submitting a request for a cert for the subordinate and approving it on the root, when I try to install it on the Sub I get "Cannot verify certificate chain. Revocation server is offline".  At this point my root CA is not offline.

I changed the CRL and AIA extensions on the root CA before I published the revocation list, and have copied that and the root cert to the sub before my attempt.   I can ping my sub CA from the root using the FQDN, which is what I entered in the new http entry for both CRL and AIA. I copied the existing entry and then just put the FQDN of the Sub CA server in the <ServerName> part, leaving all the rest the same.  I checked "Include in CRL" and "Include in AIA" for each one and removed those check marks for all the others except the CRL one for C:\windows\system32\certenroll etc.

I can't see what I missed that makes this not work.

Any help would be appreciated

How Dynamic Access Control (DAC) and Rights Management Services (RMS) function.

Hello people, can anybody explain how Dynamic Access Control (DAC) and Rights Management Services (RMS) function in terms of the encryption, certificates, and protocols used?

Duplicate ADCS Templates from one Enterprise CA to another


Is there a quick way to duplicate the list of templates available on a given Enterprise CA on a new one?  We need to mirror the list of advertised templates from an old WS2008R2 CA on a new WS2012 CA.

I had a look at the local registry on the old CA as well as in AD Sites and Services, but I can't seem to find how certificate templates are associated with a given enterprise CA.
