Channel: Security forum

Auditing TLS version handshake prior to removing TLS 1.0 from Server


Hi Everyone,

I hope someone with more technical experience can answer the questions below.

I'm running Microsoft Network Monitor 3.4 on our TMG 2010 box and have the following filter to audit the TLS version levels, as we intend to deprecate TLS 1.0:

TLS.TlsRecLayer.TlsRecordLayer.SSLHandshake.HandShake.ClientHello

I note the TlsRecordLayer stating TLS 1.0 initially, then the SSL Handshake ClientHello stating TLS 1.2.

Questions:

Based on the above, has the communication established a TLS 1.0 or TLS 1.2 tunnel between the client and server?

What cipher is it using, as the trace does not indicate?

How is it possible to remove TLS 1.0/obsolete ciphers, given that clients using TLS 1.0 will always fail if we remove TLS 1.0/obsolete ciphers?

Thank you.

TLSSSLData: Transport Layer Security (TLS) Payload Data

TLS: TLS Rec Layer-1 HandShake: Client Hello.

TlsRecordLayer: TLS Rec Layer-1 HandShake:

ContentType: HandShake:

Version: TLS 1.0

Length: 512 (0x200)

SSLHandshake: SSL HandShake ClientHello(0x01)

HandShakeType: ClientHello(0x01)

ClientHello: TLS 1.2

Version: TLS 1.2

CipherSuitesLength: 34

TLSCipherSuites: Unknown Cipher

TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 { 0xC0,0x2B }

TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   { 0xC0,0x2F }

<other Ciphers>
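The trace above shows two different version fields: the record-layer version (TLS 1.0) and the ClientHello version (TLS 1.2). In TLS 1.0 through 1.2 the record-layer version on an initial ClientHello is only a compatibility value, the ClientHello version is the highest version the client offers, and the version and cipher suite actually used are the ones the server returns in its ServerHello. The parser below is an added example, not part of the original post or of Network Monitor; it decodes constructed ClientHello and ServerHello records so the three fields can be read side by side. The cipher suite names are the two from the trace plus a few well-known ones; 0x0A0A is a reserved GREASE value (RFC 8701) included to show how an unrecognised suite is reported, mirroring the trace's "Unknown Cipher" entry (whether that is what the trace contained is an assumption).

```python
"""Decode TLS ClientHello / ServerHello records to compare the record-layer
version, the hello version and the negotiated version.  Added example with
constructed sample bytes; not code from the original post."""
import struct

# Known cipher suite code points (subset; the two from the trace plus extras)
CIPHER_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def version_name(code):
    return VERSION_NAMES.get(code, "0x%04x" % code)


def _record(data):
    """Split a TLS record: content type (0x16 = handshake), version, length."""
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return version, body


def _handshake(body, expected_type):
    """Strip the 4-byte handshake header (type + 24-bit length)."""
    if body[0] != expected_type:
        raise ValueError("unexpected handshake type 0x%02x" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    return body[4:4 + hs_len]


def parse_client_hello(data):
    rec_version, body = _record(data)
    hello = _handshake(body, 0x01)
    hello_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                       # skip client_random
    sid_len = hello[pos]
    pos += 1 + sid_len                 # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    return {
        "record_version": version_name(rec_version),   # compatibility value
        "hello_version": version_name(hello_version),  # highest offered
        "cipher_suites": [CIPHER_NAMES.get(c, "Unknown Cipher (0x%04x)" % c)
                          for c in suites],
    }


def parse_server_hello(data):
    rec_version, body = _record(data)
    hello = _handshake(body, 0x02)
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                       # skip server_random
    sid_len = hello[pos]
    pos += 1 + sid_len
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {
        "record_version": version_name(rec_version),
        "negotiated_version": version_name(version),   # what the tunnel uses
        "cipher_suite": CIPHER_NAMES.get(suite, "Unknown Cipher (0x%04x)" % suite),
    }


def _wrap(hs_type, hs_body, record_version):
    """Build a handshake record around a handshake body (for the samples)."""
    hs = bytes([hs_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", 0x16, record_version, len(hs)) + hs


# Constructed ClientHello: record layer says TLS 1.0, hello says TLS 1.2,
# offering GREASE 0x0A0A, 0xC02B and 0xC02F, null compression, no extensions.
SAMPLE_CLIENT_HELLO = _wrap(0x01,
    struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    + struct.pack("!H", 6) + b"\x0a\x0a\xc0\x2b\xc0\x2f" + b"\x01\x00",
    record_version=0x0301)

# Constructed ServerHello answering with TLS 1.2 and 0xC02F.
SAMPLE_SERVER_HELLO = _wrap(0x02,
    struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00",
    record_version=0x0303)

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_CLIENT_HELLO))
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
```

When auditing real captures, apply the same split: the ClientHello version tells you what each client can offer, and the ServerHello version and cipher suite tell you what was actually negotiated, which is the field to count before withdrawing TLS 1.0 or a cipher suite from the server.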


PKI WinServer 2008: Add Custom values to Certificate Request


Hi Everyone:

I have a WinServer 2008 CA. I'm trying to add a custom extension into a request. This is a value named SerialNumber, where the serial number is a "rut" or social ID of a person or company, and it should look like SerialNumber: 96777999-1.

I have tried to do it with certutil but have not been successful.

The idea is to insert this field into the Subject field of the certificate request.

How do I do this on the CA server? Is it possible to create it?

Thanks for your help.

Regards.

Jonatan


jm.

bitlocker network unlock certificate error


I am testing BitLocker Network Unlock on a Windows Surface 3. When I power it on, I see the DHCP request sent to the WDS server (2012 R2), but there is no response. On the WDS server, in the Deployment-Services-Diagnostics debug log, I see this message:

[WDSServer/WDSPXE/NKPPROV] Could not find configuration by thumbprint. Certificate thumbprint = 42A450BEEA28E264663FF46734C93171F72E1ACD.

When I look in the certificate store on the server, I see the certificate with this thumbprint:

42 a4 50 be ea 28 e2 64 66 3f f4 67 34 c9 31 71 f7 2e 1a cd

so I do not understand why it is not working.



ADCS Web Enrollment on custom URL


What am I missing with getting ADCS Web Enrollment working on a custom URL?

Web Enrollment works if I access it using https://servername/certsrv (get cert warning, but that's expected)

It does not work if I access it using https://crl.domain.com/certsrv - It prompts me for credentials three times and then gives me a 401 error. I do not get prompted for credentials when accessing the servername. Also, trying to access https://localhost/certsrv exhibits the same behavior.

This happens both from the web server itself and from a remote machine. It also happens with and without IE enhanced security enabled.

I have tried having kernel mode authentication disabled and enabled, with no luck.
I have moved NTLM to the top of the providers list.

I have set spn as follows:
setspn -A HOST\crl SERVERNAME
setspn -A HOST\crl.domainname.com SERVERNAME

What could be left to change?

How can I get an export with the CVSS score


Does anyone know how I could get a list with the CVSS score of all security vulnerabilities that are covered each month by Microsoft?

I do not want to click each one of them from the Bulletin / Release Notes of the Security Updates in order to get the information.

Thank you,

Adrian

Windows 2008 R2 Certificate server to Windows 2019


We have a single Windows 2008 R2 Certificate server, upgraded from CSP to KSP and SHA-1 to SHA-256 in 2017. As Windows 2008 R2 is near end of support, we would like to migrate the Certificate Authority onto a Windows 2019 server using the procedure below:

https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Migrating-The-Active-Directory-Certificate-Service/ba-p/697674

However, when I tried to back up the CA, I got the error below.

When I clicked "YES", it ended with the error below:

Any help to migrate Certificate authority to 2019 is much appreciated.

Thanks in advance



Tek-Nerd

Bitlocker Network Unlock certificate issue


I'm trying to enable Bitlocker Network Unlock feature. I followed this article: https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx

My environment is:

- Domain Functional Level: 2012

- Forest Functional Level: 2008 R2

- all Domain Controllers are running Windows 2012 R2

- WDS & Network Unlock feature running on Windows Server 2016 (WDS running flawlessly)

Following the article, I created a certificate template by copying the "User" template on my CA. Then, on my WDS server, I open the certificates console as the current user and request a new certificate. The certificate request appears as pending on the CA, which I accept manually. However, the issued certificate never shows up in the "Personal" store on the WDS server, even though on the CA it appears as issued. I feel this article may be wrong, because the "Bitlocker Network Unlock" cert store only appears in the certificate console when run as Local Computer, not the User. But the current cert template doesn't allow requests from computer accounts. What should I do?

Security Logs


I want to change the default security log drive to the E drive. When I do that in the properties pane of the event viewer for the security log, it accepts the change, and there is no error either.

However, logs are never generated on the E drive; they continue on the same system drive default path.

It's Windows 2016.

What could be the issue?


Shahid Roofi



Locked account shows as "not locked" in lockoutstatus.exe


I have users trying to log in to our terminal server 2012 R2 who are blocked because of too many logon attempts.

When I go to see their status in lockoutstatus.exe, it shows they are "Not Locked (Auto Unlocked)".

I keep refreshing, but the status won't change, and the user still gets that message and can't log in.

So, I can't unlock the user because he is supposedly "Not locked", but the user can't log in because he is supposedly "Locked".

I need help fast please.

Computer has this error


The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

The source is Perflib.

Bitlocker network unlock certificate expires soon


Hi,

Our BNU certificate expires soon, and I'm wondering what the best practice is to renew it: generate a new certificate, or renew the existing one?

Since we have to change the cert on the server and workstations simultaneously, there will be some issues where some workstations don't get the GPO with the new certificate and will get prompted for the PIN. Is there a way to get around this?

And what will happen when it expires? As far as I can tell, there is no check of the certificate's validity in the network unlock process.

L2TP connection error


Hi,

I am trying to connect my Win10 PC to my NAS using a VPN. I am using L2TP with a pre-shared key. It works for my iPhone, but I get the following error message when I try to connect with my PC:

"The L2TP connection attempt failed because security policy for the connection was not found."

What kind of security policy do I need?

Thx

The L2TP connection attempt failed because security policy for the connection was not found.


Hello,

I cannot use the VPN connection because of the following error: "The L2TP connection attempt failed because security policy for the connection was not found."

I have tried to add the registry entry "AssumeUDPEncapsulationContextOnSendRule", but it did not help.

I work on Windows 10. L2TP was working on my laptop, but around a month ago I started having problems with L2TP...

Any suggestion?

EFS Files and new PKI and DRA Agent


Guys, we have many EFS files encrypted with EFS certs from our existing internal PKI. The DRA agent certs expired, preventing us from creating new certs. No problem, so we created new DRA certs and configured them with GPO. All our EFS files were encrypted with an EFS cert assigned to a Windows service that runs with a domain account (3rd-party batch scheduling product). As such, when this account next touches those EFS files, the files are updated with the new DRA certs. So far so good.

Now we need to introduce a new PKI and retire the old one (as the old one runs on Windows 2008 R2). So how can we automate the application of the new EFS and DRA certs from the new PKI to existing files? Do we have to create new files and copy in the content?

WS2016 - Windows Defender service won't start - 0x80070003


Hello.

I have a WS2016 server where I cannot start the defender service. I found out about the issue when Windows Update couldn't install Defender updates/signatures (but other WU work fine).

When I attempt to start the WinDefend service manually, it returns "Error 0x80070003: The system cannot find the path specified".

In the event log (Microsoft-Windows-Windows Defender/WHC) there are two events signalling the attempted service start:

"Windows Defender state updated to 10." and "Windows Defender state updated to 2." (in the same second).

Microsoft-Windows-Windows Defender/Operational has this error logged (in the same second of the attempted service start):

Windows Defender Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007007e
Error description: The specified module could not be found.
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

I have tried:

- installing the latest WU

- sfc /scannow - no problems/corruptions found

- dism /online /cleanup-image /restorehealth - no problems found

- removing the Defender feature, rebooting, (deleting the C:\ProgramData\Microsoft\Windows Defender folder), reinstalling (Install-WindowsFeature -Name Windows-Defender-Features -IncludeAllSubFeature)

None of the above helped.

Any ideas (other than reinstall/refresh/reset Windows) are welcome.


Microsoft CA DC authentication certificate or Kerberos authentication


Hello All,

We are replacing the 1024-bit DC authentication certificate with a 2048-bit certificate. Should we go for the Kerberos authentication certificate or the DC authentication certificate? Also, since we are doing it in AD, we just want to test whether the new certificate is working or not. Please advise how to test whether authentication is working properly or not.

Regards

Mahesh

Subordinate Certificate Authority not issuing


Hi all.

I have a forest with 3 domains, and a DC with the Certificate Authority role installed. I don't want to lose the certificates still issued and used by this CA. I removed the templates from this CA.

I installed a new Offline CA and 2 new subordinate enterprise CAs. All is looking good :)

But...

Now the servers are unable to enroll certificates, they don't seem to be aware of the new issuing CAs :(

What is missing in this design?


ADCS CEP not returning Certificate Template with Client Compatibility set to Windows 2012


Hello,

I am working on a client that supports MS-XCEP / MS-WSTEP for Certificate provisioning.

Currently I am testing it against Microsoft ADCS (Active Directory Certificate Services) running on a Windows Server 2016.

I am facing one issue:

When I create a new Certificate Template and add it to the in-use Certificate Templates of the Certificate Authority, it is listed in the responses the client gets when communicating with the ADCS CEP endpoint using the MS-XCEP protocol.

However, as soon as I go to the "Compatibility" tab of the Certificate Template and set "Certificate Recipient" to "Windows 8 / Windows Server 2012" or higher, the ADCS CEP endpoint responses stop listing the certificate template.

Interestingly, the template can still be used by my client through MS-WSTEP when talking to the ADCS CES endpoint directly.

I thought that maybe the ADCS CEP endpoint assumes that my client is not compatible, but I could not find anything in the MS-XCEP specification saying how to specify the client version / compatibility.

Does someone know what could be preventing the ADCS CEP from listing the Certificate Template to my client, or what I could do to indicate compatibility in the MS-XCEP request?

Thanks!

Event Log Forwarding - View Subscriptions at Source


At the source system, how does one view the configured events being forwarded (be they configured using GPO or collector initiated)? I understand the push/pull options to get the subscription to the source, but where are those subscriptions stored/defined once the subscription definitions are set?

Exchange logs - Unknown value in sc-substatus field


Our company synchronizes IIS logs with other intrusion control systems.

I am trying to figure out how to recognize bad login attempts from IIS logs. I tried to parse them out manually with grep using regular expressions, but I found many values I do not understand.

I tried to google the meaning of the values in the fields sc-status and sc-substatus. A bad login attempt should be marked with sc-status code 401 and a different sc-substatus. But I found sc-substatus values that aren't described on Microsoft pages, like sc-substatus values 111 or 0. (There is no description of what codes 401.0 and 401.111 mean.)

Here are 2 examples of log entries (with the header describing the field order):

#Software: Microsoft Internet Information Services 10.0
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 5

10.10.10.10 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=2f43ba86-1f69-4116-82ca-e909e4e3edf7; 443 - 172.172.172.172 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 401 0 0 15



I found some pages on microsoft.com, but these substatus codes are not explained there.

Can someone explain these substatus codes? Any ideas?

Thank you for any suggestions
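Before the substatus codes can be interpreted, the log has to be split by the field order in the #Fields header rather than by fixed column position, since the header can change between log files. The script below is an added example, not code from the original post; it parses the W3C extended format shown above, keeps every 401 as a candidate failed logon, counts the status.substatus combinations seen, and tallies 401s per client address. The two data lines are the ones posted above; the third, successful line is constructed so that the filter has something to exclude. It deliberately does not assign a meaning to 401.111 or 401.0, and it drops loopback clients by default because the first posted line comes from 127.0.0.1 with a local probe user agent (AMProbe/Local/ClientAccess), which is not a remote logon attempt.

```python
"""Parse IIS W3C extended logs and summarise HTTP 401 entries by
sc-substatus and client IP.  Added example; sample log constructed from the
two posted lines plus one made-up successful request."""
from collections import Counter

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
127.0.0.1 GET /PowerShell/ &CorrelationID=<empty>; 443 - 127.0.0.1 AMProbe/Local/ClientAccess - 401 111 0 5
10.10.10.10 POST /EWS/Exchange.asmx &CorrelationID=<empty>;&cafeReqId=2f43ba86-1f69-4116-82ca-e909e4e3edf7; 443 - 172.172.172.172 AppleExchangeWebServices/309+AddressBookSourceSync/1894 - 401 0 0 15
10.10.10.10 POST /EWS/Exchange.asmx - 443 CORP\\jdoe 172.172.172.172 AppleExchangeWebServices/309 - 200 0 0 12
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the most recent
    #Fields directive.  Lines whose token count does not match the header
    (e.g. truncated writes) are skipped rather than mis-aligned."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date ...
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue
        entries.append(dict(zip(fields, parts)))
    return entries


def failed_logons(entries):
    """Every 401 is a candidate failed authentication; the substatus says
    which stage rejected it, so keep it for the breakdown below."""
    return [e for e in entries if e.get("sc-status") == "401"]


def substatus_breakdown(entries):
    """Count status.substatus pairs, e.g. '401.111' and '401.0', so unknown
    codes show up as their own bucket instead of being lumped together."""
    return Counter(e["sc-status"] + "." + e["sc-substatus"]
                   for e in failed_logons(entries))


def failed_by_client(entries, exclude_loopback=True):
    """Tally 401s per c-ip.  Loopback sources are local health probes in the
    posted sample, so they are excluded from the per-client view by default."""
    tally = Counter()
    for e in failed_logons(entries):
        if exclude_loopback and e["c-ip"].startswith("127."):
            continue
        tally[e["c-ip"]] += 1
    return tally


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print(substatus_breakdown(rows))
    print(failed_by_client(rows))
```

Feeding the real log directory through parse_w3c and looking at substatus_breakdown first shows which 401.x combinations actually occur before deciding which of them an intrusion control system should treat as a failed logon.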
