Channel: Security forum

Event ID 4625 but no Workstation Name, no Source Network Address


A user is complaining about their account being locked several times a day.

AD/DC = Win2008R2, user PC is Windows7

IT unlocks the user and life goes on.

Recently we got more than 10 errors in a single day.

So we checked the logs, and there are several 4625, 4776 and 4740 events, but the 4625 event ID shows the closest DC to the user, the svchost PID/process, the basic reason: 0xc000006d (pwd error), a sub status: 0xc000006a and:

Logon Process:CHAP

Logon Type:3

So, for now, we deleted the user profile and also changed the RDP port to avoid potential brute force attacks and so on, until we figure out how to really detect where the connection attempts are originating from.

As I read, I'm using NLA and therefore there should be no info available unless I disable NLA, which I'm not inclined to change right now because it's a global RDP policy.

So, is there a debug log or more detailed information somewhere?

Details below:

Failure Information:
Failure Reason:Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process Name:C:\Windows\System32\svchost.exe

Network Information:
Workstation Name:
Source Network Address:-
Source Port: -

Detailed Authentication Information:
Logon Process:CHAP
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:-
Package Name (NTLM only):-
Key Length: 0
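As an added example (not from the original post), a PowerShell query that pulls the 4625 and 4740 events for one account from a DC's Security log and lists the fields that say where each attempt came from. The account name and the one-day window are placeholders; it reads field names from the event XML, where a 4740 event carries the caller computer name in the TargetDomainName data element.

```powershell
# Added example: list failed logons (4625) and lockouts (4740) for one account
# with the source fields side by side, so the logon process / auth package of the
# attempts can be compared against those that do carry a workstation or IP.
$Account = 'jdoe'                       # placeholder account name
$Since   = (Get-Date).AddDays(-1)       # placeholder window

function Get-EventField {
    # Read one named <Data Name="..."> value from the event's XML rendering.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-AccountLogonTrail {
    param([string]$User, [datetime]$StartTime)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4740; StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ((Get-EventField $e 'TargetUserName') -ne $User) { continue }
        if ($e.Id -eq 4625) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Event       = 4625
                LogonType   = Get-EventField $e 'LogonType'
                LogonProc   = Get-EventField $e 'LogonProcessName'
                AuthPkg     = Get-EventField $e 'AuthenticationPackageName'
                SubStatus   = Get-EventField $e 'SubStatus'
                Workstation = Get-EventField $e 'WorkstationName'
                SourceIP    = Get-EventField $e 'IpAddress'
            }
        } else {
            # 4740 has no IP field; the "Caller Computer Name" shown in the
            # event viewer is stored in the TargetDomainName data element.
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Event       = 4740
                LogonType   = '-'
                LogonProc   = '-'
                AuthPkg     = '-'
                SubStatus   = '-'
                Workstation = Get-EventField $e 'TargetDomainName'
                SourceIP    = '-'
            }
        }
    }
}

Get-AccountLogonTrail -User $Account -StartTime $Since | Sort-Object Time | Format-Table -AutoSize
```

Run it on the DC named in the 4625 event; 4740 is also written on the PDC emulator, so that DC is worth querying as well.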



Bitlocker doesn't recognize data drive and can't encrypt


I am attempting to encrypt the data drives on 2 servers. I have already used bitlocker to encrypt the operating system drive (C:) on each of them. The issue is that the data drives (F:) do not show up in the Bitlocker control panel menu and bitlocker is not an option in the context menu when right clicking the F: drive. 

I have used BBEHDCFG.exe and it says the F: drive is configured for Bitlocker use. When I use the command "manage-bde -status F:" I receive the following error:

 "ERROR: The volume C: could not be opened by BitLocker.  This may be because the volume does not exist, or because it is not a valid BitLocker volume." 

None of the GPOs for Bitlocker have been set in this environment and I do have tpm chips on these machines.

Are there any gpos, settings, or configurations that would cause the drive to not be available for Bitlocker?

retiring an old CA authority and adding two new ones


Hi, can you guys comment on this issue or shed some light on an issue I'm having in this scenario? I have an AD environment with 3 domain controllers: one is a Windows 2008 R2 Enterprise DC (this is the current CA and I wish to remove it), another DC is a Windows 2012 R2 server (this one is my RID, PDC and infrastructure master) and lastly, I have another DC, a Windows 2016 Standard server. The domain is at the 2008 R2 functional level.

The goal is to remove the 2008 DC server, so I need to remove the CA role first.

Questions:

1 - Is it as simple as installing the CA roles in both the 2012 and 2016 DCs? Is there anything that needs to be saved from the old 2008 CA server to import into the CAs being installed on the other two DCs? Or can they just be installed from scratch without any repercussions on the clients in the domain?

2 - Would I need to retire the old 2008 DC before I can change the functional level of the domain?

I would appreciate it if someone could comment on Q1 as that is the most pressing right now.

What say you?

Thanks,  Wil

Disable Bulk AD account


Planning to use the script:

Import-Module ActiveDirectory
# Read one samAccountName per row from the CSV and disable each account
Import-Csv "C:\Scripts\Users.csv" | ForEach-Object {
    $samAccountName = $_."samAccountName"
    Get-ADUser -Identity $samAccountName | Disable-ADAccount
}

PS C:\Scripts> .\Disable-Bulk-AD-Users-FromCSV.ps1

The User.csv file has cn='username'. Will the above script work for cn users? Also, I would like to add a description in the General tab

so that we know why this account was disabled.
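As an added example (not the poster's script), a variant that accepts a CSV whose column is either samAccountName or cn, refuses to act on a cn that matches more than one object, and writes the reason into the Description attribute. The CSV path, reason text and ticket number are placeholders.

```powershell
# Added example: bulk-disable from CSV by samAccountName or cn, recording why.
Import-Module ActiveDirectory

$CsvPath = 'C:\Scripts\Users.csv'                                   # placeholder path
$Reason  = "Disabled by bulk script on $(Get-Date -Format 'yyyy-MM-dd') per ticket PLACEHOLDER-123"

function Disable-UsersFromCsv {
    param([string]$Path, [string]$ReasonText)

    Import-Csv $Path | ForEach-Object {
        $row = $_
        if ($row.samAccountName) {
            # samAccountName is unique in the domain, so a single lookup is safe.
            $user = Get-ADUser -Filter "samAccountName -eq '$($row.samAccountName)'" -Properties Description
        } elseif ($row.cn) {
            # cn is only unique within one OU; require exactly one match before touching it.
            $matches = @(Get-ADUser -Filter "cn -eq '$($row.cn)'" -Properties Description)
            if ($matches.Count -ne 1) {
                Write-Warning "cn '$($row.cn)' matched $($matches.Count) objects; skipping."
                return
            }
            $user = $matches[0]
        } else {
            Write-Warning "Row has neither samAccountName nor cn; skipping."
            return
        }
        if (-not $user) {
            Write-Warning "No user found for row: $($row | ConvertTo-Json -Compress); skipping."
            return
        }

        # Append to any existing description rather than overwrite it.
        $desc = if ($user.Description) { "$($user.Description) | $ReasonText" } else { $ReasonText }

        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $desc
        Write-Output "Disabled $($user.SamAccountName) ($($user.DistinguishedName))"
    }
}

Disable-UsersFromCsv -Path $CsvPath -ReasonText $Reason
```

Both Disable-ADAccount and Set-ADUser accept -WhatIf, which is worth adding to the two calls for a dry run against the real CSV first.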

Number of packets


Hello!

Been puzzled by the following issue: after enabling ESP I sometimes get strange results when tracing ping command. The problem is that the single command "ping somehost" which usually produces 8 packets (4 requests and 4 replies) may produce only 6 or even 4 esp packets, for example:

1) ping somehost

- that's as expected.

2) ping somehost

- only 6 out of 8

3) ping somehost

- only 4 out of 8

I can hardly imagine how the presence of ESP may affect the number of packets sent/received - what am I missing here?

Thank you in advance,
Michael

Hardened UNC Paths settings for SYSVOL


Hello,

I have a problem with applying the user group policy. After logon, if I try to open SYSVOL, I receive access denied. After some time (~10 min), I can open SYSVOL successfully.
To resolve this issue, I tried this:

To resolve this issue run gpedit.msc, go to
Computer -> Administrative Templates -> Network -> Network Provider -> Hardened UNC Paths, enable the policy and click the "Show" button.

Enter your server name (\\myservername) into "Value name" and enter the following text "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" without quotes into the "Value" field.

After that the problem is gone.
Only this setting helps, "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0", and only if each parameter = 0.

Please help me find how I can resolve this issue without a security downgrade.

More information

https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-executi
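As an added example (not from the original post), a PowerShell audit of the Hardened UNC Paths policy the workaround above weakens. It reads the policy's registry key, parses the three flags for each configured path, and warns where mutual authentication and integrity are both turned off, which is the condition that removes the MS15-011 protection for SYSVOL and NETLOGON. The registry path is the one the policy writes to; nothing else is assumed.

```powershell
# Added example: report every Hardened UNC Paths entry and flag weakened ones.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Get-HardenedPathSetting {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }       # policy not configured at all
    $item = Get-ItemProperty -Path $Path

    foreach ($name in $item.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }           # skip PSPath, PSParentPath, ...
        # Value is "RequireMutualAuthentication=1,RequireIntegrity=1,..."; unset flags stay $null.
        $flags = @{ RequireMutualAuthentication = $null; RequireIntegrity = $null; RequirePrivacy = $null }
        foreach ($pair in ($item.$name -split ',')) {
            $k, $v = $pair.Trim() -split '=', 2
            if ($flags.ContainsKey($k)) { $flags[$k] = [int]$v }
        }
        [pscustomobject]@{
            UncPath    = $name
            MutualAuth = $flags.RequireMutualAuthentication
            Integrity  = $flags.RequireIntegrity
            Privacy    = $flags.RequirePrivacy
            # Both protections off = the state the "all zeros" workaround produces.
            Weakened   = ($flags.RequireMutualAuthentication -eq 0 -and $flags.RequireIntegrity -eq 0)
        }
    }
}

$settings = Get-HardenedPathSetting -Path $Key
$settings | Format-Table -AutoSize

foreach ($s in ($settings | Where-Object Weakened)) {
    Write-Warning ("{0}: mutual authentication and integrity are both off; " +
                   "SYSVOL/NETLOGON should carry RequireMutualAuthentication=1,RequireIntegrity=1") -f $s.UncPath
}
```

Running it on a client that shows the 10-minute access-denied delay tells you whether the all-zero workaround has already been pushed there, and which entries to revert once the Kerberos/SMB signing cause is found.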



A certificate was explicitly revoked by its issuer


Hi Guys,

I have a file client.msi. The Properties > Digital Signature tab says that the certificate was explicitly revoked by its issuer.

It seems the file is not trusted on one single machine, whereas on other machines it says the certificate is OK.

What went wrong, and why is the certificate revoked?

Can somebody shed some light on this? It would be much appreciated.




Replacing 2008 R2 Certificate server with missed CA PFX keys.


We have a single Windows 2008 R2 Certificate server, upgraded from CSP to KSP and SHA-1 to SHA-256 in 2017. As Windows 2008 R2 is near end of support, we tried to migrate the Certificate Authority onto a Windows 2019 server, but it failed due to missing CA PFX keys.


Now our only option is to install a Windows 2019 CA server in parallel to the Windows 2008 R2 CA server and decommission the Windows 2008 R2 CA server.

Here are my questions:

If we install a Windows 2019 standalone certificate server, is there any way we can import existing certificates from the 2008 R2 server to the 2019 server?

If not, do we need to keep the 2008 R2 server online, or can we retire 2008 R2 and start using the 2019 server as the certificate issuing server?

If we retire the 2008 R2 server, what happens to existing certificates deployed on client machines? Will they still be valid until the end of the certificate expiry date?

I appreciate your help and time for a smooth transition from 2008 R2 to 2019 in our case, and any good resources with step-by-step instructions would be much appreciated.

Thanks in advance


Tek-Nerd


Enroll On Behalf Of... - Unable to find signing certificate


There is no signing certificate available when we try to enroll on behalf of another user. We click Browse when prompted, but it's empty no matter what we do. We made sure CRL/CDP is working for the signing cert (certutil -url signing-cert.cer) but still no luck. Everything we can find online talks about CRL/CDP, but we have eliminated that now. Does anyone know what the process is querying when it asks for the signing certificate? If we know where it is looking for the certificate, maybe we can put the signing certificate there.

Thank you for your help.

Are there AD CS role considerations when upgrading OS from 2008 R2 to 2012 R2?


We have two Server 2008 R2 SP1 servers with AD CS running on them. An online Enterprise Root CA and an online Enterprise Subordinate CA. They both have the 'Certification Authority', 'Certification Authority Web Enrollment', and 'Network Device Enrollment Service' role services installed on them (we're not using NDES anymore, so that role service isn't important). Before asking about the wisdom of this setup, it was a management decision that was made against recommendations and over objections.

Are there any AD CS role considerations that need to be addressed if we do an in-place OS upgrade to Server 2012 R2? Would this trigger anything to happen at the AD CS level? I understand there is a procedure for migrating AD CS on to a new box, but I'd prefer to go down the in-place OS upgrade path.

Any guidance would be appreciated. We'll be testing it in a lab environment, but I'd like to be prepared and possibly know what to look for.

Renewed Internal CA cert with SHA256, but no clients pick it up


Hello all. I upgraded our internal cert. It loaded fine in the console, but no other machine has it listed. Was I supposed to do something special when doing this?

CA is a domain member running on Server 2012 R2. Domain functional level is Server 2016.





Windows users permissions


Hello,

Urgently need to give users permissions to install and remove software only, without joining or removing machines from the domain, and deny login to the DC/AD.

Thanks

Trojan Attack my servers


Hi, please, I need help because a Trojan attacked my servers,

and I have Kaspersky Security but it did not catch anything, and I tried many tools with the same problem.

I also tried the Microsoft Security Essentials program, with the same problem.

But when I tried in safe mode and scanned again, it does not show any virus, so I restarted Windows again in normal mode and it shows the virus again... What shall I do? Any help!!

RasClient - error 1931


Hi,

I have a VPN connection type IKEv2. This connection was working without any problem for a long time.

Now it's not working any more and I have this error in the event viewer: CoId={9F462888-8B6A-4064-A54A-7FD7D1EAB9F9}: The user SYSTEM dialed a connection named XYZ which has failed. The error code returned on failure is 1931.

What does this code mean?

Tks,
CM

error has occurred: The Certification Authority Service has not been started


hi

I configured a separate CA web server, and when I want to download the CRL and certificate, I get this error: The Certification Authority Service has not been started

any idea?


Net User command not working after harden the DC


Hi

We introduced a new isolated Windows 2016 DC and applied all MS security baseline recommendations. Later we configured some of the client machines with this new isolated site / DC for testing applications. We found that net user <user> /domain is not working, with the error "System error 5 has occurred. Access is denied."

Looking for some advice to correct this issue. Thanks in advance.





LMS

Windows 2012 R2 CA communicating over NTLM V1


Hi

We have applied the setting "Network security: LAN Manager authentication level" set to "Send NTLMv2 response only. Refuse LM & NTLM" on the DCs. We found Success event ID 4624 with Anonymous NTLM V1 generated only from the CA server. How can we find out which servers / appliances are communicating with the CA using NTLM V1? Also, why is NTLM V1 still working on Windows 2016 DCs even though we configured them to refuse the connection?

Thanks in advance for any suggestions 


LMS

NET::ERR_CERT_AUTHORITY_INVALID on all domain controllers


Browsing to any site from any of my domain controllers results in NET::ERR_CERT_AUTHORITY_INVALID 

Expanding the Certificate Information in Chrome yields: "Windows does not have enough information to verify this certificate."

Running "certutil -f -verifyCTL AuthRootWU"

Dumps all the certificates until:

[5f43e5b1bff8788cac1cc7ca4a9ac6222bcc34c6]
CertId = 1.3.6.1.4.1.311.10.11.3, "CERT_SHA1_HASH_PROP_ID"
Subject = "CN=Cybertrust Global Root, O=Cybertrust, Inc"
FriendlyName = "Cybertrust Global Root"
EKU = 1.3.6.1.5.5.7.3.1, "Server Authentication"
EKU = 1.3.6.1.5.5.7.3.2, "Client Authentication"
EKU = 1.3.6.1.5.5.7.3.3, "Code Signing"
EKU = 1.3.6.1.5.5.7.3.4, "Secure Email"
EKU = 1.3.6.1.5.5.7.3.8, "Time Stamping"
Policy = 1.3.6.1.4.1.6334.1.100.1, "", 1.3.6.1.4.1.311.60.1.1, "Root Program Flags", 0xc0
CertUtil: -verifyCTL command FAILED: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
CertUtil: The data is invalid.

All the workstations can browse without issue. Where do I go from here?

Alan

Windows Server 2012 R2 "The password is incorrect. Try again."


Hi,

I tried to log in to my Windows Server 2012 R2 and I got this message: "The password is incorrect. Try again.", although the username and password are absolutely correct.

Any thoughts. Thanks.


Upgrading from 2008r2 to 2019 - ADCS. In place upgrade?


Hi, 

We have the following:

Offline Root CA - 2008r2 SHA1

Online Issuing CA - 2008r2 SHA1

I am planning on upgrading both servers to 2019. All the documentation I have been through officially says to migrate from the old server onto a new server. This is something I was planning on doing; however, I have read a few articles saying an in-place upgrade is possible. Is this correct? Could it break the CA, or would this work?

My main worry is that if I follow the recommended migration plans from Microsoft, the preferred method is to use the same computer name as the server you are migrating from, and to uninstall and take the source server off the domain first, which leaves you a bit fearful if the migration fails. However, an in-place upgrade sounds interesting.

Please let me know, also any documentation on this?
