Channel: Security forum

Edit .WFW file


Hello

I've been poking at a MS Win 2k8r2 system looking to change the scope of all of the system's firewall inbound rules. Using netsh I was able to export the rules and thought it would be easy to edit the .wfw file and import the changed file. I haven't been able to find a method to edit the .wfw file. Is there one? How would one change the scope on inbound rules via command line/script?

Thanks
Scott Abbe
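One way to change the scope of every inbound rule from a script, as an added example that is not part of the original post: the exported .wfw is not a text file meant for hand editing, so the script reads the rule names back with netsh and rewrites the remote-address scope per rule. It assumes an elevated prompt on Server 2008 R2, an English netsh output language (the "Rule Name:" label is localized), and the placeholder value in $AllowedScope, which is not from the post.

```powershell
# Added example (not from the original post): narrow the remote-address scope of every
# inbound rule with netsh, which is what Server 2008 R2 offers from the command line.
# $AllowedScope is an assumed value; replace it with the subnets that may reach this host.
$AllowedScope = '10.0.0.0/8,192.168.50.0/24'

# Export a backup first so the change can be reverted with 'netsh advfirewall import'.
$backup = Join-Path $env:TEMP ('fw-backup-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))
netsh advfirewall export $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup export failed; not touching any rules.' }

# 'show rule' is the supported way to read rules back; collect the inbound rule names.
# The 'Rule Name:' label is localized, so adjust the pattern on non-English systems.
$ruleNames = @()
netsh advfirewall firewall show rule name=all dir=in | ForEach-Object {
    if ($_ -match '^Rule Name:\s+(.+)$') { $ruleNames += $Matches[1].Trim() }
}
$ruleNames = $ruleNames | Sort-Object -Unique

foreach ($name in $ruleNames) {
    # 'set rule' updates every rule matching name and direction, so duplicate names are covered.
    $out = netsh advfirewall firewall set rule "name=$name" dir=in new "remoteip=$AllowedScope"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not update '$name': $($out -join ' ')" }
}
"Updated $($ruleNames.Count) inbound rule name(s); backup saved at $backup"
```

On Server 2012 and later the same result is a one-liner, `Get-NetFirewallRule -Direction Inbound | Set-NetFirewallRule -RemoteAddress 10.0.0.0/8`, but those cmdlets are not available on 2008 R2.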


Active Directory Account - User Login not allowed


We have recently implemented SharePoint workflows in O365, using AD to select user accounts. This changed our internal processes to have an AD account created for all company employees regardless of role.

I am trying to determine the best practice to set up the account so that it stays ACTIVE but does NOT allow login.

Currently I am setting them to "Change Password at Next Login", they would never have received details on the account or password.

I was advised that I could also set the account to "User cannot change password", but I don't seem to be able to set the account this way via GUI or PowerShell.

Would appreciate some thoughts on best practice alternatives.

SMD

Active Directory - Certificate Services [Offline Root Security]


Good Morning, I have a bit of a polling question surrounding the acceptable practices securing an offline root certificate authority, as well as issuing CAs. It is my understanding that hardware security modules (HSMs) are generally accepted as best practice when it comes to securing the private key of these entities. Likewise - the subsequent Issuing CAs should interface with network HSMs available in HA for that same purpose.

What if the budget doesn't exist for said appliances? What are generally accepted best practices around securing the offline, and issuing CA private keys? Is there anything else that can be done, or is that just about the only option? If another option does exist, what type of security does it provide...or does it at all?

Thanks in advance for any input you're able to offer on this subject.

The Microsoft Passport service failed


Hi,

Lately a very strange thing happened on one of our DCs.

For 20 min I was unable to connect to a server, and during that time I was getting replication errors and probe health issues.

(After 20 min, those problems disappeared)

I started to check logs and noticed those error events:


Event 7009, Service Control Manager:

A timeout was reached (30000 milliseconds) while waiting for the Microsoft Passport service to connect.

Event 7000, Service Control Manager:

The Microsoft Passport service failed to start due to the following error:

The service did not respond to the start or control request in a timely fashion.

Event 10001, DistributedCOM:

Unable to start a DCOM Server: Microsoft.Windows.ShellExperienceHost_10.0.17763.1_neutral_neutral_cw5n1h2txyewy!App as Unavailable/Unavailable. The error:

"0"

Happened while starting this command:

"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca

Event 7031, Service Control Manager:

The Panda Cloud Office Protection Service service terminated unexpectedly. It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Is it possible that an antivirus (Panda) could cause that issue?

Many thanks in advance!

Netbios domain and not full domain shown in Event viewer Audit logs


Hi all,

I am monitoring user access events, Event ID 4768.

They appear on the Event viewer under Windows Logs - Security - Audit Success

e.g. for 4768:

TargetDomainName MOSHE

Sometimes the TargetDomainName is MOSHE (NetBIOS) and sometimes TargetDomainName is MOSHE.com.

How can I enforce it to be only one unique value? MOSHE and MOSHE.com are the same domain controller/domain.

The user joins the RDP session sometimes with .com and sometimes without. I want both cases to have the same Supplied Realm Name. Is this possible?



Microsoft AD CS Certificate Enrollment Web Service/Enrollment Policy Web Service

Hello, does anyone have any experience using the Microsoft Active Directory Certificate Web Enrollment Service (CES) and Web Enrollment Policy Service (CEP)? I am exploring this option to enable certificate enrollment services across domain boundaries. I am having issues increasing the CEP/CES timeout values to account for network latency.

In our lab environment, I currently have a CEP/CES using username and password authentication for initial enrollments. I have also deployed a secondary CEP/CES that is in a "renewal" only mode and supports key based renewals for Windows Server 2012 servers and Win 8.1+ clients. The biggest issue I am noticing is that the client renewal operation times out often (using Microsoft CAPI or even PowerShell). I have to retry the renewal several more times before it goes through. 

I have looked at the web.config files for both CEP and CES but nothing stands out as the setting I need to change that will increase the timeout threshold.

Any additional guidance that anyone may have is greatly appreciated. 

Schannel error 36874


Hi 

We have been getting this error in our VDI infrastructure, and it is encountered on the RD Gateway and RD Web server. Can I just ignore the error? Is this impacting production?


Homer Sibayan

Service accounts


Hello,

We are using a lot of accounts for services like backup, scan-to-email, LDAP requests on routers, etc.
Previously such accounts had non-expiring passwords and everything was fine. But recently the company decided to set an expiration policy for these accounts too. And now we have to update their passwords on hundreds of devices and services. Is there any best practice to configure these accounts to allow non-expiring passwords but still secure them completely?

Thank you in advance.


Migrating CA from 2008 to 2016


I have a CA installed on Windows Server 2008 R2 (SHA1) and I have to migrate it to Windows Server 2016.

All certificates already generated with SHA1 should remain as they are, but the certificate authority server should generate new certificates with SHA2.

How can we do this?


MCP MCSA MCSE MCT MCTS CCNA

Credential validation failed - event id 4776


Hi,

On one of our DCs, a lot of audit failure logs are captured from multiple clients through the clients' local user. I checked on the client side and am not sure where it is getting triggered from.

The client's local user and the server's admin account have the same username with different passwords.

Event ID: 4776

Error code: 0xC000006A

Any suggestions to fix this?

AD CS - Unable to Request Certificates from Certificate Authority


I've been battling an issue with our domain for a couple days now. A little background: 

We're attempting to migrate a standalone CA from our Windows 2008R2 system. We stood up two Windows 2019 servers (Root is off domain and IssuingCA is in Azure). Everything was going well by following this guide (https://timothygruber.com/pki/deploy-a-pki-on-windows-server-2016-part-3/) and I was able to get the Issuing CA working and functional and issuing certificates just fine. Around that point, we installed the Web Enrollment feature on the Issuing CA and I was trying to figure out why no templates would show up in the IIS portal. At some point I revoked a certificate and that's when things seemed to stop working, we could no longer request certificates via IIS or by using certlm.msc > Request new Certificate -- it just hangs indefinitely and never displays the domain templates. 

I removed the Web Enrollment feature and then tried to reinstall the Issuing CA role, but now that won't complete either. None of our clients can request certificates via normal processes -- when selecting Next in the Certificate Enrollment process, it just sits there and hangs indefinitely. This happens on any system, server, workstation, even the standalone CA itself.

The only good thing at this point is that I can still see that the standalone CA is issuing Workstation Authentication certificates via an AutoEnroll GPO, so I know it's still functional, but for whatever reason something we've done in the configuration and the hiccup experienced while standing up the Enterprise CA has caused this global issue on the domain.

I've removed what traces I could from ADSIEdit of the published Enterprise CA. 

Any advice? I haven't been able to find any logs or indications in Event Viewer that seem related to this or hint at what the issue is. 


Michael B Courville

How to update stale CDP url


I have a 2016 internal Enterprise CA with 3 versions of the root cert (from previous renewals) and within each of these cert versions, the CDP data shows stale (outdated) LDAP and HTTP URL strings for the CRL. If I follow the steps to update the CDP URLs noted here (https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1) will this magically update the CDP URLs in the root cert details?

Or will I need to renew this cert (4th version) to get these values updated?

[SOLVED] Certificate Common Name Issue


Each time I issue a certificate, the common name is forcefully changing to User's name,

Impact of deleting an old CDP entry from AD


I have a stale CDP entry in my AD domain from a previous Enterprise CA. I'd like to delete it because I suspect it may be causing issues; however, I see that there are still about 100 issued certs that are still valid and also have this CDP LDAP URL specified. So my questions are:

1) Will deleting this stale CDP entry cause an issue with those 100 certs that are still valid on the newer CA?

2) Assuming it might impact them, does it matter that those certs also have an http url specified for the CRL (and that http url works because I created a DNS alias for the old CA to point to the new CA)?

Thanks!

MS16-039 patches for Windows Server 2016


Dear Sir,

I have a Windows Server 2016. After scanning with Nessus (Tenable), it found quite a few .NET Framework vulnerabilities. However, for some of the findings I cannot find any patch for Server 2016.

Take MS16-039 as an example: I cannot find any information that there is a patch for Windows Server 2016. I also cannot find whether any other patches have already superseded it.

Could you show me where I can find whether:

1. Windows Server 2016 is not affected, or

2. There is already a superseded patch installed in Windows Server 2016

Thank you very much!

Regards,

Leo


WinRM WEF over HTTPS


Hi All,

I was successfully able to configure WEF over WinRM using a “Source Initiated Subscription” as detailed here

https://docs.microsoft (.) com/en-us/windows/win32/wec/setting-up-a-source-initiated-subscription.

However, since forwarding PS data over the network in plain text (the default WEF setting is to run over HTTP) is not my cup of tea, I was trying to set up an HTTPS listener as detailed in the "Setting up a source initiated subscription where the event sources are not in the same domain as the event collector computer" section of the document, but this didn't go as expected. I'll mention that despite the name I am trying to set up the HTTPS listener in a domain environment.

I’ve encountered two main problems. I was able to overcome the first one (“Message = Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.”)  and now I’m stuck with the second one – “Message = The function: "HttpSetServiceConfiguration" failed unexpectedly. Error=1312. Error number:  -2147023584 0x80070520 A specified logon session does not exist. It may already have been terminated”.

Have you ever encountered this before? Any suggestions?

Thanks in advance!

Server 2019 - Excessive Event ID 4763 (audit failure use of SeTcbPrivilege)


Hi

I have a new installation of Windows Server 2019 Version 1809 (Build 17763). I am seeing loads of Event ID 4763 in the Security section of the Event Viewer as below. (Yes, I have Audit Sensitive Privilege Use on). Question is why I am seeing the failure.

I have:

Subject:
 Security ID:  SYSTEM
 Account Name:  <COMPUTERNAME>$
 Account Domain:  WORKGROUP
 Logon ID:  0x3E7

Service:
 Server: NT Local Security Authority / Authentication Service
 Service Name: LsaRegisterLogonProcess()

Process:
 Process ID: 0x25c
 Process Name: C:\Windows\System32\lsass.exe

Service Request Information:
 Privileges:  SeTcbPrivilege

I actually added SYSTEM to the 'Act as part of the Operating System' right, although I understood that was granted implicitly anyway... So first question... what's likely going on here?

Secondly, I am also seeing even more of the following:

A privileged service was called.

Subject:
 Security ID:  <COMPUTERNAME>\<LocalAdministratorUser>
 Account Name:  LocalAdministratorUser
 Account Domain:  <COMPUTERNAME>
 Logon ID:  0x445DE

Service:
 Server: Security
 Service Name: -

Process:
 Process ID: 0x4a4
 Process Name: C:\Windows\System32\svchost.exe

Service Request Information:
 Privileges:  SeTcbPrivilege

Obviously I don't want to add the Admin account to that role, but something tells me there is a problem here... why is the system blocking whatever is being attempted on a clean-deploy OS like this?

Obviously I could turn off auditing but that would just mean I never heard about these problems... rather than actually resolving the root cause of the issue. Also, turning off auditing means I may not learn about other more relevant (and correct) attempts to use privileged rights.

Any thoughts?

Thanks,

Clive

Redirected folder issue after exactly 10 hours


Hive mind,

I have an issue whereby users are running inside a Citrix session hosted on Windows Server 2016. Redirected folders are being used, set by GPO, and everything works fine for exactly 10 hours. After 10 hours, the redirected folders disconnect and the user needs to log off and on again for this to be restored.

The only error I can find up to now is the following:

Log name: System

Event ID: 32

Source: Kerberos-Key-Distribution-Center

Details: The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.

We are currently piloting the 2016 image after migrating from 2008R2, where this worked without issue. All Kerberos timings are default and not amended in GPO/local policy.

klist tgt shows:

StartTime          : 2/10/2020 11:23:10 (local)
EndTime            : 2/10/2020 21:23:10 (local)
RenewUntil         : 2/10/2020 21:23:10 (local)
TimeSkew           :  + 0:00 minute(s)

which is what I would expect...

Any ideas?

How to auto patch on Windows Server 2008 after January 2020


How do we auto-patch Windows Server 2008 after January 2020, since Windows Server 2008 is EOL now? We have an extended MAK key; how do we update this MAK on the 2008 servers and how do we patch?

Appreciate your assistance on this. 

What are the steps to stop Windows 10 systems from generating/regenerating a RDP self-signed certificate?


I am currently in the process of removing all RDP self-signed certificates from my Windows 10 desktops and Windows 2012/2016 servers. I have created instructions for this process for all administrators but do not have the steps they can follow (manually) to stop the systems from regenerating the RDP self-signed certificates after we have installed new certificates generated from our internal MS CA. Does anybody have the step-by-step process of changing the registry key to deny this certificate generation without doing it through PowerShell? Thanks
