Channel: Security forum

Windows update

Hello Guys

I have 17 servers in a building near my main DC. When trying to update (let's say) 6 servers it takes 4 hours. When I update 2 servers it takes about 2 hours. I believe that is bandwidth, as the GPO is set to download but not install the updates. SOOOOO. My manager wants me to see if it is possible to download the updates and put them on a USB drive and take it to the servers and update that way.

1-Is this even possible?

2-How can this be done?

For full disclosure, I am a transplanted Unix/hardware guy. I have only been doing this for 3 years.


You do not have administrative privileges on the server Failover Cluster

I am trying to set up a 3 node Failover cluster in Azure. Below is my configuration:

Region: West Europe

VM Size: Standard D2s v3

Storage: Premium LRS 

Data Disk: 2 numbers, 128 GB

OS Disk: 127 GB, Premium

OS: Windows Server 2016 DataCenter

3 nodes are domain joined. 1 DC.

Account used is in the Domain Admins group. Account is also added to the Local Admins group on each of the nodes. In addition, the account and all descendants have been given "Full Control" (for testing purposes) in Domain Controller -> Active Directory -> the domain -> Advanced Features -> Security.

I have tried multiple times, and followed instructions found in forums like rejoin domain, checked access, synced time etc. The weird thing is that I got it working once (though I don't remember any significant changes from other attempts), but since it was late night I stopped all the VMs (the cluster nodes and DC). Next day, I started all VMs to continue the work, only to see that it isn't working anymore. Could someone shed some light on this please?

 


Firefox "Secure Connection Failed" after installing KB4088879

I currently have websites running on IIS8, on Windows 2012 R2 servers. After this month's Microsoft patching we started to get reports of Firefox users not being able to connect to the website and receiving a "Secure Connection Failed" error message.

* We also utilize a subset of the allowed ciphers instead of the default.

I have been able to determine:

- That without the recent KB4088879 patch installed, the Firefox error does NOT occur

- With KB4088879 installed, the Firefox error DOES occur

- With KB4088879 installed, and when I disable our restricted cipher listing, and allow all default ciphers, the Firefox error does NOT occur

- With KB4088879 installed, and when I enable our restricted cipher listing, the Firefox error DOES occur

We are trying to determine:

- What may have caused the sudden change in the cipher behavior

- What are possible solutions to remedy the situation, without enabling all the default ciphers as we find that not the best practice given security vulnerabilities against many of the default ciphers

Getting DC's to go back to using self signed certs post CA Removal?

Hi!

As per title really. 

Our 2 DC's are configured to get their Directory Service Email Replication, KDC Authentication etc certs via our internal CA.

I want to remove this but am worried this will cause issues. How do I get the DC's to regenerate their own Certs again?

Thanks!

Brendan

RE: upcoming Safari SSL validity limited to one year

Hi All,

Not sure if you are aware, and thought I would raise awareness about the upcoming Safari SSL change which will limit SSL certificate validity to one year. Please see the URL below.

How does this affect internal PKI SSL certificates? To ensure Safari clients are not impacted by this change, does this mean all new internal SSL certificates' validity will need to be set to one year?

Seems like a huge initiative and I want to get ahead of potential Safari browser issues that may pop up as a result of this change. Thoughts, comments?

Thanks!

https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/



Can't enroll webserver certificate although I'm in the domain admins group

Hi,

I'm performing a migration of a CA on a Windows 2008 R2 domain controller to a Windows 2016 domain member.

Migration itself is not a problem.  Everything is running...

The funny thing is I cannot enroll a webserver certificate as domain admin on the 2016 domain member.

I'm getting : The permissions on the certificate template do not allow the current user to enroll for this type of certificate.  0x80094012 (-2146877422 CERTSRV_E_TEMPLATE_DENIED)

I'm a member of the domain admins group, which has read, write and enroll permissions on the webserver template.

And here it comes... If I add my domain admin account individually to the template, it works...

If I go to the old CA (the Windows 2008 R2) and run the certreq there, it also works...

Has anyone encountered something similar?

Always on VPN, RAS in DMZ with NIC to LAN?

Hi Everyone,


I've been tasked with building a proof of concept Always On VPN system for my network. There are many guides on the internet, but I can't help thinking that each one is a security risk.

We have a single Fortinet 1500D firewall which has an interface for the LAN and another for the DMZ.


My DMZ currently hosts an RODC and a domain joined SCCM DP for updating internet clients (which is bad enough).


Reading the deployment guides from Microsoft, they imply that the RAS server in the DMZ is domain joined and has an interface for the DMZ and an additional one for the LAN.

Doesn't this pretty much blow all security out the water?

Thanks


AD CS: Offline Root CA and Subordinate CA - CRYPT_E_REVOCATION_OFFLINE

Like the title states, I have an offline, standalone Root CA Windows Server 2019 instance and I used it to issue a certificate for my subordinate CA. I have done the following:

Yet every time I try to start the Sub CA, it throws this error: "CRYPT_E_REVOCATION_OFFLINE"

I'm getting past this error for now by setting the registry to ignore that error:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

..but ideally I want my clients to check the Root CA's CRL to ensure the Sub CA is valid.

What else can I do here?


(SOLVED) AD CS: Offline Root CA and Subordinate CA - CRYPT_E_REVOCATION_OFFLINE

I followed this guide: https://www.vkernel.ro/blog/how-to-publish-the-crl-and-aia-on-a-separate-web-server to properly configure my CRL locations for IIS. Thank you guys :)



AD CS: Submit CSRs without a certificate template defined

How can I submit a CSR, that's been created by an HP printer, to AD CS? Every time I try to, it says the request doesn't define a certificate template. I understand it's originating out of Active Directory and it must be looking for one, but how can I get past that error and issue the certificate? The request contains all the extensions, etc, the certificate needs.

Thank you. :)

AutoEnrollment Fails

Hi all, the autoenrollment group policy created using CEP/CES is timing out due to network latency. Our team has gone as far as it can to reduce this latency, but it is still not enough to stop timeout errors.

Manual enrollment using CEP via mmc.exe, certificates snap-in, is simple: we click the retry button on the timed-out pop-up error one time and it works.

Is there a retransmit/retry value I can set somewhere to offset this latency in an auto-enrollment GPO?

Configuring grace period for CRL causes Microsoft to ignore Base CRL validity check

Hi all,

I recently noticed a very strange behavior during certificate validation checks on a workstation using the CRL extended validity period.

My goal was to check the certificate validation process using cached CRLs and the validation behavior using the CRL extended validity configuration applied at domain level to computers.

I created a lab domain environment with the following specs:

  • DC - Win Server 2012 R2
  • Enterprise Root CA + CDP (IIS) - Win Server 2016
  • Workstation - Win 10

Below is the detailed test performed on the workstation:

  1. Performed a sanity check trying to validate an endpoint certificate issued by the CA (using the command certutil -q -verify test.crt); everything looks fine and the command ends with no problems.
  2. I turned off the CDP website, cleared the CRL cache on the workstation (computer + user cache), and tried to validate the certificate again, with no success as expected (revocation server was offline error).
  3. Used certutil -f -addstore root labrca.crl/labrca+.crl to add both CRLs to the local certificate store.
  4. Used certutil again to validate the certificate, this time with success.
  5. Waited until the delta CRL expired and tried to validate again; as expected, no success (revocation offline).
  6. Configured a CRL extended validity period of 1 hour using a GPO linked to the workstation OU.
  7. Updated Group Policy on the workstation and tried to validate the cert again; as expected it succeeded (the CRL was only half an hour expired).

Now, the problem started when using a cached expired Base CRL (1 day expired) and a new valid Delta CRL trying to validate the certificate on the workstation (configured to extend CRL validity time by 1 hour as defined within the GPO before).

The certutil -verify command simply ignores the Base CRL being already 1 day expired and is satisfied with the Delta CRL being valid, returning a success code.

Disabling the CRL grace (extended validity period) causes certutil -verify to fail as expected.

Does anyone know why the validation check acts like this when using the CRL extended validity period? I really expected the validation check to fail when using an expired CRL (never mind base or delta), even with extended validity configured, in case "NextUpdate+GracePeriod" is over.

Thanks, and I hope there is a logical answer so this is not a bug.

Bruno
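The freshness rule the post expects (base CRL and delta CRL must each still be inside NextUpdate plus the configured grace period) can be written down and replayed against the lab timeline. The Python below is an added example and is not part of the post or of certutil; it models the expected rule with constructed timestamps, not Windows' actual implementation, and the function and scenario names are assumptions.

```python
from datetime import datetime, timedelta


def within_grace(next_update, now, grace):
    """A CRL is usable while now <= NextUpdate + grace.
    grace is the GPO's CRL extended validity period (timedelta(0) when disabled)."""
    return now <= next_update + grace


def revocation_data_usable(base_next_update, delta_next_update, now, grace):
    """Rule the post expects for a base + delta pair: BOTH CRLs must be within
    their grace window. A delta CRL only lists changes since its base, so a
    fresh delta cannot vouch for an expired base (assumed rule, not certutil's code)."""
    return within_grace(base_next_update, now, grace) and within_grace(delta_next_update, now, grace)


def replay_lab_scenarios():
    """Replay the timeline from the post with constructed timestamps."""
    now = datetime(2020, 3, 1, 12, 0)  # constructed reference time
    one_hour = timedelta(hours=1)
    return {
        # Step 7: delta expired half an hour ago, base still valid, 1 h grace -> usable.
        "step7_delta_half_hour_expired": revocation_data_usable(
            now + one_hour, now - timedelta(minutes=30), now, one_hour),
        # Problem case: base expired one day ago, delta valid, 1 h grace -> expected to fail.
        "base_one_day_expired": revocation_data_usable(
            now - timedelta(days=1), now + one_hour, now, one_hour),
        # Same case with grace disabled -> fails, matching what certutil did.
        "base_one_day_expired_no_grace": revocation_data_usable(
            now - timedelta(days=1), now + one_hour, now, timedelta(0)),
    }


if __name__ == "__main__":
    for name, ok in replay_lab_scenarios().items():
        print(f"{name}: {'usable' if ok else 'stale'}")
```

The second scenario is the one the post calls a bug: under the expected rule it is stale, while the observed certutil result was success.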

Discontinued support for TLS 1.0 and 1.1

Hello.

Exactly when does support for TLS 1.0 and 1.1 end?

Microsoft CA- certreq service account

Dear All,

We have a Microsoft CA setup with an offline root and an online CA, and we have a certreq service account with domain admin rights. Please let us know whether this certreq service account is mandatory or whether we can remove it. Please note we still have Windows 2000 servers.

Microsoft CA- PKI-CDP recommendation

Hello All.

I have a few questions regarding the CDP and OCSP:

1. Shall I use the issuing CA for the CDP location?

2. Shall I use OCSP and CDP on the same server?

3. Do I need clustering for the CDP server for HA?



Certificate template

I can not download an SSL certificate for the webserver, because the option is not there.

I restarted the IIS Admin service and Exchange topology but it didn't work.

How can I fix that?

Account Lockout

I'm having an account lockout issue that's happening 2-3 times a day. The user is running Windows 10, authenticating to a Windows 2016 domain and Exchange 2016 with Outlook 2016. Tried clearing Credential Manager, recreating the Outlook profile, recreating the user profile, disabling ActiveSync, and all other laptops or machines. The user is limited to one machine and the lock still occurs. I've also checked scheduled tasks and removed mapped drives.

I see four 4776, 4625, couple more 4776  then a lockout (this could be in different order during different times).

I have few hundred other users with the same setup.

Multiple Event ID 4776 on Domain Controllers
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: johndoe Source Workstation: WORKSTATION Error Code: 0xc000006A

Event ID 4625 on Exchange 2016 server
An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: johndoe Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WORKSTATION Source Network Address: 192.168.10.50 Source Port: 65012 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM

Event ID 4740 on Domain controller
A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC1$ Account Domain: WIDGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: S-1-5-21-1333342718-210984868-523627154-63127 Account Name: johndoe Additional Information: Caller Computer Name: WORKSTATION
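When chasing a recurring lockout, the first thing to establish from events like the three quoted above is whether every bad-password attempt comes from the caller computer named in 4740 or whether a second host is also trying the stale credential. The Python below is an added example, not code from the post: it parses constructed sample lines modelled on the quoted events (assumed line shape "<EventID> <reporting host> <message>") and summarises failures per source workstation and NTSTATUS code for one account; the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample events modelled on the three event types quoted in the post.
SAMPLE_EVENTS = [
    "4776 DC1 The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: johndoe Source Workstation: WORKSTATION Error Code: 0xc000006A",
    "4776 DC1 The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: johndoe Source Workstation: WORKSTATION Error Code: 0xc000006A",
    "4625 EXCH01 An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: johndoe Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WORKSTATION Source Network Address: 192.168.10.50 Source Port: 65012 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM",
    "4776 DC1 The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: johndoe Source Workstation: WORKSTATION Error Code: 0xc000006A",
    "4776 DC1 The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: janedoe Source Workstation: OTHERPC Error Code: 0xc000006A",
    "4740 DC1 A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: DC1$ Account Domain: WIDGE Logon ID: 0x3E7 Account That Was Locked Out: Security ID: S-1-5-21-1333342718-210984868-523627154-63127 Account Name: johndoe Additional Information: Caller Computer Name: WORKSTATION",
]

# Well-known NTSTATUS values that show up in these events.
STATUS_NAMES = {
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
    "0xc0000064": "STATUS_NO_SUCH_USER",
}

RE_4776 = re.compile(r"Logon Account: (\S+) Source Workstation: (\S+) Error Code: (\S+)")
# 4625 and 4740 carry two "Account Name:" fields; anchor on the section that names the target account.
RE_4625 = re.compile(r"Account For Which Logon Failed:.*?Account Name: (\S+).*?Sub Status: (\S+).*?Workstation Name: (\S+)")
RE_4740 = re.compile(r"Account That Was Locked Out:.*?Account Name: (\S+).*?Caller Computer Name: (\S+)")


def parse_event(line):
    """Reduce one event line to id, reporting host, account, source workstation and status, or None."""
    event_id, host, message = line.split(" ", 2)
    if event_id == "4776":
        m = RE_4776.search(message)
        if m:
            return {"id": event_id, "host": host, "account": m.group(1),
                    "source": m.group(2), "status": m.group(3).lower()}
    elif event_id == "4625":
        m = RE_4625.search(message)
        if m:
            return {"id": event_id, "host": host, "account": m.group(1),
                    "source": m.group(3), "status": m.group(2).lower()}
    elif event_id == "4740":
        m = RE_4740.search(message)
        if m:
            return {"id": event_id, "host": host, "account": m.group(1),
                    "source": m.group(2), "status": None}
    return None


def summarize_lockout(lines, account):
    """Count failed logons for `account` per source workstation and per status code,
    and record which caller computer the DC blamed in the 4740 event."""
    sources, statuses, locked_by = Counter(), Counter(), None
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["account"] != account:
            continue
        if ev["id"] == "4740":
            locked_by = ev["source"]
        else:
            sources[ev["source"]] += 1
            statuses[STATUS_NAMES.get(ev["status"], ev["status"])] += 1
    return {
        "failures": sum(sources.values()),
        "sources": dict(sources),
        "statuses": dict(statuses),
        "locked_by": locked_by,
        # True when every failure came from the host named in 4740: the stale
        # credential lives on that one machine rather than on a second device.
        "single_source": locked_by is not None and set(sources) == {locked_by},
    }


if __name__ == "__main__":
    print(summarize_lockout(SAMPLE_EVENTS, "johndoe"))
```

On real data the lines would be exported from the DC and Exchange security logs; with `single_source` true, the search narrows to cached credentials, services and scheduled tasks on that one workstation, whereas a second source workstation points at another device holding the old password.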

PKI 2012R2 Mail Encryption/Signature - Template Mystery

Hi All,

I inherited the responsibility for certificates in my new company. In the month before I joined, a new PKI was developed and implemented. Sadly, the guy who planned and implemented it left the company without a lot of documentation and I have to learn as I go along.

One of the use cases is to encrypt and sign internal emails via S/MIME, and I have a template called "internal email". I can request and issue the certificates. However, if I try to use it in Outlook I get a message that there is no eligible certificate.

I made a copy of the template and started to play with it. After a while I figured out that if I add the application policy "smart card logon" (no other changes at all) and put it on one of our SafeNet tokens, Outlook recognizes it and encrypting/signing works without problems. It doesn't work if I have the copy on the local machine, though. Unfortunately, I have orders to get it to work without putting the email certificate on the smartcard. The guy who is responsible for our Outlook/Exchange says it is nothing that his machines do. So I am quite lost and would appreciate some advice.

In short:

1) I issue the certificate based on template "internal email" - Outlook doesn't recognize the certificate

2) I issue the certificate based on the customized template "Copy of internal email" and put it on the local machine - Outlook doesn't recognize the certificate

3) I put the certificate based on "Copy of internal email" on the safenet token - Outlook recognizes and accepts it without issues

Could somebody explain what is going on here and how to fix it please?

Cheers,

D


How to scan for malware using McAfee through AMSI

We are attempting to determine whether an uploaded file (Excel in this case, but could be anything) contains malware. The solution is developed in C#.

To determine whether AMSI is available I am calling the following (only pertinent bits shown):

const string EicarTestString = @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

AmsiNativeMethods.AmsiScanString(_context, EicarTestString, "EICAR", session, out scanResult)

When using Windows Defender the scanResult value correctly identifies the EICAR test string as malware. 

However, when using McAfee the original issue was that the malware was detected and the test application was simply blocked and the process killed.  After contacting McAfee our security department made some changes and then the test application could run without being killed but the scanResult is returned as 0.  This would indicate that there is no malware which is incorrect.

We have been engaging with McAfee and sent all manner of logs.  They have now suggested we engage with Microsoft which is why I am asking about this here for now.

Any ideas?

p.s. Apologies for "cross-posting", but a response to my community question suggested that I ask in the TechNet forums. An article on AMSI suggested asking in the community forums. I cannot add any links until my account is verified.

Jump Server Procedure

Hi

Can anybody help me with a procedure or step-by-step guide to build a Jump Server / Jump host? What are the software and hardware prerequisites?

Thanks


Homer Sibayan
