
Server 2008 and folder permissions

Why is it that, when Administrators is the owner of a folder where I want to modify permissions and I am logged on as administrator, I get Access Denied on some files and folders, but when I change the owner specifically to Administrator I don't get that problem?

yaro


NDES cannot match issuer and serial number in CRL request

I have several BSD routers configured with certificates issued by a Windows 2012 NDES server.  They create IPsec tunnels to each other and communicate with no problems.  The certificates are issued automatically using sscep, developed by Jarkko Turkulainen in 2003.  This exact build worked perfectly well with Microsoft 2000 and 2003 servers using the mscep add-on and still works with 2008 and 2012 servers using NDES services for certificate request and enrollment.  However, CRL requests, though they worked well with 2000 and 2003 servers, fail under the NDES service starting with 2008 servers.

The error reported on the server is sourced to NDES and the event ID is 45.  Basically, starting with the NDES implementation, an additional feature fails CA signature checks in the request.  Is there a way I can turn this feature off?  Or is there something else I can do to eliminate this issue and still receive the CRL using the SCEP code?  The error content is below.

Error 45:  The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any certification authority (CA) certificate. Verify that the device request contains the correct CA certificate information, then resubmit the request.


ms



Configure Applications to Always Run as an Administrator

I've a standalone (not in an AD domain) Win Server 2008 R2 Standard x64 box. I want my standard Windows users (non-admin) to be able to run an application. But when the users try to run the application they are prompted for an administrator password. The application will only run with an account with administrative privileges. However, I do not want to assign admin rights to the users to be able to run this application. I've tried the solution as given at http://technet.microsoft.com/en-us/magazine/ff431742.aspx

1. On the Start menu, locate the program that you want to always run as an administrator. 
2. Right-click the application’s shortcut, and then click Properties. 
3. In the Properties dialog box, click the Compatibility tab. 
4. Do one of the following: 
  • To apply the setting to the currently logged-on user, select the Run This Program As An Administrator check box, and then click OK.
  • To apply the setting to all users on the computer and regardless of which shortcut is used to start the application, click Change Setting For All Users to display the Properties dialog box for the application’s .exe file, select the Run This Program As An Administrator check box, and then click OK twice.

This did not work for me. The users are still prompted to provide the password for a user with administrative rights.

Please help.

Fast users switching with smart cards and Windows 7 - not very fast

We have set up smart card logon, and set (via group policy) the machines to lock when the card is removed. This works well, but if another user inserts their card while the session is locked, they do not automatically switch to their own profile to log on and instead receive an error about not being the logged in user. If they click Switch User and Smart Card and then insert their card, they are able to log on using fast user switching.

This isn't very "fast" nor as elegant as user A removing their card, then user B inserting theirs and being immediately logged onto their own profile. Is there any way this can be achieved, or will there always be switch-user-button-clicking involved?


Setup IIS on primary Server 2008 R2 with Active directory and direct port forward

Hello,

I have posted this on the IIS forums as well, but I'm interested in input as it affects the server as well:

I'm fairly knowledgeable about setting up Windows servers, workstations, etc.  I'm not well versed in the security side of the process.  I know the basics: do updates, up-to-date protection, change passwords, etc.  I generally stay away from IIS, and I've been asked to do something that is raising the hackles on the back of my neck.  Basically, we have a Windows Server 2008 R2 with IIS on it running a medical practice software.  The software company wants me to open port 443 directly to our primary/only application/file/data server.  The company assures me that this is "safe" and that no one else has had any problems.  My experience with IIS is that when working for a gov't agency, an IIS server was used to penetrate the network and completely subvert it.  Luckily, this was a white-hat group that had been hired to check the security, but still, this is my experience with IIS and my gut tells me that I should recommend against this.  So I've got a couple of questions:

1) Is this a good/bad idea on a small office server with no IDS system, the stock Verizon FIOS router/firewall, and no regular monitoring?

2) Is there a way to mitigate the risks that would be reasonable for a small office with no onsite tech support?

3) Verizon tells me that putting their Actiontec device into bridge mode is "not supported," so this means I cannot implement a better firewall such as a Cisco, Sonicwall, etc.  To be fair, I've done this at home with a Cisco small business router and it works fine.  Any comments on this?  Reasons to put it in bridging mode, to not put it in bridging mode, personal experience with it?

4) If this is just a REALLY BAD IDEA, please give me specifics.  The implementer told me that this is completely safe, they've never had any complaints, it’s the same way they implement it on their cloud service, etc. I explained that we have a basic firewall, no IDS, and no regular monitoring, but his only response was that if we don't want to use the system we don't have to. 

Sorry if these are simple questions, but I don't set up, configure, or secure IIS.  I'm not sure if I'm being overly nervous, if they are being stupidly optimistic, or somewhere in between.

Thanks,

Jeffery Smith

What is the correct "name" to use for dnQualifier in the SubjectTemplate white list?

I'm using Microsoft CA to issue certificates for external users and so using a template with the option of the Subject Name being supplied in the certificate request.

The certificate request includes a dnQualifier component in the subject name but the certificates being issued do not include the dnQualifier component.

If I set the SecurityTemplate registry entry to the empty string then the certificates being issued do include the dnQualifier component.

Is there a way to add dnQualifier to the list of white-listed DN components in the SecurityTemplate registry?

I've tried:

  • "DistinguishedNameQualifier"
  • "2.5.4.46"
  • "OID.2.5.4.46"
  • "OID:2.5.4.46"
  • "DN_QUALIFIER"
  • "DNQ"
  • "dnQualifier"

All cause the CA to report an error when it starts.

What is the correct "name" to use for dnQualifier in the SubjectTemplate white list?

DNS Query ID Field Prediction Cache Poisoning

We had our annual audit report last week. One of the findings has me a bit confused. It was found by Nessus plugin 33447, "Multiple Vendor DNS Query ID Field Prediction Cache Poisoning". This issue should have been resolved by MS08-037, which was superseded by a patch in 2011; all of the necessary patches have been applied by our patch management system.

Our IT manager found this article last week:

"Hi ManServ, Thanks for your clarification. I think that we all overlooked the point that this behavior only happens on NSlookup. Yes, the security patch randomizes the DNS UDP source port by modifying the DNS resolver behavior. As NSLookup does not use the DNS client resolver, instead it has its own resolver, the DNS UDP source port will not be randomized via NSLookup even after you have installed the security patch. As you mentioned, the UDP source port is randomized when you use ping. I think that your system is working properly and the security patch has been installed successfully. Laura Zhang - MSFT"

If this is true then the Nessus plugin is completely broken. Having a lack of scripting knowledge, I can't confirm that this is the case. Below is the script that Nessus plugin 33447 runs. Please help me out and tell me what might be going on here.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(33447);
 script_version ("$Revision: 1.22 $");
 script_cve_id("CVE-2008-1447");
 script_bugtraq_id(30131);
 script_osvdb_id(46776, 46777, 46786, 46837, 47510, 48186);
 script_xref(name:"CERT", value:"800113");
 script_xref(name:"IAVA", value:"2008-A-0045");
 # OSVDB split by vendor, 20 results as of 7/1/09. Including 6 higher profile vendors above.

 script_name(english:"Multiple Vendor DNS Query ID Field Prediction Cache Poisoning");

 script_set_attribute(attribute:"synopsis", value:
"The remote name resolver (or the server it uses upstream) may be vulnerable
to DNS cache poisoning." );
 script_set_attribute(attribute:"description", value:
"The remote DNS resolver does not use random ports when making queries to
third party DNS servers.

This problem might be exploited by an attacker to poison the remote DNS
server more easily, and therefore divert legitimate traffic to arbitrary
sites." );
 script_set_attribute(attribute:"solution", value:
"Contact your DNS server vendor for a patch" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'DNS BailiWicked Host Attack');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/09");
 script_cvs_date("$Date: 2012/12/10 03:02:35 $");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"stig_severity", value:"I");
 script_end_attributes();

 script_summary(english:"Determines if the remote DNS server uses random source ports when making queries");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2008-2012 Tenable Network Security, Inc.");
 script_family(english: "DNS");
 script_dependencie("bind_query.nasl");
 script_require_keys("DNS/recursive_queries");
 exit(0);
}

include("global_settings.inc");
include("byte_func.inc");
include("dns_func.inc");
include("misc_func.inc");

port = 53;
if (! get_udp_port_state(port)) exit(0, "UDP port "+port+" is not open.");

MIN_SAMPLES = 4;   # minimum observed source ports per upstream server before judging it
NUM = 4;           # number of test queries to send (grows when more than one upstream server answers)
HARD_LIMIT = 50;   # never send more than this many queries in total

function abs()
{
 local_var x;
 x = _FCT_ANON_ARGS[0];
 if ( x > 0 ) return x;
 return 0 - x;
}

totCount = 0;
per_ip = make_array();

# Each query asks the target resolver for a TXT record of a random name under t.nessus.org.
# The authoritative server for that zone answers with "<source IP>,<source port>" as seen on
# its side, i.e. the port the resolver (or its upstream forwarder) used for the outbound query.
for ( i = 0 ; i < NUM ; i ++ )
{
 totCount ++;
 req["transaction_id"] = rand() % 65535;
 req["flags"] = 0x0100;
 req["q"]     = 1;
 packet = mkdns(dns:req, query:mk_query(txt:dns_str_to_query_txt(rand_str(length:8, charset:"abcdefghijklmnopqrstuvwxyz")  + "-" + i + ".t.nessus.org."), type:0x0010, class:0x0001));
 soc = open_sock_udp(53);
 send(socket:soc, data:packet);
 r = recv(socket:soc, length:4096);
 close(soc);
 if ( ! r ) exit(0);
 r = dns_split(r);
 res = r["an_rr_data_0_data"];
 if ( ! res || strlen(res) < 2  ) exit(0);
 res = substr(res, 1, strlen(res) - 1);
 if ( res !~ "^[0-9.]+,[0-9]+") exit(0);
 array = split(res, sep:",", keep:FALSE);
 responses_ports = per_ip[array[0]];
 if ( isnull(responses_ports) ) {
    responses_ports = make_list();
    if ( max_index(keys(per_ip)) > 0 ) NUM += 4;
    }
 responses_ports[max_index(responses_ports)] = int(array[1]);
 per_ip[array[0]] = responses_ports;
 if ( totCount > HARD_LIMIT ) break;
}

# A server is flagged only when, across at least MIN_SAMPLES observations, no two
# consecutive source ports differ by 20 or more (i.e. the ports look sequential).
buggy_dns_servers = make_array();
foreach dns_server ( keys(per_ip) )
{
  responses_ports = per_ip[dns_server];
  if ( max_index(responses_ports) >= MIN_SAMPLES )
   {
    flag = 0;
    for ( i = 1 ; i < max_index(responses_ports) && flag == 0; i ++ )
     if ( abs(responses_ports[i - 1] - responses_ports[i]) >= 20 ) flag = 1;

    if ( flag == 0 )
    {
     buggy_dns_servers[dns_server] = responses_ports;
    }
   }
}

if ( max_index(keys(buggy_dns_servers)) > 0 )
{
 report = "
The remote DNS server uses non-random ports for its
DNS requests. An attacker may spoof DNS responses.

List of used ports:
";
  foreach dns_server ( keys(buggy_dns_servers) )
  {
    report += '\n+ DNS Server: ' + dns_server + '\n';
    responses_ports = buggy_dns_servers[dns_server];
    for ( i = 0 ; i < max_index(responses_ports) ; i ++ )
    {
     report += '|- Port: ' + responses_ports[i] + '\n';
    }
  }
 security_hole(port:53, proto: "udp", extra: report);
}
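As an added example (not part of the forum post and not Tenable's code), the following Python script re-implements the decision rule that the plugin above applies, so the finding can be re-checked against a packet capture taken on the DNS server itself instead of relying on the scanner's report. Read from the NASL: the plugin collects the source ports the resolver uses for its own outbound queries (echoed back to it in the TXT answer), and flags a server only when at least 4 ports were seen and no two consecutive ports differ by 20 or more. That is also why a test with nslookup on a client does not settle the question either way: the plugin measures the server's outbound queries, not the client tool's. The script assumes tcpdump's default one-line text format for UDP packets to port 53; the capture lines, IP addresses and port numbers below are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict

MIN_SAMPLES = 4      # the plugin needs at least this many ports per server before judging it
MIN_PORT_DELTA = 20  # consecutive ports closer than this count as "sequential" in the plugin

# tcpdump's default text format for a UDP query to port 53 (assumed), e.g.
#   12:00:00.000001 IP 192.0.2.10.49152 > 198.51.100.1.53: 1001+ A? a.example. (27)
# Only outbound queries match: responses come *from* port 53, so ".53:" after the
# destination address is absent and those lines are skipped.
_QUERY_RE = re.compile(
    r"\bIP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53:"
)


def parse_tcpdump_lines(lines):
    """Yield (source_ip, source_port) for every outbound DNS query line, in capture order."""
    for line in lines:
        match = _QUERY_RE.search(line)
        if match:
            yield match.group("src"), int(match.group("sport"))


def group_ports_by_source(observations):
    """Group observed source ports by the querying address, preserving order (like per_ip in the NASL)."""
    per_ip = defaultdict(list)
    for ip, port in observations:
        per_ip[ip].append(port)
    return dict(per_ip)


def looks_sequential(ports):
    """True when no pair of consecutive ports differs by MIN_PORT_DELTA or more (the plugin's flag == 0 case)."""
    return all(abs(a - b) < MIN_PORT_DELTA for a, b in zip(ports, ports[1:]))


def find_non_random_sources(lines):
    """Return {source_ip: [ports]} for every source with enough samples whose ports look sequential."""
    per_ip = group_ports_by_source(parse_tcpdump_lines(lines))
    return {
        ip: ports
        for ip, ports in per_ip.items()
        if len(ports) >= MIN_SAMPLES and looks_sequential(ports)
    }


# Constructed sample capture (not real traffic):
#   192.0.2.10 walks ports 49152..49155  -> should be flagged
#   192.0.2.20 uses widely spread ports  -> should pass
#   192.0.2.30 has only two samples      -> too few to judge, not flagged
SAMPLE_CAPTURE = [
    "12:00:00.000001 IP 192.0.2.10.49152 > 198.51.100.1.53: 1001+ A? a.example. (27)",
    "12:00:00.000100 IP 198.51.100.1.53 > 192.0.2.10.49152: 1001 1/0/0 A 203.0.113.5 (43)",
    "12:00:00.000200 IP 192.0.2.10.49153 > 198.51.100.1.53: 1002+ A? b.example. (27)",
    "12:00:00.000300 IP 192.0.2.10.49154 > 198.51.100.1.53: 1003+ A? c.example. (27)",
    "12:00:00.000400 IP 192.0.2.10.49155 > 198.51.100.1.53: 1004+ A? d.example. (27)",
    "12:00:00.000500 IP 192.0.2.20.51234 > 198.51.100.1.53: 2001+ A? a.example. (27)",
    "12:00:00.000600 IP 192.0.2.20.60012 > 198.51.100.1.53: 2002+ A? b.example. (27)",
    "12:00:00.000700 IP 192.0.2.20.53877 > 198.51.100.1.53: 2003+ A? c.example. (27)",
    "12:00:00.000800 IP 192.0.2.20.49501 > 198.51.100.1.53: 2004+ A? d.example. (27)",
    "12:00:00.000900 IP 192.0.2.30.50000 > 198.51.100.1.53: 3001+ A? a.example. (27)",
    "12:00:00.001000 IP 192.0.2.30.50001 > 198.51.100.1.53: 3002+ A? b.example. (27)",
]

if __name__ == "__main__":
    for ip, ports in sorted(find_non_random_sources(SAMPLE_CAPTURE).items()):
        print(f"{ip}: sequential source ports {ports} - source port randomization looks absent")
```

To use it on a real server, capture the resolver's outbound traffic (for example `tcpdump -n udp dst port 53` on the DNS server, or on a span port in front of it) while it resolves a handful of uncached names, and feed the text lines to `find_non_random_sources`. Note the same limitation as the plugin: four samples is a small set, and a forwarder in front of the server would show its own ports, not the server's.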


The revocation function was unable to check revocation for the certificate

Hello,

One of my remote users is not able to connect with Microsoft VPN; the error I get is "The revocation function was unable to check revocation for the certificate".

Recently the last name of this user was changed, but the certificate on her machine still has the same name; in fact, in AD I can still see the certificate with the old name under "published certificates".

How to fix this?

Thanks

LDAP signing and Client Issues

We have enabled LDAP signing on our DCs. Only the applications with a third-party SSL certificate installed are able to connect for LDAP queries; the others are not.

We have also enabled LDAP client signing requirement policy as "Require Signing" on these clients.

These clients run Java applications on both Windows and Linux machines.

In order to enable these clients to successfully query LDAP, We suggested the application owners to use LDAPS over port 636. 
Do we need to install a self-signed certificate on these application servers to make this work, and do we also need to install the certificate of the DC they are attempting to connect to on these application servers?


Active Directory replication

Good day.

    Here at the company we have a server running Windows Server 2008 which holds the Active Directory, a file server running Windows Server 2003 and an Exchange server running Windows Server 2008. Now, the situation is the following:

I have had the following problem for some weeks:

   When the users' account passwords expire and they change them, they manage to log in to their Windows session but cannot open any of the network drives mapped in their profiles (network mappings that point to the shared folders on the Windows Server 2003 server), nor can they open their mail through the Outlook client. To work around it temporarily, what I do is either set their previous password directly from the server that holds the Active Directory, or restart the servers (the file server and the Exchange server), but this obviously does not solve the problem.

   If a new person joins and I have to create their user in AD and their mailbox in Exchange, I likewise have to restart the file server and the Exchange server in order to set up their profile on a PC (the PCs run Windows XP SP3).

If I remember correctly, this behaviour started when a new Windows Server 2008 server was installed hosting System Center 2012 Configuration Manager, from which we install and configure Endpoint Protection on all the machines joined to the company domain.

What do you recommend I try in order to resolve this strange behaviour of AD replication?

Nothing further to add.

Regards.

Toyomax - Cristóbal Rodríguez

Why do some system administrators set accounts to expire in Active Directory?

Why do some system administrators set accounts to expire in Active Directory, rather than just disabling the user account, and what are the differences?

Regards

Thanks.

UAC does not work and is corrupt

Tried just about everything and UAC won't turn off. As I was typing this message I noticed a few options to try, like disabling UAC from the command prompt, and it does not work. I've logged in using the psexec tool as SYSTEM in the registry and it still didn't work. I turned off all of the UAC features in Local Policy, still no luck. I am trying to remove TrustedInstaller as owner from the root of the C: drive and replace it with Administrators. When I look at Process Explorer I can see that I am using a filtered token. Turning off UAC and logging back in does not work. Admin Approval Mode is not on; it's turned off in the policy along with the other settings. Please help, I'm at a client's site. Thanks.

how to block wimax devices in AD network?

I'm the designer/administrator for a network with 500 clients/users. Here we use Extreme/Cisco (mostly 2960) switches & Cisco (mostly 3750) routers... We have 3 DCs running Server 2k8 (not R2 yet), & we have a DHCP server running Server 2k3 (haven't got the time to migrate it to a 2k8 R2 server). We have 25 scopes (each for a different VLAN).

Here's my problem... we don't share internet access with everyone... they must open a ticket with the IT department. Their boss & the IT department must approve their access to the internet & then they'll be given the access.

But some users bring WiMAX devices with them & connect them to their PCs using LAN cables...

Now we want to prevent this... because of security issues & also because their boss doesn't want them to have internet access.

Is there a way through Active Directory to achieve this? Is there even a third party product to accomplish this goal?

Suggestions are most appreciated...

Thanks in advance



this post is provided as is, with no warranties/guarantees

certmgr.msc not exporting all of the selected certificates

Hello-

I'm experiencing a weird issue that I'm hoping someone can shed some light upon.
I have need to export all of the certificates located within the "Trusted Root Authorities" (LocalMachine\AuthRoot) store, into a single file.
I start the certmgr.msc GUI (as Administrator), select the store, "Certificates", and see that there are currently 378 entries.
I change 'focus' to the pane showing the certificate list, and hit ctrl-A to select "all" of them.  Choose the "Export" task,
and save them to a .p7b file.
Same issue happens if I select the first cert., scroll to the bottom of the list and hold shift while selecting the last cert ..instead of using ctrl-A.
All that is straight-forward and looks like it works perfectly.

However, when I process the resulting .p7b file-  only 214 certs. are exported.

When I look into my (WinXP SP3) registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\
all 378 'keys' are present.

I've experienced this issue on both a WinXP SP3 system and a Win7 SP1.
I'm not sure if the problem could be registry corruption (on both systems?!), certmgr.msc itself, or a limitation of the .p7b file format?

Thanks in advance for any thoughts and/or insight into this.


Sharing & Security issues in external hard disk - windows server 2003

Dear All,

I have some issues with the sharing & security settings of folders/external drives in Windows Server 2003.

We need to plug in an external hard drive with the windows server 2003 and share the drive in the network so that other users mapped to the network can access the folders and files.

After sharing the external hard drive on the network, I then need to provide user access permissions like read/write/modify etc. But when I try to add a new user, provide permissions and click Apply, the window stops responding.

After step 4 from the picture..

Once I click Apply the window becomes not responding. But I can still access my built-in hard disk and do all operations. The only problem is that I am not able to add a user and give permissions.

Platform: Windows Server 2003 R2 Standard Edition Service Pack 2

Please help me solve this issue.

Regards,

Arun



How to remove a revoked cert from a CRL, i.e. unrevoke

I know you can unrevoke certs that were revoked with a "Certificate Hold" reason, but is there a way to edit the CRL to remove inadvertently revoked certs?

User rights for logging

Hello,

I have added a Windows domain account to a custom Windows service.

I also added this user to Local Security Policy -> Log on as a service. Everything works fine, the service is running.

Now my question:

The service normally writes log files to the folder c:\programdata\company\...

The logs are written if the user is a local admin; if I remove the user from the local admin group, no logs appear in the log folder.

Which permission do I have to grant this AD service account user to write the logs without giving it local admin rights?

I hope somebody can help me,


Thanks Horst MOSS 2007 Farm; MOSS 2010 Farm; TFS 2010; IIS 7.5

Cert Revocation check problem

Hey Guys,

I am having trouble getting my offline Policy CA online. Every time I try to start it after installing the PolicyCA cert + RootCA + RootCA CRL I get an error that the revocation server is offline.

Even though I checked the CDP + AIA locations and they are accessible from different computers and also from the PolicyCA itself.

The CDP and AIA locations are located on a file server.

For the CDP I'm using the following link file://fileserver\Certfolder\Certificates\Rootca.crl (the CRL name is appended with the predefined Windows variables)

and for the AIA I'm using the link file://fileserver\CertFolder\Certificates\RootCA.crl (the cert name is appended with the predefined Windows variables)

When I copy the exact AIA & CDP location from the Policy CA certificate and try to access them via Run by pasting the link in it, Windows opens the cert or CRL file without a problem. But I am still getting the "revocation server is offline" error.

Any ideas what I am doing wrong?

Problem with websites security certificate on localhost to access Highpoint RAID management

Hi,

I'm having a problem accessing the RAID management tool (which is browser HTTPS based), as I am presented with the message that there is a problem with the server's security certificate (this is on https://localhost:7402/). I click "Continue to this website" and still no luck; access is still blocked. I am running Win Server 2012 and IE Enhanced Security is disabled. I also tried disabling 'Check for server and publisher's certificate revocation' in IE settings. It still did nothing. I even reinstalled the RAID manager and nothing. Windows is fully up to date. I did not have this problem previously running the same configuration on another Win Server 2012 machine.

Any ideas?

Thanks

Jake

