Channel: Security forum

Windows Firewall blocks local IIS connection to SQLExpress


Hi All: I have a server2008R2 virtual instance running at Godaddy. The server has IIS and SQLExpress 2008 R2 running. I'm using a standard security connection string to connect to the database from the website:

Provider=SQLNCLI10;Server=.\SQLEXPRESS;Database=myDataBase;Uid=myUsername;Pwd=myPassword;

When Windows Firewall is enabled, I can't connect to the database from the website, although SMS is able to connect when launched locally. If I stop the firewall service the website connects to the local database fine. What would be causing the firewall to block local connections to the database from IIS?

When firewall is running, I have an inbound rule to allow TCP/IP 1433 for only a couple of remote IPs in the "Scope". Would that block local connections too?

In SQL Configuration Manager, I have Shared Memory and TCP/IP enabled, and Named Pipes and VIA disabled.


Certificate Authority on Windows 2012 domain controller


Hi, everyone.

I'm configuring Certificate Enrollment Web Services installed along with the CA on a Windows 2012 domain controller.

I'm aware best practice is to install the CA on a member server and not on a DC, but for small businesses it's acceptable.

I'm using mostly default settings for now, as it is a lab environment. When configuring Certificate Enrollment Web Services, the wizard recommends using a service account. I created a user account and added it to the IIS_USRS group, but the wizard throws the error "Logon failed due to insufficient rights".

I believe the documentation only states the user should be added to the IIS_USRS group, and I would think that's enough for member servers, but this being a domain controller, there seems to be some other setting required for the account to have adequate permissions.

I tried editing the Default Domain Controller Policy and assigned the "Log on as a service" user right to the account. Rebooted the server, but the wizard still throws the same message.

For now I added the account to the Domain Admins group and this allowed the wizard to complete, but I'm wondering if there are specific, less broad permissions that can be assigned to this account to work on a domain controller. Please advise.

Thanks

Can't send e-mail from Outlook it's a Certificate Issue???

Can't send e-mail from Outlook it's a Certificate Issue???

SSL Server allows cleartext communication vulnerability - Direct Access Servers 2012 - PCI Scan


I wanted to check with the community about the following situation.

SERVERs are Windows 2012 running DA.

We have a third-party security company that runs PCI audit scans on a regular basis, and they have recently detected a vulnerability on the DA servers (see below). The DA servers are fully patched.

The proposed solution seems a little obscure, and doing some research I have found the following article, which describes the issue and a way to get it fixed on IIS servers (How to configure Microsoft IIS to not accept weak SSL ciphers).

http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

This is a standard security scan and my assumption is that a lot of Microsoft DA customers facing PCI scans will be experiencing the same issue.

We would appreciate if someone can advise or guide us into the right direction.

VULNERABILITY DETAILS
CVSS Base Score: 5.4 AV:N/AC:H/Au:N/C:C/I:N/A:N
CVSS Temporal Score: 4.4 E:F/RL:TF/RC:UR
Severity: 4
QID: 38143
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 08/06/2008
THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
The client-server communication is generally encrypted using a symmetric cipher like RC2, RC4, DES or 3DES. However, some SSL ciphers allow communication without encryption. This vulnerability allows anyone who can sniff the traffic between the client and the server to see the communication.
Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations.
IMPACT:
An attacker can exploit this vulnerability to read apparently secure communication.
SOLUTION:
Disable ciphers which support cleartext communication.

Replacing certs in cert store on ADFS server


Hi All,

I am building an ADFS environment. However, I have noticed that my certificates in the computer certificate store represent a different host name. I would like to fix this by placing a certificate into the store from my cert authority (internal). However, the cert authority is in a different forest. Would this cause an issue?

Thanks

Permissions of a program launched in service


Hello,

I have created a service using an account which is a member of Administrators (on the local server), but when I start the service, in the permissions group I don't have the Administrators group. I am starting the service with the same account that I created it with.

I checked permissions on the program, and Administrators is set up in permissions.

So I just want to add the Administrators group for the program launched in the service.

Regards,

Windows Firewall not opening Ports


Hi

I am not sure, but I think there may be a problem with a firewall on a server.

It's a Server 2012 server. I am trying to open port 5420.
I create the rule on the server, port 5420, all profiles.
It's open on the firewall and mapped to an external IP.

I run netsh firewall show state and it says the port is open.

I use this to test from the outside: http://www.yougetsignal.com/tools/open-ports/ and it says the port is closed.

I even disable the firewall on the server and it does not connect.

Should I reset the firewall to defaults and start again? Is there a way to fix this?

Thanks

Unable to setup OCSP Configuration after Issuing CA certificate renewal


I have just completed the 2 year renewal of our Issuing CA and I went to add the new Revocation Configuration to the OCSP server; however, I get the following error message when selecting the CA certificate from AD.

The error I get is "The CA certificate could not be retrieved. Element not found. (Exception from HRESULT: 0x80070490)"

This server is an OCSP end point for two issuing CAs and the first server configuration was set up fine. The two main differences between the two issuing CAs are that:

1. Issuing CA is configured as a SAN issuing CA.

2. The server has a 60 character name. Which I believe should not be a problem as it is less than the 64 char limit... but it is close.

Any ideas where to start troubleshooting setting up the new OCSP configuration for the renewed Issuing CA servers?

Thanks

Alan Burchill


Alan Burchill (MVP)
http://www.grouppolicy.biz

@alanburchill


Connection string security


Hello guys,

A few weeks ago a question came up in my company: which is the better way to write connection strings for connecting to Oracle databases? Should I use the complete data source, or use the service name from tnsnames.ora? Which is best practice?

for example:

<add name="XYZ" connectionString="Data Source=XYZ.WORLD;User ID=xyz;Password=xyz;"/>

or

<add name="XYZ" connectionString="Data Source=(DESCRIPTION =
    (ADDRESS_LIST =
      (LOAD_BALANCE = off)
      (FAILOVER = on)
      (ADDRESS_LIST =
        (LOAD_BALANCE = on)
        (FAILOVER = on)
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ1-1.internal.xyz.org.uk)(PORT = 1522))
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ1-2.internal.xyz.org.uk)(PORT = 1522))
      )
      (ADDRESS_LIST =
        (LOAD_BALANCE = on)
        (FAILOVER = on)
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ2-1.internal.xyz.org.uk)(PORT = 1522))
        (ADDRESS = (PROTOCOL = TCP)(HOST = XYZ2-1.internal.xyz.org.uk)(PORT = 1522))
      )
    )
    (CONNECT_DATA =
      (SERVICE_NAME = UVASA)
      (FAILOVER_MODE =
        (TYPE = select)
        (METHOD = basic)
        (RETRIES = 16)
        (DELAY = 1)
      )
    )
  );User ID=xyz;Password=xyz;"/>


Certificate stays in "Certificate Enrollment Requests" after issue


If I let the CA server automatically issue the certificates I have no issue with them going into the right part of the Cert store on the clients. If I set it to put the certificates to a pending status and then I manually issue them they end up in the Issued Certificates on the CA but on the client they remain in "Certificate Enrollment Requests" folder. Any idea what I am doing wrong??

Thanks so much!

How do I create a specific group so that only this group can move Active Directory objects between OUs?


How do I create a specific group so that only this group can move Active Directory objects between OUs?

This must be done because we need to apply a specific policy to an OU that has some computer accounts.

When would the "datagram variant of NTLM" be used?


Hello,

From:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;147706

"Because the datagram variant of NTLM does not have a negotiation step, use of otherwise negotiated options, such as NTLMv2 session security and 128-bit encryption for message confidentiality, has to be configured."

WHEN would the 'datagram variant of NTLM' be used? Under what circumstances? What apps or OS components? This seems like it would be rather important to know. Can anyone answer?

Regards

Problem with websites security certificate on localhost to access Highpoint RAID management


Hi,

I'm having a problem accessing the RAID management tool (which is browser HTTPS based), as I am presented with the message that there is a problem with the server's security certificate (this is on https://localhost:7402/). I click continue to this website and still no luck; access is still blocked. I am running Win Server 2012 and IE enhanced security is disabled. I also tried disabling 'check for server and publishers certificate revocation' in IE settings. It still did nothing. I even reinstalled the RAID manager and nothing. Windows is fully up to date. I did not have this problem previously running the same configuration on another Win Server 2012 machine.

Any ideas?

Thanks

Jake


Superseded certificates still showing up


We've rolled out the Cert Authority role in our domain but don't have it in production yet. We issued some certificates, then decided to customize our template. We followed the recommendation and copied the original template and set the original as Superseded. Then more than one cert would show up for staff - the original and the new ones - when you try to find an AD User (for a certificate in file properties -> Advanced -> Details -> Add -> Find User). You click to find a user and that person shows up with more than one cert.

We don't have this in production yet and have only encrypted a few test txt files and have tested from only two computers with two test accounts. In an attempt to reduce the number of certificates we simply revoked the older, superseded one. That didn't help. We eventually used certutil -deleterow [cert#] to remove the Superseded cert. That doesn't seem to have helped either. Even the deleted certificate shows up in the list and we can add that.

How do we reduce the number of certificates that staff can choose from when adding additional user certs to an encrypted file? We don't want them to see the revoked/superseded certificates.

Net Use Drive Mapping - Password guessing lockout policy


Trying to find out if there is a policy or way that I can lock out an account if the account being used is under a password guessing attack using Net Use drive mapping.

Example:

$net = New-Object -ComObject WScript.Network
$net.MapNetworkDrive("u:", "\\server\share", $false, "domain\user", "password")

So if the password is wrong, say 10-15 times, will it lock out, just like a Ctrl + Alt + Del Windows login would lock out? (With a Lockout Policy enabled)

Thanks for any help!


NTFS Permissions between parent and child folder


Hello,

I have a parent directory called: Data

I've created a child directory in this data folder that is called: final versions

I've set Modify permissions for a user on the data directory. I've added read rights to final versions for this same user.

Now what I don't understand according to the rules, is that explicit permissions go above inherited permissions. The way I see it is that the Read permissions take precedence (since they're explicit) over the modify rights (inherited). When I try this out the user does have Modify rights on this folder.

Can anyone explain this behaviour to me?

Many thanks,

Glenn

NtlmMinClientSec and NtlmMinServerSec - NTLM SSP - clarify what is meant by 'applications'


Hello,

Information I'm finding regarding the NtlmMinClientSec and NtlmMinServerSec settings all says they are for 'applications' that use NTLM SSP. However, it doesn't specifically say 'third party' applications, so are there built-in Windows components/tools that would in fact be using NTLM SSP and therefore be affected by these settings?

Example of the reference information:

http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx

"Hardening the NTLM SSP

The NtlmMinClientSec and NtlmMinServerSec settings, which are known as some variant of "Minimum session security for NTLM SSP based (including secure RPC) clients" in Group Policy, govern which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services.
The NtlmMinClientSec and NtlmMinServerSec settings do not modify how the authentication sequence works. Rather, they are used to require certain behaviors in applications that use the SSPI. Each setting contains a bitmask that can be used to require some combination of up to four different types of behaviors, shown in Figure A.
The easiest way to differentiate between the NTLM SSP settings and LMCompatibilityLevel setting is by just considering the items they affect. The SSPI settings govern the behavior of applications that use authentication, while LMCompatibilityLevel governs which authentication protocols the operating system can use."

2012 Enterprise Root CA CRL Issues


I recently migrated my 2008 R2 Enterprise Root CA to 2012 keeping the same host name and CA name.  I ran into a few issues at first with errors in the event logs which were resolved by giving the computer account full access to the CDP and AIA containers in AD even though the Microsoft documentation says this isn't required unless the computer name changed.  Of course this doesn't make sense considering they require that you delete the computer account and then join the new CA with the same computer name (SID changes).

The issue I'm running into now is regarding CRLs.  The CA is generating new CRLs automatically (pkiview.msc shows everything healthy), however if I revoke a certificate, wait for the Delta CRL to expire, and view the certificate on a server with MMC -> Certificates, it still shows as valid.  The only way the certificate stops working is if I check "Check for server certificate revocation" in IE and browse to the site.  Is this intentional?  I was assuming if a server downloads the latest Delta CRL, it would show as revoked in the Certificates MMC when I view the certificate, and when I browse to a site whether or not the "Check revocation status" is checked in IE.

What is the expected behavior?  Is there a way to view the current CRL cache on a server?


SSL/TLS Initialization Vector Information Disclosure for Port 8080, 9080


I have an issue where I have several external Internal facing web servers that need the SSL/TLS Vector Vulnerability, and I need help understanding how to fix this. I have the Windows Servers patch for the fix in place, but that did not fix it. I have to modify the registry. The servers are Windows 2003 Servers. Any information will be great at this time.

ASP.net Application showing Access Denied to share folder on Another server.

I have a fairly simple environment. I have two web servers (Server A and Server B) which are running the same ASP.NET application. Server A is connected to the SAN, while Server B is writing files to the Server A drive using it as a shared drive (via the $ sign). Sometimes, out of the blue, Server B starts to show Access denied to the share path (\\serverA\D$), but after restarting Server B everything works fine for around 1 month or so. Any idea? The OS is Windows 2008 R2 and both servers are on the domain, plus the application is deployed via a local Admin account and ServerB is included in the Administrators group of Server A.