can microsoft NPS support checking healthy setting for other application?
can SHA or SHV check update for other application like acrobat reader?
if yes would you please send me the list that it can supported?
↧
Microsoft NPS and SHA and SHV Support
↧
HP Integrated Lights-Out (iLO) will allow attackers to bypass the security.
Good Day Team,
On the finding of HP has suggested HP-ILO will allow to attackers to hack the servers ? is it true or just a myth only.
CVE-2013-4784 CVSS Base Score = 10.0
The HP Integrated Lights-Out (iLO) BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.
Help would be appreciable.
Paul
↧
↧
2012 Radius w/ 2008 Domain
Will this work? I'm going to begin setting up Radius on our network and figured it'd be better to put this on a 2012 server if it will work with our 2008 domain controller's.
↧
Network Permission In Domian
I am a Tech employed by a fairly large organization. I recently noticed that I am able to browse our local network unrestricted. I can access all PC's including our CEO's. I can access Servers hosting mission critical data as well. Fortunately I am not malicious and would like to help resolve this problem. Before I bring it to anyone's attention I would like to at least be able to explain why this is. We are in a HIPPA environment, so this is not something that we should be able to do at all. All other network resources seem to be secure, but I know if I snooped around I could probably get into anything I want. I would like to. Is this the way a Domain works by default, or is there something that should have been done when it was initially setup that was not?
↧
RAS / VPN Policy
I have a windows server 2003R2 RAS server and a 2008r2 domain environment. I'm trying to accomplish a VPN policy through RAS to only allow certain user accounts and only allow domain joined computer accounts. If anyone has any advice on how
to accomplish this please let me know. Thanks in advance!
↧
↧
Setting Up Rules for SMTP in Windows 2003 Firewall from a remote client
I have a dedicated windows 2003 server rented from Godaddy.
I manage the server from my home office using Remote Desktop.
Recently I began receiving hundreds of thousands of unauthorized login attempts to my mail server (345,384 in the last 10 days).
I use Rockliffe's MailSite mail server (version 7). It does not make easy to block this kind of attack, and I think it would be safer to stop it before it reaches the mail server.
So I am thinking to use Windows 2003 Firewall to solve the problem.
I was afraid I would loose my Remote Desktop connection after activating the firewall, but I tried using a local virtual server and I was able to keep the RD connection alive and available.
Now, what I need is to ban specific networks from reaching the mail server (90+% of the attack comes from 3 or 4 ISPs).
Can any one help me find documentation that teach me how to define and activate, in Windows 2003, a firewall rule of the form "Allow inbound access to SMTP service for everyone except for these networks"?
Thank you,
↧
File & Folder Permissions in AD for Domain Users
Hello
I have a Windows Server 2003 SBS running as a DC and File Server. However I have started running into the problem of old users who created directories and have since left the business. With their AD accounts deleted, when you look at the security tab of some folders it shows the Unknown User details.
I also have another problem in that some folders are finance related and not all users need access to these folders.
What I would like to do is create an OU in AD. Add groups into the OU with a combination of the different users of who can and cannot access the different folders. This will allow me to have a cleaner security structure rather than what is currently happening.
What I would like to know is whether this is feasible or whether there are other ways of accomplishing the same result with less overheads/effort?
↧
Custom NPS SHV with custom configuration attributes
How do I create a custom NPS SHV with custom configuration attributes such that instead of a dialog editor it is a property sheet that integrates better into the admin further provide custom ?SoH? attribute fields such that an admin can set policy based
on these field values. The NPS SDK doesn't really talk about which interfaces needs to be implemented or what xml needs to be provided to get equivalent functionality in other commercial SHV's.
↧
Windows 7 Client doesn't renew dhcp address after an other user logs on
Hello,
we have an W2K8R2 NPS Server running and the client W7 are using PEAP (Computer or User Authentication). Since every user can be in a different vlan I want client to restart the dhcp client everytime a user loggs on. But it doesn't work with Windows 7.
Can that be trigged by the NPS or is there any setting on W7 that needs to be change.
Appreciate the help.
Thomas
↧
↧
Event ID 4625 Null SID Guest account currently disabled
Hi, I'm seeing several Audit failures with the event information below. System is Window Server 2008 R2 in vitrual environment. Basically the event states that the Guest account tried to access Windows explorer and the user account is disabled. The system is in test at the moment and I'm the only one accessing the machine. The guest account is disabled but I'm tring to figure out why the login attempts?
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/17/2013 5:36:04 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NEWPRD.sorvive.com
Description:
An account failed to log on.
Subject:
Security ID: NEWPRD\Administrator
Account Name: Administrator
Account Domain: NEWPRD
Logon ID: 0x1245586
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: NEWPRD
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process ID: 0xce0
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Workstation Name: NEWPRD
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2013-08-17T21:36:04.587579800Z" />
<EventRecordID>17342</EventRecordID>
<Correlation />
<Execution ProcessID="656" ThreadID="2812" />
<Channel>Security</Channel>
<Computer>NEWPRD.sorvive.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-2531602938-1099658101-1319544182-500</Data>
<Data Name="SubjectUserName">Administrator</Data>
<Data Name="SubjectDomainName">NEWPRD</Data>
<Data Name="SubjectLogonId">0x1245586</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Guest</Data>
<Data Name="TargetDomainName">NEWPRD</Data>
<Data Name="Status">0xc000006e</Data>
<Data Name="FailureReason">%%2310</Data>
<Data Name="SubStatus">0xc0000072</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Advapi </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">NEWPRD</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0xce0</Data>
<Data Name="ProcessName">C:\Windows\explorer.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
↧
WPA2-Enterprise Radius Authentication Windows Server 2008 R2
Hello,
I have tried a few online tutorials for providing secure wireless access. I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it. My goal is to create a wireless SSID that utilizes WPA2-Entperise for users to connect. Their AD credentials would need to belong to my "Wireless Users" group. I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies, and then added the settings to the router. When I've tried both ways, the wireless network never connects to the network. If I un-check the "Use Windows login credentials" a username/password field pops up. I enter the credentials (tried both username and domain\username) of an account that is part of "Wireless Users". When I hit OK it sits for a few moments, and then pops back up again. When I do check "Use Windows login credentials" it says it can't connect.
I have tried different firmware on the router, and I know the router is not the issue. This server is joined to my domain controller. It feels like the NAP server is not reaching the domain to authenticate credentials. Am I doing anything wrong that I should be made aware of? In NAP if I right click the server, the "register in active directory" is greyed out, which I assume is because it's already joined to the domain.
I appreciate any help you can provide.
-Ken
↧
IPsec and addressing a server from itself via a DNS Alias to SQL Server on Port 1433 when blocked by IPsec
When using IPsec on Windows Server 2008 R2 to limit access to port 1433 (i.e. SQL Server 2008 R2) to specific IP addresses. Having blocked access from any address to the server's IP Address on port 1433 via a filter, and then only allowed specific IP addresses access via a filter, it appears to not then be possible to allow access to port 1433 from the server itself via a DNS alias. If the server is accessed via its name rather than the alias this appears to work (probably using shared memory protocol).
I have tried adding a filter to allow access from the server's ip address to itself but this does not work.
Any ideas how access via DNS alias on the server itself to itself can be made to work please? It does not appear that this can use shared memory access.
Name pipes and via protocols are disabled to port 1433, but shared memory and tcp/ip are enabled in SQL Server configuration manager.
I need to be able to use DNS Alias so that an application that does not support specification of a mirror in a connection string can be directed to the correct SQL server which currently has the principle and port 1433 is protected via IPSec.
Regards Ivan Piacun MNZCS Senior Developer and Database Administrator AgResearch Limited
↧
Server 2012 and Radius
Hi,
I'am getting ready to deploy RADIUS in our organisation, but i'am getting error from Windows XP (SP3 + All updates)
This is how I set it up, i have a Windows 2008r2 DC's and a Windows Server 2012 NAP server. I requested a certificate for [servername].domain.com, this is no problem for windows 7, 8 and smartphones. But Windows XP keeps popping up with the following error:
Reason Code:269
Reason:
The client and server cannot communicate, because they do not possess a common algorithm.
This is a laptop in an other domain, but it see the certificate as valid. I don't have a AD CS deployed, is the necessary for deploying RADIUS?
Thnx!
↧
↧
DNS server sending automatic packets
Hi forum,
I have configured a DNS sever(10.100.1.16) on a Server 2012 VM for Lab. But it is noticed in the firewall the dns server is automatically sending packets to some public ip's. can you help me figure this out.
↧
SYSTEMアカウント(サービス)から、他のWindowsマシンの共有フォルダを参照したい
現在、サービスから他のWindowsマシンの共有フォルダ内のファイルにアクセスしようとしています。
環境
Server:Windows Server 2008 R2(共有フォルダを公開)
Client:Windows 7(サービス実行マシン)
サービスのプロパティをユーザー権限で実行すると参照することはできますが、
SYSTEMアカウントで実行されたサービスでは、共有フォルダ内のファイルにアクセス出来ません。
SYSTEMアカウントで他のマシンの共有フォルダ内のファイルを参照する方法はないのでしょうか?
#開発の仕様上、WNetAddConnection2()の関数は使用することが出来ません。
環境
Server:Windows Server 2008 R2(共有フォルダを公開)
Client:Windows 7(サービス実行マシン)
サービスのプロパティをユーザー権限で実行すると参照することはできますが、
SYSTEMアカウントで実行されたサービスでは、共有フォルダ内のファイルにアクセス出来ません。
SYSTEMアカウントで他のマシンの共有フォルダ内のファイルを参照する方法はないのでしょうか?
#開発の仕様上、WNetAddConnection2()の関数は使用することが出来ません。
↧
windows 2008 R2 server can access ONLY https sites, any of http sites CANNOT be accessed!!
I am having a strange problem with my server machine. It is with all of the browsers Chrome, firefox, ie. I have been working on this issue for many hours and this is what I have done so far.
- CAN ping www.google.com, www.youtube.com or any non http or https sites.
- Installed and ran almost all malwares and tools: hitmanpro, HiJackThis, msert,tdsskiller FOUND NOTHING
- malwarebyes-cannot download the latest file but ran 120 day old - FOUND NOTHING
- eset does not run as it cannot connect to its site.
- Ran MS "test internet connection" indicated some policy need to fixed and after the fix applied, no connection to http sites
- Ran fiddler tool for any http request "error: 504 prot: http site:www.google.com
- I can go to any bank/credit card sites, www.gmail.com and they all work fine.
Any suggestion, help will be greatly appreciated. Searched and searched the net for solution did tried almost all but no mustard.
↧
IPSec-VPN with Windows Firewall + Routing&RAS with PortForwarding and Ping?
Hello,
i have a little complex question.
The Scenario is following:
- One physical Server, called Hyper-V-Host, which is located in a big Data-Center, Windows Server 2012
- Some vritual HyperV-Machines, Windows Server 2012, Winows 7
On the physical Server we have enabled a virtual Switch with two virtual Interfaces, one called "external", one called "internal".
We have enabled NAT via Routing and RAS, because the virtual machines does need access to the internet of course. Every VM gets the virtual "internal" NIC assigned.
Also, we have some IPSec-Connections to different Routers of Locations of the Customer. These IPSec-Tunnels are created with the Windows Built-In extended Firewall.
First thing to mention is, that if routing and ras is enabled a ping to the outside networks is not answered. If i disable Routing&RAS the ping to the outside networks works just fine. because we need ping only for debug, this is no problem so far, but now here comes my problem.
i need a RDP-Connection from one client of the outside-networks to one of the virtual machines. so basically a port-redirect would be all necessary.
The VPN-Connections are built-up with the public ip-adresses of the physical server as endpoint. if i use the ip of the virtual internal ip (192.168.137.1) or the complete subnet (192.168.137.0/24) the vpn-connection does not work. because of this, the complete traffic to this server does go the way through the VPN-Tunnel. I tried to create a port-forward using the NAT of R&RAS but this seems to work over the external interface, but not through the vpn-tunnel.
the simple question is: how can i solve this?
and btw - is there any solution for the ping-problem?
any hint would be great!
↧
↧
Can I use the NPS as a second Factor Authenication for Remote users and How do I set it up?
I lost My Radius Server because it was old software and when we migrated to the new network I tried to reload it and the company had been bought and it wasn't worth the hassle of trying to get it again. It was a RADIUS System that did a call to your listed
phone when you logged in to Authenticate you through your phone. The NPS looks like it may be a viable option. Has anyone used ti for this purpose?
Scott Cummins
↧
Can a MAC filter ever be 'Full'?
I work in a very large organization that runs Windows Server 2008 R2 for domain controllers. The direct customer support technicians (me) were recently told by a higher tier that any new systems to be added to the domain must have a request submitted showing
the MAC address of the system it is replacing. Their reasoning was that the MAC filter file was full and no new MAC addresses could be added. This seems highly unlikely and an excuse for some other reason. Is it possible that the MAC filter ACL could ever
become too full to add new MACs? If not, what other scenarios might explain this 'excuse'?
↧
NPS on SBS 2008 and problem with conditions for computer groups
Hello,
I have SBS with NPS, that authenticate VPN clients.
If I set up condition, that users must be member of specific AD user group to connect, it works ok. But when I want to have one other condition, that also the device, the user is dialing VPN from, is a member of AD computer group it stops working.
In server logs are errors, that user doesn't have rights to connect to the network. (ID 20271)
Is there any special how-to to make working two conditions (first - user is part of specific AD user group, second - computer is part of specific AD computer group)?
Thanks for help
J.Slady
↧