Security Forum
Discussion on Windows Server security topics and technologies
© 2009 Microsoft Corporation. All rights reserved.
Mon, 30 Nov 2009 20:09:12 Z

----------------------------------------------------------------------
Roaming profile won't load b/c access denied to url link in favorites folder??
Posted by HealthCareTech (http://social.technet.microsoft.com/Profile/en-US/?user=HealthCareTech)
Posted: Mon, 23 Nov 2009 16:10:38 Z | Updated: 2009-11-30T20:09:12Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/2abdf9ab-cad1-45b2-a7d2-e88781cf9020

Server 2003 SP2 acting as DC, FS, PS.
Clients are all XP Pro SP3
Roaming profiles in use
Folder redirection in use
Problem occurs with *some* user profiles, but not all - doesn't matter which client is used to log in

After getting reports that some users were getting error messages that their roaming profile could not be loaded, I was able to see the 'access denied' error message pointing to \\server\profiles\%user%\Favorites\Links\msn.com and the details that the system was unable to copy the file to the local drive.

Looked like a clear security settings problem (though odd to occur out of the blue). I checked permissions on the Links folder and all are set per "the book" and have been working fine previously. I attempted to change permissions on the offending Links files but access was denied even though I was physically at the server and logged in as the administrator. Ownership was set to the Administrators group so I attempted to take ownership as the administrator but access was denied (what the?). I attempted to delete the file but again, access was denied.

FYI, when checking properties on the individual files, I only see the General tab, not the Web Document or Security tabs (probably b/c I don't have access :-). So my attempts to take ownership and otherwise change NTFS settings were at the Links folder level, attempting to push settings down to all child folders and files - access denied.

I'm starting to think virus, but I can't find any mention of this behavior anywhere on the web.

This is becoming crippling as it is preventing users from accessing needed files.

Any thoughts?

----------------------------------------------------------------------
Can't log on to W2K Server from Windows 7 Pro
Posted by Huge123 (http://social.technet.microsoft.com/Profile/en-US/?user=Huge123)
Posted: Sun, 29 Nov 2009 23:59:01 Z | Updated: 2009-11-30T16:48:29Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/376974d2-2a25-48c9-a52d-330739003dfe

We have a Windows 2000 Server sharing files. From my new Windows 7 Pro computer I get an error logging on which says "Logon Failure: unknown username or bad password". The password and username are correct (the same ones that have been on the W2K server for years and in use for years). I tried several other usernames and passwords with the same results. They still work from my XP boxes. Could it be that the machine name is messing up W2K - i.e. Win 7 may be using "COMP1\User1" as the username instead of just "User1"? I need a workaround or fix.
Any ideas?
Thanks

----------------------------------------------------------------------
creating special limited user
Posted by M.Saadati (http://social.technet.microsoft.com/Profile/en-US/?user=M.Saadati)
Posted: Mon, 30 Nov 2009 15:43:30 Z | Updated: 2009-11-30T15:43:31Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/8e64093f-e153-464d-80e8-27099174ac4d

Hi

How can I create a limited user that can only install software?

Regards

----------------------------------------------------------------------
Remote shutdown without admin rights
Posted by Victor M$ (http://social.technet.microsoft.com/Profile/en-US/?user=Victor%20M%24)
Posted: Mon, 30 Nov 2009 01:42:56 Z | Updated: 2009-11-30T11:13:07Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/0a05f0ac-fd3b-4755-9417-1c0e055be38b

Hi all!
I have been trying to remote shutdown a server without admin rights but it doesn't work! If I run the same command with an account that has admin rights, it works.
The server is a domain controller (Windows 2003) and in the Default Domain Controllers Policy I allow the following rights to the user:
- Force shutdown from a remote system
- Log on as a batch job
- Shut down the system
- Log on locally

Note: I run it through runas by script. Repeat, if I use an admin account in the script it works fine... so it's a rights issue.
If I log on locally with that account I can shut down the server.
I tested it in a lab with a clean domain and it does not work.

What more rights are needed?
What can I do?
In the security log, 3 events show up after running the script:

1:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/29/2009
Time: 10:35:27 PM
User: NT AUTHORITY\SYSTEM
Computer: DEN-DC1
Description:
User Logoff:
  User Name: DEN-DC1$
  Domain: CONTOSO
  Logon ID: (0x0,0x2BB70)
  Logon Type: 3

2:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 11/29/2009
Time: 10:35:36 PM
User: NT AUTHORITY\SYSTEM
Computer: DEN-DC1
Description:
Authentication Ticket Request:
  User Name: apago
  Supplied Realm Name: CONTOSO.MSFT
  User ID: CONTOSO\apago
  Service Name: krbtgt
  Service ID: CONTOSO\krbtgt
  Ticket Options: 0x40810010
  Result Code: -
  Ticket Encryption Type: 0x17
  Pre-Authentication Type: 2
  Client Address: 10.x.x.x
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:

3:
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 11/29/2009
Time: 10:35:36 PM
User: NT AUTHORITY\SYSTEM
Computer: DEN-DC1
Description:
Service Ticket Request:
  User Name: apago@CONTOSO.MSFT
  User Domain: CONTOSO.MSFT
  Service Name: DEN-CL1$
  Service ID: CONTOSO\DEN-CL1$
  Ticket Options: 0x40800000
  Ticket Encryption Type: 0x17
  Client Address: 10.x.x.x
  Failure Code: -
  Logon GUID: {3ac8eb70-c331-ab85-f64b-6cebd5d30cb5}

Regards!!!

----------------------------------------------------------------------
Windows Server 2008 R2
Posted by Vikram Thakor (http://social.technet.microsoft.com/Profile/en-US/?user=Vikram%20Thakor)
Posted: Mon, 30 Nov 2009 04:58:34 Z | Updated: 2009-11-30T11:09:01Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/2a3940db-6926-4c63-a0e6-0e859053a1fe

How to create group policy in Windows Server 2008 R2?

----------------------------------------------------------------------
Security advice
Posted by Ben3297 (http://social.technet.microsoft.com/Profile/en-US/?user=Ben3297)
Posted: Sun, 29 Nov 2009 10:38:39 Z | Updated: 2009-11-29T10:38:40Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/c83fb88e-37b3-4224-90f4-775616f21861

Hi Guys/Gals

I'm a newbie so be gentle, lol.

I'm reading through the MCTS in order to set up a client/server network within my home office. I have 4 staff members and then me. I've managed to set up, albeit with trial software so far, 5 x Windows 7 Professional clients and 1 x Server 2008 (x86) running AD DS, DHCP and DNS; I've also set up some shared folders for the staff.

I have a Netgear WNR2000 router to which the server has a wired gigabit connection. The clients access the router via wireless N speeds. I currently have McAfee Antivirus Enterprise 8.7 running on the server and clients.

Should I be investing in firewall software for all the computers or will the one on the router be sufficient? I have not got to the section in the books about the security wizard just yet. What websites/tools are available to test my exposure/threat level/vulnerability etc.?

Thanks in advance

CD

----------------------------------------------------------------------
A question about executing Certification Services Monitor script...
Posted by imprise (http://social.technet.microsoft.com/Profile/en-US/?user=imprise)
Posted: Sat, 28 Nov 2009 08:50:35 Z | Updated: 2009-11-28T23:30:59Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/118e7d54-77c3-4f58-a55f-ac8d0792923f

Hi all;

When I execute the Certification Services Monitor script on my Windows Server 2008 box, the following output appears:

C:\>cscript camonitor.vbs /CAAlive /CACertOK /CACRLOK /KRAOK
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

11/27/2009 11:44:21 PM   certutil -ping:OK
11/27/2009 11:44:21 PM   certutil -pingadmin:OK
11/27/2009 11:44:21 PM   checking validity of CN=contoso-SERVER01-CA, DC=contoso, DC=com Serial Number:6306185397716BB74FF8060AE6B47895
11/27/2009 11:44:21 PM   CA Cert OK
11/27/2009 11:44:22 PM   Retrieve environment variable 'COMPUTERNAME':OK
11/27/2009 11:44:22 PM   eventcreate /T ERROR /SO "CA Operations" /ID 100 /D "Error: failed to read at least one CDP from certificate:CN=SERVER01.contoso.com" /L Application:OK
11/27/2009 11:44:22 PM   failed to read at least one CDP from certificate:CN=SERVER01.contoso.com
11/27/2009 11:44:22 PM   No KRAs

C:\>

Although the output says that it "Failed To Read At Least One CDP From Certificate", the PKIView.msc utility does not show any error messages. Please look at the following figure:

http://cid-3a822dbb941c4298.skydrive.live.com/self.aspx/.Public/1.GIF

Any idea?

Thanks

----------------------------------------------------------------------
Error message when executing Certificate Authority Monitor script
Posted by imprise (http://social.technet.microsoft.com/Profile/en-US/?user=imprise)
Posted: Sat, 28 Nov 2009 06:21:31 Z | Updated: 2009-11-28T07:28:47Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/360d1529-125b-4300-a446-b9d5c4d04c1c

Hi all;

I have a Windows Server 2008 Enterprise CA. According to this link (http://www.microsoft.com/technet/scriptcenter/solutions/camon.mspx), when I execute the script by using the following command, I see an error message:

C:\>cscript camonitor.vbs /CAAlive /CACertOK /CACRLOK /KRAOK
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
11/27/2009 10:04:22 PM certutil -ping:OK
11/27/2009 10:04:22 PM certutil -pingadmin:OK
11/27/2009 10:04:22 PM CAPICOM is not registered ... quitting
11/27/2009 10:04:22 PM CAPICOM is not registered ... quitting
11/27/2009 10:04:22 PM CAPICOM is not registered ... quitting
C:\>

I have also installed Microsoft CAPICOM 2.0 (http://www.microsoft.com/downloads/details.aspx?FamilyID=860EE43A-A843-462F-ABB5-FF88EA5896F6&displaylang=en). Is this version of CAPICOM not supported on Windows Server 2008? If so, which version is compatible?

Thanks

----------------------------------------------------------------------
All Domain users have access to Domain Controller Admin Shares
Posted by PM505 (http://social.technet.microsoft.com/Profile/en-US/?user=PM505)
Posted: Wed, 25 Nov 2009 20:31:23 Z | Updated: 2009-11-27T15:35:38Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f5553beb-7c3c-4b9a-8dbc-a45de44de9c9

I just discovered that all of our domain users can access our domain controller C$ drive shares. I am unsure how long this has been like this, but I do know I (even as network admin) would be prompted for my domain admin credentials to access those shares in the past.

All of our member servers prompt for username & password if we attempt to connect to those admin shares.

I am hoping this was an inadvertent change from our end. Any ideas on what settings might allow for this activity, and where I can find them?

Our environment:
Windows 2003 SP2
Win 2003 Forest & Domain level.

Thanks!
Matt

--
Matt Miller

----------------------------------------------------------------------
New user profile is corrupted after computer restart
Posted by Johnvan3260 (http://social.technet.microsoft.com/Profile/en-US/?user=Johnvan3260)
Posted: Fri, 27 Nov 2009 05:42:40 Z | Updated: 2009-11-27T08:27:38Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/e97229be-2bf2-471b-8da0-6c9404b8c4e4

Hi,

I have a Windows 2003 domain and around 100 XP client machines. I often need to set up an existing user on a different PC and have done so without problem for years.

Now I have two PCs on which I set up new user profiles (domain users) and that works fine until the PC is restarted. On logging on, I get a message saying Windows cannot load the locally stored profile, suggesting insufficient security rights or a corrupted profile. All the settings, e.g. printer, proxy, mail etc., are gone.

I have added these users to the local Administrators group to avoid security rights problems. This happens every time I set up a user on these two PCs. Setting up the same users on other PCs causes no issues. The existing users on the PCs can still log on without issues.

Any ideas as to what might be happening here? Because it happens on two separate PCs it seems to be related to the domain rather than the PC itself.

Thanks,

John

----------------------------------------------------------------------
user authentication against NIS
Posted by Ola E (http://social.technet.microsoft.com/Profile/en-US/?user=Ola%20E)
Posted: Wed, 25 Nov 2009 13:58:50 Z | Updated: 2009-11-27T08:04:04Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/614c4d7d-8ac6-44c4-b4df-64d64d890bca

Hi Everyone,
We have a lot of Linux servers and a couple of Windows servers in our server park.
All our shared folders have been on the Linux machines, and the authentication is done via NIS.

We have now come to an issue: we have a new program that needs to be installed on a Windows Server 2008, and it needs to have a share on the machine.
We need to be able to authenticate users that connect to the share against the NIS on the Linux machine. How do we do this??

Policies shall be applied on a group level.

Best regards
Ola

----------------------------------------------------------------------
Windows XP SP3 client cannot obtain certificate from Windows 2008 R2 Enterprise Issuing CA
Posted by Arie de Haan (http://social.technet.microsoft.com/Profile/en-US/?user=Arie%20de%20Haan)
Posted: Wed, 18 Nov 2009 15:14:53 Z | Updated: 2009-11-26T22:29:59Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/97bd8025-b3e4-48f3-ba80-65a9bf310aec

When requesting a certificate with a Windows XP SP3 client through the web interface, the issued certificate cannot be installed. The error dialog box states:
Unable to install the certificate: Error: 0x80090008 (this happens when using IE6, 7 or 8)
When doing the same procedure from a Windows 7 (IE8) client, the certificate can be installed.

As far as I could research, this means that an invalid algorithm is used.

The errors I see on the IssuingCA are the following. This occurs around the same time a certificate is requested.

When a certificate is requested which needs approval it ends up in the Pending Requests (e.g. this is request ID 141). When this request is issued, it is displayed in the Issued Certificates, and it can be seen by the client when it requests the status. What happens on the CA is that another request, 142, ends up in the Failed Requests list due to Request Status Code: "The certificate has invalid policy. 0x800b0113 (-2146762477)" and Request Disposition Message: "Requested by <domain>\<user> Invalid Application Policies: 1.3.6.1.4.1.311.21.5". This is also represented in the Application Windows event log.

I also see the error on the CA (the same invalid application policy message) when using pkiview.msc and when hitting the refresh option in pkiview.msc on this IssuingCA.

What I found is:
When requesting a certificate with, for instance, Windows XP or Windows 7, the Issuing CA needs a CA Exchange certificate, as stated in
http://msdn.microsoft.com/en-us/library/cc249706(PROT.10).aspx#endNote13

A Windows client needs the CA to be able to present a CA Exchange (OID = 1.3.6.1.4.1.311.21.5) certificate.

In
http://msdn.microsoft.com/en-us/library/cc250045(PROT.10).aspx#id13
it states that a 2008 R2 CA will automatically make such a certificate.

The CA architecture is: offline RootCA, offline PolicyCA, enterprise IssuingCA. RootCA & PolicyCA have no entry for enhancekeyusageextensions in the CAPolicy.inf; IssuingCA has enhancekeyusageextensions in the CAPolicy.inf: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3, 1.3.6.1.4.1.311.10.3.12

So there is possibly a configuration error and I would like to correct the CA Exchange OID issues.

But far more important is to solve the error with the Windows XP SP3 client. I don't know if these two are related.

--
Greetz,

Arie de Haan
MVP SCOM
This posting is provided "AS IS" with no guarantees, warranties, rights etc.

----------------------------------------------------------------------
Invalid certificate when using Non Repudiation in certificate
Posted by Pete Sm1th (http://social.technet.microsoft.com/Profile/en-US/?user=Pete%20Sm1th)
Posted: Thu, 26 Nov 2009 10:34:09 Z | Updated: 2009-11-26T15:13:22Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/7035d230-4f3b-4c62-b460-4fa40223b1a5

Why is it not possible to specify "Signature is proof of origin (nonrepudiation)" as a Key Usage Extension when a certificate has the Request Handling set to "Signature and smartcard logon"? This setting is greyed out and appears to be not set.

Sorry if this is a no-brainer.

----------------------------------------------------------------------
Cannot start my computer
Posted by Saguis (http://social.technet.microsoft.com/Profile/en-US/?user=Saguis)
Posted: Sat, 16 Feb 2008 04:57:08 Z | Updated: 2009-11-26T14:10:07Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4b3898b0-7038-431d-afed-ed2505288ed4

Hi, this is Saguis. My laptop doesn't start; I can only see a message: "Windows cannot start (Windows Root) System32 hal.dll", and if I try Safe Mode the screen won't show anything. I have the Windows XP CD, but the laptop doesn't read it. Should I do something else before? Or is there anything else I need to do, because F8 doesn't let me do anything; I tried all options and it is not responding. What do I need to restart my computer?

----------------------------------------------------------------------
Certificate Services will not start because
Posted by w.alsbury (http://social.technet.microsoft.com/Profile/en-US/?user=w.alsbury)
Posted: Thu, 26 Nov 2009 09:57:45 Z | Updated: 2009-11-30T07:46:33Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/6e3883f0-03e6-4207-a674-aaf404ab5069

I am in the middle of server moves and have an error on my CA server which reads

Certificate Services will not start because the revocation server is offline.

I suspect that the server in question is now scrap. How can I recover this situation without having to buy new certificates?

----------------------------------------------------------------------
How to renew the certificate issued by a standalone 2003 Enterprise Edition server
Posted by Arunkumar GM (http://social.technet.microsoft.com/Profile/en-US/?user=Arunkumar%20GM)
Posted: Thu, 19 Nov 2009 09:55:15 Z | Updated: 2009-11-26T07:29:26Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/af88b11c-628d-49cf-9441-67362dc2bc7f

How to renew the certificate issued by a standalone CA

Hi Everyone,

I have configured a standalone CA and issued SSL certificates to end users who are anonymous users. All are made to request through web page enrollment; then we created the certificate and sent it to them through mail along with the private key. Now I need to renew the issued certificates' validity (all the certificates have a few more months of validity left).

I followed the following renewal process from TechNet.

Steps I followed:

1) Open Internet Explorer

2) In Address, type http://servername/certsrv, where servername is the name of the Windows 2000 Web server where the certification authority (CA) you want to access is located

3) Click Request a certificate, and then click advanced certificate request

4) Click Submit a certificate request using a base64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Here I used submit a renewal request by using a base-64-encoded PKCS #7 file.

5) Do one of the following:

Open Notepad. On the File menu, click Open. Select the PKCS #10 or PKCS #7 file and click Open. On the Edit menu, click Select all, and then, on the Edit menu, click Copy. On the Web page, click in the Saved request scroll box. On the Edit menu, click Paste to paste the contents of the certificate request into the scroll box.

If your Web browser security settings do not prohibit a Web page from accessing your disk, you can click Browse for a file to insert to locate the file you want to use for the certificate request. If you get a warning about the ActiveX control, click Yes to allow it to run, then click Browse. After locating and selecting the file you want to use for the certificate request, click Read!. On the Web page, click Read! to paste the contents of the file into the scroll box. See the note about using Browse.

6) If you are connected to an enterprise CA, choose the certificate template you want to use.
7) Click Submit.

After step 5 I am getting the error message as follows:

COM Error info:
CCertrequest:submit the data is invalid 0x8007000d(WIN32:13)

Suggested cause:

The certificate request contained bad data. If you are submitting a saved request, make sure that the request contains no garbage data outside the BEGIN and END tags, and that the file containing the saved request is not corrupted.

I kindly invite suggestions.

Thanks & Regards
Arunkumar.G

----------------------------------------------------------------------
Multiple enterprise subordinate CAs in one domain
Posted by Rimvydas (http://social.technet.microsoft.com/Profile/en-US/?user=Rimvydas)
Posted: Tue, 17 Nov 2009 08:52:56 Z | Updated: 2009-11-26T05:11:19Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4699b10f-75a5-4e04-9f1f-573fe13a41d4

Let's imagine that I have the following PKI structure: one root CA (standalone) and two enterprise CAs. One of these enterprise CAs has the Domain Controller Authentication template published and the other doesn't. As you may know, domain controllers autoenroll certificates according to this template from time to time. So my question would be: will a domain controller be able to find the correct CA in AD with the Domain Controller Authentication template enabled, and will it be able to autoenroll a certificate? I'm afraid that it can get stuck on the CA with this template disabled and fail with autoenrollment :( Thanks.

----------------------------------------------------------------------
Can a Standalone & Enterprise Certificate Authority both run on the same domain?
Posted by IceFactor (http://social.technet.microsoft.com/Profile/en-US/?user=IceFactor)
Posted: Tue, 24 Nov 2009 20:19:33 Z | Updated: 2009-11-26T17:47:49Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/cbc50b9c-8973-4953-8ec8-6c9ba126b1d2

Currently running a standalone certificate authority on the primary DC, which is Windows 2003 Std. Need to upgrade to an enterprise certificate authority on Windows 2003 Ent. Both certificate authorities would be on the same domain and domain controllers. Will running both a standalone and enterprise certificate authority on the same domain cause any issues? After all certificates have been duplicated I would take the standalone certificate authority down.

----------------------------------------------------------------------
How do you renew certificates issued by Standalone CA
Posted by PsharkAuburn (http://social.technet.microsoft.com/Profile/en-US/?user=PsharkAuburn)
Posted: Tue, 19 May 2009 20:37:43 Z | Updated: 2009-11-25T14:01:29Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/768f3352-8830-4d41-846c-bdf2727da080

CA server is Windows Server 2008 in standalone mode; clients are both Windows XP and Windows Vista.

How do you renew expiring certificates when your CA is a standalone CA? Any attempts in the MMC snap-ins come back with "request contains No Certificate Template info", which makes sense because standalone CAs do not use templates. So how do you renew a certificate? Or specifically, how do you create a certificate request for renewal using command-line tools, which I'm guessing is the only option? Any help appreciated.

----------------------------------------------------------------------
NPS Server Certificate
Posted by carfand (http://social.technet.microsoft.com/Profile/en-US/?user=carfand)
Posted: Tue, 24 Nov 2009 23:33:11 Z | Updated: 2009-11-27T07:06:56Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/d1c467ac-289a-4fdc-945f-4216eec74399

I'm trying to follow the steps to use NPS for secure wireless access: http://technet.microsoft.com/en-us/library/cc771696.aspx. I'm following the steps to set up PEAP-MS-CHAP v2 Wireless Authentication. I'm at the part where I'm trying to set up an enterprise CA and issue a new certificate template that can be used by the RADIUS server. The new template is supposed to be based on the RAS and IAS template. I follow the steps to duplicate and customize the RAS and IAS template. When I go to the CA and choose New -> Certificate Template to Issue, only the version 1 templates are available to issue to the CA.

I'm running Server 2008 SP2 Standard. The Ent. CA is also running DS.

Maybe I'm running into this problem because I'm using the Standard edition of Server 2008? If this is the case, what options do I have?

Thank you.

----------------------------------------------------------------------
A Need to Customize Certreq Command and .inf File
Posted by bethg-s (http://social.technet.microsoft.com/Profile/en-US/?user=bethg-s)
Posted: Tue, 24 Nov 2009 23:36:25 Z | Updated: 2009-11-30T13:02:11Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/53c08e0f-942b-4488-b4fd-e191773e63ae

Hi all;

I have a need to change the following OID value for osVersion:

1.3.6.1.4.1.311.13.2.0

Using the certreq utility on the command line of Windows 2003 (2008 as well) to generate a CSR, this OID is set to:

5.2.3790.2

I need to change it to something more like:

6.0.6001.2

But I have no idea how to do this from the research I have done on TechNet. I cannot see how to do this in a .inf file from the white paper; and I do not have templates available so I cannot/have not explored that option.

Thanks in advance if anyone can respond.

----------------------------------------------------------------------
Guest Account Audit
Posted by RevoBasher (http://social.technet.microsoft.com/Profile/en-US/?user=RevoBasher)
Posted: Tue, 24 Nov 2009 16:16:05 Z | Updated: 2009-11-25T07:21:50Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f1059ae1-fcb9-4bb7-932e-e04d900da682

Is it possible to audit who is enabling the guest account on a 2003 R2 Server?

Thanks!

----------------------------------------------------------------------
Forced logouts
Posted by Niels Werner Mortensen (http://social.technet.microsoft.com/Profile/en-US/?user=Niels%20Werner%20Mortensen)
Posted: Tue, 24 Nov 2009 17:09:30 Z | Updated: 2009-11-25T07:11:57Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/c968cdfc-1c7b-48d7-973c-7d6b6ca20879

In a Windows 2003 domain, users (out of the blue) get logged out with a resulting Event ID: 680 and Error Code: 0xC0000234 in the security log. I have been trying to find a pattern in who gets logged out with little success. The only new "thing" I can think of is that we're now getting Windows 7 PCs in the domain. Our 2 DCs are fully patched, but getting on a bit (don't we all).

--
Niels Werner Mortensen

----------------------------------------------------------------------
Cannot run Scheduled Tasks from user account
Posted by ricc363 (http://social.technet.microsoft.com/Profile/en-US/?user=ricc363)
Posted: Fri, 20 Nov 2009 07:05:47 Z | Updated: 2009-11-27T01:47:20Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5f05471f-edee-4be5-83ac-360a3c7c5e73

I deployed a Windows 2003 Server Std R2 as a file server, just in a workgroup. For security reasons, I created a user account to log on with, instead of using the Administrator.
Is it correct? But I can't run scheduled tasks like antivirus scanning and UPS monitoring. I use ClamWin antivirus and Upsilon 2000 for the UPS. The command Run As doesn't solve the problem. Is there a solution, or must I necessarily use the Administrator session?

----------------------------------------------------------------------
small business server 2003 configure rras firewall to allow exception for vnc application
Posted by gadgets906 (http://social.technet.microsoft.com/Profile/en-US/?user=gadgets906)
Posted: Sun, 22 Nov 2009 23:33:02 Z | Updated: 2009-11-25T02:00:11Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/8a058f40-a5b7-441d-a85a-e81396ecf2c8

Running SBS 2003 with two NIC cards as a router, firewall enabled through RRAS; have VNC installed and it was working remotely until a recent Microsoft update. Now when attempting to configure VNC, an error message appears stating the firewall needs to have an exception for the program VNC. Could really use some advice as to where to make the exception and add the necessary ports.

----------------------------------------------------------------------
What is WGASETUP.EXE
Posted by Spinnergirl (http://social.technet.microsoft.com/Profile/en-US/?user=Spinnergirl)
Posted: Fri, 20 Nov 2009 22:27:48 Z | Updated: 2009-11-25T00:39:34Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/efb26fd2-32a0-4071-8e79-9f53f8b1964d

I have blocked this program and need to know what it is. I think I have been hacked and phished and then this popped up, so I blocked it. Is it a program I need? I am at my wits' end trying to figure out everything that is going on. How do I get rid of a hacker? I think my McAfee product has been corrupted as well.
Thanks for any help! Please reply ASAP!

----------------------------------------------------------------------
Wireless question
Posted by obnetadmin (http://social.technet.microsoft.com/Profile/en-US/?user=obnetadmin)
Posted: Thu, 30 Jul 2009 19:25:31 Z | Updated: 2009-11-24T23:41:33Z
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/b555bb0e-79b4-4c05-9a2e-bbb6b5f1b9b2

Don't know if this is the correct forum but I will start here. I have a single forest, single domain Windows Server 2003 AD environment. I have a separate subnet for wireless traffic on one of my network segments. We are using Proxim AP-4000 access points. Is there a way (either through DHCP or Group Policy) to block unauthorized devices (iPods, iPhones, etc.) from obtaining an IP address? Or should I think about setting up a RADIUS server? Any ideas?

----------------------------------------------------------------------
Share access question
Posted by Shawn Allin (http://social.technet.microsoft.com/Profile/en-US/?user=Shawn%20Allin)
Thread: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/da4a788d-7668-40f7-9cd7-72f7e56aaa25

I have several shares on a 2003 server in AD controlled by simple share permissions. When I want to give someone access, I either add their name directly, or put their name into an AD security group which in turn is listed in the permissions of the share. In the first case, access is granted immediately. In the second case, it will sooner or later happen.
Is there a way to force the rereading (or whatever) of the group members to make the access happen quickly?Tue, 24 Nov 2009 17:09:04 Z2009-11-24T19:39:49Zhttp://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5d69ef47-103a-4449-b675-11fa6ca29356http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5d69ef47-103a-4449-b675-11fa6ca29356imprisehttp://social.technet.microsoft.com/Profile/en-US/?user=impriseManage Revocation Data by Using Local CRLsHi all;<br/> <br/> In the following Microsoft document we read that: To modify certificate data in a local CRL, we must right click our Revocation Configuration and then select &quot;Local Certificate Revocation List&quot; form the menu. The problem is I cannot find this option. What is the problem?<br/> <br/> http://technet.microsoft.com/en-us/library/cc753253.aspx<br/> <br/> <br/> I use Windows Server 2008 Enterprise Edition with SP2.<br/> <br/> any idea?<br/> <br/> Thanks<br/> <strong> </strong>Tue, 24 Nov 2009 15:44:42 Z2009-11-24T17:05:07Zhttp://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f22372bf-8394-4f2e-a07e-6cc53c20f6d9http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f22372bf-8394-4f2e-a07e-6cc53c20f6d9KJanneyhttp://social.technet.microsoft.com/Profile/en-US/?user=KJanneykb973037<span><strong>What are the prerequisites which could cause kb973037 to fail to apply?</strong></span>Mon, 23 Nov 2009 23:28:58 Z2009-11-25T08:12:22Zhttp://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/44166870-2c66-4626-b59f-de26ea1cf239http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/44166870-2c66-4626-b59f-de26ea1cf239Amjad Shaikhttp://social.technet.microsoft.com/Profile/en-US/?user=Amjad%20ShaikHow to Find Domain users with Local Administrator Rights Hello Friends,<br/> <br/> We have found some of the domain users are having local admin rights on their PCs.<br/> <br/> We need to find out the users those who 
are members of the Administrator Account & remove them.

Is there any tool to find out...???

Our domain is Windows 2003 Enterprise R2.

Kindly help me. Thanks in advance.

--
Regards, Amjad

Published: Mon, 23 Nov 2009 08:07:04 Z (last updated 2009-11-27T02:15:50Z)

Thread: Mac clients can't authenticate to SBS 2008
Posted by: HRM-LA (http://social.technet.microsoft.com/Profile/en-US/?user=HRM-LA)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/81fece9f-ff84-487b-82dc-a2db49e14872

Hi,
We have a brand new SBS 2008 in a small office environment, also handling AD DS, DNS, and some file shares. The clients include several OS X 10.4 and 10.5 machines, and it's evident that out of the box, Server 2008 doesn't let them connect over SMB.
I also posted this in the file services forum, but it seems to be a security issue just as much.

- It's an audit failure; on the client side "Could not connect to the server because the name or password is not correct." On the server side, event ID 4625.
- Windows clients can connect fine, using the same credentials I'm feeding the Mac.
- Giving "Everyone" access permissions to the folder didn't make any difference.
- Same problem with 10.4 and 10.5.

Event logs: (FQDN renamed)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2009-03-20T01:02:42.961Z" />
    <EventRecordID>4266289</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="700" />
    <Channel>Security</Channel>
    <Computer>myserver.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">MAC</Data>
    <Data Name="TargetDomainName">MYDOMAIN</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">\\MACCLIENT</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.0.30</Data>
    <Data Name="IpPort">49836</Data>
  </EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2009-03-20T01:02:42.961Z" />
    <EventRecordID>4266288</EventRecordID>
    <Correlation />
    <Execution ProcessID="600" ThreadID="700" />
    <Channel>Security</Channel>
    <Computer>myserver.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">MAC</Data>
    <Data Name="TargetDomainName">MYDOMAIN</Data>
    <Data Name="Status">0xc0000225</Data>
    <Data Name="FailureReason">%%2304</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName"></Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">\\MACCLIENT</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.0.30</Data>
    <Data Name="IpPort">49836</Data>
  </EventData>
</Event>

Published: Mon, 23 Mar 2009 17:39:31 Z (last updated 2009-11-24T11:21:24Z)

Thread: Replacing root CA above Windows Server 2003 subordinate issuing CAs
Posted by: PSJA2007 (http://social.technet.microsoft.com/Profile/en-US/?user=PSJA2007)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/10515a3a-22ea-4346-9eff-dc4d08f930ed

Hi,

I did post a related question at http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/dfe1f541-e3b2-42b5-bd3b-7a7d0f7a7e66 but I guess as it mentions HSMs it's not getting much response, so I've asked a more generic question here:

We have lost the ability to export our private key for the root CA (for now it can still be used for signing, but see the other post if more info is needed), so we will need to have a completely new root CA and the old one removed.

My question is: what implications will this have on the subordinate issuing CAs and all the certificates they have issued if we have to replace the root?

I guess we will still keep the old root CA cert as a trusted root, but what about root CA CRL publishing etc.; will that be required for the certificates issued by the subordinate CAs?

Thanks for any help

Published: Thu, 19 Nov 2009 12:10:57 Z (last updated 2009-11-27T06:06:17Z)
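The two 4625 events quoted in the "Mac clients can't authenticate to SBS 2008" thread above, decoded the way an analyst would read them, as an added example that is not part of any post in this feed. The script parses the event XML and maps the Status and SubStatus NTSTATUS values to their documented meanings; the same table covers the Error Code field of the Windows 2003 event 680 quoted in the "Forced logouts" thread (0xC0000234). The SAMPLE_EVENTS embedded in the script are constructed, trimmed copies of the two posted events (only the fields the script reads were kept), and the NTSTATUS table lists well-known codes only; anything else is reported as unknown rather than guessed.

```python
"""Decode Windows logon-failure audit events (added example, not from the feed)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Well-known NTSTATUS values seen in 4625 Status/SubStatus (2008+) and in the
# Error Code of Windows 2003 event 680.  Unknown codes are reported as such.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or password; see SubStatus)",
    0xC0000064: "STATUS_NO_SUCH_USER (user name does not exist)",
    0xC000006A: "STATUS_WRONG_PASSWORD (user name correct, password wrong)",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS (logon outside permitted hours)",
    0xC0000070: "STATUS_INVALID_WORKSTATION (logon from this workstation not allowed)",
    0xC0000071: "STATUS_PASSWORD_EXPIRED (password has expired)",
    0xC0000072: "STATUS_ACCOUNT_DISABLED (account is disabled)",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED (account has expired)",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE (password must be changed at next logon)",
    0xC0000225: "STATUS_NOT_FOUND (object not found)",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT (account is locked out)",
}


def describe_status(code):
    """Documented meaning of an NTSTATUS code, or an explicit 'unknown' marker."""
    return NTSTATUS.get(code, "unknown NTSTATUS 0x%08X" % code)


def parse_logon_failure(xml_text):
    """Pull the fields an analyst needs out of one 4625 event (XML view)."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    status = int(data["Status"], 16)
    substatus = int(data["SubStatus"], 16)
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "record_id": int(root.find("e:System/e:EventRecordID", NS).text),
        "target": "%s\\%s" % (data["TargetDomainName"], data["TargetUserName"]),
        "logon_type": int(data["LogonType"]),          # 3 = network (SMB)
        "package": data["AuthenticationPackageName"],
        "workstation": data["WorkstationName"],
        "source_ip": data["IpAddress"],
        "status": describe_status(status),
        # SubStatus 0x0 carries no extra information, so report None.
        "substatus": describe_status(substatus) if substatus else None,
    }


def summarize(events_xml):
    """One line per event; the SubStatus, when present, is the real reason."""
    lines = []
    for xml_text in events_xml:
        ev = parse_logon_failure(xml_text)
        reason = ev["substatus"] or ev["status"]
        lines.append("%d record=%d target=%s type=%d pkg=%s from=%s (%s): %s" % (
            ev["event_id"], ev["record_id"], ev["target"], ev["logon_type"],
            ev["package"], ev["workstation"], ev["source_ip"], reason))
    return lines


def _sample_event(record_id, status, substatus, logon_process):
    # Constructed sample: trimmed copy of the events quoted in the thread above.
    return """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2009-03-20T01:02:42.961Z" />
    <EventRecordID>%d</EventRecordID>
    <Channel>Security</Channel>
    <Computer>myserver.mydomain.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">MAC</Data>
    <Data Name="TargetDomainName">MYDOMAIN</Data>
    <Data Name="Status">%s</Data>
    <Data Name="SubStatus">%s</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">%s</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">\\\\MACCLIENT</Data>
    <Data Name="IpAddress">192.168.0.30</Data>
    <Data Name="IpPort">49836</Data>
  </EventData>
</Event>""" % (record_id, status, substatus, logon_process)


SAMPLE_EVENTS = [
    _sample_event(4266289, "0xc000006d", "0xc0000064", "NtLmSsp "),
    _sample_event(4266288, "0xc0000225", "0x0", ""),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Run against the two posted events, the script reports that the DC was asked to authenticate MYDOMAIN\MAC over NTLM from \\MACCLIENT (192.168.0.30) and that the account name does not exist (SubStatus 0xC0000064), which is a different condition from a wrong password (0xC000006A) or a lockout (0xC0000234, the code in the "Forced logouts" thread). Reading the SubStatus before the generic Status is the habit that separates "the user typed the wrong password" from "the client is sending the wrong account name".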
Thread: Security Templates
Posted by: Luke Zillman (http://social.technet.microsoft.com/Profile/en-US/?user=Luke%20Zillman)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9cb8cf70-577b-4c72-b751-b6824fe8dd9d

Hi everyone,

If I create a security template, one of the settings for example might be "people allowed to access the registry" (I just made this setting up). Now it might list 'administrators', backup operators, but what if it has something like MACHINES_NAME/IIS_USER (or something like that)... what if it lists that specific machine's IIS account? What if I then 'deploy this policy' via group policy to 100 other machines: will that setting have the 'exact name' of the original machine (MACHINES_NAME/IIS_USER), or would it have the 'new name' of the machine the policy was applied to?

thanks,

Luke.

Published: Thu, 19 Nov 2009 03:21:28 Z (last updated 2009-11-27T06:06:11Z)

Thread: Limit the number of User's Certificate ( in PKI)
Posted by: AnahitaS (http://social.technet.microsoft.com/Profile/en-US/?user=AnahitaS)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f26aa5fb-e023-4982-a6a4-6107b00b1b6c

We are using PKI in our organization. Although it has been set for domain users to receive their certificates through Active Directory automatically, they can also request email encryption and signature certificates through web enrollment and the website. Now we must limit each user to having only one certificate for email encryption and one for email signature. I mean users should not have more than one certificate for each of the features. I could not find anything which helps me on limiting users' certificate requests! How can we limit users to receive one and only one certificate based on their requests?
thanks

Published: Tue, 24 Nov 2009 05:50:04 Z (last updated 2009-11-26T01:57:48Z)

Thread: Clearing specific event log from Eventviewer
Posted by: Rohit Goel (http://social.technet.microsoft.com/Profile/en-US/?user=Rohit%20Goel)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4adad855-d29a-461a-b28a-bb67217409c7

Hi Team,

Is there any way to clear a specific event log entry from Event Viewer, instead of clearing the entire log? Is there any way to do it from the registry or using any tool available?
Any suggestions will be highly appreciated.

Regards,
Rohit

Published: Mon, 23 Nov 2009 23:47:28 Z (last updated 2009-11-27T01:33:03Z)

Thread: Setting up a brand new PKI - WS08 R2 - few questions
Posted by: Konrad Hall (http://social.technet.microsoft.com/Profile/en-US/?user=Konrad%20Hall)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ed3b0502-89db-4786-a541-72b5e65886e8

Hi all,

I've been digging through a lot of documents before starting a PKI implementation. I'll be using a two-tier approach (Root CA offline, two issuing CAs) running on Windows Server 2008 R2. Now I've got the big picture pretty clear, but I need a few hints.

1. As stated before, I will be using a two-tier approach. I will only be using one CDP, which will be an HTTP URL hosted on two servers in a DMZ (load balancing). I also would like to use the R2 feature Certificate Web Enrollment Services (CES), which I guess would be installed on the same servers where the CDP is hosted. Will that be sufficient for all Web Enrollment, or will I also have to install the "old" Web Enrollment feature?

2. If I also have to use the "old" Web Enrollment, where would you recommend installing that feature, on the Issuing CA or on a separate server?

3. I will also be using OCSP, installed on the same servers hosting the CDP. Does the server running the OCSP need to be domain-joined?

4. Is it possible to publish delta CRLs to an HTTP CDP?

5. With regards to NDES, is that something I have to take into consideration right now, or can I implement that feature at a later stage after the PKI has been launched?

Best Regards
Konráð Hall

Published: Mon, 23 Nov 2009 11:48:04 Z (last updated 2009-11-25T07:44:53Z)

Thread: PKI for two different forests
Posted by: Reppie (http://social.technet.microsoft.com/Profile/en-US/?user=Reppie)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9f5b685a-e140-4fa6-a691-4d0dee35364e

I am putting together a PKI design for mostly internal clients, but some will be on a DMZ. I was looking to have an offline Root CA with two sub CAs, one in the internal forest and one in the DMZ forest. I was going to use HTTP and LDAP CDPs. Does it make sense to use HTTP and LDAP, or just HTTP, since the subs are in different forests? Is the only value of an LDAP CDP if all clients are on the same internal forest? Thank you.

Published: Mon, 23 Nov 2009 20:43:10 Z (last updated 2009-11-30T02:34:15Z)

Thread: Effective Permissions
Posted by: Robert_Ray (http://social.technet.microsoft.com/Profile/en-US/?user=Robert_Ray)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/265b2b12-36d5-42ab-b97e-06a3278a3a27

Hi

Can anyone help me out. If you configure a share-level permission of Change and an NTFS permission of Modify, which of the 2 is the most restrictive, and why?

I think it would be Change, but I am unable to back up this thinking with any resource, so I could be completely wrong. I would be very grateful if you have a link to perhaps a TechNet article to help out.

Regards

Robert

Published: Sat, 21 Nov 2009 18:10:08 Z (last updated 2009-11-25T01:36:30Z)

Thread: How to deploy wmi namespace security in domain, multiple servers?
Posted by: swakefield (http://social.technet.microsoft.com/Profile/en-US/?user=swakefield)
Link: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/8f583e45-e1cd-4d74-a95c-533558d3cc56

Hi,
I have a process that is doing remote monitoring via WMI. I am fully aware of setting up the security and allowing DCOM remotely.

My question is: is there any way to set WMI namespace security across a domain or enterprise? I do not want to have to use a domain administrator user account for this monitoring; it goes against the least-privilege principle.

The only official Microsoft way I can find is via wmimgmt.msc (see link http://support.microsoft.com/kb/295292).

It seems that this is very unfriendly to a large organization.

Published: Mon, 09 Nov 2009 21:58:25 Z (last updated 2009-11-23T17:39:38Z)
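For the share-versus-NTFS question in the "Effective Permissions" thread above, an added example (not from any post in this feed) in Python that models how Windows combines the two layers for a user coming in over the network: allow entries from the user and all of his groups accumulate, explicit denies are subtracted, and the effective result is the intersection of what the share grants and what the NTFS ACL grants, so whichever layer grants less is the limiting one. The generic-rights sets are a simplified model of the basic permission names, not the exact NTFS access-mask bits; in this model share "Change" and NTFS "Modify" expand to the same set of rights, which is the point the question turns on.

```python
"""Model of share + NTFS permission combination (added example, not from the feed)."""

READ, WRITE, EXECUTE, DELETE, CHANGE_PERMISSIONS, TAKE_OWNERSHIP = (
    "read", "write", "execute", "delete", "change_permissions", "take_ownership")
ALL = frozenset({READ, WRITE, EXECUTE, DELETE, CHANGE_PERMISSIONS, TAKE_OWNERSHIP})

# Simplified expansion of the three share permission levels into generic rights.
SHARE_PERMISSIONS = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}

# Simplified expansion of the NTFS basic permissions into the same generic rights.
NTFS_PERMISSIONS = {
    "Read": frozenset({READ}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Write": frozenset({WRITE}),
    "Modify": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL,
}


def _resolve(table, allow, deny=()):
    """Accumulate allowed rights across every matching entry, then remove denies."""
    granted = frozenset().union(*(table[p] for p in allow))
    denied = frozenset().union(*(table[p] for p in deny))
    return granted - denied


def effective_rights(share_allow, ntfs_allow, share_deny=(), ntfs_deny=(), local=False):
    """Rights a principal ends up with on a file.

    share_allow / ntfs_allow: permission names granted to the user or to any
    group he belongs to.  *_deny: explicit deny entries.  local=True models
    access from the console, where the share layer is not involved at all.
    """
    ntfs = _resolve(NTFS_PERMISSIONS, ntfs_allow, ntfs_deny)
    if local:
        return ntfs
    share = _resolve(SHARE_PERMISSIONS, share_allow, share_deny)
    return share & ntfs          # the more restrictive layer wins


def more_restrictive(share_perm, ntfs_perm):
    """Name the limiting layer for one share level vs one NTFS permission."""
    s, n = SHARE_PERMISSIONS[share_perm], NTFS_PERMISSIONS[ntfs_perm]
    if s == n:
        return "equal"
    if s < n:
        return "share"
    if n < s:
        return "ntfs"
    return "neither"             # overlapping but incomparable; only the intersection applies


if __name__ == "__main__":
    print("Change vs Modify ->", more_restrictive("Change", "Modify"))
    print("Read share over Modify ->", sorted(effective_rights(["Read"], ["Modify"])))
    print("Full Control share over Modify ->", sorted(effective_rights(["Full Control"], ["Modify"])))
```

In this model more_restrictive("Change", "Modify") returns "equal": neither layer takes anything away from the other, so a user with share Change and NTFS Modify can read, execute, write and delete but cannot change permissions or take ownership. Share Read over NTFS Modify is limited by the share; share Full Control over NTFS Modify is limited by the ACL. Passing local=True shows why the same user often has more rights when logged on at the server than over the share.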