One of my colleagues wanted to make one of our customers' environments very secure, so he decided to install an Enterprise Certification Authority environment with 4kB keys. He created one offline root CA with a 4kB key (Windows 2003). This computer is offline all the time. Another CA is the Issuing CA, whose key is signed by the root CA. This issuing CA also had a 4kB key (Windows 2008 R2). Certificates issued by the issuing CA were from 2kB-16kB.
The problem arose when the customer wanted to create a certificate for Cisco devices to secure Wifi. To make those devices use and trust certificates from the issuing CA, the customer needed to import the Root and Issuing CA public certificates into those Cisco devices. And this was a problem. Those Cisco devices didn't want to work with certificates larger than 2kB.
Categories: Security, Windows
Tags: capolicy, capolicy.inf, certificate, certification authority, decrease, key, lenght, renewalkeylenght, size, Windows
	 
	
		
		
		
Today one of our customers called me and asked how they can prevent a particular distribution group from receiving e-mails from the Internet. They have Exchange 2010 SP2. I instructed him to check the field in the properties of the distribution group called "Require that all senders are authenticated".
Categories: Exchange, Security, Windows
Tags: authentificated, connector, exchange, externally secured, legacy exchange, receive, relay, require, users
	 
	
		
		
		
Today I tried to split two domains created in one AD forest.
Scenario
The first domain I created was domain.local, which was the forest root domain. It contained two domain controllers (SRVDC01.domain.local (W2008R2) and SRVDC02.domain.local (WS8)). The second domain I created was domain2.local, which was in the same AD forest but in a different AD tree. I had a little problem when creating the new domain domain2.local, because SRVDC02.domain.local had been powered off for a couple of days. DCPromo on SRVXX01.domain2.local was complaining about some replication problems. So I needed to power it on and force replication. It was weird, because SRVDC2.domain.local didn't hold any of the FSMO roles. When it was all done, everything looked up and running.
		
At one of our bigger customers we started to have a weird problem. When you disabled UAC, it was still active even after reboots.
		
When I was checking the Remote Desktop configuration on a couple of Windows 2008 R2 servers, I noticed that I could not access Remote Desktop Session Host Configuration and I got the following error:
		
One of our customers migrated his whole IT infrastructure into another datacenter. We powered off the virtual machines at the production site and powered on cloned versions of the virtual machines. Domain Controllers were up all the time. Only the member servers' clones moved into the other datacenter. They ran for three days in the other datacenter. The Active Directory domain was up all the time. After the tests we deleted the clones in the other datacenter and powered on the virtual servers in the primary datacenter – their Friday copies. And now we had problems on a couple of servers.
Categories: Security, Windows
Tags: accounts, bad password, computer account, ERROR_ACCESS_DENIED, ghost, netdom, netlogon, nltest, relationship, reset password, security database, snapshot, Unauthenticated, vitual
	 
	
		
		
		
At one of my customers I was implementing SAP GUI in a Terminal Services farm. When you run SAP GUI as Administrator, SAP GUI works perfectly.
		
Once upon a time I was at a customer who had all infrastructure servers (and also all domain controllers) in VMware VMs. He decided to have one more domain controller on a physical server. The only server he could use was the management server, which was full of management tools.
		
Most of the time I have found at customers' sites that they disable firewalls completely, because they don't have time or they are just too lazy to define exceptions in the firewall settings. But this is not really a good idea from a security standpoint.