Can I revoke an SSL certificate using API calls towards the AD-CS?
Hello, I have very little experience with Windows Servers and even less with AD-CS. In our company we use AD-CS to issue certificates for all services, including Linux machines. At the moment the process is manual, but we need to automate it using…
request/approval of new AD user accounts
What are your procedures when it comes to the requesting and approving new user accounts (e.g., new employees, new consultants etc) in your active directory? I have seen a variety of processes; some have standardised e-forms that integrate with the…
If you split security into tiers as per RBAC and the same human person needs multiple accounts, does each account consume an Azure licence?
Microsoft recommends splitting on prem and hybrid assets into tiered access T0 T1 and T2 to facilitate RBAC (role based access control). The principle being that t0 logons are never mixed with t1 logons to minimise any breach. If, therefore, an admin…
Bought a new used laptop, old user still signed in, can't sign on
Hello, bought a new used laptop, it's a KUU Yepbook 2. The old user didn't sign off. I can see her picture, her name. It asks for a PIN, password or finger
How do I install SSL/TLS cipher suite for BizTalk Server 2009?
Hi, Recently my connections from Biztalk to an external financial system started failing with the message A message sent to adapter "WCF-Custom" on send port "SP_IMOS_AP_HEAD_TO_OCI_AP_HEAD" with URI…
Password incorrect when import certificate on server 2012
Hello, I am trying to import a new certificate in server 2012 and it says password incorrect, but the password is correct. I have no problems importing this certificate on server 2019. I have seen in some forums that the problem is that 2012 does not…
Is Microsoft downplaying support for ECC certificates?
Hi folks, does anyone have any insight into this statement on Microsoft's trusted root program requirements page that was updated in Feb? Signatures using elliptical curve cryptography (ECC), such as ECDSA, are not supported in Windows and newer Windows…
What are the benefits of the existing single forest AD Domain to convert or upgrade the AD Domain Controllers from FRS to DFSR?
What are the benefits of the existing single forest AD Domain to convert or upgrade the AD Domain Controllers from FRS to DFSR? https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr FFL & DFL: Windows Server…
Generic unknown status in pkiview after migration Active Directory Certificate Services from Windows Server 2008R2 to Windows 2019.
Following the link given below from MS, we migrated a 2-tier PKI hierarchy from Windows 2008 R2 to Windows 2019. https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674 Migration…
How to disable MFA for a single user
How can I disable MFA for a single user in Azure?
How do I set the CSP and HSTS for an Azure app?
I have created an Azure app and use a custom domain to access it. However, when putting the URL through our cyber security process, it came back that the CSP and HSTS needs to be updated. I cannot find where in Azure to update the security headers. Where…
What is the purpose of enabling Windows Server internal firewall for internal AD Domain servers?
People, I wonder if enabling the internal Windows Server firewall feature is going to be very helpful or not? Because I must also create the firewall rule to allow RDP on port 3389 and ICMP ping and also the WMI for the PowerShell remoting feature for…
CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability
Hi All https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 To remediate the vulnerability CVE-2013-3900 is to add the below registry values. [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] …
Final check before Fully Block NTLM for all Domain
Dear PPL, I would like to set our Default Domain Policy "Restrict NTLM: Incoming NTLM Traffic" to Deny All Accounts. Before I do it, I have enabled Auditing Logs, can see some devices or services are still using NTLM, for example, Win10…
Active Directory Certificate Services - Migrate from W2K8R2 to W2K19 Server - In-place upgrade
Hi My setup: ADCS and PKI services on domain joined (I know! I know, it shouldn't be domain joined) VM running on W2K8R2 I need to get out of W2K8R2 and the plan is to do an in-place upgrade to W2K12R2 and then to W2K19 When doing the in-place…
How to change days before password expires notice
I'm looking for a way to change the number of days before notifying users of password expiration from the default of 5 to some other number. I've found a web posting that references: Default Domain Policy (or Default Domain Controller Policy?) >…
Need some help to target the Group Policy to enable the NTLM audit?
I must audit any computers still using NTLM v1 in my AD Domain. Do I need to enable these group policies for all Windows servers and workstations in my AD Domain or just the Domain Controllers? Computer Configuration\Windows Settings\Security…
April Security update breaks MSMQ on Windows Server
This patch will break MSMQ in any current Windows Server version. Example: KB5036896 installed on Windows Server 2019. Get "not implemented" error after patching. ErrorNumber: '-2147467263' Source: 'MSMQTransaction' Raised 'Unhandled…
FeatureSettingsOverride multiple value entries
Hello, I am looking to apply a patch to disable downfall mitigation. I am looking to amend the FeatureSettingsOverride value to "33554432" as per recommendations. However, FeatureSettingsOverride value is already set as "72" in order…
Block NTLM and NTLMv2 totally, only enable Kerberos
Dear PPL. I would like to totally shut down NTLMv2 in our Domain. I would like only Kerberos as our Accounts Authentications. Should I just change GPO of Default Domain Policy on AD: Network security: Restrict NTLM: Incoming NTLM traffic: to Deny All…