Active Directory Authentication over Firewalls

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ Security
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - Get Rich Take advantage of a great deal Tag: Active Directory Authentication over Firewalls Tag: 80948
  - 2
    - How to make a drive private I have added an other drive to my PC running Win XP Pro. My PC has two users, one is me as administrator plus another with no adninistrator rights. The privacy setting on drive C, that contains all the program files including My Documents folders, does not let the other user have access to them while the drive F that contains all my working files is wide open. I tried to make the all drive private but the sistem does not permit me to mark that option. I need to make the all the content of drive F private, can anybody suggest me how to do it? Thanks Maurizio Tag: Active Directory Authentication over Firewalls Tag: 80945
  - 3
    - Spyware/Virus Cleaning favor Hello. I am looking for a favor. I know several of you (MVPs in particular) have developed extensive "So you've been hit with spyware, now what?" instructions for non-technical users. If you have a link to your advice, could you post it (or the contents)? My non-technical cousin is asking me for advice and I'd much rather point her to your site(s) than reinvent the wheel. Thanks. Byron Hynes Windows Server Microsoft Corporation http://spaces.msn.com/members/byronphyne Tag: Active Directory Authentication over Firewalls Tag: 80936
  - 4
    - MS06-01(912919) and MS05-02(908519) Setup Error I could not apply the following security patches to a couple of Windows 2003 SP1 servers. It came back with the following message. Setup could not verify the integrity of the file update.inf. Make sure the cryptographic service is running on the server. Thanks -- dle Tag: Active Directory Authentication over Firewalls Tag: 80932
  - 5
    - MSN Space Security I don't want anyone can't any pictures from my msn space! How will I do? Tag: Active Directory Authentication over Firewalls Tag: 80930
  - 6
    - Folder Security - Finding Group or User Name in Security settings We have a customer with a 2003 server SP1, there are 100's of "securied" folders which have in many cases "everyone" as a security user (users allowed to create their own folders). I need a quick way of producing a report on the top level folders as to who has access. Is there such a tool freely available? Many thanks in advance -- Regards Dave Tag: Active Directory Authentication over Firewalls Tag: 80928
  - 7
    - windows installer (again) Hi all - still having trouble with my windows installer - the installer would appear to be totally corupted and unusable, i have tried anything and everthing i can think of and more, i have tried with windows help to fix this problem but without success - i have downloaded installer 3.1 but that does not help me, if anybody has any help with this issue i would appreciate the help. my system is windows xp sp2 i am using a presario with amd athlon 2400+ -- good xping and best regards williameric Tag: Active Directory Authentication over Firewalls Tag: 80921
  - 8
    - NTFS Permissions Hello, I am trying to prevent network users from deleting folders and files on a network drive. I have decided to apply read/write but not modify rules to network users in order to prevent them deleting important folders etc however there is a problem with MS Office. When a document is opened or edited Word will always create a temp file, this temp file is then left on the drive because it was created but could not be deleted because the user is unable to delete. This in my mind is quite a serious problem as I do not want the network drive to become full of these .tmp files which are not necessary and take up resources. Is there a way to prevent the .tmp files being created in the first place, or a way in which to allow them to be removed once the user has closed the program. -- Thanks, Cep. Tag: Active Directory Authentication over Firewalls Tag: 80920
  - 9
    - ml1.srt and ml2.srt Anyone know what these are and how to get rid of them? Tag: Active Directory Authentication over Firewalls Tag: 80911
  - 10
    - Automatic Updates greyed out My Windows XP Security Center-Automatic Updates is ON, but when I click on Manage Security Settings all the settings are greyed out, and I can't change them. Is there something I need to do to activate them? Thanks, Mark Tag: Active Directory Authentication over Firewalls Tag: 80905
  - 11
    - Public Keys, Private Keys, & Certificates This is a multi-part message in MIME format. ------=_NextPart_000_0006_01C624A3.FBC504A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Are all Public and Private Keys stored on certificates? ------=_NextPart_000_0006_01C624A3.FBC504A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 6.00.2900.2802" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Are all Public and Private Keys stored = on=20 certificates?</FONT></DIV></BODY></HTML> ------=_NextPart_000_0006_01C624A3.FBC504A0-- Tag: Active Directory Authentication over Firewalls Tag: 80899
  - 12
    - ewido malware software every one it seems uses adaware and spybot s/d,has anyone any plus comments to advise on ewido or minus comments come to that. Tag: Active Directory Authentication over Firewalls Tag: 80896
  - 13
    - DCOM - Allowing Remote Anonymous Access Can anyone tell me or does anyone know where I can find information regarding the risk associated with changing the following DCOM policy: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax - to allow remote anonymous access? Does this change the RPC security setting on the XP system also? Tag: Active Directory Authentication over Firewalls Tag: 80889
  - 14
    - Surfing with User privileges Apparently a person cannot use these newsgroups operating their computer without administrator privileges. Just now I tried to post a new message with only limited privileges and could not get the dialog box for writing the new post to come up. This limitation hinders good security practice. I turned on the â??allow pop-ups from this siteâ?? but that didnâ??t work, and I turned on â??temporarily allow pop-ups from this siteâ?? but that didnâ??t do it either! In our home and business we are trying to use our computers with limited privileges more and more, to protect the current Windows setup and avoid spyware and adware. If programs used daily wonâ??t operate properly with these limited rights it makes operation frustrating. Russ Tag: Active Directory Authentication over Firewalls Tag: 80873
  - 15
    - OneCare Live file sharing Windows OneCare Live has firewall settings to allow file sharing with the local subnet only- a good idea! But it doesn't seem to work. On my home network with three PCs, file sharing worked fine until installing OneCare on the new HP notebook. Now this machine won't share anything, though the settings say that the firewall is configured for file sharing. Have others had this problem? A few days later I opened the firewall settings to allow sharing with all computers (even those on the internet, (as it warns)) and it does share with the home computers all right. Does this local subnet restriction not work correctly in OneCare Live? The notebook computer has XP Home and the others have XP Professional. May this be the difference? Russ Tag: Active Directory Authentication over Firewalls Tag: 80872
  - 16
    - Windows One Care Beta I downloaded WOC Beta and about 2 weeks later uninstalled it. After uninstall, reboot, and sign on (and every sign on since) I get an error message that says: Windows cannot find 'C:\WINDOWS\Nail.exe' . Make sure you typed the name correctly, and then try again....When I did a search for the file I found it. It was a quarantineed file by WOC Beta. It let me delete the file, but I still get this warning each time I sign on. How do I get rid of this warning? Thank you. Alex. Tag: Active Directory Authentication over Firewalls Tag: 80869
  - 17
    - Kama Sutra / W32.Blackmal.E worm questions I have Norton AV and it was updated on Jan. 17 2006 with the entry: W32.Blackmal.E@mm CME-24, Win32.Blackmal.F [Computer Associates], Email-Worm.Win32.Nyxem.e [F-Secure], Email-Worm.Win32.Nyxem.e [Kaspersky], W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro] Will I be okay no matter what? Is there a way you can get this worm without opening email attachments? I just saw a CNN report where they did not mention that you can get it by opening attachments. But the mainstream media doesn't explain these things very well. Tag: Active Directory Authentication over Firewalls Tag: 80853
  - 18
    - Has my Hotmail account been infiltrated? Hi I have a serious problem that I believe may be some form of identity theft and breach of security. I have been informed by a few people that I know that they have received emails, allegedly from me, which usually have the following traits: 1. they are from my Hotmail account and name, although the name on these emails has only my first initial instead of my full name that all my email accounts and client are set to 2. they are usually blank, but one or two reports that they had attachments 3. the subject line includes the phrase "Not read:" and is often followed by subject line text that had been in previous emails between myself and them. I am using a Mac with Microsoft Entourage as my primary email client. I have run both Norton Antivirus and MacScan and have found NO viruses, spyware or keyloggers. I have turned on OS X's firewall and I frequently clear all my browser caches and cookies. I have changed my Hotmail/MSN password. So far, this did not solve the problem. I do not use forwards nor multiple-address emails, and my contacts have zero connection to each other except through me. They do not receive emails from each other nor have each other as contacts. The only connection is through me. Does someone have access to my address and contacts somehow? This is very worrisome, your help is greatly appreciated... I have not received any response from Microsoft Security and this is very frustrating... I am worried someone can do some real damage. Tag: Active Directory Authentication over Firewalls Tag: 80844
  - 19
    - Default GPO I changed my default group policy setting for my Windows Firewall settings to Disable and now I can no longer see the Windows Firewall settings in my Group Policy Editor. Any help is appreciated! Tag: Active Directory Authentication over Firewalls Tag: 80843
  - 20
    - Testing MS Security Patches? Does anyone know of specific tests that should be performed before implementing MS security updates on production systems. I am a member of a large organization and we are trying to enhance our testing procedures before implementing MS security patches through out our production environments. Is there a document that shows what specific things should be considered? I'm looking for a guideline that displays how to validate that a security patch released by MS will not break any applications or the Operating System. Tag: Active Directory Authentication over Firewalls Tag: 80842
  - 21
    - backworm - way to keep safe if the domain policy means that users are only allowed to run programs from a limited list of programs (set up using the gpedit.msc) does this mean that we are safe(r) from the blackworm. indeed, does this mean that most viruses would fail to run? thanks, kevin Tag: Active Directory Authentication over Firewalls Tag: 80841
  - 22
    - Stumped by Image Displayed in Preview Pane This morning I received a piece of SPAM. No big deal. I get that on occassion, but this one had somehow managed to circumvent the security feature in Outlook that prevents images from downloading and displayed Lisa and Bart (Simpson) all smiles going at it doggie style with the caption "Your Baby's on the hook now..." Not sure what they were trying to promote, but I digress... The src attribute value of the img tag was "cid:000701c622b1$dc702290$87d4fea9@VAIO". It doesn't even look like a path. How does this path circumvent the feature to not display images? How does it even work? If I copy and paste this "path" into an HTML email and send it to myself, it does not even work, but somehow it presents an image in the original email and one that does not even have to be downloaded. I forwarded it to GMail and it displayed there as well. Very odd. Does anybody have any idea how this is pulled off? -- The only thing that sucks worse than ________ is apathy about _________. Tag: Active Directory Authentication over Firewalls Tag: 80839
  - 23
    - Recommendations for 'Anonymous Surfing' Hello all, Iâ??ve searched for relevant posts on my subject, but seeing none, I then ask this question: I am thinking of installing â??anonymousâ?? Web Surfing software on my home Network. My network consists of a Linksys Wireless cable gateway, a desktop, and a laptop which are running under XP Pro. I use both IE and Firefox 1.5, and I have the McAfee Security Suite running (Personal Firewall, Privacy Service, and Virus scan). I also use your hosts file. I see products out there such as â??Annonymizerâ?? Privoxy, and â??Ghostsurfâ??. My question is this: In the opinion of the MVPâ??s are these products â??safeâ?? to use with an XP system? Are there system compromises or unacceptable side effects of using anonymous software? Is this software any good, does it do what it says it will do, which is make me invisible on the net? Is there a â??betterâ?? product out there? Is it maybe just a dumb idea to try and be invisible on the net? Please notice that I asked you guys these questions BEFORE I purchased and installed the stuff, thus preventing me from writing a â??whoa is meâ?? post. Iâ??d like you all to know that I am learning something here! Opinions, please? And thank you in advance ! Tag: Active Directory Authentication over Firewalls Tag: 80832
  - 24
    - Problem with certificate authority Hello, i installed a certificat autority on Windows 2003 std SP1, when the service start i've got the error message bellow : "A Certification Authority cannot use a certificate template" (this message appear for each template).... in the event log ... The problem does not exist on a Windows 2003 without SP1. Any idea ?? thanks Tag: Active Directory Authentication over Firewalls Tag: 80830
  - 25
    - Security Experts Warn of Kama Sutra Worm (yet another MS worm) "Security analysts are warning computer users about a new and potentially destructive Internet worm that can obliterate important documents. The worm, called Kama Sutra, is making the rounds now, but is scheduled to execute its first massive attack on February 3. Detected last week, the malicious worm targets computers running Windows and spreads primarily by copying itself to shared network locations and then sending itself to e-mail addresses found on afflicted computers. With subject lines that read "the best videoclip ever," "give me a kiss," and "school girl fantasies gone bad," the worm entices computer users to open the attached file. " http://www.cio-today.com/news/Experts-Warn-of-Kama-Sutra-Worm/story.xhtml?story_id=12100465ZLIH Imhotep Tag: Active Directory Authentication over Firewalls Tag: 80822
- Next
  - 1
    - NTLM V2 in Windows 2003 Native Forest Does anyone know how to completely disable NTLM from a Native Windows 2003 Forest, apparently MS still needs NTLM even in Windows 2003. The problem we are trying to address is the security concerns with NTLM v2 not being an exception. It is widely felt that the MD5 & MD4 algorithms that it leverages are not secure enough..... We would like to completely eliminate NTLM communication including v2, apparently when a non-trusted client with proper use creds. tries to access something in a Native Windows2003 forest it still downgrades to NTLM... Any thoughts/hacks :-) appreciated. Tag: Active Directory Authentication over Firewalls Tag: 80819
  - 2
    - Shedule Task problem Hi, I'm running a Standard Edition SP1 with Exchange 2003 Standard SP1 and I have huge problems with my schedule task. I found out that the server was using 100% of CPU usage. After some test we found it was the Schedule service the one that was affecting the CPU usage so we disable it and everything worked just fine. The problem is that I can not even open the Schedule Task folder, when I tried to do this, the explorer freezes. I need to use the schedule task so I can make my backups, anyone can help me with this? Thank you. Tag: Active Directory Authentication over Firewalls Tag: 80815
  - 3
    - paranoid computer taken over??? when i went to verify my email address the first one i ran into was from microsoft....it wanted my to click on this link (https://commcenter.bresnan.net/SRedirect/profile.microsoft.com/RegSysProfileCenter/ConfirmEmail.aspx?lcid=1033&EmailEntered=billington%40bresnan.net&eck=%252boMI94ak2EWj2c0BLSUoYw&CP=2&brand=Microsoft&Wizid=74386565-ca25-47ba-8168-c42975812e84&fu=http%3a%2f%2fwww.microsoft.com%2fwn3%2faspx%2fpptredirect.aspx&Sec=1) the second email said microsoft customer support so i trusted that one ..........mmmmmm.........ahhh help.............. billington is paranoid........ Tag: Active Directory Authentication over Firewalls Tag: 80813
  - 4
    - How to get rid of unknown items.... i think my computers been taken over.... my operating system is windows xp home. but in sys info it says windows nt.. I know nt is the core of the system... my device profile makes my desktop look like a laptop... docking state unknown???? background keeps being changed from windows xp to windows xp (modified) also have emachines but it changes to bliss.. when you reset should your screen darken as it resets...also on advanced internet options the notify me if being redirected keeps getting unchecked..... should nt authority be listed as a user.... should my printer be listening (port 85) my email address is piperoller@bresnan.net and someone else has a net passport using that, i tried forgot password but could not reset because no matter how many times i typed the 6 letters it kept telling my email wrong or letters wrong..yet signed up fine on alternative email.... help........... PLUS have modern font in red that will not be deleted..... also should internet adress contain (redir)i believe updates are being stashed and i'm being told their installed............ has anyone heard of powerdvd RemoteControl,, or changer, or nvpdaemon,,, what about nview imposter... in registery,, also should font's be read in OEM..... why cant i unhide some files.??? help,,,,,, paranoid..................... also should the xp in windows be dark red??????? Tag: Active Directory Authentication over Firewalls Tag: 80812
  - 5
    - IIS 6, DMZ and antivirus Hi all, Is it current practice to install an antivirus software on an IIS 6.0 server even though it has been hardened and placed in a DMZ? Thanks Tag: Active Directory Authentication over Firewalls Tag: 80810
  - 6
    - External LDAPS connection help We are in the process of migrating off of Novell to windows and We have a unix box that runs scripts to create users and import them into the directory. Now we need to make that same script creat accounts in AD via ldaps. The problem is Im new to the certificate authority and all i need for testing purposes is how to create a cer and give it to the unix box so it can be trusted and log in with a user id to import users into AD. Thanks Tag: Active Directory Authentication over Firewalls Tag: 80809
  - 7
    - Spyware & Adware Should I be using more than 1 Adware & Spyware program? I was told to install at least 3 as they all fix different problems. Today I was told to only have one as they could be interferring with eachother. Tag: Active Directory Authentication over Firewalls Tag: 80801
  - 8
    - Detect what software is blocking connections Hello all! If this is offtopic, please advise of a better newsgroup, I thought this may be the right one. Our customers download and install our client/server based software on their computer. Many of our customers use Norton Internet Security and other types of software that block ours from connecting to the Internet. Sometimes the users don't know to click "Allow" and they block it then call us wanting to know why it's not working. My problem is that on some computers, we can find no software that is blocking connections but it is obviously happening. My question is does anyone know of any software out there that will tell you what program in memory is blocking network connections or acting as a firewall? Thanks so much! Matthew Tag: Active Directory Authentication over Firewalls Tag: 80798
  - 9
    - EFS and impersonated user Hello, I'm using Windows XP Pro (SP2) and I'd like to encrypt a folder using the API Advapi32 / EncryptFile using the credentials of a particular user different than the user logged in. I'm trying it impersonating the user first with the API Advapi32 / LogonUser, with different values in the parameters "Logon Type" and "Logon Provider". All cases, when I exec EncryptFile I get the error 87: invalid parameter. If I exec EncryptFile without impersonating the user all work ok and the folder is encrypted successfully related to my session user. Someone tells me that i'd have to load the user profile but I don't know how to do it during or after impersonating user. is it posible?, any idea? Thanks and best regards, Raul Truco Tag: Active Directory Authentication over Firewalls Tag: 80796
  - 10
    - EFS and impersonated user Hello, I'm using Windows XP Pro (SP2) and I'd like to encrypt a folder using the API Advapi32 / EncryptFile using the credentials of a particular user different than the user logged in. I'm trying it impersonating the user first with the API Advapi32 / LogonUser, with different values in the parameters "Logon Type" and "Logon Provider". All cases, when I exec EncryptFile I reach a the error 87: invalid parameter. If I exec EncryptFile without impersonating the user all work ok and the folder is encrypted successfully related to my session user. Someone tells me that i'd have to load the user profile but I don't know how to do it before. is it posible?, any idea? Thanks and best regards, Raul Truco Tag: Active Directory Authentication over Firewalls Tag: 80795
  - 11
    - Spyware & Adware I have been told to have at least 3 different spyare and adware programs on my computer as they each clean different problems out. Today I am now told to only use one as they fight with eachother and they will bog eachother down. What is the correct solution to successfully protect against all of the spyware & adware? Tag: Active Directory Authentication over Firewalls Tag: 80790
  - 12
    - Windows 2003 SP1 Hi, Did windows 2003 server SP1 up to date with all the security patches is more secure than windows 2003 server without SP1 but up to date with all the security patches? If yes - What changes causing this? Thanks, Nir Tag: Active Directory Authentication over Firewalls Tag: 80780
  - 13
    - infected? 1) Iâ??ve recently had a significant increase in the amount of spam getting through both the ATT and the MS Outlook spam filters. It frequently carries a subject line that I have used recently myself or the â??fromâ?? name or the subject are reminiscent of a personâ??s name or a topic that I have recently discussed in an e-mail. 2) Within the past 48 hours, shortcuts to IE and OL have not responded until I try them a second time. 3) Just now, when I tried to open IE, I got a dialogue box informing me that â??the operation can not be completed because yada-yada are missing.â?? A bit later it worked fine. I have just reverified the following: MS AntiSpyware is active. Norton Autoprotect is active. My virus definitions are dated 1/25/06. I have just visited MS Security Help, but didnâ??t find anything applicable. Yes, I clear my cache regularly. Every 24 hours or so. What else should I be checking? Thanks much! Tag: Active Directory Authentication over Firewalls Tag: 80768
  - 14
    - strange encryption behavior I am getting the following strange behavior in Outlook 2003 SP1 on XP Pro. I have previously received signed emails from my friend "Joe" who is in the GAL (although his certficicate is not in the GAL) I can see his certificate in Certificate Manager, under Other People, and it is reported there as OK. I have also previously sent him signed and encrypted emails successfully. *Sometimes* when I create a new email and select Joe from the GAL in the To field, activate the Sign and Encrypt buttons, type my message, and click Send I get: Microsoft Office Outlook had problems encrypting this message because the following recipients had missing or invalid certificates, or conflicting or unsupported encryption capabilities. I then go to a signed email I have previously received from Joe and reply to it, again making sure that the Sign and Encrypt buttons are activated. That works. Now I once again send a *new* email to Joe, as above. It now works. It continues to work for a while, then suddenly goes back into its old "problems encrypting this message" mode. What is going on here? I would prefer not putting the certificates into the GAL. I already tried the registry modifications recommended in: http://support.microsoft.com/?scid=kb;en-us;870564&spid=2520&sid=216#kb5 but it did not help. Tag: Active Directory Authentication over Firewalls Tag: 80765
  - 15
    - Certificate configuration on Windows 2k Hi, On Windows XP, I can use the httpcfg.exe tool to assign a certificate to a port. For example: httpcfg set ssl /i IP:Port /h Hash /g Guid How can I accomplish the same task in Windows2k? Thanks, John Tag: Active Directory Authentication over Firewalls Tag: 80762
  - 16
    - Net Logger Pro Net Logger Pro tracks AOL, ICQ, IRC, MSN and Yahoo messengers , WWW, FTP and E-mail activities, classifies all collected information and sends it to your e-mail address or mobile phone, provides real time access to all incoming information on your PC. We would appreciate all you comments, critique and requests concerning operation and features of the Net Logger Pro. Thank you, Dual Software http://www.solidlabs.com/net/netlogger/ Tag: Active Directory Authentication over Firewalls Tag: 80745
  - 17
    - .NET Windows Forms Control hosted in web page I have a .NET 1.1 Windows Forms control that I built and have hosted it in a web page using the <OBJECT/> element. The control is used for downloading files to the users local system. I provided users with a .msi file which only added a code group to the machine-level runtime security policy to enable the control to run. The code group granted full trust to the intranet site hosting the control. Everything was working fine until our company pushed .NET Framework 2.0 out to all of the users stations, including mine. After this update the .NET control in this web page stopped working. The rectangle where the control would appear remains blank with a red/blue/green icon in the upper left-hand corner. My assumption was that the security configurations for .NET 2.0 were not configured and may be causing the 1.1 assy to not run. I installed the .NET 2.0 SDK and did a small test by adding the website manually to my 2.0 configuration in the same manner as 1.1. The control worked... I proceeded to create a 2.0 installer that users could run in addition to the 1.1 installer, but when I tested it again I could not get the 1.1 control to appear in my web page. I then migrated the control to 2.0 hoping that with the 2.0 settings correct and the control in 2.0 everything would work, but again I could not get the control to load. So a few questions: 1 - is this a bug? does the security in this case have to be configured in both 1.1 and 2.0 to allow a control hosted in a web page to run? 2 - If yes to the first question, is there a way to do all of this from one setup routine? Or does there need to be one in the 1.1 version and another one in the 2.0 version? I could not figure out how to iterate through both policy configurations from either 1.1 or 2.0. PLEASE HELP! I am desparate for a solution and my users are patiently waiting for this to start working again... thank you. Tag: Active Directory Authentication over Firewalls Tag: 80737
  - 18
    - Remote Attack? Modem security I was using my computer off-line when the phone rang and through my speakers I heard the modem pick-up & a computer/fax signal. (I have a Dell Win. XP SP-2, with a dial-up connection and CA eTrust Personal Firewall.) When I checked the eTrust logs, I found that several inbound communications had been blocked including two attempts were made (at about the same time as I heard my modem pick up) originating from DNS source: "dedicated67.fastcolocation.net". I was concerned when I heard my modem respond without my log on. Apparently, the etrust firewall blocked it, but why was another computer able to call my machine and have it pick-up the phone? Is this a symptom of a greater security threat? Tag: Active Directory Authentication over Firewalls Tag: 80733
  - 19
    - Re: NTFS folder permissions - Creator Owner issue (I think) Sorry, this clearly doesn't make any sense. Please disregard. Paul "Paul Baker" <paulb@online.rochester.rr.com> wrote in message news:... > Can't you simply add a CREATOR OWNER access control which denies delete > permissions? This will override any allow permissions. > > Paul > > "F Laufs" <FLaufs@discussions.microsoft.com> wrote in message > news:C7ED4834-1C38-4056-A2F4-DB5722435131@microsoft.com... >> Yes, I figured out that if I took the creator owner placeholder out of >> the >> list then I woudlnt have this problme from reading other peoples posts. >> However, I am using the creator owner placeholder to ensure that staff >> can >> only delete their own files and folders and not other peoples. >> >> Users get Read & Execute, List Folder Contents, Read and Write, and the >> Creator-Owner gets Modify. >> >> Maybe there's another way of getting the same result? >> >> Regards, >> >> Fiona >> >> "Paul Baker" wrote: >> >>> Are you aware that you can prevent permissions being given to the >>> Creator >>> Owner when they create a folder simply by removing the CREATOR OWNER >>> access >>> control. It's default, not hardcoded, behaviour. >>> >>> Paul >>> >>> "F Laufs" <FLaufs@discussions.microsoft.com> wrote in message >>> news:66363F0F-1388-4A12-89DB-97761A246275@microsoft.com... >>> > Roger, >>> > >>> > Sorry, I was confusing the issue by calling it a group - I do realise >>> > its >>> > a >>> > placeholder. From what you're telling me an owner has rights that >>> > cannot >>> > be >>> > overridden. As we are allowing staff to create subfolders (they then >>> > become >>> > the owner), we will not be able to prevent them having the rights of >>> > an >>> > owner, which seems to include the right to change permissions whether >>> > we >>> > want >>> > them to have that right or not. >>> > >>> > Anyway, thanks for all your patience and help. >>> > >>> > Regards, >>> > >>> > Fiona >>> > >>> > >>> > "Roger Abell [MVP]" wrote: >>> > >>> >> >>> >> "F Laufs" <FLaufs@discussions.microsoft.com> wrote in message >>> >> news:266F5017-7818-439A-A60A-7D9B3498BBE3@microsoft.com... >>> >> > Roger, >>> >> > >>> >> > Thank you very much for your help. >>> >> > >>> >> > You're saying that this group can change permissions even when not >>> >> > expressly >>> >> > granted the permission to change permissions or denied it, but I >>> >> > have >>> >> > never >>> >> >>> >> No, that is not what I said. >>> >> I said that the owner of an object can change the object's permission >>> >> whether the owner is (directly or indirectly) granted that >>> >> permissions or >>> >> even whether explicitly denied that permissions. >>> >> I did not state this about the Creator Owner "group" but about the >>> >> Owner. >>> >> >>> >> > read this anywhere, and can't seem to find any documentation on it >>> >> > on >>> >> > the >>> >> > net. (I do believe you as I have seen the results!) I'd like to >>> >> > read >>> >> > up >>> >> > on >>> >> > the rights that this group has that I am not aware of. >>> >> > >>> >> >>> >> It is not really a group, although it appears like one. >>> >> Creator Owner is a placeholder. You will find its use is normally >>> >> set >>> >> to inherit onto contained/child objects. When a new object is >>> >> created >>> >> the grant to Creator Owner becomes a real grant to the creator or the >>> >> permissions stated with the Creator Owner grant on the container. >>> >> The account that creates the object does become owner, and does >>> >> have the rights of an owner, not matter what is or is not granted >>> >> with >>> >> the use of Creator Owner. >>> >> >>> >> > We would really like to prevent users changing the permissions on >>> >> > folders >>> >> > because they tend to lock themselves and IT support out of them. >>> >> > Do >>> >> > you >>> >> > know >>> >> > of any method of doing this? >>> >> > >>> >> >>> >> You must take away ownership and then the NTFS security permissions >>> >> will control their actions. While they own (as they do of anything >>> >> they >>> >> create) >>> >> you can only hinder, not prevent. >>> >> >>> >> >>> >> > "Roger Abell [MVP]" wrote: >>> >> > >>> >> >> >>> >> >> "F Laufs" <FLaufs@discussions.microsoft.com> wrote in message >>> >> >> news:77E028E8-8366-4069-A32A-F71710489B04@microsoft.com... >>> >> >> > Hi all, >>> >> >> > >>> >> >> > I need to set up the permissions on a folder so that: >>> >> >> > >>> >> >> > For users in Group 1: >>> >> >> > Anyone can create a file or subfolder. >>> >> >> > Anyone can edit any file. >>> >> >> > Anyone can copy and paste any file or subfolder. >>> >> >> > Only the owner can, delete, rename or move a file or folder >>> >> >> > Anyone can view permissions >>> >> >> > Noone can change permissions or take ownership >>> >> >> > >>> >> >> >>> >> >> I doubt that that combination can be attained. >>> >> >> The issue is in that some files are changed by use of a temp >>> >> >> file that is renamed with the original deleted. >>> >> >> >>> >> >> > For users in Group 2: >>> >> >> > They can create, edit, copy and paste, delete, rename or move >>> >> >> > any >>> >> >> > file >>> >> >> > or folder, and view permissions. >>> >> >> > They can not changer permissions or take ownership >>> >> >> > >>> >> >> > For Group 1, I ticked R&E, List, R and W in basic settings, and >>> >> >> > then >>> >> >> > added >>> >> >> > a >>> >> >> > Creator Owner group to which I gave modify rights. This got me >>> >> >> > pretty >>> >> >> > close >>> >> >> > to what I need, except: >>> >> >> > >>> >> >> > (1) when trying to move a file or folder, an error message >>> >> >> > appears >>> >> >> > as >>> >> >> > expected for the file, but the folder error message says >>> >> >> > '...cannot >>> >> >> > copy...' >>> >> >> > and then copies just the folder. I suppose it doesn't actually >>> >> >> > move >>> >> >> > it >>> >> >> > but >>> >> >> > this will be confusing for the users >>> >> >> > >>> >> >> > (2) test user can change the permissions on own folders, >>> >> >> > definitely >>> >> >> > what I >>> >> >> > don't want. (On checking the advanced permissions it explicitly >>> >> >> > shows >>> >> >> > that >>> >> >> > change permissions is NOT ticked) >>> >> >> >>> >> >> The owner can always change permissions even when they are not >>> >> >> granted the permission to change permissions or denied it. Think >>> >> >> of >>> >> >> the permission to change permissions as something only important >>> >> >> for non-owners. >>> >> >> >>> >> >> > >>> >> >> > For permission set 2 I was thinking of giving Modify permissions >>> >> >> > but, >>> >> >> > again, >>> >> >> > this allows users to change permissions on their own folders. >>> >> >> > >>> >> >> >>> >> >> It is not the Modify grant that allows this but being owner that >>> >> >> does. >>> >> >> >>> >> >> > I wonder if there is a simple explanation? >>> >> >> > >>> >> >> > Regards >>> >> >> > >>> >> >> > Fiona Laufs >>> >> >> > >>> >> >> >>> >> >> >>> >> >> >>> >> >>> >> >>> >> >>> >>> >>> > > Tag: Active Directory Authentication over Firewalls Tag: 80716
  - 20
    - Auditing Workstation logons from DC I am trying to see workstation interactive logins in the Windows 2003 DC event viewer but am not seeing the events. I am seeing Remoteinteractive as well as interactive directly into the Domain Controller itself. However workstation computers that are a member of the domain are not registering event 528 or 539 type 2's in the event viewer. I have Domain Security Settings for Audit account logon to Success and Audit logon events to success. I have Domain Controller Settings to audit account logon to Success and Failure and Audit Logon to Success and Failure. I am running Windows 2003 Small Business Server. Tag: Active Directory Authentication over Firewalls Tag: 80714
  - 21
    - accessing a website Hi, I just installed AntiSpyware Beta 1 and have not been able to access a particular website. No problems with any other website. I had no issues prior to the spyware installation. The website does not show up on the blocked events site. Can anyone help? Thank you, Suzanne Tag: Active Directory Authentication over Firewalls Tag: 80711
  - 22
    - Auditing user login/logoffs I have a windows 2003 small bus server domain. How do I audit for user login and logoffs. Even better, how to I filter the massive security log to view the login/logoff events for users just logging into their workstations and logging out of their workstations?? Tag: Active Directory Authentication over Firewalls Tag: 80707
  - 23
    - Domain Administrator cannot logon to SBS 2003 LOCALLY Hi, I have a serious error with one of my servers. It is a SBS Server 2003 running a domain, dns, dhcp and AD. Up until late last year I have not had any issues with this, no new software or hardware has been added either in the past 6 months. I noticed that the daily backups were failing so I tried to logon to the server locally as domain administrator, and the server poped up a message 'The user has not been granted the requested logon type at this machine' ! So I tried to remote desktop in to the server and to my susprise I logged on successfully as domain administrator. I have got veritas backup exec 10 installed and the services run as domain/Administrator, backup exec was reporting that backups could not be run using this account as login access was not granted for the domain\administator !!!! So I started to look at the event viewer, and found this log from when I tried to logon locally: Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 534 Date: 24/01/2006 Time: 09:31:58 User: NT AUTHORITY\SYSTEM Computer: CMI-SERVER Description: Logon Failure: Reason: The user has not been granted the requested logon type at this machine User Name: Administrator Domain: CMI Logon Type: 2 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: CMI-SERVER Caller User Name: CMI-SERVER$ Caller Domain: cmi Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4168 Transited Services: - Source Network Address: - Source Port: - Any help on this matter would a god send, as I have been searching all over the place for the event error 534 and cannot find anyone with a simular problem. I have check the local security policy and everything looks in order. Kind Regards Matt Tag: Active Directory Authentication over Firewalls Tag: 80700
  - 24
    - cipher.exe with imporsonated user Hello friends, I have a big doubt and i wish you could help me. I'm using Windows XP Pro (SP2) and I'd like to encrypt a folder using the tool cipher.exe but using the credentials of a particular user different than the user logged in. I'm trying it impersonating the user first with the API Advapi32 / LogonUser , using diferent value for the parameters "Logon Type" and "Logon Provider". After impersonating the correct user i execute the command: cipher.exe /E /S:c:\test /A but the folder is encrypted related to the user logged in in the session, no with the impersonated user. I have tried too with the API Advapi32 / CreateProcessWithLogonW, with the option "Logon with profile", but i don't get to work, is it posible?, any idea? Thanks very much, Raul truco Tag: Active Directory Authentication over Firewalls Tag: 80699
  - 25
    - TechNet - for IT professionals only? -- Thanks, Maria Tag: Active Directory Authentication over Firewalls Tag: 80682

Hi All,

What are the minimum ports that I need to open on my FW for AD
authentication?

Thanks,

Nir

Re: Active Directory Authentication over Firewalls by S

S
Tue Jan 31 04:03:11 CST 2006

Hi Nir,

Depends on your authentication mechanism. For example, one way to
authenticate is to use the user credentials in LDAP query - in that case,
you only need to open LDAP (or LDAPs) port from the authenticator to the
domain controller. Kerberos authentication requires Kerberos ports open.
Certificate authentication requires only access to CRLs, which might not
involve any open ports to the infrastructure.

If you are to place full Windows client behing a firewall, then you'll need
to open a bunch f ports - actually, same ports as for the replication - see

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx

As a bare minimum, you'll need Kerberos over UDP, UDP and TCP ports for
LDAP, TCP port for LDAP to GC, DNS ports, RPC portmapper and a single RPC
port from dymnamic range, CIFS direct hosting (445/TCP), and ping (so that
the client can measure link speed and pull the policies)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Nir B" <nir@icomverse.com> wrote in message
news:esjlBGjJGHA.524@TK2MSFTNGP09.phx.gbl...
> Hi All,
>
> What are the minimum ports that I need to open on my FW for AD
> authentication?
>
>
> Thanks,
>
> Nir
>

Top