Migrating from single enterprise root CA to different root CA

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ Security
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - DoS? First post here. I've attached a snippet from my Kiwi Syslog from a customer's server. Take a look at the times any you'll see I'm getting bombarded with SMTP -- over 40 in half a minute, but sometimes as many as fifteen a second -- from IP addresses in the 72.34.1xx.xxx range. I've Googled some of them at random and the only connection is that they are all from the same ISP in Texas. I first noticed the problem when the Exchange server crashed. I blocked the ISP entire block at the router, but obviously this volume of traffic is still affecting things. Does anyone have an idea where to start with this? Any help will be much appreciated. Thanks, Mark 05-10-2007 11:47:11 Local0.Warning 192.168.0.1 IP: Packet discarded from 63.170.10.91 port 60668 to xxx.xxx.xxx.xxx port 25 (TCP) (incorrect state) @2007-05-10-12:47:12 05-10-2007 11:47:11 Local0.Warning 192.168.0.1 IP: entry duplicated 3 times @2007-05-10-12:47:10 05-10-2007 11:47:09 Local0.Warning 192.168.0.1 IP: Packet discarded from 63.170.10.91 port 60679 to xxx.xxx.xxx.xxx port 25 (TCP) (incorrect state) @2007-05-10-12:47:10 05-10-2007 11:47:09 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.174.68 port 51646 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:10 05-10-2007 11:47:08 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09 05-10-2007 11:47:08 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.163.226 port 44466 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09 05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.169.197 port 44372 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09 05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.168.216 port 44319 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09 05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.168.170 port 44183 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09 05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.162.135 port 43779 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09 05-10-2007 11:47:07 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.164.25 port 43671 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:09 05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.166.120 port 44576 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06 05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.163.226 port 44466 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06 05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.169.197 port 44372 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06 05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.168.216 port 44319 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06 05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.168.170 port 44183 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06 05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.162.135 port 43779 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06 05-10-2007 11:47:05 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.164.25 port 43671 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:06 05-10-2007 11:47:01 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:47:03 05-10-2007 11:46:57 Local0.Info 192.168.0.1 IP: Packet allowed from 130.13.100.122 port 2492 to xxx.xxx.xxx.xxx port 443 (TCP)(allow by HTTPS) @2007-05-10-12:46:59 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.166.70 port 42172 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.163.240 port 41907 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.169.108 port 50974 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.166.133 port 50915 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.169.202 port 42518 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.168.223 port 42407 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.168.178 port 42107 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 219.148.119.6 port 6000 to xxx.xxx.xxx.xxx port 7212 (TCP)(no NAT port) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.167.199 port 50697 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.162.151 port 41557 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:52 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.164.35 port 41449 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:54 05-10-2007 11:46:51 Local0.Info 192.168.0.1 IP: Packet allowed from 63.170.10.91 port 60995 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by SMTP) @2007-05-10-12:46:53 05-10-2007 11:46:50 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.175.8 port 48881 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:51 05-10-2007 11:46:49 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:51 05-10-2007 11:46:49 Local0.Warning 192.168.0.1 IP: Packet discarded from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound rule) @2007-05-10-12:46:50 05-10-2007 11:46:45 Local0.Info 192.168.0.1 IP: Packet allowed from 63.170.10.91 port 60820 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by SMTP) @2007-05-10-12:46:47 05-10-2007 11:46:45 Local0.Info 192.168.0.1 IP: Packet allowed from 63.170.10.91 port 60819 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by SMTP) @2007-05-10-12:46:47 05-10-2007 11:46:44 Local0.Info 192.168.0.1 IP: Packet allowed from 63.170.10.91 port 60779 to xxx.xxx.xxx.xxx port 25 (TCP)(allow by SMTP) @2007-05-10-12:46:45 05-10-2007 11:46:44 Local0.Warning 192.168.0.1 IP: Packet discarded from 72.34.165.187 port 52717 to xxx.xxx.xxx.xxx port 25 (TCP)(discard rule) @2007-05-10-12:46:45 05-10-2007 11:46:43 Local0.Warning 192.168.0.1 IP: Packet discarded from 192.168.0.21 port 1805 to 62.231.74.10 port 6667 (TCP)(outbound rule) @2007-05-10-12:46:44 Tag: Migrating from single enterprise root CA to different root CA Tag: 93052
  - 2
    - MSSecure.XML file will EXPIRE after October 9, 2007 On October 9, 2007, the MSSecure.XML file used by MBSA 1.2.1 will no longer be updated. After this date, no new security updates will be added to the MSSecure.XML file used by MBSA 1.2.1 and no new versions of the Enterprise Scan Tool will be released for standalone use. Customers who require a free standalone security update and VA assessment tool are strongly encouraged to upgrade to MBSA 2.0.1 or the MBSA 2.1 beta. Based on Microsoft Update technologies, MBSA 2.0.1 and MBSA 2.1 beta provide consistent results across all Microsoft update technologies (SMS, WSUS Server and Microsoft Update) and provide the most comprehensive security update detection available from Microsoft. Aside from Microsoft SMS 2.0 / 2003 and MBSA 1.2.1, non-Microsoft products, scripts or tools based on the Microsoft MSSecure.XML file are not supported and should have already moved to updated or newer technologies that do not rely on the MSSecure.XML file. For more details, please visit the MBSA home page at www.microsoft.com/mbsa. -- -- Doug Neal [MSFT] dugn@online.microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights. If newsgroup discussion with experts and MVPs is unable to solve a problem to your satisfaction, feel free to contact PSS for support on the Microsoft Baseline Security Analyzer (MBSA). Information is available at the following link: http://support.microsoft.com/default.aspx This e-mail address does not receive e-mail, but is used for newsgroup postings only. Tag: Migrating from single enterprise root CA to different root CA Tag: 93051
  - 3
    - Restricting interactive login only to terminal services Hello, I want to set up my win 2003 server (with Terminal Server (TS) role) so that all users (non-admin, or speciafied exceptions) have the right to log in interactively only via TS, but not via console login. This restriction should not be domain-wide, but only on the TS/DC itself. Knowing the flexibility of Windows I am sure this can be done. I am totally comfortable with messing with something like scripting or wmi filtering if there's no "user-friendly" way of achieving this. Thank you. Tag: Migrating from single enterprise root CA to different root CA Tag: 93042
  - 4
    - MBSA 2.1 Beta 2 Now Available A revised beta 2 version of the upcoming Microsoft Baseline Security Analyzer 2.1 scan tool has been released for immediate download. Microsoft Baseline Security Analyzer (MBSA) is a free, standalone scan tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. MBSA 2.1 Beta 2 is now available from the MBSA home page (www.microsoft.com/mbsa) and includes full support for Vista and Windows Server code-named 'Longhorn' in addition to Windows 2000, Windows XP and Windows Server 2003. MBSA 2.1 Beta 2 includes full support for Vista, WSUS 3.0 compatibility, an updated UI and revised vulnerability assessment (VA) checks for x64 platforms. All versions are available from the MBSA 2.1 landing page (http://www.microsoft.com/technet/security/tools/mbsa2_1/default.mspx) or you can download the x86 and x64 versions directly from the Microsoft Download Center at the following locations: x86 version http://www.microsoft.com/downloads/details.aspx?FamilyId=F32921AF-9DBE-4DCE-889E-ECF997EB18E9x64 version http://www.microsoft.com/downloads/details.aspx?FamilyId=0F90BCDB-9A6F-49D9-9FDC-4BC70BB31BF2Please feel free to post questions, bug reports or suggestions to the MBSApublic newsgroup at Microsoft.public.security.baseline_analyzer----Doug Neal [MSFT]dugn@online.microsoft.comThis posting is provided "AS IS" with no warranties, and confers no rights.If newsgroup discussion with experts and MVPs is unable to solve a problemto your satisfaction, feel free to contact PSS for support on the MicrosoftBaseline Security Analyzer (MBSA). Information is available at the followinglink:http://support.microsoft.com/default.aspxThis e-mail address does not receive e-mail, but is used for newsgrouppostings only. Tag: Migrating from single enterprise root CA to different root CA Tag: 93035
  - 5
    - NAC? How/where do I get NAC? I want to set it up in my lab and learn it a bit before i deploy to my clients. Tag: Migrating from single enterprise root CA to different root CA Tag: 93031
  - 6
    - cpv.feed.com Ugghhh! Okay, I have tried all the spyware, anti-virus, etc. that I have access to, but we keep getting a pop up for cpv.feed.com. Has anyone else ever dealt with this? Know what it is? How to get rid of it? I have my pop-up blocker on and I am not completely computer illiterate, but I just can't seem to get this dumb thing to stop. I have run avg, spybot, microsoft malicious software removal tool. Can anyone help? Thanks, Diane Tag: Migrating from single enterprise root CA to different root CA Tag: 93029
  - 7
    - Running .exe Hello all, I am having an issue running .exe on my 2003 server. They will run under the administrator all the time and one other profile but no more. It gives me : Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item. I 'm logging on with domain administrator accounts and they all have full control of the folder and everything in them. I have three servers that will let one admin run it and not the other and vice-versa on the others. Has anyone seen this. I thought it was sp.2 issue, then a sp.1, but it does not seem to be. If anyone has any clue I would greatly appreciate any help. Thanks, David Tag: Migrating from single enterprise root CA to different root CA Tag: 93028
  - 8
    - Is complete access in a win 2003 domain a possibility? I am an IT administrator of a very small company and was wondering if it was possible to create a security group to add my username to that has access to anything and everything. Just being a member of the administrators group still seems to have denies for certain permissions. And if I create a security group and set grants for everything in adsiedit it then allows for some permissions that the administrators group is denied but then denies other permissions. Being 1 of the 2 people that administrate this company I figured it would be easier for us to have access to everything rather than delegating specific permissions to each person. Tag: Migrating from single enterprise root CA to different root CA Tag: 93027
  - 9
    - How encryption keys should be distributed? Several software applications needs to encrypt and decrypt data, requiring either a single key in symmetrical encryption algorithms or public/private keys in asymmetrical algorithms, but how these keys should be distributed? Embed the key(s) within the application executable is a very vulnerable approach, since an attacker may trace API calls, or run the application under a debugger and simply halt the program when the keys has been reconstructed. And what about the risk to distribute the key in every exeucutable copy embedded within, if some attacker gets this key it can make it public, and every user of this application may use it to break its own installation. Can anyone give me any suggestion? Or point me in the correct direction to avoid these problems? Tag: Migrating from single enterprise root CA to different root CA Tag: 93025
  - 10
    - What SIDS need permisions to start my service? Here is the short version. I have an application which has a service component. It is a requirement that the service component be running only when the application is running, so AutoStart is not an option. I want to grant the following permissions on my service READ_CONTROL | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_START | SERVICE_STOP | SERVICE_PAUSE_CONTINUE | SERVICE_INTERROGATE to all users on the local machine. Currently I am granting this access to Everyone, Users, and Guest. This approach definitely gives permisions to the accounts i need.. but is this a securty risk (I am only concerned about security risks involving remote attacks, not ones that originate from the local machine). Should i be granting access to just "Guest and Users" or maybe "Guests and Authenticated Users"? Also note, the machines may or may not be on a domain.. the target os is 2k,xp,vista(32/64). This may be deployed on a large number of laptops (and i mean laaarrrggge). Can anyone shed some light on this issue? Tag: Migrating from single enterprise root CA to different root CA Tag: 93020
  - 11
    - BUILTIN\\Administrators question Our security s/w is flagging the below error... Does anyone know what the "QVSENDC" is indicating? --------------------------------------------------------------------------------------------- Account: BUILTIN\\Administrators; permissions: PC; expected: QVSENDC; comment: none Tag: Migrating from single enterprise root CA to different root CA Tag: 93019
  - 12
    - microbillsys / MBS Account Manager I write with reference to the above & your recent correspondence with alister28.I have managered to stop the pop ups but due to my previous correspondence via e mail they say i have an outstanding bill to pay which is causing grave concern. I think i may be being scammed & wondered if there was anything else i could do. Am i legally bound to pay. Tag: Migrating from single enterprise root CA to different root CA Tag: 93016
  - 13
    - Microsoft Takes on Google and Yahoo with Microsoft Adcenter and Adlabs Learn how can gain up to 20% ROI http://blog.yourseoconsulting.com/labels/case-studies.html by switching to Microsoft Adcenter and take advantage of their keyword forcasting tools and professional attitude to online advertising. Tag: Migrating from single enterprise root CA to different root CA Tag: 93010
  - 14
    - 128 bit password Hi, If a password is for example 128bit, how long is it in characters (a-z & A-Z)? How can i calculate this? If the password is "THISisMYpassword". How many bit password is it? Tag: Migrating from single enterprise root CA to different root CA Tag: 93005
  - 15
    - password can anyone tell me why my password...which i know is correct....is not recognised by various sites....keeps saying...invalid and not recognised....is it to do with my setting on computer cos i cant find it if it is thank you -- si Tag: Migrating from single enterprise root CA to different root CA Tag: 93001
  - 16
    - password error I cannot access accounts with my password..ie hotmail a/c and others...its always saying password not recognised...other people have tried using their own on different sites and it still doesnt recognise them....I must have a block on my computer but i cant find it...please help -- si Tag: Migrating from single enterprise root CA to different root CA Tag: 92998
  - 17
    - Installing & deploying multiple Windows updates.... Hello.....Kenneth here.\ How do I install multiple offline updates at once on Windows XP Professional SP2? I do not have a internet connection, therefore I download the updates from my friends PC and bring it to my house and install it one after the other. It takes a long time. Please anyone...help me!! Thanking you in advance. Tag: Migrating from single enterprise root CA to different root CA Tag: 92997
  - 18
    - application monitoring Hello, I am informing you people about a free program that makes you tension free through checking processes in your system comparing their signatures continuously with a signature file that you have generated first. It will alert whenever they change and when a new program runs. This is meant for knowledgeable people. Download it only if you know what you are doing. Thanks. http://bapuli.reflectionsindia.org/wssecure.htm Tag: Migrating from single enterprise root CA to different root CA Tag: 92994
  - 19
    - Service and profile settings Hi to all! We have a service at our company which our developers had developed. As part of the work of the service, it connects to mapped folder at another computer to read some files from there. We need to configure the service to run as custom application user, which is a user from our domain with sufficient permissions. We can't set in code of the service to connect to UNC address, instead we have to map the UNC address to network drive and afterwards to connect. Now the problem is that I don't know how to "say" to the service to load user's profile when the service starts. For instance, when I run something with "run as" utility, I can specify /profile option, and I just don't know what to do in order to specify something similar to the service. Any help would be appreciated. Regards, Simon Zeltser. Tag: Migrating from single enterprise root CA to different root CA Tag: 92991
  - 20
    - Logon Message Error When I turn on my computer I get an error with a yellor triange that says "The system could not log you on. Make sure your User name and domain are correct then type your password again. Letters in passwords must be typed using the correct case." I have been able to continue by hitting "enter" but this has prevented me from doing many things administratively. I tried to fix this with a CompRule back in April of 2006 (I could give you a case # if it would help)but it lasted a month until I turned my computer off and rebooted and it started all over again. I don't know what I did, I am virtually afraid to do anything to my computer and it seems when I do I seem to mess it up pretty well. I have Widows XPSP2, NortonSecurity&AntiVirus. One husband and one 14 year old and they think I'm the one who is the best to fix the problems when something goes wrong - I'm the mom-this is way over what I want to do or understand and I am way over frustrated with it always giving me error messages and not letting me logon and telling me this isn't my computer, it has been in this same spot for five years This problem has been the same for over a year but a friend said that maybe it is why I can't do things like download the Adobe Flash Player and some other files that my son sends me that I can't see on my email. I don't know but I would really like some help with this so that I can use my computer properly. If anyone can help let me know. Thank you in advance. Ginny. -- ginnyduemler Tag: Migrating from single enterprise root CA to different root CA Tag: 92983
  - 21
    - Disabling Proxy Settings in IE6 through Group Policies I would like to know if there is a way I can disable users for entering in any proxy information within IE6. I know that I can remove the connections tab but I just would like to grey out all fields in the proxy area. Hope this makes sense. Any help would be great Thanks, Rollinwest Tag: Migrating from single enterprise root CA to different root CA Tag: 92977
  - 22
    - PKI - invalid policy When I try to get a certificate I get the following error message: The certificate has invalid policy. Error construction or publishing certiviface invalid application policies: 1.3.6.1.4.1311.10.3.4 This happes with all of my certificates just different OIDs. Thanks, Ed Tag: Migrating from single enterprise root CA to different root CA Tag: 92976
  - 23
    - Moving Certificate Services Hello I have an issue where i need to move my Certificate Services to another computer as the one that it is currently on is going to be de-commisioned / reinstalled. I can only find information on the moving of the certificates when keeping the same server name as the one that is curently there. Unfortunately, i do not have this. I am moving from SERVER01 to SERVER02 SERVER02 needs to remain named this for other purposes and SERVER01 is going to be renamed SERVER03 and going to be in another physical location with a different operating system installed. Can anyone point me in the direction of a useful document etc for this Regards Gareth Collins Tag: Migrating from single enterprise root CA to different root CA Tag: 92975
  - 24
    - is this Hexi-, Deci- or IS4v adresses http://0000000000330.211 I have received several email messages (showing free (gmail) return addresses). I got no response from the OL group. They have an odd looking http address in the body of the email. I do not click on such things, But I actually do not know what this kind of link is, or what it might do. There are a couple of variations, such as this: <A href="http://0000000000330.211.0x0000000009E. 000000000000000000174"> or <a href="http:// 0x00000000000D8.00000000000323.0x000000000000000000000009E. 124"> or <a href="http://0000000000330.211.0x0000000009E. 000000000000000000174"> It looks like a loopback, a physical memory address, or some port, an executable. Or is this Hexi-, Deci- X n base IP address. I am not sure where else to post this type of question. Thanks for your assistance. -- Respectfully, Roger Howland RogerH@theJobDr.com.(noSPAM) Tag: Migrating from single enterprise root CA to different root CA Tag: 92962
  - 25
    - How to have system service to access network I have a VB app that i runs from a LocalSystem service with CreateProcessAsUser: The app gets the token of the service so it runs under LocalSystem too. When i call in my app that as said run from the Localsystem service to: WNetAddConnection2, i get error 1312 (ERROR_NO_SUCH_LOGON_SESSION) In my opinion since a LocalSystem service does not have access to network. Can i make the app that run from the LocalSystem service to access Network so that WNetAddConnection2 will work? I run it on XP pro and Vista - same problem. (The app and The service must keep running under LocalSystem - i do not want to change that) Thanks! Tag: Migrating from single enterprise root CA to different root CA Tag: 92961
- Next
  - 1
    - Disable Proxy settings in Internet explorer through Group Policies I would like to know if there is a setting within Group policy that will allow me to disable the LAN settings so users cannot change our proxy server in order to bypass. Any help would be great! Thanks! Tag: Migrating from single enterprise root CA to different root CA Tag: 92955
  - 2
    - Infection via Website There's a website I know of... as soon as you visit it, your anti- virus (AVG in my case) starts setting off warnings. The site is clearly trying to install spyware/viruses (apparently it is well known for doing this). As someone studying to become an MCSE I am curious in the specifics of how the site is trying to infect computers. IE: is it using java to do this? Active x? applets? scripts? I know it manages to get a few files onto my harddrive (the files being on my harddrive are what actually triggers the AVG warnings). How does it activate those files and get them running in memory/startup? Can Active X/Java/etc/etc make changes to your registry? Do you fully need to turn off these IE settings to be truly safe? etc etc... If anyone could give me some very basic info, or point me to some good (brief & to the point) links, it would be much appeciated. Thanks in advance Tag: Migrating from single enterprise root CA to different root CA Tag: 92953
  - 3
    - DRA certificate on smartcard - vista I configured a gpo to allow efs exclusively with smartcards on a vista box in a windows 2003 domain with a single domain running win2k3 sp1. The DRA is also using an EFS recovery certificate that is on a smartcard. I use the same box both for the user encrypting the file and the DRA trying to recover/restore the file. When I try recovering the file with the DRA designated user I'm prompted to insert a smartcard but when I inset the DRA smartcard I get a error message stating that the "wrong card is inserted." When I insert the user's card everything works fine. Checking the file encryption properties lists the designated DRA certificate as the recovery certificate (certificate thumbprint) as detailed in the appropriate admx file Any Ideas? -- Yariv Bashan MSecurity Tag: Migrating from single enterprise root CA to different root CA Tag: 92952
  - 4
    - Password Protect Hard Drives Hi, last year i was doing something and i somehow managed to put a password on each of my installed hard drives and every time i wanted to access one it would ask me for a password before opening the drive. it was perfect but at the time i didn't really have a use for it. i do now but i don't have a clue now how i did it. i'm wondering if anyone knows what i'm referring to and where i may get information on how to do this again. what's happening now is i am sharing my wireless router and users are able to see my files because i myself share between my laptop and desktop and i want to prevent others from being able to access my files without killing their connection to the internet. thanks everyone. eric6556 Tag: Migrating from single enterprise root CA to different root CA Tag: 92949
  - 5
    - 560 Errors I've applied a GPO with locked down NTFS permissions. I'm receiving 560 failure log events on numerous .dll files located in the Windows\System32 folder. I grant full access to the accounts having problems (network service, local service, and domain service account) and verify through the effective permissions tab that the accounts have full access to the dlls. I keep receiving the 560 errors, but it appears my application (WSS 3.0) works properly despite the dozens of 560 object access errors. Am I missing something? Tag: Migrating from single enterprise root CA to different root CA Tag: 92946
  - 6
    - AVS and Firefox in hidden mode? A scan with Gmer last version of a machine running genuine Windows XP Home Edition with SP2 installed showed two ***hidden*** processes belonging to Active Virus Shield and Firefox. Here are the pictures: http://img363.imageshack.us/img363/3492/gmer01lg8.jpg http://img117.imageshack.us/img117/7841/gmer02ib2.jpg Is that normal or should we worry? Thank you very much. Giulio - Rome Tag: Migrating from single enterprise root CA to different root CA Tag: 92943
  - 7
    - set permission for shared folders Hi all, I tried to set up a shared folders to our office network. I want to set permission for shared folders. But I can only set up access password to the individual files, not a wholed folder. can anyone help with setting up a permission to whole folder? Tag: Migrating from single enterprise root CA to different root CA Tag: 92941
  - 8
    - It is not advertising spam! PrivacySafer 2007 message is not advertising spam. We only want to let more people use it and keep data security for more people. Deter malewares to steal people's private data. Please understand. Thanks. If more people like it, please tell me. Thanks. Tag: Migrating from single enterprise root CA to different root CA Tag: 92928
  - 9
    - PrivacySafer 2007 Released - Manage your all passwords and protect your privacy in secure way! Hello all, PrivacySafer 2007 can manage your all passwords(Windows network logon, your e-mail account, your homepage's ftp password, online passwords, your bank account, etc. etc. etc.) in a secure way and protect your private data(bussiness docment, personal photos, secrets etc) and deter malewares(keylogger, Trojans etc). Main features: - Strong Security - Multiple User Keys - Portable and runs on all windows system - Easy Database Transfer - Support of Password Groups - Time Fields and Entry Attachments - Auto-Type, Auto-login into your app(game,email,ftp etc), Global Auto-Type Hot Key and Drag&Drop - Intuitive and Secure Windows Clipboard Handling - Searching and Sorting - Strong Random Password Generator - Creates a virtual encrypted disk and protect your privacy - Encryption is automatic, real-time (on-the-fly) and transparent. Download PrivacySafer 2007 from http://sebsolution.com/yhlsecure/download.htm Enjoy Jeff Tag: Migrating from single enterprise root CA to different root CA Tag: 92924
  - 10
    - Options for Deploying Root and Int Certs to clients not part of do What are the options for for deploying root and int ca certs to clients that are not part of your domain? For the clients that are part of the domain, do the root and int ca certs automatically get deployed once you setup the certificate services infrastructure? Thanks in advance Tag: Migrating from single enterprise root CA to different root CA Tag: 92919
  - 11
    - Locking out a specific user from a specific client Hi hope someone can help. I am trying to prevent a domain user account from logging in to a specific client workstation. any help on this would be most appreciated. Tag: Migrating from single enterprise root CA to different root CA Tag: 92909
  - 12
    - Wireless Security (WZC) Dear all, Anyone knows if there are any updates to the way WZC works. This post dated 2005, and i tested some of them but it does stands. http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx "How Wireless Auto Configuration Works For the initial scan of available networks, Wireless Auto Configuration performs the following process: 1. Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks in the preferred networks preference order, if the preferred networks are configured to automatically connect (the Connect when this network is within range checkbox is selected on the Connection tab for the properties of the preferred wireless network). 2. If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that do not appear in the list of available networks, in the preferred networks preference order. This is done so that a Windows wireless client can connect to a hidden wireless network, one that is either not broadcasting its SSID or broadcasting an SSID of NULL. Configuring hidden wireless networks is used as a security measure to prevent malicious users from detecting and attempting a connection to a wireless network. However, the SSID is included in other types of wireless connection management frames and is easily discoverable by either capturing wireless management frames or using tools available on the Internet. 3. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it. 4. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is not available, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network. 5. If there are no successful connections to preferred networks and there are no ad hoc networks in the list of preferred networks, Wireless Auto Configuration checks the Automatically connect to non-preferred networks setting. 6. If Automatically connect to non-preferred networks is enabled, Wireless Auto Configuration attempts to connect to the available networks the order in which the wireless adapter sensed them. 7. If all connection attempts to non-preferred networks fail or if Automatically connect to non-preferred networks is disabled, Wireless Auto Configuration creates a random wireless network name and places the wireless network adapter in infrastructure mode. After this, the wireless adapter is not connected to any wireless network but continues to scan for preferred wireless networks every 60 seconds. This behavior prevents the Windows wireless client from accidentally connecting to a wireless network that does not appear in the list of preferred networks. You are then prompted with the "One or more wireless networks are available" message in the notification area." Your help is appreciated Tag: Migrating from single enterprise root CA to different root CA Tag: 92907
  - 13
    - history.... I have a similar question because i know i used to be able to go into windows explorer and see all the files and folders and see all the history of where everyone was.....i am having a similar problem and would like to find out why i cant open the history folder from in there????? please help i cant afford a pro right at this point but i do need to know what these kids are doing since summer is coming soon! Tag: Migrating from single enterprise root CA to different root CA Tag: 92904
  - 14
    - block Proxy servers Hello all. I have a question about security. Kids are connecting to myspace, aim express and other similar chat web base chats. Is there a way to block this web-based aplications? I know my niece uses proxy servers like www.proxysf.com to get access and connect to myspace. I just don't want to hear an answer like. Take the computer away from her room, more discipline, or sit and talk to her. Done it all. botton line is we want to block access to all those web-base programs. i already use the Host file but doesn't work all the time. I though she wouldn't have access to aim express since I entered in the Host file, but she still get connected. Any advise pls. Thank you. Tag: Migrating from single enterprise root CA to different root CA Tag: 92902
  - 15
    - Certificate chain Hello I have one problem with certificate chain in my windows CA setup. I have Windows Server 2003 R2 as offline standalone root CA. That CA has self signet certificate. Then I installed subordinate enterprise CA on Windows Server 2003 R2. I copyed request to root CA and then exported certificate for subordinate CA from root CA. After that I made request on IIS for certificate. So now I have Root certificate - Subordinate certificate - Web certificate in chain. And I use last certificate to secure access to IIS. But when user access site from outside and check certificate chain it goes only up to Subordinate certificate. Is that normal? Miha Tag: Migrating from single enterprise root CA to different root CA Tag: 92895
  - 16
    - MS Update Schedule Does anyone know what Microsoft's schedule is for releasing updates? I know that the security updates are released once a month at 10 AM PST. Do they hold all security updates until the release day (and time) or are there times when they are released outside of the schedule? What about critical updates? I'm assuming that they are released as soon as possible but I wanted to make sure. Thanks, Suzie Tag: Migrating from single enterprise root CA to different root CA Tag: 92891
  - 17
    - Smartcard retire policy workflow Any ideas on how to bulid/configure a smartcard retire policy workflow where the actual smartcard retirement is not done (executed) by the end user (smartcard owner) but rather by a designated entity (helpdesk or RA for example Thanks -- Yariv Bashan MSecurity Tag: Migrating from single enterprise root CA to different root CA Tag: 92890
  - 18
    - windows shared computer toolkit I am planning to install this on our public computers. Question can you have it leave the admin account free to alter as desired, update, save doc, etc? Thank you Tag: Migrating from single enterprise root CA to different root CA Tag: 92886
  - 19
    - Folder permissions It has been a long time since I have had to change permissions and I admit I am a little rusty but, I have a shared folder on my server. Every folder has permissions assigned to it. I am seeing an increasing amount of users accidently grabbing and draging the folder into the folder above or below. What kind of permissions could I use that would prohibit this?? Thanks -- Mark Tag: Migrating from single enterprise root CA to different root CA Tag: 92885
  - 20
    - SMB Shares Dangerous? Appologies for the x-posting but I posted this at microsoft.public.win2000.security and got no response so hoping for a better response here. :) -- A number of our employees access our windows servers using either mapped drives or UNC paths with vpn. I am somewhat concerned that accessing our servers this way may pose a security risk as a number of viruses proliferate through network shares. The shares are password protected so users do have to authenticate to access them but as far as I know once they have authenticated, their credentials are cached for a period of time. Also with mapped drives in particular I believe login information is saved permanently. I'm wondering what others thoughts are on this matter and if anyone can point me to any articles that confirm or deny the risk (or lack there of) for using mapped drives and/or UNC paths. Finally if there is a risk, are there other alternatives? Thanks Brad Tag: Migrating from single enterprise root CA to different root CA Tag: 92883
  - 21
    - Execute File Auditing on a File Share Greetings! I have a situation in which I would like to audit the execute file object access type on files within a file share as opposed to a directory on the local server. I have enabled the 'Audit Object Access' policy on both the host and client machines and have set the Audit permissions on the directory. I am able to view the audit permissions from either the host or client successfully. However, when accessing files within the directory the audit events do not show up in the Event Viewer for either the host or client. Is it even possible to audit file access events over file shares? Thank you, Ryan Tag: Migrating from single enterprise root CA to different root CA Tag: 92876
  - 22
    - General Recommendations I am wondering if anyone can share their experiences or recommendations for accomadating developers on a production network with security in mind. Basically they want to run SQL and IIS on their workstations with default installations. They have full admin on their workstations. This of course makes the security admins nervous but what are the options. Tag: Migrating from single enterprise root CA to different root CA Tag: 92867
  - 23
    - How to Prevent Users from Moving Folders Windows Server 2003. I have a shared folder set up so that certain users can only read and create files. They cannot delete or rename files within this folder. However, they can move entire subfolders out of this folder (which has happened by mistake). How can I set access privileges to prohibit a user from moving files and/or folders out of a shared folder? -- Dr. Doug Pruiett Good News Jail & Prison Ministry www.goodnewsjail.org Tag: Migrating from single enterprise root CA to different root CA Tag: 92863
  - 24
    - Permission is missing after 2-3 days I'm try to give permission for userA to access folder in c:\Program Files\AirPlusXXX\DB But after 2-3 day that user can't access to c:\Program Files\AirPlusXXX\DB, I'm check permission on this folder but userA is disapper ? Any body know how to solved problem. Tag: Migrating from single enterprise root CA to different root CA Tag: 92852
  - 25
    - How do I destroy hardrives if "not me" trys access? Its not that important...but i'm curious..would like to hear some serious ideas on hard drive destruction if someone other than yourself accesses your PC. I thought of acid but that would be pretty complicated and wiping with the Peter Gutman algorythm takes too long... even on a SATA RAID0 10,000 RPR array. I want an immediate wipeout..like fire...based on a wrong password? Common guys.. you know what im talkin about.. Tag: Migrating from single enterprise root CA to different root CA Tag: 92851

Hi all,

due to extended cooperation with other companies we now have to set up a
shared PKI with our business partners.

Currently, we have got a single enterprise root CA for our Active Directory
(single domain) in place. It has been running for about two years now and
there is quite a number of certificates issued (>1000). The challenge we are
facing now is migrating from our local root CA to the shared public root CA
without the current certificates becoming invalid.
Public root CA (offline) is already in place. The responsible administration
team will provide an intermediate CA for our company, and we would like to
keep that one offline, too, and set up an issuing enterprise CA for our AD.

I thougt about that some time and determined that there is no need to keep
the current enterprise root CA running once all certificates have been
replaced by new ones. Because of that I would like to avoid
cross-certification and migrate in the following way:
- Publish new public root CA and intermediate CA to AD
- Set up issuing CA as enterprise subordinate
- re-issue certificates when suitable

I have now encountered some points which are not clear to me:
- Is this a valid migration path from a technical perspective?
- Is it possible to publish multiple root CAs to AD?
- Will the issued certificates stay valid with the new PKI in place until
they are replaced?
- How can I achieve that new certificates from our customized V2 templates
are issued by the new issuing CA instead of our old enterprise root CA?

Thanks in advance for your help!

Top