What is the purpose of enabling Windows Server internal firewall for internal AD Domain servers?
People, I wonder if enabling the internal Windows Server firewall feature is going to be very helpful or not? Because I must also create the firewall rule to allow RDP on port 3389 and ICMP ping and also the WMI for the PowerShell remoting feature for…
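An added example (the editor's, not the poster's) of the minimum rule set the post is asking about, written so the host firewall is still worth having: everything stays default-deny inbound and each admin rule is scoped to a management subnet instead of "any". One correction to the question's wording: PowerShell remoting rides on WinRM (TCP 5985/5986), not WMI; classic WMI/DCOM needs the RPC endpoint mapper plus the dynamic RPC range, which is why the built-in WMI rule group is enabled rather than hand-opening ports. `10.10.50.0/24` is an assumed placeholder for your admin/jump-host subnet.

```powershell
# Added example: host-firewall baseline for a domain-joined server. Not from the original post.
# ASSUMPTION: 10.10.50.0/24 stands in for the subnet your admins/jump hosts connect from.
$AdminNet = '10.10.50.0/24'

# Create the allow rules FIRST, then enable the profiles, so a remote session is not cut off.

# RDP, only from the admin subnet (the built-in "Remote Desktop" group allows any source).
New-NetFirewallRule -DisplayName 'Admin-RDP' -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminNet -Action Allow -Profile Domain | Out-Null

# ICMPv4 echo request (ping) from the admin subnet only.
New-NetFirewallRule -DisplayName 'Admin-Ping' -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $AdminNet -Action Allow -Profile Domain | Out-Null

# PowerShell remoting = WinRM: 5985 (HTTP) and 5986 (HTTPS).
New-NetFirewallRule -DisplayName 'Admin-WinRM' -Direction Inbound -Protocol TCP -LocalPort 5985,5986 `
    -RemoteAddress $AdminNet -Action Allow -Profile Domain | Out-Null

# Classic WMI/DCOM (Get-WmiObject, MMC snap-ins): enable the built-in rule and scope it.
Enable-NetFirewallRule -DisplayName 'Windows Management Instrumentation (WMI-In)'
Set-NetFirewallRule    -DisplayName 'Windows Management Instrumentation (WMI-In)' -RemoteAddress $AdminNet

# Now turn the firewall on with block-by-default inbound on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Verify: every Admin-* rule must show the subnet, never 'Any', as its remote address.
Get-NetFirewallRule -DisplayName 'Admin-*' | ForEach-Object {
    '{0}: RemoteAddress={1}' -f $_.DisplayName, (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
}
```

The point of the exercise is the `-RemoteAddress` scoping: with the firewall off, any host that reaches the server can talk to 3389 and WinRM; with these rules, lateral movement from a compromised workstation outside the admin subnet is stopped at the host even if the network firewall lets it through. Running the block twice creates duplicate `Admin-*` rules, so check with `Get-NetFirewallRule -DisplayName 'Admin-*'` before re-running.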
CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability
Hi All, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 To remediate the vulnerability CVE-2013-3900, add the below registry values. [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config] …
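An added example (the editor's, not the poster's) of applying and verifying the opt-in setting on a 64-bit host. The excerpt above truncates the value; the name and data used here, `EnableCertPaddingCheck` as `REG_SZ` `"1"` under both the native and the `Wow6432Node` path, are the ones in the MSRC advisory the post links. `C:\Deploy\installer.exe` is an assumed placeholder for an installer you actually ship.

```powershell
# Added example: enable the CVE-2013-3900 certificate-padding check and read it back. Not from the post.
# Value name/type/data come from the MSRC advisory linked above; the advisory specifies REG_SZ,
# so do not create a DWORD by mistake.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'   # 32-bit view on x64 hosts
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' -PropertyType String -Value '1' -Force | Out-Null
}

# Read back, so a config-management or audit job can assert the state.
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    if ($null -eq $v) { $v = '<missing>' }
    '{0}: EnableCertPaddingCheck = {1} ({2})' -f $p, $v, $(if ($v -eq '1') { 'OK' } else { 'NOT SET' })
}

# Regression check: signed binaries you deploy must still validate once the check is on.
# ASSUMPTION: C:\Deploy\installer.exe is a placeholder for one of your own signed installers.
$sig = Get-AuthenticodeSignature -FilePath 'C:\Deploy\installer.exe'
'{0}: {1}' -f $sig.Path, $sig.Status
```

The caveat the advisory itself carries: the check makes WinVerifyTrust reject Authenticode signatures that carry extra data in the `WIN_CERTIFICATE` padding, which some installers and self-extractors rely on, so test the software you distribute before rolling the value out by GPO. Because the setting is read by `WinVerifyTrust` at call time, no reboot is needed; `Get-AuthenticodeSignature` uses the same API, so its `Status` is a valid before/after probe.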
Final check before fully blocking NTLM for the whole domain
Dear PPL, I would like to set our Default Domain Policy "Restrict NTLM: Incoming NTLM Traffic" to Deny All Accounts. Before I do it, I have enabled auditing logs and can see some devices or services are still using NTLM, for example, Win10…
Active Directory Certificate Services - Migrate from W2K8R2 to W2K19 Server - In-place upgrade
Hi, my setup: ADCS and PKI services on a domain-joined (I know! I know, it shouldn't be domain joined) VM running on W2K8R2. I need to get out of W2K8R2 and the plan is to do an in-place upgrade to W2K12R2 and then to W2K19. When doing the in-place…
How to change days before password expires notice
I'm looking for a way to change the number of days before notifying users of password expiration from the default of 5 to some other number. I've found a web posting that references: Default Domain Policy (or Default Domain Controller Policy?) >…
Need some help to target the Group Policy to enable the NTLM audit?
I must audit any computers still using NTLM v1 in my AD Domain. Do I need to enable these group policies for all Windows servers and workstations in my AD Domain or just the Domain Controllers? Computer Configuration\Windows Settings\Security…
April Security update breaks MSMQ on Windows Server
This patch will break MSMQ in any current Windows Server version. Example: KB5036896 installed on Windows Server 2019; "not implemented" error after patching. ErrorNumber: '-2147467263' Source: 'MSMQTransaction' Raised 'Unhandled…
FeatureSettingsOverride multiple value entries
Hello, I am looking to apply a patch to disable the Downfall mitigation. I am looking to amend the FeatureSettingsOverride value to "33554432" as per recommendations. However, the FeatureSettingsOverride value is already set to "72" in order…
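An added example (the editor's, not the poster's) answering the "multiple value entries" part: `FeatureSettingsOverride` is a single `REG_DWORD` bitmask, not a multi-string, so a second override is merged into the existing value with a bitwise OR rather than by overwriting it. The two numbers are the ones in the post (72 already present, 33554432 to add); `FeatureSettingsOverrideMask = 3` is the mask value Microsoft's speculative-execution guidance uses alongside these overrides.

```powershell
# Added example: OR a new mitigation-override bit into FeatureSettingsOverride. Not from the post.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$add = 33554432     # 0x02000000, the value the post wants to add (Downfall mitigation off)

# Read what is there now (72 = 0x48 in the poster's case); treat a missing value as 0.
$cur = (Get-ItemProperty -Path $key -Name FeatureSettingsOverride -ErrorAction SilentlyContinue).FeatureSettingsOverride
if ($null -eq $cur) { $cur = 0 }

# Bitwise OR keeps every bit already set and adds the new one. Plain addition would be wrong
# if the bit were already present (it would carry into the next bit).
$new = $cur -bor $add

'current=0x{0:X8} ({0})  add=0x{1:X8} ({1})  new=0x{2:X8} ({2})' -f $cur, $add, $new

Set-ItemProperty -Path $key -Name FeatureSettingsOverride     -Value $new -Type DWord
Set-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -Value 3    -Type DWord

# Takes effect after a reboot. To confirm the kernel's view afterwards:
#   Install-Module SpeculationControl; Get-SpeculationControlSettings
```

For the post's values the arithmetic is 0x00000048 OR 0x02000000 = 0x02000048, i.e. 33554504, which is also what `72 + 33554432` gives here only because the two bit patterns do not overlap; the OR is what you want in general. Keep the audit trail: disabling a CPU mitigation is a risk acceptance, so record the before/after value the script prints.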
Block NTLM and NTLMv2 totally, only enable Kerberos
Dear PPL, I would like to totally shut down NTLMv2 in our domain. I would like only Kerberos for our account authentication. Should I just change the GPO of the Default Domain Policy on AD: Network security: Restrict NTLM: Incoming NTLM traffic: to Deny All…
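An added example (the editor's, not any poster's) serving the three NTLM posts above (the "final check" before Deny All, the NTLMv1 audit scope question, and this one): an inventory of who is still authenticating with NTLM, and with which version, taken from the Security log. Two facts frame it. The version (`NTLM V1` vs `NTLM V2`) is only recorded in event 4624 on the machine where the logon happened, so a domain controller's log covers logons to the DC itself; for member servers you must read their logs too, which is what the `-ComputerName` list is for. The GPO "Audit NTLM authentication in this domain" is a DC-side setting, while "Audit Incoming NTLM Traffic" is per server; those write to the `Microsoft-Windows-NTLM/Operational` log (events 8001-8004) and complement, not replace, this query. It assumes an account allowed to read the remote Security logs and the ActiveDirectory module for the default DC list.

```powershell
# Added example: list NTLM logons (with NTLM version) from Security event 4624. Not from the posts.
function Get-NtlmLogons {
    param(
        # Default: every DC. Add member servers to see NTLM logons that never touch a DC's 4624.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.AuthenticationPackageName -eq 'NTLM') {
                [pscustomobject]@{
                    Host        = $c
                    Time        = $_.TimeCreated
                    Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                    Version     = $d.LmPackageName        # 'NTLM V1' or 'NTLM V2'
                    Workstation = $d.WorkstationName
                    SourceIP    = $d.IpAddress
                    LogonType   = $d.LogonType            # 3 = network, 10 = RDP, ...
                }
            }
        }
    }
}

# NTLMv1 stragglers: these break first when LmCompatibilityLevel is raised.
Get-NtlmLogons -Hours 168 | Where-Object Version -eq 'NTLM V1' |
    Group-Object Workstation, Account | Sort-Object Count -Descending | Select-Object Count, Name

# Everything NTLM by source, to size the blast radius of "Deny all accounts".
Get-NtlmLogons -Hours 168 | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it over at least a full week before flipping the policy: monthly jobs and service accounts that only authenticate at odd hours are exactly what a 24-hour sample misses. An `Account` of `ANONYMOUS LOGON` or a `Workstation` that is a server rather than a client usually means a relayed or proxied connection, and the real caller is in that server's own 4624/4625 events.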
RDS with network segmentation
Hi, we have an environment that is not connected to the internet. This environment contains Windows Server 2022 and Windows 10/11 clients. To be able to access this environment remotely, we have to use Cisco VPN, and when the VPN is connected we do an RDP…
Fix Root AD CA certificate on Win Server 2022 for Apache Tomcat 9 website not loading?
We set up a Windows Active Directory Certificate Authority on our Windows Server 2022 and issued a certificate for an Apache Tomcat 9 server website. When a user accesses the website, logging in with a valid AD logon, the website will show the website…
CA Web enrollment (certsrv) behind VIP, load balancer
Hello Team, is it a good recommendation to move the CA Web Enrollment role behind a VIP / load balancer? I am getting an error while using CA Web Enrollment behind the VIP; I am unable to request a certificate using…
Remote Credential Guard double-hop issue after server 2022 upgrade
We upgraded two of our jump/admin servers from Server 2019 to Server 2022. One was installed fresh, the other one was upgraded via in-place upgrade. Now mstsc /remoteguard no longer works correctly; we seem to run into a Kerberos double-hop issue. …
LDAP over SSL on a RODC only (how to)
Hi, I have a "basic" question. The customer has 2x RODC in a separated environment, which is directly connected to the on-prem domain controllers (all 2016). Firewall ports are configured and open. The RODC setup was done without any issues. …
What are Microsoft's security recommendations for Microsoft Entra?
Hello, we are setting up a Microsoft Enterprise tenant; what basic recommendations can we make to make it more secure? As we know, we would like to implement MFA, CA, PIM, audit logging; anything apart from this, especially from the IAM security side. Thanks, Richa
Procedure for enabling and configuring the LDAPS feature for the existing Domain Controllers globally.
I need to globally configure the LDAPS feature in over 20 on-premises Domain Controllers/Global Catalogs to support new security software integration. My existing AD Domain controllers are Windows Server 2016 with Windows Server 2016 FFL/DFL. What steps…
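An added example (the editor's, not the poster's) for this post and the RODC LDAPS post above: the verification step that follows the rollout. On a domain-joined DC there is no LDAPS switch to flip; LDAP on 636/3269 starts offering TLS as soon as a suitable certificate is in the computer's Personal store (Server Authentication EKU, the DC's FQDN in the subject or SAN, private key present), which an enterprise CA's Kerberos Authentication or Domain Controller Authentication template supplies by autoenrollment. The function below opens a TLS session to each DC, reports which certificate is actually served, and checks the things the "new security software" will check: EKU, name match, and whether the chain builds against the trust store of the host you run it from. It assumes the ActiveDirectory module for the default DC list and network reachability to 636.

```powershell
# Added example: verify LDAPS on every DC/GC. Not from the post.
function Test-LdapsEndpoint {
    param(
        [string[]]$Server = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$Port = 636     # use 3269 to test the Global Catalog listener
    )
    foreach ($s in $Server) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = [System.Net.Sockets.TcpClient]::new()
            $tcp.Connect($s, $Port)
            # Accept any certificate in the callback so we can inspect a bad one; the chain
            # result is reported explicitly below instead of being hidden behind an exception.
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($s)
            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $ok    = $chain.Build($cert)
            [pscustomobject]@{
                Server      = $s
                Protocol    = $ssl.SslProtocol
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                NotAfter    = $cert.NotAfter
                ServerAuth  = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
                NameMatches = ($cert.DnsNameList.Unicode -contains $s) -or ($cert.Subject -like "CN=$s*")
                ChainsOk    = $ok
                ChainStatus = ($chain.ChainStatus.Status -join ',')
            }
        } catch {
            [pscustomobject]@{ Server = $s; Protocol = 'FAILED'; Subject = $_.Exception.Message }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }
}

# Everything that is not a clean pass, across all DCs:
Test-LdapsEndpoint | Where-Object { $_.Protocol -eq 'FAILED' -or -not $_.ChainsOk -or -not $_.NameMatches -or -not $_.ServerAuth }
```

Run it from the host the new security software will sit on, not from a DC: `ChainsOk` is evaluated against the caller's trusted roots, so a DC that passes locally and fails here tells you the integration box is missing the issuing CA chain, which is the most common cause of "LDAPS works for me but not for the appliance". A `FAILED` row with a connection-refused error on a freshly enrolled DC usually means Schannel has not picked up the new certificate yet.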
Effective Mail Security applications for Exchange 2019 on-prem
I currently use Symantec Mail Security for Microsoft Exchange on our on-prem Exchange 2019 environment but am looking for a new product. The environment is not connected to the Internet, but on a large stand-alone network, and I initially wondered if…
Credential Validation Audit Failure -Event ID 4776 - MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 - Error Code: 0xc000006a/0xC0000234
Hello all, thanks for reading and attempting to help. I have been having an ongoing issue for the past month or so with my account getting locked multiple times throughout the day due to the error listed in the title. Every time it happens I go check…
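An added example (the editor's, not the poster's) of the triage the title already points at: event 4776 is the DC-side record of an NTLM credential validation (`MICROSOFT_AUTHENTICATION_PACKAGE_V1_0`), and its `Workstation` field names the machine that submitted the credentials, so grouping the failures for one account by that field tells you which host is replaying the stale password. `0xC000006A` is "wrong password"; `0xC0000234` is "account already locked out", i.e. the attempts that keep arriving after the lockout. It assumes the ActiveDirectory module for the DC list, an account allowed to read the DCs' Security logs, and uses `jdoe` as a placeholder account name.

```powershell
# Added example: find which host keeps submitting a bad password for an account. Not from the post.
function Find-BadPasswordSource {
    param(
        [Parameter(Mandatory)][string]$Account,
        [int]$Hours = 24,
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    $meaning = @{ '0xc000006a' = 'bad password'; '0xc0000234' = 'account locked out' }
    $filter  = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -eq $Account -and $d.Status -ne '0x0') {
                $code = $d.Status.ToLower()
                [pscustomobject]@{
                    DC          = $dc
                    Time        = $_.TimeCreated
                    Workstation = $d.Workstation        # host that forwarded the credentials
                    Status      = $code
                    Meaning     = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { 'other' }
                }
            }
        }
    }
}

# ASSUMPTION: 'jdoe' is a placeholder for the locked-out account.
Find-BadPasswordSource -Account 'jdoe' -Hours 24 |
    Group-Object Workstation, Meaning | Sort-Object Count -Descending | Select-Object Count, Name

# Earliest failures first: the first 0xc000006a after a password change is the culprit session.
Find-BadPasswordSource -Account 'jdoe' -Hours 24 | Sort-Object Time | Select-Object -First 5
```

Query all DCs, not just the PDC emulator: the PDC receives forwarded bad-password notifications, but the original 4776 with the `Workstation` name is on whichever DC validated the attempt. When `Workstation` turns out to be a server (an RDS host, an Exchange or IIS box, a file server) rather than the user's PC, repeat the hunt on that server with event 4625, whose `IpAddress` field carries the real client; a blank `Workstation` typically means a non-Windows client or a service presenting cached credentials.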
Delegate Control Wizard reports
Does the Delegate Control Wizard in AD allow an auditor to view which permissions have already been 'delegated' within AD/a domain? Or is it purely for delegating new permissions? If it does not, how exactly could you determine where such permissions…