Installing Certificate Authority

I have used this guide to install, in my lab, a 2-tier PKI on Windows Server 2019:
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
I know that guide is pretty old but it seems to have been updated pretty recently. Some steps are slightly different in the newer Windows version but nothing that can’t be figured out. The only deviation from the guide is that I have combined the roles of the issuing CA (CA02) and the CDP/AIA publisher (SRV1). Other than that I followed the guide step-by-step (or at least I think I have, there are a couple of parts that are not very clear). I have redone the whole thing a couple of times. I keep winding up with the same issue:
I cannot validate the LDAP connections for AIA, CDP or DeltaCRL in PKIView. I also notice that the share location that I create during the initial setup of the issuing server has somehow changed to the CertEnroll folder under certsrv in system32 rather than C:\CertEnroll where I created it. How the heck does that happen?!? I am not sure at what point in the process that changes. I’ve just noticed it when I am troubleshooting the PKIView failure after completing all the setup steps. I am obviously most concerned with the PKIView failure, just really curious as to why that share location changes. Thanks for reading.
[Screenshot of PKIView]

Author: RobS
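As an added example (not from the post or the TechNet guide), the script below reads the CDP and AIA publication URLs of a local CA from the registry and decodes the flag bits in front of each entry, which is the same data certutil -getreg CA\CRLPublicationURLs prints; the file entry it lists is, by default, the system32\CertSrv\CertEnroll path the CA role publishes to. It assumes it runs on the CA itself with read access to the CertSvc configuration key.

```powershell
# Added example: decode CRLPublicationURLs (CDP) and CACertPublicationURLs (AIA) of the active CA.
# Assumes local read access to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
$caKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $caKey -Name Active).Active   # common name of the active CA

# Flag bits stored in front of each URL ("79:ldap:///...", "6:http://...", "65:C:\...").
$cdpFlags = @{ 1 = 'SERVERPUBLISH'; 2 = 'ADDTOCERTCDP'; 4 = 'ADDTOFRESHESTCRL'
               8 = 'ADDTOCRLCDP';   64 = 'SERVERPUBLISHDELTA'; 128 = 'ADDTOIDP' }
$aiaFlags = @{ 1 = 'SERVERPUBLISH'; 2 = 'ADDTOCERTCDP'; 32 = 'ADDTOCERTOCSP' }

function ConvertFrom-PublicationUrl {
    param([string[]]$Entries, [hashtable]$FlagNames)
    foreach ($entry in $Entries) {
        $flags, $url = $entry -split ':', 2                  # "79" and "ldap:///CN=%7%8,..."
        $set = $FlagNames.Keys | Sort-Object |
               Where-Object { ([int]$flags -band $_) -ne 0 } |
               ForEach-Object { $FlagNames[$_] }
        [pscustomobject]@{
            Scheme    = ($url -split ':', 2)[0]              # ldap, http, or a drive letter for a file path
            Url       = $url
            Flags     = $set -join ','
            Published = ([int]$flags -band 1) -ne 0          # the CA writes the object to this location
            InCerts   = ([int]$flags -band 2) -ne 0          # the URL is stamped into issued certificates
        }
    }
}

$cfg = Get-ItemProperty -Path (Join-Path $caKey $caName)
'CDP (CRLPublicationURLs):'
ConvertFrom-PublicationUrl $cfg.CRLPublicationURLs $cdpFlags | Format-Table -AutoSize
'AIA (CACertPublicationURLs):'
ConvertFrom-PublicationUrl $cfg.CACertPublicationURLs $aiaFlags | Format-Table -AutoSize
```

An ldap:/// entry that PKIView should be able to validate needs both Published and InCerts true for CDP (plus SERVERPUBLISHDELTA when delta CRLs are enabled); an entry missing SERVERPUBLISH is never written to the directory, so the container stays empty.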

Are there security reasons for prohibiting universal mac address modification?

Background

In a standard 48-bit MAC address, the 7th (most significant) bit specifies whether it is a universally-administered address (UAA) or a locally-administered address (LAA).

If it is 0, then the MAC address is a UAA and the first 24-bits are the organizationally-unique identifier (OUI) of the manufacturer of the network interface card (NIC).

If it is 1, then the MAC address is just an LAA.

Question

Many drivers and NICs often allow users to modify the MAC address of their device.

But it seems Windows does not allow modifying MAC addresses to universal ones (i.e., UAAs): https://superuser.com/questions/1265544/

What is the reason for this restriction? Are there security implications if this was not the case? Or, perhaps, is this merely just to prevent someone from spoofing a device as some legitimate company’s network communications product? (to their ISP)

Author: ManRow
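As an added example (not from the post), the PowerShell below classifies a 48-bit MAC address by the U/L and I/G bits of its first octet described above and then lists the adapters on the local machine whose current address is locally administered, which is the inventory check a defender would run; the sample addresses are constructed, and Get-NetAdapter is only used at the end.

```powershell
# Added example: classify a MAC address by its U/L (bit value 0x02) and I/G (0x01) bits.
function Get-MacAddressInfo {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = $Mac -replace '[:\-\.]', ''                   # accepts 00:11:22:33:44:55, 00-11-..., 0011.2233.4455
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "Not a 48-bit MAC address: $Mac" }
    $firstOctet = [Convert]::ToInt32($hex.Substring(0, 2), 16)
    $local = ($firstOctet -band 0x02) -ne 0              # U/L bit set: locally administered (LAA)
    $group = ($firstOctet -band 0x01) -ne 0              # I/G bit set: multicast/group address
    # The OUI only identifies a manufacturer when the address is universally administered.
    $oui = if ($local) { $null } else { $hex.Substring(0, 6).ToUpper() }
    [pscustomobject]@{
        Mac                 = ($hex.ToUpper() -replace '(..)(?!$)', '${1}:')
        OUI                 = $oui
        LocallyAdministered = $local
        Multicast           = $group
    }
}

# Constructed samples: a UAA, the same address with the U/L bit set, and the broadcast address.
'00:11:22:33:44:55', '02-11-22-33-44-55', 'FF:FF:FF:FF:FF:FF' | ForEach-Object { Get-MacAddressInfo $_ }

# Adapters whose current address is locally administered (for example, overridden in the driver).
Get-NetAdapter | ForEach-Object { Get-MacAddressInfo $_.MacAddress } | Where-Object LocallyAdministered
```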

Login names between sub domains in Active Directory

If I create two subdomains (sub1.domain.com and sub2.domain.com) under my parent domain (domain.com), can different users have the same login in the different subdomains? Or do logins need to be different across the forest?

  • jsmith@domain.com
  • jsmith@sub1.domain.com
  • jsmith@sub2.domain.com

Is this perfectly fine or will sub1 and sub2 conflict with the parent domain? Or will all 3 conflict with each other?

Author: GSerrano
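As an added example (not from the post), the PowerShell below looks a login up across every domain of the forest through a global catalog (port 3268), so the three jsmith logins listed above can be compared in one search, and flags any UPN that resolves to more than one account. It assumes the ActiveDirectory module; the GC host name is a placeholder.

```powershell
# Added example: forest-wide login lookup via a global catalog. Host name is a placeholder.
Import-Module ActiveDirectory

function Find-ForestLogin {
    param(
        [Parameter(Mandatory)][string]$Login,               # 'jsmith' or 'jsmith@sub1.domain.com'
        [string]$GlobalCatalog = 'gc01.domain.com:3268'     # placeholder GC host:port
    )
    $safe = $Login -replace "'", "''"                       # stop a quote from breaking the filter
    $name = ($safe -split '@')[0]
    # sAMAccountName is unique only within its own domain; the UPN is the forest-wide login form.
    $filter = "sAMAccountName -eq '$name' -or UserPrincipalName -eq '$safe'"
    Get-ADUser -Filter $filter -Server $GlobalCatalog -Properties UserPrincipalName, CanonicalName |
        Select-Object SamAccountName, UserPrincipalName, CanonicalName
}

# Flag a UPN that resolves to more than one account anywhere in the forest (logon ambiguity).
function Test-UpnUnique {
    param([Parameter(Mandatory)][string]$Upn, [string]$GlobalCatalog = 'gc01.domain.com:3268')
    $safe = $Upn -replace "'", "''"
    $hits = @(Get-ADUser -Filter "UserPrincipalName -eq '$safe'" -Server $GlobalCatalog)
    [pscustomobject]@{ UPN = $Upn; Accounts = $hits.Count; Unique = ($hits.Count -le 1) }
}

'jsmith@domain.com', 'jsmith@sub1.domain.com', 'jsmith@sub2.domain.com' | ForEach-Object { Test-UpnUnique $_ }
Find-ForestLogin 'jsmith'
```

Find-ForestLogin 'jsmith' returns one row per domain that holds a jsmith account, with CanonicalName showing which domain each belongs to.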

Make host header correct from upstream

I configured a simple load balancer scheme on Windows:

upstream app.local {
    server app1.local:8001 fail_timeout=10s max_fails=10;
    server app2.local:8002 fail_timeout=10s max_fails=10;
}

server {
    listen 8000;

    location / {
        proxy_pass http://app.local;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Changed the hosts file like this:

127.0.0.1       app.local
127.0.0.1       app1.local
127.0.0.1       app2.local

All fine, but my web servers behind app1.local and app2.local receive the incorrect header Host: app.local and therefore don’t want to resolve requests. I read the post with the same problem, but the top answer did not resolve mine and I don’t want to use the double-layer proxy option straight off.

Author: Vasil Akhmetov

What firewall should I use?

What is the most comprehensive free firewall solution available for Windows? Personal machine, not work machine. I see a ton of choices online, but not sure which one to pick.

Author: PerpetualLearner

ANSWER

For home use I am fine with the built-in and free Windows Firewall (or Windows Defender Firewall) most of the time. It serves its purpose. Does the job. Not overwhelming to use. Customizable enough.

I would also explore the security options that come with my home router. Many have it included nowadays, and with a little tweaking, should be able to add an extra layer of protection to one’s home network.

Remote connection from Docker container by FTP

I built my Docker image and ran it:

docker run --rm -P -d test:latest

Then I entered the command and opened a connection:

ftp
open XXX

I successfully connected and entered user data. After that I tried to execute:

ls

And received these messages:

200 Command okay.
425 Can't open data connection.

Could you help me, please?

P.S.

I run a Linux image from Windows cmd.

Author: Leonid

What does “localhost name resolution is handled within DNS itself” mean?

I know that the Windows hosts file maps host names to IP addresses. But there is no mapping for localhost. Instead it has a comment that says this:

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost

I don’t understand this. Where is this “DNS” that handles this resolution? Is it a program somewhere in Windows OS? Is it outside of Windows? Does it have a config file? How is this being done?

Author: Liga

Why is Git Windows committing on merge, even with merge.commit=no?

I am using Git Bash in Windows 10, version: git version 2.25.1.windows.1. Let me know if I need to be more specific. I am also using GitExtensions but my question is around merging from Git Bash.

When I merge from there, i.e.:

git merge feature-branch-name

it commits even though, as far as I can tell, all three of my Git config files are set otherwise. I know I can specify --no-commit in the command but I would like not to have to do that.

From the source code directory, git config --list produces the output below, where it shows three times that merge.commit=no.

diff.astextplain.textconv=astextplain
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
http.sslbackend=openssl
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
core.autocrlf=false
core.fscache=true
core.symlinks=false
core.editor="C:\Program Files\Notepad++\notepad++.exe" -multiInst -notabbar -nosession -noPlugin
credential.helper=manager
merge.ff=no
merge.commit=no
core.editor="C:/Program Files (x86)/GitExtensions/GitExtensions.exe" fileeditor
user.email=craig@wereallconnected.ca
user.name=Craig Silver
merge.tool=winmerge
merge.ff=no
merge.commit=no
mergetool.winmerge.path=C:/Program Files (x86)/WinMerge/winmergeu.exe
mergetool.winmerge.cmd="C:/Program Files (x86)/WinMerge/winmergeu.exe" -e -u  -wl -wr -fm -dl "Mine: $LOCAL" -dm "Merged: $BASE" -dr "Theirs: $REMOTE" "$LOCAL" "$BASE" "$REMOTE" -o "$MERGED"
pull.rebase=false
fetch.prune=false
rebase.autostash=false
diff.guitool=winmerge
difftool.winmerge.path=C:/Program Files (x86)/WinMerge/winmergeu.exe
difftool.winmerge.cmd="C:/Program Files (x86)/WinMerge/winmergeu.exe" -e -u "$LOCAL" "$REMOTE"
core.repositoryformatversion=0
core.filemode=false
core.bare=false
core.logallrefupdates=true
core.ignorecase=true
core.sshcommand=ssh
merge.ff=no
merge.commit=no
submodule.active=.
remote.origin.url=REMOVED
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
remote.origin.puttykeyfile=REMOVED
branch.master.remote=origin
branch.master.merge=refs/heads/master
branch.FMS-1203_data-structures-algorithms-string-matching.remote=origin
branch.FMS-1203_data-structures-algorithms-string-matching.merge=refs/heads/FMS-1203_data-structures-algorithms-string-matching
branch.FMS-1205_recency-trumps-frequency-for-small-fr-diff.remote=origin
branch.FMS-1205_recency-trumps-frequency-for-small-fr-diff.merge=refs/heads/FMS-1205_recency-trumps-frequency-for-small-fr-diff
branch.FMS-1204_debug-window.remote=origin
branch.FMS-1204_debug-window.merge=refs/heads/FMS-1204_debug-window

Also, git config --get merge.commit outputs no.

FYI, GitExtensions behaves correctly: merging there does not commit.

What am I missing?

Author: Craig Silver

Double win10 installs – both bitlocker protected and isolated

Hardware:

  • AMD Ryzen processor, ASUS Crosshair Hero VI mb, no TPM installed
  • M.2 Samsung 960 PRO SSD
  • SATA Samsung 840 PRO SSD

I would like to have latest win10 2004 on both SSDs and isolated from one another for privacy reasons.

  • 1st SSD is for work and part of AzureAD
  • 2nd SSD should be private

M.2 is already installed, with bitlocker and working. Asking for PIN on boot (before OS menu).

When I tried to set up BitLocker on the 2nd SSD, the BitLocker setup crashed and I cannot boot to the 2nd OS anymore.
TrueCrypt is also an alternative for the 2nd SSD, but it seems I will have the same problems with bootloaders?

Any suggestions on how to set this up?
If really necessary I will reinstall everything.

Author: PeroR