RDP Fails PCI-DSS Scan - rdp

I'm having an issue with RDP failing the PCI-DSS scan (port 3389) due to the default self-signed cert that Microsoft Server (2012 R2) generates when RDP is set up. I need to configure RDP to use a trusted cert. How would I do that? I can find nothing out there that explains how that is done.
R/
Prescott ..

Many thanks to the support personnel at Ait.Com for figuring this out for me. The steps below are specific to Windows Server 2012 R2; I can't say that they'll work for any other version.
Right-click on the Windows icon at bottom left and select Run.
Enter "gpedit.msc" and hit Enter or click OK.
You will see the Group Policy Editor window. In the left pane select: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
Under Security we will change the following settings:
Server authentication certificate template: select Enabled. In the input box, enter TLS 1.2, then click Apply and OK to close the window.
Set client connection encryption level: select Enabled and in the Encryption level dropdown select High Level.
Require use of specific security layer for remote (RDP) connections: select Enabled and in the Security layer dropdown select SSL.
Require user authentication for remote connections by using Network Level Authentication: select Enabled.
Install the verified TLS 1.2 certificate you bought from a certificate authority:
Right-click on the Windows icon at bottom left and select Run.
Enter MMC and hit Enter or click OK; a Console1 window will appear.
On the File menu select Add/Remove Snap-in...
Select Certificates in the left pane and click the Add button in the center.
Select Computer Account and click Next.
Select Local Computer and click Finish.
In the left pane select Certificates (Local Computer) -> Personal.
Inside the Personal folder you may or may not find a Certificates subfolder; it's OK in either case.
If it is not already there, import the TLS 1.2 certificate into the Personal folder: right-click -> All Tasks -> Import.
By default, Local Machine is selected; click Next.
Browse to the file path and select the file, then click Next.
Enter the password for the certificate and click Next.
Select Place all certificates in the following store and click Browse to select the Personal folder (the Remote Desktop folder can also be selected here, but only one is required).
Click Next and click Finish.
You should see your certificate inside Personal -> Certificates or Remote Desktop -> Certificates (whichever you selected).
Run these commands in PowerShell (replace #YourHash# with your certificate's Thumbprint from Notepad). Run them one line at a time; PowerShell should report that each command succeeded.
$TSGeneralSetting = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
$Hash = "#YourHash#"
$TSGeneralSetting.SSLCertificateSHA1Hash = $Hash
$TSGeneralSetting.put()
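To confirm the change took effect before re-running the scan, the following added script (not from the original answer or from Ait.Com) reads the same Win32_TSGeneralSetting instance back, finds the bound certificate in the machine stores, and checks it and the three policy settings above for the conditions a scanner would flag. It assumes Windows Server 2012 R2 with Windows PowerShell in an elevated session; the Remote Desktop store path and the numeric meanings of the WMI properties are as documented for that class.

```powershell
# Added example, not from the original answer: read back the RDP-Tcp listener binding
# and report the same things a PCI scan would complain about.
# Assumptions: Windows Server 2012 R2, Windows PowerShell, elevated session.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Same WMI class the commands above write to; SecurityLayer 2 = SSL (TLS),
# MinEncryptionLevel 3 = High, UserAuthenticationRequired 1 = NLA required.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"

# Resolve the bound thumbprint in the machine stores: Personal first, then the
# Remote Desktop store where the auto-generated self-signed certificate lives.
$bound = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
if (-not $bound) {
    $bound = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' | Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
}

$findings = @()
if (-not $bound) {
    $findings += "Bound thumbprint $($ts.SSLCertificateSHA1Hash) not found in the Personal or Remote Desktop stores"
} else {
    # Subject equal to issuer is the usual tell for a self-signed certificate (heuristic).
    if ($bound.Subject -eq $bound.Issuer) { $findings += "Certificate is self-signed: $($bound.Subject)" }
    if ($bound.NotAfter -lt (Get-Date))   { $findings += "Certificate expired on $($bound.NotAfter)" }
    if (-not $bound.HasPrivateKey)        { $findings += 'Certificate has no private key; the listener cannot use it' }
    # Test-Certificate (PKI module) builds the chain to a trusted root and applies the SSL server policy.
    if (-not (Test-Certificate -Cert $bound -Policy SSL -DNSName $fqdn -WarningAction SilentlyContinue)) {
        $findings += "Certificate does not chain to a trusted root or does not match $fqdn"
    }
}
if ($ts.SecurityLayer -ne 2)              { $findings += "SecurityLayer is $($ts.SecurityLayer); expected 2 (SSL)" }
if ($ts.MinEncryptionLevel -lt 3)         { $findings += "MinEncryptionLevel is $($ts.MinEncryptionLevel); expected 3 (High) or 4 (FIPS)" }
if ($ts.UserAuthenticationRequired -ne 1) { $findings += 'Network Level Authentication is not required' }

if ($findings.Count -eq 0) {
    "OK: RDP-Tcp uses $($bound.Subject), issued by $($bound.Issuer), valid until $($bound.NotAfter)"
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

Any FAIL line maps directly to one of the steps above: a self-signed or untrusted result means the thumbprint still points at the auto-generated certificate (or the CA chain is not installed in Trusted Root), while a policy finding means the Group Policy settings have not been applied yet (run gpupdate /force and restart the Remote Desktop Services service).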


Thunderbird 78: How to add security exception?

In previous versions of Thunderbird, when connecting to a server with a self-signed certificate, a warning was displayed, but the option was offered to create a security exception for that server with this dialog:
I could click on "Confirm Security Exception" and thereafter, TB could communicate with the server.
But in this version of TB, I only see a message:
Sending of message failed.
The certificate is not trusted because it is self-signed.
The configuration related to [server name] must be corrected.
There is no indication of what "must be corrected" for TB to trust the certificate.
The Certificate Manager in the Privacy settings section does open the dialog above. But once the correct IP:port is entered, the "Get Certificate" button does nothing apart from displaying "No Information Available". This renders the dialog pretty useless.
I'm not concerned about man in the middle attacks due to the lack of CA signing because the mail server is on an intranet.
Is there any other way to get TB 78 to work with self-signed certificates?
I also suffered from this issue for hours. Finally, I figured out how to solve it.
At first, I tried to download the certificate from Firefox. When I tried to access https://bad-mail-admin.com:465, it told me:
This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection.
Then I googled it and found the solution: https://support.mozilla.org/en-US/questions/1083282
Just go to about:config, right-click anywhere on the page and choose New > String. Create an option named network.security.ports.banned.override, with the value: 465
Then Firefox showed https://bad-mail-admin.com:465 successfully.
Immediately I realized that Firefox and TB use the same browser engine. So I repeated it in the "Config Editor" of TB.
Then I went to the Certificate Manager of TB and entered https://bad-mail-admin.com:465. I pressed "Get Certificate" and finally I could get the certificate and add it to the security exceptions.
The only problem is when the user has multiple email accounts that use different ports: that port override doesn't take multiple ports. I tried comma-, space-, colon- and semicolon-separated lists with no success.

How to configure SSL encryption in SQL Server

I want to enable SSL encryption on SQL Server, but I am facing issues at step 8.
Which certificate do I have to request?
How can I get the certificate?
Ref link: https://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-server/
1. Open the Microsoft Management Console (MMC): click Start, then click Run and in the Run dialog box type: MMC
2. On the File menu, click Add/Remove Snap-in...
3. Select Certificates, click Add.
4. You are prompted to open the snap-in for your user account, the service account, or the computer account. Select the Computer Account.
5. Select Local computer, and then click Finish.
6. Click OK in the Add/Remove Snap-in dialog box.
7. Click to select the Personal folder in the left-hand pane.
8. Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate...
9. Click Next in the Certificate Request Wizard dialog box. Select certificate type 'Computer'.
10. You can enter a friendly name in the text box if you want or leave it blank, then complete the wizard.
11. Now you should see the certificate in the folder with the fully qualified computer domain name.

remote sc OpenSCManager query failed 5 access denied

I'm writing a script that periodically checks that certain services are running on remote workstations. I'm having a devil of a time getting an "sc \\workst1 query" command working from one test machine to another. Both machines are running XP Pro SP3. Neither is part of a domain. Both are in the same workgroup, and the administrator accounts have the same passwords.
I keep getting the "[SC] OpenSCManager FAILED 5: Access is denied" message, from either workstation to the other. I have tried using elevated privileges on both. Windows Firewall is turned off. No messages are showing up in the Security event log. When (as administrator) I try going to "Computer Management" -> "Connect to another computer" and access the remote services, I get "Error 5 Access is denied".
I can set up a filesystem share between the two machines successfully, and "net use \\workst1\IPC$ /user:Administrator" completes successfully, but the sc query still fails. I'm using IP addresses and not hostnames in these commands, but that doesn't help. I don't know what else to try. Thanks for the help.
Try to run the commands as an Administrator:
Start -> (type cmd in the search box), right-click on cmd, Run as administrator -> execute your command
You must have administrative rights on the remote machine.
Moreover you must access the drive before calling "sc".
This can be achieved in command line using
net use \\remotemachine\admin$ <password> /user:<username>
admin$ is a hidden shared drive accessible to administrators that "sc" uses to control services.
I was having the same issue today trying to check whether a service is enabled remotely.
I could solve the issue by modifying the User Account Control remote restrictions in Windows:
To disable UAC remote restrictions, follow these steps:
Click Start, click Run, type regedit, and then press ENTER.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
If the LocalAccountTokenFilterPolicy registry entry does not exist,
follow these steps:
On the Edit menu, point to New, and then click DWORD Value. Type LocalAccountTokenFilterPolicy, and then press ENTER.
Right-click LocalAccountTokenFilterPolicy, and then click Modify. In the Value data box, type 1, and then click OK.
Exit Registry Editor.
More information about this solution is available on this site.
Your user should be remote, from Manage and Local users and groups
The UAC issue is obvious: you have to pull down the lever for the UAC setting.
Also while installing the services you can use the following command
SC create SERVICENAME DisplayName= "DISPLAYNAME" binPath= "PATH OF EXE" start= disabled type= share
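For the monitoring script the original poster describes, the following added example (not from any of the answers above) does the equivalent of "sc \\workst1 query" from PowerShell and, when it fails with access denied, prints the checklist the thread converges on. It assumes Windows PowerShell 5.1 or earlier (Get-Service -ComputerName was removed in PowerShell 7); the host and service names are placeholders.

```powershell
# Added example, not from the original thread: query one service on a remote
# workgroup host (what the poster's "sc \\workst1 query" does) and, on access
# denied, print the checklist the answers above walk through.
# Assumptions: Windows PowerShell 5.1 or earlier; host and service names are placeholders.
param(
    [string]$RemoteHost  = 'workst1',   # placeholder
    [string]$ServiceName = 'Spooler'    # placeholder
)

function Get-RemoteServiceState {
    param([string]$ComputerName, [string]$Name)
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name $Name -ErrorAction Stop
        return [pscustomobject]@{ Host = $ComputerName; Service = $Name; Status = [string]$svc.Status; Error = $null }
    } catch {
        # The SCM error text ("might require other privileges") wraps the Win32 "Access is denied".
        $msg = $_.Exception.Message
        if ($_.Exception.InnerException) { $msg += ' / ' + $_.Exception.InnerException.Message }
        return [pscustomobject]@{ Host = $ComputerName; Service = $Name; Status = 'Unknown'; Error = $msg }
    }
}

$result = Get-RemoteServiceState -ComputerName $RemoteHost -Name $ServiceName
$result | Format-List

if ($result.Error -match 'denied|privileges') {
    $elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    "Local shell elevated: $elevated"
    "Check on ${RemoteHost}: the calling account is a local administrator there,"
    "  an authenticated session exists (net use \\$RemoteHost\admin$ /user:<username>),"
    "  and for non-domain local accounts HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = 1."
    # LocalAccountTokenFilterPolicy=1 gives every local administrator a full token over the
    # network, i.e. anyone holding that account's password can administer the host remotely;
    # set it only on hosts that must be monitored this way and use a dedicated account for it.
}
```

Run it once per host from the monitoring machine; a Status other than Unknown means the remote SCM accepted the connection and the registry change on that host is no longer in question.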

Processing multiple Notifications with PushSharp for ios and android

I have implemented a Windows service that runs every 3 minutes and polls a database for notifications that are ready to be sent. It collects them into a list, determines whether each is an iOS or an Android notification and then calls the PushBroker (the PushSharp solution is included as a compiled solution in my solution project). I then iterate over the items in the list to process them as follows:
static void ProcessIOS(List<Client> IOS)
{
    PushBroker push = new PushBroker();
    push.OnNotificationSent += NotificationSent;
    push.OnChannelException += ChannelException;
    push.OnServiceException += ServiceException;
    push.OnNotificationFailed += NotificationFailed;
    push.OnDeviceSubscriptionExpired += DeviceSubscriptionExpired;
    push.OnDeviceSubscriptionChanged += DeviceSubscriptionChanged;
    push.OnChannelCreated += ChannelCreated;
    push.OnChannelDestroyed += ChannelDestroyed;

    // Read the APNs certificate and register the Apple channel once per broker,
    // rather than on every loop iteration.
    var appleCert = File.ReadAllBytes(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "../../../productionfile.p12"));
    push.RegisterAppleService(new ApplePushChannelSettings(true, appleCert, "password")); // Extension method

    foreach (var entry in IOS)
    {
        string dev = entry.Device_Id.ToString();
        string load = entry.Push_Payload.ToString();
        int count = entry.Unread_Count;
        push.QueueNotification(new AppleNotification()
            .ForDeviceToken(dev)
            .WithAlert(load)
            .WithBadge(count));
    }
}
The messages are sent successfully; however, the issues I am having are:
1. Trying to retrieve the responses when a message was sent successfully or failed, the reason for failure, etc. These are delegates within the PushSharp code, and I want to log the responses to our database. For clarification: I need to know which entry attempt (device ID) the error responses are from. I am unable to tell from the messages generated by the NotificationSent delegates, since the data is not linked to any particular device ID delivery attempt.
2. I also want to be able to keep the PushSharp code as is, without modifications, and call methods from my code to reduce merging issues when any updates are made to the PushSharp code in future.
Any Suggestions?
If anyone can give me any examples on how to use the response events and delegates to retrieve information for each notification send attempt, I would appreciate it.
thank you.
I did not get any replies, but with further research I was able to resolve my issue with the failed successes and was able to successfully send out notifications with no errors. The solution was to regenerate my certificates. Since I am using a Windows server for my push notification server, the following steps will guide you through generating an APNs certificate from a Windows Server.
If you have already generated your certificate from a Mac OS X workstation, you can skip this
section and upload your certificate to the Push Notification Server.
Step 1—Generating a Certificate Signing Request (CSR)
1. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager, and select the server name.
2. Double-click Server Certificates.
Note: The version of IIS server is 7.0 in this document.
3. From the Actions pane on the right, click Create Certificate Request. The Request Certificate wizard appears.
4. In the Distinguished Name Properties window, type the following:
• Common Name—the name associated with your Apple Developer account
• Organization—the legally registered name of your organization/company
• Organizational unit—the name of your department within the organization
• City/locality—the city in which your organization is located
• State/province—the state or province in which your organization is located
• Country/region—the country or region in which your organization is located
5. Click Next. The Cryptographic Service Provider Properties window appears.
6. Select Microsoft RSA SChannel Cryptographic Provider in the Cryptographic service provider field and 2048 in the Bit length field, and then click Next.
7. Select a location where you want to save the certificate request file. Make sure to remember the filename and the location where you save the file.
8. Click Finish. You have now created a CSR and are ready to upload it to your Apple development portal.
Step 2— Uploading the CSR to your Apple development portal and generating the APNs certificate
Step 3— Downloading and Installing your APNs certificate
1. Click Download to save the .cer file to your computer.
2. Copy the .cer certificate file to the same Windows Server computer where you created the certificate request file.
3. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager, select the server name, and then double-click Server Certificates.
4. From the Actions pane on the right, click Complete Certificate Request. The Complete Certificate Request wizard appears.
5. Select the .cer certificate file that you downloaded from the Apple Developer Portal, and type the name of your application (e.g. com.xxxx.xxxxx) in the Friendly name field.
Tip: The friendly name is not a part of the certificate itself, but is used by the server administrator to easily distinguish the certificate.
6. Select OK. The certificate will be installed on the server.
7. Verify that your Apple Production Push Services certificate appears in the Server Certificates list.
A. If you can see the certificate, follow the next steps to export the certificate and upload it to the Push Notification Server.
8. Right-click the certificate in the Server Certificates list, and then click Export.
9. Select the location where you want to save the file, choose a password for exporting, and then click OK. (Export as a .pfx)
Tip: If you only have the option to save as a .cer file rather than a .pfx, then you are not correctly exporting the certificate. Make sure you selected the correct file to export. If you still do not have the option to export as a .pfx, go to step B below.
Note: Make sure to remember the password, or keep it in a secure place. The password will be required when uploading the certificate to the Push Notification Server.
After completing all these steps, you should have the following items:
• APNs certificate (.pfx format, not .cer format)
• The password that you set when exporting the certificate
You are now ready to upload your certificate to the Push Notification Server if you are not on that server already.
B. If you DO NOT see the certificate in the Server Certificates UI as shown above, or do not have the option to export as a .pfx from that UI, follow the next steps to export the certificate and upload it to the Push Notification Server.
8. Go to the Microsoft Management Console.
9. On the Start Menu, click Run, type MMC, and then click OK. Microsoft Management Console opens with an empty console (or administrative tool) as shown in Figure 1 below. The empty console has no management functionality until you add some snap-ins. The MMC menu commands on the menu bar at the top of the Microsoft Management Console window apply to the entire console.
10. Click File -> Open, select Console1.msc and click Open.
11. Right-click the certificate you want to export and select All Tasks -> Export.
12. Click Next in the Certificate Export Wizard.
13. Choose Yes, export the private key.
Warning: DO NOT select Delete private key.
14. Select Personal Information Exchange - PKCS #12 (.PFX) if not already selected by default.
15. Browse to the location where the .cer is residing on your machine.
16. Select the location where you want to save the file, choose a password for exporting, and then click OK. (Export as a .pfx)
17. Go to the exported .pfx file and rename the extension to .p12.
18. Place the file in the root directory where the Push Notification Engine is installed (e.g. C:\ or D:\).

Private key of X.509 Certificate ends up in my user account instead of All Users

I installed a certificate on the server machine for a WCF service. It installed in the Local Computer area of the Certificates Manager. However, when I run the service it says it can't find the Private Key file. When I locate the Private Key, it is in my user account area. For the WCF to run (it is running HTTP), it is my understanding that it has to have the private key in the All Users area for permissions. How can I install the certificate to have the private key in the All Users area instead of my login username area? The makecert command does not seem to have any setting for this.
You should install the certificate to the Service Account or the Machine Account. You can do this by adding a Certificate snap-in to the management console:
Start->Run->MMC
File -> Add/Remove Snap-in
Select Certificates, Click Add.
Select Service Account, and follow the prompts to select the account your service is running as.
You should now be able to import the certificate by right clicking on the tree and selecting All Tasks -> Import.
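The same outcome can be scripted. The following added example (not from the original answer) imports a PFX into the machine-wide Personal store, confirms the private key landed under the machine rather than the importing user, and grants the service identity read access to the key file, which is the step a service running as a different account usually still needs. It assumes Windows Server 2012 or later (PKI module) in an elevated session; the PFX path and service account are placeholders, and the key-file path logic applies to legacy CAPI RSA keys (CNG keys are handled through the certificate console instead).

```powershell
# Added example, not from the original answer: import a PFX into the machine-wide
# Personal store (Cert:\LocalMachine\My) so the private key lands under the machine
# rather than the logged-on user, verify that, and grant the service identity read
# access to the key. Assumptions: Windows Server 2012 or later (PKI module), elevated
# session; the PFX path and service account below are placeholders.
$pfxPath        = 'C:\certs\wcf-service.pfx'   # placeholder
$serviceAccount = 'NT SERVICE\MyWcfService'    # placeholder: the account the WCF host runs as

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw "Imported $($cert.Thumbprint) but the PFX carried no private key"
}

# Legacy CAPI RSA keys expose their container; MachineKeyStore tells us the key file sits
# under ProgramData\Microsoft\Crypto\RSA\MachineKeys (shared by all accounts on the box)
# instead of the importing user's profile.
$csp = $cert.PrivateKey
if ($csp -and $csp.CspKeyContainerInfo.MachineKeyStore) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.CspKeyContainerInfo.UniqueKeyContainerName
    # Read access is all a service needs to use the key; do not grant Full Control.
    icacls $keyFile /grant ($serviceAccount + ':(R)')
    "Thumbprint $($cert.Thumbprint): machine key file $keyFile, read granted to $serviceAccount"
} elseif ($csp) {
    "Thumbprint $($cert.Thumbprint): key is in the user store; re-import into Cert:\LocalMachine\My from an elevated session"
} else {
    # CNG keys return no PrivateKey object here; grant access via certlm.msc > All Tasks > Manage Private Keys.
    "Thumbprint $($cert.Thumbprint): CNG key, grant $serviceAccount read via Manage Private Keys"
}
```

Importing from a non-elevated session is the usual way the key ends up under the user's profile even though the certificate itself shows under Local Computer, which is exactly the symptom in the question.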