PowerShell script for migrating CSP -> KSP / SHA1 -> SHA2

A very nice script for migrating from "Microsoft Storage Key Service Provider" to "Microsoft Storage Key Service Provider":

Quick Script Share: Upgrade Windows Certificate Authority from CSP to KSP and from SHA-1 to SHA-256

Comments and further details:

https://blogs.technet.microsoft.com/heyscriptingguy/2016/02/15/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-1/

ADAL and ADFS authorization rules

Office modern authentication (ADAL) in an O365 tenant (OAuth2ClientProfileEnabled: True) breaks the ADFS authorization rule "Block all external access to Office 365 except Browser-based apps".

http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx

Block all external access to Office 365 except Browser-based apps Implement conditional policies in Office 365/Azure AD to block “Rich Client” traffic (allow on ADFS). This scenario is not yet supported for public preview and we recommend organizations that rely on this scenario to not onboard their tenants for modern authentication.

If scenario # 3 applies to you, and you enable modern authentication on your tenant, rich clients (Outlook and other Office apps) will be able to bypass your client access filtering policies and in ADFS access resources like Exchange Online and SharePoint online.


Enabling ADAL: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL – REG_DWORD – 1

Disabling ADAL: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL – REG_DWORD – 0

Split-brain and geo-location for DNS in WS2016

I have to note this down. The current workaround ("PinPoint" DNS zones) will finally be replaced by the ability to create multiple versions of a DNS zone.

Split-Brain DNS Deployment Using Windows DNS Server Policies

http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx

Geo-Location Based Traffic Management Using DNS Policies

http://blogs.technet.com/b/networking/archive/2015/05/11/geo-location-based-traffic-management-using-dns-policies.aspx
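An added example of the split-brain setup from the first linked post, not code from the Microsoft posts themselves: one zone, a second zone scope for internal clients, and a query resolution policy that selects the scope by source subnet. The zone name, subnet and addresses are constructed; the geo-location post uses the same cmdlets with one client subnet and one zone scope per region.

```powershell
# Added example: split-brain DNS with WS2016 DNS server policies.
# Assumes the DnsServer module on a WS2016 DNS server that already hosts the zone.
Import-Module DnsServer

$zone = 'corp.example.com'   # constructed zone name

# 1. Describe which clients count as "internal" (constructed subnet).
Add-DnsServerClientSubnet -Name 'InternalSubnet' -IPv4Subnet '10.0.0.0/8'

# 2. Create a second copy (scope) of the zone that internal clients will see.
#    The default scope keeps the public records; nothing in it changes.
Add-DnsServerZoneScope -ZoneName $zone -Name 'InternalScope'

# 3. Records: public answer in the default scope, private answer in the new scope.
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'www' -IPv4Address '10.1.2.3' `
    -ZoneScope 'InternalScope'

# 4. Policy: queries from InternalSubnet are answered from InternalScope (weight 1).
#    Everyone else falls through to the default scope, so no "external" rule is needed
#    and an internal address is never leaked to a public resolver.
Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainPolicy' -Action ALLOW `
    -ClientSubnet 'eq,InternalSubnet' -ZoneScope 'InternalScope,1' -ZoneName $zone

# Verification: the policy must show Enabled=True, and www.$zone must resolve to
# 10.1.2.3 from an internal client and to 203.0.113.10 from anywhere else.
Get-DnsServerQueryResolutionPolicy -ZoneName $zone | Format-Table Name, Enabled, Action, Level
Resolve-DnsName -Name "www.$zone" -Server localhost -Type A
```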

Perfect Forward Secrecy and TLS for Windows Server

Lately everyone is running security audits and panicking about the bad grades they get from https://www.ssllabs.com.

A great PowerShell script for easily getting better grades is available at

https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

Those who prefer clicking can of course use the equally great IIS Crypto from https://www.nartac.com/Products/IISCrypto/
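An added example, not the hass.de script or IIS Crypto: an audit of the server-side Schannel protocol settings that SSL Labs grades, followed by the hardened values for one protocol. The registry paths are the ones Schannel really reads; the function names are this example's own.

```powershell
# Added example: audit and harden Schannel server-side protocol settings.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocolState {
    # A missing key means "OS default", which on older Windows Server still has SSL 3.0 / TLS 1.0 on.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $item = Get-ItemProperty -Path (Join-Path $base "$p\Server") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -ne $item.Enabled) { $item.Enabled } else { 'default' }
            DisabledByDefault = if ($null -ne $item.DisabledByDefault) { $item.DisabledByDefault } else { 'default' }
        }
    }
}

function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enable)
    $key = Join-Path $base "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Both values matter: Enabled=0 turns the protocol off, DisabledByDefault=1 stops it being
    # offered unless a caller asks for it. The weak state SSL Labs penalises is Enabled=1,
    # DisabledByDefault=0 for SSL 3.0 / TLS 1.0.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
}

Get-SchannelServerProtocolState | Format-Table -AutoSize   # before
Set-SchannelServerProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelServerProtocol -Protocol 'TLS 1.2' -Enable $true
Get-SchannelServerProtocolState | Format-Table -AutoSize   # after
# Schannel reads these values at boot; reboot before re-testing on SSL Labs.
```

The forward-secrecy part of the grade is the cipher suite order (ECDHE suites first), which lives under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 in the Functions value; the linked script sets that as well.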

Certificates for Domain Controllers

An excellent article describing the various certificate template options for domain controllers.

https://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment

Domain Controller related certificate templates

Domain controllers can use the following certificate templates; which one a DC actually prefers depends on the DC's operating system version and on the CA's OS version:

| Name | Description | Key usage | Subject type | Application policies or enhanced key usage | Template version |
|---|---|---|---|---|---|
| Domain Controller | Used by domain controllers as all-purpose certificates; superseded by two separate templates: Domain Controller Authentication and Directory E-mail Replication | Signature and encryption | DirEmailRep | Client authentication, Server authentication | 4.1 |
| Domain Controller Authentication | Used to authenticate Active Directory computers and users | Signature and encryption | Computer | Client authentication, Server authentication, Smart card logon | 110.0 |
| Directory E-mail Replication | Used to replicate e-mail within AD DS | Signature and encryption | DirEmailRep | Directory service e-mail replication | 115.0 |
| Kerberos Authentication | New in Windows Server 2008; similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers | Signature and encryption | Computer | Client authentication, Server authentication, Smart card logon, KDC authentication | 110.0 |

| Domain controller OS | Windows 2000 Server-based CA (version 1 only) | Windows Server 2003-based CA | Windows Server 2008-based CA |
|---|---|---|---|
| Windows 2000 Server (enroll for version 1 templates only) | Domain Controller | Domain Controller | Domain Controller |
| Windows Server 2003 | Domain Controller | Domain Controller, or Domain Controller Authentication + Directory E-mail Replication | Kerberos Authentication or Domain Controller Authentication, + Directory E-mail Replication |
| Windows Server 2008 | Domain Controller | Domain Controller, or Domain Controller Authentication + Directory E-mail Replication | Kerberos Authentication + Directory E-mail Replication |
| Windows Server 2012 | Domain Controller | Domain Controller, or Domain Controller Authentication + Directory E-mail Replication | Kerberos Authentication + Directory E-mail Replication |

| Template name | Windows 2000 Server | Windows Server 2003 | Windows Server 2008/2012 |
|---|---|---|---|
| Directory E-mail Replication | | X | |
| Domain Controller | X | X | X |
| Domain Controller Authentication | | X | |
| Kerberos Authentication | | | X |
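An added check, not from the linked article: run on a domain controller, it reports which of the templates in the tables above each machine certificate came from and which EKUs it carries, so you can see whether a DC is still on the old all-purpose Domain Controller certificate or already has a Kerberos Authentication one. The function name and the EKU-to-name map are this example's own; the OIDs are the standard ones.

```powershell
# Added example: which DC-related template issued each certificate in the machine store?
$ekuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart card logon'
    '1.3.6.1.5.2.3.5'        = 'KDC authentication'
    '1.3.6.1.4.1.311.21.19'  = 'Directory service e-mail replication'
}

function Get-DcCertificateTemplateReport {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # v1 templates (Domain Controller) carry the template name in 1.3.6.1.4.1.311.20.2;
        # v2/v3 templates (Domain Controller Authentication, Directory E-mail Replication,
        # Kerberos Authentication) carry template OID + version in 1.3.6.1.4.1.311.21.7.
        $tmpl = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
            ForEach-Object { $_.Format($false) }
        # 2.5.29.37 is the Enhanced Key Usage extension; .NET exposes its OID collection.
        $ekus = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { if ($ekuNames.ContainsKey($_.Value)) { $ekuNames[$_.Value] } else { $_.Value } }
        [pscustomobject]@{
            Subject              = $cert.Subject
            NotAfter             = $cert.NotAfter
            Template             = ($tmpl -join '; ')
            EKU                  = ($ekus -join ', ')
            # Per the table above, only the Kerberos Authentication template adds KDC authentication.
            KerberosAuthTemplate = [bool]($ekus -contains 'KDC authentication')
        }
    }
}

Get-DcCertificateTemplateReport | Format-List
```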
