Security and Assurance
Security and compliance in datacenters, private cloud and hosting environments.
Allow to set user rights for windows services in services.msc
Please add a "Security" tab for services in services.msc to be able to give specific users/groups the right to start and stop a service.
This would make it easier to have fewer users with admin privileges on the systems.
Currently I have to use Process Explorer to achieve this.
1 vote
Allow (g)MSA accounts to be used with task scheduler gui
Currently you have to use PowerShell to set a (g)MSA account in task scheduler. This is not very user friendly. After every change in the GUI you have to enter valid credentials - but you can't specify a (g)MSA. So you have to enter a dummy account and change it to the (g)MSA later with Powershell :/
1 vote
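The PowerShell route the post refers to, as an added example (not code from the post or from Microsoft): create a gMSA limited to AES Kerberos encryption types, install it on the task host, and register a scheduled task whose principal is the gMSA itself rather than a placeholder account. The domain, account, group, task and script names are placeholders.

```powershell
# Added example, not part of the original post. Names are placeholders:
# CONTOSO, svc-backup, BackupHosts, Nightly-Backup and C:\Scripts\Backup.ps1 are assumptions.
#Requires -Modules ActiveDirectory, ScheduledTasks

$domain    = 'CONTOSO'
$gmsaName  = 'svc-backup'        # gMSA sAMAccountName without the trailing $
$hostGroup = 'BackupHosts'       # AD group whose members may retrieve the managed password

# 1. Create the gMSA once (needs the KDS root key in the forest).
#    Restricting KerberosEncryptionTypes to AES keeps the account working on
#    domains where RC4 has been disabled.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.contoso.local" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionTypes AES128,AES256

# 2. On the task host (a member of $hostGroup, rebooted after the group change):
#    install the account locally and prove it can be used before touching Task Scheduler.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "gMSA $gmsaName is not usable on $env:COMPUTERNAME"
}

# 3. Register the task. LogonType Password with no supplied credential is what makes
#    Task Scheduler fetch the managed password itself; no dummy account is needed.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId "$domain\$gmsaName`$" `
                -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'Nightly-Backup' -Action $action -Trigger $trigger -Principal $principal

# 4. Verify the stored principal is the gMSA (the GUI would show this, but cannot set it).
(Get-ScheduledTask -TaskName 'Nightly-Backup').Principal | Select-Object UserId, LogonType
```

Editing the task later in the GUI re-prompts for credentials, so subsequent changes should also be made with Set-ScheduledTask and the same principal object.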
Actually I really don't even know what you're talking about I just want to be heard everywhere I go About a business poo poo'ed
My idea is this, Take all of your employees and retrain every one of them. Starting with "CUSTOMERS" The customer is always right. Once they get that down. Then stop there and have everyone drive to a mall close by, and just stop. Find some people and engage first with "WAIT A MINUTE" listen. Whatever you were thinking to do or thinking whatever just wait. You shouldn't be bummed. Don't let it get you BUTT HURT. At least we're on the right track. Once you start engaging with real people you'll find that their…
1 vote
PCI BUS
I DONT KNOW ABOUT YOU,
BUT WHEN I PURCHASED MY INSIGNIA FLEX,AND PAID FOR 1 YEAR OF INSURANCE ON TOP OF MY WARRANTY.
DID I KNOW SOMEONE WAS GOING TO INTERNALLY TAKE IT OVER, LOCK ME OUT OF MY OWN ADMIN ACCOUNT AND TO THIS DAY, HAVE NO ACCESS ON MY OWN COMPUTER.
MY COMP WON'T UPDATE AND I SPEND ALL OF MY TIME DOING THIS, FINDING SOLUTIONS AND ******** FOR TWO YEARS NOW... I WILL BE MORE THAN HAPPY TO SELL IT TO WHOEVER REMOTELY CONTROLS IT.. I DIDN'T GIVE THEM ANY PERMISSION.. THEY HAVE TAKEN OVER MY INTERNET ALSO AND USE ME AS…
2 votes
HGS (host guardian service) as Azure service
For PAW or other guarded host scenario, to leverage Azure HGS for device health attestation
30 votes
Privileged access workstation managed by Azure
Azure PAW service, so the customer PAW devices can be managed by Microsoft, and customer can run multiple workloads on the secure device.
53 votes
Memory corruption issue on certificates MMC snap-in (German language)
Reproducible on Windows Server 2016 and Server 2019 (and many other versions with German language):
- Open mmc.exe and add the Certificates snap-in twice (user and computer)
- Open the "Personal Certificates" -> "Certificates" folder
- Then click on "All Tasks" -> "Import..." -> Next -> Browse
- Open the file type combo box
Some random characters appear.
1 vote
Publish somewhere, an explanation about new SIDs added in service security descriptors of Windows Server 2019
For example, in Windows Server 2016 1607, the SD SDDL for w32time service (sc sdshow w32time) is:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)
Now, in Windows Server 2019 1809, the SD SDDL for w32time service is:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833)
What is the identity for this unsolvable SID?
S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833
1 vote
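A way to investigate an ACE like the one above, as an added example (not from the post): decode the SDDL into individual ACEs, attempt to translate each SID, and, for any S-1-5-80 SID that does not translate, recompute the service SID for every installed service and look for a match. A service SID is S-1-5-80 followed by the SHA-1 of the upper-cased service name in UTF-16LE, read as five little-endian 32-bit values, which is the same derivation `sc.exe showsid` performs. Whether any service on a given host matches the SID quoted in the post is not something this page establishes; the script only reports what it finds.

```powershell
# Added example, not part of the original post. The SDDL string is the Server 2019
# descriptor quoted in the post; everything else is generic.
$sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833)'

# Service SID derivation: S-1-5-80-<five UInt32 from SHA-1(UTF-16LE(UPPER(name)))>.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = $sha1.ComputeHash($bytes)
    # BitConverter is little-endian on Windows, matching how the subauthorities are stored.
    $subs  = for ($i = 0; $i -lt 20; $i += 4) { [BitConverter]::ToUInt32($hash, $i) }
    return 'S-1-5-80-' + ($subs -join '-')
}

# Decode the descriptor; each (A;;...) entry becomes a CommonAce with SID and access mask.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($ace in $sd.DiscretionaryAcl) {
    $sid  = $ace.SecurityIdentifier
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
    '{0,-62} {1,-28} 0x{2:X8}' -f $sid.Value, $name, $ace.AccessMask
}

# For every S-1-5-80 SID, check whether any installed service's computed SID matches it.
$serviceSids = $sd.DiscretionaryAcl |
    ForEach-Object { $_.SecurityIdentifier.Value } |
    Where-Object { $_ -like 'S-1-5-80-*' }

$lookup = @{}
foreach ($svc in Get-Service) { $lookup[(Get-ServiceSid -ServiceName $svc.Name)] = $svc.Name }

foreach ($s in $serviceSids) {
    if ($lookup.ContainsKey($s)) { "$s -> NT SERVICE\$($lookup[$s])" }
    else { "$s -> no installed service on $env:COMPUTERNAME derives to this SID" }
}
```

Because the derivation is one-way, the only way to name an unknown service SID is to recompute candidates; running the lookup on a host of the OS version where the ACE appeared gives the most complete candidate list.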
Initialize-HgsServer fails when Kerberos RC4 is disabled
If you modify the security setting "Network security: Configure encryption types allowed for Kerberos" to only allow AES and not RC4, you get this error when initializing the Host Guardian Service:
New-HgsGmsa : Active Directory operation failed with the following error:
Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the
target.'.
This happens with gMSA accounts and is described in this blog post:
https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/
The New-ADServiceAccount command within HgsServer.psm1 should be modified to pass the KerberosEncryptionTypes parameter.
3 votes
Defender AV should be in passive mode when enrolled with ATP with 3rd party AV
Windows Defender AV should act the same on Server 2016 as it does on Windows 10. if the Server is enrolled to Defender ATP and third party AV is installed it should go into passive mode to ensure that it can still apply reactive protection to the Server OS as required by Defender ATP.
Also, then you will be able to troubleshoot Windows Update by using the Get-WindowsUpdateLog command!
4 votes
ADFS Management Console missing from RSAT
As Windows Server 2016 Core no longer supports Minimal UI, I set up a management server for remote management. I installed all the management tools, but now there is no MMC for ADFS.
62 votes
Definition Updates for Defender should not use Windows Update
Defender could easily get new definitions with another mechanism than Windows Update - like every other AV tool.
It is a pain to get announcements of new updates all the time just because Defender needs new definitions.
Please do not tell me to use wsus or sccm. I have no need for either of them.
8 votes
RDCMan doesn't expose an option for Restricted Admin
This might not be the most optimal place for this request, but it somewhat fits and I can't seem to find anywhere more suitable, plus RDCMan is an official Microsoft tool...
Remote Desktop Connection Manager (RDCMan) doesn't currently seem to expose the RDP Restricted Admin option.
This feature is great for secure remote server administration when you can't use PowerShell remoting - many such cases still exist!
It's probably not a huge task either, the GUI just needs a checkbox for the feature which is already implemented elsewhere.
8 votes
Verification while holding the fingerprint reader, combined with an IR Face-ID cam
Hi
I'm not sure if I'm in the right place and I'm just a normal user.
I have to change my passwords every few weeks and must change them on every device. I have to type it every time while I'm working at different levels on another computer. The passwords become longer and longer and more and more complex. The topic "passwords in a company" or even on a private system needs a lot of time over a year. I have a long password with all kinds of extras in it and I'm not that bad on a keyboard but I'm sure…
2 votes
Allow Windows Server 2016 to support disabling SMBv1 _and_ Server SPN target name validation
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d520f2d4-4847-403d-bab6-1b33251a761c/issue-disabling-smbv1-and-windows-server-2016?forum=winserversecurity
On Server 2016, disabling (removing) SMBv1 and having "Microsoft network server: Server SPN target name validation level = Required from client (2)" are currently not "working together", yet it works on the other Windows operating systems just fine.
To recreate this:
1) Test with a domain-joined Windows Server 2016 box
2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
4) Reboot the Windows Server 2016
Domain Admins are now unable to connect to the \\Server2016\C$ default share…
8 votes
Checking into this, thanks for mentioning.
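An audit script for the combination described in the post, as an added example (not from the post or the linked thread): it reads the SMB1 feature state, the SMB server's SMB1 protocol flag and the SPN target name validation level (stored as SmbServerNameHardeningLevel under the LanmanServer Parameters key), then, from a client, tests the administrative share and reports the exact error rather than a bare failure. The server name is a placeholder.

```powershell
# Added example, not part of the original post. 'SERVER2016' is a placeholder host name.
function Get-SmbHardeningState {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Registry backing of "Microsoft network server: Server SPN target name validation level".
    # 0 = Off, 1 = Accept if provided by client, 2 = Required from client. Missing value = 0.
    $level = (Get-ItemProperty -Path $params -Name SmbServerNameHardeningLevel `
                -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Smb1FeatureInstalled = (Get-WindowsFeature -Name FS-SMB1).Installed
        Smb1ProtocolEnabled  = (Get-SmbServerConfiguration).EnableSMB1Protocol
        SpnValidationLevel   = if ($null -eq $level) { 0 } else { [int]$level }
    }
}

# Run on the server being hardened.
$state = Get-SmbHardeningState
$state

if (-not $state.Smb1FeatureInstalled -and $state.SpnValidationLevel -eq 2) {
    Write-Warning 'SMBv1 removed and SPN validation set to Required: verify admin-share access from a domain-joined client before rolling this out.'
}

# Run from a domain-joined client: report the precise failure for the C$ share.
function Test-AdminShare {
    param([Parameter(Mandatory)][string]$Server)
    try {
        $null = Get-ChildItem -Path "\\$Server\C$" -ErrorAction Stop | Select-Object -First 1
        [pscustomobject]@{ Server = $Server; AdminShare = 'OK';     Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; AdminShare = 'FAILED'; Error = $_.Exception.Message }
    }
}
Test-AdminShare -Server 'SERVER2016'
```

Capturing the error text (and the corresponding SMB server event log entries) is what makes a report to the vendor actionable; a change in SpnValidationLevel from 2 back to 1 confirms whether the hardening setting is the component involved.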
import-pfxcertificate needs to support legacy private key storage format
When using Import-PFXCertificate to import PFXs that contain a private key the private key appears to be stored using CNG "Microsoft Software Key Storage Provider" instead of the legacy format "Microsoft Enhanced Cryptographic Provider v1.0"
Most Microsoft products can't read this format.
The PS-Drive Provider "Certificate" can't even read keys in this format.
It would be helpful to update the cmdlet to support CNG; however, as pointed out in this article: https://www.sysadmins.lv/blog-en/retrieve-cng-key-container-name-and-unique-name.aspx - almost no .NET apps use CNG because it has only been accessible via native APIs.
Without being able to force the key storage format to the older…
6 votes
Enhance the password complexity requirements
Give the possibility for admins to increase the numbers of character set combinations. Currently it is 3, but we would like to make it 4 and we can't. We are "forced" to invest in an external party creating custom password filters - from what I am reading in TechNet forums.
10 votes
Disable Insecure Cipher Suites and Protocols BY DEFAULT
SCHANNEL in Windows Server 2016 TP5 still has RC4 ciphers and even SSLv3 enabled by default, which is a complete joke from a security standpoint. If Microsoft doesn't want their server to be insecure by default, disable those like every other major vendor has done.
14 votes
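Until defaults change, the state has to be checked per host. The following is an added example (not from the post): it lists RC4 cipher suites that SCHANNEL still offers and whether the older protocol versions are explicitly disabled server-side under the SCHANNEL Protocols registry key, with the remediation commands left commented for review.

```powershell
# Added example, not part of the original post.
function Get-SchannelWeakConfig {
    # RC4 suites currently enabled for this host (TLS module, Server 2016 and later).
    $rc4 = Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4' } |
           Select-Object -ExpandProperty Name

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        $key     = Join-Path -Path $base -ChildPath "$p\Server"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        # A missing key or value means the OS default applies rather than an explicit choice.
        $stateText = if ($null -eq $enabled) { 'OS default (not explicitly disabled)' }
                     elseif ($enabled -eq 0) { 'disabled' }
                     else                    { 'enabled' }
        [pscustomobject]@{ Protocol = $p; ServerState = $stateText }
    }

    [pscustomobject]@{ Rc4CipherSuites = $rc4; Protocols = $protocols }
}

$report = Get-SchannelWeakConfig
$report.Protocols | Format-Table -AutoSize
$report.Rc4CipherSuites

# Remediation, once no client still depends on RC4 (cipher-suite changes take effect without reboot):
# foreach ($cs in $report.Rc4CipherSuites) { Disable-TlsCipherSuite -Name $cs }
#
# SSL 3.0 is disabled server-side by setting Enabled=0 under its Server key (reboot required):
# $ssl3 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
# New-Item -Path $ssl3 -Force | Out-Null
# Set-ItemProperty -Path $ssl3 -Name Enabled -Value 0 -Type DWord
```

Keep the audit and the remediation separate: running the report on a fleet first shows which hosts still negotiate RC4 with real clients, which is the evidence needed before disabling anything.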
Remove Windows Defender from default install
1) Windows Defender causes the installation of a lab setup to be 4x slower: https://github.com/Microsoft/ws2016lab/wiki
2) Please don't even get me started on how wrong you are doing if you need to put an antivirus solution IN A SERVER. (WTF Microsoft?!)
3) Obligatory xkcd reference: https://xkcd.com/463/
6 votes
Provide easy to use PowerShell cmdlets for managing File and folder permissions (ACLs)
PowerShell Get-Acl and Set-Acl (to set permissions on folders/files) currently in Windows Server are extremely hard to use and do not offer nearly the same level of functionality in older commands like ICACLS.EXE. It would be great if you could manage ACLs for folders and files using an easier to use set of PowerShell cmdlets, like we can do with SMB shares. Something like Get-ItemAccess, Grant-ItemAccess, Revoke-ItemAccess, Deny-ItemAccess and Remove-ItemAccess would be great!
54 votes
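The cmdlets the post asks for can be approximated today as thin wrappers over Get-Acl and Set-Acl. The following is an added example, not part of the post and not shipped by Windows; the Grant-, Revoke- and Get-ItemAccess names simply mirror the post's suggestion, and the demo folder under $env:TEMP is constructed for the run.

```powershell
# Added example, not part of the original post. Function names follow the post's suggestion.
function Grant-ItemAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,   # e.g. 'CONTOSO\FileAdmins' (placeholder)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [switch]$Deny                              # -Deny adds a Deny ACE instead of Allow
    )
    $type = if ($Deny) { 'Deny' } else { 'Allow' }
    # Folders get inheritable ACEs so new children pick them up; files get a plain ACE.
    $inherit = if (Test-Path -Path $Path -PathType Container) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $inherit, 'None', $type)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Revoke-ItemAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $acl     = Get-Acl -Path $Path
    $account = [System.Security.Principal.NTAccount]$Identity
    # Removes only explicit ACEs for this identity; inherited ones must be changed at the parent.
    $acl.PurgeAccessRules($account)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ItemAccess {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage on a constructed test folder.
$dir = Join-Path -Path $env:TEMP -ChildPath 'acl-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Grant-ItemAccess  -Path $dir -Identity 'BUILTIN\Users'  -Rights ReadAndExecute
Grant-ItemAccess  -Path $dir -Identity 'BUILTIN\Guests' -Rights Write -Deny
Get-ItemAccess    -Path $dir | Format-Table -AutoSize
Revoke-ItemAccess -Path $dir -Identity 'BUILTIN\Guests'
```

Set-Acl writes the whole descriptor back, so these wrappers read and modify the existing ACL rather than building one from scratch; that preserves the owner and any inherited entries, which is the behaviour an administrator expects from ICACLS-style commands.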