Security and Assurance

Security and compliance in datacenters, private cloud and hosting environments.

  1. PCI BUS

    I DONT KNOW ABOUT YOU,
    BUT WHEN I PURCHASED MY INSIGNIA FLEX,AND PAID FOR 1 YEAR OF INSURANCE ON TOP OF MY WARRANTY.
    DID I KNOW SOMEONE WAS GOING TO INTERNALLY TAKE IT OVER,LOCK ME OUT OF MY OWN ADMIN ACCOUNT AND TO THIS DAY,HAVE NO ACCESS ON MY OWN COMPUTER.
    MY COMP WONT UPDATE AND I SPEND ALL OF MY TIME DOING THIS,FINDING SOLUTIONS AND ******** FOR TWO YEARS NOW...I WILL BE MORE THAN HAPPY TO SELL IT TO WHOM EVER REMOTELY CONTROLS IT..I DIDNT GIVE THEM ANY PERMISSION..THEY HAVE TAKEN OVER MY INTERNET ALSO AND USE ME AS…

    1 vote
    0 comments  ·  Dynamic Access Control (DAC)
  2. HGS (host guardian service) as Azure service

    For PAW or other guarded host scenario, to leverage Azure HGS for device health attestation

    17 votes
    0 comments
  3. Memory corruption issue on certificates mmc snap-in (german language)

    Reproducible on Windows Server 2016 and Server 2019 (and many other versions with German language)

    -open mmc.exe and import the certificates snap in two times (user and computer)
    -open the "Personal Certificates"->"Certificates" Folder
    -Then click on "All Tasks" -> "Import..." -> Next -> Browse
    -Open the file type ComboBox

    Some random characters appear.

    https://social.technet.microsoft.com/Forums/office/en-US/f0736be4-7ff1-496a-9275-d5a8faf25b1d/memory-corruption-issue-on-certificates-mmc-snapin?forum=win10itprogeneral

    1 vote
    0 comments  ·  Certificates and CA
  4. Privileged access workstation managed by Azure

    Azure PAW service, so the customer PAW devices can be managed by Microsoft, and customer can run multiple workloads on the secure device.

    32 votes
    2 comments  ·  Misc
  5. Publish somewhere, an explanation about new SIDs added in service security descriptors of Windows Server 2019

    For example, in Windows Server 2016 1607, the SD SDDL for w32time service (sc sdshow w32time) is:
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)

    Now, in Windows Server 2019 1809, the SD SDDL for w32time service is:
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833)

    What is the identity for this unsolvable SID?
    S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833

    0 votes
    1 comment  ·  Misc
  6. Initialize-HgsServer fails when Kerberos RC4 is disabled

    If you modify the security setting "Network security: Configure encryption types allowed for Kerberos" to only allow AES and not RC4, you get this error when initializing the Host Guardian Service

    New-HgsGmsa : Active Directory operation failed with the following error:
    Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the
    target.'.

    This happens with gMSA accounts and is described in this blog post
    https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/

    The New-ADServiceAccount command within HgsServer.psm1 should be modified to pass the KerberosEncryptionTypes parameter.

    2 votes
    0 comments
  7. ADFS Management Console missing from RSAT

    As Windows Server 2016 Core no longer supports Minimal UI, I set up a management server for remote management. Installed all the management tools, but there is no MMC for ADFS.

    44 votes
    6 comments  ·  Management tools
  8. RDCMan doesn't expose an option for Restricted Admin

    This might not be the most optimal place for this request, but it somewhat fits and I can't seem to find anywhere more suitable, plus RDCMan is an official Microsoft tool...

    Remote Desktop Connection Manager (RDCMan) doesn't currently seem to expose the RDP Restricted Admin option.

    This feature is great for secure remote server administration when you can't use PowerShell remoting - many such cases still exist!

    It's probably not a huge task either, the GUI just needs a checkbox for the feature which is already implemented elsewhere.

    8 votes
    2 comments  ·  Authentication
  9. Verification while holding the fingerprint reader, combined with an IR-Face-ID-Cam

    Hi

    I'm not sure if I'm in the right place and I'm just a normal user.

    I've to change my passwords every few weeks and must change it in every device. I’ve to write it every time while I’m working on different levels on another computer. The passwords become longer and longer and more and more complex. The topic "passwords in a company" or even on a private System needs a lot of time over a year. I have a long password with all kinds of Extras in it and I'm not that bad on a keyboard but I'm sure…

    2 votes
    0 comments  ·  Biometric
  10. Allow Windows Server 2016 to support disabling SMBv1 _and_ Server SPN target name validation

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d520f2d4-4847-403d-bab6-1b33251a761c/issue-disabling-smbv1-and-windows-server-2016?forum=winserversecurity
    On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

    To recreate this:
    1) Test with a Domain-joined Windows Server 2016 box
    2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
    3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
    4) Reboot the Windows Server 2016

    Domain Admins are now unable to connect to the \\Server2016\C$ default share…

    8 votes
    3 comments  ·  Authentication
  11. import-pfxcertificate needs to support legacy private key storage format

    When using Import-PFXCertificate to import PFXs that contain a private key the private key appears to be stored using CNG "Microsoft Software Key Storage Provider" instead of the legacy format "Microsoft Enhanced Cryptographic Provider v1.0"

    Most Microsoft products can't read this format.

    The PS-Drive Provider "Certificate" can't even read keys in this format.

    It would be helpful to update the CMDLet to support CNG, however, as pointed out in this article: https://www.sysadmins.lv/blog-en/retrieve-cng-key-container-name-and-unique-name.aspx - almost no .NET apps use CNG because it has only been accessible via native APIs.

    Without being able to force the key storage format to the older…

    5 votes
    0 comments  ·  Certificates and CA
  12. Enhance the password complexity requirements

    Give the possibility for admins to increase the numbers of character set combinations. Currently it is 3, but we would like to make it 4 and we can't. We are "forced" to invest in an external party creating custom password filters - from what I am reading in TechNet forums.

    9 votes
    1 comment  ·  Authentication
  13. Disable Insecure Cipher Suites and Protocols BY DEFAULT

    SCHannel in Windows Server 2016 TP5 still has RC4 Ciphers and even SSLv3 enabled by default. Which is a complete joke from a security standpoint. If Microsoft doesn't want their server to be insecure by default, disable those like every other major vendor has done.

    13 votes
    1 comment  ·  SSL/TLS/Schannel
  14. Provide easy to use PowerShell cmdlets for managing File and folder permissions (ACLs)

    PowerShell Get-Acl and Set-Acl (to set permissions on folders/files) currently in Windows Server are extremely hard to use and do not offer nearly the same level of functionality in older commands like ICACLS.EXE. It would be great if you could manage ACLs for folders and files using an easier to use set of PowerShell cmdlets, like we can do with SMB shares. Something like Get-ItemAccess, Grant-ItemAccess, Revoke-ItemAccess, Deny-ItemAccess and Remove-ItemAccess would be great!

    51 votes
    0 comments  ·  Management tools
  15. (Microsoft suggested idea) Help me understand who has access to what resources - Servers, Files, Databases...

    In order to better control access and provide insight to my management and my auditors - I'd like to be able to monitor who has access to what resources

    33 votes
    1 comment  ·  Auditing
  16. Install-AdcsEnrollmentPolicyWebService Ignores -WhatIf Parameter

    The following PowerShell command should NOT configure the Enrollment Policy Web Service, because it has the -WhatIf parameter:
    Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -Force -SSLCertThumbprint 'f0262dcf287f3e250d1760508c4ca87946006e1e' -KeyBasedRenewal:$false -WhatIf

    However, it does configure it. The same goes for Uninstall-AdcsEnrollmentPolicyWebService

    This is bad practice for PowerShell cmdlets. It is also preventing us creating a DSC resource to configure this feature.

    5 votes
    2 comments  ·  Certificates and CA
  17. MICROSOFT AC BUS

    SIR BILL GATES IS OUR IDEAL PERSON.HE IS CREATED SO MANY EASY WAY FOR OUR LIFESTYLE.OTHERWISE IF HE WILL BE CREATING A DECENT MICROSOFT AC BUS FOR ALL CLASSES PEOPLE.ITS WILL BE A BEST IMPACT FOR OUR LIFE STYLE.& WE NEED TO A LOT OF THAT BUS IN INDIA.

    1 vote
    0 comments  ·  Authorization
  18. SUPERIOR MICROSOFT AROPLANE

    WE ARE INDIAN&WE LOVES OUR WORLD SO MUCH.NOW,THE WORLD IS SO MUCH FAST & CLEAN.IN THIS TIME,MICROSOFT IS A GREAT WAY FOR OUR LIFESTYLE.MICROSOFT WILL BE CREATING&MAKING A LOT OF DECENT AIRPLANE FOR OUR EASIER LIFESTYLE.ITS WILL BE A BEST IMPACT FOR OUR WHOLE WORLD.THAT AIRPLANE WILL BE USING FOR PASSENGERS,CONTAIN PRODUCTS,SUPPLYING(WATER,FOOD,CLOTHES,MEDICINE,ETC)&PATIENT FOR EMERGENCY.I MEAN ITS A VARIOUS WAYS LIKE STEP 1=PASSENGER AIRPLANE,STEP 2=WATER AIRPLANE,STEP 3=PATIENT AIRPLANE,STEP 4=SUPPLYING ALL LEGAL (PRODUCTS,FOOD,MEDICINE).

    1 vote
    0 comments  ·  Authorization
  19. HELPING HANDS FOR POOR CHILD&PEOPLES

    NOW AT THIS TIME OUR WORLDS MANY FAMILY FACES FLOODS.THEY ARE SOMEONE RICHES BUT MANY OF THE FAMILY SO MUCH POOR.PLEASE REQUEST YOU ALL RICHEST PERSON PLEASE HELP THEM WITHIN FOOD,MEDICINE,CLOTHES,HOUSE PLEASE PLEASE PLEASE

    1 vote
    0 comments  ·  Auditing
  20. Defender AV should be in passive mode when enrolled with ATP with 3rd party AV

    Windows Defender AV should act the same on Server 2016 as it does on Windows 10. If the Server is enrolled to Defender ATP and third party AV is installed, it should go into passive mode to ensure that it can still apply reactive protection to the Server OS as required by Defender ATP.

    Also, then you will be able to troubleshoot Windows Update by using the get-windowsupdatelog command!

    3 votes
    0 comments