TechShizz | All posts tagged 'Security'

List of common ports

This is not a full list of ports, just a list of common ports to scan when looking to see what ports may be open to avoid having to scann every single port. 

80,8080,443,143,194,513,3306,42,137,139,12345,2049,1521,109,110,1723,9870,25,3128,22,517,23,37,6000

How to stop normal domain users from adding computers to the domain

By default, standard domain users can add computers to the domain. This is a major security threat to any company.

To disable this go to ASDI Edit.

Default Naming Context > “DC=domain,DC=com” > Properties > Attribute Editor:

You need to modify this property to the value of 0.

ms-DS-MachineAccountQuota

Embedded files in PDFs wont open

If you have a PDF file with a .docx .xlsx or any other file format embedded within it it's possible it wont open due to some security settings in the registry.

HKLM>SOFTWARE>Policies>Adobe>Adobe Reader><Version>>FeatureLockDown>cDefaultLaunchAttachmentPerms>

Edit the tBuiltInPermList key:

To modify the level of user access to file types:

  1. In the Add and Modify File Types (Extensions) list, scroll to the file type you want to modify.

  2. Set the user access level when opening or launching the file type to one of the following:

    • Unspecified: Sets tBuiltInPermList to 1.
    • Allowed: Sets tBuiltInPermList to 2.
    • Prohibited: Sets tBuiltInPermList to 3.

This feature sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms\
"tBuiltInPermList"

Common SSL Errors

Common causes of SSL errors, from the client side:

 

1. Ensure that your systems date/time is correct.

2. Ensure that you are running the latest service pack and hotfixes

3. Ensure that you apply any “optional” root cert updates from the Windows update site.

4. Ensure that the Citrix ICA client is up to date and any older versions are removed.

5. If using Java, ensure that you are on the latest version of Sun Java.

6. Disable any local firewalls to ensure that a mis-configuration is not interfering with access to the Citrix servers.

7. Disable the VPN client prior to connecting to Citrix

8. Attempting to access Citrix from another organizations network that may not permit such access. (Usually they are running a proxy server that brokers Internet access)

 

 

SSL Error 15: SSL security contact is invalid or expired

Resolution: Ensure that the Citrix ICA client is current. Also ensure all other Citrix client versions are removed. Look in Add/Remove programs for anything related to Citrix or Metaframe and uninstall those instances. Then install the latest version of the Citrix ICA client.

 

SSL Error 29: Proxy denied access to port 1494 STA... from Web Resource in an Advanced Access Control Farm.

Resolution: Escalate to the Citrix team for immediate attention

 

SSL Error 37: Cannot connect to the citrix Metaframe server. There is no route from the Citrix SSL Relay to the specified subnet address.

Resolution: Escalate to the Citrix team for immediate attention

 

SSL Error 40: The Citrix SSL relay name could not be resolved

Resolution: Check local software firewalls. Norton 360, Symantec Security Suite and ZoneAlarm have been known to cause problems when incorrectly configured

 

SSL Error 45: The Citrix Relay sent an alert. Please contact your Citrix Administrator

Resolution: ?

 

SSL Error 49: The Remote SSL peer sent a bad certificate alert

Resolution: Ensure all other Citrix client versions are removed. Look in Add/Remove programs for anything related to Citrix or Metaframe and uninstall those instances. Then install the latest version of the Citrix ICA client.

 

SSL Error 55: The remote SSL peer sent an unrecognized alert

Resolution: The SSL Error 55 is caused by an invalid (or missing root) certificate. Ensure that the date/Time on your workstation is correct and that you have all the latest patches AND root cert updates.

 

SSL Error 59: Security alert: The name on the security certificate does not match the name of the server

Resolution: User has a VPN client installed and needs to disable this service before connecting to CITGO. Also check local software firewalls. Norton 360 and ZoneAlarm have been known to cause problems when incorrectly configured. Ensure the last Service Packs, hotfixes and root certs have been updated.

 

SSL Error 61: The server certificate received is not trusted

Resolution: Ensure that the date/Time on your workstation is correct and that you have all the latest patches AND root cert updates.

 

SSL Error 68: the SSL certificate is not yet valid

Resolution: Ensure that the date/Time on your workstation is correct and that you have all the latest patches AND root cert updates.

 

SSL Error 70: The connection was rejected. The SSL certificate is no longer valid. Please contact your Citrix Administrator.

Resolution: Single user incident, ensure that the date/Time on your workstation is correct and that you have all the latest patches AND root cert updates. Multiple user incident, escalate to the Citrix team for immediate attention.

Also reported: Create an exception in Windows Firewall for IE, per below. If this works, please report the incident to level 2 support for further evaluation.

 

SSL Error 73: One or more of the root certificates in the keystore are not valid

While not confirmed to resolve the issue, the Macintosh root certificate was determined to be in a CER format. Mac certificates need to be in a DER format with an extension of ".crt".

-Or -

On the Macintosh, the root certificate has been copied properly to the keystore/cacerts folder, but the user is receiving the above SSL Error when trying to connect. (See CTX104638 for resolution)

 

SSL Error 78: Certificate could not be checked for Revocation. Cannot connect to the citrix metaframe server.

Resolution: The client device does not have an installed or registered DLL for verifying the Certificate Revocation List (CRL). The Win9x/WinNT 4 operating systems do not support CRL checking. Additionally, ensure that the latest Citrix client is installed. If using an older OS, it might be possible to use the Java client to work around this issue. Uninstall the ICA client and do not install the ICA client when prompted. This will default you to the Java client.

Default Programs Shell Shortcut

In a locked down environment, the Default Programs menu might be unavailable. You can still access is by pasting this into the run command dialogue box.

%windir%\explorer.exe shell:::{17cd9488-1228-4b2f-88ce-4298e93e0966}