PKI Setup (Offline Root CA)

Place CAPolicy.inf in the C:\Windows folder on the Root CA before installing the CA role (the file is only read during installation)

Install the Root CA

Configure the Root CA:

Remove ALL CRL locations (CA properties, Extensions tab) BEFORE issuing any certificates

On the Root CA run:

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits "20"

Copy the Root CA certificate and CRL files from C:\Windows\System32\CertSrv\CertEnroll on the Root CA to C:\CertEnroll on the Sub-CA or web server

Give Cert Publishers Modify permissions on C:\CertEnroll and give Everyone Read.

Install the Sub-CA - place the CAPolicy.inf file in the C:\Windows folder on the Sub-CA first

Import the request into the Root CA and issue the certificate. Then save it to a file and install it on the Sub-CA.

Start the CA service on the Sub-CA - errors will show for the Sub-CA in the PKI hierarchy view (pkiview.msc) at this point.

Go to the web server

Run from Cmd:

C:\windows\system32\inetsrv\Appcmd set config "Default Web Site" /section:system.webserver/Security/requestFiltering -allowDoubleEscaping:True

Cd \CertEnroll

certutil -f -DSPublish CA-Root.contoso.com_CAROOT.crt RootCA

Finally configure DNS

If the domain ends in .local, an A record will need to be created pointing to the web server.
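The web server side of the procedure above (CertEnroll permissions, the appcmd setting, publishing the root into AD, the DNS record) as one PowerShell script with a check at the end. This is an added example, not part of the original notes; the site name "Default Web Site", the host name "pki", the zone "contoso.local", the address 10.0.0.5 and the IIS virtual directory step are assumptions not stated in the notes.

```powershell
# Added example (not from the original notes). Run elevated on the web server.
# Assumptions: Root CA files already copied to C:\CertEnroll; root cert file
# named as in the notes; host/zone/IP below are constructed placeholders.
$certEnroll = 'C:\CertEnroll'
$rootCert   = Join-Path $certEnroll 'CA-Root.contoso.com_CAROOT.crt'
$pkiHost    = 'pki'            # host name used in the AIA/CDP URLs (assumed)
$pkiZone    = 'contoso.local'  # AD DNS zone (assumed)
$pkiIP      = '10.0.0.5'       # web server address (constructed)

New-Item -ItemType Directory -Path $certEnroll -Force | Out-Null

# Permissions: Cert Publishers needs Modify so the CAs can publish CRLs here;
# Everyone gets Read so clients can fetch the certificate and CRL files.
$acl     = Get-Acl -Path $certEnroll
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules   = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$env:USERDOMAIN\Cert Publishers", 'Modify', $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        'Everyone', 'ReadAndExecute', $inherit, 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $certEnroll -AclObject $acl

$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
# Virtual directory so http://<host>/CertEnroll/ maps to the folder
# (this step is assumed; the notes do not show it).
& $appcmd add vdir /app.name:'Default Web Site/' /path:/CertEnroll /physicalPath:$certEnroll

# Delta CRL file names contain '+', which request filtering rejects unless
# double escaping is allowed (same appcmd call as in the notes).
& $appcmd set config 'Default Web Site' `
    /section:system.webServer/security/requestFiltering -allowDoubleEscaping:True

# Publish the root certificate into AD so domain members trust it.
certutil -f -dspublish $rootCert RootCA

# DNS A record for the web server name (needs the DnsServer module; run on a
# DNS server or with RSAT installed).
Add-DnsServerResourceRecordA -ZoneName $pkiZone -Name $pkiHost -IPv4Address $pkiIP

# Checks: the root cert is reachable over HTTP and every AIA/CDP URL in it resolves.
$url = "http://$pkiHost.$pkiZone/CertEnroll/$(Split-Path $rootCert -Leaf)"
(Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode
certutil -verify -urlfetch $rootCert
```

Run the same `certutil -verify -urlfetch` against the issued Sub-CA certificate once it is installed; the pkiview.msc errors clear only when every URL it lists comes back OK.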


List the users being audited

AuditPol /List /User


To see how a user is being audited

AuditPol /Get /User:UserName /Category:*


To see the user's SID

AuditPol /List /User /V


List all audit categories

AuditPol /List /Category