Andreas's questions

I just started using Let's Encrypt. The http-01-challenge is simple enough:

• Make a webserver respond to http://example.com
• Ask Let's Encrypt for a challenge-file
• Provide the file unter http://example.com/.well-known/acme-challenge
• Receive the TLS-certificate for example.com

Works like a charm. But how are they making sure that I am really the owner of example.com using an insecure http-connection?

Couldn't some admin in my data center (or at my ISP) just request a certificate and intercept the http-requests, Let's Enrypt sends to check the server's identity?

I just used our internal Windows-CA to create a certificate for our internal server "hdl-diamant".

When calling the website using "https://hdl-diamant", I do get "ERR_CERT_COMMON_NAME_INVALID" in Edge (Chromium), Chrome and Firefox.

But in IE 11, the certificate is accepted just fine.

What is going wrong here?

The following certificate is delivered by the webserver (you can decode it here)

-----BEGIN CERTIFICATE-----
MIIF2TCCBMGgAwIBAgITSgAAACvsEpZoQcz3YwAAAAAAKzANBgkqhkiG9w0BAQsF
ADBBMRIwEAYKCZImiZPyLGQBGRYCZGUxGjAYBgoJkiaJk/IsZAEZFgpnb20tYmVy
bGluMQ8wDQYDVQQDEwZIREwtQ0EwHhcNMjAwODIxMTIwMDAwWhcNMjIwODIxMTIw
MDAwWjCBgDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMG
QmVybGluMSwwKgYDVQQKDCNGUsOWQkVMIEJpbGR1bmcgdW5kIEVyemllaHVuZyBn
R21iSDELMAkGA1UECxMCSVQxFDASBgNVBAMTC2hkbC1kaWFtYW50MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoilKAQZum2Jv+XfYDY4e2+uC+OTK4cF5
nGYuwjUUFfK+UKqHv5VrRxLZeLnch0kOZppVzpU47KwjdtU/jI/BqvVuYyrmW8yp
y2iYm6DevCi08hiDLiSis/sZ/9n6rdqEB2ZmgdIOoNtgL8qk5chxP6ljtJwFTdO2
ksg2oGNAg1UdPqdwVrqUhxI7Y3Gq6MsbajJ23pO4EHQTqMBWhzv1Ja2vtdJhSRrS
vMIWCq8nn9sQe5vyTqZMGoWtNHgOlSr4C4BN3AcbtkrB57CKWwZK2xLeneAMj5hM
ZPbkJaHONGKw6nIjeSoyowA9ZnpZeeTx4oBO3Cn+cpxH2/jWVaj/dQIDAQABo4IC
iDCCAoQwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMHgGCSqGSIb3
DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgB
ZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYF
Kw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFLSI88muthGWCDpMgD/NkrpijhqP
MB8GA1UdIwQYMBaAFJ5MjQtUxt6n9+UUrT2gdUvhP7OjMIHFBgNVHR8Egb0wgbow
gbeggbSggbGGga5sZGFwOi8vL0NOPUhETC1DQSxDTj1IREwtREMsQ049Q0RQLENO
PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9Z29tLWJlcmxpbixEQz1kZT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25M
aXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgboGCCsG
AQUFBwEBBIGtMIGqMIGnBggrBgEFBQcwAoaBmmxkYXA6Ly8vQ049SERMLUNBLENO
PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D
b25maWd1cmF0aW9uLERDPWdvbS1iZXJsaW4sREM9ZGU/Y0FDZXJ0aWZpY2F0ZT9i
YXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwIQYJKwYBBAGC
NxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUAcjANBgkqhkiG9w0BAQsFAAOCAQEACI23
mwPAtIDArRBW2sMDDFamsAs3XJh+dnzXTX4MvD/WQRh0zrN8l4sHLiNVI/r9662n
dohB80e62zM/fGIOTXZ9arCWRf+KggBiaRJKehSEBArw8fHadspUjOCtJReAnMkj
SkisgQTc3zDsx4/tQtd1o+uwGovsd7FFRsIWUOpmUdt8TJpgtWuklnA7UHYRVy/Y
Iry4bfN9qR0Bw/aWXmHPrakgzv471jkaQVlN/cHUMrLQPppw0aV1vxTKgl/h7jHv
X0WgrNL5Iz2Lq2I0194ymQh4ZftkNK9GSTAOYryxXi/9Jq4IL7mTQk561F0buyWk
8c0MTPrn6ZKkyQo3RQ==
-----END CERTIFICATE-----

I did set up a RRAS-VPN-Server for our network. It works almost fine. The only thing missing is that I want to create a policy on DHCP that can be used to communicate special options to the VPN-clients: They should get some additional information for routing (option 121).

But I do not find a way to setup the policy-conditions that match the RRAS-Server's requests.

If I add a nonesense-condition like "MAC-Address NOT equal to DDDDDDDDDDDD", the options are communicated just fine to the VPN-Clients, but also to clients on the LAN.

What condition do I need to set for the VPN-Clients only?

We did set up a Windows Server 2019 as a VPN-Server that should grant access to a /22-network.. It has a single Ethernet-connection to the network 192.168.32.0/22 (spanning up to 192.168.35.255). The server's IP is 192.168.33.47 and the RAS-connection has 192.168.33.201.

But when opening the VPN-connection (split-tunneling enabled), I can only reach everything in 192.168.33.0/24. The remainder of the network is not reachable.

What do I need to change on the RAS-Server in order to reach the entire network?

The issue seems to be the routing-table (192.168.110.1 is the remote computer's gateway):

route print -4

Network destination       Netmask        Interface          Gateway Metric
            0.0.0.0       0.0.0.0    192.168.110.1   192.168.110.12     25
       192.168.33.0 255.255.255.0   192.168.33.200   192.168.33.208     26
(...)

Requests to 192.168.32.0/24 are thus routed to the local gateway 192.168.110.1 instead of 192.168.33.200.

The powershell confirms this:

Find-NetRoute -RemoteIPAddress "192.168.33.5"
(...)
NextHop : 192.168.33.200 (good!)

Find-NetRoute -RemoteIPAddress "192.168.32.5"
(...)
NextHop : 192.168.110.1 (wrong!)

I can edit the routing-table manually of course:

route add 192.168.32.0 MASK 255.255.255.0 192.168.33.200 METRIC 26

The whole target-network is reachable after that. But surely, it cannot be the solution to edit the routing-table on each client.

What do I need to change on the server-side in order to get this to work automatically?

Thank you very much!

Edit: As requested a screenshot of the configuration of the static route that I tried.

On our network-shares, we have all kinds of broken permission-inheritance.

Just one example: The folder "D:\Shares\PublicRelations" has full access for the groups "PublicRelations" and "HR" (both with full inheritance set). But the folder "D:\Shares\PublicRelations\SomeTopic" lacks the inherited permissions for the group "HR", even though inheritance is active.

This probably happened, when someone added "HR" to the top-folder and the propagation failed for some reason.

Is there any tool to fix this kind of issue automatically?

Ideally, I would just call it with the parameter "D:\Shares". It will then traverse all directories and fix all inherited permissions where necessary.

I am trying to read full directories independent of the current file-permissions. But even though I do have "SeBackupPrivilege", the following code leads to an "UnauthorizedAccessException". How can this be?

//Create the test-directory.
string testPath = Path.Combine(Environment.CurrentDirectory, "TestDenied");
string filePath = Path.Combine(testPath, "Foo.txt");
Directory.CreateDirectory(testPath);
using (var fs = File.CreateText(filePath)) {
    fs.WriteLine("Foo");
}
var ds = Directory.GetAccessControl(testPath, Utils.AccessControlSectionsToRead);
ds.SetOwner(WindowsIdentity.GetCurrent().User);
ds.AddAccessRule((FileSystemAccessRule)ds.AccessRuleFactory(
    WindowsIdentity.GetCurrent().User,
    (int)FileSystemRights.FullControl,
    false,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Deny)
);
Directory.SetAccessControl(testPath, ds);

//Get the backup-privilege
WinAPI.ModifyPrivilege(PrivilegeName.SeBackupPrivilege, true);
//Checked the privilege on the command line here: The process has it.

//Try to access the forbidden file.
using (var fs = File.OpenRead(filePath)) {
    //UnauthorizedAccessException from the line above.
}

How can this happen? I thought, that SeBackupPrivilege gets me access to all files?

We just connected an alarm-system to our network that should detect physical intrusion into our buildings. To configure the system, I connect to it via https. Not surprisingly, I do get a certificate warning (untrusted issuer and invalid CN).

Is there any way to make the Window 10-machines on our network trust this certificate for a domain of my choice?

e.g.: The device should be available using https://alarm1.ourdomain.com.

The certificate seems to be a root-certificate, since it does not reference any other certificates. Some more details:

• Common Name (CN): Secvest
• Organization (O): ABUS Security-Center GmbH & Co. KG
• Country (C): DE
• Organizational Unit (OU): Alarmanlagen

Please find the full public certificate below. For further information you can decode the certificate here: https://redkestrel.co.uk/products/decoder/

-----BEGIN CERTIFICATE----- MIIDkzCCAnugAwIBAgIEIFXqSDANBgkqhkiG9w0BAQsFADBjMRAwDgYDVQQDEwdT ZWN2ZXN0MSswKQYDVQQKEyJBQlVTIFNlY3VyaXR5LUNlbnRlciBHbWJIICYgQ28u IEtHMQswCQYDVQQGEwJERTEVMBMGA1UECxMMQWxhcm1hbmxhZ2VuMCAXDTEzMDEw MTAwMDAwMFoYDzIwNjAwMTAxMDAwMDAwWjBjMRAwDgYDVQQDEwdTZWN2ZXN0MSsw KQYDVQQKEyJBQlVTIFNlY3VyaXR5LUNlbnRlciBHbWJIICYgQ28uIEtHMQswCQYD VQQGEwJERTEVMBMGA1UECxMMQWxhcm1hbmxhZ2VuMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAoRYMhI3iSzlC/bPNoFPn9jc261GQfsyOZZgh+LRlk8kk HQH5jLVmXJuWgulsAr+yZ8/BADxhhwms72SBidS7AwYatoVOy4oFpZ98dbOQ7/oz OV7PGaDb38jaLKIUzQZfSnwVXcFoqpIJ8F5f5ub+EDkW4SWNGs2iZQHbA5GQjlzV lXoJt2CgjU7cjOZLHEZAoxoT7bH+ou6DQzIC4x/LDf9ghWL/HyM/lRsPLuRmEwXd L3psF1gxHqWeDC1+G2O23CEhz6/1yYkCarzDyg97S1y5KC82AVWMjbVdgztOeEdH vhwPX0Q6ZNYtrM8N+BE9fsSyEKbipNuRcLGsuxeQiwIDAQABo00wSzAJBgNVHRME AjAAMB0GA1UdDgQWBBThCBy94Jmop1ms4LzjQSR8iDqrIDAfBgNVHSMEGDAWgBTh CBy94Jmop1ms4LzjQSR8iDqrIDANBgkqhkiG9w0BAQsFAAOCAQEAmXSALKISQx1J t97twpMWPPtuNeWlGRqPSqFoLcGHvbuK1UuATKv2STHlF0dleeMU3lxyR8WrnRkV UQXp/DbU0Wu7WZ+6XEzF1okC0utbixPDIsjyqNEPfcDqVD2JXYoH4u+jB8RozHGl HMYwrVlAYDaBuye0gxdB71lE8NE/t0IqEJL3tGEZuDoyCmN9x9SVgvKL+gM56Xx/ 5W8BXP1L0SDTVoOHH8g+iJ4MjGZceQAHSs9/6HUAJeRhYAHZqlq2S324TLDQZuqD mOocT4FtsKg6R6uLOiBAM3ijP3RnBgTziSH8uvWAFX4NrPqKAmVrvLgtx6BHM6Gw zagvSyAMWw== -----END CERTIFICATE-----