M.S. Dousti's questions -server

M.S. Dousti

Asked: 2013-06-10 11:56:16 +0800 CST

Windows 7 "Cryptographic Operators"

Cryptographic Operators: FIPS 140-2 defines a “Crypto Officer” role, which is represented by the Cryptographic Operators group in Windows, first introduced in Windows Vista SP1.

When the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting is configured in local or group policy objects, only members of the Cryptographic Operators group or the Administrators group can configure Cryptography Next Generation (CNG) settings by default. Specifically, Cryptographic Operators can edit the cryptographic settings in the IPsec policy of Windows Firewall with Advanced Security (WFAS).

I have performed the following:

Enabled the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Local Security Policy. It can be found under the Security Settings -> Local Policies -> Security Options key.
Created a new standard user.
Added the user to the Cryptographic Operators group.

I noted that this user cannot even access Windows Firewall with Advanced Security (WFAS), without first being a member of Network Configuration Operators. Then, I noted that any member of such group can access WFAS, and create new rules under the Connection Security Rules, including IPsec rules. In other words, the user need not be a member of the Cryptographic Operators group.

I then tried another thing: I opened MMC, and added the "IP Security Policy" snap-in. Oddly, the user (which is a member of the Cryptographic Operators group) does not have access to these settings:

Access denied to IPsec settings

Could you please help me figure out the task which members of the Cryptographic Operators group (but not standard users) can perform?

M.S. Dousti

Asked: 2013-04-28 22:29:36 +0800 CST

Adding "Enterprise Admins" group of forest A to "Enterprise Admins" group of forest B

First of all, I'd like to point out that this question is purely theoretical. I'm asking it to better understand the nature of different groups in Active Directory.

So, I have created two separate Active Directory forests, say forest A and forest B. Moreover, I manually created a two-way transitive forest trust between them. Now, I want to try one more thing: Allow any enterprise admin in forest A to perform any administrative task in forest B.

To do so, I thought of adding the "Enterprise Admins" group of forest A to "Enterprise Admins" group of forest B. This is impossible, since the "Enterprise Admins" group can only have members within the same forest.

Next, I tried to add an intermediate group to forest B. The idea is:

"Enterprise Admins" of A ==> Intermediate group ==> "Enterprise Admins" of B

However, the only group which can host members of other forests is a "local group," which cannot be a member of any other type of groups.

So, I'm stuck here. Is it possible to achieve this task?

Windows 7 "Cryptographic Operators"

Adding "Enterprise Admins" group of forest A to "Enterprise Admins" group of forest B

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?