A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Two separate businesses using the same domain name have now merged into one.
This is the first time I've run into this and hope someone could shed some light. We've recently acquired a new client who at one point had two domain controllers, Server 2008 and Server 2012. They moved Server 2012 over to a new location as part of a different business, but kept the same domain name. Server 2008 AD sees the 2012 as a DC; however, 2012 doesn't see 2008 as a DC. They are now on different networks, but were recently configured to tunnel back to corporate to share resources.

What I'm trying to accomplish: Join a 2016 DC to their corporate to decommission 2008.

Error I'm getting when promoting 2016 to a DC: "Active Directory preparation failed. The schema master did not complete a replication cycle after the last reboot."

What I've gathered so far:

Server 2008 - DC - samedomain.local - Corporate Office
    At one point was replicating to 2012.
Server 2012 - DC - samedomain.local - Remote Office
    No longer replicating from 2008.
Recently a WatchGuard VPN was put in so the two locations could talk and share resources. Different IP schemes, and they don't know about each other.

My Question: Can I safely remove the 2012 DC from 2008 to stop attempting replication and at the same time continue to operate both under the same domain name, but separate?

Remote Office will still use 2012 to authenticate locally until we can sit down and plan out a migration plan several …

Is there a way to emulate threat traffic in a controlled environment? We would then use this information for common use cases. I was thinking of anything along the lines of log files that could give an indication of different attack signatures. This method is obviously safer than injecting a virus on a test box and then introducing it to a customer's network. Any suggestions are GREATLY APPRECIATED!
I'm making a comparison of IPS brands that give the most virtual patches for various CVEs for MS (Windows, Outlook, .NET, MS SQL, IIS & MS Office), Oracle (WebLogic, Database, Java, Solaris), Linux (various Linux, esp. RHEL, Ubuntu, Debian, CentOS used in microservices) & a couple of open-source software packages (eg: PHP, Apache, Struts, WordPress).

Reason is it's difficult to get downtime & lead time to patch can often stretch to almost a year. Currently, Trend Micro claims its Deep Security is endorsed by MS as giving the most virtual patches for MS products.

What about TippingPoint NIDS (acquired by Trend Micro) in terms of its number of virtual patches for the various products above?

What about other products (esp. coverage for Oracle & Linux-related ones)? McAfee, Check Point, Sophos, ...?

Also, continued availability of obsolete versions of software is crucial for us as we have a long lead time to tech-refresh obsolete (ie principals/developers don't release patches for it anymore) software.

There's an argument that ultimately product patches still need to be applied? What could be the possible reasons for this? Heard that for NIDS, if PCs got infected/compromised, the attacker could bypass NIDS & WAF to attack the unpatched endpoint servers. Guess an IPS with an agent inside the endpoint will mitigate, right?
I have traffic coming from the outside world to a WatchGuard firewall, to a Citrix NetScaler, which goes to an internal ASA firewall and then to the internal network.

Our Citrix NetScaler also has the same certificate (service communication certificate) which is being hosted on our internal ADFS server (Windows Server R2).

We don't have an ADFS proxy server as of now.

Recently we had a password spray attack on our internal ADFS server, and we could not determine the source IP on our internal ADFS server.

I wanted to know the following:

1) I read in articles that Windows Server 2012 R2 has an extranet lockout feature and the ADFS 2016 server also has an extranet lockout feature, so is there any difference between the two as far as protection from password spray attacks is concerned?

In the scenario I explained regarding traffic coming from outside to WatchGuard firewall - NetScaler - ASA firewall, where should I place the WAP server and how can it help in mitigating a password spray attack?

Are there any good tutorials for upgrading a Windows Server 2012 to 2016 ADFS server and how the proxy ADFS should be configured?

We have mailboxes in 365 and AD accounts are synced through AAD sync to Azure AD.

I came to know from Microsoft that messages are being redirected from Office 365 to the internal ADFS server and it is not authenticating, so what other steps should I take to protect from spray attacks? Is just a proxy ADFS server sufficient or should some conditional policy be applied …
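As an added example (not part of the post, and not any vendor's detection logic): a small Python detector that separates a password spray (many accounts, one or two tries each, which stays under a per-account lockout) from a brute force (one account, many tries) in failed-logon records. The record layout and the sample events are constructed; "xff" is an assumed field standing in for a client address forwarded by the proxy in front of ADFS, which is exactly what the post says it cannot see today.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, src_ip, xff=None, ok=False):
    return {"ts": ts, "user": user, "src_ip": src_ip, "xff": xff, "ok": ok}


# Constructed sample of logon events, not real ADFS records. "src_ip" is the
# address the ADFS server itself sees (the NetScaler/ASA hop); "xff" stands in
# for a client address forwarded by that hop (an X-Forwarded-For header, or the
# client IP a WAP passes on). Without such forwarding every external attempt
# collapses onto the same src_ip and sources cannot be told apart.
SAMPLE_EVENTS = [
    # spray: six different accounts, one try each, inside two minutes
    _ev("2019-06-03T08:00:01", "alice", "10.0.0.5", "203.0.113.7"),
    _ev("2019-06-03T08:00:20", "bob",   "10.0.0.5", "203.0.113.7"),
    _ev("2019-06-03T08:00:41", "carol", "10.0.0.5", "203.0.113.7"),
    _ev("2019-06-03T08:01:02", "dave",  "10.0.0.5", "203.0.113.7"),
    _ev("2019-06-03T08:01:25", "erin",  "10.0.0.5", "203.0.113.7"),
    _ev("2019-06-03T08:01:49", "frank", "10.0.0.5", "203.0.113.7"),
    # brute force: one account hammered eight times from one client
    *[_ev(f"2019-06-03T08:05:{s:02d}", "admin", "10.0.0.5", "198.51.100.9")
      for s in range(0, 40, 5)],
    # an internal user mistyping twice, then succeeding (no proxy in the path)
    _ev("2019-06-03T08:10:00", "gina", "192.168.1.20"),
    _ev("2019-06-03T08:10:30", "gina", "192.168.1.20"),
    _ev("2019-06-03T08:11:00", "gina", "192.168.1.20", ok=True),
]


def source_of(event):
    """Prefer the forwarded client address; fall back to the hop address."""
    return event["xff"] or event["src_ip"]


def _failures_by_source(events):
    """{source: [(time, user), ...]} of failed logons, in time order."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            by_source[source_of(e)].append((datetime.fromisoformat(e["ts"]), e["user"]))
    return by_source


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: {users}} for sources that, within some `window`, failed
    against at least `min_users` distinct accounts with no single account tried
    more than `max_per_user` times. Few tries per account is what keeps a spray
    under a per-account lockout threshold, so count accounts, not attempts."""
    flagged = {}
    for src, attempts in _failures_by_source(events).items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in attempts[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.setdefault(src, set()).update(per_user)
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Return {source: {users}} where one account drew at least `min_attempts`
    failures from one source inside `window` (the per-account pattern that a
    lockout threshold keys on)."""
    flagged = defaultdict(set)
    for src, attempts in _failures_by_source(events).items():
        times_by_user = defaultdict(list)
        for ts, user in attempts:
            times_by_user[user].append(ts)
        for user, times in times_by_user.items():
            for i in range(len(times) - min_attempts + 1):
                if times[i + min_attempts - 1] - times[i] <= window:
                    flagged[src].add(user)
                    break
    return dict(flagged)
```

Strip the `xff` field from the sample and both detectors attribute everything to 10.0.0.5, the hop address: the attack is still visible, but there is no source to block. That is the gap a WAP, or any proxy that forwards the client address into the ADFS logs, closes.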
I have an application running in ASP.NET/C#/IIS/SQL Server.

The application is not rendering correctly on any browser other than Internet Explorer.

I have added a document with the details on display and some setting changes I had to make for PCI Scan Vulnerabilities.

Please advise on what the issue may be.


Bruce Merevick
We have been looking at some get-hotfix reports to determine the last MS security updates applied to a multitude of servers serving different purposes. In some cases the process seems to be working and critical updates are applied in a timely manner, but we found a few exceptions. For my own knowledge/benefit: if a server was acting as a web server and only had standard web ports open, could any of the vulnerabilities that the MS updates 'address' still be exploitable from the outside through those ports? I'm not entirely sure what range of products/services the updates cover in their 'monthly roll-ups', so I would be interested to learn a little more.
Just had two sites fail PCI compliance tests with certificate errors on a SonicWall TZ180. Trustwave does the scans and this is what they said: "The server should be configured to disable the use of the deprecated SSLv2, SSLv3, and TLSv1.0 protocols. The server should instead use stronger protocols such as TLSv1.1 and/or TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the SSLv2, SSLv3, and TLSv1.0 protocols on this service is sufficient."
I have no idea how to do what they said. Any help is really appreciated. Thanks
We have a few IT vendors located in other countries:

Would it meet audit/compliance requirements that they do application penetration testing (eg: greybox) on their "cloned" environment rather than in the actual production environment? (ie use 'cloned' as a proxy for production)

What are the measures we can take to ensure the pre-production 'cloned' environment's scanning would yield the same results as the actual environment?

Are reports generated by pentesting tools protected such that they are tamper-proof? Are Nessus & Rapid7 tamper-proof?
One of my Hotmail accounts has been hacked using malware. They say they know two of my passwords. One they know is accurate. One they have 6 of 9 characters correct. What free program can we use to remove any malware? The person warns on a daily basis but never acts on their intentions within the deadline they give of 3 days.
Are there any useful documents/articles that are routinely issued/updated which show specific trends in cyber attacks for, say, the past 2-3 years, and, for any major cyber attacks that hit the news, what the root cause of the vulnerability that was exploited was? i.e. what the cyber criminals are targeting nowadays, and what the relevant controls are to protect against those, assuming they could be protected against, e.g. a relevant patch applied?

I was also interested in identifying the primary/priority security defences, or at least coming up with some form of priority checklist of what to assess in what order when it comes to security. I appreciate that on larger networks/infrastructure security must be an absolutely mammoth effort, and any single vulnerability on any device could be your downfall, but there must be some form of precedence in terms of priority of cyber controls when self-assessing your cyber/security defences. So my question to you is: where exactly would you start, and do any of the guidelines out there put cyber controls/defences in order of importance/priority? I assume they must do, but quite which articles/guidelines is unknown to me.

If you were doing an independent review of your security/cyber defences, what order would you start in, e.g. the absolutely bare minimums, and then onto the second tier of defences, 3rd etc.? If there are no such guidelines, your own view on this would be equally interesting.

Hi Experts,

Looking for a way to activate "Launch program before Windows login" for the WatchGuard 12.2 VPN client. Trying to have the VPN login show up before the Windows login so that once the Internet is connected, remote users can connect to the VPN and then to AD for authentication. This has to be done during first boot, so I'm looking for silent switches which would enable installation of the VPN as well as enabling the feature above. I have attached the silent install switches that I am aware of.

Thanks in advance
Sorry for such a noob question. We have a WatchGuard T35. Right now it has a branch-to-branch VPN set up to another WatchGuard.

It also has the capability to make a VPN to a specific computer that's on the road, right? What app(s) can be installed on a Windows 10 computer that can do that?

Preferably free. Does WatchGuard include software to do that? Is there a standard the software needs to meet (does WatchGuard have their own proprietary way of talking to endpoints, or does any VPN software work)?

We are coming up with policy/guidelines on when a new app system should have
a) an application greybox scan
b) a blackbox penetration scan

I understand a) is more stringent than b), ie a) will reveal more than b) will.

I'm contemplating that if the app system has one of the following, then it'll require a greybox scan; otherwise, only a blackbox scan will do:

a) internet-facing
b) is designated as "Critical Information & Infrastructure" by regulator/authority
c) contains PII and is making payments of large amounts (including payroll; would a system that bills customers classify as equally critical as payroll?)
We have a Parameter Tampering weakness in our app which we don't have time to fix at the application level, so we are exploring alternative mitigations, namely WAF & IPS.

The Parameter Tampering weakness is: a web-based attack in which certain parameters in the Uniform Resource Locator (URL) or web page form field data entered by a user can be changed without the required authorization. After changing, it points the browser to a link, page or site other than the one the user was authorized (from his original authentication) to access.

Changing the input 60001 which the user entered under parameter "file_id" in the URL is a valid request & thus the user could see other contents (which he was not meant to see) by changing it to different values.

Is it possible to customize rules/policies in the WAF/IPS such that the rules whitelist the download form (there's only 1 form that is vulnerable) to only the 3 URLs (exactly the same URLs as above except the value after file_id=) and block off the rest? The 3 values are 80001, 80002, 80003.

We use WebLogic to serve the web service.
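An added illustration (not code from the post, and not WebLogic or any WAF product's rule syntax) of the weakness and the two layers of response the post weighs: the server-side authorization check that actually fixes it, and an allowlist filter in the spirit of the WAF rule asked about. The users, the file-id-to-user mapping, the file contents and the `/download` path are constructed for the example; the ids 60001 and 80001/80002/80003 are the ones named in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed data (not the application's real store): which file ids each
# logged-in user is entitled to, and what the files contain.
AUTHORIZED = {"alice": {"80001"}, "bob": {"80002", "80003"}}
FILES = {
    "60001": b"statement belonging to another customer",
    "80001": b"alice's statement",
    "80002": b"bob's first statement",
    "80003": b"bob's second statement",
}

DOWNLOAD_PATH = "/download"                      # assumed path of the one vulnerable form
ALLOWED_FILE_IDS = {"80001", "80002", "80003"}   # the three values given in the post


def download_vulnerable(user, file_id):
    """Before: existence of the id is the only check. Any authenticated user
    who edits file_id in the URL receives another user's file."""
    return FILES[file_id]


def is_authorized(user, file_id):
    """Server-side decision that ties the client-supplied id to the session
    identity. The id alone proves nothing about entitlement."""
    return file_id in AUTHORIZED.get(user, set())


def download_fixed(user, file_id):
    """After: the application-level fix the post says there is no time for."""
    if not is_authorized(user, file_id):
        raise PermissionError(f"{user} is not authorized for file_id={file_id}")
    return FILES[file_id]


def waf_allow(url):
    """Interim positive-security rule in the spirit of a WAF allowlist: let a
    request to the download form through only when file_id occurs exactly once
    and is one of the three known-good values. Returns (allowed, reason).
    Requests to other paths are outside this rule's scope and pass untouched."""
    parts = urlsplit(url)
    if parts.path != DOWNLOAD_PATH:
        return True, "not the download form"
    ids = parse_qs(parts.query, keep_blank_values=True).get("file_id", [])
    if len(ids) != 1:
        return False, "file_id must appear exactly once"   # blocks parameter pollution
    if ids[0] not in ALLOWED_FILE_IDS:
        return False, f"file_id={ids[0]!r} is not in the allowlist"
    return True, "ok"
```

The allowlist stops the 60001 probe, a missing or blank id, trailing whitespace and the repeated-parameter trick, but it cannot know which of the three ids belongs to the current session: if different users are entitled to different ids among the three, `waf_allow` passes a request that `is_authorized` rejects. That is why the WAF rule is a stopgap and the server-side check still has to land.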

Please, are you aware of the BlueKeep threat and the mitigation measures that could be put in place?

Best regards,
I'm planning on deploying a set of Domain Controllers over 3 sites very soon - replacing a medium-sized peer-to-peer network (well, some would call it "large").
In doing this, I'm looking forward to getting past some of the difficulties that I've had with network management.
Not having used some of the tools in a domain setting before, I'm wondering about a few things and could use Experts perspectives and experience.

We've been using ManageEngine Eventlog Analyzer for Security Event and Incident Management.  The biggest issue has been getting the workstations to respond to the monitor.  We started out trying to keep things centralized and use WMI but that was just too hard to keep all the computers "connected".  So, we've resorted to the use of Agents on the workstations.  But, even then, some refuse to play nice and we don't get any event data as in "Access Denied".

We've also been using GFI Languard for internal network vulnerability scanning and remediation (e.g. software update management). And, we've had similar problems here so use almost 100% Agents now. This one doesn't seem to have the same connection problems.

Now, believe me, I've researched and asked and tried things but feel that some WMI enablements are just "too hard" - even though I don't give up easily, I remain hammering away at some tough cases.  I've generated my own checklist for setting up effective WMI and still don't have a magic formula for success.  Doesn't that seem …
CRM 4, CRM 2011 upgrade

We are doing a CRM 4.0 to CRM 2011 upgrade.  I have been asked if certain vulnerabilities are addressed in CRM 2011 (that were present in CRM 4.0)

Specifically, vulnerabilities are reported in the .ASPX files. They expose version information from IIS, ASP.NET etc.

We are required to enhance our Incident Response playbook to strike a balance between recovery and evidence preservation.

Offhand, I can only think of:
a) for AV, don't delete the malware/IOC file but quarantine it so that it can be analysed later: doing this for ClamAV (encrypt it to make it harmless) on UNIX servers & on Windows, only quarantine
b) on an infected PC/workstation, disconnect it from Wifi/LAN but don't power cycle it to retain as much evidence in it as possible & take an image backup of it (possibly run one of FireEye's forensic tools to collect artefacts)

Though Trend Micro's EDR has articles saying it helps with evidence collection, I don't really know how it works with the collection.

Will need further inputs ...
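An added example of item a) above, written for this page rather than taken from the post, ClamAV or any vendor: a quarantine routine that keeps the sample instead of deleting it, stores it in a harmless encoded form, and records the evidence an analyst needs later before the original is removed. The single-byte XOR encoding, the `.quar`/`.json` file layout and the placeholder sample bytes are all assumptions of this example.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

# Single-byte XOR: reversible and not secret. Its only purpose is that the
# stored copy is no longer a runnable/parsable file for anything that might
# stumble on it (a scanner, a user, a scheduled task).
QUARANTINE_KEY = 0x5A

# Constructed placeholder content for the demo; plain text, not a real sample.
SAMPLE_BYTES = b"constructed placeholder content, not a real sample"


def _xor(data, key=QUARANTINE_KEY):
    return bytes(b ^ key for b in data)


def quarantine(path, qdir):
    """Replace deletion with quarantine: write the encoded bytes into `qdir`
    plus a manifest carrying what the analyst needs later (original path, size,
    timestamps, MD5/SHA-256 of the ORIGINAL bytes). Returns the manifest."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    sha256 = hashlib.sha256(data).hexdigest()
    manifest = {
        "original_path": os.path.abspath(path),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "atime": st.st_atime,
        "ctime": st.st_ctime,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": sha256,
        "quarantined_at": time.time(),
        "encoding": f"xor:{QUARANTINE_KEY:#x}",
    }
    os.makedirs(qdir, exist_ok=True)
    with open(os.path.join(qdir, sha256 + ".quar"), "wb") as fh:
        fh.write(_xor(data))
    with open(os.path.join(qdir, sha256 + ".json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    os.remove(path)  # only after the encoded copy and the manifest are on disk
    return manifest


def restore_for_analysis(qdir, sha256, dest):
    """Decode a quarantined sample into `dest` (an analysis location, never the
    original path) and verify it still hashes to the recorded value."""
    with open(os.path.join(qdir, sha256 + ".json")) as fh:
        manifest = json.load(fh)
    with open(os.path.join(qdir, sha256 + ".quar"), "rb") as fh:
        data = _xor(fh.read())
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        raise ValueError("quarantined sample does not match its recorded hash")
    parent = os.path.dirname(dest)
    if parent:
        os.makedirs(parent, exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return manifest


def demo():
    """Round trip on the placeholder file inside a throwaway directory."""
    work = tempfile.mkdtemp()
    try:
        sample = os.path.join(work, "suspicious.bin")
        with open(sample, "wb") as fh:
            fh.write(SAMPLE_BYTES)
        qdir = os.path.join(work, "quarantine")
        manifest = quarantine(sample, qdir)
        original_removed = not os.path.exists(sample)
        with open(os.path.join(qdir, manifest["sha256"] + ".quar"), "rb") as fh:
            stored = fh.read()
        restored = os.path.join(work, "analysis", "suspicious.bin")
        restore_for_analysis(qdir, manifest["sha256"], restored)
        with open(restored, "rb") as fh:
            restored_ok = hashlib.sha256(fh.read()).hexdigest() == manifest["sha256"]
        return {
            "original_removed": original_removed,
            "stored_copy_differs": stored != SAMPLE_BYTES,
            "restored_hash_matches": restored_ok,
            "size_recorded": manifest["size"],
        }
    finally:
        shutil.rmtree(work)
```

The manifest is written before the original is removed and the hash is re-checked on restore, so the chain from "file on the host" to "sample on the analyst's bench" is verifiable at both ends.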

Maybe this question is not for technical help but I wanted to know your opinion. Last week in a group conversation a colleague said that the United States is storing and has been storing our data in the cloud in a facility in Utah: all text messages, land/mobile calls, web browsing, etc.

How true is this and should there be any concern?

Hi, I have installed Skype on our network for a select few users to communicate with a partner company.

Users can log in and communicate but are unable to share their screens.

We do run the WatchGuard web blocking system and I wonder if Skype is being blocked just for sharing of the screen.

Has anyone got experience of this issue and could possibly offer some advice?

I'm evaluating this new scanner "AppScreener product" vs BlackDuck, Synopsys, Fortify & Coverity:
AppScreener is capable of scanning applications without their source code. It also supports a wide span of 29 development languages including legacy ones such as COBOL, Delphi, ABAP. Such strength in the product comes in handy for organizations where 3rd-party code security is critical, and also in situations where source code is not available.

comparing in terms of
a) accuracy (# of false positives & false negatives)
b) ease of use (with good pointers on how to fix/secure the code)
c) integration/linking to what a dynamic blackbox scan gives (eg: Tenable showing XSS, injection, CSRF: so I'll need to know how to track down where the vulnerable source code is)
d) post-sales support (how well they guide us)

We have customers that cannot patch SharePoint as quickly as possible. So I have some questions:

1)    How high do you measure this vulnerability, since attacks can be done remotely?
2)    Do we have a temporary possibility to reduce the risk without patching?
3)    If yes, what would you recommend me? (Is there a way to block ports etc. ?)

Thank you in advance
I recently had a pen test and one of the findings was our OWA (exchange 2013) is vulnerable to "Possible SQL Injection". Our pen tester recommends us to download the latest login dialog applet from Microsoft or recompile the web code against the v4.5 or later .NET framework. I am not able to find any download in Microsoft nor can I find any information regarding vulnerability or how to remediate it.

Has anyone encountered this issue before or know how to secure the OWA's logon page from SQL Injection? I read somewhere that it is not recommended to edit Microsoft's code.
Heard from a Trend Micro speaker that he knew of a PCI-DSS QSA that accepts virtual patching (be it NIDS or endpoint virtual patch) as a 'compensating control' in place of principal vendors' (eg: MS, Oracle) security patches.

Are there any authoritative articles (eg: by ISACA, NIST, PCI Council) that state that virtual patching can be accepted in place of the actual principals' patches? I'll need to support this claim to our auditors as the speaker can't produce authoritative supporting materials.

Run into difficulties applying various OS (including Solaris, WL, DB) patches & in some cases, can't tech-refresh on time.
Received a threat intel which indicated a file MSDFMAPI.INI (which has MD5 hash value c4103f122d27677c9db144cae1394a66) as an IOC.

When the above hash is entered into, all the security products there rated it as non-malicious & it's from a trusted publisher.

Refer to attached for more detail: suppose this file is present on a user PC (on Windows) & it's needed, what mitigations can we do?

I had one past such IOC file that was rated as safe by VirusTotal (think the filename is msxsl.exe) but it's a legit file, just that it is exploitable. So how do we deal with it (ie this IOC & the msxsl)?
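An added example for the triage the post is asking about (not from the post or any product): match a file's hashes against an IOC list that may carry MD5 or SHA-256 per entry, then combine the match with a reputation verdict and a list of legitimate-but-abusable binaries to pick an action. The post's MD5 for MSDFMAPI.INI is carried as received with the "trusted" verdict the post reports; the other two IOC entries, the reputation table, the sample files and the four-tier policy in `triage` are all constructed for this example.

```python
import hashlib

# IOC feed as a list of entries, each carrying whichever hash types the source
# gave. The first entry is the one from the post (MD5 only, as received); the
# other two are constructed so that the sample bytes below actually match.
IOCS = [
    {"name": "MSDFMAPI.INI", "md5": "c4103f122d27677c9db144cae1394a66"},
    {"name": "config.ini", "md5": "900150983cd24fb0d6963f7d28e17f72"},  # md5(b"abc")
    {"name": "payload.bin",
     "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"},  # sha256(b"hello")
]

# Stand-in for the multi-engine reputation lookup the post describes, keyed by
# hash. The post's hash gets the verdict the post reports; the rest is constructed.
REPUTATION = {
    "c4103f122d27677c9db144cae1394a66": "trusted",
    "900150983cd24fb0d6963f7d28e17f72": "trusted",
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824": "malicious",
}

# Legitimate binaries known to be abusable. msxsl.exe is the one the post
# names; the set itself is an assumed local policy.
ABUSABLE_LEGIT = {"msxsl.exe"}


def file_hashes(data):
    """Both digests of the same bytes, so an IOC of either type can be checked."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_ioc(hashes, iocs=IOCS):
    """Return the first IOC entry whose hash of a given type equals the file's
    hash of that SAME type (an MD5 is never compared against a SHA-256)."""
    for ioc in iocs:
        for kind in ("md5", "sha256"):
            if kind in ioc and ioc[kind].lower() == hashes[kind]:
                return ioc
    return None


def triage(filename, data, iocs=IOCS, reputation=REPUTATION):
    """Map a file observed on a host to an action (assumed policy):
      quarantine - IOC hit and reputation says malicious
      monitor    - IOC hit but reputation trusted/unknown (the post's case): the
                   file stays because it is needed, but its presence and any
                   process that opens or runs it is logged and alerted on
      restrict   - no IOC hit, but a legitimate binary known to be abusable:
                   keep it, constrain who/what may execute it, alert on use
      allow      - nothing known about it
    """
    h = file_hashes(data)
    if match_ioc(h, iocs) is not None:
        verdict = reputation.get(h["md5"]) or reputation.get(h["sha256"])
        return "quarantine" if verdict == "malicious" else "monitor"
    if filename.lower() in ABUSABLE_LEGIT:
        return "restrict"
    return "allow"
```

The point of carrying both digests is practical: a feed that gives only MD5 (as this one does) can be matched, but anything you record yourself should add SHA-256, since MD5 collisions are cheap to produce and two different files can share an MD5.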
