

Jan De Clercq

Jan De Clercq is a member of HP’s Technology Consulting IT Assurance Portfolio team. He focuses on cloud security, identity and access management, architecture for Microsoft-rooted IT infrastructures, and the security of Microsoft products. He's the author of Windows Server 2003 Security Infrastructures (Digital Press) and co-author of Microsoft Windows Security Fundamentals (Digital Press).

Email: jan.declercq@hp.com




Author Articles

Q: Can I store my Encrypting File System (EFS) private key on my smart card?

By Jan De Clercq, 01/31/2012

With Windows Server 2008, Windows Vista, and later, you can store EFS private keys on users' smart cards and control these settings with Group Policy.

Q: How can I disable or enable the Windows Firewall for a specific network connection?

By Jan De Clercq, 01/30/2012

You can control specific network connections through the Microsoft Management Console (MMC) Windows Firewall with Advanced Security snap-in.

Q: Can we disable the default Windows administrative shares (C$, D$, Admin$, IPC$) to lock down some of our Windows servers?

By Jan De Clercq, 01/29/2012

You can remove the administrative shares on Windows servers and prevent them from being created automatically, although Microsoft doesn't recommend it.

Q: How can I find out if my clients are using NTLM for authentication instead of Kerberos against specific Windows servers, applications, or services?

By Jan De Clercq, 01/27/2012

These new Group Policy settings can help you audit, analyze, and restrict NTLM authentication use in your Windows environment.

Q: What are some simple tips for testing and troubleshooting Windows event forwarding and collection?

By Jan De Clercq, 12/28/2011

Use the Eventcreate utility and other command-line resources to verify that Windows event forwarding and collection is configured correctly.

Q: With Windows event forwarding and collection, how can we limit the processing impact on source and collector computers?

By Jan De Clercq, 12/23/2011

Limit Windows event collection and forwarding processing impact by turning off pre-rendering of events on source computers and by setting the max number of events sent from a ...

Q: What Windows platforms support Windows event forwarding and collection?

By Jan De Clercq, 12/21/2011

Windows event forwarding and collection was introduced with the Windows Eventing 6.0 code in Windows Vista and Windows Server 2008, but other Windows OSs can serve as event ...

How-To: Use LDAP Over SSL to Lock Down AD Traffic

By Jan De Clercq, 12/12/2011

LDAPS—or LDAP over SSL—establishes an encrypted tunnel between an LDAP client and a Windows domain controller. Learn how to set up LDAPS in a Windows Server 2008 Active Directory ...

Q: How can I apply a security baseline that I defined through Microsoft Security Compliance Manager to a non-domain-joined Windows machine?

By Jan De Clercq, 11/30/2011

Security Compliance Manager 2 includes a tool called LocalGPO that helps you apply security baselines to non-domain-joined computers.

Q: How does the Microsoft Security Compliance Manager compare to other Microsoft security management tools?

By Jan De Clercq, 11/23/2011

Microsoft Security Compliance Manager should become every security administrator's preferred security management tool for Windows clients and servers, but there are other tools ...

Q: What tool would you recommend for creating and maintaining security baseline configurations for the different types of Windows machines in our Active Directory (AD) forest?

By Jan De Clercq, 11/22/2011

Microsoft Security Compliance Manager 2 (SCM 2) is a free tool for creating and maintaining security baselines for Windows OSs, Internet Explorer, and Microsoft Office programs in ...

Q: What do I need to watch out for in managing the RID pool used in an AD domain? Or is this all done auto-magically?

By Jan De Clercq, 10/26/2011

The RID pool on each domain is assigned by the RID master, but you can adjust the default size of the RID pool and keep track of how many RIDs have been issued.

Q: What's the easiest way to find out the SID and RID that are linked to my account?

By Jan De Clercq, 10/21/2011

Use the Whoami command to get the security ID (SID) and Relative ID (RID) of the account used to log on to Windows.

Q: What are the exact roles of a Windows account's SID, and more specifically its RID, for Windows security?

By Jan De Clercq, 10/21/2011

Windows security-related processes use security IDs (SIDs) to uniquely identify security principals. The Relative ID (RID) uniquely identifies a security principal relative to the ...

Active Directory Rights Management Services Secure Collaboration

By Jan De Clercq, 10/14/2011

Microsoft Windows Rights Management Services (RMS) provides four options for exchanging RMS-protected documents between organizations. Learn how to use AD RMS for secure ...

Q: Where can I find detailed information about the Certificate Services–related events that can be logged in Windows event logs?

By Jan De Clercq, 09/28/2011

Check out these resources for information about Certificate Services.

Q: To limit the attack surface of my Windows Certification Authority (CA), can I install it on a Windows Server Core platform?

By Jan De Clercq, 09/28/2011

Windows Server 2008 R2 permits installation of a Windows Certification Authority (CA) on Server Core.

Q: How can I back up my Windows Certification Authority (CA) to protect it and its configuration data from accidental loss due to hardware or storage media failure?

By Jan De Clercq, 09/26/2011

You can use either a system state backup or a manual backup to protect your Windows Certification Authority (CA) and its configuration data.

Q: Why does Kerberos smart card login require public key certificates, private keys, and a Certification Authority (CA)?

By Jan De Clercq, 08/31/2011

Smart card login is based on the PKINIT protocol trust model where both users and the domain controller must trust the same Certification Authority.