Old posts

IIS HTTPS Security

Posted by on December 3, 2015 | No comments

Recently I’ve been looking at the security of the internet facing systems at work. It’s amazing how many bits of software by default still ship with massively insecure settings.

One of my main focusses has been IIS, and as such the related software we use that is built on top of IIS – Forefront UAG and Forefront TMG.

There is a fantastic website from Qualys that will scan an HTTPS server, check the certificate and all the various options around ciphers in use and what capabilities are/aren’t available and then give you a score based on current best practices. This is also updated quickly and takes into account things like the Poodle vulnerability.

You can visit their SSLLabs site to check the current status of this site, or check your own.

There are a number of articles on the web (and on SSLLabs above) dealing with disabling SSLv2 and SSLv3, which is great but isn’t actually sufficient, and remembering to set all of these things is quite tedious.

I was pleasantly surprised to discover a fantastic powershell script that sets all of the required registry entries for Windows servers to allow you to score an A rating.

It’s important to point out that all of the latest and greatest security options for HTTPS will actually break backwards compatability with some earlier Android handsets, and (shock!) Internet Explorer 6… I’m not going to cover off any changes required if this is important to you, because it shouldn’t be.

Anyway, hass.de has a fantastic script to fix your Windows server schannel security settings. A reboot is required to take effect.

You can read about their options and download the scripts to get your Windows servers an A rating from https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12. They also cover the option you can change if you want to get an A+!

Tags: , , , , , ,

Upgrading Office from 2010 to 2013 using SCCM

Posted by on January 2, 2015 | 4 comments

New year – new drive to try and keep updating my blog…

I’ve recently been exploring the challenges in our environment around upgrading from Office 2010 to Office 2013 using System Center Configuration Manager and thought it would make a good blog post.

I’m NOT going to cover creating a 2013 package/application for SCCM deployment as this has been done extensively elsewhere.

What I am going to cover is the install script for Office 2013 taking into account some of the specific environmental issues I face.

We have over 100 sites spread all over the global. The majority of these are small (<10 machines), with no onsite servers, connected via VSAT and so suffer from low bandwidth and high latency connectivity. As such, the prospect of re-copying my Office 2010 install package AND my Office 2013 package was not attractive. Especially as once all of the updates, SP1 and language packages had been included in the base install it exceeded 5Gb in size…
» Read the full post

Tags: , , , , ,

Medieval times

Posted by on September 4, 2014 | No comments

Hola.

So I’ve not added any new articles in “a while”… I went off to work for a consultancy for a bit and I did play with some cool stuff there (some of which I plan on sharing), but it sort of felt like I was giving away trade secrets… so I stopped updating… and just fell out of the habit.

I’ve got some funky SCCM and Lync stuff in my archives that I plan on sharing, so stay tuned! Or subscribed! Or however you currently get updates from my blog…

In the meantime… sound not required, but it’s probably better with sound, even if you don’t understand the language.

Drupal HTTPS images

Posted by on March 2, 2011 | No comments

I was involved with a project for a while which was using Drupal as the CMS. The entire site was being served over HTTPS, which was quite annoying as a large pile of the images that were being posted were being served over HTTP from their respective webservers. Naturally, this resulted in everyone getting very annoyed at their browser warning about loading unsecured content on a secure page.

So, I came up with this module. I’ve been meaning to release it for ages, but as I need to clear down the server it was running on it’s made me take the five minutes to write this post. Still needs a bit of work, but does what it says on the tin.

It identifies non-local images in content, downloads them and serves them from a local cache.

Download the module here: img_proxy.tar.gz

If you use Drupal, you should already know the drill – extract the file to your modules directory and enable it in the modules page. The module is implemented as an input filter, so you will then have to add it to the appropriate input formats at http://your.site.com/admin/settings/filters

Notes

  • Licenced under the GPL version 2.
  • *** There is nothing in the code that verifies the file being proxied is an image!! *** (that’ll be in the next version!)
  • May not work with sites that check the referer of the request for images.
  • I’ve been meaning to release this for ages, but there is sill a lot of debug code thats just commented out.

Hopefully I’m not the only webmaster that ever had this issue and somebody will find this handy.

Maybe one day I’ll tidy up the code and submit it to the Drupal Module repository!

Enjoy.

Tags: , , , , ,

SCE2007 Failed to install agent

Posted by on July 6, 2010 | 3 comments

I’ve been doing more and more work with the System Center product suite of late, and suffice to say I have some big loves and some big hates about the whole thing.

My recent hate is System Center Essentials 2007. Thankfully, I actually quite like Essentials 2010.

Anyway, while installing the SCE2007 agent the other day, I encountered an odd error message while trying both a push install and a local install of the agent.

Error 25211.Failed to install performance counters.. Error Code: -2147023886 (The configuration registry key is invalid.).

Sadly, there’s not a lot on the web in relation to this error. The only pointer that might have helped was this technet article: How to manually rebuild Performance Counter Library values.

This starts out pretty nasty, involving copying files from your install media and hacking about in the registry, which Microsoft always massively caveats. The one item of help on the page was the command:

lodctr /R

According to the help, this will rebuild the perf registry strings and info from scratch based on the current registry settings and backup INI files. And accorting to the KB article: “/R is uppercase. You must have administrative rights on the computer to successfully perform this command.”

That did the trick for me and completely avoided all the nasty work of actually finding the install media for this server 🙂

I’ve included below a larger chunk of the installation error log below which will hopefully help people find this page via searches.
» Read the full post

Tags: , , ,

Powered by Wordpress and Stripes Theme Entries (RSS) | Comments (RSS)