Posted by Fizzgig
on December 3, 2015 | No comments
Recently I’ve been looking at the security of the internet facing systems at work. It’s amazing how many bits of software by default still ship with massively insecure settings.
One of my main focuses has been IIS, and with it the related software we use that is built on top of IIS: Forefront UAG and Forefront TMG.
There is a fantastic website from Qualys that will scan an HTTPS server, check the certificate and all the various options around the ciphers in use and which protocol features are and aren't available, and then give you a score based on current best practices. It is also updated quickly and takes into account things like the POODLE vulnerability.
You can visit their SSLLabs site to check the current status of this site, or check your own.
There are a number of articles on the web (and on SSL Labs above) dealing with disabling SSLv2 and SSLv3, which is a good start but isn't actually sufficient on its own: the weak ciphers (RC4, DES, export-grade and NULL) and the cipher suite order need attention too, and remembering to set all of these things by hand is quite tedious.
I was pleasantly surprised to discover a fantastic PowerShell script that sets all of the required registry entries for Windows servers to get you an A rating.
It's important to point out that all of the latest and greatest security options for HTTPS will actually break backwards compatibility with some earlier Android handsets and (shock!) Internet Explorer 6. I'm not going to cover off any changes required if this is important to you, because it shouldn't be.
Anyway, hass.de has a fantastic script to fix your Windows server's SChannel security settings. A reboot is required for the changes to take effect.
You can read about their options and download the scripts to get your Windows servers an A rating from https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12. They also cover the one extra option (HTTP Strict Transport Security) you can set if you want to get an A+!
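As an added example (this is not the hass.de script and not code from the post), the following PowerShell sets the SChannel registry entries that SSL Labs grades on: enabling and disabling protocols, enabling and disabling individual ciphers, and the cipher suite order, and then reports the resulting per-protocol state. It assumes a Windows Server 2008 R2 to 2012 R2 era server; the cipher suite list is an illustrative forward-secrecy-first ordering (the `_P256` suffixed names are the form those Windows versions use), not a recommendation for every environment.

```powershell
# Added example (not the hass.de script): set the SChannel registry entries that
# SSL Labs grades on. Run from an elevated PowerShell; reboot afterwards.
# Assumptions: Windows Server 2008 R2 - 2012 R2 era; the cipher suite order below
# is an illustrative forward-secrecy-first list, not a universal recommendation.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols: each has Server and Client subkeys holding Enabled / DisabledByDefault.
function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = "$schannel\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Ciphers: key names such as 'RC4 128/128' contain '/', which the PowerShell
# registry provider treats as a path separator, so go through the .NET API.
function Set-SchannelCipher {
    param([string]$Name, [bool]$Enabled)
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    $key = $ciphers.CreateSubKey($Name)
    $value = if ($Enabled) { -1 } else { 0 }     # -1 is stored as DWORD 0xffffffff
    $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $ciphers.Close()
}

# Cipher suite order: the same policy value the Group Policy setting writes.
function Set-CipherSuiteOrder {
    param([string[]]$Suites)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Functions' -PropertyType String `
        -Value ($Suites -join ',') -Force | Out-Null
}

# Report what is configured for the server side of each protocol.
function Get-SchannelProtocolState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $props = Get-ItemProperty -Path "$schannel\Protocols\$p\Server" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
            DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
        }
    }
}

# --- apply ---
# SSLv2 and SSLv3 off (POODLE lives in SSLv3); TLS 1.0-1.2 on.
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }

# Weak ciphers off, AES on (3DES is left at the OS default for old-client compatibility).
'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128' |
    ForEach-Object { Set-SchannelCipher -Name $_ -Enabled $false }
'AES 128/128', 'AES 256/256' | ForEach-Object { Set-SchannelCipher -Name $_ -Enabled $true }

# Forward-secrecy (ECDHE) suites first, then plain RSA AES suites as a fallback.
Set-CipherSuiteOrder -Suites @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
)

Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host 'Reboot required for SChannel changes to take effect.'
```

Run it from an elevated PowerShell, reboot, then re-run the SSL Labs scan against the server to confirm the grade. Anything not in the `Functions` list is never negotiated, so the cipher suite order is the setting that actually delivers forward secrecy; the per-cipher `Enabled` flags are belt and braces for suites that might be added later.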
Posted by Fizzgig
on January 21, 2009 | 5 comments
Well, its been a while, but I thought I’d share this little snippet.
There's a big hoo-ha going round at the minute about a number of viruses that are exploiting autorun.inf to spread.
You can read all the gory details over at CERT: "Microsoft Windows Does Not Disable AutoRun Properly".
Essentially, the recommended fix is to set a registry key (an IniFileMapping entry for Autorun.inf). I did read somewhere that this makes Windows handle the file as a Win95 .ini file, but sadly I can't find the blog/article where I read that any more.
Approaching this as a sysadmin and wanting to undertake minimal effort to resolve this issue, I've created a Group Policy ADM file to apply it to all the machines in an Active Directory domain. I've copied the contents below and attached the file to this post.
To use it:
- Create a new group policy object in your AD
- Edit it, right click on the Administrative Templates folder and remove all the default ones listed and add the one below.
- Right click on the Administrative Templates folder and change the view filtering to not hide settings that can’t be fully managed
- Group Policy Editor will now display the setting to disable autorun, which will set the appropriate registry key
ADM files are just text. You can either download the one below or copy and paste this (watch for the line wrap on the last line!):
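For machines that are not domain-joined, or to check that the policy above actually landed, here is an added example (not the ADM template from the post) that applies the CERT-recommended Autorun.inf registry mapping directly from PowerShell and then verifies it. It assumes an elevated PowerShell session; the `NoDriveTypeAutoRun` value is added as defence in depth and is not part of the post's fix.

```powershell
# Added example, not the ADM template from the post: apply the CERT-recommended
# Autorun.inf fix directly and verify it. Run from an elevated PowerShell.
# The IniFileMapping entry makes Windows look up Autorun.inf settings in a
# registry path that does not exist, so the file's contents are never honoured.

$mappingKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutorunInf {
    New-Item -Path $mappingKey -Force | Out-Null
    # The (default) value of the key redirects every Autorun.inf lookup to a
    # non-existent registry location.
    Set-ItemProperty -Path $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'

    # Defence in depth (assumed extra, not the post's fix): 0xFF disables AutoRun
    # on every drive type. CERT's point was that this value alone was not enough
    # on unpatched systems, so keep the mapping above as the primary control.
    New-Item -Path $explorerPolicy -Force | Out-Null
    New-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

function Test-AutorunInfDisabled {
    $mapping = (Get-ItemProperty -Path $mappingKey -ErrorAction SilentlyContinue).'(default)'
    $noDrive = (Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        IniFileMapping     = $mapping
        MappingOk          = ($mapping -eq '@SYS:DoesNotExist')
        NoDriveTypeAutoRun = $noDrive
        NoDriveOk          = ($noDrive -eq 0xFF)
    }
}

Disable-AutorunInf
Test-AutorunInfDisabled | Format-List
```

`Test-AutorunInfDisabled` is the check worth keeping on its own: run it after a Group Policy refresh (`gpupdate /force`) on a domain member to confirm the ADM-delivered setting wrote the same value.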
Posted by Fizzgig
on February 11, 2008 | No comments
I’ve just started using a new (free) service called OpenDNS – http://www.opendns.com – at home and I’ve also set it up at work.
You need to know very little about How The Web Works™ to know that this can be a good thing.
DNS is where your computer takes a name like www.livejournal.com and turns it into an IP address, the number that is used to route your computer to the right web server.
OpenDNS doesn't just give you the correct address for a website. It maintains a list of phishing websites and redirects these to a safe page warning you about the site you were about to visit.
Of additional interest to me for its use at my work (and to parents whose kids have access to the Internet) is that they don't just categorise phishing websites: they also have categories of adult and mature sites you can bar if you want (once you've signed up).
Took me a few minutes to set up (a little extra poking required at work, naturally). Very unobtrusive: no software to install, just a couple of settings to change, and they have lots of help pages on how to do that.