Tag: sysadmin

IIS HTTPS Security

Posted by on December 3, 2015 | No comments

Recently I’ve been looking at the security of the internet facing systems at work. It’s amazing how many bits of software by default still ship with massively insecure settings.

One of my main focuses has been IIS, and with it the related software we use that is built on top of IIS: Forefront UAG and Forefront TMG.

There is a fantastic website from Qualys, SSL Labs, that will scan an HTTPS server, check the certificate and all the various options around the protocols and ciphers in use and which capabilities are and aren't available, and then give you a score based on current best practice. It is also updated quickly and takes into account things like the POODLE vulnerability.

You can visit their SSLLabs site to check the current status of this site, or check your own.

There are a number of articles on the web (and on SSL Labs above) dealing with disabling SSLv2 and SSLv3, which is great but isn't actually sufficient on its own: weak ciphers such as RC4, missing TLS 1.2 support and a cipher suite order that offers no forward secrecy all cost you marks too, and remembering to set all of these things by hand is quite tedious.

I was pleasantly surprised to discover a fantastic PowerShell script that sets all of the required registry entries for a Windows server to allow you to score an A rating.

It's important to point out that turning on all of the latest and greatest security options for HTTPS (in particular dropping TLS 1.0 and the older cipher suites) will actually break backwards compatibility with some earlier Android handsets, and (shock!) Internet Explorer 6. I'm not going to cover off any changes required if this is important to you, because it shouldn't be.

Anyway, hass.de has a fantastic script to fix your Windows server Schannel security settings. A reboot is required for the changes to take effect.

You can read about their options and download the scripts to get your Windows servers an A rating from https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12. They also cover the one extra setting (the HTTP Strict Transport Security response header) you can add if you want to get an A+!
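As an added example (not the hass.de script and not code from this post), here is a PowerShell script in the same spirit that first audits and then writes the three groups of Schannel settings SSL Labs marks you down for: the per-protocol Server keys, the weak cipher keys, and the cipher suite order. The protocol set, the cipher list and the suite names are my assumptions and are flagged in the comments; the suite names are in the Windows Server 2012 R2 form, and the Client subkeys are deliberately left alone because they govern outbound connections, such as TMG or UAG talking to its back-end servers.

```powershell
# Added example: audit and harden Schannel on a Windows/IIS server.
# This is not the hass.de script. Run from an elevated PowerShell prompt on
# the server; a reboot is required before Schannel picks up the new values.

$protocolsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ciphersPath   = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$suiteOrderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Desired state of the *server* side of each protocol. The 'Client' subkeys
# govern outbound connections (TMG/UAG to back-end servers, WinHTTP, .NET)
# and are deliberately not touched here.
$desiredProtocols = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false   # POODLE
    'TLS 1.0' = $false   # assumption: no clients that still need it
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

# RC4, single DES and NULL ciphers cost marks regardless of protocol.
$weakCiphers = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'NULL')

# ECDHE first for forward secrecy, AES-GCM before CBC. Assumption: suite names
# in the Windows Server 2012 R2 form; on 2008 R2 the ECDHE suites need a curve
# suffix such as _P256 and the GCM suites are not available.
$cipherSuiteOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

function Get-SchannelServerState {
    # One row per protocol: current registry values ($null = OS default) vs wanted.
    foreach ($proto in $desiredProtocols.Keys) {
        $key = Join-Path $protocolsKey "$proto\Server"
        $enabled = $null; $byDefault = $null
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            $enabled   = $p.Enabled
            $byDefault = $p.DisabledByDefault
        }
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = $enabled
            DisabledByDefault = $byDefault
            Wanted            = $desiredProtocols[$proto]
        }
    }
}

function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enable)
    $key = Join-Path $protocolsKey "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=1 switches the protocol on; DisabledByDefault=1 stops Schannel
    # offering it unless an application asks for it explicitly. Set both.
    Set-ItemProperty -Path $key -Name Enabled           -Value ([int]$Enable)        -Type DWord
    Set-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enable)) -Type DWord
}

function Disable-WeakCiphers {
    # Cipher key names contain '/', which the registry provider would treat as
    # a path separator, so create them through the .NET registry API instead.
    $root = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($cipher in $weakCiphers) {
        $k = $root.CreateSubKey("$ciphersPath\$cipher")
        $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $k.Close()
    }
}

function Set-CipherSuiteOrder {
    # Same value the "SSL Cipher Suite Order" Group Policy writes: one
    # comma-separated REG_SZ, limited to 1023 characters.
    $functions = $cipherSuiteOrder -join ','
    if ($functions.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character limit' }
    if (-not (Test-Path $suiteOrderKey)) { New-Item -Path $suiteOrderKey -Force | Out-Null }
    Set-ItemProperty -Path $suiteOrderKey -Name Functions -Value $functions -Type String
}

Write-Host 'Before:'; Get-SchannelServerState | Format-Table -AutoSize
foreach ($proto in $desiredProtocols.Keys) {
    Set-SchannelServerProtocol -Protocol $proto -Enable $desiredProtocols[$proto]
}
Disable-WeakCiphers
Set-CipherSuiteOrder
Write-Host 'After:';  Get-SchannelServerState | Format-Table -AutoSize
Write-Host 'Schannel settings written. Reboot, then re-run the SSL Labs test.'
```

Run the audit half on its own first and check what the box actually serves. Everything that terminates TLS through Schannel on that server is affected, not just IIS, so dropping TLS 1.0 can also take out other services (on older Windows releases that can include Remote Desktop) until they are updated.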


SCE2007 Failed to install agent

Posted by on July 6, 2010 | 3 comments

I’ve been doing more and more work with the System Center product suite of late, and suffice to say I have some big loves and some big hates about the whole thing.

My recent hate is System Center Essentials 2007. Thankfully, I actually quite like Essentials 2010.

Anyway, while installing the SCE2007 agent the other day, I encountered an odd error message when trying both a push install and a local install of the agent.

Error 25211.Failed to install performance counters.. Error Code: -2147023886 (The configuration registry key is invalid.).

Sadly, there's not a lot on the web in relation to this error. The only pointer that might have helped was this TechNet article: How to manually rebuild Performance Counter Library values.

This starts out pretty nasty, involving copying files from your install media and hacking about in the registry, which Microsoft always wraps in massive caveats. The one item of help on the page was the command:

lodctr /R

According to the command's help, this will rebuild the perf registry strings and info from scratch based on the current registry settings and backup INI files. And according to the KB article: "/R is uppercase. You must have administrative rights on the computer to successfully perform this command."

That did the trick for me and completely avoided all the nasty work of actually finding the install media for this server 🙂
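As an added example (not from the original post), here is a PowerShell wrapper around the same fix that does what I would want before running a rebuild on a production server: save the current counter registry so it can be restored, sanity-check the Perflib key for the classic corruption symptom, run the rebuild, and verify that counters are readable again. The consistency check is an assumption on my part about one known failure mode (index values that outrun "Last Counter"), not the only way the library can be broken.

```powershell
# Added example (not from the original post): take a backup before
# "lodctr /R", sanity-check the Perflib registry, rebuild, then verify.
# Run from an elevated 64-bit PowerShell prompt.

$perflibKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'

function Get-PerflibConsistency {
    # 'Counter' and 'Help' under the 009 (English) subkey are REG_MULTI_SZ lists
    # that alternate index, text, index, text... 'Last Counter' and 'Last Help'
    # on the parent key should not be smaller than the highest index present;
    # when they are, the library is corrupt and installers that register new
    # counters (such as the SCE agent) fail.
    $parent  = Get-ItemProperty -Path $perflibKey
    $english = Get-ItemProperty -Path (Join-Path $perflibKey '009')
    $maxIndex = {
        param($list)
        ($list | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ } |
            Measure-Object -Maximum).Maximum
    }
    $maxCounter = & $maxIndex $english.Counter
    $maxHelp    = & $maxIndex $english.Help
    [pscustomobject]@{
        LastCounter     = $parent.'Last Counter'
        MaxCounterIndex = $maxCounter
        LastHelp        = $parent.'Last Help'
        MaxHelpIndex    = $maxHelp
        Consistent      = ($parent.'Last Counter' -ge $maxCounter) -and
                          ($parent.'Last Help'    -ge $maxHelp)
    }
}

function Backup-PerfCounterRegistry {
    param([string]$Path = "$env:TEMP\perfcounters-$(Get-Date -Format yyyyMMdd-HHmmss).ini")
    # lodctr /S:<file> saves the current counter settings; lodctr /R:<file>
    # puts them back if the rebuild leaves things worse than it found them.
    & "$env:SystemRoot\System32\lodctr.exe" "/S:$Path"
    if ($LASTEXITCODE -ne 0) { throw "lodctr /S failed with exit code $LASTEXITCODE" }
    $Path
}

function Invoke-PerfCounterRebuild {
    # /R (uppercase, no file name) rebuilds the counter strings from the
    # per-service backup INI files. On 64-bit Windows the usual advice is to
    # run both copies so the 32-bit counter view is rebuilt as well.
    foreach ($exe in @("$env:SystemRoot\System32\lodctr.exe",
                       "$env:SystemRoot\SysWOW64\lodctr.exe")) {
        if (Test-Path $exe) {
            & $exe /R
            if ($LASTEXITCODE -ne 0) { Write-Warning "$exe /R returned exit code $LASTEXITCODE" }
        }
    }
    # Resync WMI's copy of the performance library so WMI-based monitoring
    # (which System Center agents rely on) sees the rebuilt counters.
    & "$env:SystemRoot\System32\winmgmt.exe" /resyncperf
}

function Test-PerfCounters {
    # Cheap smoke test: a counter every Windows box has must be readable again.
    try {
        $sample = Get-Counter -Counter '\Processor(_Total)\% Processor Time' -ErrorAction Stop
        $null -ne $sample.CounterSamples[0].CookedValue
    } catch { $false }
}

'Before rebuild:'; Get-PerflibConsistency | Format-List
$backup = Backup-PerfCounterRegistry
"Backup written to $backup (restore with: lodctr /R:$backup)"
Invoke-PerfCounterRebuild
'After rebuild:';  Get-PerflibConsistency | Format-List
"Counters readable: $(Test-PerfCounters)"
```

If the "after" check still shows an inconsistency, that is the point to fall back to the manual TechNet procedure rather than re-running the rebuild; the saved INI file is there so the registry can be put back first.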

I've included a larger chunk of the installation error log below, which will hopefully help people find this page via searches.


EU Browser choice debacle

Posted by on March 13, 2010 | No comments

There's been quite a bit of chatter about this update, which Microsoft has now released.

My personal opinion is Microsoft shouldn’t have been forced to release this. If you FORCE a choice for a web browser, you should also force a choice for every single application that comes with Windows.

Additionally, I fail to see why people should be forced to pick from a number of free products. Perhaps a better option would be for Microsoft to allow third parties to produce branded versions of Windows and then users can make their initial choices at the point of purchase.

This, of course, assumes a level of knowledge of the end users so questions like “where have all my favourites gone?” don’t happen…

Anyway, this was supposed to be a vaguely technical post and not a rant.

So, as a systems administrator, how do you block this update?

If you are using an internal update server such as WSUS or SCCM (which I love), then you have the simple option of not approving the update for release.

Otherwise, Microsoft has released a KB article showing a simple registry key that can be set to prevent the Browser Choice screen from running: KB2019411.

So, as a sysadmin, how do you implement this?

Well, you can roll a custom Group Policy to set this as a preference on your client machines. I've written some GPOs before, but in this case I'll simply direct you to this blog post by Christoffer Steding, where you can download his version.

However, in my opinion, a much more graceful Group Policy to set is a software restriction policy. This has been documented by The Angry Technician.


Exchange Guid converter tool

Posted by on September 18, 2007 | 108 comments

In response to the number of comments I've had (which are way, way more than I was ever expecting!) on my Exchange Mailbox Recovery article, I've written a script to convert your GUIDs from the bad format that ExMerge gives you to the one that's required for updating the user account.

You can access it here. Please leave any feedback on this post.
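As an added example (not the PHP tool linked above, and not code from this post), here is the same conversion done in PowerShell for people who would rather not paste GUIDs into a web page. The page does not say exactly which two formats the tool handles, so this assumes the usual pair in an Exchange 2003 mailbox recovery: the {8-4-4-4-12} text form of the mailbox GUID on one side, and on the other the space-separated hex bytes that ADSI Edit's octet-string editor expects for msExchMailboxGuid, where the first three groups appear byte-reversed because Active Directory stores them little-endian. The distinguished name in Set-MailboxGuid is a placeholder and the sample GUID is constructed.

```powershell
# Added example (not the original PHP tool): convert a mailbox GUID between
# its usual string form and the byte order Active Directory stores in the
# msExchMailboxGuid octet string, in both directions.
# Assumption: the two formats involved are the {8-4-4-4-12} text form and the
# space-separated hex bytes that ADSI Edit's octet-string editor expects.

function ConvertTo-AdOctetHex {
    param([Parameter(Mandatory)][guid]$Guid)
    # .ToByteArray() emits the first three groups little-endian, which is the
    # layout AD stores, hence the apparent "reversal" of the leading bytes.
    ($Guid.ToByteArray() | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function ConvertFrom-AdOctetHex {
    param([Parameter(Mandatory)][string]$Hex)
    # Accepts "D4 C3 B2 A1 ..." or "D4C3B2A1..." as copied from ADSI Edit.
    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -ne 32) { throw "Expected 16 bytes (32 hex digits), got $($clean.Length) digits" }
    $bytes = New-Object byte[] 16
    for ($i = 0; $i -lt 16; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Set-MailboxGuid {
    # Writes the GUID onto a user via ADSI. The DN is a placeholder; check the
    # value in ADSI Edit before writing, because a wrong msExchMailboxGuid
    # leaves the mailbox orphaned from the account.
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][guid]$Guid)
    $user = [ADSI]"LDAP://$DistinguishedName"
    $user.Put('msExchMailboxGuid', $Guid.ToByteArray())
    $user.SetInfo()
}

# Constructed sample GUID, not a real mailbox.
$sample = [guid]'a1b2c3d4-e5f6-0718-293a-4b5c6d7e8f90'
$hex = ConvertTo-AdOctetHex -Guid $sample
"$sample  ->  $hex"    # D4 C3 B2 A1 F6 E5 18 07 29 3A 4B 5C 6D 7E 8F 90
$back = ConvertFrom-AdOctetHex -Hex $hex
"round trip ok: $($back -eq $sample)"
# Set-MailboxGuid -DistinguishedName 'CN=Some User,OU=Users,DC=example,DC=local' -Guid $sample
```

The round trip is the useful check: if a GUID you were given converts to hex and back to something different, you were handed the bytes in the wrong order in the first place.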


Exchange 2003 Mailbox Recovery

Posted by on September 1, 2006 | 132 comments

Today I recovered a single mailbox from backup tapes on an Exchange 2003 server. The user had been deleted from Active Directory. The mailbox had passed the retention time on the server and been purged from the Exchange database.

I found very minimal documentation on how to do this; it was so sketchy that I was almost afraid to try it.
We only have a single Exchange 2003 Standard server, and I believe it's a little bit simpler if you have Enterprise or more Exchange servers. So, for those of you in the same boat, here's how to do it.

