Archive for category Windows

Help me with my next PC purchase

Please!!  I’ve been using an old P4 1.6GHz and 512MB memory at home with Ubuntu loaded on it for some time now.  I can’t seem to ever come up with enough cash to purchase this myself so I thought I would give ChipIn a try.  It’s a new (I think) service that allows you to have a fund raiser of your own.  Check it out and try it for yourself.

I’m looking at one of the higher end HP or Dell’s running Vista Ultimate with a dual monitor setup for home.  I have dual monitors at work and it gets pretty hard to get all the work I want to get done at home when I only have a single 17″ flat panel.  Pretty low tech if you ask me.

For those of you who do donate, thank you very much.  I appreciate it.  For those of you who don’t, I won’t hold any grudges.


Dell Laptop offline file synchronization issues

Recently I had a client who purchased a new laptop from Dell.  It was a fairly straightforward setup, nothing out of the ordinary.  After we got the computer joined to the domain and the user’s profile set up, we started the file synchronization process for a number of directories that they needed to take offsite on a daily basis to be able to read/modify while out of the office and without internet connectivity.  They had been using Microsoft’s offline file feature.  Again, nothing out of the ordinary.

Well, this computer took up more than a few hours of my time as well as another associate of mine.  The computer no matter what we did would not synchronize files during the logon process even though the little checkbox was checked to do so.  As it turns out, Dell has some sort of security suite that they are deploying with all the laptops now with the name of WavXDocMgr.  This was the culprit of the synchronization issue.  We took this out of MSCONFIG as a startup process and the problem was solved.  As this was not the answer but rather a workaround, we have started talking with Dell but as of yet have not found a fix for the issue so I thought I would share.


Microsoft PowerShell – Searching for a command

I live in command line on Linux, Cisco, HP, and a number of other products but for some reason it feels UnAmerican to do it on Windows.  I’m coming around though.  With the implementation of Microsoft PowerShell on Windows you now have a great deal of power that you may or may not have had before.  For me, troubleshooting Exchange 2007 and AD, it is a blessing.  However, finding the command that you need to use to get the information you want is pretty hard.  I guess that’s why Microsoft created the “Get-Command” command for PowerShell.  It is basically a search function for PowerShell and will return a list of commands that you can run to get the information you need (per your search).

So let’s use the command to find more about our Exchange queues (Exchange 2007 Server).

Get-Command *queue*

Which will return a list of commands that you can run from PowerShell like Get-Queue, Retry-Queue, and Suspend-Queue.

Now let’s try something to do with Active Directory.  Try this command.

Get-Command *User*

It’ll return a boatload of commands but you can see a few that might be useful like New-ADUser and New-ADGroup.

Hopefully this will shine some light on the still fairly new (feeling) command line power of Microsoft’s Operating Systems.


Disable SSLv2 for Windows Server 2003

This is a follow-on from my last post about weak SSL ciphers, as the two kind of go hand in hand.  SSLv3 offers a few security improvements over SSLv2 and is supported by the majority of new browsers.  What we will do in this post is disable the ability for a client to choose SSLv2 when connecting to your web server.  To accomplish this we will need to do the following.

Open regedit and find the key

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Now for SSL 2.0 you will want to create a new DWORD value named Enabled with a data value of 0 in Hex in both the Client and Server subkeys.  This will disable the ability for the server to use or allow the use of SSLv2 during the use of SSL.  You can also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Again with this one, Nessus will find the vulnerability fairly easily so there is almost no reason to have it running. Nessus’ vulnerability will be displayed as “Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.”

NOTE: This change may break clients/servers/applications so I take no responsibility for YOUR actions.


Windows / IIS SSL – Restrict Weak Ciphers

I have been on a little bit of a security kick lately with my time at work thwarting SQL injection attempts, securing web servers, firewall administration and so much more and have been doing some pretty repetitive tasks so I thought I’d put them up here to help me remember how to do these very important tasks.

This piece is on restricting the weak ciphers your web server will accept for SSL.  Nessus and some other security auditing tools will detect this one with ease so there’s really no good excuse not to lock it down.  Basically what we are going to do is remove the ability for web clients (IE, Firefox, Safari, Opera, etc.) to connect to the web server with anything but 128 bit or greater SSL encryption.  This just sounds like a good deal anyway if you ask me.

An example of a weak cipher is, like I mentioned above, anything less than 128 bit encryption.  There are about a dozen methods of encryption, from SSL_RSA_EXPORT1024_WITH_RC4_56_SHA to SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5.  Yes I know that sounds cryptic and it really is (pun intended).  So what we need to do is scan the host first.  You can use Tenable Nessus or your choice of scanning utility but we want to see what it comes up with.  Chances are if you were diligent during the setup of the server, you may not have to do this but if you’re the other 95% out there, then you will need to do the following.

Open "regedit" and find the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers.

This will have a number of other subkeys below it.  Next we will want to disable anything that has a number less than 128 in it.  For example, RC2 40/128 we will disable but RC2 128/128 we will not.  Clear as mud?  To disable the cipher, click on the subkey that you want to disable and create a new DWORD value named Enabled.  In the value data keep it 0 in Hex.  This will disable the cipher from being able to run.  You could also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

I would do this for RC2 40/128, RC4 40/128 and RC4 56/128.  I feel better already.  Hopefully you will too after you get this done on your website.

NOTE: This may break some clients/servers/applications so I take no responsibility for YOUR actions. :)
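
To check the result of this post and the SSLv2 post above without clicking through regedit, here is an added example (not part of the original posts) that audits a regedit export of the SCHANNEL key in Python.  It applies the rule as stated, so it flags every cipher subkey whose first number is below 128, plus the SSL 2.0 Client and Server subkeys, unless Enabled is 0.  The function names and the sample export are constructed for this example.

```python
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: int}}; only DWORD values are kept."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return findings; an empty list means SSL 2.0 and all sub-128-bit ciphers are disabled."""
    keys = {path.lower(): (path, vals) for path, vals in parse_reg(text).items()}
    findings = []
    for side in ("Client", "Server"):  # the SSLv2 post sets Enabled=0 in both subkeys
        _, vals = keys.get(f"{SCHANNEL}\\Protocols\\SSL 2.0\\{side}".lower(), ("", {}))
        if vals.get("enabled") != 0:
            findings.append(f"SSL 2.0 {side}: Enabled is not 0")
    prefix = f"{SCHANNEL}\\Ciphers\\".lower()
    for low in sorted(keys):
        path, vals = keys[low]
        # Cipher subkeys look like "RC2 40/128"; the first number is compared against 128.
        m = re.fullmatch(r".* (\d+)/\d+", path[len(prefix):]) if low.startswith(prefix) else None
        if m and int(m.group(1)) < 128 and vals.get("enabled") != 0:
            findings.append(f"{path[len(prefix):]}: Enabled is not 0")
    return findings

# Constructed sample export (not from a real server). A file written by regedit
# is UTF-16, so read it with open(path, encoding="utf-16") before calling audit().
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

A subkey with no Enabled value is reported because the registry change described in the post has not been made there; rerun the audit on a fresh export after importing the .reg file.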
