2.11.2006

Determine SSL ciphers running on your web server

SSL Digger - Nice free tool from Foundstone (a division of McAfee) for determining which SSL versions and encryption ciphers your web server supports. If you are running a crucial web server, you might want to turn off the weak ciphers and the weak SSL version (SSL2). The browser and server are supposed to negotiate the highest cipher and SSL version, but some ciphers have already been proven to be weak and vulnerable to cracking.

www.foundstone.com - It's kind of hard to navigate the site: click on resources, then on the left side, "free tools". You should see it under the "Foundstone S3i™ Tools".

Disable SSL2 and weak ciphers in IIS

How to disable SSL protocols and encryption ciphers in Microsoft IIS. For IIS (IIS6 and IIS5):
The ciphers and SSL protocols must be disabled via registry entries; thus a reboot is required after changing the settings. If I ever find some free time, I may create a GUI utility to easily enable/disable these cryptos.

See the following documents:

Description of the Secure Sockets Layer (SSL) Handshake - http://support.microsoft.com/kb/257591
TLS/SSL Tools and Settings - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/3f98fdd9-ed64-49f7-9c20-a2d4581dfbea.mspx
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services - http://support.microsoft.com/kb/187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll - http://support.microsoft.com/kb/245030/

The following are the registry entries I made to make one of my servers secure (Grade A by SSL Digger):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
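
To check an exported copy of these keys against the settings above, the following Python sketch (an added example, not part of the original post) parses a .reg export and reports, for each protocol and cipher the post turns off, whether it is off, still on, or not set at all. The SAMPLE export and the function names are constructed for illustration.

```python
import re
# Entries the post's settings turn off ("Enabled"=dword:00000000).
MUST_BE_OFF = ["Protocols\\" + p + "\\Server" for p in ("PCT 1.0", "SSL 2.0")]
MUST_BE_OFF += ["Ciphers\\" + c for c in (
    "DES 56/56", "NULL", "RC2 128/128", "RC2 40/128", "RC2 56/128",
    "RC4 40/128", "RC4 56/128", "RC4 64/128")]
ROOT = "\\securityproviders\\schannel\\"

def parse_reg(text):
    """Map each SCHANNEL subkey (lower-cased) to its Enabled dword, or None."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].lower()
            at = path.find(ROOT)
            key = path[at + len(ROOT):] if at >= 0 else None
            if key is not None:
                values.setdefault(key, None)  # key exists, value not seen yet
            continue
        m = re.fullmatch(r'"enabled"\s*=\s*dword:([0-9a-f]{8})', line, re.I)
        if m and key is not None:
            values[key] = int(m.group(1), 16)
    return values

def audit(text):
    """Return {entry: "off" | "ON" | "unset"}; unset means the OS default applies."""
    values = parse_reg(text)
    report = {}
    for entry in MUST_BE_OFF:
        v = values.get(entry.lower())
        report[entry] = "unset" if v is None else "off" if v == 0 else "ON"
    return report

# Constructed sample export (hypothetical server): SSL 2.0 still on, RC4 40/128 key empty.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"""
if __name__ == "__main__":
    for entry, state in audit(SAMPLE).items():
        print(f"{state:5}  {entry}")
```

regedit writes Version 5.00 exports as UTF-16, so decode the file with that encoding before passing its text to audit().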

Adding CPU / RAM to ES45 Alpha Server

1. Shut down, turn off and unplug power.
2. Insert hardware - see pages 129-140 of the ES45 manual: http://h18002.www1.hp.com/alphaserver/download/ek-es450-ug-b01.pdf
3. At the chevron prompt (>>>): show config | more    and    show memory
4. After boot:
  psrinfo -v  (processor info)
  vmstat -P  (physical memory info)
  dxsysinfo -dash  (X Windows display of CPU / memory activity)
5. If you receive a “too many users logged on already” message, you may have to add the License PAK codes that were shipped with the CPU. As root, run lmfsetup and enter the codes from the PAK. After you successfully enter the codes, it will ask to run an “lmf reset”; say yes and it will load the licenses into the kernel cache.

rDirectory - make AD web browsable

They've got a Free Community edition for those with small/limited needs, like creating an employee directory:

rDirectory: A Smart Choice for Your Evolving Directory Needs: "Simply put, rDirectory turns Active Directory into your enterprise-wide platform for securely publishing, accessing and maintaining information about virtually any directory-based corporate resource."

tail multiple log files in Win32 environments

Not just another tail command, but can match keywords, and can send mail notifications.
Tail for Win32 - Home Page

2.10.2006

Updating to Firefox 1.5 on Linux (Ubuntu)

These same instructions can be tweaked for other distros as well:
FirefoxNewVersion - Ubuntu Wiki

Linux Distribution Guide

http://distroguide.box.sk - Main Page - Distro Guide

Security Warning disabled

My company has a lot of sites in its trusted sites zone in order for users to download files from these sites. It kills me when I use my Windows XP SP2 machine and IE. I'd do a Google search and one of the results was a link to Microsoft. When I clicked the link, I'd get a Security Warning message: The current Web page is trying to open a site in your Trusted sites list. Do you want to allow this?

What was weird about it was that I had NO, not one, site listed in the trusted sites zone. I later found this was because of group policy. A few days later after group policy refreshed on my machine, the sites showed up in the trusted sites list.

To remove this warning, open the custom settings for the trusted sites zone and, under Miscellaneous, set "Web sites in less privileged web content zone can navigate into this zone" to Enable.
See: Security Warning appears when you try to navigate to a Trusted site from a webpage

Read AND Write NTFS volumes from Linux - Captive

The best solution to writing NTFS formatted volumes in Linux; it uses the native ntfs.sys driver and therefore is very safe:

Jan Kratochvil: Captive: The first free NTFS read/write filesystem for GNU/Linux: "Captive: The first free NTFS read/write filesystem for GNU/Linux"

2.09.2006

Packet capture tools

Open source and free packet sniffer/capture tools:
http://www.winpcap.org/ Also provides the WinDump tool, which is based on/ported from tcpdump. Reading the WinDump FAQ first, even before the manual, is essential.
And of course the big one: http://www.ethereal.com/

2.08.2006

Kerberos Token Size and logon problems

By default, your Kerberos ticket can't be bigger than 12000 bytes; a larger one will cause logon issues. This is typically caused by being a member of too many groups.

Microsoft Certified Professional Magazine Online Column: The Group that Broke the Camel's Back