TLS 1.0 is also obsolete ! This article tell you how to protect Windows Web Servers against vulnerabilities.

If your servers still support TLS 1.0 or older obsolete cryptographic protocols (SSL, PCT, …) for communication over the network , you should act asap!

Description:

SSL 3.0 and older protocols, now also TLS 1.0 are vulnerable to man-in-the-middle attacks, risking the integrity and authentication of data sent between a website and a browser. Disabling TLS 1.0 and older protocols support on your server is sufficient to mitigate this issue! These obsolete protocols should be Disabled before public deadline – June 30, 2018 for SSL/Early TLS Migration. Ups.. Yes , this date is gone already :\….and also Windows Servers 2016 by default support these protocols !!!

The deadline -June 30, 2018  it is not my invention. This deadline was scheduled by The PCI Security Standards Council which is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Probably after this date, this vulnerability could be reported to ICT teams by their local security team. – https://blog.pcisecuritystandards.org/4-things-to-know-about-pci-dss-in-2018

 

Technical Details:

Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) are no longer considered secure forms of encryption. It is critically important that organizations upgrade to a secure version of TLS – such as TLS v1.2 or higher – as soon as possible and disable any fallback to SSL/early TLS.
Many PCI DSS requirements require the use of ‘strong cryptography’ as defined in the PCI DSS glossary. After 30 June 2018 SSL/early TLS should not be used as a security control to meet any PCI DSS requirements attempting to demonstrate strong cryptography.

 

Default Windows Server 2012 R2, Server 2016 configuration is below:

Recommend configuration (change requires server restart):

Screenshots from tool – https://www.nartac.com/Products/IISCrypto
IISCrypto is very good alternative way how to set secure sonfiguration on your server, when you do not want to do it directly in Registry.

Microsoft sources about this topic:

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols

https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

GPMC Search Item – with “User Configuration” it does not work

 

Today I  opened GPMC on the Windows Server 2019 Preview and really after long time I tried to use Search Item in GPMC console. I was surprised that Search Item with User Configuration did not allow me to add any condition. Please check in the picture below. It is suprise that same behavior I can see on S2K12R2, Windows 10 and etc….so it is nothing new :(. I spent some time with searching on  internet than I found TechNet article about it.  – https://social.technet.microsoft.com/wiki/contents/articles/23169.the-value-drop-down-list-is-grayed-out-when-you-perform-search-for-group-policy-objects-in-gpmc.aspx

Because I did not find any advice except article above I believe that more articles about this bug (or what it is) could be useful.

All what is necessary to do is open REGEDIT , go to this path (go to the part of registry, where OS has Client Side Extension for GPO) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4D2F9B6F-1E52-4711-A382-6A8B1A003DE6}]

click on GPextension with number above and choose export ! Yes, we should backup this key, because it should be our first step before we do any change in registry.

 

When we have backup, right click on GPExtension {4D2F9B6F-1E52-4711-A382-6A8B1A003DE6} again and choose “Permissions….”  perform 3 steps describes in the pictures. Change owner to your account used for logon. After we change owner, full control “Access” should be visible for our new owner.

 

Now we have to change Default value of REG_SZ which is empty. We have to put there this string RemoteApp and Desktop Connections , lets check picture below

 

Now is necessary close GPMC and open this console again. Try to use Search Item and choose User Configuration, now it should be ok 🙂 . Tested and for me it is working 🙂 . Thanks

 

 

Jak zabránit obnově smazaných dat na disku – NTFS ?

Co třeba příklad, kdy mám na počítači nebo serveru nějaká data, která nechci aby čelt někdo jiný (server bude využívat cizí admin a já zde ukládal důvěrná data). Data na serveru smažu, ale to nikomu nezabrání aby byla data obnovena. Tedy dokud neprovedu alespon jedno přepsání na disku v místě, kde byla původní data zapsána.

K tomuto nám slouží integrovaný nástroj cipher.exe .  Tento nástroj je dostupný už od Windows Serveru 2003 :\, no já o něm teda fakt nevěděl :). Na tyhle věci jsem do nedávna používal specilizovaný nástroj třetí strany 🙂 .

cipher

 

C:\Users\svobodma>cipher /?

Displays or alters the encryption of directories [files] on NTFS partitions.

CIPHER [/E | /D | /C]
[/S:directory] [/B] [/H] [pathname […]]

CIPHER /K [/ECC:256|384|521]

CIPHER /R:filename [/SMARTCARD] [/ECC:256|384|521]

CIPHER /U [/N]

CIPHER /W:directory

CIPHER /X[:efsfile] [filename]

CIPHER /Y

CIPHER /ADDUSER [/CERTHASH:hash | /CERTFILE:filename | /USER:username]
[/S:directory] [/B] [/H] [pathname […]]

CIPHER /FLUSHCACHE [/SERVER:servername]

CIPHER /REMOVEUSER /CERTHASH:hash
[/S:directory] [/B] [/H] [pathname […]]

CIPHER /REKEY [pathname […]]

/B Abort if an error is encountered. By default, CIPHER continues
executing even if errors are encountered.
/C Displays information on the encrypted file.
/D Decrypts the specified files or directories.
/E Encrypts the specified files or directories. Directories will be
marked so that files added afterward will be encrypted. The
encrypted file could become decrypted when it is modified if the
parent directory is not encrypted. It is recommended that you
encrypt the file and the parent directory.
/H Displays files with the hidden or system attributes. These files
are omitted by default.
/K Creates a new certificate and key for use with EFS. If this
option is chosen, all the other options will be ignored.

Note: By default, /K creates a certificate and key that conform
to current group policy. If ECC is specified, a self-signed
certificate will be created with the supplied key size.

/N This option only works with /U. This will prevent keys being
updated. This is used to find all the encrypted files on the
local drives.
/R Generates an EFS recovery key and certificate, then writes them
to a .PFX file (containing certificate and private key) and a
.CER file (containing only the certificate). An administrator may
add the contents of the .CER to the EFS recovery policy to create
the recovery key for users, and import the .PFX to recover
individual files. If SMARTCARD is specified, then writes the
recovery key and certificate to a smart card. A .CER file is
generated (containing only the certificate). No .PFX file is
generated.

Note: By default, /R creates an 2048-bit RSA recovery key and
certificate. If ECC is specified, it must be followed by a
key size of 256, 384, or 521.

/S Performs the specified operation on the given directory and all
files and subdirectories within it.
/U Tries to touch all the encrypted files on local drives. This will
update user’s file encryption key or recovery keys to the current
ones if they are changed. This option does not work with other
options except /N.
/W Removes data from available unused disk space on the entire
volume. If this option is chosen, all other options are ignored.
The directory specified can be anywhere in a local volume. If it
is a mount point or points to a directory in another volume, the
data on that volume will be removed.
/X Backup EFS certificate and keys into file filename. If efsfile is
provided, the current user’s certificate(s) used to encrypt the
file will be backed up. Otherwise, the user’s current EFS
certificate and keys will be backed up.
/Y Displays your current EFS certificate thumbnail on the local PC.
/ADDUSER Adds a user to the specified encrypted file(s). If CERTHASH is
provided, cipher will search for a certificate with this SHA1
hash. If CERTFILE is provided, cipher will extract the
certificate from the file. If USER is provided, cipher will
try to locate the user’s certificate in Active Directory Domain
Services.
/FLUSHCACHE
Clears the calling user’s EFS key cache on the specified server.
If servername is not provided, cipher clears the user’s key cache
on the local machine.
/REKEY Updates the specified encrypted file(s) to use the configured
EFS current key.
/REMOVEUSER
Removes a user from the specified file(s). CERTHASH must be the
SHA1 hash of the certificate to remove.

directory A directory path.
filename A filename without extensions.
pathname Specifies a pattern, file or directory.
efsfile An encrypted file path.

Used without parameters, CIPHER displays the encryption state of the
current directory and any files it contains. You may use multiple directory
names and wildcards. You must put spaces between multiple parameters.

 

MS Exchange 2010 v DAG-u je choulostivý na změnu fyzických sektorů při replikaci transakčních logů v režimu “block mode”

images

Jestli máte MS Exchange 2010 server v DAG-u na více mašinách a neprovádíte pravidelné instalace firmware na diskové řadiče serverů, může se vám přihodit jedna nepříjemnost. Známá věc je, že pro možnost mít Mailbox servery v DAG-u je zapotřebí, aby všechny členské servery měli stejné označení pro jména, jednotky disků, kde budou uloženy DB a transakční logy. Také se to ale týká velikosti fyzických sektorů disků. Mimochodem tuto informaci najdete na oficiálním webu Microsoftu –  Exchange storage configuration options V default nastavení budete mít pravděpodobně velikost fyzických sektorů na 512B. V případě, že se vám poškodí řadič, nebo je zapotřebí vyměnit baterku na řadiči disků vám obvykle servisák spolu s komponentou provede i instalaci nejnovějšího firmware a tím vám v některém případě automaticky změní instalací velikost fyzických sektorů.

Obecně s tím nebude problém, protože dnešní operační systémy podporují tzv. Advanced format, odkaz na pěkný článek – advanced-format-prichazeji-pevne-disky-se-4k-sektor

Ovšem v případě, že máte MS Exchange 2010 SP1 a vyšší, replikace transakčních logů vám poběží ve výchozím nastavení v režimu “Block Mode”, tedy používání bufferů na všech Mailbox serverech v DAG-u. MS Exchange vám kontroluje velikost datových bloků a v případě nesouladu velikosti fyzických sektorů na pasivní kopii Db + Transakční log vám přestane zapisovat a aktualizovat data v pasivní kopii DB.  Jak toto vyřešit ? Provést aktualizaci na všech serverech a tedy v některých scénářích provést dost práce, u které se můžete i trochu zapotit :). Protože se může jednat částečně i o virtuální servery, připravil jsem malou ukázku otestování disků VHD a VHDX na již aktualizovaném diskovém řadiči (aktualizace provedla změnu velikosti fyzických sektorů z 512B na 4KB) Server Fujitsu Primergy RX300 S6

Tady to je: )

 

Physical Disks (Server Fujitsu Primergy RX300 S6)

 

PS C:\Users\administrator.VDI> fsutil fsinfo ntfsinfo c:

NTFS Volume Serial Number :       0x4028750a28750068

NTFS Version   :                  3.1

LFS Version    :                  2.0

Number Sectors :                  0x000000003a27e7ff

Total Clusters :                  0x000000000744fcff

Free Clusters  :                  0x0000000006f5df5d

Total Reserved :                  0x0000000000000ff0

Bytes Per Sector  :               512

Bytes Per Physical Sector :       4096

Bytes Per Cluster :               4096

Bytes Per FileRecord Segment    : 1024

Clusters Per FileRecord Segment : 0

Mft Valid Data Length :           0x000000000be00000

Mft Start Lcn  :                  0x00000000000c0000

Mft2 Start Lcn :                  0x0000000000000002

Mft Zone Start :                  0x00000000000cbe00

Mft Zone End   :                  0x00000000000cc820

Resource Manager Identifier :     B2BFCF04-1D79-11E4-9ACC-0019999200EA

 

 

PS C:\Users\administrator.VDI> fsutil fsinfo ntfsinfo f:

NTFS Volume Serial Number :       0x0ea859aba85991d7

NTFS Version   :                  3.1

LFS Version    :                  2.0

Number Sectors :                  0x00000000073f7dff

Total Clusters :                  0x00000000073f7dff

Free Clusters  :                  0x00000000054926b4

Total Reserved :                  0x0000000000020040

Bytes Per Sector  :               4096

Bytes Per Physical Sector :       4096

Bytes Per Cluster :               4096

Bytes Per FileRecord Segment    : 4096

Clusters Per FileRecord Segment : 1

Mft Valid Data Length :           0x0000000000100000

Mft Start Lcn  :                  0x00000000000c0000

Mft2 Start Lcn :                  0x0000000000000002

Mft Zone Start :                  0x00000000000c0100

Mft Zone End   :                  0x00000000000cc820

Resource Manager Identifier :     CBF966D0-1F65-11E4-80B9-0019999CD753

 

 Virtuální disky VHD, VHDX používané v Microsoft OS a Hyper-V  umístěné na fyzických discích viz. výše

 

PS C:\Users\administrator.VDI> #vhd disk H: je ulozen na disku C:

PS C:\Users\administrator.VDI> fsutil fsinfo ntfsinfo h:

NTFS Volume Serial Number :       0xa0da4950da4923be

NTFS Version   :                  3.1

LFS Version    :                  2.0

Number Sectors :                  0x00000000001f27ff

Total Clusters :                  0x000000000003e4ff

Free Clusters  :                  0x000000000003d17f

Total Reserved :                  0x000000000001f2c0

Bytes Per Sector  :               512

Bytes Per Physical Sector :       512

Bytes Per Cluster :               4096

Bytes Per FileRecord Segment    : 1024

Clusters Per FileRecord Segment : 0

Mft Valid Data Length :           0x0000000000040000

Mft Start Lcn  :                  0x0000000000014c55

Mft2 Start Lcn :                  0x0000000000000002

Mft Zone Start :                  0x0000000000014c40

Mft Zone End   :                  0x000000000001c900

Resource Manager Identifier :     2D8AC3C4-372D-11E4-80BA-0019999CD753

 

 

PS C:\Users\administrator.VDI> #vhdx disk I: je ulozen na disku C:

PS C:\Users\administrator.VDI> fsutil fsinfo ntfsinfo I:

NTFS Volume Serial Number :       0x6cce64b8ce647be8

NTFS Version   :                  3.1

LFS Version    :                  2.0

Number Sectors :                  0x00000000001f27ff

Total Clusters :                  0x000000000003e4ff

Free Clusters  :                  0x000000000003d17f

Total Reserved :                  0x000000000001f2c0

Bytes Per Sector  :               512

Bytes Per Physical Sector :       4096

Bytes Per Cluster :               4096

Bytes Per FileRecord Segment    : 1024

Clusters Per FileRecord Segment : 0

Mft Valid Data Length :           0x0000000000040000

Mft Start Lcn  :                  0x0000000000014c55

Mft2 Start Lcn :                  0x0000000000000002

Mft Zone Start :                  0x0000000000014c40

Mft Zone End   :                  0x000000000001c900

Resource Manager Identifier :     2D8AC3D3-372D-11E4-80BA-0019999CD753

PS C:\Users\administrator.VDI>

 

 

PS C:\Users\administrator.VDI> #vhd disk J: je ulozen na disku F:

PS C:\Users\administrator.VDI> fsutil fsinfo ntfsinfo J:

NTFS Volume Serial Number :       0x1a0487290487074b

NTFS Version   :                  3.1

LFS Version    :                  2.0

Number Sectors :                  0x00000000001f27ff

Total Clusters :                  0x000000000003e4ff

Free Clusters  :                  0x000000000003d17f

Total Reserved :                  0x000000000001f2c0

Bytes Per Sector  :               512

Bytes Per Physical Sector :       512

Bytes Per Cluster :               4096

Bytes Per FileRecord Segment    : 1024

Clusters Per FileRecord Segment : 0

Mft Valid Data Length :           0x0000000000040000

Mft Start Lcn  :                  0x0000000000014c55

Mft2 Start Lcn :                  0x0000000000000002

Mft Zone Start :                  0x0000000000014c40

Mft Zone End   :                  0x000000000001c900

Resource Manager Identifier :     2D8AC3ED-372D-11E4-80BA-0019999CD753

 

 

PS C:\Users\administrator.VDI> #vhdx disk k: je ulozen na disku F:

PS C:\Users\administrator.VDI> fsutil fsinfo ntfsinfo k:

NTFS Volume Serial Number :       0x6c8ca2ec8ca2b04e

NTFS Version   :                  3.1

LFS Version    :                  2.0

Number Sectors :                  0x00000000001f27ff

Total Clusters :                  0x000000000003e4ff

Free Clusters  :                  0x000000000003d17f

Total Reserved :                  0x000000000001f2c0

Bytes Per Sector  :               512

Bytes Per Physical Sector :       4096

Bytes Per Cluster :               4096

Bytes Per FileRecord Segment    : 1024

Clusters Per FileRecord Segment : 0

Mft Valid Data Length :           0x0000000000040000

Mft Start Lcn  :                  0x0000000000014c55

Mft2 Start Lcn :                  0x0000000000000002

Mft Zone Start :                  0x0000000000014c40

Mft Zone End   :                  0x000000000001c900

Resource Manager Identifier :     2D8AC3FD-372D-11E4-80BA-0019999CD753