blog Microsoft Windows

Dell Laptop offline file synchronization issues

Recently I had a client who purchased a new laptop from Dell.  It was a fairly straightforward setup, nothing out of the ordinary.  After we got the computer joined to the domain and the user’s profile set up, we started the file synchronization process for a number of directories that they needed to take offsite on a daily basis to be able to read/modify while out of the office and without internet connectivity.  They had been using Microsoft’s offline files feature.  Again, nothing out of the ordinary.

Well, this computer took up more than a few hours of my time as well as that of another associate of mine.  No matter what we did, the computer would not synchronize files during the logon process even though the little checkbox was checked to do so.  As it turns out, Dell has some sort of security suite that they are deploying with all the laptops now, with the name of WavXDocMgr.  This was the culprit of the synchronization issue.  We took this out of MSCONFIG as a startup process and the problem was solved.  As this was not the answer but rather a workaround, we have started talking with Dell but as of yet have not found a fix for the issue, so I thought I would share.


Microsoft PowerShell – Searching for a command

I live in the command line on Linux, Cisco, HP, and a number of other products but for some reason it feels UnAmerican to do it on Windows.  I’m coming around though.  With the implementation of Microsoft PowerShell on Windows you now have a great deal of power that you may or may not have had before.  For me, troubleshooting Exchange 2007 and AD, it is a blessing.  However, finding the command that you need to use to get the information you want is pretty hard.  I guess that’s why Microsoft created the “get-command” command for PowerShell.  It is basically a search function for PowerShell and will return a list of commands that you can run to get the information you need (per your search).

So let’s use the command to find more about our Exchange queues (Exchange 2007 Server).

Get-Command *queue*

Which will return a list of commands that you can run from PowerShell like Get-Queue, Retry-Queue, and Suspend-Queue.

Now let’s try something to do with Active Directory.  Try this command.

Get-Command *User*

It’ll return a boatload of commands but you can see a few that might be useful like New-ADUser and New-ADGroup.

Hopefully this will shine some light on the still fairly new (feeling) command line power of Microsoft’s Operating Systems.


Disable SSLv2 for Windows Server 2003

This is a follow-on from my last post about weak SSL ciphers, as the two kind of go hand in hand.  SSLv3 offers a few security improvements over SSLv2 and is supported by the majority of new browsers.  What we will do in this post is disable SSLv2 on your web server so that a client can no longer choose to use it when connecting.  To accomplish this we will need to do the following.

Open regedit and find the key


Now for SSL 2.0 you will want to create a new DWORD value named Enabled with a data value of 0 in Hex in both the client and server subkeys.  This will stop the server from using or allowing SSLv2 for SSL connections.  You can also create a registry import like the following.

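Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

; Enabled = 0 disables SSL 2.0 in the Client subkey
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

; Enabled = 0 disables SSL 2.0 in the Server subkey
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000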

Again with this one, Nessus will find the vulnerability fairly easily so there is almost no reason to have it running. Nessus’ finding will be displayed as “Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.”

NOTE: This change may break clients/servers/applications so I take no responsibility for YOUR actions.


Windows / IIS SSL – Restrict Weak Ciphers

I have been on a little bit of a security kick lately with my time at work thwarting SQL injection attempts, securing web servers, firewall administration and so much more and have been doing some pretty repetitive tasks so I thought I’d put them up here to help me remember how to do these very important tasks.

This piece is on restricting weak ciphers for SSL on your web server.  Nessus and some other security auditing tools will detect this one with ease so there’s really no good excuse not to lock it down.  Basically what we are going to do is remove the ability for web clients (IE, Firefox, Safari, Opera, etc) to connect to the web server with anything but 128 bit or greater SSL encryption.  This just sounds like a good deal anyway if you ask me.

An example of a weak cipher is, like I mentioned above, anything less than 128 bit encryption.  There are about a dozen methods of encryption from SSL_RSA_EXPORT1024_WITH_RC4_56_SHA to SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5.  Yes I know that sounds cryptic and it really is (pun intended).  So what we need to do is scan the host first.  You can use Tenable Nessus or your choice of scanning utility but we want to see what it comes up with.  Chances are if you were diligent during the setup of the server, you may not have to do this but if you’re the other 95% out there, then you will need to do the following.

Open "regedit" and find the key

This will have a number of other subkeys below it.  Next we will want to disable anything that has a number less than 128 in it.  For example, RC2 40/128 we will disable but RC2 128/128 we will not.  Clear as mud?  To disable the cipher, click on the subkey that you want to disable and create a new DWORD value named Enabled.  In the value data keep it 0 in Hex.  This will disable the cipher from being able to run.  You could also create a registry import like the following.

Windows Registry Editor Version 5.00

; Enabled = 0 disables the cipher; the "/" is part of the key name
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

I would do this for RC2 40/128, RC4 40/128 and RC4 56/128.  I feel better already.  Hopefully you will too after you get this done on your website.

NOTE: This may break some clients/servers/applications so I take no responsibility for YOUR actions. 🙂
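
The registry changes from this post and from the SSLv2 post above, scripted in PowerShell. This is an added example, not the author's code; the script name and the -Apply switch are assumptions made for illustration.

```powershell
# Added example, not from the original posts. Save as Audit-Schannel.ps1 (hypothetical
# name) and run elevated. Without -Apply it only reports; with -Apply it writes Enabled=0.
param([switch]$Apply)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys the two posts disable, relative to the SCHANNEL key.
$targets = @(
    'Protocols\SSL 2.0\Client',
    'Protocols\SSL 2.0\Server',
    'Ciphers\RC2 40/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128'
)

# The cipher key names contain "/". The PowerShell registry provider treats "/" as a
# path separator (New-Item would create "RC2 40" with a child "128"), so use the
# .NET registry API, where only "\" separates keys.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannel, $Apply.IsPresent)
if ($root -eq $null) { throw "Cannot open HKLM\$schannel" }

foreach ($t in $targets) {
    if ($Apply) {
        # CreateSubKey opens the key writable, creating it (and parents) if missing.
        $key = $root.CreateSubKey($t)
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } else {
        $key = $root.OpenSubKey($t)   # read-only
    }

    $enabled = $null
    if ($key -ne $null) {
        $enabled = $key.GetValue('Enabled')   # $null when the value is absent
        $key.Close()
    }

    if ($enabled -eq $null)  { $state = 'not set (OS default applies)' }
    elseif ($enabled -eq 0)  { $state = 'disabled' }
    else                     { $state = 'ENABLED' }

    '{0,-28} {1}' -f $t, $state
}
$root.Close()
```

Run it once without -Apply to record the current state before changing anything, then re-scan with Nessus after applying to confirm the findings are gone.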


Recreate Exchange 2003 OWA Virtual Directories

Lately I have had a few client servers that needed this done for various reasons. Usually it has something to do with troubleshooting Windows Mobile 5 and 6 devices getting email via the OMA portion of Outlook Web Access on Exchange 2003. Some of them were getting the error, “ActiveSync encountered a problem on the server support code: 0x85010001” or similar on the handheld devices. In all of the cases the following fix resolved each client’s particular problem.

Exchange 2003 has 6 total virtual directories. They are as follows:

Exchange | Exchweb | Exadmin | OMA | Public | Microsoft-Server-ActiveSync

For more information on the function of each virtual directory please visit Daniel Petri’s website, which is where I normally go to get the how-to for this function.

Now that we have identified the virtual directories associated with OWA, we need to back up the configuration and then delete them. I know, this seems like a really huge step, it was for me the first time I did it but now I do it on a regular basis. You will need to back up the configuration from IIS Manager by right clicking on the Default Web Site and going to “Save Configuration to a File”. I don’t think I need to walk you through the rest of the dialog boxes, you’ll figure it out.

Now that the configuration is backed up, delete the 6 virtual directories mentioned above. You may also, depending on OS version, have a virtual directory “exchange-oma”. Leave it alone for right now, we will get to it in a bit. Before we recreate the virtual directories, we need to delete a key out of the IIS Metabase. For this you will need to download the IIS 6.0 Resource Kit from here. Go ahead and install the package and navigate to “Metabase Explorer”, which is part of the resource kit you just installed. In Metabase Explorer you will have some keys on the left hand side, LM being one of them. Expand the LM key and you will find the first one (usually) to be DS2MB. Delete the DS2MB key. DS2MB stands for Directory Service to Metabase. Its purpose is to transfer configuration information from AD to IIS. It’ll get recreated during the next process.

Now that the virtual directories and the DS2MB keys are deleted, you can restart the “Microsoft Exchange System Attendant” service. That will recreate what we have deleted.

For some reason when the virtual directories are recreated you still have to fix a permissions issue to get it to function. Do this by going into IIS Manager and right clicking on the virtual directory “Exchweb” and selecting Properties. Then go to the Directory Security tab and click Edit under Authentication and Access control. Ensure that Anonymous and Integrated Authentication are checked. An Inheritance Override dialog box will appear, make sure you click Select All. Click OK to finish. After you have completed that, go back into Authentication and Access control and uncheck Integrated Windows Authentication. (Yes I know, seems odd). OK out and you are finished.

That pretty much sums the fix up. You will need to redo your SSL stuff but other than that you should have a fully functional OWA configuration.

Now, this is where the support code stuff and the exchange-oma virtual directory I mentioned earlier comes in. There are a number of mobile devices that are capable of connecting to Exchange to get email, contacts, calendar and tasks from their account. Some of them work with SSL / Forms Based Authentication and some don’t. To fix the ones that don’t support it, follow the steps below to get your non SSL Windows Mobile devices to connect to Exchange.

First delete the virtual directory (if you have it) exchange-oma. Now to finish this we will need to create a second virtual directory for OMA access. First, open IIS Manager and right click on the Exchange virtual directory and select “Save Configuration to File”.  Name it something like exchange-oma. Now, right click on “Default Website” and select new virtual directory from file.  Find the file you just saved (i.e. exchange-oma).  You will get a dialog box saying the virtual directory already exists.  In the alias box, type exchange-oma (or similar).

Let’s make it non SSL bound now.  Right click on the virtual directory you just created and go to the Directory Security tab and then Authentication and Access control.  Make sure that Integrated and Basic authentications are enabled. OK out and then under Secure communications click Edit and uncheck “require SSL”.  OK out and close IIS Manager.

To get IIS and Exchange to use the new virtual directory correctly we need to make a slight registry change.  Open the Registry Editor and find “HKLM\SYSTEM\CurrentControlSet\Services\MasSync\Parameters”.  If the ExchangeVDir value does not exist there, right click in the right pane and create a new String Value.  Name it ExchangeVDir and press Enter.  Modify the value and put /exchange-oma in that field.

You are almost done now, quit the registry editor and restart the IIS Admin Service.  You can also use iisreset from the run line or command prompt.

Here are some of the links I used to put this post together and have used in the past successfully.

Petri IT Knowledgebase | Dev IT Weblog | Microsoft