Message from Administrator Configuration in Windows Deployment Services

I’ve been using Windows Deployment Services for quite a while and was wondering how to change the “Message from Administrator” field that is shown when a device requires approval. This is mostly to instruct service desk employees that deploying computers requires approval.

It’s actually a pretty simple command that needs to be run on the WDS server with the message you want.

WDSUtil /set-server /AutoAddPolicy /Message:"This device requires approval for deployment, please call 123-4567"

Source: “Message from Administrator” in WDS Windows Deployment Services – Windows Server 2008 R2 blog by Kurt Roggen [BE].


How to Disable Weak SSL Protocols and Ciphers in IIS

I recently undertook the process of moving websites to different servers here at work. This required that the university networking group scan the new web server with a tool called Nessus. Unfortunately this turned up several errors, all of which had to do with Secure Sockets Layer (SSL): Microsoft Windows Server 2003 / Internet Information Server 6 supports both insecure protocols and insecure cipher suites out of the box. These problems would have to be solved before they would allow the new server through the firewalls. The report the university sent me, generated by Nessus, contained errors like this:

SSL Version 2 (v2) Protocol Detection

Synopsis :

The remote service encrypts traffic using a protocol with known
weaknesses.

Description :

The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.

See also :

http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2

Solution :

Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Nessus ID : 20007
----------------------------------------------------------
SSL Medium Strength Cipher Suites Supported

Synopsis :

The remote service supports the use of medium strength SSL ciphers.

Description :

The remote host supports the use of SSL ciphers that offer medium
strength encryption, which we currently regard as those with key
lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the
same physical network.

Solution :

Reconfigure the affected application if possible to avoid use of
medium strength ciphers.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin output :

Here are the medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Nessus ID : 42873
--------------------------------------------------------------------
SSL Weak Cipher Suites Supported

Synopsis :

The remote service supports the use of weak SSL ciphers.

Description :

The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.

Note: This is considerably easier to exploit if the attacker is on the
same physical network.

See also :

http://www.openssl.org/docs/apps/ciphers.html

Solution :

Reconfigure the affected application if possible to avoid use of weak
ciphers.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin output :

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Other references : CWE:327, CWE:326, CWE:753, CWE:803, CWE:720

Nessus ID : 26928
-----------------------------------------------------------------

These three error messages pretty much mean that you need to turn off SSL 2.0, due to exploits that were found after the standard was created, and turn off any encryption suites weaker than 128 bits. The third error message says we need to turn off anything below 56 bits, but this will be accomplished by turning off anything below 128 bits. Basically you are modifying the settings that restrict which protocols and ciphers schannel.dll may use. More detailed information can be found in Microsoft’s KB187498 or KB245030.

How do we do this?

Disabling SSL 2.0 on IIS 6

  1. Open up “regedit” from the command line
  2. Browse to the following key:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
  3. Create a new REG_DWORD called “Enabled” and set the value to 0
  4. You will need to restart the computer for this change to take effect. (you can wait on this if you also need to disable the ciphers)

Disable insecure encryption ciphers weaker than 128-bit

  1. Open up “regedit” from the command line
  2. Browse to the following key:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
  3. Create a new REG_DWORD called “Enabled” and set the value to 0
  4. Browse to the following key:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
  5. Create a new REG_DWORD called “Enabled” and set the value to 0
  6. Browse to the following key:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
  7. Create a new REG_DWORD called “Enabled” and set the value to 0
  8. Browse to the following key:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
  9. Create a new REG_DWORD called “Enabled” and set the value to 0
  10. You will need to restart the computer for this change to take effect.
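The same two procedures as a script with a read-back check, added here as an example that is not part of the original post. It assumes an elevated PowerShell session and uses the .NET registry API because the PowerShell registry provider treats the "/" in names like RC4 40/128 as a path separator.

```powershell
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$targets = @(
    "$base\Protocols\SSL 2.0\Server",
    "$base\Ciphers\DES 56/56",
    "$base\Ciphers\RC2 40/128",
    "$base\Ciphers\RC4 40/128",
    "$base\Ciphers\RC4 56/128"
)

function Set-SchannelDisabled {
    param([string]$SubKeyPath)
    # New-Item on "...\Ciphers\RC4 40/128" would create a key "RC4 40" with a
    # child key "128", because the registry provider accepts "/" as a separator.
    # RegistryKey.CreateSubKey takes the name literally (and creates parents).
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKeyPath)
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelEnabled {
    param([string]$SubKeyPath)
    # Returns $null when the key or value is absent, i.e. the SCHANNEL default applies.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKeyPath)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue('Enabled', $null) } finally { $key.Close() }
}

# Apply: SSL 2.0 server side plus the four sub-128-bit cipher keys from the steps above.
foreach ($t in $targets) { Set-SchannelDisabled -SubKeyPath $t }

# Read-back check: every target should now report "disabled". The values are only
# picked up by schannel.dll after the reboot the manual steps call for.
foreach ($t in $targets) {
    $v = Get-SchannelEnabled -SubKeyPath $t
    $state = if ($null -eq $v) { 'not set (default)' } elseif ($v -eq 0) { 'disabled' } else { 'Enabled={0}' -f $v }
    Write-Output ('{0,-78} {1}' -f "HKLM\$t", $state)
}
```

The read-back only confirms the registry state; the sslscan check described in the next section confirms what the listener actually negotiates after the reboot.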

How to verify the changes?

Now that you have made these changes, how can you be sure they have taken effect without having to go to your boss or a higher authority just to find out that you did them wrong? Well, I found a nice tool called SSLScan, which you can download at http://code.google.com/p/sslscan-win/ for the Windows port, or you can download and compile it for your favorite operating system from the original SSLScan project site at http://sourceforge.net/projects/sslscan/. This tool provides some great detail about what is allowed and not allowed, plus some analysis of the SSL certificate itself.

The screenshot below shows that we have disabled any ciphers that attempt to use the SSL 2.0 protocol and all ciphers weaker than 128-bit.


Death of the Zune

It’s sad to hear that the only major competitor to Apple’s iPod is pulling out of the game. I am all about more competition within a product market, but this section of the market is being replaced by faster, larger smartphones, and you don’t have to be a genius to begin to wonder how much longer Apple will continue to make iPods. Microsoft’s Zune was late to the party, but I found that I was much happier using it than having to deal with iTunes and paying the standard Apple Tax. I wonder what use I can find for my old Zune 30, considering I just purchased the new Motorola Atrix, which can hold all the music I need plus stream some over the cell network. Thanks for all the good times, Zune.


Acer Aspire 1410 Hulu YouTube HD Playback Review

Just this week I purchased a new Acer Aspire 1410-2990, and while researching this “netbook” I never could get a definite answer on whether it would be able to handle the kind of demanding Flash video I would love to be able to view in a hotel when I travel. The answer is yes, it can handle almost all of it. Check out the results below for details.

Hulu Testing

  • Hulu 360p Windowed: Plays Perfect
  • Hulu 480p Windowed: Plays Perfect
  • Hulu 360p Full-Screen: Plays Perfect
  • Hulu 480p Full-Screen: Plays Well (depends on video)

This test was conducted using The Office – Delivery, Part 1, which played well but had a few dropped frames in fast-motion scenes at 480p full screen. I also played a few Family Guy episodes at 480p, which looked perfect, but this is probably not a very intensive video because it lacks lots of fast motion and many colors. I also played an American Greed episode, which played perfectly. Please note that the Family Guy and American Greed episodes are standard format, whereas The Office is widescreen.

YouTube Testing

  • YouTube 360p Full-Screen: Plays Perfect
  • YouTube 480p Full-Screen: Plays Perfect
  • YouTube 720p Full-Screen: Plays Perfect
  • YouTube 1080p Full-Screen: Slideshow

This test was performed with OK Go’s new This Too Shall Not Pass (Rube Goldberg Machine) music video.

These tests were performed with the out-of-the-box driver set, Mozilla Firefox 3.6 and Adobe Flash 10.0.45.2 running on Microsoft Windows 7 Home Premium, on battery with the power plan set to “Balanced”, over WiFi.

Specifications

  • 1.2GHz Intel Celeron SU2300 Processor (Dual-Core / 1MB Cache)
  • 2GB DDR2 667MHz Memory
  • 250GB SATA Hard Drive
  • 802.11a/b/g/Draft-N Wifi Connectivity
  • 11.6″ HD WXGA Acer CrystalBrite LED-backlit Display
  • Intel GMA 4500MHD Graphics
  • Windows 7 Home Premium
  • Up to 6 Hours of Battery Life

Models

  • Acer Aspire AS1410-2706 Ruby Red
  • Acer Aspire AS1410-2990 Sapphire Blue
  • Acer Aspire AS1410-2920 Diamond Black

Please note that there are other 1410 models that have either a Core 2 Solo SU3500 or a Celeron M 743, both of which are single-core processors that on most benchmarks I’ve seen don’t perform as well as the Celeron SU2300. These processors are slightly faster in clock speed and may have larger caches, but I don’t believe that overcomes the true dual-core advantage that exists in the SU2300. Don’t let the Celeron name scare you; this is much faster than those Atom-based netbooks.


How to export MySQL database to MSSQL using phpMyAdmin

Using phpMyAdmin to export data has always been very useful to me; however, when trying to run the SQL scripts it generates against Microsoft SQL Server I found a variety of incompatibilities. This is further compounded by Microsoft SQL Management Studio, which is a big improvement over the previous Enterprise Manager but seems to fare badly when doing bulk inserts. I ran into many out-of-memory issues when trying to execute large SQL scripts over 25 megabytes. I also tried using sqlcmd to have it process the files directly, but it also ran into memory issues. I chose to use SQL scripts because this makes it easy to get back to the original database if needed.

(Screenshot: phpMyAdmin Export Config)

Exporting from phpMyAdmin
Select your database and then go to the Export tab. You will need to change the following options to have it export an SQL file that is mostly compatible with MSSQL.

  • Change the export type to SQL
  • Under Options – Uncheck Comments, Change the SQL compatibility mode to MSSQL
  • Under Structure – Uncheck Add IF NOT EXISTS, ADD AUTO_INCREMENT value, Enclose table and field names with backquotes
  • Under Data – Uncheck Extended inserts

These options will ensure that the INSERT lines will be valid when importing.

Data Structure / Table Definitions
phpMyAdmin does not translate the data definitions to be compatible, so you have two options here: use Microsoft Management Studio to create your tables, or modify the SQL script to be compatible. Here is an example of a definition that I fixed and what I did.

phpMyAdmin export:

CREATE TABLE transactions (
  id int(11) NOT NULL,
  medmgrid float NOT NULL,
  medmgridpri int(11) NOT NULL,
  medmgridsub int(11) NOT NULL,
  "date" date NOT NULL,
  department int(11) DEFAULT NULL,
  "type" text NOT NULL,
  detail text,
  doctor int(11) DEFAULT NULL,
  "procedure" text,
  description text,
  reference_date date DEFAULT NULL,
  diagnosis text,
  unit float DEFAULT NULL,
  amount float DEFAULT NULL,
  total float NOT NULL,
  PRIMARY KEY (id)
);

Microsoft SQL compatible:

CREATE TABLE transactions (
  id int IDENTITY(1,1) PRIMARY KEY,
  medmgrid float NOT NULL,
  medmgridpri int NOT NULL,
  medmgridsub int NOT NULL,
  "date" datetime NOT NULL,
  department int DEFAULT NULL,
  "type" text NOT NULL,
  detail text,
  doctor int DEFAULT NULL,
  "procedure" text,
  description text,
  reference_date datetime DEFAULT NULL,
  diagnosis text,
  unit float DEFAULT NULL,
  amount float DEFAULT NULL,
  total float NOT NULL
);
  • ID Field is AUTO_INCREMENT in MySQL, for MSSQL use “IDENTITY(1,1)PRIMARY KEY”
  • INT does not allow specification of a length; remove the “(11)” after each INT
  • DATE is not a valid datatype for MSSQL, replace with DATETIME
  • Any Data Field name that is also a Keyword for MSSQL needs to be Double Quoted
  • Remove ANY comments from the phpMyAdmin export; even if you unchecked this, there may still be some in there. Be sure to check the end of the file for them.

For other datatype issues you may need to consult – http://webcoder.info/reference/MSSQLDataTypes.html and check to see if it is even a valid data type. Most datatype errors are easily resolved by Googling the error that is returned.

Data Insertion
If you have used the phpMyAdmin export settings from earlier in this article, your data should mostly script in just fine. However, you may need to enclose any of your data field names in double quotes if the word is also a keyword. For example, I have used the word Procedure, which requires double quotes or MSSQL thinks you are calling a stored procedure. To do this I would suggest a program called TextPad, which not only does really fast replacements and can do them across multiple files, but is also able to handle a text file of a few hundred megabytes with ease.

If you are using an AUTO_INCREMENT field you will need to add a “SET IDENTITY_INSERT field_name ON;” line before inserting any entry that tries to set that field to a specific value. This happens when your AUTO_INCREMENT ID field has already been created from MySQL. If you don’t do this you will receive the error “Cannot insert explicit value for identity column in table ‘field_name’ when IDENTITY_INSERT is set to OFF.”

When doing bulk inserts you will be required to keep each SQL file under 25 megabytes, or Microsoft SQL Management Studio will prompt you with "The operation could not be complete. Not enough storage is available to complete this operation" or "System.OutOfMemoryException". To divide up these files I used a free program appropriately called TextWedge, which was able to handle SQL files up to 100 MB and easily divided them. You may have to open SQL Studio, execute one 25 MB SQL script, then close it and repeat, depending on how much data you have to move.
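An added example, not the post’s own script, that automates the cleanup steps and the file splitting described above in one pass. It assumes the export is .\transactions.sql, that the table was already created with the corrected IDENTITY definition, and that transactions is the one table needing IDENTITY_INSERT; SET IDENTITY_INSERT takes a table name and lasts only for the session, so each part file switches it on for itself.

```powershell
param(
    [string]$InputFile = '.\transactions.sql',
    [string]$OutputDir = '.\out',
    [string]$IdentityTable = 'transactions',
    [int]$MaxBytes = 20MB   # stays clear of the ~25 MB point where SSMS ran out of memory
)
function Convert-MySqlLine {
    param([string]$Line)
    # Drop comment lines; phpMyAdmin leaves some even with "Comments" unchecked.
    if ($Line -match '^\s*(--|#)') { return $null }
    # int(11) -> int : T-SQL integer types take no display width.
    $Line = $Line -replace '(?i)\b(tinyint|smallint|int|bigint)\(\d+\)', '$1'
    # "col date" -> "col datetime" in column definitions (no DATE type on this server).
    $Line = $Line -replace '(?i)^(\s*"?\w+"?\s+)date\b', '${1}datetime'
    return $Line
}
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$OutputDir = (Resolve-Path $OutputDir).Path
$enc = [System.Text.Encoding]::UTF8
$st = @{ part = 0; bytes = 0; writer = $null; identOn = $false }
function Start-Part {
    $st.part++
    $path = Join-Path $OutputDir ('part-{0:d3}.sql' -f $st.part)
    $st.writer = New-Object System.IO.StreamWriter($path, $false, $enc)
    $st.bytes = 0; $st.identOn = $false
}
function Write-Part([string]$Text) {
    $st.writer.Write($Text + "`r`n"); $st.bytes += $enc.GetByteCount($Text) + 2
}
function Stop-Part {
    if ($st.identOn) { Write-Part "SET IDENTITY_INSERT $IdentityTable OFF;" }
    $st.writer.Close()
}
Start-Part
$reader = New-Object System.IO.StreamReader((Resolve-Path $InputFile).Path)
while ($null -ne ($raw = $reader.ReadLine())) {
    $line = Convert-MySqlLine -Line $raw
    if ($null -eq $line) { continue }
    # IDENTITY_INSERT is session-scoped: turn it on lazily before the first INSERT
    # of every part, which also keeps it after any CREATE TABLE in the file.
    if (-not $st.identOn -and $line -match '^\s*INSERT\b') {
        Write-Part "SET IDENTITY_INSERT $IdentityTable ON;"; $st.identOn = $true
    }
    Write-Part $line
    # Split only after a statement boundary so no INSERT is cut in half.
    if ($st.bytes -ge $MaxBytes -and $line -match ';\s*$') { Stop-Part; Start-Part }
}
$reader.Close(); Stop-Part
```

Run each part-NNN.sql in order in Management Studio; because every part closes with IDENTITY_INSERT OFF, the order of sessions does not matter beyond running them after the table exists.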
