Tuesday, March 4, 2014

How enable/disable FIPS cryptography in WIndows - all version



source: http://stackoverflow.com/questions/4886368/how-to-enable-fips-on-windows-7


In WIndows 8, open up a command prompt wondoe and kick off gpedit.msc and go from there...

First, be aware of what actually happens when you enforce FIPS140-2 complient encryption within Windows. Details are at http://technet.microsoft.com/en-us/library/cc750357.aspx. However, the main 'gotcha' (old SSL website's don't work in IE anymore) is detailed in the article linked below.
The official instructions to enable FIPS 140-2 complience are at http://support.microsoft.com/kb/811833, but can be summarised as follows:
  1. Using an account that has administrative credentials, log on to the computer.
  2. Click Start, click Run, type gpedit.msc, and then press ENTER.
  3. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
  4. Under the Security Settings node, double-click Local Policies, and then click Security Options.
  5. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
  6. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
  7. Close the Local Group Policy Editor.
If you wish to do this manually, you can also simply change the registry key HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1
Finally, to repeat, it is very important that you read through the documentation before you enable this - it changes cryptography system wide, including how the file system (both EFS and Bitlocker) and network (IE, Remote Desktop and the main cryptographic libraries) are allowed to encrypt, as well as if you allowed to recover lost encryption keys.

source: http://stackoverflow.com/questions/4886368/how-to-enable-fips-on-windows-7
Posted by at 12 comments:

Tuesday, February 25, 2014

Resolving VSS errors without a reboot


source: http://community.spiceworks.com/topic/170650-vss-writer-and-backup-issues
Mel9484 Dec 13, 2011 at 2:26 AM
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)

Previous post was not properly aligned.

source: http://community.spiceworks.com/topic/170650-vss-writer-and-backup-issues
Posted by at No comments:

Connectwise System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

 source: http://ipswitchft.force.com/kb/articles/FAQ/Windows-Platform-FIPS-validated-crypto-message-appears-trying-to-access-Login-aspx-1307565986146

Answer/Solution:
 
Your Windows environment may be configured to use FIPS encryption that is conflicting with WebInspect.
To correct this you will need to disable the "Local Security Setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy in Windows.
  1. Go to Start > Control Panel > Administrative tools > Local Security Policy. The Group Policy dialog appears. 
  2. Under the "Local Policies" heading, select "Security Options" and look for the entry, "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing." 
  3. If entry this is enabled, disable it.
Also, open the registry editor and browse to the following path.  Make sure this registry subkey is set to 1:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fipsalgorithmpolicy
ASP.NET 2.0 uses the RijndaelManaged implementation of the AES algorithm when it processes view state data. The ReindaelManaged implementation has not been certified by the National Institute of Standards and Technology (NIST) as compliant with the Federal Information Processing Standard (FIPS). Therefore, the AES algorithm is not part of the Windows Platform FIPS validated cryptographic algorithms.

Posted by at 2 comments:

Tuesday, January 28, 2014

Port alternatives for SMTP / Exchange server

 
On Thu, 12 Apr 2012 13:53:24 +0000, andyh999 wrote:
 
>We are using port 25 and 587 to send non-secure messages to external servers. Since some ISP's block port 25 we setup 587 a while back for those who contract with the ISP's that block 25.
 
Anyone that's running a SMTP server can find an alternative to using
port 25. Have a look at http://www.dyndns.com as an example. What's
required is a SMTP relay server.
 
>At some point I would like to secure port 587 but I believe would have to contact all users who currently use this port to check on "this server requires a secure connection (SSL)" once I check on "require a secure channel" on the virtual server properties. If this is incorrect please let me know.
 
If you're using anything except port 25 for server-to-server SMTP
you're going to have one heckuva problem. Port 587 is the SMTP Client
Submission port, not the SMTP Server port. Since you use port 587 for
YOUR clients it isn't a problem to manage communication and
configuration. How you'd tell some anonymous SMTP server that they
have to use some alternative port to 25 is a task I'd rather not
undertake.
 
>Due to the sensitive nature of information that passes through our Exchange server we want to at the least encrypt the username and password for outgoing messages. If you have other recommendations on how to do this please share.
 
If the information is sensitive then you should encrypt the message,
not just the transmission channel. Encrypting the channnel only
protects the content "on the wire," but does nothing for the messages
"at rest".
 
>So if I want to send secure email on port 465 what do I need to do?
 
Just send the mail on that port. Since there's no negotiation expected
the data should only be accepted if your server exchanges its
certificate with the target server.
 
---
Rich Matheisen
MCSE+I, Exchange MVP
 

Posted by at No comments:

Friday, January 24, 2014

VSS Writers and corresponding services

source: http://www.planetcobalt.net/sdb/vss_writers.shtml

Reset VSS Writers

VSS writers are application-specific components for Microsoft's Volume Shadow Copy Service, which ensure the consistency of application data when a shadow copy is created. That's quite useful for creating consistent backups of a system. However, some of these writers go into error states more or less frequently. And Microsoft did not deem it necessary to document how to reset writers without rebooting the entire system (or at least I didn't manage to find that piece of information).

Since this burnt me once too often, I started compiling a list of VSS writers and the services that need to be restarted to reset each of them. Some are rather obvious, others (System Writer for instance) not so much.

VSS Writer Service Name Service Display Name
ASR Writer VSS Volume Shadow Copy
BITS Writer BITS Background Intelligent Transfer Service
COM+ REGDB Writer VSS Volume Shadow Copy
DFS Replication service writer DFSR DFS Replication
FSRM writer srmsvc File Server Resource Manager
IIS Config Writer AppHostSvc Application Host Helper Service
IIS Metabase Writer IISADMIN IIS Admin Service
Microsoft Exchange Writer MSExchangeIS Microsoft Exchange Information Store
Microsoft Hyper-V VSS Writer vmms Hyper-V Virtual Machine Management
NTDS NTDS Active Directory Domain Services
OSearch VSS Writer OSearch Office SharePoint Server Search
OSearch14 VSS Writer OSearch14 SharePoint Server Search 14
Registry Writer VSS Volume Shadow Copy
Shadow Copy Optimization Writer VSS Volume Shadow Copy
SPSearch VSS Writer SPSearch Windows SharePoint Services Search
SPSearch4 VSS Writer SPSearch4 SharePoint Foundation Search V4
SqlServerWriter SQLWriter SQL Server VSS Writer
System Writer CryptSvc Cryptographic Services
WMI Writer Winmgmt Windows Management Instrumentation    
This list is far from complete. It merely contains those writers I already had to deal with.

source: http://www.planetcobalt.net/sdb/vss_writers.shtml

Posted by at No comments:

Thursday, January 16, 2014

Delegate the Server Administrator role to a user on an Exchange Server (2003, 2007 or 2010)


source: http://publib.boulder.ibm.com/infocenter/tivihelp/v24r1/index.jsp?topic=%2Fcom.ibm.itcamms.doc_6.3%2Fexchange%2Fassign_admin_rights.html

Procedure

For Microsoft Exchange Server 2003, complete the following steps to grant full administrator rights to the user:
  1. Click Start > Programs > Microsoft Exchange > System Manager. The Microsoft Exchange Systems Manager opens.
  2. Click Action > Delegate control. The Exchange Administration Delegation Wizard opens. Click Next.
  3. On the Users or Groups page, click Add.
  4. In the Delegate Control window, click Browse. Select the new user that you have created, and then click OK.
  5. From the Role list, select Exchange Full Administrator, and then click OK.
  6. Click Next, and then click Finish.
For Microsoft Exchange Server 2007, complete the following steps to grant recipient administrator rights to the user:
  1. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Console. The Exchange Management Console window opens.
  2. In the Console tree, click Organization Configuration.
  3. In the Action pane, click Add Exchange Administrator.
  4. On the Add Exchange Administrator page, click Browse. Select the new user that you have created, and then select Exchange Recipient Administrator role.
  5. Click Add.
  6. On the Completion page, click Finish.
For Microsoft Exchange Server 2010, complete the following steps to grant recipient administrator rights to the user:
  1. Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Console. The Exchange Management Console window opens.
  2. In the Console tree, click Toolbox.
  3. In the Work pane, double-click the Role Based Access Control (RBAC) User Editor tool. The Exchange Control Panel window opens.
  4. Enter the user credentials for the account with permissions to open the user editor in the Exchange Control Panel. Click Sign in.
  5. Click the Administrator Roles tab.
  6. Select the Recipient Management role group, and then click Details.
  7. In the Members area, click Add.
  8. Select the user that you want to add to the role group, and then click OK.
  9. Click Save to save the changes to the role group.

    source: http://publib.boulder.ibm.com/infocenter/tivihelp/v24r1/index.jsp?topic=%2Fcom.ibm.itcamms.doc_6.3%2Fexchange%2Fassign_admin_rights.html
Posted by at No comments:

Friday, January 10, 2014

Office365 - Granting permission to another user's mailbox

Source: http://community.office365.com/en-us/forums/148/t/167084.aspx

There are two options for you to grant User B’s Full Access permission to User A.

1. If you are using Office 365 after-upgrade, you can grant Full Access permission in Exchange Admin Center (EAC).

a. Log into the admin center with global administrator account.

b. Click the “Outlook” tab in the top panel to enter OWA (Outlook Web App).

c. In the address bar, change the URL after “owa” to “ecp”. For example, if the URL of your Outlook Web App is https://server.outlook.com/owa/?exsvurl=1&ll-cc=1033&modurl=0&realm=domain.onmicrosoft.com, please change it to https://server.outlook.com/ecp/ to enter your Exchange admin center.

d. Click recipients on the left navigation.

e. Click mailbox on the right panel and double-click the display name of the mailbox (User B) you want to edit.

f. Click mailbox delegation on the left navigation.

g. Add User A under Full Access.


Please note: After granting the Full Access permission, we recommend you re-sign in to OWA (User A) to use “Open Another Mailbox” to open the mailbox (User B).

2. Use Windows PowerShell to grant Full Access permission.

a. Connect Windows PowerShell to the Service: http://help.outlook.com/en-us/140/cc952755.aspx

b. Run the following command:
Add-MailboxPermission -Identity "User B" -User UserA -AccessRights FullAccess -InheritanceType All

For more detailed information, please refer to the following link: http://technet.microsoft.com/en-us/library/bb124097(v=exchg.150).aspx

@AppRiver, your efforts are appreciated.

Thanks,
Anna Shi

Source: http://community.office365.com/en-us/forums/148/t/167084.aspx 
Posted by at No comments:
Subscribe to: Comments (Atom)