Sunday, March 23, 2014

Renewing an Exchange Certificate - Self signed / StartTLS or Transport (Exchange 2007 / 2010 / 2013)

source: http://forums.msexchange.org/Renewing_self-signed_SMTP_certificate/m_1800558152/tm.htm

Bharat's article is what I've used numerous times.

Just do a Get-ExchangeCertificate | FL

Then with what you've provided you just highlight the SMTP cert
Thumbprint : 15405C99D3837CFF0DD2EA0213DAD6A241B

and then type out

Get-ExchangeCertificate -Thumbprint "15405C99D3837CFF0DD2EA0213DAD6A241B" | New-ExchangeCertificate

then just bounce the Microsoft Exchange Transport service.

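
The renewal from the post, wrapped so it picks the self-signed certificate actually bound to SMTP, checks how long it has left, and binds the clone before the transport restart. This is an added example written for this page, not code from the forum thread. It assumes the Exchange Management Shell on the server that holds the certificate, Exchange 2010 or 2013 (the -Force switches on New-ExchangeCertificate and Enable-ExchangeCertificate suppress the "overwrite the default SMTP certificate?" prompt), and that the certificate is self-signed; a CA-issued certificate cannot be renewed this way and needs a new request (New-ExchangeCertificate -GenerateRequest) instead.

```powershell
# Added example, not from the msexchange.org thread. Assumes Exchange Management Shell
# on Exchange 2010/2013 (-Force on New-/Enable-ExchangeCertificate) and self-signed certs.

function Renew-SelfSignedSmtpCertificate {
    param(
        [int]$RenewIfWithinDays = 30,   # only renew certs expiring inside this window
        [switch]$WhatIf                 # report what would be renewed, change nothing
    )

    # A self-signed certificate has Issuer == Subject; restrict to those bound to SMTP.
    $candidates = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'SMTP' -and $_.Issuer -eq $_.Subject }
    if (-not $candidates) { throw 'No self-signed certificate bound to SMTP was found.' }

    $renewed = 0
    foreach ($old in $candidates) {
        $daysLeft = ($old.NotAfter - (Get-Date)).Days
        '{0}  expires {1:yyyy-MM-dd} ({2} days)  services={3}' -f $old.Thumbprint, $old.NotAfter, $daysLeft, $old.Services
        if ($daysLeft -gt $RenewIfWithinDays) { continue }
        if ($WhatIf) { "  would renew $($old.Thumbprint)"; continue }

        # The same command as the post: clone the existing cert as a fresh self-signed one
        # with the same subject and SAN list. New-ExchangeCertificate returns the new cert.
        $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate -Force
        "  renewed -> $($new.Thumbprint) expires $($new.NotAfter.ToString('yyyy-MM-dd'))"

        # Make the SMTP binding explicit rather than relying on what the clone inherited.
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Force
        $renewed++
    }

    # Transport reads its certificate at start-up; bounce it so the new one is offered.
    if ($renewed -gt 0) { Restart-Service MSExchangeTransport }
    return $renewed
}

# Usage: dry run first, then the real thing.
Renew-SelfSignedSmtpCertificate -RenewIfWithinDays 30 -WhatIf
# Renew-SelfSignedSmtpCertificate -RenewIfWithinDays 30
```

Verify afterwards with Get-ExchangeCertificate | FL Thumbprint,Services,NotAfter; the old certificate is deliberately left in place (other services may still be bound to it) and can be removed with Remove-ExchangeCertificate once the new one is confirmed in use. On an Edge Transport server a renewed certificate also means recreating the Edge Subscription, since EdgeSync authenticates with the certificate it was subscribed with.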

Tuesday, March 18, 2014

Tuesday, March 4, 2014

How to enable/disable FIPS cryptography in Windows - all versions



source: http://stackoverflow.com/questions/4886368/how-to-enable-fips-on-windows-7


In Windows 8, open a Run or command prompt window, launch gpedit.msc, and follow the same steps from there...

First, be aware of what actually happens when you enforce FIPS 140-2 compliant encryption within Windows. Details are at http://technet.microsoft.com/en-us/library/cc750357.aspx. However, the main 'gotcha' (old SSL websites don't work in IE anymore) is detailed in the article linked below.
The official instructions to enable FIPS 140-2 compliance are at http://support.microsoft.com/kb/811833, but can be summarised as follows:
  1. Using an account that has administrative credentials, log on to the computer.
  2. Click Start, click Run, type gpedit.msc, and then press ENTER.
  3. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
  4. Under the Security Settings node, double-click Local Policies, and then click Security Options.
  5. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
  6. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
  7. Close the Local Group Policy Editor.
If you wish to do this manually, you can also simply change the registry key HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1
Finally, to repeat, it is very important that you read through the documentation before you enable this - it changes cryptography system wide, including how the file system (both EFS and BitLocker) and network (IE, Remote Desktop and the main cryptographic libraries) are allowed to encrypt, as well as whether you are allowed to recover lost encryption keys.

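
The same flag the policy editor writes, read and set from PowerShell so it can be audited or scripted. This is an added example for this page, not code from the StackOverflow answer. It assumes an elevated Windows PowerShell session on Vista/Server 2008 or later, where the flag is the Enabled DWORD under the FipsAlgorithmPolicy key; on XP/2003 the flag is instead a DWORD value named FipsAlgorithmPolicy directly under ...\Control\Lsa, which this script does not handle.

```powershell
# Added example, not from the StackOverflow answer. Assumes elevated PowerShell on
# Vista/2008+ (Enabled DWORD under the FipsAlgorithmPolicy key; XP/2003 differ).

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicy {
    # $true when FIPS enforcement is on. A missing key or value means "off".
    $item = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.Enabled -eq 1)
}

function Set-FipsPolicy {
    param([Parameter(Mandatory = $true)][bool]$Enabled)

    # Writes under HKLM need elevation; fail loudly instead of silently doing nothing.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Set-FipsPolicy must run from an elevated session.'
    }

    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value $value -Type DWord

    # Schannel, EFS and .NET read the flag when they start, so already-running
    # services and applications keep the old behaviour until restarted.
    Write-Warning 'FIPS policy changed; restart affected services (or reboot) for it to apply everywhere.'
    return (Get-FipsPolicy)
}

# Usage: audit first; only flip it after reading the KB caveats quoted above.
"FIPS enforcement currently: $(Get-FipsPolicy)"
# Set-FipsPolicy -Enabled $true     # or -Enabled $false to back it out
```

Reading the value is safe on any box and is the quickest way to explain a sudden "not part of the Windows Platform FIPS validated cryptographic algorithms" error from a .NET application after a group policy change.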

Tuesday, February 25, 2014

Resolving VSS errors without a reboot


source: http://community.spiceworks.com/topic/170650-vss-writer-and-backup-issues
Mel9484 Dec 13, 2011 at 2:26 AM
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)

Previous post was not properly aligned.

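
The same four commands, with an undo file recorded first and the VSS writer state checked before and after, so the fix can be reverted and its effect seen without a reboot. This is an added example written for this page, not code from the Spiceworks thread. It assumes an elevated Windows PowerShell on Vista/Server 2008 or later (winsxs\filemaps, takeown, icacls and vssadmin are all present there); the undo path under %TEMP% is a placeholder.

```powershell
# Added example, not from the Spiceworks thread. Assumes elevated PowerShell on
# Vista/2008+; $AclUndo is a placeholder path for the saved DACLs.

$FileMaps = Join-Path $env:windir 'winsxs\filemaps'
$AclUndo  = Join-Path $env:TEMP   'filemaps-acl.undo'

function Get-VssWriterState {
    # Parse 'vssadmin list writers' into objects so a failed writer stands out.
    $text   = & vssadmin.exe list writers | Out-String
    $blocks = ($text -split '(?m)^Writer name:') | Select-Object -Skip 1
    foreach ($b in $blocks) {
        $name  = if ($b -match "^\s*'([^']+)'")              { $Matches[1] } else { '?' }
        $state = if ($b -match 'State:\s*\[\d+\]\s*(\S.*)')  { $Matches[1].Trim() } else { '?' }
        $err   = if ($b -match 'Last error:\s*(\S.*)')        { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ Writer = $name; State = $state; LastError = $err }
    }
}

function Repair-FileMapsAcl {
    if (-not (Test-Path $FileMaps)) { throw "$FileMaps not found; this fix applies to Vista/2008 and later." }

    # 1. Record the current DACLs first. Undo with:  icacls $FileMaps /restore $AclUndo
    & icacls.exe "$FileMaps\*" /save $AclUndo /T /C | Out-Null

    # 2. The thread's four commands: ownership to the Administrators group (/a), then
    #    the grants VSS and the servicing stack expect on these files.
    & takeown.exe /f "$FileMaps\*" /a | Out-Null
    & icacls.exe "$FileMaps\*.*" /grant 'NT AUTHORITY\SYSTEM:(RX)'        | Out-Null
    & icacls.exe "$FileMaps\*.*" /grant 'NT Service\trustedinstaller:(F)' | Out-Null
    & icacls.exe "$FileMaps\*.*" /grant 'BUILTIN\Users:(RX)'              | Out-Null
}

'--- writers not Stable / with errors, before ---'
Get-VssWriterState | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' } | Format-Table -AutoSize
Repair-FileMapsAcl
'--- all writers, after ---'
Get-VssWriterState | Format-Table -AutoSize
```

Keep the undo file until the next backup has succeeded: the grants above only add entries, but the takeown step changes the owner of every file in the directory, and the saved DACLs are the only record of what was there.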

Connectwise System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

source: http://ipswitchft.force.com/kb/articles/FAQ/Windows-Platform-FIPS-validated-crypto-message-appears-trying-to-access-Login-aspx-1307565986146

Answer/Solution:
 
Your Windows environment may be configured to use FIPS encryption that is conflicting with WebInspect.
To correct this you will need to disable the "Local Security Setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy in Windows.
  1. Go to Start > Control Panel > Administrative Tools > Local Security Policy. The Local Security Policy window appears.
  2. Under the "Local Policies" heading, select "Security Options" and look for the entry "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."
  3. If this entry is enabled, disable it.
Also, open the registry editor and browse to the following key. Make sure its Enabled value (a DWORD) is set to 0, which is what the disabled policy writes; a value of 1 turns enforcement back on for every process that starts afterwards:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
ASP.NET 2.0 uses the RijndaelManaged implementation of the AES algorithm when it processes view state data. The RijndaelManaged implementation has not been certified by the National Institute of Standards and Technology (NIST) as compliant with the Federal Information Processing Standard (FIPS). Therefore this AES implementation (unlike AesCryptoServiceProvider, which wraps the validated Windows provider) is not part of the Windows Platform FIPS validated cryptographic algorithms.
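
To see the error from the title reproduced on a given machine, and to see why the managed classes trip it while their CryptoServiceProvider counterparts do not, the following added example (written for this page, not from the Ipswitch KB) constructs each class and reports what happens. It assumes Windows PowerShell on the .NET Framework; whether a *Managed class throws depends both on the FIPS flag and on the Framework version (4.8 relaxed the check for the managed hash classes), so the script reports what this box actually does rather than hard-coding an answer.

```powershell
# Added example, not from the Ipswitch KB. Assumes Windows PowerShell (.NET Framework);
# results vary with the FIPS flag and the Framework version, so nothing is hard-coded.

function Test-CryptoClass {
    param([Parameter(Mandatory = $true)][string]$TypeName)
    try {
        $obj = New-Object -TypeName $TypeName   # the FIPS check fires in the constructor
        $obj.Clear()                             # release the handle/key material
        return [pscustomobject]@{ Type = $TypeName.Split('.')[-1]; Result = 'OK' }
    } catch {
        $ex = $_.Exception.GetBaseException()    # unwrap PowerShell's MethodInvocationException
        return [pscustomobject]@{ Type = $TypeName.Split('.')[-1]; Result = "$($ex.GetType().Name): $($ex.Message)" }
    }
}

# What the runtime believes the policy is. This mirrors the registry flag unless the
# application's .config sets <enforceFIPSPolicy enabled="false"/> under <runtime>.
"CryptoConfig.AllowOnlyFipsAlgorithms = $([System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)"

# Managed implementations (RijndaelManaged is the one ASP.NET 2.0 view state uses) next
# to the CSP classes that wrap the FIPS-validated Windows providers. MD5 is included to
# show that the algorithm matters as well as the implementation: MD5 is never FIPS-approved.
@(
    'System.Security.Cryptography.RijndaelManaged',
    'System.Security.Cryptography.AesCryptoServiceProvider',
    'System.Security.Cryptography.SHA256Managed',
    'System.Security.Cryptography.SHA256CryptoServiceProvider',
    'System.Security.Cryptography.MD5CryptoServiceProvider'
) | ForEach-Object { Test-CryptoClass -TypeName $_ } | Format-Table -AutoSize
```

Disabling the policy machine-wide, as the KB says, fixes the symptom for every application at once but also removes the control for everything else on the box. For the ASP.NET view state case specifically, Microsoft's documented alternative is to keep FIPS on and set machineKey validation="3DES" decryption="3DES" in web.config (KB 911722) so view state uses a validated provider; that is stated here as a known .NET configuration, not something the KB above covers.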

Tuesday, January 28, 2014

Port alternatives for SMTP / Exchange server

 
On Thu, 12 Apr 2012 13:53:24 +0000, andyh999 wrote:
 
>We are using port 25 and 587 to send non-secure messages to external servers. Since some ISP's block port 25 we setup 587 a while back for those who contract with the ISP's that block 25.
 
Anyone that's running a SMTP server can find an alternative to using
port 25. Have a look at http://www.dyndns.com as an example. What's
required is a SMTP relay server.
 
>At some point I would like to secure port 587 but I believe would have to contact all users who currently use this port to check on "this server requires a secure connection (SSL)" once I check on "require a secure channel" on the virtual server properties. If this is incorrect please let me know.
 
If you're using anything except port 25 for server-to-server SMTP
you're going to have one heckuva problem. Port 587 is the SMTP Client
Submission port, not the SMTP Server port. Since you use port 587 for
YOUR clients it isn't a problem to manage communication and
configuration. How you'd tell some anonymous SMTP server that they
have to use some alternative port to 25 is a task I'd rather not
undertake.
 
>Due to the sensitive nature of information that passes through our Exchange server we want to at the least encrypt the username and password for outgoing messages. If you have other recommendations on how to do this please share.
 
If the information is sensitive then you should encrypt the message,
not just the transmission channel. Encrypting the channel only
protects the content "on the wire," but does nothing for the messages
"at rest".
 
>So if I want to send secure email on port 465 what do I need to do?
 
Just send the mail on that port. Since there's no negotiation expected
the data should only be accepted if your server exchanges its
certificate with the target server.
 
---
Rich Matheisen
MCSE+I, Exchange MVP
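
A probe that shows, for a given host and port, whether the far end speaks plain SMTP with an optional STARTTLS upgrade (the port 25 and 587 case) or implicit TLS from the first byte (the port 465 case), and what certificate it presents. This is an added example written for this page, not part of the thread above. It assumes outbound TCP is allowed from the probing host, Windows PowerShell with the .NET SslStream class, and that the EHLO name probe.example.invalid is a placeholder.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell (.NET SslStream) and
# outbound TCP to the target; 'probe.example.invalid' is a placeholder EHLO name.

function Test-SmtpTls {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $net = $client.GetStream()
    $net.ReadTimeout = $TimeoutMs
    try {
        # Plain SMTP (25/587) sends a "220" greeting at once; implicit-TLS SMTPS (465)
        # stays silent until the handshake is done. Wait briefly to tell them apart.
        $deadline = (Get-Date).AddMilliseconds(1500)
        while (-not $net.DataAvailable -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 50 }

        # We only want to inspect the certificate, so accept any chain here and report
        # trust separately below instead of failing the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $banner = $null

        if ($net.DataAvailable) {
            $reader = New-Object System.IO.StreamReader($net)
            $writer = New-Object System.IO.StreamWriter($net)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $banner = $reader.ReadLine()
            $writer.WriteLine('EHLO probe.example.invalid')
            $ehlo = @()
            do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match '^250-')
            if (@($ehlo -match '^250[ -]STARTTLS').Count -eq 0) {
                return [pscustomobject]@{ Server = $Server; Port = $Port; Mode = 'plaintext, no STARTTLS'; Greeting = $banner }
            }
            $writer.WriteLine('STARTTLS')
            $resp = $reader.ReadLine()
            if ($resp -notmatch '^220') { throw "STARTTLS refused: $resp" }
            $mode = 'STARTTLS'
        } else {
            $mode = 'implicit TLS'
        }

        # Handshake on the same socket (after the 220 for STARTTLS, immediately for 465).
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server       = $Server
            Port         = $Port
            Mode         = $mode
            Greeting     = $banner
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            ChainTrusted = $cert.Verify()   # $false for a self-signed Exchange certificate
        }
    } finally {
        $client.Close()
    }
}

# Usage (replace the host): the three ports from the thread, side by side.
# 25, 587, 465 | ForEach-Object { Test-SmtpTls -Server 'mail.example.com' -Port $_ } | Format-List
```

Two caveats: a server that deliberately delays its greeting (a greet-pause anti-spam tactic on port 25) can exceed the 1.5 second wait and be misreported as implicit TLS, so raise that wait when probing unknown MTAs; and ChainTrusted is $false for the self-signed certificate Exchange ships with, which is exactly why a partner who "requires a secure connection" on 587 or 465 may still reject it until a CA-issued certificate is bound to SMTP.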