Tag Archives: Security

Free SSL Certificates for Public Domains and Sub-Domains via StartSSL

I’ve been using internally generated SSL certificates for testing and publishing, as most developers, IT pros, and DIY people have.  It works, but it can be a little frustrating to deal with CRLs and OCSP responders if you don’t want browsers and applications to warn that the certificates are untrusted.  For public-facing sites, there’s a vendor that now provides free certificates and an excellent toolbox for managing them.

Read on for more info or take the link: https://www.startssl.com.


SSL Sniffing – How Safe Is Your Information?

Some firewalls now have a feature (new or not so new) that most web users are unaware of: the little lock in your browser that shows you are using a secure connection is not what it used to be.

When you make a secure connection to a web site, your bank for example, and you see the little lock appear, that is an indicator that your browser is connecting to and exchanging information with a server through a secure, certificate-based channel.  Behind the scenes, encryption keys are exchanged, and the information that you transmit and that is transmitted back to you is encrypted and not easily readable by others.  That perception of safety is the basis of all financial, as well as other, transactions on the Internet, and you as the consumer believe that when you see that lock, your information is safe.

There’s a lot that happens, and can happen, in between you and the server you’re communicating with.  To illustrate what I’m talking about, here is a simplified diagram of a typical network configuration, using the example of a bank:

(Diagram: simplified network path between your computer and the bank’s server, with a firewall at each end.)

Your computer connects to your bank through firewalls.  The near firewall protects your network, and the firewall on the bank’s end protects their network.  There is typically a certificate installed on the bank’s firewall and server that allows you to establish a secure connection to that server.


Team Foundation Server 2010 Installation Experiences and Lessons Learned

Do it right the first time! 🙂

There are quite a few posts on Team Foundation Server 2010 (TFS) and how to install and configure it, as well as a really good CHM file from Microsoft on the same topics, so I won’t duplicate what everyone else has done; I’ll link to one at the bottom of this post.  I’m writing this just to relay the experience I had getting the product configured the way I wanted it, or some facsimile thereof, and some lessons learned.


After viewing some videos of TFS on YouTube, reading some of the Microsoft marketing material, and some of the posts on it, I decided to stand up TFS in my environment to see how well it works and to explore changes since the last version.  Right now, the team I lead isn’t really using any ‘set’ collaborative product.  We tend to work in small teams on projects, so the need isn’t really there, though I’m sure the organization wouldn’t hurt.  We’re currently using Subversion as our source repository and occasionally use MOSS or WSS to collaborate.  Otherwise it’s phone calls and emails, since we also tend to bounce around the country.  Enough background, on to the TFS installation…

After reading through a few blog posts and Microsoft’s documentation on how to install and configure TFS, I stood up a Windows Server 2008 R2 VM and installed SQL Server 2008.  I was going with a single server install.  I followed the documentation to the letter for a single server install, and everything worked out just fine.  WONDERFUL!  GREAT!  So far…


Windows Server 2008 and Subversion over HTTPS

Here’s the scenario: I decided to try out Subversion as a source control repository on a Windows Server 2008 server, joined to a Windows Server 2008 domain, with ISA Server forwarding HTTP traffic.  After doing a little bit of research, I decided to give VisualSVN Server a try.  If you don’t know it, it’s a very small-footprint product produced by VisualSVN Limited that installs Subversion and an Apache server on Windows to handle the HTTP connection to SVN (Subversion).

The product installed and configured very easily, ‘hats off’ to VisualSVN, and I was immediately able to connect to it from inside my network.  There are a few self-explanatory questions posed in the installation wizard.  Tough things like where you want to store your repositories. ;)  (If you’re going to use a file share as a repository, make sure that you use the UNC path and not a mapped drive.)


I’m amazed that I’ve come across yet another tech product that is actually behaving as advertised.  Is it just me, or is that odd???

Through no fault of VisualSVN, I began to run into configuration issues when I tried to route the traffic through ISA Server.


Get Windows 7 Working with your Terastation

Windows 7 and Windows Vista both have issues interacting with the Buffalo TeraStation and similar Buffalo products.  This is due to updated NTLM security settings in both Windows 7 and Vista.  The unpatched behavior is repeated prompts to log in / authenticate to the NAS.

Buffalo has released a registry patch that allows Windows 7 and Vista to connect to their TeraStation NAS products by lowering the security level to Windows XP-compatible NTLM security.  This is a downgrade, but I have thus far had no problem with it.  Check out the readme below, which is included in the download:

This registry patch file enables Windows(R) Vista(TM) PCs to
work with Buffalo NAS products.  This patch is installed
directly onto Windows Vista PCs.

WARNING:  This file is only for use on Vista PCs, it is NOT
required or supported on any other operating system.

Compatibility:
This patch is only required when using one of the following
Buffalo NAS products:
– LinkStation (HD-HLAN)
– Gigabit LinkStation (HG-HGLAN)
– LinkStation Home Server (HS-DGL)
– TeraStation (HD-DTGL/R5)
– TeraStation Home Server (HS-DTGL/R5)
– TeraStation Pro (TS-TGL/R5)

Instructions:
1)  Double click on the Buffalo_NAS_Vista_Support.reg file
2)  Press the ‘Yes’ button when prompted.
3)  Press the ‘OK’ button to exit the patch file.
4)  Restart your Vista computer.

SECURITY NOTICE:
Applying this patch lowers the NTLM authentication
level to be compatible with some of Buffalo’s NAS products.
This NTLM authentication level is equivalent to the level
used in Windows XP.


MOSS: An Unexpected Error Has Occurred

If you’ve worked with MOSS long enough, I’m sure you’ve seen this error.  The reasons it occurs are numerous, and it may even be blamed on poor error handling / reporting by the programmers.

If you’ve come across this error, turned <customErrors /> off in your MOSS site’s web.config, and it still occurs, you may have run into the issue that I did.

This can occur right after MOSS installation or on a farm that has been up and running for some time.  It is something quick you can check to rule out as the cause, especially if your server is managed through AD or by an admin who is really tight on server security.

My instance of this error was on a completely locked-down Windows Server 2008 installation.  The cause was one setting applied through an Active Directory (AD) Group Policy Object (GPO): “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.”


Building an Active Directory Domain Controller for Development using VMware Workstation – Pt. 2

In my last post, we created a VM (Virtual Machine) using VMware Workstation 6.5.2 running Windows Server 2003 R2.  If you’re getting started here with a VM of your own, or with physical hardware, the current state of the VM for this tutorial is a standard Windows Server 2003 R2 installation with all recommended updates / patches applied.

If this server is running in VMware Workstation, feel free to snapshot the VM at this point so that you have a clean build of Windows Server 2003 that can then be sysprep’ed and used to deploy multiple other servers.


Protecting Yourself and Your Passwords on the Internet

*** If you think one of your online accounts is hacked or compromised in some way, and that’s how you got here, immediately log into whatever account it is and change your password. ***

Recently a friend of mine’s Facebook account was phished, which is the impetus for me creating this entry.  All of his friends received Wall posts saying that they had pictures posted on a web site.  This was designed to get the unknowing to visit the site.  Once there, the site began asking the visitor questions before allowing them to interact with it, for example, to view their pictures.  This is a standard tactic for extracting information from users by claiming to have something that the users want.  If you filled out the information and created your own username and password on their site, which was mandatory, they then asked what site you came from, e.g. Facebook.  I didn’t follow through, but I can imagine that if I had entered a standard password that I use, my Facebook account would have been hacked next.

Passwords.

It’s best practice to have different passwords for different websites, though in this day and age it’s almost impossible.  The next best thing you can do is to have different passwords for different types of sites.  For example:

  • Password 1: Used only for financial sites.  Financial sites most often protect their users’ passwords by hashing them.  Hashing is a form of "non-reversible" encryption (it can still be compromised, but it is not easy by any means… see "brute force").  If you lose your password to a site that is hashing your password, you will have to create a new one, since password recovery is not an option.  These are the safest sites, as even the software engineers and administrators can’t view your password.  This should also be your most complex password, using upper- and lowercase alpha, numeric, and special characters.  Want to be REALLY secure?  Come up with a password that uses all of the above and is a minimum of 16 characters long.  A pass-phrase can help, replacing some alpha characters with numeric or special characters: "Th15 Is @ $tr0n6 P@$$w0rd."  Oh, and did I mention that you can also include spaces?  Brute force against long, complex passwords with spaces is about as difficult as it gets.
  • Password 2: Sites that are trusted but do not hash your password.  These are sites that, if you click the "forgot password" link, will email your password to you or show it to you on-screen.  These sites are not very secure, in that your password can be viewed by anyone who has direct access to the database in which it is stored.  Some of these sites DO encrypt passwords, but the encryption is reversible, which means a programmer could extract the data.  Most companies will attempt to use some sort of encryption on your personally identifiable information, thereby lowering their liability, but reversible encryption is still a flawed security measure in my opinion.
  • Password 3: A junk password that you use for sites that you really don’t trust, don’t care about, and will likely never visit again.  Frankly, if you don’t trust a site, don’t care about it, and will likely never visit it again, it’s probably best to just not create an account, or you may be subjecting yourself to someone’s SPAM list as well.


Network Security Appliance for Free: Untangle

About a year ago a good friend, Bobby Shea, introduced me to Untangle.  I finally got around to implementing it on my network and I’ve found it to be an amazing system.

Untangle is an open source, scaled-down Linux implementation that can turn your old throwaway PCs into commercial-grade network appliances.  Why spend several hundred to several thousand dollars when chances are you’ve got the requisite hardware just sitting around gathering dust?  You’ll likely have to add a NIC or two, but otherwise, that’s it!  Oh, and it can even be virtualized.
