How to secure Windows from POODLE and BEAST SSL attacks – Disable SSL, Enable TLS 1.2

We are witnessing the death of the SSL protocol as we (or some of us) know it.
This fall, the POODLE attack on SSL 3.0 (CVE-2014-3566) was published. Together with the older BEAST attack on TLS 1.0's CBC mode, it means an attacker who can sit in the middle of a connection can recover plaintext (session cookies, typically) from SSL 3.0 sessions and, with more effort, from TLS 1.0 sessions. Neither attack applies to TLS 1.1 or TLS 1.2.

This post is about disabling and enabling those protocols in Windows (the SChannel registry settings). There is still some debate as to how effective this really is on its own. Regardless, organizations are already requiring that servers and clients disable SSL v2, SSL v3 and TLS v1.0 and use TLS 1.1 and/or TLS 1.2 for everything.

Do you need to verify which protocols a host accepts? If the host is reachable from the Internet there are free online checkers (Qualys SSL Labs is the usual one). For internal hosts, nmap's ssl-enum-ciphers script or openssl s_client with -ssl3 / -tls1 will tell you the same thing.
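If you would rather not depend on an outside tool at all, the check below is an added example (not part of the original post) that probes a host from PowerShell and reports which SSL/TLS versions it will negotiate. It uses only .NET's SslStream, so it runs on any Windows machine; the host name in the usage line is an assumption.

```powershell
# Added example, not from the original post: probe a host to see which SSL/TLS
# versions it will actually negotiate. Uses only .NET's SslStream.
function Test-TlsProtocolSupport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 443,
        # Names are System.Security.Authentication.SslProtocols members; Ssl2/Ssl3/Tls13
        # are missing on some .NET versions and then show up as a failure with the cast error.
        [string[]]$Protocols = @('Ssl2','Ssl3','Tls','Tls11','Tls12','Tls13'),
        [int]$TimeoutMs = 5000
    )
    foreach ($name in $Protocols) {
        $row = [ordered]@{ ComputerName = $ComputerName; Port = $Port; Protocol = $name
                           Accepted = $false; Negotiated = $null; Cipher = $null; Detail = $null }
        $tcp = $null; $ssl = $null
        try {
            $proto = [System.Security.Authentication.SslProtocols]$name
            $tcp = New-Object System.Net.Sockets.TcpClient
            $ar = $tcp.BeginConnect($ComputerName, $Port, $null, $null)
            if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
            $tcp.EndConnect($ar)
            # Accept any certificate: we are testing protocol support, not trust.
            $ssl = New-Object System.Net.Security.SslStream(
                $tcp.GetStream(), $false,
                [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
            $ssl.ReadTimeout = $TimeoutMs; $ssl.WriteTimeout = $TimeoutMs
            # Offer exactly one protocol version; the server either takes it or aborts the handshake.
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            $row.Accepted   = $true
            $row.Negotiated = $ssl.SslProtocol.ToString()
            $row.Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit / $($ssl.HashAlgorithm) / $($ssl.KeyExchangeAlgorithm)"
        } catch {
            # A handshake failure here is the expected result for a disabled protocol.
            $row.Detail = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }
        [pscustomobject]$row
    }
}

# Usage (host name is an assumption):
# Test-TlsProtocolSupport -ComputerName intranet.example.com | Format-Table -AutoSize
```

One caveat worth knowing: SslStream goes through the probing machine's own SChannel, so the result reflects both ends. Once you have disabled the TLS 1.0 client setting on the machine you probe from, a TLS 1.0 row will fail locally whether or not the server still allows it; probe from a host that still has the old protocols enabled client-side, or use openssl/nmap.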

You don't have to buy a tool to make the change for you on a Windows host, though. Here are the Windows command-line commands needed to set the registry values. Run them from an elevated prompt and reboot afterwards, because SChannel reads these keys at startup. Test before rolling out: disabling the TLS 1.0 client setting on older Windows builds can break RDP, SQL Server client connections and .NET applications that have not been updated to negotiate TLS 1.1/1.2.

REM   This part disables SSL 2 and 3 as well as disabling TLS 1.0
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REM   This part enables TLS 1.1 and 1.2 and makes them available by default.
REM   NOTE: the last two lines enable RC4 and 3DES. RC4 was a common BEAST workaround because it is a
REM   stream cipher rather than CBC, but it is now considered broken (RFC 7465 prohibits it in TLS) and
REM   3DES is affected by Sweet32. Set both to /d 0 unless a legacy client forces you to keep them.
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168" /v Enabled /t REG_DWORD /d 1 /f
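After the reboot, read back what SChannel is actually configured to do. The script below is an added example (not from the original post) that audits the protocol and cipher keys the REG ADD commands touch and flags anything a POODLE/BEAST-motivated hardening should have turned off. It also checks the two .NET Framework 4.x values that decide whether managed applications can follow the change. It uses the .NET registry API rather than Get-ItemProperty because cipher key names such as "RC4 128/128" contain a "/", which the PowerShell registry provider treats as a path separator.

```powershell
# Added example, not from the original post: audit the local SChannel configuration.
$schannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-HklmValue {
    param([Parameter(Mandatory=$true)][string]$SubKey, [Parameter(Mandatory=$true)][string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }               # key absent: the OS default applies
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Get-SchannelState {
    $protocols       = 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2'
    $legacyProtocols = 'SSL 2.0','SSL 3.0','TLS 1.0'
    foreach ($p in $protocols) {
        foreach ($side in 'Server','Client') {
            $sub       = "$schannelBase\Protocols\$p\$side"
            $enabled   = Get-HklmValue $sub 'Enabled'
            $byDefault = Get-HklmValue $sub 'DisabledByDefault'
            # Enabled=0 is the hard off switch. DisabledByDefault=1 only stops the protocol
            # being offered unless an application asks for it explicitly.
            $state = 'OS default'
            if ($enabled -eq 0) { $state = 'disabled' }
            elseif ($byDefault -eq 1) { $state = 'enabled, not offered by default' }
            elseif ($null -ne $enabled -or $null -ne $byDefault) { $state = 'enabled' }
            $finding = ''
            if ($legacyProtocols -contains $p -and $state -ne 'disabled') { $finding = 'WEAK: set Enabled=0' }
            [pscustomobject]@{ Item = "$p $side"; Enabled = $enabled; DisabledByDefault = $byDefault
                               State = $state; Finding = $finding }
        }
    }
    # RC4 is prohibited in TLS (RFC 7465) and 3DES is subject to Sweet32; the REG ADD
    # script above turns both on. NULL is listed because it must never be enabled.
    foreach ($c in 'RC4 128/128','RC4 56/128','RC4 40/128','Triple DES 168/168','NULL') {
        $enabled = Get-HklmValue "$schannelBase\Ciphers\$c" 'Enabled'
        $state   = 'OS default'
        if ($enabled -eq 0) { $state = 'disabled' } elseif ($null -ne $enabled) { $state = 'enabled' }
        $finding = ''
        if ($state -ne 'disabled') { $finding = 'WEAK: set Enabled=0' }
        [pscustomobject]@{ Item = "Cipher $c"; Enabled = $enabled; DisabledByDefault = $null
                           State = $state; Finding = $finding }
    }
    # .NET Framework 4.x clients pick their own protocol list (SSL 3.0/TLS 1.0 on older 4.x builds).
    # Once TLS 1.0 is disabled in SChannel they fail unless SchUseStrongCrypto=1 (adds TLS 1.1/1.2)
    # or, on .NET 4.7+, SystemDefaultTlsVersions=1 (follow the SChannel settings).
    foreach ($fw in 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                    'SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        foreach ($v in 'SchUseStrongCrypto','SystemDefaultTlsVersions') {
            $val     = Get-HklmValue $fw $v
            $state   = 'not set'
            if ($val -eq 1) { $state = 'set' }
            $finding = ''
            if ($val -ne 1) { $finding = 'CHECK: .NET apps may still try SSL 3.0/TLS 1.0' }
            [pscustomobject]@{ Item = "$v ($fw)"; Enabled = $val; DisabledByDefault = $null
                               State = $state; Finding = $finding }
        }
    }
}

Get-SchannelState | Format-Table -AutoSize
```

Run it as an administrator after the reboot; any row with a Finding is something the REG ADD script either left at the OS default or, in the case of RC4 and 3DES, explicitly enabled.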

Backup rules in ADFS

I had a need to create a PowerShell script that backs up the rules of claim provider trusts and relying-party trusts in ADFS. It works in AD FS 2 through 3.

You can use this to keep the rules in version control or to migrate them to a new federation server.

Here is the PowerShell code:

# Guidance for this was found here:
#  If you want the files saved somewhere other than C:\Temp, change the "$ExportDir" line below.

# AD FS 2.0 on Windows Server 2008 R2 has no ADFS module; use
# Add-PSSnapin Microsoft.Adfs.PowerShell there instead.
Import-Module ADFS

$ExportDir = "C:\Temp"

# Export the Acceptance Transform Rules for each Claim Provider Trust (except the AD one)
$claimTrusts = Get-AdfsClaimsProviderTrust | ?{$_.Name -ne "Active Directory"}
foreach ($CT in $claimTrusts) {
    $RulePath = "$ExportDir\" + $CT.Name.Replace(" ","") + "-AcceptanceRules.txt"
    $CT.AcceptanceTransformRules | Out-File $RulePath
}

# Export all three types of rules for each Relying-Party Trust
$RPTrusts = Get-AdfsRelyingPartyTrust
foreach ($RP in $RPTrusts) {
    $Base = "$ExportDir\" + $RP.Name.Replace(" ","")
    $RP.IssuanceTransformRules     | Out-File "$Base-IssuanceTransformRules.txt"
    $RP.IssuanceAuthorizationRules | Out-File "$Base-IssuanceAuthRules.txt"
    $RP.DelegationAuthorizationRules | Out-File "$Base-DelegationAuthRules.txt"
}
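The migration case needs the other half: reading those files back in on the new federation server. The function below is an added example (not part of the original post) that does so with the -*RulesFile parameters of Set-AdfsClaimsProviderTrust and Set-AdfsRelyingPartyTrust. It assumes the export files are in C:\Temp, that the trusts already exist on the target server under the same names, and it supports -WhatIf so you can see what it would change first.

```powershell
# Added example, not from the original post: restore the exported rule files
# onto trusts of the same name on the target federation server.
Import-Module ADFS   # AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell instead

function Restore-AdfsTrustRules {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$RulePath = 'C:\Temp')     # assumed: where the export script wrote its files

    # Claims provider trusts: one acceptance rule file each (the AD trust is skipped, as in the export)
    foreach ($ct in Get-AdfsClaimsProviderTrust | ?{ $_.Name -ne 'Active Directory' }) {
        $file = Join-Path $RulePath ($ct.Name.Replace(' ','') + '-AcceptanceRules.txt')
        if (-not (Test-Path $file)) { Write-Warning "No export found for claims provider '$($ct.Name)'"; continue }
        if ($PSCmdlet.ShouldProcess($ct.Name, "apply acceptance rules from $file")) {
            Set-AdfsClaimsProviderTrust -TargetName $ct.Name -AcceptanceTransformRulesFile $file
        }
    }

    # Relying party trusts: up to three files, applied in a single Set call
    $fileSuffix = @{ IssuanceTransformRulesFile       = 'IssuanceTransformRules'
                     IssuanceAuthorizationRulesFile   = 'IssuanceAuthRules'
                     DelegationAuthorizationRulesFile = 'DelegationAuthRules' }
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $base   = Join-Path $RulePath $rp.Name.Replace(' ','')
        $params = @{ TargetName = $rp.Name }
        foreach ($entry in $fileSuffix.GetEnumerator()) {
            $file = "$base-$($entry.Value).txt"
            if (Test-Path $file) { $params[$entry.Key] = $file }
        }
        if ($params.Count -eq 1) { Write-Warning "No export found for relying party '$($rp.Name)'"; continue }
        if ($PSCmdlet.ShouldProcess($rp.Name, "apply $($params.Count - 1) rule set(s)")) {
            Set-AdfsRelyingPartyTrust @params
        }
    }
}

# Dry run first, then for real:
Restore-AdfsTrustRules -WhatIf
# Restore-AdfsTrustRules
```

The rule files are plain claim-rule language, so they only work on the target if the attribute stores and claim types they reference exist there too; a rule that names a custom attribute store will be rejected by the Set call until that store is created.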

I haven't forgotten about you

I'm trying to figure out what direction to go with my next posts. But what I really need is to commit to some consistency. My employers are asking me to contribute to the corporate blog, so there is a lot of positive pressure to write more.

But what to post? Do you like instructional how-to stuff, or do you like contracting/consulting/interviewing wisdom? You don't have to answer, but these are what's warbling in my head.

Adding SharePoint Managed Service Accounts in PowerShell

If you have to build enough SharePoint 2010 environments, after a while you get really tired of manually adding every service account in SharePoint Central Administration.

Below is some PowerShell code that can be used to load up all of your service accounts at once. You'll have to change some things if you have different passwords for each account or if you need to enable automatic password changing.

###    This script is for bulk loading SharePoint managed service accounts that
###    are in the same domain as the server and all have the same password.
#    Run it from the SharePoint 2010 Management Shell, or load the snap-in first:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
#    The one password for all accounts is prompted for, so it never sits in the script file
$securePassword = Read-Host -Prompt "Password for all service accounts" -AsSecureString
#    Put each service account to be SharePoint managed in double quotes like the example below
ForEach ($SvcAccount in "SVC-SPSearch","SVC-SPServiceApp1","SVC-SPBCS","SVC-SPProfileImport","SVC-SPPortalAppPool","SVC-SPMysiteAppPool") {
    $userName = $env:USERDOMAIN + "\" + $SvcAccount
    $cred = New-Object System.Management.Automation.PSCredential -ArgumentList $userName, $securePassword
    New-SPManagedAccount -Credential $cred -WhatIf    # remove -WhatIf once the dry run looks right
}
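For the two variations the text mentions, a different password per account and SharePoint-managed automatic password changes, here is an added example (not part of the original post). It prompts for each account's current password separately, skips accounts that are already registered so it can be re-run, and optionally hands password rotation to SharePoint with Set-SPManagedAccount. The account names and the schedule string are made up for illustration.

```powershell
# Added example, not from the original post: per-account passwords and automatic
# password change for SharePoint 2010 managed accounts.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Register-SPServiceAccounts {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string[]]$AccountName,
        [string]$Domain = $env:USERDOMAIN,
        [switch]$AutoChangePassword,
        # SPSchedule syntax; this value is an assumption for the example
        [string]$Schedule = 'monthly between 1 02:00:00 and 1 03:00:00',
        [int]$PreExpireDays = 2
    )
    foreach ($name in $AccountName) {
        $user = "$Domain\$name"
        $acct = Get-SPManagedAccount -Identity $user -ErrorAction SilentlyContinue
        if ($acct) {
            Write-Verbose "$user is already a managed account"
        } else {
            # Prompt for this account's own password; nothing is written to disk
            $cred = Get-Credential $user
            if (-not $cred) { Write-Warning "Skipped $user (no credential supplied)"; continue }
            if (-not $PSCmdlet.ShouldProcess($user, 'New-SPManagedAccount')) { continue }
            $acct = New-SPManagedAccount -Credential $cred
        }
        if ($AutoChangePassword -and $PSCmdlet.ShouldProcess($user, "enable automatic password change ($Schedule)")) {
            # SharePoint generates and sets the new password in AD on the schedule;
            # the account then needs no password you know or store.
            Set-SPManagedAccount -Identity $acct -AutoGeneratePassword -Schedule $Schedule -PreExpireDays $PreExpireDays
        }
    }
}

# Usage (account names are assumptions); dry run first, then without -WhatIf:
Register-SPServiceAccounts -AccountName 'SVC-SPSearch','SVC-SPPortalAppPool' -AutoChangePassword -WhatIf
```

Automatic password change requires the farm account to have permission to reset those accounts' passwords in Active Directory, and it only makes sense for accounts used exclusively by SharePoint; an account that is also used by a scheduled task or another product will break the first time SharePoint rotates it.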

Antivirus Exclusions for SharePoint 2010 and SQL Server 2008 R2

This comes up all of the time for me and it is high time that I created a single place for me to see every antivirus exclusion that is necessary for production SharePoint 2010 and SQL 2008 R2 servers to run efficiently. If you don’t configure antivirus exclusions on your servers you can expect to see performance problems and mysterious errors at some point, especially when load starts getting high.

After the break, there’s a full table that lists out all of the necessary antivirus exclusions that should be configured for Windows servers that are running SharePoint 2010 and/or SQL 2008 R2:


Can you run the Configuration Wizard on multiple SharePoint 2010 farm hosts at once?

Simply put, no.

Take, for example, installing the Service Pack 1 upgrade bits. The first thing, of course, is to finish installing those bits on all of the servers in your farm. After that you need to run the SharePoint Products Configuration Wizard (or psconfig.exe) on each server to upgrade the installation. I recommend running the wizard first on the app server that hosts your Central Administration site, but you really need to wait until it has finished before running the config wizard on the next server. If you rush ahead, it won't let you. I tried it just to see what would happen: when I started the second config wizard while the first was still running, it sat on the same screen until the first server had finished.

So it looks like there is a lock that is checked before the upgrade starts, and if one server already holds the configuration lock, the next one will not start until the first is finished.

A SharePoint Consultant’s list of scope-growing factors

As I’m preparing to start work on building a single-server SharePoint 2010 pilot rig for a client, I was listing things to check for before I would be willing to shoot off my mouth about how easy the installation will be.

For those that may find it interesting, here is a list of scope-growing factors that can add major complexity to a simple SharePoint implementation:

  • Incoming email functionality
  • Non-AD profile sync connections
  • Write-to AD functionality for profile-sync (as opposed to reading from Active Directory only)
  • Forms based authentication or claims authentication (instead of old-school Windows auth)
  • Search content sources other than the local SharePoint content
  • FAST Search (instead of regular SharePoint search)
  • PowerPivot
  • Project Server
  • Team Foundation Server
  • SQL Reporting Services
  • Migration or upgrading of content from other SharePoint farms
  • Publishing service applications to other SharePoint farms
  • 3rd party add-ons

Forefront UAG install fails – Event ID 11406, Error 1406

I had four freshly installed Windows Server 2008 R2 servers in a row fail to install Forefront Unified Access Gateway, all with the same error:

Log Name:      Application
Source:        MsiInstaller
Date:          9/29/2011 1:10:10 PM
Event ID:      11406
Task Category: None
Level:         Error
Keywords:      Classic
User:          DOMAIN\#ServiceAccount
Computer:      localcomputername
Product: Microsoft Forefront Threat Management Gateway — Error 1406.Could not write value InstalledBy to key \SOFTWARE\Microsoft\Updates\Microsoft Forefront Threat Management Gateway\7.0.8108\Service Pack 1.  System error .  Verify that you have sufficient access to that key, or contact your support personnel.

There was nothing out there helping me. I finally found Microsoft KB969865, which says: “When you run .NET Framework 3.5 SP1 setup with a user account whose name begins with a ‘#’ character, the installation will fail.” and then gives the error, which is exactly the one I got. The cause section explains that the installer writes the installing user's name into an “InstalledBy” registry value, and a leading ‘#’ is a type-prefix character in Windows Installer's Registry table syntax, so the value cannot be written as-is. UAG's setup runs MSI packages the same way (the failing one above is the Forefront TMG package), hence the identical failure with a DOMAIN\#ServiceAccount installer account.

So I tried it again with a different account and the install finishes with no problems at all.

Can’t use PSconfig to create SharePoint 2010 configdb

On a client’s site today I was having a horrible time trying to use psconfig to create a configdb. The reason I was doing it is because the client wanted every SharePoint database to have a certain prefix on the database name. You can use the configuration wizard to customize the name of the configdb but it doesn’t let you customize the name of the Central Admin site’s content database. To do that, you need to use PSconfig.exe. No problem, I’ve done this before; sometimes for this exact reason.

But this time I had a horrible time doing it. I don’t know if these factors had anything to do with it but my situation included the following noteworthy factors:

  • Brand new SQL 2008 R2 CU7 Active/Passive clustered SQL environment with a named instance
  • SQL is configured to use dynamic ports only on TCP/IP
  • My SharePoint 2010 host is configured to use a SQL client alias to connect
  • SharePoint 2010 was installed with media that was slipstreamed with service pack 1 and the June 2011 CU

Here is the command I was trying to use:

psconfig.exe -cmd configdb -create -server MYSQLAliasName -database FancyPrefix_SharePoint_Config -dbuser Domain\SPfarm -dbpassword SomePassword -user Domain\spadmin -password SomePassword -admincontentdatabase FancyPrefix_Admin_Content -passphrase MY_passphrase

The error I got in command-prompt window was:

The configdb command is invalid or a failure has been encountered.
Cannot connect to database master at SQL server at MYSQLAliasName. The database might not
exist, or the current user does not have permission to connect to it.

Not helpful. After verifying that I was able to connect I turned to look at the database server. But on the SQL server there was a more descriptive error in the SQL Logs:

Error: 18456, Severity: 14, State: 6.

Login failed for user ‘Domain\SPfarm’. Reason: Attempting to use an NT account name with SQL Server Authentication.

So at first I tried configuring SQL to accept Windows Authentication only. That didn't help; after restarting the services, the next attempt got me this error:

Error: 18456, Severity: 14, State: 58.

Login failed for user ‘Domain\SPfarm’. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only.

So no dice. I kept searching and trying variations. Including altering my syntax to use the “username@domain.local” style but nothing worked.

I never did figure out how to get past the problem. I ran out of time and decided to work around it: I created the farm using the configuration wizard and then followed Cuban Pete's instructions to change the name of the Admin Content database, which are simply the PowerShell commands needed to change the name in SharePoint, after which you go into SQL Server Management Studio and rename the actual database.
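An added note and example, not part of the original post. The psconfig -dbuser and -dbpassword switches are documented as SQL Server authentication credentials (the Windows farm account goes in -user/-password), which is exactly what SQL logged as 18456 state 6, "Attempting to use an NT account name with SQL Server Authentication". For Windows authentication you leave -dbuser/-dbpassword out; the config database is created under the identity running the command (the setup account) and the farm account is only used for the farm service identity. The script below does the same job with the PowerShell cmdlets, which also let you name the Central Administration content database, and first proves that the SQL alias and Windows authentication work from the SharePoint box. The alias, database names, accounts, port and passphrase are the post's placeholders or assumptions.

```powershell
# Added example, not from the original post: create a SharePoint 2010 farm with
# custom database names over Windows authentication.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sqlAlias = 'MYSQLAliasName'      # placeholder from the post; a SQL client alias is fine here

# 1. Prove the alias resolves and Windows auth works before touching psconfig.
#    Also confirms which login SQL actually sees (the account running this shell).
function Test-SqlWindowsAuth {
    param([Parameter(Mandatory=$true)][string]$Server)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Server;Database=master;Integrated Security=SSPI;Connect Timeout=10")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME(), @@SERVERNAME, @@VERSION'
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{ LoginAs = $r[0]; Instance = $r[1]; Version = ($r[2] -split "`n")[0] }
    } finally { $conn.Dispose() }
}
Test-SqlWindowsAuth -Server $sqlAlias

# 2. Create the configuration database and the admin content database with the
#    names the client wants. No -DatabaseCredentials: that parameter, like
#    psconfig's -dbuser/-dbpassword, switches to SQL authentication.
$farm       = Get-Credential 'Domain\SPfarm'           # farm service account (placeholder from the post)
$passphrase = Read-Host -Prompt 'Farm passphrase' -AsSecureString
New-SPConfigurationDatabase -DatabaseServer $sqlAlias `
    -DatabaseName 'FancyPrefix_SharePoint_Config' `
    -AdministrationContentDatabaseName 'FancyPrefix_Admin_Content' `
    -FarmCredentials $farm -Passphrase $passphrase

# 3. The rest of what the configuration wizard does on the first server.
Install-SPHelpCollection -All
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures
New-SPCentralAdministration -Port 9999 -WindowsAuthProvider 'NTLM'   # port is an assumption
Install-SPApplicationContent

# The equivalent psconfig line is the one from the post with -dbuser/-dbpassword removed:
#   psconfig.exe -cmd configdb -create -server MYSQLAliasName -database FancyPrefix_SharePoint_Config
#       -user Domain\SPfarm -password SomePassword -admincontentdatabase FancyPrefix_Admin_Content
#       -passphrase MY_passphrase
```

Run this from the setup account (the one that is a local administrator and has dbcreator/securityadmin on the SQL instance); if Test-SqlWindowsAuth fails with a login error, fix the alias or the SQL permissions first, since every later step will produce the same unhelpful "Cannot connect to database master" message.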