I was wrong. It went well. And he had a working 2010 farm with all the basic service apps in under 2 hours.

Here are some points to remember when doing a pilot (or any kind of) install:

• Create all of your service accounts ahead of time. (You DO use service accounts, right??)
• Give the setup account admin rights on the SQL servers too and not just the SharePoint servers (this wasn’t necessary for MOSS). If it’s SQL 2008, make the setup account a sysadmin in SQL. (The farm account still just needs “secadmin” and “dbcreator” roles in SQL.)
• Remember to turn off the “Default Web Site” in IIS. Also change the bindings so that the port is something other than 80.
• Get a static IP
• Don’t forget to disable the loopback check.
• If your SQL server hosts multiple projects and not just your SharePoint farm, consider using some kind of prefix in front of the database names as you are setting up SharePoint. For example, if you put “SP2010_” at the beginning of all the SQL databases you use, your SharePoint databases will be nicely bunched together when you use SQL Management Studio
• When setting up profile synchronization to Active Directory, try to only select OUs that have actual user accounts in them. Avoid the OUs or containers that have service accounts. Nobody wants to store 150+ profiles for service accounts.

Technorati Tags: consulting, IIS, security, SharePoint, working

Follow these steps to make the change manually:

1. Back up your registry (outside link)
2. Disable SSL 2.0:
   1. Browse to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0" key. 
   2. There is probably a key there called "Client".  If there is not also a key under there called "Server", create it.
   3. Create a DWORD for the "SSL 2.0\Client" sub-key called "Enabled" and set it to "0".
   4. Create a DWORD value for the "SSL 2.0\Server" subkey and set it to "0", too.  (This will disable SSL version 2.0)
3. Enable SSL 3.0:
   1. Browse to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\" key. 
   2. If there is not a key under there called "SSL 3.0", create it.
   3. Under "SSL 3.0", create a key called "Client" and a key called "Server".
   4. For both "Client" and "Server", add a DWORD value to each called "Enabled" and set it to "1" (This will enable SSL 3.0).
4. Enable TLS 1.0:
   1. Browse to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\" key. 
   2. If there is not a key under there called "TLS 1.0", create it.
   3. Under "TLS 1.0", create a key called "Client" and a key called "Server".
   4. For both "Client" and "Server", add a DWORD value to each called "Enabled" and set it to "1" (This will enable  TLS 1.0).
5. Add support for the RC2, RC4, and 3DES ciphers:
   1. Browse to this key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
   2. Under "Ciphers" you will add three keys.  The first is called "RC2 128/128".  The second is called "RC4 128/128".  The third is called "Triple DES 168/168".
   3. Do not add any values or keys under the three new keys.
6. Restart the server.

Or you could just run these commands from an administrative command-line:

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC2 128/128"
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128"
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168"

Further Reference:

• How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (Microsoft Support)
• How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (Microsoft Support)

Technorati Tags: command-line, IIS, security

Have you ever stopped and wondered how much information is being gleaned from your use of free social web applications? And adding unfettered access to your email, means you might as well let them tap your cell phone.

Now get off my lawn.

Technorati Tags: Internet, security

BUT, in R2 of Server 2008, the most important one of these is locked down and won’t let you change it.  If you try to change the “IIS WAMREG admin Service” in R2 you’ll see a grayed out screen like this:

Even if you’re a full admin, you’re still locked out.  It turns out you have to into regedit and give yourself permissions to the corresponding registry key just to be ABLE to modify it in DCOM.  I found full instructions to fix it up in this blog post: http://www.wictorwilen.se/Post/Fix-the-SharePoint-DCOM-10016-error-on-Windows-Server-2008-R2.aspx

I had to pass this on.  Because I we’ll be running into this a lot as we get involved with MOSS installs on Server 2008 R2 servers.

Technorati Tags: security, SharePoint