Friday, October 24, 2014

Improve security on a Windows Server

HOW TO - Enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012.
q: What is the easiest way to review the security of our server and disable older, less secure technologies?

a: Here are a few steps:

  1. We recommend using SSL Labs to audit your public-facing server and see what vulnerabilities exist. https://www.ssllabs.com/ssltest (Note: You'll probably want to mark the checkbox to keep the results private.)
  2. Historically we purchased Foundeo to disable weak ciphers. https://foundeo.com/products/iis-weak-ssl-ciphers/ That product was fine for our 2003 servers 3 years ago but it seems dated for 2014 vulnerabilities.
  3. Now we recommend Nartac's IIS Crypto utility. https://www.nartac.com/Products/IISCrypto/Default.aspx This tool does a great job of showing you the various protocols and ciphers. It has one-click buttons that let you quickly secure your server to various levels.
  4. Our only warning is to be careful if you still have Windows XP machines in the mix. Their best security is still lower than the lowest security of a FIPS 2012 Windows Server. In plain English, a FIPS 140-2 secure server won't have any way to talk with a Windows XP machine using Internet Explorer, for example.
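
To confirm on the server itself which protocols have been explicitly enabled or disabled, you can read the Schannel protocol overrides that Windows keeps in the registry. The script below is an added example, not part of the original post or of any tool it mentions; it is read-only, checks only the Server role of the protocol keys (not ciphers, hashes or key exchange algorithms), and the function name and the choice to flag SSL 2.0 and SSL 3.0 are assumptions of this example.

```powershell
# Added example: read-only audit of Schannel protocol overrides (Server role).
# A missing key or value means the Windows version's built-in default applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
# Assumption for this example: SSL 2.0 and SSL 3.0 are the "older" protocols to flag.
$legacy = 'SSL 2.0', 'SSL 3.0'

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,
        [string]$Role = 'Server'
    )
    $path = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -Path $path) {
        $props = Get-ItemProperty -Path $path
        $enabled = $props.Enabled
        $disabledByDefault = $props.DisabledByDefault
    }
    if ($null -eq $enabled) {
        $state = 'Not configured (OS default)'
    } elseif ($enabled -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'   # any non-zero DWORD, e.g. 1 or 0xffffffff
    }
    New-Object PSObject -Property @{
        Protocol          = $Protocol
        Role              = $Role
        State             = $state
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        # True when a legacy protocol has not been explicitly disabled.
        Review            = (($legacy -contains $Protocol) -and ($state -ne 'Disabled'))
    }
}

$protocols | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Select-Object Protocol, Role, State, Enabled, DisabledByDefault, Review |
    Format-Table -AutoSize
```

Run it before and after changing the server's protocol settings to compare the two outputs; the external scan in step 1 remains the check of what clients can actually negotiate.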

Thursday, October 23, 2014

HOW TO - Install .NET Framework 3.5 on Server 2012 R2

  1. To install Report Viewer 2008 needed to run WSUS reports, you need .NET Framework 2.0.
  2. .NET Framework 2.0 is part of .NET Framework 3.5
  3. When you try to add this role/feature, you’re told "source files could not be found".
  4. Locate the 2012 R2 ISO and copy it locally.
  5. Right-click the ISO and click Mount.
  6. Assuming it mounted as drive F:, run this command from an elevated CMD (see below):
Dism /online /enable-feature /featurename:NetFx3 /All /Source:F:\sources\sxs /LimitAccess

  7. Then attempt to install the ReportViewer.exe again and it should work.