Enable TLS and disable SSL and weak ciphers on Windows Server 2008 R2

Disable Ciphers

To disable weak ciphers such as DES, RC2 and RC4:
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

· Right click the Ciphers key, select New – Key and name it DES 56/56.

· In the same way create keys named NULL, RC2 40/128, RC2 56/128, RC2 128/128, RC4 40/128, RC4 56/128, RC4 64/128, RC4 128/128 and Triple DES 168. The names must match exactly, including the space and the slash, because Schannel looks the keys up by name.

· Right click each new key, select New – DWORD (32-bit) Value, name it Enabled and set the value to 0.

Now all the above ciphers are disabled. With RC4 and 3DES gone only the AES cipher suites remain, which 2008 R2 supports; check that every client that still has to connect (old browsers, appliances, monitoring agents) can negotiate an AES suite before you reboot.

To disable SSL and enable TLS

Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

· Create new keys under the Protocols key named SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2.

· Create subkeys named Client and Server under each key created in the step above.

DISABLE SSL

Each Client and Server subkey takes two DWORD values. Enabled = 0 switches the protocol off completely; DisabledByDefault = 1 only stops Schannel offering it unless an application asks for it explicitly. Set both for every protocol you want gone.

· SSL 2.0 – Client

o Right click Client, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 1.

o Right click Client, select New – DWORD (32-bit) Value, name it Enabled, value 0.

· SSL 2.0 – Server

o Right click Server, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 1.

o Right click Server, select New – DWORD (32-bit) Value, name it Enabled, value 0.

· SSL 3.0 – Client

o Right click Client, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 1.

o Right click Client, select New – DWORD (32-bit) Value, name it Enabled, value 0.

· SSL 3.0 – Server

o Right click Server, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 1.

o Right click Server, select New – DWORD (32-bit) Value, name it Enabled, value 0.

Enable TLS

· TLS 1.0 – Client

o Right click Client, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 0.

o Right click Client, select New – DWORD (32-bit) Value, name it Enabled, value 1.

· TLS 1.0 – Server

o Right click Server, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 0.

o Right click Server, select New – DWORD (32-bit) Value, name it Enabled, value 1.

· TLS 1.1 – Client

o Right click Client, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 0.

o Right click Client, select New – DWORD (32-bit) Value, name it Enabled, value 1.

· TLS 1.1 – Server

o Right click Server, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 0.

o Right click Server, select New – DWORD (32-bit) Value, name it Enabled, value 1.

· TLS 1.2 – Client

o Right click Client, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 0.

o Right click Client, select New – DWORD (32-bit) Value, name it Enabled, value 1.

· TLS 1.2 – Server

o Right click Server, select New – DWORD (32-bit) Value, name it DisabledByDefault, value 0.

o Right click Server, select New – DWORD (32-bit) Value, name it Enabled, value 1.

After applying the above changes, REBOOT the server for the changes to take effect.
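The same registry changes as a PowerShell script, added here as an example; it is not part of the original post. It assumes an elevated PowerShell on the 2008 R2 server and uses the key and value names listed above; the cipher list and the protocol table are the ones from this post, so adjust them if your policy differs. There is one trap worth knowing: the cipher key names contain a slash, which the PowerShell registry provider treats as a path separator, so New-Item on "...\Ciphers\RC4 128/128" would create a key "RC4 128" with a child "128". The script therefore creates the cipher keys through the .NET RegistryKey API, which keeps the slash in the name.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# Windows Server 2008 R2, then reboot so Schannel reloads the settings.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# --- Ciphers -----------------------------------------------------------------
# Key names such as "RC4 128/128" contain a "/" that the PowerShell registry
# provider (HKLM:\...) treats as a path separator, so New-Item would create
# "RC4 128" with a child "128". The .NET RegistryKey API keeps the "/" intact.
$weakCiphers = @(
    'NULL', 'DES 56/56',
    'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
    'Triple DES 168'
)

$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\Ciphers")
foreach ($name in $weakCiphers) {
    $key = $ciphers.CreateSubKey($name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}
$ciphers.Close()

# --- Protocols ---------------------------------------------------------------
# $true = keep, $false = disable, applied to both the Client and the Server side.
# Enabled = 0 switches a protocol off completely; DisabledByDefault = 1 only
# stops Schannel offering it unless an application asks for it explicitly.
$protocols = @{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $true     # flip to $false later, once no client needs it
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

foreach ($proto in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        $path = "HKLM:\$schannel\Protocols\$proto\$side"   # no "/" here, the provider is fine
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $enabled = if ($protocols[$proto]) { 1 } else { 0 }
        New-ItemProperty -Path $path -Name 'Enabled' -Value $enabled `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value (1 - $enabled) `
            -PropertyType DWord -Force | Out-Null
    }
}

# --- Read back what was written before rebooting -----------------------------
foreach ($proto in ($protocols.Keys | Sort-Object)) {
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "HKLM:\$schannel\Protocols\$proto\$side"
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $side, $p.Enabled, $p.DisabledByDefault
    }
}
```

After the reboot, verify from another host rather than trusting the registry: nmap --script ssl-enum-ciphers -p 443 <server> must list no SSLv2/SSLv3 section and no RC4, 3DES or DES suites under TLS. When you later retire TLS 1.0 and 1.1 by flipping their entries to $false, remember that older .NET Framework applications on the box negotiate TLS 1.0 by default unless SchUseStrongCrypto is set for the framework version they use.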

Windows Server Update Services – Troubleshooting

  1. Telnet from the client to the WSUS server on the port the client is configured for: 80 (or 443 for HTTPS) is the default for WSUS 3.x on 2008 R2, 8530/8531 for WSUS on Server 2012 and later, or whatever your environment uses.
  2. Check the Windows Update log at c:\windows\windowsupdate.log; the last entries usually name the failing step and an 0x8024xxxx error code.
  3. Check that the Group Policy is correct: gpedit.msc – Local Computer Policy – Computer Configuration – Administrative Templates – Windows Components – Windows Update – a) check "Specify intranet Microsoft update service location"; it should point to your WSUS server and the port number should be correct; b) check whether "Enable client-side targeting" is enabled (if it is, the computer appears under the group name configured there on the WSUS server; if not, ignore it, the computer is placed in a group server-side).
  4. Check the proxy settings. The update agent uses the WinHTTP proxy (netsh winhttp show proxy), not the one set in Internet Options.
  5. Check the firewall between client and WSUS server.
  6. Stop the Windows Update service (net stop wuauserv), delete the folder c:\Windows\SoftwareDistribution, start the service again and run wuauclt.exe /detectnow. The folder cannot be removed while the service holds it open.
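The checks above, scripted; added as an example and not part of the original post. It reads the policy values that the "Specify intranet Microsoft update service location" GPO writes, tests the TCP port named in that policy (instead of telnet, which is not installed by default on 2008 R2), shows the WinHTTP proxy and the tail of the agent log. The cache reset from step 6 is a function you call deliberately, because it stops the update service.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# the client that does not report to WSUS. Step numbers refer to the list above.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Step 3: the "Specify intranet Microsoft update service location" GPO writes
# WUServer/WUStatusServer here and UseWUServer=1 under the AU subkey;
# client-side targeting writes TargetGroupEnabled/TargetGroup.
$pol = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
$au  = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue

if (-not $pol -or -not $pol.WUServer) {
    Write-Warning 'No WUServer policy value: the intranet update location GPO is not applied (gpupdate /force and re-check).'
} else {
    'WUServer        : {0}' -f $pol.WUServer
    'WUStatusServer  : {0}' -f $pol.WUStatusServer
    'UseWUServer     : {0}' -f $au.UseWUServer      # must be 1, otherwise the client goes to Microsoft Update
    if ($pol.TargetGroupEnabled -eq 1) { 'Target group    : {0}' -f $pol.TargetGroup }
    else { 'Client-side targeting not enabled; the computer lands in the group assigned on the WSUS server.' }

    # Step 1: TCP check against the host and port from the policy (replaces telnet).
    $uri = [Uri]$pol.WUServer
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($uri.Host, $uri.Port)
        'TCP {0}:{1} reachable' -f $uri.Host, $uri.Port
    } catch {
        Write-Warning ('Cannot reach {0}:{1} - check the port in the GPO (80/443 for WSUS 3.x, 8530/8531 for WSUS 4.0+) and the firewall (step 5)' -f $uri.Host, $uri.Port)
    } finally {
        $tcp.Close()
    }
}

# Step 4: the update agent uses the WinHTTP proxy, not the one set in Internet Options.
netsh winhttp show proxy

# Step 2: the last lines of the agent log usually name the failing stage
# (a WARNING with an 0x8024xxxx code). Select-Object -Last works on PowerShell 2.0 too.
Get-Content -Path C:\Windows\WindowsUpdate.log | Select-Object -Last 25

# Step 6: reset the agent cache. The services must be stopped first or the folder
# cannot be removed. /resetauthorization also makes the client re-read its target group.
function Reset-WUCache {
    Stop-Service -Name wuauserv, bits -Force
    Remove-Item -Path C:\Windows\SoftwareDistribution -Recurse -Force
    Start-Service -Name bits, wuauserv
    wuauclt.exe /resetauthorization /detectnow
}
# Call Reset-WUCache only after the checks above pass; it is the last resort, not the first.
```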

Move local users from Windows Server 2003 to Windows Server 2008 R2/Windows Server 2012 R2

Unfortunately USMT cannot be used to move local user accounts off a Windows server; it migrates user profiles and settings, not the accounts themselves. Windows Server Migration Tools can.

AIM:

To move local user accounts and the groups each account belongs to.
Source : Windows Server 2003 SP2
Destination : Windows Server 2012 R2

HOW TO:

On the 2012 server, install the feature "Windows Server Migration Tools".
Browse to c:\windows\system32\servermigrationtools\
Execute the below command to build a deployment package for the 2003 (x86) source:
.\smigdeploy.exe /package /architecture x86 /os WS03 /path c:\deploy

This creates c:\deploy\SMT_ws03_x86. Copy that folder to the 2003 server (here as c:\smt_ws03_x86).

On the 2003 server, open a command prompt, browse to c:\smt_ws03_x86 and execute the below command
smigdeploy.exe
This registers the migration cmdlets and opens a PowerShell window; wait until it appears.

In that PowerShell window, run the below command
export-smigserversetting -user all -group -path c:\win2k3users

You are prompted for a password; it encrypts the migration store and is required again at import. -User All exports enabled and disabled accounts; -User Enabled would export only the enabled ones.

Copy the c:\win2k3users folder to the 2012 server.

On the 2012 server
Open Server Manager – Tools – Windows Server Migration Tools – Windows Server Migration Tools. This opens a PowerShell window with the cmdlets loaded.

Run the below command
Import-SmigServerSetting -User All -Group -Path c:\win2k3users -Verbose

Enter the password chosen at export. Accounts that already exist on the destination are skipped unless you add -Force.

Now all users are imported.
Passwords are not migrated: every imported account arrives disabled and with a blank password. Set a password for each account you actually need before enabling it, and leave the rest disabled (or delete them), so that an account with an empty password is never enabled.
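A post-import cleanup script for the 2012 R2 side, added here as an example; it is not part of the original post. Windows Server 2012 R2 has no Get-LocalUser cmdlet, so it uses the WinNT ADSI provider, which works on 2008 R2 and 2012 R2. It first lists every local user with its disabled flag and group membership, so the import can be compared with the 2003 server, and then, for the accounts named in $accountsToEnable (hypothetical names, replace them), sets a random password, forces a change at next logon and only then clears the disabled flag. It assumes the full .NET Framework, which ships System.Web for the password generator.

```powershell
# Added example (not from the original post): post-import cleanup on the 2012 R2
# server using the WinNT ADSI provider. Account names in $accountsToEnable are
# hypothetical; replace them with the accounts you actually need.

$ADS_UF_ACCOUNTDISABLE = 0x2
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

# 1. Report every local user with its disabled flag and group membership, so the
#    import can be checked against the 2003 server before anything is enabled.
$computer.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
    $flags  = [int]$_.UserFlags.Value
    $groups = @($_.Groups() | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    '{0,-20} disabled={1,-5} groups={2}' -f $_.Name, (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0), ($groups -join ',')
}

# 2. For each account that is really needed: set a random password first, force a
#    change at next logon, and only then clear the disabled flag. Accounts not in
#    the list keep their blank password, which is harmless only while they stay
#    disabled. System.Web (password generator) ships with the full .NET Framework.
Add-Type -AssemblyName System.Web
$accountsToEnable = @('appsvc', 'backupop')     # hypothetical names

foreach ($name in $accountsToEnable) {
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$name,user"
    $password = [System.Web.Security.Membership]::GeneratePassword(20, 4)
    $user.SetPassword($password)                  # takes effect immediately
    $user.PasswordExpired = 1                     # must change at next logon
    $user.Put('UserFlags', ([int]$user.UserFlags.Value) -band (-bnot $ADS_UF_ACCOUNTDISABLE))
    $user.SetInfo()                               # commits PasswordExpired and UserFlags
    New-Object PSObject -Property @{ Name = $name; InitialPassword = $password }
}
```

Capture the output of the second part (for example with Export-Csv to a protected location) and hand the initial passwords over through your password vault; the script prints them nowhere else.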

Find serial number of a Windows PC

To find the serial number of a PC running Windows, open PowerShell and run the below command

get-wmiobject win32_bios

OR

gwmi win32_bios

The serial number is the SerialNumber property in the output. On a virtual machine it is whatever the hypervisor exposes, not a physical asset tag.

PowerShell – The very basics

I am also a beginner with PowerShell, so let us learn together.

If you need video tutorials, search for "Scripting Guy, Ed Wilson". I went through the videos to get a clear concept. There are 5 short videos; try to practice at the same time as you watch them. The only way you remember things is by doing it yourself. (At least that is the only way I learn anything.)

PowerShell scripts have the extension .ps1. You can write a script in Notepad, save it as filename.ps1 and run it from PowerShell.

By default PowerShell does not let you execute scripts on the system.
First, check the existing setting on your computer.

NOTE: the double quotes around commands below are only for readability; do not type them.

Open PowerShell and type "get-executionpolicy -list"
This lists the execution policy for each scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).
For example, to allow the currently logged-on user to run scripts, use the following command:
set-executionpolicy -scope currentuser remotesigned

RemoteSigned is the usual choice: scripts written locally run, scripts downloaded from the internet must carry a valid signature. The other values are Restricted, AllSigned, Unrestricted, Bypass and Undefined. Treat the execution policy as protection against running a script by accident, not as a security boundary: anyone who can open PowerShell can type the same commands interactively or start powershell.exe -ExecutionPolicy Bypass.

Use the get command to confirm the change has been applied:
get-executionpolicy -list

Now you can see that CurrentUser is set to RemoteSigned.

SERVICES

get-service *  lists all services (running and stopped).
To get information about one particular service, e.g. "wuauserv":
get-service wuauserv . This lists the name, display name and status of the service wuauserv.

If you need more details about a service:
get-service wuauserv | format-list * — gives you detailed information about the service.

The filters below use $_, which stands for the current object coming down the pipeline; the quotes around the status are plain single quotes.

To list only services that are running:
get-service | where {$_.status -eq 'running'}

To list services that are stopped:
get-service | where {$_.status -eq 'stopped'}

This lists all services that are not running:
get-service | where {$_.status -ne 'running'}
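The Where-Object pipeline from this section applied to two checks an administrator actually runs, added as an example that is not part of the original post. Get-Service does not expose a service's start mode or binary path, so the script queries Win32_Service with Get-WmiObject (the same cmdlet used above for the BIOS serial number). The second check goes a step further than the post: it finds services whose executable path contains spaces but is not quoted, a classic local privilege escalation if a directory on that path is writable by ordinary users.

```powershell
# Added example (not from the original post): the Get-Service / Where-Object
# pipeline applied to two checks an administrator actually runs. Get-Service
# does not expose the start mode or the binary path, so Win32_Service is used.

# 1. Services set to start automatically that are not running right now.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
    Format-Table Name, State, StartMode, StartName -AutoSize

# 2. Services whose executable path contains spaces but is not quoted. The service
#    control manager tries each space-delimited prefix in turn (C:\Program.exe,
#    then C:\Program Files\Some.exe, ...), so a directory on that path that a
#    low-privileged user can write to lets them run code as the service account.
function Get-UnquotedServicePath {
    Get-WmiObject Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notlike '"*' -and                           # already quoted: fine
            $_.PathName -notlike "$env:SystemRoot\system32\*" -and   # built-in services (usual heuristic)
            (($_.PathName -split ' -| /')[0]) -match ' '             # executable part only, arguments dropped
        } |
        Select-Object Name, PathName, StartName, StartMode
}

Get-UnquotedServicePath | Format-List *
```

Fix a hit by re-registering the path with the quotes stored, for example sc.exe config <name> binPath= "\"C:\Program Files\App\svc.exe\"" (the escaped inner quotes are what ends up in the registry), then rerun Get-UnquotedServicePath to confirm it is gone.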

HISTORY

To see the history of commands typed, just type " h ". This shows all commands you have typed. I do not remember the exact number of commands it keeps, but it is quite big. The good thing about history is that you do not need to type the whole long command again and again. For example, to run command 5 in the history, type invoke-history 5 . That's it.

Get-History | Format-List -Property * – lists every command executed with its start time, end time and execution status.

EXAMPLES/HELP

To get help or examples, just type get-help get-service -examples. PowerShell shows you examples of how get-service can be used.

PROCESS

For example, type notepad in PowerShell and it opens Notepad. Open one more Notepad. Now you have 2 processes named notepad running on your system. To get details about the notepad processes:

get-process notepad

It gives you the id, name and other details. Say we have 2 notepad processes, one with id 1234 and the other with id 7890. To stop only one of them, pass its id to stop-process; stop-process -name notepad would stop every process with that name.

stop-process 1234    — kills only the process with id 1234.

get-process notepad | format-list *     — gives you a detailed view of each notepad process. If, for example, you only want the time each process was started, pipe the output to format-list with just the properties you need:

get-process notepad | format-list id, starttime
Will be updated soon…

VMware ESXi guest – Reduce hard disk size

Everyone knows it is easy to increase a hard disk: type in the new size in GB and extend the volume inside the OS. Reducing it is not straightforward, but it can be done. This is not a VMware-supported operation, so take a backup of the VM first and make sure it has no snapshots (with snapshots the guest runs from delta disks, not from the base descriptor edited below). Everything beyond the new end of the disk is lost.

For example, you have a Windows guest with a 200 GB disk holding C:, and you wish to reduce it to 100 GB.

Step 1 : Shrink the C: volume inside Windows (Disk Management – Shrink Volume) to 100 GB, and delete any other partition that sits in the freed tail of the disk, so that everything past the first 100 GB is unallocated. All data must lie within the first 100 GB before the disk is cut.

Step 2: Power off the VMware guest.

Step 3: Open PuTTY, connect to the ESXi host over SSH and change to the datastore folder where the guest resides, /vmfs/volumes/..etc….

Step 4: Using cat or vi, open the descriptor file VMname.VMDK (the small text file; the data lives in VMname-flat.vmdk). Under "Extent description" you will find a line like RW 419430400 VMFS "VMname-flat.vmdk". The number after RW is the size of the guest disk in 512-byte sectors.

The number 419430400 is calculated as follows :

200 GB = 200 * 1024 * 1024 * 1024 / 512 = 419430400

Step 5: We need to reduce the disk to 100 GB, so the same calculation gives

100 GB = 100 * 1024 * 1024 * 1024 / 512 = 209715200

Using vi, change the value in the VMname.VMDK file to 209715200 and save it.

Step 6: Power on the guest and you will see that the disk of the VMware guest has been reduced to 100 GB. VMname-flat.vmdk keeps its old size on the datastore until you clone the disk with vmkfstools -i to a new VMDK and attach that to the VM; the clone is created at the new size, which is how the datastore space is actually reclaimed.
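The same edit done in PowerShell on a copy of the descriptor pulled from the datastore (for example with WinSCP), added as an example for anyone who prefers not to edit in vi; it is not part of the original post. It carries the sector calculation from steps 4 and 5, refuses anything that is not strictly a shrink, refuses a file with no RW extent line (the usual mistake is opening the -flat file), keeps a .bak copy and writes the result back with LF line endings, because Set-Content would emit CRLF, which the host may fail to parse. The demo at the end runs on a constructed descriptor in $env:TEMP, not on a real datastore file.

```powershell
# Added example (not from the original post): shrink the "RW" extent line of a
# VMDK descriptor on a local copy. Copy VMname.vmdk (the small text file) down,
# run Set-VmdkDescriptorSize on it, check the printed line, copy it back.

function ConvertTo-Sectors {
    param([Parameter(Mandatory = $true)][int]$GB)
    # binary GB to 512-byte sectors, the calculation from Steps 4 and 5 above
    [int64]([int64]$GB * 1024 * 1024 * 1024 / 512)
}

function Set-VmdkDescriptorSize {
    param(
        [Parameter(Mandatory = $true)][string]$Path,      # local copy of VMname.vmdk
        [Parameter(Mandatory = $true)][int]$NewSizeGB
    )
    $newSectors = ConvertTo-Sectors -GB $NewSizeGB

    # Read as raw text so the LF line endings ESXi wrote are preserved.
    $lines  = [System.IO.File]::ReadAllText($Path) -split "`n"
    $rwLine = $lines | Where-Object { $_ -match '^RW\s+\d+\s' } | Select-Object -First 1
    if (-not $rwLine) {
        throw "No RW extent line found in $Path; is this the descriptor and not the -flat file?"
    }

    $current = [int64](($rwLine -split '\s+')[1])
    if ($newSectors -ge $current) {
        throw "$NewSizeGB GB ($newSectors sectors) is not smaller than the current $current sectors; this only shrinks."
    }

    Copy-Item -Path $Path -Destination "$Path.bak"       # keep the original next to the edit
    $updated = $lines | ForEach-Object {
        if ($_ -eq $rwLine) { $_ -replace '^RW\s+\d+', "RW $newSectors" } else { $_ }
    }
    # Set-Content would write CRLF; write ASCII with LF explicitly so the host still parses it.
    [System.IO.File]::WriteAllText($Path, ($updated -join "`n"), [System.Text.Encoding]::ASCII)
    '{0}  ->  RW {1}' -f $rwLine.Trim(), $newSectors
}

# Demo on a constructed descriptor with the values from the post (200 GB -> 100 GB).
$demo = Join-Path $env:TEMP 'VMname.vmdk'
$sample = "# Disk DescriptorFile`nversion=1`ncreateType=`"vmfs`"`n`n" +
          "# Extent description`nRW 419430400 VMFS `"VMname-flat.vmdk`"`n"
[System.IO.File]::WriteAllText($demo, $sample, [System.Text.Encoding]::ASCII)
Set-VmdkDescriptorSize -Path $demo -NewSizeGB 100
```

After copying the edited descriptor back, the steps from the post still apply: power the guest on to confirm the 100 GB disk, then clone with vmkfstools -i to reclaim the datastore space.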