Disabling SSL v2 in Server 2008 x64 and Server 2008 R2

Disclaimer: Always back up your registry prior to making changes!

Incorrect entries can cause unexpected behavior, and may even render your operating system unusable! I disclaim any responsibility for damages, loss of data or any other issues resulting from registry changes.

While this worked for me, every environment is different, so use this at your own risk!

I recently assisted a client with getting a Windows Server 2008 R2 machine in compliance with Payment Card Industry (PCI) standards.

PCI compliance is very important for eCommerce sites and anyone handling credit card information.

We used a 3rd party testing tool that scanned for open ports, SSL version support, as well as allowed encryption/cipher combinations. The first few tests failed due to SSL 2.0 support in Server 2008 R2/IIS7.5.

I found an article on Microsoft’s support site which described how to disable IIS protocols by modifying the registry (this can’t be done through IIS Manager):

http://support.microsoft.com/kb/187498

Here’s where it gets confusing. I followed the instructions and browsed to:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

As the article points out, the “SSL 1.0,” “SSL 2.0,” “SSL 3.0” subkeys are typically there. Note the use of the word Typically rather than Always, meaning that sometimes they’re bloody well NOT there, as was the case with my server!

The article goes on to say, “create a new DWORD value in the server subkey of the protocol.” I have a big problem with this phrasing given the ubiquity of the word “Server.” The instructions do not explicitly tell you to create a new subkey under “SSL 2.0” called “Server” and to place the DWORD in there, so naturally, I wrongly assumed that the DWORD went in “SSL 2.0” instead, which didn’t work.

After a little digging, I came across another post on the IIS.net forums by a user named Pawel Dolny who did a much better job of explaining things:

http://forums.iis.net/p/1151822/1879690.aspx

When you follow his article, be sure to create subkeys called “Server” and “Client” in each of the SSL protocol keys, then add a DWORD in each called “Enabled” with a value of “0” to disable it (or 1 to enable it, as would be the case for SSL 3.0).
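The same registry change as a script, added here as an example (it is not from this post or from Pawel Dolny’s thread); it assumes PowerShell run as an administrator on the server, the key path quoted above, and the protocol key name spelled exactly “SSL 2.0” with the space.

```powershell
# Added example, not from the original post: creates the "Server" and "Client"
# subkeys under a SCHANNEL protocol key, writes the "Enabled" DWORD into each,
# then reads the values back so a mistyped key name is caught before rebooting.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,  # e.g. 'SSL 2.0'
        [Parameter(Mandatory=$true)][bool]$Enabled      # $false = disable
    )
    # The protocol key itself may be missing, as it was on the author's server.
    $protoKey = Join-Path $base $Protocol
    if (-not (Test-Path $protoKey)) { New-Item -Path $protoKey | Out-Null }

    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protoKey $side
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
        # -Force overwrites an existing "Enabled" value instead of failing.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
    }
}

# The change described in the post: SSL 2.0 off for both sides.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false

# Read-back check; both lines should report Enabled = 0.
foreach ($side in 'Server', 'Client') {
    $key = Join-Path (Join-Path $base 'SSL 2.0') $side
    $value = (Get-ItemProperty -Path $key -Name 'Enabled').Enabled
    '{0,-6} Enabled = {1}' -f $side, $value
}
```

SCHANNEL only reads these keys at startup, so the reboot the post mentions is still required before the external scan will show the change.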

He also covers enabling/disabling ciphers. Once you’ve rebooted, you can test your site to verify the changes:

https://www.wormly.com/test_ssl

I hope this helps someone!

Retrieving a copy of all Emails Sent To or Received From a Specific Domain in Exchange 2007

I recently received a request to locate and create a copy of every email sent to or received from a specific domain. Exchange 2010 possesses some inherent litigation hold and compliance management tools that could do this for you, and while I even found a VB script for Exchange 2003, there was not much information out there for Exchange 2007.

Here’s what I did…

Step 1: Ensure that your account has “FullAccess” permissions to all mailboxes in your Exchange Database by running this command in Exchange Management Shell:

Get-Mailbox -Database "[Database Name]" | Add-MailboxPermission -User [Your Admin Account] -AccessRights FullAccess -InheritanceType All

Step 2: This hefty cmdlet tells Exchange to search every mailbox in the database for messages received from a specific domain, excluding the target mailbox, as you can’t export a mailbox to itself:

Get-Mailbox -Database "[Database Name]" |?{$_.Name -ne '[Username of the Target Mailbox]'} | Export-Mailbox -TargetMailbox [Username of the Target Mailbox] -TargetFolder [Name of Folder] -senderKeywords:'*[domain name]'

Step 3: The last command does the same as the above, but looks for any emails sent to a specific domain:

Get-Mailbox -Database "[Database Name]" |?{$_.Name -ne '[Username of the Target Mailbox]'} | Export-Mailbox -TargetMailbox [Username of the Target Mailbox] -TargetFolder [Name of Folder] -recipientKeywords:'*[domain name]'

Once done, you can open the target mailbox in Outlook and save it to a PST. So there you have it!

Microsoft CSAT Survey

NOTE: This post was written in July of 2009, and the information herein may be outdated/no longer applicable. I’ve elected to preserve the post here for posterity.

As of October 2009, Microsoft is requiring all of its Gold-level Partners to participate in a Customer Satisfaction Index (CSAT) Survey:

“Effective October 2009, partners re-enrolling at the Gold Certified level will need to have participated in at least one CSAT Index survey prior to re-enrolling, and receive ten or more survey responses (up to eight responses can be from the same customer organization).”

In my case, my employer is an ISV that develops web-based applications for use on a Microsoft platform (IIS/.NET/SQL Server etc.), but doesn’t actually resell Microsoft products. This requirement is a big headache for us for a number of reasons:

  1. Most of the questions are geared toward resellers, and won’t apply to ISVs (e.g. “…Assuming [Company Name]’s performance remains the same as it is now, do you expect your company’s future purchase levels from [Company Name] will be…”)
  2. The questionnaire is around 30 questions long, and can’t be shortened! You can only add additional questions.
  3. The partner points you can earn for these surveys are negligible (as little as 2 points for 10-19 responses, as much as 20 points for 200+ responses).

After several weeks of exchanges with various Microsoft representatives, I was finally told that although participation is mandatory for Gold Certified partners, incomplete surveys would still count toward the requirement if inapplicable questions were left unanswered (specifically, questions 14 and 15 as those pertain to sales performance).

I hope this helps someone else out there who might find themselves in a similar predicament!

Slipstreaming Drivers into Windows Setup CDs/DVDs

NOTE: This post was written almost 10 years ago, and republished here for posterity. As such, no attempt has been made to update the links or information below.

I recently had to repair an installation of Windows Server 2003. Unfortunately, Windows Setup was unable to automatically detect my RAID controller, and while you can press F6 during setup to provide a 3rd party driver, this won’t work for computers without floppy drives.

One solution is to “slipstream” the drivers you need into your Windows Setup media. Slipstreaming is a technique used to insert additional drivers, updates and service packs into your installation disks. This can be done manually by manipulating installation files, or by using a 3rd party tool such as nLite (vLite is the Vista version), AutoStream or PE Builder. I personally prefer nLite because it’s free, relatively easy to use, and works with a wide range of Microsoft OSes. Best of all, you can also use it to remove unwanted or unneeded components, tweak system options, or set preferences in advance to create an unattended setup disk. Here’s the procedure I used:

  1. Download and install nLite (https://nliteos.com/download.html)
  2. Copy the contents of your Windows setup CD to a folder on your hard drive (e.g. N:\Windows Setup Files)
  3. Start the nLite application, then click Next to advance to the source file screen
  4. Browse to the files you copied above and click Next again. nLite will detect the OS type; click Next again to proceed
  5. The next screen gives you the ability to choose a previous configuration if you have one, or you can click Next again to skip it and start fresh
  6. The next screen allows you to pick and choose what features you want to manipulate. I chose “Integrate > Drivers” and “Create > Bootable ISO”, then Next to take you to the Driver selection screen
  7. Click Insert. If your driver directory comes with multiple .INF or .SYS files, you should select Multiple Driver Folder; otherwise, you can use Single Driver
  8. There will be a pop-up window prompting you to select a driver and a mode. The options are Textmode or PnP. Anything that you need to pre-load prior to installation should be installed as Textmode. NOTE: Be sure to use “Textmode” for any drivers Windows will need to begin setup! I chose this option for my RAID controller drivers.
  9. Push OK > Next to proceed, and when prompted, choose Yes to start the process
  10. When done, it should display the create window. At this point, you can create an ISO or burn the image directly to a CD. There you have it!