Category Archives: Windows Server

Proper FTP setup via IIS using Passive FTP

Since PASSIVE FTP seems, in my experience, to be the de facto standard, and since most clients don't understand or don't want to use ACTIVE FTP, here is the easy way to configure your firewall and FTP software on an IIS machine to permit PASSIVE FTP.

Firewall Setup

You'll need two firewall rules and one "one to one" NAT mapping (the details vary a bit with your firewall software).

The one-to-one NAT mapping maps the external IP address to the internal IP of the server, such as "66.33.123.21" mapped to "10.1.1.21".

The first rule allows the world in to TCP port 21, mapped to the specific server in question (allow * from ANY to 10.1.1.21, TCP port 21).

The second rule is specifically for PASSIVE FTP: allow * from ANY to 10.1.1.21 on the TCP port range 50000 to 50100. This range has to be the same range the FTP server is configured to hand out for passive data connections, otherwise the control connection will succeed and every transfer will then hang.
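As an added example (not from the original post), here are the two perimeter rules above expressed as Windows host-firewall rules on the FTP server itself, scoped to the internal address the NAT mapping points at, followed by a local check that the control port answers. The server IP and the passive range are the post's values; the rule names and the use of the NetSecurity module (Windows Server 2012 or later) are this example's own assumptions.

```powershell
# Added example, not from the original post: host-firewall rules that mirror the
# two perimeter rules for passive FTP. Server IP and port range are assumptions.
$ServerIp     = '10.1.1.21'
$PassiveStart = 50000
$PassiveEnd   = 50100

# Rule 1: the FTP control channel, TCP/21, only on the address the NAT mapping targets.
New-NetFirewallRule -DisplayName 'FTP control (TCP 21)' -Direction Inbound `
    -Protocol TCP -LocalPort 21 -LocalAddress $ServerIp -Action Allow | Out-Null

# Rule 2: the passive data channels. Keep the range as narrow as the expected number
# of concurrent transfers allows; every port in it is reachable from the Internet.
New-NetFirewallRule -DisplayName "FTP passive data (TCP $PassiveStart-$PassiveEnd)" `
    -Direction Inbound -Protocol TCP -LocalPort "$PassiveStart-$PassiveEnd" `
    -LocalAddress $ServerIp -Action Allow | Out-Null

# Check from the server itself that the listener answers before blaming the firewall.
# Test-NetConnection needs Windows Server 2012 R2 or later.
Test-NetConnection -ComputerName $ServerIp -Port 21 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

These host rules complement the perimeter rules; they do not replace the one-to-one NAT mapping. If the passive range in the FTP server is ever changed, change both rule sets to match.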

FTP Server Setup

We normally use Filezilla Server (latest version, of course).

Add a user and set up the standard settings.

The passive settings are shown in the screenshot below.

Most importantly, the "X.X.X.X" field below is your PUBLIC IP, the one mapped through your firewall.

Click OK and save the settings.

[Screenshot FTP1: FileZilla Server passive mode settings]

FTP Client Settings

Nothing fancy here, just check to make sure the settings look like this:

[Screenshot FTP2: FTP client passive mode settings]

Throttling bandwidth on an IIS based site

If you need to throttle (or limit) the bandwidth a specific site uses on a Microsoft server, this is for you. This should work with any Microsoft Server OS from 2008 to the present. Open IIS Manager and go to the site in question (in the tree on the left, expand the server node and click the site name).

In the Actions panel on the right, click Configure, then Limits.

Check "Limit bandwidth usage" and type in a number.

Click OK.

[Screenshot: the Edit Website Limits dialog with "Limit bandwidth usage" checked]
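The same limit can be set from PowerShell, which is handy for more than one site or for checking what is currently configured. The following is an added example (not from the original post) using the WebAdministration module that ships with IIS 7.5 and later; the site name and the limit value are assumptions. The one thing the dialog does not make obvious is the unit: IIS stores the limit in bytes per second, so a link rated in megabits per second needs converting.

```powershell
# Added example, not from the original post: the same per-site limit set through the
# WebAdministration module. Site name and the limit value are assumptions.
Import-Module WebAdministration

$SiteName        = 'Default Web Site'
$LimitMbitPerSec = 8

# IIS stores the limit (limits/@maxBandwidth, the "Limit bandwidth usage" box in
# IIS Manager) in bytes per second, so convert from megabits per second.
$bytesPerSec = [int]($LimitMbitPerSec * 1000000 / 8)

Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name 'limits.maxBandwidth' -Value $bytesPerSec

# Read it back. 4294967295 (the default) means no limit.
$limits = Get-ItemProperty -Path "IIS:\Sites\$SiteName" -Name 'limits'
"maxBandwidth={0} bytes/s  maxConnections={1}  connectionTimeout={2}" -f `
    $limits.maxBandwidth, $limits.maxConnections, $limits.connectionTimeout
```

The limit applies to the whole site, static files included, and is a fairness control for sharing a link between sites rather than a defence against floods; the same `limits` element also carries maxConnections if you need to cap concurrent connections.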

How to stop attacks on your site via IIS

Often we see hack-bots or other automated hacking tools crawling our sites and hammering various pages looking for vulnerabilities. There is an easy way to put a stop to this in Microsoft IIS 7.0 (and later).

Make sure you have the "IP Address and Domain Restrictions" module loaded in IIS (if not, install it).

Launch it and add a DENY entry.

If the attacker is coming from AAA.BBB.CCC.49, I usually put a range block in there from AAA.BBB.CCC.0 to AAA.BBB.CCC.254.

At that point I usually restart the server because I’ve noticed that these blocks do not tend to take effect until (at minimum) the whole IIS process is restarted.  Restarting the box works for me.

Attacks blocked…
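The range block above ("AAA.BBB.CCC.0 to AAA.BBB.CCC.254") is a /24, which IIS expresses as an address plus a subnet mask. As an added example (not from the original post), the script below does the two halves of the job: it picks the noisy clients out of a W3C-format IIS log by counting 404s per client IP, then writes the corresponding deny entries into the site's ipSecurity section with the WebAdministration module. The log lines are constructed for this example and use documentation addresses; the site name, the threshold and the function names are this example's own.

```powershell
# Added example, not from the original post: find clients hammering a site with 404s
# and add an IIS deny rule for their /24. Log lines are constructed; site name,
# threshold and function names are assumptions for this example.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'   # assumed site
$Threshold = 20                   # 404s from one IP before its /24 is blocked

# Constructed W3C log excerpt, trimmed to the fields this example reads.
$logLines = @('#Fields: date time cs-method cs-uri-stem c-ip sc-status')
foreach ($i in 1..25) {
    $logLines += '2016-05-27 10:00:{0:D2} GET /probe{1}.php 203.0.113.49 404' -f ($i % 60), $i
}
$logLines += '2016-05-27 10:01:00 GET /index.php 198.51.100.7 200'
$logLines += '2016-05-27 10:01:01 GET /missing.png 198.51.100.7 404'

# Count 404s per client IP, locating the columns from the #Fields header so the
# script survives a different field order.
function Get-NoisyClients {
    param([string[]]$Lines, [int]$MinErrors)
    $fields = $null
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $ipIdx = [array]::IndexOf($fields, 'c-ip')
        $stIdx = [array]::IndexOf($fields, 'sc-status')
        $parts = $line -split '\s+'
        if ($parts.Count -le [math]::Max($ipIdx, $stIdx)) { continue }
        if ($parts[$stIdx] -eq '404') {
            $counts[$parts[$ipIdx]] = [int]$counts[$parts[$ipIdx]] + 1
        }
    }
    foreach ($entry in $counts.GetEnumerator()) {
        if ($entry.Value -ge $MinErrors) { $entry.Key }
    }
}

# Deny the client's /24 (the post's ".0 to .254" block) unless it is already listed.
function Add-IisDenyForSubnet {
    param([string]$Site, [string]$ClientIp)
    $network = (($ClientIp -split '\.')[0..2] -join '.') + '.0'
    $filter  = 'system.webServer/security/ipSecurity'
    $already = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site -Filter "$filter/add" |
        Where-Object { $_.ipAddress -eq $network -and $_.subnetMask -eq '255.255.255.0' }
    if (-not $already) {
        Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
            -Filter $filter -Name '.' `
            -Value @{ ipAddress = $network; subnetMask = '255.255.255.0'; allowed = 'false' }
    }
    "$network/24"
}

$blocked = foreach ($ip in (Get-NoisyClients -Lines $logLines -MinErrors $Threshold)) {
    Add-IisDenyForSubnet -Site $SiteName -ClientIp $ip
}
$blocked    # 203.0.113.0/24 only; 198.51.100.7 produced a single 404
```

Blocking a whole /24 also blocks everyone else sharing that range (shared hosting, carrier NAT), so review the list before applying it to a public site. A denied client receives HTTP 403 with substatus 503, which shows up as `403 503` in the site's log and is a quick way to confirm the rule is live before resorting to the restart described above.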

How to prep a Windows 2012 R2 Update 1 server for PHP / WordPress

1) Presuming you have already loaded the OS onto the machine (whether virtual or physical)
2) Join the machine to your business domain
3) Run Windows Update
4) Reboot
5) Run Windows Update again (repeat until there are no more updates)
6) Configure the role: Web Server, and under Application Development pick .NET Extensibility 3.5
7) Once that is complete, run Windows Update again
8) You will probably need to reboot
9) Check Windows Update ONE MORE TIME
10) Install the Web Platform Installer (version 5.0 as of this post) from here: http://www.microsoft.com/web/downloads/platform.aspx
11) After the WPI is installed, run it and choose the following: PHP 5.6.0 (or later), Windows Cache Extension 1.3 for PHP 5.6, PHP Manager for IIS
12) Install those programs; when complete, open IIS Manager
13) Verify that you see the following under the main server features panel: URL Rewrite, PHP Manager
14) Download the latest version of PHP (for me, it was 5.6.3)
15) Unzip it and move it to a new folder under "Program Files (x86)"\PHP\ called v5.6.3 (you should already see v5.6 in there)
16) Make a folder called PHP-TEMP on the C:\ root
17) Give IUSR and IIS_IUSRS Full Control on that folder
18) Go to PHP Manager and register the new version
19) In PHP Manager, go to Manage all Settings and update the following:
    error_log -> PHP-TEMP directory
    memory_limit = 512mb
    post_max_size = 10M
    upload_max_filesize = 10M
    upload_tmp_dir -> PHP-TEMP directory
    SMTP -> your internal email server IP
    session.save_path -> PHP-TEMP directory
20) Stop the default site
21) Create your new site
22) Make sure a static IP is assigned to the server for step 21
23) Make sure firewall rules are in place to permit traffic to that IP
24) Move or deploy the new WordPress site
25) Adjust IIS settings: logging location and daily rollover, URL Rewrite rules for the domain name and WordPress
26) You should have a web.config file from a previous (working) WordPress install; use that for the above two things

>more to come<
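Steps 16, 17 and 19 are the ones that get repeated on every PHP box, so here they are scripted, as an added example that is not part of the original post. It creates the temp folder, sets its ACL, and rewrites the php.ini keys in place (uncommenting them if PHP Manager has not already). The PHP install path, the mail relay address and the `Set-IniValue` helper are this example's own assumptions. Two deliberate differences from the list above: the ACL grants Modify rather than Full Control, which is all that creating and deleting temp files, sessions and a log file needs, and the memory limit is written as `512M`, because PHP's ini shorthand accepts only the suffixes K, M and G and documents `MB` as invalid.

```powershell
# Added example, not from the original post: steps 16, 17 and 19 scripted. The PHP
# install path, the SMTP relay address and Set-IniValue are assumptions for this example.
$PhpIni  = 'C:\Program Files (x86)\PHP\v5.6.3\php.ini'   # assumed install path
$TempDir = 'C:\PHP-TEMP'
$Smtp    = '10.1.1.25'                                    # assumed internal mail relay

# Steps 16-17. Modify (M) covers create/delete of temp files; Full Control is not needed.
New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
icacls $TempDir /grant 'IUSR:(OI)(CI)M' 'IIS_IUSRS:(OI)(CI)M' | Out-Null

# Step 19. PHP reads the size suffixes K, M and G only, so 512M rather than 512mb.
$Settings = [ordered]@{
    'error_log'           = "$TempDir\php-errors.log"
    'memory_limit'        = '512M'
    'post_max_size'       = '10M'
    'upload_max_filesize' = '10M'
    'upload_tmp_dir'      = $TempDir
    'SMTP'                = $Smtp
    'session.save_path'   = "`"$TempDir`""
}

# Replace the first matching "key = value" line (commented or not); append if absent.
function Set-IniValue {
    param([string[]]$Lines, [string]$Key, [string]$Value)
    $pattern  = '^\s*;?\s*' + [regex]::Escape($Key) + '\s*='
    $replaced = $false
    $out = foreach ($line in $Lines) {
        if (-not $replaced -and $line -match $pattern) { $replaced = $true; "$Key = $Value" }
        else { $line }
    }
    if (-not $replaced) { $out = @($out) + "$Key = $Value" }
    return $out
}

Copy-Item -Path $PhpIni -Destination "$PhpIni.bak" -Force
$lines = Get-Content -Path $PhpIni
foreach ($key in $Settings.Keys) {
    $lines = Set-IniValue -Lines $lines -Key $key -Value $Settings[$key]
}
Set-Content -Path $PhpIni -Value $lines

# FastCGI worker processes read php.ini only at start, so recycle them.
iisreset /restart
```

Keeping the error log, upload directory and session directory under one folder that only the IIS identities can write to, and that lives outside the web root, means a bug in an upload handler cannot drop a file somewhere IIS will serve it.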

Permission denied error dealing with Classic ASP loadpicture

To solve the following error, which is generated by the loadpicture object:

Microsoft VBScript runtime error '800a0046'
Permission denied: 'loadpicture'

from a line such as

set myImg = loadpicture("C:\aaa\asdf.jpg")

==

the solution is simply to grant Full Control to

servername\IUSR

on the directory in which this object is going to work...

Quick change of Hyper-V UID – for Register in place VM

If you want to quickly create copies of one Hyper-V Virtual Machine, here is an easy process:

1) change the XML UID by editing the XML file within the Exported VM directory.
2) change the name to the new machine name (this is the XXXXX tag)
3) change the global_id
4) change the logical_id (to the new global ID)
5) save the file
6) rename the XML file to match the global ID
7) import – register in place (use the existing unique ID)
8) adjust any settings on the VM
9) start the VM

Inconsistent ping / inconsistent network connectivity on Hyper-V virtual machine

I recently came across this issue on one of my virtual server machines, where I had just set up a brand new Windows Server W2K12R2 Update 1 virtual machine. It is currently on DHCP, soon to be set to a static IP.

With the client VM running (and while multiple other VMs were running without any problems), I was experiencing the following:
1) inconsistent ping of the VM
2) inability to remote desktop into the machine (sometimes I could connect, sometimes I could not)
3) DNS resolution issues with that VM

Here is my setup:
Windows Server 2012 R2, Update 1. Hyper-V 6.3.9600.xxxxx
Client: Windows Server 2012, R2, Update 1. Standard Server. Virtual Machine version 5, generation 2.

Network: High quality CAT6/Gigabit setup.

Here is what it looks like when I do a continuous ping of the virtual machine:

[Screenshot: continuous ping of the VM with intermittent request timeouts]

After doing a LOT of troubleshooting / testing / trial & error, here is the fix:

This new VM has a “DYNAMIC” MAC address.  All the other VM clients on that server have STATIC MAC addresses.

I shut down the VM, adjusted the network settings (under ADVANCED) to a STATIC MAC.

Start the VM.

Log in (via Remote Desktop while sitting on the Hyper-V server itself).

Do a continuous ping, and the issue is fixed!

Next, via Remote Desktop into the Hyper-V server and controlling the machine that way (not Remote Desktop connecting into the VM itself...), I switched the machine to a static IP, which was different from the DHCP-assigned one.

Reboot the machine (for the heck of it).

On my desktop, IPCONFIG /FLUSHDNS

(At this point, depending on how your network is configured, you may need to wait a bit for the DNS changes (IP change) to catch up so that your ping works...)

Then try pinging the IP address (not the machine name): works.

Try pinging the machine name: works (see above; you may need to wait a bit for your network to catch up with the DNS changes).

=

The above fix (changing to Static IP) alleviates the need to fiddle with the VM's Hardware Acceleration settings, such as VMQ (Virtual Machine Queue) or Enable IPsec task offloading. On my Hyper-V server both of these are "CHECKED/ON".
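As an added example (not from the original post), here is the audit and the fix in the Hyper-V PowerShell module: list every adapter on the host that still has a dynamic MAC, check whether any MAC is in use by more than one VM (a duplicate MAC on the same segment produces exactly this kind of intermittent reachability, and dynamic pools on different hosts can overlap), then pin the affected VM to a static address. The VM name and the MAC address are assumptions; the MAC is inside the 00-15-5D range Hyper-V uses, but any static value must be unique on your network.

```powershell
# Added example, not from the original post: audit dynamic/duplicate MACs on a Hyper-V
# host and pin one VM to a static MAC. VM name and MAC value are assumptions.
$VmName    = 'WEB01'
$StaticMac = '00155D0A1B2C'   # must be unique on the network; value is an assumption

# Audit 1: adapters still using a dynamic MAC.
Get-VMNetworkAdapter -VMName * |
    Where-Object { $_.DynamicMacAddressEnabled } |
    Select-Object VMName, Name, MacAddress, SwitchName

# Audit 2: any MAC assigned to more than one VM on this host.
Get-VMNetworkAdapter -VMName * | Group-Object MacAddress |
    Where-Object { $_.Count -gt 1 } |
    Select-Object @{ n = 'MacAddress'; e = { $_.Name } },
                  @{ n = 'VMs';        e = { ($_.Group.VMName) -join ', ' } }

# Fix: the MAC can only be changed while the VM is off (the post shut it down too).
Stop-VM -Name $VmName
Set-VMNetworkAdapter -VMName $VmName -StaticMacAddress $StaticMac
Start-VM -Name $VmName

# Confirm the change stuck.
Get-VMNetworkAdapter -VMName $VmName |
    Select-Object VMName, MacAddress, DynamicMacAddressEnabled
```

The second audit only sees one host; if you run several Hyper-V hosts on the same VLAN, run it on each and compare, since two hosts can hand out the same dynamic address.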


Quick and easy method to upgrade MySQL Community Edition – Windows Server

I recently crossed my fingers and went through the upgrade process to upgrade MySQL from 5.6.14 to 5.6.17 on my Windows server. (This also works for 5.5.x to current.)

NOTE, UPDATED 5/27/2016: If you are using the MySQL Installer - Community (if that is in your Start -> program list), please use that to upgrade your instance. That is much simpler than my process below. The process below should now be considered a LEGACY process.

Don't forget to run

mysql_upgrade -u root -p

to allow MySQL to upgrade all the tables to the new standard.

Through trial and error, I have found the easiest process to do this.

  1. Stop the existing service via Services
  2. Open a command prompt (as administrator)
  3. Change to the MySQL directory, then BIN, and type mysqld --remove (to remove the service)
    1. If the above command does not work, try SC DELETE MYSQL (put the exact service name in place of MYSQL). That should do the trick.
    2. Go into the Services manager, refresh, and ensure the service is removed.
  4. Go to the Control Panel and uninstall everything to do with MySQL (presuming this is a dedicated MySQL box)
  5. Make sure your data is moved to a directory on the root like "MYSQLDATA"
  6. Delete every folder under ProgramData and Program Files pertaining to MySQL
  7. Reboot the machine
  8. Log into the machine
  9. Make sure .NET Framework 4.0 is installed
  10. Download and run the MySQL Community 5.6.17 (or later) x32 MSI full installer
  11. Do a fresh install
  12. Server type: Server (for production deployments)
  13. Point things to the correct directories (e.g. your existing data directory, etc.)
  14. Use the same root password as before (from the old install)
  15. Add any extra admin users
  16. Complete the install
  17. Make sure the service is installed and running
  18. That's it!

Hope that helps someone else out there. I took the couple of hours to sort this all out for you!
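Steps 1 to 6 are where things go wrong in practice (a service that will not unregister, or an uninstall that takes the only copy of the data with it), so here they are as a script, added as an example and not part of the original post. It stops the service and waits for it, copies the data directory out of the install tree before anything is uninstalled, tries `mysqld --remove` and falls back to `sc.exe delete` exactly as step 3 describes, and refuses to continue while the service is still registered. The service name and the three paths are assumptions; check yours with `Get-Service` and the `datadir` line of your my.ini.

```powershell
# Added example, not from the original post: steps 1-6 of the legacy upgrade process
# scripted. Service name and paths are assumptions for this example.
$ServiceName = 'MySQL56'
$MysqlBin    = 'C:\Program Files (x86)\MySQL\MySQL Server 5.6\bin'
$DataDir     = 'C:\ProgramData\MySQL\MySQL Server 5.6\data'
$BackupDir   = 'C:\MYSQLDATA'

# Step 1: stop the service and wait until it actually reports Stopped.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', '00:02:00')
}

# Step 5, done first: copy (not move) the data directory out of the install tree so
# the uninstall in step 4 cannot touch the only copy. robocopy exit codes >= 8 are failures.
robocopy $DataDir $BackupDir /E /COPY:DAT /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Step 3: unregister the service; fall back to sc.exe if mysqld cannot do it.
& "$MysqlBin\mysqld.exe" --remove $ServiceName
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    sc.exe delete $ServiceName | Out-Null
}

# Step 3.2: refuse to go on to the uninstall while the service is still registered.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    throw "Service $ServiceName is still registered; reboot and re-check before uninstalling."
}
"Service removed; data copied to $BackupDir. Continue with step 4 (uninstall)."
```

After the fresh install points at the copied data directory, run `mysql_upgrade -u root -p` as noted at the top of the post; until that has run, the system tables are still in the old version's format.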

All computers do not show up under Network Neighborhood across subnets Windows 2008 Server and Windows 2012 Server

THE ISSUE - NETWORK DOES NOT SHOW ALL COMPUTERS FROM MULTIPLE SUBNETS

NOTE (10/11/16): Please see this new blog post, which addresses a new issue that has happened since June 2016. Both of these posts will help you resolve this cross-subnet browsing issue.

I recently ran into the situation where my PDC failed and after promoting a second DC to PDC all the computers in both my branches would not show up under the Windows 7 network.

What would happen is that the computers from branch 1 would all show up under branch 1 on that network, and the computers from branch 2 would only show up on branch 2’s network.

Both networks are in the same domain and are connected via a Point to Point firewall VPN tunnel, and both offices are on different local internal IP subnets, such as:

branch 1:  192.168.55.X

branch 2: 192.168.56.X

Logins and domain replication are working fine, and even the DNS servers I have set up properly replicate the data between them, but the "Network" list still only shows the local subnet, not both.

THE SOLUTION

Firstly, you need to determine for sure which machine is the PDC emulator on your network. On our network we have two Windows 2008 R2 servers.

To do this, follow this procedure:

Using the Windows interface on your Windows server:

1. Open Active Directory Users and Computers.

2. Right-click the domain node, and then click Operations Masters.

3. On the PDC tab, under Operations masters, view the operations master that serves as the PDC emulator.

Secondly, to complete the solution (snipped from the website linked below...):

4. You can either set the Computer Browser service to Automatic on the DC holding the PDC role, or move the PDC role to another DC that has the Computer Browser service started. So, using the info gleaned from above, log in to the PDC computer, go to SERVICES, START the Computer Browser service, and set it to AUTOMATIC.

You will need File and Printer sharing On in the Network and Sharing Center, otherwise the Computer Browser service will fail to start since the required ports will not be open.  In a multiple subnet environment, make sure WINS is configured properly so that you have the proper NetBIOS name resolution.  After making the corrections, the computers holding the master browser roles will begin to populate the browse list for the entire network.

NOTE:  In my situation with two subnets it was NOT necessary to run WINS to have a proper solution.

Lastly, wait anywhere from 30-60 minutes and the computers from both subnets (or more) should all now show up under "NETWORK" on your Windows network.

(Some information courtesy of this blog.)
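The whole procedure above (find the PDC emulator, enable File and Printer Sharing, start the Computer Browser service on that DC, and check the other DCs) can be done from one console. The following is an added example, not from the original post or the blog it credits. It uses `Get-ADDomain` from the ActiveDirectory RSAT module, which 2008 R2 has, `netsh advfirewall` rather than the newer firewall cmdlets so that it also works on 2008 R2, and PowerShell remoting to the PDC; that remoting is enabled on the DC is the example's assumption. The firewall change is limited to the domain profile, which is the only profile a DC should ever be in.

```powershell
# Added example, not from the original post: locate the PDC emulator, start the
# Computer Browser service on it, and review the browser service on every DC.
# Assumes the ActiveDirectory module locally and PowerShell remoting to the DC.
Import-Module ActiveDirectory

# Steps 1-3: the DC holding the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# Step 4 on that DC. The service name behind "Computer Browser" is 'Browser'.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    # Browser needs the NetBIOS/SMB ports that the File and Printer Sharing rule
    # group opens; enable that group for the domain profile only.
    netsh advfirewall firewall set rule group="File and Printer Sharing" profile=domain new enable=yes | Out-Null
    Set-Service -Name Browser -StartupType Automatic
    Start-Service -Name Browser
    Get-Service -Name Browser | Select-Object MachineName, Status
}

# Afterwards: the browser service state on every DC, so you can see which one
# will win the master browser election after the 30-60 minute wait.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-Service -ComputerName $_.HostName -Name Browser -ErrorAction SilentlyContinue |
        Select-Object MachineName, Status
}
```

The Computer Browser service rides on SMB1 and NetBIOS; on Windows Server 2016 and later it is absent unless the SMB1 feature is installed, so this fix is specific to the 2008/2012-era servers the post describes.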

How to get IIS 7.5 web server to pass the BEAST PCI vulnerability compliance scans

If your e-commerce website keeps flunking PCI vulnerability compliance scans with the following error:

BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389

and you are running Microsoft Server 2008 R2, I can help you.

If you aren’t on Windows Server 2008 R2, there is no known way to pass this test short of upgrading your server to W2K8R2 and doing the following steps.

This is the exact vulnerability as reported (in our case, by Trustkeeper):

BEAST (Browser Exploit Against SSL/TLS) Vulnerability The SSL protocol encrypts data by using CBC mode with chained initialization vectors. This allows an attacker who has gained access to an HTTPS session via man-in-the-middle (MITM) attacks or other means to obtain plain-text HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with JavaScript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or "BEAST".

CVE: CVE-2011-3389

NVD: CVE-2011-3389

Bugtraq: 49778

CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N(4.30)

This is the remediation (as stated by Trustkeeper):

Affected users should disable all block-based cipher suites in the server's SSL configuration and only support RC4 ciphers, which are not vulnerable, to fully address this vulnerability. This vulnerability was addressed in TLS version 1.1/1.2; however, these newer TLS versions are not widely supported at the time of this writing, making it difficult to disable earlier versions.

Additionally, affected users can also configure SSL to prefer RC4 ciphers over block-based ciphers to limit, but not eliminate, exposure. Affected users that implement prioritization techniques for mitigation as described above should appeal this vulnerability and include details of the SSL configuration.

Here is the evidence (as stated by TrustKeeper):

Service: http
Evidence:
Cipher Suite: SSLv3 : DES-CBC3-SHA
Cipher Suite: SSLv3 : RC4-SHA
Cipher Suite: SSLv3 : RC4-MD5
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : DES-CBC3-SHA
Cipher Suite: TLSv1 : RC4-SHA
Cipher Suite: TLSv1 : RC4-MD5

That isn’t much help, of course.

Ok, here is how to solve this.  And you don’t even need REGEDIT!

  1. Make sure your website is on a Windows 2008 R2 server with a valid SSL certificate.
  2. Download the following FREE and FANTASTIC program to your web server:
    1. https://www.nartac.com/Products/IISCrypto/Default.aspx
  3. Run the program on your web server. Be logged in as a full admin; Remote Desktop is fine.
  4. Start by clicking the PCI button, then make all your settings look like the screenshot below:
    1. [Screenshot pci: IIS Crypto settings after clicking the PCI button]
  5. In some cases you might have a few more listings under SSL Cipher Suite Order. Here is a screenshot from a second server (below). The settings below are also perfectly fine:
    1. [Screenshot pci2: IIS Crypto cipher suite order on a second server]
  6. In all cases, MAKE YOUR SETTINGS JUST LIKE ABOVE, and your site should always pass the BEAST test.
    1. IT IS CRITICAL that you have ONLY the CIPHERS selected in the above two screenshots, and the TOPMOST TWO in THIS SPECIFIC ORDER.
  7. Apply the changes.
  8. Restart the server.
  9. Once the server is back up and running, go to the website below:
    1. https://www.ssllabs.com/ssltest/index.html
  10. Allow the test to complete. The test will tell you if the site passes all the tests and is BEAST compliant, and it will give you a score for your website. The website we tested scored 89, which is an "A".

Hopefully this will help shortcut this process for some of you. I literally spent hours working this solution out.
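The scanner's own remediation text above already notes that TLS 1.1/1.2 fix BEAST properly and that RC4 was only the stop-gap available at the time. Since then RC4 has been prohibited by RFC 7465 and SSL 3.0 deprecated by RFC 7568, so an RC4-only configuration that satisfied this scan will fail current PCI scans, which flag SSL 3.0 and RC4 on their own. Whichever set of suites the current scan wants, it helps to see what IIS Crypto actually wrote. The script below is an added example, not from the original post and not IIS Crypto's own code; it reads the standard SChannel registry locations that tools like IIS Crypto and Group Policy write to and reports each protocol, cipher and the suite order. The function name and the warning thresholds are this example's own.

```powershell
# Added example, not from the original post: report the SChannel configuration that
# IIS Crypto (or Group Policy, or regedit) has written, so it can be compared with
# what the scanner currently requires. Registry paths are the standard SChannel keys.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    $result = [ordered]@{}

    # Per-protocol server-side switch. A missing key or value means "OS default",
    # which on 2008 R2 leaves SSL 3.0 and TLS 1.0 on and TLS 1.1/1.2 off.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $v = Get-ItemProperty -Path "$schannel\Protocols\$proto\Server" -ErrorAction SilentlyContinue
        $result["Protocol $proto"] = if ($null -eq $v -or $null -eq $v.Enabled) { 'default' }
                                     elseif ($v.Enabled -ne 0) { 'enabled' } else { 'disabled' }
    }

    # Per-cipher switch (same Enabled DWORD convention).
    foreach ($cipher in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128', 'AES 128/128', 'AES 256/256') {
        $v = Get-ItemProperty -Path "$schannel\Ciphers\$cipher" -ErrorAction SilentlyContinue
        $result["Cipher $cipher"] = if ($null -eq $v -or $null -eq $v.Enabled) { 'default' }
                                    elseif ($v.Enabled -ne 0) { 'enabled' } else { 'disabled' }
    }

    # Cipher suite order (the "SSL Cipher Suite Order" list in IIS Crypto). Stored as a
    # comma-separated string on 2008 R2 and as a multi-string on later versions.
    $order = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' `
                              -Name Functions -ErrorAction SilentlyContinue
    $result['Suite order'] = if ($order) { ($order.Functions -split ',') -join "`n  " } else { 'default' }
    return $result
}

$state = Get-SchannelState
$state

# Compare with current baselines rather than the 2011 BEAST check.
if ($state['Protocol SSL 3.0'] -ne 'disabled')  { Write-Warning 'SSL 3.0 is not explicitly disabled (RFC 7568)' }
if ($state['Cipher RC4 128/128'] -ne 'disabled') { Write-Warning 'RC4 128/128 is not explicitly disabled (RFC 7465)' }
if ($state['Protocol TLS 1.2'] -ne 'enabled')    { Write-Warning 'TLS 1.2 is not explicitly enabled' }
```

Run it before and after applying an IIS Crypto template and keep the two outputs with the scan report; that is the "details of the SSL configuration" the remediation text says to include when appealing a finding. As with IIS Crypto itself, SChannel reads these keys at boot, so a change is not live until the restart in step 8.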