Disabling SSLV3 and weak ciphers - Server 2008 R2

Hi,
I have disabled SSLv3 in the registry using the following TechNet article. I rebooted the servers, but when I run a scan through https://www.poodlescan.com/ it says "This server supports the SSL v3 protocol."
I have tested it through other scanners also.
https://technet.microsoft.com/en-us/library/security/3009008.aspx
What cipher suites disable SSLv3 completely on Windows Server 2008 R2 and IIS 7.5?
Is there any patch or script that could help completely secure the server?

In HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server make a new DWORD value "Enabled" and set it to 0 (zero).
You need a reboot to apply the setting.
Note that if you are hosting IIS behind a load-balancing solution, the load balancer often does SSL offloading. In that case you need to reconfigure the load balancer.
MCP/MCSA/MCTS/MCITP

Similar Messages

  • How to disable SSLv3 and RC4 on Lync Server Access Edge?

    We use Lync Server 2013.
    How to disable SSLv3 and RC4 on Lync Server Access Edge?
    This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work

    Hi dizen,
    To completely disable RC4, you can create the following registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    For more details, please check out this KB.
    http://support.microsoft.com/kb/2868725
    Best regards,
    Eric

  • How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?

    How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?
    I see the line in the ssl.conf file:
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    but I'm not sure which ciphers are SSLV3.
    Thanks,
    Andy

    Hi Andy,
    For this, we highly recommend that you open an SR with Oracle Support, and the Security team will assist you on how to get this fixed.
    Thanks,
    Sharmela

  • Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)

    Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
    We used IIScrypt to turn off SSLv3 (v2 was already disabled from before).
    Now, OWA works fine, and users are able to connect via the Web.
    Internally, users are also able to connect with Outlook 2010/2013.
    However, users are not able to connect via Outlook from outside (Outlook Anywhere).
    In the event viewer you get an error:
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
    I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2 which is out of the question.
    Has anybody seen this issue as well?

    Hi Max
    Could you provide the steps to turn off SSLv3? Is it from the registry (http://support.microsoft.com/kb/187498)?
    Mat A
    Yes. Copy and paste this into a text file and save as a .reg file, then double click on the file to add to the registry of the server
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
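The registry values quoted in the threads above (SSL 3.0 under Protocols, the three RC4 keys under Ciphers), checked and optionally written from PowerShell. This is an added example, not code from any of the posters or from Microsoft; the -Apply switch and the function names are assumptions, and the script sticks to PowerShell 2.0 syntax because that is what Server 2008 R2 ships with.

```powershell
# Added example: audit (and with -Apply, set) the SCHANNEL values from the posts above.
# Run from an elevated prompt; a reboot is needed before changes take effect.
param([switch]$Apply)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkey relative to $base, value name, and the DWORD the posts prescribe.
$wanted = @(
    @{ Key = 'Protocols\SSL 3.0\Server'; Name = 'Enabled';           Data = 0 }
    @{ Key = 'Protocols\SSL 3.0\Client'; Name = 'DisabledByDefault'; Data = 1 }
    @{ Key = 'Ciphers\RC4 128/128';      Name = 'Enabled';           Data = 0 }
    @{ Key = 'Ciphers\RC4 56/128';       Name = 'Enabled';           Data = 0 }
    @{ Key = 'Ciphers\RC4 40/128';       Name = 'Enabled';           Data = 0 }
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-SchannelState($item) {
    # Report why a setting is not effective: wrong path, missing value, wrong type or data.
    $key = $hklm.OpenSubKey("$base\$($item.Key)")
    if ($null -eq $key) { return 'key missing' }
    try {
        if ($key.GetValueNames() -notcontains $item.Name) { return 'value missing' }
        $kind = $key.GetValueKind($item.Name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "wrong type ($kind)" }
        $data = $key.GetValue($item.Name)
        if ($data -ne $item.Data) { return "set to $data" }
        return 'ok'
    } finally { $key.Close() }
}

function Set-SchannelValue($item) {
    # The .NET API splits key paths on '\' only, so 'RC4 128/128' stays one key name.
    # New-Item on the HKLM: drive would split it at '/' into 'RC4 128' and '128'.
    $key = $hklm.CreateSubKey("$base\$($item.Key)")
    try {
        $key.SetValue($item.Name, [int]$item.Data, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

$report = foreach ($item in $wanted) {
    $before = Get-SchannelState $item
    if ($Apply -and $before -ne 'ok') { Set-SchannelValue $item }
    New-Object PSObject -Property @{
        Key    = $item.Key
        Value  = "$($item.Name)=$($item.Data)"
        Before = $before
        After  = Get-SchannelState $item
    }
}
$report | Format-Table Key, Value, Before, After -AutoSize

# Leftovers of the '/' pitfall: 'RC4 128' is not one of the cipher key names given above.
$ciphers = $hklm.OpenSubKey("$base\Ciphers")
if ($null -ne $ciphers) {
    $ciphers.GetSubKeyNames() | Where-Object { $_ -match '^RC4 \d+$' } |
        ForEach-Object { Write-Warning "Stray key 'Ciphers\$_' (name was split at '/')" }
    $ciphers.Close()
}
```

If every row reads ok after a reboot and a scanner still reports SSLv3, the scanner is probably reaching something in front of IIS, such as the SSL-offloading load balancer mentioned in the first reply.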

  • Is it possible to install and run Windows Server 2008 on a Mac Mini Server in a Virtual Machine software like Parallels

    I am wondering if it is possible to install and run Windows Server 2008 on a Mac Mini Server as a VM, as my main application uses Windows Visual Basic and FoxPro and requires a static IP to connect to it. My other offices connect to the Windows Server via RDP.
    Basically I am researching a server for the same purpose, and since Mac Mini and OS X are both robust in nature, it can fit the bill if everything works fine.
    Thanks

    From the Parallels website:
    32-bit Operating Systems
    Windows 8 with: Windows 8, 8.1 (when available)
    Windows 7 SP1
    Windows Vista SP0, SP1, SP2
    Windows Server 2008 R2, SP2, SP1, SP0
    64-bit Operating Systems
    Windows 8
    Windows 7 SP1
    Windows Vista SP0, SP1, SP2
    Windows Server 2012
    Windows Server 2008 R2, SP2, SP1, SP0
    I do suggest that you upgrade RAM to at least 8gig
    if you haven't already.
    FWIW, I currently use Win8/64 bit with Parallels on a 2011 Mini Server
    using the windows environment for engineering applications and have
    had no issues.  I am running Mountain Lion but do not have the
    Server app installed.

  • Fax and Scan on Server 2008 Terminal Server

    Summary: Fax and Scan does not appear in the start menu on a terminal server with desktop experience installed.  Any ideas why? 
    I am running Windows Server 2008 Enterprise as  terminal server for about a dozen users.  I would like to enable them to use the fax server capability of our Windows SBS 2003 server.  From what I can tell, they can access the fax server using the Fax and Scan software on server 2008.  All of the documentation I've read says that when I enable the "Windows Desktop Experience" feature on Server 2008, the Fax and Scan software should appear in the Start Menu.  It's not there.  I have un-installed and re-installed Desktop Experience, but still no Fax and Scan.  From what I can see in the documentation, I don't need to install the fax server role to get the software, just the desktop experience feature.
    Is it possible that fax and scan and/or other features of desktop experience are disabled when terminal services are enabled?  Is there something else I'm missing?
    Thanks,
    Lee

     
    Hi,
    According to your description, I suspect that you may misunderstand “Desktop Experience” and “Windows Fax and Scan”.
    Based on my research, if you want to use Fax and Scan services on Windows Server 2008, you should install the Fax Server role from Server Manager first. (For instructions, see Install the Fax Server Role. http://technet.microsoft.com/en-us/library/cc771198.aspx)
    After you install the Fax Server Role, the Windows Fax and Scan item will appear in the Start Menu (Start\All Programs\Windows Fax and Scan).
    The Desktop Experience includes most of the applications and features that are provided in Windows Vista. Users who are using computers running Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate, and Windows Server 2008 can send a fax using the Windows Fax and Scan feature, either using a fax device attached locally or a fax server. To access this feature on Windows Server 2008, you must install Desktop Experience, which is available from Server Manager.
    You may refer to the following steps to install Desktop Experience:
    1. Open Server Manager: click Start, point to Administrative Tools, and click Server Manager.
    2. In the Features Summary section, click Add features.
    3. Select the Desktop Experience check box, click Next, and then click Install.
    Hope this is helpful.
    Nick Gu - MSFT

  • Install BI Tools with paid VS2008 Pro in workstation and paid Sql Server 2008 R2 in server?

    My workstation has VS2008 Pro (paid) and Sql Express (free); our Windows Enterprise server has SQL Server 2008 R2 RTM (paid).
    In other words, my workstation may not have a paid version of the sql server DB, but our server does. Is there a possibility that I can install the BI development tools in my workstation?
    Thanks.
    VM

    Hi VM,
    As you can see on the link below
    http://msdn.microsoft.com/en-us/library/cc645993(v=sql.105).aspx#Dev_tools
    The Business Intelligence Development Studio is not available on SQL Server 2008 Express Edition. So if you want the BIDS tool to be available on your workstation, then you need to change the edition from Express to another edition.
    Besides, you can install SQL Server Data Tools - Business Intelligence for Visual Studio 2012 on your workstation; in this case, the BI development tools are available on your workstation. The SQL Server Data Tools - Business Intelligence for Visual Studio 2012 is available on the link below.
    http://www.microsoft.com/en-in/download/details.aspx?id=36843
    Regards,
    Charlie Liao
    TechNet Community Support

  • CF8 and MS SQL Server 2008

    Hi,
    I'm wondering if anyone else has run into this issue. We are porting an older CF app to CF8 and upgrading our db at the same time. Our old model is CF 6.1 using MS SQL Server 2005 and our new model is CF8 using MS SQL Server 2008.
    I'm having the following issue....
    We have an application form where people apply to jobs, they can either type their text in, or copy and paste (usually from MS Word). On the back end we use CF ToBase64 and then ToBinary functions to convert the data to store it in a Blob field in the db.
    No code changes have been done.
    If the user copies and pastes into the form field and it contains MS bullet points, in our old model they are stored correctly, under the new model they are not. When I look at that candidates data on the web page I see ? marks where the bullets should be. Querying the db field directly and doing the necessary conversions to get the data back into string format, I can see that the field actually contains question marks.
    I have tried using Adobe's recommended change of using the CharsetDecode and CharsetEncode functions - these do not make any difference.
    Has anyone else encountered this problem?

    You may test encoding / decoding the input data (only testing the ToBase64 function), or maybe just display the input, without Base64 encoding, to check the encoding management. I guess it comes from the input page.

  • WLC 5508 and Microsoft Radius Server 2008

    Hi, I am trying to setup WLC 5508 for a customer who want to use MS NPS for Radius authentication, however there aren't many good documents showing how to configure the MS NPS.
    I have couple of questions:
    1, Does WLC 5508 support MS NPS on Server 2008 R2?
    2, Are there any good documents showing how to configure this?
    Thanks

    Hadisharifi,
    There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS  and WLC side configuration:
    Configure the WLC for RADIUS Authentication through an External RADIUS Server
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
    For the NPS side configuration, you may consider the attached document.
    Regds,
    JK
    Do rate helpful posts-

  • BO 3.2 and DB SQL Server 2008

    Dear All,
    We have installed MS SQL server 2008R2 on MS windows 2008R2. Now we are installing BOBJ data service 3.2 on another system with windows XP. While installing we are selecting the option connect to existing database.
    But after providing connection parameters we are getting the error:
    Cannot open connection to the repository. The error message from the underlying DBMS is <ODBC call <SQLDriverConnect> for data source <localhost> failed: <MicrosoftODBC SQL Server DriverDBNETLIBSQL Server does not exist or access denied.>. Notify Customer Support.>. (BODI-20006)
    Please advise
    Best Regards,

    Dear Jeff,
    The TCP/IP setting in SQL Server Configuration Manager is enabled.
    Dear manoj
    SQL Server 2008 client is installed; still the error.
    Checking at the command level, it requests the password. But as soon as I enter the password I am getting the error:
    sqlcmd -S(servername\instance) -U(username)
    Password: HResult 0xFFFFFFFF, Level 16, State 1
    SQL Server Network Interfaces: Error Locating Server/Instance Specified [xFFFFFF
    FF].
    Sqlcmd: Error: Microsoft SQL Server Native Client 10.0 : A network-related or in
    stance-specific error has occurred while establishing a connection to SQL Server
    . Server is not found or not accessible. Check if instance name is correct and i
    f SQL Server is configured to allow remote connections. For more information see
    SQL Server Books Online..
    Sqlcmd: Error: Microsoft SQL Server Native Client 10.0 : Login timeout expired.

  • Macs and printing from server 2008

    We have several new Mac OS Lion Macs. We have a Server 2003 domain and a file and printer server running Windows Server 2008 R2. For some reason in Lion the open directly printers on the print server don't show up but the workstation printers do. How can I fix this and list the main open directly printers? The network account server is working correctly and not timing out. Also, if this can't work, is there a way to make it work like in Windows from the network browser?

    Hi Justin,
    Yes. Passing DESTYPE=printer in the commandline will print the report to the default printer. You can additionally specify DESNAME='YourPrinterName' so that it prints to the printer specified in DESNAME.
    For more information, please refer to "Printing on Unix" document in the following page:
    http://otn.oracle.com/products/reports/htdocs/getstart/docs/index.html
    Regards,
    Siva

  • Event ID's 4005, 50 and 56 on Server 2008 R2 RDS

    My event logs are being hammered with Event 4005 The Windows logon process has unexpectedly terminated,
    Event 50 The Terminal Server security layer detected an error in the protocol stream and has disconnected the client
    and Event 56 The RDP protocol component <component> detected an error in the protocol stream and has disconnected the client.
    I have followed the suggestions in
    http://technet.microsoft.com/en-us/library/cc734097(v=ws.10).aspx and searched on this without finding a solution to make the events go away.
    I also tried following this suggestion to remove two Windows Updates (even though I have Win 2008 Standard R2 and not SBS)
    http://social.technet.microsoft.com/Forums/en-US/dd7157b8-8ecc-4a13-88ad-f4ca0d3b3249/error-the-windows-logon-process-has-unexpectedly-terminated?forum=smallbusinessserver
    I have cross-referenced the dates & times of these events with a login audit file I keep, hoping to find a pattern related to specific users, but no luck.
    Before I open a paid support ticket, I just want to find out if there is any common thread to these Event IDs.
    Can these be caused by:
    1) an RDP worm/malware?
    2) Macintosh RDP clients?
    3) Disconnected session being logged off after 2 hrs by policy?

    Hi,
    The error which you are facing might occur due to some network related issue or some RDP\disconnection related issue. You can try to configure TCP offload chimney, disable RSS, and disable NetDMA for Event ID 50 & 56. For Event ID 4005, as you have provided the link for the article: did you check whether the registry is corrupted? Windows logon service is running.
    Please check the articles below for more information:
    1.  How to troubleshoot “The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP:” and “The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client”err
    2.  How to resolve the issue “Remote Desktop Disconnected” or “Unable to Connect to Remote Desktop (Terminal Server)”
    Hope it helps!
    Thanks,
    Dharmesh

  • How to disable SSLv3 and keep only TLS for LDAP connection.

    Hi,
    I'm planning to keep only TLSv1.2 for LDAP connections.
    I tried to set LDAP_OPT_SSL_INFO in LDAP Session Options using a SecPkgContext_ConnectionInfo Structure with dwProtocol SP_PROT_TLS1_2_CLIENT(as described here -  https://social.msdn.microsoft.com/Forums/en-US/7544226d-97e1-4dae-a377-e382c2281e91/how-to-set-up-tls-in-ldap-connection?forum=vcgeneral),
    but it returns LDAP_PARAM_ERROR.
    I tried to call this function directly after ldap_sslinit/ldap_init and before ldap_connect() - without success, I tried to use other parameters with default values, I tried to initialize them by 0/other possible values - and also no success.
    How can I do this?
    Thanks for your advice.

    LDAP_PARAM_ERROR
    https://msdn.microsoft.com/en-us/library/aa367026(v=vs.85).aspx

  • Disable OCSP in Windows Server 2008 / IIS7

    Is it possible to disable OCSP Stapling on Windows Server 2008 / IIS7?
    The problem is that FF30 does not allow access to a secure site if the server supports OCSP Stapling and the user's computer time is in the past.  The error is sec_error_ocsp_future_response.  So users are not able to access our site simply because their time is incorrect!
    If they don't report the error to us, we can't tell them what to do about it and we lose customers.  So we need to disable OCSP Stapling.
    I've tried these things with no luck:
    add RequestOCSP of type DWORD and set it to 0 to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\
    certutil -setreg chain\ChainCacheResyncFiletime @now
    certutil -urlcache ocsp delete
    OCSP Stapling is commonly disabled (for example, sites such as amazon and google disable it). Please let me know how to disable OCSP Stapling on IIS7.

    Hi, please check on iis.net's forum. You will have a bigger audience there than here. I unfortunately can't move the thread there.
    Thank you for your understanding
    Regards, Philippe
    Don't forget to mark as answer or vote as helpful to help identify good information. ( linkedin endorsement never hurt too :o) )
    Answer an interesting question ? Create a wiki article about it!

  • WAAS WITH WINDOWS SERVER 2008 AND CERTIFICATE

    172.20.203.3:135        172.20.1.191:2751       PT AD Int Error
    172.20.221.205:51786    172.20.1.176:80         PT In Progress
    172.20.1.191:2751       172.20.203.3:135        PT AD Int Error
    172.20.221.3:443        172.20.1.29:25403       PT AD Int Error
    172.20.1.176:80         172.20.221.250:64345    PT In Progress
    172.20.221.250:64345    172.20.1.176:80         PT In Progress
    172.20.203.222:57837    172.20.1.232:80         PT In Progress
    172.20.1.138:2249       172.20.140.218:139      PT AD Int Error
    172.20.1.29:25403       172.20.221.3:443        PT AD Int Error
    172.20.1.29:25452       172.20.221.3:443        PT AD Int Error
    172.20.1.138:2241       172.20.140.218:445      PT AD Int Error
    172.20.1.29:25411       172.20.221.3:443        PT AD Int Error
    172.20.1.187:8014       172.20.221.250:64349    PT In Progress
    172.20.1.176:80         172.20.221.205:51786    PT In Progress
    172.20.140.218:445      172.20.1.138:2241       PT AD Int Error
    172.20.221.3:443        172.20.1.29:25452       PT AD Int Error
    172.20.1.138:1942       172.20.221.3:445        PT In Progress
    SMB Digital Signing is enabled by default on Domain Controllers - I'll double check, but don't believe it is enabled across ALL 2008 Server, but it would be worth checking.
    Digital Signing is designed to prevent man-in-the-middle attacks - which is precisely what WAAS is doing.
    Turning it off generally improves speed by around 20% even without WAAS, and lets WAAS use full DRE and the CIFS adapter to cache files.
    Any problems, just raise a TAC case and my boys will help you out.
    Edit: Link from MS which discusses it in more detail and how to turn off:
    http://support.microsoft.com/?kbid=887429
    According to that, it's NOT enabled across the board in 2008, just on the DC's.
    My company uses WAAS. As you can see above, whenever I try to do the implementation, WAAS is giving me the following message "pt in ad error" for all the connections that will be compatible with Windows. I did some research, and what's above has to do with the digital Windows certificate, which WAAS is struggling to open due to the code encrypted in the certificate. Do you happen to have a way of enabling the certificate within the module? Another option would be to disable the certificate in Windows Server 2008?

    Thiago,
    PT AD Int Error has nothing to do with SMB digital signatures.  PT AD Int error means TFO auto-discovery failed and could not negotiate an optimized flow; this is during the TCP 3-way handshake before digital signatures even come into play.
    A common reason for PT AD Int Error status is another device in the path before WAAS has filled up the TCP options field with other data, thus leaving no room for WAAS to put its TCP opt 0x21.
    Once you resolve the PT AD Int Error problem and a CIFS AO negotiated policy occurs, if the server/client require digital signatures then you will see the connection as T,G,D,L or T,G (meaning Generic AO).
    If digital signatures are not required the CIFS connections will show as T,C,D,L.
    I suggest you take packet captures on both client and server side WAEs to see how SYN and SYN-ACK packets are reaching the WAE and see if the options field is filled with data before reaching the WAE.
    If this is part of a WAAS PoC/ Demo feel free to open a case with the PDI team.
    http://www.cisco.com/web/partners/tools/pdi.html
    Otherwise, if this is in production please open a case with TAC.
    Regards,
    Mike Korenbaum
    Cisco Data Center PDI Help Desk
    http://www.cisco.com/go/pdihelpdesk


    Hi Experts, In creating PO preocess who will creats Address number (adrnr) which stored in ekpo table (ekpo-adrnr). Is it created by mannually or automatically? Thanks, Subbu.