Windows 2012 and security

Need security on your computers and networks?  Call me, my contacts are at www.networksetup.com

Do you have remote code prevention at your site?  "Remote code" here means unwanted code that someone outside your organization is running on your systems, and it is usually not good.  People can take advantage of your servers and workstations to:

  1. Utilize your resources.  They can host content from your servers by attacking your web servers.
  2. Spy on your organization and pull data out of it.
  3. Run malware or viruses that slow your computers.  Newer malware will mine cryptocurrency on your servers/desktops, creating wealth for unknown attackers at your expense!

Check your system by calling us at http://www.networksetup.com

ITIL certification

Took the three (3) day crash course ITIL training.  Then took the test; I barely passed.  Another trainee also passed.  I put our two scores here to show how difficult the test is.  I had to do significant studying on top of the three day class.  I am not a great test taker, so that is me.

itil_pass

microsoft windows powershell

Automating changes with PowerShell is your goal.  You should be able to do this in local and cloud datacenters, like Azure.  Azure is something you are studying, right?  Taking the Azure test 70-533?  Read the Azure test guide here:

https://docs.google.com/document/d/1kt7drQtvMHk8nmgHj94lZLPWglT78hKrwvpFcqMTmEU/edit?usp=sharing

You should be able to run PowerShell commands locally and remotely.  You will need to master access control to do this well.  Administrator rights and UAC will put hurdles in your plan (or is that painful pitfalls?).  Using batch files to launch PS files will help.

Use the "Invoke-Command" PowerShell cmdlet to run PowerShell commands on remote computers (like ones in Azure).

Need to change network settings?  There are PowerShell commands to change an IP address, and they usually need the interface index.  The interface index is often difficult to validate.  For example, msinfo32.exe will show different network interface indexes than other Windows commands!  I find this frustrating.  Netshell (netsh.exe) may be a more reliable way to change IP address settings on NICs.  The InterfaceAlias is available via the Get-NetIPInterface command.  Example:

PS C:\Windows\system32> Get-NetIPInterface

ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
21      Local Area Connection* 12       IPv6                  1500               5 Disabled Disconnected    ActiveStore
19      Ethernet 2                      IPv6                  1500               5 Disabled Disconnected    ActiveStore
14      isatap.home                     IPv6                  1280              50 Disabled Disconnected    ActiveStore
20      Wi-Fi 2                         IPv6                  1500              25 Enabled  Connected       ActiveStore
1       Loopback Pseudo-Interface 1     IPv6            4294967295              50 Disabled Connected       ActiveStore
21      Local Area Connection* 12       IPv4                  1500               5 Enabled  Disconnected    ActiveStore
19      Ethernet 2                      IPv4                  1500               5 Enabled  Disconnected    ActiveStore
20      Wi-Fi 2                         IPv4                  1500              25 Enabled  Connected       ActiveStore
1       Loopback Pseudo-Interface 1     IPv4            4294967295              50 Disabled Connected       ActiveStore

With this, we see that ifIndex 20 is our wireless adapter.  To change DNS settings only for wireless, type at the PowerShell prompt:

Set-DnsClientServerAddress -InterfaceIndex 20 -ServerAddresses "8.8.8.8"

How do you set it back to the normal DHCP-provided DNS?  Use the reset switch:

Set-DnsClientServerAddress -InterfaceIndex 20 -ResetServerAddresses

How do you set the IP address with PowerShell, once you have the interface index?

Use this command:

New-NetIPAddress -InterfaceIndex 2 -IPAddress 200.100.10.1 -PrefixLength 24 -DefaultGateway 200.100.10.10

Interface indexes are not all the same.  For example, msinfo32.exe will give a different interface index than "Get-NetIPInterface", so take the index from Get-NetIPInterface (or use the InterfaceAlias) when feeding these cmdlets.
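One way to sidestep the index confusion is to resolve the adapter by its InterfaceAlias at run time and let the cmdlets pick up the matching ifIndex. The following is an added example, not code from the original post; it assumes Windows 8/2012 or later (NetTCPIP and DnsClient modules), administrator rights, and WinRM enabled on the remote host for the -ComputerName case. The host name 'azure-vm-01' is a placeholder.

```powershell
# Added example (not from the original post): resolve a NIC by InterfaceAlias
# instead of trusting an ifIndex copied from msinfo32 or another tool, validate
# the DNS servers, and apply the change locally or through Invoke-Command.
# Assumptions: Windows 8/2012 or later, admin rights, WinRM for the remote case.

function Set-NicDns {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $InterfaceAlias,   # e.g. 'Wi-Fi 2' from Get-NetIPInterface
        [string[]] $ServerAddresses,                        # omit to go back to DHCP-provided DNS
        [string] $ComputerName                              # omit for the local machine
    )

    $work = {
        param($alias, $servers, $whatIf)
        # The index returned here is the one the Net*/DnsClient cmdlets expect;
        # it need not match what msinfo32.exe shows for the same adapter.
        $nic = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction Stop
        if (@($nic).Count -ne 1) { throw "Alias '$alias' did not match exactly one IPv4 interface" }
        if ($servers) {
            # Refuse anything that is not an IPv4 literal before touching the adapter.
            foreach ($s in $servers) {
                $parsed = [ipaddress]::None
                if (-not [ipaddress]::TryParse($s, [ref]$parsed) -or $parsed.AddressFamily -ne 'InterNetwork') {
                    throw "Not an IPv4 address: $s"
                }
            }
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $servers -WhatIf:$whatIf
        } else {
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ResetServerAddresses -WhatIf:$whatIf
        }
        # Return the resulting configuration so the caller can verify it.
        Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
    }

    $whatIf = [bool] $WhatIfPreference
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $InterfaceAlias, $ServerAddresses, $whatIf
    } else {
        & $work $InterfaceAlias $ServerAddresses $whatIf
    }
}

# Dry run, then point the wireless NIC at 8.8.8.8, then revert to DHCP DNS.
Set-NicDns -InterfaceAlias 'Wi-Fi 2' -ServerAddresses '8.8.8.8' -WhatIf
Set-NicDns -InterfaceAlias 'Wi-Fi 2' -ServerAddresses '8.8.8.8'
Set-NicDns -InterfaceAlias 'Wi-Fi 2'
# Same change on an Azure VM over WinRM (placeholder host name):
Set-NicDns -ComputerName 'azure-vm-01' -InterfaceAlias 'Ethernet 2' -ServerAddresses '8.8.8.8' -WhatIf
```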

Copyright 2016 Rod Deluhery

azure and windows on-site

Need Azure?  Need identity for your apps?  Microsoft is working on getting apps to work with your users' identities.  And connectivity, latency?  They have that covered with ExpressRoute: a point-to-point layer 3 connection from your servers to Azure.

https://azure.microsoft.com/en-us/documentation/articles/expressroute-howto-circuit-classic/

Get a list of providers:

PS C:\Users\elr2> Get-AzureDedicatedCircuitServiceProvider

Every provider returned the same DedicatedCircuitBandwidths column (50Mbps:50, 100Mbps:100, 200Mbps:200, 500Mbps:500, 1Gbps:1000, 2Gbps:2000, 5Gbps:5000, 10Gbps:10000); the names and DedicatedCircuitLocations are:

Name                                DedicatedCircuitLocations
----                                -------------------------
AARNet                              Melbourne,Sydney
Airtel                              Mumbai,Chennai
Aryaka Networks                     Amsterdam,Dallas,Silicon Valley,Singapore,Tokyo,Washington DC
AT&T                                Silicon Valley,Washington DC
AT&T Netbond                        Amsterdam,Chicago,Dallas,London,Silicon Valley,Singapore,Sydney,Toronto,Washington DC
British Telecom                     Amsterdam,London,Hong Kong,Silicon Valley,Singapore,Sydney,Tokyo,Washington DC
CenturyLink                         Silicon Valley
China Telecom Global                Hong Kong
Cologix                             Dallas,Toronto
Colt Ethernet                       Amsterdam,Dublin,London,Tokyo
Colt IPVPN                          Amsterdam,London
Comcast                             Chicago,Silicon Valley,Washington DC
Console                             Los Angeles
Coresite                            Los Angeles
Equinix                             Amsterdam,Atlanta,Chicago,Dallas,Hong Kong,London,Los Angeles,Melbourne,New York,Osaka,Sao Paulo,Seattle,Silicon Valley,Singapore,Sydney,Tokyo,Toronto,Washington DC
euNetworks                          Amsterdam
GEANT                               Amsterdam
IIJ                                 Osaka,Tokyo
InterCloud                          London,Singapore,Washington DC,Amsterdam
Internet Solutions - Cloud Connect  Amsterdam,London
Interxion                           Amsterdam,London,Paris
Jisc                                London
KPN                                 Amsterdam
Level 3 Communications - Exchange   Amsterdam,Chicago,Dallas,London,Seattle,Silicon Valley,Washington DC
Level 3 Communications - IPVPN      Amsterdam,Chicago,Dallas,London,Seattle,Silicon Valley,Washington DC
Megaport                            Dallas,Hong Kong,Las Vegas,London,Los Angeles,Melbourne,New York,Seattle,Singapore,Sydney,Washington DC
MTN                                 London
Next Generation Data                Newport
NEXTDC                              Melbourne,Sydney
NTT Communications                  London,Los Angeles,Osaka,Tokyo,Washington DC
Orange                              Amsterdam,Hong Kong,London,Silicon Valley,Singapore,Sydney,Washington DC
PCCW Global Limited                 Hong Kong
SIFY                                Chennai
SingTel Domestic                    Singapore
SingTel International               Singapore
SoftBank                            Osaka,Tokyo
Tata Communications                 Amsterdam,Chennai,Hong Kong,London,Mumbai,Silicon Valley,Singapore,Washington DC
TeleCity Group                      Amsterdam,Dublin,London
Telefonica                          Sao Paulo
Telenor                             Amsterdam,London
Telstra Corporation                 Melbourne,Sydney
Verizon                             Amsterdam,Chicago,Dallas,Hong Kong,London,Silicon Valley,Singapore,Sydney,Tokyo,Washington DC
Vodafone                            London
Zayo Group                          Chicago,Los Angeles,New York,Silicon Valley,Toronto,Washington DC
PS C:\Users\>

tcp window size – wireshark and windows

In the capture below, any one of the clients, servers or NetScalers is breaking TCP windowing and causing TCP to think the receive window/buffers are low.  For this one, it's not good!  That means you need to check client settings, NetScaler settings, and server settings.  All three are important.

Server/client settings are here:

https://support.microsoft.com/en-us/kb/934430

Make sure you understand "bandwidth delay product".  You may notice that even a small 10 millisecond RTT can cause serious slowness.  Using bandwidth delay product calculations, you can find out how slow an app will be (its true bandwidth).

Sometimes this results in a really SLOW data transfer, even on high speed links.  Read about it here and do some sample calculations.  The receive buffer size on both ends must be set high, and our network has to allow selective ACKs.

It's crazy important to get this right, or it causes our networks to run very slowly.

https://en.wikipedia.org/wiki/Bandwidth-delay_product

As part of the three way handshake, both sides advertise a window scale factor in their SYN packets.  So we might be able to tell, by checking the SYN packets from both sides, who is telling whom not to use TCP window scaling.

Here is some explanation:

https://www.wireshark.org/lists/wireshark-users/200903/msg00217.html

Netscaler TCP window scaling:

http://support.citrix.com/article/CTX113656#Configuring the TCP Window Scaling on a NetScaler Appliance. 

Below are some screenshots of Wireshark captures.  Notice the red bitmap shows NO window scaling used.
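The sample calculations the text asks for, as an added example (not from the original post): bandwidth-delay product, the throughput cap imposed by an unscaled 64 KB window, and the scale shift a link needs. Get-NetTCPSetting is assumed available (Windows 8/2012 or later).

```powershell
# Added example (not from the original post): bandwidth-delay product (BDP)
# arithmetic for the window/RTT problem described above, plus a read of the
# local receive-window autotuning level (which is what enables scaling).

function Get-TcpWindowPlan {
    param(
        [Parameter(Mandatory)] [double] $LinkMbps,      # link speed in megabits per second
        [Parameter(Mandatory)] [double] $RttMs,         # round-trip time in milliseconds
        [int] $WindowBytes = 65535                      # window on offer; 65535 is the max with no scaling
    )
    # Bytes that must be "in flight" to keep the pipe full.
    $bdpBytes = ($LinkMbps * 1e6 / 8) * ($RttMs / 1000)
    # Throughput can never exceed window / RTT, whatever the link speed.
    $capMbps  = ($WindowBytes / ($RttMs / 1000)) * 8 / 1e6
    # Window scaling (RFC 1323/7323) multiplies the 16-bit window by 2^shift, shift <= 14.
    $shift = if ($bdpBytes -le 65535) { 0 } else { [math]::Ceiling([math]::Log($bdpBytes / 65535, 2)) }
    [pscustomobject]@{
        LinkMbps              = $LinkMbps
        RttMs                 = $RttMs
        BdpBytes              = [int64] $bdpBytes
        OfferedWindow         = $WindowBytes
        MaxMbpsWithThisWindow = [math]::Round($capMbps, 1)
        NeedsScaling          = ($bdpBytes -gt 65535)
        ScaleShiftNeeded      = [int] $shift
    }
}

# Sample calculations: a 10 ms RTT caps an unscaled window at about 52 Mbps,
# so a 100 Mbps link needs shift 1 and a 1 Gbps link needs shift 5.
Get-TcpWindowPlan -LinkMbps 100  -RttMs 10
Get-TcpWindowPlan -LinkMbps 1000 -RttMs 10
Get-TcpWindowPlan -LinkMbps 1000 -RttMs 10 -WindowBytes (65535 * 32)

# Is receive-window autotuning enabled on this host?  "Disabled" means the
# host itself is the one refusing to scale.
Get-NetTCPSetting | Select-Object SettingName, AutoTuningLevelLocal, ScalingHeuristics
```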


clicked – hijacked

You have a nice Windows 2012 server, running all your IIS pages.  You think you are secure.  Well, have you had a security audit?  You might see this in a good website audit.  It's not a common attack, but it is easy enough for an average hacker/phisher to do.  Here an attacker takes parts of your website and puts them in a 'web frame', so that malicious parts of the page are delivered from a DIFFERENT website, sometimes impossible to tell the good from the bad.  Without certain HTTP response headers, your content is easier to hijack.  Read the Acunetix write-up here:

https://www.acunetix.com/vulnerabilities/web/clickjacking–x-frame-options-header-missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

The server didn’t return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
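To check for the missing header and then set it on an IIS site, here is an added example (not from the original post or the Acunetix article). It assumes the WebAdministration module (IIS 7 or later) and administrator rights for the fix; the URL and the site name are placeholders.

```powershell
# Added example (not from the original post): look for the X-Frame-Options
# header the audit flagged (or its CSP replacement, frame-ancestors), and
# add it to an IIS site's customHeaders. Site name and URL are placeholders.

function Get-HeaderValue($headers, [string] $name) {
    # Header names are case-insensitive; look up without relying on the collection type.
    foreach ($k in @($headers.Keys)) { if ($k -ieq $name) { return [string] $headers[$k] } }
    return $null
}

function Test-FrameProtection {
    param([Parameter(Mandatory)] [uri] $Uri)
    try {
        $headers = (Invoke-WebRequest -Uri $Uri -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop).Headers
    } catch {
        # Error pages and redirects carry headers too; a missing header there is still a finding.
        if (-not $_.Exception.Response) { throw }
        $headers = $_.Exception.Response.Headers
    }
    $xfo = Get-HeaderValue $headers 'X-Frame-Options'
    $csp = Get-HeaderValue $headers 'Content-Security-Policy'
    [pscustomobject]@{
        Uri               = $Uri
        XFrameOptions     = $xfo
        CspFrameAncestors = ($csp -match 'frame-ancestors')
        # Browsers honour DENY or SAMEORIGIN; ALLOW-FROM is obsolete, and
        # CSP frame-ancestors is the modern equivalent.
        Protected         = ($xfo -match '^\s*(DENY|SAMEORIGIN)\s*$') -or ($csp -match 'frame-ancestors')
    }
}

function Set-IisFrameProtection {
    param([string] $SiteName = 'Default Web Site',
          [ValidateSet('DENY', 'SAMEORIGIN')] [string] $Value = 'SAMEORIGIN')
    Import-Module WebAdministration
    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'
    # Update an existing entry rather than adding a duplicate <add name=...>.
    $existing = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'Collection' |
                Where-Object { $_.name -ieq 'X-Frame-Options' }
    if ($existing) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@name='X-Frame-Options']" -Name 'value' -Value $Value
    } else {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{ name = 'X-Frame-Options'; value = $Value }
    }
}

Test-FrameProtection -Uri 'https://www.example.com/'      # Protected = False before the fix
Set-IisFrameProtection -SiteName 'Default Web Site' -Value 'SAMEORIGIN'
Test-FrameProtection -Uri 'https://www.example.com/'      # Protected = True afterwards
```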

tcp offload

I like TCP offload NICs.  These NICs (network interface cards) do the TCP processing in the card itself, leaving the server CPU free to do other things.  Windows 2008 started shipping this feature; it was around before that with specialized drivers.

Chelsio sells these NICs to boost your server speed.

How to determine whether TCP Chimney Offload is working

When TCP Chimney Offload is enabled in the operating system and in the network adapter, the TCP/IP stack tries to offload suitable TCP connections to the network adapter. To find out which of the currently established TCP connections on the system are offloaded, follow these steps:

  1. Use administrative credentials to open a command prompt.
  2. Type the following command, and then press ENTER:

     netstat -t

     You receive output that resembles the following:

     Active Connections

       Proto  Local Address          Foreign Address        State           Offload State
       TCP    127.0.0.1:52613        computer_name:52614    ESTABLISHED     InHost
       TCP    192.168.1.103:52614    computer_name:52613    ESTABLISHED     Offloaded

     In this output, the second connection is offloaded.

For more information about TCP Chimney offload in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
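Reading that column by eye does not scale, so here is an added example (not from the original post or the Microsoft KB) that parses the "netstat -t" Offload State column and pairs it with the global Chimney setting. Get-NetOffloadGlobalSetting is assumed available (Windows 8/2012 or later); the sample lines are constructed from the KB output above.

```powershell
# Added example (not from the original post or the KB): script the netstat -t
# check. Assumes Windows 8/2012 or later for Get-NetOffloadGlobalSetting.

function ConvertFrom-NetstatOffload {
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Lines)
    process {
        foreach ($line in $Lines) {
            # Columns: Proto, Local Address, Foreign Address, State, Offload State
            if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(InHost|Offloaded)\s*$') {
                [pscustomobject]@{
                    LocalAddress   = $Matches[1]
                    ForeignAddress = $Matches[2]
                    State          = $Matches[3]
                    OffloadState   = $Matches[4]
                }
            }
        }
    }
}

function Get-OffloadSummary {
    param([string[]] $NetstatOutput = (netstat -t))
    $conns = $NetstatOutput | ConvertFrom-NetstatOffload
    [pscustomobject]@{
        Chimney   = (Get-NetOffloadGlobalSetting).Chimney   # Enabled / Disabled / Automatic
        Total     = @($conns).Count
        Offloaded = @($conns | Where-Object OffloadState -eq 'Offloaded').Count
        InHost    = @($conns | Where-Object OffloadState -eq 'InHost').Count
    }
}

# Constructed sample: the two connections from the KB output above.
$sample = @(
    '  TCP    127.0.0.1:52613        computer_name:52614    ESTABLISHED     InHost',
    '  TCP    192.168.1.103:52614    computer_name:52613    ESTABLISHED     Offloaded'
)
$sample | ConvertFrom-NetstatOffload | Format-Table -AutoSize   # one InHost, one Offloaded
Get-OffloadSummary                                              # live connections on this host
```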

perfmon

Windows 2012 has an improved performance monitor (perfmon).  The feature that I like best is the quick and handy way to find the current DISK QUEUE.  Disk queue length is a performance indicator of your disk speed.  Slow disk speed can make your virtual machines crawl, and your server in general will perform like a drunk pianist. . . it will sound horrible!  Perfmon can check disk queue length easily!  See the screen shot below for where the easy-to-find disk queue is.

Oh, and to improve disk speed (and reduce disk queue), use a RAID disk array and/or SSD solid state drives.
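The same disk queue counters perfmon shows can be sampled from PowerShell, which is handy on a server you reach over WinRM. This is an added example, not from the original post; the "about 2 outstanding I/Os per spindle" threshold is a common rule of thumb, not a figure from the post, so pass the real spindle count of each array (leave it at 1 for an SSD or a VM disk).

```powershell
# Added example (not from the original post): sample the PhysicalDisk queue
# counters perfmon displays and flag disks whose average queue exceeds a
# rule-of-thumb threshold of 2 per spindle (an assumption, not from the post).

function Get-DiskQueue {
    param(
        [int] $Samples = 5,           # how many samples to take
        [int] $IntervalSeconds = 2,   # seconds between samples
        [int] $SpindleCount = 1       # spindles behind each disk instance
    )
    $counters = @(
        '\PhysicalDisk(*)\Current Disk Queue Length',
        '\PhysicalDisk(*)\Avg. Disk Queue Length'
    )
    $data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    # Flatten all samples, drop the _Total instance, then summarise per disk.
    $data.CounterSamples |
        Where-Object { $_.InstanceName -ne '_total' } |
        Group-Object InstanceName |
        ForEach-Object {
            $cur = $_.Group | Where-Object { $_.Path -like '*Current Disk Queue Length' } |
                   Measure-Object CookedValue -Average -Maximum
            $avg = $_.Group | Where-Object { $_.Path -like '*Avg. Disk Queue Length' } |
                   Measure-Object CookedValue -Average
            [pscustomobject]@{
                Disk       = $_.Name
                CurrentAvg = [math]::Round($cur.Average, 2)
                CurrentMax = $cur.Maximum
                AvgQueue   = [math]::Round($avg.Average, 2)
                Busy       = ($avg.Average -gt (2 * $SpindleCount))   # sustained backlog
            }
        }
}

# Ten one-second samples against a four-spindle array:
Get-DiskQueue -Samples 10 -IntervalSeconds 1 -SpindleCount 4 | Format-Table -AutoSize
```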

copyright 2016 Rod Deluhery

disk_queue