Yesterday I put brakes on the Hyundai. One of the caliper slider pins was rusted solid. :( I heated it up with a torch, applied PB blaster, and beat the crap out of it. The replacement pin and boot were $50. Conveniently I just bought a new hammer that has a longer handle. The extra leverage helped a lot. It was supposed to be for teaching Derek blacksmithing, but now I might keep it.
The garage is pissing me off. It's time to get that shit cleaned up.
arg.
-ellie
Monday, October 19, 2009
Wednesday, September 16, 2009
SQL Network (Transport) Level Encryption. (TDS)
By default, Microsoft SQL connections only encrypt the login credentials. Everything else can be sniffed right off the wire. SQL 2008 (and some earlier versions) allows you to do encrypted SQL connections pretty easily. Here is how.
You will need:
- SQL Server (well duh!)
- A certificate server or "MakeCert".
- On Windows Server 2008, "WinHttpCertCfg".
MakeCert is a tool to "easily" make self-signed certificates without installing a full Certification Authority. It is part of the Windows SDK available from here. I am on XP, but downloaded the Windows Vista version, ran Setup and de-selected all of the items except for the SDK. Total download size was about 18mb.
Since my SQL Server is Windows 2008, I also needed WinHttpCertCfg. This tool is needed on Server 2008 to set permissions for the Private Key. More on that in a second. That is available here.
So, let's get to work.
First, you need your database server's FQDN. This is the Windows FQDN, not your internet FQDN. Right-click "Computer" or "My Computer" and write down the "Full computer name:". On Server 2008 this is on the "System" pane. On prior versions of Windows this is on the Computer Name tab.
Next you get to make your certificate. If you have a domain CA, go request a computer certificate, install it, and skip down to the "Assigning permissions to the service account" step. If you don't have a CA, we can use MakeCert.
The command for makecert is:
"C:\Program Files (x86)\Windows Resource Kits\Tools\makecert" -r -pe -n "CN=yourhost.yourdomain.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\MyCertificate.cer
The certificate will be saved to c:\MyCertificate.cer.
Now we import the certificate to the Local Machine's Personal store.
Start -> Run -> MMC.
File -> Add/Remove Snap-in -> Certificates -> Add -> Local Computer -> Next -> Finish -> Ok.
Expand Certificates and Right-Click the "Personal" Store. Select "Import".
Browse to c:\MyCertificate.cer -> Next. There is no password -> Next -> finish.
Almost Done. Now we need to give the SQL service account permissions to the private key of the Cert.
Pop open your command prompt and run this command. You need to substitute the appropriate Server FQDN (yourhost.yourdomain.com) and the SQL Service account. (SqlServiceAccount).
"C:\Program Files (x86)\Windows Resource Kits\Tools\winhttpcertcfg.exe" -g -c LOCAL_MACHINE\My -s yourhost.yourdomain.com -a SqlServiceAccount
Next, Enable the Sql Encryption.
Start -> All Programs -> Microsoft SQL Server 2008 -> Configuration Tools -> Sql Server Configuration Manager.
Expand "Sql Server network Configuration" and Right-click Protocols for MSSQLSERVER. Select Properties.
On the Certificate tab, Select the yourhost.yourdomain.com certificate.
On the flags tab, Select "Force Encryption=Yes"
Click ok.
Click ok to close the warning message.
Finally you need to restart the SQL Server service.
Voilà! Network Encryption is done.
MS KB316898 is the reference for this topic.
For the record, this is a "weak" security measure. It only does encryption. It still can be defeated with a man-in-the-middle attack, because SQL doesn't verify the certificates.
Hth,
Elizabeth Greene
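To confirm that "Force Encryption=Yes" took effect, the ENCRYPTION option in the server's TDS PRELOGIN reply can be read from a packet capture, since that exchange happens in the clear before any TLS handshake. The parser below is an added example, not part of the original post; the option layout follows the MS-TDS specification, and the sample payload and function names are constructed for illustration.

```python
import struct

# ENCRYPTION option token and values, as defined in the MS-TDS specification.
TOKEN_ENCRYPTION = 0x01
ENCRYPTION_MODES = {
    0x00: "ENCRYPT_OFF",      # only the login packet is encrypted
    0x01: "ENCRYPT_ON",       # the whole session is encrypted
    0x02: "ENCRYPT_NOT_SUP",  # no encryption at all
    0x03: "ENCRYPT_REQ",      # server requires an encrypted session
}

def parse_prelogin_options(payload: bytes) -> dict:
    """Map option token -> data for a PRELOGIN payload (8-byte TDS header removed).

    Each table entry is token (1 byte), offset and length (2 bytes each, big-endian).
    """
    options, pos = {}, 0
    while True:
        if pos >= len(payload):
            raise ValueError("option table has no 0xFF terminator")
        token = payload[pos]
        if token == 0xFF:  # terminator token ends the option table
            return options
        if pos + 5 > len(payload):
            raise ValueError("truncated option entry")
        offset, length = struct.unpack_from(">HH", payload, pos + 1)
        if offset + length > len(payload):
            raise ValueError("option data runs past the end of the payload")
        options[token] = payload[offset:offset + length]
        pos += 5

def session_encryption(payload: bytes) -> str:
    """Name the ENCRYPTION mode advertised in a PRELOGIN payload."""
    data = parse_prelogin_options(payload).get(TOKEN_ENCRYPTION)
    if data is None or len(data) != 1:
        raise ValueError("ENCRYPTION option missing or malformed")
    return ENCRYPTION_MODES.get(data[0], "UNKNOWN(0x%02x)" % data[0])

def is_fully_encrypted(payload: bytes) -> bool:
    return session_encryption(payload) in ("ENCRYPT_ON", "ENCRYPT_REQ")

def build_sample_response(mode: int) -> bytes:
    """Constructed sample payload: VERSION and ENCRYPTION options only."""
    version = bytes([10, 0, 6, 64, 0, 0])  # constructed version bytes
    data_start = 2 * 5 + 1                 # two table entries plus terminator
    table = struct.pack(">BHH", 0x00, data_start, len(version))
    table += struct.pack(">BHH", TOKEN_ENCRYPTION, data_start + len(version), 1)
    return table + b"\xff" + version + bytes([mode])

if __name__ == "__main__":
    for mode in (0x00, 0x03):
        print(session_encryption(build_sample_response(mode)))
```

A reply of ENCRYPT_OFF corresponds to the default described at the top of this post, where only the login is protected.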
Tuesday, June 16, 2009
Datestamps in batch files. (Unix and Dos)
In Linux, naming a file after today's date is pretty easy.
# Note: These are backticks, not quotes.
# They are on the same key as your tilde ~.
ls > `date +%Y-%m-%d.`txt
To get the possible formatting options, run the man date command.
In Dos it is pretty easy too, once you know the trick.
dir > %date:~-4,4%-%date:~-7,2%-%date:~-10,2%.txt
An Explanation:
The %date% environment variable contains the current date. Go ahead, test it. Pop open a command prompt and run echo %date%. The ":~-4,4" part does the cool thing. ":~" says "we want a substring". The "-" says "work from the end of the string backwards". The "4," says start at the fourth character, and the final "4" says give me four characters. The layout of %date% follows the machine's regional settings, so check the echo %date% output and adjust the offsets if your date order differs.
Cheat sheet!
| Date Part | Code |
|---|---|
| Day of week (3 letter abbr.) | %date:~0,3% |
| Day | %date:~-10,2% |
| Month | %date:~-7,2% |
| Year (2 digits) | %date:~-2,2% |
| Year (4 digits) | %date:~-4,4% |
HTH,
-Ellie
Tuesday, June 2, 2009
Goodbye, Adios, Au revoir, Ciao, Sayonara..
The company I work for is centralizing all IT operations. From a business perspective, it makes sense. The data center and development staff are all in one location, etc.
Unfortunately I really wasn't up for relocation with the kids being in school, et al.
So, today I was downsized as part of the IT centralization. :(
They gave me a nice severance package, and I wish them all the best. Now I have to find a new gig. If anyone needs an adept Jane-of-all-trades network engineer, please email me at Elizabeth.a.greene@gmail.com
Thanks,
Ellie
Friday, May 22, 2009
Making the AVG batch file into a single-file exe.
In my previous post, I made a batch file to automatically install AVG. Previously I would zip this .bat+.ini+.exe combination and send it to the Users. In a perfect world, the users open the zip and run the batch file. In the real world, the users will run the executable instead of the batch file. Even when it is named NoNotThisFilePlease.exe. This time I am going to make it user resistant. I am going to wrap it into a single .exe installer.
There are a number of commercial self-extracting installer products out there. I really like Paquet Builder. Unfortunately it is $50. That is about $40 more than I'm willing to pay.
To do this for FREE you need the 7-zip installer and "7z Library, SFXs for installers, Plugin for FAR Manager" from the 7-zip download page. Also you may optionally want Resource Hacker. This lets you change the .EXE icon to something pretty.
Procedure:
- Install 7-zip.
- Open the folder with the batch file and files.
- Compress the files into archive.7z
  - Select the required files.
  - Right-click, 7-Zip, Add To Archive.
  - Name the 7-zip file archive.7z.
  - The avg installer is already well compressed so the best compression method for it is just "store". It makes decompression fast too.
- Open the 7-zip extras package and copy 7zSD.sfx and config.txt into the same directory as archive.7z. The config.txt file is in the /installer directory.
- Edit config.txt and change it to run your batch file. Here is my example.
    ;!@Install@!UTF-8!
    Title="GlobalOptions AVG8 Distributable v1.0"
    BeginPrompt="Do you want to install AVG8?"
    RunProgram="AVGSetup.Bat"
    ;!@InstallEnd@!
- Finally "compile" the self-extracting EXE. This is actually just concatenating the files together.
  - Open a command prompt.
  - Change to the directory with archive.7z, 7zSD.sfx, and config.txt
  - Run this command.
    copy /b 7zSD.sfx + config.txt + archive.7z AvgSetup.exe
That's it. That command copies the .sfx "stub", the config file, and the archive into a single .EXE file.
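Because the installer is a plain concatenation, the config block, and with it the program the .exe will launch, can be read back out of the finished file before it is sent to users or run. The script below is an added example, not part of the original post; the stub and archive bytes are constructed stand-ins, and the function names are hypothetical.

```python
import re

CONFIG_START = b";!@Install@!UTF-8!"
CONFIG_END = b";!@InstallEnd@!"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # signature that opens every .7z archive

def inspect_sfx(blob: bytes) -> dict:
    """Split stub + config + archive and return what the config will launch."""
    start = blob.find(CONFIG_START)
    end = blob.find(CONFIG_END, start + len(CONFIG_START)) if start != -1 else -1
    if end == -1:
        raise ValueError("no SFX installer config block found")
    text = blob[start + len(CONFIG_START):end].decode("utf-8", errors="replace")
    # Config lines have the form Key="value".
    settings = dict(re.findall(r'^\s*(\w+)="(.*)"\s*$', text, flags=re.M))
    archive_offset = blob.find(SEVENZ_MAGIC, end + len(CONFIG_END))
    if archive_offset == -1:
        raise ValueError("no 7z archive follows the config block")
    return {"stub_size": start, "settings": settings,
            "archive_offset": archive_offset}

def build_sample() -> bytes:
    """Constructed sample, joined the same way as the copy /b command above."""
    stub = b"MZ" + b"\x00" * 510                      # stand-in for 7zSD.sfx
    config = (b';!@Install@!UTF-8!\r\n'
              b'Title="GlobalOptions AVG8 Distributable v1.0"\r\n'
              b'BeginPrompt="Do you want to install AVG8?"\r\n'
              b'RunProgram="AVGSetup.Bat"\r\n'
              b';!@InstallEnd@!\r\n')
    archive = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24  # stand-in for archive.7z
    return stub + config + archive

if __name__ == "__main__":
    info = inspect_sfx(build_sample())
    print("stub bytes:", info["stub_size"])
    print("archive starts at:", info["archive_offset"])
    print("will run:", info["settings"].get("RunProgram"))
```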
Finally and optionally the .exe needs a pretty icon. :D For Anti-virus software I am rather fond of this one. "Symbol". Note: it is not free for commercial use.
To change the icon:
- Open ResHack.exe.
- File-> Open -> open the executable.
- Expand the "icon" group and expand Icon 1.
- Right-click the icon and select Replace Resource.
- Click "Open File with new Icon".
- Navigate to your .ico file.
- Click Replace.
- Save the executable.
That's it,
I hope this helps,
-Ellie
One-Click AVG Installer
AVG is my current favorite Antivirus product. It does what I need and generally stays out of the way. Unfortunately the version upgrade from 7.5 to 8.0 has no upgrade path for our 160 users that are A.) Remote B.) Not on a domain and C.) not on a VPN.
Thanks so much Grisoft. Really, Thanks.
So anyway I installed the new datacenter software, AVG Admin 8 and got it all set up. For the users in AD we rolled it out and now we have to figure out how to upgrade all the remote users.
I went through the AVG wizard to create an installer. That got me a batch file and a .ini file for the installer. I edited the batch file and .INI to install it with our preferences. When finished I ended up with a .bat file that the users can run to install the app.
AvgSetup.bat
@ECHO OFF
echo This application will automatically install AVG 8.0.
echo Please wait. This window will automatically close
echo when the installation is complete.
SET SETUP="%CD%\Setup\avg_ipw_stf_all_85_339a1525.exe"
%SETUP% /SCRIPT_FILE "%CD%\AvgSetup.ini" %1 %2 %3 %4 %5 %6 %7 %8 %9
echo.
echo.
Echo Setup is complete. If the AVG icon is not visible on your taskbar, then please reboot your PC now.
pause
AvgSetup.ini
LICNO: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
RESTART:
KILL_PROCESS_IF_NEEDED:
QUIT_IF_INSTALLED:
NAME: "MyCompany"
COMPANY: "MyCompany"
DCPATH: "avg.example.com:4158"
NOAVGTOOLBAR:
ADD_FEATURE: fea_AVG_HttpScanner
ADD_FEATURE: fea_AVG_SafeSurf
ADD_FEATURE: fea_AVG_SafeSearch
ADD_FEATURE: fea_AVG_Exchange_plugin
ADD_FEATURE: fea_AVG_EMC
ADD_FEATURE: fea_AVG_Office_2000_plugin
ADD_FEATURE: fea_AVG_Cl
NO_WELCOME:
That's it. Now we have a one-click installer for a fully configured AVG application.
Check out my next post for how to make this a user-resistant install.
Friday, April 3, 2009
Exchange 2007 POP/IMAP between Active Directory sites .. with solution!
As a follow up to the previous post, Pop and Imap can work between sites as well. The referenced paper says they can't, but it is incorrect.
To enable Imap between a CAS server and Mailbox server in 2 separate AD sites, edit this file
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe.config
and change this line to true.
<add key="AllowCrossSiteSessions" value="false" />
POP3 is eerily similar.
To enable Pop3 between a CAS server and Mailbox server in 2 separate AD sites, edit this file
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe.config
and change this line to true.
<add key="AllowCrossSiteSessions" value="false" />
Note to Microsoft: A quasi-legible text based configuration file. Thank you!