Tuesday, August 8, 2017

Enable and Set as Default TLS 1.2 on Windows 7 and Windows 2008 R2

I had to ensure that TLS 1.2 is being used on a Windows 2008 R2 server, and was using a Windows 7 workstation to test it.  Just some quick notes on the whole process.

I had to update Windows 2008 R2 to Service Pack 1 as the first step.  Windows 7 must be on SP1 as well.

Microsoft KB 3080079 adds support for TLS 1.1 and 1.2 for Windows 7 SP1 and Windows 2008 R2 SP1 but DOES NOT force use of it (see later steps):

Apply KB3140245 to Windows 2008 R2 SP1 server and to Windows 7 SP1.  This KB gives the ability to set TLS 1.2 as the default protocol.  The article also explains how to set it as default on both Win 7 and Win 2008 R2:

Enable TLS 1.2 on Windows Server 2008 R2 SP1 and Win 7 SP1 after the above KBs are installed.  The article applies to Windows 7 SP1 also, though it doesn’t state that:

Windows 7 and Win2008R2 TLS/SSL settings reference.  More info than you need to simply enable TLS 1.2, but might be useful:
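An added example (not from the original post or from the Microsoft articles it refers to) that audits, and with the script's own `-Apply` switch sets, the SCHANNEL and WinHTTP registry values that enable TLS 1.2 and make it the default once the KBs above are installed. It assumes an elevated PowerShell 2.0 or later session and that TLS 1.2 alone (`0x800`) is the wanted WinHTTP default.

```powershell
# Added example. Run elevated on Windows 7 SP1 / Server 2008 R2 SP1.
# Without -Apply it only reports; with -Apply it also writes the values.
param([switch]$Apply)   # -Apply is this script's own (hypothetical) switch

$proto   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$winHttp = 'Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$TLS12   = 0x800        # DefaultSecureProtocols bit for TLS 1.2 (0x200 = TLS 1.1)

$settings = @(
    @{ Path = "$proto\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$proto\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$proto\Server"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$proto\Server"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "HKLM:\SOFTWARE\$winHttp";             Name = 'DefaultSecureProtocols'; Value = $TLS12 },
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$winHttp"; Name = 'DefaultSecureProtocols'; Value = $TLS12 }
)

# DefaultSecureProtocols has no effect unless KB3140245 is installed.
if (-not (Get-HotFix -Id 'KB3140245' -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB3140245 is not listed by Get-HotFix; confirm it is installed.'
}

foreach ($s in $settings) {
    # Skip the 32-bit view on 32-bit Windows, where Wow6432Node does not exist.
    if ($s.Path -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }

    $current = $null
    if (Test-Path $s.Path) {
        $prop = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($prop) { $current = $prop.($s.Name) }
    }

    # The WinHTTP value is a bitmask, so test the TLS 1.2 bit; the rest must match exactly.
    if ($s.Name -eq 'DefaultSecureProtocols') {
        $ok = ($current -ne $null) -and (($current -band $TLS12) -ne 0)
    } else {
        $ok = ($current -ne $null) -and ($current -eq $s.Value)
    }
    $state = if ($ok) { 'OK' } else { 'NOT SET' }
    Write-Output ("{0,-8} {1}\{2} = {3}" -f $state, $s.Path, $s.Name, $current)

    if ($Apply -and -not $ok) {
        # Create the key only when missing: New-Item -Force on an existing key wipes its values.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
    }
}
```

Reboot after applying; SCHANNEL reads these values at startup.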

Friday, June 16, 2017

Clear Disk Space Used by the System Volume Information Folder

Our monitoring system reported that disk space on a Windows 2008 R2 Enterprise server was very tight, less than 6GB free on a 136GB drive.  I checked the folders of the usual suspects that might be using large amounts of disk space, but none were using a large amount of space, and the Recycle Bin was empty.  What the heck?

I installed TreeSize Free on the server and discovered that the System Volume Information folder was using nearly 52GB of space.  Some searching showed lots of articles related to Windows System Backup or System Restore Points taking up lots of space in SVI, but that wasn’t relevant on this server.  I ran across this post, and one of the comments discussed Enabling and then Disabling Shadow Copies on the volume to clear out lots of SVI space.

I looked at the Shadow Copies tab of the Properties of the volume (right-click over the drive in Windows Explorer and choose Properties), and it showed that Shadow Copies was disabled, but showed 50GB+ in the Used column (I didn’t take a screenshot of that unfortunately, but the one below is similar).  After doing a bit of research to make sure enabling Shadow Copies is a safe operation to perform on a live production server, I enabled it.

After clicking Yes to enable Shadow Copies, I disabled it by clicking the Disable button and clicking Yes on the confirmation dialog.

After enabling and then disabling Shadow Copies, I re-scanned the volume with TreeSize Free.  The System Volume Information folder now took up only 3.0MB!

Friday, July 29, 2016

How To Confirm Which NIC a Failed telnet Attempt is Going Out Using Wireshark

I was troubleshooting why a FIX session was failing to connect over the Internet, when it worked the previous night.  Initially I thought that the connection was going out the incorrect interface.  Recently, I’d added a virtual NIC to the virtual machine, and realized that some traffic that was previously going over the NIC with Internet connectivity was now going over the new NIC (which is connected to our internal management network).  I defined a route to ensure the traffic to the FIX session in question would go out the Internet-facing NIC, but wanted to confirm absolutely that the traffic was going out that interface (because otherwise, it would never reach the Internet).  I ran a continuous telnet test to the IP and port and fired up Wireshark.  I initially tried to filter on the port in question, but saw no traffic.  So, I tried several other Wireshark filters to try to see packets related to the failing telnet test:
  • tcp.port==xxxxx
  • udp.port==xxxxx
  • telnet
  • ip.addr==the IP I was trying to reach

No packets whatsoever in Wireshark.  What the heck?  Admittedly, I’m a relative networking newbie, so I don’t have a firm grasp of the protocols and packets used by a telnet connection attempt.  What was I finally able to use to figure out that the traffic was absolutely going out the Internet-facing NIC?  I filtered on the ARP protocol (Wireshark filter arp) on a whim, and was able to see that the request for the IP address in question was indeed going out that interface. In this example, the ARP "who has x.x.x.x?" told me the traffic was going out the correct interface.

ARP "who has x.x.x.x?" packets
Now to go find my firewall colleague to tell me if the traffic is indeed reaching the Internet. If it is, then the issue is likely at the site that I'm trying to connect to....

Thursday, June 16, 2016

Why are my network interfaces not coming up at boot time on CentOS 6?!?!?

This has bugged me recently with a customer CentOS server that requires manual ifup of network interfaces following a reboot.  Well, thinking about it, it may be that I have to start the network service manually (service network start)... either way.  So many solutions to this issue related to not having ONBOOT=yes in the ifcfg file for the interface, but that was not the cause in this instance.  I finally discovered the cause today.  You can blame the fact that I'm a relative Linux newb for not finding this sooner.  Thanks to this forum post for enlightening me (see the answer by b13n1u):

CentOS 6.5 not bringing up network interface automatically after reboot [ifup eth0]

Here's the abridged version of chkconfig --list output from this server:

# chkconfig --list
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:off   3:off   4:off   5:off   6:off

So, the services NetworkManager and network are not set to start.  So, this should be the solution to the issue.  I'm rebooting it this weekend, so I guess we'll see how that works.

chkconfig network on

Saturday, February 13, 2016

Wealth and Income Inequality - Bernie Sanders' Views

"Today, we live in the richest country in the history of the world, but that reality means little because much of that wealth is controlled by a tiny handful of individuals.

The issue of wealth and income inequality is the great moral issue of our time, it is the great economic issue of our time, and it is the great political issue of our time.

America now has more wealth and income inequality than any major developed country on earth, and the gap between the very rich and everyone else is wider than at any time since the 1920s.  
The reality is that since the mid-1980s there has been an enormous transfer of wealth from the middle class and the poor to the wealthiest people in this country. That is the Robin Hood principle in reverse. That is unacceptable and that has got to change."

That's how Bernie Sanders starts to outline his views on wealth and income inequality.  I'm firmly behind Bernie for President and hope you'll at least consider his views, even if you disagree.  Here's his whole outline on the issue from his website, which I agree with 110%.

Tuesday, March 31, 2015

Tim Cook: Pro-discrimination ‘religious freedom’ laws are dangerous

From Tim Cook's op-ed piece in the Washington Post on Sunday

There’s something very dangerous happening in states across the country.

A wave of legislation, introduced in more than two dozen states, would allow people to discriminate against their neighbors. Some, such as the bill enacted in Indiana last week that drew a national outcry and one passed in Arkansas, say individuals can cite their personal religious beliefs to refuse service to a customer or resist a state nondiscrimination law.

Others are more transparent in their effort to discriminate. Legislation being considered in Texas would strip the salaries and pensions of clerks who issue marriage licenses to same-sex couples — even if the Supreme Court strikes down Texas’ marriage ban later this year. In total, there are nearly 100 bills designed to enshrine discrimination in state law.

These bills rationalize injustice by pretending to defend something many of us hold dear. They go against the very principles our nation was founded on, and they have the potential to undo decades of progress toward greater equality.

America’s business community recognized a long time ago that discrimination, in all its forms, is bad for business. At Apple, we are in business to empower and enrich our customers’ lives. We strive to do business in a way that is just and fair. That’s why, on behalf of Apple, I’m standing up to oppose this new wave of legislation — wherever it emerges. I’m writing in the hopes that many more will join this movement. From North Carolina to Nevada, these bills under consideration truly will hurt jobs, growth and the economic vibrancy of parts of the country where a 21st-century economy was once welcomed with open arms.

I have great reverence for religious freedom. As a child, I was baptized in a Baptist church, and faith has always been an important part of my life. I was never taught, nor do I believe, that religion should be used as an excuse to discriminate.

I remember what it was like to grow up in the South in the 1960s and 1970s. Discrimination isn’t something that’s easy to oppose. It doesn’t always stare you in the face. It moves in the shadows. And sometimes it shrouds itself within the very laws meant to protect us.

Our message, to people around the country and around the world, is this: Apple is open. Open to everyone, regardless of where they come from, what they look like, how they worship or who they love. Regardless of what the law might allow in Indiana or Arkansas, we will never tolerate discrimination.

Men and women have fought and died fighting to protect our country’s founding principles of freedom and equality. We owe it to them, to each other and to our future to continue to fight with our words and our actions to make sure we protect those ideals. The days of segregation and discrimination marked by “Whites Only” signs on shop doors, water fountains and restrooms must remain deep in our past. We must never return to any semblance of that time. America must be a land of opportunity for everyone.

This isn’t a political issue. It isn’t a religious issue. This is about how we treat each other as human beings. Opposing discrimination takes courage. With the lives and dignity of so many people at stake, it’s time for all of us to be courageous.

Monday, March 30, 2015

Legal discrimination in Indiana? I'm not sure.

My initial reaction to the Indiana Religious Freedom Restoration Act is "religious freedom needs to be restored???"  OK, well, I suppose many different groups feel that they are persecuted, so let's push the limit of non-separation of church and state even more.  So, my knee-jerk reaction is "crap, I don't want to support Indiana in any way at all, so now I have to stop drinking Three Floyds beer.  Crap I wish Three Floyds would move to Illinois!"

I have to join many others in saying that I won't knowingly support any business in Indiana, because I don't see a difference between a sign at a place of business that says "Colored people not served" and a sign stating "Gay persons not served".  The world is changing, and serving a gay person will not result in you being refused access to Heaven.

From New York magazine

Did Indiana Just Legalize LGBT Discrimination? Governor Pence Can’t Say
By Margaret Hartmann

Immediately after Indiana governor Mike Pence signed the Religious Freedom Restoration Act into law last week, the new law was bashed by everyone from Miley Cyrus to Hillary Clinton for making it easier for businesses to refuse to serve gay customers by claiming religious freedom. Over the weekend hundreds protested the law at the Indiana statehouse, Angie's List froze a $40 million expansion in the state, and Apple CEO Tim Cook denounced the "very dangerous" law in a Washington Post op-ed.

With furor over the law growing, Pence appeared on ABC's This Week, saying he was "determined to clarify" the law and "correct the gross mischaracterization" that's been spread by "many in the media." Then he failed to do so in a spectacular fashion. Host George Stephanopoulos repeatedly asked the key question — "if a florist in Indiana refuses to serve a gay couple at their wedding, is that legal now in Indiana?" — but each time Pence refused to give a yes or no answer.

Instead, he repeatedly said that the law is based on the 1993 Religious Freedom Restoration Act signed into law by President Bill Clinton, and President Obama supported a similar law when he was an Illinois state senator (which PolitiFact rated only "half true"). Noting that many people feel their religious liberty is being infringed upon following the implementation of Obamacare and the Supreme Court's Hobby Lobby decision (which religious employers actually won), Pence said the purpose of the legislation "is very simply to empower individuals when they believe that actions of government impinge on their constitutional First Amendment freedom of religion."

Pence also said he'd be open to adding a section to the bill that "reiterates and amplifies and clarifies what the law really is," but confusingly also insisted "we're not going to change the law." And when Stephanopoulos asked Pence if he thinks "it should be legal in the state of Indiana to discriminate against gays or lesbians?" outside the context of the law that just passed, he still couldn't give a clear yes or no. (Pence answered, "Come on. Hoosiers don't believe in discrimination!" and pointed out that they're really nice, which probably means "no.")

A large part of the reason Pence had a hard time clarifying what the law means in practice is because no one's really sure. The Religious Freedom Restoration Act says "a governmental entity may not substantially burden a person's exercise of religion" unless there's a "compelling governmental interest" or it's "the least restrictive means of furthering" that interest. There's no specific mention of sexual orientation, but opponents didn't make up that interpretation. Eric Miller of Advance America, one of the key lobbyists behind the bill, said on his website that the law will ensure:

  • Christian bakers, florists, and photographers should not be punished for refusing to participate in a homosexual marriage! 
  • A Christian business should not be punished for refusing to allow a man to use the women’s restroom!
  • A church should not be punished because they refuse to let the church be used for a homosexual wedding!

Plus, Indiana conservatives began pressing for the law after they lost their fight to block marriage equality in the state a year ago.

Courts will decide whether the law actually bolsters the case of business owners who refuse to serve gay people and lesbians, and legal experts are divided on how they'll rule. As the Indianapolis Star explains, while about a dozen cities in Indiana have laws that specifically protect gay people and lesbians, there are no LGBT protections in statewide nondiscrimination laws. (And Pence says he will not push to make gay people and lesbians a protected class.) The paper says it's "difficult to find an analogous case" from another state to predict what would happen if someone discriminated against an LGBT individual for religious reasons in Indiana.

So, while it wouldn't have improved Pence's Sunday show performance, the most correct answer to Stephanopoulos's questions is probably "maybe."