Author Archive for: Chris

A Quick Look at IIS Crypto

22 Apr 2014

For many years now (I think about a decade) I have been building and managing Windows Web servers for a SaaS company. First as a contractor, then an employee and most recently as a consultant (tip: relationships matter). While I don’t have it down to an automated science, I do have pretty detailed checklists that I run through as part of each build.

My goal has always been to keep the server configurations consistent yet adapt as each new Windows Server release comes out. My first checklist was for a Server 2000 build. The one I updated last week was for 2012 R2. That’s covering some serious territory. IIS has certainly changed a lot over the years.

Of course, a big part of the builds revolves around security. One aspect of security is managing the SSL protocols and cipher suites offered by IIS. And, more importantly, which ones you do not wish to offer. I’ve documented this over the years and done some automation with batch files, vbs files (I know, I know…) and even .reg (registry import) files.

As I was updating the most recent servers last week I thought I had better do some quick research and make sure my notes were still current. These things date back 5 – 10 years after all. For instance, I know just half a year ago we went through the servers and disabled RC4 at Microsoft’s suggestion. That was never folded into my build notes…

While looking for SSL security updates I stumbled over a very handy little utility: IIS Crypto. I downloaded the tool, tried it on a dev server and then hit it with an external Qualys scan. It worked great – and fixed up a few holes that I had incorrectly plugged over the years (whoops). Now IIS Crypto is part of my toolbox.


Just download and run it on your web server and choose the “Template” that applies. For me, that’s Best Practices with one click, then a second click to disable RC4 128/128 just to be consistent. Hit apply, schedule a reboot and you’re in good shape. Need to be PCI or FIPS compliant? Those templates are there as well.

There’s even a quick way to scan yourself from Qualys SSL Labs.

Very slick. Highly recommended.

From their site:

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website.
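
The protocol and cipher switches discussed in this post are stored under the SCHANNEL registry key. The following read-only PowerShell check is an added example, not code from the post or from IIS Crypto's authors; it assumes PowerShell 3.0 or later, and the protocol and cipher lists in it are this example's choice.

```powershell
# Added example: read-only audit of the SCHANNEL registry settings that control
# which protocols and ciphers Windows offers. Nothing is modified.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    # Go through the .NET registry API instead of the HKLM: drive. Cipher key
    # names such as "RC4 128/128" contain a forward slash, which the PowerShell
    # registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Get-SchannelState {
    param([string]$SubKey)
    $enabled = Get-SchannelValue -SubKey $SubKey -Name 'Enabled'
    if ($null -eq $enabled) { return 'not set (OS default applies)' }
    if ($enabled -eq 0)     { return 'disabled' }
    return 'enabled'
}

# Assumed lists for this example; extend them to match your own checklist.
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$ciphers   = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

$report = @()
foreach ($p in $protocols) {
    # Protocol keys can also carry a DisabledByDefault value; only Enabled is reported.
    $report += [pscustomobject]@{
        Kind  = 'Protocol (server)'
        Name  = $p
        State = Get-SchannelState -SubKey "Protocols\$p\Server"
    }
}
foreach ($c in $ciphers) {
    $report += [pscustomobject]@{
        Kind  = 'Cipher'
        Name  = $c
        State = Get-SchannelState -SubKey "Ciphers\$c"
    }
}

$report | Format-Table -AutoSize

# Flag any RC4 cipher that is not explicitly disabled in the registry.
$report | Where-Object { $_.Kind -eq 'Cipher' -and $_.State -ne 'disabled' } |
    ForEach-Object { Write-Warning "$($_.Name) is $($_.State)" }
```

The registry only shows what is configured; SCHANNEL changes take effect after a reboot, so an external scan remains the confirmation of what the server actually offers.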

LastPass on Android Now Logs Into Mobile Apps

28 Mar 2014

Best new feature ever. This makes LastPass so much easier to use on the tablet.

(This is a link post — click the title of this article to get to the article it references).

AWS WorkSpaces Now Live

27 Mar 2014

Just following up from last week’s article on the AWS WorkSpaces beta, I’m happy to see the product has gone live now.

(This is a link post — click the title of this article to get to the article it references).

OneNote News from March 2014

26 Mar 2014

Over the years, OneNote has slowly transitioned to an application that I cannot live without. I have it installed on my laptop, desktops, phones and tablet – and via any web browser since I store all my notebooks on OneDrive (formerly known as SkyDrive). It has become both my long and short term memory and, frankly, I can’t function well without it. I keep all sorts of task lists, project plans, notes, guides, clippings in there and tend to have it open in a monitor at all times.


Last week was a big week for OneNote news. I thought I’d share some of the more interesting ones here.

1) OneNote for Mac exists now. Yep, the hip OS X (10.9 or later) crowd can join in the fun. There were already versions for iOS phones and tablets so this rounds that out nicely.

2) OneNote is free everywhere/every platform. There are still premium features available to paid customers, which include things like SharePoint support, versioning and Outlook integration. Those are all very useful features, but you can live without them for a bit while getting up to speed. More details in this OneNote blog post.

3) You can mail items to your default OneNote notebook. Just send or forward the mail to “me@outlook.com” after you have done a bit of setup at the OneNote Email Settings page and you now have a great way to capture more data.

4) There is now a cloud API for OneNote to allow 3rd party apps and devices to connect to it. Of the current offerings, I’m most intrigued by the IFTTT and Feedly options… but there are some others that people will find cool as well. More details for developer types can be found at the OneNote Service API Dev Center.

Want to keep up with all this and more? Check out the OneNote blog.