Tag Archive for: security

Java: Suppress Sponsor Offers

25 Aug 2014

While it is popular and common to suggest that we should avoid installing Java if we’re security conscious – or at least not enable it in our browsers – sometimes that’s just not an option. For instance, the web application that I spend my days in needs Java to be fully functional.

Java upgrades are a drag. One of the worst aspects has been to remember to uncheck the current sponsor stuff. Nope, I don’t need an Ask Toolbar and I really don’t want McAfee Security Center installed. Ever!

If you feel the same way, you will love this new option at the bottom of the Advanced tab in the Java Control Panel:

Suppress sponsor offers when installing or updating Java

That’s pretty great. You can find the Java Control Panel in your Windows Control Panel. If you are running Windows 8 or 8.1, just hit the Windows key and type Java Control, and search will turn it up as well.


A Quick Look at IIS Crypto

22 Apr 2014

For many years now – I think about a decade — I have been building and managing Windows Web servers for a SaaS company. First as a contractor, then an employee and most recently as a consultant (tip: relationships matter). While I don’t have it down to an automated science, I do have pretty detailed checklists that I run through as part of each build.

My goal has always been to keep the server configurations consistent yet adapt as each new Windows Server release comes out. My first checklist was for a Server 2000 build. The one I updated last week was for 2012 R2. That’s covering some serious territory. IIS has certainly changed a lot over the years.

Of course, a big part of the builds revolves around security. One aspect of security is managing the SSL protocols and cipher suites offered by IIS. And, more importantly, which ones you do not wish to offer. I’ve documented this over the years and done some automation with batch files, vbs files (I know, I know…) and even .reg (registry import) files.

As I was updating the most recent servers last week I thought I had better do some quick research and make sure my notes were still current. These things date back 5 – 10 years after all. For instance, I know just half a year ago we went through the servers and disabled RC4 at Microsoft’s suggestion. That was never folded into my build notes…

While looking for SSL security updates I stumbled over a very handy little utility: IIS Crypto. I downloaded the tool, tried it on a dev server and then hit it with an external Qualys scan. It worked great – and fixed up a few holes that I had incorrectly plugged over the years (whoops). Now IIS Crypto is part of my toolbox.

IIS Crypto Screenshot

Just download and run it on your web server and choose the “Template” that applies. For me, that’s Best Practices with one click, then a second click to disable RC4 128/128 just to be consistent. Hit apply, schedule a reboot and you’re in good shape. Need to be PCI or FIPS compliant? Those are templates there as well.
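The registry-file approach mentioned earlier and the RC4 click above come down to a handful of SCHANNEL registry values, which is what IIS Crypto edits under the hood. The script below is an added example, not code from this post or from IIS Crypto: it audits (or, with `$Audit = $false`, applies) the server-side disabling of SSL 2.0/3.0 and the RC4 cipher keys, and uses the .NET registry API because the cipher key names contain a `/` that the PowerShell registry provider would treat as a path separator.

```powershell
# Added example, not code from the post or from IIS Crypto. It edits the same
# SCHANNEL registry keys the tool manages: disable the server side of SSL 2.0/3.0
# and disable the RC4 ciphers. Run in an elevated PowerShell; SCHANNEL reads the
# keys at boot, so schedule a reboot. $Audit = $true only reports drift.
$Audit = $true
$base  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher key names contain "/", which the PowerShell registry provider treats as a
# path separator (New-Item would create nested keys), so the .NET Registry API is used.
$protocolsToDisable = @('SSL 2.0', 'SSL 3.0')
$ciphersToDisable   = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128')

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value, [bool]$AuditOnly)
    $path = "$base\$SubKey"
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $hklm.OpenSubKey($path, $true)          # $null if the key does not exist
    $current = if ($key) { $key.GetValue($Name, $null) } else { $null }
    if ($current -eq $Value) {
        Write-Output "OK      $path\$Name = $Value"
    } else {
        $shown = if ($null -eq $current) { '<absent>' } else { $current }
        Write-Output "CHANGE  $path\$Name : $shown -> $Value"
        if (-not $AuditOnly) {
            if (-not $key) { $key = $hklm.CreateSubKey($path) }
            $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    }
    if ($key) { $key.Close() }
}

foreach ($p in $protocolsToDisable) {
    # Enabled=0 together with DisabledByDefault=1 turns the protocol off server-side.
    Set-SchannelDword "Protocols\$p\Server" 'Enabled'           0 $Audit
    Set-SchannelDword "Protocols\$p\Server" 'DisabledByDefault' 1 $Audit
}
foreach ($c in $ciphersToDisable) {
    # Enabled=0 on the cipher key removes that cipher from what SCHANNEL will offer.
    Set-SchannelDword "Ciphers\$c" 'Enabled' 0 $Audit
}
```

Running it in audit mode before and after applying an IIS Crypto template is a quick way to see exactly which keys the template touched.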

There’s even a quick way to scan yourself from Qualys SSL Labs.

Very slick. Highly recommended.

From their site:

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website.

LastPass on Android Now Logs Into Mobile Apps

28 Mar 2014

Best new feature ever. This makes LastPass so much easier to use on the tablet.

(This is a link post — click the title of this article to get to the article it references).

Left Dropbox / Came back to Dropbox

17 Feb 2014

I know I’m not alone when it comes to concerns about Dropbox and privacy/security. Last year there were a few “issues” in the press. Then the Dropbox app on my phone updated and wanted access to my contacts? “Pfft, nuts to that – time to check options!” said I. I have a large amount of free storage thanks to years of their referral program so I had to keep storage in mind. A free 2 GB account wasn’t going to cut it.

(and yes, let’s not forget that when you’re getting a product for free you are most likely the real product in that equation)

SkyDrive (soon to be OneDrive) is online storage that I’m already using. I have a personal account with a bunch of free “early adopter” storage but I also have a work account that I have on all my machines for key work stuff. That includes shared OneNote notebooks and such. Works great and I have never had an issue with it.

But. I once looked into running multiple SkyDrive clients on the same machine and it sure didn’t look like it would be worth the hassle. (has that changed?).

Finally, I recalled Box. When I bought my tablet last fall it came with a 50 GB subscription to Box storage. Well there you go – a nice storage upgrade and the price is right. I went looking for a Windows client.
