Tag Archive for: Windows

Freeing up Space on Server 2008 R2 (and 2012)

15 Jul 2014
July 15, 2014

We manage a pile of Windows Server 2008 R2 machines across a bunch of clients and many of those servers weren’t necessarily built by us. As such, sometimes space is allocated… poorly… And many of those servers are frequently dancing on the edge of running out of space on the C: drive.  (I will spare you the rant about 20 GB C: partitions. Maybe.)

While there’s always the option of resizing partitions, there isn’t always the time to do it. Either arranging a convenient time to take the server down during business hours or the more common after-hours (nights and weekends) time to travel onsite and do it at a time that doesn’t inconvenience anyone. Either way, never convenient for everyone.

What usually happens is I run WinDirStat on the server and look for anything obvious that can be cleared. Recycle bin? Logs? Assorted temp directories? That sort of stuff.

What often shows up? C:\windows\WinSxS directory. You know you can’t just delete it, right? Bad form.

 Good news. I recently stumbled over a blog post that I have found incredibly helpful for cleaning up WinSxS. Turns out that if your server is reasonably current in patches (you need KB2852386), the Disk Cleanup Wizard has the ability to cleanup Windows Update files.

Can’t find the Disk Cleanup Wizard? Well yeah, there’s a wrinkle there: first you need to install the Desktop Experience Feature. And reboot.

Yeah, I know, I know, but it is worth the amount of space you’ll reclaim. Honest.

And good news, this applies to Server 2012 and R2 as well. On a couple older servers I have reclaimed a lot of space doing this. Which is a heck of a lot easier than rooting around a bunch of random directories trying to find things to delete or compress. Right?

A Quick Look at IIS Crypto

22 Apr 2014
April 22, 2014

For many years now – I think about a decade — I have been building and managing Windows Web servers for a SaaS company. First as a contractor, then an employee and most recently as a consultant (tip: relationships matter). While I don’t have it down to an automated science, I do have pretty detailed checklists that I run through as part of each build.

My goal has always been to keep the server configurations consistent yet adapt as each new Windows Server release comes out. My first checklist was for a Server 2000 build. The one I updated last week was for 2012 R2. That’s covering some serious territory.IIS has certainly changed a lot over the years.

Of course, a big part of the builds revolves around security. One aspect of security is managing the SSL protocols and cipher suites offered by IIS. And, more importantly, which ones you do not wish to offer. I’ve documented this over the years and done some automation with batch files, vbs files (I know, I know…) and even .reg (registry import) files.

As I was updating the most recent servers last week I thought I had better do some quick research and make sure my notes were still current. These things date back 5 – 10 years after all. For instance, I know just half a year ago we went through the servers and disabled RC4 at Microsoft’s suggestion. That was never folded into my build notes…

While looking for SSL security updates I stumbled over a very handy little utility: IIS Crypto. I downloaded the tool, tried it on a dev server and then hit it with an external Qualys scan. It worked great – and fixed up a few holes that I had incorrectly plugged over the years (whoops). Now IIS Crypto is part of my toolbox.

IIS Crypto Screenshot

Just download and run it on your web server and choose the “Template” that applies. For me, that’s Best Practices with one click, then a second click to disable RC4 128/128 just to be consistent. Hit apply, schedule a reboot and you’re in good shape. Need to be PCI or FIPS compliant? Those are templates there as well.

There’s even a quick way to scan yourself from Qualys SSL labs.

Very slick. Highly recommended.

From their site:

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website.

Process Explorer Updated

21 Feb 2014
February 21, 2014

Have you checked out the latest version of Sysinternals Process Explorer? This remains one of my favorite tools to use when trying to get a grip of what’s really going on in a Windows machine.

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

Now there’s one more really handy feature: it will submit the running processes to VirusTotal.com for further analysis. Don’t panic! It isn’t sending the actual files; it is sending hashes of them and it does it all very quickly. VirusTotal submits each process to up to 50 AV scanners and sends back the results of the scan. Just click the link in the right-most column to see the scan results.

Slick. Read more →

AWS: Check Drive’s Removal Policy

22 Dec 2013
December 22, 2013

This might be something that everyone else knows, but I was quite surprised the other day and thought I would share.

AWS Disk PropertiesI had just added some new EBS volumes to a new SQL Server database EC2 instance in AWS. See, I like to add 2 or 4 higher IOPS drives to database servers and then use the OS to put them in a RAID 0 stripe(s) for data files (and TempDB if I don’t have an ephemeral SSD handy. But perhaps that’s a post for another day…).

While configuring these new drives into an array I somewhat inadvertently ended up in the Properties dialog for one of the drives. Since I was there, I thought I would check things out.

The drive’s Removal policy was, by default, “Quick Removal.” This doesn’t strike me as the key to ultimate performance! This is how you treat external USB drives.

I checked the other 3 drives and determine that 3 out of the 4 I had just added were Quick and the one was “Better performance.” I then spot checked a handful of other instances and found similar results. Needless to say, I set them all to “Better” and then carried on.

But now I’m curious: Why were they defaulting to “Quick removal”. Yet, why weren’t ALL sharing that default?

Anyways, something to watch for when provisioning a new Windows server. Seems that this would apply to any virtualization platform, not just AWS.