Stop! Why do you want to disable IPv6? I see this regularly in forums, along with other unusual statements like “If you’re not using it, disable it” or “It’s just another attack vector, disable it.”
Well, unless you’re running Windows XP and Server 2012, you’re using IPv6. If something does not work and disabling IPv6 fixes it, then it’s usually because your network is not configured correctly (usually your routers are doing something called IPv6 Address Allocation*).
“From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system, and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6”
Microsoft said that in 2016, and still there are people routinely disabling IPv6?
*Note: You can disable SLAAC (Stateless Address Autoconfiguration) on a Cisco router with the interface command “no ipv6 address autoconfig”.
Disabling IPv6 Alternative Solution
Before people accuse me of ‘not living in the real world’: if you have legacy equipment or ages-old applications, you may need to consider ‘doing something about IPv6’, but your first action should be to prefer IPv4 over IPv6.
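As an added example (not part of the original post), this is how to apply that preference on a Windows machine from an elevated PowerShell prompt: it sets the DisabledComponents value Microsoft documents for the Tcpip6 service to 0x20, which keeps IPv6 enabled but makes Windows choose IPv4 addresses first.

```powershell
# Added example, not from the original post: prefer IPv4 over IPv6 instead of
# disabling IPv6. Uses Microsoft's documented DisabledComponents value for Tcpip6.
# Run from an elevated prompt; a reboot is required for the change to take effect.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$name = 'DisabledComponents'

# Show what is set now (no value at all means the default: IPv6 preferred).
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host 'DisabledComponents not set (default, IPv6 preferred)'
} else {
    Write-Host ('DisabledComponents is currently 0x{0:X}' -f $current)
}

# 0x20 = keep IPv6 on, but prefer IPv4 in the prefix policy table.
# 0xFF (the value many forum posts hand out) disables IPv6 components outright,
# which is exactly what this article argues against.
Set-ItemProperty -Path $key -Name $name -Value 0x20 -Type DWord
Write-Host 'Set DisabledComponents to 0x20 (prefer IPv4). Reboot to apply.'

# After the reboot, verify: the IPv4-mapped prefix ::ffff:0:0/96 should now have a
# higher precedence than ::/0 in this table.
netsh interface ipv6 show prefixpolicies
```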
Both SSL and TLS are cryptographic protocols designed to secure communications over a network (remember, the internet is just a network). Originally we had SSL version 1 and version 2, but they were (to be honest) ‘a bit bobbins’ and full of security holes, so they never really took off. Version 3, however, did, and was widely supported. The problem with version 3 was (again) that it was also ‘bobbins’. All this came to a head with the POODLE exploit, and people started getting rid of SSLv3.
So, what about TLS? Well, TLS v1.0 was largely based on (but not compatible with) SSLv3. TLS 1.1 replaced v1.0 (circa 2006). Problems with it prompted TLS 1.2 (circa 2008). Then that was the standard until TLS v1.3 (circa 2018).
However: just because you use the newest protocols does not necessarily mean you are more secure. Most documentation you read says TLS 1.2 ‘should’ be secure (that’s reassuring, eh!). This is because these protocols are built on cryptographic ciphers, and they are only as secure as those ciphers. You can undermine a strong protocol with a weak cipher and render it less secure. In some cases you may need to do this, or you might simply enable a cipher to fix a ‘problem’ without understanding the consequences.
You are ‘Probably’ Reading this Because…
You’ve had a security audit, or a company has scanned your network and produced a report that says you are running insecure protocols and you need to do something about it.
THINK: Security is a good thing (I’m all for it), BUT just rushing to turn things off can cause you problems. Where possible, test any remediation in a test environment: many old legacy applications (for legacy read ‘applications that are business critical, and you can no longer update or get support on’) may still be using these old protocols. Simply disabling SSLv3.0, TLS v1.0, 1.1 and/or 1.2 can have negative effects, either on YOUR applications or in the browsers of your clients. Remember, if you provide a web-based service it will also need testing with any browser that your staff, or even the public, may be using to access your web-based platforms.
TLS 1.0 and TLS 1.1 might be ‘deprecated’, but they are still widely used; disabling them will probably cause you more problems than the older SSL protocols, so test, test, and test.
ISOLATE: If you have old legacy applications and you need to retain them for compliance or financial reasons, then consider simply MITIGATING the risk by taking them off the local network and running them in isolation.
DOCUMENT: If you need TLS 1.1 then that’s fine; just because a scan picked it up does not mean that you HAVE TO run to the server room and disable it. Most compliance standards are fine with you not fixing something, providing you document what it is and why it’s still enabled.
Windows TLS 1.2 Support: Clients from Windows Vista, and servers from Server 2008, support TLS 1.2, but all the way to Windows 8.1 and Server 2012 R2 it requires an update, so make sure you are fully up to date before attempting to use TLS 1.2.
Exchange: Support for TLS 1.1 and 1.2 wasn’t added until Exchange 2013 (CU8) and Exchange 2010 (SP3 RU9). Beware: some (older) Microsoft Outlook clients will only work with TLS 1.0.
Windows Client (Internet Explorer) Disabling SSL3 and TLS 1.0, TLS 1.1
Before disabling protocols on the server, it’s good practice to disable those protocols on the clients some time beforehand; the easiest way to do this is via Group Policy.
Windows Server Disabling SSL3 and TLS 1.0, TLS 1.1
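As an added example (my own code, not from the original article), the script below audits the SCHANNEL registry keys Windows uses for server-side and client-side protocols, records the starting state (your DOCUMENT evidence), makes sure TLS 1.2 is explicitly on, and only then disables SSL 3.0, TLS 1.0 and TLS 1.1 on the server side. Run it elevated on a test box first; a reboot is needed for the change to apply.

```powershell
# Added example, not from the original article: audit then disable legacy SCHANNEL
# protocols on a Windows server. Keep the "before" output for your change record.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Get-SchannelState {
    # One row per protocol/side. A missing key means "OS default", which on older
    # servers generally means the protocol is still enabled.
    foreach ($proto in ($legacy + 'TLS 1.2')) {
        foreach ($side in 'Server', 'Client') {
            $p = Get-ItemProperty -Path (Join-Path $base "$proto\$side") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $(if ($null -eq $p) { 'default' } else { $p.Enabled })
                DisabledByDefault = $(if ($null -eq $p) { 'default' } else { $p.DisabledByDefault })
            }
        }
    }
}

function Set-SchannelProtocol {
    param([string]$Protocol, [ValidateSet('Server', 'Client')][string]$Side, [bool]$On)
    $k = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    # Enabled=0 switches the protocol off; DisabledByDefault=1 stops applications
    # that do not name a protocol explicitly from opting back in.
    $enabled  = $(if ($On) { 1 } else { 0 })
    $disabled = $(if ($On) { 0 } else { 1 })
    New-ItemProperty -Path $k -Name Enabled -Value $enabled -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $k -Name DisabledByDefault -Value $disabled -PropertyType DWord -Force | Out-Null
}

# 1. Record the starting state (save this with your change request).
Get-SchannelState | Format-Table -AutoSize

# 2. Explicitly enable TLS 1.2 first; taking the old protocols away from a server
#    that has nothing newer turned on leaves it unable to accept any TLS connection.
foreach ($side in 'Server', 'Client') { Set-SchannelProtocol -Protocol 'TLS 1.2' -Side $side -On $true }

# 3. Disable SSL 3.0, TLS 1.0 and TLS 1.1 on the server side only; the client side
#    is done separately (and earlier) via Group Policy, as the article advises.
foreach ($proto in $legacy) { Set-SchannelProtocol -Protocol $proto -Side 'Server' -On $false }

# 4. Show the result for the change record, then reboot.
Get-SchannelState | Format-Table -AutoSize
```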
Last Friday, the IT world was hit by another attack: WannaCry is a ransomware infection that exploits a hole in the Windows SMB protocol.
This hole was patched back in March (security update MS17-010), so if your (Windows Update supported) systems have updates enabled, you will probably already be protected.
Why were big organisations like the NHS hit? Primarily because they have systems that are no longer supported (or patched) by Microsoft, e.g. Windows XP (support ended in 2014) and Windows Server 2003 (support ended in 2015). It happens because organisations have software that cannot run on more modern operating systems, so instead of migrating away from the software, Trusts continue to run old operating systems.
Solution
WannaCry Removal
If you are already infected, disconnect your affected machines from the network; Kaspersky has a tool that you can use.
Enable Windows Updates and, wherever possible, set it to automatically install updates. If you are a corporate customer, then put together a patching policy that has security updates tested and rolled out in a matter of days.
Backup your machines: the most effective defence is having your files backed up, so if you are infected you can simply roll back to before the infection.
Be vigilant: don’t click attachments in emails unless you are 100% sure they are genuine.
Local Firewalls: Turn them on (Start > Run > Firewall.cpl {enter}).
Corporate firewalls: Block all inbound TCP 139 and TCP 445 traffic.
Run up-to-date AntiVirus and AntiMalware.
Don’t pay the ransom, and don’t engage with the perpetrators.
Related Articles, References, Credits, or External Links
By default all modern distributions of Windows come with their client firewall enabled, which is a good thing. Most corporate networks simply disable it, using the rationale that they have a corporate firewall and security software etc. Again, that’s fine, but what if you want to leave it on and still be able to ping that host to see if it’s alive?
Solution
The firewall exception is already written for you; you just have to enable it.
Open the Windows Firewall with Advanced Security console > Inbound Rules > ‘File and Printer Sharing (Echo Request – ICMPv4-In)’ > Enable Rule. Obviously do the same for IPv6 (if required).
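As an added example covering both the WannaCry firewall advice above and this ping exception (my own script, not from either original article), the following keeps the Windows host firewall on, blocks inbound SMB on TCP 139/445, and enables the built-in ICMPv4/ICMPv6 echo rules so the host still answers ping. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later); the SMB rule name is made up for this example.

```powershell
# Added example, not from the original articles. Run from an elevated prompt.
# 1. Host firewall on for every profile (don't rely solely on the corporate firewall).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# 2. Block inbound SMB (TCP 139/445), the protocol WannaCry spread over.
#    Caveat: a file server needs 445 open to its legitimate clients, so on those
#    hosts scope the rule (e.g. with -RemoteAddress) rather than blocking everything.
$smbRule = 'Block inbound SMB (TCP 139,445) - example'   # constructed name
if (-not (Get-NetFirewallRule -DisplayName $smbRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $smbRule -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 139, 445 -Profile Any | Out-Null
}

# 3. Enable the ready-made echo-request rules instead of writing an allow-all ICMP
#    rule; the wildcard matches both the ICMPv4-In and ICMPv6-In variants.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv*-In)' |
    Enable-NetFirewallRule

# 4. Verify: all profiles enabled, the SMB block present, the echo rules enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled
Get-NetFirewallRule -DisplayName $smbRule | Select-Object DisplayName, Enabled, Action
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv*-In)' |
    Select-Object DisplayName, Enabled, Profile
```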
Note: this command assumes that you are using Internet Explorer as your browser; if not, substitute your browser path and file details for those of iexplore.exe, or use the Browse option of Task Manager to locate it.
9) Click OK and your browser should start up and begin the download process.
10) When prompted for the download, click Run; the black screen fix program will download and run to automatically fix the issue.
11) Now restart your PC and the black screen problem will hopefully be gone.
It seems a long road to get to installing Hyper-V, but now we are ready to actually install it as a SERVER ROLE. Server 2008 has many different roles, and Hyper-V is just one of them. However, unlike most other roles, Hyper-V requires a reboot; if you think about what Hyper-V actually does then this should come as no surprise. Hyper-V is (as the name suggests) a bare-metal hypervisor that sits beneath the OS, so the reboot is the digital equivalent of Windows Server 2008 jumping in the air and sliding Hyper-V underneath itself.
Solution
1. If you ran through Part 1 then your disc is up to date. If not, zip over to Microsoft and download/install the Hyper-V RTM update.
2. Server Manager should start when you log in; if not, Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles.
3. Next
4. Tick Hyper-V > Next.
5. Next.
6. We have only got one NIC in this case; select it > Next.
7. Install.
8. Coffee time...
10. Close.
11. Yes > Let it reboot (coffee cooled down by now).
13. How you store your drives is up to you; I tend to create a master folder and then place a folder inside that one for Virtual Hard Drives, and one for Configuration Files > Browse > Set accordingly.
14. Repeat for your configuration files.
15. Much tidier.
16. And again.
17. Now, EXCLUDE the master folder from your AV scanning software on the host 2008 server, for THREE reasons:
a. Why scan a machine that you should have AV software running inside of anyway?
b. Your VM will run slowly if it’s getting scanned on every read and write operation.
c. Do something clever like failover etc., and VMs may not mount if the configuration file is seen as “locked”, i.e. getting scanned by AV.
18. Virtual Networks: there are three types.
External: Connects VM guests to VM guests and the outside world.
Internal: Connects VM guests to VM guests AND the Hyper-V server.
Private: Connects VM guests to VM guests.
19. I want my VM guests to be available to the outside world, so I’ve connected the server NIC to the External Network > Apply > OK.
20. Click Yes. Remember, if you’re RDP connected this will boot you off for about one cup of coffee’s worth of time...
Back in Part 1 we looked at getting your Hyper-V media up to date. The next logical step would be to install Hyper-V, but I’ve never been that logical, and I already had a Hyper-V server at home, so I thought before I went any further I would install the Hyper-V Management tools on my laptop; then I could continue this from the comfort of my sofa.
In an ideal world that would have taken about 5 minutes and then I could get back to doing things in a logical order, BUT it turned out to be such a trip round the houses that I thought I’d better do this first.
Why simply installing a management console has to be so difficult I don’t know. I’ve read many posts on other sites and forums where it “Just Worked”, but mine didn’t, so let’s take the worst-case scenario and deal with that.
Before you start you need...
1. A machine running Vista WITH SP1 installed.
2. The Hyper-V management update; there’s a sea of dead links on the internet for these (x86 or x64).
1. Assuming you have installed the RSAT already, put the administrative tools on your Start menu: right click the taskbar > Properties > Start Menu > Customize > System Administrative Tools > Display on the All Programs menu and the Start menu.
Note: I add the Run command here as well because I use it all the time (yes, I know in Vista you can use the “Start Search” box, but you will see in my articles I always use Start > Run).
2. And there they are, but Hyper-V is nowhere to be found. I spent an age searching the internet for the update, and about two minutes after I asked the question in the TechNet forum I found them. Download the x86 or x64 version as appropriate and install the update.
3. And there it is. Brilliant! Click it...
4. Select Connect to Server.
5. Give it the name or IP of the Hyper-V server > OK.
6. And mine broke...
Error: You do not have the required permission to complete this task. Contact the administrator of the authorization policy for the computer “Server name”.
OK, after some web searching, head scratching, and reading some excellent articles/blogs, the problem seems to be that I have a domain at home, and my laptop is not in that domain; it’s in my work domain. You will also get this error in a workgroup environment. You need to create a user on the Hyper-V server and assign some permissions.
Configuration (On the Vista Client)
7. Start > Run > cmd {enter} > Issue the following two commands.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
8. Start > Run > dcomcnfg {enter} > Component Services > Computers > My Computer > My Computer > Right Click > Properties.
10. COM Security tab > Access Permissions area (top section) > Edit Limits > ANONYMOUS LOGON > Grant Local and remote access > Apply > OK.
Now take a note of the username you are using on your Vista machine (in my case pete).
Configuration (On the Hyper-V Server)
11. Create a user on the server (if it’s a domain controller it will need to be a domain user) with the same name and password as the one logged into your Vista client PC. Then Start > Run > cmd {enter} > Enter the following command:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
11. Start > Run > dcomcnfg {enter}.
12. Component Services > Computers > My Computer > My Computer > Right Click > Properties.
13. COM Security tab > Launch and Activation Permissions (bottom) > Edit Limits > Add.
14. You need to add in your new user and the Authenticated Users group.
15. > Grant > Remote Launch and Remote Activation > (FOR AUTHENTICATED USERS) > OK.
16. Grant > Remote Launch and Remote Activation > (FOR YOUR LOCAL USER) > OK.
17. Start > Run > Compmgmt.msc {enter}.
18. WMI Control > Right click > Properties.
19. OK, you need to make changes to permissions on TWO things for your USER and Authenticated Users. The first object you are going to change is CIMV2; select it then press Security.
Add > Authenticated Users > Your Local User > Select EACH > Advanced > select the new user and group in turn > Edit > In the “Apply to” drop-down select “This namespace and subnamespaces” > Select Remote Enable > Tick “Apply these permissions to objects and/or containers within this container only”.
NOTE: So by the time you have finished this step you have assigned a group and a user rights to CIMV2.
THEN REPEAT THE WHOLE PROCESS AND ASSIGN THE SAME PERMISSIONS TO THE root\virtualization NAMESPACE (it’s near the bottom of the list that CIMV2 is in).
22. Browse > C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml > OK.
23. Expand Hyper-V services > Role Assignments > Administrator > Administrator > In the right-hand window > Right click > Assign Users and Groups > From Windows and Active Directory > Add your user and Authenticated Users.
24. Users and group added > OK.
Close all open windows and REBOOT THE SERVER!!
25. Now, when you connect, it should work. Go and have a brew, you’ve earned it 🙂
Anyone who has tried the version of Hyper-V that came in the first release of Server 2008 may well have written it off as a bad lot. In Microsoft’s defence it was still a beta product in that initial release, but for many the damage has now already been done. (It seems the mistakes made by releasing “Longhorn Beta 1.00001” to the public have still not been learned.)
I’ve been meaning to spend more time with this product. As I spend a lot of time with VMware ESX and Virtual Center, I know the questions people are going to ask, and unlike many I’m happy to give Hyper-V a fair chance.
So if the initial release is the one you have, either on your DVDs, in your TechNet/MSDN folders or in downloads, then it is buggy and problematic. You can patch the server when it’s built, but I intend to do a lot of work with the product so I want the DVD/ISO fixed before I start. Yeah, I could use nLite to include the update, but I’ll stick with the Windows Automated Install Kit.
1. Install the WAIK: select “Windows AIK Setup” > Next > I Agree > Next > Next > WAIK will install > Close. Then close down the window.
2. Copy the contents of the Server 2008 DVD to a folder on your C: drive called C:\2008x64. Create another folder called C:\WIM, then locate the install.wim file and copy it from C:\2008x64\sources to C:\WIM.
3. Create a further two directories on the C: drive, one called C:\hyperv_update and the other called C:\hyperv_extracted. Place the update into the C:\hyperv_update folder. Then drop to the command line and issue the following command,
4. This is what you should see (4 files extracted).
5. From within the Windows Automated Installation Kit program group, launch the “Windows PE Tools Command Prompt”.
6. We now need to create yet another folder on the C: drive to work in; we will call it C:\MOUNT. Then issue the following command:
imagex /mountrw C:\WIM\install.wim 1 C:\MOUNT
Note: There are FIVE install images inside the install.wim file, and you have to do each one at a time. In the command above you see there is a number 1: this run works on image number 1, so you will need to repeat this process for images 2 to 5.
This will take a while and when finished gives no clue how it got on. Issue an “echo %errorlevel%” command, and it should return a zero to let you know it ran OK.
8. Now we will commit the changes made to the mounted image and apply them to our install.wim file; issue the following command:
imagex /unmount /commit C:\MOUNT
Note: Now repeat the process from step 5 for the other 4 images.
9. You will now have an updated install.wim file (in C:\WIM); copy that back to the C:\2008x64\sources folder (overwrite the original when prompted).
10. Now we need to create a bootable .iso image again; there is a tool already at your fingertips to do this (assuming you still have the Windows PE Tools Command Prompt window open). Issue the following command,
Note: DO NOT use copy and paste; type the command in manually. There is a bug in some versions of oscdimg that will only work if you manually type in the command; it gives you Error number 3 if you try to use copy/paste.
11. All done 🙂 Your DVD image is at C:\2008x64.iso; you can burn it with your CD burning program (or mount it in a Virtual Machine). Don’t forget to delete the following folders,